Confidentiality
protection of organizational data from unauthorized disclosure
Integrity
assurance that data have not been altered (i.e., that data hasn’t lost its accuracy or validity)
Availability (aka business continuity)
protection against disruption, destruction and disasters; degree to which information and systems are accessible to authorized users
Threats to business continuity
Disruption, destruction and disaster: loss or reduction of network service caused by viruses, hardware/software malfunction, natural or man-made disasters, etc.
Threats to confidentiality
unauthorized access (i.e., intrusion by hackers [from outside the organization] or rogue employees [from inside the organization])
Mechanisms that reduce/eliminate security threats
Preventive controls stop a threat from occurring (e.g., passwords)
Detective controls reveal unwanted events (e.g., auditing software)
Corrective controls rectify an unwanted event (e.g., restoring an IS after a fire)
Three common risk assessment frameworks:
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Control Objectives for Information and Related Technology (COBIT)
Risk Management Guide for Information Technology Systems (NIST SP 800-30)
Inventory IT assets
IT managers and business managers must: (1) identify all of the organization's IT assets (Fig. 11-2: types of assets) and (2) document and rank the importance of each asset to the organization.
Identify threats
The IT manager must:
Identify the threats (threats and their likelihood are summarized in Fig. 11-4).
Create, for EACH IT asset, a threat scenario that describes how that asset can be compromised by one specific threat (so it is common to have more than one threat scenario per IT asset).
Each threat scenario must include (1) the name of the IT asset, (2) its importance, (3) the threat, (4) its likelihood of occurrence, (5) the potential consequences of the threat, together with a risk score that quantifies impact and likelihood of occurrence, and (6) the controls applied to it, as documented in Step 4 (see below and the next slides).
Document Existing Controls
The IT manager must determine the risk control strategy, choosing among 4 options:
Risk acceptance: take no action for risks that have low impact.
Risk mitigation: use controls to remove or reduce the impact of the threat.
Risk sharing: transfer all or part of the impact (through insurance or outsourcing).
Risk deferring: take no action yet while collecting more information about the threat and the risk (for non-imminent risks).
Identify Improvements
The IT manager evaluates the adequacy of (1) the existing controls and (2) the degree of risk that remains for each threat, and identifies where additional controls are needed.
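The four steps above (inventory assets, build threat scenarios with a risk score, document existing controls and pick a strategy, identify improvements) are easiest to see as one small risk register. The following is an added example written for this page, not code from the course or the textbook; the 1-5 scales, the "reduction" figure attached to each control, the acceptance/deferral thresholds and the sample assets are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List

# Importance and likelihood are scored 1 (low) to 5 (high); the risk score is
# their product, so it ranges from 1 to 25. The thresholds below are
# assumptions chosen for this example, not values from the chapter.
ACCEPT_BELOW = 6    # residual score below this: risk acceptance
DEFER_BELOW = 10    # below this and not imminent: risk deferring


@dataclass
class Control:
    name: str
    reduction: float    # share of the threat's impact the control removes (0..1)


@dataclass
class ThreatScenario:
    asset: str
    importance: int     # 1-5, from the asset inventory
    threat: str
    likelihood: int     # 1-5, from the threat list
    consequences: str
    imminent: bool = True
    transferable: bool = False             # can be insured or outsourced
    controls: List[Control] = field(default_factory=list)   # existing controls

    @property
    def risk_score(self) -> int:
        return self.importance * self.likelihood

    @property
    def residual_score(self) -> float:
        # each existing control removes its share of whatever impact remains
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.reduction
        return round(self.risk_score * remaining, 1)


def recommend_strategy(s: ThreatScenario) -> str:
    """Pick one of the four risk control strategies from the residual score."""
    if s.residual_score < ACCEPT_BELOW:
        return "accept"
    if s.residual_score < DEFER_BELOW and not s.imminent:
        return "defer"
    if s.transferable:
        return "share"
    return "mitigate"


def identify_improvements(scenarios: List[ThreatScenario]) -> List[ThreatScenario]:
    """Scenarios whose existing controls still leave an unacceptable residual
    risk, most severe first; these are where new controls are needed."""
    gaps = [s for s in scenarios if s.residual_score >= ACCEPT_BELOW]
    return sorted(gaps, key=lambda s: s.residual_score, reverse=True)


# Constructed sample register: the assets, scenarios and controls are illustrative.
# Note the web server has two scenarios, one per threat.
REGISTER = [
    ThreatScenario("web server", 5, "denial of service", 4, "site offline",
                   controls=[Control("traffic anomaly detector", 0.5)]),
    ThreatScenario("web server", 5, "intrusion via unpatched software", 3,
                   "customer data disclosed",
                   controls=[Control("firewall", 0.4), Control("patching", 0.5)]),
    ThreatScenario("data center", 5, "flood", 2, "all services lost",
                   imminent=False, transferable=True),
    ThreatScenario("backup tapes", 3, "theft", 1, "archived data disclosed"),
    ThreatScenario("workstations", 2, "virus", 5, "lost productivity",
                   controls=[Control("antivirus", 0.7)]),
]


if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.asset:13} {s.threat:32} score={s.risk_score:2} "
              f"residual={s.residual_score:4} -> {recommend_strategy(s)}")
    print("needs improvement:",
          [s.threat for s in identify_improvements(REGISTER)])
```

Running it ranks the denial-of-service scenario and the flood scenario as the two gaps: the anomaly detector halves the DoS risk but leaves it above the acceptance line (mitigate further), while the flood is non-imminent yet too costly to defer and is best shared through insurance.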
Antiviruses
protect against malware i.e., viruses, worms, spyware, etc
Traffic anomaly detectors and traffic anomaly analyzers protect against denial-of-service (DoS or DDoS) attacks, which prevent normal access to servers (see Fig. 11-8)
Protection against device failure
Solution for a failing component: redundancy in the network (e.g., in the backbone network, BN), fault-tolerant servers (i.e., servers with redundant components), RAID storage, clusters/server farms, backup servers, etc.
Solution for power interruption: uninterruptible power supplies (UPS), which allow the IS to keep operating while the battery lasts and then shut down properly.
Disaster protection
Solution 1: Disaster avoidance, i.e., storing critical data in multiple locations and avoiding locations prone to flooding (basements) or natural disasters.
Solution 2: Disaster Recovery Plan (DRP), i.e., a clear plan that (1) identifies responses to different types of disasters, (2) provides for recovery of data, applications and the network and (3) specifies the backup and recovery controls. DRPs can be outsourced to disaster recovery firms.
Security policy
Document that clearly identifies (1) the key IT assets, (2) what employees should and should not do and (3) a plan for routinely training employees (elements of a security policy: Fig. 11-11)
Perimeter security and firewalls
Firewalls: a network component (typically a router) that examines packets flowing into and out of the organization's network and restricts access to that network.
Packet-level firewalls: filter on packet header fields (source/destination IP address, protocol and port) using ACL rules (Fig. 11-13); they do not look at packet contents.
Application-level firewalls: filter on application-layer content (e.g., blocking executable files); stateful inspection additionally tracks the state of each connection so that only packets belonging to an established, permitted session are passed.
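The difference between the two firewall types is clearest when the same packet is run through both. The following is an added example written for this page, not code from the course or the textbook: a first-match ACL evaluated on header fields only, plus a content check that a packet-level filter cannot make. The ACL, the addresses (RFC 5737 documentation prefixes) and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: int          # destination port (0 for icmp)
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR prefix or "any"
    dst: str
    proto: str                   # protocol name or "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        # A packet-level rule sees header fields only, never the payload.
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Constructed inbound ACL on the Internet-facing interface of an organization
# whose public servers live in 203.0.113.0/24 and whose partner network is
# 198.51.100.0/24. Rules are evaluated top to bottom; the first match wins.
ACL: List[Rule] = [
    Rule("deny",   "203.0.113.0/24", "any", "any"),                  # spoofed internal source
    Rule("permit", "any", "203.0.113.10/32", "tcp", 80),             # public web server
    Rule("permit", "any", "203.0.113.10/32", "tcp", 443),
    Rule("permit", "198.51.100.0/24", "203.0.113.0/24", "tcp", 22),  # partner admin access
    Rule("deny",   "any", "any", "any"),                             # explicit default deny
]


def packet_filter(rules: List[Rule], p: Packet) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"   # implicit deny if nothing matched


# Magic numbers of executable file formats (Windows PE "MZ" and ELF).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def application_filter(p: Packet) -> str:
    """Application-level check: inspect the HTTP body and refuse executable files."""
    body = p.payload.split(b"\r\n\r\n", 1)[-1]   # bytes after the HTTP headers
    return "deny" if body.startswith(EXECUTABLE_MAGIC) else "permit"


# Constructed sample traffic.
WEB_GET = Packet("192.0.2.50", "203.0.113.10", "tcp", 80,
                 b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
OUTSIDER_SSH = Packet("192.0.2.50", "203.0.113.10", "tcp", 22)
PARTNER_SSH = Packet("198.51.100.20", "203.0.113.11", "tcp", 22)
SPOOFED = Packet("203.0.113.99", "203.0.113.10", "tcp", 80)
EXE_UPLOAD = Packet("192.0.2.50", "203.0.113.10", "tcp", 80,
                    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\nMZ\x90\x00\x03")


if __name__ == "__main__":
    for name, p in [("web GET", WEB_GET), ("outsider SSH", OUTSIDER_SSH),
                    ("partner SSH", PARTNER_SSH), ("spoofed", SPOOFED),
                    ("exe upload", EXE_UPLOAD)]:
        print(f"{name:13} packet-level={packet_filter(ACL, p):6} "
              f"application-level={application_filter(p)}")
```

The executable upload is the instructive case: to the ACL it is just another TCP packet to port 80 of the web server and is permitted, and only the content inspection rejects it. The spoofed packet shows why rule order matters: it would match the web-server permit rule if the anti-spoofing deny were not placed above it.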
Physical security: all servers and network equipment are kept in secured rooms that only authorized personnel can enter. To prevent eavesdropping, use fiber-optic cable on wired networks and encryption on wireless networks.
Server and client protection
Installing security patches eliminates software security holes, i.e., flaws in network software that permit unintended access to the network. Installing and keeping antivirus software up to date protects against malware such as trojan horses and rootkits.
Encryption
Process of encoding a message that involves (1) plaintext, (2) an encryption algorithm (often publicly known), (3) a key or a combination of keys, (4) ciphertext and (5) decryption (the reverse process, which does not always use the same key)
Encryption techniques:
Symmetric (private-key) encryption: uses a single key, shared by sender and receiver, for both encrypting and decrypting. Advantage: fast and, with a sufficiently long key, secure. Problem: key distribution (the shared key itself must reach the receiver secretly).
Asymmetric (public-key) encryption: uses 2 keys. Solves the key distribution problem (see next slide).
Asymmetric (public-key) encryption
A pair of keys is used. One key is designated the public key and can be freely shared; the other is designated the secret private key. When a message is encrypted using one key, it can only be decrypted with the other. Based on mathematical calculations that are easy in one direction but difficult in reverse.
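A toy implementation makes the two slides above concrete: a symmetric cipher that needs the same key at both ends, an RSA key pair where whatever one key encrypts only the other decrypts, and the usual way the two are combined so that the public key carries the symmetric key to the receiver. This is an added example written for this page, not code from the course or any library; the stand-ins are assumptions chosen for illustration: 80-bit primes (far too small for real use), a SHA-256 counter keystream in place of a real symmetric cipher, and no padding scheme.

```python
import hashlib
import random
import secrets
from typing import Optional, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits: int = 80, seed: Optional[int] = None) -> Tuple[Key, Key]:
    """Return (public, private). Multiplying p and q is the easy direction;
    recovering them from n is the hard one. 80-bit primes are a toy size:
    real RSA uses 2048-bit moduli and padding such as OAEP (assumption: toy)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)             # modular inverse of e (Python 3.8+)
    return (p * q, e), (p * q, d)


def rsa_apply(key: Key, m: int) -> int:
    """Raise m to the key's exponent mod n. Applying the public key encrypts
    (or verifies a signature); applying the private key decrypts (or signs)."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, exp, n)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream. The same
    key encrypts and decrypts, which is exactly the key-distribution problem."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def hybrid_encrypt(recipient_public: Key, plaintext: bytes) -> Tuple[int, bytes]:
    """Fresh 128-bit session key, wrapped with the recipient's public key."""
    session_key = secrets.token_bytes(16)
    wrapped = rsa_apply(recipient_public, int.from_bytes(session_key, "big"))
    return wrapped, stream_xor(session_key, plaintext)


def hybrid_decrypt(recipient_private: Key, wrapped: int, ciphertext: bytes) -> Optional[bytes]:
    """Only the holder of the matching private key recovers the session key."""
    try:
        session_key = rsa_apply(recipient_private, wrapped).to_bytes(16, "big")
    except (OverflowError, ValueError):   # unwrapped value is not a 16-byte key
        return None
    return stream_xor(session_key, ciphertext)


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair(seed=1)
    wrapped, ct = hybrid_encrypt(alice_pub, b"meet at noon")
    print(hybrid_decrypt(alice_priv, wrapped, ct))
    digest = int.from_bytes(hashlib.sha256(b"meet at noon").digest()[:8], "big")
    sig = rsa_apply(alice_priv, digest)              # "encrypt" with the private key
    print(rsa_apply(alice_pub, sig) == digest)       # anyone can check with the public key
```

The last two lines show the other direction of the same property: something transformed with the private key is recoverable with the public key, which is what a digital signature relies on. A second key pair that tries to unwrap the session key gets a meaningless number and cannot decrypt the message.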
User authentication
User profile specifies data and network resources a user can access and the type of access or privileges (CRUD i.e., Create, Read, Update or Delete).
Preventing social engineering (e.g.: Phishing):
Training end users not to disclose user IDs and passwords
Intrusion Prevention Systems (IPS)
Software/hardware package designed to detect an intrusion and take action to stop it
An IPS uses 2 techniques to determine whether an intrusion is in progress:
Misuse detection: compares monitored activity with signatures of known attacks.
Anomaly detection: looks for major deviations from the "normal" parameters of network operation (example of an anomaly: a large number of failed logins).
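The two detection techniques can be run side by side over the same log to see what each one catches. The following is an added example written for this page, not code from the course or any IPS product: two attack signatures, a failed-login threshold standing in for the "normal" baseline, and a dozen constructed log lines in a made-up `timestamp service source message` format. The signatures, the threshold, the window and the log lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Tuple

# Misuse detection: signatures of known attack patterns (constructed for this example).
SIGNATURES = {
    "sql-injection": re.compile(r"union(\s|%20)+select", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}|(%2e%2e%2f){2,}", re.IGNORECASE),
}

# Anomaly detection: "normal" is assumed to be at most FAILED_LOGIN_THRESHOLD
# failed logins from one source within any WINDOW_SECONDS period.
FAILED_LOGIN_THRESHOLD = 5
WINDOW_SECONDS = 60

# Constructed sample log: one SSH password-guessing burst, two web attacks,
# and ordinary traffic (including a user who simply mistyped a password twice).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd 203.0.113.5 Failed password for root
2024-05-01T10:00:04 sshd 203.0.113.5 Failed password for root
2024-05-01T10:00:07 sshd 203.0.113.5 Failed password for admin
2024-05-01T10:00:09 sshd 192.0.2.20 Failed password for alice
2024-05-01T10:00:11 sshd 203.0.113.5 Failed password for admin
2024-05-01T10:00:14 sshd 203.0.113.5 Failed password for oracle
2024-05-01T10:00:15 httpd 198.51.100.7 GET /products.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users
2024-05-01T10:00:18 sshd 203.0.113.5 Failed password for test
2024-05-01T10:00:21 sshd 203.0.113.5 Failed password for root
2024-05-01T10:00:30 httpd 198.51.100.9 GET /download?file=../../../../etc/passwd
2024-05-01T10:00:42 httpd 192.0.2.20 GET /index.html
2024-05-01T10:01:30 sshd 192.0.2.20 Failed password for alice
"""
LINES = SAMPLE_LOG.splitlines()


def parse(line: str) -> Tuple[datetime, str, str, str]:
    ts, service, src, msg = line.split(" ", 3)
    return datetime.fromisoformat(ts), service, src, msg


def misuse_detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag any line whose message matches a known-attack signature."""
    alerts = []
    for line in lines:
        _, _, src, msg = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                alerts.append((name, src))
    return alerts


def anomaly_detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag a source once its failed logins in a sliding window exceed the baseline."""
    alerts = []
    recent = defaultdict(deque)   # source -> timestamps of its recent failures
    flagged = set()
    for line in lines:
        ts, _, src, msg = parse(line)
        if "Failed password" not in msg:
            continue
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()          # drop failures older than the window
        if len(window) > FAILED_LOGIN_THRESHOLD and src not in flagged:
            flagged.add(src)
            alerts.append(("failed-login-burst", src))
    return alerts


if __name__ == "__main__":
    print("misuse  :", misuse_detect(LINES))
    print("anomaly :", anomaly_detect(LINES))
```

Each technique misses what the other finds: the password-guessing burst matches no signature and is only visible as a deviation from the normal failure rate, while the two single web requests are perfectly normal in volume and are only recognized because their content matches a known attack. The two occasional failures from 192.0.2.20 fall outside the window and are not flagged, which is why the threshold is applied per window rather than to a plain count.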