From Event to Action: Accelerate Your Decision Making with Real-Time Automation
need for NS.ppt
1. THE NEED FOR
NETWORK SECURITY
By Lahiru Ratnayake
( MBA(My), BSc(UK), DNIIT(in), IPICT, Dip. Network Eng. )
2. The Need for Web Security 2
PRESENTATION OBJECTIVES
Understand information security services
Be aware of vulnerabilities and threats
Realize why network security is necessary
What are the elements of a comprehensive
security program
3. The Need for Web Security 3
TRENDS FOR INFORMATION
More information is being created, stored, processed and
communicated using computers and networks
Computers are increasingly interconnected, creating new
pathways to information assets
The threats to information are becoming more widespread
and more sophisticated
Productivity, competitiveness, are tied to the first two trends
Third trend makes it inevitable that we are increasingly vulnerable
to the corruption or exploitation of information
INFORMATION IS THE MOST VALUABLE ASSET
4. The Need for Web Security 4
Information Security Services
Confidentiality
Integrity
Authentication
Nonrepudiation
Access Control
Availability
5. The Need for Web Security 5
Information Security Services
Confidentiality
Maintaining the privacy of data
Integrity
Detecting that the data is not tampered with
Authentication
Establishing proof of identity
Nonrepudiation
Ability to prove that the sender actually sent the data
Access Control
Access to information resources are regulated
Availability
Computer assets are available to authorized parties when needed
6. The Need for Web Security 6
Collection of networks that communicate
with a common set of protocols (TCP/IP)
Collection of networks with
no central control
no central authority
no common legal oversight or
regulations
no standard acceptable use policy
“wild west” atmosphere
What Is The Internet?
7. The Need for Web Security 7
Why Is Internet Security a
Problem?
Security not a design
consideration
Implementing change is
difficult
Openness makes
machines easy targets
Increasing complexity
8. The Need for Web Security 8
Common Network Security
Problems
Network eavesdropping
Malicious Data Modification
Address spoofing (impersonation)
‘Man in the Middle’ (interception)
Denial of Service attacks
Application layer attacks
9. The Need for Web Security 9
Security Incidents are Increasing
Sophistication
of Hacker Tools
1990
1980
Technical
Knowledge
Required
High
Low 2000 -from Cisco Systems
10. The Need for Web Security 10
HACKED WWW HOMEPAGES
11/29/96
CIA
HOMEPAGE
DOJ
HOMEPAGE
USAF HOMEPAGE
11. The Need for Web Security 11
Problem is Worsening
60000
50000
40000
30000
20000
10000
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
Jerusalem
Tequila
Michelangelo
Good Times
Melissa &
ILOVEYOU
Anna Kournikova
Code Red
Nimda
Badtrans
Source: CERT®
Coordination Center
Carnegie Mellon
12. The Need for Web Security 13
VIRUSES
Risk Threat Discovered Protection
TROJ_SIRCAM.A New !! Latest DAT
W32.Navidad 11/03/2000 11/06/2000
W95.MTX 8/17/2000 8/28/2000
W32.HLLW.QAZ.A 7/16/2000 7/18/2000
VBS.Stages.A 6/16/2000 6/16/2000
VBS.LoveLetter 5/04/2000 5/05/2000
VBS.Network 2/18/2000 2/18/2000
Wscript.KakWorm 12/27/1999 12/27/1999
W32.Funlove.4099 11/08/1999 11/11/1999
PrettyPark.Worm 6/04/1999 6/04/1999
Happy99.Worm 1/28/1999 1/28/1999
13. The Need for Web Security 14
Consider that…
90% of companies detected computer
security breaches in the last 12 months
59% cited the Internet as the most
frequent origin of attack
74% acknowledged financial losses
due to computer breaches
85% detected computer viruses
Source: Computer Security Institute
14. The Need for Web Security 15
WHO ARE THE OPPONENTS?
49% are inside employees on
the internal network
17% come from dial-up (still
inside people)
34% are from Internet or an
external connection to another
company of some sort
HACKERS
15. The Need for Web Security 16
HACKER MOTIVATIONS
Money, profit
Access to additional resources
Experimentation and desire to
learn
“Gang” mentality
Psychological needs
Self-gratification
Personal vengeance
Emotional issues
Desire to embarrass the target
16. The Need for Web Security 17
Internet Security?
Spoofing
Replay Attack
17. The Need for Web Security 18
What Do People Do When They
Hear All These?
Take the risks!
But there are solutions
Ignoring the situation is not
one of them
18. The Need for Web Security 19
THE MOST COMMON EXCUSES
So many people are on the
Internet, I'm just a face in
the crowd. No one would
pick me out.
I'm busy. I can't become a
security expert--I don't have
time, and it's not important
enough
No one could possibly be interested in my information
Anti-virus software slows down my processor speed
too much.
I don't use anti-virus software because I never open
viruses or e-mail attachments from people I don't
know.
19. The Need for Web Security 20
SANS Five Worst Security Mistakes
End Users Make
1. Opening unsolicited e-mail attachments without
verifying their source and checking their content
first.
2. Failing to install security patches-especially for
Microsoft Office, Microsoft Internet Explorer, and
Netscape.
3. Installing screen savers or games from unknown
sources.
4. Not making and testing backups.
5. Using a modem while connected through a local
area network.
20. The Need for Web Security 21
SECURITY COUNTERMEASURES
THREE PHASE APPROACH
PROTECTION
DETECTION
RESPONSE
21. The Need for Web Security 22
ELEMENTS OF A COMPREHENSIVE
SECURITY PROGRAM
Have Good Passwords
Use Good Antiviral Products
Use Good Cryptography
Have Good Firewalls
Have a Backup System
Audit and Monitor Systems and Networks
Have Training and Awareness Programs
Test Your Security Frequently
22. The Need for Web Security 23
CRYPTOGRAPHY
Necessity is the mother of invention, and
computer networks are the mother of modern
cryptography.
Ronald L. Rivest
Symmetric Key Cryptography
Public Key Cryptography
Digital Signatures
23. The Need for Web Security 24
Firewall
Visible
IP
Address
Internal
Network
PC Servers
Host
A system or group of systems that enforces an access control
policy between two networks.