Title: Business Information Security
1. Business Information Security
- Joe Barneson
- Sam Johnson
- Drew Breske
- Ela Akgun
2. Business Information Security
- Physical Security
- Wireless Network Security
- Physical Network Security
- Types and Application of Common Security Policies
3. Physical Security
- Building Security
- Server/Network Rooms
- Remote Closets/Cabinets
- Workstations and Laptops
4. Building Security
- Out of IS security scope, but most critical
- Restricted Access
- Surveillance
- First Responders (Security)
5. Server/Network Rooms
- Restricted Access
  - Secured room entry with logged access
    - Key, Card, Biometrics, Manned Guard
  - Secured racks granting access to authorized users only
- 24/7 lock-down
  - Maintenance and upgrading only
  - KVM Extenders and Switches
- Surveillance
  - Tape or Digital
  - Motion Sensors
6. Remote Closets/Cabinets
- Restricted Access
  - 24/7 lock-down
- Redundant Power
  - Battery Backup (short-term)
7. Workstations and Laptops
- Workstations should NOT store data locally
- Weekly imaging of computers?
  - Viruses/spyware
  - Ensure local data is minimal
  - Loss of personal settings (productivity)
8. Workstations and Laptops
- Data stored locally on laptops should be kept to a minimum
  - Daily synchronization with servers to ensure backups of local data
  - Crucial/sensitive data stored on the server
- Remote access via VPN and/or dial-in
  - LIMIT REMOTE ACCESS
9. Wireless LAN Security
10. 802.11 Characteristics
(Figure: National Institute of Standards and Technology, csrc.nist.gov/)
11. Security Features of 802.11
- Authentication
  - Four-Way Handshake
- Confidentiality
  - RC4 Algorithm
- Integrity
  - CRC (Cyclic Redundancy Check)
12. WEP (Wired Equivalent Privacy)
- IEEE 802.11 standard defines WEP
- Reasonably strong
- Self-synchronizing
- Exportable
- Efficient
- Optional
13. Authentication: Four-Way Handshake
(Diagram steps: Generate Random Number; Encrypt (RC4); Decrypt and Verify)
14. WEP Encryption
- 1) 40-bit secret key and IV
- 2) The key is fed into a pseudo-random number generator
- 3) The generator outputs a key sequence based on the input key
- 4) The key sequence is used to encrypt the data
15. WEP Encryption
(Figure: National Institute of Standards and Technology, csrc.nist.gov/)
16. WEP Encryption
(Figure: RC4 Algorithm, from Securing Wireless LANs, Held)
17. What's wrong with WEP?
(Figure: National Institute of Standards and Technology, csrc.nist.gov/)
18. Why is WEP Weak?
- Key Management and Key Size
  - No key management specified in 802.11
    - Keys tend to be long-lived
  - Key size
    - De jure is 40-bit, which can be easily attacked
    - De facto is 108-bit (128), which resists brute force
    - Not considered the prime weakness of
- Weakness in RC4 usage
  - WEP sends out weak keys
  - Passive attackers capture packets and look for weak keys from interesting packets
    - Slow but successful
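As an added example (not from the slides), the WEP pipeline of the "WEP Encryption" slide and the reason the small IV space and long-lived keys discussed here matter, in Python. The RC4 routine is textbook RC4, the ICV is CRC-32 as WEP uses it, and the 40-bit key and IV values are constructed samples.

```python
import struct
import zlib

IV_BYTES = 3                          # WEP IV is 24 bits, so at most 2**24 IVs per key
KEY = bytes.fromhex("0102030405")     # constructed 40-bit (5-byte) shared key, sample only

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) then output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (sent in clear) || RC4_{IV || key}(plaintext || CRC-32 ICV)."""
    assert len(iv) == IV_BYTES
    icv = struct.pack("<I", zlib.crc32(plaintext))   # CRC-32 is linear, not a MAC
    body = plaintext + icv
    ks = rc4_keystream(iv + key, len(body))          # per-packet seed is IV || key
    return iv + bytes(a ^ b for a, b in zip(body, ks))

def wep_decrypt(key: bytes, frame: bytes):
    """Regenerate the keystream from the clear IV, strip the ICV; None on ICV mismatch."""
    iv, body = frame[:IV_BYTES], frame[IV_BYTES:]
    ks = rc4_keystream(iv + key, len(body))
    plain = bytes(a ^ b for a, b in zip(body, ks))
    data, icv = plain[:-4], plain[-4:]
    return data if icv == struct.pack("<I", zlib.crc32(data)) else None

def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames sent under the same IV share one keystream, so XORing their
    ciphertexts cancels it and yields p1 XOR p2 without any key knowledge.
    With only 2**24 IVs and long-lived keys, repeats are inevitable, which is
    why TKIP extends the IV space and derives per-packet keys."""
    c1 = wep_encrypt(key, iv, p1)[IV_BYTES:]
    c2 = wep_encrypt(key, iv, p2)[IV_BYTES:]
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
```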
19. WPA (Wi-Fi Protected Access)
- Developed as a solution to WEP while 802.11i was being developed
- Still uses the RC4 stream cipher
- Not perfect but greatly enhanced
- Currently the preferred wireless security
20. Interaction: Four-Way Handshake
21. How is it different?
- 802.1X
  - RADIUS Server
    - Controls sessions and keys
- TKIP
22. TKIP (Temporal Key Integrity Protocol)
- Includes 4 new algorithms
  - Extends the IV space
  - Allows per-packet keys
  - New cryptographic integrity check
  - Manages keys
23. RSN (Robust Security Network)
- A.K.A. WPA2
- Implements the full elements of 802.11i
- Ratified by IEEE in June 2004
- Advanced Encryption Standard (AES)
  - Rijndael algorithm instead of RC4
  - http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
24. Physical Network Security
- External components
  - Firewall
  - Routers
- Internal components
- Problems with network security
25. Network Security
- External
  - Have up-to-date software patches installed on all networked computers
  - Build a secure firewall for the network
    - Host-based firewalls (ZoneAlarm, Norton, and the Internet Connection Firewall (ICF) built into Windows XP)
    - Network firewalls (routers)
26. What are Firewalls?
- Computer security borrows this term from firefighting, where it originated. In firefighting, a firewall is a barrier established to prevent the spread of fire.
27. Firewalls
- Act as a barrier between computers on a network
- Located at the network gateway server
- Without firewalls, intruders can destroy, tamper with or gain access to the files on your computer
28. How does a firewall work?
- Functions with a set of filters that constantly monitor traffic on the network.
- Whenever a packet of information triggers one of the filters, the firewall prevents it from passing through, in an attempt to prevent damage.
29. Routers
- Can be configured to serve as a firewall
- Any attacks from the network are halted at the router, thereby sparing the computer any ill effects
(Pictured: Linksys wireless G WRT54GS Router; NetGear RP614 Router; Belkin Wireless Pre-N (F5D8230-4) Router)
30. Network Security
- Internal
  - Create and maintain global groups with Active Directory Users and Computers
  - Place restrictions on employees' computers
    - Websites that may have malicious code or malware
31. Problems with Network Security
- Flexibility
  - Balancing security issues against employees' ability to access websites for their work
32. Types and Application of Common Security Policies
- Individual Policies
  - Acceptable use
  - Password threat mitigation and management
  - Free instant messaging services
- Workgroup Policies
  - Departmental Shared Account Management Policies
- Corporate Access Control Policies
33. Acceptable Use Policies
- Meet HR productivity goals
- Meet legal liability concerns
- Protect the organization's technical and information assets
- Meet the organization's security goals
34. Password Security Threats
- Users can write them down
- They can be guessed
  - Password strength policies
  - Maximum number of allowed failures
  - Password changing policies
- They can be transmitted in plaintext
- They can be stored in plaintext
35. Password Possibilities Based on Acceptable Characters
36. Acceptable Password Selection
- To ensure that the search space is sufficiently large:
  - Passwords must be at least seven characters long.
  - Passwords must contain at least one letter and at least one digit.
  - If this is compatible with your systems, passwords must contain both uppercase and lowercase letters, and at least one punctuation mark or other special character.
- To eliminate easily guessed passwords:
  - Passwords must not be based on the user's name or login ID.
  - Passwords must not be based on a dictionary word, in any language.
  - Passwords may not contain more than two paired letters (e.g. abbcdde is valid, but abbbcdd is not).
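As an added example (not from the slides), a Python checker for the rules on the "Acceptable Password Selection" slide, together with the search-space figure that the "Password Possibilities Based on Acceptable Characters" slide is about. The character-class sizes, the tiny word list and the user names are constructed; the paired-letter rule is read so that overlapping pairs count (abbbcdd has three), which matches the slide's own example.

```python
import re

# Character-class sizes for the search-space figure (printable ASCII).
LOWER, UPPER, DIGITS, PUNCT = 26, 26, 10, 32

# Constructed stand-in for a dictionary; a real check uses full word lists.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty"}

def search_space(length: int, classes) -> int:
    """Passwords of exactly `length` characters drawn from the given class sizes,
    e.g. search_space(7, (LOWER, DIGITS)) == 36 ** 7."""
    return sum(classes) ** length

def paired_letters(pw: str) -> int:
    """Adjacent equal characters, counted with overlap: 'abbcdde' -> 2, 'abbbcdd' -> 3."""
    return sum(1 for a, b in zip(pw, pw[1:]) if a == b)

def check_password(pw: str, name: str, login: str, strict: bool = True) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable.
    `strict` enables the upper/lower/punctuation rule for systems that support it."""
    problems = []
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs at least one letter and one digit")
    if strict and not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
                       and re.search(r"[^A-Za-z0-9]", pw)):
        problems.append("needs upper and lower case plus a punctuation/special character")
    low = pw.lower()
    for ident in (name, login):
        if ident and ident.lower() in low:
            problems.append(f"based on user identifier '{ident}'")
    # Drop digits and punctuation so a decorated word like 'Summer2024!' is still caught.
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("based on a dictionary word")
    if paired_letters(pw) > 2:
        problems.append("more than two paired letters")
    return problems
```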
37. Password Synchronization
- Synchronization is only as secure as the least secure system on the network
- Synchronization can improve security if a user has to manage many passwords
38. Forgotten Password Resets
- Help desk based resets
- System based resets
39. Risks of Using Free Instant Messaging Services
- Regulatory records retention concerns
  - The SEC requires all electronic communication in the banking and securities industry to be logged and monitored.
- Legal Risks
  - Protection of customer data
  - Most free services do not offer secure transmission
- Authentication and Presence Management
  - Is the incoming message really coming from who you think it is?
  - The security of user information is unknown
  - Is the person you are sending a message to really at their desk?
- Vulnerability Management
  - Availability of patches varies
  - If there are several services being used, it is difficult to maintain them all
40. Managing Instant Messaging Risks
- Records retention
  - Identify job roles that have a business need for IM
  - Select a provider that allows for logging and monitoring (Lotus's Sametime, Microsoft's Live Communications Server)
- Legal Risks
  - Keep internal messaging within the corporate network
  - Educate employees on what can be transmitted to external clients
- Authentication and Presence Management
  - More of a business issue than a security issue
  - Choose a provider that allows the business to manage user settings
  - Educate employees to activate a screensaver when away from their desks
- Vulnerability Management
  - Select a vendor that provides timely patches
  - Use only one service
41. Managing Shared Accounts
- Limit access as much as possible
  - Only allow root or administrator access if it is necessary to complete a task
- If possible, enforce password changes
  - Exception if a database access password needs to be hard-coded into applications
    - Have system administrators manage the passwords, not the users
    - The users programmatically call the password
- Re-justify need for access regularly
42. Types of Access Control
- Mandatory Access Control
  - Divides users into groups based on what information they need to know and what they are allowed to change
- Discretionary Access Control
  - Users apply for access and it is reviewed and granted by a person or department
- Role Based Access Control
  - Access is granted based on role or job function
43. QUESTIONS?