cit 742: network administration and security desiamore 1 powered by desiamore

CIT 742: Network Administration and Security

DeSiaMore

1Powered by DeSiaMore

Establishing and Maintaining a Security Policy Secure system planning and administration is the human side

of computer security Administrators need a written guideline, that clearly outlines

what steps to take and what procedures to follow in the pursuit of security

The first step in maintaining security today is to set security policies for our organizations, and then to promote and maintain them

Although the security administrators carry out the security policy in terms of protection, detection, and enforcement, it is the users who must keep the security.

Sanctions to be imposed on those who violate it.


Cont … An example, a security policy may require regular

backups, but it's the administrator who must actually run the backups.

Users are then trained and managers must deal with noncompliance

The security policy is a living document that must be examined and updated regularly

What a security policy may contain Training users, administrating passwords, backing up system-critical files, setting up and tuning firewalls

and examining audit logs

This is the role of the security administrator.3Powered by DeSiaMore

Cont … An example, a security policy may require regular

backups, but it's the administrator who must actually run the backups.

Users are then trained and managers must deal with noncompliance

The security policy is a living document that must be examined and updated regularly

What a security policy may contain Training users, administrating passwords, backing up system-critical files, setting up and tuning firewalls

and examining audit logs

This is the role of the security administrator.4Powered by DeSiaMore

Administrative Security Falls into three general categories:

1. Overall security planning and administration Includes working with management to set a security policy for

your organization, publicizing it and gaining management support for it

performing risk analysis and disaster planning, monitoring employees, training users, answering their questions

2. Day-to-day security administration Includes creating accounts and assigning security profiles for

users for example, their initial passwords, their password controls (e.g., how often they must change their passwords)

login controls (e.g., what hours they can log in)


Cont …3. Day-to-day system administration

Includes keeping the system running, doing daily backups, trolling for breaches, and testing the condition of hardware and software

It is vital to any system though not security-relevant Remember that "availability" is a key goal of overall computer

security. Day-to-day system administration keeps the system available.


Cont … Most enterprises today are a heterogeneous

environment some legacy functions reside on creaky old mainframes, some business critical processes are accomplished on a fairly

modern computing core, and lots of client server networks unite a mixture of Windows and

Unix users Wireless implementations accommodate drop-in users and

guests There may even be a layer of mobile devices PDAs with radios

built in by which a few workers keep in touch with each other during meetings

Each of these systems requires its own series of administrative practices


Cont … Each requires administrators to carefully develop

security policies regarding its use. Scenario

Most organizations connect users to some kind of server or server cluster via a local area network, and the LAN usually connects at some point to the Internet, usually via a firewall

Bulky security policies may apply to it Security policies in this case may differ depending on the

network configuration But password administration and least privilege certainly

apply no matter what server and network configuration is in effect.

The more esoteric the network, the more administrator documentation the vendors supply. 8Powered by DeSiaMore

Overall Planning & Administration System administrators in this case become security

advocates sell security both to users and to upper management

9/11 was a wake-up call Corporate accounting firms defrauding millions of

dollars, increases the accountability issue of financial data

Privacy has been raised as an issue, likely because of fear of identity theft, based on personal and health data

Issue of copyrighted material software or MP3 music files are downloaded or distributed

using company property 9Powered by DeSiaMore

Cont … The increasing liability surrounding their computers and

networks, management is now much more interested in security.

Unfortunately, moving towards a more secure network is often handled on a sporadic basis

Analyzing Costs and Risks Computer security is a tradeoff When you want to use a security product, you have to

balance the cost of the product against the risk of doing without it

This is known as Risk Analysis10Powered by DeSiaMore

Cont … Risk analysis is a procedure used to estimate potential

losses that may result from system vulnerabilities and to quantify the damage that may result if certain threats occur.

The ultimate goal of risk analysis is to select cost-effective safeguards that reduce risks to an acceptable level.

Risk analysis is a way to figure out how important your system is how far you're willing to go in terms of equipment, people, and

budget to protect it


Cont … Risk analysis involves looking at your tangible assets

Your buildings Computers Other equipments

What would be your organization's most valuable asset?

When evaluating your organization's information asset and considering whether and how to protect it, you'll have a number of important questions to ask.


Cont … What information do you have, and how important

is it? Many different types of information:

national defense information describing military resources and deployment

corporate records showing projected profits, losses, and strategies

personnel records describing health, financial, academic, and employment history

You'll need to assess how important that information is to your own organization

Holding information is a two-edged sword. 13Powered by DeSiaMore

Cont … Legal safeguards today make it an expensive offense to

release information in your possession The Health Insurance and Portability and Accountability Act

protects patient records Gramm-Leach-Bliley Act of 1999, protects customer records in

the financial industry Family Educational Rights and Privacy Act, which applies to

educational records

How vulnerable is the information? Some information may be very important to you, but

may be of little interest to anyone else.


Cont … Everyone needs to worry about physical threats and

accidents caused by careless or untrained employees You will have to evaluate whether realistic attempts are

being made, or could be made, to break into your system for national defense information, you'll have to worry about

foreign intelligence. If you're protecting your business's data, you'll be concerned

about your competitors, crackers, and insider threats

Remember: threats to information tend to grow as people learn about your system's vulnerabilities and as methods of exploiting those vulnerabilities get cheaper and easier


Cont … What is the cost of losing or compromising the

information? Many different costs and consequences for failure to

secure computers and networks effectively the loss of vital national defense information, the cost of

information loss or leakage might be catastrophic If a medical experiment is disrupted, or if patient records are

lost or compromised, people might die If the security of an ATM is breached

a bank might lose a lot of money the bank might also suffer a loss of confidence by customers

Loss or compromise of each has its own risks, costs, and consequences, both tangible and intangible


Cont … What is the cost of protecting the information? There are certain basic costs that you must incur You must back up your data

No matter what security violation occurs natural disaster user mistake

There are many different types of additional costs Will you need to buy new equipment? Will the use of a security product slow down response time and

performance in a system that must provide quick customer service?

Will security controls detract from the user-friendliness of a system that you're marketing as easy to use?


Cont … You'll have to consider the different types of costs within

your own organization and to assess the impact of security costs in relation to expected security benefits

RULE OF THUMB

The cost of securing information shouldn't exceed the

financial and administrative cost of recovering that

Informational though certain types of information, such as

national defense information, can't necessarily be

quantified in this way


Cont … Who are you going to call? To whom to report computer attack The attacker may be in your city or across the globe Local agencies may not have the expertise or

jurisdiction to help you much A good rule of thumb is to start with higher authorities

first If a break-in you experienced has definitely resulted in

the release of confidential records, you might want to take steps to preserve any evidence and call the authorities


Cont … If you suspect some script kiddie is probing your

resources after school is out, you may want to tighten your firewall and hope she just goes away.

Review with counsel your rights and obligations before any incursions occur

Then put the steps for your plan into the security policy, and distribute it to all personnel likely to be affected.


Planning for Disaster To protect your organization from disaster, plan for that

disaster A disaster recovery plan (DRP) is a plan for keeping

your computer equipment and information available in case of an emergency

Disaster planning may spell the difference between a problem and a (possibly business-threatening) catastrophe.

Involves activities like: backing up data for storage at remote secure facilities and

arrange for computer facilities


Planning for Disaster Emergency sites are usually characterized as cold,

warm, or hot Cold sites are emergency facilities containing air conditioning

and cabling, but no computers Hot sites are emergency facilities containing computers,

backup data that works! Warm sites, a hybrid, are sites in which computers and

equipment are preinstalled, but not programs or backup data

It is no good having the backup site and the main site both fail due to the same calamity.

A DRP may greatly increase public confidence as well as the confidence of your employees


Cont … Backups are the key to disaster planning If a disaster occurs and you've backed up your system,

you'll be able to recover eventually

Setting Security Rules for Employees Some aspects of security are simply good management

Be sensible about who you hire what computer resources you let them use what you do when they leave your organization

Training Users No matter how diligent and careful a system

administrator you are, you can't underestimate the ability of your users to undermine your efforts


Cont … Teach your users how to use the hardware and

software Be sure they understand your organization's security

policy, and impress upon them the importance of observing good security practices


Day-to-Day Administration Focus on keeping your computers and networks running

smoothly by maintaining equipment Making sure there's sufficient space on the system

disks Protecting the system and its software from damage

making sure users can't modify system software checking each new release of a vendor's software, especially

fixes to security problems insisting that users or system administrators promptly patch any

security holes or other bugs that are discovered

It is essential to monitor various groups and news wires, as well as official sites of your vendors


Day-to-Day Administration Unfortunately, there are still instances where a patch to

one problem breaks something else, especially in cross-vendor situations

Most organizations maintain test networks in which checks for security fixes and bugs

Performing Backups Backups of your system and all the data stored on your

system are absolutely essential if you expect to be able to recover from a disaster

What kind of a disaster? Natural Crime vandalism


Day-to-Day Administration Whatever the cause, and whatever the extent of the

damage, you will be able to recover eventually if you have recent backups of all your system data.

In a PC environment, critical documents on a user's machine often disappear when a disk fails

To protect against this system admins provide personal folders in common space on a server.

How do you do backups? There are many systems for backup.

Many organizations have well-defined rules about performing backups


Hints for Backups Remember that your backups are the key to recovering

your system in case of a disaster. Back up all of your files, and follow these rules:

Encrypt your backups if they contain sensitive data. Keep extra backups off-site in a locked, fireproof location. Secure your backup tapes or disks in locked areas with a sign-

out sheet. Don't leave them on a desk for someone to steal or mistakenly use.

Verify your backups. Check periodically to make sure they've been produced correctly and haven't been damaged in any way

Sanitize your backups before discarding them. Be sure to delete all data by overwriting what's there

If you're throwing backups away, destroy the media first (by burning, crushing, or shredding.)

Consider buying an automatic backup program that runs full or incremental backups (without your intervention) every night.


Cont … What does it mean to perform regular backups?

it depends on the number of users in your system the volume of work and many other variables

Many organizations perform a full backup (of every file in the system) every night

Others do a full backup only once a month, or once a week, but they do an incremental backup (of everything that's changed since the last full backup) every day.

The best rule of thumb is to back up frequently enough that

you can afford to recreate the work that may be lost since

the last backup.29Powered by DeSiaMore

Cont … What does it mean to perform regular backups?

it depends on the number of users in your system the volume of work and many other variables

Many organizations perform a full backup (of every file in the system) every night

Others do a full backup only once a month, or once a week, but they do an incremental backup (of everything that's changed since the last full backup) every day.

The best rule of thumb is to back up frequently enough that

you can afford to recreate the work that may be lost since

the last backup.30Powered by DeSiaMore

Cont … Costs associated with backups

Network bandwidth and server capability Schedule backups in less desirable parts of the day

If your organization operates 24/7, it may be necessary to host redundant systems

so that one can be backed up while the other is live

Hardware and Software Security Tools There's a good variety of hardware and software tools

designed to prevent network incursion One of the most important is the firewall Another tool is an Intrusion Detection System (IDS)

Listens for unusual activity on the network


Cont … An IDS usually have large libraries of attack signatures,

that is, lists of the steps attackers typically take or have taken in the past to accomplish some attack

If the pattern of these attacks is repeated in a system being monitored by the IDS, the IDS will likely stop the transaction if it can, and place a page or call to an administrator informing of the attempted attack.

A honeypot sometimes called a honeynet is a decoy It is usually placed in an unprotected portion of the

network as a lure to attackers


Cont … Penetration testing, or pentesting is a programmed,

usually automated series of attacks that administrators carry out on their own network

The purpose of pentesting is to locate overlooked vulnerabilities


Performing a Security Audit It's a good idea to check on the security of your system

by performing periodic security audits A security audit is a search through your system for

security problems and vulnerabilities Check your system files and any system logs or audit

reports your system produces for dangerous situations or clues to suspicious activity. These include Accounts without passwords

They might have come with the system, or they might have been set up for guests or demos. Anyone can log in using such accounts.

Accounts with easily guessed passwords These might include passwords selected by users


Performing a Security Audit Dormant accounts

accounts of users who have left your organization, have gone on vacation, or have moved to a different group or system

New accounts Be sure these are accounts you have assigned and not accounts that an

intruder has created

Default accounts Many operating systems create "Everybody" or "Guest" or even

"Administrator" accounts automatically

Recent changes in file protection Individual users may have carelessly made their files accessible to

everyone in the system Monitor logs


Summary Security grows down into an organization once a written

policy dictates it is required The management creates and sustains the demand for

things to be done according to certain standards and levels

This requires that risks be categorized and prioritized, and the value of the asset to be protected is weighed against the cost of its protection

Security policies require procedures. Security procedures include holding regular security

audits, and implementing rules To insure people know how execute security procedures

requires security training36Powered by DeSiaMore

Powered by DeSiaMore

Questions

cit 742: network administration and security desiamore 1 powered by desiamore

Documents

security profiles

security administrators

security policies

overall security planning

system administrationincludes

system available

training users

systemcritical files