Security. Myths about Business Risks in the Information Age

Upload: malcolm-martin

Post on 12-Jan-2016

TRANSCRIPT

Page 1: Security. Myths about Business Risks in the Information Age: Security is only about protecting “things”; We don’t have any information anyone would want

Security

Page 2: Myths about Business Risks in the Information Age

- Security is only about protecting “things”
- We don’t have any information anyone would want
- Security problems have never happened here
- Firewalls provide enough security
- Technology will solve the security problem
- The “enemy” is outside
- Our people won’t tolerate tight security
- My PC is secure, so I’m secure
- The Internet can’t be used for secure communications

Source: The Economist and Arthur Andersen

Page 3: Security

SECURITY: Deter, Detect, Minimize, Investigate, Recover

Page 4: Security Risks

Accidental or Intentional
Destruction, Alteration or Access
Internal or External

Page 5: Threats

- Disaster and breakdowns
- Access and disclosure
- Alteration or destruction
- Improper use

Page 6: RISK ASSESSMENT

P1 = Probability of attack
P2 = Probability of success (given an attack)
L = Cost of loss

Expected Loss = P1 * P2 * L

Minimize threat categories: rank them by expected loss and spend first where the product is largest.
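The model above carried through on a small set of threat categories, as an added example that is not part of the slides. The category names are the ones from the Threats slide; every probability and loss figure is a constructed illustration, and the cost-benefit rule for a control (buy it only if the expected loss it removes exceeds its cost) is the editor's reading of "minimize threat categories", not text from the deck.

```python
"""Expected-loss ranking with the slide's model, Expected Loss = P1 * P2 * L,
as an added example (not from the slides). The threat categories are the ones
named on the Threats slide; every number below is a constructed illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    p1: float    # P1: probability an attack is attempted in the period
    p2: float    # P2: probability the attack succeeds, given it is attempted
    loss: float  # L: cost of loss if it succeeds

    def expected_loss(self) -> float:
        return self.p1 * self.p2 * self.loss


def rank_threats(threats):
    """Threat categories ordered from highest to lowest expected loss."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def control_value(threat, new_p2, control_cost):
    """Net value (rounded) of a control that lowers P2 to new_p2 for control_cost.

    A control is worth buying only if the expected loss it removes exceeds
    what it costs. A negative result means it does not pay for itself.
    """
    if not 0.0 <= new_p2 <= threat.p2:
        raise ValueError("a control cannot raise P2 or make it negative")
    saving = threat.expected_loss() - replace(threat, p2=new_p2).expected_loss()
    return round(saving - control_cost, 2)


# Constructed sample input (illustrative numbers only).
SAMPLE_THREATS = [
    Threat("Disaster and breakdowns",   p1=0.05, p2=1.00, loss=400_000),
    Threat("Access and disclosure",     p1=0.90, p2=0.10, loss=250_000),
    Threat("Alteration or destruction", p1=0.30, p2=0.20, loss=150_000),
    Threat("Improper use",              p1=0.90, p2=0.50, loss=25_000),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.name:28s} expected loss {t.expected_loss():>10,.0f}")
    # Does a 15,000 control that halves P2 for 'Access and disclosure' pay off?
    print(control_value(SAMPLE_THREATS[1], new_p2=0.05, control_cost=15_000))
```

With these numbers the rare disaster and the frequent-but-usually-failing disclosure attempt rank close together, which is the point of the formula: neither probability nor loss alone tells you where to spend. The sample control halves P2 for the top category yet comes out negative, because it removes 11,250 of expected loss and costs 15,000.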

Page 7: Security Policy

Security is always a cost to efficiency. It must be promoted to be effective.

- From the top
- Before installing hardware
- Politically charged

Page 8: Writing a Security Policy

1. Assess the types of risks
2. Identify vulnerabilities
3. Analyze user needs
4. Write the policy
5. Develop change procedures
6. Plan implementation
7. Implement

Page 9: Risk Areas

- Personnel risk: background checks, segregation of duties, terminated employees
- Physical access risk
- Disaster risk: disaster recovery, backup/hot sites
- Integrity risk
- Access risk
- Availability risk: infrastructure capability, denial of service

Page 10: Integrity Risk

Risks associated with the authorization, completeness and accuracy of transactions

- User interface
- Processing
- Error processing
- Interfaces with other systems/databases
- Change management
- Data
- Privacy
- Backup

Page 11: Access Risk

Risks associated with inappropriate access to systems or data

- Identification, authentication and nonrepudiation: what you know, what you have, what you are
- Encryption (algorithm and key): secret key, private/public key; smart cards, hardware tokens
- Digital signature (hashing and public key): hash the message, encrypt the hash with the sender's private key, send the result along with the message, and let the receiver decode it with the sender's public key and compare it against a fresh hash of the message
- Certification authority and digital certificates
- Security protocols
- Firewalls and guards

Page 12: Elements of Risk

Access, Threat, Asset

Page 13: Administrative Controls: Limit the Threat

Standards, rules, procedures and discipline to assure that personnel abide by established policies. Includes segregation of functions.

Page 14: Administrative Controls

- Security organization
- Audits
- Risk assessment
- Administrative standards and procedures

Page 15: Protecting the Assets

- Resource management
- Disaster recovery
- System segregation

Page 16: Resource Management

- Backup planning
- Job scheduling
- Redundant design
- Selective decoupling

Page 17: Disaster Management

- Redundancy and fault-tolerant systems
- Backups and off-site storage
- Hot and cold sites
- Planning and procedures

Page 18: Elements of Risk

Access, Threat, Asset

Page 19: Vulnerabilities

- Servers: securing operating systems and applications
- Networks: access protection from snooping, attacks, spoofing
- Clients and modems: user verification for PCAnywhere etc.
- Viruses

Page 20: Operating Systems

UNIX, Novell Netware, Windows and Windows NT

Page 21: Secure Operating Systems

- U.S. Government certification (the TCSEC "Orange Book" classes): A1, B1, B2, B3, C1, C2 (most commercial systems), D
- Ease of use
- CERT (Computer Emergency Response Team), www.cert.org

Pages 22-23: Top 12 Security Risks

1. Hosts run unnecessary services
2. Unpatched, outdated or default-configured software
3. Information leakage through network service programs
4. Misuse of trusted access
5. Misconfigured firewall access lists
6. Weak passwords
7. Misconfigured web servers
8. Improperly exported file sharing services
9. Misconfigured or unpatched Windows NT servers
10. Inadequate logging, monitoring or detecting
11. Unsecured remote access
12. Lack of comprehensive policies and standards
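Risk 1 on the list is the one most easily checked by script: compare what a host is actually listening on against what it is supposed to run. The audit below is an added example, not from the slides or any tool they mention. It parses lines in the shape of Linux `ss -Hlntu` output; the sample output and the allowlist of approved (protocol, port) pairs are both constructed assumptions about one hypothetical host.

```python
"""Flag listening services that are not on an approved list (added example,
not from the slides). Parses output shaped like `ss -Hlntu` on Linux; the
sample below is constructed, and ALLOWED is an assumed per-host policy.
"""
import re

# Constructed sample in the shape of `ss -Hlntu` output (no header line).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:23        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

# Assumed policy: (protocol, port) pairs allowed to listen on a non-loopback address.
ALLOWED = {("tcp", 22), ("tcp", 443)}

# Netid State Recv-Q Send-Q Local:Port Peer:Port  -> capture netid, local address, port
_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+\S+")


def parse_listeners(text):
    """Yield (proto, local_addr, port) for each socket line that parses."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(3) == "*":
            continue
        yield m.group(1), m.group(2), int(m.group(3))


def is_loopback(addr):
    """Loopback-only listeners are not reachable from the network."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def unexpected_services(text, allowed=ALLOWED):
    """Sorted (proto, addr, port) tuples that listen externally but are not allowed."""
    findings = set()
    for proto, addr, port in parse_listeners(text):
        if is_loopback(addr):
            continue
        if (proto, port) not in allowed:
            findings.add((proto, addr, port))
    return sorted(findings)


if __name__ == "__main__":
    for proto, addr, port in unexpected_services(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

On the constructed sample the telnet listener on 23/tcp and SNMP on 161/udp are reported; the database bound to 127.0.0.1 is deliberately ignored because it is not exposed to the network, which is the distinction that matters for risk 1. On a real host, feed the function the output of `ss -Hlntu` and keep the allowlist under change control alongside the host's build standard.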

Page 24: Tools

- Firewalls
- Network partitioning and routers
- Encryption
- Testing tools
- Consultants

Page 25: Firewall functions

Packet Filter: Blocks traffic based on IP address and/or port numbers.

Proxy Server: Serves as a relay between two networks, breaking the connection between the two.

Network Address Translation (NAT): Hides the IP addresses of client stations in an internal network by presenting one IP address to the outside world.

Stateful Inspection: Tracks the transaction in order to verify that the destination of an inbound packet matches the source of a previous outbound request. Generally can examine multiple layers of the protocol stack.

Page 26: Firewall Operation

Page 27: Firewall Operation

1. A router sits between two networks.

2. A programmer writes an access control list, which contains the IP addresses that are allowed onto the network.

3. A message is sent to the router. The router checks the message's source address against the access control list. If the address is on the list, the message goes through.

4. If the address is not on the list, the message is denied access to the network.
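The four steps above describe a stateless address list. The example below, added here and not part of the slides, implements that rule and, beside it, the stateful-inspection rule from the "Firewall functions" slide (an inbound packet is also allowed when its destination matches the source of an earlier outbound request). The addresses, ports and packet trace are constructed.

```python
"""Router access list vs stateful inspection, as an added example (not from
the slides). Addresses, ports and the packet trace are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" = arriving from outside, "out" = leaving the inside


def acl_filter(packet, allowed_sources):
    """Slide's rule: inbound traffic passes only from listed source addresses."""
    if packet.direction == "out":
        return True
    return packet.src in allowed_sources


class StatefulFirewall:
    """Remembers outbound flows so that only matching replies get back in."""

    def __init__(self, allowed_sources, allowed_inbound_ports):
        self.allowed_sources = set(allowed_sources)
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.flows = set()   # (inside_addr, inside_port, outside_addr, outside_port)

    def decide(self, packet):
        if packet.direction == "out":
            # Record the 4-tuple so the reply can be recognised later.
            self.flows.add((packet.src, packet.sport, packet.dst, packet.dport))
            return True
        # Inbound: is this the answer to a request the inside sent out?
        if (packet.dst, packet.dport, packet.src, packet.sport) in self.flows:
            return True
        # Otherwise only published services, and only from listed sources.
        return (packet.src in self.allowed_sources
                and packet.dport in self.allowed_inbound_ports)


def run_trace():
    """Apply both policies to a constructed trace; returns (acl, stateful) per packet."""
    allowed = {"198.51.100.10"}                       # a partner host on the list
    fw = StatefulFirewall(allowed, allowed_inbound_ports={25})
    trace = [
        Packet("10.0.0.5", 40000, "203.0.113.7", 443, "out"),   # inside opens HTTPS
        Packet("203.0.113.7", 443, "10.0.0.5", 40000, "in"),    # the server's reply
        Packet("203.0.113.7", 443, "10.0.0.5", 22, "in"),       # same server, unsolicited probe
        Packet("198.51.100.10", 5000, "10.0.0.9", 25, "in"),    # partner delivering mail
        Packet("198.51.100.10", 5000, "10.0.0.9", 3389, "in"),  # partner, unpublished port
    ]
    return [(acl_filter(p, allowed), fw.decide(p)) for p in trace]


if __name__ == "__main__":
    for decision in run_trace():
        print(decision)
```

The trace shows the two ways an address-only list goes wrong: the web server's reply is dropped unless every outside host the inside may talk to is put on the list, and a host that is on the list can reach any inside port, not just the service it was listed for. The stateful rule admits the reply because it matches a recorded outbound flow, and still refuses both unsolicited packets.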

Page 28: Encryption

- Keys and key length
- Public key/private key
- Processing problems
- Location: application, network, firewall, link

Page 29: Encryption Techniques

Page 30: How Public Key Encryption Works

1. Sue wants to send a message to Sam, so she finds his public key in a directory.

2. Sue uses the public key to encrypt the message and sends it to Sam.

3. When the encrypted message arrives, Sam uses his private key to decrypt the data and read Sue's message.
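The three steps above, together with the digital-signature flow from the Access Risk slide (hash, encrypt the hash with the sender's private key, decode with the public key), carried out end to end as an added example that is not from the slides. It is textbook RSA with toy 12- and 13-bit moduli so the arithmetic is visible: no padding, tiny keys, and the hash reduced modulo n. It is not a secure implementation and must not be reused as one. Sue, Sam and the directory are the slide's names; the key values are constructed.

```python
"""Public-key encryption and digital signature flow from the slides, as an
added example. Textbook RSA with toy moduli: NOT secure (no padding, tiny
keys, hash reduced mod n). Sue, Sam and the directory are the slide's names;
the primes below are constructed.
"""
import hashlib


def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)) for primes p, q. Textbook RSA; toy sizes only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: bytes, public_key):
    """Sue encrypts with Sam's public key: one RSA operation per byte (toy)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(ciphertext, private_key):
    """Sam decrypts with his private key."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def _digest_mod_n(message: bytes, n: int) -> int:
    # The signature covers a hash of the message, not the message itself.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key):
    """Hash, then 'encrypt' the hash with the signer's private key."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decode' the signature with the public key and compare to a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


# Constructed keys and the slide's "directory" of public keys.
SAM_PUBLIC, SAM_PRIVATE = make_keypair(61, 53)    # n = 3233
SUE_PUBLIC, SUE_PRIVATE = make_keypair(71, 83)    # n = 5893
DIRECTORY = {"Sam": SAM_PUBLIC, "Sue": SUE_PUBLIC}


def sue_sends(message: bytes):
    """Sue looks up Sam's public key, encrypts to it, and signs with her own private key."""
    return encrypt(message, DIRECTORY["Sam"]), sign(message, SUE_PRIVATE)


def sam_receives(ciphertext, signature):
    """Sam decrypts with his private key and checks the signature with Sue's public key."""
    plaintext = decrypt(ciphertext, SAM_PRIVATE)
    return plaintext, verify(plaintext, signature, DIRECTORY["Sue"])


if __name__ == "__main__":
    ct, sig = sue_sends(b"Meet at noon")
    pt, ok = sam_receives(ct, sig)
    print(pt, "signature valid:", ok)
    print("tampered:", verify(b"Meet at 1pm", sig, DIRECTORY["Sue"]))
```

Two private keys are in play, which is the part the slides' one-directional diagram leaves implicit: confidentiality uses the receiver's key pair (encrypt with Sam's public key, decrypt with Sam's private key), while the signature uses the sender's (sign with Sue's private key, verify with Sue's public key). Changing a single character of the message makes the verification fail because the fresh hash no longer matches what the signature decodes to.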

Page 31: Encryption at the Firewall

Page 32: Authentication

- Passwords
- “Credit” cards
- Biometrics
- Isolation
- Remote location verification

Page 33: Biometrics: how it works

Users "enroll" by having their fingerprints, irises, faces, signatures or voice prints scanned.

Key features are extracted and converted to unique templates, which are stored as encrypted numerical data.

Corresponding features presented by a would-be user are compared to the templates in the database.

Matches will rarely be perfect, and the owners of the system can vary a sensitivity threshold so as to minimize either the rate of false rejections, which annoy users, or false acceptances, which jeopardize security. This offers far more flexibility than the binary "Yes" or "No" answers given by password technologies.

Page 34: Common biometric techniques and how they rate

Technique                       Intrusiveness  Effort     Accuracy   Cost
Dynamic signature verification  Excellent      Fair       Fair       Excellent
Face geometry                   Good           Good       Fair       Good
Finger scan                     Fair           Good       Good       Good
Hand geometry                   Fair           Good       Fair       Fair
Passive iris scan               Poor           Excellent  Excellent  Poor
Retina scan                     Poor           Poor       Very good  Fair
Voice print                     Very good      Poor       Fair       Very good

Source: International Biometric Group, New York, as reported in Computerworld, Quick Study: Biometrics, 10/12/98

Page 35: Security