Network Security Risks

IS Auditor Role Collect evidence to ascertain an

entities ability to: Safeguard assets Provide data integrity Efficiency of systems Effectiveness of systems

Networks Are Vulnerable to Attack

Hackers / Crackers Terrorists Insiders

Logical Attack Physical Attack

http://www.msnbc.com/news/482181.asp#BODY

$,trust,secrets,infrastructure

Financial Transactions-$Trillions/year EFT/Credit Card

Pentagon – 500,000 attempted attacks/year

Microsoft – Hacked

Denial of Service – February

Melissa – I Love You

Physical Access Attack

Sneaker Net

Hub

Clinic Clinic Clinic Clinic

Internet / VPN

ISP

CSU/DSU

T1

Router/Packet filtering firewall

Internet Gateway

PC PC PC PC PC PC

Hub

Switch

Admin- 330 PC's

Hub Hub

PC PC PC PC PC PC

Switch

Dr's Offices- 200 PC's

Switch

PC

PC

PC PC

PC

PC

Operating Rooms- 20 PC's

Switch

PC

PC

PC

PC

PC

Classrooms

Mainframe Switch Switch

Servers

WANISP 2

Fault tolerance

Routers, Firewalls, Gateways Firewalls-hardware/

software used to protect assets from untrusted networks

Gateway/proxy server allow information to flow between internal and external networks but do not allow the direct exchange of packets

DMZ - isolates internal network from vulnerable web servers

Router- manages network traffic forwards packets to their correct destination by the most efficient path

Filters packets by a pre-determined set of rules

IP source address, IP destination address, source port, and destination port

Are only as secure as quality of rule set designed

TCP/IP Internet Protocol IP - standard for internet

message exchange Does not guarantee delivery

of packets Packets using IP travel

similarly to a post card Does not provide for data

integrity or timeliness, security, privacy or confidentiality

TCP, with error correction services is stacked on top of IP to form TCP/IP

Port – address on host where application makes itself available to incoming data 23 – telnet 25 - SMTP

Packet – unit of information transmitted as a whole, inc. source and destination address

IP address – unique 32 bit number- 4 octets separated by periods 144.92.43.178 InterNIC

Securing Messages / Transactions

Authentication Something you

have

Something you are

Something you know

Smart card

Biometric devices

Password

Authentication Devices Biometric devices

Retinal scan Fingerprints Voice recognition Facial recognition

Secure ID tokens

something you have-token

something you know- pin used to generate password that changes once a minute

Passwords Proper maintenance & procedures essential Post-it notes - on monitors and under

keyboards ? Longer than 8 characters Not comprised of English words Include special characters Change regularly L0pht crack L0phtCrack

Symmetric Encryption

Secret key used for encryption and decryption is identical

Alice and Bob must exchange the secret key in advance

Impractical for large numbers of people to securely exchange shared secret keys

Asymmetric Encryption Public-private key pairs,,

used to overcome the problem of shared secret keys

Owner of the key knows private key

Public key is shared with everyone

Message confidentially- Bob encrypts a message with Alice’s public key and on receipt Alice decrypts the message with her private key

Encryption of data

Keys / Cipher length is important Expressed in bits 40 bit cipher can be broken in 3.5 hrs 56 bit - 22 hours 15 min, 64 bit - 33-34 days, 128 bit - > 2000 years

Message integrity

Authentication

Nonrepudiation

Message confidentiality

Message encryption

Digital signature

Message Digest

Securing Transactions Data theft Customer lists,

engineering blueprints and other company secrets

Company assets vulnerable since connected to public networks

Cracker Kevin Mitnick stole plans for Motorola’s StarTac

Used IP spoofing

Theft of money German Chaos

Computer Club used an Active X

control to schedule transfer of money from the victim’s online bank account to numbered bank account controlled by crackers

Stored Account System Similar to existing debit/credit card systems Use existing infrastructure/payment

systems based on electronic funds transfer Use settlement houses/clearing houses Highly accountable and traceable Traceable - raise privacy concerns “big

brother” Slow and expensive online verification is

necessary SET- secure electronic transaction,

CyberCash

Stored Value Systems – E-cash Private, no approval from bank needed Security stakes are high

Counterfeiting Absence of control & auditing

Potentially $8 trillion a year market People do not yet trust e-cash technology More popular in Europe E-cash superior to cash

Do not require proximity Do not create weight & storage problems of cash

New Systems DigiCash, Mondex and Visa Cash

Stored value and/or stored accounts E-cash is stored on an electronic device Use smart card or e-cash could be stored on a PC

Electronic wallet technology Merchant adds or subtracts e-cash value using

encrypted messaging between computers or by inserting the smart card in the merchant’s smart card reader

Mondex - Devices

Smart Cards Credit card sized devices w/ chip & memory Contain operating systems & applications Reader device attached PC can read smart

card Avoid problem of e-cash being stored on

insecure hard drives Smart cards disabled when physically attacked

Smart Cards Will be ubiquitous Loyalty information –

frequent flier miles Health records and

health insurance information

Debit, credit, and charge cards

E-cash Global system for mobile

communications

Pay TV Mass transit ticketing Access controls Digital signatures Biometrics Travel and entertainment Drivers license and social

security information

Secure Sockets Layer Confidentiality & authentication of web sessions Encrypts the communication channel uses

private key Server & client and server agree to private

session key & private encryption/ hashing protocols for confidentiality & data integrity

Client authenticates server w/ certificate authority stored on client’s browser

Secure Electronic Transaction Protocol Open standard for secure internet payments Master Card and Visa, IBM and Microsoft Confidentiality of information,privacy, message

integrity, authentication, and nonrepudiation, and authenticates all parties

Encrypts credit card numbers, shielding from public & merchant

Party in a SET transaction must possess a digital certificate, carry digital wallets or smart cards

1,024 bit keys Securing private keys is problematic MasterCard International - Shop Smart! Demo

Public Key Infrastructure (PKI) Issue, manage, and maintain public-private key

pairs and digital certificates Digital certificates used to authenticate servers or clients using trusted third party, certificate authority

CA’s issue digital certificates to merchants, can be verified by the browser checking the digital signature of the CA against the public key of the CA, stored on the browser

Digital signatures have full legal standing 2000 VeriSign Training

IE –Tools – Internet Options - Content

Risks to the client Active content Cookies Modems Many clients mission critical Personal firewall software

Needed even if part of a network with other layers of protection

Black Ice and Zone Alarm

Active Content Programs that automatically download & execute

on user’s machine when user hits on web site with active content

Java applets, active X controls, JavaScript, VBScript, multimedia presentation files executed via browser “plug-ins” (Flash)

Can provide rich customized computing experience Could be malicious

Java applet coded to read client’s cookies including Passwords & id’s & send the information back to crackers

Active X Controls Can execute any function windows program

can execute Written in variety of languages- execute only

on Wintel machines Security measures designed to prevent

trusted active X controls from damaging machine do not exist

Security based on level of trust client places in author of active X control

Software publisher certificate from a certificate authority such as VeriSign

Java Applets Platform independent; Can run on

Windows or Unix machines Constrained from accessing resources

outside section of memory called the sandbox

Applet can play but not escape Trust of java applets based on restricting

the behavior of the applet Holes in the sandbox- bugs that allows

attack code

Cookies

Internet transactions do not maintain state, no memory of last visit

To restore state - cookies kept on users hard drive

Block of data on client that server can use to identify user, instruct server to send a customized version of a web page, submit the account information of user

If intercepted by third party, significant personal information about user compromised

Compromise user privacy

Operating System Risks Default configurations –on client node

allows java applets to load on server using root ID

Escalation of privileges – If an attacker gains “root” or administrator

privileges the cracker can do anything to the system he desires

Adaptive access control, automates access control process, assigning of permissions alleviates problems of manual access control

Operating System Risks 2 Windows 98 very insecure –

modems connected to internal network problematic

UNIX & windows NT operating systems- more secure but still full of bugs and security holes Patches available from vendors

Computer Emergency Response Team Coordination Center Experts on call for emergencies 24 hours a day Provides facilitation of communication among

experts on security problems Central point for the identification and correction

of security vulnerabilities Secure repository of computer security incident

information CERT Coordination Center

Viruses, Worms, Trojans Users need constant training and

surveillance System administrator - update virus

definitions on schedule Attack emergency and recovery plan Policies regulating users handling of

e-mail are important

Securing the Server Back-end databases must be protected Web servers particularly vulnerable to attack CGI Scripts – Web client request executes on server Crackers escalate privileges to arbitrarily execute

system commands deleting or stealing files placing Trojan horse programs on the server running denial of service attacks defacing web pages storing cracking tools for a later attack

Denial of Service Attacks Cripple or crash Web servers by flooding

server with too much data or too many requests

E-commerce merchants cannot afford financial consequences or loss of trust

 Online NewsHour -- Internet Security

Web Page Defacing

Act of rewriting web page

Motivations political, financial, &/or revenge

More than web server compromised ?

Malicious Web Sites EU study – possibly 60

billion euros lost Steal credit card

numbers Spy on hard drives Upload files Plant active content Example misspelled

URL’s

People & Security - Policies Embraced by management Security philosophy, user policies, incident

management, methods to prevent social engineering attacks, network disaster recovery, and consequences for lack of adherence

Programs to train staff & techniques to enhance security should be ongoing

Outside penetration study can be useful to document the true level of risk and vulnerability

Social Engineering Manipulating of employees natural tendencies Objectives: obtaining passwords, obtaining

configuration data to escalate user permissions in an operating system

Use telephone or email posing as IT staff or higher-level managers

Talk people into revealing damaging information Many devastating cracker exploits have

included social engineering

Insider Risks Authorized users commit 75% to

85% of all computer crime Not usually prosecuted – covered up Disgruntled employees - crashing

file servers, deleting data, selling critical data, and financial fraud

Internal network sniffing

Onion Approach Security solutions to vulnerabilities should

be implemented in a layered approach, the “onion” solution

Solutions should be preventive and predictive rather than reactive

Network security architectures rely upon layers of devices and software that provide multiple barriers to intruders and protect, detect and respond to threats

Tools Vulnerability scanning tools

determination of remote systems weaknesses extremely dangerous in the wrong hands discover open ports how services respond to incoming requests

Intrusion Detection System (IDS) detect intruders breaking into a system or to detect legitimate users misusing system resources well-configured IDS will prohibit all activity not expressly

allowed analysis of audit trail data, especially operating system

activity is important

Tools 2 Logging enhancement tools - supplement

operating system logging & can provide independent audit data

System evaluation tools Configuration checking Permissions checking Analysis of accounts and groups Evaluation of registry settings Verification of up to date patch installation

Network sniffers Intercept and analyze network traffic Can be extremely useful but also are very

dangerous Illegal to sniff a network without permission Possible to read packets with a sniffer After an intrusion sniffer logs can be essential Sniffers can be hardware or software based Also called “packet dumpers”

Questions & Discussion