COMP 3371 Cyber Security Richard Henson University of Worcester October 2019


Week 5: Securing Networks and Securing the Internet

Objectives
- Explain the great importance of availability and why organisations give it priority
- Contrast between symmetric and asymmetric (public) key encryption, and explain how the latter has become “the norm”
- Explain components of secure Internet i.e. PKI
- Interpret a digital certificate

Backup!
- If it can go wrong… it will
  - Murphy’s Law!

Local Hardware Fails…
- An organisation runs its IT infrastructure 24/7
  - moving parts wear out
  - silicon chips can overheat!
  - anything electrical hates water!
  - cyber attacks can hit hardware
- Be prepared…
  - spares immediately available!

Local Software Corrupts!
- Only takes one byte, in one file…
  - and whole application or even whole operating system could fail
  - need backup of
    - application/system software
    - important data!
  - need protection against malware

Internet Services Failure
- BT cable failure
- Internet Access Service provider
  - systems failure
  - goes out of business
- Cloud Service provider
  - systems failure
  - goes out of business

Think Failure!
- Then you won’t be disappointed!
  - you’ll already have a cunning plan!
- Aim: 100% availability…
  - automatic “switch in” of backup
    - hardware: e.g. spare “mirrored” hard disk
    - software: on spare computer… configured and ready to roll!
    - Internet providers… backup provider!

Effect of the World Wide Web!!!
- Internet purpose and user changed… thanks to Tim Berners-Lee!
  - world wide web (1992)
    - universal user access…
    - TCP/IP developed to run on Windows & Apple computers
    - people could access the Internet via telephone line… (initially only 14.4 K bandwidth. Slow, but usable)

I want it now!!!
- For the first time… users in control!
  - young people loved it…
  - more experienced hands concerned
- Marketing made sure users could have it now, via www…
  - availability priority over confidentiality
  - fraud and cyber crime inevitably followed

Creating a Secure Internet
- Entrepreneurs realised that the Internet could now be used for anything
  - exchange of information…
  - pictures and movies
  - banking and business online
- Big problem…
  - no security; everything on www was free!
- Popular Solution…
  - secure protocols;
  - “secure” users through strong encryption

The Wireless Internet
- As if the www wasn’t enough!
- IT Industry just starting to get on top of www issues
  - then people had www phones!
  - naturally wanted to do e-commerce on them…
- Cabled standards mature, wireless (especially WiFi) much less so

Security & Wireless Data
- Problem with Wireless Access Protocol (WAP) standard…
  - decryption of data too easy…
  - needed authentication as well…
- Revised twice, best standard WPA-2
  - use a known SSID to provide authentication of remote device
  - other devices wouldn’t get access…
  - even WPA 2 had a bug (discovered in 2017!)

Size, Scalability and Management of Network
- Peer-Peer (up to 8, local)
- Single domain (up to 200)
- Several domains (up to 1000, domain tree)
- Enterprise Network (10 K or more, domain forest…)
- The Internet…

Users and Responsibility
- Basic principle… accountability (another “A”)
- If organisational users can’t be tracked they can’t be disciplined! (no evidence)
- Need to log on!
  - need to have a LAN!
  - either Linux (complex for SME)
  - or Windows (familiar interface)

Good Authentication Practice
- 3 authentication types/factors available
  - Type 1: Knowledge based (what user knows)
    - information provided based on person’s unique knowledge
  - Type 2: Token based (what user has/does)
    - information comes from a token generated by a system
      - tied in some way to the user logging on
    - generally not considered a good idea on its own because someone else could have stolen/copied it
  - Type 3: Characteristic based (what user is)
    - biometric data from the person logging in

Which to use?
- “Ideally” all three!
  - at least 2 factors recommended:
    - e.g. password or PIN number (type 1)
    - card based record (type 2)
  - for best security…
    - type 3 retina scan or fingerprint (AS WELL!)
- ALL 3 AVAILABLE SINCE 1996!
  - hassle for user… availability thing!

1/2/3 factor authentication & Identity Theft
- Factor 1 authentication alone is not good security
  - username/password may be stolen (or even borrowed with permission!)
- Factors 2/3 provide proof:
  - something only that person
    - would know… (knowledge)
    - would have… (Biometric data)

One time Passwords (OTP)
- Can only be used once…
  - If user gets it wrong, becomes invalid…
    - locked out
    - has to contact administrator to reset
- Implemented as a type 2 factor
  - password characters randomly generated
- If used properly…
  - very secure indeed
  - problem: “randomness” of character generation…
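The OTP rules on this slide (single use, invalid after one wrong attempt, administrator reset) can be modelled as follows. This is an added example, not part of the original slides; the class name, character set and length are assumptions, and it addresses the "randomness" problem by drawing characters from the operating system's CSPRNG.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed OTP character set
OTP_LENGTH = 8                                     # assumed OTP length


class OtpIssuer:
    """Hypothetical issuer: every OTP is good for exactly one attempt."""

    def __init__(self):
        self._pending = {}   # username -> outstanding OTP
        self.locked = set()  # users who must contact the administrator

    def issue(self, user):
        if user in self.locked:
            raise PermissionError(f"{user} is locked; administrator reset required")
        # secrets uses the OS CSPRNG. The random module (Mersenne Twister)
        # is predictable from observed output and must not be used here.
        otp = "".join(secrets.choice(ALPHABET) for _ in range(OTP_LENGTH))
        self._pending[user] = otp
        return otp

    def verify(self, user, attempt):
        # pop() consumes the OTP whether the attempt is right or wrong,
        # so a replayed or second guess never sees a valid value.
        expected = self._pending.pop(user, None)
        if expected is None:
            return False
        if hmac.compare_digest(expected.encode(), attempt.encode()):
            return True
        self.locked.add(user)  # wrong attempt: locked until admin reset
        return False

    def admin_reset(self, user):
        self.locked.discard(user)
        self._pending.pop(user, None)
```
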

Managing Security on a LAN
- Information labelling and handling
- Equipment siting and protection
- Supporting utilities
- Cabling security
- Maintenance
- Secure disposal or re-use
- Separation of development, test and operational facilities
- Controls against malicious code
- Controls against mobile code
- Information back-up
- Network controls
- Security of network services
- Electronic messaging
- On-line transactions
- Publicly available information
- Audit logging
- Auditing system use
- Protection of log information
- Clock synchronisation
- Privilege management
- Equipment identification in networks
- Remote diagnostic and configuration port protection
- Segregation in networks
- Network connection control
- Network routing control
- Secure log-on procedures
- User identification and authentication
- Password management system
- Use of system utilities
- Session time-out
- Limitation of connection time
- Information access restriction
- Sensitive system isolation
- Input data verification
- Control of internal processing, including Least Privilege
- Message integrity
- Output data verification
- Cryptographic controls
- Key management
- Technical vulnerability management (patches and updates)
- Collection of evidence…

A checklist of areas to consider, abstracted from ISO/IEC 27001 / 27002 Control Sets [TSI/2012/183] © Copyright 2003-2012

The “scatty” insider
- Employees (generally) want to do their job, and do it well…
  - some forget
  - others just don’t know…
  - ALL threaten security
- Such people are a nightmare for Network managers!!!
  - good, relevant, training helps a lot…

The “good” insider… still a threat to security (?)
- Employees (generally) want to do their job, and do it well…
  - possible conflict with the “security-orientated” or “nanny-state” approach to network management
- Needs balance
  - the network IS there for the benefit of its users…
    - fulfill business objectives
  - BUT must be as secure as reasonably possible
    - protect valuable company data

NOT Getting the balance right…
- Worrying web page (BBC, 2011)
  - BBC’s own network users were so frustrated about IT restrictions stopping them doing their jobs
    - that many ignored the rules!
    - typically 41% according to a CISCO survey covering many organisations…
    - this is probably still true today!
- http://www.bbc.co.uk/news/business-11793436

Single Sign On (SSO)
- Logon once…
  - authenticated for all servers in that environment
- More a convenience matter than a security issue
  - only one set of authentication factors needed
  - single username/authentication factor database covering all servers
- SOME very secure environments have dropped SSO in favour of separate logon for each server
  - arguable whether this is necessary but avoids the “all eggs in one basket” argument

Password Administration
- Three aspects:
  - Selection
    - company IS policy includes rules for choosing passwords
    - generally no. of characters is a good match with strength – the higher the better
  - Management
    - selection & expiration period must comply with policy
  - Control
    - policy should be enforced by the network itself
    - usually achieved through use of “group policies”

Active Directory (Windows Domain Security)


Active Directory (AD)
- Large database at the heart of any Windows “domain” network:
  - linked domains -> enterprise network
    - database even larger on enterprise servers!
- AD unlocks any logged on TCP/IP device’s stored data
  - enables remote devices to be located and used effectively

Active Directory “store”
- Global Catalog
  - stored as file NTDS.DIT when the first domain controller is created
  - distributed across all domain controllers
    - covers all “objects” on domain controllers
      - e.g. shared resources such as servers, files, printers; network user and computer accounts
  - directory changes automatically replicated to all domain controllers

Security Features of Active Directory (1)
- SSL (secure OSI level 5)
  - for e-commerce…
  - Internet Information Server (IIS) supports websites accessible only via https/SSL
- LDAP over SSL/TLS
  - LDAP important for internet lookup
  - used with secure sockets layer (SSL) for checking server credentials for extranet and ecommerce applications

Security Features of Active Directory (2)
- Trust on “Enterprise Networks”
  - default trust between contiguous Windows domains in a domain tree
  - greatly reduces management overhead

Protecting the network administrator password!
- Only the network manager can log on as domain administrator
  - but if a user can guess the password… (!!!)
- Strategies:
  - rename the administrator account to something more obscure
  - only give administrator password to one other person
  - change administrator password regularly

How AD Provides Security
- Arranged through “security principal(s)”
  - i.e. users, computers, groups, or services (via service accounts)
    - each has a unique identifier (SID)
    - manage which SIDs have access to what through “access tokens”
- Validates the authentication process…
  - for computers, at startup
  - for users, at logon

Active Directory and Controlling Users

Managing Groups of Users
- “Groups” already well established for managing users
- Active directory centrally organised resources including all computers
  - allowed groups to become more powerful for user management
- However, users are… “human”
  - need to be trained on what/what not to do
  - preferably employment contracts should include adherence to information security policy

Managing Domain Users with Active Directory
- Same user information stored on all domain controllers
- Users can be administered at or by secure access to administrator on any domain controller for that domain
  - flexibility but potential danger!

Group Policies and Network Access
- Active directory controls access to all network resources
  - appropriate access achieved at client end through allocating users with correct group policies
- Network administrator needs to know which policies to allocate to which user(s)…
  - groups must have appropriate settings

Managing Group Policy
- Software tool: Group Policy Management Console (Windows 2003 Server onwards…)
- Applies principles of MMC (Microsoft Management Console) to managing group profiles
  - particularly useful for testing/viewing the resultant profile of interaction between several group profiles in a particular order

Mechanism of AD security
- Users are usually assigned to several groups
- When a user attempts to access a directory object or network resource…
  - the security subsystem…
    - looks at the SID for the user and the SIDs of the security groups to which the user is a member
    - checks to see whether it/they match the security descriptors assigned to the resource
- If there is a match…
  - user is granted the degree of access to the resource that is specified in the ACL
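The SID matching described on this slide, as an added example that is not part of the original slides: a simplified model of how Windows walks a resource's ACL against the SIDs in a user's access token. It goes slightly beyond the slide by including deny entries and entry ordering; the SIDs, rights bits and class names are constructed for illustration and are not real Windows access masks.

```python
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4  # simplified rights bits (assumed)


@dataclass(frozen=True)
class Ace:
    kind: str  # "allow" or "deny"
    sid: str   # user or group SID this entry applies to
    mask: int  # rights the entry allows or denies


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    @property
    def sids(self):
        return self.group_sids | {self.user_sid}


def access_check(token, dacl, desired):
    """Walk the ACL in order: a matching deny for a right still needed
    fails at once; matching allows accumulate until all are granted."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token.sids:
            continue  # entry is for a principal not in this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # some requested right never matched: implicit deny


# Constructed SIDs for the example domain
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, BOB, CAROL = f"{DOMAIN}-1104", f"{DOMAIN}-1105", f"{DOMAIN}-1106"
STAFF, CONTRACTORS, ARCHIVISTS = f"{DOMAIN}-1201", f"{DOMAIN}-1202", f"{DOMAIN}-1203"

# Deny entries first, as the standard ACL editors order them
SHARE_DACL = [
    Ace("deny", CONTRACTORS, WRITE | DELETE),
    Ace("allow", STAFF, READ | WRITE),
    Ace("allow", ARCHIVISTS, DELETE),
]
```

A user in both STAFF and CONTRACTORS can read but not write: group membership only ever adds SIDs to the token, so a deny entry for any one of them wins over an allow that comes later in the list.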

Power of Group IDs in Policy-based Security
- Group Policy…
  - allows groups of users to be granted or denied access to or control over entire classes of objects and sets of resources
  - allows security & usage policies to be established separately for:
    - computer accounts
    - user accounts
  - scalable: can be applied at multiple levels:
    - users or computers residing in a specific domain
    - computers or users across a whole enterprise

User Rights
- Users MUST NOT have access to sensitive parts of the system (e.g. network servers, local system software)
  - operating system can enforce this
- Users SHOULD:
  - have access to basic software tools
  - NOT be denied on the grounds that the software could be misused…
    - c.f. no-one is allowed to drive a car because some drivers cause accidents!

Monitoring Group Policy
- Policies, like permissions, are ADDITIVE
  - watch simulation… (AGAIN!)
- Windows Network client logon
  - need to assess which specific cumulative set of policies were controlling the environment for a specific user or computer
- Windows Server GPMC
  - tracking and reporting the Resultant Set of Policy (RSoP):
    - net effect of each of the overlapping policies on a specific user or computer within the domain

And now for the practical…