Network Security Risks

IS Auditor Role

Collect evidence to ascertain an entity's ability to:
Safeguard assets
Provide data integrity
Efficiency of systems
Effectiveness of systems

Networks Are Vulnerable to Attack

Hackers / Crackers
Terrorists
Insiders
Logical Attack
Physical Attack
http://www.msnbc.com/news/482181.asp#BODY
$, trust, secrets, infrastructure
Financial Transactions – $Trillions/year EFT/Credit Card
Pentagon – 500,000 attempted attacks/year
Microsoft – Hacked
Denial of Service – February
Melissa – I Love You

[Figure: network diagram. Labels: Physical Access Attack; Sneaker Net; Clinic (x4); Internet / VPN; WAN; ISP; ISP 2; T1; Fault tolerance; CSU/DSU; Router / Packet filtering firewall; Servers; Internet Gateway; Mainframe; Switch; Hub; PC; Admin - 330 PCs; Dr's Offices - 200 PCs; Operating Rooms - 20 PCs; Classrooms]

Routers, Firewalls, Gateways

Firewalls - hardware/software used to protect assets from untrusted networks
Gateway/proxy server - allows information to flow between internal and external networks but does not allow the direct exchange of packets
DMZ - isolates internal network from vulnerable web servers
Router - manages network traffic, forwards packets to their correct destination by the most efficient path
Filters packets by a predetermined set of rules: IP source address, IP destination address, source port, and destination port
Are only as secure as the quality of the rule set designed

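The point that a packet filter is only as secure as its rule set can be seen by running the same two probes through a loose and a tight rule set. This is an added example, not part of the original slides; the addresses, the Rule class and the function names are constructed for illustration, and first-match evaluation with default deny is an assumption about the filter.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = range(0, 65536)

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    src: str       # source network (CIDR)
    dst: str       # destination network (CIDR)
    sport: range   # source port range
    dport: range   # destination port range

def matches(rule, src_ip, dst_ip, sport, dport):
    """True when all four header fields fall inside the rule."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and sport in rule.sport and dport in rule.dport)

def filter_packet(rules, src_ip, dst_ip, sport, dport):
    """First matching rule wins; a packet no rule matches is denied."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, sport, dport):
            return rule.action
    return "deny"

# Constructed addresses: 192.0.2.0/24 is the internal server network,
# 192.0.2.25 the mail host, 198.51.100.7 an outside host.
MAIL = "192.0.2.25/32"

# Weak: meant "allow mail", written as "any port on the mail host".
WEAK = [Rule("allow", "0.0.0.0/0", MAIL, ANY_PORT, ANY_PORT)]

# Tight: SMTP (25) from anywhere; telnet (23) only from the admin subnet.
TIGHT = [
    Rule("allow", "0.0.0.0/0", MAIL, ANY_PORT, range(25, 26)),
    Rule("allow", "192.0.2.128/25", "192.0.2.0/24", ANY_PORT, range(23, 24)),
]

def audit(rules):
    """Verdicts for an outside host reaching SMTP and telnet on the mail host."""
    outside = "198.51.100.7"
    return {
        "smtp": filter_packet(rules, outside, "192.0.2.25", 40000, 25),
        "telnet": filter_packet(rules, outside, "192.0.2.25", 40000, 23),
    }

if __name__ == "__main__":
    print("weak :", audit(WEAK))
    print("tight:", audit(TIGHT))
```

Both rule sets let mail through, so the weak one looks correct in normal use; only the audit of a port that should be closed shows the difference.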
TCP/IP Internet Protocol

IP - standard for internet message exchange
Does not guarantee delivery of packets
Packets using IP travel similarly to a post card
Does not provide for data integrity or timeliness, security, privacy or confidentiality
TCP, with error correction services, is stacked on top of IP to form TCP/IP
Port – address on host where application makes itself available to incoming data
  23 – telnet
  25 – SMTP
Packet – unit of information transmitted as a whole, inc. source and destination address
IP address – unique 32 bit number - 4 octets separated by periods
  144.92.43.178
  InterNIC

Securing Messages / Transactions
Authentication

Something you have - Smart card
Something you are - Biometric devices
Something you know - Password

Authentication Devices

SecurID tokens
  something you have - token
  something you know - pin
  used to generate password that changes once a minute
Biometric devices
  Retinal scan
  Fingerprints
  Voice recognition
  Facial recognition

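How a token (something you have) and a PIN (something you know) combine into a password that changes once a minute, as an added example that is not part of the original slides. The token's own algorithm is not given on the slide, so the open HMAC-based one-time password construction (RFC 4226, driven by a 60-second time window) is swapped in; the seed, the PIN and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def token_code(seed: bytes, unix_time: int, step: int = 60) -> str:
    """Code the token displays: the counter is the current one-minute window."""
    return hotp(seed, unix_time // step)

def verify(seed: bytes, pin: str, passcode: str, unix_time: int,
           step: int = 60, drift: int = 1) -> bool:
    """Server-side check of PIN + token code.

    Accepts the current window and `drift` windows either side to absorb
    clock skew between token and server (an assumption of this example).
    """
    ok = False
    for delta in range(-drift, drift + 1):
        t = unix_time + delta * step
        if t < 0:
            continue
        expected = pin + token_code(seed, t, step)
        # Constant-time comparison, evaluated for every window.
        ok |= hmac.compare_digest(expected.encode(), passcode.encode())
    return ok

# Constructed sample values: the RFC 4226 test seed and a made-up PIN.
SEED = b"12345678901234567890"
PIN = "4821"

if __name__ == "__main__":
    for t in (30, 90, 150):
        print(t, token_code(SEED, t))
    print(verify(SEED, PIN, PIN + token_code(SEED, 90), 90))
```

A code captured from the display stops being accepted once the drift window has passed, and it is useless without the PIN, which is the property the two factors are meant to provide.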
Passwords

Proper maintenance & procedures essential
Post-it notes - on monitors and under keyboards?
Longer than 8 characters
Not comprised of English words
Include special characters
Change regularly
L0phtCrack

Symmetric Encryption

Secret key used for encryption and decryption is identical
Alice and Bob must exchange the secret key in advance
Impractical for large numbers of people to securely exchange shared secret keys

Asymmetric Encryption

Public-private key pairs, used to overcome the problem of shared secret keys
Owner of the key knows private key
Public key is shared with everyone
Message confidentiality - Bob encrypts a message with Alice's public key and on receipt Alice decrypts the message with her private key

Encryption of data

Keys / Cipher length is important
  Expressed in bits
  40 bit cipher can be broken in 3.5 hrs
  56 bit - 22 hours 15 min
  64 bit - 33-34 days
  128 bit - > 2000 years
Message encryption
Digital signature
Message Digest
Message confidentiality
Message integrity
Authentication
Nonrepudiation

Securing Transactions

Data theft
Customer lists, engineering blueprints and other company secrets
Company assets vulnerable since connected to public networks
Cracker Kevin Mitnick stole plans for Motorola's StarTac
Used IP spoofing
Theft of money
German Chaos Computer Club used an ActiveX control to schedule transfer of money from the victim's online bank account to numbered bank account controlled by crackers

Stored Account System

Similar to existing debit/credit card systems
Use existing infrastructure/payment systems based on electronic funds transfer
Use settlement houses/clearing houses
Highly accountable and traceable
Traceable - raise privacy concerns “big brother”
Slow and expensive online verification is necessary
SET - secure electronic transaction, CyberCash

Stored Value Systems – E-cash

Private, no approval from bank needed
Security stakes are high
Counterfeiting
Absence of control & auditing
Potentially $8 trillion a year market
People do not yet trust e-cash technology
More popular in Europe
E-cash superior to cash
Do not require proximity
Do not create weight & storage problems of cash

New Systems

DigiCash, Mondex and Visa Cash
Stored value and/or stored accounts
E-cash is stored on an electronic device
Use smart card or e-cash could be stored on a PC
Electronic wallet technology
Merchant adds or subtracts e-cash value using encrypted messaging between computers or by inserting the smart card in the merchant's smart card reader
Mondex - Devices

Smart Cards

Credit card sized devices w/ chip & memory
Contain operating systems & applications
Reader device attached to PC can read smart card
Avoid problem of e-cash being stored on insecure hard drives
Smart cards disabled when physically attacked

Smart Cards

Will be ubiquitous
Loyalty information – frequent flier miles
Health records and health insurance information
Debit, credit, and charge cards
E-cash
Global system for mobile communications
Pay TV
Mass transit ticketing
Access controls
Digital signatures
Biometrics
Travel and entertainment
Driver's license and social security information

Secure Sockets Layer

Confidentiality & authentication of web sessions
Encrypts the communication channel; uses private key
Client and server agree to private session key & private encryption/hashing protocols for confidentiality & data integrity
Client authenticates server w/ certificate authority stored on client's browser

Secure Electronic Transaction Protocol

Open standard for secure internet payments
MasterCard and Visa, IBM and Microsoft
Confidentiality of information, privacy, message integrity, authentication, and nonrepudiation, and authenticates all parties
Encrypts credit card numbers, shielding from public & merchant
Party in a SET transaction must possess a digital certificate, carry digital wallets or smart cards
1,024 bit keys
Securing private keys is problematic
MasterCard International - Shop Smart! Demo

Public Key Infrastructure (PKI)

Issue, manage, and maintain public-private key pairs and digital certificates
Digital certificates used to authenticate servers or clients using trusted third party, certificate authority
CAs issue digital certificates to merchants; these can be verified by the browser checking the digital signature of the CA against the public key of the CA, stored on the browser
Digital signatures have full legal standing 2000
VeriSign Training
IE – Tools – Internet Options – Content

Risks to the client

Active content
Cookies
Modems
Many clients mission critical
Personal firewall software
  Needed even if part of a network with other layers of protection
  Black Ice and Zone Alarm

Active Content

Programs that automatically download & execute on user's machine when user hits on web site with active content
Java applets, ActiveX controls, JavaScript, VBScript, multimedia presentation files executed via browser “plug-ins” (Flash)
Can provide rich customized computing experience
Could be malicious
Java applet coded to read client's cookies including passwords & IDs & send the information back to crackers

ActiveX Controls

Can execute any function a Windows program can execute
Written in variety of languages - execute only on Wintel machines
Security measures designed to prevent trusted ActiveX controls from damaging machine do not exist
Security based on level of trust client places in author of ActiveX control
Software publisher certificate from a certificate authority such as VeriSign

Java Applets

Platform independent; can run on Windows or Unix machines
Constrained from accessing resources outside section of memory called the sandbox
Applet can play but not escape
Trust of Java applets based on restricting the behavior of the applet
Holes in the sandbox - bugs that allow attack code

Cookies

Internet transactions do not maintain state, no memory of last visit
To restore state - cookies kept on user's hard drive
Block of data on client that server can use to identify user, instruct server to send a customized version of a web page, submit the account information of user
If intercepted by third party, significant personal information about user compromised
Compromise user privacy

Operating System Risks

Default configurations – on client node allows Java applets to load on server using root ID
Escalation of privileges –
  If an attacker gains “root” or administrator privileges the cracker can do anything to the system he desires
  Adaptive access control, automates access control process, assigning of permissions alleviates problems of manual access control

Operating System Risks 2

Windows 98 very insecure – modems connected to internal network problematic
UNIX & Windows NT operating systems - more secure but still full of bugs and security holes
Patches available from vendors

Computer Emergency Response Team Coordination Center

Experts on call for emergencies 24 hours a day
Provides facilitation of communication among experts on security problems
Central point for the identification and correction of security vulnerabilities
Secure repository of computer security incident information
CERT Coordination Center

Viruses, Worms, Trojans

Users need constant training and surveillance
System administrator - update virus definitions on schedule
Attack emergency and recovery plan
Policies regulating users' handling of e-mail are important

Securing the Server

Back-end databases must be protected
Web servers particularly vulnerable to attack
CGI Scripts – Web client request executes on server
Crackers escalate privileges to arbitrarily execute system commands
  deleting or stealing files
  placing Trojan horse programs on the server
  running denial of service attacks
  defacing web pages
  storing cracking tools for a later attack

Denial of Service Attacks

Cripple or crash Web servers by flooding server with too much data or too many requests
E-commerce merchants cannot afford financial consequences or loss of trust
Online NewsHour -- Internet Security

Web Page Defacing

Act of rewriting web page
Motivations political, financial, &/or revenge
More than web server compromised?

Malicious Web Sites

EU study – possibly 60 billion euros lost
Steal credit card numbers
Spy on hard drives
Upload files
Plant active content
Example: misspelled URLs

People & Security - Policies

Embraced by management
Security philosophy, user policies, incident management, methods to prevent social engineering attacks, network disaster recovery, and consequences for lack of adherence
Programs to train staff & techniques to enhance security should be ongoing
Outside penetration study can be useful to document the true level of risk and vulnerability

Social Engineering

Manipulating employees' natural tendencies
Objectives: obtaining passwords, obtaining configuration data to escalate user permissions in an operating system
Use telephone or email posing as IT staff or higher-level managers
Talk people into revealing damaging information
Many devastating cracker exploits have included social engineering

Insider Risks

Authorized users commit 75% to 85% of all computer crime
Not usually prosecuted – covered up
Disgruntled employees - crashing file servers, deleting data, selling critical data, and financial fraud
Internal network sniffing

Onion Approach

Security solutions to vulnerabilities should be implemented in a layered approach, the “onion” solution
Solutions should be preventive and predictive rather than reactive
Network security architectures rely upon layers of devices and software that provide multiple barriers to intruders and protect, detect and respond to threats

Tools

Vulnerability scanning tools
  determination of remote systems weaknesses
  extremely dangerous in the wrong hands
  discover open ports
  how services respond to incoming requests
Intrusion Detection System (IDS)
  detect intruders breaking into a system or to detect legitimate users misusing system resources
  well-configured IDS will prohibit all activity not expressly allowed
  analysis of audit trail data, especially operating system activity is important

Tools 2

Logging enhancement tools - supplement operating system logging & can provide independent audit data
System evaluation tools
  Configuration checking
  Permissions checking
  Analysis of accounts and groups
  Evaluation of registry settings
  Verification of up to date patch installation

Network sniffers

Intercept and analyze network traffic
Can be extremely useful but also are very dangerous
Illegal to sniff a network without permission
Possible to read packets with a sniffer
After an intrusion sniffer logs can be essential
Sniffers can be hardware or software based
Also called “packet dumpers”

Questions & Discussion