drc -- cybersecurity concepts 2015
TRANSCRIPT
Project meeting
2015 - Dartmouth Research & Consulting
T. J. Saotome
5 Basic Cybersecurity Concepts You Must Know
Who/What Poses a Threat?
• Hackers – casual or pro
• Intruders – organized crime, states
• Insiders – employees can steal
• Contractors – hired guns can steal
• Nature – hurricanes, fire, disasters
• Human Error – input error, deletion
What’s the Problem?
• General Lack of Awareness
  – Users have only a vague understanding of the threats & risks associated with computers and the Internet
• General Lack of Quality Help
  – Many view security as cumbersome
  – Many think it is complicated & expensive
• Complacency
  – Software is in place
  – Does not involve me
Key Areas of Concern
• Do you accept the risk level?
  – Ignore it
  – Take insurance against it
  – Do something about it
• What are your concerns?
  – Authentication
  – Availability
  – Confidentiality
  – Integrity
  – Non-repudiation
  – Policies/procedures & education
Security Model
Types of Threat
• Masquerade
• Interception
• Tampering
• Denial of Service
• No Evidence
• Complacency
Types of Solutions
• Authentication
• Confidentiality
• Integrity
• Availability
• Non-Repudiation
• Training & education
Is it Possible to Eliminate All Risks?
• You know the answer – No, impossible
• But you can get close by employing “Defense in Depth”
Protection Layers: Authentication, Access Control, Confidentiality, Availability
Concept #1 - Authentication
Permission to Access Resources
• Password
• Biometrics
• Electronic Token
• 2-Factor Authentication
Passwords are easily “cracked”
• By guessing
• Social Engineering
• Deception
• Widely available cracking tools
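How easily a password is cracked depends largely on how it is stored and on how many guesses per second a tool can make against the stored form. The following Python example is added here and is not part of the original slides; it shows the standard defensive answer: a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library; bcrypt, scrypt and Argon2 are the usual alternatives), a constant-time comparison, and a small deny-list check against the obvious guesses. The function names, the record format and the sample passwords are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256: every guess a cracking tool makes must
# pay this cost, so raising it is how stored passwords resist offline attack.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32

# Constructed deny-list standing in for the "top N" lists guessing tools use.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome"})


def is_guessable(password: str, min_length: int = 12) -> bool:
    """True when a password would fall to the first round of guessing."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a salted, slow hash and return a self-describing record.

    Record layout: algorithm$iterations$salt_hex$hash_hex. Keeping the salt and
    iteration count beside the hash lets the work factor be raised later.
    """
    # Unique per record: two users with the same password get different hashes,
    # and precomputed (rainbow) tables no longer apply.
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM or iterations < 1:
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest does not leak, through timing, how many bytes matched.
    return hmac.compare_digest(derived, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record predates the current work-factor policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Password1", record))
    print("guessable:", is_guessable("qwerty"))
```

On a successful login, call `needs_rehash` and, if it returns True, store a fresh `hash_password` record: that is how an installed base is migrated to a higher work factor without forcing resets.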
Concept #2 - Confidentiality
Symmetric Encryption
• Same key for encryption/decryption
• RC4, DES, 3DES, AES, IDEA, Blowfish, Twofish
Asymmetric Encryption
• Different keys for encryption/decryption
• PGP, GnuPG, PKI (using X.509)
Cryptography promotes confidentiality
Concept #3 – Information Integrity
Hash Algorithm
• MD5 (RFC 1321), SHA (RFC 3174)
Digital Signature
• Combination of PKI & Hash technology
• Digital Signature – the hash, encrypted with the signer's private key
• Digital Signature Standard – US DSS uses SHA-1 for the hash & DSA (Digital Signature Algorithm) for encryption
Tampering can be detected by integrity mechanisms
Concept #4 - Availability
Denial of Service Attacks
• Via Internet (e.g. Ping of Death)
• Via errant applications on LAN
• Via Trojan Horse
Guard Against DoS & Sabotage
• Physical Security
• Dual and Multi Paths
• Redundant storage
• Good backup is essential
Concept #5 - Non-Repudiation
Destroying Evidence
• Log all access to covered entities
• Separate sysadmin rights from log-access rights
• Set event alarms for log tampering
A hacker or employee may cover their tracks by destroying evidence
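Concept #3 says tampering is detected by integrity mechanisms, and Concept #5 says log tampering should raise an alarm; the two combine naturally in a tamper-evident log. The Python example below is added here and is not part of the original slides. Each entry carries a keyed hash (HMAC-SHA256) over its sequence number, its message and the previous entry's HMAC, so editing, removing or reordering an entry breaks the chain at that point; copying the latest HMAC to a separate host (matching the slide's separation of sysadmin and log rights, since the writer key and the anchor live where the administrator being audited cannot reach them) also exposes truncation of the tail. SHA-256 stands in for the slide's MD5 and SHA-1, neither of which is collision resistant any more. The key, the log messages and the function names are constructed for this example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the "previous HMAC" of the very first entry


def _entry_mac(seq: int, message: str, prev_mac: str, key: bytes) -> str:
    """Keyed hash binding this entry to its position and its predecessor."""
    payload = json.dumps([seq, message, prev_mac], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain: list, message: str, key: bytes) -> dict:
    """Append a log entry whose HMAC chains to the previous entry."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": len(chain), "message": message, "prev": prev_mac}
    entry["mac"] = _entry_mac(entry["seq"], message, prev_mac, key)
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes, anchor=None):
    """Walk the chain; return (True, None) if intact, else (False, index).

    index is the position of the first entry that fails. When every entry
    checks out but the chain does not end at the externally stored anchor,
    index == len(chain): the tail has been cut off. A False result is the
    event to alarm on.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != expected_prev:
            return False, i  # entry removed, inserted or reordered
        recomputed = _entry_mac(entry["seq"], entry["message"], entry["prev"], key)
        if not hmac.compare_digest(entry["mac"], recomputed):
            return False, i  # entry content edited, or wrong key
        expected_prev = entry["mac"]
    if anchor is not None and expected_prev != anchor:
        return False, len(chain)  # tail truncated (or the anchor is stale)
    return True, None


if __name__ == "__main__":
    # Constructed key: held by the log writer, not by the sysadmin being audited.
    key = b"constructed-demo-key-held-by-log-writer"
    log = []
    for msg in ["login alice", "read record 42", "logout alice"]:  # constructed events
        append_entry(log, msg, key)
    anchor = log[-1]["mac"]  # copy this off-box after each append
    print("intact:", verify_chain(log, key, anchor))
    edited = [dict(e) for e in log]
    edited[1]["message"] = "read record 43"
    print("edited entry:", verify_chain(edited, key, anchor))
    print("deleted entry:", verify_chain(log[:1] + log[2:], key, anchor))
    print("truncated tail:", verify_chain(log[:2], key, anchor))
```

Without the anchor, deleting the newest entries leaves a chain that still verifies, which is why the last HMAC has to be recorded somewhere the log's administrator cannot alter; a real deployment would also timestamp entries and rotate the key, neither of which changes the verification logic shown.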
System & Network Intrusion
• Trojan Horse
• Masquerading insider
• Dormant malware
• NetBIOS on TCP/IP especially vulnerable
Many Faces of Attack: Data breach, Authentication info, Denial of Service
Security Administration
• Operating System Security
  – Earlier versions of Windows OS lacked security mechanisms
  – “OS Hardening” needed for critical systems
• User account password/permission
• Internet Security
  – Encrypting communication (e.g. IPSec)
  – SSL and TLS for Web
• Scan for vulnerabilities
Mitigating Risk
• Security Policies
• Procedures
• Backup & Recovery Plan
• Off-site & Contingency Plan
• User Education
• Firewalls
• Anti-Virus
• Biometrics
• Cryptography
• PKI
Reducing Risks
• Non-Technical Solutions
  – Security Policies
  – Procedures
  – Backup and Disaster Recovery Plan
  – Off-site and Contingency Plan
  – User Education
• Security Technologies
  – Firewalls
  – Anti-Virus
  – Biometrics
  – Cryptography
  – PKI
  – Intrusion Detection
  – Logs
You must have a combination of both to be effective
Reducing the Risks – How?
Policies & Procedures
• Define Security Policies
• Define Security Process
Security Technology
• Employ Security Technologies for enforcement
• Automate Event Monitoring/Compliance
• Employ Intelligent Event Correlation
Residual Risks
• Recognize that there will be residual risks
• Take insurance against it, or transfer the risks
Security Policies – Key Elements
• Network access/permission
• Information Retention
• Passwords
• Account Access
• Virus Updates
• Log Updates
• Security Fixes
• Backup Restore & Verify
• Network security audit
How you can start
• Objective assessment of the current state & desired future state
• Combination of policies & technology appropriate for the risks
• Continuous User Education
• Monitoring & Due Diligence
• Periodic Audit & Fire Drill
Resources
• These slides are available at
  – www.Dartmouth-research.com
• Security Templates
  – www.sans.org – Security Tools and Training
  – www.cert.org – CERT Coordination Center
  – www.itl.nist.gov – NIST IT Security Checklist