Security fundamentals Topic 1 Addressing security threats and vulnerabilities

Agenda Goals of security Risk assessment Common threats Types of attacks Common defences Security guidelines

Goals of security Confidentiality – Ensures that information is accessed only by those who are authorized to do so Integrity – Ensures that the information is modified or deleted only by those who are authorized to do so Availability – Ensures that information and equipment can be used only by those who are authorized to do so C-I-A triad – Trade-offs

Basic steps of risk assessment 1.Identifying assets, such as computers or data 2.Assigning a value to the assets 3.Assigning a likelihood that an event will occur that could cause loss or damage 4.Assigning values to that risk based on both the possible damage and the likelihood that an event will occur

Identifying assets Take an inventory of tangible and intangible assets. Tangible Assets – Physical items that the business owns, IT equipment, network, servers, desktops, applications, databases, procedures Intangible Assets – Goodwill, intellectual property, patents, copyrights, and trademarks, logos, reputation

Method Assign a value to the assets: 1.For tangible assets get the initial cost and adjust for depreciation 2.Make an estimate based on market value 3.Estimate of the value of revenue that could be generated from the asset 4.Compare to a similar asset’s value Assign a likelihood that an event will occur that could cause loss or damage: – Use a scale such as high, moderate, low Assign values to a risk based on both the possible damage and the likelihood that an event will occur: – Prioritise your risks

Key security terms 1.Risk 2.Threat 3.Vulnerability 4.Risk acceptance 5.Risk transfer 6.Risk avoidance 7.Risk mitigation

Risk management Identify the risks – List assets – Assign value to assets – Likelihood of damage – Assign priority Identify threats Identify vulnerabilities – Where are the weaknesses? Minimise risk – Minimise weakness by taking preventative steps Review

Identifying threats Disasters Natural disasters – eg flood, earthquake, fire Man made disasters – eg arson, loss of power Mishap – eg accidental deletion of data, misconfiguration Threats from attack – An attempt to bypass security controls – To defend from these threats you must understand the technology How severe will the impact be? What is the likelihood of the event happening?

Threats from attack Specific to business – DoS attack on the company Web Server Threats that are not directed – DDoS Widely known threats – worms, viruses External threats – originates from outside the company (not the network) Internal threats – originates from within the company (eg technically savvy users)

Intrusion points Physical access points – Access to the media (cable, devices, storage) – Security guards and locks and cameras Access points via the network – Wireless – Dial-in via phone lines – Hacking through security controls – Internet Data disposal – Printed material – Laptops and hard drives

Attack sources It is your responsibility to both defend against possible attacks and detect successful attacks. White hats: ethical security experts looking for vulnerabilities Black hats: hackers/crackers – Expert: finding areas of weakness – Intermediate: programmers creating exploits from the vulnerabilities – Novice: script kiddies – What motivates them?

Identifying attacks Scanning – Ping and port scans – is there an IP and an open port? Fingerprinting – What OS, applications and services are running, what versions and protocols? Denial of Service (DoS) – Shutting down or overloading a service so it becomes unavailable Spoofing – Disguising the source (IP, or others)

Identifying attacks Source routing – Route is specified in packet header and bypasses controls Man-in-middle – Messages are intercepted and reviewed or altered before being sent on to destination Back door – Unknown and undocumented way to access a program or system Left in by developers Installed by hackers

Identifying attacks Password guessing – Default passwords – Blank passwords – Easy to guess passwords – Short passwords – Common words – Automated scripts to find password hashes – Dictionary attack – Brute force attack

Identifying attacks Replay attack – Intercepting and recording a connection setup and replaying at a later time to gain authorised access Encryption breaking – Breaking the encryption algorithm or guessing the key used by the algorithm Hijacking – Taking over an existing connection- sending packets as if from source Malicious code – Viruses, worms and trojans

Identifying attacks Software exploitation – Buffer overflow attack – Cross site scripting – inserting malicious HTTP code on a webpage Social engineering – Manipulating people by exploiting their ignorance, fears or willingness to help – Impersonation, piggybacking entry into restricted areas – This is the most difficult to prevent

Defending against threats Defence in depth Must include multiple elements Layered defence Hacker must overcome multiple defence checks Each defence check is monitored and alarmed

Defending against threats Secure the network infrastructure – Network Access Control – Secure Communications Protocols – System hardening – systems, applications and resources (files and databases) Authenticating users – Passwords – Biometrics – Certificates – Tokens – Smart Cards Auditing – Monitoring operations – intrusion detection, logs

Basic security guidelines Physical security – Locks, facility access controls, surveillance – Circumvention threats, using bootable media to access hard drives, key loggers Trust – Trusting administrators – Trusting certificates – Servers trusting servers Privilege levels – Principle of least privilege – Standard, admin and root accounts

Maintaining documentation Document all procedures related to systems security: – Planning – Policies – Configurations – Monitoring and reporting – Archiving

Lesson summary Addressing security threats and vulnerabilities – Goals of security – Risks, threats and vulnerabilities – Risk assessment – Common threats – Types of attacks – Common defences – Basic security guidelines