Network Security Overview

1
Network Security Overview

• By
• Bob Larson

2
Security Concerns
Privacy
Pornography
Viruses
Hacktivism
Unauthorized Access
Public Confidence
Information Theft

Denial of Service
Industrial Espionage
3
The Need for Security Then
Network designed and implemented in a corporate
environment Providing connectivity only to known
parties and sites No connections to public
networks
4
The Need for Security Now
5
Securing Network Resources

• Hardware threats
• Environmental threats
• Electrical threats
• Maintenance threats

6
Trends Affecting Network Security
What motivates companies?
7
Security Expectations

• Users can perform only authorized tasks
• Users can obtain only authorized information
• Users cant cause damage to
• Data
• Applications
• Operating environment of a system

8
The Goals of Network Security

• Confidentiality
• Securing data from prying eyes
• Integrity
• Authenticating the source
• Is the sender who they claim to be
• Authenticating the data
• Has the data been modified
• Availability
• Users need reasonable access to data they are
  authorized to use

9
Security Awareness

• Security techniques and technologies
• Methodologies for evaluating (not the same)
• Threats
• Vulnerabilities
• Risk
• Selection criteria and planning required to
  implement controls
• What if security is not maintained
• What is at risk
• What is the cost if a breach occurs (all costs)
• Financial
• Reputation
• Loss of the resource
• Loss of competitive advantage

10
Threats, Vulnerabilities and Risk

• Threats
• Something bad
• Something that can cause harm
• Vulnerabilities
• Susceptible to attack or harm
• Without adequate protection
• Risks
• Chance of something happening
• Statistical odds

11
Threats and Consequences
12
Network Security Weaknesses

• Technology weaknesses
• Configuration weaknesses
• Security policy weaknesses

13
Technology Weaknesses

• All computer and network technologies have
  inherent security weaknesses or vulnerabilities.
• Dont overlook
• Hardware issues
• Operating System issues
• Network protocol issues (even TCP/IP)
• Application vulnerabilities

14
Configuration Weaknesses

• Insecure default settings
• If you left the defaults, you are dead.
• Misconfigured network equipment
• A little knowledge is a dangerous thing
• Insecure user accounts/passwords
• End-users cant be trusted to use strong pws.
• Misconfigured Internet services
• HTTP, Java, CGI, unneeded services.

15
What Is a Security Policy?

• A security policy is a formal statement of the
  rules by which people who are given access to an
  organizations technology and information assets
  must abide.
• RFC 2196, Site Security Handbook

Could be applied to a family with kids!
16
Security Policy Weaknesses

• Lack of a written security policy
• Internal politics
• Lack of business continuity
• Turnover in staff/management can be devastating
• Logical access controls to network equipment not
  applied
• Security administration is lax, including
  monitoring and auditing
• Lack of awareness of having been attacked
• Software or hardware installation and changes
  that dont follow the policy
• Security incident and disaster recovery
  procedures not in place

17
Security Resources

• SecurityFocus.comhttp//www.securityfocus.com
• SANShttp//www.sans.org
• Security Policy Project free templates
• Masters Degrees in Security
• CERThttp//www.cert.org
• Center of Internet security expertise at Carnegie
  Mellon U
• CIAChttp//www.ciac.org/ciac
• US Dept of Energy
• CVEhttp//cve.mitre.org
• Common Vulnerabilities and Exposures Homeland
  Security
• Computer Security Institutehttp//www.gocsi.com
• Center for Internet Securityttp//www.cisecurity.
  org

18
National Security Agency (NSA) Guides
http//www.nsa.gov/snac/
19
Fin