
Network Security Risks IS Auditor Role - PowerPoint PPT Presentation



PowerPoint Slideshow about 'Network Security Risks IS Auditor Role' - paul


Presentation Transcript

IS Auditor Role

  • Collect evidence to ascertain an entity's ability to:

    • Safeguard assets

    • Provide data integrity

    • Efficiency of systems

    • Effectiveness of systems


Networks Are Vulnerable to Attack

  • Hackers / Crackers

  • Terrorists

  • Insiders

  • Logical Attack

  • Physical Attack

  • http://www.msnbc.com/news/482181.asp#BODY

$, trust, secrets, infrastructure

Financial Transactions-$Trillions/year EFT/Credit Card

Pentagon – 500,000 attempted attacks/year

Microsoft – Hacked

Denial of Service – February

Melissa – I Love You




[Slide 6 diagram: WAN, fault tolerance, ISP 2]


Routers, Firewalls, Gateways

  • Firewalls - hardware/software used to protect assets from untrusted networks

  • Gateway/proxy server allow information to flow between internal and external networks but do not allow the direct exchange of packets

  • DMZ - isolates internal network from vulnerable web servers

  • Router - manages network traffic, forwards packets to their correct destination by the most efficient path

  • Filters packets by a pre-determined set of rules

  • IP source address, IP destination address, source port, and destination port

  • Are only as secure as quality of rule set designed
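
The rule-set point above, as an added example that is not part of the original presentation: a first-match packet filter over source address, destination address, source port and destination port, with a check for rules that an earlier, broader rule makes unreachable. The `Rule` class, the function names and the addresses (documentation ranges standing in for a DMZ and an outside host) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = range(0, 65536)

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # source network, CIDR
    dst: str                  # destination network, CIDR
    sport: range = ANY_PORT   # source ports
    dport: range = ANY_PORT   # destination ports

    def matches(self, src, dst, sport, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and sport in self.sport and dport in self.dport)

def decide(rules, packet):
    """First matching rule wins; a packet matching no rule is denied."""
    for i, rule in enumerate(rules):
        if rule.matches(*packet):
            return rule.action, i
    return "deny", None

def _within(inner, outer):
    return inner.start >= outer.start and inner.stop <= outer.stop

def shadowed(rules):
    """Indexes of rules that can never fire: an earlier rule matches everything they do."""
    def covers(a, b):
        net = ipaddress.ip_network
        return (net(b.src).subnet_of(net(a.src)) and net(b.dst).subnet_of(net(a.dst))
                and _within(b.sport, a.sport) and _within(b.dport, a.dport))
    return [j for j, b in enumerate(rules) if any(covers(a, b) for a in rules[:j])]

# Constructed sample data: 192.0.2.0/24 stands in for a DMZ, 198.51.100.7 for an outside host.
WEAK = [
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24"),                    # too broad, and first
    Rule("deny", "0.0.0.0/0", "192.0.2.0/24", dport=range(23, 24)),  # telnet block, never reached
]
FIXED = [
    Rule("deny", "0.0.0.0/0", "192.0.2.0/24", dport=range(23, 24)),     # telnet blocked first
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", dport=range(25, 26)),  # SMTP to one mail host
]
TELNET = ("198.51.100.7", "192.0.2.10", 40000, 23)
SMTP = ("198.51.100.7", "192.0.2.10", 40000, 25)

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(name, decide(rules, TELNET), decide(rules, SMTP), "shadowed:", shadowed(rules))
```

With the weak ordering the telnet packet is permitted by rule 0 and the deny rule is reported as shadowed; an auditor reviewing a rule set can run the same check to find rules that look protective but never take effect.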


TCP/IP Internet Protocol

  • IP - standard for internet message exchange

    • Does not guarantee delivery of packets

    • Packets using IP travel similarly to a post card

    • Does not provide for data integrity or timeliness, security, privacy or confidentiality

  • TCP, with error correction services is stacked on top of IP to form TCP/IP

  • Port – address on host where application makes itself available to incoming data

    • 23 – telnet

    • 25 - SMTP

  • Packet – unit of information transmitted as a whole, inc. source and destination address

  • IP address – unique 32 bit number - 4 octets separated by periods

    • 144.92.43.178

  • InterNIC



Authentication

  • Something you have

    • Smart card

  • Something you are

    • Biometric devices

  • Something you know

    • Password


Authentication Devices

  • Secure ID tokens

    • something you have-token

    • something you know- pin used to generate password that changes once a minute

  • Biometric devices

    • Retinal scan

    • Fingerprints

    • Voice recognition

    • Facial recognition


Passwords

  • Proper maintenance & procedures essential

  • Post-it notes - on monitors and under keyboards ?

  • Longer than 8 characters

  • Not comprised of English words

  • Include special characters

  • Change regularly

  • L0pht crack (L0phtCrack)


Symmetric Encryption

  • Secret key used for encryption and decryption is identical

  • Alice and Bob must exchange the secret key in advance

  • Impractical for large numbers of people to securely exchange shared secret keys


Asymmetric Encryption

  • Public-private key pairs, used to overcome the problem of shared secret keys

  • Owner of the key knows private key

  • Public key is shared with everyone

  • Message confidentiality - Bob encrypts a message with Alice’s public key and on receipt Alice decrypts the message with her private key


Encryption of data

  • Keys / Cipher length is important

  • Expressed in bits

  • 40 bit cipher can be broken in 3.5 hrs

  • 56 bit - 22 hours 15 min,

  • 64 bit - 33-34 days,

  • 128 bit - > 2000 years



Message encryption

Message confidentiality

Message integrity

Authentication

Nonrepudiation

Digital signature

Message Digest


Securing Transactions

  • Data theft

    • Customer lists, engineering blueprints and other company secrets

    • Company assets vulnerable since connected to public networks

    • Cracker Kevin Mitnick stole plans for Motorola’s StarTac

    • Used IP spoofing

  • Theft of money

    • German Chaos Computer Club

    • used an Active X control to schedule transfer of money from the victim’s online bank account to numbered bank account controlled by crackers


Stored Account System

  • Similar to existing debit/credit card systems

  • Use existing infrastructure/payment systems based on electronic funds transfer

  • Use settlement houses/clearing houses

  • Highly accountable and traceable

  • Traceable - raise privacy concerns “big brother”

  • Slow and expensive online verification is necessary

  • SET - secure electronic transaction, CyberCash


Stored Value Systems – E-cash

  • Private, no approval from bank needed

  • Security stakes are high

    • Counterfeiting

    • Absence of control & auditing

  • Potentially $8 trillion a year market

  • People do not yet trust e-cash technology

  • More popular in Europe

  • E-cash superior to cash

    • Do not require proximity

    • Do not create weight & storage problems of cash


New Systems

  • DigiCash, Mondex and Visa Cash

    • Stored value and/or stored accounts

    • E-cash is stored on an electronic device

    • Use smart card or e-cash could be stored on a PC

    • Electronic wallet technology

    • Merchant adds or subtracts e-cash value using encrypted messaging between computers or by inserting the smart card in the merchant’s smart card reader

  • Mondex - Devices


Smart Cards

  • Credit card sized devices w/ chip & memory

  • Contain operating systems & applications

  • Reader device attached to PC can read smart card

  • Avoid problem of e-cash being stored on insecure hard drives

  • Smart cards disabled when physically attacked


Smart Cards

  • Will be ubiquitous

    • Loyalty information – frequent flier miles

    • Health records and health insurance information

    • Debit, credit, and charge cards

    • E-cash

    • Global system for mobile communications

    • Pay TV

    • Mass transit ticketing

    • Access controls

    • Digital signatures

    • Biometrics

    • Travel and entertainment

    • Drivers license and social security information


Secure Sockets Layer

  • Confidentiality & authentication of web sessions

  • Encrypts the communication channel using a private key

  • Client and server agree to private session key & private encryption/hashing protocols for confidentiality & data integrity

  • Client authenticates server w/ certificate authority stored on client’s browser


Secure Electronic Transaction Protocol

  • Open standard for secure internet payments

  • Master Card and Visa, IBM and Microsoft

  • Confidentiality of information, privacy, message integrity, authentication, and nonrepudiation, and authenticates all parties

  • Encrypts credit card numbers, shielding from public & merchant

  • Party in a SET transaction must possess a digital certificate, carry digital wallets or smart cards

  • 1,024 bit keys

  • Securing private keys is problematic

  • MasterCard International - Shop Smart! Demo


Public Key Infrastructure (PKI)

  • Issue, manage, and maintain public-private key pairs and digital certificates

  • Digital certificates used to authenticate servers or clients using trusted third party, certificate authority

  • CAs issue digital certificates to merchants, can be verified by the browser checking the digital signature of the CA against the public key of the CA, stored on the browser

  • Digital signatures have full legal standing 2000

  • VeriSign Training



Risks to the client

  • Active content

  • Cookies

  • Modems

  • Many clients mission critical

  • Personal firewall software

    • Needed even if part of a network with other layers of protection

    • Black Ice and Zone Alarm


Active Content

  • Programs that automatically download & execute on user’s machine when user hits on web site with active content

  • Java applets, active X controls, JavaScript, VBScript, multimedia presentation files executed via browser “plug-ins” (Flash)

  • Can provide rich customized computing experience

  • Could be malicious

  • Java applet coded to read client’s cookies including passwords & IDs & send the information back to crackers


Active X Controls

  • Can execute any function a Windows program can execute

  • Written in variety of languages- execute only on Wintel machines

  • Security measures designed to prevent trusted active X controls from damaging machine do not exist

  • Security based on level of trust client places in author of active X control

  • Software publisher certificate from a certificate authority such as VeriSign


Java Applets

  • Platform independent; Can run on Windows or Unix machines

  • Constrained from accessing resources outside section of memory called the sandbox

  • Applet can play but not escape

  • Trust of java applets based on restricting the behavior of the applet

  • Holes in the sandbox - bugs that allow attack code


Cookies

  • Internet transactions do not maintain state, no memory of last visit

  • To restore state - cookies kept on user's hard drive

  • Block of data on client that server can use to identify user, instruct server to send a customized version of a web page, submit the account information of user

  • If intercepted by third party, significant personal information about user compromised

  • Compromise user privacy


Operating System Risks

  • Default configurations –on client node allows java applets to load on server using root ID

  • Escalation of privileges –

    • If an attacker gains “root” or administrator privileges the cracker can do anything to the system he desires

    • Adaptive access control, automates access control process, assigning of permissions alleviates problems of manual access control


Operating System Risks 2

  • Windows 98 very insecure – modems connected to internal network problematic

  • UNIX & Windows NT operating systems - more secure but still full of bugs and security holes

    • Patches available from vendors


Computer Emergency Response Team Coordination Center

  • Experts on call for emergencies 24 hours a day

  • Provides facilitation of communication among experts on security problems

  • Central point for the identification and correction of security vulnerabilities

  • Secure repository of computer security incident information

  • CERT Coordination Center


Viruses, Worms, Trojans

  • Users need constant training and surveillance

  • System administrator - update virus definitions on schedule

  • Attack emergency and recovery plan

  • Policies regulating users' handling of e-mail are important


Securing the Server

  • Back-end databases must be protected

  • Web servers particularly vulnerable to attack

  • CGI Scripts – Web client request executes on server

  • Crackers escalate privileges to arbitrarily execute system commands

    • deleting or stealing files

    • placing Trojan horse programs on the server

    • running denial of service attacks

    • defacing web pages

    • storing cracking tools for a later attack


Denial of Service Attacks

  • Cripple or crash Web servers by flooding server with too much data or too many requests

  • E-commerce merchants cannot afford financial consequences or loss of trust

  • Online NewsHour -- Internet Security


Web Page Defacing

  • Act of rewriting web page

  • Motivations political, financial, &/or revenge

  • More than web server compromised ?


Malicious Web Sites

  • EU study – possibly 60 billion euros lost

  • Steal credit card numbers

  • Spy on hard drives

  • Upload files

  • Plant active content

  • Example misspelled URL’s


People & Security - Policies

  • Embraced by management

  • Security philosophy, user policies, incident management, methods to prevent social engineering attacks, network disaster recovery, and consequences for lack of adherence

  • Programs to train staff & techniques to enhance security should be ongoing

  • Outside penetration study can be useful to document the true level of risk and vulnerability


Social Engineering

  • Manipulation of employees' natural tendencies

  • Objectives: obtaining passwords, obtaining configuration data to escalate user permissions in an operating system

  • Use telephone or email posing as IT staff or higher-level managers

  • Talk people into revealing damaging information

  • Many devastating cracker exploits have included social engineering


Insider Risks

  • Authorized users commit 75% to 85% of all computer crime

  • Not usually prosecuted – covered up

  • Disgruntled employees - crashing file servers, deleting data, selling critical data, and financial fraud

  • Internal network sniffing


Onion Approach

  • Security solutions to vulnerabilities should be implemented in a layered approach, the “onion” solution

  • Solutions should be preventive and predictive rather than reactive

  • Network security architectures rely upon layers of devices and software that provide multiple barriers to intruders and protect, detect and respond to threats


Tools

  • Vulnerability scanning tools

    • determination of remote systems' weaknesses

    • extremely dangerous in the wrong hands

    • discover open ports

    • how services respond to incoming requests

  • Intrusion Detection System (IDS)

    • detect intruders breaking into a system or to

    • detect legitimate users misusing system resources

    • well-configured IDS will prohibit all activity not expressly allowed

    • analysis of audit trail data, especially operating system activity is important


Tools 2

  • Logging enhancement tools - supplement operating system logging & can provide independent audit data

  • System evaluation tools

    • Configuration checking

    • Permissions checking

    • Analysis of accounts and groups

    • Evaluation of registry settings

    • Verification of up to date patch installation


Network sniffers

  • Intercept and analyze network traffic

  • Can be extremely useful but also are very dangerous

  • Illegal to sniff a network without permission

  • Possible to read packets with a sniffer

  • After an intrusion sniffer logs can be essential

  • Sniffers can be hardware or software based

  • Also called “packet dumpers”


