
INTERNET SECURITY - An Introduction






Presentation Transcript


  1. INTERNET SECURITY - An Introduction

  2. Security • Security is a ‘Hygiene Factor’ • When there, no one should notice • When not there, can mean the end of a business overnight

  3. Security • Security is the sum of: • Access controls • Authentication methods • Availability of data/systems • Confidentiality of data/info • Data Integrity • Non-repudiation of transactions • Policies • Reliability of data/systems

  4. Topics • What are the risks? • What are the solutions? • Which issues are specific to the Utilities Industry? • Which issues are specific to the World Wide Web?

  5. Security - the hype

  6. How Real Is The Risk? • 31% of all companies (private and public) have experienced 1-3 “major security breaches” in the past 6 months • Real number is HIGHER! Companies keep breaches secret!

  7. How Real Is The Risk To Utilities? • Risk is very real • Bad publicity is risky • Govt requirements: • Privacy of info • Reliability of info • Availability of systems

  8. What Is The Biggest Risk? • Not having good security procedures? • Having good security procedures that are not followed? • Terrorism? • Hackers? • Internal misuse/errors? • Viruses/worms? • Trojan Horses?

  9. Biggest Risk? Internal Users! • Human error is the most significant cause of IT security breaches (63%)* • Research shows that good training would be the most effective way of improving security in most organizations • *Source: Computing Technology Industry Association (CompTIA)

  10. Biggest Risk? Internal • Internal security breaches seen as a much bigger threat than external ones by 51% of respondents to an Oracle/Institute of Directors survey • Threat can be to: • Privacy of data • Corruption of data • Loss of data integrity • Loss of data altogether • Loss of whole system!

  11. Solutions? Company Policies • Chase up references • Do background/security checks on staff • Check out temp staff carefully • Give temp staff limited access • Get staff to sign up to the security policy • Switch off rights of ex-employees • Ensure it is very clear which staff have which roles and responsibilities

  12. Solutions? Company Policies • Clean desk policy • Lock sensitive documents/disks away • Physically secure laptops and PCs • Ensure passwords are not written down • Employee records/contracts etc hidden

  13. Solutions? Training • Good, effective training • Training is an ongoing process • 66 per cent believe that staff training/certification has improved their IT security, primarily through increased awareness, as well as through proactive risk identification (source: CompTIA)

  14. Solutions? Training • 22 per cent said none of their IT employees have received security-related training • 69 per cent said fewer than 25 per cent of their IT staff were security-trained • Only 11 per cent said that all of their IT employees have received security training

  15. Solutions? Physical Security • Visitors/guests accompanied at all times • Reception area manned at all times • All staff must wear a pass • Access to work areas by pass only • Access to sensitive areas by keycode • Servers housed in a room with no windows, inaccessible to unauthorised personnel, air conditioned with failover power

  16. Solutions? Network Security

  17. Solutions? Network Security • Use roles and groups • Restrict access to minimum possible • Use VPNs to allow external access • Keep intranet protected from internet using Firewalls • Enforce policy on passwords: change regularly; not easy to guess; minimum length; must contain numerics; can’t reuse
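An added example (not from the original slides) that turns the password rules listed on this slide into a checker; the length, age and history limits, the small list of guessable passwords and the user names are assumed values:

```python
import hashlib
import re
from datetime import date, timedelta

# Assumed policy values (the slide names the rules, not the numbers).
MIN_LENGTH = 10
MAX_AGE_DAYS = 90       # 'change regularly'
HISTORY_DEPTH = 5       # 'can't reuse': compare against the last N passwords
# Constructed sample of guessable passwords; a real deployment would use a breached-password list.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}


def _fingerprint(password: str) -> str:
    """Hash kept only for reuse checks (a credential store itself would use
    a salted, slow hash such as bcrypt rather than plain SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(candidate: str, username: str, history: list[str]) -> list[str]:
    """Return the policy violations for a proposed password; empty list = accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:                            # 'minimum length'
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", candidate):                        # 'must contain numerics'
        problems.append("must contain at least one numeric character")
    lowered = candidate.lower()                                # 'not easy to guess'
    if lowered in COMMON_PASSWORDS or username.lower() in lowered:
        problems.append("too easy to guess (common word or contains the user name)")
    if _fingerprint(candidate) in history[-HISTORY_DEPTH:]:    # 'can't reuse'
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed: str, today: str) -> bool:
    """'Change regularly': True once the password (ISO dates) is older than MAX_AGE_DAYS."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


def record_password(candidate: str, history: list[str]) -> list[str]:
    """Return the history with the accepted password's fingerprint appended."""
    return history + [_fingerprint(candidate)]


if __name__ == "__main__":
    hist = record_password("Summer2004!x", [])
    print(check_new_password("Summer2004!x", "mjohnston", hist))    # reuse rejected
    print(check_new_password("Tr0ub4dor&3hill", "mjohnston", hist))  # accepted: []
    print(password_expired("2004-01-01", "2004-06-01"))             # True
```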

  18. Solutions? Application Security • Access Controls • Authentication (userid and password) • Digital keys (public and private) • Access to info by user ‘class’ • Code quality • Programmers should be security aware • Code walkthroughs • Testing/QA procedures • Source code control/version control • Bug/defect tracking

  19. Solutions? Disaster Recovery • Redundancy essential • Of servers, firewalls, hubs, routers, air conditioning, power • Of ISP (in case ISP fails!) • Physically separate location • Have disaster recovery plans • Test those plans! • Test those plans regularly!
  Video on Security and Company Policies: http://webevents.broadcast.com/ZDAUwebcast/enemy/index.asp?loc=1

  20. Problems on the Internet • Payment Fraud • Viruses (e.g. MyDoom) • Hackers • Denial of Service attacks • Spam • Imposters

  21. Viruses/worms/trojan horses • Programs that do damage • Often attachments to emails • Can be downloaded from websites • Often ‘attached’ to benign software • May send emails using addressbook • May delete files on hard disk • A virus is copied by a user • A worm replicates automatically • A trojan horse seems benign

  22. Solutions? IE and Mail • Internet Explorer Permissions • Internet Options ->Security Zones • Internet Options->Privacy • Internet Options->Advanced • Enforce default policy for IE across company • Don’t open email from anyone you don’t know • Don’t download files/attachments from emails or web pages unless from a trusted source (esp .exe or .vbs files)

  23. Problems on the Internet • No centralised infrastructure • Huge global scale - millions of potential users • 24 x 7 availability • Initial conception was openness and robustness - not security • Organisations must provide a window into their networks

  24. Solutions? Monitor Usage • Log usage • Carry out regular audits/checks of logs • Disable access if misuse detected • Auto send emails of ‘exception’ usage
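An added example (not from the original slides) of the monitoring loop this slide describes: parse usage logs, audit them for misuse, pick the accounts to disable and build the ‘exception’ usage e-mail. The log lines, the key=value log format, the thresholds and the addresses are all constructed assumptions:

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample log lines in a syslog-like key=value form (not from a real system).
SAMPLE_LOG = """\
Jun 01 09:00:01 web1 auth: user=alice result=success src=10.0.0.5
Jun 01 09:00:07 web1 auth: user=mallory result=failure src=203.0.113.9
Jun 01 09:00:09 web1 auth: user=mallory result=failure src=203.0.113.9
Jun 01 09:00:12 web1 auth: user=mallory result=failure src=203.0.113.9
Jun 01 09:01:30 web1 access: user=bob path=/payroll/export result=denied
Jun 01 09:01:44 web1 access: user=bob path=/payroll/export result=denied
Jun 01 09:02:00 web1 access: user=alice path=/reports result=ok
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ (?P<kind>\w+): (?P<kv>.*)$")
MAX_FAILED_LOGINS = 3   # assumed threshold: disable the account at this many failures
MAX_DENIED_ACCESS = 2   # assumed threshold: 'exception' usage worth an e-mail


def parse_log(text: str) -> list[dict]:
    """Turn each log line into a dict of its key=value fields plus timestamp and kind."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole audit
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields.update(ts=m.group("ts"), kind=m.group("kind"))
        events.append(fields)
    return events


def audit(events: list[dict]) -> dict:
    """The slide's rule: list users to disable for misuse and users whose usage needs review."""
    failures, denials = defaultdict(int), defaultdict(int)
    for e in events:
        if e["kind"] == "auth" and e["result"] == "failure":
            failures[e["user"]] += 1
        elif e["kind"] == "access" and e["result"] == "denied":
            denials[e["user"]] += 1
    return {"disable": sorted(u for u, n in failures.items() if n >= MAX_FAILED_LOGINS),
            "alert": sorted(u for u, n in denials.items() if n >= MAX_DENIED_ACCESS)}


def exception_report(findings: dict, to_addr: str) -> EmailMessage:
    """Build (not send) the automatic 'exception usage' e-mail for the security contact."""
    msg = EmailMessage()
    msg["To"], msg["Subject"] = to_addr, "Exception usage report"
    msg.set_content(f"Disable: {findings['disable']}\nReview: {findings['alert']}\n")
    return msg
```

Feeding the report into an SMTP client and the disable list into the account system is the part left to each site’s tooling.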

  25. Solutions? Web Server Security

  26. Solutions? Software • Install ‘protection software’: • Firewalls • Proxy Servers • Anti-Virus software • Update key software regularly: • Web servers • Operating systems • Mail software • Anti-virus software • Don’t forget patches!!

  27. Solutions? Software • Use SSL (Secure Sockets Layer) • Protects private information • Encrypted using digital key • Especially for payment data • Use public/private keys • To authenticate parties • To encrypt data • To ‘digitally sign’ documents • Some have whole infrastructures* • *e.g. Verisign Onsite Managed Trust Services

  28. Security Quiz • 1. What number (or e-mail address) should you contact if you want to report suspicious activity? Answer: key security contacts at your company • 2. What type of corporate data are you allowed to store on your personal home computer? Answer: none • 3. When is it ok to give your password to someone else? Answer: never • 4. Create a multiple-choice question about which types of corporate information would be sensitive. Answer: all of it

  29. Resources • ‘Web Security and Commerce’, Garfinkel and Spafford (O’Reilly) • http://wp.netscape.com/security/ - intro to security concepts • http://www.netcraft.com/security/diary.html - security diary • http://www.mcaffee.com – mailing list of security issues • http://www.verisign.com – general security issues • http://groups.google.com – groups / news groups • http://way2goal.com/internet/is.html - security issues

  30. Resources • Apogee Interactive Inc. • http://www.apogee.net • Michelle Johnston 770 270 6516 • Email mjohnston@apogee.net • Security reviews/IT reviews/Audits • Code reviews • Training • Web site reviews/audits • ELearning
