Why we need IT security - Department of Computer Science and


Information technology security
Fundamentals of Information Technology
Session 8
Why we need IT security
• Estimated UK losses to cybercrime in 2011 were
in the region of £27 billion
– £21bn of costs to businesses
– £2.2bn to government
– £3.1bn to citizens.
• This accounts only for reported crimes; the
figure is probably much higher
Why we need IT security
[Chart: UK crime vs UK cybercrime, 2009, 2010, 2011]
What is cybercrime?
• Cybercrime is not new crime; it is old crime facilitated by
new digital technologies, e.g.
– Theft
– Fraud
– Identity theft
– Obscene publication
– Slander
– Copyright infringement
• Digital technology facilitates these crimes; in many
cases, it makes them easier and less risky to carry out
The role of computer networks in
cybercrime
• The growth of cybercrime correlates exactly with the
proliferation of computer networks, particularly the
Internet
• Large public networks, like the Internet, create
vulnerabilities which present opportunities for
criminals
• Vulnerabilities create the potential to develop new
threats. These threats create new risks for
organisations, which in turn have potential detrimental
impacts on information and/or financial assets
• In response to threats and risks, organisations must
seek to adopt a range of protective countermeasures
• These should be set out in an information security
management document
Vulnerabilities
• A vulnerability is a point where a system is weak
• In IT systems vulnerabilities exist:
– At the interface between internal and external networks
– Along lines of network communication
– In loopholes in application code
– Where data is stored
• Vulnerabilities in IT systems arise for several reasons:
– Human error/carelessness
– Technical weaknesses
– Lack of foresight/planning
Threats
• Threats are targeted at vulnerabilities in IT systems
• A threat is a malicious and/or illegal activity
conducted by individuals or groups. Common examples
of threats are:
– Hacking
– Sniffing
– Malware infection (Viruses/Worms/Trojans)
– Denial of service attack
– Phishing
– Copyright infringement
– Software piracy
Risks
• Risks are the potential outcomes of threats being
carried out against organisations or individuals
Threat                   | Risks
Phishing                 | Identity theft. Fraud
Hacking                  | Loss of sensitive/personal data. Theft. Loss of trust
Virus/Malware infection  | Damage to systems. Loss of service
Denial of service        | Loss/degradation of service. Loss of revenue and trust
• Organisations need to employ risk management
techniques to mitigate the likely occurrence and impact
of potential threats
Risk management
• The level of risk associated with a threat can be decided
by looking at likelihood and impact
Risk management
• The countermeasures an organisation puts in place will be
determined by its attitude to risk. This may be that:
– No risks are acceptable: all risks, whether low, medium or high, should
be treated.
– Low risks are acceptable: only medium and high risks should be
treated.
– Low and medium risks are acceptable: only high risks should be
treated.
• Attitude to risk is generally determined by:
– Available resources
– Previous experience of information security breaches
– The current approach to risk of other organisations in the same sector
– Legislation or regulation
– Contractual obligations
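The two slides above describe a procedure: score each threat by likelihood and impact, then treat only the risks that exceed the organisation's appetite. The following is an added worked example, not code from the session; the 3x3 numeric scale, the band boundaries and the sample risk register are assumptions made for illustration.

```python
"""Risk scoring and treatment decision.

Added illustration (not from the session slides): a 3x3 likelihood/impact
matrix combined with the three attitudes to risk listed in the session.
The numeric scale and the band boundaries are assumptions.
"""
from dataclasses import dataclass

# Ordinal scale for both likelihood and impact (assumed).
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Lowest risk level that each attitude to risk requires to be treated.
ATTITUDE_THRESHOLD = {
    "no risks acceptable": "low",               # treat low, medium and high
    "low risks acceptable": "medium",           # treat medium and high only
    "low and medium risks acceptable": "high",  # treat high only
}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a risk level.

    Score = likelihood x impact on the 1..3 scale; banding (assumed):
    1-2 -> low, 3-4 -> medium, 6-9 -> high.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def risks_to_treat(threats, attitude: str) -> list[str]:
    """Names of the threats whose risk level meets the attitude's threshold."""
    threshold = LEVELS[ATTITUDE_THRESHOLD[attitude]]
    return [
        t.name for t in threats
        if LEVELS[risk_level(t.likelihood, t.impact)] >= threshold
    ]


# Constructed sample risk register (illustrative values, not real data).
SAMPLE_REGISTER = [
    Threat("Phishing of staff", "high", "medium"),         # 3x2 = 6 -> high
    Threat("Sniffing of IM traffic", "medium", "medium"),  # 2x2 = 4 -> medium
    Threat("DoS against public website", "low", "high"),   # 1x3 = 3 -> medium
    Threat("Software piracy by staff", "low", "low"),      # 1x1 = 1 -> low
]


if __name__ == "__main__":
    for attitude in ATTITUDE_THRESHOLD:
        print(f"{attitude}: treat {risks_to_treat(SAMPLE_REGISTER, attitude)}")
```

Running the script prints, for each attitude, the shrinking list of threats that must be treated; note that the same register produces one, three or four items to treat depending only on the appetite chosen, which is why the session says countermeasures are determined by attitude to risk.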
Countermeasures
Vulnerability | Threat | Risk | Possible countermeasure
Provision of IM to employees | Sniffing | Loss of company data | Encrypt IM transmissions
Customer payments | Sniffing | Loss of customer card details. Loss of trust | Implement TLS for payment systems
Network | Unauthorised access | Theft of customer details. Loss of trust. Litigation | Establish more robust network authorization policy. Invest in proxy server
Email system / VoIP | Viruses/worms | Destruction of data. System degradation. Loss of service | Invest in better anti-virus system. Invest in firewall
Public website | Denial of Service attack | Loss of public presence. Loss of trust. Loss of revenue | Create mirror web site
Countermeasures
• Countermeasures need to be continually updated as
criminals learn how to overcome them (e.g. automatic
updates)
• Success in the development of countermeasures
generally means no more than staying just ahead of the
threat
• However, this is not always possible, as criminals are
continually looking for ways to circumvent
countermeasures either through the use of technology or
through human agents (e.g. crooked employees in bank
call centres)
• One countermeasure alone is never enough to protect
an organisation’s digital assets: a combination of
countermeasures needs to be adopted
Countermeasures – Encryption
• All communications across the Internet are vulnerable to
packet sniffing
[Diagram: a client on the company LAN sends a message (email, VoIP, IM) across the Internet; (packet) sniffing software on the path reads the message, leading to:]
· Loss of personal or organisational data
· Theft
· Identity theft
· Fraud
Countermeasures – Encryption
• Encrypting data sent across a network converts it into
ciphertext that third parties cannot read without the
decryption key
• Encryption should be used for sensitive communications
sent across the Internet
• All online payments should use security protocols like
Secure Sockets Layer (SSL) or, more recently,
Transport Layer Security (TLS), which ensure privacy
between communicating applications
• TLS works by negotiating an encryption algorithm and
unique cryptographic keys between a client and a server
before any application data is exchanged.
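The slide's point is that payments should run over TLS, the successor to SSL, with the two ends agreeing on the algorithm and keys before data flows. A practitioner's check is that the client side is actually configured that way. The block below is an added example, not code from the session; it uses only Python's standard ssl module, opens no network connection, and the "weak" configuration is constructed for comparison.

```python
"""TLS client configuration check.

Added illustration, not from the session: builds a client-side TLS context
with Python's standard ssl module and audits it against the slide's point
that sensitive traffic should use TLS (not the older SSL) with the server's
identity verified. Nothing here opens a network connection.
"""
import ssl


def make_hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses pre-TLS 1.2 protocols and verifies the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSL 3.0, TLS 1.0 and 1.1
    ctx.check_hostname = True                      # certificate must name the server
    ctx.verify_mode = ssl.CERT_REQUIRED            # and chain to a trusted CA
    ctx.load_default_certs()                       # system trust store (may be empty offline)
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """Constructed weak configuration, for comparison only: accepts any server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1     # permits negotiating obsolete versions
    ctx.check_hostname = False                     # order matters: hostname check off first,
    ctx.verify_mode = ssl.CERT_NONE                # then certificate verification off
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a context; an empty list means it passes the audit."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions older than TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid server certificate")
    if not ctx.check_hostname:
        findings.append("does not check that the certificate matches the host name")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_hardened_client_context()) or "OK")
    print("weak:    ", audit_context(make_weak_client_context()))
```

The audit deliberately treats certificate verification and hostname checking as part of "using TLS": encryption alone protects the data from a passive sniffer, but without verifying who holds the other end of the connection the negotiated keys may be shared with an impostor rather than the intended payment server.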
Countermeasures – (Reverse)
Proxy server
• A reverse proxy server places an extra barrier between
an external network and an internal network’s assets
(e.g. the Internet and private company files)
• A reverse-proxy only allows internet users to indirectly
access certain internal servers
Countermeasures – (Reverse)
Proxy server
• Internet users then only see the IP address of the proxy
server, so the true identity of internal servers is hidden;
thus, making them less vulnerable to attack
• A reverse proxy server will first check to make sure a
request is valid. If a request is not valid, it will not
continue to process the request resulting in the client
receiving an error or a redirect.
• Reverse proxy servers are also used to terminate encrypted
connections (SSL or TLS) on behalf of the internal servers
Countermeasures – Firewall
• A firewall is a system or group of systems that enforces
an access control policy between two networks, usually
the Internet and a Private LAN
• A firewall can also be used to secure sensitive sections
of private networks from unauthorised employee access
[Diagram: Client, Internet, Web server, Company LAN and Sensitive data, with a firewall between the Internet and the company LAN and a further firewall around the sensitive data]
Countermeasures – Firewall
• A firewall can be software (e.g. Windows Firewall), hardware or a
combination of hardware and software
• A firewall is used to:
– Inspect all inbound and outbound internet messages (Uses packet
filtering to distinguish between legitimate messages that are
responses to valid user activity and illegitimate messages that are
unsolicited). Makes its decisions based on message source address,
destination address and requested port and in many cases on previous
traffic history (stateful packet filtering)
– Block network traffic from specified applications that can serve as
conduits for threats (e.g. LimeWire, Yahoo Messenger)
– Block denial of service attacks
• Firewall rules must be pre-specified by the system administrator
• A firewall is a first line of defence; it does not stop viruses or other
malware
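The firewall slide lists the inputs to a filtering decision: source address, destination address, requested port, and (for stateful packet filtering) previous traffic history. The following is an added example that is not code from the session: a minimal stateful filter in Python that accepts inbound packets only as replies to sessions the LAN opened, drops outbound traffic to ports outside the administrator's policy, and blocks a source that keeps sending unsolicited packets. Addresses, ports and the threshold are constructed sample values.

```python
"""Stateful packet filter, simplified.

Added illustration, not code from the session: it models the decisions the
slide lists (source/destination address, requested port, and previous
traffic history). Addresses, ports and thresholds are constructed values.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    sport: int      # source port
    dport: int      # destination port
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN


class StatefulFirewall:
    def __init__(self, allowed_outbound_ports, blocked_hosts=(), dos_threshold=3):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.blocked_hosts = set(blocked_hosts)
        self.dos_threshold = dos_threshold
        # Connection state: (lan_host, remote_host, remote_port) opened from inside.
        self.sessions = set()
        # Count of unsolicited inbound packets per external source (traffic history).
        self.unsolicited = Counter()

    def filter(self, pkt: Packet) -> str:
        """Return "ACCEPT" or "DROP" for one packet, updating state as a side effect."""
        if pkt.src in self.blocked_hosts or pkt.dst in self.blocked_hosts:
            return "DROP"
        if pkt.direction == "out":
            # Outbound: allow only ports in the administrator's policy; remember the session.
            if pkt.dport not in self.allowed_outbound_ports:
                return "DROP"
            self.sessions.add((pkt.src, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: accept only replies to sessions the LAN opened (the stateful check).
        if (pkt.dst, pkt.src, pkt.sport) in self.sessions:
            return "ACCEPT"
        # Unsolicited inbound traffic is dropped; a source that keeps trying is
        # added to the block list (a crude guard against flooding).
        self.unsolicited[pkt.src] += 1
        if self.unsolicited[pkt.src] >= self.dos_threshold:
            self.blocked_hosts.add(pkt.src)
        return "DROP"


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "203.0.113.10", 51000, 443, "out"),   # browser -> web server
    Packet("203.0.113.10", "10.0.0.5", 443, 51000, "in"),    # reply to that request
    Packet("198.51.100.7", "10.0.0.5", 40000, 3389, "in"),   # unsolicited inbound attempt
    Packet("10.0.0.5", "203.0.113.20", 51001, 6346, "out"),  # outbound to a port outside policy
    Packet("198.51.100.7", "10.0.0.5", 40001, 22, "in"),     # unsolicited again
    Packet("198.51.100.7", "10.0.0.5", 40002, 445, "in"),    # third time: source becomes blocked
    Packet("198.51.100.7", "10.0.0.5", 40003, 80, "in"),     # now dropped by the block list
]


def run_demo(traffic=SAMPLE_TRAFFIC) -> list[str]:
    """Apply a policy allowing outbound web and mail only; return one verdict per packet."""
    fw = StatefulFirewall(allowed_outbound_ports={80, 443, 25})
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run_demo()):
        print(f"{verdict:6} {pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The second packet is accepted only because the first one was seen: with the session table emptied, the same reply would be dropped. That dependence on history is what distinguishes stateful filtering from a static address/port rule, and it is also why the slide's last bullet holds: the filter inspects addresses and ports, not the content of the accepted reply, so malware inside a permitted connection passes through.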
Countermeasures – Antivirus
• Antivirus software is a computer program that attempts to
identify, neutralize or eliminate malware (viruses, worms, trojans)
• Antivirus software commonly uses three approaches to identify
malware:
– Virus dictionary (Antivirus scans files in memory, the operating
system and registry and compares them to a dictionary of known
malware)
– Identifying suspicious behaviour (Antivirus notes the behaviour of
all executable programs and brings any suspicious activity to the
attention of the user, e.g. an executable is triggered by another
executable)
– Whitelisting (Rather than looking for only known bad software, this
approach prevents execution of all computer code except that which
has been previously identified as trustworthy by the system
administrator)
Countermeasures – Antivirus
• All three approaches have their weaknesses
– A virus dictionary only protects against known viruses. Antivirus
software only protects against 20-30% of zero day threats
– The suspicious behaviour approach tends to produce many false
positives, which in turn can result in the user becoming
desensitized
– Whitelisting is difficult in large, complex organisations where
there are a large number of applications. This makes keeping an
inventory of trusted applications difficult. It also reduces
flexibility of software installation
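The two antivirus slides describe three identification approaches and the weakness of each. The block below is an added example, not code from the session or any antivirus product: it runs a constructed known worm, an approved application and a previously unseen program through a dictionary lookup, a whitelist and a behaviour rule, so the gaps the second slide lists (the dictionary missing the zero-day, the behaviour rule flagging a legitimate installer) are visible in the results. File contents, hashes and the process-event log are all constructed.

```python
"""The three malware-identification approaches from the session, side by side.

Added illustration, not the session's or any vendor's code. "Files" are
constructed byte strings, signatures are hashes of those bytes, and the
behaviour input is a constructed list of process events.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample programs; none of these bytes are real executables.
KNOWN_WORM = b"constructed: known worm sample"
PAYROLL_APP = b"constructed: payroll application approved by the administrator"
NEW_MALWARE = b"constructed: previously unseen malicious program (zero-day)"

# Approach 1: virus dictionary of known-bad signatures (here, whole-file hashes).
MALWARE_DICTIONARY = {sha256(KNOWN_WORM)}

# Approach 3: whitelist of programs the administrator has identified as trustworthy.
TRUSTED_PROGRAMS = {sha256(PAYROLL_APP)}


def dictionary_scan(file_bytes: bytes) -> bool:
    """True if the file matches a known-malware signature."""
    return sha256(file_bytes) in MALWARE_DICTIONARY


def whitelist_allows(file_bytes: bytes) -> bool:
    """True only for previously approved programs; everything else is blocked."""
    return sha256(file_bytes) in TRUSTED_PROGRAMS


def behaviour_scan(events: list[dict]) -> list[str]:
    """Approach 2: flag suspicious actions, e.g. an executable launching another executable."""
    findings = []
    for e in events:
        if e["action"] == "spawn" and e["target"].endswith(".exe"):
            findings.append(f'{e["process"]} launched {e["target"]}')
    return findings


# Constructed process-activity log for the behaviour approach.
SAMPLE_EVENTS = [
    {"process": "invoice.pdf.exe", "action": "spawn", "target": "updater.exe"},
    {"process": "editor.exe", "action": "open", "target": "notes.txt"},
    {"process": "setup.exe", "action": "spawn", "target": "helper.exe"},  # legitimate installer: a false positive
]


def run_demo() -> dict:
    """Compare how each approach treats a known worm, an approved app and a zero-day."""
    samples = {"known worm": KNOWN_WORM, "payroll app": PAYROLL_APP, "zero-day": NEW_MALWARE}
    return {
        "dictionary_detects": [n for n, b in samples.items() if dictionary_scan(b)],
        "whitelist_blocks": [n for n, b in samples.items() if not whitelist_allows(b)],
        "behaviour_findings": behaviour_scan(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for approach, result in run_demo().items():
        print(f"{approach}: {result}")
```

Reading the three result lists against the slide: the dictionary catches only the known worm and lets the zero-day run; the whitelist blocks both the worm and the zero-day but requires the administrator to have hashed every legitimate program in advance, which is the inventory burden the slide mentions; and the behaviour rule catches the suspicious chain but also reports the installer, the kind of false positive that desensitises users.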
Fallback and Disaster recovery
• As well as first line countermeasures, fallback
measures also need to be factored into IT security
policies. This will include:
– Mirror websites
– Back up servers
– Backed up data
– Offsite hosting
• To prepare for outright disaster, an organisation
should develop a disaster recovery policy. This sets
out the procedures for dealing with any significant or
unusual incident that has long-term implications for the
business
Education
• Technical countermeasures by themselves are never enough, as
many security breaches are the result of human error rather than
technical weakness. For example:
– Employee installs infected software
– Employee uses unsecured connection for transmission of sensitive
company data
– Administrator fails to set access privileges correctly
– Firewall software not updated
• To mitigate human error, companies need to develop:
– An acceptable use policy which lays out to employees and other
users the rules for using the organisation’s IT Systems
– Training to disseminate security protocols and acceptable use policy
Legal obligations
• All organisations are legally obliged to have a minimum
level of IT security where they hold sensitive data on
individuals (e.g. customer data)
• Failure to ensure the minimum security measures can
result in prosecution under the Data Protection Act
1998 (DPA)
• Norwich Union was fined £1.26 million in 2007 for
allowing thieves to gain access to customer account
details and steal £3.3 million
FIT Session 8 – Activities
• Now do
– Activity 8 – IT security