
Network Security

Fundamental Aspects

Msc. Vuong Thi Nhung


Faculty of Information Technology
Hanoi University
Aug 23, 2015
Contents

 History of Information Security
 Information Security Definition and Concept
 AAA & CIA models
 Threats and Risks
 Some security guidelines
The story of the Internet worm

 On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet.
 He chose to release it from MIT, to disguise the fact
that the worm came from Cornell.
 Morris soon discovered that the program was
replicating and reinfecting machines at a much
faster rate than he had anticipated.
 Ultimately, many machines at locations around the country either crashed or became “unresponsive”.
 When Morris realized what was happening, he
contacted a friend at Harvard to discuss a solution.
Eventually, they sent an anonymous message from
Harvard over the network, instructing programmers
how to kill the worm and prevent reinfection.
 However, because the network route was blocked,
this message did not get through until it was too
late.
 Computers were affected at many sites, including
universities, military sites, and medical research
facilities. The estimated cost of dealing with the
worm at each installation ranged from $200 to more
than $53,000.
 The program took advantage of a hole in the debug
mode of the Unix sendmail program, which runs on
a system and waits for other systems to connect to it
and give it email.
 People at the University of California and MIT had
copies of the program and were actively
disassembling it (returning the program back into its
source form) to try to figure out how it worked.
 Teams of programmers worked non-stop to come up
with at least a temporary fix, to prevent the
continued spread of the worm.
 The information didn't get out as quickly as it could
have, however, since so many sites had completely
disconnected themselves from the network.
 After a few days, things slowly began to return to
normalcy and everyone wanted to know who had
done it all. Morris was later named in The New York
Times as the author of the worm.
 Robert T. Morris was convicted of violating the
Computer Fraud and Abuse Act (Title 18), and
sentenced to three years of probation, 400 hours of
community service, a fine of $10,050, and the costs
of his supervision. His appeal, filed in December
1990, was rejected the following March.

http://www-swiss.ai.mit.edu/6805/articles/morris-worm.html
 After the incident, Morris was suspended from
Cornell for acting irresponsibly according to a
university board of inquiry. Later, Morris would obtain
his Ph.D. from Harvard University for his work on
modeling and controlling networks with large
numbers of competing connections.

 Robert Morris is currently an assistant professor at MIT (apparently they forgave him for launching his worm from their network) and a member of their Laboratory of Computer Science in the Parallel and Distributed Operating Systems group. He teaches a course on Operating System Engineering and has published numerous papers on advanced concepts.
What is Security

 Security: “The quality or state of being secure—to be free from danger”
 Security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
 Necessary tools: policy, awareness, training, education, technology
Layers of security

 A successful organization should have multiple layers of security in place:
 Physical security - To protect the physical items, objects, or
areas of an organization from unauthorized access and
misuse.
 Personal security - To protect the individual or group of
individuals who are authorized to access the organization
and its operations.
 Operations security - To protect the details of a particular
operation or series of activities
 Communications security - To protect an organization’s
communications media, technology, and content.
 Network security - To protect networking components,
connections.
 Information security - To protect the confidentiality, integrity
and availability of information assets, whether in storage,
processing or transmission.
 It is achieved via the application of policy, education,
training and awareness, and technology.
Building elements of Information Security

(Diagram: the AAA triangle of Authentication, Access Control and Auditing.)
Authentication

 Sender, receiver want to confirm identity of each other
 Who am I talking to?


Example: FIT E-learning

(Diagram: Student V reaches FIT E-learning through ISPs A, B, C and D.)

Authentication: Who am I talking to?

(Diagram: Student V says “Hello, I’m V”; FIT E-learning asks “Is that student V?”; Student V asks “Is that FIT?”)
Authentication

 Protection Mechanisms
 Password
 Manual
 One-Time Password
 Key Sharing
 Public-private keys
 Wifi
 Challenge-Response
 Multi-factor Authentication
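As an added example that is not part of these slides, the Python sketch below walks through the challenge-response mechanism from the list above between Student V and the FIT E-learning server: the server sends a fresh random nonce, the client answers with an HMAC keyed by a secret both sides hold, and the secret itself never travels over the network. The shared key, the user name and the AuthServer class are constructed for this example; the three cases at the end show a genuine login, a replay of a captured response, and an answer computed without the key.

```python
import hashlib
import hmac
import secrets

# Constructed shared key for the example; in a real deployment it is provisioned
# out of band (e.g. at enrolment) and never transmitted.
SHARED_KEYS = {"student_v": b"constructed-example-key-for-student-v"}


def client_respond(user: str, challenge: bytes, key: bytes) -> bytes:
    """Client side: prove knowledge of the key by keying a MAC over the nonce.
    The key itself never goes on the wire, only this response."""
    return hmac.new(key, user.encode() + challenge, hashlib.sha256).digest()


class AuthServer:
    """Server side of the exchange: issues a fresh nonce per attempt and checks the answer."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.pending = {}  # user -> outstanding challenge (one per attempt)

    def start(self, user: str) -> bytes:
        # "Hello, I'm V" -> the server answers with a random, single-use challenge
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        # The challenge is consumed whether or not the response is right,
        # so a captured response cannot be replayed against a later attempt.
        challenge = self.pending.pop(user, None)
        key = self.keys.get(user)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, user.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_exchange() -> tuple:
    """Legitimate login, a replay of the captured response, and a guess without the key."""
    server = AuthServer(SHARED_KEYS)
    user = "student_v"
    key = SHARED_KEYS[user]

    challenge = server.start(user)
    response = client_respond(user, challenge, key)
    genuine = server.verify(user, response)

    server.start(user)                        # new attempt, new nonce
    replayed = server.verify(user, response)  # the old response no longer matches

    challenge3 = server.start(user)
    guessed = server.verify(user, client_respond(user, challenge3, b"wrong-key"))
    return genuine, replayed, guessed


if __name__ == "__main__":
    print(run_exchange())  # (True, False, False)
```

Two details matter for a real implementation: the nonce must be unpredictable and used once (hence `secrets.token_bytes` and popping it on verify), and the comparison must not leak timing, which is why `hmac.compare_digest` is used instead of `==`.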
Access Control

 Access control can be defined as a policy, software component, or hardware component that is used to grant or deny access to a resource.
 Example of hardware components: A smart card, a biometric device, or network access hardware
Access Control

 Services must be accessible to appropriate users
 Do you have adequate privileges to access this information?
Access control

(Diagram: Mr. Anonymous and Student V on the path through ISPs A, B, C and D to FIT E-learning; the question is “Is Mr. T allowed to view course contents?”)
Access Control

 Protection mechanisms
 Access control list
 Firewall
 VPN
 Smart card
 Rules
Auditing

 Auditing is the process of tracking and reviewing events, errors, access, and authentication attempts on a system.
 Protection mechanism: logging system, history.
Auditing

 Develop a path and trail system in the logging of the monitored events that allows tracking of usage and access, either authorized or unauthorized.
 It improves security and allows for better audit policies and rules
Example: Enable auditing for logon
events
Go to Administrative Tools | Local Security Policy
Navigate to Local Policies | Audit Policy
Enable auditing for logon events

Go to Event Viewer to see logs.
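Enabling the audit policy only produces the records; the value of auditing comes from reviewing them. As an added example (not from the slides), the Python script below reviews logon events of the kind the steps above switch on. The log lines are constructed in a simplified text form of this example's own; the event IDs 4624 and 4625 are Windows' own IDs for a successful and a failed logon, and the threshold of five failures from one source is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample of logon audit events in a simplified text form (this example's own
# layout, not Event Viewer's native export). 4624 and 4625 are Windows' own event IDs
# for a successful and a failed logon.
SAMPLE_LOG = """\
2015-08-23T09:00:01 EventID=4624 Account=student_v Source=10.0.0.5 LogonType=3
2015-08-23T09:01:10 EventID=4625 Account=admin Source=203.0.113.7 LogonType=3
2015-08-23T09:01:12 EventID=4625 Account=admin Source=203.0.113.7 LogonType=3
2015-08-23T09:01:15 EventID=4625 Account=admin Source=203.0.113.7 LogonType=3
2015-08-23T09:01:19 EventID=4625 Account=admin Source=203.0.113.7 LogonType=3
2015-08-23T09:01:23 EventID=4625 Account=admin Source=203.0.113.7 LogonType=3
2015-08-23T09:02:00 EventID=4625 Account=student_v Source=10.0.0.5 LogonType=2
this line is malformed and must be skipped, not crash the review
2015-08-23T09:02:30 EventID=4624 Account=student_v Source=10.0.0.5 LogonType=2
2015-08-23T09:05:00 EventID=4624 Account=admin Source=203.0.113.7 LogonType=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) Source=(?P<src>\S+)"
)

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625


def parse(log_text: str) -> list:
    """Turn the text log into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines; an audit review should not die on one bad record
        events.append((m["ts"], int(m["id"]), m["acct"], m["src"]))
    return events


def flag_suspicious(events: list, threshold: int = 5) -> list:
    """Report (account, source) pairs with >= threshold failed logons, and whether a
    success from the same pair came after the last failure (the password was guessed)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, eid, acct, src in events:
        if eid == LOGON_FAILURE:
            failures[(acct, src)].append(ts)
        elif eid == LOGON_SUCCESS:
            successes[(acct, src)].append(ts)

    findings = []
    for (acct, src), fails in failures.items():
        if len(fails) < threshold:
            continue
        last_fail = max(fails)  # ISO-8601 timestamps sort correctly as strings
        findings.append({
            "account": acct,
            "source": src,
            "failures": len(fails),
            "success_after_failures": any(ts > last_fail for ts in successes.get((acct, src), [])),
        })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(parse(SAMPLE_LOG)):
        print(finding)
```

The single failed logon by Student V followed by a success is the ordinary typo case and stays below the threshold; the run of five failures on the admin account from one source followed by a success is what a reviewer should look at first.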


Security Goal

Confidentiality, Integrity, Availability (the CIA triad)

Information attributes

ISO 27002:2005 defines Information Security as the preservation of:

– Confidentiality: Ensuring that information is accessible only to those authorized to have access
– Integrity: Safeguarding the accuracy and completeness of information and processing methods
– Availability: Ensuring that authorized users have access to information and associated assets when required

3/29/2019
Mohan Kamat
25
Confidentiality

 Only sender, intended receiver should “understand” message contents
 Is my data hidden?
Confidentiality

 Protection Mechanisms
 Data encryption
 Symmetric
 Asymmetric (public-private keys)
Confidentiality: Is my data hidden?

(Diagram: Student V sends homework to FIT E-learning through ISPs A, B, C and D while Mr. T watches the path: “Can Mr. T see my homework?”)
Integrity

 Sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
 Has my data been modified?


Integrity: Has my data been modified?

(Diagram: Mr. T on the path between Student V and FIT E-learning: “Can Mr. T modify student V’s homework?”)
Integrity

 Protection mechanisms
 Digital signature
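Added example, not part of the original slides: a textbook RSA signature over a SHA-256 digest, showing the integrity property the slide names. Only the holder of the private exponent can produce a signature, anyone with the public exponent can check it, and the check fails as soon as a single character of the homework changes. The key is constructed from two well-known Mersenne primes and uses no padding, so it is a classroom toy; a real system uses a library with proper key sizes and padding (RSA-PSS, or Ed25519).

```python
import hashlib

# Constructed toy key: two known Mersenne primes, far too small for real use and
# used without padding. The point is the integrity property, not a production scheme.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+ modular inverse)


def digest(msg: bytes) -> int:
    """Hash the message, then reduce into the modulus (needed only because the toy key is tiny)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, d: int = D, n: int = N) -> int:
    """Signer side: only whoever holds d can compute this."""
    return pow(digest(msg), d, n)


def verify(msg: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Verifier side: recompute the digest of the received message and compare
    it with what the signature decrypts to under the public key."""
    return pow(sig, e, n) == digest(msg)


def demo() -> tuple:
    """Genuine signature, a modified message under the same signature, and a guessed signature."""
    homework = b"Student V: answer to question 1 is 42"
    sig = sign(homework)
    genuine = verify(homework, sig)
    tampered = verify(b"Student V: answer to question 1 is 41", sig)  # Mr. T edits one digit
    forged = verify(homework, 12345)                                    # no private key, no luck
    return genuine, tampered, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note what the signature does and does not give: it detects modification and binds the message to the signer's key, but it does not hide the content. Confidentiality (the previous slide) needs encryption in addition.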
Availability

 Services must be available to users
 Can I reach the destination?
Availability: Can I reach the destination?

(Diagram: Student V trying to reach FIT E-learning through ISPs A, B, C and D: “Can I access FIT during midterm?”)
Availability

 Protection mechanisms
 Backup and recovery
 Firewall
 Vulnerability scanning and patching
 Intrusion detection and response
 Virus scanning
What is Risk?

Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Threat: Something/Someone that can potentially cause damage to the organisation, IT Systems or network.

Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.
Infosec Survey

• Information Security is an “Organizational Problem” rather than an “IT Problem”
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest Risk: People
• Biggest Asset: People
• Social Engineering is a major threat
• More than 2/3 express their inability to determine “Whether my systems are currently compromised?”
Risks & Threats

Potential Threats

• High User Knowledge of IT Systems
• Theft, Sabotage, Misuse
• Virus Attacks
• Systems & Network Failure
• Lack Of Documentation
• Lapse in Physical Security
• Natural Calamities & Fire
SO HOW DO WE OVERCOME THESE PROBLEMS?
User Responsibilities

Information Security Policy

IS Policy is approved by Top Management
Policy is released on Intranet at http://xx.xx.xx.xx/ISMS/index.htm
User Responsibilities

Access Control - Physical

Do:
• Follow Security Procedures
• Wear Identity Cards and Badges
• Ask unauthorized visitors for their credentials
• Attend visitors in Reception and Conference Room only

Do not:
• Bring visitors into the operations area without prior permission
• Bring hazardous and combustible material into the secure area
• Practice “Piggybacking”
• Bring and use pen drives, zip drives, iPods or other storage devices unless authorized to do so
User Responsibilities

Password Guidelines

Do:
 Always use a password of at least 8 characters combining letters, numbers and special characters (*, %, @, #, $, ^)
 Use passwords that you can easily remember
 Change your password regularly as per policy
 Use a password that is significantly different from earlier passwords

Do not:
 Use passwords that reveal your personal information or words found in a dictionary
 Write down or store passwords
 Share passwords over phone or E-mail
 Use passwords that do not match the above complexity criteria
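Added example, not from the slides: a Python check that applies the password guidelines above to a candidate password at change time. The word list, the user profile and the minimum edit distance of 4 used for “significantly different” are constructed assumptions. It goes a little beyond the slide by also screening words taken from the user's own profile, which is how the “personal information” rule is usually enforced.

```python
# Character set the guidelines list; assumed to be the complete allowed set here.
SPECIALS = set("*%@#$^")
MIN_LEN = 8

# Constructed inputs standing in for a real dictionary and the user's profile record.
DICTIONARY = {"password", "welcome", "hanoi", "summer", "letmein", "admin"}
PROFILE = {"name": "Student V", "birth_year": "1996", "city": "Hanoi"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to decide whether a new password is 'significantly different'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def personal_info_words(profile: dict) -> set:
    """Tokens of three or more characters from the user's profile values."""
    words = set()
    for value in profile.values():
        for token in str(value).lower().replace("-", " ").split():
            if len(token) >= 3:
                words.add(token)
    return words


def check_password(new: str, profile: dict = PROFILE, current: str = None,
                   min_distance: int = 4) -> list:
    """Return the list of guideline violations; an empty list means the password is acceptable.
    'current' is the password the user types to authorise the change, so the similarity
    rule can be evaluated without ever storing old passwords in clear."""
    problems = []
    if len(new) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in new):
        problems.append("no letters")
    if not any(c.isdigit() for c in new):
        problems.append("no digits")
    if not any(c in SPECIALS for c in new):
        problems.append("no special character from * % @ # $ ^")

    lowered = new.lower()
    for word in DICTIONARY | personal_info_words(profile):
        if word in lowered:
            problems.append(f"contains dictionary/personal word '{word}'")
            break

    if current is not None and levenshtein(lowered, current.lower()) < min_distance:
        problems.append("too similar to the current password")
    return problems


if __name__ == "__main__":
    for candidate in ("Sunny#2015Day", "hanoi123", "Ab1#"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The similarity rule can only be evaluated at change time, when the user supplies the current password; a stored password history should hold salted hashes, which allow detecting exact reuse but not near-misses.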
User Responsibilities

Internet Usage

 Use internet services for business purposes only
 Do not use internet for viewing, storing or transmitting obscene or pornographic material
 Do not use internet for accessing auction sites
 Do not use internet for hacking other computer systems
 Do not use internet to download / upload commercial software / copyrighted material

Technology Department is continuously monitoring Internet Usage. Any illegal use of internet and other assets shall call for Disciplinary Action.
User Responsibilities

E-mail Usage

 Use official mail for business purposes only
 Follow the mail storage guidelines to avoid blocking of E-mails
 If you come across any junk / spam mail, do the following
  a) Remove the mail.
  b) Inform the security help desk
  c) Inform the same to the server administrator
  d) Inform the sender that such mails are undesired
 Do not use your official ID for any personal subscription purpose
 Do not send unsolicited mails of any type like chain letters or E-mail Hoaxes
 Do not send mails to clients unless you are authorized to do so
 Do not post non-business related information to a large number of users
 Do not open mail or attachments suspected to carry a virus or received from an unidentified sender
User Responsibilities

Security Incidents

Report Security Incidents (IT and Non-IT) to Helpdesk through
• E-mail to info.sec@organisation.com
• Telephone : xxxx-xxxx-xxxx
• Anonymous Reporting through Drop boxes

e.g.:
IT Incidents: Mail Spamming, Virus attack, Hacking, etc.
Non-IT Incidents: Unsupervised visitor movement, Information leakage, Bringing unauthorized Media

• Do not discuss security incidents with anyone outside the organisation
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents
User Responsibilities

 Ensure your desktops have the latest antivirus updates
 Ensure your system is locked when you are away
 Always store laptops/media in a lockable place
 Be alert while working on laptops during travel
 Ensure sensitive business information is under lock and key when unattended
 Ensure back-up of sensitive and critical information assets
 Understand compliance issues such as
  Cyber Law
  IPR, Copyrights, NDA
  Contractual Obligations with customer
 Verify credentials if a message is received from an unknown sender
 Always switch off your computer before leaving for the day
 Keep yourself updated on information security aspects
Disable Non-essential services, protocols, processes, programs

 Unneeded protocols, systems, and processes rob systems of resources and open the way for attacks that could damage your systems.
 If they are not being actively used, they are an unnecessary security risk.
 The solution is simply to disable or inactivate the service, protocol, system, or process which is not needed.

But… Be Careful!

You need to understand what it is and what you are doing!
Example: FIT E-learning

(Diagram: Student V reaches FIT E-learning through ISPs A, B, C and D; Mr. T sits on the path.)

Example: FIT-E-learning

(Diagram: Student V sends “Hello, I’m V” to FIT E-learning through ISPs A, B, C and D.)
Tutorial

 Using wireshark to sniff the network traffic.

 Let’s see if you can get some passwords?
