Why do I need Security - PowerPoint PPT Presentation

Slides: 35
Provided by: Isja

Transcript and Presenter's Notes

1
Why do I need Security?
2
Legal Stuff
  • All information and materials in this course are
    for you to learn techniques to secure computer
    systems in your future work.
  • Techniques learned in this course should only be
    used in an authorized manner (you should always get
    permission from your superiors before running any
    security test).
  • Unauthorized access is bad and illegal even if
    you are a network administrator.

3
Security Needs
  • The need for computer security has always
    existed, and client/server technology led to new
    security problems.
  • The Internet, an open network, exposed information
    (including "unsecured information") to the
    public. Hence, the problem of ensuring system
    security became more important and more difficult
    than ever before.
  • Open network: a group of servers and computers
    that allow free access, i.e. with little built-in
    capacity for securing information.

4
2001 Computer Security Institute "Computer Crime
and Security Survey"
  • 85% of respondents detected computer security
    breaches within the last 12 months.
  • 64% acknowledged a financial loss due to computer
    breaches.
  • 35% were willing and/or able to quantify a
    financial loss due to computer crime. Total
    losses reported equaled $377,828,700.
  • 34 organizations reported $151,230,100 in losses
    from theft of proprietary information.
  • 21 organizations reported $92,935,500 in losses
    from financial fraud.
  • Internet privilege abuse by employees was
    reported by 91% of respondents.
  • 70% reported their Internet connection as a
    frequent point of attack.
  • 31% reported their internal systems as a
    frequent point of attack.
  • 40% of respondents detected system penetration
    from the outside.
  • Computer viruses were detected by 94% of
    respondents.
  • Denial-of-service attacks were detected by 31%
    of respondents.

5
Computer crimes in Hong Kong
  • According to the Hong Kong Police, computer crime
    cases rose from 207 in 2000 to 791 in 2008, an
    increase of 382%. Information security became one
    of the major concerns for companies conducting
    business.
  • According to a survey in 2000, nearly 20% of the
    companies experienced computer attacks in 2000.
    On average, each victimized company recorded 2.6
    incidents.
  • SMEs suffered a larger impact than large companies
    in cases of computer attack, with a higher
    percentage of PCs being affected.
  • "Virus" (99%) was the dominant form of computer
    attack.
  • In 2005, computer attacks caused HK$7.8 million in
    financial loss.

6
Defining Security
  • Preventing unauthorized access to data or
    resources.
  • Bruce Schneier, a renowned security expert,
    considers security a process and a state of
    mind, not just a service or a collection of
    products installed at a company.
  • Security can be thought of as a moving target, as
    new flaws or vulnerabilities are constantly found
    in applications and products because the computing
    environment in a company's network is always
    changing.

7
What are we protecting?
  • The optimization of the CIA triad:
  • Confidentiality (Secrecy, Privacy)
  • Integrity (Accuracy, Authenticity)
  • Availability (Utility, Recovery)
8
What are we protecting? (cont'd)
  • Confidentiality
  • Protect information from unauthorized disclosure
  • Controlling who gets access to information in
    computer data or programs
  • Relevant issues are privacy, sensitivity, and
    secrecy
  • Confidentiality access control model
  • Who can access what data and programs in a
    computer system

9
What are we protecting? (cont'd)
  • Integrity
  • Protecting information from unauthorized,
    unanticipated or unintentional modification and
    destruction
  • Ensure the accuracy, completeness, and consistency
    of information within computer systems
  • Ensure that computer programs are changed only in a
    specified and authorized manner
  • Integrity access control model
  • Deals not only with who can access what data but
    also with how and when the data and programs are
    accessed

10
What are we protecting? (cont'd)
  • Availability
  • Information must be available on a timely basis
  • Assuring system users have uninterrupted access
    to information and system resources
  • An application-dependent issue

11
Other Security Concepts
  • Identification
  • The process that enables recognition of an entity
    (subject or object) by a computer system,
    generally by the use of unique machine-readable
    user names
  • Privacy
  • The right of individuals and organizations to
    control the collection, storage, and
    dissemination of their information or information
    about themselves
  • Authorization
  • The process by which access is established and
    the system verifies that the end user requesting
    access to the information is who they claim to be

12
Other Security Concepts (cont'd)
  • Accountability
  • The process of assigning appropriate access and
    identification codes to users in order for them to
    access the information
  • Non-Repudiation
  • An authentication that with high assurance can be
    asserted to be genuine, and that cannot
    subsequently be refuted.
  • Audit
  • An independent review and examination of system
    records and activities to
  • test for adequacy of system controls
  • ensure compliance with established policy and
    operational procedure
  • recommend any indicated changes in control,
    policy, or procedures

13
Importance of an Effective Security Infrastructure
/ Matrix
  • Security matrix: all components used by a company
    to provide a security strategy, including
    hardware, software, employee training, security
    policy, etc.
  • Covers
  • Physical assets (hard assets), e.g. servers,
    workstations, network components
  • Data, e.g. client information, transaction
    records, company development plans
  • and company reputation. With e-business,
    sometimes it is even more important than
    protecting the physical assets
  • Cost Effective
  • Security and its underlying technology should not
    overshadow the business reason for implementing
    security. You never want to spend more money on a
    security solution than the cost of what you are
    protecting.

14
An example of Security Matrix
15
The Myth of 100 Percent Security
  • Connectivity implies risk.
  • Opportunity exists for abuse if legitimate users
    are allowed to access computers or networks.
  • One popular saying is that the only completely
    secure computer is disconnected from the network,
    shut off and locked in a safe with the key thrown
    away.
  • This solution secures the computer, but it also
    makes the computer useless.

16
What should we do?
  • As 100% security is a myth, what can we do?
  • Although complete security is not possible, a
    level that prevents all but the most determined
    and skilled hackers from accessing the system
    can be reached.
  • Proper security techniques minimize the negative
    effects of hacker activities and may deter most
    hackers.
  • e.g. Network permissions of legitimate users are
    restricted so that users can accomplish their
    tasks but have no more access than necessary. If
    a hacker steals a user's identity, he/she gains
    only the level of access authorized to that user.
    This confines any damage that the hacker may
    cause.
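The least-privilege rule in the last bullet, together with the confidentiality model (who may access what) and the integrity model (how and when) from the earlier slides, can be written down as a deny-by-default access check. This is an added example, not code from the slides; the roles, resources, rights and the business-hours window on writes are constructed for illustration.

```python
"""Least-privilege, deny-by-default access control (added example, not from the slides).

A role is granted only the (resource, operation) rights needed for the job,
and some rights are further limited to a time window. A stolen identity
therefore yields exactly that role's rights and nothing more.
"""
from dataclasses import dataclass


def _minutes(hhmm: str) -> int:
    """Convert "HH:MM" to minutes since midnight so "9:30" and "09:30" compare equal."""
    hh, mm = hhmm.split(":")
    return int(hh) * 60 + int(mm)


@dataclass(frozen=True)
class Right:
    resource: str
    operation: str          # "read" or "write"
    start: str = "00:00"    # earliest time of day the right may be used
    end: str = "23:59"      # latest time of day the right may be used


# Constructed sample policy (hypothetical roles and resources).
# Confidentiality model: who may access what (resource + operation).
# Integrity model: additionally how/when, here a business-hours window on clerk writes.
POLICY = {
    "clerk": {
        Right("transactions", "read"),
        Right("transactions", "write", "09:00", "18:00"),
    },
    "analyst": {
        Right("transactions", "read"),
        Right("client_info", "read"),
    },
    "admin": {
        Right("transactions", "read"), Right("transactions", "write"),
        Right("client_info", "read"), Right("client_info", "write"),
        Right("dev_plan", "read"), Right("dev_plan", "write"),
    },
}

AUDIT_LOG = []   # every decision is recorded, so misuse of an identity is visible later


def is_allowed(role: str, resource: str, operation: str, now: str) -> bool:
    """Deny unless an explicit right covers this request at this time of day."""
    t = _minutes(now)
    decision = any(
        r.resource == resource
        and r.operation == operation
        and _minutes(r.start) <= t <= _minutes(r.end)
        for r in POLICY.get(role, set())     # unknown role -> no rights -> deny
    )
    AUDIT_LOG.append((role, resource, operation, now, decision))
    return decision


def blast_radius(role: str) -> dict:
    """The most an attacker holding this identity could read or write."""
    rights = POLICY.get(role, set())
    return {
        "read": sorted({r.resource for r in rights if r.operation == "read"}),
        "write": sorted({r.resource for r in rights if r.operation == "write"}),
    }


if __name__ == "__main__":
    # A stolen clerk identity can write transactions during business hours only
    # and never reaches client_info or dev_plan.
    print(is_allowed("clerk", "transactions", "write", "10:30"))   # True
    print(is_allowed("clerk", "transactions", "write", "22:00"))   # False
    print(is_allowed("clerk", "dev_plan", "read", "10:30"))        # False
    print(blast_radius("clerk"))
    print(blast_radius("admin"))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of `blast_radius` is the planning view: comparing it across roles shows how much a compromised account of each kind could expose, which is what the slide means by confining the damage; the audit log is the "informative" property from the security-plan slide, since every denied request is evidence of either a misconfiguration or an identity being misused.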

17
Developing a Security Plan
  • Flexible
  • A security plan must be able to be modified
    quickly and efficiently to reflect changes in
    the company's direction
  • Scalable
  • A scalable security plan allows the security
    infrastructure to grow as the company grows.
  • Easy to use
  • If security is too difficult and cumbersome for
    users, they will find ways around it.
  • Informative
  • A good security plan provides a means for
    alerting and reporting, and the reporting needs
    to be detailed and timely.

18
What Are We Trying to Protect
19
Types of Attackers
  • Hacker
  • "Hacker" is currently synonymous with malicious
    intent when breaking into a system NOT TRUE!!!
  • The original definition of hacker is someone that
    is very knowledgeable and curious about computers
  • Cracker
  • Crackers are hackers with malicious intent
  • Crackers often make their attacks personal,
    defacing Web sites, creating denial-of-service
    attacks, and corrupting data belonging to
    companies they do not like.

20
Types of Attackers (cont'd)
  • Script Kiddies
  • The lowest form of cracker, they do mischief with
    scripts and rootkits written by others, often
    without understanding the exploit they are using.
  • Script kiddies are generally young males with not
    much knowledge, but a lot of time on their hands.
    Usually very noisy - bragging about their attacks
    in newsgroups - and easy to catch.
  • The most common attacker you come across
  • Malicious Insiders
  • The biggest threat to your company's security
    comes from the inside, which most companies
    overlook.
  • Keeping employees informed, educated, and
    involved is the best way to prevent these attacks.

21
Types of Attackers (cont'd)
  • Industrial Espionage (Spy)
  • Industrial espionage is a rapidly growing
    Internet business.
  • Highly skilled and well paid, so difficult to
    catch
  • The best defense is to implement a well-planned,
    effective security infrastructure

22
Security Standards (ISO 7498-2)
  • The International Standards Organization (ISO)
    developed document 7498-2, "Information
    Processing Systems - Open Systems Interconnection
    - Basic Reference Model - Part 2: Security
    Architecture".
  • The document describes security architecture
    concepts such as security services and security
    mechanisms.
  • It also outlines how security services can be
    placed in the OSI reference model.

23
Security Standards (ISO 7498-2) Security Services
  • The ISO 7498-2 document further defines several
    security services.

24
Security Standards (ISO 7498-2) Security
Mechanisms
  • A security mechanism is a technology, whether it
    is software or a procedure, that implements one
    or more security services. The main security
    mechanisms are
  • Encryption
  • Digital signatures
  • Access control
  • Data integrity checks
  • Authentication exchange
  • Traffic padding
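Of the mechanisms listed, a data integrity check is the easiest to show in a few lines, and it illustrates why the choice of mechanism matters: a plain hash appended to a record only catches accidental corruption, because whoever altered the record can recompute the hash, whereas a keyed MAC (HMAC) cannot be recomputed without the key. This is an added example, not code from the slides; the key and the sample record are constructed.

```python
"""Data integrity check: unkeyed hash versus keyed MAC (added example, not from the slides)."""
import hashlib
import hmac

SEP = b"|"

# Constructed demo key. A real deployment generates this randomly and keeps it secret.
KEY = b"constructed-demo-key-not-for-real-use"


def protect_unkeyed(message: bytes) -> bytes:
    """Append a plain SHA-256 digest: detects accidental corruption only."""
    return message + SEP + hashlib.sha256(message).hexdigest().encode()


def verify_unkeyed(blob: bytes) -> bool:
    message, _, digest = blob.rpartition(SEP)
    expected = hashlib.sha256(message).hexdigest().encode()
    return hmac.compare_digest(expected, digest)


def protect_keyed(message: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag: detects modification by anyone without the key."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + SEP + tag


def verify_keyed(blob: bytes, key: bytes) -> bool:
    message, _, tag = blob.rpartition(SEP)
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison, so timing does not reveal how many leading bytes matched.
    return hmac.compare_digest(expected, tag)


def modified_in_transit(blob: bytes, new_message: bytes, can_recompute_hash: bool) -> bytes:
    """Model a record altered on the way to the verifier.

    With an unkeyed hash the alterer simply recomputes the digest for the new
    content; with a MAC they lack the key, so the old tag is all they can attach.
    """
    if can_recompute_hash:
        return protect_unkeyed(new_message)
    _, _, old_tag = blob.rpartition(SEP)
    return new_message + SEP + old_tag


if __name__ == "__main__":
    record = b"amount=100;to=acct-42"      # constructed sample record
    altered = b"amount=9999;to=acct-42"
    # Unkeyed: the altered record still verifies, so the change goes unnoticed.
    print(verify_unkeyed(modified_in_transit(protect_unkeyed(record), altered, True)))    # True
    # Keyed: the old tag does not match the altered record, so the change is caught.
    print(verify_keyed(modified_in_transit(protect_keyed(record, KEY), altered, False), KEY))  # False
```

The same distinction is why the slide lists digital signatures separately from integrity checks: an HMAC proves the record was produced by someone holding the shared key, while a signature additionally lets a third party verify origin without that key, which is what non-repudiation on the earlier slide requires.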

25
Security Standards (BS7799)
  • British Standard 7799
  • Provides a series of mandatory controls that a
    company must successfully implement before
    obtaining certification.
  • Divided into 10 Areas
  • Information security policy
  • Security organization
  • Assets classification and control
  • Personnel security
  • Physical and environmental security
  • Computer and network management
  • System access control
  • System development and maintenance
  • Business continuity planning
  • Compliance

26
Security Standards (Orange Book)
  • The US government released a series of standards
    defining a common set of security levels. These
    standards were released in a series of books with
    different colored covers, commonly called the
    "Rainbow Series".
  • Particularly important was the "Orange Book", for
    it defines a series of standards, which begin
    with D (the lowest level) and continue through A1
    (the most secure). Unfortunately these standards
    have suffered from a few problems.
  • One of the problems is age: changes in the
    capabilities of computers create gaps that become
    more significant over time.

27
Security Standards (TTAP)
  • The Orange Book was designed specifically for
    government entities. Hence, the National Security
    Agency (NSA) and the National Institute of
    Standards and Technology (NIST) jointly released
    a new series of standards called the Trust
    Technology Assessment Program (TTAP).
  • TTAP defines seven security levels, beginning
    with Evaluation Assurance Level (EAL) 1 (lowest)
    and continuing through EAL7 (the most secure).
  • To combat problems of long delays in evaluation,
    the NSA and NIST certify third parties to
    conduct evaluations. Although still in its early
    development, TTAP shows promise of helping in
    industry-wide security standardization.

28
Security Standards (The Common Criteria)
  • A series of documents and procedures developed by
    an international consortium.
  • Parties involved in the Common Criteria
  • Communications-electronics Security Group (Great
    Britain)
  • National Institute of Standards and Technology
    (United States)
  • Communications Security Establishment
    Organization (Canada)
  • Service Central de la Sécurité des Systèmes
    d'Information (France).

29
Security Organizations
  • SANS Institute
  • www.sans.org
  • A research and education organization focused on
    sharing the lessons and skills learned by its
    government, corporate, and educational entity
    members.
  • Computer Security Institute
  • www.gocsi.com
  • Warning Services
  • E.g. www.securityfocus.com, www.ntbugtraq.com

30
Security Professional Certification
  • Certified Information System Security
    Professional (CISSP)
  • provided by (ISC)2 (www.isc2.org) to a person who
    has 3 years of work related to information
    systems security, performed as a practitioner,
    auditor, consultant, vendor, investigator, or
    instructor, and who has successfully passed an
    exam and supports a code of ethics.
  • Exam topics include policy, standards, legal
    issues, risk management and business continuity
    planning, computer architecture and system
    security, access control, cryptography, physical
    security, operations security, application
    security, and communications security.
  • Re-certification is granted every 3 years after
    an individual earns 120 continuing education
    credits, which can be earned through activities
    such as courses, conference attendance,
    publications, and service on professional
    security boards

31
Security Professional Certification (cont'd)
  • Certified Information Systems Auditor (CISA)
  • The Information Systems Audit and Control
    Association (ISACA) (www.isaca.org) provides the
    CISA certification to individuals with 5 years of
    experience in information systems audit, control,
    and security (some academic work may be
    substituted for experience), who successfully
    pass an exam, and who support a code of ethics.
  • The exam is based on job analysis of tasks
    performed by information systems audit, control,
    and security professionals. Topics on information
    systems include audit standards and practices,
    organization / management, process, integrity /
    confidentiality / availability, and development /
    acquisition / maintenance.
  • Re-certification is granted every 3 years after a
    person earns 120 continuing education credits.

32
Security Professional Certification (cont'd)
  • Certified Information Security Manager (CISM)
  • Certification for information security managers
    awarded by the Information Systems Audit and
    Control Association (ISACA) (www.isaca.org).
    Individuals must pass a written examination and
    have at least 5 years of information security
    experience with a minimum 3 years of information
    security management work experience in particular
    fields.
  • It requires demonstrated knowledge in 5
    functional areas of information security:
    governance, risk management, program
    development, program management, and incident
    management
  • Re-certification is granted every 3 years after a
    person earns 120 continuing education credits.

33
Security Professional Certification (cont'd)
  • CIW Security Professional
  • To become certified as a CIW Security
    Professional, students must pass the Foundations
    (1D0-410), and Security Professional (1D0-470)
    exams. Passing the Server Administrator (1D0-450)
    and Internetworking Professional (1D0-460) exams
    in addition will earn you the Master CIW
    Administrator designation.

34
Layered Approach
  • What this approach accomplishes is to develop a
    layered security posture, or defense-in-depth.
  • Advantages
  • If one layer is breached, you have multiple
    layers beneath it to continue protecting your
    valuable assets.
  • Example
  • If an attacker manages to compromise your
    firewall, you still have your IDS and host
    security to protect you from a full network
    compromise. This gives you the opportunity to
    focus your efforts on the firewall issue instead
    of worrying about what other systems have been
    compromised.