
THE NEED FOR NETWORK SECURITY

Thanos Hatziapostolou

PRESENTATION OBJECTIVES
Understand information security services
Be aware of vulnerabilities and threats

Realize why network security is necessary


What are the elements of a comprehensive security program
The Need for Web Security 2

TRENDS FOR INFORMATION

More information is being created, stored, processed and communicated using computers and networks
Computers are increasingly interconnected, creating new pathways to information assets
The threats to information are becoming more widespread and more sophisticated

Productivity and competitiveness are tied to the first two trends
The third trend makes it inevitable that we are increasingly vulnerable to the corruption or exploitation of information
INFORMATION IS THE MOST VALUABLE ASSET

Information Security Services


Confidentiality
Integrity
Authentication
Nonrepudiation
Access Control
Availability

Information Security Services


Confidentiality
Maintaining the privacy of data

Integrity
Detecting that the data has not been tampered with

Authentication
Establishing proof of identity

Nonrepudiation
Ability to prove that the sender actually sent the data

Access Control
Access to information resources is regulated

Availability
Computer assets are available to authorized parties when needed

What Is The Internet?


Collection of networks that communicate with a common set of protocols (TCP/IP)
Collection of networks with
  no central control
  no central authority
  no common legal oversight or regulations
  no standard acceptable use policy
  wild west atmosphere

Why Is Internet Security a Problem?


Security not a design consideration
Implementing change is difficult
Openness makes machines easy targets
Increasing complexity

Common Network Security Problems


Network eavesdropping
Malicious Data Modification
Address spoofing (impersonation)
Man in the Middle (interception)
Denial of Service attacks
Application layer attacks

Security Incidents are Increasing


[Figure: Sophistication of Hacker Tools and Technical Knowledge Required (High/Low), 1980 to 2000. From Cisco Systems.]

HACKED WWW HOMEPAGES

CIA HOMEPAGE

DOJ HOMEPAGE

USAF HOMEPAGE
11/29/96

Problem is Worsening
[Figure: chart by year, 1988 to 2001, vertical axis 10000 to 60000, labelled with Jerusalem, Michelangelo, Tequila, Good Times, Melissa & ILOVEYOU, Anna Kournikova, Badtrans, Nimda and Code Red. Source: CERT Coordination Center, Carnegie Mellon.]

VIRUSES
Risk  Threat             Discovered   Protection
      TROJ_SIRCAM.A      New !!       Latest DAT
      W32.Navidad        11/03/2000   11/06/2000
      W95.MTX            8/17/2000    8/28/2000
      W32.HLLW.QAZ.A     7/16/2000    7/18/2000
      VBS.Stages.A       6/16/2000    6/16/2000
      VBS.LoveLetter     5/04/2000    5/05/2000
      VBS.Network        2/18/2000    2/18/2000
      Wscript.KakWorm    12/27/1999   12/27/1999
      W32.Funlove.4099   11/08/1999   11/11/1999
      PrettyPark.Worm    6/04/1999    6/04/1999
      Happy99.Worm       1/28/1999    1/28/1999

Consider that
90% of companies detected computer security breaches in the last 12 months
59% cited the Internet as the most frequent origin of attack

74% acknowledged financial losses due to computer breaches


85% detected computer viruses
Source: Computer Security Institute


WHO ARE THE OPPONENTS?


49% are inside employees on the internal network
17% come from dial-up (still inside people)
34% are from the Internet or an external connection to another company of some sort

HACKERS

HACKER MOTIVATIONS
Money, profit
Access to additional resources
Experimentation and desire to learn
Gang mentality
Psychological needs
Self-gratification
Personal vengeance
Emotional issues
Desire to embarrass the target

Internet Security?

Replay Attack

Spoofing

What Do People Do When They Hear All These?


Take the risks!
But there are solutions
Ignoring the situation is not one of them

THE MOST COMMON EXCUSES


No one could possibly be interested in my information.
Anti-virus software slows down my processor speed too much.
I don't use anti-virus software because I never open viruses or e-mail attachments from people I don't know.
So many people are on the Internet, I'm just a face in the crowd. No one would pick me out.
I'm busy. I can't become a security expert--I don't have time, and it's not important enough.

SANS Five Worst Security Mistakes End Users Make


1. Opening unsolicited e-mail attachments without verifying their source and checking their content first.
2. Failing to install security patches, especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.
3. Installing screen savers or games from unknown sources.
4. Not making and testing backups.
5. Using a modem while connected through a local area network.

SECURITY COUNTERMEASURES
THREE PHASE APPROACH
PROTECTION
DETECTION
RESPONSE

ELEMENTS OF A COMPREHENSIVE SECURITY PROGRAM


Have Good Passwords
Use Good Antiviral Products
Use Good Cryptography
Have Good Firewalls
Have a Backup System
Audit and Monitor Systems and Networks
Have Training and Awareness Programs
Test Your Security Frequently

CRYPTOGRAPHY
Necessity is the mother of invention, and computer networks are the mother of modern cryptography.
Ronald L. Rivest

Symmetric Key Cryptography
Public Key Cryptography
Digital Signatures



Firewall
A system or group of systems that enforces an access control policy between two networks.
[Figure: firewall diagram with labels PC, Servers, Visible IP Address, Internal Network, Host]

THANK YOU
I have questions
