What is the level of Security Threat then


Security Trends
This chapter presents the following:
- Evolution of computing and how it relates to security
- Different areas that fall under the security umbrella
- Politics that affect security
- Introduction of information warfare
- Examples of security exploits
- A layered approach to security
Evolution of Computing

How did security become an issue?
- The era of 'MAINFRAMES', roughly 25 years ago:
  - Connectivity through DUMB TERMINALS with limited functionality: a 'closed environment'
  - Few individuals had operating knowledge
  - No point-and-click utilities
- The era of 'MAINFRAMES' (continued):
  - Dependence on 'MAINFRAMES' grew
  - Due to limited time and functionality, productivity was low
- What was the level of security threat then ... ??
- The era of 'CLIENT SERVERS':
  - Initially limited processing on the end-user PC, with the key processing on the server
  - Later the PC became more capable; PCs communicated with mainframes via servers (Figure 2.1)
- The good things in life often have a darker side!!
- The era of 'CLIENT SERVERS' (continued):
  - Companies realized that employees have to be protected from themselves
  - Need for a layered approach between individuals, the OS and data
- Lovely story, but what does it mean for security?

Computers are tools. Just as a knife can be a useful tool to cut meat
and vegetables, it can also be a dangerous tool in the hands of
someone with malicious intent.
“The level of dependence and the extent of integration that
technology has attained in our lives have made security a
much more necessary and essential discipline”.
Security Trends
“Computer security is a marathon to be run at a
consistent and continual pace. It is not a short sprint,
and it is not for those who lack dedication or
discipline.”
Areas of Security

Security has a wide base that touches on several different areas.
Technology, hardware, people, and procedures are woven together as a security fabric, as illustrated in Figure 2.2.
Benign to Scary!!

Computers and networks touch every facet of modern life:
- Communication
- Funds transfers
- Utility management
- Government services
- Military action / defense systems

Technology is abused for illegal and malicious activities.

Information warfare?
- In the early days, hackers carried out activities to impress their peers
- Now, hacking for 'fun' has been replaced by hacking with profit-driven motives
- Individuals are hired by organized crime rings for illegal objectives
- In many cases, the greatest damage to the organization is to its reputation and consumer confidence
- Targeted information includes:
  - Product blueprints
  - Financial information
  - Business contracts, etc.
Evidence of the Evolution of Hacking

www.cybercrime.gov.pk

Some of the attacks that have made headlines:

In July 2009 one of the gadgets that most of us are addicted to, the BlackBerry, was compromised. Hackers sent a piece of code that BlackBerry owners thought was a safe update for the Java code that runs on this device, but instead it was a piece of spyware that allowed the hackers to intercept e-mail and text messages. The "update software" was labeled: "Etisalat network upgrade for BlackBerry service. Please download to ensure continuous service quality." This sounds convincing enough. It is probable that many BlackBerry devices have been infected by this malicious code, and it is just lying dormant without the owners knowing about it.
Another loved gadget is the iPhone. In April 2009 a bug in the software was discovered that allows someone to crash the iPhone software, disconnect it from the network that iPhones use, and potentially execute code remotely on it. The remote code could allow someone to turn on the microphone of the phone and allow it to become a bugging device. As of this writing, this vulnerability is still being studied, but it is a good indicator of what is going on in the world.
How are Nations Affected?

- Intelligence agencies use technology to:
  - develop new methods of collecting information on potential foreign enemy movement,
  - conduct surveillance, and
  - prove guilt in criminal activities.
- Disruption of communication in warfare, or even in peacetime
- Technology-guided combat systems (e.g. unmanned drones)
- The US Department of Defense (DoD) believes that almost 20 countries have developed cyber war organizations to attack other militaries and civilian targets through the internet.
Evidence of penetration activity:

During the Persian Gulf War in 1991, it was reported that hackers from the Netherlands penetrated 34 American military sites that supported Operation Desert Storm activities. They extracted information about the exact location of military troops, weapon details, and the movement of American warships. It could have been a different war if Saddam Hussein had actually bought this information when it was offered to him, but he did not; he thought it was a trick.

The future wars of nations will be waged via these new methods: computer-generated attacks.
How are Companies Affected?

- Organizations have trade secrets and intellectual property, which:
  - can be stolen by employees who leave to work for competitors
  - are the target of external attempts on the organization's databases (e.g. credit card numbers)
- Organizations are developing clear policies to protect their intellectual property and reputation
- Compliance with privacy and confidentiality regulations:
  - Electronic Communication Policy (ECP)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Public Records Act (PRA)
  - Information Practices Act (IPA)
  - Sarbanes-Oxley Act of 2002, etc.
- More and more responsibility placed on top management: CEOs and CFOs
- Insurance options for a natural disaster or a major security breach
- A company wants to be in a position where all the customers come to it when another company suffers a security compromise, not the other way around.
The Government's Action

- Departments under the sponsorship of the FBI:
  - Critical Infrastructure Assurance Office (CIAO) under the Department of Commerce,
  - Information Sharing and Analysis Centers (ISACs),
  - National Infrastructure Protection Center (NIPC)
- In 2002, President Bush created the Department of Homeland Security (DHS)
- Prevention of Electronic Crimes Ordinance, 2007 (updated in 2008)
Politics and Laws

- Trans-border issues pertaining to cryptography:
  - What can be encrypted, at what strength and by whom
  - 'Common Criteria' for security evaluation
- Difficult for juries, investigators and law enforcement agencies, as they are not educated in these types of crimes.
- Authorities have a hard time with:
  - Collection of evidence for computer crimes: how to dump data from memory into a file, recover data from a formatted drive, etc.
  - Preventing data corruption
  - Preserving data integrity
- Crime-fighting agencies are increasing personnel with skills in technology and security in many parts of these organizations.
So what does all this mean to us???

As our dependence on technology grows, so should our protective measures.
Hacking and Attacking

Hacking, cracking and attacking:
- Hackers were initially considered the IT geeks; now they are the individuals with evil / destructive goals.
- Availability of easy-to-use tools and utilities for hacking:
  - GUI-based vulnerability scanning tools
  - Tools working in 'quiet' mode, not detected by an IDS
  - Very limited knowledge required to attack
  - Used to satisfy curiosity and / or destructive goals
- Considered a challenge for computing and security professionals to continuously improve the quality of products and services
Management

- Historically, management's focus has been on 'Financial Gain', 'Growth', etc. and not much on 'Firewalls', 'Hackers' & 'Security Breaches'.
- A common 'perception' is that the IT department is responsible for security. Why????
  - Is it a technical issue??
  - Lack of understanding about information and enterprise security
- Information security is a management issue that may require technical solutions.
- It is management's responsibility to set the tone for what role security will play in the organization.

"Good security does not begin and end with erecting a firewall and installing antivirus software. Good security is planned, designed, implemented, and maintained, and is capable of evolving"
A Layered Approach

What is meant by a "layered approach" (or defense-in-depth approach)?

To protect an environment, you must truly understand the environment, the fixes to be applied, the differences among the numerous vendor applications and hardware variations, and how attacks are actually performed.

Running antivirus software only on workstations is not a layered approach to battling viruses. Running antivirus software on each workstation, file server, and mail server and applying content filtering via a proxy server is considered a layered approach toward combating viruses.

How is file access protection provided in a layered approach?
To properly protect file access, the administrator must do the following:
- Configure application, file, and Registry access control lists (ACLs) to provide more granularity to users' and groups' file permissions.
- Configure the system default user rights (in a Windows environment) to give certain types of users certain types of rights.
- Consider the physical security of the environment and the computers, and apply restraints where required.
- Draft and enforce a strict logon credential policy so that not all users are logging on as the same user.
- Implement monitoring and auditing of file access and actions to identify any suspicious activity.
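The following is an added example, not part of the lecture slides, showing three of the file-access layers listed above applied to a single folder on a Windows host: explicit ACLs, a logon-credential check for shared or never-expiring local accounts, and file-access auditing that can be reviewed afterwards. The folder path, the CORP\ group names and the choice of rights are assumptions made for illustration; the cmdlets and .NET types are the standard ones that ship with Windows PowerShell, and the script needs an elevated session.

```powershell
# Added example (not from the lecture): file-access layers on one Windows folder.
# $Share and the group names are assumptions; adjust them to the environment.

$Share   = 'C:\Data\Finance'          # assumed folder to protect
$Readers = 'CORP\Finance-Readers'     # assumed AD group: read-only access
$Editors = 'CORP\Finance-Editors'     # assumed AD group: may change files

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Layer 1: explicit file ACLs (the DACL). Stop inheriting the parent's permissions
# (the second argument, $false, discards the inherited entries instead of copying
# them), then grant each group only the rights it needs.
$acl = Get-Acl -Path $Share
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @(
        @($Readers, 'ReadAndExecute'),
        @($Editors, 'Modify'),
        @('BUILTIN\Administrators', 'FullControl'))) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule[0], $rule[1], $inherit, $prop, 'Allow')))
}
Set-Acl -Path $Share -AclObject $acl

# Layer 2: auditing (the SACL). Object-access auditing for the "File System"
# subcategory must be enabled, otherwise SACL entries never produce events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$audit = Get-Acl -Path $Share -Audit
$audit.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write, Delete, ChangePermissions, TakeOwnership',
    $inherit, $prop, 'Success, Failure')))
Set-Acl -Path $Share -AclObject $audit

# Layer 3: logon credential policy. Enabled local accounts whose password never
# expires are the usual shared logons; they make every audited access look like
# the same user, so list them for review.
Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
    Select-Object Name, LastLogon |
    Format-Table -AutoSize

# Review: the effective permissions, then recent object-access events
# (Security event ID 4663, "An attempt was made to access an object")
# produced by the SACL entry above.
(Get-Acl -Path $Share).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    Select-Object TimeCreated, Message |
    Format-List
```

The point of running the three parts together is the one the slide makes: a correct DACL alone does not tell you who read or changed a file, and an audit trail alone is useless if several people share one account. The physical-security and default-user-rights layers from the list are not scriptable in the same way and are left to policy.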
An Architectural View

This applies to the various protocols, applications, hardware, and security mechanisms that work at one or more of the seven layers of the OSI model:
- IP spoofing is an attack at the network layer,
- ARP attacks happen at the data link layer,
- Traffic sniffing occurs at several layers,
- Viruses enter through the application layer.

Is deploying a firewall with strict password rules sufficient to secure an environment?

"To look at the flow of data in and out of a network and how the applications and devices work together is an architectural view, versus a device or application view".
Each individual security component could be doing its job by protecting its piece of the network, but the security function may be lost when it is time to interrelate or communicate with another security component.
A Layer Missed

A network that has a firewall with packet filtering, a proxy server with content filtering, its public and private DNS records clearly separated, SSL for Internet users, IPSec for VPN connections, and public key infrastructure (PKI), as well as restricted service and port configuration, may seem like a fortified environment, and a network administrator most likely implemented these mechanisms with the best intentions.

Without a scanning device that probes the environment on a scheduled basis or an IDS that looks out for suspicious activity, the environment could be vulnerable even after the company has spent thousands of dollars to protect it.
Education

A security specialist must have the interest and discipline to teach security issues, go to seminars and conferences all over the world, read stacks of books, and have a wide range of experience in different environments.

Security should not be looked upon as an extra component or an option to be added later. It should be interwoven into the code as a program is being developed, and interwoven into the education of our new professionals.
End of Chapter 1

Thank You