COMP1321 Networks in Organisations Richard Henson March 2014.


Page 1: Title

COMP1321

Networks in Organisations

Richard Henson

March 2014

Page 2: Protecting Organisational Data

By the end of this session you should be able to:
– explain why the internal network user is potentially a threat
– explain the importance of protecting entry to the network by outsiders
– suggest ways to identify vulnerabilities of the network, so action can be taken to reduce the risk

Page 3: Network Management

A network manager has two (conflicting?) responsibilities:
– provide facilities and services that users need to do their jobs
– protect the network against abuse by naïve or malign users

General perception (by users!)…
– network managers are more concerned with “protecting the network” than servicing the needs of its users

Page 4: The “good insider”… Threat (?)

Users: employees, who (generally) want to do their job, and do it well…

Possible conflict with the “security-orientated” or “nanny-state” approach to network management

Personal opinion: needs balance
– the network IS there for the benefit of the users…
» fulfil business objectives
– the network MUST be as secure as reasonably possible
» protect valuable company data

Page 5: “Unthinking” insiders

Employees who do stupid things on the network:
– bring in viruses
– spread passwords around
– forward email inappropriately
– engage with phishing emails…
– etc…

Page 6: Bad Insiders

Could be disillusioned
– just plain corrupt
– maybe a temp?

Could cause real damage
– bring network down
– put company out of business…

Page 7: What to do about the Insider Threat?

A matter for organisational management:
– Establish policy
» negotiated with users…
– Educate/train users
– Enable breaches of policy to be detected…
– Enforce policy!
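Slide 5 lists “spread passwords around” as a typical unthinking-insider mistake and slide 7 asks that breaches of policy be detectable. The following is an added example, not part of the original slides: a small detector that reads authentication log lines and flags any user ID that logs on successfully from more than a set number of distinct hosts inside a short window, a pattern consistent with a shared password. The log format, the sample lines, the ten-minute window and the host threshold are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from any real system).
# Each line: ISO timestamp, user ID, source host, result.
SAMPLE_LOG = """\
2014-03-03T09:00:12 user=jsmith host=PC-101 result=ok
2014-03-03T09:02:45 user=jsmith host=PC-233 result=ok
2014-03-03T09:03:10 user=jsmith host=LAPTOP-7 result=ok
2014-03-03T09:05:00 user=alee host=PC-150 result=ok
2014-03-03T09:30:00 user=alee host=PC-150 result=ok
2014-03-03T11:15:00 user=jsmith host=PC-101 result=ok
"""


def parse_line(line):
    """Split one log line into (timestamp, user, host, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["host"], fields["result"]


def find_shared_accounts(log_text, window=timedelta(minutes=10), max_hosts=2):
    """Return {user: sorted list of hosts} for every user seen logging on
    successfully from more than max_hosts distinct hosts within any window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = parse_line(line)
        if result == "ok":          # failed attempts are a different signal
            events[user].append((ts, host))

    flagged = {}
    for user, evs in events.items():
        evs.sort()                  # chronological order
        for i, (t0, _) in enumerate(evs):
            # hosts used from this event up to `window` later
            hosts = {h for t, h in evs[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(SAMPLE_LOG).items():
        print(f"possible shared credential: {user} from {', '.join(hosts)}")
```

On the constructed log, jsmith is flagged (three hosts in three minutes) while alee, who used one machine all morning, is not. A real deployment would tune the window and threshold to the organisation's own working patterns so that legitimate roaming users do not generate noise.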

Page 8: What about Outsiders?

Two types:
– employees working “in the field”
– the rest of the world…

Organisational management can’t enforce policy on the latter…
– network only protected through good, well-resourced network management

Page 9: Firewalls

[Diagram: INTERNET <-> Firewall <-> Internal Network]

Firewalls: checking/blocking data coming in and out…
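To make the “checking/blocking data coming in and out” concrete, here is an added example (not from the slides) of the core of a packet filter: an ordered rule list evaluated first-match-wins, with a deny default for anything that matches no rule. The addresses, the internal range, the single published service and the rule semantics are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port
    proto: str      # "tcp" or "udp"
    direction: str  # "in" (from the Internet) or "out" (to the Internet)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in", "out" or "any"
    src: str = "0.0.0.0/0"      # CIDR; default matches every source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


INTERNAL = "10.0.0.0/8"  # constructed internal address range

# Constructed ruleset: order matters, the first matching rule decides.
RULESET = [
    Rule("allow", "out", src=INTERNAL),                                # staff may reach the Internet
    Rule("allow", "in", dst="10.0.1.10/32", proto="tcp", dport=443),   # only the public web server, https only
    Rule("deny", "in"),                                                # everything else from outside is blocked
]


def evaluate(packet: Packet, rules=RULESET, default="deny") -> str:
    """Return the action for a packet: first matching rule wins, else the default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


if __name__ == "__main__":
    samples = [
        Packet("10.0.5.20", "203.0.113.7", 80, "tcp", "out"),   # user browsing out
        Packet("198.51.100.9", "10.0.1.10", 443, "tcp", "in"),  # outsider to web server
        Packet("198.51.100.9", "10.0.1.10", 22, "tcp", "in"),   # outsider trying SSH
        Packet("198.51.100.9", "10.0.2.5", 443, "tcp", "in"),   # outsider to an internal host
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, p.dport, evaluate(p))
```

Two points the slide's diagram cannot show: the default at the end of the list is what protects hosts nobody thought to write a rule for, and rule order is itself a security control. Swapping the deny rule ahead of the web-server allow would silently take the public service offline, which is why rule changes need review and testing.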

Page 10: Do we have a problem?

Perceptions “from the inside” quite different from “outside looking in”

Page 11: Should we find out…?

Almost impossible to tell if the network is secure from within…
– could just hope so (!)
– could go outside, and try to penetrate defences
– better still, the organisation could get a benign expert to do it for them…

Page 12: Assuming no security…

Data cannot be made completely secure if it uses a public network
– naïve to think so

Also (especially…) true on a wireless public network
– necessary to have a system that ensures data that is hacked en route is unintelligible

Page 13: Authentication had better be good…

Generally means control via the desktop or application layer
– Browser/Windows desktop

If Internet-based, should use PKI
» public-key encrypted email
  user digital certificate tied to computer & email address
» public-key encrypted web pages
  use https protocol
  server has an SSL certificate

Page 14: End-device controlled security

Two types of identification (as in previous e.g.):
– via computer (device) ID
– via user ID

Either/both can (should?) have a password to control access
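The slide's “either/both” is shown below as an added example that is not part of the original slides: a tiny directory that checks a user ID with a password and, separately, whether that user is registered on the device they are connecting from, granting access only when both checks pass. Passwords are stored as salted PBKDF2 hashes rather than in clear, the comparison is constant-time, and an unknown user costs the same time as a known one so the response does not reveal which check failed. The user, password, device IDs and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value; raise as hardware allows)


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password do not end up with the same stored hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


# Dummy record so that a lookup of an unknown user still runs a full hash.
_DUMMY = hash_password("placeholder")


class Directory:
    def __init__(self):
        self.users = {}    # user ID -> (salt, digest)
        self.devices = {}  # device ID -> set of user IDs permitted to log on from it

    def add_user(self, user, password):
        self.users[user] = hash_password(password)

    def register_device(self, device, user):
        self.devices.setdefault(device, set()).add(user)

    def authenticate(self, user, password, device):
        """Both identifications must hold: the password proves the user,
        the device registration proves the machine. Returns a single yes/no."""
        salt, digest = self.users.get(user, _DUMMY)
        password_ok = verify_password(password, salt, digest) and user in self.users
        device_ok = user in self.devices.get(device, set())
        return password_ok and device_ok


def build_demo():
    """Constructed directory with one user registered on one device."""
    d = Directory()
    d.add_user("jsmith", "correct horse battery staple")
    d.register_device("PC-101", "jsmith")
    return d


if __name__ == "__main__":
    d = build_demo()
    print("right password, registered device:", d.authenticate("jsmith", "correct horse battery staple", "PC-101"))
    print("right password, unknown device:   ", d.authenticate("jsmith", "correct horse battery staple", "PC-999"))
```

Requiring the device registration as well as the password is what turns a stolen or shared password (slide 5) from a complete compromise into a partial one: the attacker still needs a registered machine.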

Page 15: Security & Privacy

Closely related technologies
– important differences

Privacy
– about informational self-determination
» ability to decide what information about you goes where

Security
– offers the ability to be confident that privacy decisions are respected

Page 16: Privacy, Security, and Websites

Many potential vulnerabilities…
– openly displayed “sensitive” text
– “Hidden” web pages not really hidden
– Access to web server, or ftp server, by finding website administrator’s details…
– Hacking web databases via SQL Injection…
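The last bullet is the one a web developer can fix directly. As an added example that is not part of the original slides, the code below puts the vulnerable pattern (building the SQL text by string concatenation) next to the corrected one (parameter binding) against a constructed in-memory SQLite table, so the difference in behaviour can be seen rather than described. The table, its rows and the probe string are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed user table held in memory (not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "staff")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The user-supplied value becomes part of the SQL statement itself,
    # so quote characters in it change the meaning of the query.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameter binding: the statement is fixed and the value is passed
    # separately, so whatever it contains is treated only as data.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input that closes the quoted string and appends an
# always-true condition; it is the textbook illustration of the flaw.
PROBE = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "alice"))
    print("vulnerable, probe input: ", lookup_vulnerable(conn, PROBE))
    print("safe, probe input:       ", lookup_safe(conn, PROBE))
```

With the probe input the concatenated query returns every row in the table, whereas the parameterised query returns nothing because no user is literally named `x' OR '1'='1`. Input validation on its own is not the fix; binding parameters (or an equivalent prepared-statement API) is.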

Page 17: Privacy, Security and Mobile Networks

Mobile voice privacy
– can someone listen in on my call?
» privacy goal: allow user to say no
» security technology, e.g. encryption: allows user to enforce it

Sometimes goals of security and privacy are the same
– other times orthogonal, or even in conflict

Page 18: Security/Privacy v Availability

“I want it all, and I want it now…”
– http://www.youtube.com/watch?v=1pm4fQRl72k

“Only if your request conforms with the rules…”
– society: bad for other people
– organisational: confidentiality
– personal: human rights

Page 19: Balancing Rules on Privacy/Security

Ideal:
– keeps the data secure…
– allows the user freedom to do their job, participate in legitimate leisure activity, etc.

Unnecessarily restrictive or unexplained rules…
– users get frustrated…

Page 20: NOT Getting the balance right…

Worrying survey & report (BBC, 19/11/10):
http://www.bbc.co.uk/news/business-11793436

BBC’s own network users so frustrated about IT restrictions stopping them doing their jobs that many (typically 41% according to a CISCO survey) ignored the rules!

Is it the same everywhere? Is it any better today?