Transcript Document
THE NEED FOR NETWORK SECURITY Thanos Hatziapostolou PRESENTATION OBJECTIVES Understand information security services Be aware of vulnerabilities and threats Realize why network security is necessary What are the elements of a comprehensive security program The Need for Web Security 2 TRENDS FOR INFORMATION More information is being created, stored, processed and communicated using computers and networks Computers are increasingly interconnected, creating new pathways to information assets The threats to information are becoming more widespread and more sophisticated Productivity, competitiveness, are tied to the first two trends Third trend makes it inevitable that we are increasingly vulnerable to the corruption or exploitation of information INFORMATION IS THE MOST VALUABLE ASSET The Need for Web Security 3 Information Security Services Confidentiality Integrity Authentication Nonrepudiation Access Control Availability The Need for Web Security 4 Information Security Services Confidentiality Maintaining the privacy of data Integrity Detecting that the data is not tampered with Authentication Establishing proof of identity Nonrepudiation Ability to prove that the sender actually sent the data Access Control Access to information resources are regulated Availability Computer assets are available to authorized parties when needed The Need for Web Security 5 What Is The Internet? Collection of networks that communicate with a common set of protocols (TCP/IP) Collection of networks with no central control no central authority no common legal oversight or regulations no standard acceptable use policy “wild west” atmosphere The Need for Web Security 6 Why Is Internet Security a Problem? Security not a design consideration Implementing change is difficult Openness makes machines easy targets Increasing complexity The Need for Web Security 7 Common Network Security Problems Network eavesdropping Malicious Data Modification Address spoofing (impersonation) ‘Man in the Middle’ (interception) Denial of Service attacks Application layer attacks The Need for Web Security 8 Security Incidents are Increasing High Sophistication of Hacker Tools Technical Knowledge Required Low 1980 1990 The Need for Web Security 2000 -from Cisco Systems 9 HACKED WWW HOMEPAGES CIA HOMEPAGE DOJ HOMEPAGE HOMEPAGE USAF The Need for Web Security 10 11/29/96 Problem is Worsening Code Red 60000 50000 Anna Kournikova Melissa & ILOVEYOU 40000 Tequila 30000 Badtrans Nimba Good Times 20000 Jerusalem Michelangelo The Need for Web Security 2001 2000 1999 1998 1997 1996 1995 1994 1993 1992 1991 1990 1989 Source: CERT® Coordination Center Carnegie Mellon 1988 10000 11 VIRUSES Risk Threat Discovered TROJ_SIRCAM.A New !! W32.Navidad 11/03/2000 W95.MTX 8/17/2000 W32.HLLW.QAZ.A7/16/2000 VBS.Stages.A 6/16/2000 VBS.LoveLetter 5/04/2000 VBS.Network 2/18/2000 Wscript.KakWorm 12/27/1999 W32.Funlove.4099 11/08/1999 PrettyPark.Worm 6/04/1999 Happy99.Worm 1/28/1999 The Need for Web Security Protection Latest DAT 11/06/2000 8/28/2000 7/18/2000 6/16/2000 5/05/2000 2/18/2000 12/27/1999 11/11/1999 6/04/1999 1/28/1999 12 Consider that… 90% of companies detected computer security breaches in the last 12 months 59% cited the Internet as the most frequent origin of attack 74% acknowledged financial losses due to computer breaches 85% detected computer viruses Source: Computer Security Institute The Need for Web Security 13 WHO ARE THE OPPONENTS? 49% are inside employees on the internal network 17% come from dial-up (still inside people) 34% are from Internet or an external connection to another company of some sort HACKERS The Need for Web Security 14 HACKER MOTIVATIONS Money, profit Access to additional resources Experimentation and desire to learn “Gang” mentality Psychological needs Self-gratification Personal vengeance Emotional issues Desire to embarrass the target The Need for Web Security 15 Internet Security? Replay Attack Spoofing The Need for Web Security 16 What Do People Do When They Hear All These? Take the risks! But there are solutions Ignoring the situation is not one of them The Need for Web Security 17 THE MOST COMMON EXCUSES No one could possibly be interested in my information Anti-virus software slows down my processor speed too much. I don't use anti-virus software because I never open viruses or e-mail attachments from people I don't know. So many people are on the Internet, I'm just a face in the crowd. No one would pick me out. I'm busy. I can't become a security expert--I don't have time, and it's not important enough The Need for Web Security 18 SANS Five Worst Security Mistakes End Users Make 1. 2. 3. 4. 5. Opening unsolicited e-mail attachments without verifying their source and checking their content first. Failing to install security patches-especially for Microsoft Office, Microsoft Internet Explorer, and Netscape. Installing screen savers or games from unknown sources. Not making and testing backups. Using a modem while connected through a local area network. The Need for Web Security 19 SECURITY COUNTERMEASURES THREE PHASE APPROACH PROTECTION DETECTION RESPONSE The Need for Web Security 20 ELEMENTS OF A COMPREHENSIVE SECURITY PROGRAM Have Good Passwords Use Good Antiviral Products Use Good Cryptography Have Good Firewalls Have a Backup System Audit and Monitor Systems and Networks Have Training and Awareness Programs Test Your Security Frequently The Need for Web Security 21 CRYPTOGRAPHY Necessity is the mother of invention, and computer networks are the mother of modern cryptography. Ronald L. Rivest Symmetric Key Cryptography Public Key Cryptography Digital Signatures The Need for Web Security 22 Firewall A system or group of systems that enforces an access control policy between two networks. PC Servers Visible IP Address Internal Network Host The Need for Web Security 23 The Need for Web Security 24 THANK YOU I have questions… The Need for Web Security 25