Information Security
Risk Assessment • A thorough analysis of an organization’s vulnerability to security breaches and an identification of its potential losses. • A risk assessment should answer the following questions: • What resources or assets are at risk? • What methods could be taken to compromise those resources? • Who or what are the most likely threats to resources? • What is the probability that the organization or its resources will be compromised? • What are the consequences of those resources being compromised?
Security Policy Goals • Ensure that authorized users have appropriate access to the resources they need • Prevent unauthorized users from gaining access to facilities, cabling, devices, systems, programs, or data • Protect sensitive data from unauthorized access, from individuals both internal and external to the organization • Prevent accidental or intentional damage to hardware, facilities, or software • Create an environment in which the network and its connected nodes can withstand and, if necessary, quickly respond to and recover from any type of threat
Security Policy Content • What types of security policies should be defined: • Password policy • Software installation policy • Confidential and sensitive data policy • Network access policy • Telephone use policy • E-mail use policy • Internet use policy • Remote access policy • Cable Vault and Equipment room access policy.
Response Policy • Response Team roles: • Dispatcher - The person on call who first notices or is alerted to the problem. • Manager - The team member who coordinates the resources necessary to solve the problem. • Technical support specialists - The team members who strive to solve the problem as quickly as possible. • Public relations specialist - The team member who acts as official spokesperson for the organization to the public.
Common Security Risks: Human Error, Ignorance, and Omission • These cause more than half of all security breaches sustained by voice and data networks. • Social engineering strategy - involves manipulating social relationships to gain access to restricted resources.
Human Error, Ignorance, and Omission • Risks include: • Intruders or attackers using social engineering or snooping to obtain user passwords. • Network administrators overlooking security flaws in network design, hardware configuration, operating systems, or applications. • An unused computer or terminal left logged on to the network, thereby providing an entry point for an intruder. • Users or administrators choosing easy-to-guess passwords.
Password Security • Guidelines for choosing passwords: • Always change system default passwords after installing new programs or equipment. • Do not use familiar information, such as your birth date, anniversary, pet’s name, child’s name, etc. • Do not use any word that might appear in a dictionary. • Make the password longer than six characters - the longer, the better. • Change your password at least every 60 days, or more frequently, if desired.
Physical Security • Locations on voice and data networks that warrant physical security: • Inside a central office: • Cable vaults • Equipment rooms • Power sources (for example, a room of batteries or a fuel tank) • Cable runs (ceiling and floor) • Work areas (anyplace where networked workstations and telephones are located)
Physical Security • Locations on voice and data networks that warrant physical security: • Outside telecommunications facilities: • Serving area interfaces and remote switching facilities • Exterior cross-connect boxes • Wires leading to or between telephone poles • Base stations and mobile telephone switching offices used with cellular telephone networks • Inside a business: • Entrance facilities • Equipment room (where servers, private switching systems, and connectivity devices are kept) • Telecommunications closet
Physical Security • Relevant questions: • Which rooms contain critical systems, transmission media, or data and need to be secured? • How and to what extent are authorized personnel granted entry? • Are authentication methods (such as ID badges) difficult to forge or circumvent? • Do supervisors or security personnel make periodic physical security checks? • What is the plan for documenting and responding to physical security breaches?
Remote Access • Modems are notorious for providing hackers with easy access to networks. • Although modem ports on connectivity devices can open access to significant parts of a network, the more common security risks relate to modems that users attach directly to their workstations. • When modems are attached directly to networked computers, they essentially provide a back door into the network. • War dialers - computer programs that dial multiple telephone numbers in rapid succession, attempting to access and receive a handshake response from a modem.
Encryption • The use of an algorithm to change data into a format that can be read only by reversing the algorithm. • Encryption ensures that: • Data can only be viewed and voice signals can only be heard by their intended recipient (or at their intended destination). • Data or voice information was not modified/altered after the sender transmitted it and before the receiver picked it up. • Data or voice signals received at their intended destination were truly issued by the stated sender and not forged by an intruder.
Public Key Encryption • Data is encrypted using two keys: One is a key known only to a user (a private key) and the other is a public key associated with the user. • Public-key server - a publicly accessible host (often, a server connected to the Internet) that freely provides a list of users’ public keys. • Key pair - the combination of the public key and private key. • Digital certificate - a password-protected and encrypted file that holds an individual’s identification information, including a public key.
Encryption Methods • Kerberos - a cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system. • PGP (Pretty Good Privacy) - a public key encryption system that can verify the authenticity of an e-mail sender and encrypt e-mail data in transmission. • IPSec (Internet Protocol Security) - defines encryption, authentication, and key management for TCP/IP transmissions.
Encryption Methods • SSL (Secure Sockets Layer) - a method of encrypting TCP/IP transmissions between a client and server using public key encryption technology. • When a Web page’s URL begins with the prefix HTTPS, it requires that its data be transferred from server to client and vice versa using SSL encryption. • Each time a client and server establish an SSL connection, they also establish a unique SSL session. • Handshake protocol - authenticates the client and server to each other and establishes terms for how they will securely exchange data.
Eavesdropping • The use of a transmission or recording device to capture conversations without the consent of the speakers. • Eavesdropping can be accomplished in one of four ways in wired circuits: • Bugging • Listening on one of the parties’ telephone extensions • Using an RF receiver to pick up inducted current near a telephone wire pair • Wiretapping, or the interception of a telephone conversation by accessing the telephone signal
Private Switch Security • A hacker might want to gain access to a PBX in order to: • Eavesdrop on telephone conversations, thus obtaining proprietary information • Use the PBX for making long-distance calls at the company’s expense, a practice known as toll fraud • Flood the PBX with such a high volume of signals that it cannot process valid calls, a practice known as a denial-of-service attack • Use the PBX as a connection to other parts of a telephone network, such as voice mail, ACD, or paging systems
Voice Mail Security • Voice mail, the service that allows callers to leave messages for later retrieval, is a popular access point for hackers. • If a hacker obtains access to a voice mail system’s administrator mailbox, they can set up additional mailboxes for private use. Valid voice mail users will never notice. • Privacy breaches - if a hacker guesses the password for a mailbox, they can listen to the messages in that user’s mailbox.
Telecommunications Firewall • A type of firewall that monitors incoming and outgoing voice traffic and selectively blocks telephone calls between different areas of a voice network. • Performs the following functions: • Prevents incoming calls from certain sources from reaching the PBX • Prevents certain types of outgoing calls from leaving the voice network • Can prevent all outgoing calls during specified time periods • Collects information about each incoming and outgoing call • Detects signals or calling patterns characteristic of intrusion attempts, immediately terminates the suspicious connection, and then alerts the system administrator of the potential breach
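An added example (not part of the original slides) of the calling-pattern detection listed above: it scans call records for one caller reaching many different extensions in rapid succession, the war-dialer behavior described under Remote Access. The record layout, phone numbers, 60-second window, and threshold of five extensions are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed call records: time, calling number, dialed extension, seconds connected.
CALLS = """\
2024-03-01T02:10:00,5550100,4001,3
2024-03-01T02:10:05,5550100,4002,2
2024-03-01T02:10:08,5550123,4002,180
2024-03-01T02:10:10,5550100,4003,3
2024-03-01T02:10:15,5550100,4004,2
2024-03-01T02:10:20,5550100,4005,4
2024-03-01T02:10:25,5550100,4006,2
2024-03-01T09:30:00,5550123,4002,240
"""

def flag_rapid_dialers(lines, window=timedelta(seconds=60), distinct=5):
    """Return {caller: (time flagged, extensions dialed)} for callers that reach
    `distinct` different extensions within `window`. Records must be time-ordered."""
    recent = defaultdict(deque)   # caller -> calls still inside the sliding window
    alerts = {}
    for line in lines:
        ts, caller, dialed, _seconds = line.strip().split(",")
        when = datetime.fromisoformat(ts)
        calls = recent[caller]
        calls.append((when, dialed))
        # Drop calls that have aged out of the window for this caller.
        while when - calls[0][0] > window:
            calls.popleft()
        targets = sorted({ext for _, ext in calls})
        if len(targets) >= distinct and caller not in alerts:
            # A telecommunications firewall would terminate the call and alert here.
            alerts[caller] = (when, targets)
    return alerts

if __name__ == "__main__":
    for caller, (when, targets) in flag_rapid_dialers(CALLS.splitlines()).items():
        print(f"ALERT {when.isoformat()} caller {caller} dialed {targets}")
```
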
Network Operating System • To begin planning client-server security, every network administrator should determine which resources on the server all users need to access. • Network administrators typically group users according to their security levels, as this simplifies the process of granting users permissions to resources. • Attention is needed to ensure that all security precautions are installed and that the network operating system is monitored. • Updates and security patches to servers’ NOS software should be performed or monitored to ensure the highest level of security is currently implemented.
Network Operating System • Restrictions on network resources may include: • Time of day - Use of logon IDs can be valid only during specific hours, for example, between 8:00 A.M. and 5:00 P.M. • Total time logged in - Use of logon IDs may be restricted to a specific number of hours per day. • Source address - Use of logon IDs can be restricted to certain workstations or certain areas of the network. • Unsuccessful logon attempts - As with PBX security, use of data network security allows administrators to block a connection after a certain number of unsuccessful logon attempts.
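An added example (not from the original slides) showing how the four logon restrictions above combine into one decision. The class names, the 10.20.0.0/24 workstation range, the nine-hour daily limit, and the three-failure lockout are hypothetical values; only the 8:00 A.M. to 5:00 P.M. window comes from the slide.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

@dataclass
class LogonPolicy:
    start: time = time(8, 0)                   # time-of-day window from the slide
    end: time = time(17, 0)
    max_daily: timedelta = timedelta(hours=9)  # assumed total-time limit
    allowed_nets: tuple = ("10.20.0.0/24",)    # assumed workstation range
    max_failures: int = 3                      # assumed lockout threshold

@dataclass
class Account:
    used_today: timedelta = timedelta(0)
    failures: int = 0
    locked: bool = False

def check_logon(policy, acct, when, source, password_ok):
    """Return (allowed, reason). Restrictions are checked before credentials,
    so a correct password never overrides a time or source restriction."""
    if acct.locked:
        return False, "locked"
    if not (policy.start <= when.time() < policy.end):
        return False, "time-of-day"
    if acct.used_today >= policy.max_daily:
        return False, "total-time"
    if not any(ip_address(source) in ip_network(n) for n in policy.allowed_nets):
        return False, "source-address"
    if not password_ok:
        acct.failures += 1
        if acct.failures >= policy.max_failures:
            acct.locked = True      # block further attempts on this logon ID
        return False, "bad-credentials"
    acct.failures = 0               # a successful logon resets the counter
    return True, "ok"
```
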
Firewall • Packet-filtering firewall - a device that operates at the Data Link and Transport layers of the OSI model.
Firewall • Traffic can be filtered based on criteria/policy: • Source and destination IP addresses • Source and destination ports • Use of the TCP, UDP, or ICMP transport protocols • A packet’s status as the first packet in a new data stream or a subsequent packet • A packet’s status as inbound or outbound to or from a private network
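An added example (not from the original slides) of a rule matcher that filters on each criterion listed above: addresses, ports, protocol, first-or-subsequent packet, and direction. The rule set and all addresses are constructed for illustration, and first-match-wins with a default deny is an assumption about rule ordering.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = range(0, 65536)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    first_in_stream: bool = True   # first packet of a new data stream
    inbound: bool = True           # entering the private network

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: range = ANY_PORT
    dport: range = ANY_PORT
    first_in_stream: object = None   # None matches either status
    inbound: object = None           # None matches either direction

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and p.sport in self.sport and p.dport in self.dport
                and self.first_in_stream in (None, p.first_in_stream)
                and self.inbound in (None, p.inbound))

# Constructed rule set for an assumed private network 192.168.10.0/24.
RULES = [
    Rule("allow", dst="192.168.10.20/32", proto="tcp", dport=range(443, 444), inbound=True),
    # A stateless filter takes the packet's own word that it continues a stream.
    Rule("allow", proto="tcp", first_in_stream=False, inbound=True),
    Rule("allow", src="192.168.10.0/24", inbound=False),
    Rule("deny", proto="icmp", inbound=True),
]

def decide(rules, pkt):
    """First matching rule wins; anything unmatched is denied."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None
```
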
Firewall • Factors to be considered when choosing a firewall: • Does the firewall support encryption? • Does the firewall support user authentication? • Does the firewall allow the network administrator to manage it centrally and through a standard interface? • How easily can you establish rules for access to and from the firewall? • Does the firewall support filtering at the highest layers of the OSI model, not just at the Data Link and Transport layers?
Proxy Servers • Proxy server (Gateway) - a specialized network host that runs a proxy service (software). • Proxy servers manage security at all layers of the OSI model. • On a network, a proxy server is placed between the private and public parts of a network. • Proxy service - a software application on a network host that acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic.
Cellular Network Security • Hackers intent on obtaining private information can find ways to listen in on cellular conversations. • Potentially more damaging than eavesdropping is cellular telephone fraud. • Cellular telephone cloning - occurs when a hacker obtains a cellular telephone’s electronic serial number (ESN), and then reprograms another handset to use that ESN. • To combat cloning fraud, cellular telephones that use CDMA and TDMA technology transmit their ESN numbers in encrypted form.
Wireless WAN Security • War driving - searching for unprotected wireless networks by driving around with a laptop configured to receive and capture wireless data transmissions. • Wired Equivalent Privacy (WEP) standard - a key encryption technique that assigns keys to wireless nodes. • Extensible Authentication Protocol (EAP) - defined by the IETF in RFC 2284. • Does not perform encryption. Instead, it is used with separate encryption and authentication schemes.