7/30/2019 FCNS Training
1/51
FCNS Training
Security Overview
The Security, Functionality and Ease of Use Triangle
Understanding Attack Types
Understanding the different types of attacks and the methods attackers use to compromise systems is essential to understanding how to secure your environment.
There are two major types of attacks:
Social Engineering Attacks
Network Attacks
There is No Patch for Human Stupidity
Social Engineering Attacks
Social engineering is the human side of breaking into a network system.
Through an email message or a phone call, the attacker tricks the individual into divulging information that can be used to compromise security.
The information the victim divulges to the attacker is most likely to be used in a subsequent attack to gain unauthorized access to a system or network.
Types of Social Engineering
Social engineering can be divided into two categories:
Human-based: gathers sensitive information by direct interaction. Attacks of this category exploit the trust, fear and helpful nature of humans.
Computer-based: social engineering carried out with the aid of computers.
Human-Based Social Engineering
Posing as a Legitimate End User: gives an identity and asks for the sensitive information.
"Hi! This is John, from Department X, I have forgotten my password. Can I get it?"
Posing as an Important User: posing as a VIP of the target company, a valuable customer, etc.
"Hi! This is Kevin, CFO Secretary, I'm working on an urgent project and lost my system password. Can you help me out?"
Computer-Based Social Engineering
Pop-up Windows: windows that suddenly pop up while surfing the Internet and ask for the user's information to log in or sign in.
Hoax and chain letters: hoax letters are emails that issue warnings to the user about new viruses, Trojans and worms that may harm the user's system. Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a set number of persons.
Computer-Based Social Engineering
Instant Chat Messenger: gathering of personal information by chatting with a selected online user to attempt to get information such as birth dates and maiden names. The acquired data is later used for cracking the user's accounts.
Spam email: email sent to many recipients without prior permission, intended for commercial purposes. Irrelevant, unwanted and unsolicited email, used to collect financial information, social security numbers and network information.
Computer-Based Social Engineering
Phishing: an illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information. It lures online users with statements such as:
Verify your account
Update your information
Your account will be closed or suspended
Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers.
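As an added example (not code from the FCNS slides), the following Python script scores an email against the phishing signals described above: the lure phrases, a link whose domain does not match the sender's domain, and link text that shows one site while the href points to another. The sample emails, the domains in them, the lure-phrase list and the score threshold are all constructed for the example.

```python
"""Heuristic phishing-email scorer (added example, not from the FCNS slides).

Scores an email from three signals the slides describe: lure phrases
("verify your account", ...), a From: domain that does not match the
domain of the links in the body, and link text that displays one host
while pointing at another. All sample emails below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure phrases quoted on the slide, plus close variants (assumed list).
LURE_PHRASES = (
    "verify your account",
    "update your information",
    "account will be closed",
    "account will be suspended",
)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: last two labels (assumption: no multi-label public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(from_header):
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return registrable_domain(m.group(1)) if m else ""


def score_email(from_header, html_body):
    """Return (score, reasons); one point per signal found."""
    reasons = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("lure phrases: " + ", ".join(hits))
    parser = _LinkExtractor()
    parser.feed(html_body)
    sender = sender_domain(from_header)
    for href, visible in parser.links:
        host = urlparse(href).hostname or ""
        link_dom = registrable_domain(host)
        if sender and link_dom and link_dom != sender:
            reasons.append(f"link to {link_dom} but sender is {sender}")
        # Visible text that looks like a host/URL for a different domain.
        m = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", visible)
        if m and registrable_domain(m.group(1)) != link_dom:
            reasons.append(f"link text shows {m.group(1)} but points to {host}")
    return len(reasons), reasons


def is_phishing(from_header, html_body, threshold=2):
    """Threshold is an assumption; tune it against your own mail corpus."""
    return score_email(from_header, html_body)[0] >= threshold


# Constructed samples (no real organisations or hosts).
PHISH = (
    "Security <alerts@example-bank.com>",
    '<p>Your account will be suspended unless you verify your account.</p>'
    '<a href="http://login.example-bank.com.evil-host.test/">'
    'https://www.example-bank.com/login</a>',
)
LEGIT = (
    "Newsletter <news@example-bank.com>",
    '<p>Our quarterly update is here.</p>'
    '<a href="https://www.example-bank.com/news">Read more</a>',
)

if __name__ == "__main__":
    for label, (frm, body) in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, why = score_email(frm, body)
        print(label, score, why)
```

The display-text mismatch is the strongest single signal here because a legitimate sender has no reason to show one address and link to another. Production mail filters add sender reputation and SPF/DKIM/DMARC checks on top of content heuristics like these.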
Network-Based Attacks
Most types of attacks are considered network-based attacks, where the attacker performs the attack from a remote system. There are a number of different types of network attacks:
Eavesdropping attack: this widely used type of attack typically involves the use of network monitoring tools to analyze and read communications on the network.
Spoof attack: in this attack, the attacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall rules.
Hijack attack: in this attack, the attacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may unintentionally send private information to the attacker.
Network-Based Attacks
Buffer overflow: this attack is when the attacker sends more data to an application than it expects. A successful buffer overflow attack often results in the attacker gaining administrative access to the system in a command prompt or shell.
Exploit attack: in this type of attack, the attacker knows of a security problem within the operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.
Denial of service: this type of attack causes the system or its services to crash or become unavailable. As a result, the system cannot perform its purpose and provide those services.
Password attack: an attacker tries to crack passwords stored in a network account database or a password-protected file.
Network-Based Attacks
Distributed denial of service (DDoS): the attacker uses multiple systems to attack a single target system.
A good example is the Smurf attack, in which the attacker pings a number of computers (typically by sending the echo request to a network's broadcast address) but modifies the source address of those packets so that they appear to come from another system (the victim in this case). When all the systems receive the ping request, they all reply to the same address, essentially overburdening that system with data.
http://arstechnica.com/security/2007/05/massive-ddos-attacks-target-estonia-russia-accused/
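As an added example, not code from the FCNS slides, the following Python detector looks for both halves of the Smurf pattern described above in a packet trace: echo requests aimed at a broadcast address, and one destination collecting echo replies from many hosts it never pinged. The packet record format (ts, src, dst, icmp_type), the /24 broadcast assumption, the thresholds and the sample trace are all assumptions constructed for the example.

```python
"""Smurf / reflected-ICMP-flood detector over a constructed packet trace.

Added example, not from the FCNS slides. The Smurf attack spoofs the
victim's address as the source of ICMP echo requests sent to a broadcast
address; every host on that segment then replies to the victim. This
script looks for both halves of that pattern in a list of packet records
(fields assumed: ts, src, dst, icmp_type) such as one might export from a
packet capture.
"""
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8


def is_broadcast(ip):
    """Assumption: /24 networks, so x.y.z.255 is the directed broadcast."""
    return ip.endswith(".255")


def detect_smurf(packets, window=1.0, min_replies=10):
    """Return a dict of findings.

    'spoofed_broadcast': (src, dst) pairs where echo requests hit a broadcast
        address. On the reflector network these requests carry the victim's
        (spoofed) address as src.
    'victims': dst -> max number of distinct hosts that replied to dst inside
        `window` seconds although dst never sent them an echo request
        (unsolicited replies = reflected flood).
    """
    findings = {"spoofed_broadcast": set(), "victims": {}}
    requests_sent = defaultdict(set)   # src -> set of dst it appeared to ping
    replies = defaultdict(list)        # dst -> [(ts, src)]
    for p in packets:
        if p["icmp_type"] == ECHO_REQUEST:
            if is_broadcast(p["dst"]):
                findings["spoofed_broadcast"].add((p["src"], p["dst"]))
            requests_sent[p["src"]].add(p["dst"])
        elif p["icmp_type"] == ECHO_REPLY:
            replies[p["dst"]].append((p["ts"], p["src"]))
    for dst, lst in replies.items():
        lst.sort()
        # Sliding window over reply timestamps, counting distinct reflectors.
        start = 0
        for end in range(len(lst)):
            while lst[end][0] - lst[start][0] > window:
                start += 1
            reflectors = {src for _, src in lst[start:end + 1]}
            unsolicited = reflectors - requests_sent[dst]
            if len(unsolicited) >= min_replies:
                findings["victims"][dst] = max(
                    findings["victims"].get(dst, 0), len(unsolicited))
    return findings


def build_sample_trace():
    """Constructed trace (not real capture data)."""
    victim, bcast = "10.0.0.5", "192.168.1.255"
    # Attacker's spoofed request: src=victim, dst=broadcast of 192.168.1.0/24.
    pkts = [{"ts": 0.0, "src": victim, "dst": bcast, "icmp_type": ECHO_REQUEST}]
    for i in range(12):  # 12 hosts on that segment reflect to the victim
        pkts.append({"ts": 0.01 * (i + 1), "src": f"192.168.1.{10 + i}",
                     "dst": victim, "icmp_type": ECHO_REPLY})
    # Benign traffic: 10.0.0.7 pings one host and gets one reply.
    pkts.append({"ts": 0.5, "src": "10.0.0.7", "dst": "192.168.1.10",
                 "icmp_type": ECHO_REQUEST})
    pkts.append({"ts": 0.51, "src": "192.168.1.10", "dst": "10.0.0.7",
                 "icmp_type": ECHO_REPLY})
    return pkts


if __name__ == "__main__":
    print(detect_smurf(build_sample_trace()))
```

On the wire a spoofed source is indistinguishable from a real one, so the detection rests on the combination of signals rather than on any single packet. The fixes that made Smurf largely historical are disabling directed broadcast forwarding on routers and ingress filtering of spoofed source addresses at the network edge (BCP 38).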
Understanding Physical Security
Physical Security
Physical Security Checklist:
Company Surroundings
Gates
Premises
Reception
Workstation Area
Wireless Access Points
Access Control
Biometric Devices
Smart cards
Security Token
Wiretapping
Remote Access
Defense in Depth
Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited; it can cover the personnel, procedural, technical and physical aspects of a system for the duration of the system's life cycle.
The idea behind the defense-in-depth approach is to defend a system against any particular attack using several, varying methods.
Information Security Attribute
IDENTITY, AUTHENTICATION & AUTHORIZATION
Don't authentication and identity mean the same thing?
If we have authentication and identity, do we need authorization?
IDENTITY, AUTHENTICATION & AUTHORIZATION
Identification is the process of establishing who someone or what something claims to be.
Authentication is the process of confirming the correctness of the claimed identity.
Authorization means the approval, permission or empowerment for someone or something to do something.
Identity: who someone or what something is. This identity may be that of a human being, a program, a computer or data.
Example: a motorist identifies himself to a police officer and presents a driver's license for confirmation. The officer compares the photograph, description and signature with those of the motorist to authenticate the identity.
Authentication
Something you know
Something you have
Something you are
Something you know should be something only you know and can keep to yourself. This might be the PIN to your bank account or a password.
Something you have might be a photo ID or a security token.
Something you are is biometric-based.
Authentication
The method used to authenticate a user depends on the network environment and can take forms such as the following:
Username and password: when users start the computer or connect to the network, they type a username and password that is associated with their particular network user account.
Smartcard: using a smartcard for logon is very similar to accessing your bank account at a teller machine. To log on to the network you insert a device similar to a debit card, known as a smartcard, into a smartcard reader and then supply a PIN. To be authenticated, you must have the smartcard and know its PIN.
Biometrics: the user provides a retina scan or fingerprint as a credential. It is becoming a very popular solution in highly secure environments, where special biometric devices are used.
When users provide credentials such as a username and a password, the username and password are passed to the server using an authentication method (protocol).
AUTHORIZATION
Once you have been authenticated to the network, you will then be authorized to access network resources.
A right is your level of privilege within the operating system to perform a task. For example: when companies deploy Windows XP Professional to all client systems on the network, users are surprised that they can't change the time on the computer if they want to. This is because they don't have the Change System Time right.
Permission is your level of access to a resource such as a file, folder or object. The permission is a characteristic of the resource and not a characteristic of the user account. For example: if you would like to give Bob read permission to a file, you would go to the properties of that file and set the permissions. Notice that you don't go to the user account to assign the permissions.
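The following Python model is an added example, not code from the FCNS slides, covering both the authentication-factor slides and the authorization slide above. It keeps the three steps separate: identification is only a claim, authentication confirms it with something you know (a PBKDF2-hashed password) and something you have (a TOTP code computed the RFC 6238 way, standing in for a security token), and authorization is checked afterwards with rights stored on the account and permissions stored on the resource. The account names, passwords, resource names, rights and the fixed TOTP counter are constructed for the example.

```python
"""Identification, authentication and authorization as three separate steps.

Added example, not from the FCNS slides. Models the distinction the slides
draw: identification (who do you claim to be), authentication (prove it with
something you know + something you have) and authorization (rights are a
property of the account, permissions a property of the resource). Password
hashing uses PBKDF2; the "something you have" is a TOTP code computed the
RFC 6238 way (HMAC-SHA1, 30 s steps, 6 digits). All users and resources
below are constructed.
"""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def totp(secret, counter=None, step=30, digits=6):
    """RFC 6238 TOTP = HOTP(secret, floor(now/step)); `counter` overrides time."""
    if counter is None:
        counter = int(time.time()) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Account:
    """A user account: credentials plus *rights* (privileges the account holds)."""

    def __init__(self, name, password, rights=()):
        self.name = name
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = secrets.token_bytes(20)  # provisioned to the user's token
        self.rights = set(rights)


class Resource:
    """A file-like object: *permissions* live on the resource, not on the account."""

    def __init__(self, name):
        self.name = name
        self.acl = {}                                # account name -> {perm}

    def grant(self, account_name, perm):
        self.acl.setdefault(account_name, set()).add(perm)


class Directory:
    def __init__(self):
        self.accounts = {}

    def add(self, account):
        self.accounts[account.name] = account

    # 1. Identification: a claim, nothing more.
    def identify(self, claimed_name):
        return self.accounts.get(claimed_name)

    # 2. Authentication: confirm the claim with two factors.
    def authenticate(self, claimed_name, password, code, counter=None):
        acct = self.identify(claimed_name)
        if acct is None:
            hash_password(password, b"\x00" * 16)    # same cost, so timing does not leak usernames
            return None
        _, candidate = hash_password(password, acct.salt)
        pw_ok = hmac.compare_digest(candidate, acct.pw_hash)
        otp_ok = hmac.compare_digest(totp(acct.totp_secret, counter), code)
        return acct if (pw_ok and otp_ok) else None


# 3. Authorization, kept separate from the identity check.
def has_right(account, right):
    return right in account.rights


def has_permission(account, resource, perm):
    return perm in resource.acl.get(account.name, set())


def demo():
    d = Directory()
    bob = Account("bob", "correct horse battery staple")            # ordinary user: no rights
    admin = Account("admin", "not-a-real-password", rights={"change_system_time"})
    d.add(bob)
    d.add(admin)
    report = Resource("report.txt")
    report.grant("bob", "read")            # permission set on the resource, not on bob
    ctr = 1_600_000_000 // 30              # fixed TOTP counter so the demo is repeatable
    who = d.authenticate("bob", "correct horse battery staple", totp(bob.totp_secret, ctr), ctr)
    wrong = d.authenticate("bob", "wrong password", totp(bob.totp_secret, ctr), ctr)
    return {
        "bob_authenticated": who is bob,
        "wrong_password_rejected": wrong is None,
        "bob_can_read_report": has_permission(bob, report, "read"),
        "bob_can_write_report": has_permission(bob, report, "write"),
        "bob_can_change_time": has_right(bob, "change_system_time"),
        "admin_can_change_time": has_right(admin, "change_system_time"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that a successful `authenticate` call returns the account but grants nothing: `has_right` and `has_permission` are asked separately, which is the point of the slide's question about whether authorization is still needed once identity has been confirmed.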
Data Classification
We classify data with differing levels of sensitivity:
Top Secret: the highest level of protection is given to this data; it is critical to protect.
Secret: this data is important and its release could harm national security.
Confidential: this data is important and it could be detrimental to national security if released.
Sensitive But Unclassified (SBU): this is generally information that is sensitive and should not be released.
Unclassified: the organization would prefer to keep it from being released, but the nation would not be harmed if it were.
Relating Risk, Threat, Vulnerability and Impact
Risk = Threat x Vulnerability
Risk = Threat x Vulnerability x Impact
The second form extends the first: a threat that can exploit a vulnerability only matters in proportion to the impact its exploitation would have.
Security Policies
Classification of Security Policy