Network Security Risks
Dec 21, 2015
IS Auditor Role
Collect evidence to ascertain an entity's ability to safeguard assets, provide data integrity, and run systems that are both efficient and effective.
Networks Are Vulnerable to Attack
Threat sources: hackers/crackers, terrorists, insiders. Attacks may be logical (against software and protocols) or physical (against equipment and premises).
http://www.msnbc.com/news/482181.asp#BODY
What is at stake: money, trust, secrets, infrastructure.
Financial transactions: trillions of dollars per year move by EFT and credit card. The Pentagon reports about 500,000 attempted attacks per year. Microsoft was hacked; the February denial-of-service attacks took major sites offline; the e-mail-borne Melissa and I Love You outbreaks spread worldwide in days.
[Network diagram (hospital): remote clinics reach the campus over the Internet/VPN through an ISP, CSU/DSU and T1 line terminating on a router with packet-filtering firewall that serves as the Internet gateway. Behind it, hubs and switches serve Admin (330 PCs), Dr's offices (200 PCs), Operating rooms (20 PCs), Classrooms, the mainframe and the servers. A second WAN/ISP link provides fault tolerance.]
Routers, Firewalls, Gateways
Firewalls: hardware and/or software used to protect assets from untrusted networks.
Gateway/proxy server: allows information to flow between internal and external networks without any direct exchange of packets between the two; the proxy terminates the outside connection and opens its own inside.
DMZ: isolates the internal network from exposed, vulnerable web servers.
Router: manages network traffic, forwarding packets toward their destination by the most efficient path. A packet-filtering router also filters packets by a predetermined set of rules on IP source address, IP destination address, source port, and destination port. Such a filter is only as secure as the quality of its rule set: rules are evaluated in order, so a broad allow placed early silently overrides every deny after it, and the set should end in a default deny.
TCP/IP
IP (Internet Protocol) is the standard for internet message exchange. It does not guarantee delivery of packets; an IP packet travels much like a postcard, with no provision for data integrity, timeliness, security, privacy or confidentiality.
TCP, which adds sequencing, acknowledgement and retransmission (error detection and recovery), is stacked on top of IP to form TCP/IP.
Port: the address on a host where an application makes itself available to incoming data, e.g. 23 (telnet), 25 (SMTP).
Packet: a unit of information transmitted as a whole, including source and destination addresses.
IP address (IPv4): a unique 32-bit number written as four octets separated by periods, e.g. 144.92.43.178. Address allocation was handled by InterNIC.
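The packet-filtering router described above, as an added example (not code from the original slides): a stateless filter that decides on protocol, source/destination IP address and source/destination port with first-match semantics and a default deny, plus a check for shadowed rules, the rule-set quality defect the slide warns about. The DMZ web server 192.0.2.10, the internal network 144.92.43.0/24 (built around the slide's example address) and both rule sets are constructed for this example.

```python
# Added example (not from the original page): a minimal stateless packet
# filter of the kind the slides describe, deciding on protocol, source and
# destination IP address, and source and destination port. The rule sets,
# the DMZ web server 192.0.2.10 and the internal network 144.92.43.0/24
# (built around the slide's example address) are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Union

ANY = "any"

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    sport: int      # source port
    dport: int      # destination port

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = ANY
    src: str = ANY                 # CIDR network or "any"
    dst: str = ANY
    sport: Union[int, str] = ANY
    dport: Union[int, str] = ANY

def _match(rule_val, pkt_val, is_net=False):
    """Does one rule field match the corresponding packet field?"""
    if rule_val == ANY:
        return True
    if is_net:
        return ipaddress.ip_address(pkt_val) in ipaddress.ip_network(rule_val)
    return rule_val == pkt_val

def decide(rules, pkt):
    """First matching rule wins; if nothing matches, deny (default deny)."""
    for r in rules:
        if (_match(r.proto, pkt.proto) and _match(r.src, pkt.src, True)
                and _match(r.dst, pkt.dst, True)
                and _match(r.sport, pkt.sport) and _match(r.dport, pkt.dport)):
            return r.action
    return "deny"

def _covers(broad, narrow, is_net=False):
    """Does field value `broad` include every packet that `narrow` matches?"""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    if is_net:
        return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))
    return broad == narrow

def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule already
    covers everything they match: a classic rule-set quality defect."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (_covers(e.proto, r.proto) and _covers(e.src, r.src, True)
                    and _covers(e.dst, r.dst, True)
                    and _covers(e.sport, r.sport) and _covers(e.dport, r.dport)):
                out.append(i)
                break
    return out

# Good: only what is needed, most specific first, implicit default deny.
GOOD_RULES = [
    Rule("allow", "tcp", dst="192.0.2.10/32", dport=80),      # anyone -> DMZ web
    Rule("allow", "tcp", src="144.92.43.0/24", dport=25),     # inside -> any SMTP
]
# Bad: a broad allow placed first shadows every rule after it.
BAD_RULES = [
    Rule("allow", "tcp"),
    Rule("deny", "tcp", dst="192.0.2.10/32", dport=23),       # never reached
    Rule("allow", "tcp", dst="192.0.2.10/32", dport=80),      # never reached
]

if __name__ == "__main__":
    telnet = Packet("tcp", "203.0.113.5", "192.0.2.10", 40000, 23)
    print("good:", decide(GOOD_RULES, telnet), "bad:", decide(BAD_RULES, telnet))
    print("shadowed in bad set:", shadowed_rules(BAD_RULES))
```

With the bad rule set a telnet connection to the DMZ web server is allowed even though a deny for it exists, because rule 0 matches first; `shadowed_rules` reports exactly the rules that have become dead, which is the audit check to run whenever a rule set changes.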
Authentication
Three factors: something you have (smart card), something you are (biometric devices), something you know (password).
Authentication devices: biometric devices (retinal scan, fingerprints, voice recognition, facial recognition). SecurID tokens combine something you have (the token) with something you know (a PIN) to produce a passcode that changes once a minute.
Passwords: proper maintenance and procedures are essential. Post-it notes on monitors and under keyboards? Passwords should be longer than 8 characters, not composed of English words, include special characters, and be changed regularly (current guidance favors long passphrases and screening against lists of breached passwords over forced periodic change). Cracking tools such as L0phtCrack recover weak Windows passwords from captured password hashes in hours.
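The two-factor token described above, as an added example (not code from the original slides). SecurID's own algorithm is proprietary; this block uses the open time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) as an analogue that behaves as the slide describes: a code derived from a secret inside the token and the current time, combined with a PIN the user knows. The secret (the RFC 6238 test secret) and the PIN are constructed test values; a 60-second step matches the slide's once-a-minute code.

```python
# Added example (not from the original page): a time-based one-time code in
# the style of the SecurID token the slide describes, implemented with the
# open TOTP algorithm (RFC 6238, HMAC-SHA1 over a time counter), plus the
# PIN that forms the "something you know" factor. The secret is the RFC 6238
# test secret and the PIN is a constructed value.
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Code that changes every `step` seconds (60 s, like the slide's token)."""
    return hotp(secret, unix_time // step, digits)

TOKEN_SECRET = b"12345678901234567890"   # RFC 6238 test secret (constructed)
USER_PIN = "2468"                         # constructed PIN (something you know)

def verify_passcode(pin: str, code: str, unix_time: int,
                    step: int = 60, skew: int = 1) -> bool:
    """Two-factor check: the PIN must match and the code must be valid for
    the current time step or one step either side (tolerates clock drift).
    Both comparisons are constant-time to avoid leaking partial matches."""
    if not hmac.compare_digest(pin, USER_PIN):
        return False
    if len(code) != 6 or not code.isdigit():
        return False
    counter = unix_time // step
    return any(hmac.compare_digest(code, hotp(TOKEN_SECRET, counter + d))
               for d in range(-skew, skew + 1))

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TOKEN_SECRET, now))
    print("accepted:", verify_passcode(USER_PIN, totp(TOKEN_SECRET, now), now))
```

A real deployment would also record the last counter accepted for each token so a captured code cannot be replayed within the skew window, and would rate-limit PIN attempts.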
Symmetric Encryption
The secret key used for encryption and decryption is identical, so Alice and Bob must exchange the secret key in advance. This is impractical for large numbers of people: every pair of correspondents needs its own securely exchanged shared secret.
Asymmetric Encryption
Public/private key pairs are used to overcome the problem of shared secret keys. Only the owner of the key pair knows the private key; the public key is shared with everyone.
Message confidentiality: Bob encrypts a message with Alice's public key and, on receipt, Alice decrypts it with her private key.
Encryption of data
Key (cipher) length, expressed in bits, is important. Brute-force times quoted in the original: a 40-bit cipher can be broken in 3.5 hours, 56-bit in 22 hours 15 minutes, 64-bit in 33-34 days, 128-bit in more than 2000 years. These figures reflect the computing power available to attackers at the time and shrink as hardware improves; each additional bit doubles the search space. Symmetric and public-key lengths are not comparable: a 1,024-bit RSA modulus offers far less than 1,024 bits of security, since the attack is factoring rather than exhaustive search.
Security services and the mechanisms that provide them: message confidentiality through message encryption; message integrity through a message digest (cryptographic hash); authentication and nonrepudiation through a digital signature.
Securing Transactions
Data theft: customer lists, engineering blueprints and other company secrets. Company assets are vulnerable because they are connected to public networks. Cracker Kevin Mitnick stole plans for Motorola's StarTac, using IP spoofing.
Theft of money: the German Chaos Computer Club used an ActiveX control to schedule a transfer of money from the victim's online bank account to a numbered bank account controlled by the crackers.
Stored Account Systems
Similar to existing debit/credit card systems: they use the existing infrastructure and payment systems based on electronic funds transfer, with settlement houses/clearing houses. Highly accountable and traceable; that traceability raises "big brother" privacy concerns. Slow and expensive, because online verification is necessary. Examples: SET (Secure Electronic Transaction), CyberCash.
Stored Value Systems (E-cash)
Private: no approval from a bank is needed. The security stakes are high: counterfeiting, and the absence of control and auditing. Potentially an $8 trillion a year market. People do not yet trust e-cash technology; it is more popular in Europe. E-cash is superior to cash in that it does not require proximity and does not create the weight and storage problems of cash.
New systems: DigiCash, Mondex and Visa Cash, stored value and/or stored account. E-cash is stored on an electronic device: a smart card, or it could be stored on a PC (electronic wallet technology). The merchant adds or subtracts e-cash value using encrypted messaging between computers, or by inserting the smart card in the merchant's smart card reader.
Mondex Devices
Smart Cards: credit-card-sized devices with a chip and memory that contain operating systems and applications. A reader device attached to a PC can read the smart card. They avoid the problem of e-cash being stored on insecure hard drives, and are disabled when physically attacked.
Smart cards will be ubiquitous: loyalty information (frequent flier miles), health records and health insurance information, debit, credit and charge cards, e-cash, GSM (Global System for Mobile communications), pay TV, mass transit ticketing, access controls, digital signatures, biometrics, travel and entertainment, driver's license and social security information.
Secure Sockets Layer (SSL)
Provides confidentiality and authentication of web sessions by encrypting the communication channel. During the handshake the client and server agree on a private session key and on the encryption and hashing algorithms used for confidentiality and data integrity; the server's private key is used only to prove its identity and protect that key agreement, and the bulk traffic is encrypted with the session key. The client authenticates the server by checking the server's certificate against the certificate-authority certificates stored in the client's browser.
Secure Electronic Transaction (SET) Protocol
An open standard for secure internet payments backed by MasterCard and Visa, IBM and Microsoft. Provides confidentiality of information, privacy, message integrity, authentication and nonrepudiation, and authenticates all parties. Encrypts credit card numbers, shielding them from the public and from the merchant. Each party in a SET transaction must possess a digital certificate and carry a digital wallet or smart card. Uses 1,024-bit keys; securing the private keys on end-user machines is problematic. MasterCard International - Shop Smart! demo.
Public Key Infrastructure (PKI)
Issues, manages and maintains public/private key pairs and digital certificates. Digital certificates are used to authenticate servers or clients through a trusted third party, the certificate authority (CA). CAs issue digital certificates to merchants; the browser verifies a certificate by checking the CA's digital signature on it against the CA's public key, which is stored in the browser. Digital signatures have full legal standing (2000; source: VeriSign training).
Risks to the Client
Active content, cookies, modems. Many clients are mission critical. Personal firewall software (e.g. BlackICE, ZoneAlarm) is needed even when the client is part of a network with other layers of protection.
Active Content
Programs that automatically download and execute on the user's machine when the user visits a web site carrying active content: Java applets, ActiveX controls, JavaScript, VBScript, and multimedia presentation files executed via browser plug-ins (Flash). Active content can provide a rich, customized computing experience, but it could be malicious, e.g. a Java applet coded to read the client's cookies, including passwords and IDs, and send the information back to crackers.
ActiveX Controls
Can execute any function a Windows program can execute. Written in a variety of languages; execute only on Wintel machines. There are no technical security measures that prevent a trusted ActiveX control from damaging the machine: security rests entirely on the level of trust the client places in the author of the control, attested by a software publisher certificate from a certificate authority such as VeriSign.
Java Applets
Platform independent: can run on Windows or Unix machines. Constrained from accessing resources outside a restricted execution environment called the sandbox: the applet can play but not escape. Trust in Java applets is based on restricting the applet's behavior; holes in the sandbox (implementation bugs) allow attack code to escape it.
Cookies
Internet (HTTP) transactions do not maintain state: the server has no memory of the last visit. To restore state, cookies are kept on the user's hard drive: a block of data on the client that the server can use to identify the user, instruct the server to send a customized version of a web page, or submit the user's account information. If a cookie is intercepted by a third party, significant personal information about the user is compromised, and cookies themselves can compromise user privacy.
Operating System Risks
Default configurations, e.g. a default setup on a client node that allows Java applets to load on the server using the root ID.
Escalation of privileges: if an attacker gains "root" or administrator privileges, the cracker can do anything to the system he desires.
Adaptive access control automates the access control process; automated assignment of permissions alleviates the problems of manual access control.
Operating System Risks 2
Windows 98 is very insecure. Modems connected to the internal network are problematic: they give an outside caller a path that bypasses the perimeter firewall. UNIX and Windows NT operating systems are more secure but still full of bugs and security holes; patches are available from vendors and must actually be applied.
Computer Emergency Response Team Coordination Center (CERT/CC)
Experts on call for emergencies 24 hours a day. Facilitates communication among experts on security problems; serves as a central point for the identification and correction of security vulnerabilities and as a secure repository of computer security incident information.
Viruses, Worms, Trojans
Users need constant training and surveillance. The system administrator must update virus definitions on a schedule. An attack emergency and recovery plan is needed, and policies regulating users' handling of e-mail are important.
Securing the Server
Back-end databases must be protected. Web servers are particularly vulnerable to attack. CGI scripts: a web client's request causes a program to execute on the server, so untrusted input reaches server-side code. Crackers escalate privileges to execute arbitrary system commands: deleting or stealing files, placing Trojan horse programs on the server, running denial of service attacks, defacing web pages, or storing cracking tools for a later attack.
Denial of Service Attacks
Cripple or crash web servers by flooding the server with too much data or too many requests. E-commerce merchants cannot afford the financial consequences or the loss of trust.
Online NewsHour -- Internet Security
Web Page Defacing
The act of rewriting a web page. Motivations: political, financial, and/or revenge. Was more than the web server compromised?
Malicious Web Sites
An EU study put possible losses at 60 billion euros. Such sites steal credit card numbers, spy on hard drives, upload files and plant active content. Example: sites registered under misspelled URLs of well-known sites to catch mistyped addresses.
People & Security - Policies
Policies must be embraced by management and cover the security philosophy, user policies, incident management, methods to prevent social engineering attacks, network disaster recovery, and consequences for lack of adherence. Programs to train staff and techniques to enhance security should be ongoing. An outside penetration study can be useful to document the true level of risk and vulnerability.
Social Engineering
Manipulating employees' natural tendencies. Objectives: obtaining passwords, or obtaining configuration data used to escalate user permissions in an operating system. Attackers use the telephone or e-mail, posing as IT staff or higher-level managers, and talk people into revealing damaging information. Many devastating cracker exploits have included social engineering.
Insider Risks
Authorized users commit 75% to 85% of all computer crime. It is not usually prosecuted but covered up. Disgruntled employees crash file servers, delete data, sell critical data, commit financial fraud, and sniff the internal network.
Onion Approach
Security solutions to vulnerabilities should be implemented in a layered approach, the "onion" solution. Solutions should be preventive and predictive rather than reactive. Network security architectures rely upon layers of devices and software that provide multiple barriers to intruders and that protect, detect and respond to threats.
Tools
Vulnerability scanning tools determine remote systems' weaknesses by discovering open ports and how services respond to incoming requests; they are extremely dangerous in the wrong hands.
Intrusion Detection System (IDS): detects intruders breaking into a system, or legitimate users misusing system resources. A well-configured IDS works on a default-deny basis, alerting on all activity not expressly allowed. Analysis of audit trail data, especially operating system activity, is important.
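The two tools above meet in the detector below, an added example (not code from the original slides): a small IDS rule run over audit-trail lines that raises a "portscan" alert when one source touches many distinct ports within a short window (the open-port probing a vulnerability scanner performs) and a "bruteforce" alert on repeated failed logins. The log format and every address in the sample are constructed for this example.

```python
# Added example (not from the original page): a small detector of the kind an
# IDS runs over audit-trail/connection logs. It raises a "portscan" alert
# when one source touches many distinct ports within a short window and a
# "bruteforce" alert on repeated failed logins. The log format and every
# address below are constructed for this example.
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r"^(\d+) (connect|login) src=([\d.]+) dst=([\d.]+) dport=(\d+)(?: result=(\w+))?$")

def parse(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, event, src, dst, dport, result = m.groups()
    return {"ts": int(ts), "event": event, "src": src, "dst": dst,
            "dport": int(dport), "result": result}

def detect(lines, scan_ports=10, scan_window=60, login_failures=5):
    """Return a list of (alert_type, source_ip) tuples, one per offender."""
    conns = defaultdict(list)   # src -> [(ts, dport), ...]
    fails = defaultdict(int)    # src -> number of failed logins
    for rec in filter(None, map(parse, lines)):
        if rec["event"] == "connect":
            conns[rec["src"]].append((rec["ts"], rec["dport"]))
        elif rec["event"] == "login" and rec["result"] == "fail":
            fails[rec["src"]] += 1
    alerts = []
    for src, hits in conns.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):          # sliding time window over the hits
            while hits[hi][0] - hits[lo][0] > scan_window:
                lo += 1
            if len({port for _, port in hits[lo:hi + 1]}) >= scan_ports:
                alerts.append(("portscan", src))
                break
    for src, n in fails.items():
        if n >= login_failures:
            alerts.append(("bruteforce", src))
    return alerts

# Constructed sample log: a scanner sweeping 12 ports in 12 seconds, a normal
# internal user over ten minutes, a password-guessing client, and a line the
# parser must skip.
SAMPLE_LOG = (
    [f"{1000 + i} connect src=203.0.113.9 dst=192.0.2.10 dport={20 + i}" for i in range(12)]
    + ["1100 connect src=144.92.43.178 dst=192.0.2.10 dport=80",
       "1400 connect src=144.92.43.178 dst=192.0.2.10 dport=443",
       "1700 connect src=144.92.43.178 dst=198.51.100.7 dport=25"]
    + [f"{2000 + i} login src=198.51.100.4 dst=192.0.2.10 dport=22 result=fail" for i in range(6)]
    + ["2010 login src=144.92.43.178 dst=192.0.2.10 dport=22 result=ok",
       "garbage line that the parser must skip"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The thresholds are the tuning knobs: too low and ordinary users who open a handful of services trip the rule, too high and a slow scan spread over hours goes unnoticed, which is why the window and the distinct-port count are separate parameters rather than one hit counter.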
Tools 2
Logging enhancement tools supplement operating system logging and can provide independent audit data.
System evaluation tools: configuration checking, permissions checking, analysis of accounts and groups, evaluation of registry settings, verification of up-to-date patch installation.
Network sniffers intercept and analyze network traffic. They can be extremely useful but are also very dangerous: it is illegal to sniff a network without permission, and anything sent in the clear can be read from the captured packets. After an intrusion, sniffer logs can be essential. Sniffers can be hardware or software based; they are also called "packet dumpers".