02 fundamental aspects of security
Network Security: Fundamental Aspects
MSc. Vuong Thi Nhung, Faculty of Information Technology, Hanoi University, Aug 23, 2015
Contents
• History of Information Security
• Information Security Definition and Concept
• AAA & CIA models
• Threats and Risks
• Some security guidelines
The story of the Internet worm
On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet.
He chose to release it from MIT, to disguise the fact that the worm came from Cornell.
Morris soon discovered that the program was replicating and reinfecting machines at a much faster rate than he had anticipated.
Ultimately, many machines at locations around the country either crashed or became “unresponsive”.
When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection.
However, because the network route was blocked, this message did not get through until it was too late.
Computers were affected at many sites, including universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.
The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a system and waits for other systems to connect to it and give it email.
People at the University of California and MIT had copies of the program and were actively disassembling it (returning the program back into its source form) to try to figure out how it worked.
Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued spread of the worm.
The information didn't get out as quickly as it could have, however, since so many sites had completely disconnected themselves from the network.
After a few days, things slowly began to return to normal and everyone wanted to know who had done it. Morris was later named in The New York Times as the author of the worm.
Robert T. Morris was convicted of violating the Computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision. His appeal, filed in December 1990, was rejected the following March.
http://www-swiss.ai.mit.edu/6805/articles/morris-worm.html
After the incident, Morris was suspended from Cornell for acting irresponsibly according to a university board of inquiry. Later, Morris would obtain his Ph.D. from Harvard University for his work on modeling and controlling networks with large numbers of competing connections.
Robert Morris is currently an assistant professor at MIT (apparently they forgave him for launching his worm from their network) and a member of their Laboratory of Computer Science in the Parallel and Distributed Operating Systems group. He teaches a course on Operating System Engineering and has published numerous papers on advanced concepts.
What is Security
Security: “The quality or state of being secure—to be free from danger”
Security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Necessary tools: policy, awareness, training, education, technology
Layers of security
A successful organization should have multiple layers of security in place:
Physical security - To protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
Personal security - To protect the individual or group of individuals who are authorized to access the organization and its operations.
Operations security - To protect the details of a particular operation or series of activities.
Communications security - To protect an organization’s communications media, technology, and content.
Network security - To protect networking components and connections.
Information security - To protect the confidentiality, integrity and availability of information assets, whether in storage, processing or transmission.
It is achieved via the application of policy, education, training and awareness, and technology.
Building elements of Information Security: Authentication, Access Control, Auditing
Authentication
Sender, receiver want to confirm identity of each other
Who am I talking to?
Example: FIT E-learning
[Diagram: Student V reaches the FIT E-learning server through a chain of ISPs (ISP A, ISP B, ISP C, ISP D).]
Authentication: Who am I talking to?
[Diagram: Student V sends “Hello, I’m V” to FIT E-learning across ISPs A, B, C and D. FIT asks “Is that student V?”; V asks “Is that FIT?”]
Authentication
Protection mechanisms:
• Password: manual, one-time password
• Key sharing: public-private keys, Wi-Fi
• Challenge-response
• Multi-factor authentication
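The challenge-response mechanism listed above, written out as an added example (this is illustration code, not code from the lecture). It assumes Student V and the FIT E-learning server already share a secret; the server sends a fresh random nonce, the client answers with an HMAC of that nonce under the secret, and the server recomputes and compares. The secret never crosses the network, and because each nonce is single-use a recorded answer cannot be replayed. The slide's question runs both ways ("Is that FIT?"); the same exchange run in the opposite direction gives mutual authentication.

```python
"""Challenge-response authentication between Student V and the FIT E-learning
server (added illustration, not the lecture's code)."""
import hashlib
import hmac
import secrets

# Constructed sample credential store: user id -> shared secret.
# A real server would keep a derived key rather than the raw secret.
SERVER_SECRETS = {"student_v": b"constructed-shared-secret-for-v"}


class Server:
    def __init__(self, secrets_db):
        self.secrets_db = secrets_db
        self.pending = {}  # user -> outstanding challenge, consumed on first use

    def issue_challenge(self, user):
        """Step 1, server -> client: a fresh random nonce. Freshness is what
        stops a response captured today from working tomorrow."""
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        """Step 3: recompute the expected answer and compare in constant time."""
        nonce = self.pending.pop(user, None)  # a challenge is valid exactly once
        secret = self.secrets_db.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret, nonce):
    """Step 2, client -> server: prove knowledge of the secret by keying an HMAC
    over the nonce. Only the 32-byte tag is sent, never the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_exchange(server, user, client_secret):
    """One full protocol run; True when the server accepts the client."""
    nonce = server.issue_challenge(user)
    response = client_respond(client_secret, nonce)
    return server.verify(user, response)


def replay_is_rejected(server, user, client_secret):
    """Why the nonce must be single-use: the genuine answer works once, and the
    same bytes fail against the next challenge."""
    nonce = server.issue_challenge(user)
    captured = client_respond(client_secret, nonce)
    first = server.verify(user, captured)   # legitimate first use succeeds
    server.issue_challenge(user)            # the next login gets a fresh nonce
    second = server.verify(user, captured)  # old answer no longer matches
    return first and not second


if __name__ == "__main__":
    srv = Server(SERVER_SECRETS)
    print("genuine V accepted:", run_exchange(srv, "student_v", SERVER_SECRETS["student_v"]))
    print("wrong secret rejected:", run_exchange(srv, "student_v", b"wrong-guess"))
    print("replayed answer rejected:", replay_is_rejected(srv, "student_v", SERVER_SECRETS["student_v"]))
```

The constant-time comparison (`hmac.compare_digest`) and the one-use challenge are the two details that are easy to leave out and that a reviewer would check for first.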
Access Control
Access control can be defined as a policy, software component, or hardware component that is used to grant or deny access to a resource.
Examples of hardware components: a smart card, a biometric device, or network access hardware.
Access Control
Services must be accessible to appropriate users
Do you have adequate privileges to access this information?
Access control
[Diagram: “Mr. Anonymous” connects to FIT E-learning across ISPs A, B, C and D, alongside Student V. Question: Is Mr. T allowed to view course contents?]
Access Control
Protection mechanisms: access control list, firewall, VPN, smart card, rules
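The access control list from the mechanisms above, applied to the course-contents question on the slide, as an added example (illustration code, not the lecture's). The user directory, roles and ACL entries are constructed for the example; the design point is that the default answer is deny, that an anonymous requester who never authenticated holds no identities at all, and that a principal is matched either by its own id or by a role it holds.

```python
"""Access control list check for FIT E-learning course contents
(added illustration, not the lecture's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AclEntry:
    principal: str          # a user id, or a role written as "role:<name>"
    operations: frozenset   # the operations this entry grants


@dataclass
class Resource:
    name: str
    acl: list = field(default_factory=list)


# Constructed sample directory: which roles each authenticated user holds.
ROLES = {
    "student_v": {"role:student"},
    "mr_t": set(),            # authenticated, but enrolled in nothing
    "lecturer": {"role:lecturer"},
}

# Constructed sample ACL for the course contents.
COURSE = Resource("FIT E-learning course contents", acl=[
    AclEntry("role:student", frozenset({"view"})),
    AclEntry("role:lecturer", frozenset({"view", "edit"})),
    AclEntry("student_v", frozenset({"submit"})),   # a grant to one named user
])


def is_allowed(resource, principal, operation, roles=ROLES):
    """Default deny: permit only if some ACL entry naming the user, or a role
    the user holds, grants the requested operation."""
    if principal is None:             # anonymous: authentication never happened
        return False
    identities = {principal} | roles.get(principal, set())
    for entry in resource.acl:
        if entry.principal in identities and operation in entry.operations:
            return True
    return False


if __name__ == "__main__":
    for who, op in [("student_v", "view"), ("mr_t", "view"), (None, "view"),
                    ("lecturer", "edit"), ("student_v", "submit")]:
        print(f"{who!s:>10} {op:>6}: {'allow' if is_allowed(COURSE, who, op) else 'deny'}")
```

Authentication has to come first: the decision is only meaningful once `principal` is a verified identity, which is why the anonymous case is refused before the ACL is consulted.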
Auditing
Auditing is the process of tracking and reviewing events, errors, access, and authentication attempts on a system.
Protection mechanism: logging system, history.
Auditing
Develop an audit trail in the logging of monitored events that allows usage and access, whether authorized or unauthorized, to be tracked.
It improves security and allows for better audit policies and rules.
Example: Enable auditing for logon events
Go to Administrative Tools | Local Security Policy.
Navigate to Local Policies | Audit Policy.
Enable auditing for logon events.
Go to Event Viewer to see the logs.
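What an audit trail of logon events gives you once it exists, as an added example (illustration code, not the lecture's). The log entries are constructed; the two review functions answer questions an auditor would put to such a trail: which accounts saw a burst of failed logons inside a short window, and which successful accesses happened outside business hours. The log is append-only on purpose, since a trail that can be rewritten is not evidence.

```python
"""Audit trail for logon events and two review checks over it
(added illustration, not the lecture's code)."""
from collections import defaultdict
from datetime import datetime, timedelta


class AuditLog:
    def __init__(self):
        self._events = []   # append-only; no method here edits or deletes an entry

    def record(self, when, user, source, event, success):
        self._events.append({"time": when, "user": user, "source": source,
                             "event": event, "success": success})

    def events(self):
        return list(self._events)


def failed_logon_bursts(log, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logons inside any sliding `window`,
    mapped to the largest such count."""
    failures = defaultdict(list)
    for ev in log.events():
        if ev["event"] == "logon" and not ev["success"]:
            failures[ev["user"]].append(ev["time"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def access_outside_hours(log, start_hour=8, end_hour=18):
    """Successful events outside business hours, for manual review."""
    return [ev for ev in log.events()
            if ev["success"] and not (start_hour <= ev["time"].hour < end_hour)]


def build_sample_log():
    """Constructed sample: one normal morning logon, four failures against
    student_v from a single source within two minutes, and a late-night access."""
    log = AuditLog()
    t0 = datetime(2015, 8, 23, 9, 0)
    log.record(t0, "student_v", "10.0.0.5", "logon", True)
    for i in range(4):
        log.record(t0 + timedelta(minutes=30, seconds=30 * i),
                   "student_v", "203.0.113.9", "logon", False)
    log.record(t0 + timedelta(hours=14), "lecturer", "10.0.0.8", "file_access", True)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("failed-logon bursts:", failed_logon_bursts(sample))
    for ev in access_outside_hours(sample):
        print("outside hours:", ev["time"], ev["user"], ev["event"])
```

The thresholds are parameters because the right values depend on the system: a public e-learning portal and a payroll server justify different tolerances for failed logons.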
Security Goal
[Diagram: the CIA triangle, with Confidentiality, Integrity and Availability at its corners.]
ISO 27002:2005 defines Information Security as the preservation of:
– Confidentiality: Ensuring that information is accessible only to those authorized to have access
– Integrity: Safeguarding the accuracy and completeness of information and processing methods
– Availability: Ensuring that authorized users have access to information and associated assets when required
Information Attributes
05/01/2023 25 Mohan Kamat
Confidentiality
Only sender, intended receiver should “understand” message contents
Is my data hidden?
Confidentiality
Protection mechanisms: data encryption, symmetric or asymmetric (public-private keys)
Confidentiality: Is my data hidden?
[Diagram: Student V’s traffic to FIT E-learning crosses ISPs A, B, C and D, with Mr. T on the path. Question from V: Can Mr. T see my homework?]
Integrity
Sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Has my data been modified?
Integrity: Has my data been modified?
[Diagram: Student V’s traffic to FIT E-learning crosses ISPs A, B, C and D, with Mr. T on the path. Question: Can Mr. T modify student V’s homework?]
Integrity
Protection mechanisms: digital signature
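How a tag that depends on a key turns the slide's question ("Can Mr. T modify student V's homework?") into "yes, but not without detection", as an added example (illustration code, not the lecture's). The slide names digital signatures; this example substitutes a keyed hash (HMAC) because Python's standard library has no signature primitive. An HMAC gives the same detection property when sender and receiver share a key, while a signature does so with a public/private pair. The key and homework text are constructed. The last function shows why an unkeyed hash is not an integrity mechanism: anyone who can change the message can recompute it.

```python
"""Integrity protection for a submitted homework file with a keyed hash
(added illustration, not the lecture's code)."""
import hashlib
import hmac

# Constructed sample key shared by Student V and the FIT server.
SHARED_KEY = b"constructed-key-shared-by-v-and-fit"


def seal(message, key=SHARED_KEY):
    """Sender side: attach a tag that depends on both the key and the message."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message, tag


def verify(message, tag, key=SHARED_KEY):
    """Receiver side: recompute the tag and compare in constant time.
    Any change to the message or the tag in transit makes this False."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def altered_in_transit(message, tag):
    """Models the slide's scenario: the homework is changed on the path between
    V and FIT. The tag is left as it was, because the key is not on the path."""
    return message.replace(b"score: 10", b"score: 100"), tag


def plain_hash_does_not_detect_tampering(original, tampered):
    """With an unkeyed hash the receiver's check passes for the genuine pair and
    for a re-hashed altered pair alike, so nothing has been protected."""
    def receiver_check(m, h):
        return hashlib.sha256(m).hexdigest() == h
    genuine = (original, hashlib.sha256(original).hexdigest())
    rehashed = (tampered, hashlib.sha256(tampered).hexdigest())
    return receiver_check(*genuine) and receiver_check(*rehashed)


if __name__ == "__main__":
    homework = b"homework of V, score: 10"
    msg, tag = seal(homework)
    print("unchanged verifies:", verify(msg, tag))
    msg2, tag2 = altered_in_transit(msg, tag)
    print("altered verifies:", verify(msg2, tag2))
    print("plain hash would have passed:", plain_hash_does_not_detect_tampering(homework, msg2))
```

What the keyed tag does not provide is confidentiality: the homework travels in the clear and the previous slide's encryption is still needed if Mr. T must not read it.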
Availability
Services must be available to users
Can I reach the destination?
Availability: Can I reach the destination?
[Diagram: Student V tries to reach FIT E-learning across ISPs A, B, C and D. Question: Can I access FIT during the midterm?]
Availability
Protection mechanisms: backup and recovery, firewall, vulnerability scanning and patching, intrusion detection and response, virus scanning
What is Risk?
Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Threat: Something or someone that can potentially cause damage to the organisation, IT systems or network.
Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.
Info Security Survey
• Information Security is an “organizational problem” rather than an “IT problem”
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest risk: people
• Biggest asset: people
• Social engineering is a major threat
• More than two-thirds express their inability to determine “whether my systems are currently compromised?”
Risks & Threats: Potential Threats
• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Systems & network failure
• Lack of documentation
• Lapse in physical security
• Natural calamities & fire
So how do we overcome these problems?
User Responsibilities: Information Security Policy
IS Policy is approved by Top Management.
Policy is released on the Intranet at http://xx.xx.xx.xx/ISMS/index.htm
User Responsibilities: Access Control - Physical
Do:
• Follow security procedures
• Wear identity cards and badges
• Ask an unauthorized visitor for his credentials
• Attend visitors in the Reception and Conference Room only
Do not:
• Bring visitors into the operations area without prior permission
• Bring hazardous or combustible material into a secure area
• Practice “piggybacking”
• Bring and use pen drives, zip drives, iPods or other storage devices unless authorized to do so
User Responsibilities: Password Guidelines
Do:
• Always use a password of at least 8 characters combining letters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that you can easily remember
• Change your password regularly as per policy
• Use a password that is significantly different from earlier passwords
Do not:
• Use passwords that reveal your personal information or are words found in a dictionary
• Write down or store passwords
• Share passwords over phone or e-mail
• Use passwords that do not meet the above complexity criteria
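The guidelines above as a policy check a system could run when a password is set, added here as an example (illustration code, not the lecture's). The rules implemented are exactly the ones listed: minimum length 8, letters plus digits plus one of the listed special characters, no dictionary word or personal information, and a meaningful difference from earlier passwords. The word list and the similarity threshold are constructed assumptions; a real deployment would load a large dictionary and tune the threshold.

```python
"""Password-policy check for the guidelines on the slide
(added illustration, not the lecture's code)."""
import difflib
import string

SPECIALS = set("*%@#$^")   # the special characters the slide lists

# Constructed sample word list; a real check would load a full dictionary.
DICTIONARY = {"password", "welcome", "hanoi", "student", "summer"}


def check_password(candidate, personal_info=(), previous=(),
                   dictionary=DICTIONARY, min_distance=0.5):
    """Return the list of violated rules; an empty list means acceptable.
    `min_distance` is how different (0..1) the password must be from each
    earlier one, measured with a sequence-similarity ratio (assumed threshold)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in string.ascii_letters for c in candidate):
        problems.append("no letters")
    if not any(c in string.digits for c in candidate):
        problems.append("no digits")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character from * % @ # $ ^")
    lowered = candidate.lower()
    for word in dictionary:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for item in personal_info:          # e.g. name, birth year, employee id
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    for old in previous:
        ratio = difflib.SequenceMatcher(None, lowered, old.lower()).ratio()
        if ratio > 1 - min_distance:    # ratio 1.0 means identical
            problems.append("too similar to an earlier password")
            break
    return problems


if __name__ == "__main__":
    for pw, kwargs in [("Tq7#mLp9", {}),
                       ("hanoi2015", {}),
                       ("Tq7#mLp9!", {"previous": ["Tq7#mLp8"]}),
                       ("Vuong@2015x", {"personal_info": ["Vuong"]})]:
        print(f"{pw:12} -> {check_password(pw, **kwargs) or 'OK'}")
```

Checking against earlier passwords implies the system keeps them in some comparable form; storing old passwords in the clear to enable this check would violate the "do not store passwords" rule, so in practice the comparison is made only against the password being replaced, which the user has just typed.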
User Responsibilities: Internet Usage
The Technology Department continuously monitors Internet usage. Any illegal use of the Internet and other assets shall call for disciplinary action.
• Do not use the Internet for viewing, storing or transmitting obscene or pornographic material
• Do not use the Internet for accessing auction sites
• Do not use the Internet for hacking other computer systems
• Do not use the Internet to download or upload commercial software or copyrighted material
• Use Internet services for business purposes only
User Responsibilities: E-mail Usage
• Do not use your official ID for any personal subscription purpose
• Do not send unsolicited mails of any type, such as chain letters or e-mail hoaxes
• Do not send mails to clients unless you are authorized to do so
• Do not post non-business-related information to large numbers of users
• Do not open mail or attachments suspected to contain a virus or received from an unidentified sender
• Use official mail for business purposes only
• Follow the mail storage guidelines to avoid blocking of e-mails
• If you come across any junk or spam mail, do the following:
a) Remove the mail.
b) Inform the security help desk.
c) Inform the server administrator.
d) Inform the sender that such mails are undesired.
User Responsibilities: Security Incidents
Report security incidents (IT and non-IT) to the Helpdesk through:
• E-mail to [email protected]
• Telephone: xxxx-xxxx-xxxx
• Anonymous reporting through drop boxes
e.g. IT incidents: mail spamming, virus attack, hacking, etc. Non-IT incidents: unsupervised visitor movement, information leakage, bringing unauthorized media.
• Do not discuss security incidents with anyone outside the organisation
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents
User Responsibilities
• Ensure your desktop has the latest antivirus updates
• Ensure your system is locked when you are away
• Always store laptops and media in a lockable place
• Be alert while working on laptops during travel
• Ensure sensitive business information is under lock and key when unattended
• Ensure back-up of sensitive and critical information assets
• Understand compliance issues such as cyber law, IPR, copyrights, NDAs and contractual obligations with customers
• Verify credentials if a message is received from an unknown sender
• Always switch off your computer before leaving for the day
• Keep yourself updated on information security aspects
Disable non-essential services, protocols, processes and programs
Protocols, systems, and processes that are not in use still consume system resources and open avenues for attacks that could damage your systems.
If they are not being actively used, they are an unnecessary security risk.
The solution is simply to disable or deactivate the service, protocol, system, or process that is not needed.
But… Be Careful!
You need to understand what it is and what you are doing!
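A review of what is actually listening on a host, as an added example (illustration code, not the lecture's). The input is constructed in the column layout that `ss -tlnp` prints on Linux; the allowlist of (process, port) pairs is a hypothetical one the administrator of this host would maintain. Each listener not on the allowlist is reported, together with whether it is reachable from the network or bound to loopback only. In keeping with the warning above, nothing is switched off by the script: it produces the list a human then investigates and decides on.

```python
"""Review of listening services against an administrator's allowlist
(added illustration, not the lecture's code)."""
import re

# Constructed sample in the column layout of `ss -tlnp` (header line plus rows).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1023,fd=6))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1301,fd=5))
LISTEN 0      50     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1410,fd=4))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("in.telnetd",pid=1422,fd=3))
"""

# Hypothetical allowlist for this host: the (process, port) pairs it needs.
ALLOWED = {("sshd", 22), ("nginx", 80), ("postgres", 5432)}

# Addresses on which a listener is reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

PROC_RE = re.compile(r'\("([^"]+)"')   # the process name inside users:(("name",...))


def parse_listeners(text):
    """Return (process, address, port) for each LISTEN row; the header is skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        address, _, port = parts[3].rpartition(":")   # rpartition keeps IPv6 intact
        m = PROC_RE.search(line)
        listeners.append((m.group(1) if m else "?", address, int(port)))
    return listeners


def review(text, allowed=ALLOWED):
    """Listeners not on the allowlist, each with its exposure. A service bound
    to all interfaces is the one to look at first."""
    unexpected = []
    for proc, addr, port in parse_listeners(text):
        if (proc, port) in allowed:
            continue
        exposure = "loopback only" if addr in LOOPBACK else "all interfaces"
        unexpected.append({"process": proc, "port": port, "exposure": exposure})
    return unexpected


if __name__ == "__main__":
    for finding in review(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {finding['process']} on port "
              f"{finding['port']} ({finding['exposure']})")
```

The allowlist is the part that takes thought: it records what the host is for, and it is the reason the "be careful" warning can be honoured, since a service missing from the list is a question to answer, not an automatic stop.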
Example: FIT E-learning
[Diagram: Student V and Mr. T both reach FIT E-learning through ISPs A, B, C and D.]
Example: FIT E-learning
[Diagram: Student V sends “Hello, I’m V” to FIT E-learning across ISPs A, B, C and D.]
Tutorial
Using Wireshark to sniff the network traffic.
Let’s see if you can get some passwords?