02 fundamental aspects of security

Posted on 23-Feb-2017



Network Security: Fundamental Aspects

MSc. Vuong Thi Nhung
Faculty of Information Technology
Hanoi University
Aug 23, 2015

Contents

• History of Information Security
• Information Security Definition and Concept
• AAA & CIA models
• Threats and Risks
• Some security guidelines

The story of the Internet worm

On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet.

He chose to release it from MIT, to disguise the fact that the worm came from Cornell.

Morris soon discovered that the program was replicating and reinfecting machines at a much faster rate than he had anticipated.

Ultimately, many machines at locations around the country either crashed or became “unresponsive”.

When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection.

However, because the network route was blocked, this message did not get through until it was too late.

Computers were affected at many sites, including universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.

The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a system and waits for other systems to connect to it and give it email.

People at the University of California and MIT had copies of the program and were actively disassembling it (returning the program back into its source form) to try to figure out how it worked.

Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued spread of the worm.

The information didn't get out as quickly as it could have, however, since so many sites had completely disconnected themselves from the network.

After a few days, things slowly began to return to normalcy and everyone wanted to know who had done it all. Morris was later named in The New York Times as the author of the incident.

Robert T. Morris was convicted of violating the Computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision. His appeal, filed in December 1990, was rejected the following March.

http://www-swiss.ai.mit.edu/6805/articles/morris-worm.html

After the incident, Morris was suspended from Cornell for acting irresponsibly according to a university board of inquiry. Later, Morris would obtain his Ph.D. from Harvard University for his work on modeling and controlling networks with large numbers of competing connections.

Robert Morris is currently an assistant professor at MIT (apparently they forgave him for launching his worm from their network) and a member of their Laboratory of Computer Science in the Parallel and Distributed Operating Systems group. He teaches a course on Operating System Engineering and has published numerous papers on advanced concepts.

What is Security

Security: “The quality or state of being secure—to be free from danger”

Security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.

Necessary tools: policy, awareness, training, education, technology

Layers of security

A successful organization should have multiple layers of security in place:

• Physical security - To protect the physical items, objects, or areas of an organization from unauthorized access and misuse.

• Personal security - To protect the individual or group of individuals who are authorized to access the organization and its operations.

• Operations security - To protect the details of a particular operation or series of activities.

• Communications security - To protect an organization’s communications media, technology, and content.

• Network security - To protect networking components and connections.

• Information security - To protect the confidentiality, integrity and availability of information assets, whether in storage, processing or transmission.

It is achieved via the application of policy, education, training and awareness, and technology.

Building elements of Information Security: Authentication, Access Control, Auditing

Authentication

Sender, receiver want to confirm identity of each other

Who am I talking to?

Example: FIT E-learning (figure: Student V reaches the FIT E-learning server through a chain of providers, ISP A, ISP B, ISP C and ISP D)

Authentication: Who am I talking to? (figure: Student V sends “Hello, I’m V”; FIT E-learning asks “Is that student V?”; Student V asks “Is that FIT?”)

Authentication

Protection Mechanisms
• Password: Manual, One-Time Password
• Key Sharing: Public-private keys, Wifi
• Challenge-Response
• Multi-factor Authentication
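The challenge-response mechanism listed above can be shown in a few lines. The following is an added example, not code from the slides: the server issues a fresh random challenge, the client answers with an HMAC of that challenge under a shared secret, and the server checks the answer. The secret itself never crosses the network, and because each challenge is used once, an observer who records a valid answer cannot reuse it. The user name, secret and class names are constructed for the example.

```python
# Added example (not from the slides): minimal challenge-response
# authentication with HMAC-SHA256 from the Python standard library.
import hashlib
import hmac
import secrets

# Constructed shared secret for "student_v", assumed to have been
# enrolled out-of-band (e.g. at registration).
SHARED_SECRETS = {"student_v": b"constructed-shared-secret-for-V"}


class Server:
    """Issues single-use challenges and verifies the responses."""

    def __init__(self, secrets_db):
        self._secrets = secrets_db
        self._pending = {}  # username -> outstanding challenge

    def issue_challenge(self, username):
        # A fresh random nonce per login: a recorded response is useless later.
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self._pending.pop(username, None)  # consume: one use only
        secret = self._secrets.get(username)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        # Constant-time comparison: no timing leak on how many bytes matched.
        return hmac.compare_digest(expected, response)


class Client:
    """Proves knowledge of the secret without transmitting it."""

    def __init__(self, username, secret):
        self.username = username
        self._secret = secret

    def respond(self, nonce):
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_exchange(client, server):
    """One full login: challenge -> response -> verdict (True = accepted)."""
    nonce = server.issue_challenge(client.username)
    return server.verify(client.username, client.respond(nonce))


def replay_outcome(client, server):
    """Returns (genuine login accepted?, replay of the same response accepted?)."""
    nonce = server.issue_challenge(client.username)
    captured = client.respond(nonce)
    first = server.verify(client.username, captured)
    server.issue_challenge(client.username)  # next login gets a new nonce
    replayed = server.verify(client.username, captured)
    return first, replayed


if __name__ == "__main__":
    srv = Server(SHARED_SECRETS)
    print(run_exchange(Client("student_v", SHARED_SECRETS["student_v"]), srv))
    print(run_exchange(Client("student_v", b"wrong-guess"), srv))
    print(replay_outcome(Client("student_v", SHARED_SECRETS["student_v"]), srv))
```

The same pattern underlies one-time passwords: the difference is that the "challenge" there is derived from a counter or the current time instead of being sent by the server.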

Access Control

Access control can be defined as a policy, software component, or hardware component that is used to grant or deny access to a resource.

Example of hardware components: A smart card, a biometric device, or network access hardware

Access Control

Services must be accessible to appropriate users

Do you have adequate privileges to access this information?

Access control (figure: Mr. Anonymous, on the path between Student V and FIT E-learning, sends a request; FIT E-learning asks “Is Mr. T allowed to view course contents?”)

Access Control

Protection mechanisms: Access control list, Firewall, VPN, Smart card, Rules

Auditing

Auditing is the process of tracking and reviewing events, errors, access, and authentication attempts on a system.

Protection mechanism: logging system, history.

Auditing

Develop an audit trail in the logging of monitored events that allows usage and access, whether authorized or unauthorized, to be tracked.

This improves security and allows for better audit policies and rules.

Example: Enable auditing for logon events
1. Go to Administrative Tools | Local Security Policy
2. Navigate to Local Policies | Audit Policy
3. Enable auditing for logon events
4. Go to Event Viewer to see the logs.
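Access control and auditing belong together: every grant or deny decision should leave a record that can later be reviewed. The following is an added example, not code from the slides or from any real e-learning system, that ties the two sections above together in the FIT E-learning setting: an access control list decides each request, every decision is appended to an audit trail, and a review pass over that trail picks out principals with repeated denied attempts. The principals, resources and threshold are constructed for the example.

```python
# Added example (not from the slides): an access control list with an
# audit trail of every decision, and a review step over that trail.
from collections import Counter
from datetime import datetime, timezone

# ACL: resource -> {principal: set of permitted actions}. Constructed data.
ACL = {
    "course/netsec/contents": {"student_v": {"read"}, "lecturer": {"read", "write"}},
    "course/netsec/homework/v": {"student_v": {"read", "write"}, "lecturer": {"read"}},
}

AUDIT_LOG = []  # in-memory stand-in for the system's logging facility


def check_access(principal, action, resource, now=None):
    """Grant or deny the request; record the decision either way.

    Unknown resources and unknown principals are denied (default deny),
    and the denial is logged just like a grant would be.
    """
    allowed = action in ACL.get(resource, {}).get(principal, set())
    AUDIT_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "principal": principal,
        "action": action,
        "resource": resource,
        "result": "ALLOW" if allowed else "DENY",
    })
    return allowed


def review_denials(log, threshold=3):
    """Audit review: principals with at least `threshold` denied attempts."""
    denied = Counter(e["principal"] for e in log if e["result"] == "DENY")
    return {p: n for p, n in denied.items() if n >= threshold}


def simulate():
    """Run a constructed batch of requests and review the resulting trail."""
    AUDIT_LOG.clear()
    requests = [
        ("student_v", "read", "course/netsec/contents"),
        ("student_v", "write", "course/netsec/homework/v"),
        ("mr_t", "read", "course/netsec/contents"),      # not enrolled
        ("mr_t", "read", "course/netsec/homework/v"),
        ("mr_t", "write", "course/netsec/homework/v"),
    ]
    results = [check_access(*r) for r in requests]
    return results, review_denials(AUDIT_LOG)


if __name__ == "__main__":
    decisions, flagged = simulate()
    print(decisions)   # [True, True, False, False, False]
    print(flagged)     # {'mr_t': 3}
    for entry in AUDIT_LOG:
        print(entry)
```

The point of logging the denials, not only the grants, is the one the Windows logon-audit example makes: failed attempts are what a reviewer needs in order to notice someone probing for access they do not have.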


Security Goal (figure: the CIA triad, Confidentiality, Integrity and Availability)

ISO 27002:2005 defines Information Security as the preservation of:

– Confidentiality: Ensuring that information is accessible only to those authorized to have access

– Integrity: Safeguarding the accuracy and completeness of information and processing methods

– Availability: Ensuring that authorized users have access to information and associated assets when required

INFORMATION ATTRIBUTES

05/01/2023 25Mohan Kamat

Confidentiality

Only sender, intended receiver should “understand” message contents

Is my data hidden?

Confidentiality

Protection Mechanisms
• Data encryption: Symmetric, Asymmetric (public-private keys)

Confidentiality: Is my data hidden? (figure: Mr. T sits on the path between Student V and FIT E-learning; Student V asks “Can Mr. T see my homework?”)

Integrity

Sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

Has my data been modified?

Integrity: Has my data been modified? (figure: Mr. T sits on the path between Student V and FIT E-learning; the question is “Can Mr. T modify student V’s homework?”)

Integrity

Protection mechanisms: Digital signature
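To make the integrity question concrete, here is an added example, not code from the slides, of detecting modification of Student V’s homework in transit. It uses an HMAC (a message authentication code under a key shared by V and FIT) rather than a public-key digital signature, because Python’s standard library has no signature primitive; the detection property it shows is the same: anyone who changes the body without the key cannot produce a matching tag. The key, the homework text and the function names are constructed for the example.

```python
# Added example (not from the slides): tamper detection with an HMAC tag.
# A digital signature would play the same role with a private/public key pair.
import hashlib
import hmac


def make_tag(key, message):
    """Integrity tag over the message; only a key holder can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key, message, tag):
    """True only if the tag matches this exact message under this key."""
    return hmac.compare_digest(make_tag(key, message), tag)


def submit_homework(key, body):
    """What Student V sends: the homework plus its tag."""
    return {"body": body, "tag": make_tag(key, body)}


def check_submission(key, submission):
    """What FIT E-learning does on receipt."""
    return verify_tag(key, submission["body"], submission["tag"])


def demo():
    """Returns (intact accepted?, altered body accepted?, re-tagged forgery accepted?)."""
    key = b"constructed-key-shared-by-V-and-FIT"
    original = submit_homework(key, b"Answer to question 1: 42")

    # Mr. T changes one byte of the body but cannot recompute the tag.
    altered = dict(original, body=b"Answer to question 1: 41")

    # Mr. T rewrites the body and tags it with a guessed key.
    forged = submit_homework(b"mr-t-guessed-key", b"Answer to question 1: 41")

    return (check_submission(key, original),
            check_submission(key, altered),
            check_submission(key, forged))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note what the tag does not provide: it does not hide the homework (that is the confidentiality mechanism, encryption, from the previous section), and it does not stop Mr. T from changing the bytes; it only guarantees that the change is detected.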

Availability

Services must be available to users

Can I reach the destination?

Availability: Can I reach the destination? (figure: Student V tries to reach FIT E-learning through ISPs A, B, C and D; the question is “Can I access FIT during the midterm?”)

Availability

Protection mechanisms: Backup and recovery, Firewall, Vulnerability scanning and patching, Intrusion detection and response, Virus scanning

WHAT IS RISK

Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Threat: Something/Someone that can potentially cause damage to the organisation, IT Systems or network.

Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.


INFO SECURITY SURVEY

• Information Security is an “Organizational Problem” rather than an “IT Problem”
• More than 70% of Threats are Internal
• More than 60% of culprits are First Time fraudsters
• Biggest Risk: People
• Biggest Asset: People
• Social Engineering is a major threat
• More than 2/3rd express their inability to determine “Whether my systems are currently compromised?”


RISKS & THREATS

Potential Threats (figure):
• High User Knowledge of IT Systems
• Theft, Sabotage, Misuse
• Virus Attacks
• Systems & Network Failure
• Lack Of Documentation
• Lapse in Physical Security
• Natural Calamities & Fire

SO HOW DO WE OVERCOME THESE PROBLEMS?


USER RESPONSIBILITIES

Information Security Policy

IS Policy is approved by Top Management

Policy is released on Intranet at http://xx.xx.xx.xx/ISMS/index.htm


USER RESPONSIBILITIES

Access Control - Physical

Do:
• Follow Security Procedures
• Wear Identity Cards and Badges
• Ask unauthorized visitors for their credentials
• Attend visitors in the Reception and Conference Room only

Don’t:
• Bring visitors into the operations area without prior permission
• Bring hazardous and combustible material into the secure area
• Practice “Piggybacking”
• Bring and use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so


USER RESPONSIBILITIES

Password Guidelines

Do:
• Always use a password of at least 8 characters with a combination of letters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that you can easily remember
• Change your password regularly as per policy
• Use a password that is significantly different from your earlier passwords

Don’t:
• Use passwords which reveal your personal information or words found in a dictionary
• Write down or store passwords
• Share passwords over phone or E-mail
• Use passwords which do not match the above complexity criteria
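The password rules above are the kind of thing an enrollment form or a password-change handler checks automatically. The following is an added example, not code from the slides or from any organisation’s policy tooling, that encodes them as a checker: minimum length, character classes, a dictionary-word test, a personal-information test and a similarity test against earlier passwords. The dictionary here is a tiny constructed stand-in for a real word list, the similarity threshold of 0.7 is a constructed choice, and the character-class check accepts any punctuation, treating the slide’s list of special characters as examples.

```python
# Added example (not from the slides): a password-policy checker that
# returns the list of rules a candidate password violates.
import difflib
import re
import string

SPECIAL = set(string.punctuation)  # the slide lists *, %, @, #, $, ^ as examples

# Constructed stand-in for a dictionary word list; a deployment would load one.
DICTIONARY = {"password", "welcome", "hanoi", "security", "student", "letmein"}

SIMILARITY_THRESHOLD = 0.7  # constructed: above this, "not significantly different"


def check_password(candidate, previous=(), personal_info=()):
    """Return the rules the candidate violates; an empty list means it passes.

    previous:      earlier passwords the user has had (plaintext here for the
                   demonstration; a real system keeps only hashes and compares
                   the new candidate against them in a way that suits its storage)
    personal_info: strings such as the user's name or user id
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digits")
    if not any(c in SPECIAL for c in candidate):
        problems.append("no special character")

    lowered = candidate.lower()
    # Strip digits/punctuation so "p@ssw0rd"-style spellings still hit the list.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("dictionary word")

    for hint in personal_info:
        if hint and hint.lower() in lowered:
            problems.append(f"contains personal information '{hint}'")

    for old in previous:
        ratio = difflib.SequenceMatcher(None, candidate, old).ratio()
        if ratio > SIMILARITY_THRESHOLD:
            problems.append("too similar to an earlier password")
            break

    return problems


if __name__ == "__main__":
    print(check_password("password"))
    print(check_password("Tr0ub4dor&3_xq"))
    print(check_password("Tr0ub4dor&3_xq", previous=["Tr0ub4dor&3_xp"]))
    print(check_password("Vuong#2015ab", personal_info=("Vuong",)))
```

The dictionary and similarity checks are the ones users most often trip over: a password that satisfies the character-class rules but is "Password1!" or last quarter’s password with the final character changed is exactly what the "significantly different" rule is meant to exclude.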


USER RESPONSIBILITIES

Internet Usage

The Technology Department is continuously monitoring Internet Usage. Any illegal use of the internet and other assets shall call for Disciplinary Action.

• Do not use the internet for viewing, storing or transmitting obscene or pornographic material
• Do not use the internet for accessing auction sites
• Do not use the internet for hacking other computer systems
• Do not use the internet to download / upload commercial software / copyrighted material
• Use internet services for business purposes only


USER RESPONSIBILITIES

E-mail Usage

• Do not use your official ID for any personal subscription purpose
• Do not send unsolicited mails of any type, such as chain letters or E-mail hoaxes
• Do not send mails to clients unless you are authorized to do so
• Do not post non-business related information to a large number of users
• Do not open mail or attachments suspected to be a virus or received from an unidentified sender
• Use official mail for business purposes only
• Follow the mail storage guidelines to avoid blocking of E-mails
• If you come across any junk / spam mail, do the following:
  a) Remove the mail.
  b) Inform the security help desk.
  c) Inform the server administrator.
  d) Inform the sender that such mails are undesired.


USER RESPONSIBILITIES

Security Incidents

Report Security Incidents (IT and Non-IT) to the Helpdesk through:
• E-mail to info.sec@organisation.com
• Telephone: xxxx-xxxx-xxxx
• Anonymous Reporting through Drop boxes

e.g. IT Incidents: Mail Spamming, Virus attack, Hacking, etc. Non-IT Incidents: Unsupervised visitor movement, Information leakage, Bringing unauthorized Media

• Do not discuss security incidents with anyone outside the organisation
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents


USER RESPONSIBILITIES

• Ensure your desktops have the latest antivirus updates
• Ensure your system is locked when you are away
• Always store laptops / media in a lockable place
• Be alert while working on laptops during travel
• Ensure sensitive business information is under lock and key when unattended
• Ensure back-up of sensitive and critical information assets
• Understand compliance issues such as Cyber Law, IPR, Copyrights, NDA, Contractual Obligations with customers
• Verify credentials if a message is received from an unknown sender
• Always switch off your computer before leaving for the day
• Keep yourself updated on information security aspects


Disable non-essential services, protocols, processes and programs

Protocols, systems, and processes that are not needed rob systems of resources and allow potential attacks to occur that could damage your systems.

If they are not being actively used, they are an unnecessary security risk.

The solution is simply to disable or deactivate the service, protocol, system, or process that is not needed.

But… Be Careful!

You need to understand what it is and what you are doing!

Example: FIT E-learning (figure: Student V, Mr. T and the FIT E-learning server connected through ISPs A, B, C and D)

Example: FIT E-learning (figure: Student V sends “Hello, I’m V” to FIT E-learning across the ISPs)

Tutorial

Using wireshark to sniff the network traffic.

Let’s see if you can get some passwords?