information security
Download
Report
Transcript information security
Session 1
Introduction
Network Cyber Security
Network Security
Essentials
Application and
Standards
5th edition
William Stallings
Prentice Hall
2014
Acknowledgements: William Stallings.
All rights Reserved
1
Information Security
• Physical
• Administrative
• “Lockup the file cabinet”
Acknowledgements: William Stallings.
All rights Reserved
2
Private Networks
•
•
•
•
Isolated to individual organizations
Emergence of computer security
Sharing a system
Protecting data
Acknowledgements: William Stallings.
All rights Reserved
3
Networking
• Networks start talking to
each other
• Gateways
• Arpanet
• TCP/IP Everywhere
• Vinton Cerf,
“IP On Everything!”
Acknowledgements: William Stallings.
All rights Reserved
4
Maturing of the Internet
• Telephones used by 50% of worlds
population
• Internet attains similar level of growth
by 2010 – max growth
• Connecting computers and
programmable devices
• More devices than people
Acknowledgements: William Stallings.
All rights Reserved
5
Early Hacking
• Cap’n Crunch cereal prize
• Giveaway whistle
produces 2600 MHz tone
• Blow into receiver – free
phone calls
• “Phreaking” encouraged by
Abbie Hoffman
• Doesn’t hurt anybody
Acknowledgements: William Stallings.
All rights Reserved
6
Captain Crunch
• John Draper
• `71: Bluebox built by
many
• Jobs and Wozniak were
early implementers
• Developed “EasyWriter”
for first IBM PC
• High-tech hobo
• Whitehat hacker
Acknowledgements: William Stallings.
All rights Reserved
7
The Eighties
• 1983 – “War Games”
movie
• Federal Computer Fraud
and Abuse Act - 1986
• Robert Morris – Internet
worm -1988
• Brings over 6000
computers to a halt
• $10,000 fine
• His Dad worked for the
NSA!!!
Acknowledgements: William Stallings.
All rights Reserved
8
It Got Worse
• 1995 – Kevin Mitnick
arrested for the 2nd
time
• Stole 20,000 credit card
numbers
• First hacker on FBI’s
Most Wanted poster
• Tools: password
sniffers, spoofing
• www.2600.com
Acknowledgements: William Stallings.
All rights Reserved
9
Tracking Attacks
http://www.cert.org
Acknowledgements: William Stallings.
All rights Reserved
10
That Was Then; This Is Now
• Wget – retrieves content
from web server
• Can recursively download
entire web sites
• 2010 US Army intelligence
analyst PFC Bradley
Manning used Wget to
download cables and
reports
• Sent them to Wikileaks
Acknowledgements: William Stallings.
All rights Reserved
11
Cyber Warfare
• 61398 Building in Shanghai
where cyber attacks are
launched
Stuxnet attacks Iran’s
nuclear centrifuges
Acknowledgements: William Stallings.
All rights Reserved
12
Surprising (?) Revelations
• A former systems
administrator for the CIA
• Used Wget expose
thousands of classified NSA
documents
• Whistleblower/Hero or
Villain/Traitor?
• Much of this wasn’t new
Acknowledgements: William Stallings.
All rights Reserved
13
Hacking Has Matured
• Computer Security
Conference that
brings together a
variety of people
interested in
information
security
• Representatives of
government
agencies and
corporations attend,
along with hackers
Acknowledgements: William Stallings.
All rights Reserved
14
We Live In a New World
•
•
•
•
•
Big Data
Metadata
Intensive Marketing Analysis
Totally Connected
Internet of Things
Acknowledgements: William Stallings.
All rights Reserved
15
Cyber Security
“Just because you're
paranoid, doesn't
mean they aren't
after you”
― Joseph Heller,
Catch-22
Acknowledgements: William Stallings.
All rights Reserved
16
Services, Mechanisms, Attacks
(OSI Security Architecture)
• Services – enhance the security of data processing
systems and xfers – counter security attacks
• Mechanisms – detect, prevent or recover from a
security attack
• Attacks – actions that compromise the security of
information owned by an organization
Acknowledgements: William Stallings.
All rights Reserved
17
Security Attacks
Information
source
Information
destination
Normal Flow
Acknowledgements: William Stallings.
All rights Reserved
18
Security Attacks
Information
source
Information
destination
Interruption
•
Attack on availability
Acknowledgements: William Stallings.
All rights Reserved
19
Security Attacks
Information
source
Information
destination
Interception
•
Attack on confidentiality
Acknowledgements: William Stallings.
All rights Reserved
20
Security Attacks
Information
source
Information
destination
Modification
•
Attack on integrity
Acknowledgements: William Stallings.
All rights Reserved
21
Security Attacks
Information
source
Information
destination
Fabrication
•
Attack on authenticity
Acknowledgements: William Stallings.
All rights Reserved
22
Security Attacks
Passive threats
Release of
message contents
•
Traffic
analysis
eavesdropping, monitoring transmissions
Acknowledgements: William Stallings.
All rights Reserved
23
Security Attacks
Active
threats
Masquerade
•
Replay
Modification of
message contents
Denial of
service
some modification of the data stream
Acknowledgements: William Stallings.
All rights Reserved
24
Security Attacks
On the Internet, nobody knows you’re a dog
- by Peter Steiner, New York, July 5, 1993
Acknowledgements: William Stallings.
All rights Reserved
25
Security Attacks
Acknowledgements: William Stallings.
All rights Reserved
26
Security Services
• Confidentiality – protection from passive
attacks
• Authentication – you are who you say you are
• Integrity – received as sent, no modifications,
insertions, shuffling or replays
Acknowledgements: William Stallings.
All rights Reserved
27
Security Services
• Nonrepudiation – can’t deny a message was
sent or received
• Access Control – ability to limit and control
access to host systems and apps
• Availability – attacks affecting loss or reduction
on availability
Acknowledgements: William Stallings.
All rights Reserved
28
Network Security Model
Acknowledgements: William Stallings.
All rights Reserved
29
Network Security Model
Four basic tasks in designing a security service:
•
•
•
•
Design algorithm
Generate secret information to be used
Develop methods to distribute and share info
Specify a protocol to be used by the two
principals
Acknowledgements: William Stallings.
All rights Reserved
30
Protocols – Simple To Complex
Acknowledgements: William Stallings.
All rights Reserved
31
Network Access Security Model
Acknowledgements: William Stallings.
All rights Reserved
32
Internet Standards and RFCs
• Internet Architecture Board (IAB)
- overall architecture
• Internet Engineering Task Force (IETF)
- engineering and development
• Internet Engineering Steering Group (IESG)
- manages the IETF and standards process
Acknowledgements: William Stallings.
All rights Reserved
33
Request For Comments (RFC)
• RFCs are the working notes of the Internet
research and development community
Acknowledgements: William Stallings.
All rights Reserved
34
Standardization Process
•
•
•
•
•
Stable and well understood
Technically competent
Substantial operational experience
Significant public support
Useful in some or all parts of Internet
Key difference from ISO: operational experience
Acknowledgements: William Stallings.
All rights Reserved
35
RFC Publication Process
IETF
< 6 months
Internet
draft
IESG
> 6 months
Proposed
Experimental
Informational
standard
two independent
implementations
> 4 months
Draft
standard
Internet
standard
Historic
Acknowledgements: William Stallings.
All rights Reserved
36
Useful Websites
• http://www.williamstallings.com/NetworkSecurity/
NetSec5e-Student/
Some recommended sites by the text author
• http://www.rfc-editor.org/rfcsearch.html
Search RFCs
• http://www.cert.org
Center for Internet Security
• http://www.us-cert.gov/cas/alerts/
Some recent alerts from the Dept. Of Homeland
Security
Acknowledgements: William Stallings.
All rights Reserved
37
Homework
•
Read Chapter One
Acknowledgements: William Stallings.
All rights Reserved
38
See ya next attack session!!!
Acknowledgements: William Stallings.
All rights Reserved
39