Security Fundamentals - PowerPoint PPT Presentation

About This Presentation

Title:

Security Fundamentals

Description:

Security Fundamentals Robin Anderson ... Questions You Need to Ask What is the backup policy & schedule? What kind of backup media & software is used? – PowerPoint PPT presentation

Number of Views:2081

Avg rating:3.0/5.0

Slides: 50

Provided by: academyDe

Learn more at: http://academy.delmar.edu

Category:

more less

Transcript and Presenter's Notes

Title: Security Fundamentals

1
Security Fundamentals

Robin Anderson
UMBC, Office of Information Technology

2
A Little About Me

Unix SysAdmin, Specialist with the Office of
Information Technology at UMBC
Taught Unix Administration and SANS Level One
Security courses at UMBC
Certified by the SANS Institute GIAC program in
UNIX Security and Incident Handling

3
Topics Outline

Post-Mortems in the News
Identifying Threats
Countering Threats
The (Vulnerable) Network
Questions You Need to Ask
Recommendations You Want to Make
Resources Online

4
What Happened to Amazon?

Website defacing
Hackers broke in put up phony web pages
(And now, newer worms/viruses are doing the
same!)
September 2000 OPEC 1
February 2000 Amazon , eBay 2
November 1999 NASA/Goddard 3
October 31,1999 Associated Press 4
August 1999 ABC 5
June 1999 U.S. Army

5
What Happened to Yahoo?

Denial of Service (DoS)
February 2000 Yahoo and CNN 1
Multiple Hits
September 2000 Slashdot defaced
May 2000 Slashdot suffered DoS
? The irony is that slashdot.org is a popular
"news for nerds" website

6
If Theyre Vulnerable

then you are, too.

7
The Fundamental Theorem

You have computers because they perform some
function that furthers your organizations goals
If you lose the use of those computers, their
function is compromised
So - anything that interferes with your
organizations effort to achieve its goals is a
security concern

8
What Are You Protecting?

Information
Availability of the Systems
Reputation Goodwill

9
Your Information

Crown Jewels
Trade secrets, patent ideas, research
Financial information
Personnel records
Organizational structure

10
Your Availability

Internal use
When employees cant use the network, servers, or
other necessary systems, they cant work
Website / online transactions
Often when systems are unavailable, the
organization is losing money

11
Your Reputation

Public trust
If your organization is hacked, how reliable will
people think you are you in other areas?
Who wants to do business with companies that leak
credit card information?
Being a good neighbor
Your organization may be hacked so it can be used
as a springboard to attack others

12
A Simple Network
Firewall
Router
Router
Internet
13
Attacked!
Firewall
Router
Router
3
4
1
2
Internet
5
6
9
7
8
10
14
What Are These Threats?

DoS coming from the Internet
Severed Physical link
Masquerader / Spoofer
They look like theyre already inside
Password sniffer

15
What Are These Threats? (2)

Alan brought a floppy from home that has a virus
on it
Beatrice is about to be fired and shes going
to be angry about it
Carter is careless with his passwords he writes
them down and loses the paper

16
What Are These Threats? (3)

David has unprotected shares on his NT box
Evan installed a modem on his PC (PCAnywhere)
Severed Power / HVAC

17
What Are Threat Vectors?

Vectors are the pathways by which threats enter
your network

18
Threat Vectors - Internal

Careless employees
Floyd the clumsy janitor
Contraband hardware / software
Oops, did I just type that?
Random twits (somewhere between careless
malicious)
Malicious employees
Current or former employees with axes to grind
Anyone who can get physical access

19
Threat Vectors - External

Competitors / spies / saboteurs
Casual incidental hackers
Some hackers dont want your systems except to
use them to get at their real target
Malicious hackers
Accidental tourists
Natural disasters
Be ready to face down the hurricane

20
What Are Threat Categories?

Categories are the different kinds of threat you
may encounter

21
Threat Categories

Opportunistic
Basic ankle biters and script kiddies
More advanced hackers, hacker groups out trolling
Targeted
These attackers know what they want anything
from data to disruption to springboards
Omnipotent
Government-sponsored professional hackers

22
Threat Consequences

Bad press
Breach of confidentiality
Medical data
Credit card information
Attack platform (youve been subverted!)
Loss of income
How much does it cost you in sales to have your
databases, website, etc, down for any given
length of time?
Loss of trade secrets (crown jewels)

23
The 3 Goals of Security

Ensure Availability
Ensure Integrity
Ensure Authorization Authentication

24
Threats to Availability

Denial of Service (DoS)
Connection flooding
Destroying data
Hardware failure
Manual deletion
Software agents virus, trojans

25
Threats to Integrity

Hardware failure
Software corruption
Buggy software
Improperly terminated programs
Attacker altering data

26
Threats to Authorization

Attacker stealing data
Lost / Stolen passwords
Information Reconnaissance
Organization information

27
Countering These Threats

is what security is all about.

28
Defining Security

Security is a process
Training is ongoing
Threats change, admins need to keep up
Security is inconvenient, all staff needs
training
Security is also about policies
There is no silver bullet to fix it all
For example, a firewall wont save you
Remember the Maginot Line

29
Notes

The underlying assumption in the next section is
that you, as the auditor, admin, or manager, are
in a position to make security recommendations
The following list of questions should not be
considered in any way to be exhaustive, but a
starting point to build your own list

30
Questions You Need to Ask

What is the physical access policy to systems,
routers, and backup media?
Are the servers and main routers in a
controlled-access environment?
Who monitors access?
Are desktop systems / workstations physically
secured?

31
Questions You Need to Ask

Is there a documented security policy?
Where is it located?
Who is responsible for maintaining it?
Is the policy being consistently enforced?
Who is the enforcer for the organization?
Is there a firewall?
Who maintains it and its rule-sets?
Do its rules match the policy?

32
Questions You Need to Ask

What is the backup policy schedule?
What kind of backup media software is used?
Where is the backup media stored? Is there an
off-site safe/storage rotation?
If the systems were utterly destroyed today, how
up to date could you bring their replacements?
Have the backups ever been tested (via a restore)
for completeness and integrity?

33
Questions You Need to Ask

Does the organization know what is on its
network?
If so, how does it know?
Where are the records kept?
Who has access to them?

34
Questions You Need to Ask

Are routine network vulnerability scans run?
If so, what tools are used?
Where are the reports stored?
Who has access to the tool and the reports?
Is any routine network monitoring done?
If so, what tools are used?
Where are the reports stored?
Who has access to the tool and the reports?

35
Questions You Need to Ask

What kind of power management contingencies are
available?
Uninterruptible Power Supplies (UPS)?
Power regulation?
Backup generators?
Mean time to recovery from outage?

36
Questions You Need to Ask

What kind of authentication does your
organization use?
Passwords
Multi-use, one-time?
Expiration?
Biometric authentication?
Smart-cards

37
Questions You Need to Ask

If you use passwords, how does your organization
replace lost ones?
Any policy on verifying users identity, etc?

38
Questions You Need to Ask

What kind of network connections does your
organization allow?
Are they clear-text protocols (like telnet,
rlogin, rsh, ftp)?
Can your organization migrate to using encrypted
protocols (like ssh, stunnel, etc)?

39
Recommendations You Really Want to Make