1 / 50

Network Security Risks

Network Security Risks IS Auditor Role Collect evidence to ascertain an entities ability to: Safeguard assets Provide data integrity Efficiency of systems Effectiveness of systems Networks Are Vulnerable to Attack Hackers / Crackers Terrorists Insiders Logical Attack Physical Attack

paul
Download Presentation

Network Security Risks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Security Risks

  2. IS Auditor Role • Collect evidence to ascertain an entities ability to: • Safeguard assets • Provide data integrity • Efficiency of systems • Effectiveness of systems

  3. Networks Are Vulnerable to Attack • Hackers / Crackers • Terrorists • Insiders • Logical Attack Physical Attack • http://www.msnbc.com/news/482181.asp#BODY $,trust,secrets,infrastructure Financial Transactions-$Trillions/year EFT/Credit Card Pentagon – 500,000 attempted attacks/year Microsoft – Hacked Denial of Service – February Melissa – I Love You

  4. Physical Access Attack

  5. Sneaker Net

  6. WAN Fault tolerance ISP 2

  7. Firewalls-hardware/software used to protect assets from untrusted networks Gateway/proxy server allow information to flow between internal and external networks but do not allow the direct exchange of packets DMZ - isolates internal network from vulnerable web servers Router- manages network traffic forwards packets to their correct destination by the most efficient path Filters packets by a pre-determined set of rules IP source address, IP destination address, source port, and destination port Are only as secure as quality of rule set designed Routers, Firewalls, Gateways

  8. IP - standard for internet message exchange Does not guarantee delivery of packets Packets using IP travel similarly to a post card Does not provide for data integrity or timeliness, security, privacy or confidentiality TCP, with error correction services is stacked on top of IP to form TCP/IP Port – address on host where application makes itself available to incoming data 23 – telnet 25 - SMTP Packet – unit of information transmitted as a whole, inc. source and destination address IP address – unique 32 bit number- 4 octets separated by periods 144.92.43.178 InterNIC TCP/IP Internet Protocol

  9. Securing Messages / Transactions

  10. Something you have Something you are Something you know Smart card Biometric devices Password Authentication

  11. Authentication Devices • Secure ID tokens • something you have-token • something you know- pin used to generate password that changes once a minute • Biometric devices • Retinal scan • Fingerprints • Voice recognition • Facial recognition

  12. Passwords • Proper maintenance & procedures essential • Post-it notes - on monitors and under keyboards ? • Longer than 8 characters • Not comprised of English words • Include special characters • Change regularly • L0pht crack L0phtCrack

  13. Symmetric Encryption • Secret key used for encryption and decryption is identical • Alice and Bob must exchange the secret key in advance • Impractical for large numbers of people to securely exchange shared secret keys

  14. Asymmetric Encryption • Public-private key pairs,, used to overcome the problem of shared secret keys • Owner of the key knows private key • Public key is shared with everyone • Message confidentially- Bob encrypts a message with Alice’s public key and on receipt Alice decrypts the message with her private key

  15. Encryption of data • Keys / Cipher length is important • Expressed in bits • 40 bit cipher can be broken in 3.5 hrs • 56 bit - 22 hours 15 min, • 64 bit - 33-34 days, • 128 bit - > 2000 years

  16. Message encryption Message confidentiality Message integrity Authentication Nonrepudiation Digital signature Message Digest

  17. Data theft Customer lists, engineering blueprints and other company secrets Company assets vulnerable since connected to public networks Cracker Kevin Mitnick stole plans for Motorola’s StarTac Used IP spoofing Theft of money German Chaos Computer Club used an Active X control to schedule transfer of money from the victim’s online bank account to numbered bank account controlled by crackers Securing Transactions

  18. Similar to existing debit/credit card systems Use existing infrastructure/payment systems based on electronic funds transfer Use settlement houses/clearing houses Highly accountable and traceable Traceable - raise privacy concerns “big brother” Slow and expensive online verification is necessary SET- secure electronic transaction, CyberCash Stored Account System

  19. Stored Value Systems – E-cash • Private, no approval from bank needed • Security stakes are high • Counterfeiting • Absence of control & auditing • Potentially $8 trillion a year market • People do not yet trust e-cash technology • More popular in Europe • E-cash superior to cash • Do not require proximity • Do not create weight & storage problems of cash

  20. New Systems • DigiCash, Mondex and Visa Cash • Stored value and/or stored accounts • E-cash is stored on an electronic device • Use smart card or e-cash could be stored on a PC Electronic wallet technology • Merchant adds or subtracts e-cash value using encrypted messaging between computers or by inserting the smart card in the merchant’s smart card reader • Mondex - Devices

  21. Smart Cards • Credit card sized devices w/ chip & memory • Contain operating systems & applications • Reader device attached PC can read smart card • Avoid problem of e-cash being stored on insecure hard drives • Smart cards disabled when physically attacked

  22. Will be ubiquitous Loyalty information – frequent flier miles Health records and health insurance information Debit, credit, and charge cards E-cash Global system for mobile communications Pay TV Mass transit ticketing Access controls Digital signatures Biometrics Travel and entertainment Drivers license and social security information Smart Cards

  23. Secure Sockets Layer • Confidentiality & authentication of web sessions • Encrypts the communication channel uses private key • Server & client and server agree to private session key & private encryption/ hashing protocols for confidentiality & data integrity • Client authenticates server w/ certificate authority stored on client’s browser

  24. Secure Electronic Transaction Protocol • Open standard for secure internet payments • Master Card and Visa, IBM and Microsoft • Confidentiality of information,privacy, message integrity, authentication, and nonrepudiation, and authenticates all parties • Encrypts credit card numbers, shielding from public & merchant • Party in a SET transaction must possess a digital certificate, carry digital wallets or smart cards • 1,024 bit keys • Securing private keys is problematic • MasterCard International - Shop Smart! Demo

  25. Public Key Infrastructure (PKI) • Issue, manage, and maintain public-private key pairs and digital certificates Digital certificates used to authenticate servers or clients using trusted third party, certificate authority • CA’s issue digital certificates to merchants, can be verified by the browser checking the digital signature of the CA against the public key of the CA, stored on the browser • Digital signatures have full legal standing 2000 • VeriSign Training

  26. IE –Tools – Internet Options - Content

  27. Risks to the client • Active content • Cookies • Modems • Many clients mission critical • Personal firewall software • Needed even if part of a network with other layers of protection • Black Ice and Zone Alarm

  28. Active Content • Programs that automatically download & execute on user’s machine when user hits on web site with active content • Java applets, active X controls, JavaScript, VBScript, multimedia presentation files executed via browser “plug-ins” (Flash) • Can provide rich customized computing experience Could be malicious • Java applet coded to read client’s cookies including Passwords & id’s & send the information back to crackers

  29. Active X Controls • Can execute any function windows program can execute • Written in variety of languages- execute only on Wintel machines • Security measures designed to prevent trusted active X controls from damaging machine do not exist • Security based on level of trust client places in author of active X control • Software publisher certificate from a certificate authority such as VeriSign

  30. Java Applets • Platform independent; Can run on Windows or Unix machines • Constrained from accessing resources outside section of memory called the sandbox • Applet can play but not escape • Trust of java applets based on restricting the behavior of the applet • Holes in the sandbox- bugs that allows attack code

  31. Cookies • Internet transactions do not maintain state, no memory of last visit • To restore state - cookies kept on users hard drive • Block of data on client that server can use to identify user, instruct server to send a customized version of a web page, submit the account information of user • If intercepted by third party, significant personal information about user compromised • Compromise user privacy

  32. Operating System Risks • Default configurations –on client node allows java applets to load on server using root ID • Escalation of privileges – • If an attacker gains “root” or administrator privileges the cracker can do anything to the system he desires • Adaptive access control, automates access control process, assigning of permissions alleviates problems of manual access control

  33. Operating System Risks 2 • Windows 98 very insecure – modems connected to internal network problematic • UNIX & windows NT operating systems- more secure but still full of bugs and security holes • Patches available from vendors

  34. Computer Emergency Response Team Coordination Center • Experts on call for emergencies 24 hours a day • Provides facilitation of communication among experts on security problems • Central point for the identification and correction of security vulnerabilities • Secure repository of computer security incident information • CERT Coordination Center

  35. Viruses, Worms, Trojans • Users need constant training and surveillance • System administrator - update virus definitions on schedule • Attack emergency and recovery plan • Policies regulating users handling of e-mail are important

  36. Securing the Server • Back-end databases must be protected • Web servers particularly vulnerable to attack • CGI Scripts – Web client request executes on server • Crackers escalate privileges to arbitrarily execute system commands • deleting or stealing files • placing Trojan horse programs on the server • running denial of service attacks • defacing web pages • storing cracking tools for a later attack

  37. Denial of Service Attacks • Cripple or crash Web servers by flooding server with too much data or too many requests • E-commerce merchants cannot afford financial consequences or loss of trust • Online NewsHour -- Internet Security

  38. Web Page Defacing • Act of rewriting web page • Motivations political, financial, &/or revenge • More than web server compromised ?

  39. Malicious Web Sites • EU study – possibly 60 billion euros lost • Steal credit card numbers • Spy on hard drives • Upload files • Plant active content • Example misspelled URL’s

  40. People & Security - Policies • Embraced by management • Security philosophy, user policies, incident management, methods to prevent social engineering attacks, network disaster recovery, and consequences for lack of adherence • Programs to train staff & techniques to enhance security should be ongoing • Outside penetration study can be useful to document the true level of risk and vulnerability

  41. Social Engineering • Manipulating of employees natural tendencies • Objectives: obtaining passwords, obtaining configuration data to escalate user permissions in an operating system • Use telephone or email posing as IT staff or higher-level managers • Talk people into revealing damaging information • Many devastating cracker exploits have included social engineering

  42. Insider Risks • Authorized users commit 75% to 85% of all computer crime • Not usually prosecuted – covered up • Disgruntled employees - crashing file servers, deleting data, selling critical data, and financial fraud • Internal network sniffing

  43. Onion Approach • Security solutions to vulnerabilities should be implemented in a layered approach, the “onion” solution • Solutions should be preventive and predictive rather than reactive • Network security architectures rely upon layers of devices and software that provide multiple barriers to intruders and protect, detect and respond to threats

  44. Tools • Vulnerability scanning tools • determination of remote systems weaknesses • extremely dangerous in the wrong hands • discover open ports • how services respond to incoming requests • Intrusion Detection System (IDS) • detect intruders breaking into a system or to • detect legitimate users misusing system resources • well-configured IDS will prohibit all activity not expressly allowed • analysis of audit trail data, especially operating system activity is important

  45. Tools 2 • Logging enhancement tools - supplement operating system logging & can provide independent audit data • System evaluation tools • Configuration checking • Permissions checking • Analysis of accounts and groups • Evaluation of registry settings • Verification of up to date patch installation

  46. Network sniffers • Intercept and analyze network traffic • Can be extremely useful but also are very dangerous • Illegal to sniff a network without permission • Possible to read packets with a sniffer • After an intrusion sniffer logs can be essential • Sniffers can be hardware or software based • Also called “packet dumpers”

  47. Questions & Discussion

More Related