The University of Akron Summit College Business Technology Dept. - PowerPoint PPT Presentation

Provided by: gozips4


1
The University of Akron Summit College Business
Technology Dept.
  • 2440 141 Web Site Administration
  • Introduction to Security
  • Instructor: Enoch E. Damson

2
Information Security
  • Consists of the procedures and measures taken to
    protect each component of information systems
  • Protecting data, hardware, software, networks,
    procedures and people
  • The concept of information security is based on
    the C.I.A triangle (according to the National
    Security Telecommunications and Information
    Security Committee, NSTISSC)
  • C - Confidentiality
  • I - Integrity
  • A - Availability

3
Confidentiality
  • Addresses two aspects of security with subtle
    differences
  • Prevents unauthorized individuals from knowing or
    accessing information
  • Safeguards confidential information, disclosing
    secret information only to authorized
    individuals by means of classifying information

4
Integrity
  • Ensures data consistency and accuracy
  • The integrity of the information system is
    measured by the integrity of its data
  • Data can be degraded into the following
    categories
  • Invalid data - not all data is valid
  • Redundant data - the same data is recorded and
    stored in several places
  • Inconsistent data - redundant data is not
    identical
  • Data anomalies - one occurrence of repeated data
    is changed and the other occurrences are not
  • Data read inconsistency - a user does not always
    read the last committed data
  • Data non-concurrency - multiple users can access
    and read data at the same time but lose read
    consistency

5
Availability
  • Ensures that data is accessible to authorized
    individuals
  • An organization's information system can be
    unavailable because of the following security
    issues
  • External attacks and lack of system protection
  • Occurrence of system failure with no disaster
    recovery strategy
  • Overly stringent and obscure security procedures
    and policies
  • Faulty implementation of authentication
    processes, causing failure to authenticate
    customers properly

6
Information Security Architecture
  • The model for protecting logical and physical
    assets
  • The overall design of a company's implementation
    of the C.I.A triangle
  • Components range from physical equipment to
    logical security tools and utilities

7
Components of Information Security Architecture
  • The components of information security
    architecture are
  • Policies and procedures - documented procedures
    and company policies that elaborate on how
    security is to be carried out
  • Security personnel and administrators - people
    who enforce and keep security in order
  • Detection equipment - devices to authenticate
    users and detect equipment prohibited by the
    company

8
Components of Information Security Architecture
  • Other components of information security
    architecture include
  • Security programs - tools to protect computer
    systems' servers from malicious code such as
    viruses
  • Monitoring equipment - devices to monitor
    physical properties, users, and important assets
  • Monitoring applications - utilities and
    applications used to monitor network traffic and
    Internet activities, downloads, uploads, and
    other network activities
  • Auditing procedures and tools - checks and
    controls to ensure that security measures are
    working

9
Levels of Security
  • The levels of security include
  • Highly restrictive
  • Moderately restrictive
  • Open

10
Levels of Security
  • Before deciding on a level of security, answer
    these questions
  • What must be protected?
  • From whom should data be protected?
  • What costs are associated with security being
    breached and data being lost or stolen?
  • How likely is it that a threat will actually
    occur?
  • Are the costs to implement security and train
    users to use a secure network outweighed by the
    need to provide an efficient, user-friendly
    environment?

11
Highly Restrictive Security Policies
  • Include features such as
  • Data encryption
  • Complex password requirements
  • Detailed auditing and monitoring of
    computer/network access
  • Intricate authentication methods
  • Policies that govern use of the Internet/e-mail
  • Might require third-party hardware and software
  • Implementation cost is high
  • Cost of a security breach is high

12
Moderately Restrictive Security Policies
  • Most organizations can opt for this type of
    policy
  • Requires passwords, but not overly complex ones
  • Auditing detects unauthorized logon attempts,
    network resource misuse, and attacker activity
  • Most network operating systems contain
    authentication, monitoring, and auditing features
    to implement the required policies
  • Infrastructure can be secured with moderately
    priced off-the-shelf hardware and software
    (firewalls, etc)
  • Costs are primarily in initial configuration and
    support

13
Open Security Policies
  • Policy might have simple or no passwords,
    unrestricted access to resources, and probably no
    monitoring and auditing
  • May be implemented by a small company with the
    primary goal of making access to basic data
    resources
  • Internet access should probably not be possible
    via the company LAN
  • Sensitive data, if it exists, might be kept on
    individual workstations that are backed up
    regularly and are physically inaccessible to
    other employees

14
Securing the Web Environment
  • Both Linux and Windows need to be configured
    carefully to minimize security risks
  • Keep software patches up to date
  • Web servers with static pages are easier to
    protect than those with dynamic pages
  • To secure transmission, data may be encrypted
    with Secure Socket Layer (SSL) and Secure Shell
    (SSH)
  • To isolate a Web server environment
  • Firewalls may be used to block unwanted access to
    ports
  • Proxy servers may be used to isolate computers
  • To discover whether and how attackers have
    penetrated a system, intrusion detection software
    may be used

15
Identifying Threats and Vulnerabilities
  • Hackers sometimes want the challenge of
    penetrating a system and vandalizing it; other
    times they are after data
  • Data can be credit card numbers, user names and
    passwords, other personal data
  • Information can be gathered by hackers while it
    is being transmitted
  • Operating system flaws can often assist hackers

16
Types of Attacks and Vulnerabilities
  • Some of the numerous methods to attack systems
    are as follows
  • Virus - code that compromises the integrity and
    state of a system
  • Worm - code that disrupts the operation of a
    system
  • Trojan horse - malicious code that penetrates a
    computer system or network by pretending to be
    legitimate code
  • Denial of service - the act of flooding a Web
    site or network system with many requests with
    the intent of overloading the system and forcing
    it to deny service to legitimate requests
  • Spoofing - malicious code that looks like
    legitimate code
  • Bugs - software code that is faulty due to bad
    design, logic, or both

17
Types of Attacks and Vulnerabilities
  • Other methods to attack systems include
  • E-mail spamming - e-mail that is sent to many
    recipients without their permission
  • Boot sector virus - code that compromises the
    segment in the hard disk containing the program
    used to start the computer
  • Back door - an intentional design element of some
    software that allows developers of a system to
    gain access to the application for maintenance or
    technical problems
  • Rootkits and bots - malicious or legitimate
    software code that performs functions like
    automatically retrieving and collecting
    information from computer systems

18
Examining TCP/IP
  • TCP/IP was not designed to be secure but to allow
    systems to communicate
  • Hackers often take advantage of the ignorance
    about TCP/IP to access computers connected to the
    Internet
  • The following are parts of the IP header most
    relevant to security
  • Source address - start-point IP address
  • Destination address - end-point IP address
  • Packet identification, flags, fragment offset
  • Total length - length of packet in bytes
  • Protocol - TCP, UDP, ICMP

19
Vulnerabilities of DNS
  • Historically, DNS has had security problems
  • BIND is the most common implementation of DNS and
    some older versions had serious bugs
  • Current versions of BIND have been more secure

20
Vulnerabilities in Operating Systems
  • Operating systems are large and complex
  • Hence, more opportunities for attack
  • Inattentive administrators often fail to
    implement patches when available
  • Some attacks, such as buffer overruns, can allow
    the attacker to take over the computer

21
Vulnerabilities in Web servers
  • Static HTML pages pose virtually no problem
  • Programming environments and databases add
    complexity that a hacker can exploit

22
Vulnerabilities of E-mail Servers
  • By design, e-mail servers are open
  • E-mail servers can be harmed by a series of very
    large e-mail messages
  • Sending an overwhelming number of messages at the
    same time can prevent valid users from accessing
    the server
  • Viruses can be sent to e-mail users
  • Retrieving e-mail over the Internet often
    involves sending your user name and password as
    clear text

23
Security Basics
  • Some of the basic security rules are as follows
  • Security and functionality are inversely related
    the more security you implement, the less
    functionality you will have, and vice versa
  • No matter how much security you implement and no
    matter how secure your site is, if hackers want
    to break in, they will
  • The weakest link in security is human beings

24
Security Methods
  • People
  • Physical limits on access to hardware and
    documents
  • Through the processes of identification and
    authentication, make certain that the individual
    is who he/she claims to be through the use of
    devices, such as ID card, eye scans, passwords
  • Training courses on the importance of security
    and how to guard assets
  • Establishment of security policies and procedures

25
Security Methods
  • Applications
  • Authentication of users who access applications
  • Business rules
  • Single sign-on (a method for signing on once for
    different applications and Web sites)

26
Security Methods
  • Network
  • Firewalls to block network intruders
  • Virtual private network (VPN) - a remote computer
    securely connected to a corporate network
  • Authentication

27
Security Methods
  • Operating System
  • Authentication
  • Intrusion detection
  • Password policy
  • User accounts

28
Security Methods
  • Database Management Systems
  • Authentication
  • Audit mechanism
  • Database resource limits
  • Password policy

29
Security Methods
  • Data Files
  • File permissions
  • Access monitoring

30
Securing Access to Data
  • Securing data on a network has many facets
  • Authentication and authorization - identifying
    who is permitted to access which network
    resources
  • Encryption/decryption - making data unusable to
    anyone except authorized users
  • Virtual Private Networks (VPNs) - allowing
    authorized remote access to a private network via
    the public Internet
  • Firewalls - installing a software/hardware device
    to protect a computer or network from
    unauthorized access and attacks

31
Securing Access to Data
  • Other facets of securing data on a network
    include
  • Virus and worm protection - securing data from
    software designed to destroy data or make a
    computer or network operate inefficiently
  • Spyware protection - securing computers from
    inadvertently downloading and running programs
    that gather personal information and report on
    browsing and habits
  • Wireless security - implementing unique measures
    for protecting data and authorizing access to the
    wireless network

32
Securing Data Transmission
  • To secure data on a network, you need to encrypt
    the data
  • Secure Socket Layer (SSL) is commonly used to
    encrypt data between a browser and Web server
  • Secure Shell (SSH) is a secured replacement for
    Telnet

33
Securing the Operating System
  • Use the server for only necessary tasks
  • Minimize user accounts
  • Disable services that are not needed
  • Make sure that you have a secure password

34
Securing Windows
  • Some services that are not needed in Windows for
    most Internet-based server applications may be
    turned off
  • Examples include
  • Alerter
  • Computer browser
  • DHCP client
  • DNS client
  • Messenger
  • Server
  • Workstation
  • Also, the registry can be used to alter the
    configuration to make it more secure such as
    disabling short file names

35
Securing Linux
  • Only run needed daemons
  • Generally, daemons are disabled by default
  • The command netstat -l gives you a list of
    daemons that are running
  • Use chkconfig to enable and disable daemons
  • chkconfig imap on would enable imap

36
Securing E-mail
  • Tunneling POP3 can prevent data from being seen
  • Microsoft Exchange can also use SSL for protocols
    it uses
  • Set a size limit for each mailbox to prevent
    someone from sending large e-mail messages until
    the disk is full

37
Securing the Web Server
  • Enable the minimum features
  • If you don't need a programming language, do not
    enable it
  • Make sure programmers understand security issues
  • Implement SSL where appropriate

38
Securing Apache Web Server Directories
  • You can restrict access to directories by using
    "allow" and "deny"
  • The following only allows computers with the two
    IP addresses to access the directory
  • <Directory "/var/www/html/reports">
  • order deny,allow
  • allow from 10.10.10.5 192.168.0.3
  • deny from all
  • </Directory>

39
Securing the IIS Web Server
  • The URLScan utility blocks potentially harmful
    page requests
  • The IIS Lockdown utility has templates to ensure
    that you only enable what you need
  • Change NTFS permissions in \inetpub\wwwroot from
    Everyone Full Control to Everyone Execute
  • Delete extensions you do not use, such as .htr,
    .idc, .stm, and others

40
Authenticating Web Users
  • Both Apache and IIS use HTTP to enable
    authentication
  • If HTTP tries to access a protected directory and
    fails then
  • it requests authentication from the user in a
    dialog box
  • Accesses directory with user information
  • Used in conjunction with SSL

41
Configuring User Authentication in IIS
  • Four types of authenticated access
  • Windows integrated authentication
  • Most secure; requires IE
  • Digest authentication for Windows domain servers
  • Works with proxy servers
  • Requires Active Directory and IE
  • Basic authentication
  • User name and password in clear text
  • Works with IE, Netscape, and others
  • Passport authentication
  • Centralized form of authentication
  • Only available on Windows Server 2003

42
User Authentication in Apache
  • Basic authentication is most common
  • User names and passwords are kept in a separate
    file
  • Create password file
  • -c creates the users file
  • -b adds a password when creating user
  • htpasswd -c users mnoia
  • htpasswd users fpessoa
  • htpasswd -b users lcamoes lusiades

43
Apache User Authentication Directives

44
Apache User Authentication
  • Assume you want to restrict the /newprods
    directory to any user in the users file
  • <Location /newprods>
  • AuthName "New Product Information"
  • AuthType Basic
  • AuthUserFile /var/www/users
  • require valid-user
  • </Location>

45
Using a Firewall
  • A firewall implements a security policy between
    networks
  • Limit access, especially from the Internet to
    your internal computers
  • Restrict access to Web servers, e-mail servers,
    and other related servers

46
Types of Filtering
  • Packet filtering
  • Looks at each individual packet
  • Based on rules, it determines whether to let it
    pass through the firewall
  • Circuit-level filtering (stateful or dynamic
    filtering)
  • Controls complete communication session, not just
    individual packets
  • Allows traffic initialized from within the
    organization to return, yet restricts traffic
    initialized from outside
  • Application-level
  • Instead of transferring packets, it sets up a
    separate connection to totally isolate
    applications such as Web and e-mail

47
A Packet-filtering Firewall
  • Consists of a list of acceptance and denial rules
  • A firewall independently filters what comes in
    and what goes out
  • It is best to start with a default policy that
    denies all traffic, in and out
  • We can reject or drop a failed packet
  • Drop (best) - thrown away without response
  • Reject - ICMP message sent in response

48
Firewall on Linux - iptables
  • Connections can be logged
  • Initializing the firewall
  • Remove any pre-existing rules
  • iptables --flush
  • Set default policy to drop packets
  • iptables --policy INPUT DROP
  • iptables --policy OUTPUT DROP
  • At this point nothing comes in and nothing goes
    out

49
Describing the Packets to Accept
  • -A (Append rule)
  • INPUT or OUTPUT
  • -i eth0 (input interface) or -o eth0 (output)
  • -p tcp or -p udp (protocol type)
  • -s , -d (source, destination address)
  • --sport, --dport (source, destination port)
  • -j ACCEPT (this is a good rule)

50
Allowing Access to Web Server
  • Allow packets from any address with an
    unprivileged port to the address on the server
    destined to port 80
  • The following should be on a single line
  • iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -j ACCEPT
  • Allow packets to go out port 80 from the server
    to any unprivileged port at any address
  • iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 80 --dport 1024:65535 -j ACCEPT

51
Allowing Access to DNS
  • DNS uses port 53
  • UDP for resolving
  • TCP for zone transfers
  • iptables -A INPUT -i eth0 -p udp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT
  • iptables -A OUTPUT -o eth0 -p udp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT
  • iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT
  • iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT

52
Allowing Access to FTP
  • Port 21 for data, port 20 for control
  • Data is transferred through unprivileged ports
  • Opening unprivileged ports can be a problem
  • iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT
  • iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 --dport 1024:65535 -j ACCEPT
  • iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT
  • iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 --dport 1024:65535 -j ACCEPT
  • iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT
  • iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
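
An added example, not part of the original slides: a shell audit that reads a ruleset in `iptables -S` format and reports chains that are not default-deny and ACCEPT rules as wide as the last FTP pair above. The function names and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit `iptables -S` output against the slides' default-deny advice.

# audit_ruleset: reads a ruleset in `iptables -S` format on stdin and prints
# one finding per line; no output means no finding.
audit_ruleset() {
    awk '
    # Policy lines look like:  -P INPUT DROP
    $1 == "-P" && $3 != "DROP" {
        printf "policy: chain %s defaults to %s, not DROP\n", $2, $3
    }
    # Rule lines look like:  -A INPUT ... --sport 1024:65535 --dport 80 -j ACCEPT
    $1 == "-A" {
        rule[$2]++                          # rule number within its chain
        sport = ""; dport = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "--sport") sport  = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (target != "ACCEPT") next
        if (NF == 4) {
            # "-A CHAIN -j ACCEPT" has no match conditions at all
            printf "open: %s rule %d accepts every packet\n", $2, rule[$2]
        } else if (sport == "1024:65535" && dport == "1024:65535") {
            printf "broad: %s rule %d accepts any unprivileged port to any unprivileged port\n", $2, rule[$2]
        }
    }'
}

# Constructed sample: what `iptables -S` would show after the slides' Web
# server rules and the last FTP pair. FORWARD is still at the kernel default
# (ACCEPT) because the slides set a policy only for INPUT and OUTPUT.
sample_ruleset() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -d 192.168.1.10/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A INPUT -d 192.168.1.10/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A OUTPUT -s 192.168.1.10/32 -o eth0 -p tcp -m tcp --sport 80 --dport 1024:65535 -j ACCEPT
-A OUTPUT -s 192.168.1.10/32 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
EOF
}

sample_ruleset | audit_ruleset
```

On a live host the same function can be fed with `iptables -S | audit_ruleset` (run as root).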

53
Using a Proxy Server
  • A proxy server delivers content on behalf of a
    user or server application
  • Proxy servers need to understand the protocol of
    the application that they proxy such as HTTP or
    FTP
  • Forward proxy servers isolate users from the
    Internet
  • Users contact proxy server which gets Web page
  • Reverse proxy servers isolate Web server
    environment from the Internet
  • When a Web page is requested from the Internet,
    the proxy server retrieves the page from the
    internal server

54
Using Intrusion Detection Software
  • Intrusion detection is designed to show you that
    your defenses have been penetrated
  • With Microsoft ISA Server, it only detects
    specific types of intrusion
  • In Linux, Tripwire tracks changes to files

55
Tripwire
  • Tripwire allows you to set policies that allow
    you to monitor any changes to the files on the
    system
  • Tripwire can detect file additions, file
    deletions, and changes to existing files
  • By understanding the changes to the files, you
    can determine which ones are unauthorized and
    then try to find out the cause of the change

56
Tripwire
  • After installing Tripwire, you configure the
    policy file to determine which files to monitor
  • A default list of files is included but it will
    take time to refine the list
  • A report can be produced to find out which files
    have been added, changed, and deleted
  • Usually, it runs automatically at night
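
An added example, not Tripwire itself and not from the original slides: a shell sketch of the same idea, hashing every file into a baseline and later reporting which files were added, changed, or deleted. The function names and the temporary "site" directory are constructed; it assumes file names without whitespace.

```sh
#!/bin/sh
# Added example: hash-baseline comparison, the idea behind a Tripwire report.
# Assumes file names contain no whitespace.

HASHER=sha256sum
command -v sha256sum >/dev/null 2>&1 || HASHER='shasum -a 256'

# make_baseline DIR -> "HASH  ./path" for every regular file under DIR
make_baseline() {
    ( cd "$1" && find . -type f -exec $HASHER {} + | sort -k 2 )
}

# compare_baselines OLD NEW -> "added|changed|deleted PATH" lines, sorted.
# OLD and NEW must be two different baseline files.
compare_baselines() {
    awk '
    FILENAME == ARGV[1] { old[$2] = $1; next }   # baseline: hash per path
    {
        seen[$2] = 1
        if (!($2 in old)) {
            print "added   " $2
        } else if (old[$2] != $1) {
            print "changed " $2
        }
    }
    END { for (p in old) if (!(p in seen)) print "deleted " p }
    ' "$1" "$2" | sort
}

# demo: build a constructed document root, snapshot it, alter it, report.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/site"
    echo '<h1>home</h1>' > "$work/site/index.html"
    echo 'contact us'    > "$work/site/contact.html"
    make_baseline "$work/site" > "$work/before"

    echo '<h1>edited</h1>' > "$work/site/index.html"   # change a file
    rm "$work/site/contact.html"                        # delete a file
    echo 'new page' > "$work/site/new.html"             # add a file

    make_baseline "$work/site" > "$work/after"
    compare_baselines "$work/before" "$work/after"
    rm -rf "$work"
}

demo
```

The baseline is only as trustworthy as its storage: keep it somewhere an intruder who can modify the monitored files cannot also rewrite it.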

57
Intrusion Detection in ISA Server
  • The following intrusions are tracked
  • Windows out-of-band (WinNuke) - A specific type of
    Denial-of-Service attack
  • Land - A spoofed packet is sent with the SYN flag
    set so that the source address is the same as the
    destination address, which is the address of the
    server. The server can then try to connect to
    itself and crash.
  • Ping of death - The server receives ICMP packets
    that include large file attachments, which can
    cause a server to crash.

58
Intrusion Detection in ISA Server
  • Other intrusions that are tracked include
  • IP half scan - If a remote computer attempts to
    connect to a port by sending a packet with the
    SYN flag set and the port is not available, the
    RST flag is set on the return packet. When the
    remote computer does not respond to the RST flag,
    this is called an IP half scan. In normal
    situations, the TCP connection is closed with a
    packet containing a FIN flag.
  • UDP bomb - A UDP packet with an illegal
    configuration.
  • Port scan - You determine the threshold for the
    number of ports that are scanned (checked) before
    an alert is issued.

59
Implementing Secure Authentication and
Authorization
  • Administrators must control who has access to the
    network (authentication) and what logged on users
    can do to the network (authorization)
  • Network operating systems have tools to specify
    options and restrictions on how/when users can
    log on to network
  • File system access controls and user permission
    settings determine what a user can access on a
    network and what actions a user can perform

60
Cryptography
  • The science of encrypting and decrypting
    information to ensure that data and information
    cannot be easily understood or modified by
    unauthorized individuals
  • Allows encryption of data from its original form
    into a form that can only be read with a correct
    decryption key
  • Some of the security functions addressed by
    cryptography methods are
  • Authentication
  • Privacy
  • Message integrity
  • Provisions of data signatures

61
Vocabulary of Cryptography
  • Cryptanalysis - the process of evaluating
    cryptographic algorithms to discover their flaws
  • Cryptanalyst - a person who uses cryptanalysis to
    find flaws in cryptographic algorithms
  • Cryptographer - a person trained in the science
    of cryptography
  • Alphabet - set of symbols used in cryptography
    to either input or output messages
  • Plaintext (cleartext or raw data) - the original
    data in its raw form
  • Cipher (algorithm) - a cryptographic encryption
    algorithm for transforming data from one form to
    another
  • Ciphertext - the encrypted data

62
Encryption
  • The act of encoding readable data into a format
    that is unreadable without a decoding key
  • Decryption - the act of decoding encoded data
    back into the original readable format
  • Encryption provides privacy (confidentiality)

63
Encryption Methodology
  • There are two elements in encryption
  • Encryption method (cipher or algorithm) -
    specifies the mathematical process used in
    encryption
  • Key - the special string of bits used in
    encryption

64
Types of Cryptographic Ciphers
  • Ciphers fall into one of two major categories
  • Symmetric (single-key) ciphers - the same key is
    used for both encryption and decryption
  • Asymmetric (public-key) ciphers - different keys
    are used for encryption and decryption

65
Symmetric (Single Key) Ciphers
  • The most common and simplest form of encryption
  • Both parties in the encryption process use the
    same key and must keep the key secret
  • Symmetric ciphers are divided into
  • Stream ciphers - encrypt the bits of a message one
    at a time
  • Block ciphers - encrypt a number of bits as a
    single unit
  • Some symmetric ciphers include
  • Data Encryption Standard (DES), Triple-DES, DESX,
    RDES, Blowfish, Twofish, AES (Advanced Encryption
    Standard), and IDEA (International Data
    Encryption Algorithm), Serpent

66
Asymmetric (Public Key) Ciphers
  • There are two keys for each party
  • The sender and receiver each has a private and
    public key
  • Public key - senders will encrypt data using
    non-secure connections with the receiver's public
    key
  • Private key - the receivers use their private
    keys to decrypt data
  • The only person who can decrypt the ciphertext is
    the owner of the private key that corresponds to
    the public key used for the encryption
  • Well-regarded asymmetric techniques include RSA
    (Rivest, Shamir, and Adleman), DSS (Digital
    Signature Standard), and ElGamal
  • Internet protocols using asymmetric ciphers
    include Secure Socket Layer (SSL), Transport
    Layer Security (TLS), Secure Shell (SSH), Pretty
    Good Privacy (PGP), and GNU Privacy Guard (GPG)

67
Encryption Example
  • Alphabet - ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • Plaintext - Meet me on the corner
  • Cipher (algorithm) - C = P + K
  • C - the ciphertext character
  • P - the plaintext character
  • K - the value of the key
  • Key - 3
  • The algorithm simply states that to encrypt a
    plaintext character (P) and generate a ciphertext
    (C), add the value of the key (K) to the
    plaintext character
  • Shift the plaintext character to the right of the
    alphabet by three characters
  • D replaces A, E replaces B, F replaces C, etc
  • The following message is generated
  • Ciphertext - Phhw ph rq wkh fruqhu
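
An added example, not part of the original slides: the shift cipher above in shell, extended beyond the slide to cover wrap-around at the end of the alphabet, decryption, and a listing of all 25 shifts that shows how small the key space is. All function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: the slide's shift cipher, C = (P + K) mod 26.

UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ
LOWER=abcdefghijklmnopqrstuvwxyz

# rotate ALPHABET N -> the alphabet rotated left by N places (N=3: DEF...ABC)
rotate() {
    awk -v a="$1" -v n="$2" 'BEGIN { print substr(a, n + 1) substr(a, 1, n) }'
}

# shift_text K TEXT -> TEXT with each letter moved K places to the right,
# wrapping from Z back to A; case is kept, other characters pass through.
shift_text() {
    key=$(( ($1 % 26 + 26) % 26 ))        # normalise so a negative K shifts left
    printf '%s' "$2" |
        tr "${UPPER}${LOWER}" "$(rotate "$UPPER" "$key")$(rotate "$LOWER" "$key")"
}

encrypt() { shift_text "$1" "$2"; }
decrypt() { shift_text "$(( 0 - $1 ))" "$2"; }

# all_shifts CIPHERTEXT -> one line per key 1..25 with the text that key yields.
# With only 25 useful keys, a shift cipher gives no real confidentiality.
all_shifts() {
    try=1
    while [ "$try" -le 25 ]; do
        printf '%2d %s\n' "$try" "$(decrypt "$try" "$1")"
        try=$(( try + 1 ))
    done
}

encrypt 3 'Meet me on the corner'; echo
```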

68
Authentication
  • One purpose of encryption is to prevent anyone
    who intercepts a message from being able to read
    the message
  • It brings authorization (confidentiality) - only
    authorized users can use data
  • In contrast, authentication proves the sender's
    identity

69
Forms of Authentication
  • There are many forms of authentication
  • Passwords
  • Authentication cards - ATMs use these with coded
    information
  • Biometrics - measures body dimensions like
    finger-print analyzers
  • Public key authorization - uses digital
    signatures
  • Digital signature - the electronic version of a
    physical signature

70
Security Experts
  • Two of the most prominent computer security
    organizations are the CERT Coordination Center
    (CERT/CC) and the Systems Administration,
    Networking, and Security (SANS) Institute
  • CERT/CC - a federally funded software engineering
    institute operated by Carnegie Mellon University
  • SANS - a prestigious and well-regarded education
    and research organization with members including
    some of the leading computer security experts in
    the country

71
Security Resources
  • Computer Security Resources
  • http://www.sans.org (SANS Institute)
  • http://www.cert.org (CERT/CC)
  • http://www.first.org (FIRST - Forum of Incident
    Response and Security Teams)
  • http://csrc.nist.gov (NIST - National Institute
    of Standards and Technology, Computer Security
    Resource Center)
  • http://www.securityfocus.com (Security Focus
    Forum)