CSUDH Network Appl Security 043007

advertisement
Network Security Applications:
Threats do Exists
Advance Network Based Application (CIS 471)
CSUDH
Robert Pittman Jr., M.P.A., CISM
Assistant CISO
County of Los Angeles
April 30, 2007
Student’s questions…
 What kind of security risks are involved with social networking sites like
MySpace, Facebook or Match.com?
 How often is there an attempt to steal information? How often is there a
breach?
 What is the demand for Security Professionals in the IT field like?
 Are Chief Security Officers common in corporations?
 What do you think will be the future of IT security demand? (more
demanding less demanding)
 From your experience, how difficult was it to get started in the IT field?
 How big is the career demand?
 What certifications, year of experience, and or degree are needed to
start a career in IT?
 As far as network security and any thing IT related, did you get any type
of training, from your company before you started?
Agenda
 OSI-Layer and the Zones
 Network Threats
 Mitigating Network Threats
 Wireless Networks Threats
 Wireless Networks Secured
 Web Appl (includes e-Commerce) Threats
 Mitigating Web Appl (includes e-Commerce) Issues
 Coding Web Appl (includes e-Commerce)
 Computer Crimes – the Latest News
 References
 Hacker Sites
OSI-Layer and the Zones







layer 7 - Application
layer 6 - Presentation
layer 5 - Session
layer 4 - Transport
layer 3 - Network
layer 2 - Data Link
layer 1 – Physical
 Internet  Demilitarized Zone  Intranet
(DMZ)
Network Threats




Denial of Service (DoS/DDoS)
Common Attacks (e.g. Back Door, etc.)
Voice over Internet Protocol (VoIP)
Network devices
> default SNMP community strings
> default accounts, passwords, & encryption
keys
> unnecessary Services (i.e., ports)
> unencrypted & unauthenticated Admin
passwords
> printers, fax machines, and scanners
Mitigating Network Threats
 Use of a Network Intrusion Detection System (NIDS)
 Use of a traffic regulator/governor
 Maintain software currency (OS, DBMS, etc.)
 Maintain currency of anti-virus and other security products
 Perform a Complete Configuration Audit
 Set up a syslog server
 Disable default accounts & change default passwords
 Disable unnecessary services
 Use encrypted & authenticated admin protocols
 Use port-level security
Wireless Networks Threats
 Ability to passively obtain confidential data
and leave no trace of the attack
 Positioned behind perimeter firewalls may
provide attackers with a backdoor
 Could serve as a launching pad for attacks
(i.e., zombie, etc.) on unrelated networks
 Provide convenient cover as identifying the
originator of an attack is difficult, if not
impossible
Wireless Networks Secured
 Isolate wireless networks
 Require stronger authentication
 Secure the handhelds (e.g., PDA’s laptops, etc.)
 WEP is not a security solution
 Eliminate the use of a descriptive name for SSID and






the Access Point
Hardcode MAC address that can use the AP
Change Encryption Keys frequently
Locate APs centrally
Change default AP passwords/IP addresses
DHCP should not be used
Identify Rogue APs
Web Appl (includes e-Commerce) Threats
 Spoofing identity
(RFC 2617)
 Data Tampering
 Repudiation
 Information disclosure
 Denial of Service
 Elevation of privilege
Mitigating Web Appl (includes e-Commerce)
Issues
 Source Code
 Authentication
 Session Handling
 Error Handling
 Database Handling
 Shopping Cart
 File Handling
 Application Audit Events
 Input Validation
 Sensitive Data in Cookies and Fields
Coding Web Appl (includes e-Commerce)
Do not…
 trust data received from any external source
 not rely on client-side data validation
 write unfiltered data to the web browser
 access files based on user input without validation
 put sensitive information in hidden form fields
 store passwords or other sensitive info in ASP pages
 leave comments in client-side HTML
 store unnecessarily sensitive info in the database
 put sensitive info in URLs
Do’s…
 disable the default error page
 properly quote external data used in SQL statements
 log suspicious activity
 specify a particular character set
Computer Crimes – the Latest News

Vermilion, Ohio Man Sentenced in Wire Fraud Case (April 19, 2007)

Former Navy Contractor Sentenced for Damaging Navy Computer System (April 5, 2007)

St. Joseph Woman Sentenced For $312,000 Wire Fraud (March 14, 2007)

Hackers from India Indicted for Online Brokerage Intrusion Scheme that Victimized Customers and Brokerage
Firms (March 12, 2007)

New CCIPS Publication, "Prosecuting Computer Crimes" Manual Now Available (March 10, 2007)

Defendant Sentenced For Conspiring To Commit Computer Fraud And Identity Theft (March 5, 2007)

Massachusetts Man Charged with Defrauding Cisco of Millions of Dollars Worth of Computer Networking
Equipment: Using False Identities and Private Mailboxes in at Least 39 States, Suspect Allegedly Carried out
the Fraud at Least 700 Times (February 28, 2007)

Washington State Man Pleads Guilty To Charges Of Transmitting Internet Virus (February 15, 2007)

Clovis and Fresno Residents Plead Guilty to Conspiracy to Commit Wire Fraud, Mail Fraud, and Copyright
Infringement (February 8, 2007)

Three Internal Revenue Service Employees Indicted for Computer Fraud/Abuse (February 8, 2007)

Man Pleads Guilty to Stealing Morgan Stanley Trade Secrets Relating to Hedge Funds (February 1, 2007)
References














csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
www.cert.org/security-improvement/modules/m11.html
www.cisco.com
www.cisecurity.org
www.csoonline.com
www.ietf.org/rfc.html
www.linuxhomenetworking.com/cisco-hn/syslog-cisco.htm
www.netstumbler.com
www.nist.gov (not www.nist.org)
www.ntbugtraq.com
www.owasp.org
www.sans.org
www.usdoj.gov/criminal/cybercrime/cc.html
Hack Notes: Web Security Portable Reference, Mike Shema; 174
pages, 2003, McGraw-Hill Companies.
 Writing Secure Code, Microsoft Second Edition, Michael
Howard and David LeBlanc; 768 pages, 2003, Microsoft Press.
Hacker Sites
 www.2600.com
 www.antionline.com
 www.defcon.org
 www.hackers.com
 www.insecure.org
Thanks for listening!
Questions?
Download