IS Network and Telecommunications Risks, Chapter Six

Upload: candace-mitchell

Post on 03-Jan-2016

TRANSCRIPT

IS Network and Telecommunications Risks

Chapter Six

Network Components
- Computers and terminals
  - Computers process data in a networked telecommunications system
  - Networked computers send data to and receive data from terminals
- Telecommunications channels: physical (wired) and wireless
- Telecommunications processors: routers and switching devices

Network Types
- Local versus wide area networks
- Internet, intranet, extranet
- Virtual private networks (VPN)
- Client/server networks

Network Configuration Types
- Star-shaped: centralized
- Ring: decentralized
- Bus: decentralized

Network Protocols and Software
- Open Systems Interconnection (OSI) model: a standard layered architecture for networking that allows different computers to communicate across networks
- Network and telecommunications software: network OS, network management software, middleware, web browsers, e-mail software

IS Network and Telecommunications Risks
- Social Engineering
- Physical Infrastructure Threats: the elements, natural disasters, power supply, intentional human attacks
- Programmed Threats: viruses, worms, Trojan horses, hoaxes, blended threats
- Denial of Service Attacks
- Software Vulnerabilities

Social Engineering Techniques
- Familiarity exploit
- Gathering and using information
- Phishing
- Tailgating
- Quid pro quo

Sample Scenario

In one penetration test, Nickerson used current events, public information available on social network sites, and a $4 Cisco shirt he purchased at a thrift store to prepare for his illegal entry. The shirt helped him convince building reception and other employees that he was a Cisco employee on a technical support visit. Once inside, he was able to give his other team members illegal entry as well. He also managed to drop several malware-laden USBs and hack into the company's network, all within sight of other employees.

Source: http://www.csoonline.com/article/514063/social-engineering-the-basics

Countermeasures
- Personnel training
- Awareness program
- Establish security protocols

IS Network and Telecommunications Security
- Network security administration
- Authentication
- Encryption: secret key and public key
- Firewalls: packet filtering and stateful inspection
- Intrusion Detection Systems
- Penetration Testing: war dialing, port scanning, sniffers, password crackers
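The difference between the two firewall types on this slide, and the way an intrusion detection system can sit behind one, is easier to see in code. The example below is added here and is not from the slides: it runs a constructed packet trace through a stateless packet filter and a stateful-inspection filter side by side, then feeds the stateful filter's drop log to a simple port-scan detector. The addresses (RFC 5737 documentation ranges and a private 10.0.0.0/8 network), the policy, and the trace are all constructed assumptions for illustration.

```python
"""Added example, not from the slides: a stateless packet filter beside a
stateful-inspection filter, and a port-scan detector fed by the stateful
filter's drop log. Addresses, ports, policy and the packet trace are
constructed (RFC 5737 documentation ranges); nothing here is real traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


SERVER = "10.0.0.5"              # hypothetical internal host publishing services
PUBLISHED_PORTS = {80, 443}      # services reachable from outside


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> bool:
    """Packet filtering: decides from the header fields of this packet alone.

    To let replies to outbound connections back in, a stateless rule set has
    to admit any inbound packet with the ACK flag set. An attacker who sets
    ACK on a probe (an 'ACK scan') passes the same rule."""
    if is_internal(pkt.src):
        return True                                   # outbound: permitted
    if pkt.dst == SERVER and pkt.dport in PUBLISHED_PORTS:
        return True                                   # published service
    return pkt.ack                                    # "established" guess


class StatefulFilter:
    """Stateful inspection: inbound packets are admitted only if they belong
    to a connection the filter saw an internal host open."""

    def __init__(self):
        self.connections = set()   # (int_ip, int_port, ext_ip, ext_port)
        self.dropped = []          # drop log handed to the detector

    def check(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:               # new outbound connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dst == SERVER and pkt.dport in PUBLISHED_PORTS:
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return True                               # reply to a tracked flow
        self.dropped.append(pkt)
        return False


def detect_port_scans(dropped, threshold=5):
    """IDS-style check: an external source whose dropped packets touch at
    least `threshold` distinct destination ports is reported as a scanner."""
    ports = defaultdict(set)
    for pkt in dropped:
        ports[pkt.src].add(pkt.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


# Constructed trace: one legitimate outbound HTTPS session, then an ACK scan
# from 203.0.113.9 against a workstation, then a normal request to the server.
TRACE = [
    Packet("10.0.0.7", 40000, "198.51.100.20", 443, syn=True, ack=False),
    Packet("198.51.100.20", 443, "10.0.0.7", 40000, syn=True, ack=True),
] + [
    Packet("203.0.113.9", 55000, "10.0.0.7", port, syn=False, ack=True)
    for port in (22, 23, 445, 3389, 8080)
] + [
    Packet("203.0.113.9", 55001, SERVER, 80, syn=True, ack=False),
]


def run_trace(trace=TRACE):
    """Run the trace through both filters and return the comparison."""
    fw = StatefulFilter()
    stateless = [stateless_filter(p) for p in trace]
    stateful = [fw.check(p) for p in trace]
    return {
        "stateless_allowed": sum(stateless),
        "stateful_allowed": sum(stateful),
        "scans": detect_port_scans(fw.dropped),
    }


if __name__ == "__main__":
    print(run_trace())
```

Running it shows the stateless filter admitting all eight packets, including the five ACK-flagged probes, while the stateful filter admits only the outbound SYN, its SYN/ACK reply and the request to the published port 80; the five drops are enough for the detector to report 203.0.113.9 as scanning ports 22, 23, 445, 3389 and 8080. Real firewall logs carry timestamps, so a production detector would also bound the window in which the distinct ports are counted.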

Auditing Network Security
- Risk assessment and best practices
- Benchmark tools
- IT audit programs for network security

Security Service Comparison
- Evaluation against policy and security baseline
- Regulatory / industry compliance, e.g. Sarbanes-Oxley (SOX)
- Evaluation against standards such as the NIST SP 800 series and ISO/IEC 27002
- Governance framework: COBIT / COSO

Testing Security Controls
- Risk assessment
- Policy assessment
- Social engineering
- Security design review
- Security process review
- Document review
- Technology review