NSW Department of Education
Develop security framework, 2004

Overview

In this topic we will look at how to develop a security framework in an information technology environment. In this topic you will learn how to:
- determine the level of required security
- identify and document security threats
- prepare protection plans and determine impact appraisals/costs
- review firewall features
- identify security perimeters within a client server system
- evaluate an intrusion detection system (IDS)
- investigate a framework for a secure electronic communication infrastructure (SECI)
- investigate the use of a virtual private network (VPN)
- determine hardware and software needs according to the security plan
- prepare a cost benefit analysis for the proposed security shield and finalise the framework
- develop related policies and procedures.

This topic contains:
- reading notes
- activities
- references
- a topic quiz.

As you work through the reading notes you will be directed to activities that will help you practise what you are learning. The topic also includes references to aid further learning and a topic quiz to check your understanding.

Reading notes

Determine security level

According to the 2006 Australian Computer Crime and Security Survey, published by AusCERT at http://www.auscert.org.au/, about twenty-five percent of respondents had experienced some type of security breach.

Network security focuses on three key principles: confidentiality, integrity and availability (C-I-A):
- confidentiality – prevent unauthorised disclosure of sensitive information
- integrity – prevent information from being modified by unauthorised users, and prevent information from being unintentionally modified by authorised users
- availability – provide timely and uninterrupted access to the system; 'five nines' is typically used to measure availability: 99.999% uptime allows for about five minutes of downtime per year.
The following terms are also important to network security:
- identification – such as using a login id or smart card
- authentication – such as using a password
- authorisation – the system resources that an authenticated user is allowed to access
- accountability – ensuring that each user is responsible for their authorised interactions with the system
- access control – limiting information to authorised persons or systems in the network.

Organisations will require varying levels of these principles. For instance, an online auction site might consider availability to be most important, whereas an online bank might choose integrity instead.

The following graph shows why security is important to businesses:

Figure 1: Security drivers (bar chart of reasons given): 71% damage to a company's image after a security breach; 70% legal liabilities resulting from a security breach; 60% lost revenues from security breaches; 57% need for customer/supplier confidence in e-business; 45% fear of theft; 37% fear of fraud; 21% loss of employee morale; 21% wireless connectivity; 8% other.

While security risks cannot be completely eliminated, effective risk management through proactive preparedness can minimise the impact of a security breach. It is up to each organisation to implement a security plan that supports its business needs. Before a security plan is deployed, the following information must be identified:
- current business requirements
- future business requirements
- the business strategic plan
- client expectations.

In this part of the reading we saw the importance of security within an organisation. TCP/IP remains the most popular protocol suite on the Internet and is used by most organisations. Later you will learn about the inherent weaknesses of TCP/IP and how attackers use these known vulnerabilities. We will also look at methods for protecting your organisation's systems.
Identify security threats

Security threats

To develop an effective security plan you need to understand the various types of security threats. A security plan is a vital part of improving the organisation's security defence: it records vulnerabilities and identifies threats.

The four classes of security threats are:
- unstructured threats – typically from inexperienced individuals using hacking tools that are freely available on the Internet
- structured threats – typically from highly competent individuals or groups who can develop and use sophisticated hacking tools to penetrate systems, usually for fraud or theft
- external threats – individuals external to the organisation using the Internet or dial-up to access system resources
- internal threats – individuals internal to the organisation causing damage.

Security attack methods

The three methods of security attack are:
- reconnaissance
- access
- denial of service.

Reconnaissance

Reconnaissance is where a potential attacker checks out a system for vulnerable points of entry. If successful, denial of service or data manipulation can follow. Reconnaissance is also known as information gathering. The intruder may ping sweep the target network for live IP addresses. Next, a port scanner determines which TCP and UDP ports are open. The open ports, and the banners the services return on them, help in identifying the application type, its version and the operating system. The attacker can then search for known application or operating system problems and launch an attack.

How is reconnaissance done? A ping sweep identifies the IP addresses that return ICMP echo replies. Port scanners and other enumeration tools (Nmap, nslookup, ping, netcat, telnet, finger, rpcinfo, Fine Explorer, srvinfo, dumpacl, SATAN (Security Administrator Tool for Analysing Networks), Nessus, custom scripts, etc.) are then used to record a response from the target. Further information can be gathered from whois, DNS and web pages.
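The port scan and banner grab described above, as an added example (not part of the original topic notes): a TCP connect scan of a list of ports followed by a read of whatever the service announces on connection. So that it runs offline, the example starts its own throwaway listener on 127.0.0.1 that greets like an SMTP server; the greeting text and host name are constructed. Scan only hosts you are authorised to test.

```python
"""TCP connect scan plus banner grab (added example, constructed target)."""
import socket
import threading
from typing import Dict, List, Optional


def scan_ports(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, Optional[str]]:
    """Return {port: banner_or_None} for every port that accepts a TCP connection.

    A connect scan completes the three-way handshake, so it needs no raw
    sockets, but every probe is visible in the target's logs: this is the
    activity a host-based IDS is looking for.
    """
    open_ports: Dict[int, Optional[str]] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue  # closed or filtered: a connect scan cannot tell which
            # Banner grab: SMTP, FTP and SSH daemons announce themselves on
            # connect, and the version string is what the attacker is after.
            banner: Optional[str] = None
            try:
                data = s.recv(256)
                banner = data.decode("ascii", errors="replace").strip() or None
            except socket.timeout:
                pass
            open_ports[port] = banner
    return open_ports


def start_fake_smtp(host: str = "127.0.0.1") -> int:
    """Start a constructed listener that greets like Sendmail; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"220 mail.example.test ESMTP Sendmail 8.13.1 ready\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> Dict[int, Optional[str]]:
    """Scan the fake server's port and its two neighbours; return the findings."""
    port = start_fake_smtp()
    return scan_ports("127.0.0.1", [port - 1, port, port + 1])


if __name__ == "__main__":
    for p, banner in demo().items():
        print(f"{p}/tcp open  {banner or '(no banner)'}")
```

The version string in the banner is the payoff of reconnaissance: it lets the attacker look up known vulnerabilities for exactly that release. Removing version information from service banners does not fix those vulnerabilities, but it does make the attacker work harder to find them.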
Following reconnaissance, the attacker can have collected information on the following:
- TCP/IP address ranges
- host names
- DNS (domain name system) servers
- SMTP (simple mail transfer protocol) servers
- HTTP (hypertext transfer protocol) servers
- HTTPS/SSL (HTTP secure over secure sockets layer) servers
- the possible presence of firewalls.

Eavesdropping is an example of reconnaissance. It is also called network snooping or packet sniffing. For example, SNMP version 1 sends its community strings, which act as passwords, in clear text, so eavesdropping on SNMP traffic can produce information on network devices and how they are configured. Another example is to capture usernames and passwords as they traverse a network by using a protocol analyser tool. A protocol analyser intercepts data streams and decodes their contents. Password authentication protocol (PAP) is susceptible to this type of threat because it sends the password unencrypted.

You can minimise the risk of eavesdropping by:
- implementing a security policy that prevents the use of vulnerable protocols
- using data encryption that is sufficient to deter attacks without overburdening the system or authorised users; since UDP (user datagram protocol) and TCP (transmission control protocol) packets must be routed using their header information, transport-level encryption is performed only on the payload, where the actual data content resides
- detecting and removing sniffer programs on the internal network.

Activity 1
To practise eavesdropping, complete Activity 1 – Packet sniffing, located in the Activities section of the Topic menu.

Access

Access is where the intruder attempts to penetrate a system without authorisation. The following are considered to be access threats:

Password attack

Passwords are easily cracked by using software that can use a dictionary of commonly known words (not just those found in a dictionary – for example, words like SK8, ICQ and so on) or brute-force computation.
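As an added example of the dictionary and brute-force attacks just introduced (not part of the original topic notes): a small cracker that takes a word list, applies the mangling rules that produce passwords like the samples in the next paragraphs (capitalisation, appended digits, digits wrapped around the word), and hashes each candidate until it matches a leaked hash. The leaked hash file is constructed here from the notes' own sample passwords plus the acronym password the notes recommend; the account names and the word list are likewise constructed, and the hashes are unsalted SHA-256 purely to keep the example self-contained.

```python
"""Dictionary attack with mangling rules, and the cost of brute force (added example)."""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed word list: names, brands and slang, as the notes describe.
WORDLIST: List[str] = ["holden", "sydney", "john", "password", "sk8", "icq", "australia"]
SMALL_ALPHABET = string.ascii_lowercase + string.digits
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def sha256_hex(candidate: str) -> str:
    """Unsalted hash, as in the constructed leak below. A salt would not stop a
    dictionary attack, it would only force the attacker to repeat it per user."""
    return hashlib.sha256(candidate.encode()).hexdigest()


# Constructed leaked hash file: hash -> account. The plaintexts are the notes'
# sample passwords John123 and 4australia44, and the acronym password Iw2utp4amil.
LEAKED: Dict[str, str] = {
    sha256_hex("John123"): "jsmith",
    sha256_hex("4australia44"): "rcontra",
    sha256_hex("Iw2utp4amil"): "jcruz",
}


def mangle(word: str) -> Iterator[str]:
    """Yield the variations a cracker tries for one word: case changes,
    up to three appended digits (John123), digits around the word (4australia44)."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(1000):
            yield f"{base}{n}"
        for d in string.digits:
            for tail in ("", d, d * 2):
                yield f"{d}{base}{tail}"


def dictionary_attack(leaked: Dict[str, str], words: Iterable[str]) -> Dict[str, Optional[str]]:
    """Return {account: recovered_password_or_None}; stop early once all are cracked."""
    todo = dict(leaked)
    recovered: Dict[str, Optional[str]] = {acct: None for acct in leaked.values()}
    for word in words:
        for candidate in mangle(word):
            acct = todo.pop(sha256_hex(candidate), None)
            if acct is not None:
                recovered[acct] = candidate
            if not todo:
                return recovered
    return recovered


def brute_force(target_hash: str, alphabet: str = SMALL_ALPHABET, max_len: int = 3) -> Optional[str]:
    """Exhaustive search; feasible only for very short, small-alphabet passwords."""
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            candidate = "".join(tup)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def brute_force_space(length: int, alphabet: str = FULL_ALPHABET) -> int:
    """How many candidates an exhaustive search of this length must cover."""
    return len(alphabet) ** length


def run_attack() -> Dict[str, Optional[str]]:
    return dictionary_attack(LEAKED, WORDLIST)


if __name__ == "__main__":
    for acct, pw in run_attack().items():
        print(f"{acct}: {pw or 'not cracked by dictionary'}")
    print("13-char mixed-symbol space:", brute_force_space(13))
```

Both sample passwords fall to a seven-word list in well under a second, while the acronym password survives because no dictionary word is embedded in it; the only remaining route is the exhaustive search, whose size for a 13-character password drawn from the full printable set is printed by the last line.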
Dictionary cracking is a broad term for cracking passwords that contain words found in a dictionary; the word list may also include well-known names of countries, brands, people, music bands, slang and so on. The following sample passwords can give the intruder a starting point:
  o John123
  o 4australia44

Brute-force computation is where specialised programs produce countless variations of potential passwords to crack just one password.

You can create better passwords by:
- applying user creativity to form more secure passwords
- using acronyms for passwords; for example, start with a sentence like 'I want to use this password for all my Internet logons' and use the first letter of each word to create a password that you can remember through the sentence: 'Iw2utp4amil'.

Note that the password becomes even more difficult to crack when we combine capital letters and symbols, for example 'T@qEZa$5w0bd$'.

Man-in-the-middle attack

Man-in-the-middle attacks allow an attacker to read, insert and change the communication between two parties without their consent or knowledge. The security risks include theft of information, hijacking of a live session, corruption of transmitted data, introduction of new information, etc.

Figure 2: Man in the middle. An unsuspecting user on a home computer connects to a bank via the Internet. The communication path is not encrypted (represented by an open padlock). A thief intercepts the communication between the user and the bank and steals important information.

Trust exploitation

Various servers on a network provide multiple services such as DNS, SMTP, HTTP and FTP. For these services to run effectively there must be a form of trust between the computers involved. This allows a computer in one domain to use the services of a server in another domain. A trust relationship allows a user to log on in one domain and then use services in another domain without having to be authenticated again. This trust relationship is exploitable.
For example, a public web server operating outside a corporate firewall may have a trust relationship with a system inside the firewall. By compromising the outside server, the intruder can use the trust relationship to access the inside system.

Privilege escalation exploits authorised users who may have been given additional but unnecessary access rights by their network administrators. The intruder tries to assume the identity of such users to install network sniffers, delete log files, create backdoor accounts, etc.

Social engineering

Social engineering is where an intruder tricks a user into revealing sensitive information such as usernames, passwords, the location of files, server names, gateway IP addresses, etc. Social engineering is probably the easiest method for an attacker to use since it does not require a high level of technical knowledge. The Security Focus website at http://www.securityfocus.com/ has an interesting article which demonstrates an example of social engineering.

Session replay

Session replay is where an intruder captures a stream of data packets that contain sensitive information. Following manipulation, the intruder then resends (replays) the packets to gain access.

Auto rooters

Auto rooters are sophisticated programs used to automate the entire hacking process. Typically, a rootkit is installed on a compromised computer, which in turn begins the automated hacking process. A successful intruder can scan hundreds of thousands of systems within a short period. To learn more about rootkits, go to http://www.rootkit.com/.

Data manipulation

Data manipulation is where an intruder captures, manipulates and replays a data transmission. Two types are:
- graffiti – where website pages are altered
- data alteration – where files such as password files are altered.

Spoofing

Spoofing is where an intruder manipulates packets by forging their source address.
This injects a false source IP address so that the packet appears to the recipient to come from a valid address. This is called a one-way masquerade, since the intruder can inject information into the system but does not receive any replies: they go to the spoofed address. For a two-way masquerade the intruder must also alter routing so that replies to the spoofed IP address are directed back to the intruder. Tools that may be used for spoofing are 1664, Hunt and rbone.

Back doors

Back doors are undetected access points into a computer system. A common method of creating a back door is by using a back-door Trojan; an example is Backdoor.Dvldr. A back door allows a remote attacker to take control of the computer without the knowledge of the user. Back doors are used in denial of service and distributed denial of service (DoS and DDoS) attacks. You can read more about this at http://www.symantec.com/security_response/writeup.jsp?docid=2003031016-5849-99.

Denial of service

Denial of service (DoS) is probably the most feared of all attacks. It occurs where a system is prevented from providing critical services.
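Three of the attacks catalogued in the next section (land, SYN flood and Smurf) are recognisable from packet headers alone. As an added example (not part of the original topic notes), the detector below runs the corresponding checks over a constructed one-line-per-packet log: a land packet with source equal to destination, a legitimate three-way handshake, two echo requests to a directed-broadcast address with a spoofed source, and a burst of 120 half-open SYNs. The log format, the /24 broadcast assumption and the SYN threshold are all constructed for the example; a real detector would feed on a sniffer such as tcpdump.

```python
"""Header-based detection of land, Smurf and SYN-flood traffic (added example)."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed log: "time proto src:sport > dst:dport flags"
SAMPLE_LOG = """\
10.0 TCP 203.0.113.7:113 > 203.0.113.7:113 S
10.1 ICMP 192.0.2.9:0 > 198.51.100.255:0 echo-request
10.1 ICMP 192.0.2.9:0 > 198.51.100.255:0 echo-request
10.2 TCP 192.0.2.10:4021 > 203.0.113.7:80 S
10.2 TCP 203.0.113.7:80 > 192.0.2.10:4021 SA
10.2 TCP 192.0.2.10:4021 > 203.0.113.7:80 A
""" + "".join(f"11.0 TCP 198.51.100.{i % 250 + 1}:{1024 + i} > 203.0.113.7:80 S\n" for i in range(120))

SYN_THRESHOLD = 100  # SYN-only packets per destination per one-second bucket (constructed)


class Packet(NamedTuple):
    time: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse(line: str) -> Packet:
    t, proto, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Packet(float(t), proto, sip, int(sport), dip, int(dport), flags)


def is_directed_broadcast(ip: str) -> bool:
    """Assumes /24 subnets, so x.y.z.255 is the directed-broadcast address."""
    return ip.endswith(".255")


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Return {alert_type: [details, ...]} for the three attack signatures."""
    alerts: Dict[str, List[str]] = defaultdict(list)
    syn_buckets: Counter = Counter()  # (dst, whole second) -> count of SYN-only packets
    for raw in lines:
        if not raw.strip():
            continue
        p = parse(raw)
        # land: the packet claims to come from its own destination, same port too
        if p.proto == "TCP" and p.src == p.dst and p.sport == p.dport:
            alerts["land"].append(f"{p.src}:{p.sport} at {p.time}")
        # Smurf: echo request aimed at a broadcast address; the spoofed source is
        # the real victim, who will receive every host's reply
        if p.proto == "ICMP" and p.flags == "echo-request" and is_directed_broadcast(p.dst):
            alerts["smurf"].append(f"victim {p.src} via broadcast {p.dst}")
        # SYN flood: SYN without ACK, counted per destination per second. The
        # legitimate handshake above contributes one SYN and never trips the threshold.
        if p.proto == "TCP" and p.flags == "S":
            syn_buckets[(p.dst, int(p.time))] += 1
    for (dst, second), n in syn_buckets.items():
        if n > SYN_THRESHOLD:
            alerts["syn_flood"].append(f"{n} SYNs to {dst} in second {second}")
    return dict(alerts)


def run() -> Dict[str, List[str]]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, details in run().items():
        print(kind, details)
```

The land and Smurf checks are pure signatures and fire on a single packet; the SYN-flood check is a threshold and the value has to be tuned to the host's normal connection rate, which is why a network-based IDS needs a baseline before its flood alerts mean anything.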
There are many different types of DoS threats, including:
- CPU hogging – Trojan horses or viruses are typically used to keep the CPU busy, preventing it from performing critical operations
- email bombs – monopolise email services by sending out bulk emails to users, lists, domains, etc.
- land.c – confuses the target system by sending TCP SYN packets that use the target address as both source and destination; the same port, for example 113 or 139, is used as both source and destination port to freeze the target system
- malicious applets – destroy or tie up system resources using Java, JavaScript, ActiveX, etc., that act as Trojan horses or viruses
- out-of-band attacks – send out-of-band (urgent) data to port 139, especially to Win98 or WinNT systems; WinNuke has been the most common tool for this type of attack
- packet fragmentation and reassembly – buffer-overrun bugs in hosts and networking devices provide the basis of this type of attack
- ping of death – causes the receiving system to crash when it receives a fragmented ICMP echo request whose reassembled size exceeds the maximum IP packet size of 65,535 bytes, overflowing the reassembly buffer
- reconfiguring routers – web traffic may be disabled when routers are reconfigured by an intruder
- SYN flood attack – the target computer is kept busy trying to respond to numerous bogus connection requests; by opening many half-open TCP connections, the target is made to wait for final handshake responses that never come
- targa.c – launches several attacks simultaneously, including land, nestea, bonk, syndrop, jolt, netear and WinNuke
- teardrop.c – target systems crash when trying to reassemble specially crafted, overlapping IP fragments.

Distributed denial of service (DDoS)

Instead of targeting individual computers, whole networks can be overwhelmed in a DDoS attack. Three well-known DDoS attacks are Smurf, Tribe flood network (TFN) and Stacheldraht.
- Smurf – a single attacker sends numerous ICMP (Internet control message protocol) echo requests, with the victim's address spoofed as the source, to broadcast addresses. Each receiving host replies to the victim, and the flood of replies overloads the victim's network. One way to deter this type of attack is to turn off directed broadcasts on routers.
- Tribe flood network – the intruder builds a TFN network complete with a TFN master, TFN servers/daemons and TFN agents. As instructed by the TFN master, coordinated attacks are launched against target IP addresses.
- Stacheldraht – meaning barbed wire in German, is a form of TFN attack in which communication between the TFN members and the attacker is encrypted.

Prepare a security plan

A security plan is an action document that states what will be done and when. Three key areas need to be considered: services, usability and cost.
- services – each service carries its own security risk. There are instances when it may be better to eliminate the service than try to secure it.
- usability – too much security can make the system cumbersome to access and use.
- cost – security can be expensive depending on the level an organisation wants to achieve. However, the risk of loss must also be considered. Revenue-generating systems such as web servers may not be able to operate after a security breach, so the loss of this revenue must be weighed against the cost of implementing security measures.

What are the steps?

There are five steps in preparing a security plan:
- inventory
- risk assessment
- evaluation
- finalise
- sign off.

Inventory

In this step the physical and information assets are identified. This can be done by creating a spreadsheet or diagram that documents the individual items you want to protect. There are also software products that can scan the network and create an inventory list automatically. Record:
- hardware: name the item
- software: name the applications and the licensed quantities
- system interfaces: internal and external connectivity, RAS, VPNs, ISDN, VoIP, etc.
- type of information: accounting data, production designs, client information, etc.
- critical/confidential information: the degree of importance of maintaining its security
- owner: who can claim ownership?

Figure 3: Diagrammatic inventory. A logical network diagram displaying multiple servers; each server shows its IP address, network name and server function.

Figure 4: Spreadsheet inventory (RAM figures are presumably in MB):

Network Name | Product Description | IP Address | Administrator | Operating System | Manufacturer | CPU | RAM
db-sales01   | Database server | 10.1.1.23 | Rani Contra | Redhat Linux | EBM | 2 x Dual Core Opteron 2.6GHz | 2048
db-sales-02  | Database server | 10.1.1.24 | Rani Contra | Redhat Linux | EBM | 2 x Dual Core Opteron 2.6GHz | 2048
db-sales-03  | Database server | 10.1.1.25 | Rani Contra | Redhat Linux | EBM | 4 x Dual Core Opteron 2.6GHz | 4096
web-sales-01 | Web server      | 10.1.1.26 | Juan Cruz   | Redhat Linux | IPS | 1 x Pentium D 1.8GHz         | 1024

Risk assessment

Risk assessment is evaluating each risk and determining the risk priority levels. The risk priority level is determined by how often a threat occurs (probability) and the consequence of that threat for the organisation (impact). To determine the probability of a threat occurring, you need to know how the threat can occur and what controls are currently in place. The probability of a threat occurring can be classed as:
- low – not probable, may occur every three or more years
- medium – probable, may occur every two to three years
- high – highly likely, may occur more than once a year.

The impact of a threat occurring has financial and non-financial costs.
The impact of a threat can be classed as:
- low – little or no impact on the operation of the business; users are inconvenienced and there is little financial cost
- medium – IT services are not easily recoverable, there is an impact on users and other areas of the business, and financial losses are experienced
- high – severe impact on services and heavy financial losses.

Therefore, if we draw up a matrix of probability and impact we get the following security levels:

Figure 5: Security levels matrix (probability down the left, impact along the bottom)

Probability \ Impact | Low    | Medium | High
High                 | Medium | High   | High
Medium               | Medium | Medium | High
Low                  | Low    | Medium | Medium

When conducting a risk assessment, three areas to assess are:
- information confidentiality
- information integrity
- information availability.

Information confidentiality refers to the impact of intrusion on information assets such as client information, passwords, databases, etc. Information integrity refers to the impact if inaccurate data is used to make business or management decisions; the release of inaccurate data to clients, regulators, shareholders or the public could lead to a loss of business, possible legal action or public embarrassment. Information availability refers to business disruption risk: what would the probability and impact be if a system was rendered inoperable following a security attack?

Review the following simple scenario. The accounting department performs a full data backup of the payroll system onto tapes. These tapes are then stored in a locked, fireproof safe next to the payroll server.
- Probability level: what is the likelihood that the server and the fireproof safe could be stolen or destroyed at the same time? Low, medium or high?
- Impact level: what would be the cost of replacing the financial information, and how would it affect business continuity and employee morale?
  Low, medium or high?

Evaluation

An actual security plan will endeavour to cover all risk areas, not only those associated with computer technologies. Use the Evaluation checklist located at http://rusecure.rutgers.edu/sec_plan/checklist.php as a guide to developing a security plan. Review each of the major headings in the checklist. The checklist provides the opportunity to respond with a positive or a negative answer. You will need to evaluate the responses and divide them into positive and negative responses. The positive responses are used to create an evaluation report. The negative responses are collated and will need to be addressed by the security plan. Review the example given at http://rusecure.rutgers.edu/sec_plan/eval_sample.php.

Typically, evaluation is performed by the relevant department head or by a security committee. Individual security items are reviewed and action plans are developed. Action plans are then matched with target dates and included in the security plan document.

Finalise and sign-off

The security plan should be accepted and signed off by the appropriate persons. It is recommended that the security plan be signed off by senior management and the security officer. System-specific documentation should also be approved by the owner of the system, who needs to check it for currency and correctness.

Maintenance

The security plan will need to be reviewed periodically for currency. Create a schedule for reviewing the security plan at regular intervals; the interval should not be greater than a year. A review should also take place if a major security incident occurs or there have been changes to the information system or business environment. Third-party organisations may be employed to conduct security audits on a regular basis. Audit results are then compared with the security plan either to confirm the successful completion of an action or to modify the action.
In order to protect itself effectively against internal and external threats to security, an organisation must have a comprehensive security policy that addresses all of the threats identified in the risk analysis. It provides a framework around which you can implement your security measures. This will be particularly important when we look at firewall functionality.

Activity 2
To practise preparing for a security plan, complete Activity 2 – Identify IT assets and document threats, located in the Activities section of the Topic menu.

Review firewall features

What is a network firewall?

A firewall is designed to protect a network from untrustworthy networks, intruders or even trusted users. A firewall exists to block or permit data traffic according to a policy. Depending on that policy, a firewall may lean towards permitting traffic by default and blocking what is known to be bad, or towards blocking by default and permitting only what is explicitly allowed.

Why are firewalls needed?

The Internet is basically a large group of users. However, it is also plagued with people who enjoy the electronic equivalent of painting graffiti on other people's property. Some people work on the Internet, while others need to share sensitive or proprietary data over it. A firewall's main purpose is to keep data transmissions secured against intrusion. Many organisations enforce computing security policies and procedures that must be adhered to; firewalls are used to support these policies and procedures. Firewalls are also installed in front of servers that share public or private information about corporate products and services, files to download or bug fixes.

What can a firewall protect against?

Some firewalls permit only email traffic, protecting the network against attacks that might use non-email traffic. Other firewalls provide less strict protection and block only the services that are known to be problems. Firewalls are configured to protect against unauthenticated logins from the external world.
More sophisticated firewalls block incoming traffic but permit users on the inside to communicate with the external world. Firewalls also provide a single point where security controls and auditing can be imposed.

What can't a firewall protect against?

Firewalls can't protect against attacks that bypass the firewall. Organisations that connect to the Internet are extremely concerned about proprietary data leaking out; unfortunately, a magnetic tape carried out of the building exports proprietary data without ever touching the firewall. Firewall policies must be realistic and reflect the level of security in the entire network. For example, a site with highly confidential or classified data should not be connected to the external world in the first place, which removes the need for a firewall on that connection.

Firewalls cannot reliably prevent incoming viruses. There are too many ways to encode binary files for transfer over networks, and too many different architectures and viruses, to implement search-and-destroy mechanisms at the firewall alone. Firewalls cannot protect against data-driven attacks where internal hosts are used to execute malicious programs that were emailed in.

Basic design decisions in a firewall

Many factors affect how firewalls should be configured. The most basic method is to deny all services except mission-critical ones, such as connecting to the Internet for email and HTTP services. Use the firewall to monitor traffic and provide logs and reports on network activity.

Security benchmarks need to be established to specify acceptable risk levels. The Center for Internet Security publishes security benchmarks and tools for operating systems, network devices and applications. Use the link below to download any of the security benchmark tools on offer: http://www.cisecurity.org/index.html

Financial decisions need to be made to determine investment levels for security. Firewalls range from free to upwards of $100,000. Ongoing support costs need to be addressed as well.
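The two policy styles described above, "deny all except mission-critical services" and "block the services known to be problems", as an added example (not part of the original topic notes): a small first-match packet filter evaluated against constructed packets crossing a screened subnet with an Internet side, a DMZ of public servers and a protected LAN. The network addresses, the rule tables and the sample packets are all constructed; the DMZ and LAN ranges mirror the layout of the notes' network diagram and the host addresses from the inventory spreadsheet.

```python
"""First-match packet filter: default-deny versus block-known-bad (added example)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

Net = ipaddress.IPv4Network
DMZ = ipaddress.ip_network("203.0.113.0/24")   # public HTTP/SMTP/DNS servers (constructed)
LAN = ipaddress.ip_network("10.1.1.0/24")      # protected network (constructed)
OUTSIDE_HOST = "198.51.100.23"                 # an arbitrary Internet address (constructed)


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    established: bool = False   # reply within a connection the filter already admitted


class Rule(NamedTuple):
    action: str                 # "allow" or "deny"
    src: Optional[Net]          # None matches any
    dst: Optional[Net]
    proto: Optional[str]
    dport: Optional[int]
    established_only: bool = False

    def matches(self, p: Packet) -> bool:
        if self.established_only and not p.established:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        return self.dport is None or self.dport == p.dport


def evaluate(policy: List[Rule], p: Packet) -> str:
    """First matching rule wins. Nothing matched is still a deny."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


# "Deny all except mission-critical": replies, the DMZ's public services, and
# outbound web and mail from the LAN. The DMZ can never initiate into the LAN,
# so a compromised public server cannot exploit trust to reach the database.
DEFAULT_DENY: List[Rule] = [
    Rule("allow", None, None, None, None, established_only=True),
    Rule("allow", None, DMZ, "tcp", 80),
    Rule("allow", None, DMZ, "tcp", 25),
    Rule("allow", None, DMZ, "udp", 53),
    Rule("allow", LAN, None, "tcp", 80),
    Rule("allow", LAN, None, "tcp", 25),
    Rule("deny", None, None, None, None),
]

# "Block the services known to be problems": telnet and NetBIOS are stopped,
# everything not yet known to be a problem sails through.
BLOCK_KNOWN_BAD: List[Rule] = [
    Rule("deny", None, None, "tcp", 23),
    Rule("deny", None, None, "tcp", 139),
    Rule("allow", None, None, None, None),
]


def sample_packets() -> Dict[str, Packet]:
    """Constructed traffic crossing the screened subnet."""
    return {
        "internet->dmz http": Packet(OUTSIDE_HOST, "203.0.113.10", "tcp", 80),
        "internet->dmz telnet": Packet(OUTSIDE_HOST, "203.0.113.10", "tcp", 23),
        "internet->lan http": Packet(OUTSIDE_HOST, "10.1.1.26", "tcp", 80),
        "lan->internet http": Packet("10.1.1.50", OUTSIDE_HOST, "tcp", 80),
        "lan->internet telnet": Packet("10.1.1.50", OUTSIDE_HOST, "tcp", 23),
        "dmz->lan mysql": Packet("203.0.113.10", "10.1.1.23", "tcp", 3306),
        "reply to lan browser": Packet(OUTSIDE_HOST, "10.1.1.50", "tcp", 4021, established=True),
    }


def audit(policy: List[Rule]) -> Dict[str, str]:
    return {name: evaluate(policy, p) for name, p in sample_packets().items()}


if __name__ == "__main__":
    for name in sample_packets():
        print(f"{name:24} default-deny={audit(DEFAULT_DENY)[name]:5} block-known-bad={audit(BLOCK_KNOWN_BAD)[name]}")
```

The two policies agree on the obvious cases and differ on the ones that matter: the permissive policy lets an Internet host reach a LAN web server directly and lets a DMZ host open a connection to the LAN database, both of which the default-deny policy refuses without any rule having to name them.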
A decision could be made to position a server outside the corporate network, not connected to it at all. In this scenario the server can provide services such as Telnet, FTP and News without the need for a firewall, although the server itself is then unprotected. In most cases, hardware firewalls are used to provide routing services between the internal and external environments. Costs escalate as more stringent demands are made on the configuration of such devices.

Firewall-related terms

- Host-based firewall – a firewall where the security is implemented in software running on a general-purpose computer of some sort. Security in host-based firewalls is generally at the application level rather than at the network level.
- Router-based firewall – a firewall where the security is implemented using screening routers as the primary means of protecting the network.
- Screening router – a router that is used to implement part of the security of a firewall by configuring it to selectively permit or deny traffic at the network level.
- Bastion host – a host system that is a 'strong point' in the network's security perimeter. Bastion hosts should be configured to be particularly resistant to attack. In a host-based firewall, the bastion host is the platform on which the firewall software runs. Bastion hosts are also referred to as 'gateway hosts'.
- Dual-homed gateway – a firewall consisting of a bastion host with two network interfaces, one connected to the protected network and the other to the Internet. IP forwarding is disabled, restricting all traffic between the two networks to whatever passes through some kind of application proxy.
- Application proxy – an application that forwards application traffic through a firewall. Proxies tend to be specific to the protocol they are designed to forward and may provide increased access control or audit.
- Screened subnet – a firewall architecture in which a 'sandbox' or 'demilitarised zone' (DMZ) network is set up between the protected network and the Internet, with direct traffic between the protected network and the Internet blocked. Conceptually this is similar to a dual-homed gateway, except that an entire network rather than a single host is reachable from the outside.

Figure 6: Network diagram. The network is segmented into three subnets: the Internet service provider (ISP), the demilitarised zone (DMZ) and the local area network (LAN). The ISP is connected to the Internet and to the client's DMZ via an Internet gateway. The DMZ holds the Internet-accessible servers (HTTP, SMTP, DNS). The LAN is connected to the DMZ by a second gateway.

A network security policy identifies a network's resources and threats, defines network use and responsibilities, and details action plans for when the security policy is violated. When you deploy a network security policy, you want it to be enforced strategically at defensible boundaries within your network. These strategic boundaries are known as security perimeters.

Security perimeters

To establish your security perimeters, you must designate the networks and systems that you wish to protect and define the security mechanisms that protect them. For a successful security perimeter, first a well-designed and secure network topology must exist. Second, a firewall must be the gateway for all communications between trusted networks and untrustworthy or unknown networks. Each network can contain multiple security perimeters. Three types of security perimeter are often used: the outermost perimeter, the internal perimeters and the innermost perimeter. Figure 7 illustrates three layers of network defence protecting a computer.
The outer perimeter, the first line of defence, is represented by a sharpened stake fence. The internal perimeter, the second line of defence, is represented by a high corrugated fence. The innermost perimeter, the third line of defence, is represented by a brick wall. (Figure 7: Security perimeters)

The outermost perimeter is the separation point between the assets that you control and the assets that you do not control. Typically, this point is the gateway that you use to separate your network from the Internet. The outermost perimeter is the most exposed area of your network. Normally this area contains routers, firewalls, public Internet servers and front-end mail servers. This area of the network is the easiest to gain access to and is therefore the most frequently attacked, usually in an attempt to gain access to the internal networks. By taking a layered approach to securing the perimeter, you harden the perimeter and limit the damage of a breach when an attack is successful. A layered approach to security, commonly known as defence in depth, focuses on securing people, technology and policies. For more information on defence in depth visit the following websites:
- http://www.nsa.gov/snac/support/defenseindepth.pdf
- https://www.microsoftelearning.com/catalog/security.aspx
- http://www128.ibm.com/developerworks/views/global/tutorials.jsp?topic_by=Security

Internal perimeter networks represent additional boundaries where you have other security mechanisms in place, such as intranet firewalls and filtering routers, domain separation, authentication, and so on. The following diagram shows two security perimeters (an outermost perimeter and an internal perimeter) defined by the placement of the internal and external routers and the firewall server.
Placing your firewall between an internal and an external router provides little additional protection from attack, but it reduces the amount of traffic the firewall must evaluate.

Image: Two security perimeters (an outermost perimeter and an internal perimeter) defined by the placement of the internal and external routers and the firewall server.

Figure 8: Network security perimeters

This is not the only network topology you should consider. The systems and services that are running determine how many layers of security are needed. The following site describes a multi-tier approach to securing the system:

http://www.isaserver.org/tutorials/Creating-MultipleSecurity-Perimeters-Multihomed-ISA-Firewall-Part1.html

Although the firewall between the routers adds little protection against attacks on either side, it greatly reduces the traffic the firewall server must evaluate, because the external router's packet filters discard much of the unwanted traffic first. From the perspective of external users, the firewall server represents all accessible computers on the trusted network: it defines a choke point through which all communications must pass.

Intrusion detection system

An intrusion detection system (IDS) identifies inappropriate, incorrect or unusual activity on the network and can alert the appropriate person. An IDS is either host-based or network-based.

Host-based IDS

A host-based IDS monitors an individual computer. Programs installed on it use log files or the system's auditing agents as sources of data. The person responsible for monitoring the IDS needs to be a competent system administrator who is familiar with the host machine, its network connections, its users and their habits, and all software installed on the machine.
Many intrusions have been contained by attentive system administrators who noticed something unusual about their machines, or noticed a user logged on at a time when that user should not have been on the system.

The host-based IDS monitors incoming and outgoing communications, checks the integrity of system files and watches for suspicious processes. You need to install the host-based IDS software on each computer to get complete coverage at your site. Host-based IDS is more effective than network-based IDS at detecting trusted-insider attacks, which show up as anomalous activity; both host-based and network-based IDSs are effective at detecting externally sourced attacks.

There are two primary classes of host-based IDS:

- host wrappers/personal firewalls
- agent-based software.

Host wrappers or personal firewalls can be configured to monitor all network packets, connection attempts or login attempts. This can also include dial-in attempts or other non-network communication ports. The best-known examples of wrapper packages are TCP Wrappers for Unix and Nuke Nabber for Windows. Personal firewalls such as WRQ's AtGuard can also detect software on the host attempting to connect to the network.

Host-based agents monitor access, changes to critical system files and changes in user privileges. Well-known commercial versions include products from AXENT, CyberSafe, ISS and Tripwire.

UNIX has numerous software tools to perform intrusion detection. Since no single package does everything, the set of tools can be tailored to each computer that is to be monitored. Monitoring sources include system and user log files (syslog), connectivity monitoring (TCP Wrappers, lastlog), process monitoring (lsof), process accounting, disk usage monitoring (quotas), session monitoring (options to ftpd to log all file transfers, process accounting) and system auditing (audit). UNIX host-based intrusion detection is only as good as the logging that is done.
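As an added example (it is not part of the original course material), the following Python script does two of the things this section describes a host-based IDS doing. It analyses sshd authentication log lines for a burst of failed logins from one source, for a successful login from a source that had just been failing, and for interactive logins outside business hours; and it checks critical files against a baseline of SHA-256 digests in the manner of a Tripwire-style agent. The log lines, the business-hours range, the failure threshold and the file contents are all constructed assumptions for the demonstration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample sshd log lines (not captured from a real system).
SAMPLE_LOG = """\
Mar 14 02:11:07 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 14 02:11:09 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar 14 02:11:12 web01 sshd[2031]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 14 02:11:15 web01 sshd[2031]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar 14 02:11:18 web01 sshd[2031]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar 14 02:14:40 web01 sshd[2044]: Accepted password for root from 203.0.113.9 port 51030 ssh2
Mar 14 09:30:02 web01 sshd[2100]: Accepted publickey for alice from 10.0.0.5 port 40211 ssh2
Mar 14 13:05:44 web01 sshd[2133]: Failed password for bob from 10.0.0.7 port 40300 ssh2
Mar 14 13:05:50 web01 sshd[2133]: Accepted password for bob from 10.0.0.7 port 40301 ssh2
"""

# Matches the OpenSSH "Accepted ..." / "Failed ..." authentication messages.
AUTH_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

BUSINESS_HOURS = range(8, 19)   # assumption: interactive logins expected 08:00-18:59
FAIL_THRESHOLD = 4              # assumption: failures from one source before alerting


def parse_auth_line(line):
    """Return the fields of one sshd authentication line, or None for other lines."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {"time": m.group("time"), "hour": int(m.group("time")[:2]),
            "result": m.group("result"), "user": m.group("user"), "src": m.group("src")}


def analyse_log(log_text, fail_threshold=FAIL_THRESHOLD, business_hours=BUSINESS_HOURS):
    """Scan log lines in order and return the alerts an administrator should see."""
    failures = defaultdict(int)     # failed attempts per source address
    alerts = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
            if failures[ev["src"]] == fail_threshold:   # alert once, when the threshold is reached
                alerts.append("brute-force: %d failed logins from %s" % (fail_threshold, ev["src"]))
            continue
        # A successful login from a source that was just guessing passwords is the
        # worst case: the guessing may have worked.
        if failures[ev["src"]] >= fail_threshold:
            alerts.append("success after failures: %s from %s at %s" % (ev["user"], ev["src"], ev["time"]))
        if ev["hour"] not in business_hours:
            alerts.append("off-hours login: %s from %s at %s" % (ev["user"], ev["src"], ev["time"]))
    return alerts


def digest(data):
    return hashlib.sha256(data).hexdigest()


def check_integrity(baseline, current):
    """baseline: path -> digest recorded when the host was known-good.
    current: path -> file contents read now. Returns the paths that differ."""
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append(path + " (missing)")
        elif digest(current[path]) != expected:
            findings.append(path + " (modified)")
    return findings


# Constructed file contents standing in for reads from disk.
CLEAN_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
               "/etc/hosts.equiv": b"# no trusted hosts\n"}
BASELINE = {path: digest(data) for path, data in CLEAN_FILES.items()}
TAMPERED_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n"}


if __name__ == "__main__":
    for alert in analyse_log(SAMPLE_LOG):
        print(alert)
    for finding in check_integrity(BASELINE, TAMPERED_FILES):
        print("integrity:", finding)
```

The brute-force alert fires once, at the threshold, rather than on every further failure, so a noisy source does not flood the administrator; the correlation of a later success with earlier failures from the same address is the alert worth paging someone for. The baseline digests must be stored somewhere the monitored host cannot overwrite them, otherwise an intruder who gains root simply re-baselines.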
Scripts can be written to analyse log files and alert the system administrator by email or text message when something is unusual.

Image: Diagram with the Internet outside the firewall and a switch on the other side of the firewall connecting to hosts, each running its own IDS. Normal packets from the Internet pass through the firewall and arrive at their destination without an alarm. As soon as an IDS detects an abnormal packet, it raises an alarm.

Figure 9: Intrusion detection system

Network-based IDS

A network-based IDS uses the traffic on its own network segment as its data source. It does this by placing the network interface card in promiscuous mode to capture all traffic that crosses the segment. On a switched network the sensor only sees the whole segment if it is attached to a mirror (SPAN) port or a network tap. Traffic on other segments, and traffic on other means of communication (such as phone lines), has to be monitored by other means. Both network-based and host-based sensors have pros and cons.

A network-based IDS inspects the data packets on the network. Packets are considered interesting if they match a signature. The three primary types of signature are:

- string signatures
- port signatures
- header condition signatures.

Image: Diagram with the Internet outside the firewall and a NIDS on the other side of the firewall, connected to a switch which connects to the computers in the network. A network-based IDS uses one sensor for the whole segment and raises an alarm when abnormal packets come through the firewall.

Figure 10: Network-based IDS

String signatures

String signatures look for a text string that indicates a possible attack.
An example string signature for UNIX is cat "+ +" > /.rhosts which, if the command succeeds, makes the UNIX system extremely vulnerable to network attack (a '+ +' entry in .rhosts lets any user from any host log in without a password). To reduce false positives it may be necessary to use a compound string signature. A compound string signature for a common web server attack might be "cgi-bin" AND "aglimpse" AND "IFS".

Port signatures

Port signatures watch for connection attempts to well-known, frequently attacked ports. Examples include telnet (TCP port 23), FTP (TCP ports 21/20), SUNRPC (TCP/UDP port 111) and IMAP (TCP port 143). If any of these ports are not used by the site, incoming packets to them are considered suspicious.

Header signatures

Header signatures watch for dangerous or illogical combinations in packet headers. The most famous example is WinNuke, where a packet destined for a NetBIOS port (TCP 139) has the Urgent pointer set, signalling out-of-band data. On unpatched Windows 95 and NT systems this produced the 'blue screen of death'. Another well-known header signature is a TCP packet with both the SYN and FIN flags set, which claims to start and stop a connection at the same time.

Well-known network-based intrusion detection systems include those from AXENT, Cisco, CyberSafe, ISS and Shadow.

Two approaches to intrusion detection are knowledge-based and behaviour-based detection.

Knowledge-based intrusion detection

Almost all IDS tools today are knowledge-based. Knowledge-based techniques apply the knowledge accumulated about specific attacks and system vulnerabilities. The IDS holds information about these vulnerabilities and looks for attempts to exploit them; when such an attempt is detected, an alarm is triggered. Any action that is not explicitly recognised as an attack is considered acceptable, so regular updates of the knowledge about attacks are required.
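The three signature types described above (string, port and header), applied to constructed packets in an added Python example; this is not code from the original course material or from any of the products named. Packets are represented as dictionaries rather than raw bytes so that the matching logic stays visible. The set of ports the site actually runs, the 'cgi-bin' spelling of the compound signature and the sample traffic are assumptions.

```python
# Signature-matching network IDS over constructed packets (added example).

# String signatures: every needle in the list must appear in the payload, so a
# single-element list is a plain string signature and a longer one is compound.
STRING_SIGS = [
    ("string:rhosts-plus-plus", [b'cat "+ +" > /.rhosts']),
    ("string:aglimpse-IFS", [b"cgi-bin", b"aglimpse", b"IFS"]),
]

# Port signatures: frequently attacked services. Packets to these ports are only
# suspicious when the site does not run the service (SITE_PORTS is an assumption).
WATCHED_PORTS = {23: "telnet", 21: "ftp", 20: "ftp-data", 111: "sunrpc", 143: "imap"}
SITE_PORTS = {80, 443, 25, 53}


def match_packet(pkt):
    """Return the names of every signature the packet matches (possibly none)."""
    hits = []
    payload = pkt.get("payload", b"")
    flags = pkt.get("flags", set())
    tcp = pkt["proto"] == "tcp"

    for name, needles in STRING_SIGS:
        if all(n in payload for n in needles):
            hits.append(name)

    # A connection attempt is a bare SYN (no ACK); for UDP every datagram counts.
    connection_attempt = (tcp and "SYN" in flags and "ACK" not in flags) or pkt["proto"] == "udp"
    service = WATCHED_PORTS.get(pkt["dport"])
    if connection_attempt and service and pkt["dport"] not in SITE_PORTS:
        hits.append("port:" + service)

    # Header signatures: an impossible flag combination, and WinNuke-style
    # out-of-band (URG) data aimed at the NetBIOS session port.
    if tcp and {"SYN", "FIN"} <= flags:
        hits.append("header:syn-fin")
    if tcp and "URG" in flags and pkt["dport"] == 139:
        hits.append("header:winnuke-oob")
    return hits


def scan(packets):
    """Run every packet through the signatures; return (index, hits) for the matches."""
    results = []
    for i, pkt in enumerate(packets):
        hits = match_packet(pkt)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 80, "flags": {"SYN"}},                                    # 0 normal
    {"proto": "tcp", "dport": 23, "flags": {"SYN"}},                                    # 1 telnet probe
    {"proto": "tcp", "dport": 80, "flags": {"SYN", "FIN"}},                             # 2 illegal flags
    {"proto": "tcp", "dport": 139, "flags": {"ACK", "PSH", "URG"}, "payload": b"\x00"},  # 3 WinNuke
    {"proto": "tcp", "dport": 80, "flags": {"ACK", "PSH"},
     "payload": b"GET /cgi-bin/aglimpse?IFS=x HTTP/1.0\r\n"},                           # 4 compound string
    {"proto": "tcp", "dport": 513, "flags": {"ACK", "PSH"},
     "payload": b'cat "+ +" > /.rhosts\n'},                                             # 5 string
    {"proto": "tcp", "dport": 80, "flags": {"ACK", "PSH"}, "payload": b"GET / HTTP/1.0\r\n"},  # 6 normal
    {"proto": "udp", "dport": 111, "payload": b"\x00"},                                 # 7 RPC probe
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_PACKETS):
        print("packet %d: %s" % (index, ", ".join(hits)))
```

Two practical points the code makes visible: a port signature is only meaningful relative to what the site actually runs (the SYN to port 80 in packet 0 is normal here and would be an alert at a site with no web server), and a string signature matches bytes wherever they occur, so a real sensor has to reassemble TCP streams and normalise encodings or an attacker simply splits the string across two segments.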
Advantages of the knowledge-based approach are a lower false-alarm rate and the detail of the contextual analysis the IDS can give, which makes it easier for the security officer to take preventive or corrective action. Its weaknesses lie in the need to keep up to date with new vulnerabilities and environments: building the knowledge base requires a time-consuming analysis of each vulnerability, and knowledge about attacks is highly specific to the operating system, version, platform and application. The resulting intrusion detection tool is therefore customised for a given environment.

Behaviour-based intrusion detection

Few tools today implement this approach, even though the founding paper by Denning (D Denning, 'An Intrusion-Detection Model', IEEE Transactions on Software Engineering, 1987) recognises it as a requirement for IDSs.

Behaviour-based techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behaviour of the system or its users. A model of normal or acceptable behaviour is extracted from reference information collected by various means; the IDS later compares current activity with this model and raises an alarm when a deviation is observed. If the model is drawn too tightly, legitimate but unusual activity also raises alarms, so numerous false alarms are possible.

Advantages of behaviour-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities, and so can discover new attacks. They are less dependent on operating system-specific details. They can also detect 'abuse of privilege' attacks that do not involve exploiting any security vulnerability at all.

This paranoid approach assumes that any new activity is potentially dangerous, and the resulting high false-alarm rate makes it unattractive in practice. Furthermore, behaviour changes over time.
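An added Python example (not code from the original course material or from any product) of the behaviour-based approach described above. It builds a per-user profile of 'normal' from constructed training data, scores new sessions by how many standard deviations they sit from that profile, and shows the trade-offs just listed: an abuse-of-privilege case that no signature would catch is flagged, a legitimate workload change is flagged as a false alarm, and retraining the profile on reviewed recent sessions absorbs the change. The metric (files opened per session), the threshold of three standard deviations and all the figures are assumptions.

```python
from statistics import mean, pstdev

# Constructed training data (not real measurements): files opened per session on a
# file server, ten sessions per user, gathered while behaviour was known to be normal.
TRAINING = {
    "alice": [18, 22, 20, 25, 19, 21, 23, 20, 17, 24],
    "bob":   [40, 45, 38, 50, 42, 47, 44, 41, 39, 46],
}

Z_THRESHOLD = 3.0   # assumption: alarm beyond three standard deviations
MIN_STDEV = 1.0     # floor so a very regular user does not alarm on a one-file change


def build_profile(observations):
    """Normal-behaviour model: (mean, standard deviation) per user."""
    return {user: (mean(vals), max(pstdev(vals), MIN_STDEV))
            for user, vals in observations.items()}


def z_score(profile, user, value):
    """How far a new observation sits from the user's model, in standard deviations.
    A user with no model gets an infinite score: there is no 'normal' to compare with."""
    if user not in profile:
        return float("inf")
    mu, sigma = profile[user]
    return (value - mu) / sigma


def detect(profile, sessions, threshold=Z_THRESHOLD):
    """Return (user, value, z) for every session that deviates beyond the threshold."""
    flagged = []
    for user, value in sessions:
        z = z_score(profile, user, value)
        if abs(z) > threshold:
            flagged.append((user, value, z))
    return flagged


def retrain(observations, reviewed_sessions, window=10):
    """Fold reviewed recent sessions into the training data, keeping only the last
    `window` per user so the profile follows legitimate drift. Only sessions an
    analyst has confirmed as legitimate should be fed back; otherwise an attacker
    who goes slowly becomes the new normal."""
    updated = {user: list(vals) for user, vals in observations.items()}
    for user, value in reviewed_sessions:
        updated.setdefault(user, []).append(value)
        updated[user] = updated[user][-window:]
    return updated


# Constructed new sessions to score against the profile.
NEW_SESSIONS = [
    ("alice", 400),   # insider bulk-reading files: no exploit, just abuse of privilege
    ("bob", 44),      # ordinary session
    ("bob", 60),      # legitimate end-of-quarter workload: a false alarm
    ("carol", 5),     # never seen before: nothing to compare with
]

# Bob's workload stays high; an analyst confirms these sessions as legitimate.
BOB_REVIEWED = [("bob", 60), ("bob", 58), ("bob", 62), ("bob", 61), ("bob", 59)]

if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for user, value, z in detect(profile, NEW_SESSIONS):
        print("alarm: %s opened %d files (z=%.1f)" % (user, value, z))
    profile = build_profile(retrain(TRAINING, BOB_REVIEWED))
    print("after retraining:", detect(profile, [("bob", 60), ("alice", 400)]))
```

Retraining here is done offline over a sliding window, which is the simplest way to follow drift; it is also where the weakness lies, since whatever is fed back defines the next 'normal'. Lowering the threshold catches more, at the cost of more alarms like bob's quarter-end session.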
Because of this drift, the behaviour profile must be retrained periodically online, which can make the intrusion detection system periodically unavailable.

You can read more about host-based versus network-based IDS at http://www.windowsecurity.com/articles/Hids_vs_Nids_Part1.html

Secure electronic communication infrastructure (SECI)

Understanding SECI can be daunting, since our use of electronic communication keeps growing. A good way to understand SECI is to review a sample email policy, so we will focus on one important aspect of SECI: email in the corporate world. Review the 4phones email policy.

Secure electronic communication protects the integrity of information and maintains the privacy of end users. To ensure the security of communication such as email and instant messaging (IM), organisations need an electronic messaging infrastructure with the following security and privacy features.

User authentication: ensures that users are who they say they are. This is fundamental to secure communication using email or IM.

Message and session encryption: encryption maintains the privacy of emails and IMs, as well as of the private information and sensitive data associated with users.

Virus and spam protection: since email and IM are notoriously exposed to viruses and spam, the messaging infrastructure must include robust protection against them.

Email and IM archiving: many government regulations require organisations to store and provide access to electronic records, so organisational policies must address the retention of electronic communication for compliance. The integrity of the archived data must be protected whilst maintaining the privacy of the communicator.

Privacy options: privacy of communication has become an important requirement for messaging over public networks.
Users want to be able to control who can see their online status and who can contact them.

Secure access: identity management infrastructure is used to secure electronic communication. Identity-based access policy, centralised user management and single sign-on (SSO) across messaging systems provide secure access. A virtual private network (VPN) on demand may be used to provide convenient access without compromising security.

The following link provides more information about secure electronic communication:

http://www.sun.com/software/products/communications/wp_secure_electronic_comm.pdf

Virtual private network (VPN)

A VPN is a private IP connection between two sites carried over a public IP network such as the Internet. 'Virtual' means that the data paths between source and destination are shared with other traffic.

You can read more about VPNs at this website: http://computer.howstuffworks.com/vpn.htm

One way to understand VPNs is to think about how telephones work. When you telephone a friend, your private conversation is actually carried over a public telephone network. VPNs are similar, except that computers use the Internet to make the private connections. An advantage of a VPN is that companies do not have to pay for dedicated private lines. In this reading you will see how communication over public lines can still be kept secure.

VPN tunnels

A VPN maintains privacy by using tunnels. A VPN tunnel establishes an end-to-end connection and encapsulates the data in new packet headers for delivery to the specified destination. The connection is considered private because traffic can only enter the tunnel at an endpoint, and the endpoints admit only the configured users or sites.
A site-to-site intranet VPN (say between Microsoft Australia and Microsoft USA), an extranet VPN (say between BHP Australia and Toyota Australia) and a remote-access VPN can all be established by creating tunnels between each site's access point and its service provider, and then between the service providers.

Tunnelling by itself does not make the transmission secure; confidentiality comes from encrypting the data. The tunnelling protocols in common use are the point-to-point tunnelling protocol (PPTP), layer 2 forwarding (L2F), the layer 2 tunnelling protocol (L2TP) and IP security (IPSec). As the descriptions below show, not all of them encrypt the data themselves.

Image: Diagram showing unsecured data entering a VPN gateway on the left, where it is encrypted and transferred as secured data to the VPN gateway on the right.

Figure 11: VPN tunnels

Point-to-point tunnelling protocol (PPTP)

PPTP was developed by a vendor consortium led by Microsoft and US Robotics (now part of 3Com) and published through the Internet Engineering Task Force (IETF) as an informational RFC (RFC 2637). It uses Microsoft Point-to-Point Encryption (MPPE, based on RC4) to provide encryption, together with PPP authentication (MS-CHAP), for remote dial-up and LAN-to-LAN connections. For dial-up users, PPTP is provided either directly by the client or indirectly by the ISP. A control session establishes and maintains the tunnel from sender to receiver, and a data session carries the transmitted data. In LAN-to-LAN applications, the tunnel is established between servers. PPTP can carry several protocols, such as IP, IPX, NetBEUI and NetBIOS. Note that PPTP's MS-CHAP authentication and MPPE encryption have well-known cryptographic weaknesses, so PPTP should not be chosen for new deployments.

Layer 2 forwarding (L2F)

L2F is a Cisco proprietary protocol that provides tunnelling between the ISP's dial-up server and the public network. Once a user establishes a dial-up point-to-point protocol (PPP) connection to the ISP's server, that server wraps the PPP frames inside L2F frames and forwards them to a layer-3 device (a router) for network transmission. The router is responsible for user authentication and network addressing. L2F does not provide any data encryption, and its own user authentication is weak; it relies on the participating routers for these functions.
Layer 2 tunnelling protocol (L2TP)

L2TP defines a method for tunnelling layer-2 circuits across a packet network (IP); it is commonly used to tunnel PPP sessions. L2TP provides no encryption of its own and typically depends on IPSec for it (L2TP over IPSec). You can read more at http://rfc.net/rfc3931.html. See the next point as well.

IP security (IPSec)

IPSec is a suite of protocols developed by the IETF. It operates at layer 3 of the OSI model and is the most widely used VPN encryption technology. You can read more at http://rfc.net/rfc4301.html.

Of the protocols above, only IPSec was designed with encrypted tunnels built in. For that reason the VPN Consortium accepts only IPSec, L2TP over IPSec and PPTP with RC4 encryption as VPN security strategies.

The suite includes the Authentication Header (AH), the Encapsulating Security Payload (ESP) and the Internet Key Exchange (IKE). AH provides integrity and data-origin authentication for the whole packet, including the IP header, plus optional anti-replay protection, but no confidentiality. ESP encrypts the payload and can also provide integrity and anti-replay protection; in practice most VPNs use ESP alone. IKE automates the negotiation of security associations and the exchange of keys between the sender and receiver nodes.

For more information on IPSec visit the following websites:

http://technet2.microsoft.com/WindowsServer/en/Library/fa2c6e21-a693-4a7c-bc0f-c171477928de1033.mspx?mfr=true (Microsoft TechNet: IPSec technical reference)
http://rfc.net/rfc4301.html (IPSec architecture)
http://rfc.net/rfc4302.html (Authentication Header (AH))
http://rfc.net/rfc4303.html (Encapsulating Security Payload (ESP))
http://rfc.net/rfc4306.html (Internet Key Exchange (IKE))

VPN costs

A VPN can offer companies considerable savings compared with competing technologies, which cost between 30 and 70 per cent more; site savings can be as much as 70 per cent compared with private-line solutions. A VPN also gives the widest worldwide access.

Typical VPN configurations

Based on need and financial resources there are numerous possibilities.
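An added Python example (not code from the original course material or from any IPSec implementation) of the anti-replay protection mentioned above, following the sliding-window procedure of RFC 4303 section 3.4.3: the receiver keeps the highest sequence number accepted and a 64-bit bitmap of the numbers just below it, rejects anything already marked or older than the window, and marks a sequence number only after the packet's integrity check value (ICV) has verified. The packet layout is simplified to (sequence number, payload, ICV), the ICV is a truncated HMAC-SHA-256 as in ESP's HMAC-SHA-256-128, and the key and traffic are constructed.

```python
import hashlib
import hmac

WINDOW_BITS = 64   # RFC 4303 requires at least 32; 64 is the usual default


class AntiReplayWindow:
    """Sliding bitmap over the most recent WINDOW_BITS sequence numbers on one SA."""

    def __init__(self, size=WINDOW_BITS):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) has been accepted

    def check(self, seq):
        """Preliminary check made before the costlier ICV verification.
        Returns None if the packet may proceed, otherwise the reason for rejection."""
        if seq == 0:
            return "invalid"      # the first packet on an SA carries sequence number 1
        if seq > self.top:
            return None           # right of the window: never seen
        diff = self.top - seq
        if diff >= self.size:
            return "stale"        # left of the window: too old to track
        if (self.bitmap >> diff) & 1:
            return "replay"       # inside the window and already accepted
        return None

    def update(self, seq):
        """Record seq as accepted. Called only after the ICV has verified, so that
        forged packets cannot advance the window and shut out genuine traffic."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def compute_icv(key, seq, payload):
    """Truncated HMAC-SHA-256 over the sequence number and payload (simplified layout)."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:16]


def receive(window, key, seq, payload, tag):
    """Process one inbound packet; returns 'ok' or the reason it was dropped."""
    reason = window.check(seq)
    if reason:
        return reason
    if not hmac.compare_digest(compute_icv(key, seq, payload), tag):
        return "bad-icv"          # integrity failed: the window stays as it was
    window.update(seq)
    return "ok"


KEY = b"constructed-demo-key-not-for-real-use"


def build_sample_stream(key):
    """Constructed traffic: genuine packets, replays, a stale packet and a forgery."""
    def pkt(seq, payload=b"data"):
        return (seq, payload, compute_icv(key, seq, payload))
    stream = [pkt(1), pkt(2), pkt(3)]
    stream.append(pkt(2))                    # replayed copy of packet 2
    stream.append(pkt(70))                   # jump forward: window slides to 70
    stream.append(pkt(5))                    # now left of the window (70 - 5 >= 64)
    stream.append(pkt(69))                   # inside the window, not yet seen
    stream.append(pkt(69))                   # replayed
    seq, _, tag = pkt(71)
    stream.append((seq, b"tampered", tag))   # forged payload under a fresh sequence number
    stream.append(pkt(71))                   # the genuine 71 must still get through
    return stream


def receive_stream(window, key, stream):
    return [receive(window, key, seq, payload, tag) for seq, payload, tag in stream]


if __name__ == "__main__":
    w = AntiReplayWindow()
    stream = build_sample_stream(KEY)
    for (seq, _, _), result in zip(stream, receive_stream(w, KEY, stream)):
        print("seq %3d: %s" % (seq, result))
```

The order matters: checking the window first discards replays without spending a MAC computation on them, while updating it only after the ICV verifies means an attacker who injects a packet with a huge sequence number cannot slide the window past the sender's genuine traffic. The 'stale' case is also why ESP sequence numbers must never wrap on an SA; a real implementation rekeys before that happens.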
Some of the more popular VPN configurations are:

- Router-to-router VPN-on-demand tunnel connections between sites. As the name suggests, the routers provide the VPN services. Between two VPN-capable routers an encrypted link is established for all traffic. Also called an encrypted tunnel facility, the tunnel is created when the user connects and remains available until the user disconnects. This is highly vendor-specific: the routers at both ends must be compatible to provide services such as key exchange and cryptographic support.

- Router-to-router VPN-on-demand multiprotocol tunnel connections between sites over an IP network. This is similar to the previous configuration except that routed protocols other than IP, such as IPX or AppleTalk, are supported. Given the dominance of IP, this configuration is expected to fall out of use.

- Router-to-router VPN-on-demand encrypted session connections between sites. Here the routers are not expected to be VPN compatible; instead each session is encrypted and matched with its peer on the periphery of the public network. While this is simpler to manage per session than a tunnel, it may carry more overhead for highly connected applications between the peripheral sites.

- Firewall-to-firewall VPN-on-demand tunnel connections between sites. Here firewalls, rather than routers, are configured with the VPN rules, and they offer more features, including traffic management, auditing, authentication and data encryption. IPSec can provide these features; however, some vendors' IPSec implementations do not interoperate with other vendors' and may only support their own firewall configurations.

- Firewall-to-firewall VPN-on-demand multiprotocol connections between sites over an IP network. This is similar to the router approach, but the firewall must be capable of multiple-protocol filtering and security.
- Client-to-firewall IP tunnel VPN facilities. Here a client system, such as a laptop, is installed with a VPN tunnel manager and encryptor software package. The firewall at the server end implements a proxy facility to give the client access. When connected, the client negotiates a VPN tunnel using the VPN client software. An example is V-One's SmartGate, which implements a proxy on the firewall side and either a soft-token or hard-token package on the client side.

- Client-to-server IP tunnel VPN facilities. Companies such as Microsoft implement a VPN tunnelling facility that lets client software connect a VPN tunnel to a local or remote server. This method uses PPTP over IP.

- Client and server firewall implementation with full VPN capabilities. This is probably the most complex method to implement, but also the most secure: full firewall facilities are implemented on every system on the network. An example is the client and server versions of Network-1 Security Solutions' FireWall/Plus.

- Dedicated VPN box. These are dedicated appliances, placed either in front of or behind a router, that implement VPN features between a company and a public network such as the Internet. They are simpler to implement and typically give higher performance than software-based solutions, and are best suited to site-to-site access.

Determine hardware and software needs

Securing a network relies on people, processes and information technology. The organisation's security plan will have outlined the weakest points on the network; the next step is to identify technologies that can harden those points. Most organisations do not have the funds to implement every capital project, so it is vital to select the technology that mitigates the highest risks.
This is done by referring to the security plan and identifying the risks with a high probability and a severe impact, then researching what technologies are available to mitigate those risks. When reviewing technologies, remember to build multiple layers of security: this makes the network much harder to compromise and affords the most protection.

Hardware and software needs

Image: Diagram showing multiple hardware devices such as servers, routers and hosts protected by firewalls.

Figure 12: Multiple hardware devices

Multiple hardware and software devices will need to be installed and configured to safeguard your network. One of the most common is a firewall. An individual firewall will not guarantee a secure network; it has to work in conjunction with other devices to provide a secure environment. Many factors influence how well a device does its job, including:

- placement: a poorly placed device is virtually useless in stopping security threats
- configuration: poor configuration, or no configuration, renders the device virtually useless
- patch management: software vulnerabilities are discovered daily, so a device is only as effective as its last software update.

Some of the hardware, software and services an organisation needs to secure its network are:

- proxy servers
- NAT
- certificate authorities
- VPN server
- encryption services
- firewall
- routers
- switches
- virus server
- workstation IDS
- software update server.

An organisation purchases hardware and software based on its business needs. In other words, it does not begin by deciding which operating system to use and then purchase related equipment.
It determines what the opportunity or need is, then uses technology, people and processes to achieve better productivity. A large organisation may decide on an accounting application first. That application then mandates which hardware platform it must run on, and the hardware platform may in turn mandate which operating system is required.

Servers:

- Intel/AMD-based hardware, typically for MS Windows, UNIX or Apple Macintosh
- RISC-based hardware, typically for UNIX
- IBM or Motorola-based (PowerPC) hardware, typically for Apple systems
- mainframe hardware, typically sourced from IBM.

Workstations:

- Intel/AMD-based hardware
- RISC-based hardware
- data terminal hardware.

Networking devices:

- routers, switches, firewalls, gateways, concentrators.

Software:

- operating system software: MS Windows, UNIX, Linux, Novell NetWare, Apple OS X, IBM OS/400, Sun Solaris, etc.
- application software: a large number of choices to support business operations, including enterprise suites such as PeopleSoft and JD Edwards
- database software: Oracle, MS SQL Server, MySQL, Informix, etc.
- networking software: Cisco IOS; also provided by operating systems.

Biometrics

In biometrics, the physical characteristics of a person are used to identify authorised personnel. This includes the use of any one, or a combination, of the outline of a hand, a scanned fingerprint, a scanned retina and facial photographs. Organisations that use biometric devices in their security plan will have additional hardware and software requirements for these specialised devices.

Once hardware and software needs have been identified, action plans and target dates are developed and compiled into the security plan. In some instances, changing circumstances might prevent the successful completion of an action as specified in the security plan. Should this happen, hardware and software needs may need to be reassessed and the security plan updated.
Prepare cost-benefit analysis

It should not be surprising that, like all business projects, the cost of implementing security must be weighed against the benefits. Following the identification of security risks, the organisation must take appropriate action to minimise those risks. Selecting and implementing appropriate security controls in a live production environment can be daunting, but security is one area that must not be ignored, especially for organisations that use the Internet as part of their business operations, which today is almost all of them. Because of the technical complexity of security, an organisation's security effort can easily turn into a spending spree.

The cost-benefit analysis for security investment reaches beyond the question of whether to invest in security at all. Demonstrable security compliance can attract investors to a company's shares, encourage customers to spend on its products or services, and directly benefit companies whose revenue comes from the Internet.

The first step in performing a cost-benefit analysis is to estimate:

- the costs of the solution
- the benefits or savings that the solution will provide to the company.

Estimating costs

The costs of the solution can be broken down into two main divisions:

- development costs
- operating costs.

Development costs include all of the costs associated with developing a system to secure the organisation's systems and, for that reason, occur once only. These are sometimes called one-off costs. Operating costs include all of the costs involved in running the system on an ongoing basis, and are often referred to as recurring costs or life-cycle costs, since they occur throughout the life of the system. They are usually defined on an annual basis.
For an IT solution, the estimate of development costs must include the costs of obtaining any additional equipment that is needed and the costs of developing or purchasing any necessary software.

Development costs

These include all of the costs of developing and implementing the new solution and, for an IT solution, can be broken down into capital costs, software development costs and conversion costs.

Capital costs are the costs of purchasing the equipment needed to implement the new system and include:

- computer hardware
- computer software
- office equipment.

Once you have determined what equipment is needed, these capital costs can be estimated by contacting potential suppliers.

Software development costs are the costs associated with developing the new system and include things like:

- computer charges, e.g. the cost of running the computer to develop the system
- personnel charges, e.g. salaries of staff employed just for this project
- training of computer personnel to use any new software development tools
- office supplies, e.g. stationery
- work lost due to disruption, e.g. time spent by the users in interviews
- communication charges, e.g. telephone costs
- travel, e.g. costs of staff travelling to JAD (joint application design) sessions
- contingency costs: an allowance added to the estimate to cover any unexpected costs that may arise.

Conversion costs are the costs associated with converting from the existing system to the new system and may include:

- training of employees to understand and use the new system
- parallel running: if the old system is going to continue to operate at the same time as the new system for a period, to ensure that there are no problems in the changeover, then there will be extra costs associated with running two systems to achieve the same outcome.

Development costs may be difficult to determine, because it is not easy to anticipate what problems may occur during development that could affect the cost.
Operating costs

Operating costs are the costs of running the new system and are usually calculated for a one-year period. These annual operating costs may be either fixed or variable.

Fixed costs are things like:

- administrative costs
- salaries for the permanent staff
- hardware and software maintenance
- licensing and leasing fees for hardware and software.

Variable costs are those that may vary each year, such as:

- depreciation of hardware: the tax office sets depreciation scales that allow different percentages of deductions for depreciation each year for several years
- supplies: the volume of supplies you use each year will vary with the volume of business the company does
- wages for temporary staff: if you need to employ temporary staff, their number and the periods you employ them for may vary each year depending on the workload on your permanent staff.

Intangible benefits

Intangible benefits are those that cannot be measured or given a dollar value but are nevertheless important to the success of the business, such as:

- goodwill
- increased customer satisfaction
- public image
- improved employee morale
- improved environmental conditions.

Estimate the costs of doing nothing

Keep in mind that in some circumstances there are costs associated with doing nothing, and you should take these into account where they occur.

Do the costs outweigh the benefits?

Having identified and estimated all of the costs and benefits of the security solution, you can work out whether the benefits outweigh the costs of implementation. If they do not, it is highly unlikely that you will be given the go-ahead to continue with the solution. When you examine the costs and benefits, you will see that the costs are incurred during the period of development, whereas the benefits accrue over the following period of, say, one or five years.
Finalise security framework components

We are now in a position to finalise the security framework components, having done the following:

- determined the level and nature of security required for the organisation, based on current and future needs
- identified and documented the various types of security threat
- prepared a security plan
- reviewed firewall features
- identified security perimeters within client/server systems
- evaluated IDS methods
- investigated a framework for SECI
- investigated the use of VPNs
- determined hardware and software needs
- reviewed a cost-benefit analysis.

Our final step will be to develop related policies and procedures.

When finalising the security framework components, it is important to ensure that all possible areas are covered. From an organisational point of view, security is not limited to information technology but extends to all other areas as well. As such, it is imperative to involve as many of the staff as possible.

Traditionally, security framework components are circulated as hard copies, either as a whole document or in parts. As you can imagine, the whole document may be long and daunting to read, so specific parts may be sent to each department to be reviewed and signed off. Nowadays, an email with the document attached tends to be more popular. Third-party security consultants may be employed to review the framework and recommend additional components that may have been missed. Here is an example:

Through a collaborative effort, a bank developed its security framework components and had all department heads sign off on the document. A third-party security review then discovered that, in the event of a power failure, the security screen in front of the tellers would not operate. It was therefore recommended that an independent power source be made available.

Note: because business environments change constantly, security frameworks should be regularly reviewed and updated.
The Chief Executive Officer (CEO) or a Security Committee may sign off on the latest version of the document.

Develop related policies and procedures

There are a number of security issues that a security policy should address, including:
- acceptable use
- information protection
- user accounts
- remote access
- network connection
- firewall management.

You can develop individual policies or include all of the above within the one security policy. The following steps are involved in developing a security policy.

Create a policy development team

A policy development team should consist of:
- IT security specialist(s)
- management representatives
- end users.

Management will be at the forefront to ensure compliance with the security policy. However, it is critical to involve users. End users often complain that they do not have access to the services they require to do their jobs and/or that the organisation is monitoring their every move. So their understanding of security issues and their input to the process are crucial for its success.

Determine specific details of each policy

The specifics of what employees can and cannot do on the network should be determined in detail for the following:
- internal systems
- Internet use
- email use.

It is also important to determine how compliance will be monitored and the penalties for non-compliance.

Write the policy

Once the policy team has agreed on the details of the policy, it needs to be written. Generally, the IT security specialist(s) will write the policy. For an example of a security policy, have a look at the 4phones Security Policy.

Review the policy

The first draft of the security policy will be reviewed by the policy team. Once the final draft is complete, the policy will need to be signed off by the IT Manager and other designated managers before it can be implemented.

Implement the policy

Any changes required to IT software and/or systems need to be made to reflect policy changes.
Every member of staff within the organisation must be advised of the existence of the security policy and must read it. They must also be advised of their responsibilities and of the penalties should they not comply with the security policy.

Making changes

Security policies should be changed whenever there is a change in the security measures adopted by the organisation. Changes to the security measures used by an organisation will generally be made in response to a newly identified threat. The same steps listed above should be followed to update existing security policies.

The disaster recovery plan

If network security is breached and a disaster occurs, you need to have documented strategies to address the immediate threat to the network. These strategies should be part of the disaster recovery plan.

Think for a moment: what would be the main disaster recovery strategies for an organisation's network security?

Strategies may include the following:
- virus-checking software should always be used to eradicate viruses
- audit trails and logs should be used to trace the source of security breaches
- the damage to the network should be identified, i.e. files that have been stolen, corrupted or accessed, and then appropriate action taken to minimise the loss or leaking of confidential information
- where there has been external unauthorised access to the network, the firewall should be audited to determine how the network was accessed, and appropriate action should be taken to 'plug' the security gap in the network
- where the email security policy has been breached, the individual's email should be audited and stored for future reference
- where the Internet security policy has been breached, the individual's Internet logs should be audited and stored for future reference
- where there has been unauthorised access to an application and fraud or sabotage has occurred, the application code should be audited to determine how security was breached, and immediate action should be taken to alter the application code
- where unauthorised access has been internal to the organisation, logon and logoff audit reports should be examined, including historical audit reports, to determine the extent of the unauthorised access. How the staff member was able to obtain access to the network or application should be determined and rectified immediately.

Activity 3

To practise developing a security plan, complete Activity 3 – Security plan development, located in the Activities section of the Topic menu.

Activities

Activity 1 – Packet sniffing

In this activity, you will download two programs to help you sniff your network. You will need a computer running MS-Windows XP Professional or MS-Windows 2000 Professional with administrative rights to install programs.

Step 1

Get WinPcap 3.1:
- go to http://www.winpcap.org/install/default.htm and click on the link to WinPcap auto-installer (driver + DLLs)
- install the program.

Step 2

Get Wireshark 0.10.14:
- go to http://www.wireshark.org/download.html and install the program.
Launch Wireshark:
- click on the Capture menu option
- click on the Options drop-down menu
- select the network interface on which to capture data packets
- in the Stop Capture section, tick and select "... after 1 minute/s"
- click on Start
- generate some traffic by doing the following:
  - open your browser and go to http://www.microsoft.com/
- after 1 minute, Wireshark will report the captured data packets.

Top section:
- examine the IP addresses of the Source and Destination
- examine the protocol used
- examine the Info column to view activities.

Middle section:
- select one line in the top section
- expand the lines in this section.

Bottom section:
- select one line in the middle section
- view the packet details, shown as hexadecimal numbers.

Step 3

Repeat this activity using:
- longer capture time periods
- more meaningful traffic-generating actions, such as:
  - download a small file from http://www.tucows.com/
  - visit a website known for giving out cookies, such as http://www.mp3.com/
  - perform a ping test in your DOS window: ping www.cisco.com
  - perform trace route tests in your DOS window: tracert www.google.com
  - log in to your Internet-based website account. Can you identify your logon username? Though encrypted, can you identify the password portion in the data packet?

Activity 2 – Identify IT assets and document threats

For this activity, you will need access to a LAN/WAN diagram from your organisation, or review the CME network diagram (739 KB 2817_activity2.pdf), or a network diagram will be provided by your teacher.

The three major network areas are the:
- core layer
- distribution layer
- access layer.

Document the possible threats and list the attack methods.
Feedback

The four classes of security threats are:
- unstructured threats – typically from inexperienced individuals using hacking tools that are freely available on the Internet
- structured threats – typically from highly competent individuals or groups who can develop and use sophisticated hacking tools to penetrate systems, usually for fraud or theft
- external threats – individuals external to the organisation, using the Internet or dial-up to access system resources
- internal threats – individuals internal to the organisation causing damage.

Attack methods include:
- reconnaissance
- access
- denial of service.

Activity 3 – Security plan development

In this activity, you will develop a security plan. Review the section in the Reading notes on Prepare Security Plan to develop your own. Use materials and documentation available within your organisation. You may modify the sample security plan to suit your organisation.

References

Print
- Gallo MA and Hancock WM, Networking Explained (2nd ed), Digital Press.
- Fundamentals of Network Security, Cisco Press.
- Northcutt S and Novak J, Network Intrusion Detection: An analyst's handbook (2nd ed), New Riders Publishing.
- Cole E, Krutz R and Conley JW, Network Security Bible, Wiley Publishing. ISBN 0-7645-7397-7.
- Morrison M and Morrison J, Database-Driven Web Sites (2nd ed), Course Technology.
- Andrews J, i-Net+ Guide to the Internet (2nd ed), Course Technology.
- Flynn N, E-Policy Best Practices, St Bernard Software, The ePolicy Institute.
- Gordan ME, The Joy of SOX, Cybertrust, Regulatory Affairs.

Internet
- DoS attacks: http://www.dcita.gov.au/__data/assets/pdf_file/41314/DoS_CIO_Executive_Summary.pdf
- Developing a security plan: http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1final.pdf

Topic quiz

This quiz will help you review the content you have learned in this topic.
Answer the questions, check the feedback at the end of each question and take note of the areas you need to review.

1. Which of the following is NOT a security attack method?
- man-in-the-middle
- access control
- trust exploitation
- session replay

Feedback
Correct! Access control is NOT a security attack method.
Incorrect. Go to the Reading notes and review the section on Identify security threats.

2. A protocol analyser is used to do what?
- rearrange the sequence numbers
- determine the layers of the OSI model
- determine the contents of a packet
- analyse the switch operating system

Feedback
Correct! A protocol analyser is used to determine the contents of a packet.
Incorrect. Go to the Reading notes and review the section on Security attack methods.

3. A network-based denial-of-service attack can best be achieved by which of the following?
- SYN flood
- power outage
- access violation
- social engineering

Feedback
Correct! A network-based denial-of-service attack can best be achieved by a SYN flood.
Incorrect. Go to the Reading notes and review the section on Security attack methods.

4. Which VPN protocol creates encrypted tunnels?
- IPSec
- PPTP
- L2FTP
- L2TP

Feedback
Correct! The IPSec protocol creates encrypted tunnels.
Incorrect. Go to the Reading notes and review the section on Virtual Private Network tunnels.

5. Payload typically refers to:
- source address
- destination address
- data
- none of the above

Feedback
Correct! Payload typically refers to data.
Incorrect. Go to the Reading notes and review the section on Identify security threats.

6. CPU hogging is most often caused by:
- Trojan horses
- email bombs
- host-based IDS
- network-based IDS

Feedback
Correct! CPU hogging is most often caused by Trojan horses.
Incorrect. Go to the Reading notes and review the section on Security attack methods.

7. Which security level is required for a high-probability and medium-impact risk?
- high
- medium
- low
- none of the above

Feedback
Correct! A high security level is required for a high-probability and medium-impact risk.
Incorrect. Go to the Reading notes and review the section on Determine hardware and software needs.
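What a protocol analyser shows (quiz question 2) and what "payload" means (question 5) are easiest to see by decoding one frame by hand, which is what Activity 1 has you do across Wireshark's three panes. The following added example is not part of the original topic: it assembles a single constructed Ethernet II / IPv4 / TCP frame (the MAC addresses, IP addresses, ports and HTTP request are invented sample values, and 203.0.113.5 is a documentation address) and decodes it into the source and destination addresses, protocol, TTL, TCP flags and payload that the top and middle panes list, verifies the IPv4 header checksum, and prints the bottom-pane style hex dump. All function names are the example's own.

```python
"""Decode an Ethernet II / IPv4 / TCP frame into the fields a protocol analyser displays (added example)."""
import socket
import struct
from typing import Any, Dict, List

# Constructed sample values (not from a real capture). 203.0.113.5 is a documentation address (RFC 5737).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
SRC_IP = "192.168.1.10"
DST_IP = "203.0.113.5"
PAYLOAD = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Assemble the constructed frame: Ethernet II header, 20-byte IPv4 header, 20-byte TCP header, payload."""
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum (left 0), urgent
    tcp_header = struct.pack("!HHIIBBHHH", 50000, 80, 1000, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_length = 20 + len(tcp_header) + len(PAYLOAD)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, 64, 6, 0,
                            socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_checksum(ip_header)) + ip_header[12:]
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip_header + tcp_header + PAYLOAD


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Return the fields shown in the analyser's top and middle panes, plus an IPv4 checksum verdict."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}; only IPv4 is decoded here")
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    ip_header = frame[14:14 + ihl]
    (_, _, total_length, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_header[:20])
    info: Dict[str, Any] = {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "ip_checksum_ok": ipv4_checksum(ip_header) == 0,  # a corrupted header no longer sums to zero
    }
    transport = frame[14 + ihl:14 + total_length]
    if proto == 6:
        src_port, dst_port, seq, ack, offset_byte, flag_byte = struct.unpack("!HHIIBB", transport[:14])
        data_offset = (offset_byte >> 4) * 4
        info.update({
            "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "flags": [name for name, bit in TCP_FLAG_BITS if flag_byte & bit],
            "payload": transport[data_offset:],          # the "data" the quiz calls the payload
        })
    return info


def hex_dump(data: bytes, width: int = 16) -> List[str]:
    """Bottom-pane style view: offset, hex bytes, printable ASCII."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:04x}  {hexpart:<{width * 3}} {text}")
    return lines


if __name__ == "__main__":
    frame = build_sample_frame()
    for key, value in decode_frame(frame).items():
        print(f"{key:>15}: {value}")
    print("\n".join(hex_dump(frame)))
```

The ASCII column of the hex dump is where the plain-text HTTP request becomes readable, which is the reason the notes treat unencrypted traffic on a shared network as a confidentiality risk and why a VPN or TLS is the mitigation rather than hoping nobody is listening.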