2. Today’s Chocolate Bar
Snickers – AGAIN!
• In 1930, the Mars family introduced its second product, Snickers, named after one of their favorite horses
• Snickers is the best selling chocolate bar of all time and has annual global sales of US$2 billion
3. Nutty Cisco Video
• Watch video
• Think about what you would do to protect your server area, using your knowledge gained so far in the class
• Split into groups of four, come up with a mini presentation
• Talk to class for 3 minutes
4. Network Security
• Why didn’t we talk about this on day one?
• Bringing it all together
• Protect the network and the network-accessible resources from unauthorized access, and consistently and continuously monitor and measure its effectiveness
5. Network Security vs. Computer Security
• Securing network infrastructure is like securing possible entry points of attacks on a country by deploying appropriate defense.
• Computer security is more like providing means to protect a single PC against outside intrusion.
6. Network Security
• Prevents users from ever being exposed to attacks
• Protection of all entry points and shared resources
• Printers, network attached storage (NAS), iPhones, etc.
• Attacks stop at entry points, BEFORE they spread
7. Computer Security
• Focused on an individual host
• A computer’s security is vulnerable to people who have higher access privileges than the protection mechanism.
• While this is also true with Network Security, it is less likely.
8. Attributes Of A Secure Network
• Authentication
• Authorization
• Firewall
• Intrusion Prevention System
• Antivirus
• Honeypots
• Monitoring
10. Authorization
• Determining the level of access that a given individual should have
• Authorization is done after authentication
11. Firewall
• An integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.
12. Intrusion Prevention System
• An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities.
13. Antivirus and Anti-Malware
• Scans and cleanses data in storage and as it travels across the network, so end users are not exposed to this type of threat
14. Honeypots
• Essentially decoy network-accessible resources that can be deployed in a network as surveillance and early-warning tools.
15. Security Management
• Depends on environment
• Small, medium and large businesses, educational institutions, government.
16. Small Business
• A basic firewall.
• For Windows users, basic antivirus and anti-spyware/anti-malware software.
• When using a wireless connection, use a robust password.
• Use the strongest security supported by your wireless devices, such as WPA or WPA2.
17. Medium Business
• A strong firewall
• Strong Antivirus software and Internet Security Software.
• For authentication, use strong passwords and change them on a monthly basis.
• When using a wireless connection, use a robust password.
• Raise awareness about physical security among employees.
• Use an optional network analyzer or network monitor.
18. Large Business
• A strong firewall and proxy to keep unwanted people out.
• A strong Antivirus software package and Internet Security Software package.
• For authentication, use strong passwords and change them on a weekly/bi-weekly basis.
• When using a wireless connection, use a robust password.
• Enforce physical security precautions for employees.
19. Large Business
• Prepare a network analyzer or network monitor and use it when needed.
• Implement physical security management like closed circuit television for entry areas and restricted zones.
• Security fencing to mark the company's perimeter.
• Fire extinguishers for fire-sensitive areas like server rooms and security rooms.
• Security guards can help to maximize security.
20. Educational Institutions
• An adjustable firewall
• Strong Antivirus software and Internet Security Software packages.
• Wireless connections that lead to firewalls.
• Children's Internet Protection Act compliance.
• Supervision of network to guarantee updates and changes based on popular site usage.
• Constant supervision by teachers, librarians, and administrators to guarantee protection against attacks by both internet and sneakernet sources.
21. Federal Government
• A strong firewall and proxy to keep unwanted people out.
• Strong Antivirus software and Internet Security Software suites.
• Strong encryption, usually with a 256 bit key.
• Whitelist authorized wireless connections, block all else.
• All network hardware is in secure zones.
• All hosts should be on a private network that is invisible from the outside.
• Put all servers in a DMZ, or behind a firewall from the outside and from the inside.
• Security fencing to mark perimeter and set wireless range to this.
22. Change Control
• A general term describing the procedures used to ensure that changes (normally, but not necessarily, to IT systems) are introduced in a controlled and coordinated manner
23. Goals of Change Management
• Minimal disruption to services
• Reduction in back-out activities
• Economic utilization of resources involved in implementing change
• Ensure that a product, service or process is only modified in line with the identified necessary change
24. Why Is Change Control Important In IS Security?
• It is particularly related to software development because of the danger of unnecessary changes being introduced without forethought, introducing faults (bugs) into the system or undoing changes made by other users of the software. Later it became a fundamental process in quality control.
25. The Change Control Process
• Record / Classify
• Assess
• Plan
• Build / Test
• Implement
• Close / Gain Acceptance.
26. Record and Classify
• A formal request is received for something to be changed, known as the "Change Initiation".
• Someone then records and classifies or categorizes that request. Part of the classification would be to assign a Category to the change, i.e. is the change a "major business change", "normal business change" or "minor business change".
28. Assessment
• The impact assessors make their risk analysis, typically by answering a set of questions concerning risk, both to the business and to the IT estate, and follow this by making a judgment on who should carry out the change.
29. Build and Test
• Plan the change in detail, and also construct a regression plan in case it all goes wrong
• The plan should be checked out by an independent reviewer
• Build the solution, which will then be tested
• Seek approval and maybe a review, and request a time and date to carry out the implementation phase.
30. Implementation
• The Change Manager approves the change with an “Authority to Implement” flag
• The change can then be implemented but only at the time and date agreed
• Following Implementation, it is usual to carry out a “Post Implementation Review”
• When the client agrees all is OK, the change can be closed.
31. Outsourcing Related Security Issues
• Two main issues with collaborative design (outsourcing) revolve around TRUST:
– Confidentiality (of product design data in storage or in transit)
– Access Control (read, write, delete privileges)
• Suppliers can be competitors, or have close relationships with competitors
32. Potential Threats of Outsourcing
• Theft of trade secrets, or intellectual property
• Introduction of viruses/malware to the network
• Lack of understanding of corporate systems could result in damage or data loss
• Loss of control over sharing of sensitive data
33. Potential Threats of Outsourcing
• Spoofing: A competitor uses a manager’s or outsourcer’s ID to gain access to valuable product data to use in their own designs
• Tampering: Changing the product information in the database to ruin the final product design. Changing access controls, allowing competing companies access to each other’s information
• Repudiation: A user goes in and performs a malicious act (submits false product data) and says that it was not him who did it
34. Countermeasures
• Electronic Vault
• Engineering Change Control
• Release-Management Process
• Flexible Access Control
• Data Set Access Control
• Scheduled Access Control
35. Electronic Vault
• Keeps files in native form while still encrypting files
• End-to-end security
– Encryption
– Access Control
• Creates tamper-evident audit trails (any and all access to a document is logged)
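One way to make an access log tamper-evident, as the last bullet describes, is to chain each entry to the hash of the one before it. This is an added example, not part of the original slides; the class, field names, users and file name are hypothetical, and the log entries are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes identically.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

class AuditTrail:
    """Append-only access log; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def log_access(self, user, document, action, timestamp):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"user": user, "document": document,
                  "action": action, "timestamp": timestamp}
        self.entries.append({"record": record, "prev": prev_hash,
                             "hash": _digest(prev_hash, record)})

    def first_bad_index(self):
        """Return the index of the first entry that fails verification, or None."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            expected = _digest(prev_hash, entry["record"])
            if entry["prev"] != prev_hash or entry["hash"] != expected:
                return i
            prev_hash = entry["hash"]
        return None

def demo():
    # Constructed sample accesses to one design file.
    trail = AuditTrail()
    trail.log_access("supplier_a", "bracket_v3.cad", "read", "2024-01-10T09:00:00Z")
    trail.log_access("supplier_b", "bracket_v3.cad", "write", "2024-01-10T09:05:00Z")
    trail.log_access("manager", "bracket_v3.cad", "read", "2024-01-10T09:10:00Z")
    intact = trail.first_bad_index()
    # Someone rewrites history to hide the write; the stored hash no longer matches.
    trail.entries[1]["record"]["action"] = "read"
    return intact, trail.first_bad_index()

if __name__ == "__main__":
    print(demo())
```

The chain only detects edits if the latest hash is regularly copied somewhere the log's writers cannot modify; anyone able to rewrite the whole log could otherwise recompute every hash.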
36. Electronic Vault Advantages
• Document accuracy
– Maintains print streams in native format
• Document quality
– Streams are compressed in electronic vault without loss of resolution
• Flexibility
– Easy to enhance, modify, combine, engineer streams
37. Electronic Vault Advantages (cont.)
• Speed
– Loaded into vault with almost no disruption of operations
• Long-term viability
– Since native format is allowed, electronic vault can be used in the future
38. Engineering Change Control
• Defines and controls the process of reviewing and approving changes to the product data
• Prevents tampering through an accountability factor
• A new version of the data is released in the database to allow for reversal if necessary
39. Release-Management Process
• Data released when approved
• Access based on project, password, and other controls that the user defines
• Allows for auditing and tracking of information
• Creates relationships among product data
• Prevents leaking of information about competing suppliers' actions
40. Flexible Access Control
• Role-based
• Allows for project to have users change groups and roles
• Enables distributed design data access and sharing
41. Scheduled Access Control
• Schedule for suppliers to work on certain resources
• Privileges granted at certain periods when they are needed in the design process
• Revoked when not needed
42. Data Set Access Control
• Data are assigned roles
• Different views of data based on how organizations and individuals behave in a task
• Least Privilege Security Principle
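The three access-control countermeasures above (flexible, scheduled and data set access control) can be combined into a single deny-by-default check. This is an added example, not part of the original slides; the `Policy` and `Grant` classes, role names, data set names and user addresses are all hypothetical, and the sample policy is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    role: str              # role the privileges are attached to
    dataset: str           # part of the design data the grant covers
    privileges: frozenset  # subset of {"read", "write", "delete"}
    start: datetime        # scheduled window start (inclusive)
    end: datetime          # scheduled window end (exclusive): revoked from here on

class Policy:
    """Hypothetical policy store; all names here are illustrative."""

    def __init__(self):
        self.roles = {}    # user -> set of role names
        self.grants = []

    def assign(self, user, role):
        self.roles.setdefault(user, set()).add(role)

    def unassign(self, user, role):
        self.roles.get(user, set()).discard(role)

    def grant(self, role, dataset, privileges, start, end):
        self.grants.append(Grant(role, dataset, frozenset(privileges), start, end))

    def is_allowed(self, user, dataset, privilege, now):
        # Deny by default: the user must hold a role that has a grant for this
        # data set and privilege, and `now` must fall inside the grant's window.
        held = self.roles.get(user, set())
        return any(g.role in held and g.dataset == dataset
                   and privilege in g.privileges and g.start <= now < g.end
                   for g in self.grants)

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

def build_demo_policy():
    # Constructed sample data: two suppliers working on different parts.
    p = Policy()
    p.assign("alice@supplier-a.example", "housing_designer")
    p.assign("bob@supplier-b.example", "wiring_designer")
    p.grant("housing_designer", "housing", {"read", "write"}, utc(2024, 3, 1), utc(2024, 3, 15))
    p.grant("wiring_designer", "wiring", {"read"}, utc(2024, 3, 10), utc(2024, 4, 1))
    return p
```

Because grants attach to roles rather than users, moving a supplier to another group changes what they can reach without touching the schedule, and a grant whose window has closed needs no separate revocation step.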
44. Security Principles Applied
• Practice defense in depth
– Role based access control, data based access control, electronic vault, release management
• Follow the principle of least privilege
– Access controls only allow privileges to those who need them
45. Security Principles Applied (cont.)
• Compartmentalize
– Various versions of data. Information split up based on part of design for users who will need access to it
• Promote privacy
– Accountability so users will want to keep passwords and information secret
• Be reluctant to trust
– System is based on least privilege and does not disclose information until necessary