Network Security Applications:
Threats Do Exist
Advanced Network Based Application (CIS 471) CSUDH
Robert Pittman Jr., M.P.A., CISM, Assistant CISO
County of Los Angeles, April 30, 2007
Student's questions…
What kind of security risks are involved with social networking sites like MySpace, Facebook or Match.com?
How often is there an attempt to steal information? How often is there a breach?
What is the demand for Security Professionals in the IT field like?
Are Chief Security Officers common in corporations?
What do you think will be the future of IT security demand (more demanding or less demanding)?
From your experience, how difficult was it to get started in the IT field? How big is the career demand?
What certifications, years of experience, and/or degree are needed to start a career in IT?
As far as network security and anything IT related, did you get any type of training from your company before you started?
Agenda
OSI-Layer and the Zones
Network Threats
Mitigating Network Threats
Wireless Networks Threats
Wireless Networks Secured
Web Appl (includes e-Commerce) Threats
Mitigating Web Appl (includes e-Commerce) Issues
Coding Web Appl (includes e-Commerce)
Computer Crimes – the Latest News
References
Hacker Sites
OSI-Layer and the Zones
Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport
Layer 3 - Network
Layer 2 - Data Link
Layer 1 - Physical
Zones: Internet, Demilitarized Zone (DMZ), Intranet
Network Threats
Denial of Service (DoS/DDoS)
Common Attacks (e.g., Back Door, etc.)
Voice over Internet Protocol (VoIP)
Network devices:
> default SNMP community strings
> default accounts, passwords, & encryption keys
> unnecessary services (i.e., ports)
> unencrypted & unauthenticated admin passwords
> printers, fax machines, and scanners
Mitigating Network Threats
Use of a Network Intrusion Detection System (NIDS)
Use of a traffic regulator/governor
Maintain software currency (OS, DBMS, etc.)
Maintain currency of anti-virus and other security products
Perform a Complete Configuration Audit
Set up a syslog server
Disable default accounts & change default passwords
Disable unnecessary services
Use encrypted & authenticated admin protocols
Use port-level security
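As an added example (not part of the slides), a small configuration-audit check that flags several of the slide's items in one pass: default SNMP community strings, a reversibly stored enable password, unencrypted admin services, and a missing syslog server. The router-style configuration text is constructed for the example and the rule set is an illustration, not a vendor tool.

```python
"""Configuration audit helper for the controls listed on the slide.
The sample configuration is constructed (Cisco IOS-like syntax, not a real
device); each rule maps to one slide item."""
import re

# Constructed sample configuration with several of the slide's weaknesses present.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password cisco
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet
"""

# Community strings that ship as vendor defaults and should never stay in place.
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(config: str) -> list:
    """Return a list of human-readable findings for the given config text."""
    findings = []
    has_syslog = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string in use: {m.group(1)}")
        if line.startswith("enable password "):
            findings.append("enable password stored reversibly; use 'enable secret'")
        if line == "ip http server":
            findings.append("unencrypted HTTP admin service enabled")
        if line.startswith("transport input") and "telnet" in line:
            findings.append("telnet permitted for admin access; restrict to ssh")
        if line.startswith("logging host "):
            has_syslog = True  # a syslog server is configured
    if not has_syslog:
        findings.append("no syslog server configured (no 'logging host')")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```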
Wireless Networks Threats
Ability to passively obtain confidential data and leave no trace of the attack
Wireless networks positioned behind perimeter firewalls may provide attackers with a backdoor
Could serve as a launching pad for attacks (e.g., zombie, etc.) on unrelated networks
Provide convenient cover as identifying the originator of an attack is difficult, if not impossible
Wireless Networks Secured
Isolate wireless networks
Require stronger authentication
Secure the handhelds (e.g., PDAs, laptops, etc.)
WEP is not a security solution
Eliminate the use of a descriptive name for the SSID and the Access Point
Hardcode the MAC addresses that can use the AP
Change encryption keys frequently
Locate APs centrally
Change default AP passwords/IP addresses
DHCP should not be used
Identify rogue APs
Web Appl (includes e-Commerce) Threats
Spoofing identity (RFC 2617)
Data Tampering
Repudiation
Information disclosure
Denial of Service
Elevation of privilege
Mitigating Web Appl (includes e-Commerce) Issues
Source Code
Authentication
Session Handling
Error Handling
Database Handling
Shopping Cart
File Handling
Application Audit Events
Input Validation
Sensitive Data in Cookies and Fields
Coding Web Appl (includes e-Commerce)
Do not…
trust data received from any external source
rely on client-side data validation
write unfiltered data to the web browser
access files based on user input without validation
put sensitive information in hidden form fields
store passwords or other sensitive info in ASP pages
leave comments in client-side HTML
store unnecessarily sensitive info in the database
put sensitive info in URLs
Do…
disable the default error page
properly quote external data used in SQL statements
log suspicious activity
specify a particular character set
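As an added example (not from the slides), two of the coding rules above side by side: server-side validation instead of trusting the client, and external data passed to SQL as a bound parameter rather than spliced into the statement. The in-memory SQLite table and the customer rows are constructed for the example.

```python
"""Vulnerable and hardened lookup for the slide's SQL-quoting rule.
Table contents are constructed; sqlite3 is used so the example runs offline."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"),
                      (2, "bob", "bob@example.com")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """'Before' form: external data is spliced into the statement, so any
    quote inside the value becomes part of the SQL (error on a legitimate
    name like o'brien, changed query meaning on a crafted one)."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Server-side allow-list: letters, digits, underscore, apostrophe, space, hyphen.
NAME_RE = re.compile(r"^[A-Za-z0-9_' -]{1,32}$")


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: validate on the server (client-side checks are not
    trusted), then bind the value so the database never parses it as SQL."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid customer name")
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "alice"))
    print(lookup_safe(db, "alice"))
    print(lookup_safe(db, "o'brien"))  # quote handled by the bound parameter
```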
Computer Crimes – the Latest News
Vermilion, Ohio Man Sentenced in Wire Fraud Case (April 19, 2007)
Former Navy Contractor Sentenced for Damaging Navy Computer System (April 5, 2007)
St. Joseph Woman Sentenced For $312,000 Wire Fraud (March 14, 2007)
Hackers from India Indicted for Online Brokerage Intrusion Scheme that Victimized Customers and Brokerage Firms (March 12, 2007)
New CCIPS Publication, "Prosecuting Computer Crimes" Manual Now Available (March 10, 2007)
Defendant Sentenced For Conspiring To Commit Computer Fraud And Identity Theft (March 5, 2007)
Massachusetts Man Charged with Defrauding Cisco of Millions of Dollars Worth of Computer Networking Equipment: Using False Identities and Private Mailboxes in at Least 39 States, Suspect Allegedly Carried out the Fraud at Least 700 Times (February 28, 2007)
Washington State Man Pleads Guilty To Charges Of Transmitting Internet Virus (February 15, 2007)
Clovis and Fresno Residents Plead Guilty to Conspiracy to Commit Wire Fraud, Mail Fraud, and Copyright Infringement (February 8, 2007)
Three Internal Revenue Service Employees Indicted for Computer Fraud/Abuse (February 8, 2007)
Man Pleads Guilty to Stealing Morgan Stanley Trade Secrets Relating to Hedge Funds (February 1, 2007)
References
csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
www.cert.org/security-improvement/modules/m11.html
www.cisco.com
www.cisecurity.org
www.csoonline.com
www.ietf.org/rfc.html
www.linuxhomenetworking.com/cisco-hn/syslog-cisco.htm
www.netstumbler.com
www.nist.gov (not www.nist.org)
www.ntbugtraq.com
www.owasp.org
www.sans.org
www.usdoj.gov/criminal/cybercrime/cc.html
Hack Notes: Web Security Portable Reference, Mike Shema; 174 pages, 2003, McGraw-Hill Companies.
Writing Secure Code, Second Edition, Michael Howard and David LeBlanc; 768 pages, 2003, Microsoft Press.
Hacker Sites
www.2600.com
www.antionline.com
www.defcon.org
www.hackers.com
www.insecure.org
Thanks for listening!
Questions?