1 / 41

Information Security

Information Security. Chapter 13. Objectives. In this chapter, you will learn to: List the key steps in assessing information security risks Explain the elements and purpose of a security policy

evangeline-cortez
Download Presentation

Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security Chapter 13

  2. Objectives In this chapter, you will learn to: • List the key steps in assessing information security risks • Explain the elements and purpose of a security policy • Describe strategies for minimizing common security risks associated with people, passwords, physical security, and modem access • Discuss the most popular, current methods of encrypting data

  3. Objectives In this chapter, you will learn to: • Identify security threats to public and private telephone networks and discuss ways to prevent them • Identify security threats to LAN- and WAN-based telecommunications and discuss ways to prevent them • Identify security threats to wireless telecommunications and discuss ways to prevent them

  4. Risk Assessment • A thorough analysis of an organization’s vulnerability to security breaches and an identification of its potential losses. • A risk assessment should answer the following questions: • What resources or assets are at risk? • What methods could be taken to compromise those resources? • Who or what are the most likely threats to resources? • What is the probability that the organization or its resources will be compromised? • What are the consequences of those resources being compromised?

  5. Risk Assessment

  6. Security Policy Goals • Ensuring that authorized users have appropriate access to the resources they need • Preventing unauthorized users from gaining access to facilities, cabling, devices, systems, programs, or data • Protecting sensitive data from unauthorized access, from individuals both internal and external to the organization • Preventing accidental or intentional damage to hardware, facilities, or software • Creating an environment in which the network and its connected nodes can withstand and, if necessary, quickly respond to and recover from any type of threat

  7. Security Policy Content • Subheadings for security policy content: • Password policy • Software installation policy • Confidential and sensitive data policy • Network access policy • Telephone use policy • E-mail use policy • Internet use policy • Remote access policy; • Policies for connecting to remote locations, the Internet, and customers’ and vendors’ networks; • Policies for use of laptops and loaner machines; and Cable Vault and Equipment room access policy.

  8. Response Policy • Suggestions for team roles: • Dispatcher: the person on call who first notices or is alerted to the problem. • Manager - The team member who coordinates the resources necessary to solve the problem. • Technical support specialists - The team members who strive to solve the problem as quickly as possible. • Public relations specialist - The team member who acts as official spokesperson for the organization to the public.

  9. Human Error, Ignorance, and Omission • These cause more than half of all security breaches sustained by voice and data networks. • Social engineering - involves manipulating social relationships to gain access to restricted resources. • The best way to counter social engineering is to educate all employees to ask the supposed technician for his telephone number, agreeing to call him back with the information.

  10. Human Error, Ignorance, and Omission • Risks include: • Intruders or attackers using social engineering or snooping to obtain user passwords. • Network administrators overlooking security flaws in network design, hard-ware configuration, operating systems, or applications. • Network administrators overlooking security flaws in network design, hard-ware configuration, operating systems, or applications. • An unused computer or terminal left logged on to the network, thereby providing an entry point for an intruder. • Users or administrators choosing easy-to-guess passwords.

  11. Passwords • Guidelines for choosing passwords: • Always change system default passwords after installing new programs or equipment. • Do not use familiar information, such as your birth date, anniversary, pet’s name, child’s name, etc. • Do not use any word that might appear in a dictionary. • Make the password longer than six characters - the longer, the better. • Change your password at least every 60 days, or more frequently, if desired.

  12. Physical Security • Locations on voice and data networks that warrant physical security: • Inside a central office or POP: • Cable vaults • Equipment rooms • Power sources (for example, a room of batteries or a fuel tank) • Cable runs (ceiling and floor) • Work areas (anyplace where networked workstations and telephones are located)

  13. Physical Security • Locations on voice and data networks that warrant physical security: • Outside telecommunications facilities: • Serving area interfaces and remote switching facilities • Exterior cross-connect boxes • Wires leading to or between telephone poles • Base stations and mobile telephone switching offices used with cellular telephone networks • Inside a business: • Entrance facilities • Equipment room (where servers, private switching systems, and connectivity devices are kept) • Telecommunications closet

  14. Physical Security

  15. Physical Security • Relevant questions: • Which rooms contain critical systems, transmission media, or data and need to be secured? • How and to what extent are authorized personnel granted entry? • Are authentication methods (such as ID badges) difficult to forge or circumvent? • Do supervisors or security personnel make periodic physical security checks? • What is the plan for documenting and responding to physical security breaches?

  16. Modem Access • Modems are notorious for providing hackers with easy access to networks. • Although modem ports on connectivity devices can open access to significant parts of a network, the more common security risks relate to modems that users attach directly to their workstations. • When modems are attached directly to networked modems, they essentially provide a back door into the network. • War dialers - computer programs that dial multiple telephone numbers in rapid succession, attempting to access and receive a handshake response from a modem.

  17. Encryption • The use of an algorithm to scramble data into a format that can be read only by reversing the algorithm. • Encryption ensures that: • Data can only be viewed and voice signals can only be heard by their intended recipient (or at their intended destination). • Data or voice information was not modified after the sender transmitted it and before the receiver picked it up. • Data or voice signals received at their intended destination were truly issued by the stated sender and not forged by an intruder.

  18. Key Encryption

  19. Private Key Encryption

  20. Public Key Encryption • Data is encrypted using two keys: One is a key known only to a user (a private key) and the other is a public key associated with the user. • Public-key server - a publicly accessible host (often, a server connected to the Internet) that freely provides a list of users’ public keys. • Key pair - The combination of the public key and private key . • Digital certificate - a password-protected and encrypted file that holds an individual’s identification information, including a public key.

  21. Public Key Encryption

  22. Encryption Methods • Kerberos - a cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system. • PGP (Pretty Good Privacy) - a public key encryption system that can verify the authenticity of an e-mail sender and encrypt e-mail data in transmission. • IPSec (Internet Protocol Security) - defines encryption, authentication, and key management for TCP/IP transmissions.

  23. Encryption Methods • SSL (Secure Sockets Layer) - a method of encrypting TCP/IP transmissions between a client and server using public key encryption technology. • When a Web page’s URL begins with the prefix HTTPS, it is requiring that its data be transferred from server to client and vice versa using SSL encryption. • Each time a client and server establish an SSL connection, they also establish a unique SSL session. • Handshake protocol - authenticates the client and server to each other and establishes terms for how they will securely exchange data.

  24. Eavesdropping • The use of a transmission or recording device to capture conversations without the consent of the speakers. • Eavesdropping can be accomplished in one of four ways: • Bugging • Listening on one of the parties’ telephone extensions • Using an RF receiver to pick up inducted current near a telephone wire pair • Wiretapping, or the interception of a telephone conversation by accessing the telephone signal

  25. Eavesdropping

  26. Private Switch Security • A hacker might want to gain access to a PBX in order to: • Eavesdrop on telephone conversations, thus obtaining proprietary information • Use the PBX for making long-distance calls at the company’s expense, a practice known as toll fraud • Barrage the PBX with such a high volume of signals that it cannot process valid calls, a practice known as a denial-of-service attack • Use the PBX as a connection to other parts of a telephone network, such as voice mail, ACD, or paging systems

  27. Voice Mail Security • Voice mail - the service that allows callers to leave messages for later retrieval, is a popular access point for hackers. • If a hacker obtains access to a voice mail system’s administrator mailbox, she can set up additional mailboxes for her private use. Valid voice mail users will never notice. • Privacy breaches - if a hacker guesses the password for a mailbox, she can listen to the messages in that user’s mailbox.

  28. Telecommunications Firewall • A type of fire-wall that monitors incoming and outgoing voice traffic and selectively blocks telephone calls between different areas of a voice network. • Performs the following functions: • Prevents incoming calls from certain sources from reaching the PBX • Prevents certain types of outgoing calls from leaving the voice network • Prevents all outgoing calls during specified time periods • Collects information about each incoming and outgoing call • Detects signals or calling patterns characteristic of intrusion attempts, immediately terminates the suspicious connection, and then alerts the system administrator of the potential breach

  29. Telecommunications Firewall

  30. Network Operating System • To begin planning client-server security, every network administrator should understand which resources on the server all users need to access. • Network administrators typically group users according to their security levels as this simplifies the process of granting users rights to resources. • Besides establishing client rights and restrictions to network resources, a network administrator must pay attention to security precautions when installing and using the network operating system. • A vigilant network administrator will also take care to keep her servers’ NOS software current.

  31. Network Operating System • Restrictions that an administrator may use to protect network resources include: • Time of day - Use of logon IDs can be valid only during specific hours, for example, between 8:00 A.M. and 5:00 P.M. • Total time logged in - Use of logon IDs may be restricted to a specific number of hours per day. • Source address - Use of logon IDs can be restricted to certain workstations or certain areas of the network • Unsuccessful logon attempts - As with PBX security, use of data network security allows administrators to block a connection after a certain number of unsuccessful logon attempts.

  32. Security Through Network Design • Risks inherent in data network hardware and design: • Transmissions can be intercepted • Leased lines are vulnerable to eavesdropping • Shared media and broadcast traffic allow data capture • Device ports can be exploited • Private IP addresses can be exploited • Private and public hosts on the same network

  33. Firewall • Packet-filtering firewall - a device that operates at the Data Link and Transport layers of the OSI model.

  34. Firewall • Criteria used to accept or deny data include: • Source and destination IP addresses • Source and destination ports • Use of the TCP, UDP, or ICMP transport protocols • A packet’s status as the first packet in a new data stream or a subsequent packet • A packet’s status as inbound or outbound to or from a private network

  35. Firewall • Factors to be considered when choosing a firewall: • Does the firewall support encryption? • Does the firewall support user authentication? • Does the firewall allow the network administrator to manage it centrally and through a standard interface? • How easily can you establish rules for access to and from the firewall? • Does the firewall support filtering at the highest layers of the OSI model, not just at the Data Link and Transport layers?

  36. Proxy Servers • Proxy server (Gateway) - the network host that runs the proxy service. • Proxy servers manage security at all layer’s of the OSI model. • On a network, a proxy server is placed between the private and public parts of a network. • Proxy service - a software application on a network host that acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic.

  37. Proxy Servers

  38. Virtual Private Networks (VPNs) • Private networks that uses public channels to connect clients and servers. • Point-to-Point Tunneling Protocol (PPTP) - A Layer 2 protocol that encapsulates PPP so that any type of data can traverse the Internet, masked as pure IP transmissions. • Layer 2 Tunneling Protocol (L2TP) - an enhanced version of L2F that, like L2F, supports multiple protocols. • does not require costly hardware upgrades to implement • optimized to work with the next generation of IP (IPv6) and IPSec

  39. Cellular Network Security • Hackers intent on obtaining private information can find ways to listen in on cellular conversations. • Potentially more damaging than eavesdropping is cellular telephone fraud. • cellular telephone cloning - occurs when a hacker obtains a cellular telephone’s electronic serial number (ESN), and then reprograms another handset to use that ESN. • To combat cloning fraud, cellular telephones that use CDMA and TDMA technology transmit their ESN numbers in encrypted form.

  40. Wireless WAN Security • War driving - searching for unprotected wireless networks by driving around with a laptop configured to receive and capture wireless data transmissions. • Wired Equivalent Privacy (WEP) standard - a key encryption technique that assigns keys to wireless nodes. • Extensible Authentication Protocol (EAP) - defined by the IETF in RFC 2284. • Does not perform encryption. Instead, it is used with separate encryption and authentication schemes.

  41. Summary • In a risk assessment, an organization analyzes its valuable assets, ways in which the assets might be compromised, the sources of threats to those assets, and the consequences that would arise if those assets were stolen or damaged. • Key goals of a security policy include: preventing unauthorized users from gaining access to facilities, cabling, devices, systems, programs, or data, and preventing accidental or intentional damage to hardware, facilities, or software; • Encryption acts as the last means of defense against information eavesdropping, theft, or tampering.

More Related