Computer and Network Security. Protecting Information Assets and Systems Dan Ryan Science Applications International Corporation. Trends.
Computer and Network Security Protecting Information Assets and Systems Dan Ryan Science Applications International Corporation
Trends • More information and more valuable information is being created, stored, processed and communicated using computers and computer-based systems and networks. • Computers are increasingly interconnected, creating new pathways to valuable information assets, and • Counterbalancing these positive trends, the threats to information assets and systems are becoming more widespread and more sophisticated.
Increasing Vulnerability • Productivity, and hence competitiveness, is inextricably tied to the increased use and connectivity of computers • Therefore, we are increasingly vulnerable to the corruption, destruction or exploitation of our valuable information assets and systems
Information Security • Information security is comprised of the technologies and methods we use to protect the • confidentiality (privacy), • integrity, and • availability of information and the computers, systems and networks that create, process, store and communicate our information.
Privacy • What information needs to be kept secret? • Military and diplomatic information • Personal information • Privileged information • Business secrets • Economic secrets • Geological, littoral or environmental information • How much protection is needed? • For how long must the information be kept secret?
Integrity • Information that cannot be trusted is worse than useless—it costs money and time to create and store, but provides no benefit • Non-repudiation: • Sender can prove message was received • Recipient can prove that sender sent the message • Both know that message was not changed en route Even more than privacy, integrity is vital to electronic commerce!
Availability • Information which is not available when required is of no use, even if its confidentiality is secure and its integrity intact • What information must we have readily available? • How readily must we be able to access the information? • Days? • Hours? • Minutes or seconds?
The Growing Threat • Meanwhile, the threat to our information and systems grows • How severe is the danger? • How widespread are such attacks? • How much damage do they do? • Are technology improvements diminishing the problem? • Is there potentially an Information Pearl Harbor in our future?
Computer Virii • 28,000 or more virii are in circulation today • 71 percent of all corporate networks admit to having been infected • Viruses are so pervasive that they have been detected in shrinkware shipped directly from the manufacturer • New ones crop up at a rate that exceeds twenty per week
But I Have An Antivirus Package • Antiviral packages are a valuable, even essential, part of a sound information security program, but they are not in and of themselves sufficient • Good backup procedures, beta sites and sound policies designed to reduce the likelihood of a virus attack are also necessary
Directed Threats • Directed threats are capable and willing adversaries who target the confidentiality, integrity and availability of our information assets and systems • Computer hackers, criminals, industrial or state-sponsored spies, enemy armed forces, terrorists, psychotics, drug lords or saboteurs • Outside threats versus inside threats • The most serious threat is inside
TEMPEST (Transient Electromagnetic Pulse Emanation Standard) • An attacker, using off-the-shelf equipment, can monitor and retrieve sensitive information that is being processed without the user being aware of the attack • Equipment may be designed to reduce or eliminate compromising emanations • Rooms in which equipment is located may be designed and built to shield equipment by containing electromagnetic radiation • TEMPEST-secure equipment or a screen room adds significantly to security costs
Social Engineering • Social engineering is the art of obtaining the information necessary to achieve access by subterfuge, by talking to lawful users or operators of systems and networks and asking for advice, assistance or other information that reduces the difficulty of penetration • The most successful social engineering attacks follow a period of intense research about the organization to be attacked and its systems • Attacks may take place over long periods of time
Business Protection Does Not Have To Be Expensive!! Protection of Information Assets • Protection • Steps taken to ensure that our information assets and systems keep information assets safe from disclosure, misuse or destruction • Detection • Steps taken to recognize that information assets are vulnerable or are under attack • Correction • Security Emergency Response Teams • Re-engineering to correct vulnerabilities
Protecting Information Assets and Systems • Protection in the wilderness - cryptography • Protection at the gates • Access control • Identification and Authentication • Firewalls • Protection inside the gates • Auditing and monitoring • Sound security policies, practices and procedures • Security training and awareness
Protect by Reducing Vulnerabilities • A vulnerability is some characteristic of a system or network that makes possible the disclosure, misuse or destruction of information assets by one or more threats • Vulnerabilities are often design flaws like weak and easily discoverable passwords on our computers and networks or easily penetrated access control mechanisms • Careful attention to the design of systems and networks can reduce or eliminate vulnerabilities • In general, security design enhancements are costly to retrofit, if it is possible to do so at all
Implement Countermeasures • Countermeasures are things we can do to the environment in which the system or network is operated to abate risk • All else being equal, more countermeasures mean less risk. • Guards can be hired, personnel subjected to background investigations or polygraph examinations, badges may be used to identify authorized personnel, procedures implemented in our computer systems and networks to back up databases and to enforce sound password practices, and so forth.
Cryptography • [Diagram] Plaintext "MEET ME AT DAWN" → Encrypt, using Encryption Key(s) → Ciphertext "QUDTVG SG CIUZ" → Decrypt, using Decryption Key(s) → Plaintext "MEET ME AT DAWN"
Symmetric Key Cryptography • [Diagram] Plaintext "MEET ME AT DAWN" → XOR with Key → Ciphertext "QUDTVG SG CIUZ" → XOR with Key → Plaintext "MEET ME AT DAWN" • Key: Pseudorandom Number Generator
Key Management in Symmetric Cryptography • The longer a key is used the more likely it is compromised • Keys can be lost, stolen, or sold • Keys can be discovered by cryptanalysis • All communicating parties must have a key • You have to know who you plan to exchange messages with • 100 people means 10,000 different keys are needed • All need the keys ahead of time • Protect from Compromise • The keys have to be kept secret • Keys are a problem to distribute and store securely
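The XOR scheme on the symmetric key slide and the key-lifetime point above, as an added example that is not part of the original slides: the same keystream encrypts and decrypts, and reusing it for a second message exposes the XOR of the two plaintexts. SHAKE-256 over key and nonce is an assumed stand-in for the slide's pseudorandom number generator; the key, nonces and second message are constructed.

```python
import hashlib

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption: SHAKE-256 over key || nonce stands in for the slide's
    # "pseudorandom number generator"; the key is a fixed 32 bytes.
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    return hashlib.shake_256(key + nonce).digest(length)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

decrypt = encrypt  # XOR with the same keystream undoes itself

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # Same key and nonce on both messages: the keystream cancels and the
    # result is p1 XOR p2, with no key material involved.
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    key = bytes(range(32))                           # constructed demo key
    p1, p2 = b"MEET ME AT DAWN", b"HOLD UNTIL NOON"  # constructed messages
    c1 = encrypt(key, b"msg-0001", p1)
    c2_bad = encrypt(key, b"msg-0001", p2)           # nonce reused
    c2_ok = encrypt(key, b"msg-0002", p2)            # fresh nonce
    assert decrypt(key, b"msg-0001", c1) == p1
    # Anyone who knows or guesses p1 can read p2 without the key.
    print(xor_bytes(reuse_leak(c1, c2_bad), p1))
    print(reuse_leak(c1, c2_ok) == xor_bytes(p1, p2))
```

XOR encryption on its own protects confidentiality only; it does not detect a ciphertext that was modified in transit.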
Public Key Cryptography • [Diagram] Plaintext "MEET ME AT DAWN" → Encrypt, using Encryption Public Key(s) → Ciphertext "QUDTVG SG CIUZ" → Decrypt, using Decryption Private Key(s) → Plaintext "MEET ME AT DAWN" • Mathematically related key pair
Digital Signatures • [Diagram] Plaintext "MEET ME AT DAWN" → Encrypt, using Encryption Public Key(s) → Ciphertext "QUDTVG SG CIUZ" → Decrypt, using Decryption Private Key(s) → Plaintext "MEET ME AT DAWN" • Mathematically related key pair
Electronic Commerce • Three levels of electronic commerce • Financial institution to financial institution ($1,000-$1,000,000,000) • Medium scale purchases ($10-$10,000) • Small scale purchases (< $100) • Other types of electronic commerce • EDI, JIT, etc. (orders, not money) • On-line contracts
Why Access Control Is Important • Access control mitigates most disclosure attacks • People, roles or processes can read objects only when the access control policy allows the read • Access control also mitigates most data integrity attacks • People, roles or processes can write to a file, or destroy it, only if the policy allows write or destroy. • Doesn’t help against denial of service attacks • Doesn’t protect from viruses
Identification and Authentication • Access control assumes we know who is behind the user-id • “Identification” is the process of determining what entity (person, role, or process) is attempting to initiate a specific action • “Authentication” is the class of techniques we use to ensure that identification is done properly and that the information has not been changed by a third party • Who you are (Your identity), What you know (password), What you have (token), What you are (biometrics)
Firewalls • A firewall is a computer that sits between your internal network and the Internet wilderness outside and mediates information exchanges according to criteria you establish • Firewalls are unnecessary if everything else is done well • “Firewalls are the wrong approach. They don’t solve the general problem and they make it difficult or impossible to do many things. On the other hand, if I were in charge of a corporate network, I’d never consider hooking onto the Internet without one.” Charlie Kaufman
Auditing and Monitoring • Auditing and monitoring of information transactions and activities on systems and networks is an essential component of security • Protection against successful penetration of systems and networks from outside • Protection against abuse of privilege by insiders • Impractical to monitor every keystroke • Look for security-relevant events • Analyze statistical patterns of use
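The last two bullets above as a two-step check, in an added example that is not part of the original slides: filter an audit trail down to security-relevant events, then compare each user's daily count with that user's own history. The log format, event names and sample lines are constructed assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict

# Assumed event names and line format; adapt both to the real audit source.
SECURITY_RELEVANT = {"login_failed", "privilege_change", "audit_log_cleared"}
LINE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) event=(?P<event>\S+)")
DAYS = ["2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04", "2024-03-05"]

def sample_log():
    """Constructed audit lines: per-user failed logins per day plus routine noise."""
    failures = {"alice": [1, 0, 1, 1, 1], "bob": [0, 1, 0, 0, 9]}
    lines = []
    for user, per_day in failures.items():
        for day, n in zip(DAYS, per_day):
            lines += [f"{day}T09:00:0{k}Z user={user} event=login_failed src=192.0.2.10"
                      for k in range(n)]
            lines.append(f"{day}T09:30:00Z user={user} event=file_read src=192.0.2.10")
    return lines

def daily_counts(lines):
    """Step 1: keep only security-relevant events, counted per user per day."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if m and m["event"] in SECURITY_RELEVANT:
            counts[m["user"]][m["day"]] += 1
    return counts

def anomalies(lines, days, threshold=3.0, min_history=3):
    """Step 2: flag days where a user exceeds their own baseline by `threshold` deviations."""
    flagged = []
    for user, per_day in daily_counts(lines).items():
        series = [per_day.get(d, 0) for d in days]
        for i in range(min_history, len(series)):
            history = series[:i]
            mean = statistics.mean(history)
            spread = statistics.pstdev(history) or 1.0  # floor for a flat history
            if (series[i] - mean) / spread >= threshold:
                flagged.append((user, days[i], series[i]))
    return flagged

if __name__ == "__main__":
    for user, day, count in anomalies(sample_log(), DAYS):
        print(f"review: {user} had {count} security-relevant events on {day}")
```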
Training and Awareness • Executive level • Due diligence required • Professional level • Sysops • Security personnel • Computer services personnel • Enterprise wide Everyone in the organization has a responsibility for security of information assets and systems!
React and Correct • Uninterruptible Power Supplies, Beta sites and Backups • Network triage • Security Emergency Response Teams • Properly trained • Properly equipped • Re-engineering to eliminate vulnerabilities or implement countermeasures
What You Can Do • First, acquaint yourselves with the nature and scope of the problems that arise because of our increasing dependence on automated on-line information systems • Second, provide yourselves an understanding of the steps that can and should be taken to abate the risks encountered when on-line operations are adopted as part of an organization’s technology infrastructure
Thank You! Dan Ryan Corporate Vice President Science Applications International Corporation 8301 Greensboro Drive McLean, Virginia 220102 703.748.5340 FAX 703.734.5960 Daniel.Ryan@cpmx.saic.com http://members.tripod.com/~Dan_Ryan/ To download a copy of the slides: http://members.tripod.com/~Dan_Ryan/CompSec.ppt