This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.


1 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.
NETW 05A: APPLIED WIRELESS SECURITY
General Policy
By Mohammad Shanehsaz

2 Objectives
- Getting Started
- Risk Assessment
- Impact Analysis
- Security Auditing
- General Topics

3 Objectives
- Explain necessary items to include in the creation and maintenance of a WLAN security checklist
- Describe and recognize the importance of asset management and inventory procedures for WLANs

4 Objectives
- Explain the importance of including WLANs in existing change management programs
- Explain the purpose and goals of the following WLAN security policies:
  - Password policy
  - User training
  - On-going review (auditing)
  - Acceptable use and abuse policy
  - Consistent implementation procedure
  - Centralized implementation and management guidelines and procedures

5 Objectives
- Locate and identify WLANs within and around a facility
- Explain the assets to be protected through securing a WLAN
- Explain and demonstrate the inherent weaknesses in WLAN security
- Given a WLAN attack scenario, explain and respond to the attack
- Given a WLAN configuration, explain and implement all the necessary steps for securing the WLAN

6 Objectives
- Perform an impact analysis for a series of WLAN attack scenarios, which may include the following methods of attack:
  - Analysis, spoofing and information theft
  - Denial of Service
  - Malicious code or file insertion
  - Target profiling
  - Peer-to-peer hacking
  - Physical security
  - Social engineering
  - WLAN hacking hardware and software

7 Objectives
- Summarize risks to wired networks from wireless networks
- Summarize the security policy related to wireless public-access network use

8 Wireless LAN security policy
Wireless LAN security policy falls into two categories:
- General policy (items that do not fall into a specific technical category, e.g. corporate networking)
- Functional policy

9 Categories of General Policy
- Getting Started
- Risk Assessment
- Impact Analysis
- Security Auditing

10 Getting Started
- Obtain organizational sponsorship! CEO or CIO
- Wireless implementation must be part of a security plan addressing:
  - Resources
    - control access
    - prevent unauthorized users
    - limit consumption of wireless network resources (e.g. bandwidth)
  - Privacy
    - control access
    - prevent unauthorized users
    - protect confidential or sensitive data
  - Intrusion
    - monitor the environment
    - allows detection of unauthorized access or activities
    - respond with appropriate security measures

11 Getting Started
- Include input from:
  - End users
  - Network operations team
  - Financial people
  - Management
  - Independent/external auditor
- Among the key decisions:
  - What items will the policy cover?
  - How will the policy be enforced?
  - How will the policy be implemented?
  - How user-friendly should the policy be?

12 Getting Started
- General templates on corporate security policy can be found at: http://www.sans.org/resources/policies/
- Your textbook has included a wireless LAN security policy template in Appendix A

13 Risk Assessment topics
- Process
- 4 Themes
  - Asset Protection
  - Threat Prevention
  - Legal Liabilities
  - Costs

14 Risk Assessment
- Examine each possible scenario which may lead to loss of $ due to negative events
- Rank predicted losses (level of severity)
- For each scenario make decisions on $-effective responses to:
  - Eliminate risks
  - Mitigate risks

15 Risk Assessment's four themes
- What assets are we trying to protect?
- What are we trying to prevent?
- What are the company's legal liabilities?
- What is the cost?

16 Risk Assessment's four themes
All 4 themes require analysis prior to creating a security
- Asset Protection
  - What assets must be protected?
  - What are the costs/legal ramifications if these assets are compromised?
- Threat Prevention
  - What is the organization trying to protect by securing the network?
  - What kinds of attack, theft or breach of security are likely?

17 Risk Assessment's four themes
- Legal Liabilities
  - What is an organization legally responsible for if the network is compromised or used to negatively impact another organization?
  - What legal protection does a company have?
  - Can the organization lose privileges (Internet service) due to abuse by intruders (spam)?
- Costs
  - What are the costs associated with securing the wireless network?
  - Are security costs worth the investment, considering the risks, in implementing a WLAN?
  - If the network is compromised, what could the potential costs be?
  - How does the potential cost of infiltration and compromise weigh against the costs associated with securing the network?
- May be external or internal auditors

18 Asset Protection
- Whether they know it or not, all organizations have data worth protecting
- Must educate and enlighten management
- What we are trying to protect are:
  - Sensitive Data
  - Network Services

19 Sensitive Data
- Means different things to different organizations
- Determine what is important to protect - at all levels
- Security professional must work with management to:
  - Ensure appropriate data is being protected
  - what degree of protection is required

20 Sensitive Data
Types of sensitive data
- Intellectual property
- Trade secrets
- Formulas
- Customer Data
  - Identity information
  - Credit card information
  - Health information

21 Network Services
- undermined network availability
- critical network services include:
  - Email
  - file services
  - database services
  - directory services
  - Internet connectivity
  - web-based applications
  - virus/intrusion detection
  - custom applications

22 Threat Prevention
- When using WLANs, need to consider many threats
- Consider probability of threat
- Process
- Types of attacks

23 Process
- identify vulnerabilities
- assess likelihood of compromise
- determine:
  - How to proceed
  - How much to spend
  - Where to spend it

24 Types of attacks (What we are trying to prevent)
- Denial of Service (DoS)
  - RF Jamming
  - Packet Flooding
  - Equipment Damage, Theft, or Replacement
  - DEFENSE: Prioritized ($) asset protection
- Unauthorized Access
  - Access Point can be configured numerous ways
  - DEFENSE:
- Credit Card Fraud
  - Organizations may protect from Internet-based attacks, but forget about local hackers
  - DEFENSE: Encryption

25 Types of attacks (What we are trying to prevent)
- Identity Theft
  - Information stored includes:
  - DEFENSE: Encryption, VLANs
- Corporate Secrets
- Personal Information Exposure
- Malicious Data Insertion
  - Viruses
  - Invalid data
  - Illegal/unethical content

26 Legal Liabilities
- Third Party Attacks
  - Organization's network used for third party attack (e.g. SPAM)
  - Result
    - Loss of access
    - Legal Liability
    - Other
- Illegal Data Insertion
  - Pirated software
  - web-site defacement

27 Costs
- People
  - Employees or Contractors
  - Consultants - expensive, but may be worth the $
- Training
  - For:
    - End users
    - Administrators
    - Physical security personnel
    - Network security personnel
    - Management
  - Installation and configuration
  - Network Operations Training
  - End-user Training

28 Costs
- Equipment
- Time

29 Impact Analysis
An Impact Analysis identifies the degree of potential loss that could occur if an attack occurs. The risk includes:
- Risk to wired network from wireless LAN segment
- Risk of using wireless public access networks
- Legal Implications of a successful intrusion

30 Must ask the following question:
- If a malicious hacker were to gain access to the most precious asset of a company, what would be the damage to the company?
- Worst case scenario

31 Must:
- Identify threats
- Measure impact
  - Direct financial terms
    - e.g. Lost sales due to outages
  - Indirect financial terms
    - e.g. Reputation
    - Regulatory
    - Loss of customer confidence
  - Exposure / exploitation of private information
- Consider:
  - Scenario
  - Intent of hacker
  - Organizational response
  - Value of Assets

32 Legal Implications
To truly understand the impact of information theft or the insertion of malicious information, consider:
- Dollar Amount
- Legal liabilities

33 Security Auditing
- Need to conduct periodic security reviews / audits
  - Modifications or additions to the network might create new security holes
- Independent Testing
- Sources of Information

34 Need to conduct periodic security reviews / audits
- Low risk - once per year
- Larger network / sensitive data - quarterly or more

35 Independent Testing
- May want to use consultants for:
  - Design
  - After installation
  - Fresh perspective
- Role
  - Use only as necessary - keep to a minimum
  - aid in design
  - locate weaknesses in existing security solutions
  - aid in network redesign

36 Sources of Information
- Hackers
  - May not be malicious
  - May report vulnerability to the organization
- Advice
  - Acknowledge their help
  - Fix the problem

