Network security

THE NEED FOR NETWORK SECURITY


Transcript of Network security

Page 1: Network security

THE NEED FOR NETWORK SECURITY

Page 2: Network security

PRESENTATION OBJECTIVES:-

Understand information security services

Be aware of vulnerabilities and threats

Realize why network security is necessary

Know the elements of a comprehensive security program

The Need for Web Security

Page 3: Network security

TRENDS FOR INFORMATION :-

More information is being created, stored, processed and communicated using computers and networks

Computers are increasingly interconnected, creating new pathways to information assets

The threats to information are becoming more widespread and more sophisticated

Productivity and competitiveness are tied to the first two trends

The third trend makes it inevitable that we are increasingly vulnerable to the corruption or exploitation of information

INFORMATION IS THE MOST VALUABLE ASSET.


Page 4: Network security

Information Security Services :-

Confidentiality

Integrity

Authentication

Non-repudiation

Access Control

Availability

Page 5: Network security

Information Security Services

Confidentiality: Maintaining the privacy of data

Integrity: Detecting that the data is not tampered with

Authentication: Establishing proof of identity

Non-repudiation: Ability to prove that the sender actually sent the data

Access Control: Access to information resources is regulated

Availability: Computer assets are available to authorized parties when needed


Page 6: Network security

What Is The Internet?


Page 7: Network security

Why Is Internet Security a Problem?

Security not a design consideration

Implementing change is difficult

Openness makes machines easy targets

Increasing complexity


Page 8: Network security

Common Network Security Problems

Network eavesdropping

Malicious Data Modification

Address spoofing (impersonation)

‘Man in the Middle’ (interception)

Denial of Service attacks

Application layer attacks


Page 9: Network security

Security Incidents are Increasing:-


[Figure: Sophistication of Hacker Tools and Technical Knowledge Required (High to Low), 1980 to 2000. From Cisco Systems.]

Page 10: Network security

Problem is Worsening


[Figure: Internet Security Violations by year, 1988 to 2001 (vertical axis 10000 to 60000), annotated with Jerusalem, Tequila, Michelangelo, Good Times, Melissa & ILOVEYOU, Anna Kournikova, Code Red, Nimda, Badtrans.]

Source: CERT® Coordination Center, Carnegie Mellon

Page 11: Network security

VIRUSES

Risk  Threat             Discovered   Protection
      TROJ_SIRCAM.A      New !!       Latest DAT
      W32.Navidad        11/03/2000   11/06/2000
      W95.MTX            8/17/2000    8/28/2000
      W32.HLLW.QAZ.A     7/16/2000    7/18/2000
      VBS.Stages.A       6/16/2000    6/16/2000
      VBS.LoveLetter     5/04/2000    5/05/2000
      VBS.Network        2/18/2000    2/18/2000
      Wscript.KakWorm    12/27/1999   12/27/1999
      W32.Funlove.4099   11/08/1999   11/11/1999
      PrettyPark.Worm    6/04/1999    6/04/1999
      Happy99.Worm       1/28/1999    1/28/1999


Page 12: Network security

Consider that…

90% of companies detected computer security breaches in the last 12 months

59% cited the Internet as the most frequent origin of attack

74% acknowledged financial losses due to computer breaches

85% detected computer viruses

Source: Computer Security Institute


Page 13: Network security

WHO ARE THE OPPONENTS?

49% are inside employees on the internal network

17% come from dial-up (still inside people)

34% are from the Internet or an external connection to another company of some sort


Page 14: Network security

HACKER MOTIVATIONS

Money, profit

Access to additional resources

Experimentation and desire to learn

“Gang” mentality

Psychological needs

Self-gratification

Personal vengeance

Emotional issues

Desire to embarrass the target


Page 15: Network security


Internet Security?

Malicious Code

Viruses

Worms

Buffer Overflows

Session Hijacking

Port Scanning

Trojans

Denial of Service

Spoofing

Replay Attack

Man-in-the-middle

Page 16: Network security

What Do People Do When They Hear All These?

Take the risks!

But there are solutions

Ignoring the situation is not one of them


Page 17: Network security

THE MOST COMMON EXCUSES

So many people are on the Internet, I'm just a face in the crowd. No one would pick me out.

I'm busy. I can't become a security expert--I don't have time, and it's not important enough


No one could possibly be interested in my information

Anti-virus software slows down my processor speed too much.

I don't use anti-virus software because I never open viruses or e-mail attachments from people I don't know.

Page 18: Network security

SANS Five Worst Security Mistakes End Users Make

1. Opening unsolicited e-mail attachments without verifying their source and checking their content first.

2. Failing to install security patches, especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.

3. Installing screen savers or games from unknown sources.

4. Not making and testing backups.

5. Using a modem while connected through a local area network.


Page 19: Network security

SECURITY COUNTERMEASURES:-

THREE PHASE APPROACH

PROTECTION

DETECTION

RESPONSE


Page 20: Network security

ELEMENTS OF A COMPREHENSIVE SECURITY PROGRAM

Have Good Passwords

Use Good Antiviral Products

Use Good Cryptography

Have Good Firewalls

Have a Backup System

Audit and Monitor Systems and Networks

Have Training and Awareness Programs

Test Your Security Frequently


Page 21: Network security

CRYPTOGRAPHY

Necessity is the mother of invention, and computer networks are the mother of modern cryptography.

Ronald L. Rivest

Symmetric Key Cryptography

Public Key Cryptography

Digital Signatures


Page 22: Network security

Firewall


[Figure: firewall diagram with labels Visible IP Address, Internal Network, PC, Servers, Host]

A system or group of systems that enforces an access control policy between two networks.

Page 23: Network security


Page 24: Network security

THANK YOU


Page 25: Network security
