
Copyright 1997, The University of New Mexico

The University of New Mexico


Top Schools in Ghaziabad
By:
school.edhole.com
Security Fundamentals
What is security?
Why do I need security?
Levels of security
Some scenarios
Security Policy
What is Security?
Procedures that protect
you, your employees, and your peers
Paper or electronic media
Hardware, software, and networks
Protect from damage, theft, or change
What is Security?
Protect assets and resources against
Human error
Intruders from outside
Dishonest employees
Technical sabotage
Why do I Need Security?
Typical bank robbery: $9000
Typical embezzlement or white collar crime:
$25,000
Typical electronic crime: $650,000
Why do I Need Security?
Name a company, it's been broken into
What does this cost a year? (Estimate $5 billion)
17% of US companies had losses due to lack of
security
CERT reports a 77% increase in computer break-ins
from 1994-1995
It is estimated that 85%-97% of computer
intrusions go undetected
Why do I Need Security?
Statistics (Who is breaking into you)
Current employees 81%
Former employees 6%
Outsiders 13%
Why do I Need Security?
Statistics (What are they doing)
Alteration of information 12%
Theft of service 10%
Trespass 2%
Money theft 44%
Theft of information 16%
Damage to software 16%
Why do I Need Security?
Statistics (Damage to data)
Dishonest employees 10%
Terrorism 3%
Technical sabotage 10%
Water 10%
Fire 15%
Human error 55%
Why do I Need Security?
The growth of the internet and client/server
applications has moved more business data onto
the network. This means more to lose if that data
is tampered with or stolen.
Internetworking is great for data sharing but
decreases security.
Why do I Need Security?
Protect yourself from an attack on your account or
network
Protect others from being attacked by your account
or network
Disaster recovery
Levels of Security
The United States Department of Defense has
defined 7 levels of computer OS security in a
document known as the Trusted Computer
Standards Evaluation Criteria.
The levels are used to define different levels of
protection for hardware, software, and stored
information.
The system is additive - higher ratings include the
functionality of the levels below.
Levels of Security
D1 is the lowest form of security available and
states that the system is untrusted
A D1 rating is never awarded because this is
essentially no security at all
Levels of Security
C1 is the lowest level of security.
The system has file and directory read and write
controls and authentication through user login.
However, root is considered an unsecure function
and auditing (system logging) is not available.
Most Unix machines would be classified as C1.
Levels of Security
C2 features an auditing function to record all
security-related events and provides stronger
protection on key system files, such as the
password file.
Most Unix machines have the capability with
addition of software to become C2 compliant.
Levels of Security
B1 supports multi-level security, such as secret and
top secret, and mandatory access control, which
states that a user cannot change permissions on
files or directories
B2 requires that every object and file be labeled
according to its security level and that these labels
change dynamically depending on what is being
used.
Levels of Security
B3 extends security levels down into the system
hardware; for example, terminals can only connect
through trusted cable paths and specialized system
hardware to ensure there is no unauthorized access
A1 is the highest level of security validated
through the Orange Book. The design must be
mathematically verified; all hardware and software
must have been protected during shipment to
prevent tampering.
Types of Attacks?
A fire burned in an office. The fire destroyed all
software, the computer, and most of the files. The
office was that of the departmental administrator
who did grades, budgets, and contract functions.
Prevention?
What to do?
Disaster Recovery Plan
Backup policy
Steps to be taken when you have a disaster
Contact names
Disaster Recovery (Backups)
Create a backup policy
There are 2 reasons to do backups
Recovery of accidentally deleted files
Disaster recovery
Follow your policy and take backups regularly.
Verify these backups at some interval.
Keep backups off-site
Backups
Purchase good software and hardware for backups
Decide on which data to backup and on what
interval
Get a routine
Daily, weekly, and monthly
Full and Incremental
Disaster Recovery (Recovery)
What do you do when you have a major disaster?
Don't panic
Remember you have good backups
Follow your plan (You did write up a plan for this
right?)
Types of Attacks?
In an open, well traveled, multi-cubicle office you
have financial resource access that you must
transfer to your network departmental computer.
How do you perform your work on the mainframe,
Novell and your PC while doing other clerical
duties that often take you from your desk?
Without compromising your data?
Protection from Theft or Change
Risk analysis
What are the potential risks?
Who wants to see this data?
Who wants to change this data?
Possible attacks from inside?
You must create a security policy!
Protection from Theft or Change
Protect from the public wandering the area
Keep good passwords and screen savers with
passwords
Types of Attacks
Using commonly accessible hacker tools your
password is guessed and somebody uses your
account to then break into another account.
Prevention?
What to do?
Password Hacker (Prevention)
Good password
Change it often
Watch the last time logged in info (Unix)
Monitor for new and changed files, things you
didn't do
Passwords (User)
Don't panic
Change your password
Contact your security administrator
Get help looking for back doors left by the intruder
such as your .rhosts file under Unix
Continue to monitor for new and changed files,
things you didn't do
Passwords (Security Admin)
Continue to monitor for new and changed files,
things the user didn't do
Look for back doors left behind by the intruder
such as the .rhosts file
Check the password file for new accounts
Look for other sites the user went to. Contact
those sites and let them know that they have a
hacker.
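An added example, not part of the original slides: one way to carry out the two checks above, comparing the password file against a saved baseline and reviewing a .rhosts file. The sample file contents, host names and function names are constructed for illustration.

```python
# Constructed sample data: a saved baseline, the current file, one .rhosts.
BASELINE = ("root:x:0:0:root:/root:/bin/sh\n"
            "jdoe:x:1001:100:J Doe:/home/jdoe:/bin/sh\n")
CURRENT = BASELINE + "sysadm:x:0:0::/tmp:/bin/sh\n"
RHOSTS = "lab1.example.edu jdoe\n+ +\nbox.example.net jdoe\n"

def parse_passwd(text):
    """Map account name -> UID for each well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            accounts[fields[0]] = int(fields[2])
    return accounts

def review_passwd(baseline, current):
    """Return (accounts added since baseline, non-root accounts with UID 0)."""
    old, new = parse_passwd(baseline), parse_passwd(current)
    added = sorted(set(new) - set(old))
    extra_root = sorted(n for n, uid in new.items() if uid == 0 and n != "root")
    return added, extra_root

def review_rhosts(text, trusted_hosts):
    """Flag wildcard entries and hosts the administrator does not recognise."""
    findings = []
    for line in text.splitlines():
        entry = line.split("#")[0].split()
        if not entry:
            continue  # blank line or comment
        host = entry[0]
        user = entry[1] if len(entry) > 1 else ""
        # A leading "+" in either field is a wildcard (any host or any user).
        if host.startswith("+") or user.startswith("+"):
            findings.append(("wildcard", line.strip()))
        elif host not in trusted_hosts:
            findings.append(("unknown host", line.strip()))
    return findings

if __name__ == "__main__":
    print(review_passwd(BASELINE, CURRENT))
    print(review_rhosts(RHOSTS, {"lab1.example.edu"}))
```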
Passwords (Security Admin)
Have accounting turned on so you can track the
commands this person ran
Contact your vendor for patches for any security
holes that might have been exploited
Search the web and news groups for security info
(Remember this is where the hackers get their info
also)
Passwords
DON'T use your login name in any form (as is,
reversed, capitalized, doubled, etc.)
DON'T use your first, middle, or last name in any
form or use your spouse's or child's name
DON'T use other information easily obtained about
you. This includes license plate numbers, telephone
numbers, social security numbers, the make of
your automobile, the name of the street you live on,
etc
Passwords
DON'T use a password of all digits, or all the same
letter
DON'T use a word contained in English or foreign
language dictionaries, spelling lists, or other lists of
words
DON'T use a password shorter than six characters
Passwords
DO use a password with mixed-case alphabetics
DO use a password with non-alphabetic characters
(digits or punctuation)
DO use a password that is easy to remember, so
you don't have to write it down
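An added example, not part of the original slides: the DON'T and DO rules above written as a checker that reports which rules a candidate password breaks. The tiny word list and all sample values are constructed; a real check would load full dictionary files.

```python
import re

# Constructed mini word list; a real check would load full dictionary files.
SAMPLE_WORDS = {"password", "dragon", "secret", "welcome", "monkey"}

def _squash(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def password_problems(password, login, personal=(), words=SAMPLE_WORDS):
    """Return the slide rules this password breaks (empty list = acceptable)."""
    problems = []
    low, name = password.lower(), login.lower()
    # Lowercasing covers "capitalized"; substring match covers "doubled".
    if name and (name in low or name[::-1] in low):
        problems.append("contains login name")
    # Names, phone numbers, plates: compare with punctuation removed.
    if any(len(_squash(p)) >= 3 and _squash(p) in _squash(password)
           for p in personal):
        problems.append("contains personal information")
    if password.isdigit():
        problems.append("all digits")
    if password and len(set(low)) == 1:
        problems.append("all the same letter")
    if low in words:
        problems.append("dictionary word")
    if len(password) < 6:
        problems.append("shorter than six characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("no mixed case")
    if not any(not c.isalpha() for c in password):
        problems.append("no non-alphabetic character")
    return problems

if __name__ == "__main__":
    for candidate in ("Tr4il-Mix!", "htimsJ99", "123456", "dragon"):
        print(candidate, password_problems(candidate, "jsmith"))
```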
Types of Attacks
You are sitting in your office when your mail
server becomes unreachable. You eventually have
to reboot the machine because it has locked up. An
hour later it happens again. This time you notice
some weird network behavior right before it locks
up.
Denial of Service Attacks
SYN attacks take advantage of an inherent problem
in TCP/IP, and can cause a machine or a specific
port on the machine to stop responding
PING Floods can bring down your entire network
Any attack designed to make a service unusable
Denial of Service Attacks
A firewall can block most denial of service attacks
A router can also be used to hand block the IPs
that are doing the denial of service
Contacting your Internet Service provider to have
them trace and block the attack
Denial of service attacks can be difficult to stop
Types of Attacks
Your PC on your desk begins acting strangely, files
are disappearing and it keeps locking up. You do a
virus scan and find you have a virus.
Prevention?
What to do?
Viruses (Symptoms)
Erratic behavior
Slow performance
Strange activity
Dropping letters, file name changes, etc.
Lost files or directories
Positive report from your antiviral scanner
Viruses (Prevention)
Have a good backup. For some reason viruses
appear less when they know there is a backup
Scan all new floppies
Scan your system daily
Don't allow home disks to be used without proper
scanning
Viruses (What to do)
DON'T PANIC
Use your antiviral tools
Remember you have backups
Contact your Security Administrator if you need
help
Types of Attacks
A student brings you a list of accounts and
passwords that she found in a computer pod lying
by a PC. They appear to have been gotten with a
sniffer.
Prevention?
What to do?
Sniffer (Prevention)
Make sure publicly accessible PCs are protected in
some way
Don't let normal users install packages on them
Make each user sign up to use the PC
Authenticate the user before they are allowed to use the
PC
This will help you track who did what if something
does happen
Sniffer (Prevention)
Having a security policy will make it possible to
take action against parties that run sniffers
Remember that a sniffer can only watch its leg of a
switched network and can't watch across a router
either
There are vendors that provide Secure connections
to Unix hosts. Probably to other hosts as well.
Sniffer (What to do)
Contact the list of users and have them change their
passwords
Begin monitoring that list of users to see if
anybody attempts to break into those accounts
Security Policy
The first rule of security is basically whatever you
did not expressly say I could not do I am allowed
to do.
A good security policy should start by denying all
access and then expressly add back access for
specific needs.
Consider the goals and the mission of your site
A military site will have different requirements than an
educational site, as well as departments within each site
Security Policy
The site policy will have to conform with existing
policy so identify any existing policy before you
begin.
You will need to address the global picture in the
policy by addressing not only security issues
developing at your local site from remote users but
security issues caused by your local users on a
remote site.
Security Policy
Policy creation should be done by many different
people within the organization such as decision
makers, technical people, and the end user.
A site security policy which is unusable,
unimplementable, or unenforceable is useless.
Security Policy
Create a list of assets that need to be protected
Hardware
Software
Data
Documentation
Supplies
Risk Assessment
What are your risks?
What type of data are you protecting?
What are you protecting it from?
There are companies and consultants that can do this for
you
Risk Assessment
The process of examining all of your risks, and
ranking those risks by level of severity.
This process involves making cost-effective
decisions on what you want to protect.
Risk Assessment - Possible Risks
Unauthorized usage
Unavailable service
Theft of data
Risk Assessment
Use a scheme to weight the risks against the
importance of the data.
This will allow the policy to be tailored towards
what you need to protect most.
Acceptable Use
Who can use?
What can they use it for?
Who can grant use?
Resource consumption?
What is abuse of the systems?
Users permitted to share accounts?
Who provides backups?
Acceptable Use
Email privacy?
Policy on obscenity?
Policy on mail forgery?
What else?
Who will interpret this policy? A committee or a
person or?
Auditing
Use the tools on your machines to look at log files
Check for non standard times for users to log in
Check for users logging in from different sites than
normal
Check for failed logins
Check for a large number of error messages
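An added example, not part of the original slides: the login checks above run over a few log records. The record format, the host names, the 07:00-19:00 working hours and the failure threshold are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records: "date time user source-host result".
SAMPLE_LOG = """\
1997-03-03 09:02 alice lab1.example.edu OK
1997-03-03 09:40 bob lab2.example.edu OK
1997-03-04 02:13 alice dialup7.example.net OK
1997-03-04 02:15 carol lab3.example.edu FAIL
1997-03-04 02:15 carol lab3.example.edu FAIL
1997-03-04 02:16 carol lab3.example.edu FAIL
1997-03-04 10:05 bob lab2.example.edu FAIL
""".splitlines()

# Assumed baseline of the hosts each user normally logs in from.
USUAL_HOSTS = {"alice": {"lab1.example.edu"}, "bob": {"lab2.example.edu"},
               "carol": {"lab3.example.edu"}}

def audit(lines, usual_hosts, work_hours=(7, 19), max_failures=3):
    """Flag off-hours logins, logins from unusual sites, repeated failures."""
    odd_time, odd_site, failures = [], [], Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        date, clock, user, host, result = parts
        try:
            when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
        except ValueError:
            continue  # unparseable timestamp
        if result == "FAIL":
            failures[user] += 1
            continue
        if not work_hours[0] <= when.hour < work_hours[1]:
            odd_time.append((user, when))
        if host not in usual_hosts.get(user, set()):
            odd_site.append((user, host))
    noisy = sorted(u for u, n in failures.items() if n >= max_failures)
    return {"odd_time": odd_time, "odd_site": odd_site, "failed": noisy}

if __name__ == "__main__":
    for check, hits in audit(SAMPLE_LOG, USUAL_HOSTS).items():
        print(check, hits)
```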
Review
If you don't review you will get passed by with the
latest way to be broken into.
At a specific interval you should review and
reassess your risk.
Things change often!