Security Issues in Technology
Download
Report
Transcript Security Issues in Technology
Security
Myths about Business Risks
in the Information Age
Security is only about protecting “things”
We don’t have any information anyone would want
Security problems have never happened here.
Firewalls provide enough security
Technology will solve the security problem
The “enemy” is outside
Our people won’t tolerate tight security
My PC is secure, so I’m secure
The Internet can’t be used for secure
communications
The Economist and Arthur Andersen
SECURITY:
Deter
Detect
Minimize
Investigate
Recover
Security Risks
Internal
External
Accidental
Destruction
Alteration
Access
Intentional
Threats
Disaster and breakdowns
Access and disclosure
Alteration or destruction
Improper use
RISK ASSESSMENT
P1
P2
L
Probability of attack
Probability of success
Cost of Loss
Expected Loss = P1 * P2 * L
Minimize Threat Categories
Security Policy
Security is always a cost to efficiency. It
must be promoted to be effective.
From the top
Before installing hardware
Politically charged
Writing a Security Policy
Assess the types of risks
Identify vulnerabilities
Analyze user needs
Write the policy
Develop change procedures
Plan implementation
Implement
Risk Areas
Personnel Risk
Background checks
Segregation of duties
Terminated employees
Physical Access
Risk
Disaster Risk
Disaster Recovery
Backup/hot sites
Integrity Risk
Access Risk
Availability Risk
Infrastructure
Capability
Denial of service
Integrity Risk
Risks associated with the authorization,
completeness and accuracy of transactions
User interface
Processing
Error Processing
Interfaces with other systems/databases
Change Management
Data
Privacy
Backup
Access Risk
Risks associated with inappropriate access
to systems or data
Identification, authentication and
nonrepudiation
What you know, what you have, what you are
Encryption (algorithm and key)
Secret key, private/public key
smart cards, hardware tokens
Digital Signature (hashing and public key; encrypt with
private key, send with private key, and then decode with
public key)
Certification authority and digital certificates
Security Protocols
Firewalls and Guards
Elements of Risk
Asset
Threat
Access
Administrative Controls:
Limit the Threat
Standards, rules, procedures and
discipline to assure that personnel
abide by established policies.
Includes segregation of functions.
Administrative Controls
Security organization
Audits
Risk assessment
Administrative standards and procedures
Protecting the Assets
Resource management
Disaster recovery
System segregation
Resource Management
Backup planning
Job scheduling
Redundant design
Selective decoupling
Disaster Management
Redundancy and fault tolerant systems
Backups and off site storage
Hot and cold sites
Planning and procedures
Elements of Risk
Asset
Threat
Access
Vulnerabilities
Servers
Securing operating systems and applications
Networks
Access protection from snooping, attacks,
spoofing
Clients and modems
User verification for PCAnywhere etc.
Viruses
Operating Systems
UNIX
Novell Netware
Windows and Windows NT
Secure Operating Systems
U.S. Government Certification
A1, B1, B2, B3, C1, C2 (most commercial
systems), D
Ease of use
CERT (Computer Emergency Response
Team) www.cert.org
Top 12 SecurityRisks
1. Hosts run unnecessary
services
3. Information leakage through
network service programs
4. Misuse of trusted access
5. Misconfigured firewall access
lists
7. Misconfigured web servers
10.Inadequate logging,
monitoring or detecting
Top 12 Security Risks
2. Unpatched, outdated or
default configured software
6. Weak Passwords
8.Improperly exported file
sharing services
9. Misconfigured or unpatched
Windows NT servers
11.Unsecured remote access
12.Lack of comprehensive
policies and standards
Tools
Firewalls
Network partitioning and routers
Encryption
Testing tools
Consultants
Firewall functions
Packet Filter: Blocks traffic based on IP address and/or
port numbers.
Proxy Server: Serves as a relay between two networks,
breaking the connection between the two.
Network Address Translation (NAT): Hides the IP
addresses of client stations in an internal network by
presenting one IP address to the outside world.
Stateful Inspection: Tracks the transaction in order to
verify that the destination of an inbound packet matches
the source of a previous outbound request. Generally can
examine multiple layers of the protocol stack.
Firewall Operation
Firewall
Operation
1. A router sits between two
networks
2. A programmer writes an access control list,
which contains IP addresses that can be allowed
onto the network.
3. A message gets sent to the router. It checks the
address against the access control list. If
address the is on the list, it can go through.
4. If the address isn't on the list, the message is
denied access to the network.
Encryption
Keys and key length
Public key/private key
Processing problems
Location
Application
Network
Firewall
Link
Encryption
Techniques
How Public Encryption
Works
1. Sue wants to send a
message to Sam, so she
finds his public key in a
directory.
2. Sue uses the public key
to encrypt the message
and send it to Sam.
3. When the encrypted
message arrives, Sam
uses his private key to
decrypt the data and read
Sue's message.
Encryption at the Firewall
Authentication
Passwords
“Credit” cards
Biometrics
Isolation
Remote location verification
Biometrics: how it works
Users "enroll" by having their fingerprints, irises, faces,
signatures or voice prints scanned.
Key features are extracted and converted to unique
templates, which are stored as encrypted numerical data.
Corresponding features presented by a would-be user are
compared to the templates in the database.
Matches will rarely be perfect, and the owners of the
system can vary a sensitivity threshhold so as to minimize
either the rate of false rejections, which annoy users, or
false acceptances, which jeopardize security. This offers far
more flexibility than the binary "Yes" or "No" answers
given by password technologies.
Common biometric
techniques and how they rate
INTRUSIVNESS EFFORT
Dynamic signature Excellent
verification
Good
Face geometry
Fair
Finger scan
ACCURACY COST
Fair
Fair
Excellent
Good
Good
Fair
Good
Good
Good
Hand geometry
Passive iris scan
Fair
Poor
Good
Excellent
Fair
Excellent
Fair
Poor
Retina scan
Voice print
Poor
Very good
Poor
Poor
Very Good
Fair
Fair
Very Good
International Biometric Group, New York
as reported in Computerworld, Quick Study: Biometrics, 10/12/98
Security