COMP3123 Network and Internet Security – Richard Henson, University of Worcester, September 2011


Page 1: COMP3123 Network and Internet Security Richard Henson University of Worcester September 2011

COMP3123 Network and Internet Security
Richard Henson
University of Worcester
September 2011

Page 2: What this module is about

- Understanding of the importance of protection of information, and in particular of digital information
- The importance of information security policy and its enforcement in managing information security within an organisation
- Understanding, controlling, managing the secure infrastructure developed for networks, with a focus on the Internet
- An overview of the technologies available to secure data via each of the seven OSI layers and the vulnerabilities of data held on organisational networks

Page 3: Week 1 – Strategies for securing data held within digital systems

Objectives:
- Explain security as a “process”, not a product
- Understand principles of maintaining data confidentiality, privacy, integrity, availability
- Apply a security strategy in terms of denial of access to unauthorised users
- Explain that total security is a myth; people are people, computer technology is constantly evolving; ISO27001 is the most effective response to date…

Page 4: Data and Information

- “A” level stuff? Yet the difference between the two is subtle but crucial, and should be clearly understood…
- Exercise in pairs…
  » discuss what is (a) similar (b) different about data and information
  » give an example of (1) data and (2) information
  » be prepared to explain why it can be categorised as such…

Page 5: Data and Information?

- All about context…
  » no other info…. just numbers & characters
  » correct related info… really important information
- “Information” within the organisation/department may be “just data” outside…
  » e.g. data intercepted via a wireless link
- BUT an internal “informer”… can provide context for that information

Page 6: Value of Data

- If what is compromised remains just “data”, perhaps a breach is not so serious…
  » data worthless without context
- However… if the data becomes information…
  » will have a value
  » breach becomes very serious indeed
  » rival organisations could get corporate information
  » anyone could access customer personal information

Page 7: How much is Data worth?

- Information has intrinsic value
  » e.g. personal data record - could become “personal information”
    » worth £50 on the black market?
  » could become financial or corporate information
    » may be worth a lot more than £50…
- By contrast, data only has potential value
  » given the right context, it can become information, and will have the same value

Page 8: Why keep data secure?

- Data can easily become information, especially if in digital format with all the resources of the Internet available…
  » information can be very valuable
  » and very destructive!
- Should be a prime concern of all organisations to take special care of digital data that could be contextualised to become information…

Page 9: Information or Data security?

- Until recently, always referred to as data security, and regarded as an IT matter
- “Information Security” now the preferred description of research and activities that seek to protect what was often seen as “just data”
- As previously demonstrated
  » data in the “right” hands can easily become information
  » should never be dismissed as “just data”

Page 10: Information Security within Organisations

- Organisations have always kept information
- Important to the extent that the organisation IS its information
  » loss of vital data could therefore be curtains for the organisation!!!
- Nowadays, usually held digitally

Page 11: Information Security: Technology & Management

- Need to be right to protect digital data
  » technology is useless if people won’t stick to procedures
  » procedures are equally useless if the technology can’t detect intrusions or prevent them
- Principles should be applied to a “leisure” computer at home connected to the Internet…
  » e.g. family members could get hold of each other’s information
- But all much, much more important when a whole organisation’s data is being managed…

Page 12: Management of Information Security

- Senior management...
  » used to the spoken or written word
  » often misconceptions about digital data…
    » e.g. what is data, what is information and the relationship between the two
  » security of data may therefore not be given sufficient prominence... (!)
- Result: digital data is usually not properly managed…

Page 13: Reasons to look after Data: 1. The Law

- All UK organisations that hold data on people must register with the Information Commissioner's Office
  » criminal offence not to do so...
- Personal data must be kept in accordance with eight principles of the Data Protection Act
  » not to do so can result in hefty fines
  » or even imprisonment

Page 14: Reasons to look after Data: 1. The Law - continued

- Financial data also covered under the law, through the Financial Services Authority (FSA)…
  » much more severe penalties than personal data watchdog (ICO)…
    » e.g. Nationwide fined in 2007: approx £1 million
    » e.g. HSBC fined in 2009: £ several MILLION
    » e.g. Zurich Insurance fined recently: £ >1 million

Page 15: 2. Losses do not look good for the business…

- If a business loses its data
  » it won’t be able to trade efficiently, or even at all!
  » data availability -> 0
  » estimation: 10 days maximum to recover, or out of business!
- If business gets data stolen, it may ALSO lose trade secrets, customer image, and market share

Page 16: 2. Losses & not-for-profit organisations

- Personal data often not regarded as so important, other than in legal terms
  » hence the catastrophic sequence of errors that led to 25 million records being lost by HMRC
- HOWEVER… customers do expect their personal data to be safeguarded
- Increasing concern about privacy in recent years
  » source of great embarrassment if data lost

Page 17: The Threats to organisations…

Divided neatly into:
- “internal”
  » well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands….
  » “rogue” employees deliberately interfering with data
- “external”
  » people logging in from outside, usually via the Internet
  » inside people accessing data from outside, and either accidentally or on purpose, misusing it

Page 18: An Information Security Policy

- As information is so important to organisations, security of information should be central to the organisation’s strategic plan…
  » and therefore part of its organisation policy…
  » problem is that they are reluctant to do so…

Page 19: An Information Security Policy

- ONCE the organisation has finally accepted this, they can devise an Information Security policy based on organisational strategy
- Information Security can then be implemented tactically and operationally through the organisational structure
- But HOW can information security come to be seen as so crucially important by senior management???
- Fortunately, it is now rapidly becoming a commercial imperative to do any on-line business with a credit card
  » thanks to recent (Oct 2009!) PCI DSS guidelines…
  » and being more rigorously enforced from Oct 2010

Page 20: Who are “stakeholders” in organisational Information Security?

- Who should be responsible for what?
  » (no responsibility… no accountability)
- Exercise again in groups…

Page 21: Stakeholders

- A number of people will have jobs that involve security of data in one way or another, e.g.:
  » Data Controller (Data Protection Act)
  » Head of Personnel
  » Department Heads
- Who should bear the responsibility/carry the can??
  » probably none of the above – each may only have a partial picture of the organisation’s data

Page 22: Typical organisational approaches

- Outsource
  » buy in the services of a third party from outside the organisation to “look after security”
- Seek an in-house solution… guru
  » appoint someone internally or from outside to look after security through an annual audit and allocating a resources budget
- Seek an in-house solution… committee
  » get together a group of key stakeholders to agree a set of procedures that designated employees should go through at regular intervals as a matter of organisational policy

Page 23: How would you set up an Information Security policy?

- BREAK!!!
- And discussion again in groups
  » why outsource?
  » how could it be done internally?
    » Who would be the “stakeholders”?

Page 24: Relative Merits of Paying a Third Party to do it for you…

- Advantages:
  » pass responsibility on to someone else
  » pay someone a flat annual fee; easily budgeted
- Disadvantages:
  » Data Controller still has DP Act responsibility…
  » may also pass control to someone else…
  » the third party may be looking after many other customers as well…
    » will they take the trouble to find out and understand how your particular organisation works?
    » would your organisation want them to know…?

Page 25: Appointing a “security tzar” with Information Security budget

- Will this work, as a single solution?
- Is Information Security just an IT problem?
- Groups… discuss…

Page 26: “Middle Manager” Solution

- Will this work, as a single solution?
- Again… groups

Page 27: Answers (to each)

1. Of course not!!!
  » organisation still has responsibility!!
2. Of course not!!!
  » this is a people problem…
  » data integrity errors
  » leaving data on physical devices that can be taken by a third party

Page 28: If this WAS just an IT problem, would either approach be appropriate?

- True that any computer network can be made completely secure at a particular point in time:
  » BUT may cost a lot of money and resources…
  » THEN the following day, a new security threat may be launched onto the Internet from any one of 250 million possible sources…
- A good outsourcer should be on top of this…
- But merely employing a “security supremo” to buy, install, configure security devices won’t solve the problem
  » securing data must be ONGOING…
  » supremo must put procedures into place…

Page 29: Security as a “Process”

- One thing that is sure in computing & computer networks is that technology doesn’t stand still!!!
  » new area of human endeavour
  » constantly, relentlessly, moving on…
- Therefore, security cannot ever be “done” because something new may be planned today, and rolled out tomorrow…
- That “something new” could make the most secure network suddenly very vulnerable!

Page 30: Managing Information Security as a Process

- MUST acknowledge that security, like (e.g.) accounting, is indeed a process
  » And make someone responsible for that process
- THEN, as a first step…
  » identify all systems that carry information
  » test those systems for potential security breaches
  » secure as appropriate
- Next step: once secure, develop a strategy to MANAGE the process over time...

Page 31: Information Security Management

- A set of procedures
  » administered at organisational level
  » acknowledge the iterative nature of information security & agree on rate of iteration
- Appoint someone with institutional responsibility
  » realistic budget that takes into account the resource and human cost…
  » may use a third-party outsourcer to provide advice, expertise, implement procedures, but at least they are in control of the policy-making
- Even better…. develop an Information Security Management System

Page 32: Information as an Asset

- Traditional organisational asset registers include hardware, that can be given a specific value
- Information not given any monetary value…
  » Now recognised as a mistake
  » researchers have established methods to allocate value to information assets
- Other institutional costs invoked if information is lost…

Page 33: The Costs of securing data

- Hardware/software cost
  » fixed and easily determined
- Human resource cost
  » also depends on the human resource cost the organisation needs to put into enforcing data security procedures
  » more difficult to quantify

Page 34: Costs of Securing Data

- Isolated LAN, with no internet connectivity
  » no need to worry about data in and data out via the Internet
  » less stringent procedures may be needed/enforced
- LAN connected to the Internet:
  » organisations with “secret” data may wish to have more rigorous procedures, and implement them more frequently – more expensive
  » those with no real secrets (political or commercial) may wish to use a more infrequent cycle and less exhaustive procedures – less cost

Page 35: The Costs of Data Loss

- People not able to work…
- Organisation not able to communicate effectively with customers…
- Embarrassment of reporting in the media
- Fines, etc., by FSA or ICO
- Fall in stock market price
- Increase in insurance premiums

Page 36: Information Security Procedures

- Now it’s your turn… In small groups:
  » discuss possible procedures the organisation could set up…
  » and how expensive such procedures might be to implement…

Page 37: The ISMS - Making an Information System secure

- As ever, the success of rules and procedures depends on the people and how they are managed…
- In practice, a set of standards has been developed based on the concept of an ISMS (Information Security Management System)

Page 38: An ISMS that is “fit for purpose”

- Each organisation is different!
  » ISO27001 standard for an ISMS has identified 133 possible controls
  » How many of these are actually needed depends on the organisational processes
- ISMS needs knowledge of all aspects of how data is managed
  » requires an understanding of processes
  » and identification of where that data may need to have security controls
- Organisations need to undergo process analysis and risk assessment to determine where controls are needed
  » no point spending money on controls where they are not needed…

Page 39: An Alternative Approach to Security Controls: PCI DSS

- System devised by Credit Card Companies (i.e. banks…)
- Guidelines for a number of years…
- Now (from 1st October 2010) a sting in the tail
  » fines
  » can refuse a business merchant facilities…
- Will affect small businesses WORLDWIDE selling online directly to consumers

Page 40: What is needed for PCI DSS compliance? (1)

- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs

Page 41: What is needed for PCI DSS compliance? (2)

- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors

PCI DSS issues

Is it realistic?
Is it essential?
How can it be policed?

Discussion in groups…

How??? Technologies for Implementing Security Controls

The rest of this session will concentrate on security of data “on the move”:
  through cabling systems
  in radio waves
  via human transportation systems, stored on digital media
    » hard disks & CDs
    » digital backup tapes
    » USB sticks…

Assumed Technical Knowledge (covered in level 1 & 2 modules)

Client-server networking and basics of network user administration
  security established through access levels determined at login
The seven OSI layers
The TCP/IP protocol stack
Web servers and browsers
How firewalls fit in with the above…

Security of Data “on the move” through Internal networks

Most organisational computers regularly interchange data

Data could in theory be copied (although not destroyed) by being intercepted as it passes between computers: through use of e/m waves (easy), in copper cables (difficult) and in optical fibre cables (very difficult)

Depending on the nature of the data being compromised, this could be a real and present danger to the organisation…

Security and copper cables

UTP (Unshielded Twisted Pair) is cheap, but not secure:
  electricity passing through a cable creates a magnetic field
  that magnetic field can then be intercepted and used to recreate the original signal…

Shielding stops the magnetic field spreading out
  STP (Shielded Twisted Pair) cabling available but more expensive…

Which to use? Good example of cost v risk balance

Security and Fibre Optic Cables

Much better than even shielded copper from a security point of view
  digital data transmitted as a high intensity light beam
  no associated magnetic field, so data can’t so easily be “tapped”

Also can carry much more data than UTP or STP

Disadvantage:
  cost… of cables … of installation

Choice of cable: cost v risk balancing act

Security and Radio Waves

Easy to install
No cabling needed (except signal boosters)
BUT… no data security at all!
Data transmitted in all directions
  can be received by anyone within range and with the right equipment
  especially easy to pick up if transmitted as “fixed spectrum”

“Spread spectrum” radio waves can only be picked up by equipment that can follow the changes in frequency
  But such equipment is MUCH more expensive…

Security and Network Hardware

Very small organisations may use peer-to-peer networking and simple cabling

However…
  most organisational networks need to use intelligent hubs, bridges, and switches to connect computers and cabling systems together
  data will be stored for a short time on these devices before forwarding

Potentially a target for hackers!!!

Navigating data round the Internet

900 million Internet servers!

Standard Internet Protocols and Security

When the Internet was developed, the only users were military personnel, research centre administrators, etc. who had been security vetted
  so protocols were not designed with security in mind
  just for getting data safely and reliably from one place to another

As the OSI model became fashionable, the protocols became a complete stack:
  based on TCP and IP
  user system security already built in at the session layer
  no inherent security for data on the move

Copying data on an (Inter)networked device

Most networks nowadays use TCP/IP for Internet connectivity

Any intelligent device with an IP address and connected to the Internet could theoretically be seen across the network/Internet
  otherwise, packets couldn’t be navigated to it!

Data on such a device could be:
  located using its IP address
  copied to another destination using a remote computer and an appropriate network protocol (e.g. NFS – network file system, part of the TCP/IP suite)

It really is as simple as that!!!

Copying, Changing, or Deleting Data on a networked computer

Data could be tapped in exactly the same way on any Internet computer
  it must have an IP address to participate on the Internet
  packets going to that computer have a destination IP address in the header, and headers can easily be read
  NFS can be used to manage data remotely on that computer – which could include copying or (perhaps worse) deleting that data, or even BOTH

The Network: Strategies for preventing unauthorised access to data

Only allow authorised (and TRUSTED) users to gain access to the network and ensure they are always properly authenticated

Only allow network administrators to have full access

Monitor the network continually to provide alerts that unauthorised access is being sought

Encrypt data that will be sent through UTP cables and/or held on computers that are connected to the Internet

When using the www, use secure versions of network protocols and/or tunnelling protocols to encapsulate and hide data

The Virtual Private Network

When sending data through the Internet, only use a restricted and very secure set of routers

No IP address broadcasting, because all packets use the same route

IP tunnelling protocol encapsulates data
  normal Internet users will therefore not be able to see the sending, receiving, or intermediate IP addresses

The data sent is encrypted

Potential hackers therefore don’t get a look in!
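Two earlier slides say that an IP header "can easily be read", and this one says that tunnelling plus encryption hides the inner addresses and the data. The block below is an added example illustrating both points; it is not code from the lecture and not a real VPN implementation. It builds and parses minimal IPv4 headers with the standard library, then wraps an inner packet in an outer header addressed only to two gateway addresses, with the whole inner packet encrypted and authenticated. The tunnel payload layout (nonce, ciphertext, tag) and the HMAC-SHA256 counter-mode keystream are stand-ins for IPsec ESP and AES chosen so the example runs offline; the keys, addresses, payload and the fixed nonce are constructed for the demo.

```python
"""Added example (not from the lecture): read what an on-path observer sees
in an IPv4 header, then hide it by tunnelling and encrypting the packet.
Tunnel format and cipher are illustrative stand-ins, not IPsec ESP/AES."""
import hashlib
import hmac
import os
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options
PROTO_UDP = 17
PROTO_ESP = 50      # IANA number for ESP; the payload layout below is a simplification
NONCE_LEN = 8
TAG_LEN = 32


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int, ident: int = 1) -> bytes:
    """Minimal IPv4 packet: version 4, IHL 5, TTL 64, no fragmentation."""
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), ident, 0, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """The fields any observer on the path can read; checksum is verified."""
    if len(pkt) < IPV4_HDR.size:
        raise ValueError("truncated packet")
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(pkt)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "id": ident, "payload": pkt[ihl:total_len]}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encapsulate(inner_pkt: bytes, enc_key: bytes, mac_key: bytes,
                outer_src: str, outer_dst: str, nonce=None) -> bytes:
    """Encrypt-then-MAC the entire inner packet (header included) and wrap it in
    an outer header that names only the two tunnel endpoints."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(inner_pkt, _keystream(enc_key, nonce, len(inner_pkt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return build_ipv4(outer_src, outer_dst, nonce + ct + tag, PROTO_ESP)


def decapsulate(outer_pkt: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Reverse of encapsulate; any modification in transit fails the tag check."""
    outer = parse_ipv4(outer_pkt)
    body = outer["payload"]
    if outer["proto"] != PROTO_ESP or len(body) < NONCE_LEN + TAG_LEN:
        raise ValueError("not a tunnel packet")
    nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: packet modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample: a host on one office LAN sends a UDP payload to a host on
# another; the two gateways tunnel it across public addresses. The fixed nonce
# keeps the demo reproducible; a real tunnel never reuses a nonce under one key.
ENC_KEY = hashlib.sha256(b"constructed-demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"constructed-demo-mac-key").digest()
INNER = build_ipv4("10.0.0.5", "10.1.0.9", b"payroll export", PROTO_UDP)
OUTER = encapsulate(INNER, ENC_KEY, MAC_KEY, "198.51.100.1", "203.0.113.7",
                    nonce=b"\x00" * NONCE_LEN)


def demo() -> dict:
    """What an observer reads from the plain packet versus the tunnelled one,
    and what the far gateway recovers."""
    return {"plain": parse_ipv4(INNER), "tunnelled": parse_ipv4(OUTER),
            "recovered": parse_ipv4(decapsulate(OUTER, ENC_KEY, MAC_KEY))}


if __name__ == "__main__":
    for label, view in demo().items():
        print(label, view["src"], "->", view["dst"], "proto", view["proto"])
```

Run on the sample, the plain packet exposes 10.0.0.5 -> 10.1.0.9 and the words "payroll export"; the tunnelled packet exposes only 198.51.100.1 -> 203.0.113.7 and protocol 50, and neither the inner addresses nor the payload appear anywhere in its bytes. The tag check is what makes the "changing" case on the earlier slide fail: flipping a single ciphertext byte is rejected before anything is decrypted.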

Future sessions will explore…

a) theoretical aspects related to the technical implementation of information security

b) setting up policies, procedures, controls and systems to manage information security

See you next week?