Security Threats Overview: Wired, Wireless, and Mobile PDF
Document Details
Uploaded by KnowledgeableGodel3988
Durham College
2022
Jim Doherty
Summary
This document is a chapter about security threats in wired, wireless, and mobile networks. It covers topics including threats to wireless networks, mobile devices, risk mitigation, and regulatory compliance. The chapter is part of a larger work on information systems security.
Full Transcript
CHAPTER 4 Security Threats Overview: Wired, Wireless, and Mobile
Copyright © 2022 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com

Learning Objective(s) and Key Concepts
Learning Objective(s):
- Describe security threats and risks associated with wired, wireless, and mobile networks.
Key Concepts:
- Threats to wireless networks and mobile devices
- Risk mitigation
- Authorization and access control
- Information security standards
- Regulatory compliance

What to Protect?
- What are you trying to protect?
- Why are you trying to protect it?
- What is the value of the asset?
- What are you protecting it from?
- What constraints prevent you from protecting the asset?

General Threat Categories
- Who or what you are protecting the assets from: external attackers? employees? Most companies employ the practice of least privilege, so that any single account, whether an employee's or a compromised one, can reach only what its job requires.
- Which assets you want to protect: security measures should be proportional to the value of the assets and should not create an impediment to the assets' purpose and function.
- The key is to ensure that information security processes, practices, and techniques are aligned with the business's plans, goals, objectives, and functions.

Expanded Principles of Information Security
- Confidentiality: preventing unauthorized disclosure of information
- Integrity: preventing unauthorized modification of information
- Availability: preventing unauthorized withholding of resources or services
- Accountability: making users accountable for their actions
- Nonrepudiation: preventing the denial that an action has been taken

Confidentiality
- Must consider both privacy of information (protecting data from being seen) and secrecy of information (hiding knowledge of the data's existence or whereabouts).
- Must protect the confidentiality of data stored on laptops, smartphones, and tablets.
- Any time information leaves an organization's property, it becomes vulnerable.
- Internet of Things (IoT) devices: a great deal of information can be gleaned about people and organizations by tracking device usage, on and off times, and settings.

Integrity
- Refers to assurance that information is genuine, remains true to its original form, and has not been manipulated or tampered with.
- Many applications use message digests (hashes) to verify the integrity of a document or file.
- Hash algorithms provide assurance of data integrity when data passes over unsecured networks such as the Internet, and are one building block for mitigating man-in-the-middle attacks.
- Caveat: an unkeyed hash sent alongside the data detects only accidental corruption. An attacker who can rewrite data in transit can just as easily recompute the hash. Detecting deliberate tampering requires a keyed message authentication code (such as HMAC), a digital signature, or a hash obtained over a separate trusted channel.

Availability
- Concerned with ensuring that systems and services are available to users when they need them and are not withheld by unauthorized means.
- Aims to prevent denial of service (DoS) attacks.
- Attackers commonly launch DoS attacks through synchronization (SYN) flooding of TCP/IP devices on the Internet: the attacker sends a stream of SYN segments, often from spoofed source addresses, and never completes the three-way handshake that TCP uses to establish a session, so the target's table of half-open connections fills up and legitimate connection attempts are dropped.

Accountability
- A system's access controls can be bypassed accidentally or deliberately.
- Serious security breaches sometimes originate inside the network, from authorized users rather than from unauthorized attackers outside the firewalls.
- Need mechanisms in place for the accountability of internal users.
- Examples: audit trails, logs, authentication. Logs support accountability only if the users they record cannot alter or delete them, so they should be written to a store those users cannot modify.

Nonrepudiation
- Addresses the case where someone denies having taken a certain action.
- Provides evidence, which the actor cannot credibly deny, that the action was taken and by whom.
- Is important in e-commerce and financial transactions such as online trading.
- Examples: email read receipts, digital signatures. The two are not equally strong: a read receipt is sent (or suppressed) at the recipient's discretion and carries no cryptographic binding, whereas a digital signature can be produced only by the holder of the signer's private key and, unlike a shared-key MAC, cannot have been created by the verifying party.

Threats to Wireless and Mobile Devices
- Data theft threats
- Device control threats
- System access threats

Data Theft Threats
Hackers look for personally identifiable information (PII). Areas of interest for cybercriminals:
- Credentials for personal or business accounts
- Credentials for business or personal information
- Credentials for remote access software for business networks
- Access to data and phone services
Mobile-specific attacks designed to steal data:
- Sniffing (also called snooping)
- Malicious applications (malware)
- Browser exploits
- Wireless phishing
- Lost or stolen devices
- System or device takeover

Device Control Threats
- Unauthorized and modified clients
- Ad hoc connections and software-based access points
- Endpoint attacks
- Bluetooth
- Wi-Fi hacks
- Near field communication (NFC) and proximity hacking

System Access Threats
- Denial of service (DoS) attacks: an attacker tries to prevent legitimate access to a system or service by making it unavailable.
- Evil twin access points: an access point (AP) is set to the same network name (SSID) as a legitimate WLAN or hotspot, fooling unsuspecting users into connecting. Because clients choose networks by SSID, the reliable tell is the AP's BSSID (MAC address) together with its security settings, so a survey needs an inventory of authorized BSSIDs to compare against.
- Rogue access points: unauthorized APs attached to the network, often appearing where poor site planning left coverage gaps that users fill with their own equipment; controlled by conducting regular site survey sweeps.

Risk Mitigation
Key risk-mitigation methods for mobile:
- Mobile device screen locks and password protection
- Remote locks and data wipes for mobile devices
- Mobile GPS location and tracking
- Stored data encryption

Mitigating the Risk of BYOD
Mobile device management (MDM):
- Enables network security administrators to manage mobile devices remotely
- Sends over-the-air signals to mobile devices to distribute applications and configuration settings
- Can be expensive; the capital expense can be avoided with a Software as a Service (SaaS) cloud-based MDM solution
Mobile application management (MAM):
- Administers and manages applications on mobile devices
- Controls the provisioning and distribution of in-house mobile applications and, in some cases, commercially available applications, through an enterprise application store
- Mitigation methods: secure applications, secure network access, encryption

Other Risks with BYOD
- Legal separation between personal and business use
- Leakage of company data into the wild
- Enforcement of policy and governance
- Threat of loss and theft

BYOD for Small-to-Medium Businesses
- Desktop virtualization: the reproduction of the user's desktop on an Internet-accessible server.
- By connecting to a virtual representation of their own company desktop, users can circumvent many of the security problems related to remote access.
- Users can execute, write, read, and edit files, but the files remain on a company server.
- Is an alternative to MDM and MAM.

Defense in Depth (1 of 4)
- Physical controls: security measures that safeguard the environment, such as doors, locks, cameras, security gates, and fences.
- Logical/technical controls: hardware and software devices and appliances that protect the network, such as antivirus software, firewalls, host intrusion protection, and network intrusion protection.
- Administrative controls: security policies, processes, and procedures.

Defense in Depth (2 of 4)
FIGURE 4-1 Defense in depth is the practice of deploying multiple forms of security to reduce the risk of deep penetration from unauthorized users. Unauthorized users would have to breach several forms of security to reach an intended target.

Defense in Depth (3 of 4)
Multi-access (wired, wireless, mobile) network security requires multiple layers:
- External network layer: where web servers and services are exposed to the Internet; layered firewalls provide a secure demilitarized zone (DMZ).
- Perimeter network layer: uses an inner firewall to segregate the external network from internal resources; normally hosts more secure and restricted web services.

Defense in Depth (4 of 4)
Multi-access (wired, wireless, mobile) network security requires multiple layers:
- Internal network: where user hosts reside.
- Application server network: inner security zone protected by another layer of highly restrictive firewall rules.
- Database server network: tight security policies and multitiered access restrictions, segregated by a very high security configuration and firewalls with limited open ports.

Authorization and Access Control
- Authentication: the process of validating a claimed identity, whether a user, device, or application.
- Authorization: a process that works in conjunction with authentication to grant access rights to a user, group, system, or application.
- Accountability: a chronological record of system activity (an audit trail) that can be forensically examined to reconstruct a sequence of system events.

Context-Aware Security Devices
- A method of providing greater granularity in applying access controls.
- The security policy dictates rules that apply to the authentication process.
- Rules take into consideration the user's details, which device that person is using, and the location and time.
- By considering these extra criteria, security administrators can apply different access rights and authorization to different contexts.
- Context-aware firewalls: flexible, application-based rule structures.
- Access and authentication are gatekeeper functions of security. Once the security device has authenticated and authorized the user, activity must still be policed to protect company assets and prevent information from leaving the network.

Information Security Standards
- ISO/IEC 27001:2013
- ISO/IEC 27002:2013
- NIST SP 800-53

ISO/IEC 27001:2013 Standard
- Provides requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
- Heavily reliant on the Plan-Do-Check-Act (PDCA) cycle.
[Figure: the Plan-Do-Check-Act cycle]

ISO/IEC 27002:2013 Standard (1 of 2)
- Consists of guidelines, techniques, and general principles for initiating, implementing, managing, and improving information security within an organization.
- Addresses 14 general groups, each with its own objectives.
- Suggests 114 controls that are seen as best practices for achieving those objectives.
- Note: the 2022 editions of ISO/IEC 27001 and 27002, published after this chapter, regroup the controls into four themes with 93 controls; the 2013 structure is what is described here.

ISO/IEC 27002:2013 Standard (2 of 2)
14 Groups:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance

NIST SP 800-53
- "Security and Privacy Controls for Federal Information Systems and Organizations" (Revision 5, published in 2020, drops "Federal" from the title and applies the catalog to all organizations).
- Provides the catalog of security controls used with NIST's Risk Management Framework (SP 800-37) to protect federal information.
- Vendors seeking selection and implementation on federal networks must undergo a certification and accreditation process (now called assessment and authorization under the Risk Management Framework).
- Controls include management, operational, and technical safeguards.

Regulatory Compliance (1 of 3)
- The Sarbanes-Oxley Act (SOX): enacted to address investor confidence and corporate financial fraud through reporting standards for public companies.
- The Gramm-Leach-Bliley Act (GLBA): its purpose is to secure and protect personally identifiable information held by financial institutions.

Regulatory Compliance (2 of 3)
- The Health Insurance Portability and Accountability Act (HIPAA): focuses on privacy and security for patients receiving health care; has a direct impact on IT with regard to how electronic information is stored and transferred.
- The Health Information Technology for Economic and Clinical Health Act (HITECH): addresses privacy and security concerns associated with electronic transmission of health information, and supplements and strengthens enforcement of HIPAA rules.

Regulatory Compliance (3 of 3)
Payment Card Industry Data Security Standard (PCI DSS): a comprehensive industry standard aimed at ensuring the safe and secure handling of credit cardholder information at all steps of the payment process.
PCI DSS control objectives:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

GDPR and CCPA
The General Data Protection Regulation (GDPR) has seven key principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
California Consumer Privacy Act (CCPA):
- The State of California's counterpart to the GDPR
- Applies to businesses that handle the personal data of California residents
- Aims to protect the privacy of Californians' personal data from misuse and monetization by big tech businesses

Detrimental Effects of Regulations
- Many regulations, such as SOX and HIPAA, do not actually address security standards, techniques, or practices; they address inflexible business requirements.
- Confusion within the security profession, and in business in general, about the difference between being secure and being compliant.
- Virtually every industry, country, state, and some cities have created data privacy regulations of their own, forcing companies that do business in their area of control to comply; in most cases, these regulations are redundant.

Summary
- Threats to wireless networks and mobile devices
- Risk mitigation
- Authorization and access control
- Information security standards
- Regulatory compliance

Q&A
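The Integrity slide above says hashes help mitigate man-in-the-middle attacks. The following added example (not part of the chapter) shows why an unkeyed hash alone does not: an attacker who rewrites a message in transit simply recomputes SHA-256, and the receiver accepts the forgery, whereas a keyed HMAC under a shared key rejects it. The transfer message and the key are constructed sample data, and the on-path rewrite is simulated in code.

```python
"""Integrity over an untrusted network: unkeyed hash versus keyed MAC.

Added example, not from the chapter. The transfer message and the shared key are
constructed sample data; the attacker's in-transit rewrite is simulated in code.
"""
import hashlib
import hmac
import secrets


def sha256_tag(message: bytes) -> bytes:
    """Sender sends SHA-256(message) alongside the message: detects corruption only."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 under a key shared by sender and receiver (never sent on the wire)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_accepts(expected_tag: bytes, received_tag: bytes) -> bool:
    # compare_digest runs in constant time, so a forger learns nothing from timing.
    return hmac.compare_digest(expected_tag, received_tag)


def mitm_rewrite(message: bytes, forge_tag) -> tuple:
    """An active attacker on the path changes the amount and attaches whatever tag
    it is able to compute for the new message."""
    tampered = message.replace(b"amount=100", b"amount=9999")
    return tampered, forge_tag(tampered)


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)
    original = b"transfer: from=alice to=bob amount=100"

    # Scenario 1: plain hash. The attacker recomputes SHA-256 over the new
    # message, so the receiver's check passes and the forgery is accepted.
    msg1, tag1 = mitm_rewrite(original, sha256_tag)
    hash_accepts_forgery = receiver_accepts(sha256_tag(msg1), tag1)

    # Scenario 2: HMAC. Without the key the attacker can at best attach a plain
    # SHA-256 digest (same length, wrong value), so the receiver rejects it.
    msg2, tag2 = mitm_rewrite(original, sha256_tag)
    hmac_accepts_forgery = receiver_accepts(hmac_tag(key, msg2), tag2)

    # Scenario 3: the untouched message with a genuine HMAC still verifies.
    hmac_accepts_genuine = receiver_accepts(hmac_tag(key, original), hmac_tag(key, original))

    return {
        "hash_accepts_forgery": hash_accepts_forgery,
        "hmac_accepts_forgery": hmac_accepts_forgery,
        "hmac_accepts_genuine": hmac_accepts_genuine,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

An HMAC gives the receiver integrity and origin assurance, but not the nonrepudiation the later slide discusses: anyone holding the shared key, including the receiver, could have produced the tag. A digital signature, which only the signer's private key can produce, is what closes that gap.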
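The Availability slide describes SYN flooding as filling the target's half-open connection table. The added example below (not from the chapter) replays constructed packet records the way a server-side sniffer would see them and reports any source whose half-open connections pile up. The field names, the 1-second backlog timeout and the threshold of 100 are my own choices; the normal client and the flooding source are both constructed.

```python
"""Detecting a TCP SYN flood from the half-open connection table (Availability slide).

Added example, not from the chapter. The packet records are constructed: one
normal client that finishes its handshakes and one source (in the 198.51.100.0/24
documentation range) that sends SYNs from many ports and never sends the final ACK.
"""
from collections import defaultdict

# (time_s, src_ip, src_port, tcp_flags) as a sniffer on the server side would see them
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", 51000, "SYN"),
    (0.02, "10.0.0.5", 51000, "ACK"),   # third step of the handshake: connection established
    (0.50, "10.0.0.5", 51001, "SYN"),
    (0.52, "10.0.0.5", 51001, "ACK"),
]
SAMPLE_PACKETS += [(1.0 + i * 0.001, "198.51.100.7", 40000 + i, "SYN") for i in range(300)]


def peak_half_open(packets, backlog_timeout_s=1.0):
    """Replay packets in time order and track the server's half-open entries.

    A SYN opens an entry keyed by (src_ip, src_port); the client's ACK (or RST)
    closes it; entries older than backlog_timeout_s are dropped, as a real SYN
    backlog would drop them. Returns {src_ip: most half-open entries it ever held}.
    """
    half_open = {}                 # (src_ip, src_port) -> time the SYN arrived
    peak = defaultdict(int)
    for t, src, sport, flags in sorted(packets):
        for k, t0 in list(half_open.items()):
            if t - t0 > backlog_timeout_s:
                del half_open[k]
        if flags == "SYN":
            half_open[(src, sport)] = t
        elif flags in ("ACK", "RST"):
            half_open.pop((src, sport), None)
        held = sum(1 for s, _ in half_open if s == src)
        peak[src] = max(peak[src], held)
    return dict(peak)


def syn_flood_sources(packets, threshold=100, backlog_timeout_s=1.0):
    """Sources that held at least `threshold` half-open connections at once."""
    counts = peak_half_open(packets, backlog_timeout_s)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(peak_half_open(SAMPLE_PACKETS))
    print("SYN flood suspects:", syn_flood_sources(SAMPLE_PACKETS))
```

Per-source counting works when the attacker uses a fixed address; with spoofed sources every SYN looks like a different client, so the signal to watch is the total half-open count on the listening port rather than any one address. That is also why production stacks mitigate with SYN cookies, which keep no per-connection state until the handshake completes.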
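The Accountability slide lists audit trails and logs as the mechanisms that hold internal users to account. A log an insider can quietly edit holds nobody to account, so the added example below (not from the chapter) builds a hash-chained audit trail: each entry's hash covers the previous entry's hash, so editing one record breaks every later link, and re-hashing just the edited record breaks the link after it. The log entries, usernames and object names are constructed.

```python
"""A tamper-evident audit trail (Accountability slide).

Added example, not from the chapter. Each record's hash covers the previous record's
hash, so editing or deleting an earlier entry invalidates every later one. The
entries, user names and object names below are constructed sample data.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64   # hash "before" the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(log: list, record: dict) -> list:
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": entry_hash(prev, record)})
    return log


def verify(log: list) -> Optional[int]:
    """Return the index of the first entry whose link is broken, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def build_sample_log() -> list:
    log = []
    for rec in [
        {"ts": "2022-03-01T08:00:00Z", "user": "jdoe", "action": "login", "device": "laptop-17"},
        {"ts": "2022-03-01T08:05:12Z", "user": "jdoe", "action": "read", "object": "payroll.xlsx"},
        {"ts": "2022-03-01T08:06:40Z", "user": "jdoe", "action": "copy", "object": "payroll.xlsx", "dest": "usb0"},
        {"ts": "2022-03-01T08:07:02Z", "user": "jdoe", "action": "logout"},
    ]:
        append(log, rec)
    return log


def tamper_demo() -> tuple:
    """Returns (intact, after_edit, after_rehash): where verification first fails."""
    log = build_sample_log()
    intact = verify(log)
    # An insider edits the "copy" entry to hide the export to a USB stick.
    log[2]["record"]["dest"] = "network-share"
    after_edit = verify(log)
    # Recomputing that entry's hash is not enough: entry 3 still covers the old value.
    log[2]["hash"] = entry_hash(log[1]["hash"], log[2]["record"])
    after_rehash = verify(log)
    return intact, after_edit, after_rehash


if __name__ == "__main__":
    print(tamper_demo())
```

The chain only proves internal consistency. An insider who can rewrite the whole file can recompute every hash, so the latest hash has to be anchored somewhere the recorded users cannot reach, for example by periodically signing it or copying it to write-once storage.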
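The System Access Threats slide says evil twins copy a legitimate SSID and that rogue APs are controlled with regular site survey sweeps. The added example below (not from the chapter) shows what a sweep has to compare to tell the cases apart: the authorized BSSID inventory, the SSIDs the organization owns, and which MACs were seen on the wired side. Everything in it is constructed, including the locally administered `02:...` MAC addresses, and it assumes the sweep tool can correlate a radio's BSSID with the switch MAC tables, which is a simplification of how real tools do that.

```python
"""Classifying access points seen in a site-survey sweep (System Access Threats slide).

Added example, not from the chapter. The authorized inventory and the sweep results
are constructed; MACs use the locally administered 02:... range. It assumes the sweep
tool can also report which MACs were seen on the wired side of the network, which is
how a rogue AP plugged into a switch port is told apart from a neighbour's AP.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str       # the radio's MAC address, what beacons actually carry
    channel: int
    security: str    # "WPA2-Enterprise", "WPA2-PSK" or "OPEN"


# What the network team deployed (constructed inventory).
AUTHORIZED = [
    AccessPoint("CorpWiFi", "02:00:00:aa:00:01", 36, "WPA2-Enterprise"),
    AccessPoint("CorpWiFi", "02:00:00:aa:00:02", 44, "WPA2-Enterprise"),
    AccessPoint("CorpGuest", "02:00:00:aa:00:03", 6, "OPEN"),
]

# What one sweep observed (constructed).
SWEEP = [
    AccessPoint("CorpWiFi", "02:00:00:aa:00:01", 36, "WPA2-Enterprise"),
    AccessPoint("CorpWiFi", "02:00:00:aa:00:02", 44, "WPA2-PSK"),          # our radio, config drifted
    AccessPoint("CorpGuest", "02:00:00:aa:00:03", 6, "OPEN"),
    AccessPoint("CorpWiFi", "02:00:00:bb:00:09", 1, "OPEN"),               # our name, unknown radio
    AccessPoint("Sales-Printer", "02:00:00:cc:00:04", 11, "WPA2-PSK"),     # unknown AP on our LAN
    AccessPoint("CoffeeShop", "02:00:00:dd:00:05", 1, "OPEN"),             # next door
]

# MACs learned from switch port tables during the same sweep (constructed).
WIRED_MACS_SEEN = {"02:00:00:cc:00:04"}


def classify(sweep, authorized, wired_macs) -> dict:
    inventory = {ap.bssid: ap for ap in authorized}
    our_ssids = {ap.ssid for ap in authorized}
    findings = {"evil_twin": [], "rogue": [], "neighbour": [], "misconfigured": []}
    for ap in sweep:
        known = inventory.get(ap.bssid)
        if known is not None:
            # A radio we deployed; flag it if what it advertises no longer matches.
            if known.security != ap.security or known.ssid != ap.ssid:
                findings["misconfigured"].append(ap.bssid)
        elif ap.ssid in our_ssids:
            # Our network name on a radio we never deployed: an evil twin.
            findings["evil_twin"].append(ap.bssid)
        elif ap.bssid in wired_macs:
            # Unknown AP bridged onto our wired network: a rogue.
            findings["rogue"].append(ap.bssid)
        else:
            findings["neighbour"].append(ap.bssid)
    return findings


if __name__ == "__main__":
    for kind, bssids in classify(SWEEP, AUTHORIZED, WIRED_MACS_SEEN).items():
        print(f"{kind}: {bssids}")
```

The evil twin here also downgrades security from WPA2-Enterprise to open, which is the usual pattern: an attacker cannot reproduce the enterprise certificate, so the twin has to offer something weaker and hope clients connect anyway.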
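The Context-Aware Security Devices slide says the same user can receive different rights depending on the device, location and time of the request. The added example below (not from the chapter) is a small policy engine that does exactly that for one finance user across several contexts. The roles, network labels, resource names, the policy rules and the four decision values are all my own constructions.

```python
"""Context-aware access decisions (Context-Aware Security Devices slide).

Added example, not from the chapter. The roles, network labels, resource names and
the policy itself are constructed to illustrate the idea; the decision values
('allow', 'allow-readonly', 'step-up', 'deny') are my own labels.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str             # asserted by the identity provider after authentication
    device_managed: bool  # enrolled in MDM: disk encrypted, screen lock enforced, wipeable
    network: str          # "corp-wired", "corp-wifi", "vpn" or "public"
    when: datetime
    resource: str


def in_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and time(7, 0) <= ts.time() <= time(19, 0)


def decide(req: AccessRequest) -> str:
    """Ordinary authorization first, then tighten based on device, location and time."""
    if req.resource.startswith("payroll/") and req.role != "finance":
        return "deny"                      # the role never permits this, whatever the context
    if req.network == "public":
        # Off-site on an untrusted network: unmanaged devices get nothing,
        # managed devices must re-prove the user with a second factor.
        return "step-up" if req.device_managed else "deny"
    if not req.device_managed:
        return "allow-readonly"            # BYOD on corporate networks: view but not export
    if req.network == "vpn" and not in_business_hours(req.when):
        return "step-up"                   # managed device at an unusual hour: ask for MFA
    return "allow"


# Constructed sample traffic: the same finance user in different contexts, plus
# a sales user whose role alone settles the question. 2022-03-01 is a Tuesday.
SAMPLES = [
    AccessRequest("jdoe", "finance", True, "corp-wired", datetime(2022, 3, 1, 10, 0), "payroll/march.xlsx"),
    AccessRequest("jdoe", "finance", False, "corp-wifi", datetime(2022, 3, 1, 10, 5), "payroll/march.xlsx"),
    AccessRequest("jdoe", "finance", True, "vpn", datetime(2022, 3, 1, 23, 30), "payroll/march.xlsx"),
    AccessRequest("jdoe", "finance", True, "public", datetime(2022, 3, 5, 12, 0), "payroll/march.xlsx"),
    AccessRequest("jdoe", "finance", False, "public", datetime(2022, 3, 5, 12, 1), "payroll/march.xlsx"),
    AccessRequest("asmith", "sales", True, "corp-wired", datetime(2022, 3, 1, 10, 0), "payroll/march.xlsx"),
]


def evaluate(requests=SAMPLES) -> list:
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for req, outcome in zip(SAMPLES, evaluate()):
        print(f"{req.user:7} managed={req.device_managed!s:5} {req.network:10} {req.when:%a %H:%M} -> {outcome}")
```

Note the order of the checks: role-based authorization runs first and context only ever narrows the result. Context should never widen access, otherwise a spoofed "I am on the corporate Wi-Fi" signal becomes a way to gain rights the role does not carry.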