Security awareness training
Security Awareness – Termphong Tanakulpaisal, Technical Manager, IT Distribution Co.,LTD

Posted on 14-Nov-2015

TRANSCRIPT

  • Security Awareness
    Termphong Tanakulpaisal
    Technical Manager, IT Distribution Co.,LTD

  • Agenda
    Introduction to network security
      How many types of assets are in an IT system?
      Which is the most important asset?
      Why protect information? (the most important one)
      So we need information security
      How to achieve information security: the CIA concept
      Key success factor summary
    Network threats
      What is a threat, with examples?
      How to overcome threats (with the security protection concept)
      How to overcome threats (with tools)
    Network-based protection systems
    Host-based protection systems
    Case study

  • Company Assets
    Hardware (physical assets)
    Software
    System interfaces (e.g., internal and external connectivity)
    Data and information
    Persons who support and use the IT system
    System mission (e.g., the processes performed by the IT system)
    System and data criticality (e.g., the system's value or importance to an organization)
    System and data sensitivity

    NIST SP 800-30

  • Information Assets
    Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
    ISO/IEC 17799:2000

  • Why Information Assets are the most important?
    Business requirements
      Client / customer / stakeholder
      Marketing
      Trustworthiness
      Internal management tool
    Legal requirements
      Revenue Department
      Stock Exchange of Thailand
      Copyright, patents, ...
    Business Continuity Management
    Compliance with legal requirements

  • Why Information Assets are the most important? (2)
    Contractual security obligations
      Intranet connections to other BUs
      Extranets to business partners
      Remote connections to staff
      VPN
      Customer networks
      Supply chains
      SLAs, contracts, outsourcing arrangements
      Third-party access
    Information security infrastructure

  • Why we need information Security?
    Information security protects information from a wide range of threats in order to
      Ensure business continuity
      Minimize business damage
      Maximize ROI and business opportunities
    Business: stable service to customers
    Education: availability of resources and integrity of information, e.g. grades, profiles, etc.
    ISO/IEC 17799:2000 page iii, Introduction

  • How much should we spend on IT security?
    Q: How much should each company spend or plan for their information security?
    A: ______ Baht / year
    Q: How much should each company spend or plan for their information system?
    A: ______ Baht / year

  • Why we need information Security? (2): Business Impact Analysis
    How much does it cost per hour if people in your organization cannot access their information?
    One big organization: approx. 10 million Baht / day -> 8 working hours -> 1.25 million / hr -> at a 10% margin = 125k / hr
    If we've got 10 salespersons, we lose 12,500 Baht / hr for each salesperson who can't access their information

  • ... some more calculations
    100 people start their day clearing junk mail; each receives 20 junk mails per day, and each mail takes 10 seconds to open/read/delete
    Each of these staff earns on average THB 18,000 / month from the company
    The company pays THB 102.27 / staff / hr
    100 people x 10 sec/mail x 20 mails/day x 220 days/yr = 1,222.2 hrs/year
    The company pays about 125,000 Baht/year for clearing junk mail
    Do you believe that
      there are only 20 junk mails per day?
      the average time spent is only 10 seconds per junk mail?
      you pay only 18,000 Baht/month?

  • ... some more calculations
    What is the typical cost when the system is attacked by a virus / worm?
      Amount of data destroyed and its cost
      Man-hours of support staff to clean the virus
      Idle time of other staff waiting for the system to come back
      Your customers' satisfaction
      Your company's reputation
    So, a company spends ...... Baht each time a virus attacks

  • Security Concept
    Security is the preservation of confidentiality, integrity and availability of information
    Confidentiality: ensuring that information is accessible only to those authorized to have access
    Integrity: safeguarding the accuracy and completeness of information and processing methods
    Availability: ensuring that authorized users have access to information and associated assets when required
    BS7799-2:2002 page 3, 3.1, 3.2, 3.3

  • Key success to obtain CIA
    Policy / Process / Procedure
      Clear
      Coverage
      Compliance: legal, standards, guidelines, etc.
    People
      Awareness (e.g. a password stuck on the screen)
      Discipline
    Technology
      Enablers
      Management tools

  • What is a Threat?
    Could be anything that harms your system, e.g.
      User
      Hacker / cracker
      Virus
      Spam
      Etc.

  • Key Factors Driving Threats over the network
    Internet connection speeds are increasing for SMBs as prices and technology improve: DSL, cable modem, T1 (business-class connection services)
    Increase in real-time Internet applications: web apps, VoIP, downloads, etc. require real-time security processing
    Everything is becoming online

  • Nowadays threats to your IT system
    Non-computerized system
      Masquerade
      Social engineering
      Theft
      System malfunction (disaster, power interruption)
    IT network threat
      Network level
      Application level

  • Threat: Network Level
    Denial of Service: the service is disabled by excessive workload
    Information sniffing: information is tapped and viewed by an unauthorized person
    Unauthorized access: a low-level worker can access critical information

  • Sample of Threats: Snooping
    A user on 202.104.10.5 opens a Telnet session to 203.152.145.121:
      username: daeng
      password: (typed as m-y-p-a-s-s-w-o-r-d)
    Telnet carries the login in clear text, one keystroke per packet, so anyone tapping the path between the two hosts reads the password as it is typed.
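To make the snooping slide concrete, here is an added example that is not part of the presentation: it reassembles a Telnet login from a constructed per-keystroke capture between the two addresses on the slide. The Packet class, the sample capture, the prompt strings and the credentials are assumptions for the illustration; a real capture would come from a sniffer on the path, but the point is the same, since nothing in the exchange is encrypted.

```python
"""Reassemble a Telnet login from a constructed per-keystroke capture."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Addresses as on the slide; the capture itself is constructed for this example.
SERVER = "203.152.145.121"
CLIENT = "202.104.10.5"


def _client_keys(text):
    """Telnet in character mode sends each keystroke in its own packet."""
    return [Packet(CLIENT, SERVER, ch.encode()) for ch in text]


SAMPLE_CAPTURE = (
    [Packet(SERVER, CLIENT, b"username:")]
    + _client_keys("daeng\r")
    + [Packet(SERVER, CLIENT, b"password:")]  # the server does not echo the password
    + _client_keys("mypassword\r")
    + [Packet(SERVER, CLIENT, b"Welcome\r\n$ ")]
)


def keystroke_trace(packets, client):
    """The client's keystrokes, dash-separated as drawn on the slide."""
    keys = [p.payload.decode(errors="replace") for p in packets if p.src == client]
    return "-".join(k for k in keys if k not in ("\r", "\n"))


def extract_credentials(packets, server, client):
    """Return (username, password) typed in the clear during a Telnet login.

    Whenever the server sends a login or password prompt, collect the client's
    following keystrokes up to the carriage return. No decryption is needed,
    which is exactly why Telnet should not carry credentials.
    """
    creds = {}
    expecting, buf = None, []
    for p in packets:
        if p.src == server and p.dst == client:
            text = p.payload.decode(errors="replace").lower()
            if "username:" in text or "login:" in text:
                expecting, buf = "username", []
            elif "password:" in text:
                expecting, buf = "password", []
        elif p.src == client and p.dst == server and expecting:
            ch = p.payload.decode(errors="replace")
            if ch in ("\r", "\n"):
                creds[expecting] = "".join(buf)
                expecting, buf = None, []
            else:
                buf.append(ch)
    return creds.get("username"), creds.get("password")


if __name__ == "__main__":
    print(keystroke_trace(SAMPLE_CAPTURE, CLIENT))
    print(extract_credentials(SAMPLE_CAPTURE, SERVER, CLIENT))
```

The same reassembly works for FTP, POP3 or HTTP basic auth; the fix is not a cleverer sniffer detector but replacing the protocol with SSH or TLS so the keystrokes are not readable in transit.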

  • Sample of Threats (cont.): 3-way handshake
    Client -> WWW: SYN REQ
    WWW -> Client: SYN ACK
    Client -> WWW: ACK

  • Sample of Threats (cont.): SYN attack
    Attacker (202.104.10.5) sends SYNs to WWW (203.152.145.121)
    WWW replies SYN ACK (D=202.104.10.5, S=203.152.145.121) and WAITs for the final ACK, which never comes
    Each half-open connection (1, 2, ...) holds a slot in the server's table until it times out; with enough of them the service is exhausted

  • Sample of Threats (cont.): Smurf Attack
    Attacker sends an ICMP REQ with D=192.168.1.255 (the broadcast address behind 203.152.149.1) and a spoofed S=203.152.149.2
    Every host on the 192.168.1.0 segment answers the echo request, and all the replies go out through the Internet to 203.152.149.2, the real victim
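Both the SYN attack and the Smurf attack leave a pattern that can be picked out of packet or flow records, which is what a network IDS does for them. The following is an added example, not material from the presentation: it runs two simple detectors over constructed records using the addresses from the slides. The record layout, the assumption that the amplifier segment is 192.168.1.0/24 and the half-open threshold of 5 are choices made for the illustration.

```python
"""Pick SYN-flood and Smurf patterns out of constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the amplifier segment from the Smurf slide is 192.168.1.0/24.
LOCAL_NET = ip_network("192.168.1.0/24")
WWW = "203.152.145.121"


def _tcp(src, dst, flags):
    return {"proto": "tcp", "src": src, "dst": dst, "flags": flags}


def _icmp(src, dst, icmp_type):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type}


# Constructed records, one per packet, in the order they were seen.
SAMPLE_FLOWS = (
    # a legitimate 3-way handshake from 10.0.0.7
    [_tcp("10.0.0.7", WWW, "S"), _tcp(WWW, "10.0.0.7", "SA"), _tcp("10.0.0.7", WWW, "A")]
    # SYN attack: eight SYNs with spoofed sources, eight SYN-ACKs, no final ACK
    + [_tcp(f"202.104.10.{i}", WWW, "S") for i in range(1, 9)]
    + [_tcp(WWW, f"202.104.10.{i}", "SA") for i in range(1, 9)]
    # Smurf: echo request to the local broadcast with the victim's address as source ...
    + [_icmp("203.152.149.2", "192.168.1.255", "echo-request")]
    # ... and every local host replying to the victim
    + [_icmp(f"192.168.1.{i}", "203.152.149.2", "echo-reply") for i in range(10, 14)]
    # a harmless ping inside the LAN
    + [_icmp("192.168.1.10", "192.168.1.1", "echo-request")]
)


def half_open_by_dst(flows):
    """Per destination, count SYNs whose (src, dst) pair never sent the closing ACK.

    A SYN that the server answered but the client never completed stays in
    the server's backlog until it times out: the WAIT state on the slide.
    """
    completed = {(f["src"], f["dst"]) for f in flows
                 if f["proto"] == "tcp" and f["flags"] == "A"}
    pending = defaultdict(int)
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == "S" and (f["src"], f["dst"]) not in completed:
            pending[f["dst"]] += 1
    return dict(pending)


def detect_syn_flood(flows, threshold=5):
    """Destinations with at least `threshold` half-open connections (threshold assumed)."""
    return sorted(dst for dst, n in half_open_by_dst(flows).items() if n >= threshold)


def detect_smurf(flows, local_net=LOCAL_NET):
    """Spoofed sources of echo requests aimed at the local broadcast address.

    A request to the broadcast address from outside the segment is the Smurf
    trigger; the outside 'source' is the real victim that will receive every
    reply. Ordinary pings between local hosts are ignored.
    """
    victims = set()
    for f in flows:
        if f["proto"] != "icmp" or f["icmp_type"] != "echo-request":
            continue
        if (ip_address(f["dst"]) == local_net.broadcast_address
                and ip_address(f["src"]) not in local_net):
            victims.add(f["src"])
    return sorted(victims)


if __name__ == "__main__":
    print("SYN flood targets:", detect_syn_flood(SAMPLE_FLOWS))
    print("Smurf victims:", detect_smurf(SAMPLE_FLOWS))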

  • Threat: Application Level - Virus
    Virus vs. worms?
    Virus: viruses are computer programs that are designed to spread themselves from one file to another on a single computer. A virus might rapidly infect every application file on an individual computer, or slowly infect the documents on that computer, but it does not intentionally try to spread itself from that computer to other computers.
    Worms: worms, on the other hand, are insidious because they rely less (or not at all) upon human behavior in order to spread themselves from one computer to others. A computer worm is a program that is designed to copy itself from one computer to another over a network (e.g. by using e-mail).

  • Threat: Application Level - Spam Mail
    E-mail spoofing: pretending to be someone else, e.g. [email protected]
    Spam mail: unsolicited or unwanted e-mail, or phishing
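The From header of an e-mail is free text under the sender's control, which is what makes spoofing trivial. As an added example that is not from the presentation, the code below compares the From domain with the other headers a spoofed message usually cannot fake consistently: the envelope sender (Return-Path), the Reply-To that answers will really go to, and the host that handed the message to our server. The two messages and all domains in them are constructed for the illustration.

```python
"""Header checks for a spoofed sender (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed messages; the domains are documentation/example names, not real senders.
RAW_SPOOFED = """\
Return-Path: <bounce@mail-blast.example.net>
Received: from mx.mail-blast.example.net (203.0.113.10) by mail.example.com
From: "Bank Security" <security@bank.example>
Reply-To: verify-account@freemail.example.org
To: staff@example.com
Subject: Verify your account

Your account will be locked. Click the link to verify it now.
"""

RAW_LEGITIMATE = """\
Return-Path: <newsletter@bank.example>
Received: from mx1.bank.example (198.51.100.5) by mail.example.com
From: "Bank" <newsletter@bank.example>
To: staff@example.com
Subject: Your statement is ready

Your monthly statement is available.
"""


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _in_domain(host, domain):
    """True when host is domain itself or a sub-host of it (not just a suffix match)."""
    return host == domain or host.endswith("." + domain)


def spoof_indicators(raw):
    """Return the mismatches between what the From header claims and the other headers."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    findings = []
    return_path = msg.get("Return-Path")
    if return_path and _domain(return_path) != from_dom:
        findings.append("return-path-domain-mismatch")
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append("reply-to-domain-mismatch")
    received = msg.get_all("Received") or []
    if received and from_dom:
        # "Received: from <host> (...) by <us>": the host that delivered to our MTA
        handing_host = received[0].split()[1].lower()
        if not _in_domain(handing_host, from_dom):
            findings.append("sending-host-not-in-from-domain")
    return findings


if __name__ == "__main__":
    print("spoofed:", spoof_indicators(RAW_SPOOFED))
    print("legitimate:", spoof_indicators(RAW_LEGITIMATE))
```

These are indicators, not proof: legitimate bulk mailers often fail the Return-Path test, so a receiving MTA should rely on SPF and DKIM verification and use checks like these only for triage and for training people to read headers.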

  • Threat: Application Level - Desktop
    Desktop threats
      Viruses, worms, Trojans, backdoors
      Cookies
      JavaScript and Java applets
      Zombie networks
      Key loggers (online games)

  • Real-life Problems with Blended Threats
    Virus infection causes unnecessary traffic within the network and malfunctioning machines
    Existing safeguards are not effective anymore (we don't want to throw them away, but a new system duplicates them and is more expensive)
    Existing systems are insufficient in both licenses and performance
    Virus and spam mail protection is needed but we can't afford the growing license costs
    Mobile users send information in plain text and have no protection when they're at home (their machine could become a host)
    I've got 2 Internet links with a limited security budget but need to utilize both of them
    Etc.

  • How to overcome Threats?
    We need controls:
      Policy & Process: security controls that provide guidelines and a framework
      People: controls on user behavior
      Technology: the tool used to enforce policy throughout the organization effectively

  • Policy & Process Control
    Policy compliance: ISO 17799
    Compliance checking: CobiT audit tools
    NIST security standards and guidelines: NIST 800 series
    Organization control: Business Continuity Plan

  • People Control
    Security awareness training
    Security learning continuum: awareness, training, education
    Responsibility control: need-to-know basis

  • People Control - Example (2)
    Don't install free utilities on your computer
    Run the current version of supported antivirus software and set it for regular, automatic updates
    Assign a complex, hard-to-guess password to your computer (not stuck on the screen, not a shared pool password)
    Be alert for "phishing" scams that can result in identity theft
    Promptly apply security "patches" for your operating system
    Activate your system's firewall (Windows XP & Macintosh OS X)

  • Technology Control
    Computer security is the process of preventing and detecting unauthorized use of your computer
    Prevention measures help you stop unauthorized users (intruders) from accessing any part of your computer network
    Detection helps you determine whether or not someone attempted to break into your system, whether they were successful, and what they may have done
    Network- and host-based security
    Security devices (hardware) or security software

  • Network Security Protection
    Firewall (access control)
    IDS/IPS
    VPN & SSL VPN (data encryption)
    Anti-spam (preventing unwanted e-mail)
    QoS (Quality of Service - bandwidth management)
    Web content filtering
    IM & P2P

  • Firewall (Access Control)
    Web traffic: customers, partners, employees
    E-mail traffic
    Applications / web services traffic: partners, customers, internal
    VPN traffic: remote and mobile users
    Internal security threat: contractors / disgruntled employees
    Remote users

  • Type of firewall
    Type of firewall
      Packet filtering
      Application firewall
      Stateful inspection
    Type of implementation
      Packet filter
      Screened host
      Dual-homed host
      Screened subnet (DMZ)

    References: CISSP Certification
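The difference between the first and third firewall types on the slide is easiest to see on the same packets. The following is an added toy example, not material from the presentation or any vendor: a stateless packet filter with an "allow replies from port 80" rule, beside a stateful firewall that only admits inbound packets belonging to a connection it saw an inside host start. The protected network (10.0.0.0/8), the Pkt layout and the four sample packets are assumptions made for the illustration.

```python
"""Packet filter vs. stateful inspection on the same packets (added toy example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S", "SA", "A"


def is_inside(ip):
    """Assumed: the protected network is 10.0.0.0/8."""
    return ip.startswith("10.")


def packet_filter(pkt):
    """Stateless ACL, judged one packet at a time.

    Rule 1: inside hosts may open web connections.
    Rule 2: to let the replies back, anything from port 80 with ACK set is
    accepted. The filter cannot know whether such a packet belongs to a
    connection an inside host actually started.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.sport == 80 and "A" in pkt.flags:
        return True
    return False


class StatefulFirewall:
    """Stateful inspection: inbound packets pass only if they match a tracked connection."""

    def __init__(self):
        self.table = set()  # (inside ip, inside port, outside ip, outside port)

    def allow(self, pkt):
        key_out = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        key_in = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
            if pkt.flags == "S":          # new connection from inside: record it
                self.table.add(key_out)
                return True
            return key_out in self.table  # later outbound packets of a known connection
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            return key_in in self.table   # replies only for connections we saw start
        return False


# Constructed traffic: one real web connection, then a crafted packet that
# pretends to be a reply from port 80 in order to reach an inside file server on 445.
SAMPLE_PACKETS = [
    Pkt("10.1.1.5", 40000, "203.152.145.121", 80, "S"),
    Pkt("203.152.145.121", 80, "10.1.1.5", 40000, "SA"),
    Pkt("10.1.1.5", 40000, "203.152.145.121", 80, "A"),
    Pkt("202.104.10.5", 80, "10.1.1.9", 445, "A"),
]


def compare(packets):
    """(packet filter verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.allow(p)) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(p, "filter:", verdict[0], "stateful:", verdict[1])
```

The last packet is the one that matters: the packet filter passes it because it looks like a web reply, while the stateful firewall drops it because no inside host ever opened a connection to 202.104.10.5. A real stateful firewall also expires table entries and checks sequence numbers, which this toy omits.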

  • Basic Firewall Implementation

  • Intrusion Detection & Intrusion Prevention Solution
    Covers known attacks, DoS/DDoS and zero-day attacks
    Host IPS: laptop, desktop, server
    Network IPS: core, edge, branch office

  • IDS/IPS
    Detection & prevention system
    Signature-, behavior- & anomaly-based

  • Virtual Private Network (VPN)
    Encryption & decryption
    Public key & private key
    Encryption technology: DES, 3DES, AES (DES is no longer considered secure; AES is the current choice)

  • Anti-Spam
    Source: Symantec / Brightmail

  • How serious is spam?
    Why do they spam? $0.0005 per spam e-mail vs $1.21 per paper mail; at the same volume that is $0.02B vs $48.4B (the figures imply 40 billion messages)
    1 in 100,000 counts as a success
    How much spam is there? ~6 e-mails/sec = 360 e-mails/min = 21,600 e-mails/hr
    How do they get my e-mail? Webboards, forums, etc.
    Is spam legal?
    How to protect yourself from getting spam?

  • Why Spam Matters for Business
    Before: a nuisance -> Today: a serious business problem
    1) Lost employee productivity
       Symptoms: employees deleting spam; employees complaining about spam
       Business impact: employees spend 50 or more hours per year dealing with spam; with anti-spam solutions costing $10-15 per year, that is a significant positive ROI
    2) Unnecessary IT costs
       Symptoms: IT administrator salary; mail server CPU; storage; bandwidth
       Business impact: IT administrators responding to help desk tickets to fight spam with no tools; spam requiring constant upgrading of mail infrastructure capacity
    3) Phishing and e-mail fraud
       Symptoms: employees and customers falling victim to fraud and identity theft
       Business impact: damage to brand; support cost

  • Phishing Example

  • Phishing Example (2)

  • Spam control

  • Web-Content Filtering
    Cracks and hacking tools websites
    Spyware, Trojans, viruses, etc.
    Banners & advertising: adware, toolbars, spam subscriptions, credit card numbers, etc.
    Drugs, gambling, weapons, etc.
    Pornography, nudity, adult materials
    Online shopping (credit card issues)

  • FortiGuard Web Filtering Enhancements
    Block override: an authoritative user logs in to enable a site block override; bypasses the filter block on a user's session and lasts until a timer expires
    Rate image: URL rating capabilities are extended to include image URLs contained in web pages; rates gif, jpeg, png, bmp and tiff images
    Web filter consolidation: the web filter menu items URL Exempt, URL Block and Web Pattern have been consolidated into a single menu item to speed configuration
    Active Directory integration: single sign-on; policy based on AD user/group; requires the FSAE agent software

  • Web Filtering: Banned Word

  • Desktop Security
    Anti-virus
    VPN client
    Personal firewall
    IDS
    Web filtering
    Small groups, home use, computer laboratories, etc.

  • URL Filtering

  • Instant Messaging (IM) / Peer-to-Peer (P2P)
    IM: virus, exploit, voice chat
    P2P: bandwidth usage, spyware, backdoor

  • Enterprise IM, P2P Challenges
    Traffic bottlenecks
    Worms programmed to chat
    Virus via malicious URL
    Rootkit via file install
    Confidentiality breach
    Viruses, worms
    Lack of visibility / management tools
    Lack of usage & user controls
    Protecting against new threats
    Gaining control of bandwidth usage
    Management & reporting insight

  • IM & P2P Access Control

  • Gartner's Analysis

  • Regulations Don't Matter, but Auditors Do

  • Convergence Brings Evolutionary Efficiencies

  • Cyberthreat Hype Cycle

  • Hype Cycle for Information Security, 2005

  • Conclusion
    PPT (Policy, People, Technology)
    A security system without performance degradation
    "You don't put brakes on a car to go slower, you put brakes on a car to go faster, more safely. Along the same lines, IT security is not meant to slow down a company, but rather to enhance and facilitate the growth of a company... safer growth." -- quoted from Gartner Group's Information Security Show, June 2001

  • Speaker notes (the purpose of this slide is to educate customers on why they need both technologies):

    McAfee Intrusion Prevention delivers business availability by reliably stopping known and unknown attacks on your IT infrastructure.

    Industry's most comprehensive intrusion prevention solution, protecting servers to desktops and network core to edge from the threat of known, zero-day and encrypted attacks

    Utilizing the complementary, overlapping technologies of Entercept and IntruShield, customers benefit from the best of both products:

    McAfee Entercept 5.0: firewall and host IPS integration; behavioral rules & signatures; application-specific protection

    McAfee IntruShield 2.1: firewall and network IPS integration; protection against encrypted attacks; host & network IPS event integration

    Why customers need both:

    Network IPS has broad network visibility and is the ideal place to detect and block malicious traffic before it can arrive at a host:
      Frees up host IPS from having to process high volumes of suspicious traffic
      Platform and application independence means broad coverage for a heterogeneous environment
      Ease of deployment of protection

    Host IPS is the last line of defense for attacks that evade other tools, ensuring protection when all other tools fail. Some traffic may avoid detection by NIPS:
      A contractor plugging into a segment that is behind the NIPS sensor and attacking a server farm
      VPN/IPsec encrypted traffic that appears normal to the NIPS
      A local attack at the server itself

    We're talking about network PROTECTION, which is broader than just SECURITY