Network Security

This text explores the concepts of network security, trust relationships, and risk assessment in designing a secure infrastructure for an organization. It covers topics like trusted locations, trusted partners, assessing risks, identifying vulnerabilities, and defending against threats. It also discusses defense in depth, technology controls, and hardening systems to protect assets from breaches.

jlindahl

Presentation Transcript


  1. Network Security

  2. Trust Relationships (Trust Zones)
     • High trust (internal ) = f c (once you gain access); g p
     • Low trust () = more controls; fewer privileges
     • Trusted locations are systems
     • V partners are semi-trusted entities. You would give them access to non-publicly available systems after being .
     • Customers are entities. After authentication, they can be given access to publicly available systems.

  3. Assessing the Risks
     • The first stage of designing security infrastructure for your organization is to that you might want to protect and to the organization if that asset is compromised.
     • Once you identify what needs to be protected, you then need to ask what you need to .
     • Conduct a comprehensive risk assessment to:
       • Identify all potential vulnerabilities
       • Assess the likelihood that they will be compromised.
       • Determine the impact/cost that will be incurred if the asset is compromised.
     • Likelihood and impact are then combined to identify major inherent security risks.

  4. Threats
     • Object, person, or other entity that represents a constant danger to an asset
     • Human error
     • Acts of Nature
     • Technical hardware or software failures – yours, a service provider’s
     • Deliberate Acts (attacks) – Sabotage, Vandalism, theft, software attacks (hacking, viruses, worms)

  5. Defense in depth
     • Defense in depth
       • Implementation of security so that multiple layers of defense have to be circumvented to gain access to internal information and assets
       • Requires that the organization establish sufficient security controls and safeguards so that an intruder faces . If one layer of security is breached, there will be another layer of security with
     • P and security are BOTH important.
     • How does a bank protect its assets?

  6. Figure 5-15 – Spheres of Security
     • IDS = Intrusion Detection System
     • IR = Incident Response
     • DR = Disaster Recovery
     • BC = Business Continuity planning

  7. Technology Controls
     • Access Controls – multiple levels – networks, systems, data
     • Intrusion Detection Systems
     • Disconnection
     • Monitoring Systems/Logging of User Activity
     • Proxy Servers
     • Firewalls
     • Encryption – in storage, in transmission
     • Backups
     • Antivirus
     • Redundant Systems
     • Patches and Upgrades

  8. Definitions not found in CyberProtect Information
     • F : device that selectively discriminates against information flowing into or out of the organization
     • Proxy Server: a separate computer that relays requests from an application to an untrusted zone, and receives responses before forwarding them back to the application.

  9. Hardened Systems – Refers to stability and impenetrability of the operating system.
     Step 1 – Secure the Core Operating System
     • Eliminate unneeded services
     • Patch Management (both OS and Applications)
     • Avoid Unencrypted Protocols
     • Ensure Virus Protection
     • Rename Administrator Accounts
     • Change Default passwords
     • Disable Guest Accounts
     • Do not allow anonymous FTP
     • Control remote access to system logs
     • Increase size of log files
     • File, Directory and other permissions.
     • Display a warning message for remote access

  10. Hardened Systems
      • Step 2 – Apply Concept of – “Each subject should be granted the most restrictive set of privileges needed for the performance of authorized tasks.” Usually accomplished through access control lists that are role-based.
      • Allow users only the system access that they specifically require to perform their role within the organization.
      • D

  11. Hardened Systems
      • Step 3 - Separation of Duties – Cannot create new users, grant them access and activate their accounts.
      • Similar to NOT having the person who orders something also being the person responsible for receiving the goods.
      • This ensures that , and therefore reduces the risk of
      • Any local examples you can think of?
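
The Step 3 rule above, checked against an account-provisioning audit log. This is an added example, not part of the original slides; the log format, the action names and the `partial` severity (one administrator doing two of the three steps, stricter than the slide's rule) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample audit log: timestamp, acting admin, action, target account.
# The line format and action names are assumptions made for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:12Z admin=alice action=create_user target=jsmith
2024-03-01T09:05:40Z admin=bob action=grant_access target=jsmith
2024-03-01T09:30:02Z admin=carol action=activate_account target=jsmith
2024-03-02T14:10:00Z admin=dave action=create_user target=tmp_svc
2024-03-02T14:10:31Z admin=dave action=grant_access target=tmp_svc
2024-03-02T14:11:05Z admin=dave action=activate_account target=tmp_svc
2024-03-03T08:00:00Z admin=alice action=create_user target=mlee
2024-03-03T08:20:00Z admin=alice action=grant_access target=mlee
2024-03-03T11:45:00Z admin=bob action=activate_account target=mlee
malformed line without fields
"""

# The three duties the slide says one person must not hold together.
PROVISIONING_STEPS = {"create_user", "grant_access", "activate_account"}

def parse_line(line):
    """Return (admin, action, target), or None for lines that do not parse."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"admin", "action", "target"} <= fields.keys():
        return None
    return fields["admin"], fields["action"], fields["target"]

def separation_of_duties_findings(log_text, max_steps_per_admin=1):
    """Report accounts where one admin performed more provisioning steps than allowed."""
    steps = defaultdict(lambda: defaultdict(set))  # target -> admin -> steps done
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in PROVISIONING_STEPS:
            admin, action, target = parsed
            steps[target][admin].add(action)
    findings = []
    for target, by_admin in sorted(steps.items()):
        for admin, done in sorted(by_admin.items()):
            if len(done) > max_steps_per_admin:
                # "violation": one admin did all three steps (the slide's rule).
                severity = "violation" if done == PROVISIONING_STEPS else "partial"
                findings.append((target, admin, severity, sorted(done)))
    return findings

if __name__ == "__main__":
    for finding in separation_of_duties_findings(SAMPLE_LOG):
        print(finding)
```

Passing `max_steps_per_admin=2` reports only accounts where a single administrator completed the whole chain.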
