Richard Henson University of Worcester October 2019

COMP3371 Cyber Security

Week 2: "Defensive Security"
Strategies for securing data held within digital systems

Objectives:
- Explain tensions in the key principles of maintaining data confidentiality, integrity and availability
- Devise a security strategy for users in terms of using technical controls to protect access to resources, services and information
- Explain that total security is a myth; people are people, and computer technology is constantly evolving...

CIA in practice... (1)
Generally about:
- C = Confidentiality: "Secure it!"
- A = Availability: "Want it NOW!"
[Slide diagram: "Secure it!" and "Want it NOW!" both pulling on the same Data]

CIA in Practice... (2)
Massive tension:
- network managers: responsibility to keep data secure (CONFIDENTIALITY)
- users: just want data... NOW!!! (AVAILABILITY)
  - security controls just get in the way

The "I" in the middle
Maintaining data integrity
- Enforced by law: personal or sensitive data MUST be protected against copying/modifying
- Recently tightened up (GDPR): big fines possible!
- Users need to be aware of the data/information dichotomy!

IS Policy and CIA (1)
As CIA is the key to good cyber security, all three aspects should be basic to IS policy:
- C: good security of network data
- I: as above
- A: back-end systems should work efficiently with desktops and have excellent backups

IS Policy and CIA (2)
Data needs to be looked after!!
- Technical responsibility: network engineers need to make sure data is looked after by systems; boundaries need to be protected against malicious data
- Management responsibility: need to make sure data is looked after by appropriately trained people

Policy and Strategy
- Strategy: plans for the future
- Policy: the means for implementing the strategy
To manage CIA properly, strategy must come first! Policy should follow...

Strategy: (1) protects data, (2) enables users to do their jobs
Up to the organisation to choose how to do this:
- Login for each user: ESSENTIAL
  - necessary for accountability
  - immediate issue for "start-ups"
- ESSENTIAL for users to get appropriate system access to do their job
  - Who decides what is appropriate? How?

Implementing Strategy...
Usual technical option:
- network devices linked together
- provide access to the Internet for all linked devices through a server (Internet Gateway)
- Software (either/or): Windows networks, or some form of Unix/Linux

Principle of security "controls"
Any method used to protect organisational data against being compromised:
- technical controls use hardware and software to protect data
- people controls provide procedures for people to follow to protect data
- management controls provide procedures for those managing data users

Technical Controls
Ways to protect the data once users have logged in:
- Login is a management control implemented through technical means!
- Password use is a user control, which is assisted by technical rules (e.g. length and "complexity" of password)

Client-server or Peer-to-peer?
- Client-server essential unless small number of devices (<8)
- May be happy to just use the Microsoft domain model, but have in mind the weakness that "read only" files could be changed (!)
- Essential to monitor for changes via server logging (Event Viewer): makes users accountable

Features of Client-Server LANs
- Centralised server(s) control user access, via login to the system, to the organisational resources they need
- Client end can still hold resources in memory and secondary storage: a lot (workstation) or not much (thin client)

Request and response
All network users get access via clients:
1. Client requests information
2. Server processes the request, sends a response back to the client

Technical Controls on Data
Technologies for safe:
- transport: wired or wireless
- processing: secure CPU/memory
- storage
Purpose: protect network resources from attacks and accidental loss of data

Domains: basic hardware infrastructure
Basic principle:
- resources and security controlled via server(s) and accessible to all
- everything needs at least one backup
Plan hardware and connectivity first; software could be Windows or Unix/Linux

Microsoft Implementation
Microsoft domains:
- server(s) set up first
- clients attached physically & logically to server
- users controlled through policy files on server(s)

Types of Network Hardware
Devices categorised into two types:
- end devices (for input or output)
- connecting devices (passing data on...)
[Slide diagram: End device - Connecting device - End device]

Addressing and Network Devices
Addressing is possible at two of the OSI software levels/layers:
- hardware-compatible layer uses MAC addresses
- Internet-compatible layer uses IP addresses
ARP (Address Resolution Protocol) converts addresses from IP to MAC
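A small defender's check on the IP-to-MAC bindings that ARP produces, added here as an example and not part of the lecture slides. It reads a constructed ARP table (the format, the `ArpEntry` type and the function names are this example's own) and flags any IP that more than one hardware address has claimed, since on a healthy LAN each IP should resolve to exactly one MAC:

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// ArpEntry is one observed IP-to-MAC binding, as an ARP reply or a switch's
// ARP table would report it. The type and field names are this example's own.
type ArpEntry struct {
	IP  string
	MAC string
}

// SampleArpTable is a constructed sample (not captured from a real network):
// the last line shows a second MAC answering for the router's address.
const SampleArpTable = `# constructed sample ARP table
192.168.2.1   00:11:22:33:44:01
192.168.2.22  00:11:22:33:44:22
192.168.2.23  00:11:22:33:44:23
192.168.2.1   AA:BB:CC:DD:EE:FF`

// ParseArpLines parses lines of the form "<ipv4> <mac>", skipping blank lines
// and # comments, and rejects anything that is not a valid address pair.
func ParseArpLines(text string) ([]ArpEntry, error) {
	var entries []ArpEntry
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		ip := net.ParseIP(fields[0])
		if ip == nil || ip.To4() == nil {
			return nil, fmt.Errorf("bad IPv4 address in %q", line)
		}
		mac, err := net.ParseMAC(fields[1])
		if err != nil {
			return nil, fmt.Errorf("bad MAC in %q: %v", line, err)
		}
		// Normalise both sides so "AA:BB" and "aa:bb" compare equal.
		entries = append(entries, ArpEntry{IP: ip.String(), MAC: mac.String()})
	}
	return entries, nil
}

// ConflictingIPs returns, sorted, every IP that more than one MAC has claimed.
// A second answer for the same IP (especially the router's) is worth a look.
func ConflictingIPs(entries []ArpEntry) []string {
	macsByIP := map[string]map[string]bool{}
	for _, e := range entries {
		if macsByIP[e.IP] == nil {
			macsByIP[e.IP] = map[string]bool{}
		}
		macsByIP[e.IP][e.MAC] = true
	}
	var conflicts []string
	for ip, macs := range macsByIP {
		if len(macs) > 1 {
			conflicts = append(conflicts, ip)
		}
	}
	sort.Strings(conflicts)
	return conflicts
}

func main() {
	entries, err := ParseArpLines(SampleArpTable)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, ip := range ConflictingIPs(entries) {
		fmt.Printf("ALERT: %s is claimed by more than one MAC address\n", ip)
	}
}
```

Run against the sample, the check reports 192.168.2.1 only; feeding it the output of a real ARP table (after converting it to the two-column form) makes the same check useful on a small LAN.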

End Devices
- Computers
- Dumb terminals
- Printers
- VoIP phones
- Scanners
- Anything that inputs or outputs...

Connecting Devices
- Routers or Firewalls: computers with two network interfaces
  - routers use IP addresses (OSI layer 3)
  - firewalls also use TCP ports (layer 4)
- Switches: also two network cards; work with MAC addresses (OSI layer 2)
- Hubs & Repeaters: no processing, but can boost signals

Switches
Handle network traffic efficiently within a LAN:
- provide cabled connectivity between server/router and user device
- software control using the IEEE 802.3 (Ethernet) standard
- physical layer: transfer of electrical signals
- MAC addresses and transporting data frames

Routers
Provide connectivity between LANs and LAN segments:
- two network interfaces ("internal", "external")
- need the same protocol as the Internet (IP addressing)
- may control LAN IP addresses using the DHCP protocol
- internal interface may be Ethernet or wireless (IEEE 802.11x)

IP addresses
For packets to move between devices, each device must have an IP address, e.g. 192.168.2.22
Three ways to allocate an IP address to a Windows PC:
- manually: just type it into the client interface
- from a DHCP server/router (from a fixed range)
- through autoconfig (randomly allocated from a range of IP addresses)

Switches and IP addresses
- Switches (and routers) link devices together
- By default, a switch will create a virtual LAN (VLAN)
  - allows communication between devices on the allocated IP address range (e.g. 192.168.1.0-63)
  - fine for small networks
  - regular cause of lack of connectivity!

Configuring Switches
- Have an operating system (Cisco IOS)
- Come with default configurations for VLANs; these may need changing, using a CLI
- IP address needs to be consistent with the devices being connected: they need IP addresses on the same subnet
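The "same subnet" requirement is easy to check before touching the switch. The following is an added example (not from the slides or from Cisco): it expands a CIDR block such as the 192.168.1.0-63 range mentioned above and sorts a list of device addresses into those inside and outside the switch's subnet. The `SubnetReport` type, the function names and the sample addresses are this example's own.

```go
package main

import (
	"fmt"
	"net"
)

// SubnetReport splits device addresses by whether they share the switch's
// subnet. Type and function names are this example's own.
type SubnetReport struct {
	Reachable   []string
	Unreachable []string
}

// SubnetRange returns the first and last address covered by an IPv4 CIDR
// block, e.g. "192.168.1.1/26" covers 192.168.1.0 to 192.168.1.63.
func SubnetRange(cidr string) (string, string, error) {
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return "", "", err
	}
	first := network.IP.To4()
	if first == nil {
		return "", "", fmt.Errorf("%s is not an IPv4 block", cidr)
	}
	mask := network.Mask
	if len(mask) == net.IPv6len {
		mask = mask[12:]
	}
	last := make(net.IP, net.IPv4len)
	for i := range last {
		last[i] = first[i] | ^mask[i]
	}
	return first.String(), last.String(), nil
}

// CheckSameSubnet takes the switch's management address in CIDR form and a
// list of device IPs. Devices outside that subnet cannot talk to the switch
// (or to each other) without a router in between: the "lack of connectivity"
// the slides warn about.
func CheckSameSubnet(switchCIDR string, devices []string) (SubnetReport, error) {
	var report SubnetReport
	_, network, err := net.ParseCIDR(switchCIDR)
	if err != nil {
		return report, fmt.Errorf("switch address: %v", err)
	}
	for _, d := range devices {
		ip := net.ParseIP(d)
		if ip == nil {
			return report, fmt.Errorf("device address %q is not valid", d)
		}
		if network.Contains(ip) {
			report.Reachable = append(report.Reachable, d)
		} else {
			report.Unreachable = append(report.Unreachable, d)
		}
	}
	return report, nil
}

func main() {
	// Constructed sample: a /26 switch VLAN and four devices, two of which
	// were given addresses outside it (a manual typo and a lease from a
	// different router).
	switchCIDR := "192.168.1.1/26"
	devices := []string{"192.168.1.10", "192.168.1.40", "192.168.1.64", "192.168.2.22"}
	first, last, err := SubnetRange(switchCIDR)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("switch VLAN covers %s - %s\n", first, last)
	report, err := CheckSameSubnet(switchCIDR, devices)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("reachable:  ", report.Reachable)
	fmt.Println("unreachable:", report.Unreachable)
}
```

Note that 192.168.1.64 fails even though it looks adjacent to the range: a /26 mask ends the block at .63, which is exactly the kind of off-by-one that produces "no connectivity" tickets.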

VLANs
Segment of a LAN controlled using a switch
[Slide diagram: Router (sets IP addresses) - IP packets - switch - MAC frames - connected devices]
- addressing of data to/from the VLAN uses IP addresses: packets need routing
- addressing between the switch and its connected devices uses MAC addresses: frames, not packets; more efficient, no routing needed

Malvern Innovation Festival: Cyber Security
- Annual event; Thursday focuses on cyber security
- aspects of each LO will be covered
- Cyber security academics and practitioners present
- lots of opportunities for final year students
- dress: smart casual; why not brush up your CV?

Encryption
Three potentially vulnerable places for hackers to capture organisational data:
- physically stored, e.g. hard disk, CD, USB
- system stored, e.g. memory of computer, router, or other intermediate device
- on the move, e.g. through cables or the air
Hackers want information, not data without context! Useless to them if stored & sent in scrambled form...

Security of Data on the move: inside the organisation
Most organisational computers regularly interchange data
[Slide diagram: Computer A <-> Computer B]
Data could in theory be copied (although not destroyed) by being intercepted as it passes between computers/devices:
- through use of e/m waves (easy)
- in copper cables (possible but difficult)
- in optical fibre cables (very difficult)

Security and copper (UTP) cables
UTP (Unshielded Twisted Pair) cable is cheap, but not totally secure:
- electricity passing through a cable creates a magnetic field...
- which can then be intercepted and used to recreate the original signal...
[Slide diagram: data cable with stolen data]

Security and copper cables: STP
- Apart from security concerns, UTP is also vulnerable to stray electromagnetic waves (e.g. a nearby electric motor)
- Shielding stops the magnetic field spreading out and stray fields getting in
- STP (Shielded Twisted Pair) cabling recommended for vulnerable environments, but more expensive...
SECURITY ALWAYS HAS A PRICE!

Security, cost and Fibre Optic Cables
Fibre is more secure than even shielded copper:
- digital data transmitted as a high-intensity light beam
- no associated magnetic field; data can't be "tapped"
- can carry much more data than twisted pair
But: cost... of cables... of installation...

Discussion
Which to choose: UTP, STP, optical fibre? Cost v risk balancing act:
- small network, e.g. home/microbusiness
- medium size network, e.g. business with 50 employees
- large network, with multisite operation

Using Radio Waves...
Ideal?
- no unsightly cables
- mobile availability
- cheap!
Standard radio waves don't carry much data (i.e. low bandwidth): need to be high frequency, close to microwave frequency

Wireless Security
- Waves radiating out in all directions
- Much more vulnerable to "tapping" than cabled systems
[Slide diagram: Device A radiating in all directions; hacker within range]

E/M Wave systems
- Easy to install: no cabling needed, just signal boosters
- BUT... must have encryption & authentication!
  - can be received by anyone within range and with the right equipment
  - especially easy to pick up if transmitted as "fixed spectrum"
  - "spread spectrum" radio waves can only be picked up by equipment that can follow the changes in frequency
  - AGAIN, MUCH MORE EXPENSIVE!
Invention of spread-spectrum radio (WW2): https://www.youtube.com/watch?v=k2ZuUG-eV0A

Encryption/Decryption
- Changing digital data in a mathematically reversible way makes it impossible to get at the information: the data representing it is scrambled
- Secret codes for data are not new; they have been in use for millennia
- many clever techniques involved
- encrypting etc. is a science: cryptography

Why not Encrypt Everything?
Modern encryption involves complex mathematical operations:
- lots of processing power
- slows down processing if every block of data stored has to be encrypted
- every block of data processed has to be decrypted first...
Simple answer: it takes up CPU power!

Security and Network Hardware
- Very small networks may use peer-to-peer networking and cabling/wireless: same vulnerabilities, same dangers...
- Whatever the size, networks use hubs, switches, router(s), maybe a firewall to connect everything and link to the Internet
  - data is stored on these devices before forwarding
  - plenty of hacks started by compromising a router!

Standard Internet Protocols and Security
Early Internet (1970s):
- users: military personnel, research centre admin, etc., all security vetted
- protocols not designed with security in mind; about getting data safely & reliably from one place to another
OSI model (1978 on) ordered protocols into a 7-layer stack:
- based on TCP and IP protocols
- user system security already built in at the session layer
- no inherent security for data on the move
- each device must have an IP address

Network-Network Connectivity
- Most networks now use TCP/IP for Internet connectivity, based on digital data sent in 1000-byte chunks called "packets"
- Devices must have an IP address to participate in TCP/IP
  - theoretically visible across the network/Internet
  - otherwise, packets couldn't be navigated to it!

Navigating Data within a TCP/IP network
Data on a network device could be:
- located using the device IP address
- copied to another IP address on the network
Just need:
- access via computer (logon? anonymous...)
- an appropriate layer 7 protocol service (e.g. NFS, Network File System, part of the TCP/IP suite)
Really is as simple as that!!!

Copying, Changing, or Deleting Data on a networked computer
- Data could be tapped in exactly the same way on any device on the Internet! Just needs an IP address to participate on the Internet
- packets going to that computer have a destination IP address in the header; headers can easily be read
- NFS protocol can be used to manage data remotely on that computer: could include copying or deleting data, or even BOTH!

Connecting Devices & Configuration
One of the keys to security...
- Routers & switches often configured via a Windows interface: fine for small, simple changes
- More complex changes need a command line interface (CLI)

The Virtual Private Network
Secure sending of data through the Internet:
- Only use a restricted and very secure set of Internet routers
- No IP address broadcasting needed: all packets use the same route!
- IP tunnelling protocol encapsulates data: normal Internet users will therefore not be able to see the sending, receiving, or intermediate IP addresses
- data sent is encrypted
Potential hackers don't get a look in!
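To make the two points concrete (that an IP header "can easily be read", and that a tunnel leaves only the tunnel endpoints visible), here is an added example, not from the slides, that parses the fixed 20-byte IPv4 header of constructed packets and reports what an observer on the path would see. For a plain packet the real source and destination are in the clear; for one carried by an IPsec ESP tunnel (IP protocol number 50, a real IANA assignment) only the two gateway addresses show and the inner header is inside the encrypted body. The type and function names, the helper that builds the sample packets, and the sample addresses (documentation ranges) are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// IPv4Header holds the fields this example reads from a packet's header.
// Type and function names are this example's own.
type IPv4Header struct {
	Src, Dst net.IP
	Protocol uint8
	TotalLen uint16
}

// IP protocol numbers used below (IANA-assigned values).
const (
	ProtoTCP = 6
	ProtoUDP = 17
	ProtoESP = 50 // IPsec Encapsulating Security Payload: an encrypted tunnel
)

// headerChecksum is the IPv4 ones-complement checksum over the header bytes.
// Over a header whose checksum field is already filled in it returns zero.
func headerChecksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// ParseIPv4 reads the header of a raw packet. Nothing in it is encrypted, so
// anyone who can see the packet sees which addresses are talking.
func ParseIPv4(pkt []byte) (IPv4Header, error) {
	var h IPv4Header
	if len(pkt) < 20 {
		return h, errors.New("packet shorter than an IPv4 header")
	}
	if pkt[0]>>4 != 4 {
		return h, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return h, errors.New("bad header length")
	}
	if headerChecksum(pkt[:ihl]) != 0 {
		return h, errors.New("header checksum mismatch")
	}
	h.TotalLen = binary.BigEndian.Uint16(pkt[2:4])
	h.Protocol = pkt[9]
	h.Src = net.IPv4(pkt[12], pkt[13], pkt[14], pkt[15])
	h.Dst = net.IPv4(pkt[16], pkt[17], pkt[18], pkt[19])
	return h, nil
}

// BuildIPv4 assembles a minimal 20-byte header plus payload with a correct
// checksum. It exists only to construct sample packets for this example.
func BuildIPv4(src, dst net.IP, proto uint8, payload []byte) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(20+len(payload)))
	h[8] = 64 // TTL
	h[9] = proto
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	binary.BigEndian.PutUint16(h[10:], headerChecksum(h))
	return append(h, payload...)
}

// Visible summarises what an on-path observer learns from one packet.
func Visible(pkt []byte) (string, error) {
	h, err := ParseIPv4(pkt)
	if err != nil {
		return "", err
	}
	switch h.Protocol {
	case ProtoESP:
		// Only the two VPN gateways are visible; the real sender, receiver
		// and payload are inside the encrypted ESP body.
		return fmt.Sprintf("%s -> %s ESP tunnel, inner addresses hidden", h.Src, h.Dst), nil
	case ProtoTCP:
		return fmt.Sprintf("%s -> %s TCP, %d bytes", h.Src, h.Dst, h.TotalLen), nil
	case ProtoUDP:
		return fmt.Sprintf("%s -> %s UDP, %d bytes", h.Src, h.Dst, h.TotalLen), nil
	default:
		return fmt.Sprintf("%s -> %s protocol %d", h.Src, h.Dst, h.Protocol), nil
	}
}

func main() {
	// Constructed packets: a plain file-sharing request between two hosts,
	// and traffic after a VPN gateway has wrapped it in ESP.
	plain := BuildIPv4(net.ParseIP("192.168.2.22"), net.ParseIP("10.0.0.5"), ProtoTCP, []byte("file read request"))
	tunnelled := BuildIPv4(net.ParseIP("203.0.113.1"), net.ParseIP("198.51.100.9"), ProtoESP, []byte{0x7a, 0x11, 0xc0, 0x9f})
	for _, p := range [][]byte{plain, tunnelled} {
		s, _ := Visible(p)
		fmt.Println(s)
	}
}
```

The checksum check matters for the defender's side of this: a header altered in transit without its checksum being recomputed is rejected by the parser, which is the same behaviour a receiving host shows.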

Simulating a Network
CISCO software: Packet Tracer
- drag-and-drop tool used for planning and implementing networks
- very useful also for finding out about network infrastructure and connectivity!
Practical after the break...

Download a copy of the latest CISCO Packet Tracer for your own use from netacad.com…