Security Requirements

Download Report

Transcript Security Requirements

IT for Decision Makers
Networking and Security
By Sam Fonua for UNESCO
2002
Presentation Overview
Background on Security
Why Security
Threats and attacks
The motives, techniques and methods
Vulnerability
Security Policies
Internet
“Information Super Highway”
A network of Networks
One of the Most Valuable Resources of
the Information Age
Provides Access to User Networks
Runs without Single Entity in Charge
What is a LAN (Local Area Network)?
A data communication network
Often confined to a single room, building
or adjacent buildings
In a Larger scale - WAN (Wide Area
Network)
Today’s Network Environment
Interconnectivity
Computer Security
3 Facts
 Computers are critical to fulfill your
organization’s mission
 There are defined threats to your computer
system
 Computer system are vulnerable
What are these threats…as perceived by
many?
Unauthorized users
 those that have access to information that
they are not suppose to gain access to.
“In 1999, some students at the University of the South
Pacific managed to get access to the system and
retrieve a list of all students email passwords. This
allowed them to send abusive messages to others
using other students email account”
What are these threats…as perceived by
many?
Careless employees
those that can change, modify or damage
data intentionally or unintentionally,
A government Information Technology officer in the
Tuvalu Government accidentally deleted the
content of one of the Government Computer’s
Hard Disk early this year which contain hundreds
of official documents …no backups!!!
backing up of important data is not considered
important in most developing countries including
Pacific Island Countries.
Perceived threats…?
Malicious Attackers
hackers: those that use hacking tools to gain
access to networks, usually to exploit
vulnerabilities.
It is known that most Internet services Providers
(ISPs) in Developing countries are still very much
insecure.
It took a while for the Tonga ISP (Kalianet) to realize
that there was a hole in their security system. Allowing
hackers to crack their password system and gain
access to the internet free of charge. Entry into the
server would give access to most of the nations
emails
Perceived threats…?
Virus Attackers
Virus attack comes in many forms and it
has become the most common and
frustrating threat to many organization and
countries - large or small.
 These are small programs designed and
developed to cause problems in computer and
network systems.
Nasty viruses have costs firms millions of dollars
in damages or in protection measures.
Note: Further readings on viruses on handouts
Redefining Security
What do we protect
Information
Later security include
Privacy
confidentiality, and
Integrity
An Example...
“Chinese Foreign Ministry spokesman Zhu Bangzao
rejected allegations that China stole U.S. nuclear secrets,
saying such claims are meant to undermine China-U.S.
relations. Meanwhile, a CIA-led task force was assessing
how much damage may have been done to U.S. national
security after a Chinese scientist at the Los Alamos
National Laboratory in New Mexico allegedly shared
nuclear secrets.”
Electronic Mail
Personal Computer
Local Area Networks
Satellite Systems
Electronic Funds Transfer
E-Commerce
Cellular Phones
Distributed Database
Video Teleconferencing
Problem:
Information Overload
1. National Level - Information
Infrastructure
Education
Energy distribution and supply
Entertainment
Financial
Health care
Information Distribution
National Security, emergency preparedness &
public safety
Transportation
Security Requirements
Are driven by threat & vulnerability...
Security terms
Confidentiality - Privacy
Most Governments in the Pacific are still using national /
commercial ISP email servers for their own email.
Did you know the ISP can read your email?
How do Governments protect individuals privacy from ISPs
Does your Government have adequate policies to protect
confidential electronic data / communications?
Security terms
Data Integrity - absolute verification that data has
not been altered.
“The tribunal in Fiji could not prove the integrity of an email
message claimed to be originated from a government
employee which stated that one of Fiji’s former Finance
Minister ( Mr. Ah Koy) was one of the people behind the
Fiji coup in 2000.”
Security terms
Availability - Assurance of service on Demand
“A large computer software company (ASI) caught by
surprise in Australia, when they could not access
most of their services in the network due to an
outbreak of the Nirmada virus- September 2001”
Security terms
Authentication - verification of originator
Authorization - only authorized user access to
sensitive data
What is at Risk
Banking/Financial
Power and Utility Distribution
Telephone System/Public Switched Network
Stock Exchange/Security Trading
Reserves and Social Security
Governments and Important companies
Research and Development
Air traffic Control system
Schools and higher Institution
Organizational Impact
Compromise And Loss of Data
Loss of Confidence in System
Loss of Money
Loss of Time
Repair or Replacement of Equipment
Consequences
Spectrum includes most functions that constitute
the underlying fabric of the nation
Degradation of any of these functions constitute
a threat to national security, economic wellbeing or public safety
Technology to inflict massive disruptions exists
and is growing in availability and sophistication
Threats to Computer Systems
Threats by People
Unintentional Employee's Action =>10 - 60%
Intentional Employee Action =>15 - 20%
Outside Actions =>1 - 3%
Physical and Environment Threats
Fire damage => 10 - 15%
Water Damage =>1 - 5%
Natural Disaster => 1%
Other => 5 - 10%
Security Threats
Human
Malicious
Natural Disasters
Non malicious
Flood Fire
Earth Quakes
Ignorant
Outsiders
Insiders
Crackers/Hackers
Disgruntled
Hurricanes
Motives and Methods
Some Examples
Threats
Motives/Goals
Methods
Security
Policies
 Employees
 Deny services
 Social engineering
 Vulnerabilities
 Malicious
 Steal information
 Viruses, Trojan horses, worms
 Assets
 Ignorant
 Alter information
 Packet replay
 Non-employees
 Damage information  Packet modification
 Information and
data
 Outside attackers  Delete information
 IP spoofing
 Natural disasters  Make a joke
 Mail bombing
 Floods
 Various hacking tools
 Earthquakes
 Hurricanes
 Riots and wars
 Show off
 Password cracking
 Productivity
 Hardware
 Personnel
Some common sabotage
Changing data
Deleting data
Destroying data
Crashing systems
Destroying hardware or facilities
Entering data incorrectly
Malicious attack
Deleting or altering information - revenge or
prove a point
Theft and Fraud
Disrupt Normal business
Malicious Attacker
“ Last year a disgruntled former employee of
ITC (Fiji Information Technology Centre) walked
in early one morning to the Suva office, in to the
main server room, login to the server and
changed all administrative passwords on the
servers, and then catch a flight to Australia. ITC
staff to their surprised could not logon to any of
the system….”
Computer Crime is on the Rise
What is required for an attack
motive
+
=
method
+
Attacks
vulnerability
How to gain access...
Hack Attack
Real Hacker Attacks on the increase
thousands of intrusions reported last year
Attacks averaging one or more a day
 Intruders now focus on Entire Network
rather than individual computer or even
systems
Most penetrations are not detected
Virus Definitions
trapdoors - A trap door is a hidden software or
hardware mechanism included by the author of a
software that permits system protection systems to
be bypassed. Allow unhindered access to the
attacker.
Logic bomb program that causes damage when
a certain event(s) takes place.
Trojan Horse - a computer program
that looks
like a normal program hidden inside another
program. Once the valid program runs the hidden
code starts and may damaged or delete files remember “Melissa”
VirusDefinitions
Virus - A program which infects other programs by
modifying them to include a copy of itself.
Bacterium - A bacterium sometimes called a
“chain letter” is a program which propagates itself by
electronic mail to everyone in the victim's mailing list.
Very common today
Worm - These are programs that run independently
and travel from computer to computer across network
connections
The worst Viruses
Melissa
Code Red and many more
These virus have cost Companies millions of
dollars
“The Fiji government main computer systems
was affected by the Melissa virus in 2000
disrupting services for almost 2 days .”
Sources of Malicious code infections
 Shareware - free software
Commercial Software Packages
Networks - email etc
Sabotage by Employees, terrorists,
Crackers, or Spies
Pirated Software
Public Domain Software
How vulnerable are we?
“Growing dependence on networks for
essential daily activities HIGHTENS Risk”
Network Vulnerabilities
Access by unauthorized users
Lack of physical control
General lack of monitoring/auditing features
Identification of dial in users
Failure to backup critical data
Sensitive to outside interference
Virus infection
National Infrastructure is at risk
Increased Connectivity results in greater
Vulnerability
Dependence on unprotected information
infrastructure creates serious operational
readiness risks
Defense Infrastructure and National Information
Infrastructure offer minimal defense against
unauthorized access and use
The results….
How do we protect ourselves?
Protective Measures
Prevention
Prevent information from being damaged, altered
or stolen
Detection
take measures to detect damaged, altered or
stolen data, how and who?
Reaction
take measures that will allow recovery, if data is
damaged or lost
Security Standards & definitions
INFOSEC - Information Systems Security
The protection of information system against
unauthorized access to or modification of information,
whether in storage, processing, transit, and against the
denial of service to authorized users or the provision of
services to unauthorized users, including those
measures necessary to detect, document, and counter
such threats
Security Standards & definitions
COMSEC - Communications Security
Measures and controls taken to deny unauthorized
persons information derived from telecommunications
and ensure the authenticity of such as
telecommunication, this includes cryptosecurity,
transmission, emissions, and physical security of the
COMSEC material
Security Standards & definitions
COMPUSEC - Computer Security
Measures and controls that ensure confidentiality,
integrity, availability of information processed and stored
in the computer
INFOSEC Concerns
Compromise
The disclosure of information to person(s) not
authorized to receive such data
Integrity
The assurance that computer resources operate
correctly and that the data is correct
Denial of Service (DoS)
Any action that prevents any part of a system from
functioning in accordance with its intended
purpose, causing unauthorized destruction,
modification, or delay of service.
Risk Management
INFOSEC is based on Risk
“You cannot protect Everything from everybody
all the time”
RISK = Threat * Vulnerability - Security
Key Question...
“How Much is Enough?”
The Balancing Act
Level of Security
Levels of security are related to sensitivity of Information
Information available to general Public (Internet)
Information available to system users
Information available to Departments
Information available to Other
Organization Administrators
Information and System
privileges available to
system Managers
Assurance
Assurance = establishing a secure
environment
Architecture
Specification/verification
Facilities management
Testing
Disaster recovery/contingency planning
Compliance
Risk Management
A systematic method to analyze security
risks and bring in cost effective
safeguards to reduce risk
In simpler terms
Decide what you need to protect
Decide what to protect it from
Decide how to protect it
Preventing Virus Infection
Never boot up a system from an unprotected
diskette
Never use untested software
Minimize file and software sharing
Prohibit use of unapproved software from any
source
Educate users on downloading suspicious
internet files or emails
Use known anti-virus program and updates
regularly
Faulty Software was used by the New York
Bank in 1985 for paying Bills was not
accepting incoming electronic $ resulting in
$3.1 Million Loss in one day
It costs millions of dollars for companies if
Data is lost, tempered, stolen or damaged.
Firewalls
Prevents Unauthorized ACCESS to
PROTECTED systems by placing a
barrier between the Internet and the
organization.
INTERNET
Configuration management & control
Data Life Cycle
Retention Policy
Destruction Policy
System Life Cycle
Application Change procedures
Backup Policy
Upgrades
Hardware
Standard Operating Procedures
Upgrades
Elements of a protective Plan
System Description
Three Dimensional Model
Critical Information Characteristic
 confidentiality, Availability & integrity
Information states
transmission, storage & processing
Security Measures
policy, awareness, training & education
Information System Security
COUNTERMEASURES
The triad
Technology
Policy & Practices
Awareness, Training & Education
Policy and Security
How an organization policy affects
security
Lack of policy leads to
improper care and use of
resources/information
Inefficient duplication of data & application
costs money
Policy Intent
Defines access to information
Outline destination controls - who
should/shouldn’t be allowed to read or write
National Network Security
Are national ISPs liable for breach of
privacy?
Is the illegal entry into a private computer
network a crime in your country?
Policy and Security (Con’t.)
Policy Derivation
Laws, Regulations, Organization Policy
Often a reaction to defined threats and
vulnerabilities
Defines procedures for introducing new
applications - e.g. Virus scan policy
Guide Policies
Can use pre-written “off the shelf” as
guides
e.g.
http://www.securitypolicy.co.uk/secpolicy/
http://csrc.nist.gov/isptg/html/
http://www.network-and-it-security-policies.com/
www.gipipolicy.org
Discussion Topics
Topic 1: Future Security - The 21st
security
Topic 2: Smart Card - Can you feel a lot
secure
Topic 3: Cyber attack - Is this a threat to
Pacific Islands
Thank You