FCNS Training

Transcript of FCNS Training

  • 7/30/2019 FCNS Training

  • Slide 1/51: FCNS Training - Security Overview

  • Slide 3/51: The Security, Functionality and Ease of Use Triangle

  • Slide 4/51: Understanding Attack Types

    Understanding the different types of attacks and the methods that hackers use to compromise systems is essential to understanding how to secure your environment.

    There are two major types of attacks:

    Social Engineering Attacks

    Network Attacks

  • Slide 5/51: There is No Patch for Human Stupidity

  • Slide 6/51: Social Engineering Attacks

    Social Engineering is the human side of breaking into a network system. Through an email message or a phone call, the attacker tricks the individual into divulging information that can be used to compromise security.

    The information that the victim divulges to the hacker would most likely be used in a subsequent attack to gain unauthorized access to a system or network.

  • Slide 7/51: Types of Social Engineering

    Social Engineering can be divided into two categories:

    Human-based: gathers sensitive information by interaction. Attacks of this category exploit the trust, fear and helping nature of humans.

    Computer-based: social engineering is carried out with the aid of computers.

  • Slide 8/51: Human-Based Social Engineering

    Posing as a Legitimate End User: gives an identity and asks for the sensitive information. "Hi! This is John, from Department X, I have forgotten my password. Can I get it?"

    Posing as an Important User: posing as a VIP of the target company, a valuable customer, etc. "Hi! This is Kevin, CFO Secretary, I'm working on an urgent project and lost my system password. Can you help me out?"

  • Slide 10/51: Computer-Based Social Engineering

    Hoax and chain letters: hoax letters are emails that issue warnings to users about new viruses, Trojans and worms that may harm the user's system. Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a said number of persons.

    Pop-up Windows: windows that suddenly pop up while surfing the internet and ask for the user's information to log in or sign in.

  • Slide 11/51: Computer-Based Social Engineering

    Instant Chat Messenger: gathering of personal information by chatting with a selected online user to attempt to get information such as birth dates and maiden names. The acquired data is later used for cracking the user's accounts.

    Spam email: email sent to many recipients without prior permission, intended for commercial purposes. Irrelevant, unwanted and unsolicited email is also used to collect financial information, social security numbers and network information.

  • Slide 12/51: Computer-Based Social Engineering

    Phishing: an illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information. It lures online users with statements such as:

    Verify your account

    Update your information

    Your account will be closed or suspended

    Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers.
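    As an added example, not taken from the training deck, the Python scorer below flags the lure statements listed above together with two cheap checks a mail filter can apply: a sender display name that does not match the sending domain, and visible link text that names a different host than the link target. The `score_message` function, `LURE_PHRASES` and the two sample messages are constructed for this illustration.

```python
import re
from email.utils import parseaddr

# Lure statements quoted on the slide, matched case-insensitively in the body.
LURE_PHRASES = (
    "verify your account",
    "update your information",
    "your account will be closed",
    "your account will be suspended",
)

# Visible link text that claims one host while the href points at another.
LINK_RE = re.compile(r'<a href="https?://([^/"]+)[^"]*">https?://([^/<]+)', re.I)


def score_message(headers, body):
    """Return (score, reasons) for one message: headers is a dict, body is HTML or text."""
    reasons = []
    text = body.lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            reasons.append("lure phrase: " + phrase)

    # A display name that names a brand the sending domain does not contain.
    display, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    brand_words = [w for w in re.findall(r"[a-z]+", display.lower()) if len(w) > 3]
    if brand_words and not any(w in domain for w in brand_words):
        reasons.append("display name '%s' does not match sender domain %s" % (display, domain))

    for href_host, shown_host in LINK_RE.findall(body):
        if href_host.lower() != shown_host.lower():
            reasons.append("link text shows %s but points to %s" % (shown_host, href_host))
    return len(reasons), reasons


# Constructed sample messages (not real mail): one phishing lure, one benign notice.
PHISH = (
    {"From": "Example Bank Support <alerts@mail-examp1e.net>"},
    "Dear customer, your account will be suspended unless you verify your account "
    'today: <a href="http://login.mail-examp1e.net/verify">http://www.example-bank.com/verify</a>',
)
BENIGN = (
    {"From": "Example Bank <alerts@example-bank.com>"},
    'Your statement is ready: <a href="https://www.example-bank.com/statements">'
    "https://www.example-bank.com/statements</a>",
)
```

    The phishing sample trips all four indicators (two lure phrases, the mismatched display name, the mismatched link) while the benign notice scores zero.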

  • Slide 13/51: Network-Based Attacks

    Most types of attacks are considered network-based attacks, where the hacker performs the attack from a remote system. There are a number of different types of network attacks:

    Eavesdropping attack: this widely used type of attack typically involves the use of network monitoring tools to analyze and read communications on the network.

    Spoof attack: in this attack, the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall rules.

    Hijack attack: in this attack, a hacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may send private information to the hacker unintentionally.

  • Slide 14/51: Network-Based Attacks

    Buffer overflow: this attack is when the attacker sends more data to an application than is expected. A buffer overflow attack usually results in the attacker gaining administrative access to the system in a command prompt or shell.

    Exploit attack: in this type of attack, the attacker knows of a security problem within the operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.

    Denial of service: this is a type of attack that causes the system or its services to crash. As a result, the system cannot perform its purpose and provide those services.

    Password attack: an attacker tries to crack passwords stored in a network account database or a password-protected file.

  • Slide 15/51: Network-Based Attacks

    Distributed denial of service (DDoS): the hacker uses multiple systems to attack a single target system.

    A good example is the Smurf attack, in which the hacker pings a number of computers but modifies the source address of those packets so that they appear to come from another system (the victim in this case). When all the systems receive the ping request, all of them reply to the same address, essentially overburdening that system with data.

    http://arstechnica.com/security/2007/05/massive-ddos-attacks-target-estonia-russia-accused/
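    As an added example, not part of the original slides, the following Python detector looks at the Smurf description above from the victim's side: a host that suddenly receives echo replies from many distinct senders within a short window while having sent almost no echo requests itself. `IcmpRecord`, `find_reflected_floods`, the thresholds and the sample records are constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers


@dataclass(frozen=True)
class IcmpRecord:
    ts: float        # capture time in seconds
    src: str
    dst: str
    icmp_type: int


def find_reflected_floods(records, window=1.0, min_sources=20, max_ratio=0.1):
    """Return {victim: distinct reply sources} for hosts that receive echo replies
    from many distinct senders within `window` seconds while having sent almost no
    echo requests themselves. That imbalance is what the reflected replies of a
    Smurf-style flood look like when seen from the victim's side of the network."""
    replies = defaultdict(list)   # dst -> [(ts, src)]
    requests = defaultdict(int)   # src -> echo requests it actually sent
    for r in records:
        if r.icmp_type == ECHO_REPLY:
            replies[r.dst].append((r.ts, r.src))
        elif r.icmp_type == ECHO_REQUEST:
            requests[r.src] += 1

    alerts = {}
    for host, events in replies.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding window over reply times
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            sources = {src for _, src in events[lo:hi + 1]}
            if len(sources) >= min_sources and requests[host] <= max_ratio * len(sources):
                alerts[host] = max(alerts.get(host, 0), len(sources))
    return alerts


# Constructed sample (not a real capture): 10.0.0.7 pings three hosts normally,
# while 10.0.0.5 receives replies from 30 hosts it never pinged.
SAMPLE = [IcmpRecord(0.1 * i, "10.0.0.7", "198.51.100.%d" % i, ECHO_REQUEST) for i in range(1, 4)]
SAMPLE += [IcmpRecord(0.1 * i + 0.05, "198.51.100.%d" % i, "10.0.0.7", ECHO_REPLY) for i in range(1, 4)]
SAMPLE += [IcmpRecord(5.0 + 0.01 * i, "192.0.2.%d" % i, "10.0.0.5", ECHO_REPLY) for i in range(1, 31)]
```

    The request-to-reply ratio is what separates a spoofed victim from a host that legitimately pings many machines, such as a monitoring server.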

  • Slide 16/51: Understanding Physical Security

  • Slide 17/51: Physical Security

  • Slide 19/51: Physical Security Checklist: Company Surroundings

  • Slide 20/51: Gates

  • Slide 22/51: Physical Security Checklist: Premises

  • Slide 23/51: Physical Security Checklist: Reception

  • Slide 25/51: Physical Security Checklist: Workstation Area

  • Slide 26/51: Physical Security Checklist: Wireless Access Points

  • Slide 28/51: Physical Security Checklist: Access Control

  • Slide 29/51: Physical Security Checklist: Biometric Devices

  • Slide 30/51: Smart cards

  • Slide 31/51: Security Token

  • Slide 32/51: Wiretapping

  • Slide 33/51: Remote Access

  • Slide 34/51: Defense in Depth

    Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defenses) are placed throughout an Information Technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited, and it can cover the personnel, procedural, technical and physical aspects for the duration of the system's life cycle.

    The idea behind the defense in depth approach is to defend a system against any particular attack using several, varying methods.

  • Slide 35/51: Information Security Attribute

  • Slide 37/51: IDENTITY, AUTHENTICATION & AUTHORIZATION

    Don't authentication and identity mean the same thing?

    If we have authentication and identity, do we need authorization?

  • Slide 38/51: IDENTITY, AUTHENTICATION & AUTHORIZATION

    Identity: whom someone or what something is. This identity may be of a human being, a program, a computer or data.

    Identification is the process for establishing whom someone or what something claims to be.

    Authentication is the process of confirming the correctness of the claimed identity.

    Authorization means the approval, permission or empowerment for someone or something to do something.

    A motorist identifies himself to a police officer and presents a driver's license for confirmation. The officer compares the photograph, description and signature with those of the motorist to authenticate the identity.

  • Slide 39/51: Authentication

    Something you know, something you have, something you are.

    Something you know should be something only you know and can keep to yourself. This might be the PIN to your bank account or a password.

    Something you have might be a photo ID or a security token.

    Something you are is biometric based.

  • Slide 40/51: Authentication

    The method used to authenticate a user depends on the network environment and can assume forms such as the following:

    Username and password: when users start the computer or connect to the network, they type a username and password that is associated with their particular network user account.

    Smartcard: using a smartcard for logon is very similar to accessing your bank account at a teller machine. To log on to the network you insert a device similar to a debit card, known as a smartcard, into a smartcard reader and then supply a PIN. To be authenticated, you must have the smartcard and know its password.

    Biometrics: the user would provide a retina scan or fingerprint as a credential. It is becoming a very popular solution in highly secure environments where special biometric devices would be used.

    When users provide credentials such as a username and a password, the username and password are passed to the server using an authentication method.

  • Slide 41/51: AUTHORIZATION

    Once you have been authenticated to the network, you will then be authorized to access the network resources.

    A right is your level of privilege within the operating system to perform a task. For example: when companies deploy Windows XP Professional to all client systems on the network, users are surprised that they can't change the time on the computer if they want to. This is because they don't have the Change System Time right.

    Permission is your level of access to a resource such as a file, folder or object. The permission is a characteristic of the resource and not a characteristic of the user account. For example: if you would like to give Bob read permission to a file, you would go to the properties of that file and set the permissions. Notice that you don't go to the user account to assign the permissions.
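    The identification, authentication and authorization steps of slides 38 to 41, as an added Python example that is not part of the training material: `authenticate` confirms a claimed name with a salted password hash (the "something you know" factor), `has_right` checks a right on the account, and `authorize` looks a permission up in the resource's own ACL, mirroring the slide's point that permissions live on the resource, not on the user. All names, the hashing parameters and the sample data are assumptions for this illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 of the password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    rights: set = field(default_factory=set)   # rights belong to the account


@dataclass
class Resource:
    name: str
    acl: dict = field(default_factory=dict)    # permissions belong to the resource


def authenticate(accounts, claimed_name, password):
    """Identification is the claimed name; authentication confirms it with the
    'something you know' factor. Returns the Account on success, else None."""
    acct = accounts.get(claimed_name)
    if acct is None:
        return None
    _, digest = hash_password(password, acct.salt)
    return acct if hmac.compare_digest(digest, acct.pw_hash) else None


def has_right(acct, right):
    """A right (e.g. Change System Time) is checked on the account itself."""
    return acct is not None and right in acct.rights


def authorize(acct, resource, permission):
    """A permission (e.g. read) is looked up in the resource's own ACL."""
    return acct is not None and permission in resource.acl.get(acct.name, set())


# Constructed sample: Bob can read the payroll file but holds no system rights.
ACCOUNTS = {"bob": Account("bob", *hash_password("correct horse battery"))}
PAYROLL = Resource("payroll.txt", acl={"bob": {"read"}})
```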

  • Slide 42/51: Data Classification

    We classify data with differing levels of sensitivity:

    Top Secret: the highest level of protection is given to this data; it is critical to protect.

    Secret: this data is important and its release could harm national security.

    Confidential: this is important and it could be detrimental to national security if released.

    Sensitive But Unclassified (SBU): this generally is information that is sensitive and should not be released.

    Unclassified: they prefer to keep it from being released, but the nation would not be harmed if it were.

  • Slides 43-44/51: Relating Risk, Threat and Vulnerability and Impact

    Risk = Threat x Vulnerability

    Risk = Threat x Vulnerability x Impact

  • Slide 45/51: Security Policies

  • Slides 49-50/51: Classification of Security Policy
