security

1. Network Security
Fundamental Aspects
Msc. Vuong Thi Nhung
Faculty of Information Technology
Hanoi University
Aug 23, 2015

2. Contents
 History of Information Security
 Information Security Definition and Concept
 AAA & CIA models
 Threats and Risks
 Some security guidelines

3. The story of the Internet worm
 On November 2, 1988, Robert Morris, Jr., a
graduate student in Computer Science at Cornell,
wrote an experimental, self-replicating, self-
propagating program called a worm and injected it
into the Internet.
 He chose to release it from MIT, to disguise the fact
that the worm came from Cornell.
 Morris soon discovered that the program was
replicating and reinfecting machines at a much
faster rate than he had anticipated.
 Ultimately, many machines at locations around the
country either crashed or became “unreponsive”.

4.  When Morris realized what was happening, he
contacted a friend at Harvard to discuss a solution.
Eventually, they sent an anonymous message from
Harvard over the network, instructing programmers
how to kill the worm and prevent reinfection.
 However, because the network route was blocked,
this message did not get through until it was too
late.
 Computers were affected at many sites, including
universities, military sites, and medical research
facilities. The estimated cost of dealing with the
worm at each installation ranged from $200 to more
than $53,000.

5.  The program took advantage of a hole in the debug
mode of the Unix sendmail program, which runs on
a system and waits for other systems to connect to it
and give it email.
 People at the University of California and MIT had
copies of the program and were actively
disassembling it (returning the program back into its
source form) to try to figure out how it worked.
 Teams of programmers worked non-stop to come up
with at least a temporary fix, to prevent the
continued spread of the worm.
 The information didn't get out as quickly as it could
have, however, since so many sites had completely
disconnected themselves from the network.

6.  After a few days, things slowly began to return to
normalcy and everyone wanted to know who had
done it all. Morris was later named in The New York
Times as the author of incidents.
 Robert T. Morris was convicted of violating the
computer Fraud and Abuse Act (Title 18), and
sentenced to three years of probation, 400 hours of
community service, a fine of $10,050, and the costs
of his supervision. His appeal, filed in December,
1990, was rejected the following March.
http://www-swiss.ai.mit.edu/6805/articles/morris-worm.html

7.  After the incident, Morris was suspended from
Cornell for acting irresponsibly according to a
university board of inquiry. Later, Morris would obtain
his Ph.D. from Harvard University for his work on
modeling and controlling networks with large
numbers of competing connections.
 Robert Morris is currently an assistant professor
at MIT (apparently they forgave him for launching
his worm from their network) and a member of
their Laboratory of Computer Science in the
Parallel and Distributed Operating Systems
group. He teaches a course on Operating
System Engineering and has published
numerous papers on advanced concepts.

8. What is Security
 Security: “The quality or state of being secure—to
be free from danger”
 Security is The protection of information and its
critical elements, including systems and
hardware that use, store, and transmit that
information
 Necessary tools: policy, awareness, training,
education, technology

9. Layers of security
 A successful organization should have multiple
layers of security in place:
 Physical security - To protect the physical items, objects, or
areas of an organization from unauthorized access and
misuse.
 Personal security - To protect the individual or group of
individuals who are authorized to access the organization
and its operations.
 Operations security - To protect the details of a particular
operation or series of activities

10.  Communications security - To protect an organization’s
communications media, technology, and content.
 Network security - To protect networking components,
connections.
 Information security- To protect the confidentiality, integrity
and availability of information assets, whether in storage,
processing or transmission.
 It is achieved via the application of policy, education,
training and awareness, and technology.

11. Building elements of Information Security
Authentication
Access ControlAuditing

12. Authentication
 Sender, receiver want to confirm identity of
each other
 Who am I talking to?

13. Example: FIT E-learning
ISP A
ISP D
ISP C
ISP B
Student V
FIT E-learning

14. Authentication: Who am I talking to?
ISP A
ISP D
ISP C
ISP B
Hello, I’m V
FIT E-learning
Student V
Is that
student
V?
Is that
FIT ?

15. Authentication
 Protection Mechanisms
 Password
 Manual
 One-Time Password
 Key Sharing
 Public-private keys
 Wifi
 Challenge-Response
 Multi-factor Authentication

16. Access Control
 Access control can be defined as a policy,
software component, or hardware component
that is used to grant or deny access to a
resource.
 Example of hardware components: A smart
card, a biometric device, or network access
hardware

17. Access Control
 Services must be accessible to appropriate
users
 Do you have adequate privileges to access
this information?

18. Access control
ISP A
ISP D
ISP C
ISP BMr. Anonymous FIT E-learning
Student V
Are Mr. T
allowed to
view course
contents?

19. Access Control
 Protection mechanisms
 Access control list
 Firewall
 VPN
 Smart card
 Rules

20. Auditing
 Auditing is the process of tracking and
reviewing events, errors, access, and
authentication attempts on a system.
 Protection mechanism: logging system,
history.

21. Auditing
 Develop a path and trail system in the logging
of the monitored events that allows to track
usage and access, either authorized or
unauthorized.
 It improves security and allows for better
audit policies and rules

22. Example: Enable auditing for logon
events
Go to Administrative Tools | Local Security Policy
Navigate to Local Policies | Audit Policy

23. Enable auditing for logon events
Go to Event Viewer to see logs.

24. 24
Integrity
Confidentiality Availability
Security Goal

25. ISO 27002:2005 defines Information Security as the
preservation of:
– Confidentiality
Ensuring that information is
accessible only to those
authorized to have access
– Integrity
Safeguarding the accuracy and
completeness of information
and processing methods
– Availability
Ensuring that authorized
users have access to
information and associated
assets when required
I
N
F
O
R
M
A
T
I
O
N
A
T
T
R
I
B
U
T
E
S
9/10/201
5
25
Mohan Kamat

26. Confidentiality
 Only sender, intended receiver should
“understand” message contents
 Is my data hidden?

27. Confidentiality
 Protection Mechanisms
 Data encryption
 Symmetric
 Asymmetric (public-private keys)

28. Confidentiality: Is my data hidden?
ISP A
ISP D
ISP C
ISP B
Mr. T
FIT E-learning
Student V
Can Mr. T see my
homework?

29. Integrity
 Sender, receiver want to ensure message not
altered (in transit, or afterwards) without
detection
 Has my data been modified?

30. Integrity: Has my data been modified?
ISP A
ISP D
ISP C
ISP B
Mr. T
FIT E-learning
Student V
Can Mr. T
modify student
V’s homework?

31. Integrity
 Protection mechanisms
 Digital signature

32. Availability
 Services must be available to users
 Can I reach the destination?

33. Availability: Can I reach the destination?
ISP A
ISP D
ISP C
ISP B FIT E-learning
Student V
Can I
access
FIT
during
midterm
?

34. Availability
 Protection mechanisms
 Backup and recovery
 Firewall
 Vulnerability scanning and patching
 Intrusion detection and response
 Virus scanning

35. W
H
A
T
I
S
R
I
S
K
What is Risk?
Risk: A possibility that a threat exploits a
vulnerability in an asset and causes damage or
loss to the asset.
Threat: Something/Someone that can potentially
cause damage to the organisation, IT Systems
or network.
Vulnerability: A weakness in the organization, IT
Systems, or network that can be exploited
by a threat.
35

36. • Information Security is “Organizational Problem”
rather than “IT Problem”
• More than 70% of Threats are Internal
• More than 60% culprits are First Time fraudsters
• Biggest Risk : People
• Biggest Asset : People
• Social Engineering is major threat
• More than 2/3rd express their inability to determine
“Whether my systems are currently compromised?”
I
N
F
O
S
E
C
U
R
I
T
Y S
U
R
V
E
Y
9/10/201
5
36
Mohan Kamat

37. High User
Knowledge of IT
Systems
Theft,
Sabotage,
Misuse
Virus Attacks
Systems &
Network
Failure
Lack Of
Documentation
Lapse in
Physical
Security
Natural
Calamities &
Fire
R
I
S
K
S
&
T
H
R
E
A
T
S
9/10/201
5
37
Mohan Kamat
Potential Threats

38. SO HOW DO
WE
OVERCOME
THESE
PROBLEMS?
9/10/201
5
38
Mohan Kamat

39. U
S
E
R
R
E
S
P
O
N
S
I
B
I
L
I
T
I
E
S
Information Security Policy
IS Policy is approved by Top
Management
Policy is released on Intranet at
http://xx.xx.xx.xx/ISMS/index.htm
9/10/201
5
39
Mohan Kamat

40. U
S
E
R
R
E
S
P
O
N
S
I
B
I
L
I
T
I
E
S
Access Control - Physical
• Follow Security Procedures
• Wear Identity Cards and Badges
• Ask unauthorized visitor his credentials
• Attend visitors in Reception and Conference Room only
• Bring visitors in operations area without prior
permission
• Bring hazardous and combustible material in secure
area
• Practice “Piggybacking”
• Bring and use pen drives, zip drives, ipods, other storage
devices unless and otherwise authorized to do so
9/10/201
5
40
Mohan Kamat

41. U
S
E
R
R
E
S
P
O
N
S
I
B
I
L
I
T
I
E
S
Password Guidelines
 Always use at least 8 character password with combination of
alphabets, numbers and special characters (*, %, @, #, $, ^)
 Use passwords that can be easily remembered by you
 Change password regularly as per policy
 Use password that is significantly different from earlier passwords
Use passwords which reveals your personal
information or words found in dictionary
Write down or Store passwords
Share passwords over phone or Email
Use passwords which do not match above complexity
criteria
9/10/201
5
41
Mohan Kamat

42. U
S
E
R
R
E
S
P
O
N
S
I
B
I
L
I
T
I
E
S
Technology Department is continuously monitoring Internet
Usage. Any illegal use of internet and other assets shall call
for Disciplinary Action.
 Do not use internet for viewing, storing or transmitting
obscene or pornographic material
 Do not use internet for accessing auction sites
 Do not use internet for hacking other computer systems
 Do not use internet to download / upload commercial
software / copyrighted material
 Use internet services for business purposes only
Internet Usage
9/10/201
5
42
Mohan Kamat

43. U
S
E
R
R
E
S
P
O
N
S
I
B
I
L
I
T
I
E
S
E-mail Usage
 Do not use official ID for any personal subscription purpose
 Do not send unsolicited mails of any type like chain letters or
E-mail Hoax
 Do not send mails to client unless you are authorized to do so
 Do not post non-business related information to large
number of users
 Do not open the mail or attachment which is suspected to be
virus or received from an unidentified sender
Use official mail for business purposes only
Follow the mail storage guidelines to avoid blocking of E-mails
 If you come across any junk / spam mail, do the following
a) Remove the mail.
b) Inform the security help desk
c) Inform the same to server administrator
d) Inform the sender that such mails are undesired
9/10/201
5
43
Mohan Kamat

44. U
S
E
R
R
E
S
P
O
N
S
I
B
I
L
I
T
I
E
S
Security Incidents
Report Security Incidents (IT and Non-IT) to
Helpdesk through
• E-mail to info.sec@organisation.com
• Telephone : xxxx-xxxx-xxxx
• Anonymous Reporting through Drop boxes
e.g.:
IT Incidents: Mail Spamming, Virus attack, Hacking, etc.
Non-IT Incidents: Unsupervised visitor movement, Information
leakage, Bringing unauthorized Media
•Do not discuss security incidents with any one outside organisation
•Do not attempt to interfere with, obstruct or prevent anyone from reporting
incidents
9/10/201
5
44
Mohan Kamat

45. U
S
E
R
R
E
S
P
O
N
S
I
B
I
L
I
T
I
E
S
 Ensure your Desktops are having latest antivirus updates
 Ensure your system is locked when you are away
 Always store laptops/ media in a lockable place
 Be alert while working on laptops during travel
 Ensure sensitive business information is under lock and key
when unattended
 Ensure back-up of sensitive and critical information assets
 Understand Compliance Issues such as
Cyber Law
IPR, Copyrights, NDA
Contractual Obligations with customer
 Verify credentials, if the message is received from unknown
sender
 Always switch off your computer before leaving for the day
 Keep your self updated on information security aspects
9/10/201
5
45
Mohan Kamat

46. Disable Non-essential services,
protocols, processes, programs
 Protocols, systems, and processes that rob
systems of resources and allow potential attacks
to occur that could damage your systems.
 If they are not being actively used, it is an
unnecessary security risk.
 The solution is simply to disable or inactivate the
service, protocol, system, or process which is
not needed

47. But… Be Careful!
You need to understand what it is
and what you are doing!

48. Example: FIT E-learning
ISP A
ISP D
ISP C
ISP B
Student V
Mr. T
FIT E-learning

49. Example: FIT-E-learning
ISP A
ISP D
ISP C
ISP B
Hello, I’m V
FIT E-learning

50. Tutorial
 Using wireshark to sniff the network traffic.
 Let’s see if you can get some passwords?