Security Fundamentals
Robin Anderson
UMBC, Office of Information Technology
25-SEPT-2001

A Little About Me…
Unix SysAdmin, Specialist with the Office of Information Technology at UMBC
Taught Unix Administration and SANS Level One Security courses at UMBC
Certified by the SANS Institute GIAC program in UNIX Security and Incident Handling

Topics Outline
Post-Mortems in the News…
Identifying Threats
Countering Threats
The (Vulnerable) Network
Questions You Need to Ask
Recommendations You Want to Make
Resources Online

What Happened to Amazon®?
Website defacing: hackers broke in and put up phony web pages
(And now, newer worms/viruses are doing the same!)
  – September 2000: OPEC [1]
  – February 2000: Amazon®, eBay® [2]
  – November 1999: NASA/Goddard [3]
  – October 31, 1999: Associated Press® [4]
  – August 1999: ABC® [5]
  – June 1999: U.S. Army

What Happened to Yahoo®?
Denial of Service (DoS)
  – February 2000: Yahoo and CNN [1]
Multiple hits
  – September 2000: Slashdot defaced
  – May 2000: Slashdot suffered DoS
  – The irony is that slashdot.org is a popular "news for nerds" website

If They're Vulnerable…
…then you are, too.

The Fundamental Theorem
You have computers because they perform some function that furthers your organization's goals
If you lose the use of those computers, their function is compromised
So: anything that interferes with your organization's effort to achieve its goals is a security concern

What Are You Protecting?
Information
Availability of the systems
Reputation & goodwill

Your Information
Crown jewels
  – Trade secrets, patent ideas, research
Financial information
Personnel records
Organizational structure

Your Availability
Internal use
  – When employees can't use the network, servers, or other necessary systems, they can't work
Website / online transactions
  – Often when systems are unavailable, the organization is losing money

Your Reputation
Public trust
  – If your organization is hacked, how reliable will people think you are in other areas?
  – Who wants to do business with companies that leak credit card information?
Being a good neighbor
  – Your organization may be hacked so it can be used as a springboard to attack others

A Simple Network…
[Diagram: Internet – Router – Firewall – Router]

… Attacked!
[Diagram: the same network with ten numbered threat points (1–10) marked on it; the threats are listed on the next three slides]

What Are These Threats?
1. DoS coming from the Internet
2. Severed physical link
3. Masquerader / spoofer
  – They look like they're already inside
4. Password sniffer

What Are These Threats? (2)
5. Alan brought a floppy from home that has a virus on it
6. Beatrice is about to be fired, and she's going to be angry about it
7. Carter is careless with his passwords: he writes them down and loses the paper

What Are These Threats? (3)
8. David has unprotected shares on his NT box
9. Evan installed a modem on his PC (PCAnywhere)
10. Severed power / HVAC

What Are Threat Vectors?
Vectors are the pathways by which threats enter your network

Threat Vectors - Internal
Careless employees
  – "Floyd the clumsy janitor"
  – "Contraband" hardware / software
  – "Oops, did I just type that?"
Random twits (somewhere between careless and malicious)
Malicious employees
  – Current or former employees with axes to grind
Anyone who can get physical access

Threat Vectors - External
Competitors / spies / saboteurs
Casual & incidental hackers
  – Some hackers don't want your systems except to use them to get at their real target
Malicious hackers
Accidental tourists
Natural disasters
  – Be ready to face down the hurricane

What Are Threat Categories?
Categories are the different kinds of threat you may encounter

Threat Categories
Opportunistic
  – Basic "ankle biters" and "script kiddies"
  – More advanced hackers, hacker groups out trolling
Targeted
  – These attackers know what they want; anything from data to disruption to springboards
"Omnipotent"
  – Government-sponsored professional hackers

Threat Consequences
Bad press
  – Breach of confidentiality
    • Medical data
    • Credit card information
  – Attack platform (you've been subverted!)
Loss of income
  – How much does it cost you in sales to have your databases, website, etc. down for any given length of time?
  – Loss of trade secrets (crown jewels)

The 3 Goals of Security
Ensure availability
Ensure integrity
Ensure authorization & authentication

Threats to Availability
Denial of Service (DoS)
  – Connection flooding
Destroying data
  – Hardware failure
  – Manual deletion
  – Software agents: viruses, trojans

Threats to Integrity
Hardware failure
Software corruption
  – Buggy software
  – Improperly terminated programs
Attacker altering data

Threats to Authorization
Attacker stealing data
Lost / stolen passwords
Information reconnaissance
  • Organization information

Countering These Threats…
…is what security is all about.

Defining Security
Security is a process
  – Training is ongoing
    • Threats change, admins need to keep up
    • Security is inconvenient, all staff needs training
Security is also about policies
There is no silver bullet to fix it all
  – For example, a firewall won't save you
    • Remember the Maginot Line