ch 13 Information Security
Information Security
Chapter 13
1
Modified by: Brierley
3/28/2016
Objectives
In this chapter, you will learn to:
List the key steps in assessing information security risks
Explain the elements and purpose of a security policy
Describe strategies for minimizing common security risks
associated with people, passwords, physical security, and
modem access
Discuss the most popular, current methods of encrypting
data
Identify security threats to:
Public and private telephone networks and discuss ways to
prevent them
LAN- and WAN-based telecommunications and discuss
ways to prevent them
Wireless telecommunications and discuss ways to prevent
them
Risk Assessment
A thorough analysis of an organization’s vulnerability to security
breaches and an identification of its potential losses.
A risk assessment should answer the following questions:
What resources or assets are at risk?
What methods could be taken to compromise those
resources?
Who or what are the most likely threats to resources?
What is the probability that the organization or its resources
will be compromised?
What are the consequences of those resources being
compromised?
Security Policy Goals
Ensuring that authorized users have appropriate access to the
resources where they have a “need to know”
Preventing unauthorized users from gaining access to facilities, cabling,
devices, systems, programs, or data
Protecting sensitive data from unauthorized access, from individuals
both internal and external to the organization
Preventing accidental or intentional damage to hardware, facilities, or
software
Creating an environment in which the network and its connected nodes
can withstand and, if necessary, quickly respond to and recover from
any type of threat
Security Policy Content
Subheadings for security policy content:
Password policy
Software installation policy
Confidential and sensitive data policy
Network access policy
Telephone use policy
E-mail use policy
Internet use policy
Remote access policy
Policies for connecting to remote locations, the Internet, and
customers’ and vendors’ networks
Policies for use of laptops and loaner machines
Cable vault and equipment room access policy
Response Policy
Suggestions for team roles:
Dispatcher - The person on call who first notices or is alerted
to the problem.
Manager - The team member who coordinates the
resources necessary to solve the problem.
Technical support specialists - The team members who
strive to solve the problem as quickly as possible.
Public relations specialist - The team member who acts as
official spokesperson for the organization to the public.
Human Error, Ignorance, and
Omission
These cause more than half of all security
breaches sustained by voice and data networks.
Social engineering - involves manipulating social
relationships to gain access to restricted resources.
The best way to counter social engineering is to educate
all employees to ask the supposed technician for his
telephone number, agreeing to call him back with the
information.
Risks include:
Intruders or attackers using social engineering or snooping to
obtain user passwords.
Network administrators overlooking security flaws in network
design, hardware configuration, operating systems, or applications.
An unused computer or terminal left logged on to the network,
thereby providing an entry point for an intruder.
Users or administrators choosing easy-to-guess passwords.
Passwords
Guidelines for choosing passwords:
Always change system default passwords after installing new
programs or equipment.
Do not use familiar information, such as your birth date,
anniversary, pet’s name, child’s name, etc.
Do not use any word that might appear in a dictionary.
Make the password longer than six characters - the longer, the
better.
Change your password at least every 60 days, or more frequently,
if desired.
Physical Security
Locations on voice and data networks that warrant physical
security:
Inside a central office or POP:
• Cable vaults
• Equipment rooms
• Power sources (for example, a room of batteries or a fuel tank)
• Cable runs (ceiling and floor)
• Work areas (anyplace where networked workstations and
telephones are located)
Outside telecommunications facilities:
• Serving area interfaces and remote switching facilities
• Exterior cross-connect boxes
• Wires leading to or between telephone poles
• Base stations and mobile telephone switching offices used with
cellular telephone networks
Inside a business:
• Entrance facilities
• Equipment room (where servers, private switching systems,
and connectivity devices are kept)
• Telecommunications closet
Relevant questions:
Which rooms contain critical systems, transmission media, or data
and need to be secured?
How and to what extent are authorized personnel granted entry?
Are authentication methods (such as ID badges) difficult to forge or
circumvent?
Do supervisors or security personnel make periodic physical
security checks?
What is the plan for documenting and responding to physical
security breaches?
Modem Access
Modems are notorious for providing hackers with easy access to
networks.
Although modem ports on connectivity devices can open access
to significant parts of a network, the more common security risks
relate to modems that users attach directly to their workstations.
When modems are attached directly to networked workstations, they
essentially provide a back door into the network.
Daemon dialers - computer programs that dial multiple
telephone numbers in rapid succession, attempting to access
and receive a handshake response from a modem.
Encryption
The use of an algorithm to scramble data into a format that can
be read only by reversing the algorithm.
Encryption ensures that:
Data can only be viewed and voice signals can only be heard by
their intended recipient (or at their intended destination).
Data or voice information was not modified after the sender
transmitted it and before the receiver picked it up.
Data or voice signals received at their intended destination were
truly issued by the stated sender and not forged by an intruder.
Key Encryption
Private Key Encryption
Public Key Encryption
Data is encrypted using two keys: One is a key known only to
a user (a private key) and the other is a public key associated
with the user.
Public-key server - a publicly accessible host (often, a server
connected to the Internet) that freely provides a list of users’
public keys.
Key pair - the combination of the public key and private key.
Digital certificate - a password-protected and encrypted file
that holds an individual’s identification information, including a
public key.
Encryption Methods
Kerberos - a cross-platform authentication protocol that uses key
encryption to verify the identity of clients and to securely exchange
information after a client logs on to a system.
PGP (Pretty Good Privacy) - a public key encryption system that can
verify the authenticity of an e-mail sender and encrypt e-mail data in
transmission.
IPSec (Internet Protocol Security) - defines encryption,
authentication, and key management for TCP/IP transmissions.
SSL (Secure Sockets Layer) - a method of encrypting TCP/IP
transmissions between a client and server using public key encryption
technology.
When a Web page’s URL begins with the prefix HTTPS, it is
requiring that its data be transferred from server to client and vice
versa using SSL encryption.
Each time a client and server establish an SSL connection, they
also establish a unique SSL session.
Handshake protocol - authenticates the client and server to each
other and establishes terms for how they will securely exchange
data.
Eavesdropping
The use of a transmission or recording device to capture
conversations without the consent of the speakers.
Eavesdropping can be accomplished in one of four ways:
Bugging
Listening on one of the parties’ telephone extensions
Using an RF receiver to pick up inducted current near a telephone
wire pair
Wiretapping, or the interception of a telephone conversation by
accessing the telephone signal
Private Switch Security
A hacker might want to gain access to a PBX in order to:
Eavesdrop on telephone conversations, thus obtaining proprietary
information
Use the PBX for making long-distance calls at the company’s
expense, a practice known as toll fraud
Barrage the PBX with such a high volume of signals that it cannot
process valid calls, a practice known as a denial-of-service
(DOS) attack
Use the PBX as a connection to other parts of a telephone
network, such as voice mail, ACD, or paging systems
Voice Mail Security
Voice mail, the service that allows callers to leave messages
for later retrieval, is a popular access point for hackers.
If a hacker obtains access to a voice mail system’s
administrator mailbox, she can set up additional mailboxes
for her private use. Valid voice mail users will never notice.
Privacy breaches - if a hacker guesses the password for a
mailbox, she can listen to the messages in that user’s
mailbox.
Telecommunications Firewall
A type of firewall that monitors incoming and outgoing voice
traffic and selectively blocks telephone calls between different
areas of a voice network.
Performs the following functions:
Prevents incoming calls from certain sources from reaching the
PBX
Prevents certain types of outgoing calls from leaving the voice
network
Prevents all outgoing calls during specified time periods
Collects information about each incoming and outgoing call
Detects signals or calling patterns characteristic of intrusion
attempts, immediately terminates the suspicious connection, and
then alerts the system administrator of the potential breach
Network Operating System
To begin planning client-server security, every network administrator
should understand which resources on the server all users need to
access.
Network administrators typically group users according to their security
levels as this simplifies the process of granting users rights to
resources.
Besides establishing client rights and restrictions to network resources,
a network administrator must pay attention to security precautions
when installing and using the network operating system.
A vigilant network administrator will also take care to keep her servers’
NOS software current.
Restrictions that an administrator may use to protect
network resources include:
Time of day - Use of logon IDs can be valid only during specific
hours, for example, between 8:00 A.M. and 5:00 P.M.
Total time logged in - Use of logon IDs may be restricted to a
specific number of hours per day.
Source address - Use of logon IDs can be restricted to certain
workstations or certain areas of the network.
Unsuccessful logon attempts - As with PBX security, use of data
network security allows administrators to block a connection after
a certain number of unsuccessful logon attempts.
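The four logon restrictions listed above, applied together to a series of attempts. This is an added example, not part of the original slides; the class name, subnet, limits, and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

@dataclass
class LogonPolicy:
    start: time = time(8, 0)                    # time of day: window opens
    end: time = time(17, 0)                     # time of day: window closes
    max_daily: timedelta = timedelta(hours=8)   # total time logged in per day
    allowed_net: str = "10.0.20.0/24"           # source address (constructed)
    max_failures: int = 3                       # unsuccessful logon attempts
    failures: dict = field(default_factory=dict)
    used: dict = field(default_factory=dict)

    def attempt(self, user, when, source, password_ok):
        """Evaluate one logon attempt; return why it was allowed or refused."""
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked out"
        if not self.start <= when.time() < self.end:
            return "outside permitted hours"
        if ip_address(source) not in ip_network(self.allowed_net):
            return "source address not permitted"
        if self.used.get((user, when.date()), timedelta()) >= self.max_daily:
            return "daily time limit reached"
        if not password_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            return "bad password"
        self.failures[user] = 0                 # success resets the counter
        return "ok"

    def record_session(self, user, start, end):
        """Add a finished session to the user's total for that day."""
        key = (user, start.date())
        self.used[key] = self.used.get(key, timedelta()) + (end - start)

def sample_run():
    """Constructed attempts, at least one per restriction."""
    p, day = LogonPolicy(), datetime(2016, 3, 28)
    at = lambda h, m=0: day.replace(hour=h, minute=m)
    out = [p.attempt("alice", at(9), "10.0.20.5", True),
           p.attempt("alice", at(19), "10.0.20.5", True),
           p.attempt("alice", at(9), "192.0.2.9", True)]
    out += [p.attempt("bob", at(10), "10.0.20.6", False) for _ in range(3)]
    out.append(p.attempt("bob", at(10, 5), "10.0.20.6", True))
    p.record_session("alice", at(8), at(16))
    out.append(p.attempt("alice", at(16, 30), "10.0.20.5", True))
    return out
```

The lockout check runs first, so a locked account is refused even when the next attempt carries the correct password.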
Security Through Network Design
Risks inherent in data network hardware and
design:
Transmissions can be intercepted
Leased lines are vulnerable to eavesdropping
Shared media and broadcast traffic allow data
capture
Device ports can be exploited
Private IP addresses can be exploited
Private and public hosts on the same network
Firewall
Packet-filtering firewall - a device that operates at the Data
Link and Transport layers of the OSI model.
Criteria used to accept or deny data include:
Source and destination IP addresses
Source and destination ports
Use of the TCP, UDP, or ICMP transport protocols
A packet’s status as the first packet in a new data stream or
a subsequent packet
A packet’s status as inbound or outbound to or from a
private network
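A small first-match rule evaluator that uses the criteria listed above, with anything unmatched denied. This is an added example, not part of the original slides; the rule set, addresses, and names are constructed, and rules here match on destination port only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str         # "in" or "out" relative to the private network
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]   # None for ICMP
    first: bool            # first packet of a new stream (TCP SYN, no ACK)

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "deny"
    direction: Optional[str] = None  # None matches anything
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    first: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.proto in (None, p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport)
                and self.first in (None, p.first))

def decide(rules, p):
    """First matching rule wins; a packet that matches nothing is denied."""
    return next((r.action for r in rules if r.matches(p)), "deny")

LAN, WEB, EXT = "10.0.0.0/8", "10.0.5.10/32", "203.0.113.7"   # constructed
RULES = [
    Rule("accept", "in", "tcp", dst=WEB, dport=443),     # published web server
    Rule("accept", "out", src=LAN),                      # inside may start streams
    Rule("accept", "in", "tcp", dst=LAN, first=False),   # subsequent packets only
]

def demo():  # decisions for five constructed packets
    pkts = [Packet("in", "tcp", EXT, "10.0.5.10", 443, True),
            Packet("in", "tcp", EXT, "10.0.1.20", 22, True),
            Packet("in", "tcp", EXT, "10.0.1.20", 51000, False),
            Packet("out", "tcp", "10.0.1.20", EXT, 443, True),
            Packet("in", "icmp", EXT, "10.0.1.20", None, False)]
    return [decide(RULES, p) for p in pkts]
```

The last rule accepts an inbound TCP packet as "subsequent" purely on the packet's own flags; a filter that tracks connection state would also check that the stream was opened from inside.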
Factors to be considered when choosing a firewall:
Does the firewall support encryption?
Does the firewall support user authentication?
Does the firewall allow the network administrator to manage it
centrally and through a standard interface?
How easily can you establish rules for access to and from the
firewall?
Does the firewall support filtering at the highest layers of the OSI
model, not just at the Data Link and Transport layers?
Proxy Servers
Proxy server (Gateway) - the network host that runs the proxy
service.
Proxy servers manage security at all layers of the OSI
model.
On a network, a proxy server is placed between the private
and public parts of a network.
Proxy service - a software application on a network host that
acts as an intermediary between the external and internal
networks, screening all incoming and outgoing traffic.
Virtual Private Networks (VPNs)
Private networks that use public channels to
connect clients and servers.
Point-to-Point Tunneling Protocol (PPTP) - A Layer 2
protocol that encapsulates PPP so that any type of data can
traverse the Internet, masked as pure IP transmissions.
Layer 2 Tunneling Protocol (L2TP) - an enhanced version
of L2F that, like L2F, supports multiple protocols.
Does not require costly hardware upgrades to implement
Optimized to work with the next generation of IP (IPv6) and IPSec
Cellular Network Security
Hackers intent on obtaining private information can find ways to
listen in on cellular conversations.
Potentially more damaging than eavesdropping is cellular
telephone fraud.
Cellular telephone cloning - occurs when a hacker obtains a
cellular telephone’s electronic serial number (ESN), and then
reprograms another handset to use that ESN.
To combat cloning fraud, cellular telephones transmit their ESN
numbers in encrypted form.
Wireless WAN Security
War driving - searching for unprotected wireless networks by
driving around with a laptop configured to receive and capture
wireless data transmissions.
Wired Equivalent Privacy (WEP) standard - a key encryption
technique that assigns keys to wireless nodes.
Extensible Authentication Protocol (EAP) - defined by the
IETF in RFC 2284.
Does not perform encryption. Instead, it is used with separate
encryption and authentication schemes.
Summary
In a risk assessment, an organization analyzes its valuable
assets, ways in which the assets might be compromised, the
sources of threats to those assets, and the consequences that
would arise if those assets were stolen or damaged.
Key goals of a security policy include: preventing unauthorized
users from gaining access to facilities, cabling, devices,
systems, programs, or data, and preventing accidental or
intentional damage to hardware, facilities, or software.
Encryption acts as the last means of defense against
information eavesdropping, theft, or tampering.