Business Information Security

1
Business Information Security

• Joe Barneson
• Sam Johnson
• Drew Breske
• Ela Akgun

2
Business Information Security

• Physical Security
• Wireless Network Security
• Physical Network Security
• Types and Application of Common Security Policies

3
Physical Security

• Building Security
• Server/Network Rooms
• Remote Closets/Cabinets
• Workstations and Laptops

4
Building Security

• Out of IS security scope, but most critical
• Restricted Access
• Surveillance
• First Responders (Security)

5
Server/Network Rooms

• Restricted Access
• Secured room entry with logged access
• Key, Card, Biometrics, Manned Guard
• Secured racks granting access to authorized users
  only
• 24/7 lock-down
• Maintenance and upgrading only
• KVM Extenders and Switches
• Surveillance
• Tape or Digital
• Motion Sensors

6
Remote Closets/Cabinets

• Restricted Access
• 24/7 lock-down
• Redundant Power
• Battery Backup (short-term)

7
Workstations and Laptops

• Workstations should NOT store data locally
• Weekly imaging of computers?
• Viruses/spyware
• Ensure local data is minimal
• Loss of personal settings (productivity)

8
Workstations and Laptops

• Data stored locally on laptops should be at a
  minimal
• Daily synchronization with servers to ensure
  backups of local data
• Crucial/Sensitive data stored on server
• Remote access VPN and/or Dial-in
• LIMIT REMOTE ACCESS

9
Wireless LAN Security

• Overview
• WEP
• WPA
• RSN

10
802.11 Characteristics
National Institute of Standards and Technology -
csrc.nist.gov/
11
Security Features of 802.11

• Authentication
• Four Way Handshake
• Confidentiality
• RC4 Algorithm
• Integrity
• CRC (Cyclic Redundancy Check)

12
WEP
(Wired Equivalent Privacy)

• IEEE 802.11 standard defines WEP
• Reasonably strong
• Self-synchronizing
• Exportable
• Efficient
• Optional

13
AuthenticationFour-Way Handshake
Generate Random Number
Encrypt (RC4)
Decrypt and Verify
14
WEP Encryption

• 1.) 40-bit secret key IV
• 2.) Key - pseudo-random number generator
• 3.) Output a key sequence based on input key
• 4.) sequence is used to encrypt data

15
WEP Encryption
National Institute of Standards and Technology -
csrc.nist.gov/
16
WEP Encryption
RC4 Algorithm
Securing Wireless LANs, Held
17
Whats wrong with WEP?
National Institute of Standards and Technology -
csrc.nist.gov/
18
Why is WEP Weak?

• Key Management and Key Size
• No Key management Specified with 802.11
• Keys tend to be long lived
• Key size
• De jure Is 40-bit - Can be easily attacked
• De facto is 108-bit (128) - resists brute force
• Not considered Prime weakness of
• Weakness in RC4 usage
• WEP sends out weak keys.
• Passive attackers capture packets and look for
  weak keys from interesting packets
• Slow but Successful

19
WPA
(Wi-Fi Protected Access)

• Developed as a solution to WEP while 802.11i was
  being developed
• Still uses RC4 stream cipher
• Not perfect but greatly enhanced
• Currently preferred wireless security

20
InteractionFour-Way Handshake
21
How is it different?

• 802.1X
• RADIUS Server
• Controls sessions and keys
• TKIP

22
TKIP (Temporal Key Integrity Protocol)

• Includes 4 new algorithms
• Extends the IV space
• Allows per-packet keys
• New cryptography integrity
• Manages keys

23
RSN
(Robust Security Network)

• A.K.A. WPA2
• Implements full elements of 802.11i
• Ratified by IEEE in June 2004
• Advanced Encryption Standard (AES)
• Rijndael algorithm instead of RC4
• http//en.wikipedia.org/wiki/Advanced_Encryption_S
  tandard

24
Physical Network Security

• External components
• Firewall
• Routers
• Internal Components
• Problems with network security

25
Network Security

• External
• Have up-to-date software patches installed on all
  networked computers
• Build a secure firewall for the network
• -Host-based Firewalls (ZoneAlarm, Norton, and
  the Internet Connection Firewall (ICF) built
  into Windows XP)
• -Network Firewalls (routers)

26
What are Firewalls?

• Computer security borrows this term from
  firefighting, where it originated. In
  firefighting, a firewall is a barrier established
  to prevent the spread of fire

27
Firewalls

• Act as a barrier between computers on a network
• Located at the network gateway server
• Without firewalls, intruders can destroy, tamper
  with or gain access to the files on your computer
  

28
How does a firewall work?

• Function with a set of filters that are
  constantly monitoring traffic on the network.
• Whenever a packet of information triggers one of
  the filters, the firewall prevents it from
  passing through in the attempt to prevent damage

29
Routers
Linksys wireless G WRT54GS Router

• Can be configured to serve as a firewall
• Any attacks from the network, are halted at the
  router thereby sparing any ill effects to the
  computer

NetGear RP614 Router
Belkin Wireless Pre-N (F5D8230-4) Router
30
Network Security

• Internal
• Create and maintain global groups with Active
  Directory users and Computers
• Place restrictions on employees computers
• Websites that may have malicious coding or
  malware

31
Problems with Network security

• Flexibility
• -Balancing security issues against employees'
  ability to access websites for their work

32
Types and Application of Common Security Policies

• Individual Policies
• Acceptable use
• Password threat mitigation and management
• Free instant messaging services
• Workgroup Policies
• Departmental Shared Account Management Policies
• Corporate Access Control Policies

33
Acceptable Use Policies

• Meet HR productivity goals
• Meet legal liability concerns
• Protect the organizations technical and
  information assets
• Meet organizations security goals

34
Password Security Threats

• Users can write them down
• They can be guessed
• Password strength policies
• Maximum number of allowed failures
• Password changing policies
• They can be transmitted in plaintext
• They can be stored in plaintext

35
Password Possibilities Based on Acceptable
Characters
36
Acceptable Password Selection

• To ensure that the search space is sufficiently
  large
• Passwords must be at least seven characters long.
  
• Passwords must contain at least one letter, and
  at least one digit.
• If this is compatible with your systems
  passwords must contain both uppercase and
  lowercase letters, and at least one punctuation
  mark or other special' character.
• To eliminate easily guessed passwords
• Passwords must not be based on the user's name or
  login ID.
• Passwords must not be based on a dictionary word,
  in any language.
• Passwords may not contain more than two paired
  letters (e.g. abbcdde is valid, but abbbcdd is
  not).

37
Password Synchronization

• Synchronization is only as secure as the least
  secure system on the network
• Synchronization can improve security if a user
  has to manage many passwords

38
Forgotten Password Resets

• Help desk based resets
• System based resets

39
Risks of Using Free Instant Messaging Services

• Regulatory records retention concerns
• The SEC requires all electronic communication in
  the banking and securities industry to be logged
  and monitored.
• Legal Risks
• Protection of customer data
• Most free services do not offer secure
  transmission
• Authentication and Presence Management
• Is the incoming message really coming from who
  you think it is?
• The security of user information is unknown
• Is the person you are sending a message to really
  at their desk?
• Vulnerability Management
• Availability of patches varies
• If there are several services being used it is
  difficult to maintain them all

40
Managing Instant Messaging Risks

• Records retention
• Identify job roles that have a business need for
  IM
• Select a provider that allows for logging and
  monitoring (Lotuss Sametime, Microsofts Live
  Communications Server)
• Legal Risks
• Keep internal messaging within the corporate
  network
• Educate employees on what can be transmitted to
  external clients
• Authentication and Presence Management
• More of a business issue than a security issue
• Choose a provider that allows the business to
  manage user settings
• Educate employees to activate a screensaver when
  away from their desks
• Vulnerability Management
• Select a vendor that provides timely patches
• Use only one service

41
Managing Shared Accounts

• Limit access as much as possible
• Only allow root or administrator access if it is
  necessary to complete a task
• If possible, enforce password changes
• Exception if a database access password needs
  to be hard-coded into applications
• Have system administrators manage the passwords,
  not the users
• The users programmatically call the password
• Re-justify need for access regularly

42
Types of Access Control

• Mandatory Access Control
• Divides users into groups based on what
  information they need to know and what they are
  allowed to change
• Discretionary Access Control
• Users apply for access and it is reviewed and
  granted by a person or department
• Role Based Access Control
• Access is granted based on role or job function

43
QUESTIONS?