Embed Size (px)
DESCRIPTION
Citation preview
Network Security Overview
ByBob Larson
Security Concerns
Internet
Viruses
Denial of ServiceInformation Theft
Unauthorized Access
Industrial Espionage
HacktivismPublic Confidence
PrivacyPornography
The Need for Security – Then
Network designed and implemented in a corporate environment
Providing connectivity only to known parties and sites
No connections to public networks
The Need for Security – Now
Securing Network Resources
Hardware threats Environmental
threats Electrical threats Maintenance
threats
Trends Affecting Network Security
What motivates
companies?
What motivates
companies?
Security Expectations
Users can perform only authorized tasks Users can obtain only authorized
information Users can’t cause damage to
Data Applications Operating environment of a system
The Goals of Network Security
Confidentiality Securing data from prying eyes
Integrity Authenticating the source
Is the sender who they claim to be Authenticating the data
Has the data been modified Availability
Users need reasonable access to data they are authorized to use
Security Awareness
Security techniques and technologies Methodologies for evaluating (not the same)
Threats Vulnerabilities Risk
Selection criteria and planning required to implement controls
What if security is not maintained What is at risk What is the cost if a breach occurs (all costs)
Financial Reputation Loss of the resource Loss of competitive advantage
Threats, Vulnerabilities and Risk
Threats Something bad Something that can cause harm
Vulnerabilities Susceptible to attack or harm Without adequate protection
Risks Chance of something happening
Statistical odds
Threats and Consequences
Network Security Weaknesses
Technology weaknesses Configuration weaknesses Security policy weaknesses
Technology Weaknesses
All computer and network technologies have inherent security weaknesses or vulnerabilities.
Don’t overlook: Hardware issues Operating System issues Network protocol issues (even TCP/IP) Application vulnerabilities
Configuration Weaknesses
Insecure default settings If you left the defaults, you are dead.
Misconfigured network equipment A little knowledge is a dangerous thing
Insecure user accounts/passwords End-users can’t be trusted to use strong pws.
Misconfigured Internet services HTTP, Java, CGI, unneeded services.
What Is a Security Policy?
“A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
RFC 2196, Site Security Handbook
Could be applied to a family with kids!
Security Policy Weaknesses
Lack of a written security policy
Internal politics
Lack of business continuity Turnover in staff/management can be devastating
Logical access controls to network equipment not applied
Security administration is lax, including monitoring and auditing
Lack of awareness of having been attacked
Software or hardware installation and changes that don’t follow the policy
Security incident and disaster recovery procedures not in place
Security Resources
SecurityFocus.com—http://www.securityfocus.com SANS—http://www.sans.org
Security Policy Project – free templates Masters Degrees in Security
CERT—http://www.cert.org Center of Internet security expertise at Carnegie Mellon
U CIAC—http://www.ciac.org/ciac
US Dept of Energy CVE—http://cve.mitre.org
Common Vulnerabilities and Exposures – Homeland Security
Computer Security Institute—http://www.gocsi.com Center for Internet Security—ttp://www.cisecurity.org
National Security Agency (NSA) Guides
http://www.nsa.gov/snac/
Fin…
