1 / 46

MIS 430 Chapter 11

MIS 430 Chapter 11. Network Security. Mgt Focus 11-1: Western Union. 9/2000: hacker broke into Western Union and stole 15,700 credit card numbers Caused by human error: left file unprotected after web site revision

sari
Download Presentation

MIS 430 Chapter 11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MIS 430 Chapter 11 Network Security Chapter 11 Data Security

  2. Mgt Focus 11-1: Western Union • 9/2000: hacker broke into Western Union and stole 15,700 credit card numbers • Caused by human error: left file unprotected after web site revision • Routine security audit discovered break in and site was shut down (5 days lost) • Cost over $1M ! Chapter 11 Data Security

  3. I. Introduction • Some Threats .. See fig 11-2 p. 358 • Data Center … Hardware • Protection failure, destruction • Software • Unauthorized access, copying, modification, destroy, theft • Errors and Omissions • Files • Unauthorized access, copy, modify, destroy, theft • Offline input/output • Disaster, vandalism, fraud/theft/extortion, errors and omissions Chapter 11 Data Security

  4. Intro, contd. • More Threats … • Organization • Inadequate functional separation, lack of security responsibility • Personnel • Dishonesty, gross error, incompetence • Physical Security • Unauthorized access, inadequate safety, transportation exposure • External people • Disaster, vandalism, fraud/theft/extortion • Data communications circuit • Network unavailable, illegal access, lost messages Chapter 11 Data Security

  5. Intro, contd. • More threats.. • Client Users • Masquerading, authorization bypass, unauthorized input/output, manipulation • Avg loss: $1 M but is tip of the iceberg • Loss of consumer confidence costs much more than lost business! • But business disruption due to lost applications is even more costly!! • Bank of America says $50M loss if down 24 hours Chapter 11 Data Security

  6. Types of Threats • Disruptions: loss or reduction of network services • Loss of circuits • Loss of data • Disasters that affect equipment • Unauthorized Access • Mostly employees, not hackers! • CERT: Computer Emergency Response Team from Carnegie Mellon University http://www.cert.org/ • ISU loss of 10,000 social security numbers Chapter 11 Data Security

  7. Network Controls • Control: mechanism to reduce or eliminate threats to network security • Types of Controls • Prevention: stop act from occurring • Detection: reveal unwanted events • Correction: remedy unwanted event • Important: someone must be responsible for controls and security, including updates and making sure they are implemented ok. Chapter 11 Data Security

  8. Less complex is better Control’s cost is equivalent to risk Preventing is better thandetecting and correcting! Adequate: just enough to protect the network Automated controls better than manual! Controls apply to all! Document overrides; overrides need controls Control documents are confidential Names, uses, & locations of network HW are private information Controls ensure network can be audited Assume a hostile environment Tech Focus 11-1 (p. 361) Chapter 11 Data Security

  9. Convey an image of high security by education & training Controls provide separation of duties Implement entrapment to ID bad guys When control fails, network defaults to tight security: deny access Controls still work when only one part of network fails Don’t forget the LAN! Central mgrs often just worry about the WAN Always assume your opponent is smarter than you are Always have insurance in case a control fails Tech Focus, contd Chapter 11 Data Security

  10. II. Risk Assessment • Assign levels of risk to various threats • Compare nature of threats to controls • OCTAVE method http://www.cert.org/octave/ • Control spreadsheet (fig 11-3, p. 362) • Assets (something of value) with priority in parentheses • Threats in categories • Center includes controls now in use Chapter 11 Data Security

  11. Types of Assets (fig 11.4) • Hardware: servers, client computers, network devices (hubs, routers, switches) • Circuits: LANs, BNs, contracted MAN and WAN circuits, Internet access circuits • Network SW: server NOS, applications such as mail server, web server • Client SW: OS, applications like Word, etc • Organizational data: DBs • Mission-Critical Apps: depends on organ. Chapter 11 Data Security

  12. Threat Likelihoods (fig 11.5) • Virus: 85% • Internet Hacker: 70% • Device Failure: 68% • Denial of Service (DoS): 60% • Theft of Equipment: 44% • Natural Disaster: 28% • Theft of Information: 9% • Fraud: 3% • From Insiders: 70% From Outsiders: 25% Chapter 11 Data Security

  13. After spreadsheet (assets, threats) is done, work on the controls(see fig. 11-6 p. 366) Disaster recovery plan: business continuity plan Halon fire system in machine room; sprinklers Not below ground level (beware of floods: Chicago) UPS on major servers Contract guarantees from interexchange carriers Extra backbone fiber cable laid in different conduits Virus checking software present on network Extensive user training about viruses Strong password software Extensive user training about PW security Application layer firewall Identify the Controls Chapter 11 Data Security

  14. Evaluate Network’s Security • Evaluate adequacy of existing controls as it relates to each threat • Do by an independent Delphi team who makes the final decision • 3-9 members • Therefore implement quickly Chapter 11 Data Security

  15. Mgt Focus 11-2: Microsoft I • Microsoft’s web sites 3rd most visited • All down for 22 hours in Jan 2001 due to a technician’s error: • MS placed all 4 of its DNS servers on same network segment • Tech loaded incorrect routing table information into routers, and nobody could reach any DNS servers • Had any one been on a different segment, no trouble! • MS lost $4M in ad revenue during 22 hours • More lost on sites like Expedia that sell services Chapter 11 Data Security

  16. Mgt Focus 11-3: World Trade Center Disaster Recovery • TradeWeb HQ on 51st floor: destroyed! • Changed DNS entry to refer to London office to get back on the web • Rebuilding database took longer • Allstate: lost NYC data center (but had a plan) • No network: onslaught of claims! • Had 25 LAN in-a-box dial-up network kits from office LAN to headquarters; needed 24 more • Remaining offices back up in 4 days Chapter 11 Data Security

  17. III. Controlling DDD: Prevention • Use redundant hardware • UPS American Power Conversion www.apc.com • Fault tolerant server • Disk mirroring and RAID 1, 5 (not RAID 0) • Prevent natural disaster • Avoid basement rooms near rivers and oceans • State Farm data center: 6 foot thick SW walls: tornado • Install Halon fire prevention system (but phase out) http://www.epa.gov/ozone/snap/fire/qa.html • Decentralize network resources: multiple servers, data centers, even different parts of the country Chapter 11 Data Security

  18. Prevention Controls • Preventing Theft ($1B stolen annually) • Physical security methods for data center • Use security cables to attach HW to desks • Private security guards • Keep certain key network locations secret • Preventing viruses • Protect both servers and clients! • Macro viruses account for 75% of viruses • Use anti-virus software; keep it current weekly Chapter 11 Data Security

  19. Mgt Focus 11-4: NIMDA! • 9-18-2001: NIMDA virus swept through Windows servers around the world • Attached to email message; emailed to others in Outlook address book • Also spread by servers, shared drives • Could get it through a browser click (Javascript) • Patches developed but it came back as variants. Ask me about my !@@!# servers • 5 months later, still the most common attack – it was an attack suite: well written, tested  Chapter 11 Data Security

  20. Prevention Controls • Preventing Denial of Service Attacks • Hacker floods network with messages so that server cannot handle normal workload • Hackers use false IP addresses (IP spoofing) • Distributed DoS attack is more disruptive – hacker controls many machines that all attack simultaneously • Can set up several servers around the world (like Microsoft has done) Chapter 11 Data Security

  21. Tech Focus 11-2: DoS Attack • Smurf attacks: flood with Ping ICMP requests • Fraggle attacks: similar to smurf but uses UDP echo requests • TCP SYN floods: request to establish TCP connection • UNIX process table attacks: like TCP SYN • Finger of death attacks: flood with finger requests • DNS Recursion Attacks: spoof the from address to be within the organization Chapter 11 Data Security

  22. Mgt Focus 11-5: Microsoft Part 2 • DDoS attack 1/2001 caused MS to redesign networks • Hacker gained control of a large number of computers, implanting DDoS software • SW targeted MS DNS servers, not web or mail • By focusing on routers on the segment containing the DNS servers, brought net to a crawl • Put 4 DNS servers on separate network segments • MS Contracted with Akamai.com to hold most popular web pages around the world • Pages served from Akamai server closest to customer, reducing response time and providing redundancy Chapter 11 Data Security

  23. Controlling DDD: Detecting • Network management software should notify management of problems • Can send alerts via email or even to pagers • Major problems easier to detect than minor • Network should log performance data which can be compared to current performance • Caterpillar bulldozer agent: avoid any unplanned downtime • Software agents and sniffers look for out of bound measurements • Contact the command center to report possible trouble Chapter 11 Data Security

  24. Controlling DDD: Correcting • Disaster Recovery Plan • Remember United DC-10 that lost hydraulics and crash-landed in Iowa city? Iowa City’s DRP helped save lives! • Provides various levels of response to a number of possible disasters • See fig 11-7 p. 373 for elements of DRP • Managers (2), staff duties, priorities for what done first, locations of spares, data comm recovery, manual procedures, testing methods, backups, actions for certain scenarios Chapter 11 Data Security

  25. Controlling DDD: Correcting • Disaster Recovery Plans • Good backups don’t mean data can be used! • Disaster Recovery Drills important • Two levels: internal redundancy, out sourced DR service • Cold site: storage of data and applications • Hot site: dedicated equipment that is ready to run your applications seamlessly • http://www.disasterrecoveryworld.com/ for checklists, etc. • Disaster Recovery Journalhttp://www.drj.com/ Chapter 11 Data Security

  26. IV. Controlling Access • Unauthorized access is 2nd main problem • Types of intruders • Casual hackers w/ limited knowledge of computers they encounter (script kiddies) • Experts in security but enjoy the challenge (crackers) • Professional hackers who break in for specific purpose (most dangerous kind) • Organization employees with legitimate access who gain access to information they are not authorized to use (most common kind of security breach) Chapter 11 Data Security

  27. Preventing Unauthorized Access • Be proactive! Routinely test security before the intruder does • Don’t keep extremely sensitive data online • Store in networks that are isolated from other networks • Security Policy: define important assets and the policies to access them; see fig 11-8 p. 376 • Manager, incident reporting system, risk assessment with priorities, effective controls at major access points, use min # of controls to reduce inconvenience, acceptable use policy, procedure to monitor changes to network devices, routine training plan for users, routine test plan, annual security audit Chapter 11 Data Security

  28. Security Policy • Security policy should define what employees should and should not do • Password policies: don’t post, don’t tell, change frequently, minimum length, cannot reuse previous password • Use combinations of letters and numbers • Use upper and lower case: go4iT • See next slide for more hints • Apply different controls to different data items Chapter 11 Data Security

  29. Mgt Focus 11-10: Passwords • A good password is easy to remember, hard to guess • Don’t use birthdays, anniversaries, pet names, family names: can guess easily • At least 7 characters; change at least every 90 days; include numbers and some capital letters • Hot apple pie with ice cream and cheese: haPwicAc • ISU policy: www.indstate.edu/adminaff/handbook/SectionV.pdfp. 14 • Change system PW every 90 days, user PW every 180 days • Don’t use same password for non-ISU accounts! • Don’t put PW in (plain text) email • Use strong passwords: >=8 char, not in dictionary, use upper and lower case characters, have a punctuation symbol, not based on personal or family information • Don’t write it down anywhere or share it • Use pass phrase for public key encryption Chapter 11 Data Security

  30. User Profiles • Specifies for user what data and network • What resources can they access • How they can access it (R, W, C, D) • When can they access the resources (days, times, locations) • How many incorrect log-ins are permitted? • Group profiles: shared permissions Chapter 11 Data Security

  31. Physical Security • Biometrics: finger prints, hand geometry, face geometry, iris prints, retina scans • Smart cards: embedded microprocessor with a clock that constantly changes PWs • Computer locks: hardware, software PWs • Hide cables behind walls and ceilings • Alarm systems • USAF uses pressurized cables that show a break-in and sounds alarm • Locked wiring closets for routers, hubs, etc. Chapter 11 Data Security

  32. Dial-In Security • This is a major security risk! • Change phone numbers periodically • Change dial-up PW periodically • One-time PWs • Use smart card PW • Require call backs to designated place • Use embedded ID chip in computer that dials • Use VPNs – encrypted sessions Chapter 11 Data Security

  33. Firewalls • Sits between network and the outside world • HW (router) or SW varieties of firewalls • Examines packets as they enter/leave the network • Packet-level firewall (examines source and destination IP addresses of each packet) • Application-level firewall (intermediate host that authenticates: more complex) • IP Spoofing: hacker changes actual source IP address to a “good” one that is not stopped Chapter 11 Data Security

  34. Tech Focus 11-4: Packet Level Firewalls • Could delete any packets coming from a different subnet or different network • Could delete packets from certain IPs • Could keep certain types of packets from reaching the network (FTP, Telnet, etc) • Software is constantly updated Chapter 11 Data Security

  35. NAT: Network Address Translation (previously covered) • This is cool: you can share 1 IP address across several computers on network • Translates between set of private IP addresses inside network and outside proxy IP addresses • Ex: outside IP is 139.102.180.36. • Inside IP addresses are 192.168.1.1 through 192.168.1.5 (local, private IP addresses) • Could also use 10.X.X.X IP range • NAT device (proxy server) has two NICs – one inside and the other outside the firewall Chapter 11 Data Security

  36. More NAT • When inside client makes a request, its IP address and a unique port number are placed in the packet, then packet is sent to server • Server remembers that port number, replaces the internal IP address with the outside IP address, then sends it along to Internet • When return packet appears, it contains unique port number; server substitutes inside IP address for the computer with that port, passes it to inside network • Slower, but very nice to share one IP address!! Chapter 11 Data Security

  37. DMZ (Demilitarized) Zone • DMZ is the network behind the firewall • Open a hole in the firewall to some of the computers • Contains some but not complete security • Can have better protected internal networks inside the DMZ that are fully protected • Use DMZ for servers that need partial access to/from the outside world Chapter 11 Data Security

  38. Security Holes • This is a bug that permits unauthorized access: quickly circulates on Internet • Ex: I left anonymous FTP turned on and left FTP write access on • This allowed hackers to store huge amounts of MP3 and illegal files in FTP area of server • Solution: turn off anonymous FTP access, but still allow Write for authenticated FTP sessions • Real Solution: do MS Critical Updates and keep servers and clients current!!! Chapter 11 Data Security

  39. Encryption History • Germans used Enigma Machine during WW II – we broke the code • Looked like a typewriter with 3 or 4 code wheels • We also broke the Japanese code in WW II • US used the Navajo Code Talkers who spoke in their native language – never broken! • Plain text vs. cipher text • Key needed to “unlock” the cipher text into plain text Chapter 11 Data Security

  40. Symmetric Encryption • Use mathematical algorithm to disguise • Symmetric: uses same key to encrypt and decrypt • Assymetric: Encrypt and decrypt keys are not same • Good encryption does not require that the algorithm be kept secret, only the keys • DES: Data Encryption Standard • 56-bit key, but was broken in 22 hours using 10,000 PCs distributed over the Internet • 3DES – uses DES 3 times, much harder to break • RC4: up to 256 bit key; still can be broken • A version of RC4 is available in MS Excel for a file • Tools | Options | Security • Can set password, assign digital signature Chapter 11 Data Security

  41. Public Key Encryption • PKI–set of HW, SW, organizations, and policies to make public key encryption work • Two keys, 512 or 1024 bits long! • Public key is used to encrypt the message • Will have a different public key for each destination organization • Private key is used to decrypt the message and is only known to the destination • Could encrypt with private key and decrypt with public key to trace the original sender Chapter 11 Data Security

  42. Other Encryption • PGP – Pretty Good Privacy • Freeware public key software where users post their public key on a web page • Someone sends that user a secret message encrypted by that public key • SSL – Secure Sockets Layer • Used to encrypt web pages for credit card data • Creates a public/private key on the fly for the session • Much slower than regular web page, though! • Done by the web server hosting the page Chapter 11 Data Security

  43. More Encryption • IPSec-IP Security Protocol • Like SSL but focused on more than just Web activities. • IPSec sits between IP at network layer and and TCP/UDP at the transport layer • Two parties use Internet Key Exchange to decide on encryption technique and public/private keys • Tunnel mode: IPSec encrypts entire IP packet and encapsulates it in another packet; this cloaks the actual sender and destination. Used with VPN sessions Chapter 11 Data Security

  44. Detecting Unauthorized Access • IDS: Intrusion Detection System • Network-based IDS • Host-based IDS • Application-based IDS • Techniques • Misuse detection: compares monitored activities with signatures of known attacks • Anomaly detection: compares monitored activities with normal set of activities (e.g., flood of Pings, etc) Chapter 11 Data Security

  45. Correcting Unauthorized Access • Have a “SWAT” team to call into action • Computer forensics uses computer analysis techniques to gather evidence for criminal prosecution • Criminal law has been slow to keep up with computers and the Internet • Companies use entrapment techniques to bait hackers to a false network (like the fake deer near the highway) • This special server has sophisticated SW to monitor access and gather evidence for prosecution! • Called a “honey pot” Chapter 11 Data Security

  46. For More Information … • Enroll in Dr. Moates’ Computer Security class (MIS 475) • NIST CSRC web page • http://csrc.nist.gov/ • CERT Coordination Center • http://www.cert.org/ • Microsoft Security & Privacy site • http://www.microsoft.com/security/ Chapter 11 Data Security

More Related