Chapter 10 Network Security Networking in the Internet Age by Alan Dennis 1 Copyright 2002 John Wiley Sons Inc Copyright John Wiley Sons Inc All rights reserved Reproduction or translation of this work beyond that named in Section 117 of the United States Copyright Act without the express written consent of the copyright owner is unlawful Requests for further information should be addressed to the Permissions Department John Wiley Sons Inc Adopters of the textbook are granted permission to make back up copies for their own use only to make copies for distribution to students of the course the textbook is used in and to modify this material to best suit their instructional needs Under no circumstances can copies be made for resale The Publisher assumes no responsibility for errors omissions or damages caused by the use of these programs or from the use of the information contained herein 2 Chapter 10 Learning Objectives Be familiar with the major threats to network security Be familiar with how to conduct a risk assessment Understand how to prevent detect and correct disruptions destruction and disaster Understand how to prevent detect and correct unauthorized access 3 Chapter 10 Outline Introduction Why networks need security Types of Security Threats Network Controls Risk Assessment Develop a Control Spreadsheet Identify and Document the Controls Evaluate the Network s Security Controlling Disruption Destruction and Disaster Preventing Disruption Destruction and Disaster Detecting Disruption Destruction and Disaster Correcting Disruption Destruction and Disaster Controlling Unauthorized Access Preventing Unauthorized Access Detecting Unauthorized Access Correcting Unauthorized Access 4 Introduction 5 Introduction Security is a major networking concern 90 of the respondents to the 2000 Computer Security Institute FBI Computer Crime and Security Survey reported security breaches in the last 12 months Information Week estimates the annual cost of security losses worldwide at 1 6 trillion It means more than preventing a hacker from breaking into your computer it also includes being able to recover from temporary service problems or from natural disasters Figure 10 1 6 Figure 10 1 Threats to Network Security 7 Types of Security Threats Disruptions are the loss or reduction in network service Some disruptions may also be caused by or result in the destruction of data Natural or manmade disasters may occur that destroy host computers or large sections of the network Unauthorized access is often viewed as hackers gaining access to organizational data files and resources However most unauthorized access incidents involve employees 8 Security Problems Are Growing The Computer Emergency Response Team CERT at Carnegie Mellon University was established with USDoD support in 1988 after a computer virus shut down 10 of the computers on the Internet Figure 10 2 In 1989 CERT responded to 137 incidents In 2000 CERT responded to 21 756 incidents By this count security incidents are growing at a rate of 100 per year Breaking into a computer in the U S is now a federal crime 9 Figure 10 2 Number of Incidents Reported to CERT Source CERT Statistics www cert org stats cert stats html 10 Network Controls Developing a secure network means developing mechanisms that reduce or eliminate the threats to network security called controls There are three types of controls Preventative controls mitigate or stop a person from acting or an event from occurring e g passwords Detective controls reveal or discover unwanted events e g auditing software Corrective controls rectify an unwanted event or a trespass e g reinitiating a network circuit 11 Network Controls It is not enough to just establish a series of controls personnel need to be designated as responsible for network control and security This includes developing controls ensuring that they are operating effectively and updating or replacing controls Controls must also be periodically reviewed to ensure that the control is still present verification determine if the control is working as specified testing 12 Risk Assessment 13 Risk Assessment Risk assessment is the process of making a network more secure by comparing each security threat with the control designed to reduce it One way to do this is by developing a control spreadsheet Figure 10 3 Network assets are listed down the side Threats are listed across the top of the spreadsheet The cells of the spreadsheet list the controls that are currently in use to address each threat 14 Threats Assets with Priority Disruption Destruction Disaster Fire Flood Power Circuit Virus Loss Failure Unauthorized Access External Internal Eavesdrop Intruder Intruder 92 Mail Server 90 Web Server 90 DNS Server 50 Computers on 6th floor 50 6th floor LAN circuits 80 Building A Backbone 70 Router in Building A 30 Network Software 100 Client Database 100 Financial Database 70 Network Technical staff Figure 10 3 Sample control spreadsheet with some assets and threats 15 Network Assets Figure 10 4 Network assets are the network components including hardware software and data files The value of an asset is not simply its replacement cost it also includes personnel time to replace the asset along with lost revenue due to the absence of the asset For example lost sales because a web server is down Mission critical applications are also important assets These are programs on an information system critical to business operations 16 Hardware Servers such as mail servers web servers DNS servers DHCP servers and LAN file servers Client computers Devices such as hubs switches and routers Circuits Locally operated circuits such LANs and backbones Contracted circuits such as MAN and WAN circuits Internet access circuits Network Software Server operating systems and system settings Applications software such as mail server and web server software Client Software Operating systems and system settings Application software such as word processors Organizational Data Databases with organizational records Mission critical applications For example for an Internet bank the Web site is mission critical Figure 10 4 Types of Assets 17 Security Threats A network security threat is any potentially adverse occurrence that can harm or interrupt the systems using the network or cause a monetary loss to an organization Once the threats are identified they are then ranked according to their occurrence Figure 10 5 summarizes the most common threats to