the need for network security thanos hatziapostolou
TRANSCRIPT
THE NEED FORTHE NEED FORNETWORK SECURITYNETWORK SECURITY
Thanos Hatziapostolou
The Need for Web Security 2
PRESENTATION PRESENTATION OBJECTIVESOBJECTIVES
Understand information security services
Be aware of vulnerabilities and threats
Realize why network security is necessary
What are the elements of a comprehensive security program
The Need for Web Security 3
TRENDS FOR TRENDS FOR INFORMATIONINFORMATION
More information is being created, stored, processed and communicated using computers and networks
Computers are increasingly interconnected, creating new pathways to information assets
The threats to information are becoming more widespread and more sophisticated
Productivity, competitiveness, are tied to the first two trends
Third trend makes it inevitable that we are increasingly vulnerable to the corruption or exploitation of information
INFORMATION IS THE MOST VALUABLE ASSETINFORMATION IS THE MOST VALUABLE ASSET
The Need for Web Security 4
Information Security Information Security ServicesServices
Confidentiality Integrity Authentication Nonrepudiation Access Control Availability
The Need for Web Security 5
Information Security Services
Confidentiality Maintaining the privacy of data
Integrity Detecting that the data is not tampered with
Authentication Establishing proof of identity
Nonrepudiation Ability to prove that the sender actually sent the data
Access Control Access to information resources are regulated
Availability Computer assets are available to authorized parties
when needed
SERVICES
The Need for Web Security 6
Collection of networks that communicate with a common set of protocols (TCP/IP)
Collection of networks with no central control no central authority no common legal oversight or
regulations no standard acceptable use policy
“wild west” atmosphere
What Is The Internet?What Is The Internet?
The Need for Web Security 7
Why Is Internet Why Is Internet Security a Problem?Security a Problem?
Security not a design consideration
Implementing change is difficult
Openness makes machines easy targets
Increasing complexity
The Need for Web Security 8
Common Network Common Network Security ProblemsSecurity Problems
Network eavesdropping Malicious Data Modification Address spoofing
(impersonation) ‘Man in the Middle’ (interception) Denial of Service attacks Application layer attacks
The Need for Web Security 9
Security Incidents are Security Incidents are IncreasingIncreasing
Sophistication of Hacker Tools
19901980
Technical Knowledge Required
High
Low 2000 -from Cisco Systems
The Need for Web Security 10
HACKED WWW HOMEPAGESHACKED WWW HOMEPAGES
11/29/96
CIA HOMEPAGE
DOJ HOMEPAGE
USAF HOMEPAGE
The Need for Web Security 11
Problem is WorseningProblem is Worsening
60000
50000
40000
30000
20000
10000
19
88
19
89
19
90
19
91
19
92
19
93
19
94
19
95
19
96
19
97
19
98
19
99
20
00
20
01
Inte
r net
Secu
r ity
Vio
lat i
ons
Jerusalem
Tequila
Michelangelo
Good Times
Melissa & ILOVEYOU
Anna Kournikova
Code Red
Nimba
Badtrans
Source: CERT® Coordination Center Carnegie Mellon
The Need for Web Security 12
VIRUSESVIRUSES
Risk Threat Discovered Protection TROJ_SIRCAM.A New !! Latest
DATW32.Navidad 11/03/2000 11/06/2000 W95.MTX 8/17/2000 8/28/2000 W32.HLLW.QAZ.A 7/16/2000 7/18/2000 VBS.Stages.A 6/16/2000 6/16/2000 VBS.LoveLetter 5/04/2000 5/05/2000 VBS.Network 2/18/2000 2/18/2000 Wscript.KakWorm 12/27/199912/27/1999 W32.Funlove.4099 11/08/199911/11/1999 PrettyPark.Worm 6/04/1999
6/04/1999 Happy99.Worm 1/28/19991/28/1999
The Need for Web Security 13
Consider that…Consider that…
90% of companies detected computer security breaches in the last 12 months
59% cited the Internet as the most frequent origin of attack
74% acknowledged financial losses due to computer breaches
85% detected computer viruses
Source: Computer Security Institute
The Need for Web Security 14
WHO ARE THE OPPONENTS?
49% are inside employees on the internal network
17% come from dial-up (still inside people)
34% are from Internet or an external connection to another company of some sort
HACKERS
The Need for Web Security 15
HACKER MOTIVATIONSHACKER MOTIVATIONS Money, profit Access to additional resources Experimentation and desire to
learn “Gang” mentality Psychological needs Self-gratification Personal vengeance Emotional issues Desire to embarrass the target
The Need for Web Security 16
Internet Security?Internet Security?
Malicious Code
Malicious Code
Viruses
Worms
Buffer Overflows
Buffer Overflows
Session Hijacking
Port Scanning
Trojans
Denial of ServiceSpoofingSpoofing
Replay Attack
Man-in-the-middle
The Need for Web Security 17
What Do People Do When They Hear All These?
Take the risks!
But there are solutions
Ignoring the situation is not one of them
The Need for Web Security 18
THE MOST COMMON THE MOST COMMON EXCUSESEXCUSES
So many people are on the Internet, I'm just a face in the crowd. No one would pick me out.
I'm busy. I can't become a security expert--I don't have time, and it's not important enough
No one could possibly be interested in my information Anti-virus software slows down my processor speed too much. I don't use anti-virus software because I never open viruses or e-
mail attachments from people I don't know.
The Need for Web Security 19
SANS Five Worst Security SANS Five Worst Security Mistakes End Users MakeMistakes End Users Make
1. Opening unsolicited e-mail attachments without verifying their source and checking their content first.
2. Failing to install security patches-especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.
3. Installing screen savers or games from unknown sources.
4. Not making and testing backups. 5. Using a modem while connected through a
local area network.
The Need for Web Security 20
SECURITY SECURITY COUNTERMEASURESCOUNTERMEASURES
THREE PHASE APPROACH
PROTECTION
DETECTION
RESPONSE
The Need for Web Security 21
ELEMENTS OF A ELEMENTS OF A COMPREHENSIVE SECURITY COMPREHENSIVE SECURITY
PROGRAMPROGRAMHave Good PasswordsUse Good Antiviral ProductsUse Good CryptographyHave Good FirewallsHave a Backup SystemAudit and Monitor Systems and
NetworksHave Training and Awareness ProgramsTest Your Security Frequently
Principles
The Need for Web Security 22
CRYPTOGRAPHYCRYPTOGRAPHY
Necessity is the mother of invention, and computer networks are the mother of modern cryptography.
Ronald L. Rivest
Symmetric Key Cryptography
Public Key Cryptography
Digital Signatures
The Need for Web Security 23
FirewallFirewall
Visible IP Address
InternalNetwork
PC Servers
Host
A system or group of systems that enforces an access control policy between two networks.
The Need for Web Security 24
The Need for Web Security 25
THANK YOUTHANK YOU
I have questions…