©Dr. Respickius Casmir IT Security In a Nutshell – Session 1 By Dr. Respickius Casmir

©Dr. Respickius Casmir Outline Introduction to IT Security Security Attacks, Mechanisms, and Services Methods of Defense Steps for Launching an Attack Security Policy Basics

©Dr. Respickius Casmir Information security in a bigger picture It is easy to overlook the fact that information security affects an entire organisation. But ultimately, it is a business problem. Information security is more than setting up a firewall, applying patches to fix newly discovered vulnerabilities in your system software, or locking the cabinet with your backup tapes.

©Dr. Respickius Casmir Information security in a bigger picture (2) Information security is determining what needs to be protected and why; what it needs to be protected from; and how to protect it for as long as it exists The burning question, of course, is how to assure your organisation an adequate level of security over time.

©Dr. Respickius Casmir Information security in a bigger picture (3) There are many answers to this challenging question, just as there are many approaches to managing an organisation’s security Unfortunately, there is no silver bullet, no single solution that will solve all your security problems.

©Dr. Respickius Casmir Attacks, Services and Mechanisms Security Attack: Any action that compromises the security of information. Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack. Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

©Dr. Respickius Casmir Security Attacks

©Dr. Respickius Casmir Security Attacks Interruption: This is an attack on availability Interception: This is an attack on confidentiality Modification: This is an attack on integrity Fabrication: This is an attack on authenticity

©Dr. Respickius Casmir Security Goals Integrity Confidentiality Avalaibility

©Dr. Respickius Casmir

Security Services Confidentiality (privacy) Authentication (who created or sent the data) Integrity (has not been altered) Non-repudiation (the order is final) Access control (prevent misuse of resources) Availability (permanence, non-erasure) Denial of Service Attacks Virus that deletes files

©Dr. Respickius Casmir

Methods of Defense Encryption Software Controls (access limitations in a data base, in operating system protect each user from other users) Hardware Controls (smartcard) Policies (frequent changes of passwords) Physical Controls

©Dr. Respickius Casmir Steps for Launching an Attack Phase 1: Reconnaissance Phase 2: Scanning Phase 3: Gaining Access Phase 4: Maintaining Access Phase 5: Covering Tracks

©Dr. Respickius Casmir Phase 1: Reconnaissance When beginning an attack, the most effective attackers will do their homework to discover as much about their target as possible Inexperienced script kiddie will jump right in, indiscriminately trolling the Internet for weak systems without regard to who owns them More experienced attackers take their time by conducting detailed reconnaisance before launching a single attack packet against your network

©Dr. Respickius Casmir Phase 2: Scanning After the reconnaisance phase, the attacker is armed with some vital information about your infrastructure: a fee telephone numbers, domain names, IP addresses, technical contact information –a very good starting point Attackers will use this knowledge to begin scanning your systems looking for openings. This scaning phase is akin to a burglar turning doorknobs and trying to open windows to find a way into your house Unfortunately, this phase favours the attackers

©Dr. Respickius Casmir Phase 2: Scanning (2) Our goal as information security professionals is to secure every possible path into our systems; the attackers just have to find one way in to achieve their goals.

©Dr. Respickius Casmir Phase 3: Gaining Access Gaining Access at the Operating System and Application Level Gaining Access at the Nework Level Gaining Access and Denial-of-Service Attacks

©Dr. Respickius Casmir Phase 4: Maintaining Access After completing step 3, the attacker has gained access to the target systems or denied access to other legitemate users After gaining much-coveted access, attackers want to maintain that access To achieve this, attackers utilize techniques based on malicious software such as Trojan horses, backdoors, and rootKits.

©Dr. Respickius Casmir Phase 4: Maintaining Access (2) Traditional RootKits are a more insidious form of Trojan horse back door than their Application-level counterparts RootKits raise the ante by altering or replacing existing system components

©Dr. Respickius Casmir Phase 5: Covering Tracks After completing their missions, attackers will do everything it takes to cover their tracks

©Dr. Respickius Casmir Security Policy Development and mplementation Why do I need a formal security policy?

©Dr. Respickius Casmir Budgeting your security precautions You should now have a pretty good idea about what level of security you will be able to cost justify. This should include depreciable items (server hardware, firewalls, and construction of secured areas), as well as Recurring costs (security personnel, audits, and system maintenance).

©Dr. Respickius Casmir Budgeting your security precautions (2) Remember the old saying, “Do not place all of your eggs in one basket”?. This wisdom definitely applies to budgeting security. Do not spend all of your budget on one mode of protection. For example, it does little good to invest $15,000 in fire-walling technology if someone can simply walk through the front door and walk away with your corporate server.

©Dr. Respickius Casmir Budgeting your security precautions (3) The bottom line is to be creative. The further you can stretch your security budget, the more precautions you can take. Security is a proactive expenditure, meaning that we invest money in security precautions and procedures with hope that we will realize a return on our investment by not having to spend additional money later playing cleanup to a network disaster. The more precautions that can be taken, the less likely disaster is to strike.

©Dr. Respickius Casmir Documenting your findings You have now identified all your assets, analysed their worth to your day-to-day operations, and estimated the cost of recovery for each. Now take some time to formalize and document your findings. There are a number of reasons why this is worth your time.

©Dr. Respickius Casmir Documenting your findings (2) First, having some sort of document–whether electronic or hard copy gives you some backup when you begin the tedious process of justifying each of your countermeasures It is far more to argue with documented numbers and figures that it is to argue with an oral statement. This document should be considered fluid: expect to adjust it over time.

©Dr. Respickius Casmir Documenting your findings (4) This information is also extremely useful as you begin the process of formalizing a security policy. As you begin to generate your security policy, it is far easier to justify each policy item when you can place a dollar value on the cost on the cost of an intrusion or attack.

©Dr. Respickius Casmir Thank You! Dr. Respickius Casmir