Chapter 11 Data Security

MIS 430 Chapter 11

Network Security

Mgt Focus 11-1: Western Union
9/2000: hacker broke into Western Union and stole 15,700 credit card numbers
Caused by human error: left file unprotected after web site revision
Routine security audit discovered break-in and site was shut down (5 days lost)
Cost over $1M!

I. Introduction
Some Threats (see fig 11-2 p. 358)
  Data Center …
  Hardware
    Protection failure, destruction
  Software
    Unauthorized access, copying, modification, destroy, theft
    Errors and Omissions
  Files
    Unauthorized access, copy, modify, destroy, theft
  Offline input/output
    Disaster, vandalism, fraud/theft/extortion, errors and omissions

Intro, contd.
More Threats …
  Organization
    Inadequate functional separation, lack of security responsibility
  Personnel
    Dishonesty, gross error, incompetence
  Physical Security
    Unauthorized access, inadequate safety, transportation exposure
  External people
    Disaster, vandalism, fraud/theft/extortion
  Data communications circuit
    Network unavailable, illegal access, lost messages

Intro, contd.
More threats..
  Client Users
    Masquerading, authorization bypass, unauthorized input/output, manipulation
Avg loss: $1 M but is tip of the iceberg
  Loss of consumer confidence costs much more than lost business!
  But business disruption due to lost applications is even more costly!!
  Bank of America says $50M loss if down 24 hours

Types of Threats
Disruptions: loss or reduction of network services
  Loss of circuits
  Loss of data
  Disasters that affect equipment
Unauthorized Access
  Mostly employees, not hackers!
  CERT: Computer Emergency Response Team from Carnegie Mellon University http://www.cert.org/
  ISU loss of 10,000 social security numbers

Network Controls
Control: mechanism to reduce or eliminate threats to network security
Types of Controls
  Prevention: stop act from occurring
  Detection: reveal unwanted events
  Correction: remedy unwanted event
Important: someone must be responsible for controls and security, including updates and making sure they are implemented ok.

Tech Focus 11-1 (p. 361)
Less complex is better
Control’s cost is equivalent to risk
Preventing is better than detecting and correcting!
Adequate: just enough to protect the network
Automated controls better than manual!
Controls apply to all!
Document overrides; overrides need controls
Control documents are confidential
Names, uses, & locations of network HW are private information
Controls ensure network can be audited
Assume a hostile environment

Tech Focus, contd
Convey an image of high security by education & training
Controls provide separation of duties
Implement entrapment to ID bad guys
When control fails, network defaults to tight security: deny access
Controls still work when only one part of network fails
Don’t forget the LAN! Central mgrs often just worry about the WAN
Always assume your opponent is smarter than you are
Always have insurance in case a control fails

II. Risk Assessment
Assign levels of risk to various threats
  Compare nature of threats to controls
  OCTAVE method http://www.cert.org/octave/
Control spreadsheet (fig 11-3, p. 362)
  Assets (something of value) with priority in parentheses
  Threats in categories
  Center includes controls now in use

Types of Assets (fig 11.4)
Hardware: servers, client computers, network devices (hubs, routers, switches)
Circuits: LANs, BNs, contracted MAN and WAN circuits, Internet access circuits
Network SW: server NOS, applications such as mail server, web server
Client SW: OS, applications like Word, etc
Organizational data: DBs
Mission-Critical Apps: depends on organization

Threat Likelihoods (fig 11.5)
Virus: 85%
Internet Hacker: 70%
Device Failure: 68%
Denial of Service (DoS): 60%
Theft of Equipment: 44%
Natural Disaster: 28%
Theft of Information: 9%
Fraud: 3%
From Insiders: 70%
From Outsiders: 25%

Identify the Controls
After spreadsheet (assets, threats) is done, work on the controls (see fig. 11-6 p. 366)
Disaster recovery plan: business continuity plan
Halon fire system in machine room; sprinklers
Not below ground level (beware of floods: Chicago)
UPS on major servers
Contract guarantees from interexchange carriers
Extra backbone fiber cable laid in different conduits
Virus checking software present on network
Extensive user training about viruses
Strong password software
Extensive user training about PW security
Application layer firewall

Evaluate Network’s Security
Evaluate adequacy of existing controls as it relates to each threat
  Do by an independent Delphi team who makes the final decision
  3-9 members
  Therefore implement quickly

Mgt Focus 11-2: Microsoft I
Microsoft’s web sites 3rd most visited
All down for 22 hours in Jan 2001 due to a technician’s error:
  MS placed all 4 of its DNS servers on same network segment
  Tech loaded incorrect routing table information into routers, and nobody could reach any DNS servers
  Had any one been on a different segment, no trouble!
MS lost $4M in ad revenue during 22 hours
More lost on sites like Expedia that sell services

Mgt Focus 11-3: World Trade Center Disaster Recovery
TradeWeb HQ on 51st floor: destroyed!
  Changed DNS entry to refer to London office to get back on the web
  Rebuilding database took longer
Allstate: lost NYC data center (but had a plan)
  No network: onslaught of claims!
  Had 25 LAN in-a-box dial-up network kits from office LAN to headquarters; needed 24 more
  Remaining offices back up in 4 days

III. Controlling DDD: Prevention
Use redundant hardware
  UPS (American Power Conversion www.apc.com)
  Fault tolerant server
  Disk mirroring and RAID 1, 5 (not RAID 0)
Prevent natural disaster
  Avoid basement rooms near rivers and oceans
  State Farm data center: 6 foot thick SW walls: tornado
  Install Halon fire prevention system (but phase out) http://www.epa.gov/ozone/snap/fire/qa.html
Decentralize network resources: multiple servers, data centers, even different parts of the country

Prevention Controls
Preventing Theft ($1B stolen annually)
  Physical security methods for data center
  Use security cables to attach HW to desks
  Private security guards
  Keep certain key network locations secret
Preventing viruses
  Protect both servers and clients!
  Macro viruses account for 75% of viruses
  Use anti-virus software; keep it current weekly

Mgt Focus 11-4: NIMDA!
9-18-2001: NIMDA virus swept through Windows servers around the world
  Attached to email message; emailed to others in Outlook address book
  Also spread by servers, shared drives
  Could get it through a browser click (JavaScript)
Patches developed but it came back as variants. Ask me about my !@@!# servers
5 months later, still the most common attack – it was an attack suite: well written, tested

Prevention Controls
Preventing Denial of Service Attacks
  Hacker floods network with messages so that server cannot handle normal workload
  Hackers use false IP addresses (IP spoofing)
  Distributed DoS attack is more disruptive – hacker controls many machines that all attack simultaneously
  Can set up several servers around the world (like Microsoft has done)

Tech Focus 11-2: DoS Attack
Smurf attacks: flood with Ping ICMP requests
Fraggle attacks: similar to smurf but uses UDP echo requests
TCP SYN floods: request to establish TCP connection
UNIX process table attacks: like TCP SYN
Finger of death attacks: flood with finger requests
DNS Recursion Attacks: spoof the from address to be within the organization

Mgt Focus 11-5: Microsoft Part 2
DDoS attack 1/2001 caused MS to redesign networks
  Hacker gained control of a large number of computers, implanting DDoS software
  SW targeted MS DNS servers, not web or mail
  By focusing on routers on the segment containing the DNS servers, brought net to a crawl
Put 4 DNS servers on separate network segments
MS contracted with Akamai.com to hold most popular web pages around the world
  Pages served from Akamai server closest to customer, reducing response time and providing redundancy

Controlling DDD: Detecting
Network management software should notify management of problems
  Can send alerts via email or even to pagers
  Major problems easier to detect than minor
Network should log performance data which can be compared to current performance
Caterpillar bulldozer agent: avoid any unplanned downtime
  Software agents and sniffers look for out of bound measurements
  Contact the command center to report possible trouble

Controlling DDD: Correcting
Disaster Recovery Plan
  Remember United DC-10 that lost hydraulics and crash-landed in Iowa city? Iowa City’s DRP helped save lives!
Provides various levels of response to a number of possible disasters
See fig 11-7 p. 373 for elements of DRP
  Managers (2), staff duties, priorities for what done first, locations of spares, data comm recovery, manual procedures, testing methods, backups, actions for certain scenarios

Controlling DDD: Correcting
Disaster Recovery Plans
  Good backups don’t mean data can be used!
  Disaster Recovery Drills important
  Two levels: internal redundancy, outsourced DR service
    Cold site: storage of data and applications
    Hot site: dedicated equipment that is ready to run your applications seamlessly
  http://www.disasterrecoveryworld.com/ for checklists, etc.
  Disaster Recovery Journal http://www.drj.com/

IV. Controlling Access
Unauthorized access is 2nd main problem
Types of intruders
  Casual hackers w/ limited knowledge of computers they encounter (script kiddies)
  Experts in security but enjoy the challenge (crackers)
  Professional hackers who break in for specific purpose (most dangerous kind)
  Organization employees with legitimate access who gain access to information they are not authorized to use (most common kind of security breach)

Preventing Unauthorized Access
Be proactive! Routinely test security before the intruder does
Don’t keep extremely sensitive data online
  Store in networks that are isolated from other networks
Security Policy: define important assets and the policies to access them; see fig 11-8 p. 376
  Manager, incident reporting system, risk assessment with priorities, effective controls at major access points, use min # of controls to reduce inconvenience, acceptable use policy, procedure to monitor changes to network devices, routine training plan for users, routine test plan, annual security audit

Security Policy
Security policy should define what employees should and should not do
Password policies: don’t post, don’t tell, change frequently, minimum length, cannot reuse previous password
  Use combinations of letters and numbers
  Use upper and lower case: go4iT
  See next slide for more hints
Apply different controls to different data items

Mgt Focus 11-10: Passwords
A good password is easy to remember, hard to guess
  Don’t use birthdays, anniversaries, pet names, family names: can guess easily
  At least 7 characters; change at least every 90 days; include numbers and some capital letters
  Hot apple pie with ice cream and cheese: haPwicAc
ISU policy: www.indstate.edu/adminaff/handbook/SectionV.pdf p. 14
  Change system PW every 90 days, user PW every 180 days
  Don’t use same password for non-ISU accounts!
  Don’t put PW in (plain text) email
  Use strong passwords: >=8 char, not in dictionary, use upper and lower case characters, have a punctuation symbol, not based on personal or family information
  Don’t write it down anywhere or share it
  Use pass phrase for public key encryption

User Profiles
Specifies for user what data and network
  What resources can they access
  How they can access it (R, W, C, D)
  When can they access the resources (days, times, locations)
  How many incorrect log-ins are permitted?
Group profiles: shared permissions

Physical Security
Biometrics: finger prints, hand geometry, face geometry, iris prints, retina scans
Smart cards: embedded microprocessor with a clock that constantly changes PWs
Computer locks: hardware, software PWs
Hide cables behind walls and ceilings
Alarm systems
  USAF uses pressurized cables that show a break-in and sound an alarm
Locked wiring closets for routers, hubs, etc.

Dial-In Security
This is a major security risk!
Change phone numbers periodically
Change dial-up PW periodically
  One-time PWs
  Use smart card PW
Require call backs to designated place
Use embedded ID chip in computer that dials
Use VPNs – encrypted sessions

Firewalls
Sits between network and the outside world
  HW (router) or SW varieties of firewalls
Examines packets as they enter/leave the network
  Packet-level firewall (examines source and destination IP addresses of each packet)
  Application-level firewall (intermediate host that authenticates: more complex)
IP Spoofing: hacker changes actual source IP address to a “good” one that is not stopped

Tech Focus 11-4: Packet Level Firewalls
Could delete any packets coming from a different subnet or different network
Could delete packets from certain IPs
Could keep certain types of packets from reaching the network (FTP, Telnet, etc)
Software is constantly updated
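
One way to express the filtering options above as a rule table, added here as an example and not taken from the slides or the textbook. The addresses (documentation ranges), the port lists and the function name are assumptions; packets that match no rule are dropped, following the earlier "defaults to tight security: deny access" point.

```python
"""Packet-level filter with default deny (illustrative sketch)."""
from ipaddress import ip_address, ip_network

# All values below are constructed for the example.
INSIDE_NET = ip_network("203.0.113.0/24")        # assumed organization network
BLOCKED_SOURCES = {ip_address("198.51.100.7")}   # "certain IPs" to delete
BLOCKED_PORTS = {21: "FTP", 23: "Telnet"}        # packet types kept out
ALLOWED_PORTS = {25, 80, 443}                    # assumed published services


def filter_packet(iface: str, src: str, dst: str, dst_port: int) -> tuple:
    """Return (action, reason) for one packet; iface is 'outside' or 'inside'."""
    s, d = ip_address(src), ip_address(dst)
    if iface == "outside":
        # A packet arriving from outside cannot legitimately carry an inside
        # source address: this is the "good" address used in IP spoofing.
        if s in INSIDE_NET:
            return ("drop", "spoofed inside source")
        if s in BLOCKED_SOURCES:
            return ("drop", "blocked source")
        if dst_port in BLOCKED_PORTS:
            return ("drop", BLOCKED_PORTS[dst_port] + " not allowed in")
        if d in INSIDE_NET and dst_port in ALLOWED_PORTS:
            return ("accept", "published service")
        return ("drop", "default deny")
    if iface == "inside":
        # Egress check: only our own addresses may leave as sources.
        if s not in INSIDE_NET:
            return ("drop", "foreign source leaving network")
        return ("accept", "inside host")
    # Unknown interface: fail closed.
    return ("drop", "default deny")


def demo():
    """Run the filter over a few constructed packets."""
    packets = [
        ("outside", "203.0.113.9", "203.0.113.20", 80),    # spoofed source
        ("outside", "198.51.100.7", "203.0.113.20", 80),   # blocked IP
        ("outside", "192.0.2.5", "203.0.113.20", 23),      # Telnet
        ("outside", "192.0.2.5", "203.0.113.20", 443),     # allowed service
        ("outside", "192.0.2.5", "203.0.113.20", 8080),    # no rule matches
        ("inside", "10.9.9.9", "192.0.2.5", 80),           # foreign source
    ]
    return [filter_packet(*p) for p in packets]


if __name__ == "__main__":
    for result in demo():
        print(result)
```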

NAT: Network Address Translation (previously covered)
This is cool: you can share 1 IP address across several computers on network
  Translates between set of private IP addresses inside network and outside proxy IP addresses
  Ex: outside IP is 139.102.180.36. Inside IP addresses are 192.168.1.1 through 192.168.1.5 (local, private IP addresses)
  Could also use 10.X.X.X IP range
NAT device (proxy server) has two NICs – one inside and the other outside the firewall

More NAT
When inside client makes a request, its IP address and a unique port number are placed in the packet, then packet is sent to server
Server remembers that port number, replaces the internal IP address with the outside IP address, then sends it along to Internet
When return packet appears, it contains unique port number; server substitutes inside IP address for the computer with that port, passes it to inside network
Slower, but very nice to share one IP address!!
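
The translation steps above as a small port-mapping table, added here as an example and not taken from the slides. It uses the slides' addresses (outside 139.102.180.36, inside 192.168.1.x); the class and function names, the starting port 40000 and the remote server 203.0.113.10 are assumptions, and the check that a reply comes from the host that was contacted is stricter than the port-only lookup the slide describes.

```python
"""Port-based NAT table (illustrative sketch)."""
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "139.102.180.36"      # outside address from the slide


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Hypothetical NAT box: one outside IP shared by many inside hosts."""

    def __init__(self, outside_ip: str, first_port: int = 40000):
        self.outside_ip = outside_ip
        self.next_port = first_port    # assumed start of the port pool
        self.out_map = {}              # inside flow -> outside port
        self.in_map = {}               # outside port -> inside flow

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside packet so it leaves with the outside IP."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(flow)
        if port is None:               # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.out_map[flow] = port
            self.in_map[port] = flow
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a return packet to its inside host, or drop it (None)."""
        flow = self.in_map.get(pkt.dst_port)
        if flow is None or pkt.dst_ip != self.outside_ip:
            return None                # no mapping: unsolicited traffic
        inside_ip, inside_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                # not the server this flow contacted
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    """Two inside clients using the same source port share one outside IP."""
    nat = NatDevice(OUTSIDE_IP)
    a = nat.outbound(Packet("192.168.1.1", 5000, "203.0.113.10", 80))
    b = nat.outbound(Packet("192.168.1.2", 5000, "203.0.113.10", 80))
    reply = nat.inbound(Packet("203.0.113.10", 80, OUTSIDE_IP, b.src_port))
    stray = nat.inbound(Packet("203.0.113.10", 80, OUTSIDE_IP, 45000))
    return a, b, reply, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```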

DMZ (Demilitarized Zone)
DMZ is the network behind the firewall
  Open a hole in the firewall to some of the computers
  Contains some but not complete security
  Can have better protected internal networks inside the DMZ that are fully protected
Use DMZ for servers that need partial access to/from the outside world

Security Holes
This is a bug that permits unauthorized access: quickly circulates on Internet
  Ex: I left anonymous FTP turned on and left FTP write access on
  This allowed hackers to store huge amounts of MP3 and illegal files in FTP area of server
  Solution: turn off anonymous FTP access, but still allow Write for authenticated FTP sessions
Real Solution: do MS Critical Updates and keep servers and clients current!!!

Encryption History
Germans used Enigma Machine during WW II – we broke the code
  Looked like a typewriter with 3 or 4 code wheels
  We also broke the Japanese code in WW II
US used the Navajo Code Talkers who spoke in their native language – never broken!
Plain text vs. cipher text
  Key needed to “unlock” the cipher text into plain text

Symmetric Encryption
Use mathematical algorithm to disguise
  Symmetric: uses same key to encrypt and decrypt
  Asymmetric: Encrypt and decrypt keys are not same
Good encryption does not require that the algorithm be kept secret, only the keys
DES: Data Encryption Standard
  56-bit key, but was broken in 22 hours using 10,000 PCs distributed over the Internet
  3DES – uses DES 3 times, much harder to break
RC4: up to 256 bit key; still can be broken
  A version of RC4 is available in MS Excel for a file: Tools | Options | Security
  Can set password, assign digital signature

Public Key Encryption
PKI – set of HW, SW, organizations, and policies to make public key encryption work
Two keys, 512 or 1024 bits long!
  Public key is used to encrypt the message
    Will have a different public key for each destination organization
  Private key is used to decrypt the message and is only known to the destination
Could encrypt with private key and decrypt with public key to trace the original sender

Other Encryption
PGP – Pretty Good Privacy
  Freeware public key software where users post their public key on a web page
  Someone sends that user a secret message encrypted by that public key
SSL – Secure Sockets Layer
  Used to encrypt web pages for credit card data
  Creates a public/private key on the fly for the session
  Much slower than regular web page, though!
  Done by the web server hosting the page

More Encryption
IPSec – IP Security Protocol
  Like SSL but focused on more than just Web activities.
  IPSec sits between IP at network layer and TCP/UDP at the transport layer
  Two parties use Internet Key Exchange to decide on encryption technique and public/private keys
  Tunnel mode: IPSec encrypts entire IP packet and encapsulates it in another packet; this cloaks the actual sender and destination. Used with VPN sessions

Detecting Unauthorized Access
IDS: Intrusion Detection System
  Network-based IDS
  Host-based IDS
  Application-based IDS
Techniques
  Misuse detection: compares monitored activities with signatures of known attacks
  Anomaly detection: compares monitored activities with normal set of activities (e.g., flood of Pings, etc)
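
The two techniques side by side, added here as an example and not taken from the slides. The event records, the signatures (one modelled on the anonymous FTP write described under Security Holes), the baseline counts and the threshold of mean plus three standard deviations are all constructed assumptions; the point is that each detector catches what the other misses.

```python
"""Misuse vs. anomaly detection over constructed events (illustrative sketch)."""
from collections import Counter
from statistics import mean, pstdev


def _anon_ftp_write(e):
    return (e["proto"] == "ftp" and e["user"] == "anonymous"
            and e["detail"].startswith("STOR"))


def _telnet_root(e):
    return e["proto"] == "telnet" and e["user"] == "root"


# Misuse detection: named signatures of known-bad activity (constructed).
SIGNATURES = {"anon-ftp-write": _anon_ftp_write, "telnet-root": _telnet_root}

# Anomaly detection: constructed history of pings per minute on a normal day.
BASELINE = [3, 4, 5, 4, 4, 6, 3, 5]


def misuse_alerts(events):
    """Return (minute, signature name, source) for every signature match."""
    return [(e["minute"], name, e["src"])
            for e in events
            for name, matches in SIGNATURES.items() if matches(e)]


def anomaly_alerts(events, baseline, k=3.0):
    """Flag minutes whose ping count exceeds baseline mean + k std devs."""
    threshold = mean(baseline) + k * pstdev(baseline)
    per_minute = Counter(e["minute"] for e in events if e["proto"] == "icmp")
    return sorted((m, n) for m, n in per_minute.items() if n > threshold)


def sample_events():
    """Constructed log: normal pings, one anonymous FTP write, one ping flood."""
    def ev(minute, proto, src, user="", detail=""):
        return {"minute": minute, "proto": proto, "src": src,
                "user": user, "detail": detail}

    events = [ev(m, "icmp", "192.0.2.10", detail="echo-request")
              for m in range(5) for _ in range(4)]       # 4 pings a minute
    events.append(ev(2, "ftp", "198.51.100.7", "anonymous", "STOR album.mp3"))
    events.append(ev(3, "ftp", "192.0.2.44", "jsmith", "STOR report.doc"))
    events += [ev(4, "icmp", "203.0.113.99", detail="echo-request")
               for _ in range(200)]                      # flood in minute 4
    return events


if __name__ == "__main__":
    log = sample_events()
    print("misuse: ", misuse_alerts(log))
    print("anomaly:", anomaly_alerts(log, BASELINE))
```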

Correcting Unauthorized Access
Have a “SWAT” team to call into action
Computer forensics uses computer analysis techniques to gather evidence for criminal prosecution
Criminal law has been slow to keep up with computers and the Internet
Companies use entrapment techniques to bait hackers to a false network (like the fake deer near the highway)
  This special server has sophisticated SW to monitor access and gather evidence for prosecution!
  Called a “honey pot”

For More Information …
Enroll in Dr. Moates’ Computer Security class (MIS 475)
NIST CSRC web page http://csrc.nist.gov/
CERT Coordination Center http://www.cert.org/
Microsoft Security & Privacy site http://www.microsoft.com/security/