Chapter 11 - Indiana State University
MIS 430 Chapter 11
Network Security
Chapter 11 Data Security
1
Mgt Focus 11-1: Western Union
9/2000: a hacker broke into Western Union and stole 15,700 credit card numbers
Caused by human error: a file was left unprotected after a web site revision
A routine security audit discovered the break-in and the site was shut down (5 days lost)
Cost over $1M!
I. Introduction
Some threats: see fig 11-2 p. 358
Data Center: hardware and software
Unauthorized access, copying, modification, destruction, theft
Errors and omissions
Files
Protection failure, destruction
Unauthorized access, copy, modify, destroy, theft
Offline input/output
Disaster, vandalism, fraud/theft/extortion, errors and omissions
Intro, contd.
More Threats …
Organization
Inadequate functional separation, lack of security responsibility
Personnel
Unauthorized access, inadequate safety, transportation exposure
External people
Dishonesty, gross error, incompetence
Physical security
Disaster, vandalism, fraud/theft/extortion
Data communications circuit
Network unavailable, illegal access, lost messages
Intro, contd.
More threats …
Client users
Masquerading, authorization bypass, unauthorized input/output, manipulation
Avg loss: $1M, but that is only the tip of the iceberg
Loss of consumer confidence costs much more than the lost business!
But business disruption due to lost applications is even more costly!!
Bank of America says a $50M loss if down 24 hours
Types of Threats
Disruptions: loss or reduction of network
services
Loss of circuits
Loss of data
Disasters that affect equipment
Unauthorized Access
Mostly employees, not hackers!
CERT: Computer Emergency Response Team from
Carnegie Mellon University http://www.cert.org/
ISU loss of 10,000 social security numbers
Network Controls
Control: mechanism to reduce or eliminate
threats to network security
Types of Controls
Prevention: stop act from occurring
Detection: reveal unwanted events
Correction: remedy unwanted event
Important: someone must be responsible for controls and security, including updates and making sure they are implemented correctly.
Tech Focus 11-1 (p. 361)
Less complex is better
Control’s cost should be equivalent to the risk it reduces
Preventing is better than detecting and correcting!
Adequate: just enough to protect the network
Automated controls are better than manual ones!
Controls apply to all!
Document overrides; overrides need controls
Control documents are confidential
Names, uses, and locations of network HW are private information
Controls ensure the network can be audited
Assume a hostile environment
Tech Focus, contd
Convey an image of high security by education and training
Controls provide separation of duties
Implement entrapment to ID bad guys
When a control fails, the network defaults to tight security: deny access
Controls still work when only one part of the network fails
Don’t forget the LAN! Central managers often just worry about the WAN
Always assume your opponent is smarter than you are
Always have insurance in case a control fails
II. Risk Assessment
Assign levels of risk to various threats
Compare nature of threats to controls
OCTAVE method http://www.cert.org/octave/
Control spreadsheet (fig 11-3, p. 362)
Assets (something of value) with priority in
parentheses
Threats in categories
Center includes controls now in use
Types of Assets (fig 11.4)
Hardware: servers, client computers, network
devices (hubs, routers, switches)
Circuits: LANs, BNs, contracted MAN and
WAN circuits, Internet access circuits
Network SW: server NOS, applications such
as mail server, web server
Client SW: OS, applications like Word, etc
Organizational data: DBs
Mission-Critical Apps: depends on the organization
Threat Likelihoods (fig 11.5)
Virus: 85%
Internet Hacker: 70%
Device Failure: 68%
Denial of Service (DoS): 60%
Theft of Equipment: 44%
Natural Disaster: 28%
Theft of Information: 9%
Fraud: 3%
From Insiders: 70% From Outsiders: 25%
Identify the Controls
After the spreadsheet (assets, threats) is done, work on the controls (see fig. 11-6 p. 366)
Disaster recovery plan: business continuity plan
Halon fire system in machine room; sprinklers
Not below ground level (beware of floods: Chicago)
UPS on major servers
Contract guarantees from interexchange carriers
Extra backbone fiber cable laid in different conduits
Virus checking software present on network
Extensive user training about viruses
Strong password software
Extensive user training about PW security
Application layer firewall
Evaluate Network’s Security
Evaluate the adequacy of existing controls as they relate to each threat
Done by an independent Delphi team, which makes the final decision
Small team (3-9 members), so decisions can be made and implemented quickly
Mgt Focus 11-2: Microsoft I
Microsoft’s web sites were the 3rd most visited
All down for 22 hours in Jan 2001 due to a technician’s error:
MS placed all 4 of its DNS servers on the same network segment
Tech loaded incorrect routing table information into the routers, and nobody could reach any DNS server
Had any one been on a different segment, no trouble!
MS lost $4M in ad revenue during the 22 hours
More was lost on sites like Expedia that sell services
Mgt Focus 11-3: World Trade Center Disaster Recovery
TradeWeb HQ on 51st floor: destroyed!
Changed DNS entry to refer to the London office to get back on the web
Rebuilding the database took longer
Allstate: lost NYC data center (but had a plan)
No network: onslaught of claims!
Had 25 LAN-in-a-box dial-up network kits from office LAN to headquarters; needed 24 more
Remaining offices back up in 4 days
III. Controlling DDD: Prevention
Use redundant hardware
UPS: American Power Conversion, www.apc.com
Fault tolerant server
Disk mirroring and RAID 1, 5 (not RAID 0)
Prevent natural disaster
Avoid basement rooms near rivers and oceans
State Farm data center: 6-foot-thick SW walls (tornado protection)
Install Halon fire prevention system (but Halon is being phased out)
http://www.epa.gov/ozone/snap/fire/qa.html
Decentralize network resources: multiple servers, data centers, even different parts of the country
Prevention Controls
Preventing Theft ($1B stolen annually)
Physical security methods for data center
Use security cables to attach HW to desks
Private security guards
Keep certain key network locations secret
Preventing viruses
Protect both servers and clients!
Macro viruses account for 75% of viruses
Use anti-virus software; update it weekly
Mgt Focus 11-4: NIMDA!
9-18-2001: NIMDA virus swept through Windows servers around the world
Attached to an email message; emailed itself to others in the Outlook address book
Also spread by servers, shared drives
Could get it through a browser click (Javascript)
Patches developed but it came back as variants. Ask me about my !@@!# servers
5 months later, still the most common attack – it was an attack suite: well written, tested
Prevention Controls
Preventing Denial of Service Attacks
Hacker floods the network with messages so that the server cannot handle its normal workload
Hackers use false IP addresses (IP spoofing)
Distributed DoS attack is more disruptive – the hacker controls many machines that all attack simultaneously
Defense: set up several servers around the world (like Microsoft has done)
Tech Focus 11-2: DoS Attack
Smurf attacks: flood with Ping ICMP requests
Fraggle attacks: similar to smurf but uses UDP echo requests
TCP SYN floods: requests to establish TCP connections
UNIX process table attacks: like TCP SYN
Finger of death attacks: flood with finger requests
DNS recursion attacks: spoof the from address to be within the organization
Mgt Focus 11-5: Microsoft Part 2
DDoS attack 1/2001 caused MS to redesign its networks
Hacker gained control of a large number of computers, implanting DDoS software
SW targeted MS DNS servers, not web or mail
By focusing on the routers on the segment containing the DNS servers, brought the net to a crawl
MS then put its 4 DNS servers on separate network segments
MS contracted with Akamai.com to hold its most popular web pages around the world
Pages served from the Akamai server closest to the customer, reducing response time and providing redundancy
Controlling DDD: Detecting
Network management software should notify management of problems
Can send alerts via email or even to pagers
Major problems are easier to detect than minor ones
Network should log performance data, which can then be compared to current performance
Caterpillar bulldozer agent: avoid any unplanned downtime
Software agents and sniffers look for out-of-bounds measurements
Contact the command center to report possible trouble
Controlling DDD: Correcting
Disaster Recovery Plan
Remember the United DC-10 that lost hydraulics and crash-landed in Iowa City?
Iowa City’s DRP helped save lives!
Provides various levels of response to a number of possible disasters
See fig 11-7 p. 373 for the elements of a DRP
Managers (2), staff duties, priorities for what is done first, locations of spares, data comm recovery, manual procedures, testing methods, backups, actions for certain scenarios
Controlling DDD: Correcting
Disaster Recovery Plans
Good backups don’t mean the data can be used!
Disaster recovery drills are important
Two levels: internal redundancy, outsourced DR service
Cold site: storage of data and applications
Hot site: dedicated equipment that is ready to run your applications seamlessly
http://www.disasterrecoveryworld.com/ for checklists, etc.
Disaster Recovery Journal http://www.drj.com/
IV. Controlling Access
Unauthorized access is the 2nd main problem
Types of intruders
Casual hackers with limited knowledge of the computers they encounter (script kiddies)
Experts in security who enjoy the challenge (crackers)
Professional hackers who break in for a specific purpose (most dangerous kind)
Organization employees with legitimate access who gain access to information they are not authorized to use (most common kind of security breach)
Preventing Unauthorized Access
Be proactive! Routinely test security before the intruder does
Don’t keep extremely sensitive data online
Store it in networks that are isolated from other networks
Security policy: define the important assets and the policies to access them; see fig 11-8 p. 376
Manager; incident reporting system; risk assessment with priorities; effective controls at major access points; use the minimum number of controls to reduce inconvenience; acceptable use policy; procedure to monitor changes to network devices; routine training plan for users; routine test plan; annual security audit
Security Policy
Security policy should define what employees should and should not do
Password policies: don’t post, don’t tell, change frequently, minimum length, cannot reuse a previous password
Use combinations of letters and numbers
Use upper and lower case: go4iT
See next slide for more hints
Apply different controls to different data items
Mgt Focus 11-10: Passwords
A good password is easy to remember, hard to guess
Don’t use birthdays, anniversaries, pet names, family names: they are easy to guess
At least 7 characters; change at least every 90 days; include numbers and some capital letters
Hot apple pie with ice cream and cheese: haPwicAc
ISU policy: www.indstate.edu/adminaff/handbook/SectionV.pdf p. 14
Change system PW every 90 days, user PW every 180 days
Don’t use the same password for non-ISU accounts!
Don’t put a PW in (plain text) email
Use strong passwords: >=8 characters, not in a dictionary, upper and lower case characters, a punctuation symbol, not based on personal or family information
Don’t write it down anywhere or share it
Use a pass phrase for public key encryption
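An added example, not from the lecture or the ISU handbook: a checker that applies the ISU strong-password rules listed above to candidate passwords. The DICTIONARY and PERSONAL_INFO lists are tiny constructed stand-ins for a real word list and a user's own profile data.

```python
import string

# Added example: checker for the ISU strong-password rules on the slide.
# DICTIONARY and PERSONAL_INFO are constructed stand-ins for real data.
DICTIONARY = {"password", "welcome", "secret", "letmein", "sycamore"}
PERSONAL_INFO = ["fluffy", "smith", "1990"]   # pet name, family name, birth year


def check_password(pw, dictionary=DICTIONARY, personal=PERSONAL_INFO):
    """Return the list of ISU rules the password violates; empty means it passes."""
    low = pw.lower()
    # Strip digits/symbols so "Password1!" is still caught as a dictionary word.
    core = "".join(c for c in low if c.isalpha())
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if core in dictionary:
        failures.append("dictionary word (even with digits/symbols added)")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("needs both upper and lower case")
    if not any(c in string.punctuation for c in pw):
        failures.append("needs a punctuation symbol")
    if any(item.lower() in low for item in personal):
        failures.append("based on personal or family information")
    return failures


def is_strong(pw, **kw):
    """True when the password meets every rule."""
    return not check_password(pw, **kw)
```

Run against the slides' own samples, go4iT and haPwicAc both fail the ISU rules (too short and missing punctuation, respectively), which is worth knowing before reusing them as teaching examples.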
User Profiles
Specifies for each user what data and network resources they can access
How they can access them (R, W, C, D)
When they can access the resources (days, times, locations)
How many incorrect log-ins are permitted
Group profiles: shared permissions
Physical Security
Biometrics: finger prints, hand geometry, face geometry, iris prints, retina scans
Smart cards: embedded microprocessor with a clock that constantly changes PWs
Computer locks: hardware, software PWs
Hide cables behind walls and ceilings
Alarm systems
USAF uses pressurized cables that show a break-in and sound an alarm
Locked wiring closets for routers, hubs, etc.
Dial-In Security
This is a major security risk!
Change phone numbers periodically
Change dial-up PW periodically
One-time PWs
Use smart card PW
Require call backs to designated place
Use embedded ID chip in computer that dials
Use VPNs – encrypted sessions
Firewalls
Sits between the network and the outside world
Examines packets as they enter/leave the network
HW (router) or SW varieties of firewalls
Packet-level firewall: examines the source and destination IP addresses of each packet
Application-level firewall: intermediate host that authenticates; more complex
IP spoofing: hacker changes the actual source IP address to a “good” one that is not stopped
Tech Focus 11-4: Packet Level Firewalls
Could delete any packets coming from a different subnet or different network
Could delete packets from certain IPs
Could keep certain types of packets from reaching the network (FTP, Telnet, etc.)
Software is constantly updated
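An added example, not from the lecture: a packet-level filter that applies the three kinds of rule listed above (source subnet, specific source IPs, service type by port) together with the "default to deny" principle from Tech Focus 11-1. The inside network, block list, allowed ports and sample packets are all constructed for the demo.

```python
import ipaddress

# Added example: packet-level filter. Networks, lists and ports are constructed.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
BLOCKED_SOURCES = {ipaddress.ip_address("203.0.113.9")}
BLOCKED_PORTS = {21: "FTP", 23: "Telnet"}      # services kept off the network
ALLOWED_PORTS = {80: "HTTP", 25: "SMTP"}       # services explicitly let in


def filter_packet(src_ip, dst_port, arrived_on="outside"):
    """Decide ('accept' | 'drop', reason) from source address and destination
    port only, which is all a packet-level firewall looks at."""
    src = ipaddress.ip_address(src_ip)
    # Anti-spoofing: a packet on the outside interface must not claim an
    # inside source address (the IP spoofing point on the Firewalls slide).
    if arrived_on == "outside" and src in INSIDE_NET:
        return "drop", "inside source address arriving from outside"
    if src in BLOCKED_SOURCES:
        return "drop", "source on block list"
    if dst_port in BLOCKED_PORTS:
        return "drop", f"{BLOCKED_PORTS[dst_port]} not allowed in"
    if dst_port in ALLOWED_PORTS:
        return "accept", ALLOWED_PORTS[dst_port]
    # Tech Focus 11-1: when nothing explicitly permits a packet, deny it.
    return "drop", "no rule matched (default deny)"


def run_sample():
    """Constructed sample packets as (source, destination port) pairs."""
    sample = [("198.51.100.7", 80),    # ordinary web request
              ("198.51.100.7", 23),    # Telnet: blocked service
              ("203.0.113.9", 80),     # blocked source
              ("192.168.1.4", 80),     # spoofed inside address
              ("198.51.100.7", 8080)]  # no rule: default deny
    return [filter_packet(s, p)[0] for s, p in sample]
```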
NAT: Network Address Translation
(previously covered)
This is cool: you can share 1 IP address across several computers on the network
Translates between a set of private IP addresses inside the network and the outside proxy IP address
Ex: outside IP is 139.102.180.36. Inside IP addresses are 192.168.1.1 through 192.168.1.5 (local, private IP addresses)
Could also use the 10.X.X.X IP range
NAT device (proxy server) has two NICs – one inside and the other outside the firewall
More NAT
When an inside client makes a request, its IP address and a unique port number are placed in the packet, then the packet is sent to the NAT server
Server remembers that port number, replaces the internal IP address with the outside IP address, then sends the packet along to the Internet
When the return packet appears, it contains the unique port number; the server substitutes the inside IP address of the computer with that port and passes the packet to the inside network
Slower, but very nice to share one IP address!!
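An added example, not from the lecture: a small simulation of the translation steps described on the two NAT slides. The addresses are the slide's own (outside 139.102.180.36, inside 192.168.1.1 through 192.168.1.5); the port numbers, the destination server and the packet layout as a dict are constructed for the demo.

```python
# Added example: NAT translation table. Ports and peers are constructed values.
OUTSIDE_IP = "139.102.180.36"
INSIDE_NET = "192.168.1."          # inside hosts 192.168.1.1 .. 192.168.1.5


class NatDevice:
    """Two-NIC NAT box: rewrites the source going out and the destination
    coming back, keyed on a unique outside port it hands out per request."""

    def __init__(self, outside_ip=OUTSIDE_IP, first_port=40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table = {}            # outside port -> (inside ip, inside port)

    def outbound(self, pkt):
        """Packet leaving the inside network: remember (inside ip, port)
        under a fresh outside port and rewrite the source fields."""
        if not pkt["src_ip"].startswith(INSIDE_NET):
            raise ValueError("outbound packet must come from the inside network")
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = (pkt["src_ip"], pkt["src_port"])
        out = dict(pkt)
        out["src_ip"], out["src_port"] = self.outside_ip, ext_port
        return out

    def inbound(self, pkt):
        """Return packet from the Internet: look the port up and restore the
        inside address. Unknown ports are dropped (None), which is why an
        outside host cannot reach an inside machine on its own."""
        if pkt["dst_ip"] != self.outside_ip:
            return None
        entry = self.table.get(pkt["dst_port"])
        if entry is None:
            return None
        back = dict(pkt)
        back["dst_ip"], back["dst_port"] = entry
        return back


def demo():
    """One request/reply pair through the NAT plus one unsolicited packet."""
    nat = NatDevice()
    req = {"src_ip": "192.168.1.3", "src_port": 5123,
           "dst_ip": "198.51.100.10", "dst_port": 80}      # constructed server
    out = nat.outbound(req)
    reply = {"src_ip": out["dst_ip"], "src_port": 80,
             "dst_ip": out["src_ip"], "dst_port": out["src_port"]}
    back = nat.inbound(reply)
    stray = nat.inbound({"src_ip": "203.0.113.9", "src_port": 1234,
                         "dst_ip": OUTSIDE_IP, "dst_port": 22})
    return out, back, stray
```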
DMZ (Demilitarized Zone)
DMZ is the network behind the firewall
Open a hole in the firewall to some of the computers
Contains some but not complete security
Can have better protected internal networks inside the DMZ that are fully protected
Use the DMZ for servers that need partial access to/from the outside world
Security Holes
A bug that permits unauthorized access; word of it quickly circulates on the Internet
Ex: I left anonymous FTP turned on and left FTP write access on
This allowed hackers to store huge amounts of MP3 and illegal files in the FTP area of the server
Solution: turn off anonymous FTP access, but still allow Write for authenticated FTP sessions
Real solution: do MS Critical Updates and keep servers and clients current!!!
Encryption History
Germans used the Enigma Machine during WW II – we broke the code
Looked like a typewriter with 3 or 4 code wheels
We also broke the Japanese code in WW II
US used the Navajo Code Talkers who spoke in their native language – never broken!
Plain text vs. cipher text
Key needed to “unlock” the cipher text into plain text
Symmetric Encryption
Use a mathematical algorithm to disguise the plain text
Good encryption does not require that the algorithm be kept secret, only the keys
DES: Data Encryption Standard
Symmetric: uses the same key to encrypt and decrypt
Asymmetric: encrypt and decrypt keys are not the same
DES’s 56-bit key was broken in 22 hours using 10,000 PCs distributed over the Internet
3DES: uses DES 3 times, much harder to break
RC4: up to 256-bit key; still can be broken
A version of RC4 is available in MS Excel for a file: Tools | Options | Security
Can set a password, assign a digital signature
Public Key Encryption
PKI: set of HW, SW, organizations, and policies to make public key encryption work
Two keys, 512 or 1024 bits long!
Public key is used to encrypt the message
Will have a different public key for each destination organization
Private key is used to decrypt the message and is known only to the destination
Could encrypt with the private key and decrypt with the public key to trace the original sender
Other Encryption
PGP – Pretty Good Privacy
Freeware public key software where users post their public key on a web page
Someone sends that user a secret message encrypted with that public key
SSL – Secure Sockets Layer
Used to encrypt web pages for credit card data
Creates a public/private key on the fly for the session
Much slower than a regular web page, though!
Done by the web server hosting the page
More Encryption
IPSec: IP Security Protocol
Like SSL but focused on more than just Web activities
IPSec sits between IP at the network layer and TCP/UDP at the transport layer
Two parties use Internet Key Exchange to decide on the encryption technique and public/private keys
Tunnel mode: IPSec encrypts the entire IP packet and encapsulates it in another packet; this cloaks the actual sender and destination. Used with VPN sessions
Detecting Unauthorized Access
IDS: Intrusion Detection System
Network-based IDS
Host-based IDS
Application-based IDS
Techniques
Misuse detection: compares monitored activities with signatures of known attacks
Anomaly detection: compares monitored activities with the normal set of activities (e.g., a flood of Pings)
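An added example, not from the lecture: both IDS techniques above run over a constructed log. Misuse detection matches signatures (one of them written for the anonymous-FTP write abuse from the Security Holes slide); anomaly detection compares per-source ping counts against a normal baseline to catch the flood of Pings the slide mentions. The signatures, the baseline value and every address and log line are made up for the demo.

```python
import re
from collections import Counter

# Added example: two IDS techniques over constructed log lines.
SIGNATURES = {
    # anonymous FTP user uploading a file (the Security Holes incident)
    "anonymous FTP upload": re.compile(r"FTP .*USER anonymous .*STOR"),
    "finger request": re.compile(r"\bfinger\b"),
}
NORMAL_PINGS_PER_SOURCE = 5        # constructed baseline from a "normal" period
PING = re.compile(r"ICMP echo-request (\S+) ->")


def sample_log():
    """Constructed log: one source sends 9 pings, another 2, plus an
    anonymous FTP upload and one ordinary web request."""
    lines = [f"10:00:0{i} ICMP echo-request 203.0.113.5 -> 139.102.180.36"
             for i in range(9)]
    lines += ["10:00:02 ICMP echo-request 198.51.100.7 -> 139.102.180.36"] * 2
    lines += ["10:00:03 FTP 203.0.113.9 -> 139.102.180.36 USER anonymous STOR song.mp3",
              "10:00:04 TCP 198.51.100.8 -> 139.102.180.36:80 GET /index.html"]
    return lines


def misuse_detection(lines, signatures=SIGNATURES):
    """Misuse detection: report every line matching a known-attack signature."""
    return [(name, line) for line in lines
            for name, pat in signatures.items() if pat.search(line)]


def anomaly_detection(lines, baseline=NORMAL_PINGS_PER_SOURCE):
    """Anomaly detection: count pings per source and report any source that
    exceeds the normal level as a possible ping flood."""
    counts = Counter(m.group(1) for m in map(PING.search, lines) if m)
    return {src: n for src, n in counts.items() if n > baseline}
```

The two methods are complementary: the FTP line never trips the ping baseline, and the ping flood matches no signature, so a real deployment runs both.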
Correcting Unauthorized Access
Have a “SWAT” team to call into action
Computer forensics uses computer analysis techniques to gather evidence for criminal prosecution
Criminal law has been slow to keep up with computers and the Internet
Companies use entrapment techniques to bait hackers to a false network (like the fake deer near the highway)
This special server has sophisticated SW to monitor access and gather evidence for prosecution!
Called a “honey pot”
For More Information …
Enroll in Dr. Moates’ Computer Security class (MIS 475)
NIST CSRC web page http://csrc.nist.gov/
CERT Coordination Center http://www.cert.org/
Microsoft Security & Privacy site http://www.microsoft.com/security/