Computer Systems Security - PowerPoint PPT Presentation

1
  • Computer Systems Security
  • In an Internet Age
  • Presented by Neil A. Rosenberg
  • President & CEO
  • Quality Technology Solutions, Inc.

2
What is Computer Security?
  • Intrusion Detection/Response?
  • Confidentiality Protection & Encryption?
  • Single Sign-On?
  • Network Firewall Configuration?
  • Training & Awareness?
  • Secure Email?
  • Virus Protection?
  • Access Control?
  • Electronic Records Management?
  • eBusiness?
  • Remote Access?
  • Virtual Private Networks?
  • Certificate Management?
  • Identification & Authentication?
  • Packet Filters?
  • Vulnerability Reduction?
  • Disaster Recovery?
  • Denial of Service Attacks?
  • Risk Assessment?
  • Quality of Service?
  • Network Directory Service?
  • Audits/Reviews?
  • Policy-Based Management?
  • Secure Messaging and Collaboration?
  • Authentication & Digital Identity

3
Definition
  • "Security is keeping anyone from doing things
    you do not want them to do, with, on, or from
    your computers or any peripheral devices"
  • Source: William Cheswick and Steven Bellovin,
    Firewalls and Internet Security - Repelling the
    Wily Hacker

4
What are the Threats?
  • Hackers
  • Denial of Service Attacks
  • Corporate Espionage
  • Former Employees
  • SPAM and Junk E-Mail
  • Viruses, Trojan Horses, Worms
  • Java, ActiveX and Script Vandals
  • Your Current Employees!

5
Part I: Securing Your Internet Connection
6
In the Age of eBusiness
  • Internet Security is all about Keeping Your
    Business Running!

7
  • Security is a business process requiring
    continuous improvement and automation...

1) Security Policy
2) Secure
3) Monitor and Respond
4) Test/Assess
5) Manage and Improve
8
Security Services Checklist
  • What to ask yourself
  • Do you have policies and procedures in place to
    deal with security incidents?
  • How are they communicated with your employees?
    Ongoing training?
  • Do you have security products in place to
    safeguard or monitor abuse?
  • Do you test your systems' security and
    continuously improve it?
  • Do you keep logs to tell what happened, when and
    by whom?

9
e-Business Security Steps: An Overall Methodology
  • Ensure Policy is Developed
  • Identify Users, Hosts, Applications, Services
  • Ensure the Perimeter is Secure
  • Use Encryption as Appropriate
  • Monitor Security and Respond to Events
  • Train Users on the Policy
  • Audit Procedures and Effect Compliance

10
The Security Dilemma
[Diagram labels: Internet Business Value; Security Considerations; Internet Access; Corporate Intranet; Internet Presence; iCommerce; VPN and Extranets]
11
How Much Security Do I Need?
  • "The strength of one's computer security
    defenses should be proportional to the threat
    from that arena"
  • Source: William Cheswick and Steven Bellovin,
    Firewalls and Internet Security - Repelling the
    Wily Hacker

12
What is your exposure?
  • How do you value your information assets?
  • Service Interruption
  • Hour, day and week long outages
  • Complete loss or disclosure of data
  • Opportunity Cost?
  • Theft of proprietary information
  • Bad Publicity

13
What is the cost if you don't act?
  • Single Loss Expectancy times Annualized Rate of
    Occurrence = Annual Loss Expectancy
  • Loss of Business
  • Loss of Secrets
  • Customer Image/Perception
  • Lost Time/Productivity
  • What is the value of assets to be protected?

14
At What Cost?

15
Who is Secure?
Source: Cisco Secure Consulting Engagements, 1996-1999
16
Key Elements of Network Security
  • Authentication Services
  • Perimeter Security
  • Data Privacy
  • Security Monitoring
  • Policy Management

17
Security: A Physical Analogy
[Diagram labels: Security Camera; Traditional Locks; Security Office; Guard]
18
The Goal: Intelligent, Self-Defending Networks
  • Comprehensive security functionality
  • System approach - not just a collection of point
    products
  • Dynamic re-configuration of devices
  • Centralized policy management
  • Leverages infrastructure investment

19
Secure e-Commerce: Identity
[Network diagram labels: Certificate Authority, Server Farm, Digital Certificate, IDS, Corporate Network, Internet, Service Provider, Manufacturing, Firewall, Router, Scanner, Policy Manager, Policy Server, Supplier, Retail Customer]
20
Digital Identity (PKI)
  • Certificates can be used to securely identify and
    define the person
  • Certificate Authorities such as Entrust and
    VeriSign vouch for the identity behind
    organizational or personal certificates for a
    fee, or this can be done internally
  • Certificates can be used to secure email, or VPN
    connections, or for eCommerce
  • Certificates can validate remote users, for
    access to internal systems via the Internet

21
Secure eCommerce via SSL
  • Certificate Authorities such as Entrust and
    VeriSign vouch for the identity of organizational
    server certificates
  • Client Browsers recognize the certificate and
    accept the connection as trusted
  • Encryption is established for the session between
    the Browser and the Server
  • eCommerce data is secure over the wire

22
Secure e-Commerce: Data Privacy/VPN
[Network diagram labels: Certificate Authority, Server Farm, IDS, Corporate Network, Internet, Service Provider, Manufacturing, Firewall, Router, Scanner, Policy Manager, Policy Server, Supplier, Retail Customer]
23
Virtual Private Network (VPN)
  • Use the Internet as the highway
  • Exchange certificates to establish identity on
    each side
  • Encrypt data going out, decrypt it coming in
    based on certificates
  • Server to Server, LAN to LAN, Client to Server
  • Vendors include Microsoft, Novell, Cisco, Check
    Point, and countless others

24
Secure e-Commerce: Perimeter Security
[Network diagram labels: Certificate Authority, Server Farm, Hacker, IDS, Corporate Network, Internet, Service Provider, Manufacturing, Firewall, Router, Scanner, Policy Manager, Policy Server, Supplier, Retail Customer]
25
Packet Filtering Firewalls
  • Prevent unauthorized access to corporate network
  • ONLY lets authorized traffic through
  • Packet filter administration is via IP & port:
    inexpensive, but cumbersome to manage
  • Firewalls add alarms, logging and improved
    administration & performance

26
Secure e-Commerce: Security Monitoring
[Network diagram labels: Certificate Authority, Server Farm, Hacker, IDS, Alert!, Corporate Network, Internet, Service Provider, Manufacturing, Firewall, Router, Scanner, Policy Manager, Policy Server, Supplier, Retail Customer]
27
Intruder Detection and Prevention
  • eBusiness requires a highly effective security
    system that detects, monitors, and expels
    unauthorized users, as well as tools to prevent
    attacks before they happen
  • Intrusion Detection software can monitor your
    perimeter (or internal LAN), detect attacks based
    on signature (similar to antivirus software),
    harden firewalls to prevent access, log the
    attack and identify the attacker for prosecution.
  • Vendors include Check Point/ISS, Symantec/Axent,
    Cisco, others.

28
Alerting
  • Alerting through email, console or
    broadcast on certain conditions
  • Server Alerts (disk space low, memory low, etc.)
  • License Alerts (licenses expired, unavailable)
  • Security Alerts (Denial of Service attacks,
    hackers)
  • Proxy Alerts (ICP parent down, POP3 mail server
    down, SMTP mail server down)
  • Other system or administrator-defined alert
    conditions (depending on product)

29
Secure e-Commerce: Policy Management
[Network diagram labels: Certificate Authority, Server Farm, IDS, Corporate Network, Internet, Service Provider, Manufacturing, Firewall, Router, Scanner, Policy Manager, Policy Server, Supplier, Retail Customer]
30
Policy-Based Administration
  • Security Policies are managed from a central
    location and cut across all systems and security
    infrastructure: firewalls, IDS, applications,
    etc.
  • Tight Integration reduces security risk
  • Brings all the components together
  • Check Point is the leader in this product area.

31
For More Information
  • www.QTSnet.com/security
  • www.microsoft.com/security
  • www.novell.com/info/security
  • www.checkpoint.com
  • securityfocus.com
  • www.cert.org
  • www.securityportal.com
  • www.nai.com
  • razor.bindview.com
  • Xforce.iss.net

32
Part II: Securing Your Internal Network, and
Other Considerations
33
Internal Security Threats
  • Employees
  • Former Employees
  • Contractors
  • Competitors (Corporate Espionage)
  • Viruses

34
Passwords
  • How secure are your passwords?
  • How many passwords do users need to remember?
  • How often are passwords changed?
  • Do you enforce length? Require alphanumeric?
  • Do you require additional authentication?
  • Can users log in with no passwords?
  • Are administrator passwords known? Changed?
  • Is network activity logged and auditable?
  • Do you have a centralized Directory Service?

35
The Electronic Identity Crisis
  • Most corporate users have too many IDs and
    passwords to remember

36
Single Password: The Obvious Solution
  • Users can set one password for use everywhere

37
The Best Passwords - Strong and Unique
  • Use different passwords for each system

  • NDS: Jfclark/g0ut@h
  • Exchange: Jfc/Ah@rl!n!
  • Continuus: jfclark/wR1t!c0d!
  • Notes: john/1bms0ft
  • Digitalme: jfclark/wBs2
  • Monster: jfc3/4rF6yZ2
  • AOL IM: clarkjf/IaHlUc
  • Dial-up Networking: johnc/c0n2!ct
  • GroupWise: jfclark/M@1lb0x
  • BayStone: jfclark/z!r0Bug
38
Lost or Forgotten Passwords
  • The result
  • User frustration
  • Help desk calls
  • Compromised security

What was that password???
39
Single Sign-on (SSO) Solutions
  • Password synchronization
      • Weakest link security
      • Difficult to implement
  • Wallet solutions
      • Not centralized, questionable security
  • Directory solutions (NDS, Active Directory)
      • Centralized, secure, manageable

40
Multifactor Authentication
  • Depending on security needs, it is possible to
    use multiple methods, in combination, to
    authenticate to your systems and establish
    identity
  • NDS password
  • Fingerprint, voiceprint
  • X.509 v3 certificate
  • Simple password
  • Token and SmartCard
  • RSA SecurID (pass-through)
  • Authentication methods can be tailored
    to the needs and the security considerations
    of the business, and its cost sensitivity

41
Multi-Factor Graded Authentication: Strong
Authentication Factors
  • Something you know
      • Username/password (knowledge)
  • Something you possess
      • Token systems (possession)
      • Smartcards (possession)
  • Biometrics (user property)

42
E-Mail Security
  • Do you have a written policy on use of email?
  • Do you monitor email for destination and/or
    content?
  • Do you scan all email for viruses and vandals?
  • Do you limit size of email, and length of
    retention?
  • Do you encrypt sensitive email?
  • Do you filter SPAM and junk mail?
  • Do you block relaying?
  • Do you track incoming and outgoing email?

43
E-Mail Security (Continued)
  • Most LAN email systems have some of these
    capabilities, including Exchange/Outlook, Notes,
    and GroupWise
  • Third Party Products can expand capability,
    including integration with antivirus and firewall
    software
  • Leading vendors include Aladdin, TenFour Software
    and Tumbleweed Software

44
Virus Protection
  • eBusiness extends your number of network
    connections and, therefore, the number of virus
    entry points; all must be completely protected
  • Viruses & vandals can enter your network on
    diskette, via download, via email, via web page
    browsing, in software, intentionally or
    unintentionally.
  • Once on your network, a virus typically costs
    $250 per PC, infected or not, to check, clean and
    return to normal.
  • LANs are a conduit for viruses to spread rapidly,
    and the Internet is the ultimate LAN!

45
Antivirus Software
  • Needs non-intrusive software that scans in real
    time and detects/cleans viruses before they
    spread
  • Detect based on signature or heuristics, and
    update the signatures regularly!
  • Scan all incoming and outgoing email, and all
    Internet downloads; if possible, stop them at the
    firewall via CVP
  • Some programs don't work well with AV software
  • Leading vendors are Network Associates/McAfee,
    Trend Micro, Symantec, Computer Associates

46
Network Audits
  • Inventory
  • Asset Management
  • Encryption
  • File System Directory Security
  • Management Policies

Why Audit? Because 80% of information security
breaches and resulting losses originate from
inside an organization - National Security
Institute, 1999
47
Improve Security
  • Problem/Challenge
      • Security threats
          • Internal
          • External
      • Security breaches are costly
      • Process of performing security audits is time
        consuming
      • Inconsistent enforcement of corporate policies
  • Common Questions
      • Who has access to resources?
      • How did they obtain access?
      • How quickly can corrections be implemented across
        the enterprise?
      • Who is abusing or circumventing corporate
        policies?
      • How do I find and get rid of security
        vulnerabilities?

48
Comprehensive Security Analysis
  • Effective Rights Analysis
      • Identify who has rights to resources and where
        those rights were obtained
  • Password Policy Enforcement
      • Analyze and change all password related settings
      • Programs for running password analysis reports
        against latest hackers' password dictionary
  • Hidden/Invisible Objects
      • Unique capability of reporting on hidden/
        invisible objects in directory and their key
        characteristics

49
Conclusion: Bringing It All Together!
50
Best Practice Network Security Implementation
  • Strong authentication for all users, not weak
    passwords!
  • Well-Designed DMZ Firewall infrastructure to
    limit access
  • Intrusion Detection to analyze traffic in
    critical areas
  • VPNs to cost-effectively extend connectivity and
    ensure data privacy & security for users,
    customers and partners
  • Periodic network risk assessments and attack
    testing
  • On-going policy development and user training
  • Antivirus solution and strong email security
    policy
  • Proactive, centralized policy-based management

51
Why don't customers manage risks?
  • Customer reasons for not managing security

According to the Computer Security Institute
52
Is there any doubt that security is needed?
  • Global immediate access equals a shared global
    risk
  • How much security is enough?
  • Depends on risk/reward. How
    important are computers and
    the Internet to your business?
  • How important is your data?

53
Cisco's Top 10 Security Tips
  • Require employees to choose non-obvious passwords
  • Require employees to change passwords every 90
    days
  • Make sure your virus protection subscription is
    current
  • Educate staff about the security risks of email
    attachments
  • Implement a comprehensive network security
    solution
  • Assess your security posture regularly
  • When an employee leaves the company, remove the
    employee's network access, and all user IDs,
    immediately
  • If you allow people to work from home, provide a
    secure, centrally managed environment for remote
    traffic
  • Update your Web server software regularly
  • Do not run any unnecessary network services

54
Next Steps
  • Do you have an information security plan for your
    business?
  • Has that plan been communicated, implemented and
    tested?
  • Is your network capable of current and future
    eBusiness needs?
  • Do you have professional staff capable of
    managing and monitoring security?
  • Do you need outside help?

55
Who is QTS?
  • Network Integrator specializing in serving NJ/NY
    Law Firms and Businesses - Novell Platinum
    Partner, Microsoft Certified Partner, Check Point
    Authorized Partner, Cisco Authorized Reseller,
    Citrix, Compaq, RSA, Aladdin, others
  • In business since 1992, based in South Orange
  • 22 employees, including 12 technical (4 dedicated
    to support). Avg technician experience is 6
    years, 8 CNEs and 10 MCPs on staff.
  • Winner of Novell Service Excellence Award for
    2000 and 2001, one of 15 in North America!
  • Focus on well planned & managed, high quality
    project delivery, and responsive support

56
QTS Partners
57
QTS Security Solutions
  • Firewall Solutions: Check Point, Cisco, Novell,
    Microsoft
  • Intrusion Detection Systems: Check Point/ISS
  • Directory Services: Novell, Microsoft
  • Antivirus Solutions: Network Associates, Computer
    Assoc, Aladdin
  • Secure Email: Aladdin, GroupWise, Exchange, Notes
  • VPN Solutions: Novell, Check Point, Cisco,
    Microsoft
  • Authentication: RSA
  • Network Management: Novell, Microsoft
  • Remote Access: Novell, Microsoft, Citrix, others
  • Network Audits and Security Analysis
  • Network Penetration/Attack Testing

58
Questions? Need Info?
  • QTS is at Booth 125
  • Drop off card for info/drawing
  • www.QTSnet.com (will post presentation)
  • www.QTSnet.com/Security
  • QTS Seminar Series event tomorrow, Thursday June
    14th from 9-12 at QTS in South Orange
      • Getting your E-Business in Gear
  • QTS Seminar Series continuing in September with
    Security Series with Check Point Software and
    Novell

59
Questions & Answers
Neil Rosenberg
Quality Technology Solutions, Inc.
76 South Orange Avenue
South Orange, NJ 07079
(973)761-5400 x230
Fax (973)761-1881
nrosenberg_at_QTSnet.com
www.QTSnet.com