network security risks l.
Skip this Video
Loading SlideShow in 5 Seconds..
Network Security Risks PowerPoint Presentation
Download Presentation
Network Security Risks

Loading in 2 Seconds...

play fullscreen
1 / 50

Network Security Risks - PowerPoint PPT Presentation

  • Uploaded on

Network Security Risks IS Auditor Role Collect evidence to ascertain an entities ability to: Safeguard assets Provide data integrity Efficiency of systems Effectiveness of systems Networks Are Vulnerable to Attack Hackers / Crackers Terrorists Insiders Logical Attack Physical Attack

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Network Security Risks

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
is auditor role
IS Auditor Role
  • Collect evidence to ascertain an entities ability to:
    • Safeguard assets
    • Provide data integrity
    • Efficiency of systems
    • Effectiveness of systems
networks are vulnerable to attack
Networks Are Vulnerable to Attack
  • Hackers / Crackers
  • Terrorists
  • Insiders
  • Logical Attack Physical Attack


Financial Transactions-$Trillions/year EFT/Credit Card

Pentagon – 500,000 attempted attacks/year

Microsoft – Hacked

Denial of Service – February

Melissa – I Love You


Fault tolerance


routers firewalls gateways
Firewalls-hardware/software used to protect assets from untrusted networks

Gateway/proxy server allow information to flow between internal and external networks but do not allow the direct exchange of packets

DMZ - isolates internal network from vulnerable web servers

Router- manages network traffic forwards packets to their correct destination by the most efficient path

Filters packets by a pre-determined set of rules

IP source address, IP destination address, source port, and destination port

Are only as secure as quality of rule set designed

Routers, Firewalls, Gateways
tcp ip internet protocol
IP - standard for internet message exchange

Does not guarantee delivery of packets

Packets using IP travel similarly to a post card

Does not provide for data integrity or timeliness, security, privacy or confidentiality

TCP, with error correction services is stacked on top of IP to form TCP/IP

Port – address on host where application makes itself available to incoming data

23 – telnet

25 - SMTP

Packet – unit of information transmitted as a whole, inc. source and destination address

IP address – unique 32 bit number- 4 octets separated by periods


TCP/IP Internet Protocol
Something you have

Something you are

Something you know

Smart card

Biometric devices


authentication devices
Authentication Devices
  • Secure ID tokens
    • something you have-token
    • something you know- pin used to generate password that changes once a minute
  • Biometric devices
    • Retinal scan
    • Fingerprints
    • Voice recognition
    • Facial recognition
  • Proper maintenance & procedures essential
  • Post-it notes - on monitors and under keyboards ?
  • Longer than 8 characters
  • Not comprised of English words
  • Include special characters
  • Change regularly
  • L0pht crack L0phtCrack
symmetric encryption
Symmetric Encryption
  • Secret key used for encryption and decryption is identical
  • Alice and Bob must exchange the secret key in advance
  • Impractical for large numbers of people to securely exchange shared secret keys
asymmetric encryption
Asymmetric Encryption
  • Public-private key pairs,, used to overcome the problem of shared secret keys
  • Owner of the key knows private key
  • Public key is shared with everyone
  • Message confidentially- Bob encrypts a message with Alice’s public key and on receipt Alice decrypts the message with her private key
encryption of data
Encryption of data
  • Keys / Cipher length is important
  • Expressed in bits
  • 40 bit cipher can be broken in 3.5 hrs
  • 56 bit - 22 hours 15 min,
  • 64 bit - 33-34 days,
  • 128 bit - > 2000 years

Message encryption

Message confidentiality

Message integrity



Digital signature

Message Digest

securing transactions
Data theft

Customer lists, engineering blueprints and other company secrets

Company assets vulnerable since connected to public networks

Cracker Kevin Mitnick stole plans for Motorola’s StarTac

Used IP spoofing

Theft of money

German Chaos Computer Club

used an Active X control to schedule transfer of money from the victim’s online bank account to numbered bank account controlled by crackers

Securing Transactions
stored account system
Similar to existing debit/credit card systems

Use existing infrastructure/payment systems based on electronic funds transfer

Use settlement houses/clearing houses

Highly accountable and traceable

Traceable - raise privacy concerns “big brother”

Slow and expensive online verification is necessary

SET- secure electronic transaction, CyberCash

Stored Account System
stored value systems e cash
Stored Value Systems – E-cash
  • Private, no approval from bank needed
  • Security stakes are high
    • Counterfeiting
    • Absence of control & auditing
  • Potentially $8 trillion a year market
  • People do not yet trust e-cash technology
  • More popular in Europe
  • E-cash superior to cash
    • Do not require proximity
    • Do not create weight & storage problems of cash
new systems
New Systems
  • DigiCash, Mondex and Visa Cash
    • Stored value and/or stored accounts
    • E-cash is stored on an electronic device
    • Use smart card or e-cash could be stored on a PC Electronic wallet technology
    • Merchant adds or subtracts e-cash value using encrypted messaging between computers or by inserting the smart card in the merchant’s smart card reader
  • Mondex - Devices
smart cards
Smart Cards
  • Credit card sized devices w/ chip & memory
  • Contain operating systems & applications
  • Reader device attached PC can read smart card
  • Avoid problem of e-cash being stored on insecure hard drives
  • Smart cards disabled when physically attacked
smart cards23
Will be ubiquitous

Loyalty information – frequent flier miles

Health records and health insurance information

Debit, credit, and charge cards


Global system for mobile communications

Pay TV

Mass transit ticketing

Access controls

Digital signatures


Travel and entertainment

Drivers license and social security information

Smart Cards
secure sockets layer
Secure Sockets Layer
  • Confidentiality & authentication of web sessions
  • Encrypts the communication channel uses private key
  • Server & client and server agree to private session key & private encryption/ hashing protocols for confidentiality & data integrity
  • Client authenticates server w/ certificate authority stored on client’s browser
secure electronic transaction protocol
Secure Electronic Transaction Protocol
  • Open standard for secure internet payments
  • Master Card and Visa, IBM and Microsoft
  • Confidentiality of information,privacy, message integrity, authentication, and nonrepudiation, and authenticates all parties
  • Encrypts credit card numbers, shielding from public & merchant
  • Party in a SET transaction must possess a digital certificate, carry digital wallets or smart cards
  • 1,024 bit keys
  • Securing private keys is problematic
  • MasterCard International - Shop Smart! Demo
public key infrastructure pki
Public Key Infrastructure (PKI)
  • Issue, manage, and maintain public-private key pairs and digital certificates Digital certificates used to authenticate servers or clients using trusted third party, certificate authority
  • CA’s issue digital certificates to merchants, can be verified by the browser checking the digital signature of the CA against the public key of the CA, stored on the browser
  • Digital signatures have full legal standing 2000
  • VeriSign Training
risks to the client
Risks to the client
  • Active content
  • Cookies
  • Modems
  • Many clients mission critical
  • Personal firewall software
    • Needed even if part of a network with other layers of protection
    • Black Ice and Zone Alarm
active content
Active Content
  • Programs that automatically download & execute on user’s machine when user hits on web site with active content
  • Java applets, active X controls, JavaScript, VBScript, multimedia presentation files executed via browser “plug-ins” (Flash)
  • Can provide rich customized computing experience Could be malicious
  • Java applet coded to read client’s cookies including Passwords & id’s & send the information back to crackers
active x controls
Active X Controls
  • Can execute any function windows program can execute
  • Written in variety of languages- execute only on Wintel machines
  • Security measures designed to prevent trusted active X controls from damaging machine do not exist
  • Security based on level of trust client places in author of active X control
  • Software publisher certificate from a certificate authority such as VeriSign
java applets
Java Applets
  • Platform independent; Can run on Windows or Unix machines
  • Constrained from accessing resources outside section of memory called the sandbox
  • Applet can play but not escape
  • Trust of java applets based on restricting the behavior of the applet
  • Holes in the sandbox- bugs that allows attack code
  • Internet transactions do not maintain state, no memory of last visit
  • To restore state - cookies kept on users hard drive
  • Block of data on client that server can use to identify user, instruct server to send a customized version of a web page, submit the account information of user
  • If intercepted by third party, significant personal information about user compromised
  • Compromise user privacy
operating system risks
Operating System Risks
  • Default configurations –on client node allows java applets to load on server using root ID
  • Escalation of privileges –
    • If an attacker gains “root” or administrator privileges the cracker can do anything to the system he desires
    • Adaptive access control, automates access control process, assigning of permissions alleviates problems of manual access control
operating system risks 2
Operating System Risks 2
  • Windows 98 very insecure – modems connected to internal network problematic
  • UNIX & windows NT operating systems- more secure but still full of bugs and security holes
    • Patches available from vendors
computer emergency response team coordination center
Computer Emergency Response Team Coordination Center
  • Experts on call for emergencies 24 hours a day
  • Provides facilitation of communication among experts on security problems
  • Central point for the identification and correction of security vulnerabilities
  • Secure repository of computer security incident information
  • CERT Coordination Center
viruses worms trojans
Viruses, Worms, Trojans
  • Users need constant training and surveillance
  • System administrator - update virus definitions on schedule
  • Attack emergency and recovery plan
  • Policies regulating users handling of e-mail are important
securing the server
Securing the Server
  • Back-end databases must be protected
  • Web servers particularly vulnerable to attack
  • CGI Scripts – Web client request executes on server
  • Crackers escalate privileges to arbitrarily execute system commands
    • deleting or stealing files
    • placing Trojan horse programs on the server
    • running denial of service attacks
    • defacing web pages
    • storing cracking tools for a later attack
denial of service attacks
Denial of Service Attacks
  • Cripple or crash Web servers by flooding server with too much data or too many requests
  • E-commerce merchants cannot afford financial consequences or loss of trust
  • Online NewsHour -- Internet Security
web page defacing
Web Page Defacing
  • Act of rewriting web page
  • Motivations political, financial, &/or revenge
  • More than web server compromised ?
malicious web sites
Malicious Web Sites
  • EU study – possibly 60 billion euros lost
  • Steal credit card numbers
  • Spy on hard drives
  • Upload files
  • Plant active content
  • Example misspelled URL’s
people security policies
People & Security - Policies
  • Embraced by management
  • Security philosophy, user policies, incident management, methods to prevent social engineering attacks, network disaster recovery, and consequences for lack of adherence
  • Programs to train staff & techniques to enhance security should be ongoing
  • Outside penetration study can be useful to document the true level of risk and vulnerability
social engineering
Social Engineering
  • Manipulating of employees natural tendencies
  • Objectives: obtaining passwords, obtaining configuration data to escalate user permissions in an operating system
  • Use telephone or email posing as IT staff or higher-level managers
  • Talk people into revealing damaging information
  • Many devastating cracker exploits have included social engineering
insider risks
Insider Risks
  • Authorized users commit 75% to 85% of all computer crime
  • Not usually prosecuted – covered up
  • Disgruntled employees - crashing file servers, deleting data, selling critical data, and financial fraud
  • Internal network sniffing
onion approach
Onion Approach
  • Security solutions to vulnerabilities should be implemented in a layered approach, the “onion” solution
  • Solutions should be preventive and predictive rather than reactive
  • Network security architectures rely upon layers of devices and software that provide multiple barriers to intruders and protect, detect and respond to threats
  • Vulnerability scanning tools
    • determination of remote systems weaknesses
    • extremely dangerous in the wrong hands
    • discover open ports
    • how services respond to incoming requests
  • Intrusion Detection System (IDS)
    • detect intruders breaking into a system or to
    • detect legitimate users misusing system resources
    • well-configured IDS will prohibit all activity not expressly allowed
    • analysis of audit trail data, especially operating system activity is important
tools 2
Tools 2
  • Logging enhancement tools - supplement operating system logging & can provide independent audit data
  • System evaluation tools
    • Configuration checking
    • Permissions checking
    • Analysis of accounts and groups
    • Evaluation of registry settings
    • Verification of up to date patch installation
network sniffers
Network sniffers
  • Intercept and analyze network traffic
  • Can be extremely useful but also are very dangerous
  • Illegal to sniff a network without permission
  • Possible to read packets with a sniffer
  • After an intrusion sniffer logs can be essential
  • Sniffers can be hardware or software based
  • Also called “packet dumpers”