Outline
• Introduction
• Risk assessment
• Controlling disruption, destruction and
disaster
• Controlling unauthorized access
– Preventing, detecting, and correcting
Unauthorized Access
• Best practice recommendations
Introduction
• Security - always a major business concern
– Protection of physical assets with locks, barriers,
guards, etc
– Protection of information with passwords, coding
• Introduction of computers and Internet
– Redefined the nature of information security
• Laws and enforcement
– Slow to catch up
– Now a federal crime in the U.S. (breaking into a
computer)
– New laws against cyberborder crimes; difficult to
enforce
Computer Security Incidents
• Growing at a rate of 100% per year
– 1988: a virus shut down 10% of the computers on the
Internet
→ Establishment of Computer Emergency Response
Team (CERT) with US DoD support
[Figure: Number of Incidents Reported to CERT]
Financial Impact of Security
• 2003 Computer Security Institute/FBI Computer
Crime and Security Survey
– 90% of the respondents reported security breaches in
the last 12 months
– 75% reported a financial loss due to security breaches
– Average loss: $2 million
• Worldwide total annual cost of security losses
– Exceeds $2 trillion
• Reason for the increase in security problems
– Availability of sophisticated tools to break into networks
Why Networks Need Security
• Organizations becoming vulnerable
– Becoming increasingly dependent on computers, networks
– Becoming increasingly vulnerable due to widely available
Internet access to their computers and networks
• Huge losses due to security breaches
– $2 M average loss + losses related to less consumer
confidence as a result of publicity of breaches
– Potential losses from disruption of applications (Bank of
America estimates $50 M per day)
• Protecting consumer privacy
– Strong laws against unauthorized disclosures (California:
$250 K for each such incident)
• Protecting organizations’ data and application software
– Value of data and applications >> network cost
Primary Goals in Providing Security
• Confidentiality
– Protection of customer and proprietary data from
unauthorized disclosure
• Integrity
– Assurance that data have not been altered or
destroyed
• Availability
– Providing continuous operations of hardware
and software so that parties involved can be
assured of uninterrupted service
Types of Security Threats
• Business continuity planning related threats
– Disruptions
• Loss or reduction in network service
• Could be minor or temporary (a circuit failure)
– Destruction of data
• Viruses destroying files, crash of hard disk
– Disasters (natural or manmade)
• May destroy host computers or sections of network
• Unauthorized access
– Hackers gaining access to data files and resources
– Most unauthorized access incidents involve employees
– Results: Industrial spying; fraud by changing data, etc.
Network Controls
• Mechanisms that reduce or eliminate the threats to
network security
• Types of controls:
– Preventative controls
• Mitigate or stop a person from acting or an event from
occurring (e.g., locks, passwords, backup circuits)
• Act as a deterrent by discouraging or restraining
– Detective controls
• Reveal or discover unwanted events (e.g., auditing)
• Documenting events for potential evidence
– Corrective controls
• Rectify an unwanted event or a trespass (e.g.,
reinitiating a network circuit)
Risk Assessment
• A key step in developing a secure network
• Assigns level of risks to various threats
– By comparing the nature of threats to the
controls designed to reduce them
• Use a control spreadsheet
– List down network assets on the side
– List threats across the top
– List the controls that are currently in use to
address each threat in the corresponding cells
Sample Control Spreadsheet
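Threat groups: Disruption, Destruction, Disaster (Fire, Flood, Power Loss, Circuit Failure, Virus); Unauthorized Access (External Intruder, Internal Intruder, Eavesdrop)

| Assets (with Priority) | Fire | Flood | Power Loss | Circuit Failure | Virus | External Intruder | Internal Intruder | Eavesdrop |
|---|---|---|---|---|---|---|---|---|
| (92) Mail Server | | | | | | | | |

Mission critical applications
• For example, for an Internet bank, the Web site is mission critical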
Common Security Threats
• Virus infection – most likely event
• Unauthorized access
– By internal and external hackers
– High cost to recover (both in $ and publicity)
• Device failure (not necessarily by a malicious act)
• Device theft, Natural Disaster
• Denial of Service attacks
– External attacks blocking access to the network
• Big picture messages:
– Viruses: most common threat with a fairly high cost
– Unauthorized access by employees: greater threat
Sample Control Spreadsheet
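Threat groups: Disruption, Destruction, Disaster (Fire, Flood, Power Loss, Circuit Failure, Virus); Unauthorized Access (External Intruder, Internal Intruder, Eavesdrop)

| Assets (with Priority) | Fire | Flood | Power Loss | Circuit Failure | Virus | External Intruder | Internal Intruder | Eavesdrop |
|---|---|---|---|---|---|---|---|---|
| (92) Mail Server | 1, 2 | 1, 3 | 4 | 5, 6 | 7, 8 | 9, 10, 11 | 9, 10 | |
| (90) Web Server | 1, 2 | 1, 3 | 4 | 5, 6 | 7, 8 | 9, 10, 11 | 9, 10 | |
| (90) DNS Server | 1, 2 | 1, 3 | 4 | 5, 6 | 7, 8 | 9, 10, 11 | 9, 10 | |
| (50) Computers on 6th floor | 1, 2 | 1, 3 | | | 7, 8 | 10, 11 | 10 | |
| (50) 6th floor LAN circuits | 1, 2 | 1, 3 | | | | | | |
| (80) Building A Backbone | 1, 2 | 1, 3 | | 6 | | | | |
| (70) Router in Building A | 1, 2 | 1, 3 | | | 7, 8 | 9 | 9 | |
| (30) Network Software | | | | | 7, 8 | 9, 10, 11 | 9, 10 | |
| (100) Client Database | | | | | 7, 8 | 9, 10, 11 | 9, 10 | |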
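A control spreadsheet like the sample above can be checked mechanically for empty cells. The following is an added example, not part of the original slides; it lists every asset/threat cell with no control, highest-priority asset first. Assumptions: the column placement of values in sparse rows, and the helper names `row`, `empty_cells` and `unaddressed_threats`. An empty cell is a prompt for review rather than proof of a gap, since some threats do not apply to some assets.

```python
THREATS = ["Fire", "Flood", "Power Loss", "Circuit Failure", "Virus",
           "External Intruder", "Internal Intruder", "Eavesdrop"]

def row(fire=(), flood=(), power=(), circuit=(), virus=(), ext=(), internal=(), eaves=()):
    """Build one spreadsheet row: threat name -> tuple of control numbers."""
    return dict(zip(THREATS, (fire, flood, power, circuit, virus, ext, internal, eaves)))

SERVER = row((1, 2), (1, 3), (4,), (5, 6), (7, 8), (9, 10, 11), (9, 10))
DATA = row(virus=(7, 8), ext=(9, 10, 11), internal=(9, 10))

# (priority, asset) -> row. Control numbers are transcribed from the sample
# spreadsheet; the column chosen for each value of a sparse row is an assumption.
SHEET = {
    (92, "Mail Server"): SERVER,
    (90, "Web Server"): SERVER,
    (90, "DNS Server"): SERVER,
    (50, "Computers on 6th floor"): row((1, 2), (1, 3), virus=(7, 8),
                                        ext=(10, 11), internal=(10,)),
    (50, "6th floor LAN circuits"): row((1, 2), (1, 3)),
    (80, "Building A Backbone"): row((1, 2), (1, 3), circuit=(6,)),
    (70, "Router in Building A"): row((1, 2), (1, 3), virus=(7, 8),
                                      ext=(9,), internal=(9,)),
    (30, "Network Software"): DATA,
    (100, "Client Database"): DATA,
}

def empty_cells(sheet):
    """(priority, asset, threat) for each cell with no control, highest priority first."""
    gaps = [(prio, asset, threat)
            for (prio, asset), cells in sheet.items()
            for threat in THREATS if not cells[threat]]
    return sorted(gaps, key=lambda g: -g[0])  # stable: keeps threat order per asset

def unaddressed_threats(sheet):
    """Threats for which no asset lists any control at all."""
    return [t for t in THREATS if not any(cells[t] for cells in sheet.values())]

if __name__ == "__main__":
    print("Threats with no control on any asset:", unaddressed_threats(SHEET))
    for prio, asset, threat in empty_cells(SHEET)[:8]:
        print(f"({prio}) {asset}: no control listed for {threat}")
```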
No security hole is created by distributing the public key, since B’s private key has never been distributed.
Digital Signatures
• Provide secure and authenticated message
transmission (enabled by PKE)
• Provides a proof identifying the sender
– Important for certain (legal) transactions
• Digital Signature:
– Includes the name of the sender and other key contents
(e.g., date, time, etc.)
• Use of PKE in reverse (applied to Digital
Signature part of the message only)
– Outgoing: Encrypted using the sender’s private key
– Incoming: Decrypted using the sender’s public key
• Providing evidence of who the message originated from
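The "PKE in reverse" step above, as an added example that is not part of the original slides: the signature block is transformed with the sender's private key and checked with the sender's public key, so an altered block or a signature made with another key fails verification. Assumptions: the keys are toy RSA keys built from small Mersenne primes with no padding (for illustration only), the sample signature block is constructed, and the example signs a SHA-256 hash of the block rather than the block itself.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key pair from two primes: public part (n, e), private exponent d."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}  # needs Python 3.8+

# Constructed keys so the example runs offline; far too small for real use.
KEY_A = make_key(2**61 - 1, 2**89 - 1)             # Organization A (the sender)
KEY_IMPOSTOR = make_key(2**107 - 1, 2**127 - 1)    # someone claiming to be A

# Constructed signature block: sender name plus date and time, as on the slide.
BLOCK = b"From: Organization A | Date: 2003-05-01 | Time: 10:15"

def digest(block: bytes, n: int) -> int:
    """SHA-256 of the signature block, reduced into the range of modulus n."""
    return int.from_bytes(hashlib.sha256(block).digest(), "big") % n

def sign(block: bytes, key: dict) -> int:
    """Outgoing: apply the sender's private exponent to the digest."""
    return pow(digest(block, key["n"]), key["d"], key["n"])

def verify(block: bytes, signature: int, n: int, e: int) -> bool:
    """Incoming: apply the sender's public exponent and compare with the digest."""
    return pow(signature, e, n) == digest(block, n)

if __name__ == "__main__":
    pub_n, pub_e = KEY_A["n"], KEY_A["e"]   # the only values Organization B needs
    sig = sign(BLOCK, KEY_A)
    print("genuine block:     ", verify(BLOCK, sig, pub_n, pub_e))
    altered = BLOCK.replace(b"10:15", b"23:59")
    print("altered block:     ", verify(altered, sig, pub_n, pub_e))
    forged = sign(BLOCK, KEY_IMPOSTOR)
    print("impostor signature:", verify(BLOCK, forged, pub_n, pub_e))
```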
Transmission with Digital Signatures
Organization A
Organization B
Secure Sockets Layer (SSL)
• A protocol widely used on the Web HTTP, FTP, SMTP