Section 1 Internet Overview - PowerPoint PPT Presentation

1 / 39

About This Presentation

Title:

Section 1 Internet Overview

Description:

INTERNET SECURITY - Advanced – PowerPoint PPT presentation

Number of Views:162

Avg rating:3.0/5.0

Slides: 40

Provided by: Michell491

Category:

more less

Transcript and Presenter's Notes

Title: Section 1 Internet Overview

1
INTERNET SECURITY - Advanced
2
Advanced Security Concepts

Detailed look at the types of attacks
Advanced Explanation of Solutions and
Technologies

3
Types of Attack (STRIDE)

Spoofing
Spoofing is attempting to gain access to a system
by using a false identity
Tampering Tampering
is the unauthorized modification of data
Repudiation Repudiation
is the ability of users (legitimate or otherwise)
to deny that they performed specific actions or
transactions

4
Types of Attack (STRIDE)

Information disclosure Information
disclosure is the unwanted exposure of private
data
Denial of service
Denial of service is the process of making a
system or application unavailable
Elevation of privilege Elevation of
privilege occurs when a user with limited
privileges assumes the identity of a privileged
user to gain privileged access to an application.

5
Microsoft Guide
6
Microsoft Guide
Category Guidelines
Input Validation Do not trust input consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain, reject, and sanitize input. Validate for type, length, format, and range.
Authentication Partition site by anonymous, identified, and authenticated area. Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Pass Forms authentication cookies only over HTTPS connections.
Authorization Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources.
Configuration Management Use least privileged process and service accounts. Do not store credentials in plaintext. Use strong authentication and authorization on administration interfaces. Do not use the LSA. Secure the communication channel for remote administration. Avoid storing sensitive data in the Web space.
Sensitive Data Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls on sensitive data stores. Do not store sensitive data in persistent cookies. Do not pass sensitive data using the HTTP-GET protocol.
Session Management Limit the session lifetime. Secure the channel. Encrypt the contents of authentication cookies. Protect session state from unauthorized access.
Cryptography Do not develop your own. Use tried and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location.
Parameter Manipulation Encrypt sensitive cookie state. Do not trust fields that the client can manipulate (query strings, form fields, cookies, or HTTP headers). Validate all values sent from the client.
Exception Management Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework.
Auditing and Logging Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files.
7
FBI Guide
BEST PRACTICES FOR ENTERPRISE NETWORK SECURITY MANAGEMENT(A.C.T.I.O.N.S) BEST PRACTICES FOR ENTERPRISE NETWORK SECURITY MANAGEMENT(A.C.T.I.O.N.S)
Authentication Implement processes and procedures to authenticate, or verify, the users of the network. This may include techniques such as PKI using smart cards, secure tokens, biometrics, or a combination of efforts.
Configuration management Plan enterprise architecture and deployment with security in mind. Manage configurations to know exactly what hardware, operating systems and software are in use, including specific versions and patches applied create robust access and software change controls, segregate responsibilities implement best practices and, do not use default security settings.
Training Train all employees on the need for IT security and ensure that security is factored into developing business operations. Foster an enterprise culture of safety and security.
Incident response Develop an enterprise capability for responding to incidents, mitigating damage, recovering systems, investigating and capturing forensic evidence, and working with law enforcement.
Organization network Organize enterprise security management, IT management, and risk management functions to promote efficient exchange of information and leverage corporate knowledge.
Network management Create a regular process to assess, remediate, and monitor the vulnerabilities of the network consider developing automated processes for vulnerability reporting, patching, and detecting insider threats. Internal and external IT security audits can also supplement these efforts.
Smart procurement Ensure that security is embedded in the business operations and the systems that support them. Embedding security is easier than bolting it on after the fact.
Source President's Critical Infrastructure Protection Board, National Strategy to Secure Cyberspace Source President's Critical Infrastructure Protection Board, National Strategy to Secure Cyberspace
8
The Technological Solutions

Access controls
Software (e.g. Challenge/Response)
Hardware (e.g. Firewalls, VPNs)
Cryptography
Encryption (e.g. private/public keys)
Digital certificates (e.g. SSL)

9
The technologies

SSL (Secure Socket Layer)
SSL protocol is widely used to protect
communications to and from the World Wide Web.
Originally developed by Netscape Communications
Corporation, SSL is built into most browsers and
Web servers to provide data encryption, server
authentication, message integrity, and optional
client authentication.

10
The technologies

FirewallsFirewalls provide a perimeter defense
to guard a network or its nodes against
unauthorized users.
VPNs (Virtual Private Networks)VPNs enable
enterprises to enjoy secure connectivity with
branch offices, business partners, and remote
users far beyond the reach of private networks.
Encrypted VPNs carry the private network traffic
on a logical connectiona secure, encrypted
"tunnel" over a public network

11
Point-to-Point Tunnelling
Virtual Private Network via PPTP
12
The technologies

Windows Challenge/Response
does not send a password across the network
uses the Internet standard MD4 hashing algorithm
to produce a 16-byte (128-bit) hash
impossible (theoretically) to take both the hash
and the algorithm and mathematically reverse the
process to determine the password
the password serves as a "private key"

13
Server security

Windows Server software has strong levels of
security - C2
Web service restricted to specified virtual roots
e.g. WWWROOT
IP filtering e.g. port 80 only
WWW Authentication
Anonymous
Basic Authentication
Challenge Response
Access rights (now Active Directory)
by user, by file, by directory (now object)

14
Server security

Configuration of server is key
Security tips for server configuration, see
resources at the end
Holes are always being found in server software,
so keep an eye on updates

15
Cryptography

Ancient mathematical science
Algorithm strength
Key length
USA Export Restrictions
Key management
How do you keep keys secret
Huge global scale

16
Factoring

Factoring a number means finding its prime factors

10 2 x 5 60 2 x 2 x 3 x 5 252601 41 x 61 x
101 2113 - 1 3391 x 23279 x 65993 x
1868569 x 1066818132868207
around 40 quadrillion years to factora
125-digit number Ron Rivest (1977)
In 1994, a 129 digit number was factored
17
Evolution

Factoring the 129-digit number in 1994 required
5000 MIPS-years and used the idle time on 1600
computers around the world over an eight-month
period
All predictions are out of date once they are
made!

18
Symmetric Cryptography
19
Asymmetric Cryptography
20
Digital Signatures
21
Certificate Authorities

Trusted third parties
Certificate contents include
Certificate Authority name
Certificate serial number
Identity of subject name/organization/address
Public key of subject
Validity timestamps
Signed by Certificate Authoritys private key
X.509 defines the standards

22
Secure Channels (SSL/SET)

Certification Authority (e.g. Verisign/Thawte)
Creates Certificate
Verifies Certificate owner
Provides
Client Authentication
Server Authentication
Encryption
Non repudiation
Data Integrity
Message Authentication
Stops
Imposters
Spies
Vandals

23
Secure Channels - authentication
Suppose Alice wants to verify Bob
Alice examines certificate using CA public key.
Checks the user is Bob and retrieves Bobs public
key
Alice can verify the user is Bob by using Bobs
public key and checking for a match.
24
Secure Channels - authentication
A bad guy Klone could do
Klone does not have Bobs private key and so
cannot construct a message that Alice will believe
25
Secure Channels - encryption
Alice can now send a message that only Bob can
decipher
Both sides now know the Secret key and can use a
symmetric cryptographic algorithm for future
transmissions
Lots of debate about how long a secret key should
be in order to be effective.
26
Secure Channels - message auth.
A bad guy Sniffer could do
Sniffer is unlikely to produce a valid message -
but he might get lucky !!! Alice is trusting Bob
so would act upon the message
27
Secure Channels - message auth.

Message Authentication Code (MAC)
Calculated using digest algorithm on message (or
part of) and secret
Sniffer does not know secret
Cannot compute right value
Chance of guessing is remote

28
Secure Sockets

TCP/IP - designed to operate in layers

Security protocols e.g. Secure Sockets Layer
(SSL)
Encryption
Authentication of messages
Authentication of end-points i.e.client and server

29
SEC - Secure Electronic Commerce

Satisfy customer requirements for secure payment
Consumers
Merchants
Banks
Brands
Enable electronic commerce applications
Provide interoperability

30
Viruses

Accountability

Digital Code Signatures (Authenticode)
Provides accountability for Java applets and
ActiveX Controls
Issued by a Certificate Authority
Contents include
Certificate Authority name
Certificate serial number
Identity of subject name/organization/address
Public key of subject
Validity timestamps
Signed by C.A. private key
X.509 defines the standards

31
Summary

Many facets
Biggest danger is internal
Not implementing or fully understanding the
available technologies
Risk assessment
Suitable response
Process that must evolve

32
Advanced Resources

ASP/MTS/ADSI Web Security, Richard Harrison,
1999, Prentice Hall
Latest Microsoft Security bulletins
http//www.microsoft.com/technet/security/current.
asp
Microsoft IIS Security Checklist
http//www.microsoft.com/technet/treeview/default.
asp?url/technet/security/tools/iis5chk.asp
Apache Security Tips http//httpd.apache.org/docs/
misc/security_tips.html
Top Ten Security Issues http//www.sans.org/topten
.htm
How SSL works http//developer.netscape.com/tech/s
ecurity/ssl/howitworks.html
Secure Applications Using Microsoft Technologies
http//msdn.microsoft.com/library/default.asp?url
/library/en-us/dnnetsec/html/ThreatCounter.asp