Business Information Security - PowerPoint PPT Presentation

Slides: 44
Provided by: drew53
Transcript and Presenter's Notes

1
Business Information Security
  • Joe Barneson
  • Sam Johnson
  • Drew Breske
  • Ela Akgun

2
Business Information Security
  • Physical Security
  • Wireless Network Security
  • Physical Network Security
  • Types and Application of Common Security Policies

3
Physical Security
  • Building Security
  • Server/Network Rooms
  • Remote Closets/Cabinets
  • Workstations and Laptops

4
Building Security
  • Out of IS security scope, but most critical
  • Restricted Access
  • Surveillance
  • First Responders (Security)

5
Server/Network Rooms
  • Restricted Access
  • Secured room entry with logged access
  • Key, Card, Biometrics, Manned Guard
  • Secured racks granting access to authorized users
    only
  • 24/7 lock-down
  • Maintenance and upgrading only
  • KVM Extenders and Switches
  • Surveillance
  • Tape or Digital
  • Motion Sensors

6
Remote Closets/Cabinets
  • Restricted Access
  • 24/7 lock-down
  • Redundant Power
  • Battery Backup (short-term)

7
Workstations and Laptops
  • Workstations should NOT store data locally
  • Weekly imaging of computers?
  • Viruses/spyware
  • Ensure local data is minimal
  • Loss of personal settings (productivity)

8
Workstations and Laptops
  • Data stored locally on laptops should be kept to
    a minimum
  • Daily synchronization with servers to ensure
    backups of local data
  • Crucial/Sensitive data stored on server
  • Remote access VPN and/or Dial-in
  • LIMIT REMOTE ACCESS

9
Wireless LAN Security
  • Overview
  • WEP
  • WPA
  • RSN

10
802.11 Characteristics
National Institute of Standards and Technology -
csrc.nist.gov/
11
Security Features of 802.11
  • Authentication
  • Four Way Handshake
  • Confidentiality
  • RC4 Algorithm
  • Integrity
  • CRC (Cyclic Redundancy Check)

12
WEP
(Wired Equivalent Privacy)
  • IEEE 802.11 standard defines WEP
  • Reasonably strong
  • Self-synchronizing
  • Exportable
  • Efficient
  • Optional

13
Authentication: Four-Way Handshake
Generate Random Number
Encrypt (RC4)
Decrypt and Verify
14
WEP Encryption
  • 1. 40-bit secret key + IV (concatenated)
  • 2. Key is fed to a pseudo-random number generator
  • 3. Output is a key sequence based on the input key
  • 4. The key sequence is used to encrypt the data
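The four steps above, worked through as an added Python example (not code from the presentation): RC4 is seeded with IV || key, the keystream is XORed over the data plus a CRC-32 integrity check value (ICV), and the receiver regenerates the keystream from the clear-text IV and checks the ICV. The 5-byte key, 3-byte IV and payload are constructed sample values.

```python
import zlib
from typing import Optional

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 (steps 2-3): key-scheduling (KSA), then the PRGA keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA permutes S using the seed
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # PRGA emits keystream bytes
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Step 1: seed = IV || key.  Step 4: keystream XOR (data || CRC-32 ICV)."""
    icv = zlib.crc32(data).to_bytes(4, "little")   # integrity check value
    plain = data + icv
    ks = rc4_keystream(iv + key, len(plain))
    # The IV travels in clear so the receiver can rebuild the same seed;
    # the keystream depends only on IV || key, so a repeated IV repeats it.
    return iv + bytes(p ^ k for p, k in zip(plain, ks))

def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver: read the clear IV, regenerate the keystream, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    plain = bytes(c ^ k for c, k in zip(body, ks))
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None

# Constructed sample key, IV and payload (not real credentials).
SAMPLE_KEY = b"\x01\x02\x03\x04\x05"          # 40-bit secret key
SAMPLE_IV = b"\x00\x00\x01"                   # 24-bit IV sent in the clear
SAMPLE_FRAME = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, b"hello wlan")
```

A frame tampered with in transit, or decrypted with the wrong key, fails the ICV check and `wep_decrypt` returns `None`.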

15
WEP Encryption
National Institute of Standards and Technology -
csrc.nist.gov/
16
WEP Encryption
RC4 Algorithm
Securing Wireless LANs, Held
17
What's wrong with WEP?
National Institute of Standards and Technology -
csrc.nist.gov/
18
Why is WEP Weak?
  • Key Management and Key Size
  • No Key management Specified with 802.11
  • Keys tend to be long lived
  • Key size
  • De jure is 40-bit - can be easily attacked
  • De facto is 108-bit (128) - resists brute force
  • Not considered Prime weakness of
  • Weakness in RC4 usage
  • WEP sends out weak keys.
  • Passive attackers capture packets and look for
    weak keys from interesting packets
  • Slow but Successful

19
WPA
(Wi-Fi Protected Access)
  • Developed as a solution to WEP while 802.11i was
    being developed
  • Still uses RC4 stream cipher
  • Not perfect but greatly enhanced
  • Currently preferred wireless security

20
Interaction: Four-Way Handshake
21
How is it different?
  • 802.1X
  • RADIUS Server
  • Controls sessions and keys
  • TKIP

22
TKIP (Temporal Key Integrity Protocol)
  • Includes 4 new algorithms
  • Extends the IV space
  • Allows per-packet keys
  • New cryptography integrity
  • Manages keys

23
RSN
(Robust Security Network)
  • A.K.A. WPA2
  • Implements full elements of 802.11i
  • Ratified by IEEE in June 2004
  • Advanced Encryption Standard (AES)
  • Rijndael algorithm instead of RC4
  • http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

24
Physical Network Security
  • External components
  • Firewall
  • Routers
  • Internal Components
  • Problems with network security

25
Network Security
  • External
  • Have up-to-date software patches installed on all
    networked computers
  • Build a secure firewall for the network
  • Host-based firewalls (ZoneAlarm, Norton, and the
    Internet Connection Firewall (ICF) built into
    Windows XP)
  • Network firewalls (routers)

26
What are Firewalls?
  • Computer security borrows this term from
    firefighting, where it originated. In
    firefighting, a firewall is a barrier established
    to prevent the spread of fire

27
Firewalls
  • Act as a barrier between computers on a network
  • Located at the network gateway server
  • Without firewalls, intruders can destroy, tamper
    with or gain access to the files on your computer

28
How does a firewall work?
  • Function with a set of filters that are
    constantly monitoring traffic on the network.
  • Whenever a packet of information triggers one of
    the filters, the firewall prevents it from
    passing through in the attempt to prevent damage

29
Routers
Linksys wireless G WRT54GS Router
  • Can be configured to serve as a firewall
  • Any attacks from the network are halted at the
    router, sparing the computer any ill effects

NetGear RP614 Router
Belkin Wireless Pre-N (F5D8230-4) Router
30
Network Security
  • Internal
  • Create and maintain global groups with Active
    Directory users and Computers
  • Place restrictions on employees' computers
  • Websites that may have malicious coding or
    malware

31
Problems with Network security
  • Flexibility
  • Balancing security issues against employees'
    ability to access websites for their work

32
Types and Application of Common Security Policies
  • Individual Policies
  • Acceptable use
  • Password threat mitigation and management
  • Free instant messaging services
  • Workgroup Policies
  • Departmental Shared Account Management Policies
  • Corporate Access Control Policies

33
Acceptable Use Policies
  • Meet HR productivity goals
  • Meet legal liability concerns
  • Protect the organization's technical and
    information assets
  • Meet the organization's security goals

34
Password Security Threats
  • Users can write them down
  • They can be guessed
  • Password strength policies
  • Maximum number of allowed failures
  • Password changing policies
  • They can be transmitted in plaintext
  • They can be stored in plaintext

35
Password Possibilities Based on Acceptable
Characters
36
Acceptable Password Selection
  • To ensure that the search space is sufficiently
    large
  • Passwords must be at least seven characters long.
  • Passwords must contain at least one letter, and
    at least one digit.
  • If this is compatible with your systems,
    passwords must contain both uppercase and
    lowercase letters, and at least one punctuation
    mark or other 'special' character.
  • To eliminate easily guessed passwords
  • Passwords must not be based on the user's name or
    login ID.
  • Passwords must not be based on a dictionary word,
    in any language.
  • Passwords may not contain more than two paired
    letters (e.g. abbcdde is valid, but abbbcdd is
    not).
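A checker for the selection rules above, as an added Python example (not from the presentation). Two readings are assumptions: "based on the user's name or login ID" is taken to mean any 3+ character piece of the login ID or name appears in the password, and "more than two paired letters" is taken to mean more than two adjacent identical-character pairs (abbcdde has 2, abbbcdd has 3); the word list is a constructed sample, and the search-space helper illustrates why the mixed-case rule matters.

```python
import string

DICTIONARY = {"password", "welcome", "summer", "secret"}   # constructed word list

def paired_letters(pw: str) -> int:
    """Adjacent identical characters; 'bbb' counts as two pairs, 'bb' as one."""
    return sum(1 for a, b in zip(pw, pw[1:]) if a == b)

def based_on_identity(pw: str, login: str, name: str) -> bool:
    """True if the login ID or any 3+ character part of the name is in the password."""
    low = pw.lower()
    return any(len(p) >= 3 and p.lower() in low for p in [login] + name.split())

def password_violations(pw: str, login: str, name: str, strict: bool = True) -> list:
    """Rules from the slide that pw breaks; an empty list means acceptable.
    strict=True also applies the mixed-case/special-character rule, which the
    slide makes conditional on system compatibility."""
    v = []
    if len(pw) < 7:
        v.append("shorter than 7 characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        v.append("needs at least one letter and one digit")
    if strict and not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                       and any(c in string.punctuation for c in pw)):
        v.append("needs upper, lower and a special character")
    if based_on_identity(pw, login, name):
        v.append("based on name or login ID")
    # "Based on a dictionary word": compare the letters-only core, so
    # Summer99! is still caught by the word list.
    if "".join(c for c in pw if c.isalpha()).lower() in DICTIONARY:
        v.append("based on a dictionary word")
    if paired_letters(pw) > 2:
        v.append("more than two paired letters")
    return v

def search_space(charset_size: int, length: int) -> int:
    """Password possibilities for a character set and length: 26 lowercase
    letters at 7 characters gives 26**7; digits, case and punctuation grow
    the base, which is what the rules above enforce."""
    return charset_size ** length
```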

37
Password Synchronization
  • Synchronization is only as secure as the least
    secure system on the network
  • Synchronization can improve security if a user
    has to manage many passwords

38
Forgotten Password Resets
  • Help desk based resets
  • System based resets

39
Risks of Using Free Instant Messaging Services
  • Regulatory records retention concerns
  • The SEC requires all electronic communication in
    the banking and securities industry to be logged
    and monitored.
  • Legal Risks
  • Protection of customer data
  • Most free services do not offer secure
    transmission
  • Authentication and Presence Management
  • Is the incoming message really coming from who
    you think it is?
  • The security of user information is unknown
  • Is the person you are sending a message to really
    at their desk?
  • Vulnerability Management
  • Availability of patches varies
  • If there are several services being used it is
    difficult to maintain them all

40
Managing Instant Messaging Risks
  • Records retention
  • Identify job roles that have a business need for
    IM
  • Select a provider that allows for logging and
    monitoring (Lotus Sametime, Microsoft Live
    Communications Server)
  • Legal Risks
  • Keep internal messaging within the corporate
    network
  • Educate employees on what can be transmitted to
    external clients
  • Authentication and Presence Management
  • More of a business issue than a security issue
  • Choose a provider that allows the business to
    manage user settings
  • Educate employees to activate a screensaver when
    away from their desks
  • Vulnerability Management
  • Select a vendor that provides timely patches
  • Use only one service

41
Managing Shared Accounts
  • Limit access as much as possible
  • Only allow root or administrator access if it is
    necessary to complete a task
  • If possible, enforce password changes
  • Exception: if a database access password needs
    to be hard-coded into applications
  • Have system administrators manage the passwords,
    not the users
  • The users programmatically call the password
  • Re-justify need for access regularly
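One way an application can "programmatically call" an administrator-managed shared database password instead of hard-coding it, as an added Python example (not from the presentation). The secret-file path, the owner-only permission requirement and the sample content are assumptions for illustration.

```python
import os
import stat
import tempfile

def load_shared_credential(path: str) -> str:
    """Read the admin-managed secret; refuse a file that group or others can read,
    since that would hand the shared account to every user on the host."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be readable by its owner only")
    with open(path) as f:
        return f.read().strip()

def demo() -> tuple:
    """Constructed walk-through: an administrator writes the password file with
    mode 0600 (loaded fine), then it is loosened to 0644 (load refused)."""
    workdir = tempfile.mkdtemp()
    secret_path = os.path.join(workdir, "db_password")   # hypothetical location
    with open(secret_path, "w") as f:
        f.write("constructed-sample-password\n")          # not a real credential
    os.chmod(secret_path, 0o600)
    loaded = load_shared_credential(secret_path)
    os.chmod(secret_path, 0o644)
    try:
        load_shared_credential(secret_path)
        refused = False
    except PermissionError:
        refused = True
    return loaded, refused
```

Rotating the password then means the administrator rewrites one file, and nothing changes in application code.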

42
Types of Access Control
  • Mandatory Access Control
  • Divides users into groups based on what
    information they need to know and what they are
    allowed to change
  • Discretionary Access Control
  • Users apply for access and it is reviewed and
    granted by a person or department
  • Role Based Access Control
  • Access is granted based on role or job function

43
QUESTIONS?