Network Security Risks IS Auditor Role

Uploaded on


  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Network Security Risks
  • 2. IS Auditor Role
    • Collect evidence to ascertain an entities ability to:
      • Safeguard assets
      • Provide data integrity
      • Efficiency of systems
      • Effectiveness of systems
  • 3. Networks Are Vulnerable to Attack
    • Hackers / Crackers
    • Terrorists
    • Insiders
    • Logical Attack Physical Attack
    $,trust,secrets,infrastructure Financial Transactions-$Trillions/year EFT/Credit Card Pentagon – 500,000 attempted attacks/year Microsoft – Hacked Denial of Service – February Melissa – I Love You
  • 4. Physical Access Attack
  • 5. Sneaker Net
  • 6. WAN ISP 2 Fault tolerance
  • 7.  
  • 8. Routers, Firewalls, Gateways
    • Firewalls- hardware/software used to protect assets from untrusted networks
    • Gateway/proxy server allow information to flow between internal and external networks but do not allow the direct exchange of packets
    • DMZ - isolates internal network from vulnerable web servers
    • Router - manages network traffic forwards packets to their correct destination by the most efficient path
    • Filters packets by a pre-determined set of rules
    • IP source address, IP destination address, source port, and destination port
    • Are only as secure as quality of rule set designed
  • 9. TCP/IP Internet Protocol
    • IP - standard for internet message exchange
    • Does not guarantee delivery of packets
    • Packets using IP travel similarly to a post card
    • Does not provide for data integrity or timeliness, security, privacy or confidentiality
    • TCP, with error correction services is stacked on top of IP to form TCP/IP
    • Port – address on host where application makes itself available to incoming data
      • 23 – telnet
      • 25 - SMTP
    • Packet – unit of information transmitted as a whole, inc. source and destination address
    • IP address – unique 32 bit number- 4 octets separated by periods
      • InterNIC
  • 10. Securing Messages / Transactions
  • 11. Authentication
    • Something you have
    • Something you are
    • Something you know
    • Smart card
    • Biometric devices
    • Password
  • 12. Authentication Devices
    • Biometric devices
      • Retinal scan
      • Fingerprints
      • Voice recognition
      • Facial recognition
    • Secure ID tokens
      • something you have-token
      • something you know- pin used to generate password that changes once a minute
  • 13. Passwords
    • Proper maintenance & procedures essential
    • Post-it notes - on monitors and under keyboards ?
    • Longer than 8 characters
    • Not comprised of English words
    • Include special characters
    • Change regularly
    • L0pht crack L0phtCrack
  • 14. Symmetric Encryption
    • Secret key used for encryption and decryption is identical
    • Alice and Bob must exchange the secret key in advance
    • Impractical for large numbers of people to securely exchange shared secret keys
  • 15. Asymmetric Encryption
    • Public-private key pairs,, used to overcome the problem of shared secret keys
    • Owner of the key knows private key
    • Public key is shared with everyone
    • Message confidentially- Bob encrypts a message with Alice’s public key and on receipt Alice decrypts the message with her private key
  • 16. Encryption of data
    • Keys / Cipher length is important
    • Expressed in bits
    • 40 bit cipher can be broken in 3.5 hrs
    • 56 bit - 22 hours 15 min,
    • 64 bit - 33-34 days,
    • 128 bit - > 2000 years
  • 17. Message integrity Authentication Nonrepudiation Message confidentiality Message encryption Digital signature Message Digest
  • 18. Securing Transactions
    • Data theft
    • Customer lists, engineering blueprints and other company secrets
    • Company assets vulnerable since connected to public networks
    • Cracker Kevin Mitnick stole plans for Motorola’s StarTac
    • Used IP spoofing
    • Theft of money
    • German Chaos Computer Club
    • used an Active X control to schedule transfer of money from the victim’s online bank account to numbered bank account controlled by crackers
  • 19. Stored Account System
    • Similar to existing debit/credit card systems
    • Use existing infrastructure/payment systems based on electronic funds transfer
    • Use settlement houses/clearing houses
    • Highly accountable and traceable
    • Traceable - raise privacy concerns “big brother”
    • Slow and expensive online verification is necessary
    • SET- secure electronic transaction, CyberCash
  • 20. Stored Value Systems – E-cash
    • Private, no approval from bank needed
    • Security stakes are high
      • Counterfeiting
      • Absence of control & auditing
    • Potentially $8 trillion a year market
    • People do not yet trust e-cash technology
    • More popular in Europe
    • E-cash superior to cash
      • Do not require proximity
      • Do not create weight & storage problems of cash
  • 21. New Systems
    • DigiCash, Mondex and Visa Cash
      • Stored value and/or stored accounts
      • E-cash is stored on an electronic device
      • Use smart card or e-cash could be stored on a PC Electronic wallet technology
      • Merchant adds or subtracts e-cash value using encrypted messaging between computers or by inserting the smart card in the merchant’s smart card reader
    • Mondex - Devices
  • 22. Smart Cards
    • Credit card sized devices w/ chip & memory
    • Contain operating systems & applications
    • Reader device attached PC can read smart card
    • Avoid problem of e-cash being stored on insecure hard drives
    • Smart cards disabled when physically attacked
  • 23. Smart Cards
    • Will be ubiquitous
    • Loyalty information – frequent flier miles
    • Health records and health insurance information
    • Debit, credit, and charge cards
    • E-cash
    • Global system for mobile communications
    • Pay TV
    • Mass transit ticketing
    • Access controls
    • Digital signatures
    • Biometrics
    • Travel and entertainment
    • Drivers license and social security information
  • 24. Secure Sockets Layer
    • Confidentiality & authentication of web sessions
    • Encrypts the communication channel uses private key
    • Server & client and server agree to private session key & private encryption/ hashing protocols for confidentiality & data integrity
    • Client authenticates server w/ certificate authority stored on client’s browser
  • 25. Secure Electronic Transaction Protocol
    • Open standard for secure internet payments
    • Master Card and Visa, IBM and Microsoft
    • Confidentiality of information,privacy, message integrity, authentication, and nonrepudiation, and authenticates all parties
    • Encrypts credit card numbers, shielding from public & merchant
    • Party in a SET transaction must possess a digital certificate, carry digital wallets or smart cards
    • 1,024 bit keys
    • Securing private keys is problematic
    • MasterCard International - Shop Smart! Demo
  • 26. Public Key Infrastructure (PKI)
    • Issue, manage, and maintain public-private key pairs and digital certificates Digital certificates used to authenticate servers or clients using trusted third party, certificate authority
    • CA’s issue digital certificates to merchants, can be verified by the browser checking the digital signature of the CA against the public key of the CA, stored on the browser
    • Digital signatures have full legal standing 2000
    • VeriSign Training
  • 27. IE –Tools – Internet Options - Content
  • 28.  
  • 29. Risks to the client
    • Active content
    • Cookies
    • Modems
    • Many clients mission critical
    • Personal firewall software
      • Needed even if part of a network with other layers of protection
      • Black Ice and Zone Alarm
  • 30. Active Content
    • Programs that automatically download & execute on user’s machine when user hits on web site with active content
    • Java applets, active X controls, JavaScript, VBScript, multimedia presentation files executed via browser “plug-ins” (Flash)
    • Can provide rich customized computing experience Could be malicious
    • Java applet coded to read client’s cookies including Passwords & id’s & send the information back to crackers
  • 31. Active X Controls
    • Can execute any function windows program can execute
    • Written in variety of languages- execute only on Wintel machines
    • Security measures designed to prevent trusted active X controls from damaging machine do not exist
    • Security based on level of trust client places in author of active X control
    • Software publisher certificate from a certificate authority such as VeriSign
  • 32.  
  • 33. Java Applets
    • Platform independent; Can run on Windows or Unix machines
    • Constrained from accessing resources outside section of memory called the sandbox
    • Applet can play but not escape
    • Trust of java applets based on restricting the behavior of the applet
    • Holes in the sandbox- bugs that allows attack code
  • 34. Cookies
    • Internet transactions do not maintain state, no memory of last visit
    • To restore state - cookies kept on users hard drive
    • Block of data on client that server can use to identify user, instruct server to send a customized version of a web page, submit the account information of user
    • If intercepted by third party, significant personal information about user compromised
    • Compromise user privacy
  • 35. Operating System Risks
    • Default configurations –on client node allows java applets to load on server using root ID
    • Escalation of privileges –
      • If an attacker gains “root” or administrator privileges the cracker can do anything to the system he desires
      • Adaptive access control , automates access control process, assigning of permissions alleviates problems of manual access control
  • 36. Operating System Risks 2
    • Windows 98 very insecure – modems connected to internal network problematic
    • UNIX & windows NT operating systems - more secure but still full of bugs and security holes
      • Patches available from vendors
  • 37. Computer Emergency Response Team Coordination Center
    • Experts on call for emergencies 24 hours a day
    • Provides facilitation of communication among experts on security problems
    • Central point for the identification and correction of security vulnerabilities
    • Secure repository of computer security incident information
    • CERT Coordination Center
  • 38. Viruses, Worms, Trojans
    • Users need constant training and surveillance
    • System administrator - update virus definitions on schedule
    • Attack emergency and recovery plan
    • Policies regulating users handling of e-mail are important
  • 39. Securing the Server
    • Back-end databases must be protected
    • Web servers particularly vulnerable to attack
    • CGI Scripts – Web client request executes on server
    • Crackers escalate privileges to arbitrarily execute system commands
      • deleting or stealing files
      • placing Trojan horse programs on the server
      • running denial of service attacks
      • defacing web pages
      • storing cracking tools for a later attack
  • 40. Denial of Service Attacks
    • Cripple or crash Web servers by flooding server with too much data or too many requests
    • E-commerce merchants cannot afford financial consequences or loss of trust
    •   Online NewsHour -- Internet Security
  • 41. Web Page Defacing
    • Act of rewriting web page
    • Motivations political, financial, &/or revenge
    • More than web server compromised ?
  • 42. Malicious Web Sites
    • EU study – possibly 60 billion euros lost
    • Steal credit card numbers
    • Spy on hard drives
    • Upload files
    • Plant active content
    • Example misspelled URL’s
  • 43. People & Security - Policies
    • Embraced by management
    • Security philosophy, user policies, incident management, methods to prevent social engineering attacks, network disaster recovery, and consequences for lack of adherence
    • Programs to train staff & techniques to enhance security should be ongoing
    • Outside penetration study can be useful to document the true level of risk and vulnerability
  • 44. Social Engineering
    • Manipulating of employees natural tendencies
    • Objectives: obtaining passwords, obtaining configuration data to escalate user permissions in an operating system
    • Use telephone or email posing as IT staff or higher-level managers
    • Talk people into revealing damaging information
    • Many devastating cracker exploits have included social engineering
  • 45. Insider Risks
    • Authorized users commit 75% to 85% of all computer crime
    • Not usually prosecuted – covered up
    • Disgruntled employees - crashing file servers, deleting data, selling critical data, and financial fraud
    • Internal network sniffing
  • 46. Onion Approach
    • Security solutions to vulnerabilities should be implemented in a layered approach, the “onion” solution
    • Solutions should be preventive and predictive rather than reactive
    • Network security architectures rely upon layers of devices and software that provide multiple barriers to intruders and protect, detect and respond to threats
  • 47. Tools
    • Vulnerability scanning tools
      • determination of remote systems weaknesses
      • extremely dangerous in the wrong hands
      • discover open ports
      • how services respond to incoming requests
    • Intrusion Detection System (IDS)
      • detect intruders breaking into a system or to
      • detect legitimate users misusing system resources
      • well-configured IDS will prohibit all activity not expressly allowed
      • analysis of audit trail data, especially operating system activity is important
  • 48. Tools 2
    • Logging enhancement tools - supplement operating system logging & can provide independent audit data
    • System evaluation tools
      • Configuration checking
      • Permissions checking
      • Analysis of accounts and groups
      • Evaluation of registry settings
      • Verification of up to date patch installation
  • 49. Network sniffers
    • Intercept and analyze network traffic
    • Can be extremely useful but also are very dangerous
    • Illegal to sniff a network without permission
    • Possible to read packets with a sniffer
    • After an intrusion sniffer logs can be essential
    • Sniffers can be hardware or software based
    • Also called “packet dumpers”
  • 50. Questions & Discussion