PowerPoint Presentation


Speaker notes
  • Ideally you start with Policy Development, but customers typically start at the bottom. The information security lifecycle makes the point that security is a process, not a product, and that it is an ongoing process. It integrates people, process and technology. With the addition of security consulting services to our managed security services, Verizon can now support all stages of the security lifecycle. The pie is enormous: the Aberdeen Group projects that spending on security products and services through 2003 will be approximately $17 billion. ISO standard: the level of impact to each critical asset is estimated based on the relationship between the threat and the vulnerability. Identify assets (what are you trying to protect?); identify threats (the perceived risk to the business); identify vulnerabilities.
  • Physically secured computers and servers. Physical security is a precursor to logical security. Documentation security (i.e. shredding).
  • Two-factor authentication uses two of the three available mechanisms; this strengthens security. Types: software-based (S/Key); hardware-based (ActivCard: challenge-response; Security Dynamics SecurID: time-sync); smart card, capable of storing a digital certificate.
  • Errors (false positives / false negatives); cost; concern over health issues; privacy.
  • Firewalls provide perimeter security. A firewall uses a rule base (default rule: deny everything not explicitly allowed). Firewall types: application gateway (proxy server), packet filter, stateful inspection. JAWZ’ networking consultants work with the client to improve overall network security through the use of firewalls to create logical segmentation. The firewall design may apply to any part of an organization’s network, including Internet, intranet or extranet. IDS: if you can’t block the access, monitor and discipline the promiscuous behavior. Real-time monitoring of the network segment; scan and probe countermeasures.
  • Standard & enhanced services: Silver Level Assessment and Gold Level Assessment. Other assessment services: Host Assessment, an evaluation of the operating system as well as an examination of how the operating system provides security for the network. Includes: physical security & documentation assessment; operating system assessment; technical & network security overview (port scan); procedural assessment. Firewall Assessment: JAWZ’ networking consultants will review the Internet, intranet or extranet firewall architecture to ensure a company’s assets are protected. The assessment will ensure that both the technical staff and management understand the level of security that the company’s firewalls provide. External Attack & Pen (i.e. ethical hack or white-hat hacking): used to assist in identifying network perimeter vulnerabilities that may be used to gain access to networks and systems processing, storing or transmitting information assets.
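The two-factor note above names a software token (S/Key), hardware tokens that work by challenge-response or time synchronisation, and a password as the "what they know" factor. The Python below is an added example, not code from the presentation or from Verizon: it shows how a verifier handles an S/Key-style one-way hash chain, how a time-synchronised code is checked with a small drift window and no reuse, and why a login must require both factors. The chain length, the 60-second step, the class and function names, and every seed, secret and salt are constructed for the illustration; the time code is a generic HMAC-SHA1 construction, not the algorithm inside SecurID.

```python
import hashlib
import hmac
import struct

# --- Software token: S/Key-style one-way hash chain -------------------------
# The client computes h^1(seed) ... h^n(seed) once; the server keeps ONLY the
# last element. Each login discloses the element just before the stored one;
# the server hashes it once to check, then stores the disclosed value, so a
# captured one-time password cannot be replayed.

def hash_chain(seed: bytes, length: int) -> list:
    """Return [h^1(seed), ..., h^length(seed)] using SHA-256."""
    chain, value = [], seed
    for _ in range(length):
        value = hashlib.sha256(value).digest()
        chain.append(value)
    return chain

class HashChainServer:
    def __init__(self, last_element: bytes):
        self.stored = last_element  # h^n(seed); the seed itself never reaches the server

    def verify(self, candidate: bytes) -> bool:
        """Accept iff sha256(candidate) == stored, then move the chain back one step."""
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.stored):
            self.stored = candidate  # the value just used can no longer be replayed
            return True
        return False

# --- Hardware token: time-synchronised code ---------------------------------
# Token and server share a secret and a clock; the displayed code depends on the
# current 60-second step. HMAC-SHA1 with dynamic truncation is a generic
# illustration of the idea, not the vendor algorithm inside SecurID.

STEP_SECONDS = 60

def time_code(secret: bytes, now: int, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TimeSyncServer:
    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps  # tolerate one step of clock skew either way
        self.last_used_step = -1        # each code is accepted at most once

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            cand = step + delta
            if cand <= self.last_used_step:
                continue  # already consumed, or older than a consumed code
            if hmac.compare_digest(time_code(self.secret, cand * STEP_SECONDS), code):
                self.last_used_step = cand
                return True
        return False

# --- Two factors: what the user knows AND what the user has -----------------

def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def two_factor_login(password: str, salt: bytes, stored_hash: bytes,
                     token_server: TimeSyncServer, code: str, now: int) -> bool:
    knows = hmac.compare_digest(password_hash(password, salt), stored_hash)
    has = token_server.verify(code, now)  # evaluated even if the password failed
    return knows and has

def demo() -> dict:
    """Exercise both token types; every seed, secret and salt here is constructed."""
    r = {}
    chain = hash_chain(b"constructed-seed", 5)
    skey = HashChainServer(chain[-1])
    r["skey_first"] = skey.verify(chain[-2])   # h^4: accepted
    r["skey_replay"] = skey.verify(chain[-2])  # same value again: rejected
    r["skey_second"] = skey.verify(chain[-3])  # h^3: accepted

    secret, now = b"constructed-shared-secret", 1_000_000_000
    token = TimeSyncServer(secret)
    code = time_code(secret, now)
    r["time_ok"] = token.verify(code, now)
    r["time_reuse"] = token.verify(code, now + 10)        # same code twice
    later = time_code(secret, now + 60)                  # token one step ahead
    r["time_drift_ok"] = token.verify(later, now + 120)  # server clock skewed
    r["time_stale"] = token.verify(code, now + 60)       # older than last used

    salt = b"constructed-salt"
    stored = password_hash("correct horse", salt)
    r["login_password_only"] = two_factor_login(
        "wrong", salt, stored, token, time_code(secret, now + 180), now + 180)
    r["login_both"] = two_factor_login(
        "correct horse", salt, stored, token, time_code(secret, now + 240), now + 240)
    return r
```

Two design points a practitioner would check: the hash-chain server never holds anything that lets it generate the next password, so a compromised server database does not yield working tokens; and the time-sync server remembers the last accepted step so a code observed in transit is worthless for the rest of its window.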
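The firewall note above describes a rule base whose default rule denies everything not explicitly allowed, and lists packet filtering and stateful inspection as distinct firewall types. The Python below is an added example, not code from the presentation or from any vendor product: a first-match rule evaluator with that default, and a stateful variant that admits replies to connections it has already allowed. The school LAN layout, the rule set, the class names and the documentation-range addresses (192.0.2.10, 198.51.100.5) are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str                  # "tcp", "udp" or "any"
    dports: Optional[frozenset]  # None means any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dports is None or p.dport in self.dports))

class PacketFilter:
    """Stateless packet filter: first matching rule wins; no match means deny."""
    DEFAULT = ("deny", "default rule: deny everything not explicitly allowed")

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> Tuple[str, str]:
        for r in self.rules:
            if r.matches(p):
                return r.action, r.comment
        return self.DEFAULT

class StatefulFirewall(PacketFilter):
    """Stateful inspection: a connection table lets replies to allowed outbound
    flows back in, without a rule admitting all inbound traffic from well-known
    source ports."""

    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()  # 5-tuples of flows the rule base has allowed

    def decide(self, p: Packet) -> Tuple[str, str]:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.table:
            return "allow", "state table: reply to a tracked connection"
        action, why = super().decide(p)
        if action == "allow":
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action, why

# Constructed rule base for a school LAN (10.0.0.0/8) with one web server in a
# DMZ; 192.0.2.10 and 198.51.100.5 are documentation addresses, not real hosts.
RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", frozenset({80, 443}), "public web server in the DMZ"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", frozenset({80, 443}), "LAN users browsing out"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "udp", frozenset({53}), "LAN DNS lookups"),
]

def demo() -> dict:
    """Run the same constructed packets through both firewall types."""
    stateless, stateful = PacketFilter(RULES), StatefulFirewall(RULES)
    web_in = Packet("tcp", "198.51.100.5", 40000, "192.0.2.10", 80)
    ssh_in = Packet("tcp", "198.51.100.5", 40001, "192.0.2.10", 22)
    browse_out = Packet("tcp", "10.1.2.3", 51000, "198.51.100.5", 443)
    reply_in = Packet("tcp", "198.51.100.5", 443, "10.1.2.3", 51000)
    unsolicited = Packet("tcp", "198.51.100.5", 443, "10.1.2.3", 4444)  # looks like a reply, is not
    return {
        "web_in": stateless.decide(web_in)[0],
        "ssh_in_default_deny": stateless.decide(ssh_in)[0],
        "stateless_reply": stateless.decide(reply_in)[0],        # deny: no rule admits it
        "stateful_out": stateful.decide(browse_out)[0],          # allow, and tracked
        "stateful_reply": stateful.decide(reply_in)[0],          # allow: matches state
        "stateful_unsolicited": stateful.decide(unsolicited)[0],  # deny: default rule
    }
```

The last two cases are the reason to prefer stateful inspection: with a stateless filter the only way to let browsing replies back in is a rule admitting any inbound packet from source port 80 or 443, and the unsolicited packet would satisfy that rule too. The connection table allows the genuine reply and still lets the unsolicited packet fall through to the default deny.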

    1. Beyond CIPA Compliance - Planning a Truly Secure Network Infrastructure
       CoSN, February 28, 2002, Session 4A
       [email_address]
       Reproduction of this material is permitted, with attribution, for non-commercial purposes. This presentation represents the professional opinion of the author. Verizon accepts no liability, expressed or implied, for the material contained herein.

    2. Today’s Agenda
       • What’s your SecurityQ?
       • Why Network Security?
       • What is Network Security?
       • Where can Verizon help you?

    3. Why should I care about Security?
       • It’s important to ensure that Students & Staff experience a “safe” computing environment
       • If you don’t comply with CIPA, YOU LOSE E-RATE DISCOUNTS, AND MUST REPAY ANY DISCOUNTS ALREADY RECEIVED
       • Citizens care about security
         • Heightened by 9/11
         • Security breaches are widely & frequently reported
         • Many laws (other than CIPA) deal with security & privacy
         • Individuals have a right of action under Tort

    4. What is “CIPA Compliant”?
       • Internet Safety Policy
       • The Internet Safety Policy must address the following issues:
         • access by minors to inappropriate matter on the Internet and World Wide Web;
         • the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;
         • unauthorized access, including so-called "hacking," and other unlawful activities by minors online;
         • unauthorized disclosure, use, and dissemination of personal information regarding minors; and
         • measures designed to restrict minors' access to materials harmful to minors.

    5. What is Security?

    6. State of the Art Security
       • pre-Gunpowder!

    7. What is Security?
       • Classical definition:
         • Confidentiality
         • Integrity
         • Availability
       • How privacy can be assured:
         • Administratively
         • Physically
         • Technically
    8. Information Security Lifecycle
       [Diagram labels] Security Assurance: Testing, Reporting, Monitoring, Training. Policy and Architecture: Risk Assessment, Security Policy. Technology Implementation: VPN, Encryption, Firewalls, Authentication, IDS. Solution Design and Selection: Security Design, Technology Selection. Business Applications and Services; Networks, Intranet, Internet, Remote Access; Hardware and Operating Systems; Building Blocks.
       Security is a process not a product...
       • People
       • Process
       • Technology

    9. What is Privacy?
       • “The right to be left alone is the most comprehensive of rights...” US Supreme Court Justice Brandeis, 1928
       • “You already have zero privacy. Get over it.” Scott McNealy, CEO Sun Microsystems, 1999
       • Consumer attitudes - The Pew Internet & American Life Project, 2000
         • 86% favor opt-in privacy policies, requiring permission for use
         • 54% view web-site tracking of users as invasion of privacy
         • 54% have provided personal info. to use a web site
         • 48% have bought on-line using a credit card
         • 55% have sought medical info. on the web
         • 43% have sought financial info.
         • 27% will never divulge personal information on-line

    10. Privacy versus Security
       • Privacy is what you promise to do
       • Security is about how you fulfil the promise
       • Networks are how the authorized (and unauthorized) get access
       • Therefore network security is of paramount importance

    11. 5 Principles of Fair Information Practices
       • Openness
         • Existence and purpose of record-keeping systems must be publicly known.
       • Individual Participation
         • Individual right to see records and assure quality of information.
       • Security
         • Reasonable safeguards for confidentiality, integrity, and availability of information.
       • Accountability
         • Violations result in reasonable penalties and mitigation.
       • Limits on Collection, Use, and Disclosure
         • Information collected only with knowledge and consent of subject.
         • Information used only in ways relevant to the purpose for which the data was collected.
         • Information disclosed only with consent or legal authority.

    12. Physical Security
       • Card Access Systems
       • Closed Circuit TV (CCTV)
       • Fire Suppression Systems
       • Alarm Systems
       • Power Systems

    13. Two-Factor Authentication
       • 3 ways to authenticate a person:
         • What they know – Password
         • What they have – Token
         • Who they are – Biometrics

    14. Biometrics
       • Fingerprint / Palm Print
       • Hand Geometry
       • Iris Scanning
       • Keyboard Dynamics
       • Signature Characteristics
       • Facial Recognition
       • Voice Recognition

    15. PKI / LDAP / X.500
       • Digital Certificates & PKI (X.509 v3)
         • A digital document attesting to the binding of a public key to an individual or other entity. Uses two encrypted soft keys, a public key and a private key; needs a certificate authority (notary); provides strong authentication.
    16. RADIUS

    17. More communications/network controls
       • Firewalls for Internet (and other) connections
         • The DMZ concept
         • Importance of proper installation & maintenance
       • Strong encryption & digital signature on “public network”
       • Encryption on private networks (?)
       • Regular virus checking
       • Standardized client & server configurations
       • Periodic census of network software & hardware
       • Vulnerability assessment & intrusion detection

    18. Firewalls & Intrusion Detection Systems
       [Network diagram; label: Internet]

    19. Encryption
       • Encryption provides confidentiality
         • Symmetric (Secret) Key
         • Asymmetric (Public) Key
       • VPNs provide a secure channel
       [Diagram labels: Network, VPN, VPN]

    20. Areas of unusual concern
       • E-mail & fax
       • Telecommuting
       • IT applications
       • Logging & Audit trails
       • Suspect activity & security incidents

    21. IT Applications
       • What enhanced security features will vendors provide?
       • Interoperability in “best of breed” environment
       • Audit trails & logs
       • Access & authorization controls
       • “Single sign-on”
         • Valuable protection, or
         • A more attractive target?

    22. Suspect Activity & Incidents
       • Suspect activity
         • Regular vulnerability assessments
         • Intrusion detection
         • Surveillance of traffic
       • Incident response
         • Treat like crime!
         • Get forensic help - evidence gathering & protection
         • Change policy, procedure & technology as appropriate
           • How incidents are identified
           • Ensuring staff report incidents
           • Knowing what is unauthorized
    23. You Can be more Secure!
       • Services for a Trusted Environment
         • Confidentiality
         • Integrity
         • Availability
         • Identification & Authentication
         • Authorization & Access Control
         • Non-repudiation
         • Forensics

    24. Vulnerability Testing Services
       • External Port Scan
       • Vulnerability Scan of External Network
       • Penetration Testing
       • Phone Sweep

    25. Security Assessment Services
       • Comprehensive review of a client’s security
       • Designed to assess and prioritize a client’s security risks and develop a comprehensive action plan

    26. Technology Planning: 3rd-Party Best-of-Breed Solutions
       • Firewalls
       • Intrusion Detection
       • Anti-Virus/Content Filtering
       • Auditing
       • Strong Authentication
       • VPN
       • PKI
       • Physical Security
       • Biometrics

    27. Training Programs
       • Security Awareness Program
       • Technical Training
       • Intelligence Programs

    28. Thank you for your time, please contact your Verizon Account Manager for further information regarding solutions for your Security needs.