Introduction to Network Defense

INFSCI 1075: Network Security  –  Spring 2013
Amir Masoumzadeh
 
Outline
 
Network defense and security process
Assessment
Protection
Detection
Response
 
Defense
 
What does network security mean in terms of defense?
Security is the process of maintaining an acceptable level of perceived risk
Note acceptable, not completely eliminating risk
Remember: cost vs. benefit
It is a continual process
Security must continually be checked and updated
It is an uncertain process
You never really know how secure you are
 
Security Process
 
Just as attacks have general stages (or processes), so does defense
Also, like attacks, there is no one de-facto standard
The security process involves several steps
Assessment
Protection
Detection
Response
 
Security Process: Assessment
 
Preparation for the remaining three stages
Assessment often deals with the following processes
Business evaluation of security
Cost vs. Benefit
Technical evaluation of security
Current status and feasibility
Policy and procedure development
Laws and regulations
What security measures a business must use
Other managerial concerns
Team assembly, budgeting, support, etc.
 
Risk Analysis
 
A critical part of the assessment stage
Types
Qualitative
Enumerating attacks and their impacts
Consideration of organizational goals, asset value, threats, vulnerabilities and effectiveness of current safeguards
Subjective in nature, measured by “High, Medium, or Low” values given by staff/experts, etc.
Quantitative
Estimating the likelihood of attacks
Precise measurement of risks based on modeling and analysis together with historical data
Assigns objective numeric values to components of risk analysis and potential loss
 
Risk Analysis
 
Includes
Asset identification and valuation
Threat definition
Threat vector – information about a threat, its origin and the target assets
Likelihood and impact analysis
Basic risk analysis assumes that threats are equally likely and merely identifies assets
A more advanced analysis values assets, classifies threats, and analyzes the threat on each asset
Surveys such as CSI – e.g., internal threats usually amount to 70-80%
Take a look at CSI survey 2010/2011 and Sophos report 2013 (available on CourseWeb)
 
CSI 2010/2011: Types of attacks by percentage of respondents
 
(survey chart; not captured in the text extraction)
 
Risk Analysis
 
Once risk has been clearly defined, it dictates
What needs to be protected
What is threatened? What is vulnerable? What is of value?
What the priorities of assets / protections are
What is most threatened or vulnerable? What is of most value?
What protections should be used
What measures counter the vulnerabilities?
How much is OK to spend on preventative measures?
You can think of protections as decreasing the risk
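As an added example that is not part of the slides: a small quantitative risk analysis in the sense of slides 6, 7 and 9, assigning numeric asset values and threat likelihoods, ranking asset/threat pairs by expected annual loss, and checking a candidate protection with cost vs. benefit. The loss formula, the safeguard parameters and all figures are constructed assumptions.

```python
# Added example (not from the slides). Asset values, threat likelihoods, impact
# fractions, the expected-loss formula and the safeguard figures are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # expected occurrences per year (constructed estimate)
    impact: float       # fraction of the asset's value lost per occurrence


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # monetary value assigned during asset valuation
    threats: tuple      # threats that apply to this asset


def expected_loss(asset: Asset, threat: Threat) -> float:
    """Annual expected loss for one asset/threat pair: value x impact x likelihood."""
    return asset.value * threat.impact * threat.likelihood


def rank_risks(assets):
    """Slide 9: which asset/threat pairs are most threatened, highest loss first."""
    pairs = [(a.name, t.name, expected_loss(a, t)) for a in assets for t in a.threats]
    return sorted(pairs, key=lambda p: p[2], reverse=True)


def safeguard_worthwhile(asset, threat, annual_cost, likelihood_reduction):
    """Cost vs. benefit: a protection is justified only if the risk it removes
    exceeds what it costs per year. Returns (net_benefit, justified)."""
    residual = Threat(threat.name, threat.likelihood * (1 - likelihood_reduction), threat.impact)
    benefit = expected_loss(asset, threat) - expected_loss(asset, residual)
    return round(benefit - annual_cost, 2), benefit > annual_cost


# Constructed inventory; the insider threat is rated high, in line with the
# survey figure the slides cite for internal threats.
INSIDER = Threat("insider data theft", likelihood=0.5, impact=0.4)
MALWARE = Threat("malware infection", likelihood=2.0, impact=0.05)
DEFACE = Threat("web defacement", likelihood=1.0, impact=0.1)
ASSETS = (
    Asset("customer database", 500_000, (INSIDER, MALWARE)),
    Asset("public web server", 50_000, (DEFACE, MALWARE)),
)

if __name__ == "__main__":
    for asset, threat, loss in rank_risks(ASSETS):
        print(f"{asset:20} {threat:20} expected annual loss: {loss:>10,.0f}")
    # A 30k/year control cutting insider likelihood by 60% on the database
    print(safeguard_worthwhile(ASSETS[0], INSIDER, annual_cost=30_000, likelihood_reduction=0.6))
```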
 
Security Process: Protection
 
Involves the realization of information gained and plans made in the assessment stage
Drafting of policies and procedures
Including the training of employees, etc.
Deploying software and hardware protections
Firewalls, IDS/IPS
Password policies, access control policies, etc.
Monitoring and logging
Patching
One key assumption that security personnel should make is that protections will eventually fail
 
Security Process: Detection
 
Assumes that assessment and protection will fail
Aims at detecting attacks once in progress
Security breaches are hard to prevent (zero-day exploits, user vulnerabilities, etc.)
Detection ensures that when protections fail, an organization knows in order to respond
Assumes that assessment and protection have been conducted properly
Assumes continual monitoring and assessment of existing protections
 
Security Process: Response
 
Validates the findings of detection
The response stage may include
Removing the attacker
Or “jailing” the attacker
Or even just ignoring him/her
Preventing damage
Or recovering from it
Patching holes and closing backdoors
Documenting evidence
May include taking machines offline
May have to trade off with rapid recovery
Prosecuting the attacker
 
Security Process Cycle
 
A repeating and evolving process
 
Defense Models
 
There is always a defense model, e.g.,
Perimeter security model if a firewall is the primary defense mechanism
Layered model if multiple defense mechanisms are employed
Effective security infrastructure requires understanding the defense model as well as trust definitions
What is fully trusted?
What is partially trusted?
What is not trusted?
 
Lollipop Model of Defense
 
Most common model
Focuses on perimeter security
Protection is concentrated on keeping the outsider out
Has many limitations
Once an attacker has penetrated the outside wall, there are no other defense measures
Does not provide different levels of security appropriate to the assets, i.e., it protects everything equally against everything
Does not protect against insider attacks
 
Onion Model of Defense
 
Defense is deployed in many layers
Does not rely on one, single layer of defense
Much harder to predict and penetrate than the lollipop model
Can be achieved in many ways
Segmenting the network (based on access and need)
Defining zones of trust
Protections at various levels
Network
System
Personal firewall software, system access controls, etc.
Application
Multi-factor authentication, authorization levels, etc.