CSUDH Network Appl Security 043007
Network Security Applications:
Threats Do Exist
Advanced Network-Based Applications (CIS 471)
CSUDH
Robert Pittman Jr., M.P.A., CISM
Assistant CISO
County of Los Angeles
April 30, 2007
Student’s questions…
What kind of security risks are involved with social networking sites like
MySpace, Facebook or Match.com?
How often is there an attempt to steal information? How often is there a
breach?
What is the demand for Security Professionals in the IT field like?
Are Chief Security Officers common in corporations?
What do you think will be the future of IT security demand? (more
demanding or less demanding?)
From your experience, how difficult was it to get started in the IT field?
How big is the career demand?
What certifications, years of experience, and/or degree are needed to
start a career in IT?
As far as network security and anything IT related, did you get any type
of training from your company before you started?
Agenda
OSI-Layer and the Zones
Network Threats
Mitigating Network Threats
Wireless Networks Threats
Wireless Networks Secured
Web Appl (includes e-Commerce) Threats
Mitigating Web Appl (includes e-Commerce) Issues
Coding Web Appl (includes e-Commerce)
Computer Crimes – the Latest News
References
Hacker Sites
OSI-Layer and the Zones
Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport
Layer 3 - Network
Layer 2 - Data Link
Layer 1 - Physical
Zones: Internet | Demilitarized Zone (DMZ) | Intranet
Network Threats
Denial of Service (DoS/DDoS)
Common attacks (e.g., back doors, etc.)
Voice over Internet Protocol (VoIP)
Network devices
> default SNMP community strings ("public"/"private")
> default accounts, passwords, & encryption keys
> unnecessary services (i.e., open ports)
> admin passwords sent unencrypted & unauthenticated (e.g., over telnet or SNMPv1/v2c)
> printers, fax machines, and scanners (network devices too, and rarely hardened)
Mitigating Network Threats
Use of a Network Intrusion Detection System (NIDS)
Use of a traffic regulator/governor (rate limiting to blunt DoS)
Maintain software currency (OS, DBMS, device firmware, etc.)
Maintain currency of anti-virus and other security products
Perform a complete configuration audit of every device
Set up a syslog server (so logs survive a compromised device)
Disable default accounts & change default passwords and SNMP community strings
Disable unnecessary services
Use encrypted & authenticated admin protocols (SSH and SNMPv3 instead of telnet and SNMPv1/v2c)
Use port-level security (limit the MAC addresses allowed on a switch port; 802.1X where available)
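The "complete configuration audit" above is easiest to keep honest when it is a script run against every device's saved configuration. The following is an added example (not from the original slides or any vendor tool) that checks a router configuration in Cisco IOS syntax for the device weaknesses listed in the threat slide: default SNMP community strings, reversible or cleartext credentials, unnecessary services, telnet on the vty lines, and no syslog destination. Both configurations are constructed samples; the hash strings in the hardened one are placeholders, and the keyword matching is deliberately simple (it does not understand every IOS dialect).

```python
import re

# Constructed sample configuration in Cisco IOS syntax (not from any real
# device); it deliberately contains the weaknesses listed in the slides.
WEAK_CONFIG = """\
hostname edge-rtr
no service password-encryption
service tcp-small-servers
enable password cisco123
username admin password letmein
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet
 login local
"""

# The same device after the mitigations are applied (also constructed; the
# hash strings are placeholders, not real digests).
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
no service tcp-small-servers
enable secret 5 $1$salt$placeholderhash
username admin secret 5 $1$salt$placeholderhash
snmp-server community Zq7kLp3vXw RO
no ip http server
logging host 10.0.0.5
line vty 0 4
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}
UNNEEDED_SERVICES = ("ip http server", "service tcp-small-servers",
                     "service udp-small-servers")


def audit_config(config):
    """Return a list of (severity, finding) tuples for one device config."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    text = "\n".join(lines)
    findings = []

    # Default SNMP community strings give read (or write) access to anyone.
    for m in re.finditer(r"^snmp-server community (\S+)", text, re.M):
        if m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", "default SNMP community string '%s'" % m.group(1)))

    # Reversible or cleartext credentials in the config file.
    if re.search(r"^enable password ", text, re.M):
        findings.append(("high", "enable password is reversible; use 'enable secret'"))
    if re.search(r"^username \S+ password ", text, re.M):
        findings.append(("medium", "local user password not hashed; use 'username ... secret'"))
    if not re.search(r"^service password-encryption", text, re.M):
        findings.append(("medium", "service password-encryption not enabled"))

    # Services the device does not need to offer.
    for svc in UNNEEDED_SERVICES:
        if svc in lines:
            findings.append(("medium", "unnecessary service enabled: %s" % svc))

    # Admin access over telnet sends credentials in the clear. If no
    # 'transport input' is set we treat the vty block as allowing telnet too.
    for m in re.finditer(r"^line vty[^\n]*\n((?: [^\n]*\n?)*)", text, re.M):
        t = re.search(r"transport input (\S+)", m.group(1))
        if t is None or t.group(1) != "ssh":
            findings.append(("high", "vty lines accept telnet; use 'transport input ssh'"))

    # Without a syslog destination, evidence of an attack stays on the box.
    if not re.search(r"^logging (host )?\d+\.\d+\.\d+\.\d+", text, re.M):
        findings.append(("low", "no syslog server configured (logging host)"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_config(WEAK_CONFIG):
        print("[%s] %s" % (sev.upper(), msg))
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against the weak sample it reports four high findings (two default communities, the reversible enable password, telnet on the vty lines) plus the medium and low ones; against the hardened sample it reports nothing. In practice the script is pointed at the nightly configuration backups so that a device drifting back to a default setting shows up the next morning.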
Wireless Networks Threats
Ability to passively obtain confidential data and leave no trace of the attack
An AP positioned behind the perimeter firewall may provide attackers with a backdoor into the internal network
Could serve as a launching pad for attacks (e.g., as a zombie) on unrelated networks
Provides convenient cover, as identifying the originator of an attack is difficult, if not impossible
Wireless Networks Secured
Isolate wireless networks (treat the WLAN as untrusted and put it on its own segment behind a firewall)
Require stronger authentication (802.1X/EAP rather than a shared key)
Secure the handhelds (e.g., PDAs, laptops, etc.)
WEP is not a security solution; use WPA2 (802.11i)
Eliminate the use of a descriptive name for the SSID and the Access Point (hiding the SSID is not protection: clients still send it in probe and association frames)
Hardcode the MAC addresses that can use the AP (a hurdle only; MAC addresses appear in every frame and are trivially spoofed)
Change encryption keys frequently (with WEP this is the only defence against key recovery; WPA/WPA2 rekey automatically)
Locate APs centrally (to limit signal leakage outside the building)
Change default AP passwords/IP addresses
DHCP should not be used (marginal benefit: an attacker who can sniff the segment can pick an unused address)
Identify rogue APs (periodic site surveys; compare observed BSSIDs against the AP inventory)
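"Identify rogue APs" only works if the survey results are compared against an inventory rather than eyeballed, and the comparison has to separate the cases that matter (an unknown radio advertising our SSID, an unknown radio inside the building, our own AP still on WEP) from harmless neighbours. The following is an added example, not from the original slides or any scanning tool: the inventory and the survey output are constructed, and the signal threshold used to decide "on premises" is an assumed value that depends on the scanner and the building.

```python
# Constructed inventory of the APs we own: BSSID -> SSID it should advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
    "00:11:22:33:44:03": "corp-wlan",
    "00:11:22:33:44:04": "corp-wlan",
}
CORP_SSIDS = {"corp-wlan"}

# Constructed site-survey output in the shape a scanner such as NetStumbler
# reports: (bssid, ssid, channel, encryption, signal in dBm).
SCAN_RESULTS = [
    ("00:11:22:33:44:01", "corp-wlan",    1,  "WPA2", -45),
    ("00:11:22:33:44:02", "corp-wlan",    6,  "WPA2", -50),
    ("00:11:22:33:44:03", "corp-wlan",    11, "WEP",  -55),  # ours, still on WEP
    ("00:11:22:33:44:04", "guest-free",   11, "OPEN", -60),  # ours, wrong SSID
    ("DE:AD:BE:EF:00:01", "corp-wlan",    6,  "WPA2", -40),  # not ours, our SSID
    ("AA:BB:CC:DD:EE:01", "linksys",      6,  "OPEN", -38),  # not ours, very close
    ("AA:BB:CC:DD:EE:02", "neighbor-net", 3,  "WPA2", -85),  # not ours, far away
]

WEAK_CRYPTO = {"OPEN", "WEP"}
ACTIONABLE = ["evil-twin", "rogue", "misconfigured", "weak-crypto"]  # worst first


def classify_scan(scan, authorized, corp_ssids, onsite_dbm=-70):
    """Map each observed BSSID to a verdict.

    onsite_dbm is an assumed threshold: a signal at least this strong at a
    handheld scanner is taken to mean the radio is inside our building.
    """
    verdicts = {}
    for bssid, ssid, _channel, enc, signal in scan:
        bssid = bssid.lower()
        if bssid in authorized:
            if ssid != authorized[bssid]:
                verdict = "misconfigured"   # our hardware advertising the wrong network
            elif enc in WEAK_CRYPTO:
                verdict = "weak-crypto"     # our AP, but WEP/open still in use
            else:
                verdict = "ok"
        elif ssid in corp_ssids:
            verdict = "evil-twin"           # foreign radio impersonating our network
        elif signal >= onsite_dbm:
            verdict = "rogue"               # unknown AP, strong enough to be on premises
        else:
            verdict = "neighbor"            # unknown but weak; probably next door
        verdicts[bssid] = verdict
    return verdicts


def needs_action(verdicts):
    """(bssid, verdict) pairs to investigate, most serious first."""
    hits = [(b, v) for b, v in verdicts.items() if v in ACTIONABLE]
    return sorted(hits, key=lambda bv: ACTIONABLE.index(bv[1]))


if __name__ == "__main__":
    verdicts = classify_scan(SCAN_RESULTS, AUTHORIZED_APS, CORP_SSIDS)
    for bssid, verdict in needs_action(verdicts):
        print(bssid, verdict)
```

The evil-twin case is checked before the signal threshold on purpose: an attacker broadcasting the corporate SSID from the parking lot is a threat even at a weak signal, because clients configured for that SSID will try to associate with it. An unknown AP on a neighbour's SSID at -85 dBm, by contrast, is usually just the office next door and is worth logging, not chasing.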
Web Appl (includes e-Commerce) Threats (the STRIDE categories)
Spoofing identity (e.g., weak or missing HTTP authentication; see RFC 2617)
Data tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
Mitigating Web Appl (includes e-Commerce) Issues
Source Code
Authentication
Session Handling
Error Handling
Database Handling
Shopping Cart
File Handling
Application Audit Events
Input Validation
Sensitive Data in Cookies and Fields
Coding Web Appl (includes e-Commerce)
Do not…
trust data received from any external source
rely on client-side data validation
write unfiltered data to the web browser
access files based on user input without validation
put sensitive information in hidden form fields
store passwords or other sensitive info in ASP pages
leave comments in client-side HTML
store sensitive info in the database unnecessarily
put sensitive info in URLs
Do’s…
replace the default (verbose) error page with a generic one
use parameterized queries for external data in SQL statements (quoting by hand is error-prone)
log suspicious activity
specify an explicit character set in the Content-Type header
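Three of the items above (database handling, file handling, and writing data to the browser) come down to the same rule: external data must never be spliced into a statement, a path, or a page as-is. The block below is an added example illustrating the "Do not" and "Do's" lists, not code from the original slides (which were written with ASP in mind); it uses Python and its bundled sqlite3 module so it runs offline. The user table, the login attempt and the file paths are constructed; passwords are stored in plaintext only to keep the injection demonstration short, which a real site would never do.

```python
import html
import os
import sqlite3

# --- Database handling: string-built SQL beside a parameterized query -------

def make_db():
    """In-memory table with constructed test users (plaintext passwords only
    to keep the injection demo short; a real site stores salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, pw):
    """Quotes external data by hand: a single quote in the input ends the
    literal and the rest of the input becomes SQL."""
    q = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (user, pw)
    return conn.execute(q).fetchone() is not None


def login_safe(conn, user, pw):
    """Parameterized query: the driver keeps the data separate from the statement."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(q, (user, pw)).fetchone() is not None


# --- File handling: validate a user-supplied path against the document root --

def resolve_under_root(base_dir, user_path):
    """Return the absolute file path, or raise if it escapes base_dir
    (covers '..' segments, absolute paths and symlinks)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the document root")
    return target


def is_within_root(base_dir, user_path):
    try:
        resolve_under_root(base_dir, user_path)
        return True
    except ValueError:
        return False


# --- Output: encode before writing to the browser, and fix the character set --

RESPONSE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}


def render_greeting(name):
    """HTML-encode external data so the browser displays it rather than runs it."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    attack = "alice' --"   # the comment marker removes the password check
    print("vulnerable:", login_vulnerable(db, attack, "x"))   # True: logged in without the password
    print("safe:      ", login_safe(db, attack, "x"))         # False
    print(is_within_root("docs", "sub/report.pdf"))            # True
    print(is_within_root("docs", "../../etc/passwd"))          # False
    print(render_greeting("<script>alert(1)</script>"))
```

The string-built query turns `alice' --` into `WHERE name = 'alice' --' AND password = 'x'`, so the password clause is commented away and the login succeeds; the parameterized version sends the same bytes as a value and fails as it should. The path check resolves symlinks before comparing, which matters because a `..`-free path that passes through a symlink can still leave the document root. The explicit `charset=utf-8` closes the loophole the last "Do" refers to: without it the browser may guess an encoding in which the escaped output decodes differently.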
Computer Crimes – the Latest News
Vermilion, Ohio Man Sentenced in Wire Fraud Case (April 19, 2007)
Former Navy Contractor Sentenced for Damaging Navy Computer System (April 5, 2007)
St. Joseph Woman Sentenced For $312,000 Wire Fraud (March 14, 2007)
Hackers from India Indicted for Online Brokerage Intrusion Scheme that Victimized Customers and Brokerage Firms (March 12, 2007)
New CCIPS Publication, "Prosecuting Computer Crimes" Manual Now Available (March 10, 2007)
Defendant Sentenced For Conspiring To Commit Computer Fraud And Identity Theft (March 5, 2007)
Massachusetts Man Charged with Defrauding Cisco of Millions of Dollars Worth of Computer Networking Equipment: Using False Identities and Private Mailboxes in at Least 39 States, Suspect Allegedly Carried out the Fraud at Least 700 Times (February 28, 2007)
Washington State Man Pleads Guilty To Charges Of Transmitting Internet Virus (February 15, 2007)
Clovis and Fresno Residents Plead Guilty to Conspiracy to Commit Wire Fraud, Mail Fraud, and Copyright Infringement (February 8, 2007)
Three Internal Revenue Service Employees Indicted for Computer Fraud/Abuse (February 8, 2007)
Man Pleads Guilty to Stealing Morgan Stanley Trade Secrets Relating to Hedge Funds (February 1, 2007)
References
csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
www.cert.org/security-improvement/modules/m11.html
www.cisco.com
www.cisecurity.org
www.csoonline.com
www.ietf.org/rfc.html
www.linuxhomenetworking.com/cisco-hn/syslog-cisco.htm
www.netstumbler.com
www.nist.gov (not www.nist.org)
www.ntbugtraq.com
www.owasp.org
www.sans.org
www.usdoj.gov/criminal/cybercrime/cc.html
Hack Notes: Web Security Portable Reference, Mike Shema; 174 pages, 2003, McGraw-Hill Companies.
Writing Secure Code, Second Edition, Michael Howard and David LeBlanc; 768 pages, 2003, Microsoft Press.
Hacker Sites
www.2600.com
www.antionline.com
www.defcon.org
www.hackers.com
www.insecure.org
Thanks for listening!
Questions?