INTERNET SECURITY
- An Introduction
Internet Security
Security
Security is a ‘hygiene factor’: when it is there, no one should notice; when it is not there, it can mean the end of a business overnight.

Security
Security is the sum of:
Access controls
Authentication methods
Availability of data/systems
Confidentiality of data/information
Data integrity
Non-repudiation of transactions
Policies
Reliability of data/systems

Topics
What are the risks?
What are the solutions?
Which issues are specific to the utilities industry?
Which issues are specific to the World Wide Web?

Security - the hype

How Real Is The Risk?
31% of all companies (private and public) have experienced 1-3 “major security breaches” in the past 6 months
The real number is higher: companies keep breaches secret!

How Real Is The Risk To Utilities?
The risk is very real
Bad publicity is a risk in itself
Government requirements:
Privacy of information
Reliability of information
Availability of systems

What Is The Biggest Risk?
Not having good security procedures?
Having good security procedures that are not followed?
Terrorism?
Hackers?
Internal misuse/errors?
Viruses/worms?
Trojan horses?

Biggest Risk? Internal Users!
Human error is the most significant cause of IT security breaches (63%)*
Research shows that good training would be the most effective way of improving security in most organisations
*Computing Technology Industry Association (CompTIA)

Biggest Risk? Internal
Internal security breaches are seen as a much bigger threat than external ones by 51% of respondents to an Oracle/Institute of Directors survey
The threat can be to:
Privacy of data
Corruption of data
Loss of data integrity
Loss of data altogether
Loss of the whole system!

Solutions? Company Policies
Chase up references
Do background/security checks on staff
Check out temp staff carefully
Give temp staff limited access
Get staff to sign up to the security policy
Switch off the rights of ex-employees
Ensure it is very clear which staff have which roles and responsibilities

Solutions? Company Policies
Clean desk policy
Lock sensitive documents/disks away
Physically secure laptops and PCs
Ensure passwords are not written down
Keep employee records, contracts etc. locked away

Solutions? Training
Good, effective training
Training is an ongoing process
66 per cent believe that staff training/certification has improved their IT security, primarily through increased awareness, as well as through proactive risk identification (source: CompTIA)

Solutions? Training
22 per cent said none of their IT employees have received security-related training
69 per cent have fewer than 25 per cent of their IT staff security-trained
Only 11 per cent said that all of their IT employees have received security training

Solutions? Physical Security
Visitors/guests accompanied at all times
Reception area staffed at all times
All staff must wear a pass
Access to work areas by pass only
Access to sensitive areas by keycode
Servers housed in a room with no windows, inaccessible to unauthorised personnel, air conditioned, with failover power

Solutions? Network Security
Use roles and groups
Restrict access to the minimum possible
Use VPNs to allow external access
Keep the intranet protected from the internet using firewalls
Enforce a policy on passwords:
change regularly
not easy to guess
minimum length
must contain numerics
can’t reuse
(Current guidance in NIST SP 800-63B favours length and screening against lists of known-breached passwords over forced periodic changes and composition rules; the no-reuse check still applies.)

Solutions? Application Security
Access controls:
Authentication (userid and password)
Digital keys (public and private)
Access to information by user ‘class’
Code quality:
Programmers should be security aware
Code walkthroughs
Testing/QA procedures
Source code control/version control
Bug/defect tracking

Solutions? Disaster Recovery
Redundancy is essential:
of servers, firewalls, hubs, routers, air conditioning, power
of ISP (in case the ISP fails!)
Physically separate location
Have disaster recovery plans
Test those plans! Test those plans regularly!
Video on security and company policies: http://webevents.broadcast.com/ZDAUwebcast/enemy/index.asp?loc=1

Problems on the Internet
Payment fraud
Viruses (e.g. MyDoom)
Hackers
Denial of service attacks
Spam
Imposters

Viruses/worms/trojan horses
Programs that do damage
Often attachments to emails
Can be downloaded from websites
Often ‘attached’ to benign software
May send emails using the address book
May delete files on the hard disk
A virus spreads by infecting files or media that users then copy or run
A worm replicates automatically over the network, with no user action
A trojan horse seems benign but carries a hidden malicious payload

Solutions? IE and Mail
Internet Explorer permissions: Internet Options -> Security Zones; Internet Options -> Privacy; Internet Options -> Advanced
Enforce a default policy for IE across the company
Don’t open email from anyone you don’t know (and remember that the sender address is trivially forged, so a familiar name alone does not make a message trustworthy)
Don’t download files/attachments from emails or web pages unless from a trusted source (especially .exe or .vbs files; Windows hides known extensions by default, so a file shown as ‘invoice.pdf’ may really be ‘invoice.pdf.exe’)

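A mail gateway or client policy has to make the ‘.exe or .vbs’ decision automatically, and attackers know the obvious tricks for getting past a naive extension check. The block below is an added example, not code from the slides; the blocked-extension list and all of the filenames are constructed for the demonstration (the slide itself names only .exe and .vbs).

```python
"""Attachment screening as a mail gateway or client policy would do it.
Added example, not from the slides; the blocked-extension list and all
filenames are constructed, and the slide itself names only .exe and .vbs."""

# Assumption: extensions Windows will execute or hand to a script host when double-clicked.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "msi", "hta",
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "ps1",
}
RIGHT_TO_LEFT_OVERRIDE = "\u202e"  # makes 'annex\u202ecod.exe' render as 'annexexe.doc'


def attachment_verdict(filename: str) -> tuple[str, str]:
    """Return ('block', reason) or ('allow', reason) for one attachment name."""
    if RIGHT_TO_LEFT_OVERRIDE in filename:
        return "block", "right-to-left override character hides the real extension"
    # Keep only the base name, then drop trailing dots/spaces, which Windows ignores
    # when deciding how to open the file ('evil.exe.' still runs as an .exe).
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "allow", "no extension"
    ext = parts[-1].strip()
    if ext not in EXECUTABLE_EXTENSIONS:
        return "allow", f".{ext} is not an executable type"
    inner = parts[-2].strip()
    if len(parts) > 2 and inner not in EXECUTABLE_EXTENSIONS:
        # 'invoice.pdf.exe': Explorer hides the known .exe and shows 'invoice.pdf'.
        # Padding spaces ('notes.txt      .exe') land in `inner` and are stripped above.
        return "block", f"executable .{ext} disguised behind .{inner}"
    return "block", f"executable extension .{ext}"


def screen_attachments(filenames: list[str]) -> dict[str, list[str]]:
    """Split a message's attachments into blocked/allowed for the policy log."""
    result: dict[str, list[str]] = {"blocked": [], "allowed": []}
    for name in filenames:
        verdict, _ = attachment_verdict(name)
        result["blocked" if verdict == "block" else "allowed"].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample attachments, including the classic disguises.
    for name in ["report.pdf", "setup.EXE", "invoice.pdf.exe", "love-letter.txt.vbs",
                 "notes.txt                 .exe", "annex\u202ecod.exe", "README"]:
        print(f"{name!r}: {attachment_verdict(name)}")
```

Extension screening is a first filter, not a substitute for scanning: a macro-bearing .doc or a ZIP with an .exe inside passes this check, so a gateway also needs content inspection and anti-virus behind it.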
Problems on the Internet
No centralised infrastructure
Huge global scale: millions of potential users
24 x 7 availability
Initial conception was openness and robustness, not security
Organisations must provide a window into their networks

Solutions? Monitor Usage
Log usage
Carry out regular audits/checks of logs
Disable access if misuse is detected
Automatically send emails about ‘exception’ usage

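The four bullets above are one pipeline: parse the logs, apply rules that define ‘exception’ usage, decide which accounts to disable, and produce the email body. The block below is an added example, not code from the slides; the log format, the sample lines, the thresholds and the office-hours window are all constructed for the demonstration.

```python
"""Log monitoring with automatic 'exception' alerts. Added example, not from
the slides; the log format, sample lines and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>LOGIN_OK|LOGIN_FAIL|ACCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: res=(?P<res>\S+))?$"
)

# Constructed application log: a normal day for jsmith and mlee, plus a burst of
# failures on 'admin' at night followed by a success and a read of payroll data.
SAMPLE_LOG = """\
2004-02-10 09:12:01 LOGIN_OK user=jsmith src=10.1.4.22
2004-02-10 09:30:15 ACCESS user=jsmith src=10.1.4.22 res=meter-readings
2004-02-10 23:01:03 LOGIN_FAIL user=admin src=192.0.2.77
2004-02-10 23:01:09 LOGIN_FAIL user=admin src=192.0.2.77
2004-02-10 23:01:14 LOGIN_FAIL user=admin src=192.0.2.77
2004-02-10 23:01:20 LOGIN_FAIL user=admin src=192.0.2.77
2004-02-10 23:01:27 LOGIN_FAIL user=admin src=192.0.2.77
2004-02-10 23:02:40 LOGIN_OK user=admin src=192.0.2.77
2004-02-10 23:03:12 ACCESS user=admin src=192.0.2.77 res=payroll
2004-02-11 08:45:00 LOGIN_OK user=mlee src=10.1.4.30
"""


def parse_log(text: str) -> list[dict]:
    """Parse lines into events; malformed lines are skipped rather than crashing the monitor."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def detect_exceptions(events, fail_threshold=5, window=timedelta(minutes=10),
                      office_hours=(7, 19), sensitive=("payroll",)):
    """Return (alerts, accounts_to_disable). Three rules:
    1. fail_threshold LOGIN_FAILs for one user inside `window` -> brute force, disable the account
    2. LOGIN_OK outside office hours -> flag for review
    3. access to a sensitive resource by an account already flagged -> likely compromised."""
    alerts, disable = [], set()
    recent_fails = defaultdict(deque)
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "LOGIN_FAIL":
            q = recent_fails[user]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= fail_threshold and user not in disable:
                disable.add(user)
                alerts.append(("brute_force", user, f"{len(q)} failures from {e['src']} within {window}"))
        elif e["event"] == "LOGIN_OK":
            if not office_hours[0] <= ts.hour < office_hours[1]:
                alerts.append(("off_hours_login", user, f"{ts} from {e['src']}"))
        elif e["event"] == "ACCESS" and e["res"] in sensitive and user in disable:
            alerts.append(("sensitive_access_after_attack", user, f"{e['res']} at {ts}"))
    return alerts, disable


def exception_report(alerts) -> str:
    """Body of the 'exception usage' email the slide describes."""
    return "\n".join(f"[{kind}] user={user}: {detail}" for kind, user, detail in alerts) or "no exceptions"


if __name__ == "__main__":
    found, to_disable = detect_exceptions(parse_log(SAMPLE_LOG))
    print(exception_report(found))
    print("disable:", sorted(to_disable))
```

Rule 3 is the one worth copying: a success that follows a burst of failures is far more interesting than the failures alone, and correlating the two across events is exactly what a periodic manual log check tends to miss.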
Solutions? Web Server Security

Solutions? Software
Install ‘protection software’: firewalls, proxy servers, anti-virus software
Update key software regularly: web servers, operating systems, mail software, anti-virus software
Don’t forget patches!!

Solutions? Software
Use SSL (Secure Sockets Layer) to protect private information in transit, encrypted using a digital key, especially payment data (SSL 2.0 and 3.0 themselves are now obsolete and broken; in practice ‘use SSL’ means its successor TLS, version 1.2 or later)
Use public/private keys:
to authenticate parties
to encrypt data
to ‘digitally sign’ documents
Some have whole infrastructures*
*Verisign Onsite Managed Trust Services

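‘Use SSL’ is only a protection if the client actually verifies who it is talking to; a connection that encrypts but accepts any certificate protects payment data from nobody who can sit in the path. The block below, an added example using Python’s standard `ssl` module and not code from the slides, builds a client configuration that does the checks and audits a deliberately weakened one; the legacy context is constructed for the demonstration.

```python
"""Auditing a TLS client configuration with Python's ssl module. Added example,
not from the slides; the legacy context below is constructed to show the
settings that quietly turn 'using SSL' into unauthenticated encryption."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """What 'use SSL' should mean today: TLS 1.2+, the server certificate verified
    against the system CA store, and the hostname checked against that certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """A context that still encrypts but authenticates nothing: anyone in the path
    can present their own certificate and read the 'protected' payment data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses found in a client SSLContext (empty list means acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor is {ctx.minimum_version.name}; require TLS 1.2 or later")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("legacy:", audit_context(legacy_client_context()))
```

The hostname check is the one most often disabled ‘temporarily’ during development and never restored; run `audit_context()` over every context an application builds and treat any finding as a defect, not a warning.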
Security Quiz
1. What number (or e-mail address) should you contact if you want to report suspicious activity?
Answer: the key security contacts at your company
2. What type of corporate data are you allowed to store on your personal home computer?
Answer: none
3. When is it OK to give your password to someone else?
Answer: never
4. Create a multiple-choice question about which types of corporate information would be sensitive
Answer: all of it

Resources
‘Web Security and Commerce’, Garfinkel and Spafford (O’Reilly)
http://wp.netscape.com/security/ - intro to security concepts
http://www.netcraft.com/security/diary.html - security diary
http://www.mcaffee.com – mailing list of security issues
http://www.verisign.com – general security issues
http://groups.google.com – groups/newsgroups
http://way2goal.com/internet/is.html - security issues

Resources
Apogee Interactive Inc., http://www.apogee.net
Michelle Johnston, 770 270 6516, Email [email protected]
Security reviews/IT reviews/audits
Code reviews
Training
Web site reviews/audits
E-learning