Title: Network Security Overview
1Network Security Overview
2Security Concerns
Privacy
Pornography
Viruses
Hacktivism
Unauthorized Access
Public Confidence
Information Theft
Denial of Service
Industrial Espionage
3The Need for Security Then
Network designed and implemented in a corporate
environment Providing connectivity only to known
parties and sites No connections to public
networks
4The Need for Security Now
5Securing Network Resources
- Hardware threats
- Environmental threats
- Electrical threats
- Maintenance threats
6Trends Affecting Network Security
What motivates companies?
7Security Expectations
- Users can perform only authorized tasks
- Users can obtain only authorized information
- Users cant cause damage to
- Data
- Applications
- Operating environment of a system
8The Goals of Network Security
- Confidentiality
- Securing data from prying eyes
- Integrity
- Authenticating the source
- Is the sender who they claim to be
- Authenticating the data
- Has the data been modified
- Availability
- Users need reasonable access to data they are
authorized to use
9Security Awareness
- Security techniques and technologies
- Methodologies for evaluating (not the same)
- Threats
- Vulnerabilities
- Risk
- Selection criteria and planning required to
implement controls - What if security is not maintained
- What is at risk
- What is the cost if a breach occurs (all costs)
- Financial
- Reputation
- Loss of the resource
- Loss of competitive advantage
10Threats, Vulnerabilities and Risk
- Threats
- Something bad
- Something that can cause harm
- Vulnerabilities
- Susceptible to attack or harm
- Without adequate protection
- Risks
- Chance of something happening
- Statistical odds
11Threats and Consequences
12Network Security Weaknesses
- Technology weaknesses
- Configuration weaknesses
- Security policy weaknesses
13Technology Weaknesses
- All computer and network technologies have
inherent security weaknesses or vulnerabilities. - Dont overlook
- Hardware issues
- Operating System issues
- Network protocol issues (even TCP/IP)
- Application vulnerabilities
14Configuration Weaknesses
- Insecure default settings
- If you left the defaults, you are dead.
- Misconfigured network equipment
- A little knowledge is a dangerous thing
- Insecure user accounts/passwords
- End-users cant be trusted to use strong pws.
- Misconfigured Internet services
- HTTP, Java, CGI, unneeded services.
15What Is a Security Policy?
- A security policy is a formal statement of the
rules by which people who are given access to an
organizations technology and information assets
must abide. - RFC 2196, Site Security Handbook
Could be applied to a family with kids!
16Security Policy Weaknesses
- Lack of a written security policy
- Internal politics
- Lack of business continuity
- Turnover in staff/management can be devastating
- Logical access controls to network equipment not
applied - Security administration is lax, including
monitoring and auditing - Lack of awareness of having been attacked
- Software or hardware installation and changes
that dont follow the policy - Security incident and disaster recovery
procedures not in place
17Security Resources
- SecurityFocus.comhttp//www.securityfocus.com
- SANShttp//www.sans.org
- Security Policy Project free templates
- Masters Degrees in Security
- CERThttp//www.cert.org
- Center of Internet security expertise at Carnegie
Mellon U - CIAChttp//www.ciac.org/ciac
- US Dept of Energy
- CVEhttp//cve.mitre.org
- Common Vulnerabilities and Exposures Homeland
Security - Computer Security Institutehttp//www.gocsi.com
- Center for Internet Securityttp//www.cisecurity.
org
18National Security Agency (NSA) Guides
http//www.nsa.gov/snac/
19Fin