Threat Analysis - systematically identify threats and rate seriousness
of each one
Security vs. Cost
Productivity - cost of implementing the security system versus cost of
recreating lost or compromised data
Administration - cost to implement the security system in the first place
versus cost to restore the system
Legal Liability - privacy-based liabilities with system versus privacy-based
liabilities without the system
Stress that Security Benefits Users
Data Security
Keeping Unauthorized People Off
Most break-ins exploit known flaws in software - install all security patches and
bug fixes promptly
Set up user accounts for everyone who needs one
Use secure passwords
Change passwords frequently - require password change on first use
No dictionary words or easy to guess dates or numbers
Passwords should be at least 8 characters long and use punctuation, numbers,
and/or different case characters
Impersonation - usernames and passwords obtained through packet snooping
via a sniffer program
Password crackers - attempt to recover passwords from a stolen password file by
hashing guesses (dictionary words, common patterns) and comparing the results
with the stored hashes; nothing is "decrypted", the guessing just has to be cheap
Sharing passwords is a violation of PA state law!
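Added example (not from the original lecture): the password policy above as a check function, next to the offline dictionary attack that a password cracker actually performs. The wordlist, the users and their passwords are constructed sample data; the hash (salted SHA-256) is an assumption standing in for whatever the operating system uses.

```python
import hashlib
import os

# Constructed stand-in for a real wordlist (entries are assumptions).
WORDLIST = ["password", "letmein", "welcome", "summer", "qwerty", "football"]


def meets_policy(pw: str) -> bool:
    """Lecture policy: 8+ characters, not a dictionary word (trailing digits or
    punctuation stripped before the check), and at least two character classes."""
    base = pw.lower().rstrip("0123456789!@#$%^&*.-_")
    if len(pw) < 8 or base in WORDLIST:
        return False
    classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
               + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))
    return classes >= 2


def hash_password(pw: str, salt: bytes) -> str:
    """Stored form: one-way hash of salt + password. The password itself is never
    stored, so a cracker cannot 'decrypt' it; it can only guess and compare."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def make_entry(pw: str):
    salt = os.urandom(8)            # per-user salt defeats precomputed hash tables
    return salt, hash_password(pw, salt)


# Constructed sample password file: user -> (salt, hash).
SHADOW = {
    "alice": make_entry("letmein"),            # dictionary word, too short
    "bob": make_entry("Summer99"),             # 8 chars, mixed classes, still word + digits
    "carol": make_entry("Tr0ut-sandwich!2"),   # passes the policy
}


def candidates(wordlist):
    """Dictionary words plus the trivial mutations crackers try first."""
    for w in wordlist:
        for stem in (w, w.capitalize()):
            yield stem
            for suffix in ("1", "123", "99", "!"):
                yield stem + suffix


def crack(stored: dict, guesses) -> dict:
    """Offline dictionary attack: hash every guess under each user's salt."""
    guesses = list(guesses)
    found = {}
    for user, (salt, digest) in stored.items():
        for guess in guesses:
            if hash_password(guess, salt) == digest:
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    cracked = crack(SHADOW, candidates(WORDLIST))
    for user in SHADOW:
        print(user, "cracked:" if user in cracked else "not cracked", cracked.get(user, ""))
```

Note that "Summer99" satisfies the length and character-class rules yet falls in under a second: the dictionary-word rule is the one that matters, and the salt only stops an attacker from reusing one set of hashes across all users.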
Limiting authorized people to specific resources
NT/2000 - set rights and permissions for individual users and groups
Individuals are assigned to one or more groups
Novell - rights set for organizational units (OU's)
Individuals are assigned to a single OU at a time
Home Directories - each individual may be assigned a private directory
on the LAN server in which personal files may be stored and (hopefully)
backed up
Shared Files
Each individual may have a "public" directory which other users may access;
owner has read/write access while everyone else has read-only access
Common Directories - individuals within a group or organizational unit
may be assigned a shared "common" directory in which all members have read/write
access
Applications and System Files - stored on secured areas on the server;
only the system administrator has write access to these areas
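Added example (not part of the lecture): the home/public/common/applications layout above expressed as Unix directory modes, built in a temporary directory and then audited. The directory names and the exact mode bits are assumptions; the point is that each area's mode is set explicitly and re-checked, rather than left to whatever umask the creating process had.

```python
import os
import stat
import tempfile

# Intended modes for the layout (owner / group / other). Names are assumptions.
MODES = {
    "home": 0o700,     # private: owner only
    "public": 0o755,   # owner read/write, everyone else read-only
    "common": 0o2770,  # group read/write, no outside access; setgid so new
                       # files inherit the group rather than the creator's group
    "apps": 0o755,     # applications/system files: only the owner (admin) writes
}


def build_layout(root: str) -> dict:
    """Create the directories under root and apply the modes explicitly
    (chmod after mkdir, so the process umask cannot alter the result)."""
    paths = {}
    for name, mode in MODES.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
        paths[name] = path
    return paths


def check_layout(paths: dict) -> dict:
    """Audit: does each directory still carry its intended mode bits?"""
    return {name: stat.S_IMODE(os.stat(p).st_mode) == MODES[name]
            for name, p in paths.items()}


def world_writable(paths: dict) -> list:
    """Directories anyone on the server may write to - always worth flagging."""
    return [name for name, p in paths.items() if os.stat(p).st_mode & stat.S_IWOTH]


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="lanshare-")
    paths = build_layout(root)
    return {"check": check_layout(paths), "world_writable": world_writable(paths)}


if __name__ == "__main__":
    print(demo())
```

Running check_layout periodically (or after every restore from backup, which often resets modes) catches the common mistake of a "public" directory that has drifted to world-writable.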
Public Key Infrastructure
Information flowing between two systems is encrypted with the recipient's
Public key, which is obtained from the recipient directly (published, or mailed
to the person doing the encrypting) or from the databases of various
"Certificate Authorities".
Once encrypted, the only way to decrypt the information is with the corresponding
Private key, which never leaves the recipient.
The two most widely used e-mail encryption standards (S/MIME and PGP) are incompatible:
S/MIME uses certificates in the International Telecommunication Union (ITU)
X.509 format issued by a Certificate Authority, while PGP uses its own key
format, with trust established between users directly.
Both were subject to U.S. export controls on cryptography at the time, so
encrypted messages sent out of the country were problematic.
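Added example (not from the lecture) of the public/private key principle described above, using textbook RSA with two small primes so the arithmetic is visible. The primes, the exponent and the byte-at-a-time encryption are assumptions for illustration: real systems use keys of 2048 bits or more, pad the message, and encrypt a random symmetric key rather than the data itself.

```python
import hashlib

# Toy parameters (assumptions): small primes so the numbers stay readable.
P, Q = 1000003, 999983
E = 65537


def keygen(p=P, q=Q, e=E):
    """Public key (n, e) may be published; private key (n, d) stays with the owner."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(pub, msg: bytes) -> list:
    """Anyone holding the public key can encrypt. Byte-at-a-time here only to
    show the trapdoor; without padding this is trivially guessable in practice."""
    n, e = pub
    return [pow(b, e, n) for b in msg]


def decrypt(priv, blocks: list) -> bytes:
    """Only the private exponent undoes the public operation."""
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)


def sign(priv, msg: bytes) -> int:
    """Digital signature: hash the message, then apply the private key."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(h, d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    """Anyone with the public key can check the signature; nobody else could
    have produced it without d."""
    n, e = pub
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(sig, e, n) == h


if __name__ == "__main__":
    pub, priv = keygen()
    ct = encrypt(pub, b"meet at noon")
    print(decrypt(priv, ct))
    print(verify(pub, b"meet at noon", sign(priv, b"meet at noon")))
```

The same key pair serves both directions of the lecture's description: encryption uses the recipient's public key, while a signed message (the way L66 says a public key is usually handed over) uses the sender's private key, and the certificate's job is to bind that public key to a name.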
S/MIME - Secure Multipurpose Internet Mail Extensions
Proposed IETF standard built on the PKCS (Public-Key Cryptography Standards) from RSA Data Security, Inc.
Built into Netscape Messenger and Microsoft Outlook/Outlook Express
Digital certificate (i.e., Digital ID) obtained from a Certificate Authority
(e.g., VeriSign, Inc.). The process of obtaining the certificate also installs
it into Netscape or Internet Explorer on the machine from which the final
steps of the process are run.
Export the certificate for installation elsewhere.
For large-scale use an institution would want to run its own certificate
server.
Before encrypted electronic mail (including attachments) can be sent to
an individual, the public portion of that individual’s certificate must
first be obtained. This is obtained either:
Directly from the individual (via an e-mail message with a digital signature).
By searching the directory of the server through which the certificate was
obtained and/or registered.
Once a given installation of Netscape or Internet Explorer obtains the
public portion of an individual’s certificate, encrypted messages can be
sent to that individual at any time until the expiration date (e.g., 60
days, 1 year) of the certificate.
Assuming that the individual receiving the encrypted mail is on a machine
on which his or her private key is installed, no action is required on
the part of the message receiver to read the message (i.e., decryption
is automatic).
On machines without the private key, the receiver will simply see a box
labeled "Encrypted".
PGP - Pretty Good Privacy
Can be used as a stand-alone application.
Plug-ins available for various mail clients - automate encryption/decryption.
Public/Private key pair is generated by the user; the private key is stored
encrypted under a pass-phrase, which must be entered to decrypt or sign.
SSL - Secure Socket Layer
TLS - Transport Layer Security
Based on Netscape’s Secure Sockets Layer (SSL)
Emerging IETF Standard
SSH - Secure Shell
HTTPS - HTTP carried over SSL/TLS (not the separate Secure HTTP, S-HTTP, proposal)
Authentication Systems
Kerberos
Trusted Authentication and Key Management
Secure communications between network nodes
RADIUS - Remote Authentication Dial-In User Service
Centralized authentication server for a variety of clients
The user first connects to a network access server (NAS), which passes the
credentials to the RADIUS server; the RADIUS server decides whether to
authorize the connection and tells the NAS
Firewalls
Deny access to everything
Explicitly allow permissions that are required
Rules - generic (apply to a range of IP addresses) through specific (apply
to a single IP address)
Virtual Private Networks
Private network running within a public network
Client/Server with authentication and data encryption
Access Point initially will only pass traffic to the authentication server
which then allows other traffic
Authentication server - RADIUS, LDAP, etc.
Threats to Network Security
Device Impersonation
Spoofed packets appear to be valid, causing unwanted behavior within the
network - e.g., multiple DHCP servers - many networks use Dynamic Host
Configuration Protocol (DHCP) to provide hosts with an IP address and an
explicit default router - a client accepts the first offer it receives, so
if a second (rogue) DHCP server appears, hosts may be handed wrong addresses
or a wrong default router and the entire network may stop working
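Added example (not from the lecture): detection logic for the rogue DHCP server case above, run over a constructed log excerpt. The log format is an assumption modelled on a packet-summary listing; the check is to compare every OFFER against the list of authorized servers and the expected default router, and to list the clients that went on to REQUEST from an unauthorized server.

```python
import re

# Constructed log excerpt (assumed format): one DHCP message per line.
LOG = """\
10:15:01 DHCPDISCOVER from 00:aa:bb:cc:dd:01
10:15:01 DHCPOFFER 10.0.0.50 from server 10.0.0.1 router 10.0.0.1
10:15:01 DHCPOFFER 10.0.0.200 from server 10.0.0.77 router 10.0.0.77
10:15:02 DHCPREQUEST 10.0.0.200 from 00:aa:bb:cc:dd:01 server 10.0.0.77
10:15:02 DHCPACK 10.0.0.200 from server 10.0.0.77
10:16:10 DHCPDISCOVER from 00:aa:bb:cc:dd:02
10:16:10 DHCPOFFER 10.0.0.51 from server 10.0.0.1 router 10.0.0.1
10:16:10 DHCPREQUEST 10.0.0.51 from 00:aa:bb:cc:dd:02 server 10.0.0.1
"""

OFFER = re.compile(r"^(\S+) DHCPOFFER (\S+) from server (\S+) router (\S+)$")
REQUEST = re.compile(r"^(\S+) DHCPREQUEST (\S+) from (\S+) server (\S+)$")


def audit(log: str, authorized_servers: set, expected_router: str) -> dict:
    """Flag offers from unknown servers or with an unexpected default router,
    and record which clients actually accepted (REQUESTed) a rogue offer."""
    rogue_servers, bad_router_offers, affected_clients = set(), [], set()
    for line in log.splitlines():
        m = OFFER.match(line)
        if m:
            ts, offered, server, router = m.groups()
            if server not in authorized_servers:
                rogue_servers.add(server)
            if router != expected_router:
                bad_router_offers.append((ts, server, offered, router))
            continue
        m = REQUEST.match(line)
        if m:
            ts, addr, client, server = m.groups()
            if server not in authorized_servers:
                affected_clients.add(client)   # this host now has a bad lease
    return {"rogue_servers": rogue_servers,
            "bad_router_offers": bad_router_offers,
            "affected_clients": affected_clients}


if __name__ == "__main__":
    print(audit(LOG, authorized_servers={"10.0.0.1"}, expected_router="10.0.0.1"))
```

The first client got its lease from 10.0.0.77 simply because that OFFER arrived at the same second as the real one; a rogue server on the same segment usually answers faster than the official one, which is why DHCP snooping on the switch (dropping OFFERs from non-trusted ports) is the usual fix.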
Denial of Service (DoS) Attacks
TCP SYN Flood - the system allocates memory for each half-open connection in a
stream of SYN packets, leaving no room for legitimate connections
Limit number of TCP connections a system will accept
Shorten the time a connection stays half open (i.e., the SYN packet opens
the connection; but the connection is never fully established)
land.c Attack - used to launch DoS attacks against various TCP implementations
- sends a TCP SYN packet with the target host's address as both the source
and destination, causing some systems to hang
Ping Bomb - constant stream of large ICMP (Internet Control Message Protocol)
ECHO request packets exceeds the receiving system's ability to respond
Ping of Death - exploits a fragment-reassembly flaw with oversized ICMP
ECHO request packets - illegal packets (more than 65,507 bytes of data, so the
reassembled packet exceeds the 65,535-byte IP maximum) are sent to a system
which doesn't know how to handle them
SMURF Attack - a large number of ICMP ECHO request packets, with the source
address spoofed to be the victim's, are sent to network broadcast addresses -
every system on each of those networks replies to the victim, amplifying the flood
UDP (User Datagram Protocol) Flood - spoofed UDP packets are used to flood
a target system
Distributed Denial of Service Attack - multiple systems are rigged to simultaneously
send spoofed packets to a host system which tries to respond to the spoofed
address
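Added example (not part of the lecture) for the two SYN-flood countermeasures listed above: a simulation of a server's half-open connection table under constructed traffic (one attacker sending spoofed SYNs that never complete, plus one legitimate client per second that does), run once with a long half-open timeout and once with a short one. The backlog size, rates and timeouts are assumptions.

```python
from collections import OrderedDict


def make_events(attack_rate=20, attack_seconds=20, legit_clients=20):
    """Constructed traffic. Attacker: spoofed SYNs, never acknowledged.
    Legitimate clients: one SYN per second, ACK 0.1 s later."""
    events = []
    for i in range(attack_rate * attack_seconds):
        events.append((i / attack_rate, "syn", f"spoofed-{i}"))
    for k in range(legit_clients):
        events.append((k + 0.52, "syn", f"client-{k}"))
        events.append((k + 0.62, "ack", f"client-{k}"))
    return sorted(events)


def simulate(events, backlog, half_open_timeout):
    """Model of the half-open table: a SYN takes a slot until the handshake
    completes or the entry ages out; a full table refuses new SYNs."""
    table = OrderedDict()   # src -> time its SYN arrived
    stats = {"established": 0, "legit_refused": 0, "expired": 0}
    for now, kind, src in events:
        # Reap entries that have waited longer than the timeout
        for old_src, t0 in list(table.items()):
            if now - t0 >= half_open_timeout:
                del table[old_src]
                stats["expired"] += 1
        if kind == "syn":
            if len(table) >= backlog:
                if src.startswith("client-"):
                    stats["legit_refused"] += 1
                continue                      # dropped, no memory allocated
            table[src] = now
        elif kind == "ack" and src in table:
            del table[src]
            stats["established"] += 1
    return stats


if __name__ == "__main__":
    events = make_events()
    print("75 s timeout:", simulate(events, backlog=128, half_open_timeout=75))
    print(" 3 s timeout:", simulate(events, backlog=128, half_open_timeout=3))
```

With the long timeout the attacker fills all 128 slots in under seven seconds and every later client is refused; with the 3-second timeout the attacker can hold only about 60 slots at a time, so the same flood never locks anyone out. Shortening the timeout is what buys time; raising the backlog only moves the point at which the table fills.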
Physical Security
Kids at Play!
Secure Everything Possible
Hubs, Routers, etc. - in locked closets
Servers - in climate controlled (at least somewhat) rooms
Viruses/Worms
Malicious Code - self-replicating viruses that attach themselves to another program,
worms that spread themselves across the network, Trojan Horse "payloads", logic bombs
Always keep backup copies of your data files (e.g., term paper files, spreadsheets,
etc.).
Always run up-to-date virus detection software
Never open executable e-mail attachments (especially from someone
you do not know)!
Enable Macro Virus Protection in all software utilizing macros (e.g., Microsoft
Word, Excel).
Web Browsers - allow easy downloads of malicious software; only download
from reputable sites
Macro Viruses
Melissa - once infected via a Word macro, uses Microsoft Outlook to mail
itself (along with the most recently open Word document) to the first 50
names in each address book
Subject: Important Message From (your name here)
Text: Here is the document you asked for ...
ColdApe - macro virus which infects Visual Basic script files and continues
infecting all files as they are used even if the original macro is cleaned
up
Worms
Happy99 - displays fireworks on screen and attaches itself to various system
files - attaches itself to all messages sent from infected machine
Windows ExploreZip.worm - malicious worm sends itself as the e-mail attachment
zipped_files.exe with a personalized message - if executed, the program deletes
all Word, Excel and PowerPoint files
Trojan Programs
NetBus, Back Orifice - client/server software which allows others to control
your computer - server portion can be attached to games or stand-alone
executables - once infected, anyone with the client software can control
the infected machine
BuddyList, PennyTools, W95 Trojan.Cool - AOL password stealing programs
which mail the passwords to various accounts (e.g., xyz@Hotmail.com)
Program Viruses
CIH/Chernobyl - infects executable files as opened - some strains activate
April 26th, some on June 26th and some on 26th of every month - if activated,
virus wipes hard drive and tries to flash BIOS
W32/KRIZ.3862 - polymorphic virus attempts to erase the computer’s CMOS
and disk when an infected file is run on December 25 - attempts to flash
BIOS