Network Security Risks IS Auditor Role

1. Network Security Risks
2. IS Auditor Role <ul><li>Collect evidence to ascertain an entity's ability to: </li></ul><ul><ul><li>Safeguard assets </li></ul></ul><ul><ul><li>Maintain data integrity </li></ul></ul><ul><ul><li>Run its systems efficiently </li></ul></ul><ul><ul><li>Run its systems effectively </li></ul></ul>
3. Networks Are Vulnerable to Attack <ul><li>Hackers / crackers </li></ul><ul><li>Terrorists </li></ul><ul><li>Insiders </li></ul><ul><li>Logical attacks and physical attacks </li></ul><ul><li>http://www.msnbc.com/news/482181.asp#BODY </li></ul><ul><li>What is at stake: money, trust, secrets, infrastructure; financial transactions (EFT, credit cards) worth trillions of dollars a year </li></ul><ul><li>Examples cited on the slide: the Pentagon sees about 500,000 attempted attacks a year; Microsoft was hacked; the February denial-of-service attacks; the Melissa and I Love You e-mail worms </li></ul>
4. Physical Access Attack (diagram slide)
5. Sneaker Net (diagram slide)
6. WAN diagram (labels: WAN, ISP 2, fault tolerance)
8. Routers, Firewalls, Gateways <ul><li>Firewall - hardware and/or software that protects assets from untrusted networks </li></ul><ul><li>Gateway / proxy server - lets information flow between the internal and external networks without allowing the direct exchange of packets </li></ul><ul><li>DMZ - a separate network segment that isolates the internal network from the exposed, vulnerable web servers </li></ul><ul><li>Router - manages network traffic and forwards packets toward their destination by the best available path </li></ul><ul><li>Packet filtering - the router or firewall accepts or drops each packet according to a pre-determined set of rules </li></ul><ul><li>Rules match on IP source address, IP destination address, protocol, source port and destination port </li></ul><ul><li>A packet filter is only as secure as the quality of its rule set: rule order matters (many filters apply the first matching rule) and anything not expressly allowed should be denied </li></ul>
9. TCP/IP Internet Protocol <ul><li>IP - the standard for exchanging messages across the internet </li></ul><ul><li>Does not guarantee delivery of packets </li></ul><ul><li>Packets using IP travel like a post card: anyone handling them along the way can read them </li></ul><ul><li>IP by itself provides no data integrity, timeliness, security, privacy or confidentiality (its header checksum only catches accidental corruption of the header) </li></ul><ul><li>TCP, which adds reliable, ordered delivery (acknowledgements and retransmission), is layered on top of IP to form TCP/IP </li></ul><ul><li>Port - address on a host where an application makes itself available to incoming data </li></ul><ul><ul><li>23 - telnet </li></ul></ul><ul><ul><li>25 - SMTP </li></ul></ul><ul><li>Packet - unit of information transmitted as a whole, including source and destination addresses </li></ul><ul><li>IP address - unique 32-bit number (IPv4), written as 4 octets separated by periods </li></ul><ul><ul><li>144.92.43.178 </li></ul></ul><ul><ul><li>InterNIC </li></ul></ul>
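As an added worked example (not from the slides), the following Python shows what the router and packet filter on slide 8 actually look at: it parses a constructed IPv4 packet into the five fields a filter rule matches on, verifies the RFC 791 header checksum (the only integrity check IP provides, and it is not a security control), and evaluates two rule sets with first-match semantics and a default-deny policy. The addresses, the rule sets and the packet builder are constructed for illustration.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum of an IPv4 header.
    It only catches accidental corruption of the header; an attacker just recomputes it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, proto: int = 6) -> bytes:
    """Construct a minimal IPv4 header (no options) followed by the source and
    destination ports of the transport header. Sample-input helper, not real traffic."""
    total_len = 20 + 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + struct.pack("!HH", sport, dport)


def parse_packet(pkt: bytes) -> dict:
    """Return the 5-tuple (proto, src, dst, sport, dport) after checking the header checksum."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(pkt[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header")
    proto = pkt[9]
    tuple5 = {"proto": proto,
              "src": socket.inet_ntoa(pkt[12:16]),
              "dst": socket.inet_ntoa(pkt[16:20]),
              "sport": None, "dport": None}
    if proto in (6, 17) and len(pkt) >= ihl + 4:         # 6 = TCP, 17 = UDP
        tuple5["sport"], tuple5["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return tuple5


def _addr_int(a: str) -> int:
    return struct.unpack("!I", socket.inet_aton(a))[0]


def match(value, pattern) -> bool:
    """'*' matches anything; 'a.b.c.d/n' matches an address prefix; otherwise exact match."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and "/" in pattern:
        net, bits = pattern.split("/")
        mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
        return (_addr_int(value) & mask) == (_addr_int(net) & mask)
    return value == pattern


def filter_packet(rules, pkt: bytes) -> str:
    """First matching rule wins; a packet that matches no rule is denied (default deny)."""
    t = parse_packet(pkt)
    for action, proto, src, dst, dport in rules:
        if (match(t["proto"], proto) and match(t["src"], src)
                and match(t["dst"], dst) and match(t["dport"], dport)):
            return action
    return "deny"


# Constructed rule sets for the external interface in front of a DMZ web server
# 192.0.2.10; 10.0.0.0/8 is the internal network. Rule = (action, proto, src, dst, dport).
GOOD_RULES = [
    ("deny",  "*", "10.0.0.0/8", "*", "*"),   # internal source address arriving from outside = spoofed
    ("allow", 6, "*", "192.0.2.10", 80),      # HTTP to the DMZ web server
    ("deny",  6, "*", "192.0.2.10", 23),      # never telnet to it (default deny covers this too)
]
# The same intent with one careless broad "allow" placed first: the telnet deny can never fire.
BAD_RULES = [
    ("allow", 6, "*", "192.0.2.10", "*"),
    ("deny",  6, "*", "192.0.2.10", 23),
]
```

The second rule set is the slide's point about rule quality: the deny rule for telnet is present, but a broad allow ahead of it shadows it, so the filter accepts telnet to the DMZ host. When auditing a rule set, look for shadowed rules and for any rule whose source or destination is "any" on both sides.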
10. Securing Messages / Transactions
11. Authentication <ul><li>Something you have - smart card or token </li></ul><ul><li>Something you are - biometric device </li></ul><ul><li>Something you know - password or PIN </li></ul>
12. Authentication Devices <ul><li>Biometric devices </li></ul><ul><ul><li>Retinal scan </li></ul></ul><ul><ul><li>Fingerprints </li></ul></ul><ul><ul><li>Voice recognition </li></ul></ul><ul><ul><li>Facial recognition </li></ul></ul><ul><li>SecurID tokens </li></ul><ul><ul><li>Something you have - the token, which displays a code that changes once a minute </li></ul></ul><ul><ul><li>Something you know - a PIN that the user enters together with the token code; both factors must be correct </li></ul></ul>
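An added worked example (not from the slides, and not RSA's proprietary SecurID algorithm): a server-side check for the token-plus-PIN scheme described above, using an HMAC-based one-time code with a 60-second step in the style of RFC 4226/6238. The user record, PIN and token secret are constructed test data; the token secret is the RFC 6238 test-vector secret so the code function can be checked against a published value.

```python
import hashlib
import hmac
import struct

STEP = 60       # seconds per token code, matching "changes once a minute" on the slide
DIGITS = 6


def token_code(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time code over the current time step (RFC 4226 truncation, RFC 6238 timing)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def _pin_hash(salt: bytes, pin: str) -> bytes:
    # PINs are stored hashed with a per-user salt; PBKDF2 keeps offline guessing slow.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


# Constructed server-side record for one user. The token secret is the RFC 6238
# test-vector secret; a real token carries a unique, factory-provisioned secret.
USER_DB = {
    "alice": {
        "pin_salt": b"constructed-salt-1",
        "pin_hash": _pin_hash(b"constructed-salt-1", "4271"),
        "token_secret": b"12345678901234567890",
    }
}


def verify_login(user: str, passcode: str, now: int, window: int = 1) -> bool:
    """passcode = PIN immediately followed by the 6-digit token code.
    Codes from the adjacent time steps (window) are accepted to tolerate clock drift.
    Both factors are always evaluated, so a wrong PIN and a wrong code take the same time."""
    rec = USER_DB.get(user)
    if rec is None or len(passcode) <= DIGITS:
        return False
    pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    pin_ok = hmac.compare_digest(_pin_hash(rec["pin_salt"], pin), rec["pin_hash"])
    code_ok = False
    for k in range(-window, window + 1):
        if hmac.compare_digest(token_code(rec["token_secret"], now + k * STEP), code):
            code_ok = True
    return pin_ok and code_ok
```

A real deployment also records the last accepted time step per user so the same code cannot be replayed inside the window, and rate-limits failed attempts.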
13. Passwords <ul><li>Proper maintenance and procedures are essential </li></ul><ul><li>Post-it notes on monitors and under keyboards? </li></ul><ul><li>Longer than 8 characters </li></ul><ul><li>Not comprised of dictionary (English) words </li></ul><ul><li>Include special characters </li></ul><ul><li>Change regularly </li></ul><ul><li>L0phtCrack - password cracker that recovers weak Windows passwords from their hashes by dictionary and brute-force attack; a good demonstration of why the rules above matter </li></ul>
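An added worked example (not from the slides) of why the rules above matter, in Python: a tiny dictionary attack of the kind L0phtCrack automates against unsalted, fast hashes, next to the storage scheme that resists it (a per-user salt plus an iterated hash such as PBKDF2). The wordlist and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import re

# Constructed wordlist standing in for the dictionaries a cracker ships with.
WORDLIST = ["password", "letmein", "welcome", "summer", "dragon", "qwerty", "monkey"]


def candidates(words, max_digits: int = 2):
    """Words, capitalised words, and both with a short numeric suffix: the usual cracker 'rules'."""
    for w in words:
        for base in (w, w.capitalize()):
            yield base
            for n in range(10 ** max_digits):
                yield f"{base}{n}"


def fast_unsalted(pw: str) -> str:
    """Unsalted, fast hash, like the NT/LM hashes L0phtCrack attacked: ideal for the attacker."""
    return hashlib.md5(pw.encode()).hexdigest()


def slow_salted(pw: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated hash: the per-user salt defeats precomputed tables and forces one
    cracking run per user; the iteration count makes every single guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def crack_unsalted(target: str, words=WORDLIST):
    """Return the password if it falls to the dictionary, else None."""
    for guess in candidates(words):
        if fast_unsalted(guess) == target:
            return guess
    return None


def policy_ok(pw: str, words=WORDLIST) -> bool:
    """The slide's rules: longer than 8 characters, not a dictionary word (with or
    without a numeric suffix), at least one special character."""
    core = re.sub(r"\d+$", "", pw).lower()
    return (len(pw) > 8 and core not in words
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def store_password(pw: str):
    """Return (salt, hash) for storage; a fresh random salt per user."""
    salt = os.urandom(16)
    return salt, slow_salted(pw, salt)


def check_password(pw: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(slow_salted(pw, salt), stored)
```

The dictionary run above tries about 1,400 guesses and finishes instantly against MD5; against PBKDF2 at 200,000 iterations each guess costs roughly that many HMAC operations, and the salt means the work cannot be shared across users.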
14. Symmetric Encryption <ul><li>The secret key used for encryption and decryption is identical </li></ul><ul><li>Alice and Bob must exchange the secret key in advance over a secure channel </li></ul><ul><li>Impractical for large numbers of people: every pair needs its own shared secret, n(n-1)/2 keys for n parties, each of which must be exchanged securely </li></ul>
15. Asymmetric Encryption <ul><li>Public-private key pairs, used to overcome the problem of shared secret keys </li></ul><ul><li>Only the owner of the key pair knows the private key </li></ul><ul><li>The public key is shared with everyone </li></ul><ul><li>Message confidentiality - Bob encrypts a message with Alice's public key; on receipt Alice decrypts it with her private key </li></ul>
16. Encryption of Data <ul><li>Key / cipher length is important </li></ul><ul><li>Expressed in bits </li></ul><ul><li>40-bit cipher broken in 3.5 hours </li></ul><ul><li>56-bit (DES) - 22 hours 15 minutes </li></ul><ul><li>64-bit - 33-34 days </li></ul><ul><li>128-bit - more than 2,000 years </li></ul><ul><li>Caveat: these are contest results and estimates for late-1990s hardware and they are not consistent with each other. Brute force doubles with every added bit, so the machine that broke 56 bits in 22 hours would need about 2^8 = 256 times longer (roughly 8 months) for 64 bits and 2^72 times longer for 128 bits, which is astronomically more than 2,000 years </li></ul>
17. Message integrity / Authentication / Nonrepudiation / Message confidentiality (diagram slide) <ul><li>Message confidentiality - message encryption </li></ul><ul><li>Message integrity - message digest </li></ul><ul><li>Authentication and nonrepudiation - digital signature </li></ul>
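An added worked example (not from the slides) separating the mechanisms on slide 17 with Python's standard library: a plain message digest, a keyed digest (HMAC) shared by Alice and Bob, and what a man-in-the-middle, Mallory, can do to each. The order message and the shared key are constructed. The mechanism that adds nonrepudiation, a digital signature, needs an asymmetric key pair and is not shown here; the last assertion shows why a shared-key MAC cannot provide it.

```python
import hashlib
import hmac

KEY = b"constructed shared secret for alice and bob"   # real use: random, exchanged out of band
ORDER = b"from=alice;to=bob;amount=100;ref=17"        # constructed sample message


def message_digest(msg: bytes) -> str:
    """Plain digest: detects accidental change only; anyone can recompute it."""
    return hashlib.sha256(msg).hexdigest()


def message_mac(key: bytes, msg: bytes) -> str:
    """Keyed digest (HMAC): integrity plus authentication for the two parties holding the key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_digest(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(message_digest(msg), tag)


def verify_mac(key: bytes, msg: bytes, tag: str) -> bool:
    # compare_digest avoids leaking how many leading bytes matched through timing
    return hmac.compare_digest(message_mac(key, msg), tag)


def mallory_tampers(msg: bytes, tag: str, guessed_key: bytes = None):
    """Man-in-the-middle rewrites the amount and recomputes the tag with what she has:
    a plain digest needs no secret; for a MAC she can only guess the key."""
    new_msg = msg.replace(b"amount=100", b"amount=9100")
    if guessed_key is None:
        return new_msg, message_digest(new_msg)
    return new_msg, message_mac(guessed_key, new_msg)
```

Hashing the message together with a secret is not the same as HMAC: H(key || msg) with a Merkle-Damgard hash such as SHA-256 is open to length-extension forgery, which is why the keyed construction above is HMAC and not a bare hash of key and message.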
18. Securing Transactions <ul><li>Data theft </li></ul><ul><ul><li>Customer lists, engineering blueprints and other company secrets </li></ul></ul><ul><ul><li>Company assets are exposed because they are connected to public networks </li></ul></ul><ul><ul><li>Cracker Kevin Mitnick stole plans for Motorola's StarTac; his intrusions used IP spoofing </li></ul></ul><ul><li>Theft of money </li></ul><ul><ul><li>The German Chaos Computer Club demonstrated (1997) an ActiveX control that, once the browser accepted it, scheduled a transfer from the victim's online banking software to an account controlled by the crackers </li></ul></ul>
19. Stored Account Systems <ul><li>Similar to existing debit/credit card systems </li></ul><ul><li>Use the existing infrastructure and payment systems based on electronic funds transfer </li></ul><ul><li>Use settlement houses / clearing houses </li></ul><ul><li>Highly accountable and traceable </li></ul><ul><li>Traceability raises "big brother" privacy concerns </li></ul><ul><li>Slow and expensive: online verification is necessary </li></ul><ul><li>SET (Secure Electronic Transaction), CyberCash </li></ul>
20. Stored Value Systems - E-cash <ul><li>Private; no approval from a bank is needed </li></ul><ul><li>Security stakes are high </li></ul><ul><ul><li>Counterfeiting </li></ul></ul><ul><ul><li>Absence of control and auditing </li></ul></ul><ul><li>Potentially an $8 trillion a year market </li></ul><ul><li>People do not yet trust e-cash technology </li></ul><ul><li>More popular in Europe </li></ul><ul><li>Advantages of e-cash over cash </li></ul><ul><ul><li>Does not require proximity </li></ul></ul><ul><ul><li>Does not create the weight and storage problems of cash </li></ul></ul>
21. New Systems <ul><li>DigiCash, Mondex and Visa Cash </li></ul><ul><ul><li>Stored value and/or stored accounts </li></ul></ul><ul><ul><li>E-cash is stored on an electronic device </li></ul></ul><ul><ul><li>Either on a smart card or on a PC (electronic wallet technology) </li></ul></ul><ul><ul><li>The merchant adds or subtracts e-cash value using encrypted messaging between computers, or by inserting the smart card into the merchant's smart card reader </li></ul></ul><ul><li>Mondex - devices </li></ul>
22. Smart Cards <ul><li>Credit-card-sized devices with a chip and memory </li></ul><ul><li>Contain operating systems and applications </li></ul><ul><li>A reader device attached to a PC can read the smart card </li></ul><ul><li>Avoid the problem of e-cash being stored on insecure hard drives </li></ul><ul><li>Tamper resistance: smart cards disable themselves when physically attacked </li></ul>
23. Smart Cards (applications) <ul><li>Expected to become ubiquitous </li></ul><ul><li>Loyalty information - frequent flier miles </li></ul><ul><li>Health records and health insurance information </li></ul><ul><li>Debit, credit and charge cards </li></ul><ul><li>E-cash </li></ul><ul><li>GSM (Global System for Mobile communications) subscriber identity </li></ul><ul><li>Pay TV </li></ul><ul><li>Mass transit ticketing </li></ul><ul><li>Access control </li></ul><ul><li>Digital signatures </li></ul><ul><li>Biometrics </li></ul><ul><li>Travel and entertainment </li></ul><ul><li>Driver's license and social security information </li></ul>
24. Secure Sockets Layer <ul><li>Confidentiality and authentication of web sessions </li></ul><ul><li>Encrypts the communication channel with a symmetric session key </li></ul><ul><li>Client and server negotiate the session key and the encryption and hashing algorithms used for confidentiality and data integrity; the server's public key, taken from its certificate, protects the key establishment </li></ul><ul><li>The client authenticates the server by checking the server's certificate against the certificate authority (CA) root certificates stored in the browser </li></ul>
25. Secure Electronic Transaction Protocol <ul><li>Open standard for secure internet card payments </li></ul><ul><li>Backed by MasterCard and Visa, with IBM and Microsoft </li></ul><ul><li>Provides confidentiality of information, privacy, message integrity, authentication and nonrepudiation, and authenticates all parties </li></ul><ul><li>Encrypts credit card numbers, shielding them from the public and from the merchant </li></ul><ul><li>Each party in a SET transaction must hold a digital certificate and use a digital wallet or smart card </li></ul><ul><li>1,024-bit keys </li></ul><ul><li>Securing the private keys on consumer PCs is problematic </li></ul><ul><li>MasterCard International - Shop Smart! demo </li></ul>
26. Public Key Infrastructure (PKI) <ul><li>Issues, manages and maintains public-private key pairs and digital certificates </li></ul><ul><li>Digital certificates authenticate servers or clients through a trusted third party, the certificate authority (CA) </li></ul><ul><li>CAs issue digital certificates to merchants; the browser verifies a certificate by checking the CA's digital signature on it against the CA's public key, which is stored in the browser </li></ul><ul><li>Digital signatures were given full legal standing in 2000 (US E-SIGN Act) </li></ul><ul><li>VeriSign Training </li></ul>
27. IE - Tools - Internet Options - Content (where the browser's certificate store and trusted CAs are viewed)
29. Risks to the Client <ul><li>Active content </li></ul><ul><li>Cookies </li></ul><ul><li>Modems (a dial-in modem on a networked PC bypasses the firewall) </li></ul><ul><li>Many clients are mission critical </li></ul><ul><li>Personal firewall software </li></ul><ul><ul><li>Needed even when the client is part of a network with other layers of protection </li></ul></ul><ul><ul><li>BlackICE and ZoneAlarm </li></ul></ul>
30. Active Content <ul><li>Programs that download and execute automatically on the user's machine when the user visits a web site carrying active content </li></ul><ul><li>Java applets, ActiveX controls, JavaScript, VBScript, and multimedia files executed via browser plug-ins (Flash) </li></ul><ul><li>Can provide a rich, customised computing experience, but could be malicious </li></ul><ul><li>Example: a Java applet coded to read the client's cookies, including passwords and IDs, and send them back to crackers </li></ul>
31. ActiveX Controls <ul><li>Can execute any function a Windows program can execute </li></ul><ul><li>Written in a variety of languages; execute only on Wintel machines </li></ul><ul><li>There are no security measures that prevent a trusted ActiveX control from damaging the machine: once accepted, it runs with the user's full privileges </li></ul><ul><li>Security is based entirely on the level of trust the client places in the author of the control </li></ul><ul><li>Authors sign controls with a software publisher certificate (Authenticode) from a certificate authority such as VeriSign; the signature identifies the publisher but says nothing about what the code does </li></ul>
33. Java Applets <ul><li>Platform independent; can run on Windows or Unix machines </li></ul><ul><li>Constrained from accessing resources outside a restricted environment called the sandbox </li></ul><ul><li>The applet can play but not escape </li></ul><ul><li>Trust in Java applets is based on restricting the behaviour of the applet, not on trusting its author </li></ul><ul><li>Holes in the sandbox - implementation bugs that allow attack code to escape it </li></ul>
34. Cookies <ul><li>Web transactions do not maintain state (HTTP is stateless): the server has no memory of the last visit </li></ul><ul><li>To restore state, cookies are kept on the user's hard drive </li></ul><ul><li>A block of data on the client that the server can use to identify the user, select a customised version of a web page, or submit the user's account information </li></ul><ul><li>If intercepted by a third party (for example on an unencrypted connection), significant personal information about the user is compromised </li></ul><ul><li>Can compromise user privacy </li></ul>
35. Operating System Risks <ul><li>Default configurations - e.g. a default setup in which Java applets or server-side code are loaded under the root ID </li></ul><ul><li>Escalation of privileges </li></ul><ul><ul><li>If an attacker gains root or administrator privileges, the cracker can do anything to the system he desires </li></ul></ul><ul><ul><li>Adaptive access control automates the access control process and the assignment of permissions, alleviating the problems of manual access control </li></ul></ul>
36. Operating System Risks 2 <ul><li>Windows 98 is very insecure; modems connected to machines on the internal network are problematic </li></ul><ul><li>UNIX and Windows NT are more secure but still full of bugs and security holes </li></ul><ul><ul><li>Patches are available from vendors and must be applied promptly </li></ul></ul>
37. Computer Emergency Response Team Coordination Center (CERT/CC) <ul><li>Experts on call for emergencies 24 hours a day </li></ul><ul><li>Facilitates communication among experts on security problems </li></ul><ul><li>Central point for the identification and correction of security vulnerabilities </li></ul><ul><li>Secure repository of computer security incident information </li></ul><ul><li>CERT Coordination Center </li></ul>
38. Viruses, Worms, Trojans <ul><li>Users need constant training and monitoring </li></ul><ul><li>The system administrator must update virus definitions on schedule </li></ul><ul><li>Have an attack emergency and recovery plan </li></ul><ul><li>Policies regulating users' handling of e-mail and attachments are important </li></ul>
39. Securing the Server <ul><li>Back-end databases must be protected </li></ul><ul><li>Web servers are particularly vulnerable to attack </li></ul><ul><li>CGI scripts - a web client request causes a program to execute on the server; if the script passes unvalidated request data to the shell or to other programs, the client can execute commands of its choosing </li></ul><ul><li>Crackers then escalate privileges to execute arbitrary system commands: </li></ul><ul><ul><li>deleting or stealing files </li></ul></ul><ul><ul><li>placing Trojan horse programs on the server </li></ul></ul><ul><ul><li>running denial of service attacks </li></ul></ul><ul><ul><li>defacing web pages </li></ul></ul><ul><ul><li>storing cracking tools for a later attack </li></ul></ul>
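An added worked example (not from the slides) of the CGI weakness described above, in Python on a POSIX system: the vulnerable handler builds a shell command line from the request parameter, so a semicolon in the parameter starts a second command; the hardened handler validates the parameter against an allow-list and passes it as a single argv element, so no shell ever interprets it. `echo` stands in for whatever command the real script ran (finger, nslookup, and so on) so the example is harmless to run; the payload string is constructed.

```python
import re
import subprocess

PAYLOAD = "example.com; echo PWNED"     # constructed attacker input


def vulnerable_cgi(param: str) -> list:
    """Deliberately vulnerable, as in the classic CGI bug: the request parameter is
    concatenated into a command line that /bin/sh interprets (shell=True)."""
    result = subprocess.run("echo " + param, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def argv_only(param: str) -> list:
    """Same command without a shell: the parameter is one argv element, so shell
    metacharacters in it are never interpreted, even without validation."""
    result = subprocess.run(["echo", param], capture_output=True, text=True)
    return result.stdout.splitlines()


def is_valid_hostname(param: str) -> bool:
    """Allow-list check: only the characters a hostname may contain, no leading dash
    (so it cannot be read as a command-line option), bounded length."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}", param) is not None


def hardened_cgi(param: str) -> list:
    """Validate first, then run without a shell. In a real deployment the CGI process
    also runs as an unprivileged user, never root, to limit what an escape could do."""
    if not is_valid_hostname(param):
        return ["400 Bad Request"]
    return argv_only(param)
```

If a shell really cannot be avoided, `shlex.quote(param)` is the last resort; the argv list plus allow-list validation above is the better pattern because it removes the shell from the path entirely rather than trying to escape for it.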
40. Denial of Service Attacks <ul><li>Cripple or crash web servers by flooding the server with too much data or too many requests </li></ul><ul><li>E-commerce merchants cannot afford the financial consequences or the loss of trust </li></ul><ul><li>Online NewsHour - Internet Security </li></ul>
41. Web Page Defacing <ul><li>The act of rewriting a web page </li></ul><ul><li>Motivations: political, financial and/or revenge </li></ul><ul><li>Has more than the web server been compromised? Treat a defacement as evidence of an intrusion to be investigated, not as a cosmetic problem </li></ul>
42. Malicious Web Sites <ul><li>EU study - possibly 60 billion euros lost </li></ul><ul><li>Steal credit card numbers </li></ul><ul><li>Spy on hard drives </li></ul><ul><li>Upload files </li></ul><ul><li>Plant active content </li></ul><ul><li>Example: misspelled URLs that imitate legitimate sites </li></ul>
43. People & Security - Policies <ul><li>Embraced by management </li></ul><ul><li>Cover the security philosophy, user policies, incident management, methods to prevent social engineering attacks, network disaster recovery, and the consequences of non-adherence </li></ul><ul><li>Programs to train staff and techniques to enhance security should be ongoing </li></ul><ul><li>An outside penetration study can be useful to document the true level of risk and vulnerability </li></ul>
44. Social Engineering <ul><li>Manipulating employees' natural tendencies (to be helpful, to trust) </li></ul><ul><li>Objectives: obtaining passwords, or configuration data that helps escalate user permissions in an operating system </li></ul><ul><li>Uses the telephone or e-mail, posing as IT staff or higher-level managers </li></ul><ul><li>Talks people into revealing damaging information </li></ul><ul><li>Many devastating cracker exploits have included social engineering </li></ul>
45. Insider Risks <ul><li>Authorised users commit 75% to 85% of all computer crime </li></ul><ul><li>Not usually prosecuted; covered up </li></ul><ul><li>Disgruntled employees: crashing file servers, deleting data, selling critical data, and financial fraud </li></ul><ul><li>Internal network sniffing </li></ul>
46. Onion Approach <ul><li>Security solutions to vulnerabilities should be implemented in a layered approach, the "onion" solution </li></ul><ul><li>Solutions should be preventive and predictive rather than reactive </li></ul><ul><li>Network security architectures rely on layers of devices and software that provide multiple barriers to intruders and protect against, detect, and respond to threats </li></ul>
47. Tools <ul><li>Vulnerability scanning tools </li></ul><ul><ul><li>Determine the weaknesses of remote systems </li></ul></ul><ul><ul><li>Extremely dangerous in the wrong hands </li></ul></ul><ul><ul><li>Discover open ports </li></ul></ul><ul><ul><li>Show how services respond to incoming requests </li></ul></ul><ul><li>Intrusion Detection System (IDS) </li></ul><ul><ul><li>Detects intruders breaking into a system, or </li></ul></ul><ul><ul><li>Detects legitimate users misusing system res ources </li></ul></ul><ul><ul><li>A well-configured IDS alerts on all activity not expressly allowed; blocking is the job of the firewall or an intrusion prevention system </li></ul></ul><ul><ul><li>Analysis of audit trail data, especially operating system activity, is important </li></ul></ul>
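An added worked example (not from the slides, and not the logic of any named IDS product) of the audit-trail analysis the slide calls for, in Python: two simple detection rules run over constructed sshd-style login records, one for an intruder (a burst of failed logins from one source inside a sliding window) and one for misuse by a legitimate user (a successful login outside business hours). The log lines, thresholds and business hours are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style audit records (not real logs).
SAMPLE_LOG = """\
2023-11-03 09:12:01 sshd[412]: Failed password for root from 203.0.113.5 port 50211
2023-11-03 09:12:03 sshd[412]: Failed password for root from 203.0.113.5 port 50212
2023-11-03 09:12:04 sshd[413]: Failed password for admin from 203.0.113.5 port 50213
2023-11-03 09:12:06 sshd[413]: Failed password for root from 203.0.113.5 port 50214
2023-11-03 09:12:09 sshd[414]: Failed password for oracle from 203.0.113.5 port 50215
2023-11-03 10:05:44 sshd[420]: Accepted password for alice from 10.0.0.7 port 51000
2023-11-03 10:40:12 sshd[421]: Failed password for alice from 10.0.0.7 port 51002
2023-11-04 02:13:58 sshd[430]: Accepted password for bob from 10.0.0.9 port 51010
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+$")


def parse_log(text: str) -> list:
    """Turn raw lines into events sorted by time; unparsable lines are skipped here,
    though a production IDS should count them, since gaps in the audit trail are a signal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "ok": outcome == "Accepted", "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Intruder signature: at least `threshold` failures from one source inside a sliding window.
    One alert per source, raised at the moment the threshold is crossed."""
    alerts, recent, alerted = [], defaultdict(deque), set()
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"rule": "failed-login-burst", "src": e["src"],
                           "count": len(q), "at": e["ts"]})
    return alerts


def after_hours_logins(events, start_hour: int = 7, end_hour: int = 19) -> list:
    """Misuse signature: a successful login by a legitimate account outside business hours."""
    return [{"rule": "after-hours-login", "user": e["user"], "src": e["src"], "at": e["ts"]}
            for e in events if e["ok"] and not (start_hour <= e["ts"].hour < end_hour)]


def run_ids(text: str) -> list:
    events = parse_log(text)
    return failed_login_bursts(events) + after_hours_logins(events)
```

The single failure by alice produces nothing, which is the point of the threshold: a detection rule has to be tuned so that normal mistakes stay below it while a password-guessing run crosses it quickly. Both rules are stateless beyond the window and run equally well over a live tail of the log or over archived audit data after an incident.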
48. Tools 2 <ul><li>Logging enhancement tools - supplement operating system logging and can provide independent audit data </li></ul><ul><li>System evaluation tools </li></ul><ul><ul><li>Configuration checking </li></ul></ul><ul><ul><li>Permissions checking </li></ul></ul><ul><ul><li>Analysis of accounts and groups </li></ul></ul><ul><ul><li>Evaluation of registry settings </li></ul></ul><ul><ul><li>Verification that patches are up to date </li></ul></ul>
49. Network Sniffers <ul><li>Intercept and analyse network traffic </li></ul><ul><li>Can be extremely useful but are also very dangerous </li></ul><ul><li>Illegal to sniff a network without permission </li></ul><ul><li>Any cleartext packet can be read with a sniffer, including telnet, FTP and POP passwords </li></ul><ul><li>After an intrusion, sniffer logs can be essential evidence </li></ul><ul><li>Sniffers can be hardware or software based </li></ul><ul><li>Also called "packet dumpers" or packet analysers </li></ul>
50. Questions & Discussion