560 likes | 711 Views
The University of Akron Summit College Business Technology Dept. 2440: 141 Web Site Administration Introduction to Security Instructor: Enoch E. Damson. Information Security. Consists of the procedures and measures taken to protect each component of information systems
E N D
The University of AkronSummit CollegeBusiness Technology Dept. 2440: 141Web Site Administration Introduction to Security Instructor: Enoch E. Damson
Information Security • Consists of the procedures and measures taken to protect each component of information systems • Protecting data, hardware, software, networks, procedures and people • The concept of information security is based on the C.I.A triangle (according to the National Security Telecommunications and Information Security Committee – NSTISSC) • C – Confidentiality • I – Integrity • A – Availability Introduction to Security
Confidentiality • Addresses two aspects of security with subtle differences • Prevents unauthorized individuals from knowing or accessing information • Safeguards confidential information and disclosing secret information only to authorized individuals by means of classifying information Introduction to Security
Integrity • Ensures data consistency and accuracy • The integrity of the information system is measured by the integrity of its data • Data can be degraded into the following categories: • Invalid data – not all data is valid • Redundant data – the same data is recorded and stored in several places • Inconsistent data – redundant data is not identical • Data anomalies – one occurrence of repeated data is changed and the other occurrences are not • Data read inconsistency – a user does not always read the last committed data • Data non-concurrency – multiple users can access and read data at the same time but loose read consistency Introduction to Security
Availability • Ensures that data is accessible to authorized individuals to access information • An organization’s information system can be unavailable because of the following security issues • External attacks and lack of system protection • Occurrence of system failure with no disaster recovery strategy • Overly stringent and obscure security procedures and policies • Faulty implementation of authentication processes, causing failure to authenticate customers properly Introduction to Security
Information Security Architecture • The model for protecting logical and physical assets • The overall design of a company’s implementation of the C.I.A triangle • Components range from physical equipment to logical security tools and utilities Introduction to Security
Components of Information Security Architecture • The components of information security architecture are: • Policies and procedures – documented procedures and company policies that elaborate on how security is to be carried out • Security personnel and administrators – people who enforce and keep security in order • Detection equipment – devices to authenticate users and detect and equipment prohibited by the company Introduction to Security
Components of Information Security Architecture… • Other components of information security architecture include: • Security programs – tools to protect computer system’s servers from malicious code such as viruses • Monitoring equipment – devices to monitor physical properties, users, and important assets • Monitoring applications – utilities and applications used to monitor network traffic and Internet activities, downloads, uploads, and other network activities • Auditing procedures and tools – checks and controls to ensure that security measures are working Introduction to Security
Levels of Security • The levels of security include: • Highly restrictive • Moderately restrictive • Open Introduction to Security
Levels of Security… • Before deciding on a level of security, answer these questions: • What must be protected? • From whom should data be protected? • What costs are associated with security being breached and data being lost or stolen? • How likely is it that a threat will actually occur? • Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment? Introduction to Security
Highly Restrictive Security Policies • Include features such as: • Data encryption • Complex password requirements • Detailed auditing and monitoring of computer/network access • Intricate authentication methods • Policies that govern use of the Internet/e-mail • Might require third-party hardware and software • Implementation cost is high • Cost of a security breach is high Introduction to Security
Moderately Restrictive Security Policies • Most organizations can opt for this type of policy • Requires passwords, but not overly complex ones • Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity • Most network operating systems contain authentication, monitoring, and auditing features to implement the required policies • Infrastructure can be secured with moderately priced off-the-shelf hardware and software (firewalls, etc) • Costs are primarily in initial configuration and support Introduction to Security
Open Security Policies • Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing • May be implemented by a small company with the primary goal of making access to basic data resources • Internet access should probably not be possible via the company LAN • Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees Introduction to Security
Securing the Web Environment • Both Linux and Windows need to configured carefully to minimize security risks • Keep software patches up to date • Web servers with static pages are relatively easy to protect than those with dynamic pages • To secure transmission, data may be encrypted with Secure Socket Layer (SSL) and Secure Shell (SSH) • To isolate a Web server environment: • Firewalls may be used to block unwanted access to ports • Proxy servers may be used to isolate computers • To discover whether and how attackers have penetrated a system, intrusion detection software may be used Introduction to Security
Identifying Threats and Vulnerabilities • Hackers sometimes want the challenge of penetrating a system and vandalizing it – other times they are after data • Data can be credit card numbers, user names and passwords, other personal data • Information can be gathered by hackers while it is being transmitted • Operating system flaws can often assist hackers Introduction to Security
Types of Attacks & Vulnerabilities • Some of the numerous methods to attack systems are as follows: • Virus – code that compromises the integrity and state of a system • Worm – code that disrupts the operation of a system • Trojan horse – malicious code that penetrates a computer system or network by pretending to be legitimate code • Denial of service – the act of flooding a Web site or network system with many requests with the intent of overloading the system and forcing it to deny service to legitimate requests • Spoofing – malicious code that looks like legitimate code • Bugs – software code that is faulty due to bad design, logic, or both Introduction to Security
Types of Attacks & Vulnerabilities… • Other methods to attack systems include: • Email spamming – E-mail that is sent to many recipients without their permission • Boot sector virus – code that compromises the segment in the hard disk containing the program used to start the computer • Back door – an intentional design element of some software that allows developers of a system to gain access to the application for maintenance or technical problems • Rootkits and bots – malicious or legitimate software code that performs functions like automatically retrieving and collecting information from computer systems Introduction to Security
Examining TCP/IP • TCP/IP was not designed to be secure but to allow systems to communicate • Hackers often take advantage of the ignorance about TCP/IP to access computers connected to the Internet • The following are parts of the IP header most relevant to security • Source address – start-point IP address • Destination address – end-point IP address • Packet identification, flags, fragment offset • Total length – length of packet in bytes • Protocol – TCP, UDP, ICMP Introduction to Security
Vulnerabilities of DNS • Historically, DNS has had security problems • BIND is the most common implementation of DNS and some older versions had serious bugs • Current versions of BIND have been more secure Introduction to Security
Vulnerabilities in Operating Systems • Operating systems are large and complex • Hence, more opportunities for attack • Inattentive administrators often fail to implement patches when available • Some attacks, such as buffer overruns, can allow the attacker to take over the computer Introduction to Security
Vulnerabilities in Web servers • Static HTML pages pose virtually no problem • Programming environments and databases add complexity that a hacker can exploit Introduction to Security
Vulnerabilities of E-mail Servers • By design, e-mail servers are open • E-mail servers can be harmed by a series of very large e-mail messages • Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server • Viruses can be sent to e-mail users • Retrieving e-mail over the Internet often involves sending your user name and password as clear text Introduction to Security
Security Basics • Some of the basic security rules are as follows: • Security and functionality are inversely related – the more security you implement, the less functionality you will have, and vice versa • No matter how much security you implement and no matter how secure your site is, if hackers want to break in, they will • The weakest link in security is human beings Introduction to Security
Security Methods • People • Physical limits on access to hardware and documents • Through the processes of identification and authentication, make certain that the individual is who he/she claims to be through the use of devices, such as ID card, eye scans, passwords • Training courses on the importance of security and how to guard assets • Establishments of security policies and procedures Introduction to Security
Security Methods… • Applications • Authentication of users who access applications • Business rules • Single sign-on (a method for signing on once for different applications and Web sites) Introduction to Security
Security Methods… • Network • Firewalls – to block network intruders • Virtual private network (VPN) – a remote computer securely connected to a corporate network • Authentication Introduction to Security
Security Methods… • Operating System • Authentication • Intrusion detection • Password policy • Users accounts Introduction to Security
Security Methods… • Database Management Systems • Authentication • Audit mechanism • Database resource limits • Password policy Introduction to Security
Security Methods… • Data Files • File permissions • Access monitoring Introduction to Security
Securing Access to Data • Securing data on a network has many facets: • Authentication and authorization – identifying who is permitted to access which network resources • Encryption/decryption – making data unusable to anyone except authorized users • Virtual Private Networks (VPNs) – allowing authorized remote access to a private network via the public Internet • Firewalls – installing software/hardware device to protect a computer or network from unauthorized access and attacks Introduction to Security
Securing Access to Data… • Other facets of securing data on a network include: • Virus and worm protection – securing data from software designed to destroy data or make computer or network operate inefficiently • Spyware protection – securing computers from inadvertently downloading and running programs that gather personal information and report on browsing and habits • Wireless security – implementing unique measures for protecting data and authorizing access to the wireless network Introduction to Security
Securing Data Transmission • To secure data on a network, you need to encrypt the data • Secure Socket Layer (SSL) is commonly used to encrypt data between a browser and Web server • Secure Shell (SSH) is a secured replacement for Telnet Introduction to Security
Securing the Operating System • Use the server for only necessary tasks • Minimize user accounts • Disable services that are not needed • Make sure that you have a secure password Introduction to Security
Securing Windows • Some services that are not needed in Windows for most Internet-based server applications may be turned off • Examples include: • Alerter • Computer browser • DHCP client • DNS client • Messenger • Server • Workstation • Also, the registry can be used to alter the configuration to make it more secure such as disabling short file names Introduction to Security
Securing Linux • Only run needed daemons • Generally, daemons are disabled by default • The command netstat -lgives you a list of daemons that are running • Use chkconfig to enable and disable daemons • chkconfigimap onwould enable imap Introduction to Security
Securing E-mail • Tunneling POP3 can prevent data from being seen • Microsoft Exchange can also use SSL for protocols it uses • Set a size limit for each mailbox to prevent someone from sending large e-mail messages until the disk is full Introduction to Security
Securing the Web Server • Enable the minimum features • If you do not need a programming language, do not enable it • Make sure programmers understand security issues • Implement SSL where appropriate Introduction to Security
Authenticating Web Users • Both Apache and IIS use HTTP to enable authentication • If HTTP tries to access a protected directory and fails then: • it requests authentication from the user in a dialog box • Accesses directory with user information • Used in conjunction with SSL Introduction to Security
Using a Firewall • A firewall implements a security policy between networks • Limit access, especially from the Internet to your internal computers • Restrict access to Web servers, e-mail servers, and other related servers Introduction to Security
Types of Filtering • Packet filtering • Looks at each individual packet • Based on rules, it determines whether to let it pass through the firewall • Circuit-level filtering (stateful or dynamic filtering) • Controls complete communication session, not just individual packets • Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside • Application-level • Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail Introduction to Security
Using a Proxy Server • A proxy server delivers content on behalf of a user or server application • Proxy servers need to understand the protocol of the application that they proxy such as HTTP or FTP • Forward proxy servers isolate users from the Internet • Users contact proxy server which gets Web page • Reverse proxy servers isolate Web server environment from the Internet • When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server Introduction to Security
Using Intrusion Detection Software • Intrusion detection is designed to show you that your defenses have been penetrated • With Microsoft Internet Security and Acceleration (ISA) Server, it only detects specific types of intrusion • In Linux, Tripwire tracks changes to files Introduction to Security
Tripwire • Tripwire allows you to set policies that allow you to monitor any changes to the files on the system • Tripwire can detect file additions, file deletions, and changes to existing files • By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change Introduction to Security
Implementing Secure Authentication and Authorization • Administrators must control who has access to the network (authentication) and what logged on users can do to the network (authorization) • Network operating systems have tools to specify options and restrictions on how/when users can log on to network • File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform Introduction to Security
Cryptography • The science of encrypting and decrypting information to ensure that data and information cannot be easily understood or modified by unauthorized individuals • Allows encryption of data from its original form into a form that can only be read with a correct decryption key • Some of security functions addressed by cryptography methods are: • Authentication • Privacy • Message integrity • Provisions of data signatures Introduction to Security
Vocabulary of Cryptography • Cryptanalysis – the process of evaluating cryptographic algorithms to discover their flaws • Cryptanalyst – a person who uses cryptanalysis to find flaws in cryptographic algorithms • Cryptographer – a person trained in the science of cryptograpy • Alphabet – set of symbols used in cryptographic to either input or output messages • Plaintext (cleartext or raw data)– the original data in its raw form • Cipher (algorithm)– a cryptographic encryption algorithm for transforming data from one form to another • Cyphertext - the encrypted data Introduction to Security
Encryption • The act of encoding readable data into a format that is unreadable without a decoding key • Decryption – the act of decoding encoded data back into the original readable format • Encryption provides privacy (confidentiality) Introduction to Security
Encryption Methodology • There are two elements in encryption: • Encryption method (ciper or algorithm)– specifies the mathematical process used in encryption • Key – the special string of bits used in encryption Introduction to Security
Types of Cryptographic Ciphers • Ciphers fall into one of two major categories: • Symmetric (single-key) ciphers – the same key is used to both encryption and decryption • Asymmetric (public-key) ciphers – different keys are used for encryption and decryption Introduction to Security
Symmetric (Single Key) Ciphers • The most common and simplest form of encryption • Both parties in the encryption process use the same key and must keep the key secret • Symmetric ciphers are divided into: • Steam ciphers – encrypt the bits of message one at a time • Block ciphers – encrypt a number of bits as a single unit • Some symmetric ciphers include: • Data Encryption Standard (DES), Triple-DES, DESX, RDES, Blowfish, Twofish, AES (Advanced Encryption Standard), and IDEA (International Data Encryption Algorithm), Serpent Introduction to Security