FCNS Training

Security Overview

Elements of Security
Security
A state of well-being of information and infrastructure in which the possibility of successful yet undetected theft, tampering and disruption of information and services is kept low and tolerable

Any hacking event affects one or more of the essential security elements

The Security, Functionality and Ease of Use Triangle

Understanding Attack types


Understanding the different types of attacks and methods that hackers are using to compromise systems is essential to understanding how to secure your environment

There are two major types of attacks:
Social Engineering Attacks
Network Attacks

There is No Patch to Human Stupidity

Social Engineering Attacks


Social Engineering is the human side of breaking into a network system. Through an email message or phone call, the attacker tricks an individual into divulging information that can be used to compromise security. The information that the victim divulges to the hacker is most likely used in a subsequent attack to gain unauthorized access to a system or network

Types of Social Engineering


Social Engineering can be divided into two categories:
Human-based:
Gathers sensitive information through direct interaction. Attacks in this category exploit the trust, fear and helpful nature of humans

Computer-based:
Social engineering carried out with the aid of computers

Human-Based Social Engineering


Posing as Legitimate End User
Gives an identity and asks for the sensitive information: "Hi! This is John, from Department X. I have forgotten my password. Can I get it?"

Posing as an Important User


Posing as a VIP of the target company, a valuable customer, etc.: "Hi! This is Kevin, CFO Secretary. I'm working on an urgent project and lost my system password. Can you help me out?"

Human-Based Social Engineering


Posing as Technical Support
Calls as a member of technical support staff and requests the ID and password to "retrieve data": "Sir, this is Mathew, Technical Support, X company. Last night we had a system crash here and we are checking for the lost data. Can you give me your ID and password?"

Computer-Based Social Engineering


Pop-up Windows
Windows that suddenly pop up while the user is surfing the internet and ask for the user's information to log in or sign in

Hoax and chain letters

Hoax letters are emails that issue warnings to the user about new viruses, Trojans and worms that may harm the user's system. Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a given number of persons

Computer-Based Social Engineering


Instant Chat Messenger
Gathering of personal information by chatting with a selected online user in an attempt to obtain information such as birth dates and maiden names. The acquired data is later used for cracking the user's accounts

Spam email
Email sent to many recipients without prior permission, intended for commercial purposes. Irrelevant, unwanted and unsolicited email used to collect financial information, social security numbers and network information

Computer-Based Social Engineering


Phishing
An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information. It lures online users with statements such as:
Verify your account
Update your information
Your account will be closed or suspended

Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers

Network-Based Attacks
Most types of attacks are considered network-based attacks, where the hacker performs the attack from a remote system. There are a number of different types of network attacks:
Eavesdropping attack: this widely used type of attack typically involves the use of network monitoring tools to analyze and read communications on the network
Spoof attack: in this attack, the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall rules
Hijack attack: in this attack, a hacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may send private information to the hacker unintentionally

Network-Based Attacks
Buffer overflow: this attack occurs when the attacker sends more data to an application than is expected. A buffer overflow attack usually results in the attacker gaining administrative access to the system in a command prompt or shell
Exploit attack: in this type of attack, the attacker knows of a security problem within the operating system or a piece of software and leverages that knowledge by exploiting the vulnerability
Denial of service: this is a type of attack that causes the system or its services to crash. As a result, the system cannot perform its purpose and provide those services
Password attack: an attacker tries to crack passwords stored in a network account database or a password-protected file

Network-Based Attacks
Distributed denial of service (DDoS): the hacker uses multiple systems to attack a single target system. A good example is the SMURF attack, in which the hacker pings a number of computers but modifies the source address of those packets so that they appear to come from another system (the victim in this case). When all the systems receive the ping request, they all reply to the same address, essentially overburdening that system with data.

http://arstechnica.com/security/2007/05/massive-ddosattacks-target-estonia-russia-accused/
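Detection logic for the reflected-flood pattern described above, as an added example that is not part of the training material: because the attacker spoofs the victim's address on the echo requests, the victim is the host that receives ICMP echo replies from many machines it never pinged. The flow records below are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records, one packet per line: "src dst proto icmp_type".
# ICMP type 8 is an echo request, type 0 an echo reply; "-" means not ICMP.
# These lines are made up for the example and are not from the training material.
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.7 icmp 8
198.51.100.7 192.0.2.10 icmp 0
192.0.2.20 198.51.100.9 icmp 8
198.51.100.9 192.0.2.20 icmp 0
203.0.113.1 192.0.2.10 icmp 0
203.0.113.2 192.0.2.10 icmp 0
203.0.113.3 192.0.2.10 icmp 0
203.0.113.4 192.0.2.10 icmp 0
192.0.2.20 198.51.100.9 tcp -
"""

def parse_flows(text):
    """Turn the text records into (src, dst, proto, icmp_type) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, itype = line.split()
        records.append((src, dst, proto, None if itype == "-" else int(itype)))
    return records

def unsolicited_reply_victims(records, min_reflectors=3):
    """Map each suspected victim to the hosts sending it echo replies it never asked for.
    In a SMURF flood the victim's address is spoofed on the requests, so the victim
    sees a burst of replies from machines it did not ping.  Replies that answer a
    request the host really sent are excluded."""
    pinged = defaultdict(set)    # src -> hosts it sent echo requests to
    replied = defaultdict(set)   # dst -> hosts that sent it echo replies
    for src, dst, proto, itype in records:
        if proto != "icmp":
            continue
        if itype == 8:
            pinged[src].add(dst)
        elif itype == 0:
            replied[dst].add(src)
    suspects = {}
    for victim, reflectors in replied.items():
        unsolicited = reflectors - pinged[victim]
        if len(unsolicited) >= min_reflectors:
            suspects[victim] = unsolicited
    return suspects
```

On real traffic the same logic is applied per time window and with a threshold tuned to the network's normal ping volume; the set of unsolicited reflectors identifies the amplifying hosts as well as the victim.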

Understanding Physical Security

Physical Security

What is the Need for Physical Security

Physical Security Checklist : Company Surroundings

Gates

Security Guards

Physical Security Checklist : Premises

Physical Security Checklist : Reception

Physical Security Checklist : Server

Physical Security Checklist : Workstation Area

Physical Security Checklist : Wireless Access Points

Physical Security Checklist : Other Equipment

Physical Security Checklist : Access Control

Physical Security Checklist : Biometric Devices

Smart cards

Security Token

Wiretapping

Remote Access

Defense in Depth
Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited, and it can cover personnel, procedural, technical and physical aspects for the duration of the system's life cycle

The idea behind the defense-in-depth approach is to defend a system against any particular attack using several varying methods

Information Security Attribute


Think C-I-A: Confidentiality, Integrity and Availability
Confidentiality
Customers will expect that the privacy of their credit card numbers, their addresses and phone numbers and other information shared during the transaction be ensured

Integrity
They will expect quoted prices and product availability to be accurate, the quantities they order at the prices to which they agreed to not be changed and anything downloaded to be authentic and complete

Availability
Customers will expect to be able to place orders when convenient for them, and the employer will want the revenue stream to continue without disruption

IDENTITY, AUTHENTICATION & AUTHORIZATION
Don't authentication and identity mean the same thing? If we have authentication and identity, do we need authorization?

IDENTITY, AUTHENTICATION & AUTHORIZATION


Identity: who someone is or what something is. This identity may be that of a human being, a program, a computer or data
Identification
is the process of establishing who someone or what something claims to be

Authentication
is the process of confirming the correctness of the claimed identity

Authorization
means the approval, permission or empowerment for someone or something to do something

A motorist identifies himself to a police officer and presents a driver's license for confirmation. The officer compares the photograph, description and signature with those of the motorist to authenticate the identity

Authentication
Based on
Something you know
Something you know should be
something only you know and can keep to yourself. This might be the PIN to your bank account or a password

Something you have

Something you have, might be a photo ID or a security token

Something you are

Something you are is biometric-based

Authentication
The method used to authenticate a user depends on the network environment and can take forms such as the following:
Username and password: when users start the computer or connect to the network, they type a username and password associated with their particular network user account
Smartcard: using a smartcard for logon is very similar to accessing your bank account at a teller machine. To log on to the network you insert a device similar to a debit card, known as a smartcard, into a smartcard reader and then supply a PIN. To be authenticated, you must have the smartcard and know its password
Biometrics: the user provides a retina scan or fingerprint as a credential. It is becoming a very popular solution in highly secure environments, where special biometric devices are used
When users provide credentials such as a username and a password, the username and password are passed to the server using an authentication method

AUTHORIZATION
Once you have been authenticated to the network, you will then be authorized to access the network resources
Permission is your level of access to a resource such as a file, folder or object. The permission is a characteristic of the resource and not a characteristic of the user account. For example: if you would like to give Bob read permission to a file, you would go to the properties of that file and set the permissions. Notice that you don't go to the user account to assign the permissions. A right is your level of privilege within the operating system to perform a task. For example: when companies deploy Windows XP Professional to all client systems on the network, users are surprised that they can't change the time on the computer if they want to. This is because they don't have the Change System Time right
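The identification, authentication and authorization chain from the slides above, and the distinction between a permission (stored on the resource) and a right (stored on the account), as an added example in Python that is not part of the training material. The accounts, the file `report.txt`, its ACL and the right named "Change System Time" are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    salt: bytes
    verifier: bytes                           # derived from the password; the password itself is not stored
    rights: set = field(default_factory=set)  # rights such as "Change System Time" live on the account
@dataclass
class Resource:
    name: str
    acl: dict = field(default_factory=dict)   # permissions live on the resource: {username: {actions}}
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authenticate(accounts, claimed_username, password):
    """Identification is the claim; authentication checks it against the stored verifier."""
    acct = accounts.get(claimed_username)
    if acct is None:
        return None
    return acct if hmac.compare_digest(hash_password(password, acct.salt), acct.verifier) else None
def has_permission(resource, acct, action):
    """Authorization on a resource: looked up in the file's ACL, not on the account."""
    return acct is not None and action in resource.acl.get(acct.username, set())

def has_right(acct, right):
    """Authorization for an OS task: looked up on the account, not on any resource."""
    return acct is not None and right in acct.rights

def build_demo():
    """Constructed directory (not from the training material): two accounts and one file."""
    accounts = {}
    for name, pw, rights in (("bob", "correct horse battery", set()),
                             ("alice", "staple", {"Change System Time"})):
        salt = os.urandom(16)
        accounts[name] = Account(name, salt, hash_password(pw, salt), rights)
    report = Resource("report.txt", acl={"bob": {"read"}, "alice": {"read", "write"}})
    return accounts, report

def try_access(accounts, resource, username, password, action):
    acct = authenticate(accounts, username, password)   # identify + authenticate
    if acct is None:
        return "authentication failed"
    if not has_permission(resource, acct, action):       # authorize against the resource's ACL
        return "authenticated but not authorized"
    return "granted"
```

Bob authenticates successfully yet is still refused write access, which is the point of the slide: a valid identity and a correct password settle who you are, not what you may do.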

Data Classification
We classify data with differing levels of sensitivity:
Top Secret - the highest level of protection is given to this data; it is critical to protect
Secret - this data is important and its release could harm national security
Confidential - this data is important and it could be detrimental to national security if released

Sensitive But Unclassified (SBU) - this generally is information that is sensitive and should not be released
Unclassified - they prefer to keep it from being released, but the nation would not be harmed if it were

Essential Security Terminology


Threat
an action or event that might compromise security. A threat is a potential violation of security

Vulnerability
Existence of a weakness, design flaw or implementation error that can lead to an unexpected and undesirable event compromising the security of the system

Relating Risk, Threat, Vulnerability and Impact

Risk = Threat x Vulnerability

Risk = Threat x Vulnerability x Impact

Security Policies

Key elements of Security Policies

The Purpose and Goals of Security Policies

Role of Security Policy

Classification of Security Policy

Types of Security Policies
