IT security notes
An overview of the subject
Oct 2006
Kristoffer Miklas

What?
• To protect against misuse of assets.
• To ensure availability/usability of assets.
…and… it’s a contradicting balance
• What will we discuss?
• Only half of the story:
• Protection against…

Is security a technical question?
• Absolutely not. It’s a business (money) question.
• Asset owner must assess the value of assets.
• Assess risk probability and effect on business in case of event.
• Examples:
• Product details, customer database, prices and deals offered to customers.
• In short: what is protected, and at what level
• Examples...
• American mil contractor.
• Banking money loss
• Money safe
• Are you a security guy, or just the tech part of the jigsaw?

Security is a moving target.
• Examples…
• bla, bla….
• Conclusion: there is no absolute security.
• There is just a cost level.

Who are the bad guys?
• Script kiddies or wannabes.
• Amateurs or embezzlers.
• Real crackers
• Artists
• Graffiti kids
• Pride and fame
• Enrichment
• Crime
• Corporations
• Governments (French story)
• External attackers
• Insiders (disgruntled employees, selling info, example from Swedish gov.)

Protection methods.
• Perimeter security
• Additional point security
• Intrusion detection (alarm)
• Audit (checking)
• Emergency plan
• Example:
• Telia vs Felia (1996)
• CIA

Attacking methods
• Mapping / staking out / info collection
• Public info, dumpster diving, on site
• Social engineering
• Physical access
• Proxy (insider)
• Remote access
• Catch asset in transport
• Cool but cost-ineffective
• And…. good old-fashioned break-in (Finnish story)

Example
• Object: steal credit card data
• Physical (restaurant)
• Remote access (database)
• Intercept network transport (ridiculous)

Delimiting discussion area
• IT Security
• Systems
• Data
• Data security
• During storage
• During transport

Data protection
• User authentication
• Data integrity
• Data secrecy
• Transaction non-repudiation

Authentication
• What you know
• What you have
• What you are

Encryption as a tool
• Symmetric encryption
• Secrecy
• Key distribution problem
• Asymmetric encryption (public encryption)
• Integrity, secrecy, key distribution
• Lacks real-time efficiency

Encryption details
• Check the book….

Firewalls…
• Border, DMZ
• Packet filter
• Stateful inspection
• Application proxies
• Bastion hosts
• Attacking the FW OS
• What about contents (airport analogy)

Content analysis
• At FW
• At MX server

Security
• It’s a business problem
• Tech is just one piece of the jigsaw
• Journos are friendly idiots
• “Experts” are at best harmless
• Owners are often avoiding responsibility
• Bean counters are the enemy’s best friends