IT for Decision Makers Networking and Security By Sam Fonua for UNESCO 2002
Presentation Overview
- Background on Security
- Why Security
- Threats and attacks
- The motives, techniques and methods
- Vulnerability
- Security Policies
Internet “Information Super Highway”
- A network of networks
- One of the most valuable resources of the Information Age
- Provides access to user networks
- Runs without a single entity in charge
What is a LAN (Local Area Network)?
- A data communication network
- Often confined to a single room, building or adjacent buildings
- On a larger scale: WAN (Wide Area Network)
Today’s Network Environment Interconnectivity
Computer Security: 3 Facts
- Computers are critical to fulfilling your organization’s mission
- There are defined threats to your computer system
- Computer systems are vulnerable
What are these threats…as perceived by many?
- Unauthorized users
  - those that have access to information that they are not supposed to gain access to.
  “In 1999, some students at the University of the South Pacific managed to get access to the system and retrieve a list of all students' email passwords. This allowed them to send abusive messages to others using other students' email accounts”
What are these threats…as perceived by many?
- Careless employees
  - those that can change, modify or damage data intentionally or unintentionally.
  A government Information Technology officer in the Tuvalu Government accidentally deleted the contents of one of the Government computers' hard disks early this year, which contained hundreds of official documents … no backups!!! Backing up important data is not considered important in most developing countries, including Pacific Island countries.
Perceived threats …?
- Malicious Attackers
  - hackers: those that use hacking tools to gain access to networks, usually to exploit vulnerabilities.
  - It is known that most Internet Service Providers (ISPs) in developing countries are still very much insecure. It took a while for the Tonga ISP (Kalianet) to realize that there was a hole in their security system, allowing hackers to crack their password system and gain access to the Internet free of charge. Entry into the server would give access to most of the nation's emails.
Perceived threats…?
- Virus Attackers
  - Virus attacks come in many forms and have become the most common and frustrating threat to many organizations and countries, large or small.
  - These are small programs designed and developed to cause problems in computer and network systems.
  - Nasty viruses have cost firms millions of dollars in damages or in protection measures.
  Note: Further readings on viruses on handouts
Redefining Security
- What do we protect
  - Information
- Later, security includes
  - Privacy
  - Confidentiality, and
  - Integrity
An Example... “Chinese Foreign Ministry spokesman Zhu Bangzao rejected allegations that China stole U.S. nuclear secrets, saying such claims are meant to undermine China-U.S. relations. Meanwhile, a CIA-led task force was assessing how much damage may have been done to U.S. national security after a Chinese scientist at the Los Alamos National Laboratory in New Mexico allegedly shared nuclear secrets.”
Problem: Information Overload
- Personal Computer
- Electronic Mail
- Local Area Networks
- Video Teleconferencing
- Electronic Funds Transfer
- E-Commerce
- Cellular Phones
- Satellite Systems
- Distributed Database
1. National Level - Information Infrastructure
- Education
- Energy distribution and supply
- Entertainment
- Financial
- Health care
- Information Distribution
- National Security, emergency preparedness & public safety
- Transportation
Security Requirements
- Are driven by threat & vulnerability...
Security terms
- Confidentiality - Privacy
  - Most Governments in the Pacific are still using national / commercial ISP email servers for their own email.
  - Did you know the ISP can read your email?
  - How do Governments protect individuals' privacy from ISPs?
  - Does your Government have adequate policies to protect confidential electronic data / communications?
Security terms
- Data Integrity - absolute verification that data has not been altered.
  “The tribunal in Fiji could not prove the integrity of an email message claimed to have originated from a government employee which stated that one of Fiji’s former Finance Ministers (Mr. Ah Koy) was one of the people behind the Fiji coup in 2000.”
Security terms
- Availability - Assurance of service on demand
  “A large computer software company (ASI) was caught by surprise in Australia, when they could not access most of their services in the network due to an outbreak of the Nimda virus - September 2001”
Security terms
- Authentication - verification of originator
- Authorization - only authorized users have access to sensitive data
What is at Risk
- Banking/Financial
- Power and Utility Distribution
- Telephone System/Public Switched Network
- Stock Exchange/Security Trading
- Reserves and Social Security
- Governments and Important companies
- Research and Development
- Air Traffic Control system
- Schools and higher institutions
Organizational Impact
- Compromise and Loss of Data
- Loss of Confidence in System
- Loss of Money
- Loss of Time
- Repair or Replacement of Equipment
Consequences
- Spectrum includes most functions that constitute the underlying fabric of the nation
- Degradation of any of these functions constitutes a threat to national security, economic well-being or public safety
- Technology to inflict massive disruptions exists and is growing in availability and sophistication
Threats to Computer Systems
- Threats by People
  - Unintentional Employee's Action => 10 - 60%
  - Intentional Employee Action => 15 - 20%
  - Outside Actions => 1 - 3%
- Physical and Environment Threats
  - Fire damage => 10 - 15%
  - Water Damage => 1 - 5%
  - Natural Disaster => 1%
- Other => 5 - 10%
Security Threats
[Diagram: threats divide into Human and Natural Disasters. Human labels: Malicious, Non malicious, Outsiders, Crackers/Hackers, Insiders, Disgruntled, Ignorant. Natural Disasters labels: Flood, Fire, Earthquakes, Hurricanes.]
Motives and Methods
Some common sabotage
- Changing data
- Deleting data
- Destroying data
- Crashing systems
- Destroying hardware or facilities
- Entering data incorrectly
Malicious attack
- Deleting or altering information - revenge or prove a point
- Theft and Fraud
- Disrupt normal business
Malicious Attacker
“Last year a disgruntled former employee of ITC (Fiji Information Technology Centre) walked in early one morning to the Suva office, into the main server room, logged in to the server and changed all administrative passwords on the servers, and then caught a flight to Australia. ITC staff, to their surprise, could not log on to any of the systems….”
Computer Crime is on the Rise
What is required for an attack
Attacks = motive + method + vulnerability
How to gain access...
Hack Attack
- Real hacker attacks on the increase
  - Thousands of intrusions reported last year
  - Attacks averaging one or more a day
  - Intruders now focus on the entire network rather than individual computers or even systems
  - Most penetrations are not detected
Virus Definitions
- Trapdoor - A trap door is a hidden software or hardware mechanism included by the author of a piece of software that permits system protection to be bypassed, allowing unhindered access to the attacker.
- Logic bomb - a program that causes damage when a certain event(s) takes place.
- Trojan Horse - a computer program that looks like a normal program hidden inside another program. Once the valid program runs, the hidden code starts and may damage or delete files - remember “Melissa”
Virus Definitions
- Virus - A program which infects other programs by modifying them to include a copy of itself.
- Bacterium - A bacterium, sometimes called a “chain letter”, is a program which propagates itself by electronic mail to everyone in the victim's mailing list. Very common today.
- Worm - These are programs that run independently and travel from computer to computer across network connections
The worst Viruses
- Melissa
- Code Red and many more
These viruses have cost companies millions of dollars
“The Fiji government's main computer systems were affected by the Melissa virus in 2000, disrupting services for almost 2 days.”
Sources of Malicious code infections
- Shareware - free software
- Commercial Software Packages
- Networks - email etc.
- Sabotage by Employees, Terrorists, Crackers, or Spies
- Pirated Software
- Public Domain Software
How vulnerable are we?
“Growing dependence on networks for essential daily activities HEIGHTENS Risk”
Network Vulnerabilities
- Access by unauthorized users
- Lack of physical control
- General lack of monitoring/auditing features
- Identification of dial-in users
- Failure to back up critical data
- Sensitive to outside interference
- Virus infection
National Infrastructure is at risk
- Increased connectivity results in greater vulnerability
- Dependence on unprotected information infrastructure creates serious operational readiness risks
- Defense Infrastructure and National Information Infrastructure offer minimal defense against unauthorized access and use
How do we protect ourselves?
Protective Measures
- Prevention
  - Prevent information from being damaged, altered or stolen
- Detection
  - Take measures to detect damaged, altered or stolen data: how and who?
- Reaction
  - Take measures that will allow recovery if data is damaged or lost
Security Standards & definitions
INFOSEC - Information Systems Security
The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of services to unauthorized users, including those measures necessary to detect, document, and counter such threats
Security Standards & definitions
COMSEC - Communications Security
Measures and controls taken to deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications. This includes cryptosecurity, transmission, emissions, and physical security of the COMSEC material
Security Standards & definitions
COMPUSEC - Computer Security
Measures and controls that ensure confidentiality, integrity and availability of information processed and stored in the computer
INFOSEC Concerns
- Compromise
  - The disclosure of information to person(s) not authorized to receive such data
- Integrity
  - The assurance that computer resources operate correctly and that the data is correct
- Denial of Service (DoS)
  - Any action that prevents any part of a system from functioning in accordance with its intended purpose, causing unauthorized destruction, modification, or delay of service.
Risk Management
- INFOSEC is based on Risk
“You cannot protect Everything from everybody all the time”
RISK = Threat * Vulnerability - Security
Key Question... “How Much is Enough?” The Balancing Act
Level of Security
Levels of security are related to sensitivity of information
- Information available to general Public (Internet)
- Information available to system users
- Information available to Departments
- Information available to Other Organization Administrators
- Information and System privileges available to system Managers
Risk Management
- A systematic method to analyze security risks and bring in cost-effective safeguards to reduce risk
- In simpler terms
  - Decide what you need to protect
  - Decide what to protect it from
  - Decide how to protect it
Preventing Virus Infection
- Never boot up a system from an unprotected diskette
- Never use untested software
- Minimize file and software sharing
- Prohibit use of unapproved software from any source
- Educate users on downloading suspicious internet files or emails
- Use a known anti-virus program and update it regularly
Faulty software used by the New York Bank in 1985 for paying bills was not accepting incoming electronic $, resulting in a $3.1 million loss in one day.
It costs companies millions of dollars if data is lost, tampered with, stolen or damaged.
Firewalls
Prevent unauthorized ACCESS to PROTECTED systems by placing a barrier between the Internet and the organization.
Configuration management & control
- Data Life Cycle
  - Retention Policy
  - Destruction Policy
- System Life Cycle
  - Application Change procedures
  - Backup Policy
  - Upgrades
- Hardware
  - Standard Operating Procedures
  - Upgrades
Elements of a protective Plan
- System Description
- Three Dimensional Model
  - Critical Information Characteristic
    - confidentiality, availability & integrity
  - Information states
    - transmission, storage & processing
  - Security Measures
    - policy, awareness, training & education
Information System Security COUNTERMEASURES
- The triad
  - Awareness, Training & Education
  - Policy & Practices
  - Technology
Policy and Security
- How an organization's policy affects security
  - Lack of policy leads to
    - improper care and use of resources/information
    - inefficient duplication of data & application costs money
  - Policy Intent
    - Defines access to information
    - Outlines destination controls - who should/shouldn’t be allowed to read or write
National Network Security
- Are national ISPs liable for breach of privacy?
- Is the illegal entry into a private computer network a crime in your country?
Policy and Security (Cont.)
- Policy Derivation
  - Laws, Regulations, Organization Policy
  - Often a reaction to defined threats and vulnerabilities
  - Defines procedures for introducing new applications - e.g. Virus scan policy
Guide Policies
- Can use pre-written “off the shelf” policies as guides, e.g.
  - http://www.securitypolicy.co.uk/secpolicy/
  - http://csrc.nist.gov/isptg/html/
  - http://www.network-and-it-security-policies.com/
  - www.gipipolicy.org
Discussion Topics
Topic 1: Future Security - The 21st security
Topic 2: Smart Card - Can you feel a lot secure
Topic 3: Cyber attack - Is this a threat to Pacific Islands