Information Security

1
Information Security

• Chapter 13

2
Objectives

• In this chapter, you will learn to
• List the key steps in assessing information
  security risks
• Explain the elements and purpose of a security
  policy
• Describe strategies for minimizing common
  security risks associated with people, passwords,
  physical security, and modem access
• Discuss the most popular, current methods of
  encrypting data

3
Objectives

• In this chapter, you will learn to
• Identify security threats to public and private
  telephone networks and discuss ways to prevent
  them
• Identify security threats to LAN- and WAN-based
  telecommunications and discuss ways to prevent
  them
• Identify security threats to wireless
  telecommunications and discuss ways to prevent
  them

4
Risk Assessment

• A thorough analysis of an organizations
  vulnerability to security breaches and an
  identification of its potential losses.
• A risk assessment should answer the following
  questions
• What resources or assets are at risk?
• What methods could be taken to compromise those
  resources?
• Who or what are the most likely threats to
  resources?
• What is the probability that the organization or
  its resources will be compromised?
• What are the consequences of those resources
  being compromised?

5
Risk Assessment
6
Security Policy Goals

• Ensuring that authorized users have appropriate
  access to the resources they need
• Preventing unauthorized users from gaining access
  to facilities, cabling, devices, systems,
  programs, or data
• Protecting sensitive data from unauthorized
  access, from individuals both internal and
  external to the organization
• Preventing accidental or intentional damage to
  hardware, facilities, or software
• Creating an environment in which the network and
  its connected nodes can withstand and, if
  necessary, quickly respond to and recover from
  any type of threat

7
Security Policy Content

• Subheadings for security policy content
• Password policy
• Software installation policy
• Confidential and sensitive data policy
• Network access policy
• Telephone use policy
• E-mail use policy
• Internet use policy
• Remote access policy
• Policies for connecting to remote locations, the
  Internet, and customers and vendors networks
• Policies for use of laptops and loaner machines
  and Cable Vault and Equipment room access policy

8
Response Policy

• Suggestions for team roles
• Dispatcher the person on call who first notices
  or is alerted to the problem.
• Manager - The team member who coordinates the
  resources necessary to solve the problem.
• Technical support specialists - The team members
  who strive to solve the problem as quickly as
  possible.
• Public relations specialist - The team member who
  acts as official spokesperson for the
  organization to the public.

9
Human Error, Ignorance, and Omission

• These cause more than half of all security
  breaches sustained by voice and data networks.
• Social engineering - involves manipulating
  social relationships to gain access to restricted
  resources.
• The best way to counter social engineering is to
  educate all employees to ask the supposed
  technician for his telephone number, agreeing to
  call him back with the information.

10
Human Error, Ignorance, and Omission

• Risks include
• Intruders or attackers using social engineering
  or snooping to obtain user passwords.
• Network administrators overlooking security flaws
  in network design, hardware configuration,
  operating systems, or applications.
• An unused computer or terminal left logged on to
  the network, thereby providing an entry point for
  an intruder.
• Users or administrators choosing easy-to-guess
  passwords.

11
Passwords

• Guidelines for choosing passwords
• Always change system default passwords after
  installing new programs or equipment.
• Do not use familiar information, such as your
  birth date, anniversary, pets name, childs
  name, etc.
• Do not use any word that might appear in a
  dictionary.
• Make the password longer than six characters -
  the longer, the better.
• Change your password at least every 60 days, or
  more frequently, if desired.

12
Physical Security

• Locations on voice and data networks that warrant
  physical security
• Inside a central office or POP
• Cable vaults
• Equipment rooms
• Power sources (for example, a room of batteries
  or a fuel tank)
• Cable runs (ceiling and floor)
• Work areas (anyplace where networked workstations
  and telephones are located)

13
Physical Security

• Locations on voice and data networks that warrant
  physical security
• Outside telecommunications facilities
• Serving area interfaces and remote switching
  facilities
• Exterior cross-connect boxes
• Wires leading to or between telephone poles
• Base stations and mobile telephone switching
  offices used with cellular telephone networks
• Inside a business
• Entrance facilities
• Equipment room (where servers, private switching
  systems, and connectivity devices are kept)
• Telecommunications closet

14
Physical Security
15
Physical Security

• Relevant questions
• Which rooms contain critical systems,
  transmission media, or data and need to be
  secured?
• How and to what extent are authorized personnel
  granted entry?
• Are authentication methods (such as ID badges)
  difficult to forge or circumvent?
• Do supervisors or security personnel make
  periodic physical security checks?
• What is the plan for documenting and responding
  to physical security breaches?

16
Modem Access

• Modems are notorious for providing hackers with
  easy access to networks.
• Although modem ports on connectivity devices can
  open access to significant parts of a network,
  the more common security risks relate to modems
  that users attach directly to their workstations.
• When modems are attached directly to networked
  modems, they essentially provide a back door into
  the network.
• War dialers - computer programs that dial
  multiple telephone numbers in rapid succession,
  attempting to access and receive a handshake
  response from a modem.

17
Encryption

• The use of an algorithm to scramble data into a
  format that can be read only by reversing the
  algorithm.
• Encryption ensures that
• Data can only be viewed and voice signals can
  only be heard by their intended recipient (or at
  their intended destination).
• Data or voice information was not modified after
  the sender transmitted it and before the receiver
  picked it up.
• Data or voice signals received at their intended
  destination were truly issued by the stated
  sender and not forged by an intruder.

18
Key Encryption
19
Private Key Encryption
20
Public Key Encryption

• Data is encrypted using two keys One is a key
  known only to a user (a private key) and the
  other is a public key associated with the user.
• Public-key server - a publicly accessible host
  (often, a server connected to the Internet) that
  freely provides a list of users public keys.
• Key pair - The combination of the public key and
  private key .
• Digital certificate - a password-protected and
  encrypted file that holds an individuals
  identification information, including a public
  key.

21
Public Key Encryption
22
Encryption Methods

• Kerberos - a cross-platform authentication
  protocol that uses key encryption to verify the
  identity of clients and to securely exchange
  information after a client logs on to a system.
• PGP (Pretty Good Privacy) - a public key
  encryption system that can verify the
  authenticity of an e-mail sender and encrypt
  e-mail data in transmission.
• IPSec (Internet Protocol Security) - defines
  encryption, authentication, and key management
  for TCP/IP transmissions.

23
Encryption Methods

• SSL (Secure Sockets Layer) - a method of
  encrypting TCP/IP transmissions between a client
  and server using public key encryption
  technology.
• When a Web pages URL begins with the prefix
  HTTPS, it is requiring that its data be
  transferred from server to client and vice versa
  using SSL encryption.
• Each time a client and server establish an SSL
  connection, they also establish a unique SSL
  session.
• Handshake protocol - authenticates the client and
  server to each other and establishes terms for
  how they will securely exchange data.

24
Eavesdropping

• The use of a transmission or recording device to
  capture conversations without the consent of the
  speakers.
• Eavesdropping can be accomplished in one of four
  ways
• Bugging
• Listening on one of the parties telephone
  extensions
• Using an RF receiver to pick up inducted current
  near a telephone wire pair
• Wiretapping, or the interception of a telephone
  conversation by accessing the telephone signal

25
Eavesdropping
26
Private Switch Security

• A hacker might want to gain access to a PBX in
  order to
• Eavesdrop on telephone conversations, thus
  obtaining proprietary information
• Use the PBX for making long-distance calls at the
  companys expense, a practice known as toll fraud
  
• Barrage the PBX with such a high volume of
  signals that it cannot process valid calls, a
  practice known as a denial-of-service attack
• Use the PBX as a connection to other parts of a
  telephone network, such as voice mail, ACD, or
  paging systems

27
Voice Mail Security

• Voice mail - the service that allows callers to
  leave messages for later retrieval, is a popular
  access point for hackers.
• If a hacker obtains access to a voice mail
  systems administrator mailbox, she can set up
  additional mailboxes for her private use. Valid
  voice mail users will never notice.
• Privacy breaches - if a hacker guesses the
  password for a mailbox, she can listen to the
  messages in that users mailbox.

28
Telecommunications Firewall

• A type of firewall that monitors incoming and
  outgoing voice traffic and selectively blocks
  telephone calls between different areas of a
  voice network.
• Performs the following functions
• Prevents incoming calls from certain sources from
  reaching the PBX
• Prevents certain types of outgoing calls from
  leaving the voice network
• Prevents all outgoing calls during specified time
  periods
• Collects information about each incoming and
  outgoing call
• Detects signals or calling patterns
  characteristic of intrusion attempts, immediately
  terminates the suspicious connection, and then
  alerts the system administrator of the potential
  breach

29
Telecommunications Firewall
30
Network Operating System

• To begin planning client-server security, every
  network administrator should understand which
  resources on the server all users need to access.
• Network administrators typically group users
  according to their security levels as this
  simplifies the process of granting users rights
  to resources.
• Besides establishing client rights and
  restrictions to network resources, a network
  administrator must pay attention to security
  precautions when installing and using the network
  operating system.
• A vigilant network administrator will also take
  care to keep his or her servers NOS software
  current.

31
Network Operating System

• Restrictions that an administrator may use to
  protect network resources include
• Time of day - Use of logon IDs can be valid only
  during specific hours, for example, between 800
  A.M. and 500 P.M.
• Total time logged in - Use of logon IDs may be
  restricted to a specific number of hours per day.
• Source address - Use of logon IDs can be
  restricted to certain workstations or certain
  areas of the network
• Unsuccessful logon attempts - As with PBX
  security, use of data network security allows
  administrators to block a connection after a
  certain number of unsuccessful logon attempts.

32
Security Through Network Design

• Risks inherent in data network hardware and
  design
• Transmissions can be intercepted
• Leased lines are vulnerable to eavesdropping
• Shared media and broadcast traffic allow data
  capture
• Device ports can be exploited
• Private IP addresses can be exploited
• Private and public hosts on the same network

33
Firewall

• Packet-filtering firewall - a device that
  operates at the Data Link and Transport layers of
  the OSI model.

34
Firewall

• Criteria used to accept or deny data include
• Source and destination IP addresses
• Source and destination ports
• Use of the TCP, UDP, or ICMP transport protocols
• A packets status as the first packet in a new
  data stream or a subsequent packet
• A packets status as inbound or outbound to or
  from a private network

35
Firewall

• Factors to be considered when choosing a
  firewall
• Does the firewall support encryption?
• Does the firewall support user authentication?
• Does the firewall allow the network administrator
  to manage it centrally and through a standard
  interface?
• How easily can you establish rules for access to
  and from the firewall?
• Does the firewall support filtering at the
  highest layers of the OSI model, not just at the
  Data Link and Transport layers?

36
Proxy Servers

• Proxy server (Gateway) - the network host that
  runs the proxy service.
• Proxy servers manage security at all layers of
  the OSI model.
• On a network, a proxy server is placed between
  the private and public parts of a network.
• Proxy service - a software application on a
  network host that acts as an intermediary between
  the external and internal networks, screening all
  incoming and outgoing traffic.

37
Proxy Servers
38
Virtual Private Networks (VPNs)

• Private networks that use public channels to
  connect clients and servers.
• Point-to-Point Tunneling Protocol (PPTP) - A
  Layer 2 protocol that encapsulates PPP so that
  any type of data can traverse the Internet,
  masked as pure IP transmissions.
• Layer 2 Tunneling Protocol (L2TP) - an enhanced
  version of L2F that, like L2F, supports multiple
  protocols.
• does not require costly hardware upgrades to
  implement
• optimized to work with the next generation of IP
  (IPv6) and IPSec

39
Cellular Network Security

• Hackers intent on obtaining private information
  can find ways to listen in on cellular
  conversations.
• Potentially more damaging than eavesdropping is
  cellular telephone fraud.
• cellular telephone cloning - occurs when a hacker
  obtains a cellular telephones electronic serial
  number (ESN), and then reprograms another handset
  to use that ESN.
• To combat cloning fraud, cellular telephones that
  use CDMA and TDMA technology transmit their ESN
  numbers in encrypted form.

40
Wireless WAN Security

• War driving - searching for unprotected wireless
  networks by driving around with a laptop
  configured to receive and capture wireless data
  transmissions.
• Wired Equivalent Privacy (WEP) standard - a key
  encryption technique that assigns keys to
  wireless nodes.
• Extensible Authentication Protocol (EAP) -
  defined by the IETF in RFC 2284.
• Does not perform encryption. Instead, it is used
  with separate encryption and authentication
  schemes.

41
Summary

• In a risk assessment, an organization analyzes
  its valuable assets, ways in which the assets
  might be compromised, the sources of threats to
  those assets, and the consequences that would
  arise if those assets were stolen or damaged.
• Key goals of a security policy include
  preventing unauthorized users from gaining access
  to facilities, cabling, devices, systems,
  programs, or data, and preventing accidental or
  intentional damage to hardware, facilities, or
  software
• Encryption acts as the last means of defense
  against information eavesdropping, theft, or
  tampering.