SegurançA Da InformaçãO Faat V1 4

  1. Information Security
     - Rodrigo Cesar Benaglia Piovesana, MBA, CEH
     - Version 1.4/2010
  2. At some point we have to start…
     - Basic bibliography:
     - Principles of Network Security. ISBN 0-9762241-2-7. Check Point Press.
  3. Recommendations
     - Study more English;
     - Study more English;
     - Study more English;
     - Study more English;
     - Study more English;
     - Study more English;
     - Study more English;
     - So… "Hey ho, let's go" …
  4. 1. Fundamentals
     - Information Security (INFOSEC)
     - "Information Security is the practice of protecting information resources. The importance of INFOSEC has increased dramatically since the creation of computer networks. Security professionals are constantly attempting to remain current with the new technologies, to maintain the security of networks and systems." (Principles of Network Security)
  5. INFOSEC triad
     - Confidentiality
     - Integrity
     - Availability
  6. Confidentiality
     - Corporations and individuals have a great need for confidentiality.
     - The primary focus is to keep private information from being used by adversaries against an organisation or individual.
     - Methods of protection:
       - Encryption
       - Access control
       - Classification labels
  7. Encryption
     - Encryption is used to protect data on storage devices and in transit.
     - In information technology, data is what is stored, viewed, processed, or otherwise manipulated on a computer.
     - Types of data that should be encrypted:
       - Personnel records;
       - Medical records;
       - Payroll;
       - Financial information;
       - Trade secrets.
  8. Encryption
     - Virtual Private Networks (VPNs) are how information is sent during transmission through an insecure environment (a public network).
  9. Access Control
     - Access controls are used in a variety of ways to restrict access to data:
       - a simple username and password, or
       - biometrics, or
       - tokens, or
       - any combination of the methods above.
  10. Classification labels
     - Data labeling assigns classification labels to information.
     - The data owner determines which level of privacy is required for a particular piece of data or information.
     - Corporate:
       - Public;
       - Confidential;
       - Private.
     - Military:
       - Unclassified;
       - Sensitive but unclassified;
       - Confidential;
       - Secret;
       - Top secret (only Ninjas have full access).
  11. Classification Labels
     - Privilege escalation occurs when users or processes obtain more access than necessary to perform their functions.
       - A significant threat to an organisation.
       - "Rooting a box" is the popular name.
     - Inheritance is a property of a file system that allows objects to gain the attributes of their containers.
     - Privilege aggregation occurs when an individual moves within an organisation and additional privileges are given (and never reviewed or removed).
  12. Integrity
     - Data integrity concerns maintaining data validity. This includes:
       - Preventing unauthorized data manipulation;
       - Preventing unauthorized deletion;
       - Maintaining data reliability.
  13. Availability
     - This includes redundant systems, bandwidth management and system backups.
       - Redundancy
         - Hardware (storage solutions)
         - Telecommunications (multiple E1 lines through different service providers)
         - Backup with clustering capabilities
       - Capacity
         - A measure of the amount of data a device can handle:
           - Network
           - Storage
           - Future needs
           - Failure plan
  14. 2. Design Security
     - In "The Protection of Information in Computer Systems", Dr. Jerome Saltzer and Michael Schroeder identified eight basic principles of information protection:
       - Economy of mechanism
       - Fail-safe defaults
       - Complete mediation
       - Open design
       - Separation of privileges
       - Least privilege
       - Least common mechanism
       - Psychological acceptability
     - This is a guide for programmers and engineers.
  15. Economy of mechanism
     - Means keeping things simple.
     - The more complex a system is, the more difficult it is to understand and maintain.
       - IT implementation:
         - Uniform hardware and software configurations for all end-user desktops;
         - Consistent security profiles for connectivity devices;
         - One server, one service.
  16. Fail-safe Defaults
     - A system must fail to a secure state.
       - Electronic door
     - Fail-safe defaults are often expressed as implicit deny.
       - Not listed? Deny.
       - This prevents the escalation of privileges.
       - Breakfast rules
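The implicit-deny idea on the slide above, as an added example that is not part of the original slides: a small first-match rule evaluator whose unmatched requests fall to a configurable default, so the fail-safe (deny) and fail-open (allow) outcomes can be compared side by side. The rule set, addresses and ports are constructed for illustration, and a request that cannot even be parsed also resolves to deny, which is the "fail to a secure state" half of the principle.

```python
from ipaddress import ip_address, ip_network

# Constructed example rule set (not from the slides): the first matching rule wins.
# Each rule names an action, a source network and a destination port.
RULES = [
    {"action": "deny",  "src": "10.0.5.0/24", "dst_port": 22},   # quarantined subnet
    {"action": "allow", "src": "10.0.0.0/8",  "dst_port": 22},   # internal admins may SSH
    {"action": "allow", "src": "0.0.0.0/0",   "dst_port": 443},  # anyone may reach HTTPS
]


def evaluate(rules, src, dst_port, default="deny"):
    """Return "allow" or "deny" for one connection attempt.

    Rules are scanned in order and the first match decides. If nothing matches,
    `default` applies: "deny" is the implicit-deny (fail-safe) default the slide
    describes, "allow" is the fail-open alternative. A request that cannot be
    parsed is treated as an error and also resolves to "deny", so malformed
    input never slips through as an unmatched request.
    """
    try:
        addr = ip_address(src)
        port = int(dst_port)
    except ValueError:
        return "deny"
    for rule in rules:
        if addr in ip_network(rule["src"]) and rule["dst_port"] == port:
            return rule["action"]
    return default


def compare_defaults(rules, src, dst_port):
    """Show how the same request is treated under each default policy."""
    return {
        "implicit_deny": evaluate(rules, src, dst_port, default="deny"),
        "fail_open": evaluate(rules, src, dst_port, default="allow"),
    }


if __name__ == "__main__":
    # The last request (RDP from the Internet) is listed nowhere: only the
    # implicit-deny policy keeps it out.
    for src, port in [("10.0.5.7", 22), ("10.0.9.7", 22),
                      ("198.51.100.3", 443), ("198.51.100.3", 3389)]:
        print(src, port, compare_defaults(RULES, src, port))
```

The only difference between the two policies is what happens to traffic nobody thought about when the rules were written; that is exactly the traffic an implicit-deny default is meant to stop.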
  17. Complete Mediation
     - All attempts by users or processes to access resources must be controlled by the security mechanism.
       - This security mechanism could be:
         - a device, or
         - a technology used to control or restrict access to information assets.
       - Covert channels are methods of accessing information without approval from the security mechanism.
  18. Open Design
     - The principle of open design requires that the methods used by a control to perform its tasks be open for testing and review.
       - It does not require revealing trade secrets, but the control must be observable and testable.
       - A black-box solution claims to perform functions without explaining the mechanism implemented.
       - Open source?
         - Adheres to the principle of open design.
  19. Separation of Privileges
     - Separation of privileges requires a security mechanism to divide authorization between two or more entities.
       - Keys for a safe-deposit box in a bank
       - Access to a resource inside a network requires one authentication for the resource and another for the network.
  20. Least privilege
     - Users and processes should be given no more rights and privileges than absolutely necessary to perform their assigned tasks.
       - Two types of keys for cars (owner and valet keys).
  21. Least common mechanism
     - The principle of least common mechanism means that processes and users should share as few mechanisms as possible.
       - If a process is shared by multiple users, it could be impossible to determine who initiated an unacceptable action.
       - Shared variables.
  22. Psychological acceptability
     - This principle links and applies the previous seven secure-design principles. For psychological acceptability to apply to a technology, the interface must be designed for ease of use, and the technology must be minimally intrusive.
     - "A computer is secure if you can depend on it and its software to behave as you expect!" (Practical Unix & Internet Security, Garfinkel et al.)
  23. Principle and Reality
     - Cost
     - Ease of use
     - Scalability
     - Integration
     - Support
  24. Security Life Cycle
     - Securing a system is not a single event but an ongoing process.
       - Every change in the system, and every change in the system's environment, represents a potential new vulnerability or threat.
     - Simple life cycle:
       - Identify a need;
       - Identify a solution;
       - Implement the solution;
       - Test the solution.
     - Introducing a new asset
       - A new FTP server
  25. 3. Risk Management
     - "No security system is effective 100 percent of the time. This is due to misconfiguration, flaws, or improper deployment of a security device. Risk management is used to:
       - Assess the value of key systems, networks and personnel
       - Determine threat probability
       - Determine vulnerabilities
       - Calculate risk
       - Determine appropriate countermeasures to mitigate the risks"
  26. Assets
     - IT professionals tend to think of assets in tangible terms (databases, web servers and routers are assets requiring protection). Unfortunately, this myopic view of assets fails to recognize that what really needs protection are the business processes these assets support.
     - What flows through this equipment is the most important thing for a business: information.
       - Payroll
       - Billing
       - Shipping
       - Ordering
       - Records maintenance
  27. Assets
     - Network topology
       - The topology should be as detailed as possible, and should include the following elements:
         - Entry points;
         - Routers;
         - Application and file servers;
         - User populations.
  28. Assets
     - Valuation
       - Assets are protected because they have value.
       - Valuation is the process of determining the value of an asset.
       - The data owner is responsible for determining the value, and should consider the following:
         - Replacement cost of hardware;
         - Replacement cost of data;
         - Lost productivity costs, due to the data not being available;
         - Liability costs, due to breaches in confidentiality;
         - Lost revenue;
         - Personnel work hours!
  29. Threats and Vulnerabilities
     - Internal threats
       - Accidental file deletions;
       - Disgruntled employees;
       - Improper access to confidential information;
       - Social engineering of employees;
       - Transmission of viruses through e-mail or file transfer;
       - Physical access to servers and network hardware;
       - Weak authentication, including passwords.
  30. Threats and Vulnerabilities
     - External threats
       - Corporate sabotage/espionage;
       - Defacement of web sites;
       - Malicious destruction of files;
       - Accessing confidential company information;
       - Denial-of-service (DoS) and distributed DoS attacks;
       - Spam and mail relaying.
  31. Asset Value and Loss
     - Evaluation of risk begins with asset values. If an information resource has no value, it is not worth expending any capital to protect it.
     - Percent of loss
       - When a threat is realized, losses are expressed as a percentage of the affected asset's value. A realized threat that completely destroys an information resource is expressed as a 100-percent loss.
  32. Asset Value and Loss
     - Single Loss Expectancy
       - Asset value × % of loss from realized threat = SLE
       - ABC company has an application server whose value has been determined to be $25,000. If a hardware failure occurs and the application server is unavailable for one hour, $5,000 in productivity will be lost. The cost of the realized threat divided by the asset value yields the percentage of loss from a realized threat: here, 20 percent. The product of the asset's $25,000 value and the 20% loss from the threat is the SLE, in this case $5,000.
  33. Asset Value and Loss
     - Annualized rate of occurrence
       - Expresses how many times a particular threat is likely to occur annually.
         - A natural disaster may have an ARO of less than 1;
         - A data-entry error may have a very high ARO.
  34. Asset Value and Loss
     - Annualized loss expectancy
       - ARO × SLE = ALE
       - ABC company: the application server will probably experience three hardware failures per year.
       - ALE? $15,000.
  35. Risk Mitigation Strategies
     - Once risks have been identified, quantified and qualified, decisions must be made regarding what to do about the risk:
       - Assume (electronic bank)
       - Transfer (insurance policy)
       - Mitigate (countermeasures)
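The percent-of-loss, SLE and ALE arithmetic from the preceding slides, and the assume/transfer/mitigate decision from this one, as an added worked example that is not part of the original slides. It reproduces the ABC company figures ($25,000 server, $5,000 per failure, three failures a year) and adds a cost/benefit check for a countermeasure; the countermeasure figures are constructed, and the formula "ALE reduction minus annual cost" is the standard way to compare the mitigate option against simply assuming the risk.

```python
def percent_of_loss(asset_value, loss_cost):
    """Percent of loss (exposure factor): cost of one realized threat as a
    fraction of the asset's value. Capped at 1.0, since a threat can never
    destroy more than 100 percent of an asset."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    return min(loss_cost / asset_value, 1.0)


def single_loss_expectancy(asset_value, loss_pct):
    """SLE = asset value x percent of loss from one realized threat."""
    return asset_value * loss_pct


def annualized_loss_expectancy(sle, aro):
    """ALE = ARO x SLE, the expected loss per year from this threat."""
    return sle * aro


def risk_profile(asset_value, loss_cost, aro):
    """Carry one asset/threat pair through all three figures."""
    pct = percent_of_loss(asset_value, loss_cost)
    sle = single_loss_expectancy(asset_value, pct)
    return {"loss_pct": pct, "sle": sle, "ale": annualized_loss_expectancy(sle, aro)}


def countermeasure_benefit(ale_before, ale_after, annual_cost):
    """Annual value of a countermeasure: the ALE it removes minus what it costs
    per year. Positive means 'mitigate' pays for itself; negative means the
    organisation is better off assuming or transferring the risk."""
    return (ale_before - ale_after) - annual_cost


if __name__ == "__main__":
    # Figures from the ABC company example on the slides.
    abc = risk_profile(asset_value=25_000, loss_cost=5_000, aro=3)
    print(abc)  # loss_pct 0.2, SLE 5000, ALE 15000

    # Constructed countermeasure: redundant hardware that cuts failures from 3
    # to 1 per year and costs $4,000 per year to run.
    mitigated = risk_profile(25_000, 5_000, aro=1)
    print("benefit of mitigating:", countermeasure_benefit(abc["ale"], mitigated["ale"], 4_000))
```

Note that the ALE is only as good as the ARO estimate behind it; revisiting the ARO after a year of real failure data is the cheapest way to keep the figure honest.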
  36. 4. Security Policies
     - "Security policies are a critical part of an organisation's network security structure. Policies are used to set the direction for guidelines, standards and procedures. The generation of security policies is a top-down initiative. Management must clearly state and demonstrate their support for a culture of security."
  37. Organisation Security Policies
     - Should set goals and standards
     - Should be a guiding document for how the organisation protects its information assets
     - Should address protection of all information assets
     - Statement: high-level security goals should be defined (specific information should not be included). The statement complements the goals and principles.
     - More information @
  38. Example Statement
     - "Organisation X acknowledges an obligation to ensure appropriate security for all information technology data in its domain of ownership and control. Organisation X will provide adequate protection and confidentiality of all corporate data and proprietary software systems, whether held centrally, locally or remotely. Organisation X will ensure the availability of data and programs to authorized personnel and the integrity of all data and configuration controls. This obligation is shared, to varying degrees, by every employee of Organisation X."
  39. Goals
     - Support the mission
     - Be an integral part of sound management
     - Be cost-effective
     - Include explicit accountability and responsibilities
     - Grant system owners responsibility outside their own organisation
     - Require a comprehensive and integrated approach
     - Be constrained by social factors
  40. Issue-Specific Policies
     - For assets shared by all business units, issue-specific policies can help ensure uniform standards:
       - Acceptable-use policy
       - E-mail policy
       - Software policy
       - Hardware policy
       - Backup policy
  41. Network Security Policies
     - Define how communication between systems and machines is accomplished.
  42. System Security Policies
     - Apply to a specific application server, or group of application servers.
  43. Service Level Agreement
     - SLAs are documents explaining vendor and customer obligations. SLAs specify consequences for violations.
  44. 5. Business Continuity Planning
     - Contingency planning refers to the interim measures used to recover IT systems after a disruption, emergency or disaster.
  45. Building a BCP
     - A BCP begins with the risk management process. Risk management defines the assets needing protection, their vulnerabilities, and the possible threats to the assets. Countermeasures are deployed to mitigate risk; however, risk cannot be eliminated completely.
  46. Building a BCP
     - There are a variety of possible disruptions, such as:
       - Power failures, surges or sags
       - Natural disasters
       - Man-made disasters
  47. Business Impact Analysis (BIA)
     - The BIA is a quantitative analysis of each risk, to determine how an organisation will continue to operate during a crisis and recover afterward. Once a risk is realized, businesses must react quickly to remain open and available to customers.
  48. BIA
     - Includes knowledgeable and responsible individuals from functional groups in the organisation
     - Identifies the interdependencies of processes and organisational groups
     - Identifies the information requirements of the organisation
     - Identifies the resource usage of the organisation
     - Assesses the effects of risk exposure
     - Estimates loss and its effect upon the organisation
     - Establishes a time-line for recovery
  49. BCP Development
     - An available time frame
     - Available options
     - Personnel issues
     - Communications problems and consequences
     - Technology-recovery issues, per department
     - Recovery issues unrelated to technology
  50. Recovery strategies
     - Doing nothing
     - Deferring action: action can wait until a later date
     - Manual procedures
     - Reciprocal agreements
     - Goals for each phase of the plan: without goals, you cannot determine when a phase is complete, or whether it was successful
     - Alternative sites
  51. Alternative Sites
     - Cold sites
     - Warm sites
     - Hot sites
  52. Testing the BCP
     - Checklist test
     - Structured walkthrough test
     - Simulation test
     - Parallel test
     - Full interruption test
  53. BCP Life Cycle
     - Once the BCP is created, reviewed, tested and approved, the first part of the BCP life cycle is complete. The plan must then be revisited on:
       - Changes to the business organisation
       - New threats and vulnerabilities
  54. 6. Operations Security
     - When considering how to protect information resources, Operations Security (OPSEC) usually receives the least emphasis.
     - OPSEC involves determining how an organisation's daily operations affect the security of its information assets. OPSEC also encompasses the realms of physical security and administrative controls.
  55. OPSEC
     - US DoD: OPSEC is a process of identifying critical information, and subsequently analysing friendly actions attendant to military operations and other activities, to:
       - Identify those actions that can be observed by adversary intelligence systems.
       - Determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries.
       - Select and execute measures that eliminate, or reduce to an acceptable level, the vulnerabilities of friendly actions to adversary exploitation.
  56. OPSEC Language
     - Observables
     - Indicators
     - Adversary
     - Intelligence
     - Inference
     - Aggregation
  57. Origins of OPSEC
     - The Art of War (Sun Tzu)
  58. Laws of OPSEC
     - If you do not know the threat, how do you know what to protect?
     - If you do not know what to protect, how do you know you are protecting it?
     - If you are not protecting it (the information), the adversary wins.
  59. Five Steps
     - Identify critical information and its indicators
     - Analyse threats
     - Analyse vulnerabilities
     - Assess risks
     - Apply countermeasures
       - Assess the adequacy of each countermeasure.
  60. Know your adversary
     - White hats
     - Grey hats (this could not be serious…)
     - Black hats
     - White and black hats get their names from characters in old Westerns: the good guys and the bad guys…
  61. What are your adversary's resources?
     - Intelligence
     - Money
     - Anger / ire / madness
  62. Security Controls
     - Physical security
       - Human safety (smoke and fire alarms)
       - Information assets (cable locks, backups)
       - Physical plant
     - Administrative
       - Background investigation (human resources)
       - Non-disclosure agreements
       - Performance reviews
       - Periodic review of access
  63. Self Study
     - Communicating security effectively
     - Access control models
  64. 7. Intrusions and Attacks
     - Define an intrusion
     - Define an attack
     - Review intrusion detection concepts
     - Determine the type of IDS
  65. Intrusion Defined
     - Internal: by those who have permission to use some of an organisation's resources.
     - External: by those with no granted permissions or rights.
  66. Attacks Defined
     - DoS
       - Teardrop
       - Ping of death
       - Land
       - IP fragments
       - SYN attacks
     - DDoS
       - Trinoo
       - TFN (the Tribe Flood Network) & TFN2K
       - Trinity
  67. Successive Events
     - Address spoofing
     - Local interface spoofing
     - Port scanning
  68. Web
     - HTTP worms
     - Cross-site scripting flaws
     - Mail bombing
     - FTP bounce
     - File and print sharing (MS)
       - Null sessions
       - Pop-up messages
  69. IDS Concepts
     - Involves observing a network and attempting to discover suspicious activity.
     - False positive: an alert is raised, but no intrusion occurred.
     - False negative: an intrusion occurred, but the IDS failed to recognize it.
     - Thresholds: metrics used to determine how much suspicious activity must occur before an alert is generated.
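The false-positive / false-negative / threshold trade-off from the slide above, as an added example that is not part of the original slides: a host-based detector that counts failed SSH logins per source address inside a sliding time window and raises an alert once a threshold is reached. The log lines are constructed (sshd-style format, documentation IP addresses), and one source is a scripted guessing run while the other is a user who mistyped a password twice; the same events are then run under three thresholds to show which one produces the false positive and which one the false negative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the slides): ISO timestamp, host, sshd message.
LOG_LINES = [
    "2010-03-01T09:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2",
    "2010-03-01T09:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2",
    "2010-03-01T09:00:05 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 50124 ssh2",
    "2010-03-01T09:00:08 host sshd[1204]: Failed password for root from 203.0.113.5 port 50125 ssh2",
    "2010-03-01T09:00:12 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 50126 ssh2",
    "2010-03-01T09:00:20 host sshd[1206]: Failed password for root from 203.0.113.5 port 50127 ssh2",
    "2010-03-01T09:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "2010-03-01T09:05:08 host sshd[1301]: Failed password for alice from 198.51.100.7 port 40002 ssh2",
    "2010-03-01T09:05:15 host sshd[1302]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
]

FAILED_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failed_logins(lines):
    """Extract (timestamp, user, source) from failed-login lines; other lines are ignored."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def detect_bruteforce(events, threshold, window_seconds):
    """Return the set of sources with >= threshold failures inside any window_seconds span."""
    by_src = defaultdict(list)
    for ts, _user, src in events:
        by_src[src].append(ts)
    window = timedelta(seconds=window_seconds)
    alerted = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # slide the window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(src)
                break
    return alerted


def evaluate_threshold(events, threshold, window_seconds, true_attackers):
    """Compare the detector's alerts against known ground truth (constructed here)."""
    alerts = detect_bruteforce(events, threshold, window_seconds)
    return {
        "alerts": alerts,
        "false_positives": alerts - true_attackers,   # alerted, but not an intrusion
        "false_negatives": true_attackers - alerts,   # intrusion, but no alert
    }


EVENTS = parse_failed_logins(LOG_LINES)
TRUE_ATTACKERS = {"203.0.113.5"}   # constructed ground truth for the sample log

if __name__ == "__main__":
    for threshold in (2, 3, 10):
        print(threshold, evaluate_threshold(EVENTS, threshold, 60, TRUE_ATTACKERS))
```

A threshold of 2 flags alice's typo (false positive), 10 misses the guessing run entirely (false negative), and 3 within 60 seconds separates the two on this sample; on real traffic the threshold has to be tuned against the site's own baseline of legitimate failures.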
  70. Types of IDS
     - Pattern matching
     - Attack signatures
     - Statistical anomaly
     - Behavior analysis
     - Host based
     - Network based
  71. 8. Cryptography
     - A brief history of cryptography
     - How encryption works
     - Encryption algorithms
     - Internet Key Exchange
  72. Cryptography
     - Encyclopaedia Britannica:
     - "Cryptography: Practice of the enciphering and deciphering of messages in secret code in order to render them unintelligible to all but the intended receiver."
  73. A Brief History of Cryptography
     - Early cryptography
     - 3500 BC: Sumerians: cuneiform writings
  74. A Brief History of Cryptography
     - Early cryptography
     - 1900 BC: Egypt: first known use of cryptography
  75. A Brief History of Cryptography
     - Early cryptography
     - 500–600 BC: ATBASH cipher, used by Hebrew scribes: a substitution cipher (reversed alphabet) (bible code)
  76. A Brief History of Cryptography
     - Early cryptography
       - 486 BC: Greece: σκυτάλη (skytale)
  77. A Brief History of Cryptography
     - Early cryptography
       - 60–50 BC: Julius Caesar: substitution cipher, shift letters by X positions. E.g. X = 3: A→D, B→E, C→F, …
     - Weakness?
     - Frequency analysis (1000 AD)
     - 1466: Leon Alberti: cipher disk
       - Used until the 16th century
  78. A Brief History of Cryptography
     - Medieval cryptography
     - 1587: Vigenère cipher. Polyalphabetic: a one-to-many relationship between plaintext and ciphertext letters
     - Example
       - Encrypt: lamp
       - Keyword: ubc
       - Ciphertext: fboj
     - Apart from that...
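The Caesar shift and its frequency-analysis weakness from slide 77, and the Vigenère example on the slide above, as an added example that is not part of the original slides. The Caesar cipher is implemented as the one-letter-key special case of Vigenère; the frequency-analysis "break" assumes only that the most common ciphertext letter stands for "e", which is enough for the constructed sample sentence used here. The lamp/ubc/fboj figures are the slide's own; the sample sentences and shift values are constructed.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase


def _shift_char(ch, k):
    """Shift one lowercase letter by k positions (mod 26); non-letters pass through."""
    if ch not in ALPHABET:
        return ch
    return ALPHABET[(ALPHABET.index(ch) + k) % 26]


def caesar_encrypt(plaintext, shift):
    """Monoalphabetic shift: every letter moves by the same amount (A->D for shift 3)."""
    return "".join(_shift_char(ch, shift) for ch in plaintext.lower())


def caesar_decrypt(ciphertext, shift):
    return caesar_encrypt(ciphertext, -shift)


def vigenere_encrypt(plaintext, keyword, decrypt=False):
    """Polyalphabetic shift: the i-th letter moves by the i-th keyword letter, cycling.

    Only letters consume a key position, so spaces and punctuation neither shift
    nor advance the keyword. A one-letter keyword degenerates to a Caesar cipher.
    """
    key = [ALPHABET.index(k) for k in keyword.lower()]
    out, i = [], 0
    for ch in plaintext.lower():
        if ch in ALPHABET:
            k = key[i % len(key)]
            out.append(_shift_char(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_decrypt(ciphertext, keyword):
    return vigenere_encrypt(ciphertext, keyword, decrypt=True)


def caesar_shift_by_frequency(ciphertext):
    """Recover a Caesar shift by frequency analysis, assuming the most common
    ciphertext letter is the image of 'e' (the most common letter in English).

    This is the weakness the slide asks about: a single shift preserves the
    letter-frequency profile of the plaintext, so it survives in the ciphertext.
    """
    letters = [ch for ch in ciphertext.lower() if ch in ALPHABET]
    most_common, _count = Counter(letters).most_common(1)[0]
    return (ALPHABET.index(most_common) - ALPHABET.index("e")) % 26


# Constructed sample whose most frequent letter really is 'e'.
SAMPLE = "meet me near the green tree by the river eleven"

if __name__ == "__main__":
    print(vigenere_encrypt("lamp", "ubc"))                 # fboj, as on the slide
    ct = caesar_encrypt(SAMPLE, 7)
    print(ct, "-> recovered shift", caesar_shift_by_frequency(ct))
```

Vigenère defeats this single-letter frequency attack because each keyword position applies a different shift, which is why it held up until Kasiski's method (slide 80) recovered the keyword length and reduced it back to several Caesar ciphers.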
  79. A Brief History of Cryptography
     - Modern cryptography
     - 1845: Morse code
       - Representation by code signal
       - States (on and off) composed into 5 symbols
  80. A Brief History of Cryptography
     - Modern cryptography
     - 1863: Kasiski breaks Vigenère
       - Find the length of the keyword
       - Divide the message into substitution cryptograms
       - Use frequency analysis to solve these
  81. A Brief History of Cryptography
     - Modern cryptography
     - 1918: ADFGVX cipher
     - Used by the German army in WWI
  82. A Brief History of Cryptography
     - Modern cryptography
       - 1918: The Enigma (Arthur Scherbius)
       - Business: confidential documents
       - No codebooks
       - Rotors: multiple substitutions
       - Wiring changes as you type
       - German forces in WWII
  83. A Brief History of Cryptography
     - Modern cryptography
     - 1937–1945: Navajo code talkers
  84. A Brief History of Cryptography
     - Modern cryptography
     - 1949: Shannon
       - Communication Theory of Secrecy Systems
       - Proved: the one-time pad is unbreakable
  85. A Brief History of Cryptography
     - DES (Data Encryption Standard)
       - Developed by IBM, 1972
       - 56-bit key
     - Triple DES
       - Very secure
  86. A Brief History of Cryptography
     - Modern cryptography
     - 1976: Diffie–Hellman key exchange
       - Whitfield Diffie and Martin Hellman
       - Discrete logarithm problem:
         - G: finite cyclic group with n elements
         - Multiplication modulo n
         - b: generator of G: every element g of G can be written as g = b^k for some integer k
         - Goal: find k given g, b and n!
     - A very hard problem
  87. A Brief History of Cryptography
     - Modern cryptography
     - So how does it work?
     - Exploits?
     - Man in the middle
     - Fix: additional authentication
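The exchange from slides 86 and 87, as an added example that is not part of the original slides: both sides compute the same shared secret from public values, a brute-force discrete log shows what "find k given g, b and n" means on a toy group, and an HMAC tag under a pre-shared key stands in for the "additional authentication" fix, so a public value that did not come from a holder of the key is rejected instead of being used. The group (p = 23, g = 5), the private exponents and the pre-shared key are constructed textbook values; production use needs a standardized group of 2048 bits or more and a real authentication mechanism such as signatures under a verified key.

```python
import hashlib
import hmac
import secrets

# Toy textbook group (constructed): prime modulus p and generator g.
# Real deployments use 2048-bit or larger standardized groups.
P, G = 23, 5


def dh_public(private, p=P, g=G):
    """Public value g^private mod p, the only thing that goes over the network."""
    return pow(g, private, p)


def dh_shared(their_public, private, p=P):
    """Shared secret their_public^private mod p; both parties obtain the same value."""
    return pow(their_public, private, p)


def discrete_log(target, g=G, p=P):
    """Brute-force the exponent k with g^k = target (mod p).

    Feasible only because p is tiny. For real group sizes this search is the
    'very hard problem' the slide describes, and it is what keeps the private
    exponents secret even though the public values are visible.
    """
    for k in range(p):
        if pow(g, k, p) == target:
            return k
    return None


def tag_public(public, psk):
    """Authenticate a public value with an HMAC under a pre-shared key.

    Unauthenticated Diffie-Hellman proves nothing about who produced a public
    value, which is the gap a man in the middle sits in. Binding each value to a
    key both parties already share is one form of the 'additional
    authentication' the slide calls for.
    """
    return hmac.new(psk, str(public).encode(), hashlib.sha256).hexdigest()


def verify_public(public, tag, psk):
    return hmac.compare_digest(tag_public(public, psk), tag)


def authenticated_exchange(a_private, b_private, psk, tamper_with=None):
    """Run a full exchange. `tamper_with` (constructed) substitutes the public
    value B receives, standing in for an interposed party; B rejects it because
    the tag no longer verifies, and the function returns None."""
    a_pub, b_pub = dh_public(a_private), dh_public(b_private)
    a_tag, b_tag = tag_public(a_pub, psk), tag_public(b_pub, psk)
    received_by_b = tamper_with if tamper_with is not None else a_pub
    if not verify_public(received_by_b, a_tag, psk):
        return None
    if not verify_public(b_pub, b_tag, psk):
        return None
    secret_a = dh_shared(b_pub, a_private)
    secret_b = dh_shared(received_by_b, b_private)
    return secret_a if secret_a == secret_b else None


if __name__ == "__main__":
    psk = secrets.token_bytes(32)
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    print("public values:", dh_public(a), dh_public(b))
    print("shared secret:", authenticated_exchange(a, b, psk))
    print("tampered exchange:", authenticated_exchange(a, b, psk, tamper_with=7))
    print("discrete log of A's public value:", discrete_log(dh_public(a)), "== a?", discrete_log(dh_public(a)) == a)
```

With the classic private values 6 and 15 the public values are 8 and 19 and the shared secret is 2; without the tags, an interposed party could hand each side its own public value and hold a separate secret with each of them, which is the man-in-the-middle case on the slide.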
  88. 88. A Brief History of Cryptography <ul><li>Modern Cryptography </li></ul><ul><li>Public Key Crypto </li></ul><ul><li>Key exchange problem </li></ul><ul><li>Asymmetric key algorithm – E.g: RSA, MIT, 1977 </li></ul>
  89. 90. A Brief History of Cryptography <ul><li>Modern Cryptography </li></ul><ul><ul><li>1991: PGP Pretty Good Privacy </li></ul></ul><ul><ul><li>Protocol, uses RSA – Encryption & decryption </li></ul></ul><ul><ul><li>Digital signatures MD4/MD5 (HASH) </li></ul></ul><ul><ul><li>How does that work? </li></ul></ul><ul><ul><li>Web of Trust </li></ul></ul><ul><ul><li>Third party signs (public) key to attest association between person and key </li></ul></ul><ul><ul><li>Other Possibility: Hierarchical, CA based </li></ul></ul><ul><ul><ul><li>E.g.: X.509 Certificates in SSL </li></ul></ul></ul>
  90. 91. 9.Access Control Technologies <ul><li>Identify the major categories of authentication methods </li></ul><ul><li>Discuss the characteristics of common access control methods </li></ul><ul><li>Compare and contrast acess control technologies </li></ul><ul><li>Review the administrative components of access control solutions </li></ul>
  91. 92. Authentication methods <ul><li>Singles sign-on </li></ul><ul><ul><li>Methods allows users to authenticate to a login server, and use credentials and security tokens to authenticate to other systems and services. </li></ul></ul><ul><ul><ul><li>Advantages: </li></ul></ul></ul><ul><ul><ul><ul><li>Fewer usenames/passwords </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Audit trails to trace the systems users access </li></ul></ul></ul></ul><ul><ul><ul><ul><li>High user acceptance </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Reliable level of security </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Reduce administrative overhead due the password reset </li></ul></ul></ul></ul>
  92. 93. Authentication methods <ul><li>Mandatory sign-on </li></ul><ul><ul><li>Requires users to log in individually at each server and access control. </li></ul></ul><ul><ul><li>Each log in should be unique password and username </li></ul></ul><ul><ul><li>Problems? </li></ul></ul><ul><ul><li>Combination of single and mandatory sign-on might be a good compromise for increasing security. </li></ul></ul>
  93. 94. Access control Methods <ul><li>Layered Access Controls </li></ul><ul><ul><li>Require users and processes to authenticate at several access points. Routers and other network devices can use ACLs to filter some traffic, or prompt users for authentication to pass. </li></ul></ul><ul><li>Physical Access Controls </li></ul><ul><ul><li>Restrict access to certain offices and areas, as well as building access, within an organisation. </li></ul></ul><ul><ul><li>Smartcard authentication </li></ul></ul><ul><li>Administrative Access Controls </li></ul><ul><ul><li>Background investigation </li></ul></ul><ul><ul><li>Mandatory vacations </li></ul></ul><ul><ul><li>Acceptable use documents </li></ul></ul><ul><ul><li>Separation of duties </li></ul></ul><ul><ul><li>Job rotation </li></ul></ul><ul><li>Technical Access controls </li></ul><ul><ul><li>Workstation authentication </li></ul></ul><ul><ul><li>Network authentication </li></ul></ul><ul><ul><li>Application authentication </li></ul></ul><ul><ul><li>Service authentication </li></ul></ul>
  94. 95. Access control technologies <ul><li>Network authentication </li></ul><ul><ul><li>LDAP – Lightweight Directory Access Protocol (enhanced version of the X.500 protocol) </li></ul></ul><ul><ul><li>Kerberos – single sign-on deployed in distributed environments </li></ul></ul><ul><li>Access Control Lists – generally used for basic traffic filtering; most network devices include ACLs </li></ul><ul><li>Firewalls – gateways to the Internet. Prevent unauthorized access to or from a private network. </li></ul><ul><li>Application based Access Controls – most applications contain access controls of some type, such as SMTP or FTP; users log in each time they access the service. </li></ul><ul><li>File and Directory sharing – read, write and execute permissions. </li></ul>
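The "Layered Access Controls" bullet on the previous slide and the ACL and firewall bullets above describe the same evaluation model: an ordered list of rules, first match wins, and an implicit deny when nothing matches, applied at more than one point on the path. The added Python example below implements that model and runs a few constructed packets through a perimeter ACL and a host firewall in sequence. It is written for this page, not taken from any device's configuration syntax; the addresses (10.0.0.0/24 as the server network, 10.0.1.0/24 as a branch, 203.0.113.5 as an Internet host) and the rule sets are assumptions.

```python
"""First-match ACL evaluation with implicit deny, applied in layers.

Added educational example; addresses and rules are constructed, not from the slides.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "any"
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        def in_net(cidr, addr):
            return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and in_net(self.src, pkt["src"])
                and in_net(self.dst, pkt["dst"])
                and (self.dport is None or self.dport == pkt.get("dport")))


def evaluate(acl, pkt):
    """First matching rule decides; no match means implicit deny, as on most devices."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action == "permit", rule
    return False, None


def layered(acls, pkt):
    """Layered access control: every layer on the path must permit the packet.

    Returns (permitted, name_of_layer_that_denied_or_None).
    """
    for name, acl in acls:
        permitted, _ = evaluate(acl, pkt)
        if not permitted:
            return False, name
    return True, None


# Constructed perimeter router ACL protecting the 10.0.0.0/24 server network.
PERIMETER_ACL = [
    Rule("permit", "tcp", "any", "10.0.0.0/24", 443),          # HTTPS from anywhere
    Rule("permit", "tcp", "10.0.1.0/24", "10.0.0.0/24"),       # branch office, any TCP port
    # implicit deny
]

# Constructed host firewall on the file server 10.0.0.10.
HOST_ACL = [
    Rule("permit", "tcp", "10.0.1.0/24", "10.0.0.10/32", 22),  # SSH only from the branch
    Rule("permit", "tcp", "any", "10.0.0.10/32", 443),
    # implicit deny
]

LAYERS = [("perimeter", PERIMETER_ACL), ("host", HOST_ACL)]


def demo():
    """Constructed packets showing where each layer stops traffic."""
    return {
        "https_from_internet": layered(LAYERS, {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.10", "dport": 443}),
        "ssh_from_internet":   layered(LAYERS, {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.10", "dport": 22}),
        "ssh_from_branch":     layered(LAYERS, {"proto": "tcp", "src": "10.0.1.7", "dst": "10.0.0.10", "dport": 22}),
        # The perimeter permits any TCP from the branch; only the host layer blocks telnet.
        "telnet_from_branch":  layered(LAYERS, {"proto": "tcp", "src": "10.0.1.7", "dst": "10.0.0.10", "dport": 23}),
        "icmp_from_branch":    layered(LAYERS, {"proto": "icmp", "src": "10.0.1.7", "dst": "10.0.0.10"}),
    }


if __name__ == "__main__":
    for name, (ok, stopped_by) in demo().items():
        print(f"{name}: {'permit' if ok else 'deny at ' + stopped_by}")
```

The telnet case is the reason for layering: the perimeter rule is deliberately broad, and the host firewall is what catches a protocol that should not reach the server at all. When reviewing real ACLs, check rule order first, because an early broad permit silently shadows every narrower rule after it.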
  95. 96. Administrative Access Controls <ul><li>Centralized access management </li></ul><ul><li>Decentralized access management </li></ul><ul><li>Hybrid access management </li></ul><ul><li>Accountability </li></ul><ul><ul><li>auditing </li></ul></ul>
  96. 97. 10. Small Network Security <ul><li>Determine security issues and solutions for ROBO users </li></ul><ul><li>Identify issues with remote user security </li></ul><ul><li>Determine security issues and solutions for SMB users </li></ul><ul><li>Identify issues with home user security </li></ul>
  97. 98. Remote Office/Branch Office <ul><li>A remote office/branch office (ROBO) is sometimes referred to as a satellite office. ROBOs typically have fewer employees and resources than a main office or headquarters. In most environments a ROBO needs access to resources, such as a file server, located at headquarters </li></ul>
  98. 99. Remote Office/Branch Office <ul><li>Issues </li></ul><ul><li>Distance </li></ul><ul><li>Resource limitation (links, emails, file servers) </li></ul><ul><li>IT staff (none or only a few) </li></ul><ul><li>No dedicated INFOSEC professional </li></ul>
  99. 100. Remote Office/Branch Office <ul><li>Secure Access to remote resources </li></ul><ul><li>Usually off-site access to email or file servers </li></ul><ul><li>Confidentiality (slow connections increase the number of local file servers – improvised solutions) </li></ul><ul><li>Integrity (divergence between data stored at headquarters and on local file servers) </li></ul><ul><li>Availability (slow connections over the Internet) </li></ul>
  100. 102. Solutions <ul><li>Centralized Security Solutions </li></ul><ul><ul><li>Reduce the cost of maintaining security across an organisation. </li></ul></ul><ul><ul><li>Firewall (core and perimeter) </li></ul></ul><ul><ul><li>VPN servers </li></ul></ul><ul><ul><li>Email Servers </li></ul></ul><ul><ul><li>Antivirus servers </li></ul></ul><ul><ul><li>Storage </li></ul></ul>
  101. 103. Solutions <ul><li>Connectivity Solutions </li></ul><ul><li>Adequate connectivity (bandwidth) </li></ul><ul><ul><li>Allowing end users to perform their duties </li></ul></ul><ul><li>Multiple Entry Point (MEP) </li></ul><ul><ul><li>Two or more gateways or firewalls protecting the network entry points. </li></ul></ul><ul><ul><li>Leased lines were the connectivity solution of choice for ROBOs, but VPNs over public lines are becoming more common. If a VPN solution is chosen, the encryption should be strong enough to protect the confidentiality and integrity of the data in transit. </li></ul></ul>
  102. 104. Remote User / Telecommuter <ul><li>Or road warrior… remote users need to access corporate information resources, but they are not located on corporate networks. </li></ul><ul><li>Sales, field technicians, marketing professionals, etc. </li></ul>
  103. 106. Remote User / Telecommuter <ul><li>Insecure environments </li></ul><ul><ul><li>Traveling (hotels, airports, coffee shops) </li></ul></ul><ul><ul><li>Partner networks </li></ul></ul><ul><ul><li>Customer networks </li></ul></ul><ul><ul><li>Why insecure? Antivirus (worms), DNS poisoning, etc. </li></ul></ul><ul><li>Physical Security </li></ul><ul><ul><li>Remote users = laptops, mobile phones, PDAs </li></ul></ul>
  104. 107. Remote User / Telecommuter <ul><li>Remote user requirements </li></ul><ul><ul><li>Access controls and file encryption </li></ul></ul><ul><ul><li>Personal Firewall </li></ul></ul><ul><ul><li>Flexible encryption capabilities </li></ul></ul><ul><ul><li>Configuration Control </li></ul></ul>
  105. 108. Small businesses <ul><li>Typically fewer than 100 people and fewer than 50 hosts on their network. Networks are typically flat (not segmented with VLANs, routers, firewalls, etc.). One person is the IT “department”, and that person must wear many hats! </li></ul>
  106. 109. Small businesses issues <ul><li>Limited Human resources </li></ul><ul><li>Limited expertise </li></ul><ul><li>Frugal information technology budget </li></ul>
  107. 110. Small businesses requirements <ul><li>Small businesses face the same or greater risks than larger organisations from threats to their IT resources. </li></ul><ul><li>Confidentiality – there are trade secrets and competitive data. Budgetary constraints limit the number of available servers and the expertise of security administrators. </li></ul><ul><li>Integrity – some pieces of a process may be computerized, while others still use hard-copy methods </li></ul><ul><li>Availability – may actually be more critical than for their larger counterparts. </li></ul>
  108. 111. SB security Solutions <ul><li>Security Appliances </li></ul><ul><li>Security appliances combine hardware and software, and may require very little configuration and maintenance. </li></ul><ul><li>Appliances with firewalls, IDS, antivirus and content filtering. They typically provide an easy way to configure and maintain security. </li></ul>
  109. 112. Home users <ul><li>Lack of knowledge </li></ul><ul><li>… </li></ul>