Chapter 11 Data Security 1
MIS 430 Chapter 11
Network Security
Mgt Focus 11-1: Western Union
9/2000: a hacker broke into Western Union's web site and stole 15,700 credit card numbers
Cause was human error: a file was left unprotected after a web site revision
A routine security audit discovered the break-in; the site was shut down (5 days lost)
Cost over $1M!
I. Introduction: Some Threats (see fig 11-2, p. 358)
Data center hardware: protection failure, destruction
Software: unauthorized access, copying, modification, destruction, theft; errors and omissions
Files: unauthorized access, copying, modification, destruction, theft
Offline input/output: disaster, vandalism, fraud/theft/extortion, errors and omissions
Intro, contd.: More Threats
Organization: inadequate functional separation, lack of security responsibility
Personnel: dishonesty, gross error, incompetence
Physical security: unauthorized access, inadequate safety, transportation exposure
External people: disaster, vandalism, fraud/theft/extortion
Data communications circuits: network unavailable, illegal access, lost messages
Intro, contd.: More Threats
Client users: masquerading, authorization bypass, unauthorized input/output, manipulation
Average loss per incident is about $1M, but that is only the tip of the iceberg
Loss of consumer confidence costs much more than the lost business itself!
Business disruption due to lost applications is even more costly: Bank of America estimates a $50M loss if it is down for 24 hours
Types of Threats
Disruptions: loss or reduction of network services
  Loss of circuits
  Loss of data
  Disasters that affect equipment
Unauthorized access: mostly employees, not outside hackers!
CERT Coordination Center (Computer Emergency Response Team) at Carnegie Mellon University: http://www.cert.org/
ISU: loss of 10,000 social security numbers
Network Controls
Control: a mechanism to reduce or eliminate threats to network security
Types of controls:
  Prevention: stop the act from occurring
  Detection: reveal unwanted events
  Correction: remedy an unwanted event
Important: someone must be responsible for controls and security, including keeping them updated and verifying that they are actually implemented correctly.
Tech Focus 11-1 (p. 361)
Less complex is better
A control's cost should be in line with the risk it reduces
Preventing is better than detecting and correcting!
Adequate: just enough to protect the network
Automated controls are better than manual ones!
Controls apply to everyone!
Document overrides; overrides themselves need controls
Control documents are confidential
Names, uses, and locations of network hardware are private information
Controls ensure the network can be audited
Assume a hostile environment
Tech Focus 11-1, contd.
Convey an image of high security through education and training
Controls provide separation of duties
Implement entrapment (honey pots) to identify intruders
When a control fails, the network defaults to tight security: deny access (fail closed, never open)
Controls still work when only one part of the network fails
Don't forget the LAN! Central managers often worry only about the WAN
Always assume your opponent is smarter than you are
Always have insurance in case a control fails
II. Risk Assessment
Assign levels of risk to the various threats
Compare the nature of the threats to the controls in place
OCTAVE method: http://www.cert.org/octave/
Control spreadsheet (fig 11-3, p. 362): assets (anything of value) listed down the side with their priority in parentheses; threats across the top, grouped in categories; each cell in the center lists the controls now in use against that threat for that asset
Types of Assets (fig 11-4)
Hardware: servers, client computers, network devices (hubs, routers, switches)
Circuits: LANs, BNs, contracted MAN and WAN circuits, Internet access circuits
Network software: server NOS, applications such as the mail server and web server
Client software: OS, applications like Word, etc.
Organizational data: databases
Mission-critical applications: depends on the organization
Threat Likelihoods (fig 11-5)
Virus: 85%
Internet hacker: 70%
Device failure: 68%
Denial of service (DoS): 60%
Theft of equipment: 44%
Natural disaster: 28%
Theft of information: 9%
Fraud: 3%
Source of the threat: from insiders 70%, from outsiders 25%
Identify the Controls
After the spreadsheet (assets, threats) is done, work on the controls (see fig 11-6, p. 366). Examples:
Disaster recovery plan / business continuity plan
Halon fire suppression system in the machine room; sprinklers
Not below ground level (beware of floods: Chicago)
UPS on major servers
Contract guarantees from interexchange carriers
Extra backbone fiber cable laid in different conduits
Virus-checking software present on the network
Extensive user training about viruses
Strong password software
Extensive user training about password security
Application-layer firewall
Evaluate the Network's Security
Evaluate the adequacy of the existing controls as they relate to each threat
Do this with an independent Delphi team of 3-9 members, which makes the final decision
Then act on the team's decisions quickly
Mgt Focus 11-2: Microsoft, Part 1
Microsoft's web sites were the 3rd most visited on the Internet
All were down for 22 hours in Jan 2001 due to a technician's error
MS had placed all 4 of its DNS servers on the same network segment
The technician loaded incorrect routing table information into the routers for that segment, and nobody could reach any DNS server
Had any one DNS server been on a different segment, there would have been no trouble!
MS lost about $4M in ad revenue during the 22 hours; more was lost on sites like Expedia that sell services
Mgt Focus 11-3: World Trade Center Disaster Recovery
TradeWeb: headquarters on the 51st floor, destroyed!
Changed its DNS entry to point at the London office to get back on the web; rebuilding the database took longer
Allstate: lost its NYC data center (but had a plan)
With no network, the onslaught of claims could not be processed
Had 25 "LAN-in-a-box" dial-up network kits for connecting an office LAN to headquarters; needed 24 more
Remaining offices were back up in 4 days
III. Controlling Disruption, Destruction and Disaster (DDD): Prevention
Use redundant hardware
  UPS (e.g., American Power Conversion, www.apc.com)
  Fault-tolerant servers
  Disk mirroring and RAID 1 or RAID 5 (not RAID 0, which stripes data with no redundancy)
Prevent natural disaster damage
  Avoid basement rooms and sites near rivers and oceans
  State Farm data center: 6-foot-thick walls on the southwest side against tornadoes
  Install a Halon fire suppression system (but Halon is being phased out as an ozone-depleting agent: http://www.epa.gov/ozone/snap/fire/qa.html)
Decentralize network resources: multiple servers, multiple data centers, even in different parts of the country
Prevention Controls
Preventing theft ($1B of equipment stolen annually)
  Physical security methods for the data center
  Use security cables to attach hardware to desks
  Private security guards
  Keep certain key network locations secret
Preventing viruses
  Protect both servers and clients!
  Macro viruses account for 75% of viruses
  Use anti-virus software and keep it current (update at least weekly)
Mgt Focus 11-4: Nimda!
9-18-2001: the Nimda worm swept through Windows servers and clients around the world
Arrived attached to an email message and mailed itself to everyone in the Outlook address book
Also spread server-to-server by attacking unpatched IIS web servers, over shared drives, and through a browser: visiting an infected web site was enough (JavaScript on the page pulled the worm down)
Patches were released, but it came back as variants (ask me about my own servers)
5 months later it was still the most common attack: it was an attack suite, well written and tested
Prevention Controls: Preventing Denial of Service Attacks
The attacker floods the network with messages so that the server cannot handle its normal workload
Attackers use false source IP addresses (IP spoofing), so the flood cannot simply be blocked by address
A distributed DoS (DDoS) attack is more disruptive: the attacker controls many compromised machines that all attack simultaneously
One defense is to spread the service over several servers around the world (as Microsoft has done)
Tech Focus 11-2: DoS Attacks
Smurf attacks: flood the victim with ICMP echo (Ping) traffic by sending echo requests to broadcast addresses with the victim's address spoofed as the source, so every host answers the victim
Fraggle attacks: similar to Smurf but use UDP echo requests
TCP SYN floods: a stream of requests to establish TCP connections that are never completed, filling the server's connection table
UNIX process table attacks: like a SYN flood, but exhaust the process table by making the server spawn a process for each half-open connection
Finger of death attacks: flood the server with finger requests
DNS recursion attacks: spoof the source address to be within the organization so that the DNS server's responses flood an internal target
Mgt Focus 11-5: Microsoft, Part 2
A DDoS attack in 1/2001 caused MS to redesign its networks
The attacker gained control of a large number of computers and implanted DDoS software on them
The software targeted MS's DNS servers, not the web or mail servers; by focusing on the routers on the segment containing the DNS servers it brought the network to a crawl
Fix: put the 4 DNS servers on separate network segments
MS also contracted with Akamai.com to hold its most popular web pages on servers around the world; pages are served from the Akamai server closest to the customer, reducing response time and providing redundancy
Controlling DDD: Detecting
Network management software should notify management of problems; it can send alerts via email or even to pagers
Major problems are easier to detect than minor ones
The network should log performance data as a baseline that can be compared against current performance
Caterpillar "bulldozer agent": avoid any unplanned downtime
Software agents and sniffers look for out-of-bounds measurements and contact the command center to report possible trouble
Controlling DDD: Correcting
Disaster recovery plan (DRP)
Remember the United DC-10 that lost its hydraulics and crash-landed at Sioux City, Iowa? The city's disaster plan helped save lives!
A DRP provides various levels of response to a number of possible disasters
See fig 11-7, p. 373 for the elements of a DRP: managers (2), staff duties, priorities for what is done first, locations of spares, data communications recovery, manual procedures, testing methods, backups, actions for specific scenarios
Controlling DDD: Correcting, contd.
Disaster recovery plans: having good backups does not mean the data can actually be used! Disaster recovery drills are important
Two levels: internal redundancy, and an outsourced DR service
  Cold site: storage of your data and applications in a facility with space, power and connectivity, but no equipment ready to run; hardware is brought in after the disaster
  Hot site: dedicated equipment that is ready to run your applications with little or no interruption
http://www.disasterrecoveryworld.com/ for checklists, etc.
Disaster Recovery Journal: http://www.drj.com/
IV. Controlling Access
Unauthorized access is the 2nd main problem
Types of intruders:
  Casual hackers with limited knowledge of the computers they encounter (script kiddies)
  Experts in security who enjoy the challenge (crackers)
  Professional hackers who break in for a specific purpose (the most dangerous kind)
  Organization employees with legitimate access who gain access to information they are not authorized to use (the most common kind of security breach)
Preventing Unauthorized Access
Be proactive! Routinely test security before the intruder does
Don't keep extremely sensitive data online; store it on networks that are isolated from other networks
Security policy: define the important assets and the policies for accessing them (see fig 11-8, p. 376)
Elements of the policy: a security manager, an incident reporting system, risk assessment with priorities, effective controls at major access points, the minimum number of controls needed (to reduce inconvenience), an acceptable use policy, a procedure to monitor changes to network devices, a routine training plan for users, a routine test plan, an annual security audit
Security Policy
The security policy should define what employees should and should not do
Password policies: don't post passwords, don't tell them to anyone, change them frequently, enforce a minimum length, don't allow reuse of previous passwords
Use combinations of letters and numbers, and upper and lower case: go4iT
See the next slide for more hints
Apply different controls to different data items
Mgt Focus 11-10: Passwords
A good password is easy to remember but hard to guess
Don't use birthdays, anniversaries, pet names or family names: they are guessed easily
At least 7 characters; change at least every 90 days; include numbers and some capital letters
Build it from a phrase: "Hot apple pie with ice cream and cheese" becomes haPwicAc
ISU policy (www.indstate.edu/adminaff/handbook/SectionV.pdf, p. 14):
  Change system passwords every 90 days, user passwords every 180 days
  Don't use the same password for non-ISU accounts!
  Don't put passwords in (plain text) email
  Use strong passwords: >= 8 characters, not in a dictionary, upper and lower case, at least one punctuation symbol, not based on personal or family information
  Don't write it down anywhere or share it
  Use a pass phrase to protect your private key for public key encryption
Caveat: current guidance (NIST SP 800-63B) drops forced periodic changes in favor of length, screening against known-breached passwords, and changing a password only when compromise is suspected
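The ISU rules above are easy to state and easy to get wrong when enforced by hand; the checker below turns them into code and runs the slides' own examples through it. This is an added example for this page, not code from the course or from the university; the word list, the personal-information list and the leet-speak substitution table are constructed for the demonstration (a real deployment would use a large dictionary and a breached-password list).

```python
"""Password policy checker for the ISU rules listed on the slide (added example)."""
import re
import string
from typing import List

# Constructed stand-in for a dictionary / breached-password list.
WORDLIST = {"password", "letmein", "welcome", "football", "indstate", "sycamores"}

MIN_LENGTH = 8  # ISU policy; the older slide text says 7

# Constructed table undoing common digit/symbol substitutions ("P@ssw0rd" -> "Password").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
STRIP = re.compile(rf"[{re.escape(string.punctuation)}\d]")


def normalise(pw: str) -> str:
    """Lower-case and strip digits/punctuation so disguised dictionary words are still caught."""
    return STRIP.sub("", pw.translate(LEET)).lower()


def check_policy(pw: str, personal_info=()) -> List[str]:
    """Return the ISU rules the password violates; an empty list means it is compliant."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        violations.append("needs both upper and lower case")
    if not any(c in string.punctuation for c in pw):
        violations.append("needs a punctuation symbol")
    if normalise(pw) in WORDLIST:
        violations.append("is a dictionary word (after undoing digit/symbol substitutions)")
    low = pw.lower()
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in low:  # ignore very short fragments that match by chance
            violations.append(f"contains personal information ({item!r})")
    return violations


if __name__ == "__main__":
    for candidate in ("go4iT", "haPwicAc", "haPwicAc!", "P@ssw0rd!"):
        print(f"{candidate:12s} -> {check_policy(candidate) or 'OK'}")
```

Note that neither of the slides' examples passes the ISU rules as written: go4iT is too short and haPwicAc has no punctuation symbol, while haPwicAc! is compliant. The leet-speak normalisation is what stops P@ssw0rd! from slipping past a naive dictionary check.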
User Profiles
A user profile specifies for each user:
  What data and network resources they can access
  How they can access it (read, write, create, delete)
  When they can access the resources (days, times, locations)
  How many incorrect log-ins are permitted before the account is locked
Group profiles: permissions shared by all members of a group
Physical Security
Biometrics: fingerprints, hand geometry, face geometry, iris prints, retina scans
Smart cards / tokens: an embedded microprocessor with a clock that generates a constantly changing one-time password
Computer locks: hardware locks, software passwords
Hide cables behind walls and ceilings
Alarm systems: the USAF uses pressurized cables; a drop in pressure reveals a break-in and sounds the alarm
Locked wiring closets for routers, hubs, etc.
Dial-In Security
Dial-in access is a major security risk!
Change the modem phone numbers periodically
Change dial-up passwords periodically
Use one-time passwords
Use smart card (token) passwords
Require call-backs to a designated number
Use an embedded ID chip in the computer that dials in
Use VPNs: encrypted sessions
Firewalls
A firewall sits between the network and the outside world
Hardware (router-based) or software varieties
Examines packets as they enter and leave the network
Packet-level firewall: examines the source and destination IP addresses (and ports) of each packet against a list of rules
Application-level firewall: an intermediate host (proxy) that authenticates users and inspects the application-layer traffic; more complex
IP spoofing: the attacker changes the actual source IP address of the packets to a "good" one that the firewall does not stop; a packet-level firewall should therefore drop any packet arriving from outside that claims an inside source address
Tech Focus 11-4: Packet-Level Firewalls
Could drop any packets coming from a different subnet or a different network
Could drop packets from certain IP addresses
Could keep certain types of packets (FTP, Telnet, etc.) from reaching the network by blocking their ports
Firewall software is constantly updated
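The three packet-level rules above, the anti-spoofing check, and Tech Focus 11-1's "when a control fails, deny access" combine into a rule engine that is only a few lines long. The example below is added for this page, not code from the textbook or from any firewall product. It assumes the firewall sees the inside addresses used on the NAT slide (192.168.1.0/24, with 192.168.1.3 as the one server reachable from outside); the rule list and sample packets are constructed for the demonstration.

```python
"""Packet-level firewall evaluation: anti-spoofing, ordered rules, default deny (added example)."""
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")  # inside network from the NAT slide

# (action, source network, destination network, protocol, destination port or None = any)
# Order matters: first match wins, so the protocol blocks come before the broad allows.
RULES = [
    ("deny",  "0.0.0.0/0",      "0.0.0.0/0",      "tcp", 23),   # Telnet never crosses the firewall
    ("deny",  "0.0.0.0/0",      "0.0.0.0/0",      "tcp", 21),   # nor FTP control
    ("allow", "0.0.0.0/0",      "192.168.1.3/32", "tcp", 80),   # inbound web to the one public server (assumed)
    ("allow", "192.168.1.0/24", "0.0.0.0/0",      "tcp", None), # any other TCP outbound from inside
    ("allow", "192.168.1.0/24", "0.0.0.0/0",      "udp", 53),   # outbound DNS
]


def filter_packet(pkt: dict) -> tuple:
    """Return (decision, reason) for a packet dict with iface, src, dst, proto and dport."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])

    # Anti-spoofing: an inside address can never legitimately arrive on the outside interface,
    # and nothing but inside addresses should leave via the inside interface.
    if pkt["iface"] == "outside" and src in INSIDE:
        return "deny", "spoofed inside source address on outside interface"
    if pkt["iface"] == "inside" and src not in INSIDE:
        return "deny", "non-inside source address on inside interface"

    for action, s_net, d_net, proto, dport in RULES:
        if (src in ip_network(s_net) and dst in ip_network(d_net)
                and proto == pkt["proto"] and (dport is None or dport == pkt["dport"])):
            return action, f"matched rule: {action} {s_net} -> {d_net} {proto}/{dport or 'any'}"

    # Fail closed: nothing matched, so the packet is dropped (Tech Focus 11-1: default to deny).
    return "deny", "no matching rule (default deny)"


if __name__ == "__main__":
    samples = [  # constructed packets
        {"iface": "outside", "src": "203.0.113.7", "dst": "192.168.1.3", "proto": "tcp", "dport": 80},
        {"iface": "outside", "src": "203.0.113.7", "dst": "192.168.1.3", "proto": "tcp", "dport": 23},
        {"iface": "outside", "src": "192.168.1.9", "dst": "192.168.1.3", "proto": "tcp", "dport": 80},
        {"iface": "inside",  "src": "192.168.1.5", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
        {"iface": "outside", "src": "203.0.113.7", "dst": "192.168.1.5", "proto": "udp", "dport": 161},
    ]
    for s in samples:
        print(s["iface"], s["src"], "->", s["dst"], f"{s['proto']}/{s['dport']}:", *filter_packet(s))
```

The third sample is the IP-spoofing case from the firewall slide: a packet on the outside interface claiming to come from 192.168.1.9 is dropped before any rule is consulted, so an attacker cannot borrow an inside address to satisfy the "allow from inside" rules.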
NAT: Network Address Translation (previously covered)
This is cool: you can share 1 public IP address across several computers on the network
Translates between a set of private IP addresses inside the network and the public (proxy) IP address presented outside
Ex: the outside IP is 139.102.180.36; the inside IP addresses are 192.168.1.1 through 192.168.1.5 (local, private addresses)
Could also use the 10.x.x.x private range
The NAT device (proxy server) has two NICs: one inside and the other outside the firewall
More NAT
When an inside client makes a request, the NAT device records the client's inside IP address and source port and assigns that connection a unique outside port number
It replaces the internal source IP address (and port) in the packet with the outside IP address (and the unique port), then sends the packet on to the Internet
When the return packet appears, it carries that unique port number; the NAT device looks the port up in its translation table, substitutes the inside IP address (and port) of the computer that owns it, and passes the packet to the inside network
A packet arriving from outside whose port matches no table entry has no inside owner and is dropped
Slightly slower, but very nice for sharing one IP address!!
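The translation table is the whole trick, so here it is as code. This is an added example for this page, not the textbook's; it models the NAT device from the two slides above using the slide's addresses (139.102.180.36 outside, 192.168.1.x inside). Port numbers and the sample packets are constructed, and the model ignores TCP state and timeouts to keep the mapping logic visible.

```python
"""Port-based NAT (NAPT) translation table (added example)."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatDevice:
    def __init__(self, outside_ip: str, first_port: int = 40000):
        self.outside_ip = outside_ip
        self._next_port = first_port
        # outside port -> (inside ip, inside port, remote ip, remote port)
        self.table = {}
        # the same mapping keyed the other way, so repeat packets of one flow reuse one port
        self.reverse = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the source to (outside_ip, unique port) and remember it."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.reverse.get(key)
        if port is None:                      # new flow: allocate the port the outside world sees
            port = self._next_port
            self._next_port += 1
            self.table[port] = key
            self.reverse[key] = port
        return Packet(self.outside_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Internet -> inside: look up the destination port; unknown or mismatched = unsolicited, drop."""
        entry = self.table.get(pkt.dport)
        if entry is None or (entry[2], entry[3]) != (pkt.src, pkt.sport):
            return None                       # no inside host asked for this packet
        inside_ip, inside_port, _, _ = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


if __name__ == "__main__":
    nat = NatDevice("139.102.180.36")
    # Two inside hosts happen to pick the same source port for the same web server (constructed).
    a = nat.outbound(Packet("192.168.1.1", 1025, "198.51.100.10", 80))
    b = nat.outbound(Packet("192.168.1.2", 1025, "198.51.100.10", 80))
    print("outside sees:", a, b)
    print("reply for a goes to:", nat.inbound(Packet("198.51.100.10", 80, "139.102.180.36", a.sport)))
    print("reply for b goes to:", nat.inbound(Packet("198.51.100.10", 80, "139.102.180.36", b.sport)))
    print("unsolicited probe:", nat.inbound(Packet("203.0.113.9", 4444, "139.102.180.36", a.sport)))
```

Because both hosts used source port 1025, the NAT device has to rewrite the port as well as the address; that is also why an outside host cannot initiate a connection to an inside machine, which is the accidental firewalling effect the slide's "very nice" alludes to.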
DMZ (Demilitarized Zone)
The DMZ is a separate network segment between the outside world and the fully protected internal network, on its own firewall interface or between two firewalls
The firewall opens "holes" only to the specific computers in the DMZ that must be reachable from outside
Hosts in the DMZ get some, but not complete, protection
The internal networks behind the DMZ remain fully protected: if a DMZ server is compromised, the attacker still faces the inner firewall
Use the DMZ for servers that need partial access to/from the outside world (web, mail, DNS)
Security Holes
A security hole is a bug or misconfiguration that permits unauthorized access; news of one circulates quickly on the Internet
Ex: I left anonymous FTP turned on and left FTP write access enabled for it
This allowed intruders to store huge amounts of MP3s and other illegal files in the FTP area of the server
Solution: turn off write access for anonymous FTP, but still allow writes in authenticated FTP sessions
Real solution: apply MS Critical Updates and keep servers and clients current!!!
Encryption History
The Germans used the Enigma machine during WW II; the Allies broke it (Polish cryptanalysts first, then the British at Bletchley Park)
Enigma looked like a typewriter with 3 or 4 code wheels (rotors)
The Allies also broke the Japanese codes in WW II
The US used the Navajo Code Talkers, who spoke in their native language: never broken!
Plaintext vs. ciphertext
A key is needed to "unlock" the ciphertext back into plaintext
Symmetric Encryption
Uses a mathematical algorithm to disguise the message
Symmetric: uses the same key to encrypt and decrypt
Asymmetric: the encryption and decryption keys are not the same
Good encryption does not require that the algorithm be kept secret, only the keys
DES: Data Encryption Standard, 56-bit key; brute-forced in 22 hours in January 1999 by distributed.net (about 100,000 PCs over the Internet) together with the EFF's purpose-built "Deep Crack" machine
3DES: applies DES 3 times, much harder to break
RC4: a stream cipher with a variable-length key (commonly 40 or 128 bits); its keystream has known biases and it is now considered broken and deprecated
A version of RC4 is used for file encryption in MS Excel (Tools | Options | Security): you can set a password and assign a digital signature
Public Key Encryption
PKI: the set of hardware, software, organizations, and policies needed to make public key encryption work
Each party has two keys, typically 512 or 1024 bits long when this was written (2048 bits or more today)
The public key is used to encrypt the message; each destination organization publishes its own public key, so the sender uses a different public key for each destination
The private key is used to decrypt the message and is known only to the destination
Reversing the roles, encrypting with the private key and decrypting with the public key, lets anyone confirm who the original sender was: this is the basis of the digital signature
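The two directions on this slide (public key encrypts, private key decrypts; private key signs, public key verifies) are the same modular exponentiation with the exponents swapped. The following is an added example for this page, not the textbook's code: textbook RSA on two small constructed primes with no padding, so that the arithmetic is visible. It is for illustration only; real RSA uses primes of 1024 bits or more and the OAEP/PSS padding schemes, without which the raw operation is insecure.

```python
"""Textbook RSA on tiny primes: encrypt/decrypt and sign/verify (added example, not for real use)."""
import hashlib
from math import gcd

# Constructed toy primes; a real key pair uses primes of 1024+ bits.
P, Q = 1_000_003, 1_000_033
E = 65_537  # the usual public exponent


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return (public_key, private_key) as (n, e) and (n, d) with d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Sender uses the destination's PUBLIC key; only the holder of d can undo this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this toy modulus (use a few bytes)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Destination uses its PRIVATE key. Leading zero bytes of the plaintext are not preserved."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign a hash of the message rather than the message itself (reduced mod n only because n is tiny).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """'Encrypting with the private key': only the key holder can produce this value."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """'Decrypting with the public key': anyone can check, nobody else can forge."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair()
    c = encrypt(pub, b"Hi!")
    print("ciphertext:", c, "-> plaintext:", decrypt(priv, c))
    s = sign(priv, b"pay $100")
    print("signature verifies:", verify(pub, b"pay $100", s), "| altered message:", verify(pub, b"pay $900", s))
```

With a 40-bit modulus an attacker factors n in milliseconds and recovers d, which is exactly why the slide's 512-bit keys are long retired and 2048 bits is the floor today.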
Other Encryption
PGP (Pretty Good Privacy): freeware public key software; users publish their public key (e.g., on a web page), and anyone can send that user a secret message encrypted with it
SSL (Secure Sockets Layer): used to encrypt web pages that carry credit card data
  The server's public/private key pair identifies the server; a fresh symmetric session key is negotiated on the fly for each session and does the bulk encryption
  Much slower than a regular web page, though!
  Done by the web server hosting the page
More Encryption: IPSec (IP Security Protocol)
Like SSL but not limited to Web traffic: it protects any IP traffic
IPSec operates at the network layer, between IP and TCP/UDP at the transport layer, so applications need no changes
The two parties use Internet Key Exchange (IKE) to agree on the encryption algorithms and to establish the session keys, authenticating each other with public/private keys or a pre-shared secret
Tunnel mode: IPSec encrypts the entire original IP packet and encapsulates it in a new packet; this hides the actual sender and destination addresses. Used for VPN sessions
Detecting Unauthorized Access
IDS: Intrusion Detection System
  Network-based IDS
  Host-based IDS
  Application-based IDS
Techniques:
  Misuse detection: compares monitored activities with signatures of known attacks
  Anomaly detection: compares monitored activities with a baseline of normal activity (e.g., a sudden flood of Pings)
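The two IDS techniques above behave differently on the same traffic: misuse detection can name the attack but only if a signature exists, while anomaly detection catches the flood without knowing what it is. The example below is added for this page, not code from any IDS product; it runs both techniques over a small constructed sensor log. The log format, the two signatures (a Nimda-style IIS probe as in Mgt Focus 11-4, and an anonymous FTP upload as in the Security Holes slide) and the ICMP baseline are all constructed for the demonstration.

```python
"""Misuse (signature) and anomaly detection over constructed log lines (added example)."""
import re
from collections import Counter

# Constructed sensor log, one event per line: "<epoch seconds> <proto> <src> -> <dst> <detail>"
SAMPLE_LOG = """\
1000 tcp 203.0.113.7 -> 192.168.1.3 GET /scripts/root.exe?/c+dir
1000 tcp 203.0.113.7 -> 192.168.1.3 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
1001 tcp 198.51.100.23 -> 192.168.1.4 FTP anonymous STOR track01.mp3
1001 tcp 192.168.1.5 -> 192.168.1.4 FTP jsmith STOR report.doc
1002 icmp 198.51.100.1 -> 192.168.1.3 echo-reply
1002 icmp 198.51.100.2 -> 192.168.1.3 echo-reply
1003 tcp 192.168.1.5 -> 203.0.113.50 GET /index.html
""" + "\n".join(f"1004 icmp 198.51.100.{i} -> 192.168.1.3 echo-reply" for i in range(1, 13))

LINE = re.compile(r"^(\d+) (\w+) (\S+) -> (\S+) (.*)$")

# Misuse detection: patterns of known attacks (constructed signatures).
SIGNATURES = [
    ("IIS traversal / Nimda probe", re.compile(r"cmd\.exe|root\.exe", re.I)),
    ("anonymous FTP upload", re.compile(r"\banonymous\b.*\bSTOR\b", re.I)),
]

# Anomaly detection: what this sensor normally sees per second (constructed baseline).
ICMP_BASELINE_PER_SECOND = 3


def parse(log: str):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, proto, src, dst, detail = m.groups()
            yield {"ts": int(ts), "proto": proto, "src": src, "dst": dst, "detail": detail}


def misuse_detect(events):
    """Return (ts, signature name, source) for every event matching a known-attack signature."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if ev["proto"] == "tcp" and pattern.search(ev["detail"]):
                alerts.append((ev["ts"], name, ev["src"]))
    return alerts


def anomaly_detect(events, baseline: int = ICMP_BASELINE_PER_SECOND):
    """Return (ts, label, destination, count) whenever ICMP to one host exceeds the per-second baseline."""
    per_second = Counter((ev["ts"], ev["dst"]) for ev in events if ev["proto"] == "icmp")
    return [(ts, "ICMP flood (Smurf-like)", dst, n)
            for (ts, dst), n in sorted(per_second.items()) if n > baseline]


def run(log: str = SAMPLE_LOG) -> dict:
    events = list(parse(log))
    return {"misuse": misuse_detect(events), "anomaly": anomaly_detect(events)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        print(kind)
        for alert in alerts:
            print("  ", alert)
```

Note what each technique misses: the signature engine says nothing about the 12 echo-replies in one second because no signature describes them, and the anomaly engine says nothing about the two IIS probes because two requests a second are not abnormal. The legitimate `jsmith` upload trips neither, which is the false-positive trade-off the baseline and the signatures both have to be tuned against.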
Correcting Unauthorized Access
Have a "SWAT" (incident response) team ready to call into action
Computer forensics uses computer analysis techniques to gather evidence for criminal prosecution
Criminal law has been slow to keep up with computers and the Internet
Companies use entrapment techniques to bait hackers into a false network (like the fake deer placed near a highway)
This special server has sophisticated software to monitor access and gather evidence for prosecution!
It is called a "honey pot"
For More Information...
Enroll in Dr. Moates' Computer Security class (MIS 475)
NIST CSRC web page: http://csrc.nist.gov/
CERT Coordination Center: http://www.cert.org/
Microsoft Security & Privacy site: http://www.microsoft.com/security/