1 / 61

INFORMATION SECURITY MANAGEMENT

INFORMATION SECURITY MANAGEMENT. Chapter 10: Protection Mechanisms. You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra. Windows XP. Zero days turn to "forever days". http://windows.microsoft.com/en-us/windows/end-support-help.

dwiggs
Download Presentation

INFORMATION SECURITY MANAGEMENT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INFORMATION SECURITY MANAGEMENT Chapter 10: Protection Mechanisms You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

  2. Windows XP Zero days turn to "forever days" http://windows.microsoft.com/en-us/windows/end-support-help

  3. Principles of Information Security Management http://csrc.nist.gov/publications/PubsTC.html Include the following characteristics that will be the focus of the current course (six P’s): • Planning • Policy • Programs • Protection • People • Project Management

  4. Planning • Planning as part of InfoSec management • An extension of the basic planning model discussed earlier in this chapter • Included in the InfoSec planning model • Activities necessary to support the design, creation, and implementation of information security strategies

  5. Planning (cont’d.) • Types of InfoSec plans • Incident response planning • Business continuity planning • Disaster recovery planning • Policy planning • Personnel planning • Technology rollout planning • Risk management planning • Security program planning • includes education, training and awareness

  6. Policy UNCW Policies • The set of organizational guidelines that dictates certain behavior within the organization • Three general categories of policy: • Enterprise information security policy (EISP) • Issue-specific security policy (ISSP) • System-specific policies (SysSPs)

  7. Programs • InfoSec operations that are specifically managed as separate entities • Example: a security education training and awareness (SETA) program • Other types of programs • Physical security program • complete with fire, physical access, gates, guards, etc.

  8. Protection • Executed through risk management activities • Includes: • Risk assessment and control • Protection mechanisms • Technologies • Tools • Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan

  9. People Managers must recognize the crucial role that people play in the information security program This area of InfoSec includes security personnel and the security of personnel, as well as aspects of a SETA program The most critical link in the information security program

  10. Project Management Identifying and controlling the resources applied to the project Measuring progress Adjusting the process as progress is made

  11. Target Incident – Topic Paper Presentation

  12. Software Demo – Mark Grover

  13. Hacking Networks Phase 1: Reconnaissance • Physical Break-In • Dumpster Diving • Google, Newsgroups, Web sites • Social Engineering • Phishing: fake email • Pharming: fake web pages • WhoIs Database • Domain Name Server Interrogations Registrant: Microsoft Corporation One Microsoft Way Redmond, WA 98052 US Domain name: MICROSOFT.COM Administrative Contact: Administrator, Domain domains@microsoft.com One Microsoft Way Redmond, WA 98052 US +1.4258828080 Technical Contact: Hostmaster, MSN msnhst@microsoft.com One Microsoft Way Redmond, WA 98052 US +1.4258828080 Registration Service Provider: DBMS VeriSign, dbms-support@verisign.com 800-579-2848 x4 Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions. Registrar of Record: TUCOWS, INC. Record last updated on 27-Aug-2006. Record expires on 03-May-2014. Record created on 02-May-1991. Domain servers in listed order: NS3.MSFT.NET 213.199.144.151 NS1.MSFT.NET 207.68.160.190 NS4.MSFT.NET 207.46.66.126 NS2.MSFT.NET 65.54.240.126 NS5.MSFT.NET 65.55.238.126

  14. Hacking NetworksPhase 2: Scanning War Driving: Can I find a wireless network? War Dialing: Can I find a modem to connect to? Network Mapping: What IP addresses exist, and what ports are open on them? Vulnerability-Scanning Tools: What versions of software are implemented on devices?

  15. Passive Attacks Eavesdropping: Listen to packets from other parties = Sniffing Traffic Analysis: Learn about network from observing traffic patterns Footprinting: Test to determine software installed on system = Network Mapping

  16. Hacking Networks:Phase 3: Gaining Access Network Attacks: • Sniffing (Eavesdropping) • IP Address Spoofing • Session Hijacking System Attacks: • Buffer Overflow • Password Cracking • SQL Injection • Web Protocol Abuse • Denial of Service • Trap Door • Virus, Worm, Trojan horse,

  17. Some Active Attacks Denial of Service: Message did not make it; or service could not run Masquerading or Spoofing: The actual sender is not the claimed sender Message Modification: The message was modified in transmission Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage

  18. Man-in-the-Middle Attack 10.1.1.1 10.1.1.3 (2) Login (1) Login (4) Password (3) Password 10.1.1.2

  19. Hacking Networks:Phase 4: Exploit/Maintain Access Control system: system commands, log keystrokes, pswd Useful utility actually creates a backdoor. Backdoor Trojan Horse Replaces system executables: e.g. Login, ls, du User-Level Rootkit Bots Spyware/Adware Replaces OS kernel: e.g. process or file control to hide Kernel-Level Rootkit Slave forwards/performs commands; spreads, list email addrs, DOS attacks Spyware: Collect info: keystroke logger, collect credit card #s, AdWare: insert ads, filter search results

  20. Botnets Botnets: Bots Handler Attacker China Hungary Bots: Host illegal movies, music, pornography, criminal web sites, … Forward Spam for financial gain Zombies

  21. Distributed Denial of Service Zombies Handler Victim Attacker Russia Bulgaria United States Can barrage a victim server with requests, causing the network to fail to respond to anyone Zombies

  22. Introduction • Threats -> Vulnerabilities -> Risk ->Controls • Technicalcontrols • Must be combined with sound policy and education, training, and awareness efforts • Examples of technical security mechanisms

  23. Sphere of Protection Source: Course Technology/Cengage Learning

  24. Access Controls • The four processes of access control • Identification • Authentication • Authorization • Accountability • A successful access control approach always incorporates all four of these elements

  25. Access Controls – Password Strength Table 10-1 Password power Source: Course Technology/Cengage Learning

  26. Acceptability of Biometrics • Note: Iris Scanning has experienced rapid growth in popularity and due to it’s acceptability, low cost, and effective security

  27. Firewalls • Any device that prevents a specific type of information from moving between two networks Types: • Packet Filtering • Application Level • Stateful Inspection Firewalls

  28. Packet filtering firewalls • Simple networking devices that filter packets by examining every incoming and outgoing packet header

  29. Application-level firewalls • Consists of dedicated computers kept separate from the first filtering router (edge router) • Commonly used in conjunction with a second or internal filtering router - or proxy server • Implemented for specific protocols

  30. Stateful inspection firewalls • Keeps track of each network connection established between internal and external systems using a state table • Can restrict incoming packets by allowing access only to packets that constitute responses to requests from internal hosts

  31. Firewall Architectures • Each firewall generation can be implemented in several architectural configurations • Common architectural implementations • Packet filtering routers • Screened-host firewalls • Dual-homed host firewalls • Screened-subnet firewalls

  32. Firewall Architectures:Packet filtering routers Most organizations with an Internet connection use some form of router between their internal networks and the external service provider

  33. Firewall Architectures:Screened-host firewall systems • Combine the packet filtering router with a separate, dedicated firewall such as an application proxy server

  34. Firewall Architectures:Dual-Homed host firewalls • The bastion host contains two network interfaces • One is connected to the external network • One is connected to the internal network

  35. Selecting the Right Firewall • Firewall Technology • Cost • Maintenance • Future Growth

  36. Managing Firewalls • Any firewall device must have its own configuration • Firewall Rules • Policy regarding firewall use • Firewall best practices • All traffic from the trusted network allowed out • The firewall is never accessible directly from the public network • Email Policies

  37. Intrusion Detection and Prevention Systems (IDPS) • The term intrusion detection/prevention system (IDPS) can be used to describe current anti-intrusion technologies • Like firewall systems, IDPSs require complex configurations to provide the level of detection and response desired

  38. Intrusion Detection and Prevention Systems (cont’d.) IDPS technologies can respond to a detected threat by attempting to prevent it from succeeding Network or Host Based Protection

  39. IDPS – Host vs. Network http://www.windowsecurity.com/articles-tutorials/intrusion_detection/Hids_vs_Nids_Part1.html

  40. Signature-Based IDPS • Examines data traffic for something that matches the preconfigured, predetermined attack pattern signatures • Weakness: slow and methodical attacks may slip undetected through the IDPS, as their actions may not match a signature that includes factors based on duration of the events

  41. Statistical Anomaly-Based IDPS • First collects data from normal traffic and establishes a baseline • Then periodically samples network activity, based on statistical methods, and compares the samples to the baseline • Advantage: Able to detect new types of attacks, because it looks for abnormal activity of any type

  42. Managing IDPS • IDPSs must be configured to differentiate between routine circumstances and low, moderate, or severe threats • A properly configured IDPS can translate a security alert into different types of notifications • Most IDPSs monitor systems using agents • Consolidated enterprise manager

  43. Honeypot & Honeynet Honeypot: A system with a special software application which appears easy to break into Honeynet: A network which appears easy to break into • Purpose: Catch attackers • All traffic going to honeypot/net is suspicious • If successfully penetrated, can launch further attacks • Must be carefully monitored Firewall Honey Pot External DNS VPN Server IDS Web Server E-Commerce

  44. Remote Access Protection • Network connectivity using external connections • Usually much simpler and less sophisticated than Internet connections • Simple user name and password schemes are usually the only means of authentication

  45. RADIUS and TACACS • Systems that authenticate the credentials of dial-up access users • Typical dial-up systems place the authentication of users on the system connected to the modems • Options: • Remote Authentication Dial-In User Service (RADIUS) • Terminal Access Controller Access Control(TACACS)

  46. Authentication Protocols RADIUS • Over-the-wire protocol from client to AAA (authentication, authorization, accounting) server

  47. TACACS+ Source: Course Technology/Cengage Learning

  48. Managing Connections • Organizations that continue to offer remote access must: • Determine how many connections the organization has • Control access to authorized modem numbers • Use call-back whenever possible • Use token-based authentication if at all possible

  49. Wi-Fi security • SSID should be a non-default value • SSID broadcast should be disabled • MAC access control • Authentication • Require ID and password, may use a RADIUS server • Encryption • WEP (Wired Equivalent Privacy) • WPA (Wireless Protected Access) • WPA2 (superset of WPA, full standard)

  50. Managing Wireless Connections • Regulate the wireless network footprint • Select WPA or WPA2 over WEP • Protect preshared keys

More Related