The University of Akron Summit College Business Technology Dept. 2440: 141 Web Site Administration Introduction to Security Instructor: Enoch E. Damson

Upload: rosalyn-hunt

Post on 12-Jan-2016


Information Security
- Consists of the procedures and measures taken to protect each component of information systems
  - Protecting data, hardware, software, networks, procedures and people
- The concept of information security is based on the C.I.A. triangle (according to the National Security Telecommunications and Information Security Committee, NSTISSC)
  - C: Confidentiality
  - I: Integrity
  - A: Availability

Confidentiality
- Addresses two aspects of security with subtle differences
  - Prevents unauthorized individuals from knowing or accessing information
  - Safeguards confidential information and discloses secret information only to authorized individuals by means of classifying information

Integrity
- Ensures data consistency and accuracy
- The integrity of the information system is measured by the integrity of its data
- Data can be degraded into the following categories:
  - Invalid data: not all data is valid
  - Redundant data: the same data is recorded and stored in several places
  - Inconsistent data: redundant data is not identical
  - Data anomalies: one occurrence of repeated data is changed and the other occurrences are not
  - Data read inconsistency: a user does not always read the last committed data
  - Data non-concurrency: multiple users can access and read data at the same time but lose read consistency

Availability
- Ensures that data is accessible to authorized individuals
- An organization's information system can be unavailable because of the following security issues:
  - External attacks and lack of system protection
  - Occurrence of system failure with no disaster recovery strategy
  - Overly stringent and obscure security procedures and policies
  - Faulty implementation of authentication processes, causing failure to authenticate customers properly

Information Security Architecture
- The model for protecting logical and physical assets
- The overall design of a company's implementation of the C.I.A. triangle
- Components range from physical equipment to logical security tools and utilities

Components of Information Security Architecture
- The components of information security architecture are:
  - Policies and procedures: documented procedures and company policies that elaborate on how security is to be carried out
  - Security personnel and administrators: people who enforce and keep security in order
  - Detection equipment: devices to authenticate users and detect equipment prohibited by the company
- Other components of information security architecture include:
  - Security programs: tools to protect computer systems' servers from malicious code such as viruses
  - Monitoring equipment: devices to monitor physical properties, users, and important assets
  - Monitoring applications: utilities and applications used to monitor network traffic and Internet activities, downloads, uploads, and other network activities
  - Auditing procedures and tools: checks and controls to ensure that security measures are working

Levels of Security
- The levels of security include:
  - Highly restrictive
  - Moderately restrictive
  - Open
- Before deciding on a level of security, answer these questions:
  - What must be protected?
  - From whom should data be protected?
  - What costs are associated with security being breached and data being lost or stolen?
  - How likely is it that a threat will actually occur?
  - Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment?

Highly Restrictive Security Policies
- Include features such as:
  - Data encryption
  - Complex password requirements
  - Detailed auditing and monitoring of computer/network access
  - Intricate authentication methods
  - Policies that govern use of the Internet/e-mail
- Might require third-party hardware and software
- Implementation cost is high
- Cost of a security breach is high

Moderately Restrictive Security Policies
- Most organizations can opt for this type of policy
- Requires passwords, but not overly complex ones
- Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity
- Most network operating systems contain authentication, monitoring, and auditing features to implement the required policies
- Infrastructure can be secured with moderately priced off-the-shelf hardware and software (firewalls, etc.)
- Costs are primarily in initial configuration and support

Open Security Policies
- Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing
- May be implemented by a small company with the primary goal of making access to basic data resources
- Internet access should probably not be possible via the company LAN
- Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees

Securing the Web Environment
- Both Linux and Windows need to be configured carefully to minimize security risks
- Keep software patches up to date
- Web servers with static pages are relatively easier to protect than those with dynamic pages
- To secure transmission, data may be encrypted with Secure Socket Layer (SSL) and Secure Shell (SSH)
- To isolate a Web server environment:
  - Firewalls may be used to block unwanted access to ports
  - Proxy servers may be used to isolate computers
- To discover whether and how attackers have penetrated a system, intrusion detection software may be used

Identifying Threats and Vulnerabilities
- Hackers sometimes want the challenge of penetrating a system and vandalizing it; other times they are after data
  - Data can be credit card numbers, user names and passwords, other personal data
- Information can be gathered by hackers while it is being transmitted
- Operating system flaws can often assist hackers

Types of Attacks & Vulnerabilities
- Some of the numerous methods to attack systems are as follows:
  - Virus: code that compromises the integrity and state of a system
  - Worm: code that disrupts the operation of a system
  - Trojan horse: malicious code that penetrates a computer system or network by pretending to be legitimate code
  - Denial of service: the act of flooding a Web site or network system with many requests with the intent of overloading the system and forcing it to deny service to legitimate requests
  - Spoofing: malicious code that looks like legitimate code
  - Bugs: software code that is faulty due to bad design, logic, or both
- Other methods to attack systems include:
  - E-mail spamming: e-mail that is sent to many recipients without their permission
  - Boot sector virus: code that compromises the segment in the hard disk containing the program used to start the computer
  - Back door: an intentional design element of some software that allows developers of a system to gain access to the application for maintenance or technical problems
  - Rootkits and bots: malicious or legitimate software code that performs functions like automatically retrieving and collecting information from computer systems

Examining TCP/IP
- TCP/IP was not designed to be secure but to allow systems to communicate
- Hackers often take advantage of ignorance about TCP/IP to access computers connected to the Internet
- The following are the parts of the IP header most relevant to security:
  - Source address: start-point IP address
  - Destination address: end-point IP address
  - Packet identification, flags, fragment offset
  - Total length: length of packet in bytes
  - Protocol: TCP, UDP, ICMP

Vulnerabilities of DNS
- Historically, DNS has had security problems
- BIND is the most common implementation of DNS and some older versions had serious bugs
- Current versions of BIND have been more secure

Vulnerabilities in Operating Systems
- Operating systems are large and complex
  - Hence, more opportunities for attack
- Inattentive administrators often fail to implement patches when available
- Some attacks, such as buffer overruns, can allow the attacker to take over the computer

Vulnerabilities in Web Servers
- Static HTML pages pose virtually no problem
- Programming environments and databases add complexity that a hacker can exploit

Vulnerabilities of E-mail Servers
- By design, e-mail servers are open
- E-mail servers can be harmed by a series of very large e-mail messages
- Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server
- Viruses can be sent to e-mail users
- Retrieving e-mail over the Internet often involves sending your user name and password as clear text

Security Basics
- Some of the basic security rules are as follows:
  - Security and functionality are inversely related: the more security you implement, the less functionality you will have, and vice versa
  - No matter how much security you implement and no matter how secure your site is, if hackers want to break in, they will
  - The weakest link in security is human beings

Security Methods
- People
  - Physical limits on access to hardware and documents
  - Through the processes of identification and authentication, make certain that the individual is who he/she claims to be through the use of devices, such as ID cards, eye scans, passwords
  - Training courses on the importance of security and how to guard assets
  - Establishment of security policies and procedures
- Applications
  - Authentication of users who access applications
  - Business rules
  - Single sign-on (a method for signing on once for different applications and Web sites)
- Network
  - Firewalls to block network intruders
  - Virtual private network (VPN): a remote computer securely connected to a corporate network
  - Authentication
- Operating System
  - Authentication
  - Intrusion detection
  - Password policy
  - User accounts
- Database Management Systems
  - Authentication
  - Audit mechanism
  - Database resource limits
  - Password policy
- Data Files
  - File permissions
  - Access monitoring

Securing Access to Data
- Securing data on a network has many facets:
  - Authentication and authorization: identifying who is permitted to access which network resources
  - Encryption/decryption: making data unusable to anyone except authorized users
  - Virtual Private Networks (VPNs): allowing authorized remote access to a private network via the public Internet
  - Firewalls: installing a software/hardware device to protect a computer or network from unauthorized access and attacks
- Other facets of securing data on a network include:
  - Virus and worm protection: securing data from software designed to destroy data or make a computer or network operate inefficiently
  - Spyware protection: securing computers from inadvertently downloading and running programs that gather personal information and report on browsing and habits
  - Wireless security: implementing unique measures for protecting data and authorizing access to the wireless network

Securing Data Transmission
- To secure data on a network, you need to encrypt the data
- Secure Socket Layer (SSL) is commonly used to encrypt data between a browser and Web server
- Secure Shell (SSH) is a secured replacement for Telnet

Securing the Operating System
- Use the server for only necessary tasks
- Minimize user accounts
- Disable services that are not needed
- Make sure that you have a secure password

Securing Windows
- Some services that are not needed in Windows for most Internet-based server applications may be turned off
- Examples include:
  - Alerter
  - Computer browser
  - DHCP client
  - DNS client
  - Messenger
  - Server
  - Workstation
- Also, the registry can be used to alter the configuration to make it more secure, such as disabling short file names

Securing Linux
- Only run needed daemons
- Generally, daemons are disabled by default
- The command netstat -l gives you a list of daemons that are running
- Use chkconfig to enable and disable daemons
  - chkconfig imap on would enable imap

Securing E-mail
- Tunneling POP3 can prevent data from being seen
- Microsoft Exchange can also use SSL for the protocols it uses
- Set a size limit for each mailbox to prevent someone from sending large e-mail messages until the disk is full

Securing the Web Server
- Enable the minimum features
- If you do not need a programming language, do not enable it
- Make sure programmers understand security issues
- Implement SSL where appropriate
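
The IP header fields listed under Examining TCP/IP can be read straight out of a captured packet. The Python parser below is an added example, not part of the original slides; the sample packet, its documentation-range addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
IPV4_FIXED = "!BBHHHBBH4s4s"   # the 20-byte fixed part of an IPv4 header


def checksum(header: bytes) -> int:
    """One's-complement sum over the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the security-relevant IPv4 header fields and sanity-check them."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    (ver_ihl, _tos, total_length, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FIXED, packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or header_len > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
        "total_length": total_length,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "ttl": ttl,
        # Summing an intact header, checksum field included, yields zero.
        "checksum_ok": checksum(packet[:header_len]) == 0,
        # The length the header claims should match what was captured.
        "length_matches": total_length == len(packet),
    }


def build_sample_packet() -> bytes:
    """Constructed sample: TCP packet, 192.0.2.10 -> 198.51.100.7, DF set."""
    payload = b"\x00" * 20
    fields = [0x45, 0, 20 + len(payload), 0x1C46, 0x4000, 64, 6, 0,
              ipaddress.IPv4Address("192.0.2.10").packed,
              ipaddress.IPv4Address("198.51.100.7").packed]
    fields[7] = checksum(struct.pack(IPV4_FIXED, *fields))  # real checksum
    return struct.pack(IPV4_FIXED, *fields) + payload


if __name__ == "__main__":
    for name, value in parse_ipv4_header(build_sample_packet()).items():
        print(f"{name:16} {value}")
```

A passing checksum only shows the header was not corrupted in transit; nothing in the header authenticates the source address.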

Authenticating Web Users
- Both Apache and IIS use HTTP to enable authentication
- If HTTP tries to access a protected directory and fails, then:
  - It requests authentication from the user in a dialog box
  - Accesses the directory with the user information
- Used in conjunction with SSL

Using a Firewall
- A firewall implements a security policy between networks
- Limit access, especially from the Internet to your internal computers
- Restrict access to Web servers, e-mail servers, and other related servers

Types of Filtering
- Packet filtering
  - Looks at each individual packet
  - Based on rules, it determines whether to let it pass through the firewall
- Circuit-level filtering (stateful or dynamic filtering)
  - Controls the complete communication session, not just individual packets
  - Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside
- Application-level
  - Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail

Using a Proxy Server
- A proxy server delivers content on behalf of a user or server application
- Proxy servers need to understand the protocol of the application that they proxy, such as HTTP or FTP
- Forward proxy servers isolate users from the Internet
  - Users contact the proxy server, which gets the Web page
- Reverse proxy servers isolate the Web server environment from the Internet
  - When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server

Using Intrusion Detection Software
- Intrusion detection is designed to show you that your defenses have been penetrated
- With Microsoft Internet Security and Acceleration (ISA) Server, it only detects specific types of intrusion
- In Linux, Tripwire tracks changes to files

Tripwire
- Tripwire allows you to set policies that allow you to monitor any changes to the files on the system
- Tripwire can detect file additions, file deletions, and changes to existing files
- By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change

Implementing Secure Authentication and Authorization
- Administrators must control who has access to the network (authentication) and what logged-on users can do to the network (authorization)
- Network operating systems have tools to specify options and restrictions on how/when users can log on to the network
- File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform

Cryptography
- The science of encrypting and decrypting information to ensure that data and information cannot be easily understood or modified by unauthorized individuals
- Allows encryption of data from its original form into a form that can only be read with a correct decryption key
- Some of the security functions addressed by cryptographic methods are:
  - Authentication
  - Privacy
  - Message integrity
  - Provisions of data signatures

Vocabulary of Cryptography
- Cryptanalysis: the process of evaluating cryptographic algorithms to discover their flaws
- Cryptanalyst: a person who uses cryptanalysis to find flaws in cryptographic algorithms
- Cryptographer: a person trained in the science of cryptography
- Alphabet: set of symbols used in cryptography to either input or output messages
- Plaintext (cleartext or raw data): the original data in its raw form
- Cipher (algorithm): a cryptographic encryption algorithm for transforming data from one form to another
- Ciphertext: the encrypted data

Encryption
- The act of encoding readable data into a format that is unreadable without a decoding key
  - Decryption: the act of decoding encoded data back into the original readable format
- Encryption provides privacy (confidentiality)

Encryption Methodology
- There are two elements in encryption:
  - Encryption method (cipher or algorithm): specifies the mathematical process used in encryption
  - Key: the special string of bits used in encryption

Types of Cryptographic Ciphers
- Ciphers fall into one of two major categories:
  - Symmetric (single-key) ciphers: the same key is used for both encryption and decryption
  - Asymmetric (public-key) ciphers: different keys are used for encryption and decryption

Symmetric (Single Key) Ciphers
- The most common and simplest form of encryption
- Both parties in the encryption process use the same key and must keep the key secret
- Symmetric ciphers are divided into:
  - Stream ciphers: encrypt the bits of the message one at a time
  - Block ciphers: encrypt a number of bits as a single unit
- Some symmetric ciphers include:
  - Data Encryption Standard (DES), Triple-DES, DESX, RDES, Blowfish, Twofish, AES (Advanced Encryption Standard), IDEA (International Data Encryption Algorithm), and Serpent

Asymmetric (Public Key) Ciphers
- There are two keys for each party
- The sender and receiver each has a private and public key
  - Public key: senders will encrypt data using non-secure connections with the receiver's public key
  - Private key: the receivers use their private keys to decrypt data
- The only person who can decrypt the ciphertext is the owner of the private key that corresponds to the public key used for the encryption
- Well-regarded asymmetric techniques include: RSA (Rivest, Shamir, and Adleman), DSS (Digital Signature Standard), and ElGamal
- Internet protocols using asymmetric ciphers include: Secure Socket Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), Pretty Good Privacy (PGP), and GNU Privacy Guard (GPG)

Encryption Example
- Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
- Plaintext: Meet me on the corner
- Cipher (algorithm): C = P + K
  - C: the ciphertext character
  - P: the plaintext character
  - K: the value of the key
- Key: 3
- The algorithm simply states that to encrypt a plaintext character (P) and generate a ciphertext (C), add the value of the key (K) to the plaintext character
- Shift the plaintext character to the right of the alphabet by three characters
  - D replaces A, E replaces B, F replaces C, etc.
- The following message is generated:
  - Ciphertext: Phhw ph rq wkh fruqhu

Authentication
- One purpose of encryption is to prevent anyone who intercepts a message from being able to read the message
  - It brings authorization (confidentiality): only authorized users can use data
- In contrast, authentication proves the sender's identity

Forms of Authentication
- There are many forms of authentication:
  - Passwords
  - Authentication cards: ATMs use these with coded information
  - Biometrics: measures body dimensions, like fingerprint analyzers
  - Public key authorization: uses digital signatures
    - Digital signature: the electronic version of a physical signature
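
The shift cipher from the Encryption Example slide, written out in Python as an added example that is not part of the original slides. It goes slightly beyond the slide: it wraps around at the end of the alphabet (C = (P + K) mod 26, which the slide's formula needs for X, Y and Z), adds decryption, and lists every possible key to show how small the key space is. The function names are constructed.

```python
import string

ALPHABET = string.ascii_uppercase   # the slide's alphabet, A-Z


def shift(text: str, key: int) -> str:
    """Apply C = (P + K) mod 26 to letters; keep case, spaces and punctuation."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            pos = (ALPHABET.index(ch.upper()) + key) % len(ALPHABET)
            new = ALPHABET[pos]
            out.append(new if ch.isupper() else new.lower())
        else:
            out.append(ch)          # characters outside the alphabet pass through
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    # Decryption is the same shift in the opposite direction: P = (C - K) mod 26.
    return shift(ciphertext, -key)


def candidate_plaintexts(ciphertext: str) -> dict:
    """Every possible decryption: only 25 keys change the message at all."""
    return {key: decrypt(ciphertext, key) for key in range(1, len(ALPHABET))}


if __name__ == "__main__":
    message = "Meet me on the corner"
    secret = encrypt(message, 3)
    print(secret)
    print(decrypt(secret, 3))
    print(encrypt("XYZ", 3))        # wraps around to the start of the alphabet
    # With 25 candidates, keeping the key secret provides no real confidentiality.
    for key, text in candidate_plaintexts(secret).items():
        print(f"{key:2} {text}")
```

The ciphers named on the symmetric and asymmetric slides rely on key spaces far too large to enumerate this way.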

Security Experts
- Two of the most prominent computer security organizations are the CERT Coordination Center (CERT/CC) and the Systems Administration, Networking, and Security (SANS) Institute
  - CERT/CC: a federally funded software engineering institute operated by Carnegie Mellon University
  - SANS: a prestigious and well-regarded education and research organization with members including some of the leading computer security experts in the country

Security Resources
- Computer Security Resources
  - http://www.sans.org (SANS Institute)
  - http://www.cert.org (CERT/CC)
  - http://www.first.org (FIRST: Forum of Incident Response and Security Teams)
  - http://csrc.nist.gov (NIST: National Institute of Standards and Technology, Computer Security Resource Center)
  - http://www.securityfocus.com (Security Focus Forum)