Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey."— Presentation transcript:

1 Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey reported security breaches in the last 12 months. Information Week estimates the annual cost of security losses worldwide at $1.6 trillion. It means more than preventing a hacker from breaking into your computer, it also includes being able to recover from temporary service problems, or from natural disasters (Figure 1).

2 Figure 1 Threats to Network Security

3 Types of Security Threats
Disruptions are the loss or reduction in network service. Some disruptions may also be caused by or result in the destruction of data. Natural (or manmade) disasters may occur that destroy host computers or large sections of the network. Unauthorized access is often viewed as hackers gaining access to organizational data files and resources. However, most unauthorized access incidents involve employees.

4 Security Problems Are Growing
The Computer Emergency Response Team (CERT) at Carnegie Mellon University was established with USDoD support in 1988 after a computer virus shut down 10% of the computers on the Internet (Figure 2). In 1989, CERT responded to 137 incidents. In 2000, CERT responded to 21,756 incidents. By this count, security incidents are growing at a rate of 100% per year. Breaking into a computer in the U.S. is now a federal crime.

5 Figure 2 Number of Incidents Reported to CERT
Source: CERT Statistics,

6 Network Controls Developing a secure network means developing mechanisms that reduce or eliminate the threats to network security, called controls. There are three types of controls: Preventative controls - mitigate or stop a person from acting or an event from occurring (e.g. passwords). Detective controls - reveal or discover unwanted events (e.g., auditing software). Corrective controls - rectify an unwanted event or a trespass (e.g., reinitiating a network circuit).

7 Network Controls It is not enough to just establish a series of controls; personnel need to be designated as responsible for network control and security. This includes developing controls, ensuring that they are operating effectively, and updating or replacing controls. Controls must also be periodically reviewed to: ensure that the control is still present (verification) determine if the control is working as specified (testing)

8 Risk Assessment Risk assessment is the process of making a network more secure, by comparing each security threat with the control designed to reduce it. One way to do this is by developing a control spreadsheet (Figure 3). Network assets are listed down the side. Threats are listed across the top of the spreadsheet. The cells of the spreadsheet list the controls that are currently in use to address each threat.

9 Figure 3 Sample control spreadsheet with some assets and threats
Assets (with Priority) Disruption, Destruction, Disaster Fire Flood Power Circuit Virus Loss Failure Unauthorized Access External Internal Eavesdrop Intruder Intruder (92) Mail Server (90) Web Server (90) DNS Server (50) Computers on 6th floor (50) 6th floor LAN circuits (80) Building A Backbone (70) Router in Building A (30) Network Software (100) Client Database (100) Financial Database (70) Network Technical staff Threats Figure 3 Sample control spreadsheet with some assets and threats

10 Network Assets (Figure 4)
Network assets are the network components including hardware, software and data files. The value of an asset is not simply its replacement cost, it also includes personnel time to replace the asset along with lost revenue due to the absence of the asset. For example, lost sales because a web server is down. Mission critical applications are also important assets. These are programs on an information system critical to business operations.

11 Figure 4 Types of Assets Hardware Circuits Network Software
Hardware ·    Servers, such as mail servers, web servers, DNS servers, DHCP servers, and LAN file servers ·    Client computers ·    Devices such as hubs, switches, and routers Circuits ·      Locally operated circuits such as LANs and backbones ·        Contracted circuits such as MAN and WAN circuits ·        Internet access circuits Network Software ·        Server operating systems and system settings ·        Applications software such as mail server and web server software Client Software ·        Operating systems and system settings ·        Application software such as word processors Organizational Data ·        Databases with organizational records Mission critical applications ·    For example, for an Internet bank, the Web site is mission critical  Figure 4 Types of Assets

12 Security Threats A network security threat is any potentially adverse occurrence that can harm or interrupt the systems using the network, or cause a monetary loss to an organization. Once the threats are identified they are then ranked according to their occurrence. Figure 5 summarizes the most common threats to security. For example, the average cost to clean up a virus that slips through a security system and infects an average number of computers is £70,000/virus.

13 Figure 5 Common Security Threats

14 Identifying and Documenting Controls
Once the specific network threats and controls have been identified, you can begin working on the network controls. Each network component should be considered along with the specific threats to it. Controls to address those threats are then listed in terms of how each control will prevent, detect and/or correct that threat.

15 Disruption, Destruction, Disaster
Assets (w/ priority) Disruption, Destruction, Disaster Fire Flood Power Circuit Virus Loss Failure Unauthorized Access External Internal Eavesdrop Intruder Intruder (92) Mail Server 1,2 1, , , 8 9, 10, , 10 (90) Web Server (90) DNS Server (50) Computers on 6th floor 1,2 1, , 8 10, (50) 6th floor LAN circuits 1,2 1,3 (80) Building A Backbone 1,2 1, (70) Router in Building A (30) Network Software 7, 8 (100) Client Database (100) Financial Database (70) Network Technical staff Threats Figure 6 Sample control spreadsheet listing assets, threats, and controls

16 Figure 6 (cont.) Sample control spreadsheet list of controls
1. Disaster Recovery Plan 2. Halon fire system in server room. Sprinklers in rest of building 3. Not on or below ground level 4. Uninterruptible Power Supply (UPS) on all major network servers 5. Contract guarantees from inter-exchange carriers 6. Extra backbone fiber cable laid in different conduits 7. Virus checking software present on the network 8. Extensive user training on viruses and reminders in monthly newsletter 9. Strong password software 10. Extensive user training on password security and reminders in monthly newsletter 11. Application Layer firewall

17 Evaluate the Network’s Security
The last step in designing a control spreadsheet is evaluating the adequacy of the controls and the degree of risk associated with each threat. Based on this, priorities can be decided on for dealing with threats to network security. The assessment can be done by the network manager, but it is better done by a team of experts chosen for their in-depth knowledge about the network and environment being reviewed.

18 Controlling Disruption, Destruction and Disaster

19 Preventing Disruption, Destruction and Disaster
Preventing disruptions, destructions and disasters mean addressing a variety of threats including: Creating network redundancy “Preventing” natural disasters Preventing theft Preventing computer virus attacks Preventing denial-of-service attacks

20 Network Redundancy The key to in preventing or reducing disruption, destruction and disaster - is redundancy. Examples of components that provide redundancy include: Uninterruptible power supplies (UPS) Fault-tolerant servers Disk mirroring Disk duplexing Redundancy can be built into other network components as well.

21 Preventing Natural Disasters
Disasters are different from disruptions since the entire site can be destroyed. The best solution is to have a completely redundant network that duplicates every network component, but in a different location. Generally speaking, preventing disasters is difficult. The most fundamental principle is to decentralize the network resources. Other steps depend on the type of disaster to be prevented.

22 Preventing Theft Equipment theft can also be a problem if precautions against it are not taken. Industry sources indicate that about $1 billion is lost each year to theft of computers and related equipment. For this reason, security plans should include an evaluation of ways to prevent equipment theft.

Download ppt "Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey."

Similar presentations

Information Technology Disaster Recovery Awareness Program.

Information Technology Disaster Recovery Awareness Program.
Business Continuity Section 3(chapter 8) BC:ISMDR:BEIT:VIII:chap8:Madhu N PIIT1.

Business Continuity Section 3(chapter 8) BC:ISMDR:BEIT:VIII:chap8:Madhu N PIIT1.
CSI 2005 Computer Crime Survey Put together by J. Scott, 2006 Using Graphics and Text from the Published CSI/FBI 2005 Crime Survey.

CSI 2005 Computer Crime Survey Put together by J. Scott, 2006 Using Graphics and Text from the Published CSI/FBI 2005 Crime Survey.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
DISASTER CENTER Study Case DEMIRBANK ROMANIA “Piata Financiara” ConferenceJanuary 29, 2002 C 2002.

DISASTER CENTER Study Case DEMIRBANK ROMANIA “Piata Financiara” ConferenceJanuary 29, 2002 C 2002.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
© 2009 EMC Corporation. All rights reserved. Introduction to Business Continuity Module 3.1.

© 2009 EMC Corporation. All rights reserved. Introduction to Business Continuity Module 3.1.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls.

4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
12-1 Business Data Communications and Networking, 6 th ed. FitzGerald and Dennis.

12-1 Business Data Communications and Networking, 6 th ed. FitzGerald and Dennis.
Thursday 2/24/2011 Agenda: 1) Student security topics 2)Computer / Network security & fraud 3) Quiz 3 4) Last short paper: Cloud Computing 5) Final similar.

Thursday 2/24/2011 Agenda: 1) Student security topics 2)Computer / Network security & fraud 3) Quiz 3 4) Last short paper: Cloud Computing 5) Final similar.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
Lecture 10 Security and Control.

Lecture 10 Security and Control.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Processing Integrity and Availability Controls

Processing Integrity and Availability Controls
Computer Security: Principles and Practice

Computer Security: Principles and Practice

Similar presentations

Ads by Google