Transcript Addressing security threats and vulnerabilities

Security fundamentals
Topic 1
Addressing security threats and
vulnerabilities
Agenda
•
•
•
•
•
•
Goals of security
Risk assessment
Common threats
Types of attacks
Common defences
Security guidelines
Goals of security
• Confidentiality – Ensures that information is
accessed only by those who are authorized to do so
• Integrity – Ensures that the information is modified
or deleted only by those who are authorized to do so
• Availability – Ensures that information and
equipment can be used only by those who are
authorized to do so
• C-I-A triad
– Trade-offs
Basic steps of risk assessment
1. Identifying assets, such as computers or data
2. Assigning a value to the assets
3. Assigning a likelihood that an event will occur
that could cause loss or damage
4. Assigning values to that risk based on both
the possible damage and the likelihood that
an event will occur
Identifying assets
Take an inventory of tangible and intangible
assets.
• Tangible Assets – Physical items that the
business owns, IT equipment, network,
servers, desktops, applications, databases,
procedures
• Intangible Assets – Goodwill, intellectual
property, patents, copyrights, and trademarks,
logos, reputation
Method
Assign a value to the assets:
1. For tangible assets get the initial cost and adjust for
depreciation
2. Make an estimate based on market value
3. Estimate of the value of revenue that could be
generated from the asset
4. Compare to a similar asset’s value
Assign a likelihood that an event will occur that could cause
loss or damage:
– Use a scale such as high, moderate, low
Assign values to a risk based on both the possible damage
and the likelihood that an event will occur:
– Prioritise your risks
Key security terms
1.
2.
3.
4.
5.
6.
7.
Risk
Threat
Vulnerability
Risk acceptance
Risk transfer
Risk avoidance
Risk mitigation
Risk management
• Identify the risks
–
–
–
–
List assets
Assign value to assets
Likelihood of damage
Assign priority
• Identify threats
• Identify vulnerabilities
– Where are the weaknesses?
• Minimise risk
– Minimise weakness by taking preventative steps
• Review
Identifying threats
Disasters
• Natural disasters – eg flood, earthquake, fire
• Man made disasters – eg arson, loss of power
• Mishap – eg accidental deletion of data, misconfiguration
Threats from attack
– An attempt to bypass security controls
– To defend from these threats you must understand the
technology
How severe will the impact be?
What is the likelihood of the event happening?
Threats from attack
• Specific to business – DoS attack on the
company Web Server
• Threats that are not directed – DDoS
• Widely known threats – worms, viruses
• External threats – originates from outside the
company (not the network)
• Internal threats – originates from within the
company (eg technically savvy users)
Intrusion points
Physical access points
– Access to the media (cable, devices, storage)
– Security guards and locks and cameras
Access points via the network
–
–
–
–
Wireless
Dial-in via phone lines
Hacking through security controls
Internet
Data disposal
– Printed material
– Laptops and hard drives
Attack sources
It is your responsibility to both defend against
possible attacks and detect successful attacks.
• White hats: ethical security experts looking for
vulnerabilities
• Black hats: hackers/crackers
– Expert: finding areas of weakness
– Intermediate: programmers creating exploits from the
vulnerabilities
– Novice: script kiddies
– What motivates them?
Identifying attacks
Scanning
–
Ping and port scans – is there an IP and an open port?
Fingerprinting
–
What OS, applications and services are running, what versions
and protocols?
Denial of Service (DoS)
–
Shutting down or overloading a service so it becomes
unavailable
Spoofing
–
Disguising the source (IP, email or others)
Identifying attacks
Source routing
– Route is specified in packet header and bypasses controls
Man-in-middle
– Messages are intercepted and reviewed or altered before
being sent on to destination
Back door
– Unknown and undocumented way to access a program or
system
• Left in by developers
• Installed by hackers
Identifying attacks
Password guessing
–
–
–
–
–
–
–
–
Default passwords
Blank passwords
Easy to guess passwords
Short passwords
Common words
Automated scripts to find password hashes
Dictionary attack
Brute force attack
Identifying attacks
Replay attack
– Intercepting and recording a connection setup and
replaying at a later time to gain authorised access
Encryption breaking
– Breaking the encryption algorithm or guessing the key
used by the algorithm
Hijacking
– Taking over an existing connection- sending packets as if
from source
Malicious code
– Viruses, worms and trojans
Identifying attacks
Software exploitation
– Buffer overflow attack
– Cross site scripting – inserting malicious HTTP code on a
webpage
Social engineering
– Manipulating people by exploiting their ignorance, fears or
willingness to help
– Impersonation, piggybacking entry into restricted areas
– This is the most difficult to prevent
Defending against threats
Defence in depth
• Must include multiple elements
• Layered defence
• Hacker must overcome multiple defence
checks
• Each defence check is monitored and
alarmed
Defending against threats
Secure the network infrastructure
– Network Access Control
– Secure Communications Protocols
– System hardening – systems, applications and resources
(files and databases)
Authenticating users
–
–
–
–
–
Passwords
Biometrics
Certificates
Tokens
Smart Cards
Auditing
– Monitoring operations – intrusion detection, logs
Basic security guidelines
Physical security
– Locks, facility access controls, surveillance
– Circumvention threats, using bootable media to access
hard drives, key loggers
Trust
– Trusting administrators
– Trusting certificates
– Servers trusting servers
Privilege levels
– Principle of least privilege
– Standard, admin and root accounts
Maintaining documentation
Document all procedures related to
systems security:
– Planning
– Policies
– Configurations
– Monitoring and reporting
– Archiving
Lesson summary
Addressing security threats and vulnerabilities
– Goals of security
– Risks, threats and vulnerabilities
– Risk assessment
– Common threats
– Types of attacks
– Common defences
– Basic security guidelines