The University of Akron Summit College Business Technology Dept. - PowerPoint PPT Presentation

1 / 71
About This Presentation
Title:

The University of Akron Summit College Business Technology Dept.

Description:

Some of the questions in the client survey must include questions about: General information ... Present at most three designs for consideration ... – PowerPoint PPT presentation

Number of Views:42
Avg rating:3.0/5.0
Slides: 72
Provided by: gozips4
Category:

less

Transcript and Presenter's Notes

Title: The University of Akron Summit College Business Technology Dept.


1
The University of AkronSummit CollegeBusiness
Technology Dept.
  • 2440 141Web Site Administration
  • Introduction to Security
  • Instructor Enoch E. Damson

2
Information Security
  • Consists of the procedures and measures taken to
    protect each component of information systems
  • Protecting data, hardware, software, networks,
    procedures and people
  • The concept of information security is based on
    the C.I.A triangle (according to the National
    Security Telecommunications and Information
    Security Committee NSTISSC)
  • C Confidentiality
  • I Integrity
  • A Availability

3
Confidentiality
  • Addresses two aspects of security with subtle
    differences
  • Prevents unauthorized individuals from knowing or
    accessing information
  • Safeguards confidential information and
    disclosing secret information only to authorized
    individuals by means of classifying information

4
Integrity
  • Ensures data consistency and accuracy
  • The integrity of the information system is
    measured by the integrity of its data
  • Data can be degraded into the following
    categories
  • Invalid data not all data is valid
  • Redundant data the same data is recorded and
    stored in several places
  • Inconsistent data redundant data is not
    identical
  • Data anomalies one occurrence of repeated data
    is changed and the other occurrences are not
  • Data read inconsistency a user does not always
    read the last committed data
  • Data non-concurrency multiple users can access
    and read data at the same time but loose read
    consistency

5
Availability
  • Ensures that data is accessible to authorized
    individuals to access information
  • An organizations information system can be
    unavailable because of the following security
    issues
  • External attacks and lack of system protection
  • Occurrence of system failure with no disaster
    recovery strategy
  • Overly stringent and obscure security procedures
    and policies
  • Faulty implementation of authentication
    processes, causing failure to authenticate
    customers properly

6
Information Security Architecture
  • The model for protecting logical and physical
    assets
  • The overall design of a companys implementation
    of the C.I.A triangle
  • Components range from physical equipment to
    logical security tools and utilities

7
Components of Information Security Architecture
  • The components of information security
    architecture are
  • Policies and procedures documented procedures
    and company policies that elaborate on how
    security is to be carried out
  • Security personnel and administrators people
    who enforce and keep security in order
  • Detection equipment devices to authenticate
    users and detect and equipment prohibited by the
    company

8
Components of Information Security Architecture
  • Other components of information security
    architecture include
  • Security programs tools to protect computer
    systems servers from malicious code such as
    viruses
  • Monitoring equipment devices to monitor
    physical properties, users, and important assets
  • Monitoring applications utilities and
    applications used to monitor network traffic and
    Internet activities, downloads, uploads, and
    other network activities
  • Auditing procedures and tools checks and
    controls to ensure that security measures are
    working

9
Levels of Security
  • The levels of security include
  • Highly restrictive
  • Moderately restrictive
  • Open

10
Levels of Security
  • Before deciding on a level of security, answer
    these questions
  • What must be protected?
  • From whom should data be protected?
  • What costs are associated with security being
    breached and data being lost or stolen?
  • How likely is it that a threat will actually
    occur?
  • Are the costs to implement security and train
    users to use a secure network outweighed by the
    need to provide an efficient, user-friendly
    environment?

11
Highly Restrictive Security Policies
  • Include features such as
  • Data encryption
  • Complex password requirements
  • Detailed auditing and monitoring of
    computer/network access
  • Intricate authentication methods
  • Policies that govern use of the Internet/e-mail
  • Might require third-party hardware and software
  • Implementation cost is high
  • Cost of a security breach is high

12
Moderately Restrictive Security Policies
  • Most organizations can opt for this type of
    policy
  • Requires passwords, but not overly complex ones
  • Auditing detects unauthorized logon attempts,
    network resource misuse, and attacker activity
  • Most network operating systems contain
    authentication, monitoring, and auditing features
    to implement the required policies
  • Infrastructure can be secured with moderately
    priced off-the-shelf hardware and software
    (firewalls, etc)
  • Costs are primarily in initial configuration and
    support

13
Open Security Policies
  • Policy might have simple or no passwords,
    unrestricted access to resources, and probably no
    monitoring and auditing
  • May be implemented by a small company with the
    primary goal of making access to basic data
    resources
  • Internet access should probably not be possible
    via the company LAN
  • Sensitive data, if it exists, might be kept on
    individual workstations that are backed up
    regularly and are physically inaccessible to
    other employees

14
Securing the Web Environment
  • Both Linux and Windows need to configured
    carefully to minimize security risks
  • Keep software patches up to date
  • Web servers with static pages are relatively easy
    to protect than those with dynamic pages
  • To secure transmission, data may be encrypted
    with Secure Socket Layer (SSL) and Secure Shell
    (SSH)
  • To isolate a Web server environment
  • Firewalls may be used to block unwanted access to
    ports
  • Proxy servers may be used to isolate computers
  • To discover whether and how attackers have
    penetrated a system, intrusion detection software
    may be used

15
Identifying Threats and Vulnerabilities
  • Hackers sometimes want the challenge of
    penetrating a system and vandalizing it other
    times they are after data
  • Data can be credit card numbers, user names and
    passwords, other personal data
  • Information can be gathered by hackers while it
    is being transmitted
  • Operating system flaws can often assist hackers

16
Types of Attacks Vulnerabilities
  • Some of the numerous methods to attack systems
    are as follows
  • Virus code that compromises the integrity and
    state of a system
  • Worm code that disrupts the operation of a
    system
  • Trojan horse malicious code that penetrates a
    computer system or network by pretending to be
    legitimate code
  • Denial of service the act of flooding a Web
    site or network system with many requests with
    the intent of overloading the system and forcing
    it to deny service to legitimate requests
  • Spoofing malicious code that looks like
    legitimate code
  • Bugs software code that is faulty due to bad
    design, logic, or both

17
Types of Attacks Vulnerabilities
  • Other methods to attack systems include
  • Email spamming E-mail that is sent to many
    recipients without their permission
  • Boot sector virus code that compromises the
    segment in the hard disk containing the program
    used to start the computer
  • Back door an intentional design element of some
    software that allows developers of a system to
    gain access to the application for maintenance or
    technical problems
  • Rootkits and bots malicious or legitimate
    software code that performs functions like
    automatically retrieving and collecting
    information from computer systems

18
Examining TCP/IP
  • TCP/IP was not designed to be secure but to allow
    systems to communicate
  • Hackers often take advantage of the ignorance
    about TCP/IP to access computers connected to the
    Internet
  • The following are parts of the IP header most
    relevant to security
  • Source address start-point IP address
  • Destination address end-point IP address
  • Packet identification, flags, fragment offset
  • Total length length of packet in bytes
  • Protocol TCP, UDP, ICMP

19
Vulnerabilities of DNS
  • Historically, DNS has had security problems
  • BIND is the most common implementation of DNS and
    some older versions had serious bugs
  • Current versions of BIND have been more secure

20
Vulnerabilities in Operating Systems
  • Operating systems are large and complex
  • Hence, more opportunities for attack
  • Inattentive administrators often fail to
    implement patches when available
  • Some attacks, such as buffer overruns, can allow
    the attacker to take over the computer

21
Vulnerabilities in Web servers
  • Static HTML pages pose virtually no problem
  • Programming environments and databases add
    complexity that a hacker can exploit

22
Vulnerabilities of E-mail Servers
  • By design, e-mail servers are open
  • E-mail servers can be harmed by a series of very
    large e-mail messages
  • Sending an overwhelming number of messages at the
    same time can prevent valid users from accessing
    the server
  • Viruses can be sent to e-mail users
  • Retrieving e-mail over the Internet often
    involves sending your user name and password as
    clear text

23
Security Basics
  • Some of the basic security rules are as follows
  • Security and functionality are inversely related
    the more security you implement, the less
    functionality you will have, and vice versa
  • No matter how much security you implement and no
    matter how secure your site is, if hackers want
    to break in, they will
  • The weakest link in security is human beings

24
Security Methods
  • People
  • Physical limits on access to hardware and
    documents
  • Through the processes of identification and
    authentication, make certain that the individual
    is who he/she claims to be through the use of
    devices, such as ID card, eye scans, passwords
  • Training courses on the importance of security
    and how to guard assets
  • Establishments of security policies and procedures

25
Security Methods
  • Applications
  • Authentication of users who access applications
  • Business rules
  • Single sign-on (a method for signing on once for
    different applications and Web sites)

26
Security Methods
  • Network
  • Firewalls to block network intruders
  • Virtual private network (VPN) a remote computer
    securely connected to a corporate network
  • Authentication

27
Security Methods
  • Operating System
  • Authentication
  • Intrusion detection
  • Password policy
  • Users accounts

28
Security Methods
  • Database Management Systems
  • Authentication
  • Audit mechanism
  • Database resource limits
  • Password policy

29
Security Methods
  • Data Files
  • File permissions
  • Access monitoring

30
Securing Access to Data
  • Securing data on a network has many facets
  • Authentication and authorization identifying
    who is permitted to access which network
    resources
  • Encryption/decryption making data unusable to
    anyone except authorized users
  • Virtual Private Networks (VPNs) allowing
    authorized remote access to a private network via
    the public Internet
  • Firewalls installing software/hardware device
    to protect a computer or network from
    unauthorized access and attacks

31
Securing Access to Data
  • Other facets of securing data on a network
    include
  • Virus and worm protection securing data from
    software designed to destroy data or make
    computer or network operate inefficiently
  • Spyware protection securing computers from
    inadvertently downloading and running programs
    that gather personal information and report on
    browsing and habits
  • Wireless security implementing unique measures
    for protecting data and authorizing access to the
    wireless network

32
Securing Data Transmission
  • To secure data on a network, you need to encrypt
    the data
  • Secure Socket Layer (SSL) is commonly used to
    encrypt data between a browser and Web server
  • Secure Shell (SSH) is a secured replacement for
    Telnet

33
Securing the Operating System
  • Use the server for only necessary tasks
  • Minimize user accounts
  • Disable services that are not needed
  • Make sure that you have a secure password

34
Securing Windows
  • Some services that are not needed in Windows for
    most Internet-based server applications may be
    turned off
  • Examples include
  • Alerter
  • Computer browser
  • DHCP client
  • DNS client
  • Messenger
  • Server
  • Workstation
  • Also, the registry can be used to alter the
    configuration to make it more secure such as
    disabling short file names

35
Securing Linux
  • Only run needed daemons
  • Generally, daemons are disabled by default
  • The command netstat -l gives you a list of
    daemons that are running
  • Use chkconfig to enable and disable daemons
  • chkconfig imap on would enable imap

36
Securing E-mail
  • Tunneling POP3 can prevent data from being seen
  • Microsoft Exchange can also use SSL for protocols
    it uses
  • Set a size limit for each mailbox to prevent
    someone from sending large e-mail messages until
    the disk is full

37
Securing the Web Server
  • Enable the minimum features
  • If you don't need a programming language, do not
    enable it
  • Make sure programmers understand security issues
  • Implement SSL where appropriate

38
Securing Apache Web ServerDirectories
  • You can restrict access to directories by using
    "allow" and "deny"
  • The following only allows computers with the two
    IP addresses to access the directory
  • ltDirectory "/var/www/html/reports"gt
  • order allow, deny
  • allow from 10.10.10.5 192.168.0.3
  • deny from all
  • lt/Directorygt

39
Securing the IIS Web Server
  • The URLScan utility blocks potentially harmful
    page requests
  • The IIS Lockdown utility has templates to ensure
    that you only enable what you need
  • Change NTFS permissions in \inetpub\wwwroot from
    Everyone Full Control to Everyone Execute
  • Delete extensions you do not use, such as .htr,
    .idc, .stm, and others

40
Authenticating Web Users
  • Both Apache and IIS use HTTP to enable
    authentication
  • If HTTP tries to access a protected directory and
    fails then
  • it requests authentication from the user in a
    dialog box
  • Accesses directory with user information
  • Used in conjunction with SSL

41
Configuring User Authentication in IIS
  • Four types of authenticated access
  • Windows integrated authentication
  • Most secure requires IE
  • Digest authentication for Windows domain servers
  • Works with proxy servers
  • Requires Active Directory and IE
  • Basic authentication
  • User name and password in clear text
  • Works with IE, Netscape, and others
  • Passport authentication
  • Centralized form of authentication
  • Only available on Windows Server 2003

42
User Authentication in Apache
  • Basic authentication is most common
  • User names and passwords are kept in a separate
    file
  • Create password file
  • -c creates the users file
  • -b adds a password when creating user
  • htpasswd c users mnoia
  • htpasswd users fpessoa
  • htpasswd users lcamoes b lusiades

43
ApacheUser Authentication Directives
44
ApacheUser Authentication
  • Assume you want to restrict the /newprods
    directory to any user in the users file
  • ltLocation /newprodsgt
  • AuthName "New Product Information"
  • AuthType Basic
  • AuthUserFile /var/www/users
  • require valid-user
  • lt/Locationgt

45
Using a Firewall
  • A firewall implements a security policy between
    networks
  • Limit access, especially from the Internet to
    your internal computers
  • Restrict access to Web servers, e-mail servers,
    and other related servers

46
Types of Filtering
  • Packet filtering
  • Looks at each individual packet
  • Based on rules, it determines whether to let it
    pass through the firewall
  • Circuit-level filtering (stateful or dynamic
    filtering)
  • Controls complete communication session, not just
    individual packets
  • Allows traffic initialized from within the
    organization to return, yet restricts traffic
    initialized from outside
  • Application-level
  • Instead of transferring packets, it sets up a
    separate connection to totally isolate
    applications such as Web and e-mail

47
A Packet-filtering Firewall
  • Consists of a list of acceptance and denial rules
  • A firewall independently filters what comes in
    and what goes out
  • It is best to start with a default policy that
    denies all traffic, in and out
  • We can reject or drop a failed packet
  • Drop (best) thrown away without response
  • Reject ICMP message sent in response

48
Firewall on Linux - iptables
  • Connections can be logged
  • Initializing the firewall
  • Remove any pre-existing rules
  • iptables --flush
  • Set default policy to drop packets
  • iptables --policy INPUT DROP
  • iptables --policy OUTPUT DROP
  • At this point nothing comes in and nothing goes
    out

49
Describing the Packets to Accept
  • -A (Append rule)
  • INPUT or OUTPUT
  • -i eth0 (input interface) or o eth0 (output)
  • -p tcp or -p udp (protocol type)
  • -s , -d (source, destination address)
  • --sport, --dport (source, destination port)
  • -j ACCEPT (this is a good rule)

50
Allowing Access to Web Server
  • Allow packets from any address with an
    unprivileged port to the address on the server
    destined to port 80
  • The following should be on a single line
  • iptables A INPUT i eth0 p tcp --sport
    102465535 d 192.168.1.10 --dport 80 j ACCEPT
  • Allow packets to go out port 80 from the server
    to any unprivileged port at any address
  • iptables A OUTPUT o eth0 p tcp s 192.168.1.10
  • --sport 80 --dport 102465535 j ACCEPT

51
Allowing Access to DNS
  • DNS uses port 53
  • UDP for resolving
  • TCP for zone transfers
  • iptables A INPUT i eth0 p udp --sport
    102465535 d 192.168.1.10 --dport 53 j ACCEPT
  • iptables A OUTPUT o eth0 p udp s 192.168.1.10
  • --sport 53 --dport 102465535 j ACCEPT
  • iptables A INPUT i eth0 p tcp --sport
    102465535 d 192.168.1.10 --dport 53 j ACCEPT
  • iptables A OUTPUT o eth0 p tcp s 192.168.1.10
  • --sport 53 --dport 102465535 j ACCEPT

52
Allowing Access to FTP
  • Port 21 for data, port 20 for control
  • Data is transferred through unprivileged ports
  • Opening unprivileged ports can be a problem
  • iptables -A INPUT -i eth0 -p tcp --sport
    102465535 -d 192.168.1.10 --dport 21 -j ACCEPT
  • iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10
    --sport 21 --dport 102465535 -j ACCEPT
  • iptables -A INPUT -i eth0 -p tcp --sport
    102465535 -d 192.168.1.10 --dport 20 -j ACCEPT
  • iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10
    --sport 20 --dport 102465535 -j ACCEPT
  • iptables -A INPUT -i eth0 -p tcp --sport
    102465535 -d 192.168.1.10 --dport 102465535 -j
    ACCEPT
  • iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10
    --sport 102465535 --dport 102465535 -j ACCEPT

53
Using a Proxy Server
  • A proxy server delivers content on behalf of a
    user or server application
  • Proxy servers need to understand the protocol of
    the application that they proxy such as HTTP or
    FTP
  • Forward proxy servers isolate users from the
    Internet
  • Users contact proxy server which gets Web page
  • Reverse proxy servers isolate Web server
    environment from the Internet
  • When a Web page is requested from the Internet,
    the proxy server retrieves the page from the
    internal server

54
Using Intrusion Detection Software
  • Intrusion detection is designed to show you that
    your defenses have been penetrated
  • With Microsoft ISA Server, it only detects
    specific types of intrusion
  • In Linux, Tripwire tracks changes to files

55
Tripwire
  • Tripwire allows you to set policies that allow
    you to monitor any changes to the files on the
    system
  • Tripwire can detect file additions, file
    deletions, and changes to existing files
  • By understanding the changes to the files, you
    can determine which ones are unauthorized and
    then try to find out the cause of the change

56
Tripwire
  • After installing Tripwire, you configure the
    policy file to determine which files to monitor
  • A default list of files is included but it will
    take time to refine the list
  • A report can be produced to find out which files
    have been added, changed, and deleted
  • Usually, it runs automatically at night

57
Intrusion Detection in ISA Server
  • The following intrusions are tracked
  • Windows out-of-band (WinNuke)A specific type of
    Denial-of-Service attack
  • LandA spoofed packet is sent with the SYN flag
    set so that the source address is the same as the
    destination address, which is the address of the
    server. The server can then try to connect to
    itself and crash.
  • Ping of death The server receives ICMP packets
    that include large files attachments, which can
    cause a server to crash.

58
Intrusion Detection in ISA Server
  • Other intrusions that are tracked include
  • IP half scan If a remote computer attempts to
    connect to a port by sending a packet with the
    SYN flag set and the port is not available, the
    RST flag is set on the return packet. When the
    remote computer does not respond to the RST flag,
    this is called an IP half scan. In normal
    situations, the TCP connection is closed with a
    packet containing a FIN flag.
  • UDP bomb A UDP packet with an illegal
    configuration.
  • Port scan You determine the threshold for the
    number of ports that are scanned (checked) before
    an alert is issued.

59
Implementing Secure Authentication and
Authorization
  • Administrators must control who has access to the
    network (authentication) and what logged on users
    can do to the network (authorization)
  • Network operating systems have tools to specify
    options and restrictions on how/when users can
    log on to network
  • File system access controls and user permission
    settings determine what a user can access on a
    network and what actions a user can perform

60
Cryptography
  • The science of encrypting and decrypting
    information to ensure that data and information
    cannot be easily understood or modified by
    unauthorized individuals
  • Allows encryption of data from its original form
    into a form that can only be read with a correct
    decryption key
  • Some of security functions addressed by
    cryptography methods are
  • Authentication
  • Privacy
  • Message integrity
  • Provisions of data signatures

61
Vocabulary of Cryptography
  • Cryptanalysis the process of evaluating
    cryptographic algorithms to discover their flaws
  • Cryptanalyst a person who uses cryptanalysis to
    find flaws in cryptographic algorithms
  • Cryptographer a person trained in the science
    of cryptograpy
  • Alphabet set of symbols used in cryptographic
    to either input or output messages
  • Plaintext (cleartext or raw data) the original
    data in its raw form
  • Cipher (algorithm) a cryptographic encryption
    algorithm for transforming data from one form to
    another
  • Cyphertext - the encrypted data

62
Encryption
  • The act of encoding readable data into a format
    that is unreadable without a decoding key
  • Decryption the act of decoding encoded data
    back into the original readable format
  • Encryption provides privacy (confidentiality)

63
Encryption Methodology
  • There are two elements in encryption
  • Encryption method (ciper or algorithm)
    specifies the mathematical process used in
    encryption
  • Key the special string of bits used in
    encryption

64
Types of Cryptographic Ciphers
  • Ciphers fall into one of two major categories
  • Symmetric (single-key) ciphers the same key is
    used to both encryption and decryption
  • Asymmetric (public-key) ciphers different keys
    are used for encryption and decryption

65
Symmetric (Single Key) Ciphers
  • The most common and simplest form of encryption
  • Both parties in the encryption process use the
    same key and must keep the key secret
  • Symmetric ciphers are divided into
  • Steam ciphers encrypt the bits of message one
    at a time
  • Block ciphers encrypt a number of bits as a
    single unit
  • Some symmetric ciphers include
  • Data Encryption Standard (DES), Triple-DES, DESX,
    RDES, Blowfish, Twofish, AES (Advanced Encryption
    Standard), and IDEA (International Data
    Encryption Algorithm), Serpent

66
Asymmetric (Public Key) Ciphers
  • There are two keys for each party
  • The sender and receiver each has a private and
    public key
  • Public key senders will encrypt data using
    non-secure connections with the receivers public
    key
  • Private key the receivers use their private
    keys to decrypt data
  • The only person who can decrypt the ciphertext is
    the owner of the private key that corresponds to
    the public key used for the encryption
  • Well regarded asymmetric techniques include RSA
    (Rivest, Shamir, and Adleman), DSS (Digital
    Signature Standard), and EIGamal
  • Internet protocols using asymmetric ciphers
    include Secure Socket Layer (SSL), Transport
    Layer Security (TLS), Secure Shell (SSH), Pretty
    Good Privacy (PGP), and GNU Privacy Guard (GPG)

67
Encryption Example
  • Alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • Plaintext Meet me on the corner
  • Cipher (algorithm) C P K
  • C the ciphertext character
  • P the plaintext character
  • K the value of the key
  • Key 3
  • The algorithm simply states that to encrypt a
    plaintext character (P) and generate a ciphertext
    (C), add the value of the key (K) to the
    plaintext character
  • Shift the plaintext character to the right of the
    alphabet by three characters
  • D replaces A, E replaces B, F replaces C, etc
  • The following message is generated
  • Ciphertext Phhw ph rq wkh fruqhu

68
Authentication
  • One purpose of encryption is to prevent anyone
    who intercepts a message from being able to read
    the message
  • It brings authorization (confidentiality) only
    authorized users can use data
  • In contrast, authentication proves the senders
    identity

69
Forms of Authentication
  • There are many forms of authentication
  • Passwords
  • Authentication cards ATMs use these with coded
    information
  • Biometrics measures body dimensions like
    finger-print analyzers
  • Public key authorization uses digital
    signatures
  • Digital signature the electronic version of a
    physical signature

70
Security Experts
  • Two of the most prominent computer security
    organizations are the CERT Coordination Center
    (CERT/CC) and the Systems Administration,
    Networking, and Security (SANS) Institute
  • CERT/CC a federally funded software engineering
    institute operated by Carnegie Mellon University
  • SANS a prestigious and well-regarded education
    and research organization with members including
    some of the leading computer security experts in
    the country

71
Security Resources
  • Computer Security Resources
  • http//www.sans.org (SANS Institute)
  • http//www.cert.org (CERT/CC)
  • http//www.first.org (FIRST Forum of Incident
    Response and Security Teams)
  • http//csrc.nist.gov (NIST National Institute
    of Standards and Technology, Computer Security
    Resource Center)
  • http//www.securityfocus.com (Security Focus
    Forum)
Write a Comment
User Comments (0)
About PowerShow.com