Information technology security
Fundamentals of Information Technology, Session 8
Why we need IT security
• Estimated UK losses to cybercrime in 2011 were in the region of £27 billion:
  – £21bn of costs to businesses
  – £2.2bn to government
  – £3.1bn to citizens
• This accounts only for reported crimes; the figure is probably much higher
Why we need IT security
[Charts: UK cybercrime and UK crime, 2009 to 2011]
What is cybercrime?
• Cybercrime is not new crime; it is old crime facilitated by new digital technologies, e.g.
  – Theft
  – Fraud
  – Identity theft
  – Obscene publication
  – Slander
  – Copyright infringement
• Digital technology facilitates these crimes; in many cases, it makes them easier and less risky to carry out
The role of computer networks in cybercrime
• The growth of cybercrime correlates exactly with the proliferation of computer networks, particularly the Internet
• Large public networks, like the Internet, create vulnerabilities which present opportunities for criminals
• Vulnerabilities create the potential to develop new threats. These threats create new risks for organisations, which in turn have potential detrimental impacts on information and/or financial assets
• In response to threats and risks, organisations must seek to adopt a range of protective countermeasures
• These should be set out in an information security management document
Vulnerabilities
• A vulnerability is a point where a system is weak
• In IT systems vulnerabilities exist:
  – At the interface between internal and external networks
  – Along lines of network communication
  – In loopholes in application code
  – Where data is stored
• Vulnerabilities in IT systems arise for several reasons:
  – Human error/carelessness
  – Technical weaknesses
  – Lack of foresight/planning
Threats
• Threats are targeted at vulnerabilities in IT systems
• A threat is a malicious and/or illegal activity conducted by individuals or groups. Common examples of threats are:
  – Hacking
  – Sniffing
  – Malware infection (viruses/worms/trojans)
  – Denial of service attack
  – Phishing
  – Copyright infringement
  – Software piracy
Risks
• Risks are the potential outcomes of threats being carried out against organisations or individuals
• Organisations need to employ risk management techniques to mitigate the likely occurrence and impact of potential threats
Threat                    Risks
Phishing                  Identity theft. Fraud
Hacking                   Loss of sensitive/personal data. Theft. Loss of trust
Virus/Malware infection   Damage to systems. Loss of service
Denial of service         Loss/degradation of service. Loss of revenue and trust
Risk management
• The level of risk associated with a threat can be decided by looking at likelihood and impact
Risk management
• The countermeasures an organisation puts in place will be determined by its attitude to risk. This may be that:
  – No risks are acceptable: all risks, whether low, medium or high, should be treated.
  – Low risks are acceptable: only medium and high risks should be treated.
  – Low and medium risks are acceptable: only high risks should be treated.
• Attitude to risk is generally determined by:
  – Available resources
  – Previous experience of information security breaches
  – The current approach to risk of other organisations in the same sector
  – Legislation or regulation
  – Contractual obligations
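The likelihood/impact scoring and the three attitudes to risk above, worked through as a small risk register. This is an added example, not material from the original slides; the 1 to 3 scoring scale, the threats and the countermeasures in the register are constructed samples.

```python
# Added example (not from the original slides): a small risk register in
# the style of the session, scoring each threat by likelihood x impact and
# letting the organisation's attitude to risk decide what gets treated.
# All threats, scores and countermeasures below are constructed samples.

# Levels each attitude is willing to leave untreated (the slide's three options)
ATTITUDES = {
    "no_risk_acceptable": set(),
    "low_acceptable": {"low"},
    "low_and_medium_acceptable": {"low", "medium"},
}

def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood and impact (each scored 1..3, a hypothetical scale)
    to a low/medium/high level using their product."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be scored 1..3")
    score = likelihood * impact  # 1..9
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"

def treatment_plan(register, attitude):
    """Return (threat, level, countermeasure) for every risk the chosen
    attitude does not accept, highest level first."""
    accepted = ATTITUDES[attitude]
    priority = {"high": 0, "medium": 1, "low": 2}
    plan = []
    for threat, likelihood, impact, countermeasure in register:
        level = risk_level(likelihood, impact)
        if level not in accepted:
            plan.append((threat, level, countermeasure))
    return sorted(plan, key=lambda row: priority[row[1]])

# Constructed register mirroring the slides' threat/countermeasure pairs
SAMPLE_REGISTER = [
    ("phishing of staff", 3, 2, "acceptable use policy and training"),
    ("sniffing of IM traffic", 2, 2, "encrypt IM transmissions"),
    ("denial of service on website", 1, 3, "create mirror web site"),
    ("malware via email", 3, 3, "anti-virus system and firewall"),
    ("software piracy by staff", 1, 2, "acceptable use policy"),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER, "low_acceptable"):
        print(row)
```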
Countermeasures
• Vulnerability: Provision of IM to employees
  – Threat: Sniffing
  – Risk: Loss of company data
  – Possible countermeasure: Encrypt IM transmissions
• Vulnerability: Customer payments
  – Threat: Sniffing
  – Risk: Loss of customer card details. Loss of trust
  – Possible countermeasure: Implement TLS for payment systems
• Vulnerability: Network
  – Threat: Unauthorised access
  – Risk: Theft of customer details. Loss of trust. Litigation
  – Possible countermeasure: Establish more robust network authorisation policy. Invest in proxy server
• Vulnerability: Email system / VoIP
  – Threat: Viruses/worms
  – Risk: Destruction of data. System degradation. Loss of service
  – Possible countermeasure: Invest in better anti-virus system. Invest in firewall
• Vulnerability: Public website
  – Threat: Denial of service attack
  – Risk: Loss of public presence. Loss of trust. Loss of revenue
  – Possible countermeasure: Create mirror web site
Countermeasures
• Countermeasures need to be continually updated as criminals learn how to overcome them (e.g. automatic updates)
• Success in the development of countermeasures generally means no more than staying just ahead of the threat
• However, this is not always possible, as criminals are continually looking for ways to circumvent countermeasures either through the use of technology or through human agents (e.g. crooked employees in bank call centres)
• One countermeasure alone is never enough to protect an organisation’s digital assets: a combination of countermeasures needs to be adopted
Countermeasures – Encryption
• All communications across the Internet are vulnerable to packet sniffing
[Diagram: a client sends a message (email, VoIP, IM) across the Internet to the company LAN; packet-sniffing software on the path captures the message]
• Consequences:
  – Loss of personal or organisational data
  – Theft
  – Identity theft
  – Fraud
Countermeasures – Encryption
• Encrypting data sent across a network converts it into ciphertext that third parties cannot read without the key
• Encryption should be used for sensitive communications sent across the Internet
• All online payments should use security protocols like Secure Sockets Layer (SSL) or, more recently, Transport Layer Security (TLS), which ensure privacy between communicating applications
• TLS works by negotiating a unique encryption algorithm and cryptographic keys between a client and a server before data is exchanged.
Countermeasures – (Reverse) Proxy server
• A reverse proxy server places an extra barrier between an external network and an internal network’s assets (e.g. the Internet and private company files)
• A reverse-proxy only allows internet users to indirectly access certain internal servers
Countermeasures – (Reverse) Proxy server
• Internet users then only see the IP address of the proxy server, so the true identity of internal servers is hidden; thus, making them less vulnerable to attack
• A reverse proxy server will first check to make sure a request is valid. If a request is not valid, it will not continue to process the request resulting in the client receiving an error or a redirect.
• Reverse proxy servers are also used as a platform for encrypted connection software such as SSL or TLS
Countermeasures – Firewall
• A firewall is a system or group of systems that enforces an access control policy between two networks, usually the Internet and a Private LAN
• A firewall can also be used to secure sensitive sections of private networks from unauthorised employee access
[Diagram: Internet, company LAN, sensitive data, web server and client, with the firewall enforcing policy between them]
Countermeasures – Firewall
• A firewall can be software (e.g. Windows Firewall), hardware or a combination of hardware and software
• A firewall is used to:
  – Inspect all inbound and outbound Internet messages. It uses packet filtering to distinguish legitimate messages that are responses to valid user activity from illegitimate messages that are unsolicited, making its decisions on message source address, destination address and requested port and, in many cases, on previous traffic history (stateful packet filtering)
  – Block network traffic from specified applications that can serve as conduits for threats (e.g. LimeWire, Yahoo Messenger)
  – Block denial of service attacks
• Firewall rules must be pre-specified by the system administrator
• A firewall is a first line of defence; it does not stop viruses or other malware
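The stateful packet filtering described above, as an added example that is not part of the original slides: outbound connections from the LAN are recorded, and inbound packets are accepted only when they answer a recorded connection or are addressed to an explicitly published service. The addresses, ports and packets are constructed samples.

```python
# Added example (not from the original slides): a toy stateful packet
# filter showing how a firewall tells replies to valid user activity
# from unsolicited inbound traffic. Addresses and packets are constructed
# samples; nothing here talks to a real network.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN to Internet, "in" = Internet to LAN

class StatefulFirewall:
    def __init__(self, lan_prefix, published_services):
        self.lan_prefix = lan_prefix              # e.g. "10.0.0."
        self.published = set(published_services)  # (ip, port) reachable unsolicited
        self.connections = set()                  # (lan_ip, lan_port, remote_ip, remote_port)
        self.log = []

    def filter(self, pkt):
        """Return 'ACCEPT' or 'DROP' and record the reason."""
        if pkt.direction == "out":
            if not pkt.src.startswith(self.lan_prefix):
                return self._log(pkt, "DROP", "outbound with non-LAN source")
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return self._log(pkt, "ACCEPT", "outbound, connection recorded")
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return self._log(pkt, "ACCEPT", "reply to a recorded connection")
        if (pkt.dst, pkt.dport) in self.published:
            return self._log(pkt, "ACCEPT", "published service (web server)")
        return self._log(pkt, "DROP", "unsolicited inbound")

    def _log(self, pkt, verdict, reason):
        self.log.append((verdict, reason, pkt))
        return verdict

def demo():
    """Run constructed sample traffic through the filter; returns the verdicts."""
    fw = StatefulFirewall("10.0.0.", {("10.0.0.5", 443)})
    traffic = [
        Packet("10.0.0.21", 50001, "203.0.113.8", 443, "out"),   # staff member browses a site
        Packet("203.0.113.8", 443, "10.0.0.21", 50001, "in"),    # the site's reply
        Packet("198.51.100.9", 40000, "10.0.0.21", 3389, "in"),  # unsolicited packet to a desktop
        Packet("198.51.100.9", 40001, "10.0.0.5", 443, "in"),    # visitor to the public web server
        Packet("203.0.113.8", 443, "10.0.0.21", 50002, "in"),    # looks like a reply, but no state
    ]
    return [fw.filter(p) for p in traffic]
```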
Countermeasures – Antivirus
• Antivirus software is a computer program that attempts to identify, neutralise or eliminate malware (viruses, worms, trojans)
• Antivirus software commonly uses three approaches to identify malware:
  – Virus dictionary: the antivirus scans files in memory, the operating system and the registry and compares them to a dictionary of known malware
  – Identifying suspicious behaviour: the antivirus notes the behaviour of all executable programs and brings any suspicious activity to the attention of the user, e.g. an executable is triggered by another executable
  – Whitelisting: rather than looking only for known bad software, this approach prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator
Countermeasures – Antivirus
• All three approaches have their weaknesses:
  – A virus dictionary only protects against known viruses; antivirus software only protects against 20-30% of zero day threats
  – The suspicious behaviour approach tends to produce many false positives, which in turn can result in the user becoming desensitised
  – Whitelisting is difficult in large, complex organisations where there are a large number of applications. This makes keeping an inventory of trusted applications difficult. It also reduces flexibility of software installation
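The virus dictionary and whitelisting approaches, and the weaknesses just listed, side by side in code. This is an added example, not from the original slides: the byte strings stand in for executables, and the "dictionary" and "whitelist" are constructed hash sets, not real signatures.

```python
# Added example (not from the original slides): two of the three
# antivirus approaches side by side, a dictionary of known-malware hashes
# and a whitelist of approved hashes, run over constructed sample files.
# The byte strings stand in for executables and are not real signatures.
import hashlib

def fingerprint(data: bytes) -> str:
    """Hash used as the file's identity in both lists."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executables on a workstation
KNOWN_GOOD = b"MZ approved payroll application v1"
KNOWN_BAD = b"MZ worm sample the vendor has already catalogued"
ZERO_DAY = b"MZ brand-new trojan nobody has catalogued yet"
GOOD_UPDATE = b"MZ approved payroll application v2"  # not yet in the inventory

MALWARE_DICTIONARY = {fingerprint(KNOWN_BAD)}   # what the vendor has seen
WHITELIST = {fingerprint(KNOWN_GOOD)}           # what the administrator approved

def dictionary_scan(data: bytes) -> str:
    """Block only files whose hash matches known malware (misses zero-days)."""
    return "block" if fingerprint(data) in MALWARE_DICTIONARY else "allow"

def whitelist_scan(data: bytes) -> str:
    """Allow only files whose hash is in the approved inventory
    (catches zero-days, but also blocks legitimate updates not yet inventoried)."""
    return "allow" if fingerprint(data) in WHITELIST else "block"

def compare(samples: dict) -> dict:
    """Map each sample name to (dictionary verdict, whitelist verdict)."""
    return {name: (dictionary_scan(d), whitelist_scan(d)) for name, d in samples.items()}

SAMPLES = {
    "known_good": KNOWN_GOOD,
    "known_bad": KNOWN_BAD,
    "zero_day": ZERO_DAY,
    "good_update": GOOD_UPDATE,
}

if __name__ == "__main__":
    for name, verdicts in compare(SAMPLES).items():
        print(f"{name:12s} dictionary={verdicts[0]:5s} whitelist={verdicts[1]}")
```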
Fallback and Disaster recovery
• As well as first line countermeasures, fallback measures also need to be factored into IT security policies. These will include:
  – Mirror websites
  – Backup servers
  – Backed up data
  – Offsite hosting
• To guard against outright disaster, an organisation should develop a disaster recovery policy. This sets out the procedures for dealing with any significant or unusual incident that has long-term implications for the business
Education
• Technical countermeasures by themselves are never enough, as many security breaches are the result of human error rather than technical weakness. For example:
  – Employee installs infected software
  – Employee uses unsecured connection for transmission of sensitive company data
  – Administrator fails to set access privileges correctly
  – Firewall software not updated
• To mitigate against human error companies need to develop:
  – An acceptable use policy which lays out to employees and other users the rules for using the organisation’s IT systems
  – Training to disseminate security protocols and the acceptable use policy
Legal obligations
• All organisations are legally obliged to have a minimum level of IT security where they hold sensitive data on individuals (e.g. customer data)
• Failure to ensure the minimum security measures can result in prosecution under the Data Protection Act 1998 (DPA)
• Norwich Union was fined £1.26 million in 2007 for allowing thieves to gain access to customer account details and steal £3.3 million
FIT Session 8 – Activities
• Now do – Activity 8 – IT security