IT - Network Security .. Chapter 1.1

Upload: muhammad-jawad

Post on 02-Jun-2018


  • 8/10/2019 IT - Network Security .. Chapter 1.1

    1/35

    Introduction

    There is increased dependence worldwide on information technology (IT) and IT-based services for public and private sectors.

    The modern IT infrastructure, as we know it today, has evolved over the years.

    - In the mid 1940s huge computers could not even do what our small calculators can do today

    - We then moved on to the mainframe technology


    Objectives of IT Security

    - Confidentiality

    - Integrity

    - Availability

    - Confidentiality, integrity, and availability (CIA) is a model designed to guide policies for information security within an organization.

    - In this context,

    - Confidentiality is a set of rules that limits access to information,

    - Integrity is the assurance that the information is trustworthy and accurate, and

    - Availability is a guarantee of ready access to the information by authorized people.

    - The model is sometimes known as the CIA triad.


    Objectives of IT Security - Confidentiality

    Confidentiality means keeping important information secret and restricted to only those people who are authorized to access and view that information.

    Confidentiality prevents sensitive information from reaching the wrong people, while making sure that the right people can in fact get it.

    A good example is an account number or routing number when banking online.

    Data encryption is a common method of ensuring confidentiality.

    User IDs and passwords constitute a standard procedure; two-factor authentication is becoming the norm and biometric verification is an option as well.

    In addition, users can take precautions to minimize the number of places where the information appears, and the number of times it is actually transmitted to complete a required transaction.

    User Levels in Organizations


    Objectives of IT Security - Integrity

    Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.

    Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people.

    In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. If an unexpected change occurs, a backup copy must be available to restore the affected data to its correct state.

    Integrity means keeping information in its true form and protecting it from unauthorized changes. Examples: in a bank account, someone may change the balance of the account; in the GCUF CMS, someone may change marks.
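
One way to implement the change detection and restore-from-backup step described above, as an added example that is not part of the original slides: each record carries an HMAC-SHA256 tag, and a copy that fails verification is replaced by the verified backup. The key, the account fields and the function names are assumptions made for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real system loads it from a key store.
SECRET_KEY = b"demo-key-for-illustration-only"


def _tag(record):
    """HMAC-SHA256 over a canonical JSON encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def seal(record):
    """Store a record together with its integrity tag."""
    return {"record": dict(record), "tag": _tag(record)}


def is_intact(sealed):
    """True only if the stored record still matches its tag."""
    return hmac.compare_digest(_tag(sealed["record"]), sealed["tag"])


def read_with_restore(live, backup):
    """Return (record, source): the live copy if it verifies, else the backup."""
    if is_intact(live):
        return live["record"], "live"
    if is_intact(backup):
        return backup["record"], "backup"
    raise ValueError("live and backup copies both failed verification")


if __name__ == "__main__":
    # Constructed sample data: a bank account record and its backup copy.
    live = seal({"account": "ACC-1001", "balance_rs": 40000})
    backup = copy.deepcopy(live)

    print(read_with_restore(live, backup))   # unchanged record comes from "live"

    live["record"]["balance_rs"] = 60000     # unauthorized change to the balance
    print(is_intact(live))                   # the tag no longer matches
    print(read_with_restore(live, backup))   # correct state restored from "backup"
```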


    Objectives of IT Security - Availability

    Availability is best ensured by carefully maintaining all hardware, performing hardware repairs immediately when needed, providing a certain measure of redundancy and failover, providing adequate communications bandwidth and preventing the occurrence of bottlenecks, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service (DoS) attacks.

    Availability covers services, applications, web pages, etc., and the smooth running of the network, such as broadband.

    We make sure devices are always available (resilient) and services remain up.

    Disaster Recovery and BCM (Business Continuity Management): making sure that business services are always running. In case of disaster, there will be another site, named disaster recovery, and data will be switched there.


    Three Foundations of IT Security


    People - who we are

    People who use or interact with the ICT Infrastructure include:

    Share Holders / Owners

    Management

    Employees

    Business Partners

    Service providers

    Contractors

    Customers / Clients

    Regulators, etc.


    Process - what we do

    The processes refer to "work practices" or workflow.

    Processes are the repeatable steps to accomplish business objectives. Typical processes in our ICT Infrastructure could include:

    Helpdesk / Service management

    Incident Reporting and Management

    Change Requests process

    Request fulfillment

    Access management

    Identity management

    Service Level / Third-party Services Management


    Technology.

    Network Infrastructure:

    Cabling, Data/Voice Networks and equipment

    Telecommunications services, including VoIP services, Broadband, Video Conferencing

    Server computers and associated storage devices

    Operating software for server computers

    Communications equipment and related hardware.

    Intranet and Internet connections

    VPNs and Virtual environments

    Remote access services

    Wireless connectivity

    Application software:

    Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems

    Software as a service (SaaS) - instead of software as a packaged or custom-made product, etc.


    The Threats

    People

    Process

    Technology


    The Threats - People

    Security is a chain, and People are the weakest link in the chain

    Data Diddling: is the act of modifying information, programs, or documents to commit fraud; it tampers with INPUT data.

    For example, a cashier enters an amount of Rs. 40,000/= into the cash register, but really charges the customer Rs. 60,000/= and keeps the extra Rs. 20,000/=.

    Salami attack: one in which an attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. For example, a bank employee may alter a banking software program to subtract 5 Paisa from each of the bank's customers' accounts once a month; such a debit could be represented as a service charge, and moved to some other bank account. If this happened to all of the bank's 50,000 customer accounts, the intruder could make up to Rs. 30,000 a year.

    Trap Door / Maintenance hooks: An undocumented access path through a system, usually made by application developers. This typically bypasses the normal security mechanisms and can be used to gain access later on.
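
The salami attack above is hard to see one debit at a time but stands out when a month's ledger is grouped by destination. The following detection sketch is an added example, not part of the original slides; the ledger layout, account names and thresholds are assumptions, and the sample ledger is constructed.

```python
from collections import defaultdict


def find_salami_candidates(transactions, max_amount_paisa=100, min_sources=50):
    """Flag destinations fed by the same tiny debit from many distinct accounts.

    transactions: iterable of (source, destination, amount_paisa) for one month.
    """
    sources = defaultdict(set)   # (destination, amount) -> distinct source accounts
    totals = defaultdict(int)    # (destination, amount) -> paisa collected
    for src, dst, amount in transactions:
        if 0 < amount <= max_amount_paisa:
            sources[(dst, amount)].add(src)
            totals[(dst, amount)] += amount
    findings = [
        {
            "destination": dst,
            "amount_paisa": amount,
            "accounts_debited": len(srcs),
            "month_total_paisa": totals[(dst, amount)],
        }
        for (dst, amount), srcs in sources.items()
        if len(srcs) >= min_sources
    ]
    return sorted(findings, key=lambda f: f["month_total_paisa"], reverse=True)


def yearly_total_rupees(amount_paisa, accounts, months=12):
    """Scale one month's pattern to a year (100 paisa = 1 rupee)."""
    return amount_paisa * accounts * months // 100


def build_sample_ledger():
    """Constructed one-month ledger: 200 customers and one hidden skim account."""
    ledger = []
    for i in range(200):
        customer = f"CUST-{i:04d}"
        ledger.append((customer, "SUSPENSE-77", 5))                # 5-paisa "service charge"
        ledger.append((customer, "UTILITY-CO", 150000 + i * 100))  # ordinary bill payment
    ledger.append(("CUST-0001", "CUST-0002", 50))                   # one-off small transfer
    return ledger


if __name__ == "__main__":
    for finding in find_salami_candidates(build_sample_ledger()):
        print(finding)
    # The slide's scenario: 5 paisa from 50,000 accounts, once a month.
    print("Rupees per year:", yearly_total_rupees(5, 50_000))
```

Ordinary bill payments and the single small transfer are not flagged, because the rule requires the same small amount from many distinct accounts to one destination.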


    Hackers / Crackers / Phreakers: Hackers sometimes break into networks for the thrill of the challenge (Script Kiddies), or for bragging rights in the hacker community. Crackers aim at financial gain. Phreakers break into telecommunication infrastructure like public telephone systems or company.

    Publication of illegal content: Involves dissemination of unacceptable content online, including racist material, terrorist literature, etc.

    Shoulder Surfing: Is a technique in which the attacker looks over someone's shoulder to obtain passwords, information, PINs and other security codes being entered. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices.

    Wire tapping: Most communication signals can be vulnerable to some type of wire tapping or eavesdropping, using tools like cellular scanners, radio receivers, telephone tapping devices, etc.

    Dumpster diving: The practice of going through commercial or residential trash to find items, documents or records that have been discarded by their owners, but which may be useful to the dumpster diver.


    The Threats - Process


    This section looks at weaknesses in the business processes which could lead to attacks on the infrastructure:

    Failure to develop an Information Systems security program:

    Organizations should develop an Information Systems Security program that documents the policy, procedures, standards, etc. for protecting the concerned assets. Issues that arise due to lack of a proper security program could include:

    1. Lack of security awareness

    2. Concentration of duties

    3. Lack of ways to detect fraud

    4. Security through obscurity: the idea that an attacker might fail to see loopholes


    Excessive User Rights / privileges: Excessive user rights or privileges is a very common security issue that has become increasingly hard to control. It occurs if a user has more access rights than necessary, beyond the necessary need to know.

    Unencrypted Laptops and Removable Media: Loss of laptops and removable media has become a major liability for corporations and government agencies as well as for general consumers.

    All too frequently, a major loss of personal or identifying information is traced back to the loss of a single laptop or piece of removable media.


    The Threats - Technology


    Technology could be a powerful enabler of business productivity as well as a catalyst for criminal activity:

    Access Control attacks:

    Access control is the process that involves:

    - Identifying who they are - Identification

    - Proving that they are who they say they are - Authentication

    - Getting granted access to those areas of the system where they are supposed to have access - Authorization

    This process could be compromised by any of the following attacks:

    1. A dictionary attack uses a brute-force technique of successively trying all the words in an exhaustive list (from a pre-arranged list of values)

    - Brute force is trying every possible combination


    2. Spoofing at login: A technique used by an attacker to present a fake login screen, often tricking the user to try and log in. The credentials are stored somewhere for the attacker to use later.


    Man-in-the-Middle Attacks: A man-in-the-middle attack refers generally to an attack in which the attacker positions himself between two communicating parties and gleans information to which he should not have access.

    Zero Day Attacks: A zero day vulnerability occurs when a flaw in software code has been discovered and exploits of the flaw appear before a fix or patch is available. Once a working exploit of the vulnerability is released into the wild, users of the affected software will be compromised until a software patch is available or some form of mitigation is taken by the user.

    Phishing attack: A process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

    Keyloggers and Screenloggers: Program installed on a victim's machine that records every keystroke that a user makes. Used to steal login details.


    Content Injection Attacks: Content injection refers to inserting malicious content into a legitimate site. In addition to deceptive actions such as redirecting to other sites, malicious content can install crimeware on a user's computer through a web browser vulnerability or by social engineering, such as asking a user to download and install anti-virus software that actually contains crimeware. Examples include:

    1. Cross-Site Scripting (XSS): Cross-site scripting, better known as XSS, is the most pernicious and easily found web application security issue. XSS allows attackers to deface web sites, insert hostile content, conduct phishing attacks, take over the user's browser using JavaScript malware, and force users to conduct commands not of their own choosing - an attack known as cross-site request forgery (CSRF).

    2. SQL Injection: Injections, particularly SQL injections, are common in web applications. Injections are possible due to intermingling of user-supplied data within dynamic queries or within poorly constructed stored procedures.
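
The "intermingling of user-supplied data within dynamic queries" described above is shown here next to its fix, a parameterized query. This is an added example, not part of the original slides; the table, column and function names are assumptions, and the data is constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with three sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance_rs INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("asha", 40000), ("bilal", 60000), ("chen", 20000)],
    )
    return conn


def balances_dynamic(conn, owner):
    """Weak form: the input is pasted into the SQL text, so the database
    cannot tell which part is the query and which part is data."""
    query = "SELECT owner, balance_rs FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(query).fetchall()


def balances_parameterized(conn, owner):
    """Corrected form: the SQL text is fixed and the input is bound as a
    value, so it is only ever compared against the owner column."""
    query = "SELECT owner, balance_rs FROM accounts WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "asha' OR '1'='1"   # input that closes the quote and adds a condition

    print(balances_dynamic(conn, "asha"))          # one row, as intended
    print(balances_dynamic(conn, crafted))         # every account is returned
    print(balances_parameterized(conn, crafted))   # no owner has that name: []
```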


    Cross-Site Scripting


    Denial of service (DoS): is a general term for many different types of attacks. However, each attack has one thing in common, which is the goal to deny others the service that the victim system usually provides.

    Spam E-mail: Spam is anonymous, unsolicited bulk email; it is effectively the email equivalent of physical junk mail delivered through the post office. Spam is a problem not only because of the enormous resources it demands, but also because it now serves as a means for other types of attack. There is also reduced system performance and the costs of filtering e-mail, loss of employee productivity or required increased usage of help desk support. Spam consumes network bandwidth used to transmit messages or consumes disk storage used to store messages.

    Botnets: A botnet is a collection of infected and compromised computing devices harnessed together and remotely controlled for malicious purposes. Thousands of systems with zombie code can be used in DDoS (distributed denial-of-service) attacks or by spammers.


    Click Fraud: Online advertising networks offer the ability for a web site operator to host third-party advertisements and collect payment for every time a user clicks on an advertisement. Click fraud refers to various schemes in which the number of clicks is artificially inflated.

    Other Malware: Software designed to cause damage to a single computer, server, or computer network. These include:

    - Viruses - A virus is a small application, or a string of code, that infects applications and requires user action to compromise a machine.

    - Spyware - Software that monitors user activity without user knowledge or consent. Spyware can capture and release sensitive data, make unauthorized changes, and decrease system performance.

    - Trojan Horse - A Trojan horse is a program that is disguised as another program; it masquerades as a useful application, but does harm.

    - Worm - A worm is malware that reproduces on its own without a host application. Worms can infect and take over computers without any help, bar lax security, from a victim.


    Wireless Networks threats: Wireless networks have now become very common, for both organizations and individuals. Most laptops ship with wireless adaptors and organizations have also deployed wireless LANs given the ease of deployment. Some of the security issues with wireless networks include the following:

    - Accidental association: When a user turns on a computer and it latches on to a wireless access point from a neighboring company's overlapping network, this could cause security issues if the victim network is not secure.

    - War driving - War driving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer (laptop) or PDA. Software for war driving is freely available on the Internet, notably NetStumbler for Windows, Kismet or SWScanner for Linux. These tools can sniff for any available wireless access points (APs).


    Bluetooth attacks: Various security holes have already appeared in Bluetooth, which is becoming widely used in mobile phones and high-end smart phones. Some of these are listed below:

    - Bluebugging - Refers to hacking into a Bluetooth device and using the commands of that device without notifying or alerting the user. By bluebugging, a hacker could eavesdrop on phone conversations, place phone calls, send and receive text messages, and even connect to the Internet.

    - Bluejacking - A kind of practical joke played out between Bluetooth-enabled devices, bluejacking takes advantage of a loophole in the technology's messaging options that allows a user to send unsolicited messages to other nearby Bluetooth devices. (Similar to doorbell ditching)


    Physical ICT Infrastructure threats:

    The threats to the physical ICT infrastructure include natural environment threats (earthquakes, floods, tornadoes), supply system threats (power, Internet and telecom outage, water, gas, etc.), manmade threats (vandalism, fraud, theft), and politically motivated threats (terrorist attacks, riots, bombings).

    Other threats to look out for:

    - 419 scam - Advance Fee Fraud

    - Web vandalism: Attacks that deface web pages

    - Fake products / Product imitations
