COMP3123 Network and Internet Security Richard Henson University of Worcester September 2011.


1 COMP3123 Network and Internet Security Richard Henson University of Worcester September 2011

2 What this module is about
- Understanding of the importance of protecting information, and in particular of digital information
- The importance of information security policy and its enforcement in managing information security within an organisation
- Understanding, controlling, managing the secure infrastructure developed for networks, with a focus on the Internet
- An overview of the technologies available to secure data via each of the seven OSI layers and the vulnerabilities of data held on organisational networks

3 Week 1 – Strategies for securing data held within digital systems
- Objectives:
  - Explain security as a “process”, not a product
  - Understand principles of maintaining data confidentiality, privacy, integrity, availability
  - Apply a security strategy in terms of denial of access to unauthorised users
  - Explain that total security is a myth; people are people, computer technology is constantly evolving; ISO27001 is the most effective response to date…

4 Data and Information
- “A” level stuff?
  - yet the difference between the two is subtle but crucial, and should be clearly understood…
- Exercise in pairs…
  - discuss what is (a) similar (b) different about data and information
  - give an example of (1) data and (2) information
  - be prepared to explain why it can be categorised as such…

5 Data and Information?
- All about context…
  - no other info…. just numbers & characters
  - correct related info… really important information
- “Information” within the organisation/department may be “just data” outside…
  - e.g. data intercepted via a wireless link
- BUT an internal “informer”…
  - can provide context for that information

6 Value of Data
- If what is compromised remains just “data”, perhaps a breach is not so serious…
  - data worthless without context
- However…
  - if the data becomes information…
    - will have a value
  - breach becomes very serious indeed
    - rival organisations could get corporate information
    - anyone could access customer personal information

7 How much is Data worth?
- Information has intrinsic value
  - e.g. personal data record
  - could become “personal information”
    - worth £50 on the black market?
  - could become financial or corporate information
  - may be worth a lot more than £50…
- By contrast, data only has potential value
  - given the right context, it can become information, and will have the same value

8 Why keep data secure?
- Data can easily become information, especially if in digital format with all the resources of the Internet available…
  - information can be very valuable
  - and very destructive!
- Should be a prime concern of all organisations to take special care of digital data that could be contextualised to become information…

9 Information or Data security?
- Until recently, always referred to as data security, and regarded as an IT matter
- “Information Security” now the preferred description of research and activities that seek to protect what was often seen as “just data”
- As previously demonstrated
  - data in the “right” hands can easily become information
  - should never be dismissed as “just data”

10 Information Security within Organisations
- Organisations have always kept information
- Important to the extent that the organisation IS its information
  - loss of vital data could therefore be curtains for the organisation!!!
- Nowadays, usually held digitally

11 Information Security: Technology & Management
- Need to be right to protect digital data
  - technology is useless if people won’t stick to procedures
  - procedures are equally useless if the technology can’t detect intrusions or prevent them
- Principles should be applied to a “leisure” computer at home connected to the Internet…
  - e.g. family members could get hold of each other’s information
- But all much, much more important when a whole organisation’s data is being managed…

12 Management of Information Security
- Senior management...
  - used to the spoken or written word
  - often misconceptions about digital data…
    - e.g. what is data, what is information and the relationship between the two
  - security of data may therefore not be given sufficient prominence... (!)
- Result: digital data is usually not properly managed…

13 Reasons to look after Data: 1. The Law
- All UK organisations that hold data on people must register with the Information Commissioner's Office
  - criminal offence not to do so...
- Personal data must be kept in accordance with eight principles of the Data Protection Act
  - not to do so can result in hefty fines
  - or even imprisonment

14 Reasons to look after Data: 1. The Law - continued
- Financial data also covered under the law, through the Financial Services Authority (FSA)…
  - much more severe penalties than personal data watchdog (ICO)…
    - e.g. Nationwide fined in 2007
      - approx £1million
    - e.g. HSBC fined in 2009
      - £ several MILLION
    - e.g. Zurich Insurance fined recently
      - £ >1 million

15 2. Losses do not look good for the business…
- If a business loses its data
  - it won’t be able to trade efficiently, or even at all!
  - data availability -> 0
  - estimation: 10 days maximum to recover, or out of business!
- If business gets data stolen, it may ALSO lose trade secrets, customer image, and market share

16 2. Losses & not-for-profit organisations
- Personal data often not regarded as so important, other than in legal terms
  - hence the catastrophic sequence of errors that led to 25 million records being lost by HMRC
- HOWEVER… customers do expect their personal data to be safeguarded
  - Increasing concern about privacy in recent years
  - source of great embarrassment if data lost

17 The Threats to organisations…
- Divided neatly into:
  - “internal”
    - well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands….
    - “rogue” employees deliberately interfering with data
  - “external”
    - people logging in from outside, usually via the Internet
    - inside people accessing data from outside, and either accidentally or on purpose, misusing it

18 An Information Security Policy
- As information is so important to organisations, security of information should be central to organisation’s strategic plan…
  - and therefore part of its organisation policy…
  - problem is that they are reluctant to do so…

19 An Information Security Policy
- ONCE the organisation has finally accepted this, they can devise an Information Security policy based on organisational strategy
- Information Security can then be implemented tactically and operationally through the organisational structure
- But HOW can information security come to be seen as so crucially important by senior management???
- Fortunately, it is now rapidly becoming a commercial imperative for doing any on-line business with a credit card
  - thanks to recent (Oct 2009!) PCI DSS guidelines…
  - and being more rigorously enforced from Oct 2010

20 Who are “stakeholders” in organisational Information Security?
- Who should be responsible for what?
- (no responsibility… no accountability)
- Exercise again in groups…

21 Stakeholders
- A number of people will have jobs that involve security of data in one way or another e.g.:
  - Data Controller (Data Protection Act)
  - Head of Personnel
  - Department Heads
- Who should bear the responsibility/carry the can??
  - probably none of the above – each may only have a partial picture of the organisation’s data

22 Typical organisational approaches
- Outsource
  - buy in the services of a third party from outside the organisation to “look after security”
- Seek an in-house solution… guru
  - appoint someone internally or from outside to look after security through an annual audit and allocating a resources budget
- Seek an in-house solution… committee
  - get together a group of key stakeholders to agree a set of procedures that designated employees should go through at regular intervals as a matter of organisational policy

23 How would you set up an Information Security policy?
- BREAK!!!
- And discussion again in groups
  - why outsource?
  - how could it be done internally
    - Who would be the “stakeholders”?

24 Relative Merits of Paying a Third Party to do it for you…
- Advantages:
  - pass responsibility on to someone else
  - pay someone a flat annual fee; easily budgeted
- Disadvantages:
  - Data Controller still has DP Act responsibility…
  - may also pass control to someone else…
  - the third party may be looking after many other customers as well…
    - will they take the trouble to find out and understand how your particular organisation works?
    - would your organisation want them to know…?

25 Appointing a “security tzar” with Information Security budget
- Will this work, as a single solution?
- Is Information Security just an IT problem?
- Groups… discuss…

26 “Middle Manager” Solution
- Will this work, as a single solution?
- Again… groups

27 Answers (to each)
- 1. Of course not!!!
  - organisation still has responsibility!!
- 2. Of course not!!!
  - this is a people problem…
  - data integrity errors
  - leaving data on physical devices that can be taken by a third party

28 If this WAS just an IT problem, would either approach be appropriate?
- True that any computer network can be made completely secure at a particular point in time:
  - BUT may cost a lot of money and resources…
  - THEN the following day, a new security threat may be launched onto the Internet from any one of 250 million possible sources…
- A good outsourcer should be on top of this…
- But merely employing a “security supremo” to buy, install, configure security devices won’t solve the problem
  - securing data must be ONGOING…
  - supremo must put procedures into place…

29 Security as a “Process”
- One thing that is sure in computing & computer networks, is that technology doesn’t stand still!!!
  - new area of human endeavour
  - constantly, relentlessly, moving on…
- Therefore, security cannot ever be “done” because something new may be planned today, and rolled out tomorrow…
- That “something new” could make the most secure network suddenly very vulnerable!

30 Managing Information Security as a Process
- MUST acknowledge that security, like (e.g.) accounting, is indeed a process
  - And make someone responsible for that process
- THEN, as a first step…
  - identify all systems that carry information
  - test those systems for potential security breaches
  - secure as appropriate
- Next step: once secure, develop a strategy to MANAGE the process over time...

31 Information Security Management
- A set of procedures
  - administered at organisational level
  - acknowledge the iterative nature of information security & agree on rate of iteration
- Appoint someone with institutional responsibility
  - realistic budget that takes into account the resource and human cost…
  - may use a third-party outsourcer to provide advice, expertise, implement procedures, but at least they are in control of the policy-making
- Even better…. develop an Information Security Management System

32 Information as an Asset
- Traditional organisational asset registers include hardware, that can be given a specific value
- Information not given any monetary value…
- Now recognised as a mistake
  - researchers have established methods to allocate value to information assets
- Other institutional costs invoked if information is lost…

33 The Costs of securing data
- Hardware/software cost
  - fixed and easily determined
- Human resource cost
  - also depends on the human resource the organisation needs to put into enforcing data security procedures
  - more difficult to quantify

34 Costs of Securing Data
- Isolated LAN, with no internet connectivity
  - no need to worry about data in and data out via the Internet
  - less stringent procedures may be needed/enforced
- LAN connected to the Internet:
  - organisations with “secret” data may wish to have more rigorous procedures, and implement them more frequently – more expensive
  - those with no real secrets (political or commercial) may wish to use a more infrequent cycle and less exhaustive procedures – less cost

35 The Costs of Data Loss
- People not able to work…
- Organisation not able to communicate effectively with customers…
- Embarrassment of reporting in the media
- Fines, etc., by FSA or ICO
- Fall in stock market price
- Increase in insurance premiums

36 Information Security Procedures
- Now it’s your turn…
- In small groups:
  - discuss possible procedures the organisation could set up…
  - and how expensive such procedures might be to implement…

37 The ISMS - Making an Information System secure
- As ever, the success of rules and procedures depends on the people and how they are managed…
- In practice, a set of standards has been developed based on the concept of an ISMS (Information Security Management System)

38 An ISMS that is “fit for purpose”
- Each organisation is different!
- ISO27001 standard for an ISMS has identified 133 possible controls
  - How many of these are actually needed depends on the organisational processes
- ISMS needs to acknowledge all aspects of how data is managed
  - requires an understanding of processes
  - and identification of where that data may need to have security controls
- Organisations need to undergo process analysis and risk assessment to determine where controls are needed
  - no point spending money on controls where they are not needed…

39 An Alternative Approach to Security Controls: PCI DSS
- System devised by Credit Card Companies (i.e. banks…)
- Guidelines for a number of years…
- Now (from 1st October 2010) a sting in the tail
  - fines
  - can refuse a business merchant facilities…
- Will affect small businesses WORLDWIDE selling online directly to consumers

40 What is needed for PCI DSS compliance? (1)
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs

41 What is needed for PCI DSS compliance? (2)
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors

42 PCI DSS issues
- Is it realistic?
- Is it essential?
- How can it be policed?
- Discussion in groups…

43 How??? Technologies for Implementing Security Controls
- The rest of this session will concentrate on security of data “on the move”
  - through cabling systems
  - in radio waves
  - via human transportation systems stored on digital media
    - hard disks & CDs
    - digital backup tapes
    - USB sticks…

44 Assumed Technical Knowledge (covered in level 1 & 2 modules)
- Client-server networking and basics of network user administration
  - security established through access levels determined at login
- The Seven OSI layers
- The TCP/IP protocol stack
- Web servers and browsers
- How firewalls fit in with the above…

45 Security of Data “on the move” through Internal networks
- Most organisational computers regularly interchange data
- Data could in theory be copied (although not destroyed) by being intercepted as it passes between computers through use of e/m waves (easy), in copper cables (difficult) and optical fibre cables (very difficult)
- Depending on the nature of the data being compromised, this could be a real and present danger to the organisation…

46 Security and copper cables
- UTP (Unshielded Twisted Pair) is cheap, but not secure:
  - electricity passing through a cable creates a magnetic field
  - that magnetic field can then be intercepted and used to recreate the original signal…
- Shielding stops the magnetic field spreading out
  - STP (Shielded Twisted Pair) cabling available but more expensive…
- Which to use? Good example of cost v risk balance

47 Security and Fibre Optic Cables
- Much better than even shielded copper from a security point of view
  - digital data transmitted as a high intensity light beam
  - no associated magnetic field, so data can’t so easily be “tapped”
- Also can carry much more data than UTP or STP
- Disadvantage:
  - cost… of cables … of installation
- Choice of cable: cost v risk balancing act

48 Security and Radio Waves
- Easy to install
- No cabling needed (except signal boosters)
- BUT… no data security at all!
- Data transmitted in all directions
  - can be received by anyone within range and with the right equipment
  - especially easy to pick up if transmitted as “fixed spectrum”
- “Spread spectrum” radio waves can only be picked up by equipment that can follow the changes in frequency
  - But such equipment is MUCH more expensive…

49 Security and Network Hardware
- Very small organisations may use peer-peer networking and simple cabling
- However….
  - most organisational networks need to use intelligent hubs, bridges, and switches, to connect computers and cabling systems together
  - data will be stored for a short time on these devices before forwarding
- Potentially a target for hackers!!!

50 900 million Internet servers! Navigating data round the Internet

51 Standard Internet Protocols and Security
- When the Internet was developed, the only users were military personnel, research centre administrators, etc. who had been security vetted
  - the protocols were not designed with security in mind
  - just for getting data safely and reliably from one place to another
- As the OSI model became fashionable, the protocols became a complete stack:
  - based on TCP and IP
  - user system security already built in at the session layer
  - no inherent security for data on the move

52 Copying data on an (Inter)networked device
- Most networks nowadays use TCP/IP for Internet connectivity
- Any intelligent device with an IP address and connected to the Internet could theoretically be seen across the network/Internet
  - otherwise, packets couldn’t be navigated to it!
- Data on such a device could be:
  - located using its IP address
  - copied to another destination using a remote computer and an appropriate network protocol (e.g. NFS – network file system, part of the TCP/IP suite)
- It really is as simple as that!!!

53 Copying, Changing, or Deleting Data on a networked computer
- Data could be tapped in exactly the same way on any Internet computer
  - it must have an IP address to participate on the Internet
  - packets going to that computer have a destination IP address in the header, and headers can easily be read
  - NFS can be used to manage data remotely on that computer – which could include copying or (perhaps worse) deleting that data, or even BOTH

54 The Network: Strategies for preventing unauthorised access to data
- Only allow authorised (and TRUSTED) users to gain access to the network and ensure they are always properly authenticated
- Only allow network administrators to have full access
- Monitor the network continually to provide alerts that unauthorised access is being sought
- Encrypt data that will be sent through UTP cables and/or held on computers that are connected to the Internet
- When using the www, use secure versions of network protocols and/or tunnelling protocols to encapsulate and hide data
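
An added example, not part of the original slides: a defender-side audit of an NFS server's export list for the exposure slides 52 to 54 describe, namely shares reachable by any host and clients whose root user keeps full access. It assumes the Linux exports(5) file syntax; the sample file, paths and addresses are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and addresses are illustrative.
SAMPLE_EXPORTS = """\
# constructed example, not from the slides
/srv/public   *(ro,root_squash)
/srv/finance  *(rw,no_root_squash)
/srv/hr       192.0.2.0/24(rw,sync) 198.51.100.7(rw,no_root_squash)
/srv/backup   (rw)
/srv/scratch  buildhost.example.org
"""

# One client entry: optional host/netgroup/CIDR, then optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


def audit_exports(text):
    """Return (line_no, path, client, issue) tuples for risky export entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or [""]:           # no client list means every host
            m = CLIENT_RE.match(client)
            if m is None:
                findings.append((line_no, path, client, "unparseable"))
                continue
            host = m.group("host") or "*"        # empty host field matches anyone
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            if host == "*":
                # exports(5) defaults to read-only unless "rw" is given
                issue = "world-writable" if "rw" in opts else "world-readable"
                findings.append((line_no, path, host, issue))
            if "no_root_squash" in opts:
                # remote root keeps uid 0 on the share: full access for any client admin
                findings.append((line_no, path, host, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for line_no, path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"line {line_no}: {path} -> {client}: {issue}")
```

Entries restricted to a named host or subnet with default options produce no finding, which is the state the slide 54 strategies aim for.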

55 The Virtual Private Network
- When sending data through the Internet, only use a restricted and very secure set of routers
- No IP address broadcasting, because all packets use the same route
- IP tunnelling protocol encapsulates data
  - normal Internet users will therefore not be able to see the sending, receiving, or intermediate IP addresses
- The data sent is encrypted
- Potential hackers therefore don’t get a look in!

56 Future sessions will explore…
  a) theoretical aspects related to the technical implementation of information security
  b) the setting up of policies, procedures, controls and systems to manage information security
See you next week?

