Network Security
Trivia 1
• How many percent of the restaurants
opened today will be in business next
year?
a. 90 percent
b. 50 percent
c. 20 percent
d. 10 percent
Trivia 2
• How many percent of the restaurants
opened today will be hacked next year?
a. 90 percent
b. 50 percent
c. 20 percent
d. 10 percent
Introduction
• Technology became inseparable from
hospitality operations.
• Technology becomes a part of the DNA of
the company
• Information security is getting more
important.
And we are all subject to compliance requirements.
Assurance is key.
Introduction
• Every day thousands of major security
breaches occur in the public and private
sector, resulting in serious financial and
property losses (Flink, 2002).
• 75% of email is spam (EWeek, 2004)
• In 2004, every single computer was
attacked by a virus at least one time.
Computer viruses are most
commonly spread by…
a) Reading jokes on
the Internet
b) Opening e-mail
attachments
c) Downloading
pictures from the
web
d) Poorly chosen
computer
passwords
• To a limited extent, malicious
code can be picked up
from downloading files
from the Internet.
• Most viruses are spread
through attachments being
sent in e-mail.
• According to a recent
study by SANS, nearly
40% of all e-mail
attachments are infected
by a virus.
Does your organization use
perimeter protection?
• We do not have a firewall.
• We have a firewall, and
block only what we are
scared of.
• We have a firewall with a
default deny all policy,
and allow traffic through
by exception.
• We practice defense in
depth, we have a
corporate firewall and
host based firewalls
wherever possible.
• If you don’t have a firewall,
you are just asking for
trouble. You even need
firewalls at each of your
restaurants that connect to
the Internet.
• And even if you do have a
firewall, you have to set your
policy by default to reject all
traffic, and from there, only
allow traffic through that you
want.
• And oh yeah, you better
have firewalls on your POS
systems as well.
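An added example (not from the slides) contrasting the two postures above: the same constructed set of outbound flows from a restaurant POS segment is evaluated against a "block only what we are scared of" policy and a "default deny, allow by exception" policy. The rules, ports and flow labels are illustrative assumptions.

```python
# Added example: two firewall postures from the slide, as a small policy evaluator.
# Rules and flows are constructed assumptions, not taken from any hotel's config.

# "We have a firewall, and block only what we are scared of": default allow.
BLOCK_LIST_POLICY = {
    "name": "block-list",
    "default": "allow",
    "rules": [("deny", "tcp", 135), ("deny", "tcp", 445), ("deny", "tcp", 23)],
}

# "Default deny all policy, allow traffic through by exception".
DEFAULT_DENY_POLICY = {
    "name": "default-deny",
    "default": "deny",
    "rules": [("allow", "tcp", 443), ("allow", "udp", 53), ("allow", "tcp", 80)],
}

# Constructed outbound flows seen from a restaurant POS segment: (proto, dst_port, label).
SAMPLE_FLOWS = [
    ("tcp", 443, "payment gateway"),
    ("udp", 53, "DNS"),
    ("tcp", 445, "SMB to an Internet host"),
    ("tcp", 6667, "IRC, typical of a bot checking in"),
    ("tcp", 31337, "unknown high port"),
]


def evaluate(policy, proto, dst_port):
    """First matching rule wins; returns (action, rule), rule is None if the default applied."""
    for rule in policy["rules"]:
        action, r_proto, r_port = rule
        if r_proto == proto and r_port == dst_port:
            return action, rule
    return policy["default"], None


def decisions(policies, flows):
    """{flow label: {policy name: action}} so the two postures can be compared side by side."""
    return {label: {p["name"]: evaluate(p, proto, port)[0] for p in policies}
            for proto, port, label in flows}


def implicit_allows(policy, flows):
    """Flows that pass only because no rule matched and the default is allow."""
    return [label for proto, port, label in flows
            if evaluate(policy, proto, port) == ("allow", None)]


if __name__ == "__main__":
    for label, verdicts in decisions([BLOCK_LIST_POLICY, DEFAULT_DENY_POLICY], SAMPLE_FLOWS).items():
        print(f"{label:36} {verdicts}")
    print("passed by default only:", implicit_allows(BLOCK_LIST_POLICY, SAMPLE_FLOWS))
```

With the block-list policy every flow nobody thought to list (the IRC check-in, the unknown high port) passes; the default-deny policy passes only the three services explicitly allowed, and the audit list of implicit allows is empty.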
True or false?
• Working away from
the office gives you
more freedom from
the company’s
security policies.
• False.
• The company’s
security standards
and policies are even
more important when
you are working away
from the office.
Does your organization use
intrusion detection systems?
• We do not have IDSs.
• We have IDSs, but do
not review system
logs.
• We have IDSs, and
review all system
logs.
• We have IDSs
throughout our
network and perform
event correlation.
• If you do not have intrusion
detection systems (IDSes)
throughout your
organization—extending to
your restaurants and any
other location that feeds info
directly to your
headquarters—you could be
attacked without knowing it.
• And to make sense of it all,
you need to perform event
correlation to determine if
you are being hit by a
blended attack.
True or false?
• Off-site tapes and
anti-virus updates
automatically protect
you from virus
infections.
• False
• 90% of all
organizations that do
not have a very tight
security policy only
update their virus
definitions after they
have found new
viruses.
• Any virus that existed
during the backup
process is now
successfully backed
Do you have a written set of
security policies that have been
tested in the last year?
• No, we do not have
written security
policies.
• We have some
policies, but only for
critical elements or
they are out of date.
• We have a robust set
of policies and
employees are
required to review
them.
• If you answered no,
you are in a world of
hurt.
• If you haven’t tested
your security blanket
from the outside of
your organization and
from the inside of
your organization, you
are in a world of hurt.
Threats aren’t limited to viruses, worms, or
denial of service attacks anymore
• Nimda had four propagation methods attached
to it.
– It embedded itself into .html files on the hotel’s
“secure” sign-in page, compromising the users’
computers that signed in without “live” virus
protection.
– It then harvested e-mail addresses from the mail box,
sending out its own e-mails through its own SMTP
sender application.
– If the user had a “shared folder” on the computer, it
proceeded to try and infect those files.
– It then used the host computer to look for any
computers running personal web servers, trying to
use the Unicode Web Traversal exploit to gain control
of the target.
If you had brought the virus
back with you
• Your own computer would have
– Begun attacking other systems from within
your network, bypassing your firewall
– Continued to send out infected e-mails using
your own mailbox addresses for a
combination of sender and receiver
– Probably confounded your net admins if they
didn’t have an internal intrusion detection
system
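An added example (not from the slides) of the event correlation the IDS slide calls for and of what an internal IDS would have seen in the scenario above: alerts from a site firewall, a web server and a mail relay at HQ and at restaurant sites are grouped per source host, and a host whose alerts span several categories inside one window is flagged as a possible blended attack. The sensor names, addresses, alert lines and category rules are constructed assumptions.

```python
# Added example (not from the slides): cross-sensor event correlation for an
# internal IDS. Sensor names, addresses and alert lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed alerts from three hypothetical sensors (site firewall "fw", web
# server "web", mail relay "mail"): "<time> <site> <sensor> <src-ip> <message>"
SAMPLE_ALERTS = """\
2004-11-03T09:00:12 restaurant-12 fw 10.12.0.77 portscan tcp/80 20 hosts in 10s
2004-11-03T09:00:40 hq web 10.12.0.77 GET /scripts/..%c0%af../cmd.exe 404
2004-11-03T09:01:05 hq mail 10.12.0.77 smtp burst 120 msgs/min from client
2004-11-03T09:03:30 hq web 10.40.1.9 GET /index.html 200
2004-11-03T09:30:00 restaurant-03 fw 10.3.0.15 portscan tcp/445 5 hosts in 60s
"""
ALERT_RE = re.compile(r"^(\S+) (\S+) (fw|web|mail) (\d+\.\d+\.\d+\.\d+) (.*)$")
# Coarse categories: one alone is noise; several from one host in a short window is blended.
CATEGORY_RULES = [
    ("scan", re.compile(r"portscan")),
    ("web-traversal", re.compile(r"\.\.(%[0-9a-f]{2}|/|\\)", re.I)),
    ("smtp-burst", re.compile(r"smtp burst")),
]

def classify(message):
    """Map a sensor message to a category, or None if it is not of interest."""
    return next((name for name, pat in CATEGORY_RULES if pat.search(message)), None)

def parse_alerts(text):
    """Yield (time, site, sensor, src_ip, category) for lines that parse and classify."""
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        ts, site, sensor, src, msg = m.groups()
        cat = classify(msg)
        if cat:
            yield datetime.fromisoformat(ts), site, sensor, src, cat

def correlate(text, window=timedelta(minutes=5), min_categories=2):
    """Hosts whose alerts cover >= min_categories distinct categories inside one window."""
    by_src = defaultdict(list)
    for ev in parse_alerts(text):
        by_src[ev[3]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological, so each event can open a window
        for i, first in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - first[0] <= window]
            cats = {e[4] for e in in_win}
            if len(cats) >= min_categories:
                flagged[src] = {"categories": sorted(cats), "sites": sorted({e[1] for e in in_win})}
                break
    return flagged
```

On the sample, 10.12.0.77 is flagged because its scan at a restaurant site, its web traversal attempt at HQ and its mail burst fall within five minutes, while the lone scanner at restaurant-03 is not.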
What you can lose…
What can go awry (table from the slide): the rows Confidentiality, Integrity and Availability are set against the columns Documents, Apps, OSes, Storage, Hardware, Network, Power and Building. Integrity and Availability are checked for all eight columns; Confidentiality is checked for five of the eight.
A Hotel Computer System
Diagram of hotel systems, grouped as off-premise and in-house (back of house, BOH, and front of house, FOH), with the interfaces and direction of data flow between them: Travel Agents, Global Reservation System, Forecasting & Scheduling, Time & Attendance, Corporate Guest History, Corporate Reservation System, PMS, Corporate Accounting System, Purchasing & Inventory Systems, Electronic Lock & Security System, Call Accounting System (CAS), Mini Bar, Electronic Bar Dispenser Systems, Sales & Catering System, Yield Management, Food & Beverage Inventory System, Pay Per View / Check Out, Maid Dial-In, MIS, EIS, Restaurant Management System (POS), Remote Sales, Marketing, Credit Card Authorization & EFT, Long Distance, In-Room Energy Control, PBX (Switch), Maintenance, Energy, Fire & Life Safety, Voicemail / Message Handling, Wake-Up System.
Purpose of the Study
• to analyze security practices of
electronic information, network
threats and prevention techniques
in hotels.
Objective of the Study
• to help information technology
directors or chief information officers
with policy development for security
of electronic information in hotels
Problem Statement
• At every level of hotel management,
networks are involved (Cobanoglu &
Cougias, 2003).
• At the property level, there are local area
networks where reservation, front office,
restaurant management, payroll,
accounting, human resources, and other
systems reside.
• In addition, hotels may offer high speed
Internet access (wireless or wired) to their
guests in their hotel room or other areas in
the hotel.
Review of Literature
• The total volume of information is
increasing at the rate of some 12 percent
a year (Daler et al., 1989).
• The Internet now goes into over 120
nations around the world and has
approximately 605 million users (NUA
Internet, 2004)
Security procedures protect
hotel’s DNA
Diagram of the hotel’s processes, documents and datasets that security procedures protect: Refunds, Supply Chain, AR/AP, Reporting, Unstructured, PMS, Back Office, Billing, Sales, Ops, CRS, Inventory, CRM, POS, E-Mail, Documents.
Computer Crimes
• Hacking (also known as Cracking): Knowingly accessing a
computer without authorization or exceeding authorization of
a government computer or intentionally accessing a computer
without authorization or exceeding authorization to acquire
financial information of a bank, business or consumer.
• Theft of Technology: Knowingly accessing a computer with
the intent to access or acquire technological information or
secrets
• Fraud: Knowingly, and with intent to defraud, accessing a
federal interest computer without authorization or exceeding
authorization to further a fraud or obtain anything of value.
Source: (The Breaulier Law Office, 2003)
Phishing
• fishing for information
• phreaking
• false email in order to gain
username/password
Security Scenarios
• While doing a security audit, we took one
of the main servers out of the building with
a fake work-order.
• I had access to the network of Hospitality
School in Thailand without any problem
• Try driving with your wireless-enabled
laptop in the streets.
Hacking: An art or crime?
• Whois (server address)
• Keylogger (tracks keyboard strikes)
• Netcraft (make and model of the server)
• Packet Internet Groper (PING)
• Name scan (find out computers in your
network)
• Port scan (Advanced LAN Scanner)—finds
open doors
• Attack (CGI, Unshielded directories, Trojan
horses, etc.)
Hacking
• DNS Lookup
• Finger
• Name Lookup
• Port Scan
• Trace Route
• http://www.stayinvisible.com/index.pl/network_tools
Anonymous IP
• http://www.stayinvisible.com/index.pl/test_your_ip_nocache
Trace Email
• http://www.stayinvisible.com/index.pl/test_your_email?action=showheaders&key=349002755807
Netcraft
Methodology
• Population: Hotel managers who are in charge
of information security practices in the U.S.
• Sample: The target sample consisted of 1143
technology managers that were current
subscribers of Hospitality Technology
magazine as of November 2004.
Methodology
• The survey has been adapted and
expanded from 2004 CSI/FBI Computer
Crime and Security Survey (CSI, 2004).
• Self-administered online survey with four
sections
– Security technologies
– Network security threats
– Perception statements
– Demographics and property characteristics
Findings
• Out of 1143 sample members’ emails, 178
emails were returned as “undeliverable”,
reducing the effective sample size to 965.
• 234 filled out the questionnaire, thus
yielding 24.2% response rate.
• The majority of the respondents (74.3%)
were somebody who was directly
responsible for information technology in
their organizations.
Top 5 Network Security Tools and
Techniques Used by Hotels
• Anti-virus Software: 84.4%
• Physical Security: 82.7%
• Hardware Firewall: 79.7%
• Software Firewall: 77.6%
• Access Control: 75.3%
Top 5 Network Security Tools and
Techniques Not Used by Hotels
• Biometrics: 69.4%
• Digital IDs: 68.1%
• Image Servers: 63.0%
• Vulnerability Assessment Scan: 42.5%
• Intrusion Detection Systems: 35.5%
Network Attacks
• Twenty percent of the respondents had a
computer network attack within the last 12
months.
• The size of the hotel seems to be
positively correlated with the number of
attacks observed within the last 12 months
(r=.72; p=.001)
Network Attack Types
• Virus Attack (15.4%) was reported most
frequently, followed by
• Denial of Service (7.7%),
• Sabotage of data networks (7.7%),
• System penetration by an outsider (7.7%),
and spoofing (5.1%).
Who is responsible (%)?
• Independent Hackers: 53.8
• Disgruntled employees: 23
• Foreign Corporations: 15.3
• Other: 7.9
Other Findings
• The average financial loss created by these
attacks was $10,375 per year.
• About 20% of the respondents hired reformed
hackers or ethical hackers as consultants.
• Only 2.6% of the respondents reported computer
network attacks to law enforcement.
• The most widely used prevention tool (79.5%) was
patching holes as fixes were released by
manufacturers of hardware and software.
Other Findings
• Only 40% have enough resources for
security
• 56.4% have enough expertise
• 23.1% do not have a method of getting rid
of old user accounts
• 20% are members of an IT security
organization
• 38.5% never conduct an IT security audit
Conclusions
• This study is one of the first attempts to
analyze computer network attacks and
prevention techniques in the hotel
industry.
• The results showed that computer
network attacks create serious threats
to hotels.
• Although hotel companies use some
prevention techniques, we observed a
scattered mix of solutions.
Conclusions
• Some hoteliers prefer to outsource their network
and information security systems. This may have
two-fold impacts on hotels:
• 1) If the outsourcing company is a network and
information security expert, then, the hotel
network systems may be protected better;
• 2) The dependency on a different company in
such an important issue may create some
problems such as data privacy and ownership
Recommendations
• A significant number of hotels do not use, and
do not plan to use in the future, some important
network and information security tools and
techniques.
• Some of these tools are so vital to network
security that not using them is an open
invitation to internal and external hackers.
• Hotel managers would do well to review
this list, compare it with the tools they
use, and implement and use multiple tools.
Recommendations- 4 step guide
1. Prevention through firewalls, anti-virus
measures, ongoing anti-hacking analysis
2. Implement an intrusion detection system
3. Design a quick reaction team when you
get hit with a virus or hack attack. Be
ready to quarantine
4. Design an after-attack routine
Scan your network
• Use several methods
– From outside
– From inside
• Some tools:
– Symantec’s NetRecon
– Open-source Nessus (attacker and tester)
– Security Analyzer from NetIQ
– Shields Up! for Internet ports
– MacAnalysis (performs 1300 attacks)
Protection: Set up an Intrusion
Detection System
• You want to know who is hitting and how
they are hitting you.
• You do not want to back up a system that
has been hacked.
• Some tools
– Snort (open-source)
– NetIQ’s Security Manager
• Know what is where (LANSurveyor)
Enter the Rule of Three
1st Rule of Three
• Only blended protection can stop blended
threats
– Firewalls
– Intrusion Detection Systems
– Anti-Virus measures
• You have to use all three security methods
together to ensure that you are really
protected
Best practices in securing your
data
Diagram of three tiers, Corporate, Store and Notebook, each with its own defense layer: Corporate Defense, Store Defense and Notebook defense.
The only truly secure system is
one that is
• powered off,
• cast in a block of concrete
• and sealed in a lead-lined room with
armed guards
• and even then I have my doubts.
Diagram: Time to restore & length of data life
• Protection tiers: High Availability, Point in Time recovery, Point in Time versioning, Archived retrieval.
• Sites: Business Groups, Business Functions
• Systems: Servers, Desktops, Notebooks
• Volumes: Server, OS/Apps, Data Storage
• Data sets: File system, Applications, Database(s) (WORM formats)
• Data: Files, Tables, Records
The second rule of three
Data Protection
The third rule of three
Reporting
Who can help?
• Vendors
– VERITAS is working
on it. Look for
information in the
news from them in
November.
– Symantec has recently
purchased
PowerQuest and is
building a unified
security-backup
offering
– NetIQ is directly
• Education
– The University of Delaware
is creating an HRIM
security specific e-learning
course.