Richard Henson University of Worcester October 2016

Presentation transcript:

COMP3371 Cyber Security. Richard Henson, University of Worcester, October 2016

Week 3: Strategies for securing data held within digital systems. Objectives: explain tensions in principles of maintaining data confidentiality, integrity, availability; devise a security strategy for users in terms of using technical controls to protect access to resources, services and information; explain that total security is a myth: people are people, and computer technology is constantly evolving…

CIA in practice. C = confidentiality, A = availability. Tension between them… responsibility to keep data secure, but people usually want data NOW!!! and security controls get in the way.

Maintaining Data Integrity. Personal or sensitive data needs to be protected against copying/modifying. Up to the organisation to choose an appropriate strategy: may be happy to just use the Microsoft domain model… but “read only” files could be changed (!); should monitor for changes (event viewer).
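
The slide's point that a “read only” flag does not guarantee integrity, as an added example (not from the original slides): a content-hash baseline reports the edit even though the flag is back in place afterwards. The file names and the temporary directory are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash file contents in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def take_baseline(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report what differs between the stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: a read-only file is edited and re-flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        payroll = root / "payroll.csv"  # hypothetical file name
        payroll.write_text("alice,30000\n")
        (root / "notes.txt").write_text("unchanged\n")
        os.chmod(payroll, stat.S_IREAD)
        baseline = take_baseline(root)
        os.chmod(payroll, stat.S_IREAD | stat.S_IWRITE)  # owner lifts the flag
        payroll.write_text("alice,90000\n")
        os.chmod(payroll, stat.S_IREAD)  # flag restored after the edit
        report = compare(baseline, take_baseline(root))
        report["read_only_flag_set"] = not payroll.stat().st_mode & stat.S_IWRITE
        os.chmod(payroll, stat.S_IREAD | stat.S_IWRITE)  # allow temp cleanup
        return report

if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored where the people who can edit the monitored files cannot also rewrite it.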

The Client-Server LAN Model. Excellent way to centralise and control organisational resources. Client can still hold resources: a lot (workstation) or not much (thin client); better if on a server, accessible to all. Microsoft LAN model: domain.

Request and response. All network users get access via clients. 1. Client requests information… 2. Server processes the request, sends a response back to the client.

Principle of security “controls”. Any method used to protect organisational data against being compromised… Technical controls use hardware and software to protect data; people controls provide procedures for people to follow to protect data; management controls provide procedures for those managing data users.

Technical Controls on Data. Technologies for safe: transport… wired or wireless; processing… secure CPU/memory; storage… Purpose: protect network resources from attacks and accidental loss of data.

Useful Background Knowledge (from level 1 & 2 modules): client-server networking; Windows security model; standards & ISO/OSI; packet switching & TCP/IP; Windows web servers and browsers; virtualisation.

Security of Data on the move: Internal networks. Most organisational computers regularly interchange data. Data could in theory be copied (although not destroyed) by being intercepted as it passes between computers: through use of e/m waves (easy); in copper cables (difficult); in optical fibre cables (very difficult). The organisation therefore needs to be vigilant…

Security and copper cables. UTP (Unshielded Twisted Pair) cable is cheap, but not totally secure: electricity passing through a cable creates a magnetic field… which can then be intercepted and used to recreate the original signal… Shielding stops the magnetic field spreading out. STP (Shielded Twisted Pair) cabling is available but more expensive…

Security, cost and Fibre Optic Cables. Fibre is more secure than even shielded copper: digital data is transmitted as a high intensity light beam; no associated magnetic field; data can’t be “tapped”. Can carry much more data than twisted pair, but: cost… of cables… of installation…

Discussion. Which to choose: UTP, STP, optical fibre? Cost v risk balancing act for: small network, e.g. home/microbusiness; medium size network, e.g. business with 50 employees; large network, with multisite operation.

What about Radio Waves? Ideal? No unsightly cables; mobile availability; cheap! Standard radio waves don’t carry much data (i.e. low bandwidth). Need to be high frequency… close to microwave frequency.

E/m Wave systems. Easy to install: no cabling needed, just signal boosters. BUT… without encryption & authentication, not secure at all! Can be received by anyone within range and with the right equipment; especially easy to pick up if transmitted as “fixed spectrum”. “Spread spectrum” radio waves can only be picked up by equipment that can follow the changes in frequency; such equipment is MUCH more expensive…

Security and Network Hardware. Very small networks may use peer-peer networking and cabling/wireless: same arguments, same dangers… Whatever the size, networks use hubs, switches, and router(s) to connect everything and link to the Internet: data will be stored on these devices before forwarding; plenty of hacks started by compromising a router!

Standard Internet Protocols and Security. Early Internet: users were military personnel, research centre admin, etc., all security vetted. Protocols were not designed with security in mind; they were about getting data safely & reliably from one place to another. OSI model ordered protocols into a 7-layer stack: based on TCP and IP protocols; user system security already built in at the session layer; no inherent security for data on the move.

Network-Network Connectivity. Most networks now use TCP/IP for Internet connectivity, based on digital data sent in 1000 byte chunks called “packets”. Any intelligent device with an IP address and connected to the Internet is theoretically visible across the network/Internet; otherwise, packets couldn’t be navigated to it!

Navigating Data within a TCP/IP network. Data on a network device could be: located using the device IP address; copied to another IP address on the network. Just need: access via computer; an appropriate network protocol (e.g. NFS – network file system, part of the TCP/IP suite). It really is as simple as that!!!

Copying, Changing, or Deleting Data on a networked computer. Data could be tapped in exactly the same way on any computer on the Internet! It must have an IP address to participate on the Internet; packets going to that computer have a destination IP address in the header, and headers can easily be read. NFS can be used to manage data remotely on that computer, which could include copying or (perhaps worse) deleting that data, or even BOTH.
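
An added example (not from the original slides) of how little it takes to read the addressing fields the slide mentions: the parser below decodes a constructed IPv4 header whose payload is opaque bytes, which is why protecting the payload alone leaves source and destination visible. The addresses are from the documentation ranges and the packet is built inline.

```python
import ipaddress
import struct

IPV4_FIXED = "!BBHHHBBH4s4s"  # the 20-byte header without options

def checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet: IPv4 header, protocol 6 (TCP), TTL 64."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, 64, 6, 0,
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(IPV4_FIXED, *fields))
    return struct.pack(IPV4_FIXED, *fields) + payload

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the cleartext header fields; the payload is returned untouched."""
    if len(raw) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FIXED, raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto,
        "ttl": ttl,
        "total_length": total_len,
        "header_length": ihl,
        "checksum_ok": checksum(raw[:ihl]) == 0,  # valid headers sum to zero
        "payload": raw[ihl:total_len],
    }

if __name__ == "__main__":
    sample = build_sample_packet("192.0.2.10", "198.51.100.7", b"\x8f\x02\xaa\x51")
    print(parse_ipv4_header(sample))
```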

Technologies for Implementing Security Controls. Security means Protecting DATA!... The rest of this session focuses on ensuring the security of data on network devices, and associated storage: hard disks, flash memory & CDs; digital backup tapes; USB sticks…

Client-Server Network: do’s and don'ts for administrators. Only allow authorised (and TRUSTED) users to gain access to the network; ensure users are always properly authenticated. Only allow network administrators to have full access. Monitor the network continually to provide alerts that unauthorised access is being sought. Encrypt data that will be sent through UTP cables and/or held on computers that are connected to the Internet. When using the www, use secure versions of network protocols and/or tunnelling protocols to encapsulate and hide data.

The Virtual Private Network. Secure sending of data through the Internet. Only use a restricted and very secure set of Internet routers. No IP address broadcasting, because all packets use the same route. IP tunnelling protocol encapsulates data; normal Internet users will therefore not be able to see the sending, receiving, or intermediate IP addresses. Data sent is encrypted. Potential hackers don’t get a look in!

Encryption/Decryption. Technique of changing digital data in a mathematically reversible way. Makes it impossible to get at the information… data representing it is scrambled. Coding data is not new… been happening for millennia; many clever techniques involved. Encryption studies: cryptography.

Types of Network Hardware. Data can be captured between devices… could also be copied/compromised on any device with processing ability. Devices categorised into two types: end devices (for input or output); connecting devices (passing data on…).

Addressing and Network Devices. Addressing possible at two of the OSI software levels/layers: hardware-compatible layer uses MAC addresses; Internet-compatible layer uses IP addresses. ARP (Address Resolution Protocol) converts addresses from IP to MAC.

End Devices: computers; dumb terminals; printers; VOIP phones; scanners; anything that inputs or outputs…

Connecting Devices: routers, switches, hubs & repeaters. Routers: computers with two network cards; work with IP addresses (OSI layer 3). Switches: also two network cards; work with MAC addresses (OSI layer 2). Hubs & repeaters: no processing but can boost signals.

Connecting Devices & Configuration. One of the keys to security… Routers & switches often configured via Windows interface: fine for small, simple changes. More complex changes need a command line interface (CLI).

Simulating a Network. CISCO software: Packet Tracer. Drag and drop tool used for planning networks; very useful also for finding out about networks! Practical after the break…

A Simulated Domain in action… using Packet Tracer. Also download CISCO Packet Tracer for your own use… http://getintopc.com/softwares/network/cisco-packet-tracer-6-1-free-download/