Network Security


A methodology approach for network security

Published in: Technology

  • The cost of various levels of failure, combined with the expectation of how frequently a failure or attempted attack may occur, provides metrics to determine the financial impact of disaster recovery for the organization’s network.
  • While security precautions are necessary in the modern networking environment, many of us are still required to justify the cost of these precautions.
  • Network Security

    1. 1. Information & Communication Technology (ICT) Security: A Philosophical and Economic Perspective
    2. 2. Overview
       1. Why Secure Your Network and Information?
       2. How Much Security Do You Need?
       3. How to Develop a Security Policy?
    3. 3. Introduction
       • Setting a password and the correct level of file permissions for every user does not mean we can go to sleep at night confident that our network environment is secure.
       • The Internet has accelerated the pace of information dissemination.
       • Individuals with malicious intent have always had places to exchange ideas; pirate bulletin boards have existed since the 1980s.
       • The Internet has become an excellent means of getting vulnerability information into the hands of network security specialists.
       • Increased awareness brings increased responsibility.
       • This is true for software companies as well as for the network administrators who deploy the fix.
       • Where to begin?
       • We need to view security not as a static package but as a constant process incorporating all facets of the network and IT.
    4. 4. Why Secure the Network
       • Computer-based attacks are on the rise.
       • Not all attacks are publicized.
       • A large number of attacks go undocumented.
       • Thinking like an attacker
       • In order to determine how best to guard your resources, you must identify who would want to disrupt them.
       • An attacker is someone who looks to steal or disrupt your assets, like a spy or crook.
       • A hacker is a person with deep knowledge of computers and networking structure who feels the need to go beyond the obvious and to further their understanding of any information system.
       • A cracker is someone who uses this knowledge to illegally or unethically penetrate systems.
    5. 5. Why Would Someone Want to Ruin My Day?
       • It is extremely rare for attacks to be staged randomly. Something must be gained by the attack.
       • 70% of attacks are from within, whether intentional or out of ignorance.
       • External attacks can come from many diverse sources:
           • Competitors
           • Militant viewpoints
           • High profile
           • Bouncing mail
    6. 7. How Much Security Do You Need?
       • Begin by analyzing your network to determine what level of fortification you actually require.
       • Then use this information to develop your security policy.
       • Having done so, you are in a good position to start making intelligent decisions about your security structure.
    7. 8. Performing a Risk Analysis
       • Risk analysis is the process of identifying the assets you wish to protect and the potential threats against them:
           • What assets do I need to protect?
           • From what sources am I trying to protect these assets?
           • Who may wish to compromise my network, and to what gain?
           • How likely is it that a threat will violate my assets?
           • What is the immediate cost if an asset is compromised?
           • What is the cost of recovering from an attack or failure?
           • How can these assets be protected in a cost-effective manner?
           • Am I governed by a regulatory body that dictates the required level of security for my environment?
    8. 9. What Assets Do I Need to Protect?
       • Physical resources
       • Intellectual resources
       • Time resources
       • Perception resources
    9. 10. What Sources Am I Trying to Protect These Assets From?
       • Internal systems.
       • Access from a field office location.
       • Access through a WAN link to a business partner.
       • Access through the Internet.
       • Access through a modem pool.
    10. 11. Who May Wish to Compromise Our Network
       • Employees.
       • Temporary or consulting personnel.
       • Competitors.
       • Individuals with viewpoints or objectives radically different from those of your organization.
       • Individuals who wish to gain due to your organization’s public visibility.
    11. 12. What Is the Likelihood of an Attack?
       • Now that we have identified our resources and who might attack them, we can assess our organization’s level of potential risk of attack.
       • Is our network isolated, or does it have many entry points?
       • Could an attacker find value in exploiting one of these access points in order to gain access to your network resources?
       • Appraising the attack value of our network is highly subjective. Soliciting inputs
    12. 13. What Is the Immediate Cost?
       • For each asset listed, record the immediate cost impact of having that resource compromised or destroyed.
       • Do not include long-term effects, such as failure to meet shipping deadlines.
       • Simply calculate the cost of having that asset inaccessible as a network resource.
       • Examples: hard drive, new products’ schematic lists, medical records in a hospital, low stock prices, consumer confidence, etc.
    13. 14. What Are the Long-Term Recovery Costs?
       • Now that we have quantified the cost of initial failure, we should evaluate the costs incurred when recovering from a failure or a compromise.
       • Identify the financial impact of various levels of loss. For example, given a server that holds corporate information:
           • What is the cost of a momentary glitch that disconnects all users?
           • What is the cost of a denial-of-service attack?
           • What is the cost of recovering critical files that have been damaged or deleted?
           • What is the cost of recovering from a failure of a single hardware component?
           • What is the cost of recovering from a complete server failure?
           • What is the cost of recovery when information has been stolen and the theft goes undetected?
           • Based on those figures, what should be spent to secure our assets? Do not forget assets like reputation and consumer and investor confidence.
    14. 15. How Can I Protect My Assets Cost-Effectively?
       • Consider how much security will cost when determining what level of protection is appropriate for your networking environment.
       • We face difficult security choices:
           • Is packet filtering enough?
           • Should I invest in a firewall?
           • Is one firewall sufficient, or should I invest in two?
           • Is it worth it to have hybrid firewalls (i.e. hardware and software)?
           • The general guideline is that the cost of all security measures taken to protect a particular asset should be less than the cost of recovering that asset from a disaster.
           • That is why it is important to quantify potential threats as well as the cost of recovery.
    15. 16. Am I Governed by a Regulatory Body?
       • Even though you have created a painstakingly accurate risk analysis of your network, there may be some regulatory or overview body that dictates your minimum level of security.
       • It may not be sufficient to simply justify your security precautions.
       • You may be required to meet certain minimum security requirements, regardless of the cost outlay to your organization.
    16. 17. Budgeting for Network Security
       • Depreciable items (server hardware, firewalls and construction of secured areas).
       • Recurring costs (security personnel, audits and system maintenance).
       • Old wisdom: “Do not put all your eggs in one basket”, i.e. do not put all your budget on one security mode.
       • Combine budget expenditure with other groups in your organization.
       • Document your findings.
    17. 18. Developing a Security Policy
       • Why do I even need a security policy?
       • It serves many functions:
           • It is a central document that describes, in detail, acceptable network activity and the penalties for misuse.
           • It also provides a forum for identifying and clarifying security goals and objectives.
           • It shows each employee how he or she is responsible for helping to maintain a secure environment.
    18. 19. Security Policy Basics
       • In order for a policy to be enforceable, it needs to be:
       • Consistent with other corporate policies.
       • Accepted by the network support staff and the appropriate level of management.
       • Enforceable using existing network equipment and procedures.
       • Compliant with local laws.
    19. 20. What Makes a Good Security Usage Policy?
       • Be readily accessible to all members of the organization.
       • Define a clear set of security goals.
       • Accurately define each issue discussed in the policy.
       • Clearly show the organization’s position on each issue.
       • Describe the justification of the policy regarding each issue.
       • Define under what circumstances the issue is applicable.
       • State the role and responsibilities of organizational members with regard to the described issue.
       • Spell out the consequences of noncompliance with the described policy.
       • Provide contact information for further details.
       • Define the user’s expected level of privacy.
       • Include the organization’s stance on issues not specifically defined.
    20. 21. Sample Security Policy
       • “Access to Internet-based Web server resources shall only be allowed for the express purpose of performing work-related duties. This policy is to ensure the effective use of networking resources and shall apply equally to all employees. This policy shall be enforced during both production and non-production time periods. All Web server access can be monitored by networking personnel, and employees may be required to justify Web server access to their direct supervisor. Failure to comply with this policy will result in the issuance of a written warning. For more information regarding what is considered appropriate Web server access of Internet resources, please consult your direct supervisor.”
    21. 22. Summary
       • You should know which assets you need to protect and their inherent value to your organization.
       • Risk analysis is the cornerstone for each of the security precautions discussed.
       • You should know how to write an effective security policy, understanding the importance of a precise security policy to securing your environment.
       • Distribute sample policy notes.
    22. 23. Thank You
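
A worked version of the risk analysis in slides 13 to 16 and the first slide note, added here as an example and not part of the original deck. The way cost and frequency are combined (expected annual loss), the treatment of the regulatory minimum as a yearly spend, and all names and figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class FailureLevel:
    name: str
    immediate_cost: float   # slide 13: cost of the asset being inaccessible
    recovery_cost: float    # slide 14: cost of recovering from this level of loss
    events_per_year: float  # estimated frequency of the failure or attack

@dataclass
class Asset:
    name: str
    levels: list
    regulatory_minimum: float = 0.0  # slide 16: spend required regardless of cost

    def expected_annual_loss(self):
        # Assumed combination: (immediate + recovery cost) x yearly frequency, summed.
        return round(sum((l.immediate_cost + l.recovery_cost) * l.events_per_year
                         for l in self.levels), 2)

def review(asset, annual_spend):
    """Classify a proposed yearly security spend for one asset."""
    loss = asset.expected_annual_loss()
    if annual_spend < asset.regulatory_minimum:
        return loss, "below regulatory minimum"
    if annual_spend < loss:
        return loss, "cost-justified"          # slide 15 guideline holds
    if annual_spend == asset.regulatory_minimum:
        return loss, "mandated, not cost-justified"
    return loss, "exceeds expected loss"

# Constructed sample figures, using failure levels listed on slide 14.
file_server = Asset("corporate file server", [
    FailureLevel("momentary glitch", 200, 0, 12),
    FailureLevel("denial-of-service attack", 5000, 1000, 0.5),
    FailureLevel("damaged or deleted files", 2000, 4000, 1),
    FailureLevel("complete server failure", 20000, 30000, 0.1),
])
patient_records = Asset("patient records", [
    FailureLevel("undetected theft", 0, 40000, 0.25),
], regulatory_minimum=25000)

if __name__ == "__main__":
    for asset, spend in [(file_server, 9000), (file_server, 20000),
                         (patient_records, 10000), (patient_records, 25000)]:
        print(asset.name, spend, review(asset, spend))
```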