Chapter Six: IT Networks and Telecommunications Risks

Uploaded by marsha-wilkins, posted 27-Dec-2015


Page 1: Chapter Six, IT Networks and Telecommunications Risks

Page 2: Lecture Outline

– Network and Telecommunications Technology
– Risks to IT Network and Telecommunications Systems
– IT Network and Telecommunications Security
– Auditing Network Security

Page 3: Network & Telecommunications Technologies

Network Components
– Computers and terminals
– Telecommunications channels: physical and wireless
  » Physical: twisted-pair wire, coaxial cable, fiber optic
  » Wireless: microwaves, infrared light, light pulses
  » Vary in speed and capacity

Page 4: Network Types

– Distance: LAN vs. WAN
– Ownership: Internet, intranet, extranet
– Client/server networks
– Network topology
  » Star
  » Bus
  » Ring

Page 5: Network Protocols and Software

– Protocol: standardized rule sets that control network communications among hardware and software from different vendors
– Open Systems Interconnection (OSI) model: a standard architecture for networking that allows different computers to communicate across networks
– Network and telecommunications software: network OS, network management software, middleware, web browsers, e-mail software

Page 6: IT Network and Telecommunications Risks

Social Engineering
– Use of social skills to obtain confidential information or unauthorized access by persuading insiders to provide access
– A form of manipulation and trickery that relies on behaviors such as fear of getting into trouble or an inclination to help someone
– Vulnerability points: security administrators, technical support personnel, security guards, administrative assistants

Page 7: Physical Infrastructure Threats

– The elements
  » Fire, air, and water
  » Make sure computers aren't located close to places with higher risk
– Natural disasters
  » Floods, earthquakes, tornadoes, hurricanes, etc.
  » Avoid locating networks in high-risk areas
– Power supply
  » Backup power supplier, uninterruptible power supply (UPS)
– Intentional human attacks
  » Terrorist attack
  » Company insiders' attack: must have well-documented policies

Page 8: Programmed Threats

– Viruses, worms, Trojan horses
– Hoaxes: e-mail messages that instruct a user to delete certain files as a security precaution against viruses or programmed threats
– Blended threats: combinations of multiple programmed threats
– Help
  » Antivirus software, updated regularly
  » Caution in opening unknown e-mail with attachments
  » Warn about downloading freeware or shareware
  » Incident Response Plan, in case of a programmed threat outbreak

Page 9: Denial of Service Attacks

– System is tied up in such a way that it is unable to perform its functions
– Causes embarrassment and financial loss for the target
– DDoS: attack launched from a variety of sources
– DoS attack: using up the maximum number of network connections so that new users can't obtain access, overloading primary memory, and infecting file systems with unnecessary or incorrect data
– Countermeasures: use firewalls, intrusion detection systems and penetration testing; establish network connection time-outs

Page 10: Software Vulnerabilities

– Holes in applications and operating systems
– Programming errors
– Holes created to allow programmers quick access for debugging software
– Errors in configuring software
– IT auditors can check a network system for application holes as part of penetration testing

Page 11: IT Network and Telecommunications Security

Network security administration
– The network security administrator is responsible for
  » creating a network security plan
  » developing and communicating a security policy for network resources
    - responsibilities of each party and their privileges
  » password management
    - passwords are kept in encrypted files and protected
    - user identifications and passwords are removed for those no longer employed
    - default passwords are changed

Page 12: Authentication and Encryption

Authentication
– Process of ensuring that users are who they claim to be
– Generally verified by
  » What you have: key or smart card for physical access
  » What you know: password
  » Who you are: biometrics such as fingerprint, voice, retina

Encryption
– Scrambling data so that anyone who views it won't be able to make sense of it without the decryption key
– Main types: secret key and public key cryptography

Page 13: Secret Key and Public Key Cryptography

– Secret key cryptography
  » Sender and receiver use the same key to code and decode the message
  » Problem: both must agree on the key and both need to obtain it
– Public key cryptography
  » Uses a private/public key pair
  » One key for encrypting the message and another for decrypting it
  » Both keys are issued at the same time and certified by a certificate authority
  » The public key is widely available and can be transmitted across public networks
  » Only the intended receiver can decrypt the message, using the private key

Page 14: Public Key Cryptography for Authentication

  » Public key cryptography can also be used for authentication
    - The sender signs the message with a digital signature, which is an encryption of the message with the sender's private key.
    - The recipient verifies the signature through an algorithm that takes the message, the signature, and the sender's public key.
  » Public and private keys and digital certificates are available from certificate authorities such as VeriSign and Thawte.
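The sign-then-verify exchange described on this slide, as an added example that is not part of the original lecture. It is a deliberately tiny textbook RSA built from two fixed (constructed, far too small) primes so that it runs with only the Python standard library; the private key is applied to a hash of the message, as real signature schemes do, and a real system would use a vetted library, large keys and a padding scheme.

```python
import hashlib

# Constructed key pair: two fixed primes (toy sized; real keys are 2048 bits or more).
P, Q = 1_000_000_007, 998_244_353
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_digest(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest into the modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: tuple) -> int:
    """Sender: 'encrypt' the message digest with the private key."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Recipient: recover the digest with the public key and compare it with
    a fresh digest of the received message. Any change to the message, the
    signature or the key makes the comparison fail."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


if __name__ == "__main__":
    msg = b"Transfer 1,000 to account 42"        # constructed message
    sig = sign(msg, PRIVATE_KEY)
    print("genuine message verifies:", verify(msg, sig, PUBLIC_KEY))
    print("altered message verifies:", verify(msg + b"0", sig, PUBLIC_KEY))
```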

Page 15: Firewalls

– Combine software and hardware to control outside access to an entity's telecommunications network
– Software specifies filters controlling entry to the network
– Can be placed at various levels to block traffic to networks or applications
– Choose based on
  » Architecture
    - Single-layered: uses only one network host for all firewall functions; the firewall host is placed between the internal network and the Internet
    - Multiple layers: two or more hosts provide the firewall functions; a combination of inner and outer firewall hosts

Page 16: Firewalls (continued)

  » Functionality
    - Packet filtering routers
      · Examine incoming IP packets according to a set of filtering rules
      · Then forward or reject each packet
    - Application-level firewalls / proxy servers
      · More security than packet filters
      · There is never a real connection between sender and receiver
      · The firewall acts as a proxy, or substitute, for the receiver
      · Secure but expensive
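An added example, not from the lecture, of the packet-filtering logic described above: a rule set is checked in order against each incoming packet, the first matching rule decides whether it is forwarded or rejected, and an unmatched packet is rejected (default deny). The addresses (RFC 5737 documentation ranges), ports and rules are constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    protocol: str                # "tcp", "udp" or "any"
    source: str                  # CIDR network the source address must fall in
    destination: str             # CIDR network the destination must fall in
    dst_ports: Optional[range]   # None means any destination port


class Packet(NamedTuple):
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed rule set protecting an internal web server at 192.0.2.10.
RULES = [
    Rule("deny",   "any", "192.0.2.0/24",    "0.0.0.0/0",     None),            # internal source arriving from outside: spoofed
    Rule("permit", "tcp", "0.0.0.0/0",       "192.0.2.10/32", range(443, 444)), # HTTPS from anywhere
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.10/32", range(22, 23)),   # SSH only from the admin network
    Rule("deny",   "any", "0.0.0.0/0",       "0.0.0.0/0",     None),            # explicit default deny
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.protocol not in ("any", pkt.protocol):
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.source):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.destination):
        return False
    return rule.dst_ports is None or pkt.dst_port in rule.dst_ports


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return 'forward' or 'reject' for the packet using first-match semantics."""
    for rule in rules:
        if matches(rule, pkt):
            return "forward" if rule.action == "permit" else "reject"
    return "reject"   # nothing matched: a filtering router should still drop it
```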

Page 17: Intrusion Detection Systems and Penetration Testing

Intrusion Detection Systems
– Log and monitor activity
– May be included in a firewall package or stand alone
– Only report an attack; powerless to stop it
– Many types, varying in level of sophistication

Penetration Testing
– To learn about the logical access vulnerabilities in an information system
– Four general penetration testing tools: war dialing, port scanning, sniffing, password cracking

Page 18: Penetration Testing Tools

– War dialing
  » Requires only a phone line, a modem and war dialing software
  » The software randomly dials phone numbers until it locates an open modem connection
  » Once connected, the penetration tester will attempt to access the network through password cracking
– Port scanning
  » Hackers and penetration testers scan ports to find out which network services a particular system provides
  » To scan ports, a hacker probes a system by sending separate messages to each port
  » The responses tell the potential intruder which ports are used and which are open
  » Countermeasure: disable unused ports that are open
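The detection side of port scanning, as an added example that is not part of the lecture: the kind of rule an intrusion detection system (page 17) applies to firewall logs, reporting a source that touches many distinct ports on one host within a short window. The log format, addresses, window and threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines: "timestamp action proto src_ip dst_ip dst_port"
LOG_LINES = """\
2015-12-27T10:00:01 DENY tcp 203.0.113.7 192.0.2.10 21
2015-12-27T10:00:01 DENY tcp 203.0.113.7 192.0.2.10 22
2015-12-27T10:00:02 DENY tcp 203.0.113.7 192.0.2.10 23
2015-12-27T10:00:02 DENY tcp 203.0.113.7 192.0.2.10 25
2015-12-27T10:00:03 DENY tcp 203.0.113.7 192.0.2.10 80
2015-12-27T10:00:03 DENY tcp 203.0.113.7 192.0.2.10 110
2015-12-27T10:00:04 PERMIT tcp 203.0.113.7 192.0.2.10 443
2015-12-27T10:00:09 PERMIT tcp 198.51.100.4 192.0.2.10 443
2015-12-27T10:05:00 PERMIT tcp 198.51.100.4 192.0.2.10 443
2015-12-27T10:30:00 DENY tcp 198.51.100.4 192.0.2.10 22
""".splitlines()


def parse(line: str):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, _action, _proto, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Return {(src, dst): sorted ports} for every source that probed at least
    min_ports distinct ports on one host inside a sliding window of
    window_seconds. Both permitted and denied probes count: a scan is about
    the pattern, not about whether any single packet got through."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse(line)
        events[(src, dst)].append((ts, port))
    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while (ts - hits[start][0]).total_seconds() > window_seconds:
                start += 1                      # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.setdefault(key, set()).update(ports)
    return {k: sorted(v) for k, v in alerts.items()}
```

Each alert is a report only, in keeping with the slide's point that an IDS reports an attack but does not stop it.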

Page 19: Penetration Testing Tools (continued)

– Sniffing
  » A program used to capture data transmitted across a network
  » Most common use is for capturing user IDs and passwords
– Password crackers
  » Guess passwords
  » Approaches
    - Dictionary: match the password against all terms in a standard dictionary
    - Hybrid: modifies dictionary words
    - Brute force: tries complex sequences of letter and number combinations
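An added example, not from the lecture, of the defensive counterpart to the three cracking approaches above and to the password-management duties on page 11: a policy check a security administrator can run before accepting a password. It rejects dictionary words, their common hybrid variants (case changes, trailing digits or punctuation, letter-for-digit substitutions), vendor default passwords, and anything short enough to brute-force; the word list, default list and minimum length are constructed for the example.

```python
import re

# Constructed stand-ins for a standard dictionary and a vendor default-password list.
DICTIONARY = {"password", "welcome", "dragon", "summer", "letmein", "monkey"}
VENDOR_DEFAULTS = {"admin", "cisco", "public", "changeme"}
# Undo the usual letter-for-symbol substitutions: @->a 4->a 3->e 1->i !->i $->s 0->o 5->s
LEET = str.maketrans("@431!$05", "aaeiisos")
MIN_LENGTH = 12   # constructed policy value


def base_word(candidate: str) -> str:
    """Reverse hybrid mutations to recover the dictionary word a cracker would
    have started from: lower-case, drop trailing digits/punctuation, then map
    substituted symbols back to letters ('Dr4gon2015!' -> 'dragon')."""
    word = re.sub(r"[^a-z]+$", "", candidate.lower())
    return word.translate(LEET)


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (brute force)")
    if candidate.lower() in VENDOR_DEFAULTS:
        problems.append("vendor default password")
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word")
    else:
        root = base_word(candidate)
        if root in DICTIONARY:
            problems.append(f"hybrid variant of dictionary word '{root}'")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Dr4gon2015!", "ChangeMe", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```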

Page 20: Auditing Network Security

Risk assessment and best practices
– Evaluate whether the controls in place provide sufficient protection

Benchmark tools
– Windows 2000 Benchmark: lets users evaluate their security settings against the Center for Internet Security (CIS) benchmark

IT audit programs for network security