INTERNET SECURITY

- An Introduction

Internet Security

SecuritySecurity

Security is a ‘Hygiene Factor’ When there, noone should notice When not there, can mean the

end of a business overnight

Internet Security

SecuritySecurity

Security is the sum of: Access controls Authentication methods Availability of data/systems Confidentiality of data/info Data Integrity Non-repudiation of transactions Policies Reliability of data/systems

Internet Security

TopicsTopics

What are the risks? What are the solutions? Which issues are specific to

the Utilities Industry? Which issues are specific to

the World Wide Web?

Internet Security

Security - the hypeSecurity - the hype

Internet Security

How Real Is The Risk?How Real Is The Risk?

31% of all companies (private and public) have experienced 1-3 “major security breaches” in the past 6 months

Real number is HIGHER! Companies keep breaches secret!

Internet Security

How Real Is The Risk To Utilities?How Real Is The Risk To Utilities?

Risk is very real Bad publicity is risky Govt requirements:

Privacy of info Reliability of info Availability of systems

Internet Security

What Is The Biggest Risk?What Is The Biggest Risk?

Not having good security procedures? Having good security procedures that

are not followed? Terrorism? Hackers? Internal misuse/errors? Viruses/worms? Trojan Horses?

Internet Security

Biggest Risk? Internal Users!Biggest Risk? Internal Users!

Human error is the most significant cause of IT security breaches (63%)*

Research shows that good training would be the most effective way of improving security in most organizations

*Computing Technology Industry Assoc (CompTIA)

Internet Security

Biggest Risk? InternalBiggest Risk? Internal

Internal security breaches seen as a much bigger threat than external ones by 51% of respondents to an Oracle/Institute of Directors survey

Threat can be to: Privacy of data Corruption of data Loss of data integrity Loss of data altogether Loss of whole system!

Internet Security

Solutions? Company PoliciesSolutions? Company Policies

Chase up references Do background/ security checks

on staff Check out Temp staff carefully Give Temp staff limited access Get staff to signup to security

policy Switch off rights of ex-employees Ensure it is very clear which staff

have which roles and responsibilities

Internet Security

Solutions? Company PoliciesSolutions? Company Policies

Clean desk policy Lock sensitive documents/disks

away Physically secure laptops and PCs Ensure passwords are not written

down Employee records/contracts etc

hidden

Internet Security

Solutions? TrainingSolutions? Training

Good, effective training Training is an ongoing process

66 per cent believe that staff training/certification has improved their IT security, primarily through increased

awareness, as well as through proactive risk identification (source:CompTia)

Internet Security

Solutions? TrainingSolutions? Training

22 per cent said none of their IT employees have received security-related training

69 per cent have fewer than 25 per cent of their IT staff were security-trained

Only 11 per cent said that all of their IT employees have received security training.

Internet Security

Solutions? Physical SecuritySolutions? Physical Security

Visitors/guests accompanied at all times Reception area manned at all times All staff must wear a pass Access to work areas by pass only Access to sensitive areas by keycode Servers housed in a room with no

windows, inaccessible to unauthorised personnel, air conditioned with failover power

Internet Security

Solutions? Network SecuritySolutions? Network Security

Internet Security

Solutions? Network SecuritySolutions? Network Security

Use roles and groups Restrict access to minimum possible Use VPNs to allow external access Keep intranet protected from

internet using Firewalls

Enforce policy on passwords change regularly not easy to guess minimum length must contain numerics can’t reuse

Internet Security

Solutions? Application SecuritySolutions? Application Security

Access Controls Authentication (userid and

password) Digital keys (public and

private) Access to info by user ‘class’ Code quality Programmers should be

security aware Code walkthroughs Testing/QA procedures Source code control/version

control Bug/defect tracking

Internet Security

Solutions? Disaster RecoverySolutions? Disaster Recovery

Redundancy essential Of servers, firewalls, hubs,

routers, air conditioning, power Of ISP (in case ISP fails!) Physically separate location Have disaster recovery plans Test those plans! Test those plans regularly!

Video on Security and Company Policieshttp://webevents.broadcast.com/ZDAUwebcast/enemy/index.asp?loc=1

Internet Security

Problems on the InternetProblems on the Internet

Payment Fraud Viruses (e.g. MyDoom) Hackers Denial of Service attacks Spam Imposters

Internet Security

Viruses/worms/trojan horsesViruses/worms/trojan horses

Programs that do damage Often attachments to emails Can be downloaded from websites Often ‘attached’ to benign software May send emails using addressbook May delete files on hard disk

A virus is copied by a user A worm replicates automatically A trojan horse seems benign

Internet Security

Solutions? IE and MailSolutions? IE and Mail

Internet Explorer Permissions Internet Options ->Security Zones Internet Options->Privacy Internet Options->Advanced

Enforce default policy for IE across company

Don’t open email from anyone you don’t know

Don’t download files/attachments from emails or web pages unless from a trusted source (esp .exe or .vbs files)

Internet Security

Problems on the InternetProblems on the Internet

No centralised infrastructure Huge global scale - millions of

potential users 24 x 7 availability Initial conception was openness and

robustness - not security Organisations must provide a

window into their networks

Internet Security

Solutions? Monitor UsageSolutions? Monitor Usage

Log usage Carry out regular audits/checks of logs Disable access if misuse detected Auto send emails of ‘exception’ usage

Internet Security

Solutions? Web Server SecuritySolutions? Web Server Security

Internet Security

Solutions? SoftwareSolutions? Software

Install ‘protection software’: Firewalls Proxy Servers Anti-Virus software

Update key software regularly: Web servers Operating systems Mail software Anti-virus software

Don’t forget patches!!

Internet Security

Solutions? SoftwareSolutions? Software

Use SSL (Secure Socket Layer) Protects private information Encrypted using digital key Especially for payment data

Use public/private keys To authenticate parties To encrypt data To ‘digitally sign’ documents Some have whole infrastructures*

* Verisign Onsite Managed Trust Services

Internet Security

Security QuizSecurity Quiz

1. What number (or e-mail address) should you contact if you want to report suspicious activity?

2. What type of corporate data are you allowed to store on your personal home computer?

3. When is it ok to give your password to someone else?

4. Create a multiple-choice question about which types of corporate information would be sensitive

Answer: key security contacts at your company

Answer: none

Answer: never

Answer: all of it

Internet Security

ResourcesResources

‘Web Security and Commerce’ Garfunkel and Spafford (O’Reilly)

http://wp.netscape.com/security/ - intro to security concepts

http://www.netcraft.com/security/diary.html - security diary

http://www.mcaffee.com – mailing list of security issues

http://www.verisign.com – general security issues

http://groups.google.com – groups / news groups

http://way2goal.com/internet/is.html - security issues

Internet Security

ResourcesResources

Apogee Interactive Inc. http://www.apogee.net Michelle Johnston 770 270 6516 Email mjohnston@apogee.net

Security reviews/IT reviews/Audits Code reviews Training Web site reviews/audits ELearning