Material best practices in network security using ethical hacking

BEST PRACTICES IN NETWORK SECURITY USING ETHICAL HACKING

Transcript of Material best practices in network security using ethical hacking

Page 1: Material best practices in network security using ethical hacking

BEST PRACTICES IN NETWORK SECURITY USING ETHICAL HACKING

Page 2: Material best practices in network security using ethical hacking

Network Security Design: The 12 Step Program

1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies

Page 3: Material best practices in network security using ethical hacking

The 12 Step Program (continued)

7. Develop a technical implementation strategy

8. Achieve buy-in from users, managers, and technical staff

9. Train users, managers, and technical staff

10. Implement the technical strategy and security procedures

11. Test the security and update it if any problems are found

12. Maintain security

Page 4: Material best practices in network security using ethical hacking

Network Assets

• Hardware
• Software
• Applications
• Data
• Intellectual property
• Trade secrets
• Company’s reputation

Page 5: Material best practices in network security using ethical hacking

Security Risks

• Hacked network devices
– Data can be intercepted, analyzed, altered, or deleted
– User passwords can be compromised
– Device configurations can be changed
• Reconnaissance attacks
• Denial-of-service attacks

Page 6: Material best practices in network security using ethical hacking

Security Tradeoffs

• Tradeoffs must be made between security goals and other goals:
– Affordability
– Usability
– Performance
– Availability
– Manageability

Page 7: Material best practices in network security using ethical hacking

A Security Plan

• High-level document that proposes what an organization is going to do to meet security requirements

• Specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy

Page 8: Material best practices in network security using ethical hacking

A Security Policy

• Per RFC 2196, “The Site Security Handbook,” a security policy is a
– “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
• The policy should address
– Access, accountability, authentication, privacy, and computer technology purchasing guidelines

Page 9: Material best practices in network security using ethical hacking

Security Mechanisms

• Physical security

• Authentication

• Authorization

• Accounting (Auditing)

• Data encryption

• Packet filters

• Firewalls

• Intrusion Detection Systems (IDS)

• Intrusion Prevention Systems (IPS)

Page 10: Material best practices in network security using ethical hacking

Encryption for Confidentiality and Integrity

Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality

Figure 8-2. Public/Private Key System for Sending a Digital Signature

Page 11: Material best practices in network security using ethical hacking

Modularizing Security Design

• Security defense in depth
– Network security should be multilayered, with many different techniques used to protect the network
• Belt-and-suspenders approach
– Don’t get caught with your pants down

Page 12: Material best practices in network security using ethical hacking

Modularizing Security Design

• Secure all components of a modular design:
– Internet connections
– Public servers and e-commerce servers
– Remote access networks and VPNs
– Network services and network management
– Server farms
– User services
– Wireless networks

Page 13: Material best practices in network security using ethical hacking

Cisco SAFE

• Cisco SAFE Security Reference Model addresses security in every module of a modular network architecture.

Page 14: Material best practices in network security using ethical hacking

Securing Internet Connections

• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication

Page 15: Material best practices in network security using ethical hacking

Securing Public Servers

• Place servers in a DMZ that is protected via firewalls

• Run a firewall on the server itself

• Enable DoS protection

– Limit the number of connections per timeframe

• Use reliable operating systems with the latest security patches

• Maintain modularity

– Front-end Web server doesn’t also run other services

Page 16: Material best practices in network security using ethical hacking

Security Topologies

Diagram: Enterprise Network, DMZ hosting Web, File, DNS and Mail servers, and the Internet.

Page 17: Material best practices in network security using ethical hacking

Security Topologies

Diagram: Internet, Firewall, DMZ hosting Web, File, DNS and Mail servers, and the Enterprise Network.

Page 18: Material best practices in network security using ethical hacking

Securing Remote-Access and Virtual Private Networks

• Physical security

• Firewalls

• Authentication, authorization, and auditing

• Encryption

• One-time passwords

• Security protocols
– CHAP

– RADIUS

– IPSec

Page 19: Material best practices in network security using ethical hacking

Securing Network Services

• Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
• Require login IDs and passwords for accessing devices
– Require extra authorization for risky configuration commands
• Use SSH rather than Telnet
• Change the welcome banner to be less welcoming

Page 20: Material best practices in network security using ethical hacking

Securing Server Farms

• Deploy network and host IDSs to monitor server subnets and individual servers

• Configure filters that limit connectivity from the server in case the server is compromised

• Fix known security bugs in server operating systems

• Require authentication and authorization for server access and management

• Limit root password to a few people

• Avoid guest accounts

Page 21: Material best practices in network security using ethical hacking

Securing User Services

• Specify in the security policy which applications are allowed to run on networked PCs
• Require personal firewalls and antivirus software on networked PCs
– Implement written procedures that specify how the software is installed and kept current

• Encourage users to log out when leaving their desks

• Consider using 802.1X port-based security on switches

Page 22: Material best practices in network security using ethical hacking

Securing Wireless Networks

• Place wireless LANs (WLANs) in their own subnet or VLAN
– Simplifies addressing and makes it easier to configure packet filters
• Require all wireless (and wired) laptops to run personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and require MAC address authentication
– Except in cases where the WLAN is used by visitors

Page 23: Material best practices in network security using ethical hacking

WLAN Security Options

• Wired Equivalent Privacy (WEP)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X Extensible Authentication Protocol (EAP)
– Lightweight EAP or LEAP (Cisco)
– Protected EAP (PEAP)
• Virtual Private Networks (VPNs)
• Any other acronyms we can think of? :-)

Page 24: Material best practices in network security using ethical hacking

Wired Equivalent Privacy (WEP)

• Defined by IEEE 802.11
• Users must possess the appropriate WEP key, which is also configured on the access point
– 64- or 128-bit key (or passphrase)

• WEP encrypts the data using the RC4 stream cipher method

• Infamous for being crackable

Page 25: Material best practices in network security using ethical hacking

WEP Alternatives

• Vendor enhancements to WEP
• Temporal Key Integrity Protocol (TKIP)
– Every frame has a new and unique WEP key
• Advanced Encryption Standard (AES)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance

Page 26: Material best practices in network security using ethical hacking

Extensible Authentication Protocol (EAP)

• With 802.1X and EAP, devices take on one of three roles:
– The supplicant resides on the wireless LAN client
– The authenticator resides on the access point
– An authentication server resides on a RADIUS server

Page 27: Material best practices in network security using ethical hacking

EAP (Continued)

• An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password

• The credentials are passed by the authenticator to the server and a session key is developed

• Periodically the client must reauthenticate to maintain network connectivity

• Reauthentication generates a new, dynamic WEP key

Page 28: Material best practices in network security using ethical hacking

Cisco’s Lightweight EAP (LEAP)

• Standard EAP plus mutual authentication
– The user and the access point must authenticate

• Used on Cisco and other vendors’ products

Page 29: Material best practices in network security using ethical hacking

Other EAPs

• EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft

– Requires certificates for clients and servers.

• Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security

– Uses a certificate for the client to authenticate the RADIUS server

– The server uses a username and password to authenticate the client

• EAP-MD5 has no key management features or dynamic key generation

– Uses challenge text like basic WEP authentication

– Authentication is handled by RADIUS server

Page 30: Material best practices in network security using ethical hacking

VPN Software on Wireless Clients

• Safest way to do wireless networking for corporations
• Wireless client requires VPN software
• Connects to VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides:
– User authentication
– Strong encryption of data
– Data integrity

Page 31: Material best practices in network security using ethical hacking

• ENTER THE JED1: “THE DEMO”

Page 32: Material best practices in network security using ethical hacking


Risk Management

Page 33: Material best practices in network security using ethical hacking

How Much to Invest in Security?

How much is too much?
• Firewall
• Intrusion Detection/Prevention
• Guard
• Biometrics
• Virtual Private Network
• Encrypted Data & Transmission
• Card Readers
• Policies & Procedures
• Audit & Control Testing
• Antivirus / Spyware
• Wireless Security

How much is too little?
• Hacker attack
• Internal Fraud
• Loss of Confidentiality
• Stolen data
• Loss of Reputation
• Loss of Business
• Penalties
• Legal liability
• Theft & Misappropriation

Security is a Balancing Act between Security Costs & Losses

Page 34: Material best practices in network security using ethical hacking

Risk Management

Diagram: internal and external factors shaping risk management: Regulation, Industry, Culture, Corporate History, Management’s Risk Tolerance, Organizational Maturity, Structure.

Risk Mgmt Strategies are determined by both internal & external factors.

Risk Tolerance or Appetite: The level of risk that management is comfortable with.

Page 35: Material best practices in network security using ethical hacking

Risk Management Process

Diagram: Establish Scope & Boundaries -> Risk Assessment (Identification, Analysis, Evaluation) -> Risk Treatment (Avoid, Reduce, Transfer, Retain) -> Accept Residual Risk, with Risk Communication & Monitoring running alongside every stage.

Questions asked at each stage:
• Establish scope: What to investigate? What to consider?
• Identification: What assets & risks exist?
• Analysis and evaluation: What does this risk cost? What priorities shall we set?
• Treatment: What controls can we use?

Page 36: Material best practices in network security using ethical hacking

Risk Appetite

• Do you operate your computer with or without antivirus software?
• Do you have antispyware?
• Do you open emails with forwarded attachments from friends or follow questionable web links?
• Have you ever given your bank account information to a foreign emailer to make $$$?

What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?

Companies too have risk appetites, decided after evaluating risk.

Page 37: Material best practices in network security using ethical hacking

Continuous Risk Mgmt Process

Diagram: a cycle of Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring, all bounded by the organization’s Risk Appetite.

• Risks change with time as business & environment changes
• Controls degrade over time and are subject to failure
• Countermeasures may open new risks

Page 38: Material best practices in network security using ethical hacking

Security Evaluation: Risk Assessment

Five Steps include:

1. Assign Values to Assets:
– Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities
– Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation
– Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss
– Loss = Downtime + Recovery + Liability + Replacement
– Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk
– Survey & Select New Controls
– Reduce, Transfer, Avoid or Accept Risk
– Risk Leverage = ((Risk exposure before reduction) – (Risk exposure after reduction)) / (Cost of risk reduction)

Page 39: Material best practices in network security using ethical hacking

Step 1: Determine Value of Assets

Identify & Determine Value of Assets (Crown Jewels):

• Assets include:
– IT-Related: Information/data, hardware, software, services, documents, personnel
– Other: Buildings, inventory, cash, reputation, sales opportunities
• What is the value of this asset to the company?
• How much of our income can we attribute to this asset?
• How much would it cost to recover this?
• How much liability would we be subject to if the asset were compromised?
• Helpful websites: www.attrition.org

Page 40: Material best practices in network security using ethical hacking

Determine Cost of Assets

Diagram: Sales broken down into Product A, Product B and Product C; for each product the workbook records Risk: Replacement Cost, Cost of loss of integrity, Cost of loss of availability, Cost of loss of confidentiality.

Costs are recorded as Tangible ($) or Intangible (High/Med/Low).

Page 41: Material best practices in network security using ethical hacking

Matrix of Loss Scenario

Scenario | Size of Loss | Reputation | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
Hacker steals customer data; publicly blackmails company | 1-10K Records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M
Backup tapes and Cust. data found in garbage; makes front-page news | 10M Records | $20M | $20M | $10M | $5M | $200K
Contractor steals employee data; sells data to hackers | 10K Records | $5M | $10M | Min. | Min. | $200K

Page 42: Material best practices in network security using ethical hacking

Step 1: Determine Value of Assets

Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Laptop | $1,000 | Mailings = $130 x #Cust; Reputation = $9,000 | Conf., Avail. | Breach Notification Law
Equipment | $10,000 | $2k per day in income | Availability | (e.g., due to fire or theft)

Workbook

Page 43: Material best practices in network security using ethical hacking

Step 2: Determine Loss Due to Threats

Natural: Flood, fire, cyclones, rain/hail/snow, plagues and earthquakes

Unintentional: Fire, water, building damage/collapse, loss of utility services, and equipment failure

Intentional: Fire, water, theft, vandalism

Intentional, non-physical: Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service

Page 44: Material best practices in network security using ethical hacking

Threat Agent Types

Threat agent | Motivation | Typical activity
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists | Destruction/revenge/extortion | DOS, info warfare
Industry Spies | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse

Page 45: Material best practices in network security using ethical hacking

Step 2: Determine Threats Due to Vulnerabilities

System Vulnerabilities

Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment

Misinterpretation: Poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement

Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication

Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy

Page 46: Material best practices in network security using ethical hacking

Step 3: Estimate Likelihood of Exploitation

Best sources:
• Past experience
• National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media
• Specialists and expert advice
• Economic, engineering, or other models
• Market research & analysis
• Experiments & prototypes

If no good numbers emerge, estimates can be used, if management is notified of the guesswork.

Page 47: Material best practices in network security using ethical hacking

Likelihood of Exploitation: Sources of Losses

Source: 2006 Annual Study: Cost of a Data Breach, PGP/Vontu. Evaluation of 31 organizations.

Page 48: Material best practices in network security using ethical hacking

Step 4: Compute Expected Loss: Risk Analysis Strategies

Qualitative: Prioritizes risks so that the highest risks can be addressed first
• Based on judgment, intuition, and experience
• May factor in reputation, goodwill, nontangibles

Quantitative: Measures the approximate cost of impact in financial terms

Semiquantitative: Combination of qualitative & quantitative techniques

Page 49: Material best practices in network security using ethical hacking

Step 4: Compute Loss Using Qualitative Analysis

Qualitative Analysis is used:
• As a preliminary look at risk
• With non-tangibles, such as reputation and image -> market share, share value
• When there is insufficient information to perform a more quantified analysis

Page 50: Material best practices in network security using ethical hacking

Vulnerability Assessment Quadrant Map

Diagram: quadrant map with Threat (Probability) on one axis and Vulnerability (Severity) on the other, divided into quadrants 1-4; plotted scenarios: Hacker/Criminal, Malware, Disgruntled Employee, Fire, Terrorist, Flood, Spy, Snow emergency, Intruder.

Workbook

Page 51: Material best practices in network security using ethical hacking

Step 4: Compute Loss Using Semi-Quantitative Analysis

Impact
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, > $1M
4. Material: Requires external reporting, > $200M
5. Catastrophic: Failure or downsizing of company

Likelihood
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in the last 5 years, but not in the last year
4. Likely: Occurred in the last year
5. Frequent: Occurs on a regular basis

Risk = Impact * Likelihood

Page 52: Material best practices in network security using ethical hacking

Semi-Quantitative Impact Matrix

Diagram: 5x5 matrix with Likelihood across the top (Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)) and Impact down the side (Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1)); each cell is shaded SEVERE, HIGH, MEDIUM or LOW according to Impact * Likelihood.
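An added worked example of the semi-quantitative method on pages 51-52 (not from the original slides): it maps a loss estimate and an occurrence history onto the 1-5 Impact and Likelihood scales, multiplies them, and ranks a small constructed risk register. The band cut-offs (LOW/MEDIUM/HIGH/SEVERE) are an assumption, since the slides name the bands but not where they start.

```python
"""Semi-quantitative risk scoring: Risk = Impact * Likelihood, each rated 1-5.

Added example, not part of the original slides. The band thresholds in risk_band()
are an ASSUMPTION; the slides show the bands on the matrix but give no cut-offs.
"""
from dataclasses import dataclass
from typing import Optional

IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic"}
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Frequent"}


def impact_rating(loss_usd: float, external_reporting: bool = False,
                  company_failure: bool = False) -> int:
    """Map an estimated loss to the 1-5 Impact scale (dollar thresholds as on the slide)."""
    if company_failure:
        return 5                      # Catastrophic: failure or downsizing of company
    if external_reporting or loss_usd > 200_000_000:
        return 4                      # Material: requires external reporting, > $200M
    if loss_usd > 1_000_000:
        return 3                      # Major: impacts company brand, > $1M
    if loss_usd > 0:
        return 2                      # Minor: small part of the business, < $1M
    return 1                          # Insignificant: no meaningful impact


def likelihood_rating(years_since_last: Optional[float], regular: bool = False) -> int:
    """Map occurrence history to the 1-5 Likelihood scale.

    years_since_last is None when the event has never been observed here.
    """
    if regular:
        return 5                      # Frequent: occurs on a regular basis
    if years_since_last is None:
        return 1                      # Rare: never seen
    if years_since_last <= 1:
        return 4                      # Likely: occurred in the last year
    if years_since_last <= 5:
        return 3                      # Moderate: in the last 5 years, not the last year
    return 2                          # Unlikely: not seen within the last 5 years


def risk_band(score: int) -> str:
    """ASSUMED cut-offs for the shaded bands of the impact matrix."""
    if score >= 16:
        return "SEVERE"
    if score >= 10:
        return "HIGH"
    if score >= 5:
        return "MEDIUM"
    return "LOW"


@dataclass
class ScoredRisk:
    name: str
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        return self.impact * self.likelihood      # Risk = Impact * Likelihood

    @property
    def band(self) -> str:
        return risk_band(self.score)


def score_risk(name, loss_usd, years_since_last, regular=False,
               external_reporting=False, company_failure=False) -> ScoredRisk:
    return ScoredRisk(name, impact_rating(loss_usd, external_reporting, company_failure),
                      likelihood_rating(years_since_last, regular))


def rank_risks(risks):
    """Highest score first, ties broken by impact, so the worst risks are addressed first."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


if __name__ == "__main__":
    # Constructed sample register, loosely following the quadrant-map scenarios.
    register = [
        score_risk("Malware outbreak", loss_usd=500_000, years_since_last=0.5),
        score_risk("Fire in server room", loss_usd=5_000_000, years_since_last=None),
        score_risk("Stolen laptop", loss_usd=10_000, years_since_last=2, regular=True),
        score_risk("Customer data breach", loss_usd=10_000_000, years_since_last=3,
                   external_reporting=True),
    ]
    for r in rank_risks(register):
        print(f"{r.name:22} impact={r.impact} ({IMPACT_LABELS[r.impact]}) "
              f"likelihood={r.likelihood} ({LIKELIHOOD_LABELS[r.likelihood]}) "
              f"score={r.score:2} {r.band}")
```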

Page 53: Material best practices in network security using ethical hacking

Step 4: Compute Loss Using Quantitative Analysis

Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once
– E.g. Stolen laptop =
• Replacement cost +
• Cost of installation of special software and data
• Assumes no liability
– SLE = Asset Value (AV) x Exposure Factor (EF)
• With a stolen laptop, EF > 1.0

Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year
– If a fire occurs once every 25 years, ARO = 1/25

Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat
– ALE = SLE x ARO

Page 54: Material best practices in network security using ethical hacking

Risk Assessment Using Quantitative Analysis

Quantitative:
• Cost of HIPAA accident with insufficient protections
– SLE = $50K + (1 year in jail:) $100K = $150K
– Plus loss of reputation…
• Estimate of time = 10 years or less, so ARO = 0.1
• Annualized Loss Expectancy (ALE) =
– $150K x 0.1 = $15K

Page 55: Material best practices in network security using ethical hacking

Annualized Loss Expectancy

Asset Value -> | $1K | $10K | $100K | $1M
1 Yr | 1K | 10K | 100K | 1000K
5 Yrs | 200 | 2K | 20K | 200K
10 Yrs | 100 | 1K | 10K | 100K
20 Yrs | 50 | 1K | 5K | 50K

Asset costs $10K; risk of loss 20% per year.
Over 5 years, average loss = $10K.
Spend up to $2K each year to prevent loss.

Page 56: Material best practices in network security using ethical hacking

Quantitative Risk

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire | $1M | .05 (20 years) | $50K
Laptop | Stolen | $1K + $9K (breach notif) | 0.2 (5 years) | $1K

Workbook
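An added worked example (not from the original slides) of the quantitative method on pages 53-56, carried through on the slides’ own figures: SLE = AV x EF, ARO = 1 / years between occurrences, ALE = SLE x ARO, the page-55 grid, and the page-38 Risk Leverage ratio used with the page-61 rule that a control should not cost more than the loss it prevents. The "after encryption" exposure for the laptop case is a constructed assumption, not a figure from the slides.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and Risk Leverage.

Added example, not part of the original slides. Monetary figures are taken from the
slides (building fire, stolen laptop, HIPAA incident, encryption at $60); the exposure
remaining after laptop encryption is a CONSTRUCTED assumption.
"""


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: cost to the organization if the threat occurs once.
    EF may exceed 1.0 when consequential costs exceed the asset value (stolen laptop)."""
    return round(asset_value * exposure_factor, 2)


def aro(years_between_occurrences: float) -> float:
    """Annualized Rate of Occurrence: a fire every 25 years has ARO = 1/25 = 0.04."""
    if years_between_occurrences <= 0:
        raise ValueError("period must be positive")
    return 1.0 / years_between_occurrences


def ale(single_loss: float, annual_rate: float) -> float:
    """Annual Loss Expectancy = SLE x ARO, rounded to cents."""
    return round(single_loss * annual_rate, 2)


def ale_table(asset_values, periods_years):
    """The page-55 grid: expected annual loss for each asset value and loss interval,
    assuming EF = 1.0 (the whole asset is lost each time)."""
    return {years: {av: ale(sle(av, 1.0), aro(years)) for av in asset_values}
            for years in periods_years}


def risk_leverage(exposure_before: float, exposure_after: float, control_cost: float) -> float:
    """Page 38: (risk exposure before reduction - after reduction) / cost of reduction.
    A value above 1.0 means the control saves more per year than it costs."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return round((exposure_before - exposure_after) / control_cost, 2)


def control_is_justified(expected_loss: float, control_cost: float) -> bool:
    """Page 61 rule: cost of a control should never exceed the expected loss without it."""
    return control_cost <= expected_loss


if __name__ == "__main__":
    # Page 56: building fire, SLE $1M, once in 20 years.
    fire = ale(sle(1_000_000, 1.0), aro(20))            # 50000.0
    # Page 56: stolen laptop, $1K replacement + $9K breach notification, once in 5 years.
    laptop_sle = sle(1_000, 10.0)                        # EF 10.0 -> $10K (EF > 1.0)
    laptop = ale(laptop_sle, aro(5))
    # Page 54: HIPAA incident, SLE $150K, expected within 10 years -> ARO 0.1.
    hipaa = ale(150_000, 0.1)                            # 15000.0

    print(f"Fire ALE:   ${fire:,.0f}")
    print(f"Laptop ALE: ${laptop:,.0f}")
    print(f"HIPAA ALE:  ${hipaa:,.0f}")

    # Page 62 control: laptop encryption at $60. CONSTRUCTED assumption: encryption
    # removes the breach-notification exposure, leaving only the replacement ALE.
    after = ale(sle(1_000, 1.0), aro(5))                 # 200.0
    print("Encryption justified:", control_is_justified(laptop, 60))
    print("Risk leverage:", risk_leverage(laptop, after, 60))

    grid = ale_table([1_000, 10_000, 100_000, 1_000_000], [1, 5, 10, 20])
    for years, row in grid.items():
        print(f"{years:>2} yrs: " + "  ".join(f"${v:>10,.0f}" for v in row.values()))
```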

Page 57: Material best practices in network security using ethical hacking

Step 5: Treat Risk

Risk Acceptance: Handle attack when necessary
• E.g.: Comet hits
• Ignore risk if risk exposure is negligible

Risk Avoidance: Stop doing risky behavior
• E.g.: Do not use Social Security Numbers

Risk Mitigation: Implement control to minimize vulnerability
• E.g.: Purchase & configure a firewall

Risk Transference: Pay someone to assume risk for you
• E.g.: Buy malpractice insurance (doctor)
• While financial impact can be transferred, legal responsibility cannot

Risk Planning: Implement a set of controls

Page 58: Material best practices in network security using ethical hacking

NIST Risk Assessment Methodology (Input -> Activity -> Output)

• System Characterization -> System boundary, System functions, System/data criticality, System/data sensitivity
• Company history, intelligence agency data (NIPC, OIG) -> Identify Threats -> List of threats & vulnerabilities
• Audit & test results -> Identify Vulnerabilities -> List of threats & vulnerabilities
• Analyze Controls -> List of current & planned controls
• Determine Likelihood -> Likelihood Rating
• Business Impact Analysis, Data Criticality & Sensitivity analysis -> Analyze Impact -> Impact Rating
• Determine Risk -> Documented Risks
• Recommend Controls -> Recommended Controls
• Document Results -> Risk Assessment Report

Page 59: Material best practices in network security using ethical hacking

Control Types

Diagram: how the control types relate to threat, attack, vulnerability and impact. A threat results in an attack; the attack exploits a vulnerability and creates an impact. Deterrent controls reduce the likelihood of an attack; preventive controls protect the vulnerability and reduce the likelihood of its exploitation; detective controls discover the attack and trigger corrective controls, which reduce the impact; compensating controls decrease the impact.

Page 60: Material best practices in network security using ethical hacking

Diagram: a threat with a given risk probability exploits a vulnerability to produce an impact; deterrent, preventive, detective, corrective and mitigating controls act along that path, and what remains after the controls is the residual risk.

Page 61: Material best practices in network security using ethical hacking

Controls & Countermeasures

• Cost of control should never exceed the expected loss assuming no control

• Countermeasure = Targeted Control
– Aimed at a specific threat or vulnerability
– Problem: Firewall cannot process packets fast enough due to IP packet attacks
– Solution: Add border router to eliminate invalid accesses

Page 62: Material best practices in network security using ethical hacking

Analysis of Risk vs. Controls (Workbook)

Risk | ALE or Score | Control | Cost of Control
Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60
Disk Failure | $3K per day | RAID | $750
Hacker | $9K Breach Notif. Law | Firewall | $1K

Cost of some controls is shown in the Case Study Appendix.

Page 63: Material best practices in network security using ethical hacking

Extra Step: Step 6: Risk Monitoring

Report to Mgmt status of security
• Metrics showing current performance
• Outstanding issues
• Newly arising issues
• How handled – when resolution is expected

Issue | Status | Cost
Stolen Laptop | In investigation | $2k, legal issues
HIPAA Incident Response | Procedure being defined – incident response | $200K
Cost overruns | Internal audit investigation | $400K
HIPAA: Physical security | Training occurred | $200K

Security Dashboard, Heat chart or Stoplight Chart

Page 64: Material best practices in network security using ethical hacking

Training

• Importance of following policies & procedures
• Clean desk policy
• Incident or emergency response
• Authentication & access control
• Privacy and confidentiality
• Recognizing and reporting security incidents
• Recognizing and dealing with social engineering

Page 65: Material best practices in network security using ethical hacking

Security Control Baselines & Metrics

Baseline: A measurement of performance

• Metrics are regularly and consistently measured, quantifiable, inexpensively collected

• Leads to subsequent performance evaluation

• E.g. How many viruses is help desk reporting?

(Company data - Not real)

Page 66: Material best practices in network security using ethical hacking

Risk Management

• Risk Management is aligned with business strategy & direction

• Risk mgmt must be a joint effort between all key business units & IS

• Business-Driven (not Technology-Driven)

Steering Committee:
• Sets risk management priorities
• Defines risk management objectives to achieve business strategy

Page 67: Material best practices in network security using ethical hacking

Risk Management Roles

• Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results
• Chief Info Officer: IT planning, budget, performance incl. risk
• Info. Security Mgr: Develops, collaborates, and manages IS risk mgmt process
• Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users
• Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
• System / Info Owners: Responsible to ensure controls are in place to address CIA; sign off on changes
• IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.

Page 68: Material best practices in network security using ethical hacking

Due Diligence

Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA

Liability minimized if reasonable precautions taken

Diagram: elements of due diligence: Senior Mgmt Support, Risk Assessment, Backup & Recovery, Policies & Procedures, Adequate Security Controls, Compliance, Monitoring & Metrics, Business Continuity & Disaster Recovery.

Page 69: Material best practices in network security using ethical hacking

Question

Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Page 70: Material best practices in network security using ethical hacking

Question

Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year

Page 71: Material best practices in network security using ethical hacking

Question

The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:

1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management

Page 72: Material best practices in network security using ethical hacking

Question

Which of these risks is best measured using a qualitative process?

1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee’s laptop while traveling
4. Disruption of supply deliveries due to flooding

Page 73: Material best practices in network security using ethical hacking

Question

The risk that is assumed after implementing controls is known as:

1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk

Page 74: Material best practices in network security using ethical hacking

Question

The primary purpose of risk management is to:

1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk

Page 75: Material best practices in network security using ethical hacking

Question

Due Diligence ensures that
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization’s information assets

Page 76: Material best practices in network security using ethical hacking

Question

ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO

Page 77: Material best practices in network security using ethical hacking

Vocabulary to study

• Risk mgmt, risk appetite, risk analysis, risk assessment, risk treatment, residual risk

• Risk avoidance, risk reduction/risk mitigation, risk transference, risk retention/risk acceptance

• Threat, threat agent, vulnerability
• Qualitative risk analysis, quantitative risk analysis
• SLE, ARO, ALE
• Due diligence, due care

Page 78: Material best practices in network security using ethical hacking

HEALTH FIRST CASE STUDY: Analyzing Risk

• Jamie Ramon, MD: Doctor
• Chris Ramon, RD: Dietician
• Terry: Medical Admin
• Pat: Software Consultant

Page 79: Material best practices in network security using ethical hacking

Step 1: Define Assets

Page 80: Material best practices in network security using ethical hacking

Step 1: Define Assets

Consider Consequential Financial Loss

Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | | | C? I? A? |
– Daily Operation (DO) | | | |
– Medical Malpractice (M) | | | |
– HIPAA Liability (H) | | | |
– Notification Law Liability (NL) | | | |

Page 81: Material best practices in network security using ethical hacking

Step 1: Define Assets

Consider Consequential Financial Loss

Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | | DO + M + H + NL | C I A |
– Daily Operation (DO) | | $ | |
– Medical Malpractice (M) | | $ | |
– HIPAA Liability (H) | | $ | |
– Notification Law Liability (NL) | | $ | |

Page 82: Material best practices in network security using ethical hacking

HIPAA Criminal Penalties

$ Penalty | Imprisonment | Offense
Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100K | Up to 5 years | … committed under false pretenses
Up to $500K | Up to 10 years | … with intent to sell, achieve personal gain, or cause malicious harm

Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

Page 83: Material best practices in network security using ethical hacking

Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation

• Normal threats: Threats common to all organizations

• Inherent threats: Threats particular to your specific industry

• Known vulnerabilities: Previous audit reports indicate deficiencies.

Page 84: Material best practices in network security using ethical hacking

Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation

Page 85: Material best practices in network security using ethical hacking

Step 4: Compute Expected Loss
Step 5: Treat Risk

Step 4: Compute E(Loss): ALE = SLE * ARO

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
 | | | |

Step 5: Treat Risk
• Risk Acceptance: Handle attack when necessary
• Risk Avoidance: Stop doing risky behavior
• Risk Mitigation: Implement control to minimize vulnerability
• Risk Transference: Pay someone to assume risk for you
• Risk Planning: Implement a set of controls
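A worked Step 2 through Step 5 calculation for the Health First medical database, added here as an example that is not part of the slides. Every dollar figure, the exposure factor, the ARO and the control cost are constructed placeholders; a real analysis would take them from the practice's own loss history and audit reports.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One row of the Step 1 table: direct replacement cost plus the
    consequential losses keyed by the slide's codes (DO, M, H, NL)."""
    name: str
    direct_loss: float
    consequential: dict = field(default_factory=dict)

    def total_value(self) -> float:
        # $ Value = Direct Loss + DO + M + H + NL
        return self.direct_loss + sum(self.consequential.values())


@dataclass
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset value lost in one incident (0..1)
    aro: float              # Annualized Rate of Occurrence (incidents per year)


def sle(asset: Asset, threat: Threat) -> float:
    """Step 2: Single Loss Expectancy = asset value x exposure factor."""
    return asset.total_value() * threat.exposure_factor


def ale(asset: Asset, threat: Threat) -> float:
    """Step 4: Annual Loss Expectancy, ALE = SLE * ARO (the slide's formula)."""
    return sle(asset, threat) * threat.aro


def evaluate_control(asset: Asset, threat: Threat, annual_control_cost: float,
                     new_exposure_factor: float = None, new_aro: float = None) -> dict:
    """Step 5: compare ALE before and after a proposed control.

    A control that lowers the exposure factor or the ARO is worth buying
    only if the ALE it removes exceeds what it costs each year; otherwise
    the numbers point at accepting (or transferring) the risk instead."""
    after = Threat(
        threat.name,
        threat.exposure_factor if new_exposure_factor is None else new_exposure_factor,
        threat.aro if new_aro is None else new_aro,
    )
    ale_before = ale(asset, threat)
    ale_after = ale(asset, after)
    net_benefit = ale_before - ale_after - annual_control_cost
    treatment = "Risk Mitigation" if net_benefit > 0 else "Risk Acceptance"
    return {"ale_before": ale_before, "ale_after": ale_after,
            "net_benefit": net_benefit, "treatment": treatment}


# Constructed figures for the case study's Medical DB (placeholders, not real data).
MEDICAL_DB = Asset("Medical DB", direct_loss=50_000,
                   consequential={"DO": 200_000, "M": 500_000, "H": 100_000, "NL": 50_000})
# Constructed threat: a laptop holding a DB extract is lost or stolen.
LOST_LAPTOP = Threat("laptop with DB extract lost or stolen", exposure_factor=0.5, aro=0.25)


if __name__ == "__main__":
    print(f"Asset value: ${MEDICAL_DB.total_value():,.0f}")
    print(f"SLE: ${sle(MEDICAL_DB, LOST_LAPTOP):,.0f}  ARO: {LOST_LAPTOP.aro}  "
          f"ALE: ${ale(MEDICAL_DB, LOST_LAPTOP):,.0f}")
    # Hypothetical control: full-disk encryption on laptops cuts the exposure factor.
    print(evaluate_control(MEDICAL_DB, LOST_LAPTOP, annual_control_cost=10_000,
                           new_exposure_factor=0.125))
```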

Page 86: Material best practices in network security using ethical hacking

86

Physical (Environmental) Security

Page 87: Material best practices in network security using ethical hacking

Physical Security

• From (ISC)2 Candidate Information Bulletin:
– The Physical (Environmental) Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.

Page 88: Material best practices in network security using ethical hacking

Introduction

• Threats to physical security include:
– Interruption of services
– Theft
– Physical damage
– Unauthorized disclosure
– Loss of system integrity

Page 89: Material best practices in network security using ethical hacking

Introduction

• Threats fall into many categories:
– Natural environmental threats (e.g., floods, fire)
– Supply system threats (e.g., power outages, communication interruptions)
– Manmade threats (e.g., explosions, disgruntled employees, fraud)
– Politically motivated threats (e.g., strikes, riots, civil disobedience)

Page 90: Material best practices in network security using ethical hacking

Introduction

• Primary consideration in physical security is that nothing should impede “life safety goals.”
– Ex.: Don’t lock the only fire exit door from the outside.
• “Safety:” Deals with the protection of life and assets against fire, natural disasters, and devastating accidents.
• “Security:” Addresses vandalism, theft, and attacks by individuals.

Page 91: Material best practices in network security using ethical hacking

Physical Security Planning

• Physical security, like general information security, should be based on a layered defense model.

• Layers are implemented starting at the perimeter and moving inward toward the asset.

• Layers include: Deterrence, Delaying, Detection, Assessment, Response

Page 92: Material best practices in network security using ethical hacking

Physical Security Planning

• A physical security program must address:
– Crime and disruption protection through deterrence (fences, security guards, warning signs, etc.).
– Reduction of damages through the use of delaying mechanisms (e.g., locks, security personnel, etc.).
– Crime or disruption detection (e.g., smoke detectors, motion detectors, CCTV, etc.).
– Incident assessment through response to incidents and determination of damage levels.
– Response procedures (fire suppression mechanisms, emergency response processes, etc.).

Page 93: Material best practices in network security using ethical hacking

Physical Security Planning

• Crime Prevention Through Environmental Design (CPTED)
– Is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.
– Concepts developed in the 1960s.
– Think: Social Engineering

Page 94: Material best practices in network security using ethical hacking

Physical Security Planning

• CPTED has three main strategies:
– Natural Access Control
– Natural Surveillance
– Territorial Reinforcement

Page 95: Material best practices in network security using ethical hacking

Physical Security Planning

• Natural Access Control
– The guidance of people entering and leaving a space by the placement of doors, fences, lighting, and landscaping
– Be familiar with: bollards, use of security zones, access barriers, use of natural access controls

Page 96: Material best practices in network security using ethical hacking

Physical Security Planning

• Natural Surveillance
– Is the use and placement of physical environmental features, personnel walkways, and activity areas in ways that maximize visibility.
– The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable, through the use of observation.

Page 97: Material best practices in network security using ethical hacking

Physical Security Planning

• Territorial Reinforcement
– Creates physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership.
– Accomplished through the use of walls, lighting, landscaping, etc.

Page 98: Material best practices in network security using ethical hacking

Physical Security Planning

• CPTED is not the same as “target hardening”
• Target hardening focuses on denying access through physical and artificial barriers (can lead to restrictions on use, enjoyment, and aesthetics of the environment).

Page 99: Material best practices in network security using ethical hacking

Physical Security Planning

• Issues with selecting a facility site:
– Visibility (terrain, neighbors, population of area, building markings)
– Surrounding area and external factors (crime rate, riots, terrorism, first responder locations)
– Accessibility (road access, traffic, proximity to transportation services)
– Natural Disasters (floods, tornados, earthquakes)

Page 100: Material best practices in network security using ethical hacking

Physical Security Planning

• Other facility considerations:
– Physical construction materials and structure composition
  • Be familiar with: load, light frame construction material, heavy timber construction material, incombustible material, fire resistant material (know the fire ratings and construction properties).

Page 101: Material best practices in network security using ethical hacking

Physical Security Planning

• “Mantrap:” A small room with two doors. The first door is locked; a person is identified and authenticated. Once the person is authenticated and access is authorized, the first door opens and allows the person into the mantrap. The person has to be authenticated again in order to open the second door and access a critical area. The mantrap area could have a weight sensing floor as an additional control to prevent literal piggybacking.


Page 102: Material best practices in network security using ethical hacking

Physical Security Planning

• Automatic door lock configuration:
• “Fail safe:” If a power disruption occurs, the door defaults to being unlocked.
• “Fail secure:” If a power disruption occurs, the door defaults to being locked.

Page 103: Material best practices in network security using ethical hacking

Physical Security Planning

• Windows can also be used to promote physical security.

• Know the different types of glass:
– Standard
– Tempered
– Acrylic
– Wired
– Laminated
– Solar Window Film
– Security Film

Page 104: Material best practices in network security using ethical hacking

Physical Security Planning

• Consider use of internal partitions carefully:
– True floor to true ceiling to counter security issues
– Should never be used in areas that house sensitive systems and devices

Page 105: Material best practices in network security using ethical hacking

Internal Support Systems

• Power issues:
– A continuous supply of electricity assures the availability of company resources.
– Data centers should be on a different power supply from the rest of the building
– Redundant power supplies: two or more feeds coming from two or more electrical substations

Page 106: Material best practices in network security using ethical hacking

Internal Support Systems

• Power protection:
– UPS Systems
  • Online UPS systems
  • Standby UPS systems
– Power line conditioners
– Backup Sources

Page 107: Material best practices in network security using ethical hacking

Internal Support Systems

• Other power terms to know:
– Ground
– Noise
– Transient Noise
– Inrush Current
– Clean Power
– EMI
– RFI

Page 108: Material best practices in network security using ethical hacking

Internal Support Systems

• Types of Voltage Fluctuations
– Power Excess
  • Spike
  • Surge
– Power Loss
  • Fault
  • Blackout
– Power Degradation
  • Sag/dip
  • Brownout
  • Inrush Current

Page 109: Material best practices in network security using ethical hacking

Internal Support Systems

• Environmental Issues
– Positive Drains
– Static Electricity
– Temperature

Page 110: Material best practices in network security using ethical hacking

Internal Support Systems

• Environmental Issues: Positive Drains
– Contents flow out instead of in
– Important for water, steam, gas lines

Page 111: Material best practices in network security using ethical hacking

Internal Support Systems

• Environmental Issues: Static Electricity
– To prevent:
  • Use antistatic flooring in data processing areas
  • Ensure proper humidity
  • Proper grounding
  • No carpeting in data centers
  • Antistatic bands

Page 112: Material best practices in network security using ethical hacking

Internal Support Systems

• Environmental Issues: Temperature
– Computing components can be affected by temperature:
  • Magnetic storage devices: 100 Deg. F.
  • Computer systems and peripherals: 175 Deg. F.
  • Paper products: 350 Deg. F.

Page 113: Material best practices in network security using ethical hacking

Internal Support Systems

• Ventilation
– Airborne materials and particle concentration must be monitored for inappropriate levels.
– “Closed Loop”
– “Positive Pressurization”

Page 114: Material best practices in network security using ethical hacking

Internal Support Systems

• Fire prevention, detection, suppression
• “Fire Prevention:” Includes training employees on how to react, supplying the right equipment, enabling fire suppression supply, proper storage of combustible elements
• “Fire Detection:” Includes alarms, manual detection pull boxes, automatic detection response systems with sensors, etc.
• “Fire Suppression:” Is the use of a suppression agent to put out a fire.

Page 115: Material best practices in network security using ethical hacking

Internal Support Systems

• American Society for Testing and Materials (ASTM) is the organization that creates the standards that dictate how fire resistant ratings tests should be carried out and how to properly interpret results.


Page 116: Material best practices in network security using ethical hacking

Internal Support Systems

• Fire needs oxygen and fuel to continue to grow.
• Ignition sources can include the failure of an electrical device, improper storage of materials, malfunctioning heating devices, arson, etc.
• Special note on “plenum areas:” The space above drop down ceilings, wall cavities, and under raised floors. Plenum areas should have fire detectors and should only use plenum area rated cabling.

Page 117: Material best practices in network security using ethical hacking

Internal Support Systems

• Types of Fire:
– A: Common Combustibles
  • Elements: Wood products, paper, laminates
  • Suppression: Water, foam
– B: Liquid
  • Elements: Petroleum products and coolants
  • Suppression: Gas, CO2, foam, dry powders
– C: Electrical
  • Elements: Electrical equipment and wires
  • Suppression: Gas, CO2, dry powders
– D: Combustible Metals
  • Elements: magnesium, sodium, potassium
  • Suppression: Dry powder
– K: Commercial Kitchens
  • Elements: Cooking oil fires
  • Suppression: Wet chemicals such as potassium acetate.

Page 118: Material best practices in network security using ethical hacking

Internal Support Systems

• Types of Fire Detectors
– Smoke Activated
– Heat Activated
– Know the types and properties of each general category.

Page 119: Material best practices in network security using ethical hacking

Internal Support Systems

• Different types of suppression agents:
– Water
– Halon and halon substitutes
– Foams
– Dry Powders
– CO2
– Soda Acid
– Know suppression agent properties and the types of fires that each suppression agent combats
– Know the types of fire extinguishers (A, B, C, D) that combat different types of fires

Page 120: Material best practices in network security using ethical hacking

Internal Support Systems

• Types of Sprinklers
– Wet Pipe Systems (aka Closed Head System)
– Dry Pipe Systems
– Preaction Systems
– Deluge Systems

Page 121: Material best practices in network security using ethical hacking

Perimeter Security

• The first line of defense is perimeter control at the site location, to prevent unauthorized access to the facility.

• Perimeter security has two modes:
– Normal facility operation
– Facility closed operation

Page 122: Material best practices in network security using ethical hacking

Perimeter Security

• Proximity protection components put in place to provide the following services:
– Control of pedestrian and vehicle traffic
– Various levels of protection for different security zones
– Buffers and delaying mechanisms to protect against forced entry
– Limit and control entry points

Page 123: Material best practices in network security using ethical hacking

Perimeter Security

• Protection services can be provided by:
– Access Control Mechanisms
– Physical Barriers
– Intrusion Detection
– Assessment
– Response
– Deterrents

Page 124: Material best practices in network security using ethical hacking

Perimeter Security

• Fences are “first line of de’fence’” mechanisms. (Small Joke!)

• Varying heights, gauge, and mesh provide different security features (know them).

• Barbed wire direction makes a difference.


Page 125: Material best practices in network security using ethical hacking

Perimeter Security

• Perimeter Intrusion Detection and Assessment System (PIDAS):

– A type of fencing that has sensors on the wire mesh and base of the fence.

– A passive cable vibration sensor sets off an alarm if an intrusion is detected.


Page 126: Material best practices in network security using ethical hacking

Perimeter Security

• Gates have 4 distinct types:
– Class I: Residential usage
– Class II: Commercial usage, where general public access is expected (e.g., public parking lot, gated community, self storage facility)
– Class III: Industrial usage, where limited access is expected (e.g., warehouse property entrance not intended to serve public)
– Class IV: Restricted access (e.g., a prison entrance that is monitored either in person or via CCTV)

Page 127: Material best practices in network security using ethical hacking

Perimeter Security

• Locks are inexpensive access control mechanisms that are widely accepted and used.

• Locks are considered delaying devices.
• Know your locks!

Page 128: Material best practices in network security using ethical hacking

Perimeter Security

• Types of Locks
– Mechanical Locks
  • Warded & Tumbler
– Combination Locks
– Cipher Locks (aka programmable locks)
  • Smart locks
– Device Locks
  • Cable locks, switch controls, slot locks, port controls, peripheral switch controls, cable traps

Page 129: Material best practices in network security using ethical hacking

Perimeter Security

• Lock Strengths:
– Grade 1 (commercial and industrial use)
– Grade 2 (heavy duty residential/light duty commercial)
– Grade 3 (residential and consumer expendable)
• Cylinder Categories
– Low Security (no pick or drill resistance)
– Medium Security (some pick resistance)
– High Security (pick resistance through many different mechanisms; used only in Grade 1 & 2 locks)

Page 130: Material best practices in network security using ethical hacking

Perimeter Security

• Lighting
– Know lighting terms and types of lighting to use in different situations (inside v. outside, security posts, access doors, zones of illumination)
– It is important to have the correct lighting when using various types of surveillance equipment.
– Lighting controls and switches should be in protected, locked, and centralized areas.

Page 131: Material best practices in network security using ethical hacking

Perimeter Security

• “Continuous lighting:” An array of lights that provide an even amount of illumination across an area.
• “Controlled lighting:” An organization should erect lights and use illumination in such a way that does not blind its neighbors or any passing cars, trains, or planes.
• “Standby Lighting:” Lighting that can be configured to turn on and off at different times so that potential intruders think that different areas of the facility are populated.
• “Redundant” or “backup lighting:” Should be available in case of power failures or emergencies.
• “Response Area Illumination:” Takes place when an IDS detects suspicious activities and turns on the lights within the specified area.

Page 132: Material best practices in network security using ethical hacking

Perimeter Security

• Surveillance Devices
– These devices usually work in conjunction with guards or other monitoring mechanisms to extend their capacity.
– Know the factors in choosing CCTV: focal length, lens types (fixed v. zoom), iris, depth of field, illumination requirements

Page 133: Material best practices in network security using ethical hacking

Perimeter Security

• “Focal length:” The focal length of a lens defines its effectiveness in viewing objects from a horizontal and vertical view.

• The sizes of images that will be shown on a monitor along with the area that can be covered by one camera are defined by focal length.
– Short focal length = wider angle views
– Long focal length = narrower views

Page 134: Material best practices in network security using ethical hacking

Perimeter Security

• “Depth of field:” Refers to the portion of the environment that is in focus

• “Shallow depth of focus:” Provides a softer backdrop and leads viewers to the foreground object

• “Greater depth of focus:” Not much distinction between objects in the foreground and background.


Page 135: Material best practices in network security using ethical hacking

Perimeter Security

• Intrusion Detection systems are used to detect unauthorized entries and to alert a responsible entity to respond.

• Know the different types of IDS systems (electro-mechanical v. volumetric) and changes that can be detected by an IDS system.


Page 136: Material best practices in network security using ethical hacking

Perimeter Security

• Patrol Force and Guards
– Use in areas where critical reasoning skills are required
• Auditing Physical Access
– Need to log and review:
  • Date & time of access attempt
  • Entry point
  • User ID
  • Unsuccessful access attempts
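The review the slide calls for, run over a badge-reader log, as an added example that is not from the slides: it parses the four fields the slide says to record and flags repeated unsuccessful attempts at one door and after-hours entry to critical areas. The log lines, the door names, the business-hours window and the thresholds are all constructed for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed badge-reader log in the fields the slide says to record
# (date & time, entry point, user ID, outcome). Not real data.
SAMPLE_LOG = """\
timestamp,entry_point,user_id,result
2005-11-14 08:02:11,main-lobby,jramon,GRANTED
2005-11-14 08:05:40,main-lobby,cramon,GRANTED
2005-11-14 22:41:03,server-room,terry,DENIED
2005-11-14 22:42:17,server-room,terry,DENIED
2005-11-14 22:44:50,server-room,terry,DENIED
2005-11-14 22:46:09,server-room,terry,GRANTED
2005-11-15 03:10:22,server-room,pat,GRANTED
2005-11-15 09:15:00,server-room,pat,GRANTED
"""

CRITICAL_ENTRY_POINTS = {"server-room"}   # doors guarding sensitive systems (assumed)
BUSINESS_HOURS = (7, 19)                  # 07:00 to 19:00 local time (assumed)
FAIL_THRESHOLD = 3                        # this many DENIED events ...
FAIL_WINDOW = timedelta(minutes=10)       # ... inside this window gets flagged


def parse_log(text):
    """Parse CSV lines into dicts carrying a real datetime, oldest first."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "entry_point": rec["entry_point"],
            "user_id": rec["user_id"],
            "result": rec["result"],
        })
    return sorted(rows, key=lambda r: r["ts"])


def repeated_failures(rows):
    """(user, entry point) pairs with FAIL_THRESHOLD or more DENIED events
    inside FAIL_WINDOW: one badge being tried over and over at one door."""
    denied = defaultdict(list)
    for r in rows:
        if r["result"] == "DENIED":
            denied[(r["user_id"], r["entry_point"])].append(r["ts"])
    flagged = set()
    for key, times in denied.items():          # times are already in order
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                flagged.add(key)
                break
    return flagged


def after_hours_critical(rows):
    """Successful entries to critical doors outside business hours."""
    start, end = BUSINESS_HOURS
    return [(r["user_id"], r["entry_point"], r["ts"]) for r in rows
            if r["result"] == "GRANTED"
            and r["entry_point"] in CRITICAL_ENTRY_POINTS
            and not (start <= r["ts"].hour < end)]


def review(text):
    """Run both reviews over a log and return the findings for follow-up."""
    rows = parse_log(text)
    return {
        "repeated_failures": sorted(repeated_failures(rows)),
        "after_hours_critical": sorted(after_hours_critical(rows)),
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```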

Page 137: Material best practices in network security using ethical hacking

Physical Security

• Final Concept to Guide in Assessing Physical Security Issues on Exam:
– Deterrence
– Delay
– Detection
– Assessment
– Response

Page 138: Material best practices in network security using ethical hacking

Social Engineering: A Test of Your Common Sense

Page 139: Material best practices in network security using ethical hacking

Social Engineering

• Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplish this week.

• Then, on top of that, there's the recent merger between your company and a competitor. One of your associates told you you'd better be on your toes because rumors of layoffs are floating around.

Page 140: Material best practices in network security using ethical hacking

Social Engineering

• You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie, and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reasons for concern, and you're about to find out for yourself.

Page 141: Material best practices in network security using ethical hacking

And so

• The Game Is In Play: People Are The Easiest Target

You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they? This is a pretty large company; you don't know everyone.

Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.

Page 142: Material best practices in network security using ethical hacking

Let's Take A Step Back In Time

• The CD you found in the restroom was not left there by accident. It was strategically placed there by me, or one of the Security Consulting employees.

• You see, a firm has been hired to perform a Network Security Assessment on your company.

• In reality, they have been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.

Page 143: Material best practices in network security using ethical hacking

Bingo - Gotcha

• The spreadsheet you opened was not the only thing executing on your computer.

• The moment you opened that file you caused a script to execute which installed a few files on your computer.

• Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made, the software on the security firm's servers responded by pushing (or downloading) several software tools to your computer.

• Tools designed to give the team complete control of your computer. Now they have a platform, inside your company's network, where they can continue to hack the network. And, they can do it from inside without even being there.

Page 144: Material best practices in network security using ethical hacking

This is what we call a 180 degree attack.

• Meaning, the security consulting team did not have to defeat the security measures of your company's firewall from the Internet.

• You took care of that for us.

• Many organizations give their employees unfettered access (or impose limited control) to the Internet.

• Given this fact, the security firm devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network.

• All we had to do is get someone inside to do it for us.

Page 145: Material best practices in network security using ethical hacking

Welcome to Social Engineering

• What would you have done if you found a CD with this type of information on it?

• Yes, it is people who are the weakest link in any security system, and social engineering exploits that ---

Page 146: Material best practices in network security using ethical hacking
Page 147: Material best practices in network security using ethical hacking

Phisher Site Basics

• Thief sends e-mail to customer claiming to be a legitimate company which has lost the customer’s personal information

• Customer reads e-mail and goes to fake website

• Customer enters credit card or other personal information on website

• Thief steals personal information

Page 148: Material best practices in network security using ethical hacking

Phisher Site E-mail Example (part 1)

From: EarthLink <[email protected]>
To: <[email protected]>
Date: 7/6/2003 11:50:02 AM
Subject: Billing Department

Dear EarthLink User,

We regret to inform you, but due to a recent system flush, the billing/personal information for your account is temporally unavailable, and we need to verify your identity.

<cont.>

Page 149: Material best practices in network security using ethical hacking

Phisher Site E-mail Example (part 2)

In order to continue using your EarthLink account and keeping it active, you must provide us with your full information within 24 hours of receiving this message.

To re-enter your account information and keep your account active visit:

www.billingdepartment-el.net

Sincerely,
Sean Wright
EarthLink Billing Department

Page 150: Material best practices in network security using ethical hacking

Phisher Site Example

Page 151: Material best practices in network security using ethical hacking

The Real EarthLink Web Site

Page 152: Material best practices in network security using ethical hacking

How to Spot Phisher Sites

TIP-OFFS
• Claims of “lost” information
• Unfamiliar URL
• Asks for credit card or other personal info
• No log in or not secure
• Most companies will not do this

TRICKS
• E-mail looks legit (at first)
• Prompts you to act quickly to keep service
• Website, html or fax form looks legit

Page 153: Material best practices in network security using ethical hacking

Tips for Avoiding Phisher Sites

• Be suspicious of email asking for credit card or other personal info
• URL should be familiar
• Should require log-in
• Should be a SECURE SITE
• Call the company when in doubt
• Always report spam/fraud to your ISP
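The tip-offs from the two slides above, turned into checks and run over the EarthLink sample e-mail, as an added example that is not part of the slides. The From address is redacted on the slide, so the sender address used here is a constructed placeholder, and the keyword patterns are illustrative rather than a complete phishing filter.

```python
import re
from urllib.parse import urlparse

# Each tip-off from the slide becomes a pattern over the message body.
TIP_OFFS = {
    "claims of lost information": re.compile(
        r"\b(lost|unavailable|system flush|verify your (identity|account))\b", re.I),
    "asks for personal or billing information": re.compile(
        r"\b(credit card|social security|password|full information|account information)\b", re.I),
    "pressure to act quickly to keep service": re.compile(
        r"\b(within \d+ hours|immediately|keep(ing)? (it|your account) active)\b", re.I),
}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
ADDR_RE = re.compile(r"<([^>]+)>|(\S+@\S+)")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; adequate for .net/.com style names."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(from_header: str) -> str:
    m = ADDR_RE.search(from_header)
    addr = (m.group(1) or m.group(2)) if m else ""
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def analyse(from_header: str, body: str, known_domains: set) -> list:
    """Return the tip-offs found in a message; an empty list means none of the
    slide's warning signs were present."""
    findings = []
    dom = sender_domain(from_header)
    if dom and dom not in known_domains:
        findings.append(f"sender address domain {dom} is not the company's domain")
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")
        parsed = urlparse(url if "://" in url else "http://" + url)
        if registrable_domain(parsed.hostname or "") not in known_domains:
            findings.append(f"unfamiliar URL: {url}")          # "URL should be familiar"
        if parsed.scheme != "https":
            findings.append(f"not a secure (https) site: {url}")  # "Should be a SECURE SITE"
    for label, pattern in TIP_OFFS.items():
        if pattern.search(body):
            findings.append(label)
    return findings


def verdict(findings: list) -> str:
    if len(findings) >= 3:
        return "likely phishing"
    return "needs manual review" if findings else "no tip-offs found"


# The slide's sample e-mail body. The sender address is a constructed placeholder.
SAMPLE_FROM = "EarthLink <billing@billingdepartment-el.net>"
SAMPLE_BODY = """Dear EarthLink User,
We regret to inform you, but due to a recent system flush, the billing/personal
information for your account is temporally unavailable, and we need to verify
your identity. In order to continue using your EarthLink account and keeping it
active, you must provide us with your full information within 24 hours of
receiving this message. To re-enter your account information and keep your
account active visit:
www.billingdepartment-el.net
Sincerely, Sean Wright, EarthLink Billing Department"""
KNOWN_DOMAINS = {"earthlink.net"}   # the domain the customer actually uses (assumed)


if __name__ == "__main__":
    found = analyse(SAMPLE_FROM, SAMPLE_BODY, KNOWN_DOMAINS)
    for f in found:
        print("-", f)
    print(verdict(found))
```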

Page 154: Material best practices in network security using ethical hacking

Federal Trade Commission Identity Theft Data Clearinghouse Complaints (1)

(chart; the original axis is labelled "Projection (in thousands)")

Calendar Year | Complaints
CY-1999 | Total: 1,380
CY-2000 | Total: 31,117
CY-2001 | Total: 86,197
CY-2002 | Total: 161,886
CY-2003 (2) | Projected Total: 210,000

Projected Cumulative Complaint Count 1999-2003: 490,000

(1) Since February 2001, complaint data have also been provided to the Clearinghouse by the Social Security Administration-Office of Inspector General.
(2) Projections for calendar year 2003 are based on complaints received from January through June 2003.

Federal Trade Commission

Page 155: Material best practices in network security using ethical hacking

Federal Trade Commission Consumer Sentinel Complaints (1)

(chart; the original axis is labelled "(in thousands)"; years follow from the identity theft figures, which match the previous chart)

Calendar Year | Fraud Complaints | Identity Theft Complaints | Total
CY-2000 | 107,890 | 31,117 | 139,007
CY-2001 | 133,891 | 86,197 | 220,088
CY-2002 | 218,284 | 161,886 | 380,170

(1) Percentages are based on the total number of Consumer Sentinel complaints by calendar year.

Federal Trade Commission

Page 156: Material best practices in network security using ethical hacking

1-877-IDTHEFT

1-877-FTC-HELP

www.consumer.gov/idtheft

www.consumer.gov/sentinel

Federal Trade Commission

Page 157: Material best practices in network security using ethical hacking
Page 158: Material best practices in network security using ethical hacking
Page 159: Material best practices in network security using ethical hacking

And Another

• The easiest way to break into any computer system is to use a valid username and password and the easiest way to get that information is to ask someone for it.

Page 160: Material best practices in network security using ethical hacking

The Beginning

• Like many hacking techniques, social engineering got its start in attacks against the telephone company. The hackers (or phone phreaks, as they used to be called) would dial up an operator and, by using the right jargon, convince him or her to make a connection or share some information that should not have been shared.

Page 161: Material best practices in network security using ethical hacking

In Reality

• Social engineering is probably as old as speech, and goes back to the first lie.

• It is still successful today because people are generally helpful, especially to someone who is nice, knowledgeable, and / or insistent.

• No amount of technology can protect you against a social engineering attack.

Page 162: Material best practices in network security using ethical hacking

So How Do You Protect Yourself from Yourself?

• Recognizing an Attack
– You can prepare your organization by teaching people how to recognize a possible social engineering attack. Do we have a Cyber Security & Ethics 101 Class?

• Prevent a successful attack
– You can prepare a defense against this form of social engineering by including instructions in your security policy for handling it.

Page 163: Material best practices in network security using ethical hacking

So How Do You Protect Yourself from Yourself?

• Create a response plan
– Your response plan should include instructions on how to deal with inquiries relating to passwords or other classified information.

• Implement and monitor the response plan, and continue to reinforce it with training

Page 164: Material best practices in network security using ethical hacking

Target And Attack

• The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.

• Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals.

• The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities.

Page 165: Material best practices in network security using ethical hacking

And Another

• One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network.

• How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises.

Page 166: Material best practices in network security using ethical hacking

And so on…

• For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.

Page 167: Material best practices in network security using ethical hacking

And so on…

• The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer.

• They dug through the corporate trash, finding all kinds of useful documents.

• They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands.

• The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.

Page 168: Material best practices in network security using ethical hacking

Common Techniques

• Social Engineering by Phone
• Dumpster Diving
• On-line Social Engineering
• Persuasion
• Reverse Social Engineering
• And many more….

Page 169: Material best practices in network security using ethical hacking

Defining The Term "Social Engineering"

• In the world of computers and technology, social engineering is a technique used to obtain or attempt to obtain secure information by tricking an individual into revealing the information.

• Social engineering is normally quite successful because most targets (or victims) want to trust people and provide as much help as possible.

• Victims of social engineering typically have no idea they have been conned out of useful information or have been tricked into performing a particular task.

• The prey is not just you but your children and elders as well.

Page 170: Material best practices in network security using ethical hacking

A Challenge to the CSU

• This is the 21st Century, the time of CyberSpace.

• Why is there no formal GE requirement for CyberSecurity and Ethics, which can be taught not only at the CSU level but at the CC level as well?

• Why don’t we extend this education to K-12 and Senior Centers as well?

Page 171: Material best practices in network security using ethical hacking

Mt. SAC and Cal Poly Efforts

• NSF Grant Project – Establishment of a Regional Information Systems Security Center (RISSC; see http://rissc.mtsac.edu/RISSC_NEW/default.asp )

• Cal Poly’s Participation in the Title V Grant and development of Network Security curriculum

• Cal Poly Pomona’s Establishment of a Center for Information Assurance (see http://www.bus.csupomona.edu/cfia.asp )

Page 172: Material best practices in network security using ethical hacking

Please join us for

• Information Assurance Symposium: Building Information Assurance Capacity and Improving Infrastructure at Minority Serving Institutions

December 8 - 10, 2005, Cal Poly Pomona, 8:30 a.m. - 5:00 p.m.

Page 173: Material best practices in network security using ethical hacking

Contribute to:

• Information Sharing

• Curriculum Development

• Awareness, Knowledge and Development of initiatives to help others around us be better at practicing good security techniques

• Our thanks to Educause, ISACA, ISSA, IIA and HTCIA for their support

Page 174: Material best practices in network security using ethical hacking

Building a Successful Security Infrastructure

Page 175: Material best practices in network security using ethical hacking

Security Domains

• Application/System Security

• Operations Security

• Telecommunication & Network Security

• Physical Security

• Cryptography

• Security Architecture

• Security Management

• Access Control

• Law, Investigations, and Ethics

• Business Continuation & Disaster Recovery Planning

Ten Security Domains

Page 176: Material best practices in network security using ethical hacking

Group Discussion

• Cryptography

• Law, Investigations & Ethics

• Access Control Systems & Methodology

• Security Management Practices

• Security Architecture & Models

• Physical Security

• Business Continuity & Disaster Recovery Planning

• Operations Security (Computers)

• Application & Systems Development

• Telecommunications & Network Security

Page 177: Material best practices in network security using ethical hacking

Security Infrastructure

• Cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.

Page 178: Material best practices in network security using ethical hacking

Security Infrastructure

• Law, Investigation, and Ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.

Page 179: Material best practices in network security using ethical hacking

Security Infrastructure

• Access Control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.

Page 180: Material best practices in network security using ethical hacking

Security Infrastructure

• Security Management Policies, Standards, and Organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.

Page 181: Material best practices in network security using ethical hacking

Secured Infrastructure: People/Organization, Technologies, Processes, Policies

Security Challenges?

Page 182: Material best practices in network security using ethical hacking

Security Infrastructure

• Security Architecture. Security architecture involves the aspects of computer organization and configuration that are employed to achieve computer security. It also includes implementing system security so that mechanisms are in place to maintain the security of system programs.

Page 183: Material best practices in network security using ethical hacking

Security Architecture

Cryptography: Public Key (RSA), X.509 Certificates, Digital Signatures, Digital Envelopes, Hashing/Message Digest, Symmetric Encryption, Certificate Authorities

Security Infrastructure: DNS, DMZ, Firewalls, Directory Services, IDS, Virus Checkers, VPN, PKI, NAT, RADIUS, Remote Access, Web Servers, DHCP, Wireless

Application: Single Sign On, Kerberos/DCE, Mixed/Integrated Security, Smart Cards, Cryptographic APIs, PDAs (PocketPC, Palm Pilots)

Domain Trust Management: Directional Trust, Transitive Trust, Kerberos, NTLM

Security Services and Protocols: IPSEC, SSL/TLS, Kerberos, L2TP, PPTP, PPP, Etc.

Security Goals: Authentication, Auditing, Availability, Authorization, Privacy, Integrity, Non-Repudiation

Security Attacks: Viruses, Trojan Horses, Bombs/Worms, Spoofing/Smurf, Sniffing and Tapping, DOS, Etc.

Page 184: Material best practices in network security using ethical hacking

Security Infrastructure

• Physical Security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.

Page 185: Material best practices in network security using ethical hacking

Security Infrastructure

• Business Continuity Planning and Risk Management. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.

Page 186: Material best practices in network security using ethical hacking

Security Infrastructure

• Operations Security (Computer). Computer operations security involves the controls over hardware, media, and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.

Page 187: Material best practices in network security using ethical hacking

Security Infrastructure

• Application and System Development. Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.

Page 188: Material best practices in network security using ethical hacking

Security Infrastructure

• Telecommunications & Network Security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.

Page 189: Material best practices in network security using ethical hacking

Multiple Combined Security Strategies

External Border Network Perimeter Security

Internal Network (LAN/WAN) Perimeter Security

Server Security

Desktop Security

User/Social Engineering Security

Page 190: Material best practices in network security using ethical hacking

Security Strategies and Descriptions

• Least Privilege: This principle means that any object (e.g., user, administrator, program, system) should have only the security privileges required to perform its assigned tasks.

• Defense in Depth: This principle recommends that multiple layers of security defense be implemented. They should back each other up.

• Choke Point: Forces everyone to use a narrow channel, which you can monitor and control. A firewall is a good example.

• Weakest Link: This principle suggests that attackers seek out the weakest link in your security. As a result, you need to be aware of these weak links and take steps to eliminate them.

• Fail-Safe Stance: In the event your system fails, it should fail in a position that denies access to resources. Most systems will adhere to a deny stance or a permit stance.

• Universal Participation: To achieve maximum effectiveness, security systems should require the participation of all personnel.

• Diversity of Defense: This principle suggests that security effectiveness is also dependent on the implementation of similar products from different vendors. (This includes Circuit Diversity.)

• Simplicity: This principle suggests that by implementing simple things it is easier to manage.

• Security through Obsolescence: This principle suggests that by implementing old technology no one will have the knowledge to compromise the system.

• Security through Obscurity: This principle recommends the hiding of things as a form of protection.

Ten (10) Security Strategies
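As an added illustration of the Least Privilege and Fail-Safe Stance rows above (example code written for this page, not from the slides), the following evaluator keeps an explicit allow-list per principal, lets a configurable deny or permit stance decide unlisted requests, and denies whenever the policy store itself fails. The principals, resources and rules are constructed sample data.

```python
"""Added example (not from the slides): a tiny access-control evaluator
showing Least Privilege (explicit per-principal rules) and Fail-Safe
Stance (any failure resolves to deny). All data below is constructed."""
from enum import Enum


class Stance(Enum):
    DENY = "deny"      # default-deny: anything not explicitly allowed is refused
    PERMIT = "permit"  # default-permit: anything not explicitly denied is allowed


# Constructed sample policy: principal -> {(resource, action): allowed?}
POLICY = {
    "alice": {("payroll", "read"): True},
    "backup-job": {("payroll", "read"): True, ("payroll", "write"): False},
}


class PolicyLookupError(Exception):
    """Simulates the policy store being unreachable or corrupt."""


def lookup(policy, principal, resource, action):
    """Return True/False for an explicit rule, None when no rule exists,
    and raise PolicyLookupError when the store itself cannot be consulted."""
    if policy is None:
        raise PolicyLookupError("policy store unavailable")
    return policy.get(principal, {}).get((resource, action))


def is_allowed(policy, principal, resource, action, stance=Stance.DENY):
    """Fail-safe evaluation: an explicit rule wins; otherwise the stance
    decides; any error while consulting the policy resolves to deny."""
    try:
        decision = lookup(policy, principal, resource, action)
    except PolicyLookupError:
        return False  # fail closed, regardless of the configured stance
    if decision is not None:
        return decision
    return stance is Stance.PERMIT


def effective_privileges(policy, principal, requests, stance=Stance.DENY):
    """Evaluate a batch of (resource, action) requests and return those
    that would be granted, useful when reviewing a principal's privileges."""
    return [(r, a) for r, a in requests
            if is_allowed(policy, principal, r, a, stance)]
```

Under the deny stance the unlisted ("hr", "read") request is refused; under the permit stance it would be granted, but an explicit deny rule and a policy-store failure are refused in both.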

Page 191: Material best practices in network security using ethical hacking

Security Requirements

• Authentication

• Availability

• Auditing

• Authorization

• Privacy/Confidentiality

• Integrity

• Non-repudiation

4APIN

Page 192: Material best practices in network security using ethical hacking

Stages of Information and Classification

• Disseminate

• Process

• Accumulate (Collect)

• Store

• Transmit

D-PAST

Page 193: Material best practices in network security using ethical hacking

N-Factor Authentication Methods

• Someplace where you are located (SITE).

• Something that you HAVE.

• Something that you ARE.

• Something that you NEED.

• Something that you KNOW.

SHANK

Page 194: Material best practices in network security using ethical hacking

Security Assurance Domains (rated Red / Yellow / Green)

1. Cryptography

2. Law, Investigations & Ethics

3. Access Control Systems & Methodology

4. Security Management Practices

5. Security Architecture & Models

6. Physical Security

7. Business Continuity & Disaster Recovery Planning

8. Operations Security (Computers)

9. Application & Systems Development

10. Telecommunications & Network Security

TLC’s Security Stoplight Chart

Page 195: Material best practices in network security using ethical hacking

Security Controls

Types of Control

• Preventive

• Detective

• Corrective

• Deterrent

• Recovery

• Compensating

Page 196: Material best practices in network security using ethical hacking

Questions/Answers

Security Infrastructure