NETWORK sECURITY

1
NETWORK sECURITY

• The Impact of Computer and Network Security in
  Corporations Today
• Understanding the Impact and Solutions of
  Computer and Network Security in Todays Worldby
• Steve Mallard

2

• In todays world of the internet and ecommerce,
  many companies lack the expertise and training to
  secure their critical network infrastructure and
  data. Because of this fallacy, many companies
  infrastructures are subject to being compromised.

3

• With extortion, cyber theft, malicious attacks
  and internal theft occurring at an unprecedented
  pace, many companies are just becoming aware of
  the aforesaid problems. While a few companies
  and corporations awaken to a new world of
  problems, many continue to sleep, totally
  oblivious to what is happening as they go about
  their daily work. This research gives
  terminology and briefs from the Information
  Technology industry.

4

• Until now, computer security and locking down the
  network infrastructure has been on the back
  burner with most companies and corporations
  because of cost. According to a corporate poll
  in A nationally recognized information technology
  magazine, 99 of U.S. companies now use some type
  of preventive antivirus technology with 98 of
  these companies now using firewalls. This
  electronic security poll was based on compiled
  information from larger corporations and their
  practices and does not include small to midsize
  companies found throughout the United States.

5

• Cost of an electronic exploit can be greater than
  a million dollars per incident as reported by the
  FBI. This information is found in the FBIs
  (Federal Bureau of Investigation) report of cyber
  threats in the United States. In order to help
  counterbalance this, smaller to midsized
  companies could spend less than 5,000 to harden
  their systems and operating systems to put a
  statefull firewall in place. As stated in this
  paper, these companies often lack the resources,
  materials and funds to do so

6

• . A look at the example companies and how they
  used modern methods for locking down their
  networks and clientele data will be discussed.
  The following steps have been used to gather the
  analysis for this paper
• Collected data to support the weakness and
  underlying causes of security collapse.
• Used professional experience from the
  researchers company to look at analyzing and
  confirming research materials.
• Consulted with Allen Corporation, Neill
  Corporation and Taylor Corporation to gather
  information relevant to the discussion on
  security in modern infrastructures.
• Analyzed and collected data based on the scope
  outlined in these sections.
• Made the final analysis.

7

• 1960 Students become the first hackers
• 1970 Phone Phreaking and Captain Crunch
• 1980 Hacker Boards on BBS (early ways to chat)
• 1983 Kids Begin Hacking
• Note Los Alamos National Laboratory, which helps
  develop nuclear weapons was hacked this year.
• 1984 Hacker Magazines
• 1986 Computer Fraud and Abuse Act
• 1986 Boot sector viruses
• 1987 File infecting viruses
• 1988 Fist Antivirus solution Encrypted viruses
• 1988 Unix Worm
• 1989 Cyber Espionage with Germans and KGB

8

• 1989 Credit Card Theft Goes Mainstream
• 1989 Date oriented viruses
• 1990 Stealth, Polymorphic, Multipartite and
  armored viruses
• 1991 Stealth, Polymorphic and Multipartite
• 1992 Code change viruses
• 1993 Viruses that attacked viruses
• 1993 Hacking used to cheat phone system to win
  contest
• 1994 Hacking Tools Become Available
• 1994 Encoded Viruses
• 1995 Kevin Mitnick Hacks the Government
• 1995 First Macro Viruses
• 1996 Macro viruses affecting Microsoft Excel
• 1997 AOL (largest) ISP Hacked
• 1998 The Cult of Hacking Takes Off
• 1998 Spyware/malware begins to download to
  machines globally
• 1999 Macro viruses affecting Microsoft Word
• 1999 Software Security (Windows begins providing
  updates
• 2000 Service Denied
• 2000 Worm viruses

9

• General Internal Company Security and Auditing
  Controls are being applied today so that
  companies can have a standard approach to bring
  together different opinions and ideas. These
  Internal Controls are generally brought together
  by a consortium of management and other personnel
  to achieve objectives by the company. Internal
  Controls allows companies to maintain several of
  the following areas

10

• Efficiency of operations.
• Compliance with laws and regulations.
• Several documents have also been released to
  suggest ideas about Internal Company Security and
  Auditing Controls
• Company controls should be built into operations
  currently in place.
• All departments and personnel within a company
  have input to Company Controls.
• Company and Internal Controls help to govern
  companies currently operating.

11

• Risk Assessment
• The identification of key weaknesses in computer
  systems, nodes on a network, clients,
  connectivity and training.
• Security Control Activities
• Policies and Procedures that ensure all levels of
  the company are within compliance with standards
  set by the company.
• Activities include hierarchal structure,
  authorization, implementation, disaster recovery
  and planning.
• Information and Communication
• Information from vendors is archived.
• Information from customers (clients) is logged.
• Communication along internal paths of the company
  to insure all areas of protection are available.
• Monitoring/Auditing
• Assessment of hardware firewall.
• Assessment of Software Patches and Service Packs.
• Management of all personnel.
• Auditing of logs and change orders.
• Monitoring of performance of all nodes on the
  network.
• Monitoring of security alert sites of government
  and for profit sites.

12

• The research paper at this point has focused on
  the importance and makeup of generalized Internal
  Company Security and Auditing Controls.
  Weaknesses in this structure follow
• Communication
• Poor or lack of judgment
• Lack of training
• Lack of concern
• Disgruntled employees
• Lack of review
• Lack of training
•  
• It is up to management at all levels to monitor
  company security and auditing controls.

13

• Larger companies have a distinct advantage over
  smaller companies because of the minimal work
  required to keep their network infrastructure
  secure. A small list of duties below is required
  to keep data protected
• Periodic changes of passwords
• Updating of policy and procedures
• Auditing server logs
• Auditing firewall logs
• Researching new malicious threats at third party
  information sites
• Physical security
• Applying patches
• Applying service packs
• User management
• Monitoring spyware/malware
• Monitoring new installs
• Monitoring performance
• Monitoring IDS systems
• Monitoring anti-virus protection

14

• Password policies are often overlooked after the
  inception of the computer network. Network
  administrators can use the group policy editor in
  workstations or rules in active directory to set
  password rules. Minimal, complex and history
  settings can greatly increase Computer and
  Network Security.

15

• Companies should look at the update of policy
  and procedures in order to keep up with changes
  across its infrastructure. These regulations
  help to guide all levels of information
  technology professionals. The consistent and
  concise update is critical to security in a
  network infrastructure.
• The auditing of logs at all levels is critical
  and cannot be stressed enough. These logs
  provide accurate details on the access and
  changes requested and made during a session. All
  of the companies mentioned in this study review
  logs on a frequent basis. This becomes one of
  the single most important processes in looking
  for patterns and breeches of security.

16

• The outline below is provided to illustrate and
  show how Computer and Network Security has been
  implemented as a plan to a higher education
  facility. This basic outline targets the
  infrastructure of companies through which the
  bases of protecting internal assets are most
  critical. It shows the effectiveness of the
  schools control, auditing and implementation.

17

• Periodic control of Operating System Patches
• Virtual Private networking to Domain Servers with
  Student Information Systems Software from staff
  workstations
• Periodic control of Operating System Service
  Packs
• Anti-virus software installed on each workstation
  to include student work stations
• Spyware/malware / Malware control measures
• Pop up control measures
• Application updates (i.e., Microsoft Office and
  related)
• Software Update Services Server installed to push
  updates approved by administration
• Documented Policy and Procedures school level
• Documented Policy and Procedures board level
• Active Directory Server login for staff to
  establish IT Policies
• Applications with logging of activities
  (customized)
• Application and Security Logs running on Servers
• Network Address Translation used at firewall
  level
• DMZ (demilitarized zones) used on web server
• Hardware firewall (three honed) used with logs
  and specific port number restrictions.
• IDS (Instruction Detection Server) in place and
  monitored
• Traffic monitor in place to monitor inbound,
  outbound and intranetworking packets
• Disaster recover plan in place

18

• Control of patches and updates becomes one of the
  most important aspects of Computer and Network
  Security. With operating systems flaws being one
  of the most critical needs to identify when
  operating a network, control of pushing service
  packs or updates to computers becomes extremely
  important. Companies should have this in their
  plans and someone in the information technology
  department should be assigned to check SUS
  (System Update Services) servers daily. This IT
  person should also check security and operating
  system websites for alerts. Often these sites
  have email alerts to alert end-users of a
  security problem.

19

• Virtual Private Networks or VPNs should be
  created between workstations and servers that
  contain critical data. By using PPTP (Point to
  Point Tunneling Protocol), this ensures the data
  is encapsulated as it travels across the internal
  network. While packet capturing software can be
  installed on a network, this will help to encrypt
  the data and prevent loss due to network
  sniffing.

20

• Antivirus software must be installed on every
  workstation and the software should be updated
  daily. This control of updating can come through
  push services through a server to insure the
  virus pattern or signature is up to date.
• Spyware/malware control is becoming an issue at
  all companies. Spyware/malware is software
  download automatically be some websites to track
  a users internet surfing habits or to track
  software use on the end users computer. Often
  computers become burden by spyware/malware loaded
  in the operating system and become nonfunctional
  or extremely slow.

21

• Policy and Procedures
• Committees and Subcommittees used to monitor
  changes, constant updates and reviews by all
  members of the information technology team.
• Risk Assessment
• Value of product and client data, cost of breach.
  This assessment can give the company an idea of
  the risk of a breach.
• Inventory
• Inventory of software and hardware. Inventory
  allows for control of products and control of
  sensitive information.
• Needs Assessment
• Users and applications Need to Know Basis Only.
  This form of assessment allows for securing data
  at different levels based on rank or a hierarchal
  structure in the company.
• Structure
• Physical security and ideal topologies to meet
  performance needs and environmental controls.

22

• Levels of Protection
• Workstation
• Antivirus software, operating systems updates and
  patches, application updates, VPN to servers,
  strong password protection
• Private Servers
• Antivirus software, operating systems updates and
  patches, application updates, VPN from
  workstations, Kerberos security, tokens and
  certificates, strong password protection
• SNMP nodes
• Password Protected SNMP manageable devices
• Wireless Access Points
• Wireless Encryption Protocols (128 bit minimum)
  (WPA Preferred with a RADIUS Server
• MAC filtering

23

• Firewalls
• Acceptable ports and sites
• IDS Systems
• Backend for internal and external NIC cards used
  to monitor all traffic within the organization
• Network Address Translation Needs
• Public to Private ips for internal networks with
  few public ip addresses
•  
• Public Servers
• Located in DMZ areas all patches updates and only
  necessary ports open
• Training programs
• New software
• New hardware

24

• The overall strategy for the initial phase of
  protection involves the publishing of Policy and
  Procedures. The publication of Policy and
  Procedures includes the hierarchal structure of
  the information technology department and all
  tasks associated with it. The following approach
  is used to monitor the updating of the Policy and
  procedures
• Document changes to existing Policy and
  Procedures.
• Identify weaknesses
• Test disaster recover portion of Policy and
  Procedures
• Test auditing procedures
• Rewrite when significant amount of changes takes
  place
• On going training

25

• Training is in place from the lowest level of
  help desk to the Information Technology manager
  and CIO. Training updates are given to all
  employees outside of the IT department so that
  security can be maintained throughout the
  company. These companies use the following
  training methods
• Memos to all staff on new viruses
• Memos to IT Personnel on new viruses
• Memos to IT Personnel on opportunities to train
  at seminars
• Seminars (Mandatory)
• Seminars (Voluntary)
• Webcasts/Podcasts
• In house training by security personnel
• In house training by outside resources
• College reimbursement
• New product training
• Policy and procedure review
• Proper use of the internet
• Proper use of email and best practices

26

• Employ certified and experienced personnel
• All are focused on standards set by CERT.ORG and
  other security industry leaders
• Strong Policy and Procedures in place
• Communications among internal company and
  internal information systems.
• Committees and Sub-committees in place for
  compliance issues

27

• The problem statement components of when
  security is needed, and how to implement it are
  answered as follows
• Industry wide compliance of recommendations by
  industry leading experts.
• Restating the key elements from previous chapters
  include
• Employ trustworthy Information Technology
  workforce to protect assets from within the
  companies as though assets were their own.
• Focus on industry statistics and separate fact
  from fiction for the best protection of the
  security infrastructure.
• Utilize all means of security including beta
  based security tools, physical tools and update
  policys and procedures as necessary. Document all
  deficiencies and follow thorough with any and all
  short comings to insure the best and most
  adequate protection from thieves, whether
  internal or external

28

• Ongoing communications between all levels of
  employees from help desk to the CIO (Chief
  Information Officer).
• CIOs cannot lose touch with reality of the real
  world of security.
• A quality control program should be put into
  place to maintain site wide integrity.
• Policy and procedures must be reviewed.
• Internet usage policies should exist and all
  employees should review and sign acceptance
  letters.
• Email usage policies should exist and all
  employees should review and sign acceptance
  letters.
• Systems must be tested in order to ensure
  quality.
• Ongoing training must be put into place for IT
  professionals and accurate records must be
  maintained in order to verify training and
  training needs.

29

• The recommendations from this study are as
  follows
• Companies should do extensive background checks
  on their Information Technology employees.
  Checks should include financial, criminal and
  past employment checks.
• Companies should put Policy and Procedures into
  place to make sure that all aspects of disaster
  recovery and planning are covered including
  hardware failure, software failure, network
  setup, personnel hierarchy, team
  responsibilities, deployment of all software and
  appropriate licensing and other mission critical
  objectives.
• Companies should have a consistent audit practice
  in place for server logs, firewall logs, patches,
  service packs and updates.
• The network infrastructure for companies needs a
  consistent quarterly overview committee to look
  at security needs and challenges. This would
  provide quarterly updates of mission statements
  and policies as needed.

30

• Companies need training programs in place for
  Junior as well as Senior level analysts to
  understand the challenging environment of
  security. These training programs need to
  include industry leaders and seminars from
  software vendors.
• Companies need consistent and open forums within
  their infrastructure for communication of daily
  changes affecting the security environment.
• The hierarchal level of the internal department
  of Information Systems/Technology needs to be
  dynamically flexible to meet the needs and
  challenges facing the ever changing world of
  information technology security in the workplace.
  
• Small Ecommerce servers should dump data to a
  printer and be reentered as a precautionary
  measure in case of a breach on an internal file
  server.

31

• Companies must provide high level training to
  meet the needs of industry growth while
  maintaining a balanced budget and customer
  security.