Security

1
Security

• Securing IS

2
SECURITY

• Deter
• Detect
• Minimize
• Investigate
• Recover

3
Security Risks
Internal External
4
Threats

• Disaster and breakdowns
• Access and disclosure
• Alteration or destruction
• Improper use

5
RISK ASSESSMENT

• P1 Probability of attack
• P2 Probability of success
• L Cost of Loss
• Expected Loss P1 P2 L
• Minimize Threat Categories

6
Security Policy

• Security is always a cost to efficiency. It must
  be promoted to be effective.
• From the top
• Before installing hardware
• Politically charged

7
Writing a Security Policy

• Assess the types of risks
• Identify vulnerabilities
• Analyze user needs
• Write the policy
• Develop change procedures
• Plan implementation
• Implement

8
Elements of Risk
Asset
Threat
Access
9
Administrative ControlsLimit the Threat

• Standards, rules, procedures and discipline to
  assure that personnel abide by established
  policies. Includes segregation of functions.

10
Administrative Controls

• Security organization
• Audits
• Risk assessment
• Administrative standards and procedures

11
Protecting the Assets

• Resource management
• Disaster recovery
• System segregation

12
Resource Management

• Backup planning
• Job scheduling
• Redundant design
• Selective decoupling

13
Disaster Management

• Redundancy and fault tolerant systems
• Backups and off site storage
• Hot and cold sites
• Planning and procedures

14
Elements of Risk
Asset
Threat
Access
15
Access Control

• Human environment
• Policies and procedures
• Technological solutions

16
Vulnerabilities

• Servers
• Securing operating systems and applications
• Networks
• Access protection from snooping, attacks,
  spoofing
• Clients and modems
• User verification for PCAnywhere etc.
• Viruses

17
Operating Systems

• UNIX
• Novell Netware
• Windows and Windows NT

18
Secure Operating Systems

• U.S. Government Certification
• A1, B1, B2, B3, C1, C2 (most commercial systems),
  D
• Ease of use
• CERT (Computer Emergency Response Team)
  www.cert.org

19
Top 12 SecurityRisks

• 1. Hosts run unnecessary services
• 3. Information leakage through network service
  programs
• 4. Misuse of trusted access
• 5. Misconfigured firewall access lists
• 7. Misconfigured web servers
• 10.Inadequate logging, monitoring or detecting

20
Top 12 Security Risks

• 2. Unpatched, outdated or default configured
  software
• 6. Weak Passwords
• 8.Improperly exported file sharing services
• 9. Misconfigured or unpatched Windows NT servers
• 11.Unsecured remote access
• 12.Lack of comprehensive policies and standards

21
Tools

• Firewalls
• Network partitioning and routers
• Encryption
• Testing tools
• Consultants

22
Firewall functions

• Packet Filter Blocks traffic based on IP
  address and/or port numbers.
• Proxy Server Serves as a relay between two
  networks, breaking the connection between the
  two.
• Network Address Translation (NAT) Hides the IP
  addresses of client stations in an internal
  network by presenting one IP address to the
  outside world.
• Stateful Inspection Tracks the transaction in
  order to verify that the destination of an
  inbound packet matches the source of a previous
  outbound request. Generally can examine multiple
  layers of the protocol stack.

23
Firewall Operation
24
Firewall Operation

• 1. A router sits between two
• networks
• 2. A programmer writes an access control list,
  which contains IP addresses that can be allowed
  onto the network.
• 3. A message gets sent to the router. It checks
  the address against the access control list. If
  address the is on the list, it can go through.
• 4. If the address isn't on the list, the message
  is denied access to the network.

25
Encryption

• Keys and key length
• Public key/private key
• Processing problems
• Location
• Application
• Network
• Firewall
• Link

26
Encryption Techniques
27
How Public Encryption Works

• 1. Sue wants to send a message to Sam, so she
  finds his public key in a directory.
• 2. Sue uses the public key to encrypt the message
  and send it to Sam.
• 3. When the encrypted message arrives, Sam uses
  his private key to decrypt the data and read
  Sue's message.

28
Encryption at the Firewall
29
Authentication

• Passwords
• Credit cards
• Biometrics
• Isolation
• Remote location verification

30
Biometrics how it works

• Users "enroll" by having their fingerprints,
  irises, faces, signatures or voice prints
  scanned.
• Key features are extracted and converted to
  unique templates, which are stored as encrypted
  numerical data.
• Corresponding features presented by a would-be
  user are compared to the templates in the
  database.
• Matches will rarely be perfect, and the owners of
  the system can vary a sensitivity threshhold so
  as to minimize either the rate of false
  rejections, which annoy users, or false
  acceptances, which jeopardize security. This
  offers far more flexibility than the binary "Yes"
  or "No" answers given by password technologies.

31
Common biometric techniques and how they rate
International Biometric Group, New York as
reported in Computerworld, Quick Study
Biometrics, 10/12/98
32
Security The expense that keeps on costing, By
Erik Sherman, June 2000

• Lessons learned about properly securing your
  company.
• Train employees to act in secure ways
• Use security professionals to perform an audit
• Provide the necessary resources
• Physically secure servers
• Use the appropriate degree of security

33
Security