Date posted: 16-Jan-2016
COMP1321
Networks in Organisations
Richard Henson
March 2014

Protecting Organisational Data
By the end of this session you should be able to:
– explain why the internal network user is potentially a threat
– explain the importance of protecting entry to the network by outsiders
– suggest ways to identify vulnerabilities of the network, so action can be taken to reduce the risk

Network Management
A network manager has two (conflicting?) responsibilities
– provide facilities and services that users need to do their jobs
– protect the network against abuse by naïve or malign users
General perception (by users!)…
– network managers are more concerned with “protecting the network” than servicing the needs of its users

The “good insider”.. Threat (?)
Users: employees, who (generally) want to do their job, and do it well…
Possible conflict with the “security-orientated” or “nanny-state” approach to network management
Personal opinion: needs balance
– the network IS there for the benefit of the users…
» fulfill business objectives
– the network MUST be as secure as reasonably possible
» protect valuable company data

“unthinking” insiders
Employees who do stupid things on the network
– bring in viruses
– spread passwords around
– forward email inappropriately
– engage with phishing emails…
– etc…

Bad Insiders
Could be disillusioned
– just plain corrupt
– maybe a temp?
Could cause real damage
– bring network down
– put company out of business…

What to do about the Insider Threat?
A matter for organisational management
– Establish policy
» negotiated with users…
– Educate/train users
– Enable breaches of policy to be detected…
– Enforce policy!

What about Outsiders?
Two types:
– employees working “in the field”
– the rest of the world…
Organisational management can’t enforce policy on the latter…
– network only protected through good, well-resourced network management

Firewalls: checking/blocking data coming in and out…
[Diagram: Internal Network, Firewall, INTERNET]

Do we have a problem?
Perceptions “from the inside” quite different from “outside looking in”

Should we find out…?
Almost impossible to tell if the network is secure from within…
– could just hope so (!)
– could go outside, and try to penetrate defences
– better still, the organisation could get a benign expert to do it for them…

Assuming no security…
Data cannot be made completely secure if it uses a public network
– naïve to think so
Also (especially…) true on a wireless public network
– necessary to have a system that ensures data that is hacked en route is unintelligible

Authentication had better be good…
Generally means control via the desktop or application layer
– Browser/Windows desktop
If Internet-based, should use PKI
» public-key encrypted email
    user digital certificate tied to computer & email address
» public-key encrypted web pages
    use https protocol
    server has an SSL certificate

End-device controlled security
Two types of identification (as in previous e.g.):
– via computer (device) ID
– via user ID
Either/both can (should?) have a password to control access

Security & Privacy
Closely related technologies
– important differences
Privacy
– about informational self-determination
» ability to decide what information about you goes where
Security
– offers the ability to be confident that privacy decisions are respected

Privacy, Security, and Websites
Many potential vulnerabilities….
– openly displayed “sensitive” text
“Hidden” web pages not really hidden
Access to web server, or ftp server, by finding website administrators details…
Hacking web databases via SQL Injection…

Privacy, Security and Mobile Networks
Mobile voice privacy
– can someone listen in on my call?
» privacy goal: allow user to say no
» security technology, e.g. encryption: allows user to enforce it
Sometimes goals of security and privacy are the same
– other times orthogonal, or even in conflict

Security/Privacy v Availability
“I want it all, and I want it now…”
– http://www.youtube.com/watch?v=1pm4fQRl72k
“Only if your request conforms with the rules…”
– society: bad for other people
– organisational: confidentiality
– personal: human rights

Balancing Rules on Privacy/Security
Ideal:
– keeps the data secure…
– allows the user freedom to do their job, participate in legitimate leisure activity, etc.
Unnecessarily restrictive or unexplained rules…
– users get frustrated…

NOT Getting the balance right…
Worrying survey & report (BBC, 19/11/10): http://www.bbc.co.uk/news/business-11793436
BBC’s own network users so frustrated about IT restrictions stopping them doing their jobs that many (typically 41% according to a CISCO survey) ignored the rules!
Is it the same everywhere?
Is it any better today?