Transcript Document
THE NEED FOR
NETWORK SECURITY
Thanos Hatziapostolou
PRESENTATION OBJECTIVES
Understand information security services
Be aware of vulnerabilities and threats
Realize why network security is necessary
What are the elements of a comprehensive
security program
The Need for Web Security
2
TRENDS FOR INFORMATION
More information is being created, stored, processed and
communicated using computers and networks
Computers are increasingly interconnected, creating new
pathways to information assets
The threats to information are becoming more widespread
and more sophisticated
Productivity, competitiveness, are tied to the first two trends
Third trend makes it inevitable that we are increasingly vulnerable
to the corruption or exploitation of information
INFORMATION IS THE MOST VALUABLE ASSET
The Need for Web Security
3
Information Security Services
Confidentiality
Integrity
Authentication
Nonrepudiation
Access Control
Availability
The Need for Web Security
4
Information Security Services
Confidentiality
Maintaining the privacy of data
Integrity
Detecting that the data is not tampered with
Authentication
Establishing proof of identity
Nonrepudiation
Ability to prove that the sender actually sent the data
Access Control
Access to information resources are regulated
Availability
Computer assets are available to authorized parties when needed
The Need for Web Security
5
What Is The Internet?
Collection of networks that communicate
with a common set of protocols (TCP/IP)
Collection of networks with
no central control
no central authority
no common legal oversight or
regulations
no standard acceptable use policy
“wild west” atmosphere
The Need for Web Security
6
Why Is Internet Security a
Problem?
Security not a design
consideration
Implementing change is
difficult
Openness makes
machines easy targets
Increasing complexity
The Need for Web Security
7
Common Network Security
Problems
Network eavesdropping
Malicious Data Modification
Address spoofing (impersonation)
‘Man in the Middle’ (interception)
Denial of Service attacks
Application layer attacks
The Need for Web Security
8
Security Incidents are Increasing
High
Sophistication
of Hacker Tools
Technical
Knowledge
Required
Low
1980
1990
The Need for Web Security
2000
-from Cisco Systems
9
HACKED WWW HOMEPAGES
CIA
HOMEPAGE
DOJ
HOMEPAGE
HOMEPAGE
USAF
The Need for Web Security
10
11/29/96
Problem is Worsening
Code Red
60000
50000
Anna Kournikova
Melissa &
ILOVEYOU
40000
Tequila
30000
Badtrans
Nimba
Good Times
20000 Jerusalem Michelangelo
The Need for Web Security
2001
2000
1999
1998
1997
1996
1995
1994
1993
1992
1991
1990
1989
Source: CERT®
Coordination Center
Carnegie Mellon
1988
10000
11
VIRUSES
Risk Threat
Discovered
TROJ_SIRCAM.A
New !!
W32.Navidad
11/03/2000
W95.MTX
8/17/2000
W32.HLLW.QAZ.A7/16/2000
VBS.Stages.A
6/16/2000
VBS.LoveLetter
5/04/2000
VBS.Network
2/18/2000
Wscript.KakWorm
12/27/1999
W32.Funlove.4099
11/08/1999
PrettyPark.Worm
6/04/1999
Happy99.Worm
1/28/1999
The Need for Web Security
Protection
Latest DAT
11/06/2000
8/28/2000
7/18/2000
6/16/2000
5/05/2000
2/18/2000
12/27/1999
11/11/1999
6/04/1999
1/28/1999
12
Consider that…
90% of companies detected computer
security breaches in the last 12 months
59% cited the Internet as the most
frequent origin of attack
74% acknowledged financial losses
due to computer breaches
85% detected computer viruses
Source: Computer Security Institute
The Need for Web Security
13
WHO ARE THE OPPONENTS?
49% are inside employees on
the internal network
17% come from dial-up (still
inside people)
34% are from Internet or an
external connection to another
company of some sort
HACKERS
The Need for Web Security
14
HACKER MOTIVATIONS
Money, profit
Access to additional resources
Experimentation and desire to
learn
“Gang” mentality
Psychological needs
Self-gratification
Personal vengeance
Emotional issues
Desire to embarrass the target
The Need for Web Security
15
Internet Security?
Replay Attack
Spoofing
The Need for Web Security
16
What Do People Do When They
Hear All These?
Take the risks!
But there are solutions
Ignoring the situation is not
one of them
The Need for Web Security
17
THE MOST COMMON EXCUSES
No one could possibly be interested in my information
Anti-virus software slows down my processor speed
too much.
I don't use anti-virus software because I never open
viruses or e-mail attachments from people I don't
know.
So many people are on the
Internet, I'm just a face in
the crowd. No one would
pick me out.
I'm busy. I can't become a
security expert--I don't have
time, and it's not important
enough
The Need for Web Security
18
SANS Five Worst Security Mistakes
End Users Make
1.
2.
3.
4.
5.
Opening unsolicited e-mail attachments without
verifying their source and checking their content
first.
Failing to install security patches-especially for
Microsoft Office, Microsoft Internet Explorer, and
Netscape.
Installing screen savers or games from unknown
sources.
Not making and testing backups.
Using a modem while connected through a local
area network.
The Need for Web Security
19
SECURITY COUNTERMEASURES
THREE PHASE APPROACH
PROTECTION
DETECTION
RESPONSE
The Need for Web Security
20
ELEMENTS OF A COMPREHENSIVE
SECURITY PROGRAM
Have Good Passwords
Use Good Antiviral Products
Use Good Cryptography
Have Good Firewalls
Have a Backup System
Audit and Monitor Systems and Networks
Have Training and Awareness Programs
Test Your Security Frequently
The Need for Web Security
21
CRYPTOGRAPHY
Necessity is the mother of invention, and
computer networks are the mother of modern
cryptography.
Ronald L. Rivest
Symmetric Key Cryptography
Public Key Cryptography
Digital Signatures
The Need for Web Security
22
Firewall
A system or group of systems that enforces an access control
policy between two networks.
PC Servers
Visible
IP
Address
Internal
Network
Host
The Need for Web Security
23
The Need for Web Security
24
THANK YOU
I have questions…
The Need for Web Security
25