Essentials Of Security

S. Vamshidhar Babu CCNA, MCSE, CEH, CHFI, GNIIT Team Lead AppLabs
Date posted: 19-Oct-2014

Category: Technology


Description: Basics of Computer Security

Transcript of Essentials Of Security

Page 1: Essentials Of Security

S. Vamshidhar Babu, CCNA, MCSE, CEH, CHFI, GNIIT

Team Lead, AppLabs

Page 2: Essentials Of Security

Agenda

  • Security Fallacies
  • What is Security?
  • How to Secure?
  • Layers of Security
  • Operational model of Computer Security
  • Security Principles
  • Security Concerns
  • Poor Security =
  • Challenges When Implementing Security
  • Threat Modeling
  • Overview of Security technology

Page 3: Essentials Of Security

Security Fallacies

  • We have antivirus software, so we are secure
  • We have a firewall, so we are secure
  • The most serious threats come from the outside
  • I don’t care about security because I back up my data daily
  • Responsibility for security rests with IT security staff.

Page 4: Essentials Of Security

What is Security?

It is a technique for ensuring that data stored in a computer cannot be read or compromised by any individuals without authorization.

Page 5: Essentials Of Security

How to Secure?

  • What assets are you trying to protect?
  • What are the risks to those assets?
  • How are you trying to protect them?
  • How well does your solution work?
  • What other risks does your solution introduce?

Page 6: Essentials Of Security

Layers of Security

  • Physical Security
  • Host Security
  • Network Security
  • Web Application Security

Page 7: Essentials Of Security

Physical Security

Physical security consists of all mechanisms used to ensure that physical access to the computer system and networks is restricted to only authorized users.

  • Access controls, physical barriers, etc.

Page 8: Essentials Of Security

Host Security

Host security takes a granular view of security by focusing on protecting each computer and device individually instead of addressing protection of the network as a whole.

  • Authentication and Logging Mechanisms
  • Host-based IDS
  • File Integrity Checkers

Page 9: Essentials Of Security

Network Security

In network security, an emphasis is placed on controlling access to internal computers from external entities.

  • Firewalls
  • Intrusion Detection Systems (IDS)
  • Access Controls on network devices
  • Vulnerability Scanners

Page 10: Essentials Of Security

Web Application Security

A Web application is an application, generally comprised of a collection of scripts, that resides on a Web server and interacts with databases or other sources of dynamic content.

Examples of Web applications include search engines, Webmail, shopping carts and portal systems.

Page 11: Essentials Of Security

Web Application Security

  • Application attacks are the latest trend when it comes to hacking.
  • On average, 90% of all dynamic content sites have vulnerabilities associated with them.
  • No single web server and database server combination has been found to be immune!

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer” - Gartner

Page 12: Essentials Of Security

Basic Security Terminology

CIA

  • Confidentiality
  • Integrity
  • Availability

AAA

  • Authorization
  • Access Control
  • Authentication

Page 13: Essentials Of Security

Basic Terminology of Attacks

Vulnerability: A weakness that may lead to undesirable consequences.

Threat: The danger that a vulnerability will actually occur.

Risk: A potential problem (Vulnerability + Threat + Extent of the consequences).

Example: Buffer overflow is the vulnerability, the threat would be transmission of a TCP/IP packet to cause the buffer overflow, and a system crash is the risk.

Page 14: Essentials Of Security

Operational model of Computer Security

The focus of security was on prevention. If we could prevent somebody from gaining access to our computer systems and networks, then we assumed that we had obtained security. Protection was thus equated with prevention.

Protection = Prevention + (Detection + Response)

Page 15: Essentials Of Security

Security Model

Prevention

1. Access controls
2. Firewall
3. Encryption

Detection

1. Audit Logs
2. Intrusion Detection System
3. Honeypots

Response

1. Backups
2. Incident Response teams
3. Computer Forensics

Page 16: Essentials Of Security

Security Principles

Three ways an organization can choose to address the protection of its network:

  • Ignore Security Issues
  • Provide Host Security
  • Approach security at a network level

Only the last two, host and network security, have prevention as well as detection and response components.

Page 17: Essentials Of Security

Security Concerns

Security concerns:

  • Application reliance on the Internet
  • Hacking, Cracking, Phreaking, Script kiddies
  • Internal Security attacks
  • External Security attacks
  • Viruses and Worms

Page 18: Essentials Of Security

Common Types of Attacks

  • Organizational Attacks
  • Accidental Breaches In Security
  • Automated Attacks
  • Attackers
  • Viruses, Trojan Horses, and Worms
  • Denial of Service (DoS)

[Figure labels: Connection Fails, Restricted Data, DoS]

Page 19: Essentials Of Security

Layers - Dangers

Page 20: Essentials Of Security

Examples of Security intrusions

  • CodeRed I & II
  • ILoveYou
  • Nimda
  • Sniffing
  • Spoofing
  • Trojans
  • Backdoors
  • DDoS

[Figure labels: Attacker, Virus, Trojans]

Page 21: Essentials Of Security

Poor Security = Serious damage

  • Website defacement
  • System downtime
  • Lost productivity
  • Damage to business reputation
  • Lost consumer confidence
  • Severe financial losses due to lost revenue

Page 22: Essentials Of Security

Challenges When Implementing Security

Attackers vs. Defenders

  • Attacker needs to understand only one vulnerability
  • Defender needs to secure all entry points
  • Attackers have unlimited time
  • Defender works with time and cost constraints

Security vs. Usability

  • Secure systems are more difficult to use
  • Complex and strong passwords are difficult to remember
  • Users prefer simple passwords

Do I need security

Security As an Afterthought

  • Developers and management think that security does not add any business value
  • Addressing vulnerabilities just before a product is released is very expensive

Page 23: Essentials Of Security

Threat Modeling

Threat modeling is:

  • A security-based analysis of an application
  • A crucial part of the design process

Threat modeling:

  • Reduces the cost of securing an application
  • Provides a logical, efficient process
  • Helps the development team:
      ○ Identify where the application is most vulnerable
      ○ Determine which threats require mitigation and how to address those threats

Page 24: Essentials Of Security

Overview of Security Technology

  • Encryption
  • Secure communication
  • Firewalls
  • IDS
  • Virus Protection

Page 25: Essentials Of Security

Encryption

Encryption is the process of encoding data:

  • To protect a user’s identity or data from being read
  • To protect data from being altered
  • To verify that data originates from a particular user

Encryption can be:

  • Asymmetric
  • Symmetric

Page 26: Essentials Of Security

Symmetric vs. Asymmetric Encryption

Algorithm Type: Symmetric

Description:

  • Uses one key to:
      ○ Encrypt the data
      ○ Decrypt the data
  • Is fast and efficient

Algorithm Type: Asymmetric

Description:

  • Uses two mathematically related keys:
      ○ Public key to encrypt the data
      ○ Private key to decrypt the data
  • Is more secure than symmetric encryption
  • Is slower than symmetric encryption

Page 27: Essentials Of Security

Secure Communication: How SSL Works

1. The user browses to a secure Web server by using HTTPS

2. The browser creates a unique session key and encrypts it by using the Web server’s public key, which is generated from the root certificate

3. The Web server receives the session key and decrypts it by using the server’s private key

4. After the connection is established, all communication between the browser and Web server is secure

[Figure labels: Secure Browser, HTTPS, Secure Web Server, Message, Web Server Root Certificate]
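The session-key exchange in the steps above, as an added example that is not part of the original slides. It is a teaching model, not SSL itself: the key pair is a constructed textbook RSA pair without padding, the record protection is a hash-based keystream with an HMAC tag, and every function name is hypothetical.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key pair for the server, built from two known Mersenne
# primes. Unpadded and far too small for real use; it only makes the steps visible.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus, published with E
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the server

def wrap_session_key(session_key: bytes) -> int:
    """Step 2 (browser): encrypt the session key with the server's public key."""
    return pow(int.from_bytes(session_key, "big"), E, N)

def unwrap_session_key(wrapped: int) -> bytes:
    """Step 3 (server): decrypt the session key with the server's private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def _subkey(session_key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and integrity, both derived from the session key.
    return hmac.new(session_key, label, hashlib.sha256).digest()

def _keystream(key: bytes, seq: int, length: int) -> bytes:
    blocks = (hashlib.sha256(key + seq.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(session_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Step 4: encrypt one record under the session key and append an integrity tag."""
    stream = _keystream(_subkey(session_key, b"enc"), seq, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(session_key, b"mac"), seq.to_bytes(8, "big") + ct, hashlib.sha256)
    return ct + tag.digest()

def open_record(session_key: bytes, seq: int, record: bytes) -> bytes:
    """Verify the tag first, then decrypt; altered records are rejected."""
    ct, tag = record[:-32], record[-32:]
    good = hmac.new(_subkey(session_key, b"mac"), seq.to_bytes(8, "big") + ct, hashlib.sha256)
    if not hmac.compare_digest(tag, good.digest()):
        raise ValueError("record altered in transit")
    stream = _keystream(_subkey(session_key, b"enc"), seq, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def demo() -> bytes:
    browser_key = secrets.token_bytes(16)        # unique per session
    server_key = unwrap_session_key(wrap_session_key(browser_key))
    record = seal(browser_key, 0, b"GET /account HTTP/1.1")  # constructed request
    return open_record(server_key, 0, record)
```

Only the holder of the private exponent can recover the session key from the wrapped value, which is why the server's private key is the asset to protect in this exchange.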

Page 28: Essentials Of Security

Firewalls

Firewalls can provide:

  • Secure gateway to the Internet for internal clients
  • Packet filtering
  • Application filtering

A firewall is a system or group of systems that enforces a network access control policy.

  • Filters data packets in and out of the intended target
  • Will mitigate the following attacks:
      ○ Denial of Service (DoS) Attacks
      ○ Unauthorized Access
      ○ Port-scanning and Probing

Page 29: Essentials Of Security

Intrusion Detection System (IDS)

IDS is an application which detects attacks on computer systems and / or networks.

  • Network-based Intrusion Detection
      ○ Monitors real-time network traffic for malicious activity
      ○ Similar to a network sniffer
      ○ Sends alarms for network traffic that meets certain attack patterns or signatures
  • Host-based Intrusion Detection
      ○ Monitors computer or server files for anomalies
      ○ Sends alarms for network traffic that meets a predetermined attack signature

Page 30: Essentials Of Security

Virus Protection

  • Software should be installed on all network servers, as well as computers.
  • Shall include the latest version, as well as signature files (detected viruses)
  • Should screen all software coming into your computer or network system (files, attachments, programs, etc.)

Secure from:

  • Viruses and Worms
  • Malicious Code and Trojans

Page 31: Essentials Of Security

Questions?

Page 32: Essentials Of Security

Thanks