
2 Securityfundamentals

The document outlines the fundamentals of security in the context of the Internet, emphasizing the need for confidentiality, integrity, and availability of information. It discusses key concepts such as access control, authentication, authorization, and accountability, as well as the importance of risk assessment and the development of effective security policies. Additionally, it highlights various threats, vulnerabilities, and motivations behind attacks on information systems.


6/20/17

Security Tutorial @ TWNOG

SECURITY FUNDAMENTALS

Why Security?
• The Internet was initially designed for connectivity
– Trust is assumed, no security
– Security protocols added on top of the TCP/IP
• Fundamental aspects of information must be protected
– Confidential data
– Employee information
– Business models
– Protect identity and resources
• The Internet has become fundamental to our daily activities
(business, work, and personal)


Internet Evolution

[Figure: stages of Internet evolution]
• LAN connectivity
• Application-specific, more online content
• Application/data hosted in the “cloud”

Different ways to handle security as the Internet evolves

Goals of Information Security


SECURITY
• Confidentiality
– prevents unauthorized use or disclosure of information
• Integrity
– safeguards the accuracy and completeness of information
• Availability
– authorized users have reliable and timely access to information


Access Control
• The ability to permit or deny the use of an object by a
subject.

• It provides 3 essential services:


– Authentication (identification of a user)
– Authorization (who is allowed to use a service)
– Accountability (what did a user do)

Authentication
• A means to verify or prove a user’s identity
• The term “user” may refer to:
– Person
– Application or process
– Machine or device
• Identification comes before authentication
– Provide username to establish user’s identity
• To prove identity, a user must present any of the following:
– What you know (passwords, passphrase, PIN)
– What you have (token, smart cards, passcodes, RFID)
– Who you are (biometrics such as fingerprints and iris scan, signature or voice)


Examples of Tokens

• RFID cards
• eToken
• Smart Cards
• Fingerprint scanner

Trusted Network
• Standard defensive-oriented technologies
– Firewall – first line of defense
– Intrusion Detection – second line of defense

• Build TRUST on top of the TCP/IP infrastructure


– Strong authentication
• Two-factor authentication
• something you have + something you know
– Public Key Infrastructure (PKI)


Strong Authentication
• An absolute requirement
• Two-factor authentication
– Passwords (something you know)
– Tokens (something you have)
• Examples:
– Passwords
– Tokens
– Tickets
– Restricted access
– PINs
– Biometrics
– Certificates

Two-factor Authentication
• Requires a user to provide at least two authentication ‘factors’ to prove his identity
– something you know: username/userID and password
– something you have: token using a one-time password (OTP)
• The OTP is generated using a small electronic device in physical
possession of the user
– Different OTP generated each time and expires after some time
– An alternative way is through applications installed on your mobile device
• Multi-factor authentication is also common


Authorization
• Defines the user’s rights and permissions on a system
• Typically done after user has been authenticated
• Grants a user access to a particular resource and what actions
he is permitted to perform on that resource
• Access criteria based on the level of trust:
– Roles
– Groups
– Location
– Time
– Transaction type

Authentication vs. Authorization


[Diagram labels: Client, Authentication Mechanism, Authorization Mechanism, Service]

“Authentication simply identifies a party, authorization defines whether they can perform certain action” – RFC 3552


Accountability
• The security goal that generates the requirement for actions
of an entity to be traced uniquely to that entity
– Senders cannot deny sending information
– Receivers cannot deny receiving it
– Users cannot deny performing a certain action
• Supports nonrepudiation, deterrence, fault isolation,
intrusion detection and prevention, and after-action recovery
and legal action
Source: NIST Risk Management Guide for
Information Technology Systems

Integrity
• Security goal that generates the requirement for protection
against either intentional or accidental attempts to violate
data integrity
• Data integrity
– The property that data has when it has not been altered in an
unauthorized manner
• System integrity
– The quality that a system has when it performs its intended function
in an unimpaired manner, free from unauthorized manipulation
Source: NIST Risk Management Guide for
Information Technology Systems


Risk, Threats, and Vulnerability


• Threat
– Any circumstance or event with the potential to cause harm to a
networked system
• Vulnerability
– A weakness in security procedures, network design, or
implementation that can be exploited to violate a corporate security
policy

• Risk
– The possibility that a particular vulnerability will be exploited

Threat
• “a motivated, capable adversary”
• Examples:
– Human Threats
• Intentional or unintentional
• Malicious or benign
– Natural Threats
• Earthquakes, tornadoes, floods, landslides
– Environmental Threats
• Long-term power failure, pollution, liquid leakage


Vulnerability
• A weakness in security procedures, network design, or
implementation that can be exploited to violate a corporate
security policy
– Software bugs
– Configuration mistakes
– Network design flaw
– Lack of encryption
• Where to check for vulnerabilities?
• Exploit
– Taking advantage of a vulnerability

Risk
• Likelihood that a vulnerability will be exploited
• Some questions:
– How likely is it to happen?
– What is the level of risk if we decide to do nothing?
– Will it result in data loss?
– What is the impact on the reputation of the company?

• Categories:
– High, medium or low risk
• Risk = Threat * Vulnerability (* Impact)


What are Security Goals?


• Controlling Data Access
• Controlling Network Access
• Protecting Information in Transit
• Ensuring Network Availability
• Preventing Intrusions
• Responding to Incidents

Goals are Determined by


• Services offered vs. security provided
– Each service offers its own security risk
• Ease of use vs. security
– Easiest system to use allows access to any user without password
• Cost of security vs. risk of loss
– Cost to maintain

Goals must be communicated to all users, staff, managers,
through a set of security rules called “security policy”


Causes of Security Related Issues

• Protocol error
– No one gets it right the first time
• Software bugs
– Is it a bug or feature?
• Active attack
– Target control/management plane
– Target data plane
– More probable than you think!
• Configuration mistakes
– Most common form of problem

Why Worry About Security?


• How much you worry depends on risk assessment analysis
– Risk analysis: the process of identifying security risks, determining
their impact, and identifying areas requiring protection
• Must compare need to protect asset with implementation
costs
• Define an effective security policy with incident handling
procedures


Characteristics of a Good Policy


1. Can it be implemented technically?
2. Are you able to implement it organizationally?
3. Can you enforce it with security tools and/or sanctions?
4. Does it clearly define areas of responsibility for the users,
administrators, and management?
5. Is it flexible and adaptable to changing environments?

RFC 2196 - http://www.ietf.org/rfc/rfc2196.txt

Impact and Consequences


• Data compromise
– Stolen data
– can be catastrophic for a financial institution
• Loss of data integrity
– Negative press or loss of reputation (bank, public trust)

• Unavailability of resources
– The average amount of downtime following a DDoS attack is 54 minutes
– The average cost of one minute of downtime due to DDoS attack is
$22,000*
* Based on a Ponemon Institute study (2012)


Attack Motivation
• Criminal
– Criminals who use critical infrastructure as a tool to commit crime
– Their motivation is money
• War Fighting/Espionage/Terrorist
– What most people think of when talking about threats to critical
infrastructure
• Patriotic/Principle
– Large groups of people motivated by a cause, be it national pride or a
passion, aka Anonymous

Attack Motivation
• Nation States want SECRETS
• Organized criminals want MONEY
• Protesters or activists want ATTENTION
• Hackers and researchers want KNOWLEDGE

Source: NANOG60 keynote presentation by Jeff Moss, Feb 2014


The Threat Matrix

[Figure: matrix with quadrants Opportunistic hacks, Advanced Persistent Threats, Joy hacks, Targeted attacks; axis: Degree of Focus]


Thank You!
END OF SESSION
