Presentation is loading. Please wait.

Presentation is loading. Please wait.

Richard Henson University of Worcester October 2019

Published byTarja Seppälä Modified over 5 years ago

Similar presentations

Presentation on theme: "Richard Henson University of Worcester October 2019"— Presentation transcript:

1 Richard Henson University of Worcester October 2019
COMP3371 Cyber Security Richard Henson University of Worcester October 2019

2 Week 2: “Defensive Security” Strategies for securing data held within digital systems
Objectives: Explain tensions in key principles of maintaining data confidentiality, integrity, availability Devise a security strategy for users in terms of using technical controls to protect access to resources, services and information Explain that total security is a myth; people are people, and computer technology is constantly evolving…

3 CIA in practice… (1) Generally about… Secure it! Want it NOW!
C = confidentiality A = Availability Secure it! Want it NOW! Data

4 CIA in Practice…(2) Massive Tension…
network managers: responsibility to keep data secure (CONFIDENTIALITY) users: just want data… NOW!!! AVAILABILITY security controls just get in the way

5 The “I” in the middle Maintaining Data: Integrity
Enforced by Law… personal or sensitive data MUST be protected against copying/modifying Recently tightened up (GDPR) big fines possible! users need to be aware of the data/information dichotomy!

6 IS Policy and CIA (1) As CIA is the key to good cyber security…
All three aspects should be basic to IS policy C… good security of network data I… as above… A… backend systems should work efficiently with desktops and have excellent backups

7 IS Policy and CIA (2) Data needs to be looked after!!
Technical responsibility… network engineers needs to make sure data is looked after by systems boundaries need to be protected against malicious data Management responsibility need to make sure data is looked after by appropriately trained people

8 Policy and Strategy Strategy… plans for the future
Policy… the means for implementing the strategy To manage CIA properly… Strategy must come first! Policy should follow…

9 Strategy: (1) Protects Data (2) Enables users to do their jobs
Up to the organisation to choose how to do this… Login or each user ESSENTIAL necessary for accountability immediate issue for “start ups” ESSENTIAL for users to get appropriate system access to do their job… Who decides what is appropriate? How?

10 Implementing Strategy…
Usual technical option… network devices linked together provide access to the Internet for all linked devices through a server (Internet Gateway) Software (either/or): Windows networks Some form of Unix/Linux

11 Principle of security “controls”
Any method used to protect organisational data against being compromised… technical controls use hardware and software to protect data people controls provide procedures for people to follow to protect data management controls provide procedures for those managing data users

12 Technical Controls Ways to protect the data once users have logged in…
Log in is a management control implemented through technical means! Password use is a user control, which is assisted by technical rules (e.g. length and “complexity” of password)

13 Client-server or Peer-peer?
Client-Server essential unless small number of devices (<8) may be happy to just use the Microsoft domain model… but have in mind the weakness that “read only” files could be changed (!) essential to monitor for changes via server logging (event viewer) makes users accountable

14 Features of Client-Server LANs
Centralised server(s) control user access via login to system to the organisational resources they need… Client end can still hold resources in memory and secondary storage a lot (workstation) not much (thin client)

15 Request and response All network users get access via clients
Client requests information… 2. Server processes the request, sends a response back to the client

16 Technical Controls on Data
Technologies for safe transport… wired or wireless processing… secure CPU/memory storage… Purpose: protect network resources from attacks and accidental loss of data

17 Domains: basic hardware infrastructure
Basic principle… resources and security controlled via server(s) and accessible to all everything needs at least one back up Plan hardware and connectivity first… software could be Windows or Unix/Linux

18 Microsoft Implementation
Microsoft domains… server(s) set up first clients attached physically & logically to server Users controlled through policy files on server(s)

19 Types of Network Hardware
Devices categorised into two types: end devices (for input or output) connecting devices (passing data on…) End device Connecting device End device

20 Addressing and Network Devices
Addressing possible at two of the OSI software levels/layers: Hardware-compatible layer uses MAC addresses Internet-compatible layer uses IP addresses ARP (Address Resolution Protocol) converts addresses from IP to MAC

21 End Devices Computers Dumb Terminals Printers VOIP phones Scanners
Anything that inputs or outputs…

22 Connecting Devices Routers or Firewalls Switches Hubs & Repeaters
computers with two network interfaces routers use IP addresses (OSI layer 3) firewalls also use TCP ports (level 4) Switches also two network cards work with MAC addresses (OSI layer 2) Hubs & Repeaters no processing but can boost signals

23 Switches Handle network traffic efficiently within a LAN
provide cabled connectivity between server/router and user device software control using IEEE802.3 (Ethernet) standard physical layer… transfer of electrical signals MAC addresses and transporting data frames

24 Routers Provide connectivity between LANs and LAN segments
two network interfaces (“internal”, “external”) needs same protocol as Internet (IP addressing) may control LAN IP addresses using DHCP protocol may be ethernet or wireless (IEEE802.11x) for internal interface

25 IP addresses For packets to move between devices, each device must have an IP address e.g Three ways to allocate an IP address to a Windows PC: manually… just type it into client interface from DHCP server/router (between fixed range) through autoconfig (randomly allocated from a range of IP addresses)

26 Switches and IP addresses
Switches (and routers) link devices together By default, a switch will create a virtual LAN (VLAN) allows communication between devices on allocated IP address (e.g ) fine for small networks regular cause of lack of connectivity!

27 Configuring Switches Have an operating system (Cisco iOS)
Come with default configurations for VLANs may need changing… use a CLI IP address needs to be consistent with devices being connected need IP addresses on the same subnet

28 VLANs Segment of a LAN controlled using a switch
Router (sets IP Addresses) Segment of a LAN controlled using a switch addressing of data to/from VLAN using IP address packets need routing addressing between switch and its connected devices using MAC addresses frames not packets… more efficient… no routing needed IP packets switch MAC frames

29 Malvern Innovation Festival: Cyber Security
Annual event… Thursday focuses on cyber security aspects of each LO will be covered Cyber security academics and practitioners present lots of opportunities for final year students dress: smart casual why not brush up your cv?

30 Encryption Three potentially vulnerable places for hackers to capture organisational data: physically stored e.g. hard disk, CD, USB system stored e.g. memory of computer, router, or other intermediate device on the move e.g. through cables or the air Hackers want information, not data without context! useless to them if stored & sent in scrambled form…

31 Security of Data on the move: inside the organisation
Most organisational computers regularly interchange dataComputer A Data could in theory be copied (although not destroyed) by being intercepted: as it passes between computers/devices through use of e/m waves (easy) in copper cables (possible but difficult) In optical fibre cables (very difficult) Computer A Computer B

32 Security and copper (UTP) cables
UTP (Unshielded Twisted Pair) cable is cheap, but not totally secure: electricity passing through a cable creates a magnetic field… can then be intercepted and used to recreate the original signal… Stolen data cable

33 Security and copper cables: STP
Apart from security concerns, UTP is also vulnerable to stray electro-magnetic waves (e.g. nearby electric motor) Shielding stops the magnetic field spreading out and stray fields getting in STP (Shielded Twisted Pair) cabling recommended or vulnerable environments but more expensive… SECURITY ALWAYS HAS A PRICE!

34 Security, cost and Fibre Optic Cables
Fibre more secure than even shielded copper digital data transmitted as a high intensity light beam no associated magnetic field; data can’t be “tapped” Can carry much more data than twisted pair but: cost… of cables… of installation…

35 Discussion small network e.g. home/microbusiness
Which to choose, UTP, STP, optical fibre? cost v risk balancing act small network e.g. home/microbusiness medium size network e.g. business 50 employees large network, with multisite operation

36 Using Radio Waves… Ideal?
no unsightly cables mobile availability cheap! Standard radio waves don’t carry much data (i.e. low bandwidth) need to be high frequency… close to microwave frequency

37 Wireless Security Waves radiating out in all directions
Much more vulnerable to “tapping” than cabled systems Device A Hacker…

38 E/M Wave systems Easy to install
no cabling needed, just signal boosters BUT… must have encryption & authentication! can be received by anyone within range and with the right equipment especially easy to pick up if transmitted as “fixed spectrum” “spread spectrum” radio waves can only be picked up by equipment that can follow the changes in frequency AGAIN, MUCH MORE EXPENSIVE! Invention of spread-spectrum radio (ww2):

39 Encyption/Decryption
Changing digital data in a mathematical reversible way makes it impossible to get at the information… data representing it is scrambled Secret codes for data not new… been happening for millennia many clever techniques involved encrypting etc. is a science… cryptography

40 Why not Encrypt Everything?
Modern encryption… complex mathematical operations lot of processing power slows down processing if every block of data stored has to be encrypted every block of data processed has to be decrypted first… Simple answer… takes up CPU power!

41 Security and Network Hardware
Very small networks may use peer-peer networking and cabling/wireless same vulnerabilities, same dangers… Whatever the size, networks use hubs, switches, router(s), maybe a firewall to connect everything and link to Internet data stored on these devices before forwarding plenty of hacks started by compromising a router!

42 Standard Internet Protocols and Security
Early Internet (1970s): users: military personnel, research centre admin, etc. all security vetted protocols not designed with security in mind about getting data safely & reliably from one place to another OSI model (1978 on) ordered protocols into a 7- layer stack: based on TCP and IP protocols user system security already built in at the session layer no inherent security for data on the move each device must have an IP address

43 Network-Network Connectivity
Most networks now use TCP/IP for Internet connectivity based on digital data sent in 1000 byte chunks called “packets” Devices must have an IP address to participate in TCP/IP theoretically visible across the network/Internet otherwise, packets couldn’t be navigated to it!

44 Navigating Data within a TCP/IP network
Data on a network device could be: located using device IP address copied to another IP address on the network Just need: access via computer (logon? anonymous…) an appropriate level 7 protocol service (e.g. NFS – network file system, part of the TCP/IP suite) really is as simple as that!!!

45 Copying, Changing, or Deleting Data on a networked computer
Data could be tapped in exactly the same way on any device on the Internet! just needs an IP address to participate on the Internet packets going to that computer have a destination IP address in the header; headers can easily be read NFS protocol can be used to manage data remotely on that computer – could include copying or deleting data, or even BOTH!

46 Connecting Devices & Configuration
One of the keys to security… Routers & Switches often configured via Windows interface fine for small, simple changes More complex changes need a command line interface (CLI)

47 The Virtual Private Network
Secure sending of data through the Internet Only use a restricted and very secure set of Internet routers No IP address broadcasting needed… all packets use the same route! IP tunnelling protocol encapsulates data normal Internet users will therefore not be able to see the sending, receiving, or intermediate IP addresses data sent is encrypted Potential hackers don’t get a look in!

48 Simulating a Network CISCO software: Packet Tracer
Drag and drop tool used for planning and implementing networks very useful also for finding out about network infrastructure and connectivity! practical after the break…

49 Download a copy of the latest CISCO Packet Tracer for your own use from netacad.com…

Download ppt "Richard Henson University of Worcester October 2019"

Similar presentations

Subnetting.

Subnetting.
Computer Networks Eyad Husni Elshami. Computer Network A computer network is a group of interconnected computers to share data resources ( printer, data.

Computer Networks Eyad Husni Elshami. Computer Network A computer network is a group of interconnected computers to share data resources ( printer, data.
Networking DSC340 Mike Pangburn. Networking: Computers on the Internet  1969 – 4  1971 – 15  1984 – 1000  1987 – 10,000  1989 – 100,000  1992 –

Networking DSC340 Mike Pangburn. Networking: Computers on the Internet  1969 – 4  1971 – 15  1984 – 1000  1987 – 10,000  1989 – 100,000  1992 –
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
This is the way an organisation distributes the data across its network. It uses different types of networks to communicate the information across it.

This is the way an organisation distributes the data across its network. It uses different types of networks to communicate the information across it.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Computer communication

Computer communication
Chapter 4: Managing LAN Traffic

Chapter 4: Managing LAN Traffic
Chapter 5 Networks Communicating and Sharing Resources

Chapter 5 Networks Communicating and Sharing Resources
Slide 1 What is a Computer Network? A computer network is a linked set of computer systems capable of sharing computer power and resources such as printers,

Slide 1 What is a Computer Network? A computer network is a linked set of computer systems capable of sharing computer power and resources such as printers,
Common Devices Used In Computer Networks

Common Devices Used In Computer Networks
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Connecting to the Network Networking for Home and Small Businesses.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Connecting to the Network Networking for Home and Small Businesses.
ACM 511 Chapter 2. Communication Communicating the Messages The best approach is to divide the data into smaller, more manageable pieces to send over.

ACM 511 Chapter 2. Communication Communicating the Messages The best approach is to divide the data into smaller, more manageable pieces to send over.
Computer Concepts 2014 Chapter 5 Local Area Networks.

Computer Concepts 2014 Chapter 5 Local Area Networks.
COMP1321 Digital Infrastructure Richard Henson February 2014.

COMP1321 Digital Infrastructure Richard Henson February 2014.
NETWORKING COMPONENTS AN OVERVIEW OF COMMONLY USED HARDWARE Christopher Johnson LTEC 4550.

NETWORKING COMPONENTS AN OVERVIEW OF COMMONLY USED HARDWARE Christopher Johnson LTEC 4550.
Networks and Protocols CE00997-3 Week 2a. Network hardware.

Networks and Protocols CE Week 2a. Network hardware.
OS Services And Networking Support Juan Wang Qi Pan Department of Computer Science Southeastern University August 1999.

OS Services And Networking Support Juan Wang Qi Pan Department of Computer Science Southeastern University August 1999.
First, by sending smaller individual pieces from source to destination, many different conversations can be interleaved on the network. The process.

First, by sending smaller individual pieces from source to destination, many different conversations can be interleaved on the network. The process.
NETWORK HARDWARE CABLES NETWORK INTERFACE CARD (NIC)

NETWORK HARDWARE CABLES NETWORK INTERFACE CARD (NIC)

Similar presentations

Ads by Google