1. Project Meeting
2015 - Dartmouth Research & Consulting
T. J. Saotome
Basic Cybersecurity Concepts You Must Know
2. Who/What Poses a Threat?
• Hackers – casual or pro
• Intruders – organized crime, states
• Insiders – employees can steal
• Contractors – hired guns can steal
• Nature – hurricanes, fire, disasters
• Human Error – input error, deletion
3. What’s the Problem?
• General Lack of Awareness
– Users have only a vague understanding of the threats & risks associated with computers and the Internet
• General Lack of Quality Help
– Many view security as cumbersome
– Many think it is complicated & expensive
• Complacency
– Software is in place
– Does not involve me
4. Key Areas of Concern
• Do you accept the risk level?
– Ignore it
– Take insurance against it
– Do something about it
• What are your concerns?
– Authentication
– Availability
– Confidentiality
– Integrity
– Non-repudiation
– Policies/procedures & education
5. Security Model
Types of Threat
• Masquerade
• Interception
• Tampering
• Denial of Service
• No Evidence
• Complacency
Types of Solutions
• Authentication
• Confidentiality
• Integrity
• Availability
• Non-Repudiation
• Training & education
6. Is it Possible to Eliminate All Risks?
• You know the answer – No, impossible
• But you can get close by employing “Defense in Depth”
Protection Layers
– Authentication
– Access Control
– Confidentiality
– Availability
7. Concept #1 - Authentication
Permission to Access Resources
• Password
• Biometrics
• Electronic Token
• 2 Factor Authentication
Passwords are easily “cracked”
– By guessing
– Social Engineering
– Deception
– Widely available cracking tools
8. Concept #2 - Confidentiality
Symmetric Encryption
– Same key for encryption/decryption
– RC4, DES, 3DES, AES, IDEA, Blowfish, Twofish
Asymmetric Encryption
– Different keys for encryption/decryption
– PGP, GnuPG, PKI (using X.509)
Cryptography promotes confidentiality
9. Concept #3 – Information Integrity
Hash Algorithm
– MD5 (RFC 1321), SHA (RFC 3174)
Digital Signature
– Combination of PKI & Hash technology
– Digital Signature = hash of the message, encrypted with the signer’s private key
– Digital Signature Standard – US DSS uses SHA-1 for the hash & DSA (Digital Signature Algorithm) for the signature operation
Tampering can be detected by integrity mechanisms
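Worked example (added here; not from the original slides) of what an “integrity mechanism” can and cannot detect: an unkeyed hash catches accidental corruption, but anyone who can replace the message can also replace the published hash, so deliberate tampering needs a keyed MAC (HMAC) or a digital signature. The key and the messages are constructed for the demo. SHA-256 is used rather than the MD5 and SHA-1 named on the slide because practical collisions have since been published for both.

```python
import hashlib
import hmac

# Assumption: in practice the key lives in a key store; constructed here for the demo.
SHARED_KEY = b"example-shared-secret-key"


def sha256_hex(data: bytes) -> str:
    """Unkeyed fingerprint of the data: anyone can compute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(data: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed tag: only holders of the key can compute or recompute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def tag_matches(data: bytes, expected_hex: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(hmac_hex(data, key), expected_hex)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a one-bit storage or transmission error."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def scenario() -> dict:
    """Compare an unkeyed hash with a keyed MAC against corruption and against forgery."""
    original = b"PAY 100.00 TO ACCOUNT 1234"   # constructed message
    published_hash = sha256_hex(original)      # published alongside the message
    published_tag = hmac_hex(original)

    # Case 1: accidental corruption (one flipped bit). Both mechanisms notice.
    corrupted = flip_bit(original, 13)

    # Case 2: deliberate forgery. The attacker rewrites the message AND recomputes
    # the unkeyed hash; without the key they cannot recompute the tag.
    forged = b"PAY 999.00 TO ACCOUNT 9999"
    forged_hash = sha256_hex(forged)

    return {
        "corruption_caught_by_hash": not hash_matches(corrupted, published_hash),
        "corruption_caught_by_mac": not tag_matches(corrupted, published_tag),
        "forgery_caught_by_hash": not hash_matches(forged, forged_hash),   # False: hash replaced too
        "forgery_caught_by_mac": not tag_matches(forged, published_tag),  # True: key unknown to attacker
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

A digital signature gives the same protection as the MAC here, with the added property that only the holder of the private key could have produced it, which is what the non-repudiation slide relies on.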
10. Concept #4 - Availability
Denial of Service Attacks
– Via Internet (e.g. Ping of Death)
– Via errant applications on LAN
– Via Trojan Horse
Guard Against DoS & Sabotage
– Physical Security
– Dual and Multi Paths
– Redundant storage
– Good backup is essential
11. Concept #5 - Non-Repudiation
Destroying Evidence
– Log all access to covered entities
– Separate sys admin rights from log access rights
– Set event alarms for log tampering
Hacker or employee may cover tracks by destroying evidence
12. System & Network Intrusion
• Trojan Horse
• Masquerading insider
• Dormant malware
• NetBIOS on TCP/IP especially vulnerable
Many Faces of Attack
– Data breach
– Authentication info
– Denial of Service
13. Security Administration
• Operating System Security
– Earlier versions of Windows OS lacked security mechanisms
– “OS Hardening” needed for critical systems
• User account password/permission
• Internet Security
– Encrypting communication (e.g. IPSec)
– SSL and TLS for Web
• Scan for vulnerabilities
15. Reducing Risks
• Non-Technical Solutions
– Security Policies
– Procedures
– Backup and Disaster Recovery Plan
– Off-site and Contingency Plan
– User Education
• Security Technologies
– Firewalls
– Anti-Virus
– Biometrics
– Cryptography
– PKI
– Intrusion Detection
– Logs
You must have a combination of both to be effective
16. Reducing the Risks – How?
Policies & Procedures
• Define Security Policies
• Define Security Process
Security Technology
• Employ Security Technologies for enforcement
• Automate Event Monitoring/Compliance
• Employ Intelligent Event Correlation
Residual Risks
• Recognize that there will be residual risks
• Take insurance against it, or transfer the risks
18. How you can start
• Objective assessment of the current state & desired future state
• Combination of policies & technology appropriate for the risks
• Continuous User Education
• Monitoring & Due Diligence
• Periodic Audit & Fire Drill
19. Resources
• These slides are available at
– www.Dartmouth-research.com
• Security Templates
– www.sans.org – Security Tools and Training
– www.cert.org – CERT Coordination Center
– www.itl.nist.gov – NIST IT Security Checklist