Information Security - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

Information Security

Description:

What methods could be taken to compromise those resources? ... Network administrators overlooking security flaws in network design, hard-ware ... – PowerPoint PPT presentation

Number of Views:55
Avg rating:3.0/5.0
Slides: 37
Provided by: ING139
Category:

less

Transcript and Presenter's Notes

Title: Information Security


1
Information Security
2
Risk Assessment
  • A thorough analysis of an organizations
    vulnerability to security breaches and an
    identification of its potential losses.
  • A risk assessment should answer the following
    questions
  • What resources or assets are at risk?
  • What methods could be taken to compromise those
    resources?
  • Who or what are the most likely threats to
    resources?
  • What is the probability that the organization or
    its resources will be compromised?
  • What are the consequences of those resources
    being compromised?

3
Risk Assessment
4
Security Policy Goals
  • Ensure that authorized users have appropriate
    access to the resources they need
  • Prevent unauthorized users from gaining access to
    facilities, cabling, devices, systems, programs,
    or data
  • Protect sensitive data from unauthorized access,
    from individuals both internal and external to
    the organization
  • Prevent accidental or intentional damage to
    hardware, facilities, or software
  • Create an environment in which the network and
    its connected nodes can withstand and, if
    necessary, quickly respond to and recover from
    any type of threat

5
Security Policy Content
  • What types of security policies should be
    defined
  • Password policy
  • Software installation policy
  • Confidential and sensitive data policy
  • Network access policy
  • Telephone use policy
  • E-mail use policy
  • Internet use policy
  • Remote access policy
  • Cable Vault and Equipment room access policy.

6
Response Policy
  • Response Team roles
  • Dispatcher the person on call who first notices
    or is alerted to the problem.
  • Manager - The team member who coordinates the
    resources necessary to solve the problem.
  • Technical support specialists - The team members
    who strive to solve the problem as quickly as
    possible.
  • Public relations specialist - The team member who
    acts as official spokesperson for the
    organization to the public.

7
Common Security Risks
  • Human Error, Ignorance, and Omission
  • These cause more than half of all security
    breaches sustained by voice and data networks.
  • Social engineering strategy - involves
    manipulating social relationships to gain access
    to restricted resources.

8
Human Error, Ignorance, and Omission
  • Risks include
  • Intruders or attackers using social engineering
    or snooping to obtain user passwords.
  • Network administrators overlooking security flaws
    in network design, hard-ware configuration,
    operating systems, or applications.
  • Network administrators overlooking security flaws
    in network design, hard-ware configuration,
    operating systems, or applications.
  • An unused computer or terminal left logged on to
    the network, thereby providing an entry point for
    an intruder.
  • Users or administrators choosing easy-to-guess
    passwords.

9
Passwords Security
  • Guidelines for choosing passwords
  • Always change system default passwords after
    installing new programs or equipment.
  • Do not use familiar information, such as your
    birth date, anniversary, pets name, childs
    name, etc.
  • Do not use any word that might appear in a
    dictionary.
  • Make the password longer than six characters -
    the longer, the better.
  • Change your password at least every 60 days, or
    more frequently, if desired.

10
Physical Security
  • Locations on voice and data networks that warrant
    physical security
  • Inside a central office
  • Cable vaults
  • Equipment rooms
  • Power sources (for example, a room of batteries
    or a fuel tank)
  • Cable runs (ceiling and floor)
  • Work areas (anyplace where networked workstations
    and telephones are located)

11
Physical Security
  • Locations on voice and data networks that warrant
    physical security
  • Outside telecommunications facilities
  • Serving area interfaces and remote switching
    facilities
  • Exterior cross-connect boxes
  • Wires leading to or between telephone poles
  • Base stations and mobile telephone switching
    offices used with cellular telephone networks
  • Inside a business
  • Entrance facilities
  • Equipment room (where servers, private switching
    systems, and connectivity devices are kept)
  • Telecommunications closet

12
Physical Security
13
Physical Security
  • Relevant questions
  • Which rooms contain critical systems,
    transmission media, or data and need to be
    secured?
  • How and to what extent are authorized personnel
    granted entry?
  • Are authentication methods (such as ID badges)
    difficult to forge or circumvent?
  • Do supervisors or security personnel make
    periodic physical security checks?
  • What is the plan for documenting and responding
    to physical security breaches?

14
Remote Access
  • Modems are notorious for providing hackers with
    easy access to networks.
  • Although modem ports on connectivity devices can
    open access to significant parts of a network,
    the more common security risks relate to modems
    that users attach directly to their workstations.
  • When modems are attached directly to networked
    computers, they essentially provide a back door
    into the network.
  • War dialers - computer programs that dial
    multiple telephone numbers in rapid succession,
    attempting to access and receive a handshake
    response from a modem.

15
Encryption
  • The use of an algorithm to change data into a
    format that can be read only by reversing the
    algorithm.
  • Encryption ensures that
  • Data can only be viewed and voice signals can
    only be heard by their intended recipient (or at
    their intended destination).
  • Data or voice information was not
    modified/altered after the sender transmitted it
    and before the receiver picked it up.
  • Data or voice signals received at their intended
    destination were truly issued by the stated
    sender and not forged by an intruder.

16
Key Encryption
17
Private Key Encryption
18
Public Key Encryption
  • Data is encrypted using two keys One is a key
    known only to a user (a private key) and the
    other is a public key associated with the user.
  • Public-key server - a publicly accessible host
    (often, a server connected to the Internet) that
    freely provides a list of users public keys.
  • Key pair - The combination of the public key and
    private key .
  • Digital certificate - a password-protected and
    encrypted file that holds an individuals
    identification information, including a public
    key.

19
Public Key Encryption
20
Encryption Methods
  • Kerberos - a cross-platform authentication
    protocol that uses key encryption to verify the
    identity of clients and to securely exchange
    information after a client logs on to a system.
  • PGP (Pretty Good Privacy) - a public key
    encryption system that can verify the
    authenticity of an e-mail sender and encrypt
    e-mail data in transmission.
  • IPSec (Internet Protocol Security) - defines
    encryption, authentication, and key management
    for TCP/IP transmissions.

21
Encryption Methods
  • SSL (Secure Sockets Layer) - a method of
    encrypting TCP/IP transmissions between a client
    and server using public key encryption
    technology.
  • When a Web pages URL begins with the prefix
    HTTPS, it is requires its data be transferred
    from server to client and vice versa using SSL
    encryption.
  • Each time a client and server establish an SSL
    connection, they also establish a unique SSL
    session.
  • Handshake protocol - authenticates the client and
    server to each other and establishes terms for
    how they will securely exchange data.

22
Eavesdropping
  • The use of a transmission or recording device to
    capture conversations without the consent of the
    speakers.
  • Eavesdropping can be accomplished in one of four
    ways in wired circuits
  • Bugging
  • Listening on one of the parties telephone
    extensions
  • Using an RF receiver to pick up inducted current
    near a telephone wire pair
  • Wiretapping, or the interception of a telephone
    conversation by accessing the telephone signal

23
Eavesdropping
24
Private Switch Security
  • A hacker might want to gain access to a PBX in
    order to
  • Eavesdrop on telephone conversations, thus
    obtaining proprietary information
  • Use the PBX for making long-distance calls at the
    companys expense, a practice known as toll fraud
  • Flood the PBX with such a high volume of signals
    that it cannot process valid calls, a practice
    known as a denial-of-service attack
  • Use the PBX as a connection to other parts of a
    telephone network, such as voice mail, ACD, or
    paging systems

25
Voice Mail Security
  • Voice mail - the service that allows callers to
    leave messages for later retrieval, is a popular
    access point for hackers.
  • If a hacker obtains access to a voice mail
    systems administrator mailbox, they can set up
    additional mailboxes for private use. Valid voice
    mail users will never notice.
  • Privacy breaches - if a hacker guesses the
    password for a mailbox, they can listen to the
    messages in that users mailbox.

26
Telecommunications Firewall
  • A type of fire-wall that monitors incoming and
    outgoing voice traffic and selectively blocks
    telephone calls between different areas of a
    voice network.
  • Performs the following functions
  • Prevents incoming calls from certain sources from
    reaching the PBX
  • Prevents certain types of outgoing calls from
    leaving the voice network
  • Can prevents all outgoing calls during specified
    time periods
  • Collects information about each incoming and
    outgoing call
  • Detects signals or calling patterns
    characteristic of intrusion attempts, immediately
    terminates the suspicious connection, and then
    alerts the system administrator of the potential
    breach

27
Telecommunications Firewall
28
Network Operating System
  • To begin planning client-server security, every
    network administrator should determine which
    resources on the server all users need to access.
  • Network administrators typically group users
    according to their security levels as this
    simplifies the process of granting users
    permissions to resources.
  • Attention is needed to ensure all security
    precautions are installed and monitoring the
    network operating system.
  • Updates and security patches to servers NOS
    software should be performed or monitored to
    ensure the highest level of security is currently
    implemented.

29
Network Operating System
  • Restrictions on network resources may include
  • Time of day - Use of logon IDs can be valid only
    during specific hours, for example, between 800
    A.M. and 500 P.M.
  • Total time logged in - Use of logon IDs may be
    restricted to a specific number of hours per day.
  • Source address - Use of logon IDs can be
    restricted to certain workstations or certain
    areas of the network
  • Unsuccessful logon attempts - As with PBX
    security, use of data network security allows
    administrators to block a connection after a
    certain number of unsuccessful logon attempts.

30
Firewall
  • Packet-filtering firewall - a device that
    operates at the Data Link and Transport layers of
    the OSI model.

31
Firewall
  • Traffic can be filtered based on criteria/policy
  • Source and destination IP addresses
  • Source and destination ports
  • Use of the TCP, UDP, or ICMP transport protocols
  • A packets status as the first packet in a new
    data stream or a subsequent packet
  • A packets status as inbound or outbound to or
    from a private network

32
Firewall
  • Factors to be considered when choosing a
    firewall
  • Does the firewall support encryption?
  • Does the firewall support user authentication?
  • Does the firewall allow the network administrator
    to manage it centrally and through a standard
    interface?
  • How easily can you establish rules for access to
    and from the firewall?
  • Does the firewall support filtering at the
    highest layers of the OSI model, not just at the
    Data Link and Transport layers?

33
Proxy Servers
  • Proxy server (Gateway) - a specialized network
    host that runs a proxy service (software).
  • Proxy servers manage security at all layers of
    the OSI model.
  • On a network, a proxy server is placed between
    the private and public parts of a network.
  • Proxy service - a software application on a
    network host that acts as an intermediary between
    the external and internal networks, screening all
    incoming and outgoing traffic.

34
Proxy Servers
35
Cellular Network Security
  • Hackers intent on obtaining private information
    can find ways to listen in on cellular
    conversations.
  • Potentially more damaging than eavesdropping is
    cellular telephone fraud.
  • cellular telephone cloning - occurs when a hacker
    obtains a cellular telephones electronic serial
    number (ESN), and then reprograms another handset
    to use that ESN.
  • To combat cloning fraud, cellular telephones that
    use CDMA and TDMA technology transmit their ESN
    numbers in encrypted form.

36
Wireless WAN Security
  • War driving - searching for unprotected wireless
    networks by driving around with a laptop
    configured to receive and capture wireless data
    transmissions.
  • Wired Equivalent Privacy (WEP) standard - a key
    encryption technique that assigns keys to
    wireless nodes.
  • Extensible Authentication Protocol (EAP) -
    defined by the IETF in RFC 2284.
  • Does not perform encryption. Instead, it is used
    with separate encryption and authentication
    schemes.
Write a Comment
User Comments (0)
About PowerShow.com