Assuring Reliable and Secure IT Services Chapter 6.
-
Upload
theodora-barrett -
Category
Documents
-
view
222 -
download
0
Transcript of Assuring Reliable and Secure IT Services Chapter 6.
![Page 1: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/1.jpg)
Assuring Reliable and Secure IT Services
Chapter 6
![Page 2: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/2.jpg)
Key Learning Objectives
•Understand factors that drive IT availability and how to provision high-availability systems•Recognize sources of IT systems risk and how to secure IT systems•Recognize trade-offs involved in IT risk management and the inevitability of incidents•Understand management approaches to contain and recover from such incidents
![Page 3: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/3.jpg)
• Redundancy: key to reliable systems– Internet robust enough to withstand
military attack• Exceptionally large number of potential
paths
– Buying extra equipment to guard against failures
–More complex, more difficult to manage
![Page 4: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/4.jpg)
Agenda
• Availability math• High-availability facilities• Securing infrastructure against
malicious threats• Risk management of availability and
security• Incident management and disaster
recovery
![Page 5: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/5.jpg)
Availability Math
• Reliability and availability– 98% available = running and ready to
be used 98 present of the time– Outage tolerance varies by system and
situation• Tasks• Planned or unplanned outage
– E.g. shut down for data backup
![Page 6: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/6.jpg)
Availability of components in series
• Five Components in Series (Each 98 percent available)
![Page 7: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/7.jpg)
Combining Components in Series Decreases Overall Availability
• 15 devices downtime exceed 25%
![Page 8: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/8.jpg)
The effect of redundancy on availability
• Five identical components in parallel (each 98 percent available)
• 99.99999968% available eight nines of availability
![Page 9: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/9.jpg)
High-availability facilities• Redundancy Increase Overall
Availability
![Page 10: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/10.jpg)
• Uninterruptible electric power delivery– Two or more power cables for each
computer– Uninterruptible power supplies (UPSs)
• Physical security– Security guards, closed-circuit television
monitors (CCTVs), biometric access control systems…
– Building “hardened” against external explosions, earthquakes, and other disaster
![Page 11: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/11.jpg)
• Climate control and fire suppression– Heating, ventilating, and air-conditioning (HVAC)
equipment – Smoke detecting, alarming and gas-based fire
suppression
• Network connectivity– 24x7network operation centre (NOC)– Three or more backbone providers
• Help desk and incident response procedures– Responding to unplanned incidents
• N+1 and N+N redundancy– For each type of critical component there should
be at least one unit standing by (N+1)– Twice as many mission-critical components as are
necessary (N+N)
![Page 12: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/12.jpg)
A Representative E-Commerce Infrastructure
![Page 13: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/13.jpg)
Securing infrastructure against malicious threats
• Spending less on information security than on coffee
• 2007 US 1/5 have been “targeted attack”
• Threat is evolving• Classification of
threats– External attacks– Intrusion– Viruses and worms
• Defensive measures– Security policies– Firewalls– Authentication– Encryption– Patching and change
management– Intrusion detection
and network monitoring
![Page 14: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/14.jpg)
External attacks
• Actions against computer infrastructures that harm it or degrade its services without actually gaining access to it
• Denial of service (DoS) attacks– Customers standing in line interacting with the
cashier and deciding not to buy anything– Filter out flood traffic based on the IP address
• Won’t work on distributed denial of service (DDoS) or spoofing
– Patterns of attack can be very similar to legitimate e-commerce traffic
![Page 15: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/15.jpg)
Denial of service (DoS) attacks
![Page 16: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/16.jpg)
A Distributed Denial-of-Service Attack
![Page 17: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/17.jpg)
“Spoofing”
![Page 18: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/18.jpg)
Intrusion
• Gain access to a company’s internal IT infrastructure by a variety of methods– Social engineering
• Low-tech but highly effective techniques for getting people to freely divulge information– Telephone
– Sniffer software– Port scanned: probed for vulnerability to intrusion– Time bombs
• Figuring out what exactly intruders might have done is difficult– Not knowing the consequences high PR penalty
![Page 19: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/19.jpg)
TJX companies
• https://www.youtube.com/watch?v=uLaiKWVI56I
• https://www.youtube.com/watch?v=GRNimxiRxQ4
![Page 20: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/20.jpg)
Viruses and worms
• Malicious software programs that replicate, spreading themselves to other computers– Could be used to launch a DoS attack
• Stuxnet– Targeting Iran’s nuclear program– https://www.youtube.com/watch?
v=cf0jlzVCyOI– https://www.youtube.com/watch?v=v4C
Ac_zGtoY– https://www.youtube.com/watch?
v=IfcYVgRXWdY
![Page 21: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/21.jpg)
Defensive measures
• Security A matter of degree rather than absolutes
• Security policies– Define what is
“inappropriate use”– Complexity of
password– Who can have
accounts– What are allowed to
download
• Firewalls– A collection of HW
and SW designed to prevent unauthorized access
Source: Glanceword.com
![Page 22: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/22.jpg)
• Authentication– Control who accesses
elements of computing infrastructure
– Host authentication, network authentication, data authentication
– Strong authentication• Passwords expire
regularly
• Encryption
• Patching and change management– Patches (fixes)– Detecting a change in
size, or files should not exist• Keeping detailed records of
all files that are supposed to be on production computers
• Intrusion detection and network monitoring– Combination of hardware
probes and software diagnostic systems• E.g. honeypot
![Page 23: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/23.jpg)
Source: http://searchsecurity.techtarget.com/feature/Honeypot-technology-How-honeypots-work-in-the-enterprise
![Page 24: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/24.jpg)
A security management framework
• Make deliberate security decisions• Consider security a moving target• Practice disciplined change
management• Educate Users• Deploy multilevel technical
measures, as many as you can afford
![Page 25: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/25.jpg)
Risk management of availability and security
• Prioritising involves computing the expected loss associated with incidents in these quadrants by multiplying the probability of an incident and its cost if it occurs
![Page 26: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/26.jpg)
Incident management and disaster recovery
• Managing incidents before they occur– Sound infrastructure
design– Disciplined execution
of operating procedures
– Careful documentation– Established crisis
management procedures
– Rehearsing incident response
• Managing during an incident– Obstacles when
handling a crisis• Emotional responses• Wishful thinking and
groupthink• Political manoeuvring• Leaping to conclusion
– Public relations inhibition
• Managing after an incident
![Page 27: Assuring Reliable and Secure IT Services Chapter 6.](https://reader035.fdocuments.in/reader035/viewer/2022062408/56649e4f5503460f94b4627a/html5/thumbnails/27.jpg)
Summary
• How available do our systems need to be?
• Are we taking security threats seriously enough?
• Do we have a solid security policy in place
• Do we have plans for responding to infrastructure incidents?
• Do we practice risk management in availability and security decisions?