Network Security Applications: Threats Do Exist
Advanced Network Based Application (CIS 471), CSUDH
Robert Pittman Jr., M.P.A., CISM
Assistant CISO, County of Los Angeles
April 30, 2007

Student's questions…
- What kind of security risks are involved with social networking sites like MySpace, Facebook or Match.com?
- How often is there an attempt to steal information? How often is there a breach?
- What is the demand for Security Professionals in the IT field like? Are Chief Security Officers common in corporations?
- What do you think will be the future of IT security demand (more demanding or less demanding)?
- From your experience, how difficult was it to get started in the IT field? How big is the career demand?
- What certifications, years of experience, and/or degree are needed to start a career in IT?
- As far as network security and anything IT related, did you get any type of training from your company before you started?

Agenda
- OSI-Layer and the Zones
- Network Threats
- Mitigating Network Threats
- Wireless Network Threats
- Wireless Networks Secured
- Web Appl (includes e-Commerce) Threats
- Mitigating Web Appl (includes e-Commerce) Issues
- Coding Web Appl (includes e-Commerce)
- Computer Crimes – the Latest News
- References
- Hacker Sites

OSI-Layer and the Zones
- Layer 7 – Application
- Layer 6 – Presentation
- Layer 5 – Session
- Layer 4 – Transport
- Layer 3 – Network
- Layer 2 – Data Link
- Layer 1 – Physical
Zones: Internet | Demilitarized Zone (DMZ) | Intranet

Network Threats
- Denial of Service (DoS/DDoS)
- Common attacks (e.g., Back Door, etc.)
- Voice over Internet Protocol (VoIP)
- Network devices
  > default SNMP community strings
  > default accounts, passwords, & encryption keys
  > unnecessary services (i.e., open ports)
  > unencrypted & unauthenticated admin passwords
  > printers, fax machines, and scanners

Mitigating Network Threats
- Use of a Network Intrusion Detection System (NIDS)
- Use of a traffic regulator/governor
- Maintain software currency (OS, DBMS, etc.)
- Maintain currency of anti-virus and other security products
- Perform a complete configuration audit
- Set up a syslog server
- Disable default accounts & change default passwords
- Disable unnecessary services
- Use encrypted & authenticated admin protocols
- Use port-level security

Wireless Network Threats
- Ability to passively obtain confidential data and leave no trace of the attack
- Being positioned behind perimeter firewalls, a wireless network may provide attackers with a backdoor
- Could serve as a launching pad for attacks (i.e., zombies, etc.) on unrelated networks
- Provides convenient cover, as identifying the originator of an attack is difficult, if not impossible

Wireless Networks Secured
- Isolate wireless networks
- Require stronger authentication
- Secure the handhelds (e.g., PDAs, laptops, etc.)
- WEP is not a security solution
- Eliminate the use of a descriptive name for the SSID and the Access Point
- Hardcode the MAC addresses that may use the AP
- Change encryption keys frequently
- Locate APs centrally
- Change default AP passwords/IP addresses
- DHCP should not be used
- Identify rogue APs

Web Appl (includes e-Commerce) Threats
- Spoofing identity (RFC 2617)
- Data tampering
- Repudiation
- Information disclosure
- Denial of Service
- Elevation of privilege

Mitigating Web Appl (includes e-Commerce) Issues
- Source code
- Authentication
- Session handling
- Error handling
- Database handling
- Shopping cart
- File handling
- Application audit events
- Input validation
- Sensitive data in cookies and fields

Coding Web Appl (includes e-Commerce)
Do not…
- trust data received from any external source
- rely on client-side data validation
- write unfiltered data to the web browser
- access files based on user input without validation
- put sensitive information in hidden form fields
- store passwords or other sensitive info in ASP pages
- leave comments in client-side HTML
- store unnecessarily sensitive info in the database
- put sensitive info in URLs
Do's…
- disable the default error page
- properly quote external data used in SQL statements
- log suspicious activity
- specify a particular character set

Computer Crimes – the Latest News
- Vermilion, Ohio Man Sentenced in Wire Fraud Case (April 19, 2007)
- Former Navy Contractor Sentenced for Damaging Navy Computer System (April 5, 2007)
- St. Joseph Woman Sentenced For $312,000 Wire Fraud (March 14, 2007)
- Hackers from India Indicted for Online Brokerage Intrusion Scheme that Victimized Customers and Brokerage Firms (March 12, 2007)
- New CCIPS Publication, "Prosecuting Computer Crimes" Manual Now Available (March 10, 2007)
- Defendant Sentenced For Conspiring To Commit Computer Fraud And Identity Theft (March 5, 2007)
- Massachusetts Man Charged with Defrauding Cisco of Millions of Dollars Worth of Computer Networking Equipment: Using False Identities and Private Mailboxes in at Least 39 States, Suspect Allegedly Carried out the Fraud at Least 700 Times (February 28, 2007)
- Washington State Man Pleads Guilty To Charges Of Transmitting Internet Virus (February 15, 2007)
- Clovis and Fresno Residents Plead Guilty to Conspiracy to Commit Wire Fraud, Mail Fraud, and Copyright Infringement (February 8, 2007)
- Three Internal Revenue Service Employees Indicted for Computer Fraud/Abuse (February 8, 2007)
- Man Pleads Guilty to Stealing Morgan Stanley Trade Secrets Relating to Hedge Funds (February 1, 2007)

References
- csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
- www.cert.org/security-improvement/modules/m11.html
- www.cisco.com
- www.cisecurity.org
- www.csoonline.com
- www.ietf.org/rfc.html
- www.linuxhomenetworking.com/cisco-hn/syslog-cisco.htm
- www.netstumbler.com
- www.nist.gov (not www.nist.org)
- www.ntbugtraq.com
- www.owasp.org
- www.sans.org
- www.usdoj.gov/criminal/cybercrime/cc.html
- Hack Notes: Web Security Portable Reference, Mike Shema; 174 pages, 2003, McGraw-Hill Companies.
- Writing Secure Code, Second Edition, Michael Howard and David LeBlanc; 768 pages, 2003, Microsoft Press.
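Two of the rules on the Coding Web Appl slide, "properly quote external data used in SQL statements" and "do not access files based on user input without validation", shown side by side as an added Python example that is not part of the original presentation. The in-memory user table, the hypothetical upload directory and the sample inputs are all constructed for the demonstration.

```python
import os
import sqlite3


def make_db():
    # Constructed stand-in for an e-commerce user store (not a real schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_unquoted(db, name, pw):
    # Don't: external data is pasted straight into the statement, so the
    # quoting of the SQL is decided by whoever typed the input.
    sql = f"SELECT COUNT(*) FROM users WHERE name='{name}' AND pw='{pw}'"
    return db.execute(sql).fetchone()[0] > 0


def login_parameterised(db, name, pw):
    # Do: bound parameters let the driver quote the external data, so the
    # input can only ever be compared as a value, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND pw=?"
    return db.execute(sql, (name, pw)).fetchone()[0] > 0


def safe_path(base_dir, user_supplied):
    # Do: resolve the requested file (following '..' and symlinks) and only
    # serve it if it still lies under base_dir. base_dir is hypothetical and
    # need not exist; realpath/commonpath are pure path arithmetic here.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_supplied))
    if os.path.commonpath([base, target]) != base:
        return None  # caller should log this as suspicious activity
    return target


def demo():
    # Returns (unquoted accepts malformed input, parameterised rejects it,
    # traversal rejected, normal file allowed) for a quick self-check.
    db = make_db()
    bad_pw = "x' OR '1'='1"  # constructed malformed input
    return (
        login_unquoted(db, "alice", bad_pw),
        login_parameterised(db, "alice", bad_pw),
        safe_path("/srv/shop/uploads", "../../../etc/passwd") is None,
        safe_path("/srv/shop/uploads", "report.txt").endswith("report.txt"),
    )
```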
Hacker Sites
- www.2600.com
- www.antionline.com
- www.defcon.org
- www.hackers.com
- www.insecure.org

Thanks for listening! Questions?