
Network Security Applications: Threats do Exists Advance Network Based Application (CIS 471) CSUDH...

Network Security Applications: Threats do Exists Advance Network Based Application (CIS 471) CSUDH Robert Pittman Jr., M.P.A., CISM Assistant CISO County of Los Angeles April 30, 2007

Network Security Applications:

Threats do Exists

Advance Network Based Application (CIS 471) CSUDH

Robert Pittman Jr., M.P.A., CISM Assistant CISO

County of Los Angeles April 30, 2007


Student’s questions…

What kind of security risks are involved with social networking sites like MySpace, Facebook or Match.com?

How often is there an attempt to steal information? How often is there a breach?

What is the demand for Security Professionals in the IT field like?

Are Chief Security Officers common in corporations?

What do you think will be the future of IT security demand? (more demanding less demanding)

From your experience, how difficult was it to get started in the IT field?

How big is the career demand?

What certifications, years of experience, and/or degree are needed to start a career in IT?

As far as network security and anything IT related, did you get any type of training from your company before you started?


Agenda

OSI-Layer and the Zones

Network Threats

Mitigating Network Threats

Wireless Networks Threats

Wireless Networks Secured

Web Appl (includes e-Commerce) Threats

Mitigating Web Appl (includes e-Commerce) Issues

Coding Web Appl (includes e-Commerce)

Computer Crimes – the Latest News

References

Hacker Sites


OSI-Layer and the Zones

Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport
Layer 3 - Network
Layer 2 - Data Link
Layer 1 - Physical

Internet / Demilitarized Zone (DMZ) / Intranet


Network Threats

Denial of Service (DoS/DDoS)
Common Attacks (e.g. Back Door, etc.)
Voice over Internet Protocol (VoIP)
Network devices
  > default SNMP community strings
  > default accounts, passwords, & encryption keys
  > unnecessary Services (i.e., ports)
  > unencrypted & unauthenticated Admin passwords
  > printers, fax machines, and scanners


Mitigating Network Threats

Use of a Network Intrusion Detection System (NIDS)

Use of a traffic regulator/governor

Maintain software currency (OS, DBMS, etc.)

Maintain currency of anti-virus and other security products

Perform a Complete Configuration Audit

Set up a syslog server

Disable default accounts & change default passwords

Disable unnecessary services

Use encrypted & authenticated admin protocols

Use port-level security
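
A configuration audit covering several of the items above can be scripted. The following is an added example, not part of the original presentation: the sample configuration is constructed, uses Cisco IOS-style syntax as an assumption about the device type, and the rule wording is illustrative.

```python
import re

# Constructed Cisco IOS-style config, for illustration only.
SAMPLE_CONFIG = """\
hostname edge-sw1
enable password cisco
snmp-server community public RO
snmp-server community Xk29fQz RO
ip http server
interface FastEthernet0/1
 switchport mode access
line vty 0 4
 transport input telnet
"""

# Lines whose presence is a finding: (pattern, finding).
FLAG_IF_PRESENT = [
    (r"^snmp-server community (public|private)\b", "default SNMP community string"),
    (r"^enable password\b", "admin password not stored as 'enable secret'"),
    (r"^\s*transport input .*\b(telnet|all)\b", "unencrypted admin protocol (telnet)"),
    (r"^ip http server\b", "unnecessary/unencrypted service (HTTP)"),
]
# Lines whose absence is a finding: (pattern, finding).
FLAG_IF_ABSENT = [
    (r"^logging (host )?\d+\.\d+\.\d+\.\d+", "no syslog server configured"),
    (r"^\s*switchport port-security\b", "no port-level security on any interface"),
]

def audit(config):
    """Return findings as 'line N: finding' or 'missing: finding'."""
    findings = []
    for number, line in enumerate(config.splitlines(), start=1):
        for pattern, finding in FLAG_IF_PRESENT:
            if re.search(pattern, line):
                findings.append(f"line {number}: {finding}")
    for pattern, finding in FLAG_IF_ABSENT:
        if not re.search(pattern, config, re.MULTILINE):
            findings.append(f"missing: {finding}")
    return findings

if __name__ == "__main__":
    for item in audit(SAMPLE_CONFIG):
        print(item)
```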


Wireless Networks Threats

Ability to passively obtain confidential data and leave no trace of the attack

Positioned behind perimeter firewalls may provide attackers with a backdoor

Could serve as a launching pad for attacks (i.e., zombie, etc.) on unrelated networks

Provide convenient cover as identifying the originator of an attack is difficult, if not impossible


Wireless Networks Secured

Isolate wireless networks
Require stronger authentication
Secure the handhelds (e.g., PDAs, laptops, etc.)
WEP is not a security solution
Eliminate the use of a descriptive name for SSID and the Access Point
Hardcode MAC address that can use the AP
Change Encryption Keys frequently
Locate APs centrally
Change default AP passwords/IP addresses
DHCP should not be used
Identify Rogue APs


Web Appl (includes e-Commerce) Threats

Spoofing identity (RFC 2617)

Data Tampering

Repudiation

Information disclosure

Denial of Service

Elevation of privilege


Mitigating Web Appl (includes e-Commerce) Issues

Source Code
Authentication
Session Handling
Error Handling
Database Handling
Shopping Cart
File Handling
Application Audit Events
Input Validation
Sensitive Data in Cookies and Fields


Coding Web Appl (includes e-Commerce)

Do not…
trust data received from any external source
rely on client-side data validation
write unfiltered data to the web browser
access files based on user input without validation
put sensitive information in hidden form fields
store passwords or other sensitive info in ASP pages
leave comments in client-side HTML
store unnecessarily sensitive info in the database
put sensitive info in URLs

Do’s…
disable the default error page
properly quote external data used in SQL statements
log suspicious activity
specify a particular character set
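
Four of these rules in code, as an added example that is not part of the original presentation. It uses bound SQL parameters as the way to achieve what the slide calls proper quoting; the table, document root, logger name and all inputs are constructed assumptions.

```python
import html
import logging
import sqlite3
from pathlib import Path

log = logging.getLogger("webapp.security")   # hypothetical logger name
DOC_ROOT = Path("/srv/app/public")           # assumed document root
CONTENT_TYPE = "text/html; charset=utf-8"    # specify a particular character set

def make_db():
    """Constructed in-memory table standing in for the application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return db

def find_user_unsafe(db, name):
    """The 'do not': external data concatenated into the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user(db, name):
    """The 'do': external data bound as a parameter, never parsed as SQL."""
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def render_greeting(name):
    """Encode external data before writing it to the browser."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def resolve_download(requested):
    """Map user input to a file only if the result stays inside DOC_ROOT."""
    root = DOC_ROOT.resolve()
    target = (root / requested).resolve()
    if root not in target.parents:
        log.warning("rejected file request: %r", requested)  # log suspicious activity
        return None
    return target

if __name__ == "__main__":
    db = make_db()
    tricky = "x' OR '1'='1"                  # constructed input containing a quote
    print(len(find_user_unsafe(db, tricky)), len(find_user(db, tricky)))
    print(render_greeting("<script>alert(1)</script>"))
    print(resolve_download("../../etc/passwd"), resolve_download("reports/q1.pdf"))
```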


Computer Crimes – the Latest News

Vermilion, Ohio Man Sentenced in Wire Fraud Case (April 19, 2007)

Former Navy Contractor Sentenced for Damaging Navy Computer System (April 5, 2007)

St. Joseph Woman Sentenced For $312,000 Wire Fraud (March 14, 2007)

Hackers from India Indicted for Online Brokerage Intrusion Scheme that Victimized Customers and Brokerage Firms (March 12, 2007)

New CCIPS Publication, "Prosecuting Computer Crimes" Manual Now Available (March 10, 2007)

Defendant Sentenced For Conspiring To Commit Computer Fraud And Identity Theft (March 5, 2007)

Massachusetts Man Charged with Defrauding Cisco of Millions of Dollars Worth of Computer Networking Equipment: Using False Identities and Private Mailboxes in at Least 39 States, Suspect Allegedly Carried out the Fraud at Least 700 Times (February 28, 2007)

Washington State Man Pleads Guilty To Charges Of Transmitting Internet Virus (February 15, 2007)

Clovis and Fresno Residents Plead Guilty to Conspiracy to Commit Wire Fraud, Mail Fraud, and Copyright Infringement (February 8, 2007)

Three Internal Revenue Service Employees Indicted for Computer Fraud/Abuse (February 8, 2007)

Man Pleads Guilty to Stealing Morgan Stanley Trade Secrets Relating to Hedge Funds (February 1, 2007)


References

csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
www.cert.org/security-improvement/modules/m11.html
www.cisco.com
www.cisecurity.org
www.csoonline.com
www.ietf.org/rfc.html
www.linuxhomenetworking.com/cisco-hn/syslog-cisco.htm
www.netstumbler.com
www.nist.gov (not www.nist.org)
www.ntbugtraq.com
www.owasp.org
www.sans.org
www.usdoj.gov/criminal/cybercrime/cc.html
Hack Notes: Web Security Portable Reference, Mike Shema; 174 pages, 2003, McGraw-Hill Companies.
Writing Secure Code, Microsoft Second Edition, Michael Howard and David LeBlanc; 768 pages, 2003, Microsoft Press.


Hacker Sites

www.2600.com
www.antionline.com
www.defcon.org
www.hackers.com
www.insecure.org


Thanks for listening!

Questions?
