FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd Edition. Chapter 1: Introduction to Information Security

FIREWALLS & NETWORK SECURITY with Intrusion Detection and …people.ysu.edu/~mawelton/CSIS3755/CSIS 3755 - Chapter 1.pdf · 2010-08-30 · Firewalls & Network Security, 2nd ed. -



Slide 2 Firewalls & Network Security, 2nd ed. - Chapter 1

Learning Objectives

Upon completion of this chapter, you should be able to:

Explain the relationship among the component parts of information security, especially network security

Define the key terms and critical concepts of information and network security

Describe the organizational roles of information and network security professionals

Understand the business need for information and network security

Identify the threats posed to information and network security, as well as the common attacks associated with those threats

Differentiate threats to information within systems from attacks against information within systems

Slide 3

Introduction

Firewalls and network security are critical components in securing day-to-day operations of nearly every organization in business today

Before learning to plan, design, and implement firewalls and network security, it is important to understand the larger topic of information security and how these two components fit into it

Slide 4

What Is Information Security?

Information security (InfoSec) is defined by standards published by CNSS as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information

To protect information and related systems, organizations must implement policy, awareness training and education, and technology

Slide 5

Figure 1-1 Components of Information Security

Slide 6

What Is Information Security? (continued)

C.I.A. triangle consists of Confidentiality, Integrity, and Availability

List of characteristics has expanded over time, but these three remain central

Successful organization maintains multiple layers of security:
– Network security
– Physical security
– Personal security
– Operations security
– Communications security

Slide 7

Critical Characteristics of Information

Availability enables authorized users to access information without interference or obstruction and to receive it in required format

Accuracy means information is free from error and has the value the end user expects

Authenticity is quality or state of being genuine or original, rather than reproduced or fabricated; information is authentic when it is what was originally created, placed, stored, or transferred

Slide 8

Critical Characteristics of Information (continued)

Confidentiality is when information is protected from exposure to unauthorized entities

Integrity is when information remains whole, complete, and uncorrupted

Utility of information is quality or state of having value for some end purpose; information must be in a format meaningful to end user

Possession is ownership or control of some object or item; information is in one’s possession if one obtains it, independent of format or other characteristics

Slide 9

Figure 1-2 The CIA Triad and the McCumber Cube

Slide 10

Securing Components

When computer is subject of an attack, it is used as active tool to conduct attack

When computer is object of an attack, it is entity being attacked

Direct attack is when hacker uses a computer to break into a system

Indirect attack is when a system is compromised and used to attack other systems, such as a botnet or other distributed denial-of-service attack

Slide 11

Figure 1-3 Computer as the Subject and Object of an Attack

Slide 12

Balancing Information Access and Security

Information security cannot be an absolute; it is a process, not a goal

Information security should balance protection and availability

To achieve balance—to operate information system to satisfaction of users and security professionals—level of security must allow reasonable access, yet protect against threats

Slide 13

Balancing Information Access and Security (continued)

Slide 14

Business Needs First

Information security performs four important organizational functions:
– Protects organization’s ability to function
– Enables safe operation of applications implemented on organization’s IT systems
– Protects data the organization collects and uses
– Safeguards technology assets in use at the organization

Slide 15

Security Professionals and the Organization

Chief Information Officer
– Senior technology officer
– Primarily responsible for advising senior executive(s) for strategic planning

Chief Information Security Officer
– Individual primarily responsible for assessment, management, and implementation of securing information in the organization
– May also be referred to as Manager for Security, Security Administrator, or a similar title

Slide 16

Security Professionals and the Organization (continued)

Information security project team should consist of individuals experienced in one or more facets of vast array of technical and nontechnical areas:
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– System, network, and storage administrators
– End users

Slide 17

Data Ownership

Data owner: responsible for the security and use of a particular set of information

Data custodian: responsible for the storage, maintenance, and protection of the information

Data users: the end systems users who work with the information to perform their daily jobs supporting the mission of the organization

Slide 18

Threats

Sun Tzu Wu:

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

Slide 19

Threats (continued)

To make sound decisions about information security, management must be informed about the various threats facing the organization, its people, applications, data, and information systems—that is, the enemy

In the context of information security, a threat is an object, person, or other entity that represents a constant danger to an asset

Slide 20

Threats (continued)

Slide 21

Human Error or Failure

Includes acts done without malicious intent

Caused by: inexperience, improper training, incorrect assumptions, and other circumstances

Employees are greatest threats to information security—closest to organizational data

Employee mistakes can easily lead to:
– Revelation of classified data
– Entry of erroneous data
– Accidental deletion or modification of data
– Storage of data in unprotected areas
– Failure to protect information

Slide 22

Human Error or Failure (continued)

Many of these can be prevented with controls

Slide 23

Figure 1-5 Human Error or Failure

Slide 24

Compromises to Intellectual Property

Intellectual property is "the ownership of ideas and control over the tangible or virtual representation of those ideas"

Many organizations create intellectual property—trade secrets, copyrights, trademarks, patents

Most common IP breach is software piracy

Watchdog organizations that investigate include:
– Software & Information Industry Association (SIIA)
– Business Software Alliance (BSA)

Slide 25

Compromises to Intellectual Property (continued)

Copyright enforcement is attempted with technical security mechanisms and online registration

Slide 26

Espionage or Trespass

Category of activities that breach confidentiality

Unauthorized accessing of information

Competitive intelligence vs. espionage

Shoulder surfing can occur any place a person is accessing confidential information

Controls are implemented to mark the boundaries of an organization’s virtual territory, giving notice to trespassers that they are encroaching on the organization’s cyberspace

Slide 27

Espionage or Trespass (continued)

Hackers use skill, guile, or fraud to steal the property of someone else

Slide 28

Figure 1-6 Shoulder Surfing

Slide 29

Figure 1-7 Hacker Profiles

Slide 30

Espionage or Trespass (continued)

Generally two skill levels among hackers:
– Expert hacker
  • Develops software scripts and codes exploits
  • Usually a master of many skills
  • Often creates attack software to share with others
– Unskilled hackers (script kiddies)
  • Hackers of limited skill
  • Use expert-written software to exploit a system
  • Do not usually fully understand systems they hack

Slide 31

Espionage or Trespass (continued)

Other terms for system rule breakers:
– Cracker: "cracks" or removes protection designed to prevent unauthorized duplication
– Phreaker: hacks the public telephone network

Slide 32

Information Extortion

Information extortion is an attacker or formerly trusted insider stealing information from a computer system and demanding compensation for its return or non-use

Extortion found in credit card number theft

Slide 33

Sabotage or Vandalism

Individual or group who wants to deliberately sabotage operations of a computer system or business or perform acts of vandalism to either destroy an asset or damage image of the organization

Threats can range from petty vandalism to organized sabotage

Organizations rely on image so Web defacing can lead to dropping consumer confidence and sales

Rising threat of hacktivist or cyber-activist operations; most extreme version is cyber-terrorism

Slide 34

Theft

Illegal taking of another’s property—physical, electronic, or intellectual

Value of information suffers when it is copied and taken away without the owner’s knowledge

Physical theft can be controlled—wide variety of measures used from locked doors to guards or alarm systems

Electronic theft is more complex problem to manage and control; organizations may not even know it has occurred

Slide 35

Software Attacks

When an individual or group designs software to attack systems, they create malicious code called malware

Designed to damage, destroy, or deny service to target systems

Includes:
– Virus (macro virus or boot virus)
– Worms
– Trojan horses
– Back door or trap door
– Polymorphic
– Virus and worm "hoaxes"

Slide 36

Figure 1-8 Trojan Horse Attack

Slide 37

Forces of Nature

Forces of nature, force majeure, or acts of God are dangerous because they are unexpected and can occur with very little warning

Can disrupt not only the lives of individuals, but also the storage, transmission, and use of information

Include fire, flood, earthquake, and lightning as well as electrostatic discharge

Since it is not possible to avoid many of these threats, management must implement controls to limit damage and also prepare contingency plans for continued operations

Slide 38

Deviations in Quality of Service

Situations of product or services not delivered as expected

Information system depends on many interdependent support systems

Service issues that dramatically affect the availability of information and systems include:
– Internet service
– Communications service
– Power irregularities

Slide 39

Internet Service Issues

Loss of Internet service can lead to considerable loss in availability of information since organizations have customer sales staff and telecommuters working at remote locations

When an organization outsources its Web servers, outsourcer assumes responsibility for all Internet services as well as for hardware and operating system software used to operate the Web site

Slide 40

Communications and Other Service Provider Issues

Other utility services have potential impact

Among these are:
– Telephone
– Water & wastewater
– Trash pickup
– Cable television
– Natural or propane gas
– Custodial services

The threat of loss of services can lead to inability to function properly

Slide 41

Power Irregularities

Power irregularities are common and lead to fluctuations such as:
– Spike: momentary increase
– Surge: prolonged increase
– Sag: momentary low voltage
– Brownout: prolonged drop
– Fault: momentary loss of power
– Blackout: prolonged loss

Electronic equipment is susceptible to fluctuations; controls can be applied to manage power quality

Slide 42

Hardware Failures or Errors

Technical hardware failures or errors occur when manufacturer distributes to users equipment containing flaws

These defects can cause system to perform outside of expected parameters, resulting in unreliable service or lack of availability

Some errors are terminal, in that they result in unrecoverable loss of equipment; some errors are intermittent, in that they only periodically manifest, resulting in faults that are not easily repeated

Slide 43

Software Failures or Errors

This category of threats comes from purchasing software with unrevealed faults

Large quantities of computer code are written, debugged, published, and sold only to determine that not all bugs were resolved

Sometimes, unique combinations of certain software and hardware reveal new bugs

Sometimes, these items aren’t errors, but are purposeful shortcuts left by programmers for honest or dishonest reasons

Slide 44

Obsolescence

When infrastructure becomes antiquated or outdated, it leads to unreliable and untrustworthy systems

Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity to threats and attacks

Ideally, proper planning by management should prevent risks from technology obsolescence, but when obsolescence is identified, management must take action

Slide 45

Attacks

An attack is a deliberate act that exploits vulnerability

Accomplished by threat agent to damage or steal organization’s information or physical asset
– Exploit is a technique to compromise a system
– Vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective
– Attack is the use of an exploit to achieve the compromise of a controlled system

Slide 46

Malicious Code

This kind of attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information

The state of the art in attacking systems is the multi-vector worm using up to six attack vectors to exploit a variety of vulnerabilities in commonly found information system devices

Slide 47

Table 1-2 Attack Replication Vectors

Slide 48

Attack Descriptions

"Hoaxes": a more devious approach to attacking computer systems is transmission of a virus hoax, with a real virus attached

Back doors: using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource

Password crack: attempting to reverse calculate a password

Slide 49

Attack Descriptions (continued)

Brute force: the application of computing and network resources to try every possible combination of options of a password

Dictionary: the dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guide guesses

Slide 50

Attack Descriptions (continued)

Denial-of-service (DoS): attacker sends a large number of connection or information requests to a target; so many requests are made that the target system cannot handle them successfully along with other, legitimate requests for service
– May result in a system crash or merely an inability to perform ordinary functions

Distributed denial-of-service (DDoS): attack in which a coordinated stream of requests is launched against a target from many locations at the same time
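The DoS/DDoS distinction on this slide is also the distinction a detector has to make. The following is an added example, not code from the textbook or the course: it buckets a constructed connection log into fixed windows and flags a window as DoS when a single source exceeds a per-source limit, and as DDoS when the aggregate exceeds a limit while no individual source does. The log format, thresholds, window size and addresses are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Thresholds and window size are assumptions for this example; tune them to
# the normal request rate of the service being protected.
WINDOW_SECONDS = 10      # width of each rate-measurement window
PER_SOURCE_LIMIT = 50    # one source at or above this in a window -> DoS
AGGREGATE_LIMIT = 200    # window total at or above this, no heavy source -> DDoS


def parse_line(line):
    """Parse a constructed '<ISO timestamp> <source-ip> <request>' log line."""
    ts, src, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts), src


def classify_windows(lines):
    """Bucket requests into fixed windows and label each window.

    Returns [(window_index, label, detail), ...] with label 'normal', 'dos'
    or 'ddos'. A per-source threshold alone only catches the single-source
    flood; the aggregate check is what exposes a distributed attack in which
    every individual source stays under the per-source limit.
    """
    events = [parse_line(line) for line in lines if line.strip()]
    if not events:
        return []
    start = min(ts for ts, _ in events)
    windows = {}
    for ts, src in events:
        idx = int((ts - start).total_seconds() // WINDOW_SECONDS)
        windows.setdefault(idx, Counter())[src] += 1

    results = []
    for idx in sorted(windows):
        counts = windows[idx]
        total = sum(counts.values())
        heavy = sorted((src, n) for src, n in counts.items() if n >= PER_SOURCE_LIMIT)
        detail = {"sources": len(counts), "total": total, "heavy": heavy}
        if heavy:
            results.append((idx, "dos", detail))
        elif total >= AGGREGATE_LIMIT:
            results.append((idx, "ddos", detail))
        else:
            results.append((idx, "normal", detail))
    return results


def _requests(offset_seconds, src, n):
    """Build n constructed log lines from src, offset_seconds into the trace."""
    base = datetime(2010, 8, 30, 10, 0, 0) + timedelta(seconds=offset_seconds)
    return [f"{base.isoformat()} {src} GET /index.html" for _ in range(n)]


# Constructed trace (RFC 5737 documentation addresses):
#   window 0: five clients, four requests each -> normal
#   window 1: one host sends 80 requests       -> DoS
#   window 2: sixty hosts, four requests each  -> 240 total, none heavy -> DDoS
SAMPLE_LOG = (
    [line for i in range(5) for line in _requests(0, f"192.0.2.{i + 1}", 4)]
    + _requests(10, "203.0.113.7", 80)
    + [line for i in range(60) for line in _requests(20, f"198.51.100.{i + 1}", 4)]
)

if __name__ == "__main__":
    for idx, label, detail in classify_windows(SAMPLE_LOG):
        print(f"window {idx}: {label} {detail}")
```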

Slide 51

Figure 1-9 Denial-of-Service Attacks

Slide 52

Attack Descriptions (continued)

Spoofing: technique used to gain unauthorized access whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host

Man-in-the-Middle: in this attack, an attacker sniffs packets from the network, modifies them, and inserts them back into the network; also called TCP hijacking

Spam: unsolicited commercial e-mail; while many consider spam a nuisance rather than an attack, it is emerging as a vector for some attacks
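The standard perimeter control against the IP spoofing described above is an anti-spoofing packet filter: a packet arriving from the Internet that claims an inside source address cannot be legitimate, and a packet leaving with a source address the organization does not own would spoof someone else. The following is an added example, not code from the textbook or the course, of such a filter; the interface names, address ranges and sample packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed topology for this example: the organization owns 192.0.2.0/24
# (an RFC 5737 documentation range) behind a firewall with two interfaces.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Source ranges that can never legitimately arrive from the Internet
# (loopback, private and link-local); a production list is longer.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str     # claimed source IP address
    dst: str     # destination IP address


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(pkt):
    """Return ('accept', reason) or ('drop', reason) for one packet.

    Ingress rule: a packet from the Internet claiming an inside source is
    spoofed, because our addresses cannot originate outside our perimeter.
    Egress rule: a packet leaving with a source we do not own would spoof a
    third party, so it is dropped as well.
    """
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop", "malformed source address"
    if pkt.iface == "outside":
        if _in_any(src, INTERNAL_NETS):
            return "drop", "spoofed: inside source address arriving from outside"
        if _in_any(src, NEVER_FROM_OUTSIDE):
            return "drop", "unroutable source address arriving from outside"
        return "accept", "external source"
    if pkt.iface == "inside":
        if not _in_any(src, INTERNAL_NETS):
            return "drop", "egress: source address is not ours"
        return "accept", "internal source"
    return "drop", f"unknown interface {pkt.iface!r}"


def decisions(packets):
    """Apply filter_packet to a batch; returns the list of verdict strings."""
    return [filter_packet(p)[0] for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.9", "192.0.2.10"),   # normal inbound
    Packet("outside", "192.0.2.5", "192.0.2.10"),     # spoofed inside address
    Packet("outside", "10.1.2.3", "192.0.2.10"),      # private range from Internet
    Packet("inside", "192.0.2.5", "203.0.113.9"),     # normal outbound
    Packet("inside", "203.0.113.77", "203.0.113.9"),  # inside host spoofing a third party
    Packet("outside", "not-an-ip", "192.0.2.10"),     # malformed
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = filter_packet(p)
        print(f"{p.iface:7} {p.src:>14} -> {p.dst:<12} {verdict:6} {reason}")
```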

Slide 53

Figure 1-10 IP Spoofing

Slide 54

Figure 1-11 Man-in-the-Middle

Slide 55

Attack Descriptions (continued)

Mail-bombing: another form of e-mail attack that is also a DoS, in which an attacker routes large quantities of e-mail to the target

Sniffer: program and/or device that can monitor data traveling over a network; can be used for both legitimate network management and for stealing information from a network

Social engineering: within the context of information security, the process of using social skills to convince people to reveal access credentials or other valuable information

Slide 56

Figure 1-12 The Nigerian National Petroleum Company

Slide 57

Attack Descriptions (continued)

"People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything."

– Kevin Mitnick

Slide 58

Attack Descriptions (continued)

Buffer overflow: application error occurs when more data is sent to buffer than it can handle; when buffer overflows, attacker can make target system execute instructions or attacker can take advantage of some other unintended consequence of the failure

Timing attack: relatively new, works by exploring contents of Web browser’s cache; can allow collection of information on access to password-protected sites
– Another attack by the same name involves attempting to intercept cryptographic elements to determine keys and encryption algorithms

Slide 59

Chapter Summary

Firewalls and network security are essential components for securing systems that businesses use to run day-to-day operations

Information security is protection of information and its critical elements, including systems and hardware that use, store, and transmit that data

C.I.A. triangle based on confidentiality, integrity, availability of info and systems that process it

CNSS Security model (McCumber Cube) provides graphical description of approach used in computer and information security

Slide 60

Chapter Summary (continued)

Computer can be subject of attack or object of attack; two types of attacks: direct and indirect

Information security not an absolute: a process, not a goal; should balance reasonable access and availability while protecting against threats

Information security performs four functions:
– Protects organization’s ability to function
– Enables safe operation of applications implemented on organization’s IT systems
– Protects data that organization collects and uses
– Safeguards technology assets of organization

Slide 61

Chapter Summary (continued)

Requires wide range of professionals and skill sets to support information security program

Information security project team includes: team leader, security policy developers, risk assessment specialists, security professionals, systems, network and storage administrators, and end users

Three types of data ownership: data owner, data custodian, and data user

Threat is object, person, or other entity that represents a constant danger to assets

Slide 62

Chapter Summary (continued)

Attack is deliberate act or action that takes advantage of vulnerability to compromise controlled system

Vulnerability is identified weakness in controlled system

Major types of attacks include: malicious code, "hoaxes" of malicious code, back doors, password cracking, DoS, DDoS, spoofing, man-in-the-middle, spam, mail bombing, sniffers, social engineering, buffer overflow, and timing attacks