An Introduction to Network Cyber Security


Table of Contents

1. Overview
2. Introduction to Networks
3. Network Cyber Security As Part Of A Holistic Approach
   3.1. Application Security
   3.2. Network Security
   3.3. Physical Security
4. Understanding Networks
   4.1. Building Blocks
   4.2. Address Services
   4.3. Internet Exchange Points and Topology
   4.4. Authentication through Certificates
   4.5. Protocols
5. Network Cyber Security Vulnerabilities
   5.1. Anonymity and Attribution
   5.2. Denial of Service Attacks
   5.3. Spoofing and Man-in-the-Middle Attacks
   5.4. Network Interception and Black-holes
   5.5. Fake Certificates and Certificate Authorities
   5.6. Protocol Attacks
   5.7. Sizes of Networks and Traffic
   5.8. Netflow
6. Network Cyber Security Defense Capabilities
   6.1. Protect Network Infrastructure: VPNs; Backbone Hardening; Firewalls
   6.2. Defend Network Operations: Intrusion Detection Systems; Malware Signatures; Deep Packet Inspection
   6.3. Analyze Network Activity: Situational Awareness
   6.4. Test Network Security: Black, Grey and White Hat Hackers; Penetration Testing; Vulnerability Scanning; The Exploit Wheel of Life; Virtual Task Forces and Information Exchanges
7. Virtuous Cycle: Growth Figures; Markets (Protection; Defense/Interception; Analysis and Situational Awareness; Active Test); Growth Areas
8. Ultra Solutions

Ultra Electronics, 3eTI, May 2012

1. Overview

This paper provides an overview of network cyber security: what it is, and an explanation of some of the terms. Cyberspace can be divided into the following assets: devices, data, networks, and people (Diagram 1). Securing those assets is the job of cyber security. Many of us are familiar with cyber security products designed to protect devices, such as anti-virus or login passwords. We are also familiar with the concept of encryption to protect data, but what about network security? Data needs to be communicated, and therefore networks are required in order to make use of that data in a wider context. We use cryptos on networks (such as military data-link cryptos or hardware VPN cryptos), but these devices are really just protecting the data flowing over the networks rather than the infrastructure or operation of the network itself. Cryptography plays a large role in network cyber security, but it is not the only one. Cryptography can also play a larger role than just traffic encryption within network cyber security, and some of those ideas will be presented here.

Networks are easy to understand and have many obvious analogies in the real world. This paper should help the reader understand what computer networks are, facilitate ongoing discussions and avoid confusion by providing a commonly understood baseline and terminology.

How to read this document

This document is divided into three sections: an introduction to how networks work and how they are vulnerable, an overview of the different network cyber security protection areas, and a model and market assessment of the network cyber security space. While it is possible to read only the last section and bypass the other content, this is not advisable. Networks are commonly misunderstood, especially with regard to network cyber security. Just reading the model section or concluding strategy could perpetuate the misunderstandings and confuse the reader further.

In this vein, some may find the analogies used in this document too simple, and for that an apology is offered. However, networks are for the most part simple to understand, and it is the author's intent to provide examples that will prove to be enlightening.

2. Introduction to Networks

Computer networks are one of those technologies that most people have heard of and have an idea of what they are, but do not necessarily understand. When most people hear the term "computer network" they immediately think of wires and cables strung between boxes. Networks do not exist without the wires, or physical network, but the wires are not what makes transportation across them possible. A good analogy when thinking of computer networks is the road infrastructure. The surface of the road defines where the road is, but it is the extra elements such as traffic lights, speed limits, drivers' licenses, cars, lorries, bridges and roadmaps that make transportation across it possible. Without highway laws, safe vehicles, signposts and maps, the roads would just be stretches of tarmac without any purpose. Computer networks are the same: the easy part is putting the cables in the ground and connecting them together; the hard part is getting traffic to flow through them correctly and reliably from source to destination all across the world. Attackers can manipulate and disrupt a network and its traffic by hacking these other elements. It is the role of network cyber security to act as the police of the system and to try to ensure the infrastructure remains as reliable and accessible as possible.

3. Network Cyber Security As Part Of A Holistic Approach

As we said in the introduction, cyberspace can be divided into devices, data, networks and people. Each of these areas needs its own cyber security in order to protect the whole. Putting advanced cryptography between the computers on a network will protect against anyone listening in to your communications, but will do nothing to stop the spread of malware introduced from an infected USB stick. Instead a holistic approach across all of these areas is required (Diagram 1).

Diagram 1 - Cyber Security Defined

3.1. Application Security

Application security sits at the nexus between devices and data. Applications are made from data, but they are created to manipulate devices. For instance, your computer is a device, but what makes it useful is the software that runs on it, manipulating the 1s and 0s stored in memory. Applications are therefore written for the purpose of performing a task. If the application behaves as expected, then given a known input the application should provide a deterministic output. Should an attacker manipulate the input to an application, or even the application's behavior itself, then the output would no longer be what the creator or operator had intended and could have damaging consequences. While this can prove frustrating on a home computer, it can have a severe impact on an industrial control system such as a power station. Applications therefore need security controls to protect them from malicious manipulation. This is not easy, as applications are very complex and it is therefore difficult to distinguish standard from non-standard behavior. Manipulations can also be very subtle, making their presence difficult to detect.

Applications therefore use a variety of techniques to protect themselves from outside manipulation, such as memory randomization (where the code does not always sit in the same location each time it is run), encryption, permissions (which define who can do what), and input checking. Applications can also be cryptographically signed to prove to the user and device that they have not been manipulated since they were produced by their creator. There are also specific security applications, such as anti-virus, whose function is to look for and identify malicious applications or behavior denoting an attack. However, this is not easy, as there is a constantly changing array of malicious applications that the anti-virus application has never seen before. One interesting statistic is the estimate that there is one software bug in every thousand lines of code, which, when typical applications run into millions of lines of code, yields a large number of software bugs. It is these bugs that attackers exploit, using them to make an application perform in a non-standard manner and potentially allowing them to carry out unauthorized or unintended tasks. Anti-virus products are themselves large, complex pieces of software and are not immune to being the vector through which an attacker successfully gains control over a system.

As a result, the application space is not a no-holds-barred playground. Operating systems and vendors have worked hard to enforce stricter rules on access and authentication for certain operations. A simple username and login prompt can provide an acceptable level of application security in certain circumstances. Otherwise, granular control over which files, folders and system operations a user can manipulate can be implemented to protect against malicious behavior. This stops an exploited piece of software, such as a word processing application, from being able to maliciously change the underlying operating system. However, because the application space is all software and it is very difficult to write perfect, bug-free software, application security will always be required. Without it, there could be no guarantee that a computer or task was being carried out as the designer and operator intended.

3.2. Network Security

Just as a system can be attacked in a number of different ways, there are a number of different types of defenses that can be used to protect it. We are all familiar with the use of encryption as a way to harden a network and add confidentiality. This is an example of an infrastructure hardening process: a static security control that, by virtue of its operation, stops a number of attacks from succeeding. However, as we pointed out with the USB example, these protections can be overcome, so real-time monitoring controls are also used. Monitors and intelligence gathering tools sit in a system and attempt to discover and stop attacks by inspecting ongoing activity. One common example of a device monitoring control is software anti-virus. Anti-virus sits on your computer and tries to detect malware infections in real time.

Between hardening and monitoring a large number of attacks can be prevented; however, these protections are never perfect. Imperfections in the way a system operates or communicates can introduce vulnerabilities that are not protected against. Therefore a third layer of security control is required to cover these situations. These analysis controls sit outside of the day-to-day operation of a system or network and observe behavior. Then, through the reported information, the analysis controls try to identify when anomalous behavior is occurring or if there are other signs of compromise. The analysis products can be thought of as providing situational awareness of the activity of a network or system, able to find the needles representing attackers in a haystack of normal activity. There is a final level of security called exploit, in which hired experts test the effectiveness of your security. In cyber security these are known as penetration tests or ethical hacking.

These levels of cyber security have analogies in the physical space. We build walls and doors representing hardened controls, and we use night watchmen and security guards as monitoring controls. And we have police investigation teams and forensic examiners to discover evidence of successful attacks. Together these three types of security create defense in depth, preventing many attacks and minimizing the impact of successful ones. Throughout the rest of this paper the subject of networks and network security will be explored in more detail, as this is one of the clearest examples of where security is more than encryption, and where encryption provides more than just confidentiality.

3.3. Physical Security

Critical Infrastructure (CI) must be built on a foundation of both physical and cyber security. Infrastructure and site surveillance is imperative given the increasing concern for security and safety due to the threat of terrorism and the need to protect critical assets. The best chance of preventing disruption to a facility is to create an interactive perimeter that detects intruders and alerts you to potential threats before they occur.

Physical security likewise provides a valuable piece of the cyber security solution. Specifically, it can be used to enhance protection against attacks by people (whether intentional or unintentional). Users are one of the most common vectors for cyber attack. For instance, manipulating someone into using an infected USB stick can compromise an air-gapped system, or socially engineering someone into giving an unauthorized person access to a restricted or critical area. By protecting and monitoring access to critical servers, removing physical access to USB drives, or identifying when tampering occurs to remote systems, the whole cyber security posture is elevated.

Diagram 2 - Physical Security Integrated

4. Understanding Networks

4.1. Building Blocks

Almost all IP networks are built from the same few building blocks, from small office-scale networks to the expanse of the Internet. Combined together, these building blocks create a useful network infrastructure over which any type of data can flow. The utility of a network is its purpose; should an attacker successfully attack one of the building blocks, they will disrupt the usefulness of the network and therefore cause the same damage as if they had cut the wires themselves. So what are these building blocks? (Diagram 3)

Diagram 3 - Network Building Blocks

With the exception of certificates, each of these technologies was designed to make networking easier rather than more secure, and they are therefore inherently insecure and vulnerable. Security researchers are only now beginning to add security to these elements, and new vulnerabilities within them are being discovered all the time.

4.2. Address Services

The Address Services are the phone directory of the network. They provide each device with a unique address (the equivalent of a phone number) within the network. They also provide the translation service from a textual web address, such as google.com, into the unique numerical IPv4/6 address. The most common address service protocols are DHCP, which provides your computer with an IP address on a local network, and DNS, which translates web addresses into Internet IP addresses.

4.3. Internet Exchange Points and Topology

The Internet is not, as is commonly thought, one large mesh network of computers all interconnected. Instead, think of it as many cities connected to each other via large highways. Each Internet Service Provider (ISP) can be thought of as a city comprising a large number of houses (or computers); these are called Autonomous Systems (AS). All of the ASs are joined together via big, super-fast connections. In order to get from one house in one AS (city) to another house in another AS, you have to plan your journey just as you do for a road trip, which involves traversing the city's roads as well as the inter-city highways. The same is true for networks: you use internal routers to get through each AS, and external routers to get between ASs. Both external and internal routers are needed if large networks are to be deployed.

Do not confuse the geographical topology of networks with the network topology of ASs. There is some commonality due to the locations of wires and computers, but the network topology is primarily determined by an AS's architecture across its user base.

The Internet was initially designed to be robust and adaptable to the loss of any given link. The Internet is still very capable of quickly routing around lost connections, but it is not as robust as most people think. Due to economic pressures, the Internet actually has a relatively small number of critical nodes (called Internet Exchange Points) through which a very large amount of traffic passes. Should these be disrupted or destroyed, it is uncertain how well the rest of the network would operate. These include the Deutscher Commercial Internet Exchange (1120 Gbps), Amsterdam Internet Exchange (912 Gbps), Equinix Exchange (990 Gbps) and London Internet Exchange (743 Gbps), with their average throughputs. The Internet Topology (Diagram 4) clearly illustrates some of these primary interconnects.

Diagram 4 - The Internet Topology (Opte Project)

4.4. Authentication through Certificates

Computer networks are intrinsically anonymous. Anyone can obtain an IP address and therefore be reached from anywhere else, but ironically having an IP address does not tell you anything about the computer at the end of it. Similar to the phone network, you can sometimes misdial or become erroneously connected. We therefore rely upon the trustworthiness of the person at the other end of the phone to answer and correctly identify themselves. The phone system does not have any way to do the authentication for us. The same is true of computer networks; we rely on the computer at the other end of the IP address to be who it says it is. While this scenario is acceptable for family, friends, etc., it does not provide enough authentication for businesses such as banks or the government.

Computers therefore utilize certificates (similar to passports) to provide identification. These certificates are issued by a third party (called a certificate authority) and are secured against duplication or fraudulent use through encryption. When a user connects to a remote computer, the remote computer sends back its correctly issued certificate, bound to its address, so as to prove its identity. These certificates cannot easily be altered, and as they are tied to an identity such as a web address (e.g. google.com), an attacker cannot substitute one of their own. Obviously, should an attacker obtain a certificate for a site they do not own, it is possible that they can reliably masquerade as that site. This is exactly what happened at the certificate authorities Comodo and DigiNotar, and it caused a large upheaval to Internet operations.

4.5. Protocols

The final IP network building block involves protocols. Protocols can be thought of as the Highway Code: everyone needs to know them and follow them in order to use the network. The most common ones are IPv4, which describes how to label a packet, and TCP, which describes how to reliably send packets. There are many more which are intrinsic to the working of a network, but it is not necessary for the purposes of this discussion to look at these in detail. What is important to understand is that networks are bound to these protocols; they need to use them in order to interoperate. Network protocols are open and available for anyone to understand and implement, and as a result computers and networks operate in a predictable and pre-determined manner.

Networks are designed to carry traffic; therefore there are some aspects of network operation and network security which require viewing the traffic itself. Inspecting the traffic through a network could be thought of as a part of data cyber security; however, there is a fine line differentiating the two, so for the purposes of this discussion it will be deemed part of network cyber security. Networks operate by inspecting the headers of the traffic that flows across them, as this is where the destination addresses are given. A great deal of extra information can be obtained by looking further into a packet of data rather than just observing its header. Network monitors are designed to do just this, and it is termed deep packet inspection or analysis (DPI). DPI sounds impressive, but it only describes the act of looking at more than just the header. As in real life, reading is the easy part; it is the understanding of what you have just read that is difficult.
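To make the header-versus-payload distinction concrete, here is an added example in Python; it is not code from the original paper or from Ultra Electronics. It constructs a sample IPv4/TCP datagram, parses only the headers the way a router would, and then applies a simple DPI step to the payload to find out what the application data actually is. The addresses, ports and the hostname internal.example are constructed sample values, and the checksums are left at zero because nothing here puts the packet on a wire.

```python
import struct

# Request methods that mark a plaintext HTTP request at the start of a TCP payload.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")


def ip_bytes(addr):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw):
    """4 raw bytes to dotted-quad string."""
    return ".".join(str(b) for b in raw)


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Construct a sample IPv4+TCP datagram for the demo (checksums left at zero; not a capture)."""
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_header) + len(payload)
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, protocol 6 (TCP), checksum, src, dst
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                            ip_bytes(src), ip_bytes(dst))
    return ip_header + tcp_header + payload


def parse_headers(datagram):
    """The router's view: read the IPv4 and TCP headers only. Returns (header dict, payload bytes)."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (vihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("this example handles TCP only")
    sport, dport, _, _, offset = struct.unpack("!HHIIB", datagram[ihl:ihl + 13])
    thl = (offset >> 4) * 4
    header = {"src": ip_str(src), "dst": ip_str(dst), "sport": sport, "dport": dport, "ttl": ttl}
    return header, datagram[ihl + thl:total_len]


def inspect_payload(payload):
    """The DPI step: look past the headers and identify what the application data actually is."""
    if payload.startswith(HTTP_METHODS):
        lines = payload.split(b"\r\n")
        method, path, _ = lines[0].split(b" ", 2)
        host = b""
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip()
                break
        return {"app": "http", "method": method.decode(), "path": path.decode(), "host": host.decode()}
    # TLS records start with content type 0x16 (handshake) and major version 3.
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return {"app": "tls-handshake"}
    return {"app": "unknown"}


def classify(datagram):
    """Combine both views: the header fields plus what DPI found in the payload."""
    header, payload = parse_headers(datagram)
    header["app"] = inspect_payload(payload)
    return header


if __name__ == "__main__":
    # Constructed sample: plaintext HTTP sent to a port where TLS would normally be expected.
    sample = build_ipv4_tcp("10.0.0.5", "203.0.113.20", 51000, 8443,
                            b"GET /admin HTTP/1.1\r\nHost: internal.example\r\n\r\n")
    print(classify(sample))
```

The header alone says only that host 10.0.0.5 opened a connection to port 8443; the DPI step shows that the connection carries a plaintext HTTP request for /admin, which is the kind of fact a monitor needs and a router never looks at.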

5. Network Cyber Security Vulnerabilities

We have discussed that networks are made up of lots of computers all delicately stitched together using a few key building blocks. Keeping these building blocks running efficiently is the job of network management, and keeping them safe from attack is the job of network cyber security. Attackers are typically trying to attack or manipulate one or more of these building blocks in order to achieve their objective. The majority of standard networks (including the Internet) were designed and implemented with no inherent authentication, access control or attribution. Instead they were designed for utility and robustness.

5.1. Anonymity and Attribution

Security was not really a consideration when the majority of network infrastructure components were invented. As a result, networks are inherently vulnerable to a number of attacks. One of the largest and most intractable is that attackers, and their attacks, are for all intents and purposes anonymous. The only indication of where an attack came from is the sender address of the attack packet, but an address does not prove who sent it, only where it was sent from, and even then this address can easily be forged. It is common for attackers to use a previously infected system as an unwitting victim from which to launch their attack on a more sophisticated target. This maneuver will lead any subsequent investigation, even by a sophisticated investigator, to the first victim rather than the attacker. This begs the question: are all attacks that seem to originate from China actually the result of Chinese hackers? Or are attackers routing their attacks through China knowing no further investigation from there will be possible?

Due to the lack of inbuilt security, each building block of the network is vulnerable to different attacks. Networks by definition are broadcast media: any device along a packet's journey can view the packets going through it, and so in that regard confidentiality is not expected. Therefore encryption devices such as in-line encryptors are used to make data confidential before it ever enters the network.

5.2. Denial of Service Attacks

IP computer networks were originally designed to solve the availability problem. By utilizing a packet-switched architecture, IP networks are able to reroute around congestion or broken connections, and they make full use of the capacity of a link in a way that circuit-switched networks could never do. What they were not designed to protect against was intentional flooding of data to a single destination. This is what is known as a denial-of-service (DoS) attack. So many spam packets are sent to a receiver that it does not have the resources to sort through and ignore the bad packets and only handle the legitimate ones. As a result, the receiver shuts down under the load and legitimate communications go undelivered.

5.3. Spoofing and Man-in-the-Middle Attacks

The most dangerous element of a network to attack is its integrity. If an attacker can manipulate the addressing, routing or certificates of a network, they can then control who talks to whom and impersonate anyone they want (e.g. your bank or your company). Just as maps only work if the road layout and signposts are correct, networks only work if the routing, addressing and certificates of the network are accurate and not manipulated.

Address services are vulnerable to two main types of attack: corruption and impersonation. Clients send requests to address services, such as "what is the IP address of google.com?" or "what is the address of the Wi-Fi base station?", and address servers return the answers. If an attacker can manipulate the information in the address servers, then they will give clients the wrong information and clients will unwittingly connect to the wrong destination. The other way to manipulate the address services is to impersonate them. If an attacker can listen for a client's request and send a reply before the real address server can, then the client will use the information provided by the attacker. This is known as spoofing, and it occurs because there is a historical inherent trust of the address services. This is slowly changing with the addition of technologies such as Domain Name System Security Extensions (DNSSEC), but we are far from this point yet.

Apart from directing computers to the wrong destinations, attackers can also pretend to be the Internet access point and have computers connect through them. This enables them to act as a man-in-the-middle and view all the traffic and manipulate it as they see fit. The ability to act as a fake destination or gateway allows an attacker to completely control the conversation and manipulate any of the data passing through it. An attacker could, for example, capture all of your login information or even send fake email from your account. It is the integrity and legitimacy of address services that are attacked by hackers; if they control the address services they control the destination of traffic. Network defenders are therefore on the lookout for address service impersonators or manipulations of the address service information, but as attacks become more sophisticated this becomes more difficult.

5.4. Network Interception and Black-holes

Router and address service attacks are sometimes confused with one another, but in reality they are very different. Using a postcard analogy, address service attacks attempt to change the address on the postcard but let the postal service deliver it as normal, whereas router attacks leave the address on the postcard alone but manipulate the post office into sending the postcard to the wrong depot.

Routers, both internal and external, are constantly communicating with each other, passing information about congestion, open/closed links, and whom they are connected to. This enables all the routers to maintain a common operational picture (COP) of the overall network. As long as all the routers have a similar and accurate COP, they can route any packet to any destination reliably and accurately. If an attacker can manipulate this information, e.g. tell the U.S. that the quickest way to communicate with the U.K. is through South America, then, just as your GPS system will re-route you along the fastest roads, traffic will begin to flow along the manipulated sub-optimal route. There are two reasons for doing this: either the attacker would like to monitor all of your communications, and therefore routes that traffic through their own systems, or they want to stop any traffic reaching a destination, so they purposely route traffic away from it. Traffic routed away so that it never reaches its destination is called black-holing. Network black holes are areas unreachable by other parts of the network due to routing inaccuracies. If an attacker does not want to black-hole a destination, but rather intercept and read all of its traffic, then they change the routes so that all traffic goes through them en route to the destination.

So, for the correct and reliable operation of a network, defenders need to ensure that the routing information is accurate and not manipulated. Defenders, however, cannot lock down routing tables and stop them from being changed without limiting the ability of routers to handle changing conditions. Optimal routes change all the time due to network outages, maintenance or congestion, and routers need to keep abreast of these changes to ensure a continuously reliable and robust network. If routers cannot exchange operational information and update routing tables they will become brittle and potentially collapse.
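The address-service spoofing described in section 5.3 above, as an added example in Python (not code from the original paper or from Ultra Electronics): a minimal DNS A-record parser plus the check a defender's sensor could run over the responses it sees. It raises an alert when a response arrives from a server other than the configured resolver, and when two responses for the same transaction ID disagree on the answer, which is the symptom of a forged reply racing the real one. The resolver address 10.0.0.53, the other IP addresses and the packets themselves are constructed sample values.

```python
import struct
from collections import defaultdict

# Assumed: the site's legitimate recursive resolver (constructed sample value).
RESOLVER_IP = "10.0.0.53"


def encode_name(name):
    """Encode a dotted name in DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, qname, answer_ip, ttl=300):
    """Construct a minimal DNS response carrying one A record (sample data, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1; one question, one answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # type A, class IN
    rdata = bytes(int(o) for o in answer_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata  # name = pointer to offset 12
    return header + question + answer


def decode_name(data, offset):
    """Decode a possibly compressed name. Returns (name, offset just after the name field)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(data):
    """Parse the header, question and A-record answers from a DNS response."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, offset = decode_name(data, 12)
    offset += 4                                        # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "qname": qname, "answers": answers}


def find_spoof_candidates(observed, resolver_ip=RESOLVER_IP):
    """observed: list of (source_ip, raw_response) seen by a sensor. Returns a list of alert strings."""
    alerts = []
    by_query = defaultdict(list)
    for src, raw in observed:
        rec = parse_response(raw)
        if src != resolver_ip:
            alerts.append(f"response for {rec['qname']} (id {rec['txid']:#06x}) from unexpected server {src}")
        by_query[(rec["txid"], rec["qname"])].append((src, tuple(rec["answers"])))
    # A racing forged reply produces two responses for one transaction that disagree on the answer.
    for (txid, qname), replies in by_query.items():
        if len({ans for _, ans in replies}) > 1:
            alerts.append(f"conflicting answers for {qname} (id {txid:#06x}): {replies}")
    return alerts


if __name__ == "__main__":
    # Constructed sensor input: a reply from an unexpected host arrives alongside the real resolver's reply.
    observed = [
        ("192.168.1.77", build_a_response(0x1234, "example.com", "203.0.113.9")),
        (RESOLVER_IP, build_a_response(0x1234, "example.com", "198.51.100.10")),
        (RESOLVER_IP, build_a_response(0x1235, "example.org", "198.51.100.11")),
    ]
    for alert in find_spoof_candidates(observed):
        print(alert)
```

Both checks are cheap enough to run on a passive tap; neither tells you which of the two answers was the forged one, only that the transaction cannot be trusted, which is exactly the point the section makes about relying on DNSSEC rather than on the historical trust of the address service.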

5.5. Fake Certificates and Certificate Authorities

Networks can be manipulated, and therefore clients need to ensure the identity of the computer at the other end of the network. Certificates are used as a form of ID; therefore if any attacker manipulates the address or routing of traffic, the resultant destination computer will not be able to provide the correct ID and the client will know something is amiss. When browsing the Internet, any site that uses HTTPS is using a certificate to verify its identity and so theoretically can be trusted. However, just as with any form of ID, you need to prevent an attacker from forging a fake one. This is done by using certificate authorities (CAs), whose job it is to verify the identity of the requester and sign their certificate. Every browser comes with a copy of these CAs' signatures so that it can validate the authenticity of any certificate it receives. If the certificate is not signed by one of the trusted CAs, it will warn the user that it is potentially fraudulent and dangerous.

But how do you sign certificates for sites all around the world in different countries and jurisdictions? There does not exist an international U.N.-style body that can oversee this operation, so web browsers end up having to trust at least 50 independent CAs from all around the world. These range from small companies to large ones and include the Hong Kong Post Office and Coventry City Council, and the scary part is that the web browsers trust them all equally regardless of who they are! Attackers routinely target these CAs and attempt to get their fake certificate IDs signed by the CA to make them appear legitimate. If they are able to do this, then they could have a victim connect to the wrong destination and send them a legitimate-appearing certificate for their bank, thus bypassing the computer's inbuilt security tools and giving no warning to the user of the fraudulent activity.

5.6. Protocol Attacks

CA attacks aside, most network attacks (including some on address services) are in actuality attacks on protocols. Every computer follows set rules for how it communicates with others; hackers periodically find out that if they go off script in certain ways, they can manipulate the protocol and do things they should not be able to do. Network defenders need to look for times when deviations from network protocols are occurring and try to prevent any impact arising from them. This is notoriously difficult to do, because at first glance both parties are following the protocol. Protocol manipulation is analogous to a Derren Brown magic trick (see plenty of YouTube clips for more explanation).

As you can imagine, cyber attacks on a network's availability tend to be obvious and destructive: either a denial-of-service flood, or traffic is routed to the completely wrong destination. Attacks on a network's integrity tend to be more subtle and difficult to identify, especially when you are not looking for them. Thus network cyber defenders introduce proactive security measures such as DNSSEC and firewalls to prevent these attacks, and use network monitoring measures such as intrusion detection and DPI to detect signs of an attack that has penetrated their protections.

5.7. Sizes of Networks and Traffic

Like all investigative security controls, it is very difficult to detect an attacker or attack amongst all the legitimate activity. This is especially the case within computer networks. The Internet currently routes around 7,700 GB/s, which is around 1,600 DVDs every second! It is inconceivable that anybody or any machine could look at, or effectively analyze, that volume of data in real time, let alone store it. Monitoring the backbone of the Internet is not feasible; therefore, instead of capturing and looking at a large amount of data, situational awareness is normally achieved through lots of sensors or probes distributed throughout the infrastructure, each looking at smaller amounts of data, and then fusing the results. A dispersed set of network monitors can provide a good picture of what is happening across the whole network at any given moment, and tools can be used to measure the pattern of traffic now versus historically. This trend analysis is utilized to identify anomalous data streams and potential attacks. To describe this as looking for a needle in a haystack is very apt, although a little misleading, because most security assessors actually remove all of the hay until just needles remain. In other words, they identify normal traffic and then discard it from the analysis until only the unusual traffic remains.

5.8. Netflow

Even within a medium-sized office, the amount of traffic flowing over the network will probably be too large to capture and store without being prohibitively expensive. Attempting to copy all of the letters a postman delivers in one day is almost impossible, but asking him to make a note of the sender and destination post codes (zip codes) is not. In the network cyber security arena this function is called Netflow. Network monitoring systems, such as Intrusion Detection Systems (IDS), make a log of netflow which allows them to keep track of who is talking to whom without actually storing what is being said. Netflow can be thought of as a social network map of a network. Obviously this data in and of itself is very interesting, and there are many products and systems in the cyber space to analyze and make inferences on netflow data.
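An added example in Python (not part of the original paper or Ultra Electronics' products) that puts sections 5.7 and 5.8 together: flow records are summarised into a who-talks-to-whom map, the "hay" is removed by discarding every flow already seen in a baseline period, and hosts whose fan-in or fan-out has grown sharply against that baseline are flagged. A sudden jump in fan-in is the shape of the flood described in section 5.2; a jump in fan-out is one internal host reaching out to many peers. The flow records are constructed, and the threshold values are assumptions rather than anything the paper specifies.

```python
from collections import defaultdict, namedtuple

# One flow record: the "post codes" of a conversation, never its contents.
Flow = namedtuple("Flow", "src dst dport packets bytes")


def summarize(flows):
    """Who talks to whom: distinct peers per source (fan-out) and per destination (fan-in)."""
    fan_out, fan_in = defaultdict(set), defaultdict(set)
    for f in flows:
        fan_out[f.src].add(f.dst)
        fan_in[f.dst].add(f.src)
    return fan_out, fan_in


def remove_hay(baseline, current):
    """Discard flows whose (src, dst, dport) already appeared in the baseline; keep the unusual ones."""
    normal = {(f.src, f.dst, f.dport) for f in baseline}
    return [f for f in current if (f.src, f.dst, f.dport) not in normal]


def find_anomalies(baseline, current, factor=3, min_peers=5):
    """Flag hosts whose peer count grew more than `factor` times versus baseline (thresholds are assumptions)."""
    base_out, base_in = summarize(baseline)
    cur_out, cur_in = summarize(current)
    alerts = []
    for kind, base, cur in (("fan-out", base_out, cur_out), ("fan-in", base_in, cur_in)):
        for host, peers in cur.items():
            before = len(base.get(host, ()))
            if len(peers) >= min_peers and len(peers) > factor * max(before, 1):
                alerts.append((kind, host, before, len(peers)))
    return alerts


def sample_data():
    """Constructed flow records (not captured traffic): a quiet baseline hour and a noisier current hour."""
    clients = [f"10.1.0.{i}" for i in range(2, 7)]
    baseline = []
    for c in clients:
        baseline.append(Flow(c, "10.1.0.10", 443, 40, 30000))   # internal web server
        baseline.append(Flow(c, "10.1.0.53", 53, 4, 400))       # internal resolver
    baseline.append(Flow("10.1.0.10", "10.1.0.53", 53, 2, 200))
    current = list(baseline)
    for i in range(20, 36):      # one client suddenly touching 16 peers on port 445
        current.append(Flow("10.1.0.6", f"10.1.0.{i}", 445, 1, 60))
    for i in range(1, 41):       # 40 external sources all hitting the web server
        current.append(Flow(f"192.0.2.{i}", "10.1.0.10", 443, 200, 12000))
    return baseline, current


if __name__ == "__main__":
    baseline, current = sample_data()
    print(len(remove_hay(baseline, current)), "flows left after removing the hay")
    for alert in find_anomalies(baseline, current):
        print(alert)
```

Nothing here needs packet contents: the fan-out and fan-in counts come entirely from the address and port fields a flow exporter records, which is why this kind of analysis scales to traffic volumes that full capture cannot.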
6. Network Cyber Security Defense Capabilities

So now we understand the basics of computer networks, their building blocks and some of the inherent vulnerabilities. In this section we will describe the main cyber security areas which work to keep networks running reliably and identify attacks (identifying attackers still runs into the attribution problem). We separate network cyber security into 4 main areas:

1. Protect the network infrastructure
2. Defend network operations
3. Analyze network activity
4. Test network security (or attack, if you prefer)

Each area has a unique role in securing networks and all four are required in order to maintain the operational reliability and integrity of computer networks. As we look at each in detail we will see that the securing of networks is really the securing of the integrity of networks, which is to say that we continue to ensure that network operational information is both accurate and authentic.

Protect Network Infrastructure

A large part of protecting the network infrastructure involves protecting the network traffic, which can be achieved through encryption, but it also includes firewalls and network access controllers.

VPNs

In addition to standard in-line encryption, networks also utilize virtual private networks (VPNs) to protect network traffic. Most business people are familiar with VPNs as a technology that allows them to gain access to their company's networks while out of the office. VPNs are in fact a suite of protocols that are used to securely identify and authenticate both your computer and your office's network over a public network (e.g. the Internet) and to exchange encryption keys. Once both parties have guaranteed the identity of each other, they utilize an encrypted tunnel to securely communicate. The VPN protocols used are just part of the IPSec suite of protocols, or HAIPE (for government use). The traffic will be protected provided that the authentication and identification steps are properly executed. However, as was discussed in the previous certificates section, if someone else is able to obtain a false certificate, they could potentially intercept your traffic and view all of your data.

Backbone Hardening

Obviously traffic encryption must be performed between two points, and for individual traffic streams this is easy to accomplish using software or in-line encryption such as IPSec or HAIPE. In this example, the traffic is encrypted between source and destination. What about a network backbone, can that be encrypted? The first question that should be asked is why? If you are encrypting the network backbone then by definition, before traffic reaches the backbone, it will be unencrypted. When it leaves the backbone it will likewise have to be unencrypted. Therefore the only reasonable justification for encrypting a backbone is that you are concerned that someone will manipulate or read the information while it resides on the network. Given the size and speed of network bandwidth, this assumption is far-fetched, and the addition of any encryption would negatively impact the operation of the backbone routing, causing larger issues.

Once you have protected the data and want to send it over the network, you then need to ensure that the data reaches the correct destination reliably. Specifically, this means ensuring that the routing tables and link advertisements communicated by internal and external routers are accurate and originate from an appropriate source, i.e. they have not been made up or modified by an attacker. Integrity and authenticity are possible through the use of digital signatures and certificates. Each router digitally signs its information before circulating it, removing the possibility of an attacker spamming the network with false information. This requires all routers to have crypto hardware within them to perform the signature protocols. The cost of doing this is very expensive in terms of resources and time. It is most costly when links are changing, which is the exact moment that you do not want extra overheads! Furthermore, this only prevents non-routers from advertising false topology information and does not prevent a malicious router from producing false topological information. Whilst this is not necessarily a problem when the entire network is under your control, the Internet relies on external routers all around the world to share information, including those in Russia and China. Although we could determine that the information they sent to us is authentic and accurate as provided, we have no idea as to its veracity.

In addition to secure routing, there needs to be secure addressing so that you can accurately determine your own location, the gateway to the network and your final destination. Mechanisms such as Secure DNS are being deployed to provide solutions to some of the issues, but others such as gateway discovery (through the ARP protocol) are still vulnerable. Just as with securing router advertisements, secure DNS utilizes certificates and digital signatures to provide integrity and authenticity of its data.
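The signed-advertisement point above, as an added example that is not from the 3eTI paper: it shows a tampered and a forged advertisement being rejected, and a signed-but-false one from a legitimate router being accepted, which is the veracity gap the paper describes. Because Python's standard library has no asymmetric signature primitive, a keyed HMAC over a per-router secret stands in for the digital signature and certificate; router IDs, keys and prefixes are constructed.

```python
"""Signed routing advertisements: authenticity versus veracity. Added example,
not from the 3eTI paper. A keyed HMAC over a per-router secret stands in for
the digital signature and certificate the paper describes (the standard
library has no asymmetric signing primitive); the verification logic and its
limitation are the same. Router IDs, keys and prefixes are constructed."""
import hashlib
import hmac
import json

# Constructed per-router signing keys (stand-in for each router's certificate).
ROUTER_KEYS = {"r1": b"constructed-secret-for-r1", "r2": b"constructed-secret-for-r2"}


def _canonical(body):
    """Fixed byte encoding so signer and verifier hash exactly the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_advertisement(router_id, prefix, next_hop, key):
    """A router signs the routing information it is about to circulate."""
    body = {"router": router_id, "prefix": prefix, "next_hop": next_hop}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": tag}


def verify_advertisement(adv, keys):
    """Accept only advertisements whose signature matches the claimed router's key."""
    key = keys.get(adv.get("router"))
    if key is None or "sig" not in adv:
        return False
    body = {k: v for k, v in adv.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, adv["sig"])


def build_routing_table(advertisements, keys):
    """Install verified advertisements; return the table and what was rejected."""
    table, rejected = {}, []
    for adv in advertisements:
        if verify_advertisement(adv, keys):
            table[adv["prefix"]] = (adv["router"], adv["next_hop"])
        else:
            rejected.append(adv)
    return table, rejected


def demo():
    """Four cases: genuine, tampered in transit, forged by a non-router, signed but false."""
    genuine = sign_advertisement("r1", "10.0.0.0/8", "10.0.0.1", ROUTER_KEYS["r1"])
    tampered = {**genuine, "next_hop": "203.0.113.1"}      # next hop altered after signing
    forged = {**genuine, "sig": "0" * 64}                  # no key, made-up signature
    # r2 holds a valid key but advertises a prefix it does not own: the signature
    # proves who said it, not that it is true.
    signed_but_false = sign_advertisement("r2", "192.0.2.0/24", "10.0.0.2", ROUTER_KEYS["r2"])
    return build_routing_table([genuine, tampered, forged, signed_but_false], ROUTER_KEYS)


if __name__ == "__main__":
    table, rejected = demo()
    print("installed:", table)
    print("rejected:", len(rejected))
```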
Thus the protection or hardening of networks is not necessarily through the encryption of the data passing through them, so much as ensuring the integrity and authenticity of the operational and management data. This means that as network hardening is rolled out, there will be an increasing reliance on certificates and the security of root authorities (certificate signers), and thus on the encryption devices used within them. The more signatures and certificates are used, the more need there is for crypto.

Firewalls

Firewalls are one of the cornerstones of the protection of network security; they are the stateful machines that stop unsolicited communications from entering a system. Firewalls allow traffic out of the network, and only allow traffic in from a known and specified source. Typically the known source is either specifically listed (e.g. another company office) or it is the reply from a site with which someone inside the network is trying to communicate. For the most part firewalls are very good at keeping out unwanted traffic; however, sophisticated attacks such as TCP injection can find holes in their operation.

Defend Network Operations

Protecting the network traffic and hardening the infrastructure will help create a reliable and robust communications medium for computers. The increased use of encryption and certificates will help prevent attacks on the infrastructure, but will not prevent them all. Furthermore, they will not prevent attacks targeting end devices that only use the network as a delivery and communications tool. Many attacks, such as Advanced Persistent Threats and computer viruses, use the network to infiltrate a company's systems and continue their attack. These attacks actually require the continued existence and reliable operation of the network in order to succeed. Therefore, one of the most important and often overlooked aspects of network cyber security is to monitor the activity over the network and search for attacks or patterns.
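The stateful firewall behaviour described under Firewalls above, as an added example that is not from the 3eTI paper: outbound traffic is allowed and recorded, and inbound traffic is allowed only as the reply to a recorded session or from a specifically listed source. The addresses, ports and packets are constructed.

```python
"""Stateful firewall model: traffic out is allowed; traffic in is allowed only
as the reply to a session opened from inside or from a specifically listed
source. Added example, not from the 3eTI paper; packets and addresses are
constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self, inside_net, allowed_sources=()):
        self.inside = ipaddress.ip_network(inside_net)
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sources]
        # Connection table: (inside ip, inside port, outside ip, outside port, proto)
        self.state = set()

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def _listed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def filter(self, pkt):
        """Return 'ALLOW' or 'DROP' and update the connection table."""
        src_in, dst_in = self._inside(pkt.src), self._inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: remember the session so that its reply is recognised.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ALLOW"
        if dst_in and not src_in:
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
                return "ALLOW"  # reply to a conversation someone inside started
            if self._listed(pkt.src):
                return "ALLOW"  # known, specifically listed source (e.g. another office)
            return "DROP"       # unsolicited inbound
        # Inside-to-inside traffic never crosses the perimeter; anything else is not ours.
        return "ALLOW" if src_in else "DROP"


def run_sample():
    """Constructed sequence: an outbound HTTPS session, its reply, three inbound attempts."""
    fw = StatefulFirewall("10.1.0.0/16", allowed_sources=["192.0.2.0/24"])
    packets = [
        Packet("10.1.0.5", 51000, "198.51.100.9", 443),   # outbound request
        Packet("198.51.100.9", 443, "10.1.0.5", 51000),   # matching reply
        Packet("198.51.100.9", 443, "10.1.0.5", 51001),   # wrong port: no such session
        Packet("203.0.113.7", 40000, "10.1.0.5", 22),     # unsolicited inbound SSH
        Packet("192.0.2.10", 40000, "10.1.0.5", 22),      # from the listed office network
    ]
    return [(p, fw.filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, decision in run_sample():
        print(f"{decision:5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

This model matches on the 5-tuple only and never expires entries, which is much less than a production firewall checks.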
Given that networks operate and are attacked at network speeds, the network defenses also need to operate at these speeds, which means being directly connected to and monitoring the network traffic in real time.

Intrusion Detection Systems

One common network inspection tool is the Intrusion Detection System (IDS). This is a fancy name for a system that monitors the netflow of a network and looks for anomalous activity indicative of an attack, or signs of a previously identified one. These systems are not perfect and tend to produce a lot of false positives and negatives, but they are getting better. The reason for using them is that attacks typically happen in machine time and the volume of data produced by a network is too great for human analysis alone. Therefore, computer systems are used to help remove all of the hay before a human analyst looks at the remainder for signs of needles.

Malware Signatures

Just as policemen use mug shots to look for known criminals, network inspection systems use signatures to look for known attacks. Malware is made of 1s and 0s; therefore when you find a unique string of 1s and 0s in a piece of malware you can use it as a signature to look for it again. This has worked very well; however, recently malware writers have begun to create polymorphic code, which is code that changes every time it copies itself. This essentially means it is constantly putting on a new disguise, making it harder and harder for the network police to recognize it. Thus advances in pattern recognition, intelligent processing and inference are required to build more intelligent network policemen.

Deep Packet Inspection

The more sophisticated defensive network inspection tools are called deep packet inspection (DPI) systems. IDSs are only really looking at the netflow of packets and looking for malware signatures. DPI systems look more closely at the packets and how they fit into known protocols. This allows them to identify whether a traffic stream is encrypted, whether it is real time (e.g. audio/video), whether it is command and control information, or just a web page. The purpose of a DPI system is to look at traffic streams and infer all the information possible about them (the metadata). Computers and networks operate according to known protocols; they must follow these if they are to communicate effectively with each other. DPI systems look at the network traffic and identify what protocol/language is being spoken, where in the conversation it is, and who is talking. If the data is unencrypted, they will also be able to understand what is being said. The real power of DPI systems is not just in the ability to understand a conversation, but to record that information in a database and use sophisticated analytical techniques to look for patterns and anomalies. Due to the complexity and variability of the data, human analysis is almost always required. Clever visualization and rendering applications are required to help analysts identify what they are looking at.

Analyze Network Activity

Network monitors are the police force of a network, constantly looking at activity for anything suspicious, such as late-night connections to servers in Russia, or short periodic encrypted transmissions to similar port numbers at different locations. And just like a police force they are divided into two camps: those that are on the street looking for crime in progress, and those back in the office going over evidence looking for an attack or analyzing a successful one.
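The Deep Packet Inspection questions above (which protocol is being spoken, where in the conversation it is, and whether the stream is encrypted), as an added example that is not from the 3eTI paper: it checks the TLS record header, the HTTP start line, and falls back to byte entropy for streams it cannot parse, and flags a known protocol appearing on a port where a different one is expected. The sample payloads, the port table and the 7.0 bits-per-byte entropy threshold are constructed assumptions of this example.

```python
"""Deep packet inspection sketch: identify what protocol a stream is speaking,
where in the conversation it is, and whether it is encrypted. Added example,
not from the 3eTI paper; sample payloads are constructed and the checks are
deliberately minimal (TLS record header, HTTP start line, byte entropy)."""
import math
from collections import Counter

# Constructed expectation table: which protocol a DPI system expects on a port.
EXPECTED_ON_PORT = {80: "http", 443: "tls"}


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext or compressed data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(payload, dport):
    """Infer protocol, conversation stage and encryption for one stream's first bytes."""
    info = {"port": dport, "protocol": "unknown", "stage": None,
            "encrypted": False, "port_mismatch": False}
    if len(payload) >= 6 and payload[1] == 0x03 and payload[0] in (0x16, 0x17):
        # TLS record: content type 0x16 = handshake, 0x17 = application data.
        info["protocol"] = "tls"
        if payload[0] == 0x16:
            # Byte 5 is the handshake message type (1 = ClientHello, 2 = ServerHello).
            info["stage"] = {1: "client_hello", 2: "server_hello"}.get(payload[5], "handshake")
        else:
            info["stage"] = "application_data"   # everything after the handshake is ciphertext
            info["encrypted"] = True
    elif payload[:16].split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        info["protocol"], info["stage"] = "http", "request"
    elif payload.startswith(b"HTTP/1."):
        info["protocol"], info["stage"] = "http", "response"
    else:
        # No known protocol: high entropy on a stream we cannot parse is exactly the
        # kind of traffic an analyst wants shown to them.
        info["entropy"] = round(shannon_entropy(payload), 2)
        info["encrypted"] = info["entropy"] > 7.0
    expected = EXPECTED_ON_PORT.get(dport)
    info["port_mismatch"] = (expected is not None and info["protocol"] != "unknown"
                             and info["protocol"] != expected)
    return info


# Constructed sample streams: (first payload bytes, destination port).
SAMPLES = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n", 80),
    (b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00", 443),    # TLS ClientHello record header
    (b"\x17\x03\x03\x00\x20" + bytes(range(32)), 443),       # TLS application data record
    (b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 443),   # plaintext HTTP where TLS is expected
    (bytes(range(256)), 8443),                               # unparseable, maximum entropy
    (b"HELLO 1.0 ping\n", 8443),                             # unparseable plaintext
]


def inspect_all(samples=SAMPLES):
    """Classify every sample stream; returns one info dict per stream."""
    return [classify(payload, port) for payload, port in samples]


if __name__ == "__main__":
    for info in inspect_all():
        print(info)
```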
Situational Awareness

There are plenty of viruses and malware in existence that have yet to be classified and have a signature produced, and there is more and more sophisticated malware for which signatures may never be produced. Therefore, instead of looking for exact pieces of malware, network activity analysis looks for signs/indications of the presence of malware and who might be infected. This type of monitoring and analysis is mainly performed by artificial intelligence techniques. They look at large volumes of historical data, make assumptions regarding what is considered normal, and then look for instances where something abnormal happens, or where something normal fails to happen. This can be done on a very large enterprise and carrier scale, or on a small LAN/computer scale. Due to the increase in sophistication of attacks and malware, there is a corresponding increase in the demand for and innovation in situational awareness intelligence gathering systems. Due to the large and varied input these systems collect, there needs to be a powerful database system underlying them, and a powerful graphical interface to visualize and display all the information to an analyst. Humans are still better at looking for signs of malware than computers, even if they are slower at it. Therefore any situational awareness system will be judged according to how easy and capable the viewing and manipulation aspects of the analysis tool are, not just on what it can detect and record.

There are three basic steps that all network analyzers follow when using network analysis systems: look for patterns and anomalies; investigate and identify that information to see if it is an attack; and if it is an attack, look to see how often it has occurred. This requires inspection of traffic, logging of information, and analysis of that information. The inspection can look at the data being transmitted, the traffic flows, the protocols used, historical information, or any combination of them.

Test Network Security

So far we have discussed the protection and policing aspects of cyber network defense. These are based on current knowledge of attacks, attackers and defensive capabilities. However, the environment and attack space evolve over time, so periodically you need to refresh your knowledge. Penetration testing provides a good way of reassessing your defensive capabilities and thus what attacks you are vulnerable to.

Black, Grey and White Hat Hackers

Within the cyber security community the terms hackers and hacking do not have a malicious connotation to them; they describe an action or capability rather than an intention. Hacking is just the manipulation of a system so that it performs an unanticipated or unspecified action. Performing the unauthorized manipulation or destruction of a system is known as black hat hacking. Performing the same action only when authorized (e.g. after being hired to test a system) is known as white hat hacking. However, the majority of hackers are people who like solving puzzles and figuring out problems. Therefore, sometimes they end up hacking systems without authorization just to see if they can; this is unauthorized but non-malicious hacking, and these are the grey hat hackers. In reality the majority of hackers are grey hat hackers, with the exception of a few dedicated black hat ones.

Penetration Testing

Penetration testing is the action of deliberately trying to attack and defeat the network protections you have in place. It is a red team exercise against your system. It is normally performed by experienced white or grey hat hackers, i.e. those who are very technical and adept at defeating cyber defenses. They normally have a toolkit of exploits that they run against your system, searching for the weak link in your armor.

Vulnerability Scanning

While penetration testing is very beneficial, it is not feasible or economical to perform it on a continuous basis, and therefore vulnerability scanners are used. If penetration testing is pretending to be a burglar and trying to get access to your house, then vulnerability scanners are tools that go around and test all the doors and windows to see if any of them are open. Vulnerability scanners are deployed on most enterprise systems to ensure that any misconfigurations or vulnerabilities are discovered as soon as possible. For instance, should an employee plug a Wi-Fi dongle into their computer so they can connect their laptop, then the vulnerability scanner should detect the presence of that device and quickly notify the administrator. Many of the tests that penetration testers run can then be rolled into the vulnerability scanning software to ensure that your system isn't vulnerable to any known exploit.

The Exploit Wheel of Life

Not all vulnerabilities are known; in fact there are a great number of either unknown or undisclosed vulnerabilities in existence. The reason why many vulnerabilities are undisclosed is that once they are, they can be patched to stop them from being exploited and their worth diminishes. There is a large black market in undisclosed vulnerabilities, so companies such as Google try to combat this by offering rewards for any vulnerability found in their software that is disclosed to them. Many top security researchers and hackers have their own private store of exploits they have discovered or shared that they use as part of their penetration testing and research. The saying that it takes a thief to catch a thief is very apt here! Some of these exploits could be simple, such as a software bug, or more sophisticated, such as leaking part of an encryption key in the power consumption of a chip.

Virtual Task Forces and Information Exchanges

Most vulnerabilities do not exist in isolation; for example, if a software coder made a mistake or used a faulty bit of code at one point in the software, then chances are they made the same mistake elsewhere as well. Knowledge and understanding of the current wave of known but undisclosed vulnerabilities helps security researchers predict where more attacks of the same family are likely to target. This is especially true of government researchers. Due to their intelligence gathering arms such as US-CERT and the UK CPNI (as well as NSA/GCHQ), governments will have a toolbox of undisclosed vulnerabilities and situational awareness of attack vectors/families. Governments are in a unique position to help provide industry with advance knowledge of potential attacks and help develop security patches and vulnerability scans to detect if they can be exploited. This distribution of known and potential vulnerabilities is normally done via an information exchange program such as a virtual task force.

Virtuous Cycle

Once an attack has been disclosed, the affected software vendor can review their code, understand the nature of the vulnerability and patch it so that it can't be exploited in the future. There is still a period of time from when a patch is created until the time that it is deployed in which a system is vulnerable. Not everyone downloads and installs security patches in a timely manner, so security researchers develop automated tools to take advantage of those exploits and fold them into pentesting and vulnerability scanning toolkits. Toolkits such as Metasploit automate many of these attacks, and have easy-to-use interfaces effectively allowing exploitation with the push of a button. The virtuous cycle of cyber security is:

1. Software is deployed with a vulnerability
2. The vulnerability is discovered
3. An exploit is developed to take advantage of that vulnerability
4. The vulnerability is disclosed (either by a researcher or through analysis of a successful attack)
5. A patch is developed and sporadically deployed
6. An automated exploit is developed and rolled into pen-test/vulnerability scanning software

The earlier you know and understand the nature of the vulnerability, the sooner you can deploy a test or attack. The same is true when looking at the evolving styles of attack; if you can see where attackers are shifting their focus, then you can shift your defenses and tests accordingly. This is why many of the top cyber security companies employ teams of security researchers and pen-testers. Staying on top of new attacks allows them to develop better defenses.

[Diagram: the exploit wheel of life. Stages: Deployed, Discovered, Exploited, Disclosed, Patched; Knowledge of Attacks (Pen-Test); Knowledge of Defense (Vulnerability Scanners)]

Growth Figures

Given that we have broken the network cyber security market into market segments, what are their sizes and growths? Similar to the whole cyber security market, we can break the numbers obtained from Frost and Sullivan, Forrester, Accenture and Pike Research reports into these market areas (Diagram X). There


More information

October Is National Cyber Security Awareness Month!

October Is National Cyber Security Awareness Month! (0 West Virginia Executive Branch Privacy Tip October Is National Cyber Security Awareness Month! In recognition of National Cyber Security Month, we are supplying tips to keep you safe in your work life

More information

Top five strategies for combating modern threats Is anti-virus dead?

Top five strategies for combating modern threats Is anti-virus dead? Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,

More information

Net Integrator Firewall

Net Integrator Firewall Net Integration Technologies, Inc. http://www.net itech.com Net Integrator Firewall Technical Overview Version 1.00 TABLE OF CONTENTS 1 Introduction...1 2 Firewall Architecture...2 2.1 The Life of a Packet...2

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2 Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

COSC 472 Network Security

COSC 472 Network Security COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: ealu@salisbury.edu Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know

More information

Cyber Threats in Physical Security Understanding and Mitigating the Risk

Cyber Threats in Physical Security Understanding and Mitigating the Risk Cyber Threats in Physical Security Understanding and Mitigating the Risk Synopsis Over the last few years, many industrial control systems, including security solutions, have adopted digital technology.

More information

Fighting Advanced Threats

Fighting Advanced Threats Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.

More information

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program. 2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program. Entry Name HFA Submission Contact Phone Email Qualified Entries must be received by

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

WHITE PAPER WHAT HAPPENED?

WHITE PAPER WHAT HAPPENED? WHITE PAPER WHAT HAPPENED? ENSURING YOU HAVE THE DATA YOU NEED FOR EFFECTIVE FORENSICS AFTER A DATA BREACH Over the past ten years there have been more than 75 data breaches in which a million or more

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning SECURITY TERMS: Advisory - A formal notice to the public on the nature of security vulnerability. When security researchers discover vulnerabilities in software, they usually notify the affected vendor

More information

Why The Security You Bought Yesterday, Won t Save You Today

Why The Security You Bought Yesterday, Won t Save You Today 9th Annual Courts and Local Government Technology Conference Why The Security You Bought Yesterday, Won t Save You Today Ian Robertson Director of Information Security Michael Gough Sr. Risk Analyst About

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is 1 2 This slide shows the areas where TCG is developing standards. Each image corresponds to a TCG work group. In order to understand Trusted Network Connect, it s best to look at it in context with the

More information

13 Ways Through A Firewall

13 Ways Through A Firewall Industrial Control Systems Joint Working Group 2012 Fall Meeting 13 Ways Through A Firewall Andrew Ginter Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright

More information

2010 White Paper Series. Layer 7 Application Firewalls

2010 White Paper Series. Layer 7 Application Firewalls 2010 White Paper Series Layer 7 Application Firewalls Introduction The firewall, the first line of defense in many network security plans, has existed for decades. The purpose of the firewall is straightforward;

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Bio-inspired cyber security for your enterprise

Bio-inspired cyber security for your enterprise Bio-inspired cyber security for your enterprise Delivering global protection Perception is a network security service that protects your organisation from threats that existing security solutions can t

More information

Hacking Book 1: Attack Phases. Chapter 1: Introduction to Ethical Hacking

Hacking Book 1: Attack Phases. Chapter 1: Introduction to Ethical Hacking Hacking Book 1: Attack Phases Chapter 1: Introduction to Ethical Hacking Objectives Understand the importance of information security in today s world Understand the elements of security Identify the phases

More information

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009 Proxy Blocking: Preventing Tunnels Around Your Web Filter Information Paper August 2009 Table of Contents Introduction... 3 What Are Proxies?... 3 Web Proxies... 3 CGI Proxies... 4 The Lightspeed Proxy

More information

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: info@cs3-inc.com The Reverse Firewall: Defeating

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014 Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014 Introduction: Cyber attack is an unauthorized access to a computer

More information

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work How Firewalls Work By: Jeff Tyson If you have been using the internet for any length of time, and especially if

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

Detailed Description about course module wise:

Detailed Description about course module wise: Detailed Description about course module wise: Module 1: Basics of Networking and Major Protocols 1.1 Networks and its Types. 1.2 Network Topologies 1.3 Major Protocols and their Functions 1.4 OSI Reference

More information

Denial of Service Attacks, What They are and How to Combat Them

Denial of Service Attacks, What They are and How to Combat Them Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001

More information

Cyber Security Where Do I Begin?

Cyber Security Where Do I Begin? ISPE Automation Forum Cyber Security Where Do I Begin? Don Dickinson Project Engineer Phoenix Contact ..50% more infected Web pages Click in the on one last and three you months won t of notice 2008 than

More information

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How Network Security Is Breached Network Security Policy

More information

Network Based Intrusion Detection Using Honey pot Deception

Network Based Intrusion Detection Using Honey pot Deception Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover Sound Business Practices for Businesses to Mitigate Corporate Account Takeover This white paper provides sound business practices for companies to implement to safeguard against Corporate Account Takeover.

More information

From Network Security To Content Filtering

From Network Security To Content Filtering Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

SIP and VoIP 1 / 44. SIP and VoIP

SIP and VoIP 1 / 44. SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels Signaling and VoIP Complexity Basic SIP Architecture Simple SIP Calling Alice Calls Bob Firewalls and NATs SIP URIs Multiple Proxies

More information

What is Really Needed to Secure the Internet of Things?

What is Really Needed to Secure the Internet of Things? What is Really Needed to Secure the Internet of Things? By Alan Grau, Icon Labs alan.grau@iconlabs.com The Internet of Things (IoT) has become a ubiquitous term to describe the tens of billions of devices

More information

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015 Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders

More information

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

DeltaV System Cyber-Security

DeltaV System Cyber-Security January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Deploying Firewalls Throughout Your Organization

Deploying Firewalls Throughout Your Organization Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense

More information

Securing the Intelligent Network

Securing the Intelligent Network WHITE PAPER Securing the Intelligent Network Securing the Intelligent Network New Threats Demand New Strategies The network is the door to your organization for both legitimate users and would-be attackers.

More information

Fail-Safe IPS Integration with Bypass Technology

Fail-Safe IPS Integration with Bypass Technology Summary Threats that require the installation, redeployment or upgrade of in-line IPS appliances often affect uptime on business critical links. Organizations are demanding solutions that prevent disruptive

More information