7/24/2019 Chapter 1 - Network Security-ITT
INFORMATION SYSTEMS SECURITY
Setting the Scene
Security is one of the oldest problems that governments, commercial organizations and almost every person have to face.
The need for security has existed since information became a valuable resource.
The introduction of computer systems to business has escalated the security problem even more.
The advances in networking, and especially in distributed systems, made the need for security even greater.
The Computer Security Institute report notes that in year ())* computer crime costs increased to more than +,) million dollars in the USA alone.
Profiling Adversaries (enemies)
Adversaries that target corporate systems are numerous. They can be generally classified in the following categories:
Hackers
Employees (both malicious and unintentional)
Terrorist groups
Governments
Opposing Industries
Security
So now we know that we need security.
BUT what is security anyway? Many people fail to understand the meaning of the word.
Many corporations install an antivirus software, and/or a firewall and believe they are protected.
Are they?
Consider some cases:
An internal employee wants revenge on the company and so publishes private corporate information on the internet.
The terrorist attack on the twin towers (in USA) resulted in many corporations closing. Why?
An employee forgets his laptop in a café. This laptop contains all corporate private information.
HOW CAN A FIREWALL PROTECT FROM THE PREVIOUS?
What is Information Security?
The protection of information / data and its critical elements including systems and hardware that use, store, and transmit information to ensure continual operation of business without interruption.
Characteristics of Computer Intrusion
Any computer system can be a target - Hardware, Software, Storage, Data, People/User
Any system is most vulnerable at its weakest point - A robber intent on stealing from a house will not attempt to penetrate a two-inch-thick metal door if a window gives easier access.
Intrusion - An incident of unauthorized access to data, computer system or IT equipment.
Principle of Easiest Penetration - An intruder must be expected to use any available means of penetration. Penetration may not necessarily be by the most obvious means, nor via the one we have the most defense against.
This principle implies that computer security specialists must consider:
All the means of penetration
Penetration analysis must be repeated, especially whenever the system or its security change
Do not underestimate the attacker / think like an attacker
Strengthening one aspect of a system might weaken another
Vulnerabilities, Threats, Attacks, and Controls
A vulnerability is a weakness in the security system (for example, in procedures, design, or implementation), that might be exploited to cause loss or harm.
A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
A human who exploits a vulnerability commits an attack on the system.
How do we address these problems? We use a control as a protective measure. That is, a control is an action, device, procedure, or techni
Vulnerabilities, Threats and Attacks
Wall holding back water
Threat is water to the left of the wall (a threat to the man) - water could rise and overflow onto the man
Vulnerability is the crack in the wall
If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man.
Threats
We can view any threat as being one of four kinds: interception, interruption, modification, and fabrication.
Threats
An interception means that some unauthorized party has gained access to an asset.
In an interruption, an asset of the system becomes lost, unavailable, or unusable.
If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.
Finally, an unauthorized party might create a fabrication of counterfeit objects on a computing system.
Threats to Information Security
Method, Opportunity, and Motive
A malicious attacker must have three things (MOM):
Method: the skills, knowledge, tools, and other things with which to be able to pull off the attack
  Knowledge of systems is widely available
Opportunity: the time and access to accomplish the attack
  Systems available to the public are accessible to them
Motive: a reason to want to perform this attack against this system
Security Goals
When we talk about computer security, we mean that we are addressing three important aspects of any computer-related system: confidentiality, integrity, and availability (CIA)
Confidentiality ensures that computer-related assets are accessed only by authorized parties.
  Reading, viewing, printing, or even knowing their existence
  Secrecy or privacy
Integrity means that assets can be modified only by authorized parties or only in authorized ways.
  Writing, changing, deleting, creating
Availability means that assets are accessible to authorized parties at appropriate times. For this reason, the opposite of availability is sometimes known as denial of service.
Security Goals (Contd)
Vulnerabilities of Computing Systems
Hardware Vulnerabilities
adding devices, changing them, removing them, intercepting the traffic to them, or flooding them with traffic until they can no longer function. (many other ways to harm the hardware).
Software Vulnerabilities
Software can be replaced, changed, or destroyed maliciously, or it can be modified, deleted, or misplaced accidentally. Whether intentional or not, these attacks exploit the software's vulnerabilities.
Vulnerabilities of Computing Systems (Contd.)
Data Vulnerabilities
Data have a definite value, even though that value is often difficult to measure.
Ex: confidential data leaked to a competitor
  May narrow a competitive edge
Ex2: flight coordinate data used by an airplane that is guided partly or fully by software
  Can cost human lives if modified
Vulnerabilities of Computing Systems (Contd.)
Principle of Adequate Protection: Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.
This principle says that things with a short life can be protected by security measures that are effective only for that short time.
Other Exposed Assets
Networks
Networks are specialized collections of hardware, software, and data.
Can easily multiply the problems of computer security
  Insecure shared links
  Inability to identify remote users (anonymity)
Key People
People can be crucial weak points in security. If only one person knows how to use or maintain a particular program, trouble can arise if that person is ill, suffers an accident, or leaves the organization (taking her knowledge with her).
Methods of Defense
Prevent it, by blocking the attack or closing the vulnerability
  Preventive controls can be as simple as locks and access codes to sensitive areas of a building or passwords for confidential information
Deter it, by making the attack harder but not impossible
Deflect it, by making another target more attractive (or this one less so)
  Example: Honey Pots
Detect it, either as it happens or some time after the fact
  A security camera is an example of a detective control. A store manager who wants to monitor the use of the cash drawer by a particular clerk can easily look at video of the clerk's actions throughout the day to detect potential theft.
  An access log file and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.
Recover from its effects (a.k.a. corrective controls)
  Back up data so that it could be restored to continue the functioning of the system in the event of a crash.
Methods of Defense
A sample log file (to detect)
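The detective control described above (an access log file plus an alert system) can be sketched as follows. This is an added example, not part of the original slides; the log line format, the field names and the threshold and window values are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not from the slides.
SAMPLE_LOG = """\
2019-07-24T09:01:10 user=alice src=10.0.0.5 resource=/hr/leave.pdf result=ALLOWED
2019-07-24T09:02:00 user=bob src=10.0.0.9 resource=/payroll/salaries.xlsx result=DENIED
2019-07-24T09:02:40 user=bob src=10.0.0.9 resource=/payroll/bonus.xlsx result=DENIED
this line is corrupted and must not crash the detector
2019-07-24T09:03:15 user=bob src=10.0.0.9 resource=/finance/budget.xlsx result=DENIED
2019-07-24T09:20:00 user=alice src=10.0.0.5 resource=/payroll/salaries.xlsx result=DENIED
2019-07-24T09:40:00 user=alice src=10.0.0.5 resource=/payroll/salaries.xlsx result=DENIED
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>ALLOWED|DENIED)$"
)

def detect_alerts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (alerts, skipped). One alert per user who reaches `threshold`
    DENIED results within `window`; `skipped` counts unparseable lines.
    Assumes the log is in chronological order."""
    recent = defaultdict(deque)      # user -> (timestamp, resource) of recent denials
    alerted, alerts, skipped = set(), [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        try:
            ts = datetime.fromisoformat(m.group("ts")) if m else None
        except ValueError:
            ts = None
        if ts is None:               # corrupted line or impossible timestamp
            skipped += 1
            continue
        if m.group("result") != "DENIED":
            continue
        q = recent[m.group("user")]
        q.append((ts, m.group("resource")))
        while ts - q[0][0] > window:  # forget denials older than the window
            q.popleft()
        if len(q) >= threshold and m.group("user") not in alerted:
            alerted.add(m.group("user"))
            alerts.append({"user": m.group("user"), "src": m.group("src"),
                           "count": len(q), "resources": [r for _, r in q]})
    return alerts, skipped

if __name__ == "__main__":
    for alert in detect_alerts(SAMPLE_LOG)[0]:
        print("ALERT:", alert)
```

Two isolated denials twenty minutes apart (alice) stay below the default threshold, while three denials in just over a minute (bob) raise an alert for management to review.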
Controls Available
Controls attempt to prevent the exploitation of a vulnerability
Computer Security has lots of controls
  Simple or Difficult
  Inexpensive or Expensive
Type of Control
Encryption: formal name for the scrambling process
  Deals with confidentiality and integrity
  Cleartext
  Ciphertext
  Protocols
2) Software Controls
Programs must be secure to prevent attacks
Program Controls:
Internal Program Controls - parts of the program that enforce security restrictions, such as access limitations in a database management program
Operating System and Network System Controls - limitations enforced by the operating system or network to protect each user from all other users
Independent Control Programs - application programs, such as password checkers, intrusion detection utilities, or virus scanners, that protect against certain types of vulnerabilities
Development Controls -
Controls Available (Contd)
Policies and Procedures
Sometimes, we can rely on agreed-on procedures or policies among users rather than enforcing security through hardware or software means, such as a company email use policy and internet use policy.
Must be written and training should be provided
Physical Controls
Locks on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduces the risk of natural disasters.
Effectiveness of Controls
Awareness of Problem
People using controls must be convinced of the need for security. That people will willingly cooperate with security re
Effectiveness of Controls (Contd) depends on:
Likelihood of Use
Of course, no control is effective unless it is used.
Principle of Effectiveness:
Controls must be used and used properly to be effective. They must be efficient, easy to use, and appropriate.
This principle implies that computer security controls must be efficient enough, in terms of time, memory space, human activity, or other resources used, that using the control does not seriously affect the task being protected. Controls should be selective so that they do not exclude legitimate accesses.
Effectiveness of Controls (Contd) depends on:
Overlapping Controls (layered defense)
Several different controls may apply to address a single vulnerability (good)
Periodic Review
Just when the security specialist finds a way to secure assets against certain kinds of attacks, the opposition doubles its efforts in an attempt to defeat the security mechanisms. Thus, judging the effectiveness of a control is an ongoing task.
Social Engineering
The act of obtaining or attempting to obtain secure data by deceiving an individual into revealing secure information.
Social engineering is successful because its victims inherently want to trust other people and are naturally helpful.
The victims of social engineering are tricked into releasing information that they do not realize will be used to attack a computer network.
For example, an employee in an enterprise may be tricked into revealing a coworker's personal information such as employee number, address, contact numbers or salary to someone who is pretending to be somebody who represents or is known to the coworker.
Social Engineering....
People are the Weakest Link
Security can be no stronger than its weakest link. Often the weakest link in security is not technology, but the people who use it.
An IT network may be protected by firewalls, intrusion detection and other state-of-the-art security technologies. And yet, all it takes is one person's intentional or unintentional (careless) activity and suddenly entire network security or information security as a whole could be at risk.
Therefore security professionals and management must not overlook the weakest link in security systems, that being the human factor.
It is easy to become overly confident solely in the use of advanced algorithms and technology. But history shows reliance on an advanced technology is lost if the people operating the system are not fully trained and managed.
People are the Weakest Link
A US company carried out an experiment. It scattered unauthorized USB drives and disks in the car parks of US government agencies. Some 01 of workers who found these devices plugged them into their office computers. This percentage rose to 201 when an official logo was printed on the device.
All of these agencies had policies strictly forbidding the unauthorized introduction of USBs, but the employees plugged them in anyway.
People are the Weakest Link
Other Examples:
By using what's known as 'social engineering', hackers exploit unsuspecting people who in good faith open up their doors to unwanted strangers, such as giving away passwords
Writing passwords down on sticky notes attached to the computer's monitor, or on whiteboards nearby, because they find it difficult to remember passwords
Leaving PCs unlocked while out at lunch
Leaving laptop computers / USB drives containing confidential information unsecured or unattended in public places