Network Security Risks

This preview shows page 1-2-3-24-25-26-27-48-49-50 out of 50 pages.



Slide titles:

1. Network Security Risks
2. IS Auditor Role
3. Networks Are Vulnerable to Attack
4. PowerPoint Presentation
5. Sneaker Net
6. WAN
7. Slide 7
8. Routers, Firewalls, Gateways
9. TCP/IP Internet Protocol
10. Securing Messages / Transactions
11. Authentication
12. Authentication Devices
13. Passwords
14. Symmetric Encryption
15. Asymmetric Encryption
16. Encryption of data
17. Slide 17
18. Securing Transactions
19. Stored Account System
20. Stored Value Systems – E-cash
21. New Systems
22. Smart Cards
23. Slide 23
24. Secure Sockets Layer
25. Secure Electronic Transaction Protocol
26. Public Key Infrastructure (PKI)
27. Slide 27
28. Slide 28
29. Risks to the client
30. Active Content
31. Active X Controls
32. Slide 32
33. Java Applets
34. Cookies
35. Operating System Risks
36. Operating System Risks 2
37. Computer Emergency Response Team Coordination Center
38. Viruses, Worms, Trojans
39. Securing the Server
40. Denial of Service Attacks
41. Web Page Defacing
42. Malicious Web Sites
43. People & Security - Policies
44. Social Engineering
45. Insider Risks
46. Onion Approach
47. Tools
48. Tools 2
49. Network sniffers
50. Questions & Discussion

Network Security Risks

IS Auditor Role
Collect evidence to ascertain an entity's ability to:
- Safeguard assets
- Provide data integrity
- Efficiency of systems
- Effectiveness of systems

Networks Are Vulnerable to Attack
- Hackers / Crackers
- Terrorists
- Insiders
- Logical Attack
- Physical Attack
- http://www.msnbc.com/news/482181.asp#BODY
- $, trust, secrets, infrastructure
- Financial Transactions - $Trillions/year EFT/Credit Card
- Pentagon – 500,000 attempted attacks/year
- Microsoft – Hacked
- Denial of Service – February
- Melissa – I Love You
- Physical Access Attack

Sneaker Net
[Network diagram. Labels: Hub; Clinic (x4); Internet / VPN; ISP; CSU/DSU; T1; Router / Packet filtering firewall; Internet Gateway; hubs, switches and PCs; Admin - 330 PC's; Dr's Offices - 200 PC's; Operating Rooms - 20 PC's; Classrooms; Mainframe; Servers]

WAN
[Diagram labels: ISP 2; Fault tolerance]

Routers, Firewalls, Gateways
- Firewalls - hardware/software used to protect assets from untrusted networks
- Gateway/proxy server - allows information to flow between internal and external networks but does not allow the direct exchange of packets
- DMZ - isolates internal network from vulnerable web servers
- Router - manages network traffic, forwards packets to their correct destination by the most efficient path
  - Filters packets by a pre-determined set of rules
  - IP source address, IP destination address, source port, and destination port
  - Are only as secure as the quality of the rule set designed

TCP/IP Internet Protocol
- IP - standard for internet message exchange
  - Does not guarantee delivery of packets
  - Packets using IP travel similarly to a post card
  - Does not provide for data integrity or timeliness, security, privacy or confidentiality
- TCP, with error correction services, is stacked on top of IP to form TCP/IP
- Port – address on host where application makes itself available to incoming data
  - 23 – telnet
  - 25 – SMTP
- Packet – unit of information transmitted as a whole, inc. source and destination address
- IP address – unique 32 bit number, 4 octets separated by periods
  - 144.92.43.178
  - InterNIC

Securing Messages / Transactions

Authentication
- Something you have - Smart card
- Something you are - Biometric devices
- Something you know - Password

Authentication Devices
- Biometric devices
  - Retinal scan
  - Fingerprints
  - Voice recognition
  - Facial recognition
- Secure ID tokens
  - something you have - token
  - something you know - pin
  - used to generate password that changes once a minute

Passwords
- Proper maintenance & procedures essential
- Post-it notes - on monitors and under keyboards ?
- Longer than 8 characters
- Not comprised of English words
- Include special characters
- Change regularly
- L0pht crack (L0phtCrack)

Symmetric Encryption
- Secret key used for encryption and decryption is identical
- Alice and Bob must exchange the secret key in advance
- Impractical for large numbers of people to securely exchange shared secret keys

Asymmetric Encryption
- Public-private key pairs, used to overcome the problem of shared secret keys
- Owner of the key knows private key
- Public key is shared with everyone
- Message confidentiality - Bob encrypts a message with Alice's public key and on receipt Alice decrypts the message with her private key

Encryption of data
- Keys / Cipher length is important
- Expressed in bits
- 40 bit cipher can be broken in 3.5 hrs
- 56 bit - 22 hours 15 min, 64 bit - 33-34 days, 128 bit - > 2000 years

- Message integrity
- Authentication
- Nonrepudiation
- Message confidentiality
- Message encryption
- Digital signature
- Message Digest

Securing Transactions
- Data theft
  - Customer lists, engineering blueprints and other company secrets
  - Company assets vulnerable since connected to public networks
  - Cracker Kevin Mitnick stole plans for Motorola's StarTac
  - Used IP spoofing
- Theft of money
  - German Chaos Computer Club used an Active X control to schedule transfer of money from the victim's online bank account to numbered bank account controlled by crackers

Stored Account System
- Similar to existing debit/credit card systems
- Use existing infrastructure/payment systems based on electronic funds transfer
- Use settlement houses/clearing houses
- Highly accountable and traceable
- Traceable - raise privacy concerns "big brother"
- Slow and expensive online verification is necessary
- SET - secure electronic transaction, CyberCash

Stored Value Systems – E-cash
- Private, no approval from bank needed
- Security stakes are high
  - Counterfeiting
  - Absence of control & auditing
- Potentially $8 trillion a year market
- People do not yet trust e-cash technology
- More popular in Europe
- E-cash superior to cash
  - Do not require proximity
  - Do not create weight & storage problems of cash

New Systems
- DigiCash, Mondex and Visa Cash
- Stored value and/or stored accounts
- E-cash is stored on an electronic device
- Use smart card or e-cash could be stored on a PC
- Electronic wallet technology
- Merchant adds or subtracts e-cash value using encrypted messaging between computers or by inserting the smart card in the merchant's smart card reader
- Mondex - Devices

Smart Cards
- Credit card sized devices w/ chip & memory
- Contain operating systems & applications
- Reader device attached to PC can read smart card
- Avoid problem of e-cash being stored on insecure hard drives
- Smart cards disabled when physically attacked

Smart Cards
- Will be ubiquitous
- Loyalty information – frequent flier miles
- Health records and health insurance information
- Debit, credit, and charge

