Sunday, September 20, 2009

Security Technology: Week 8

1. Which architecture for deploying a firewall is most commonly used in businesses today? Why?

The most commonly used and dominant architecture is the screened subnet firewall. This type of firewall creates a DMZ (demilitarized zone): a separate network zone that isolates the hosts which must be reachable from outside the network (e.g. a web server or FTP server) from the internal servers. The externally accessible hosts are placed on their own network segment, attached to a dedicated adapter of the firewall, and that segment is the DMZ. This is easily achieved with a firewall that has three or more interfaces (outside, DMZ and inside).

Each internal sub-network can likewise be given its own security zone (e.g. the Finance network, the Sales network, etc.) by connecting it to a separate firewall adapter. All traffic between zones, and all traffic from the Internet to any zone, is checked by the firewall. In this way each zone is isolated, and the systems in a zone only trust other systems within the same zone. Therefore, if an attacker succeeds in breaching an accessible host in the DMZ, the firewall policy still stands between that host and the hosts in the other zones, so the compromise is contained rather than spreading across the whole network. DMZs are typically used for servers, such as web servers, which must be reachable from two separate networks. Usually an organization has one Internet connection, one local network and one DMZ holding the servers that must be both internally and externally accessible.


http://docs.google.com/gview?a=v&q=cache:GtbH_BYYAHsJ:www.tech2u.com.au/products/dsl/pdf/Firewall_Architecture.pdf+firewall+architecture:+most+popular&hl=en

The screened subnet is an entire network segment that performs two functions:


· It protects the DMZ systems and information from outside threats by providing a network of intermediate security.
· It protects the internal networks by limiting how external connections can gain access to internal systems.

DMZs can also create extranets, segments of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
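As an added illustration (not part of the original post), the following Python model evaluates flows against a zone policy of the kind a three-interface screened-subnet firewall enforces. The zone names, addresses, ports and rules are constructed for the example; a real deployment would express the same policy in the firewall's own rule language, but the decisions it should reach are the ones shown here: the Internet may reach the DMZ only on the published service ports, the Internet never reaches the inside directly, and a compromised DMZ host can reach only the one internal port the policy explicitly grants.

```python
"""Zone-based firewall policy for a screened subnet (three-interface firewall).

Added example, not code from the original page. Zone names, addresses,
ports and rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Each firewall interface is attached to exactly one zone (constructed addressing).
ZONES = {
    "outside": ipaddress.ip_network("0.0.0.0/0"),   # the Internet: everything else
    "dmz": ipaddress.ip_network("192.0.2.0/24"),     # the screened subnet
    "inside": ipaddress.ip_network("10.0.0.0/8"),    # internal networks
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; the most specific matching network wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset  # allowed destination ports; an empty set means any port


# Only permit rules are listed; anything not matched is dropped (default deny).
RULES = [
    Rule("outside", "dmz", frozenset({80, 443})),   # published web service
    Rule("inside", "dmz", frozenset()),             # staff administer DMZ hosts
    Rule("inside", "outside", frozenset()),         # staff browse the Internet
    Rule("dmz", "inside", frozenset({5432})),       # web tier -> database port only
]


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'accept' or 'drop' for one flow crossing the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Traffic inside one zone stays on that segment and never reaches the
        # firewall; modelled here as accepted so the table reads naturally.
        return "accept"
    for rule in RULES:
        if rule.src_zone == src and rule.dst_zone == dst:
            if not rule.ports or dst_port in rule.ports:
                return "accept"
    return "drop"


def audit(flows):
    """Evaluate a list of (src, dst, port) flows; returns [(flow, zones, decision)]."""
    return [((s, d, p), (zone_of(s), zone_of(d)), decide(s, d, p)) for s, d, p in flows]


if __name__ == "__main__":
    sample_flows = [                       # constructed flows
        ("203.0.113.5", "192.0.2.10", 443),   # Internet client -> DMZ web server
        ("203.0.113.5", "192.0.2.10", 22),    # Internet -> SSH on DMZ host
        ("203.0.113.5", "10.0.0.5", 445),     # Internet -> internal file server
        ("192.0.2.10", "10.0.0.5", 5432),     # DMZ web tier -> internal database
        ("192.0.2.10", "10.0.0.5", 22),       # compromised DMZ host -> internal SSH
        ("10.0.1.2", "192.0.2.10", 22),       # admin workstation -> DMZ host
    ]
    for flow, zones, verdict in audit(sample_flows):
        print(f"{flow[0]:>13} -> {flow[1]:<12} :{flow[2]:<5} {zones[0]:>7}->{zones[1]:<7} {verdict}")
```

The value of the model is the last two rows of the table: even after the DMZ web server is breached, the only internal reachability the attacker inherits is the database port the policy granted, which is the containment property the screened subnet is chosen for.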

2. What are the reasons that VPN technology has become the dominant method for remote workers to connect to the organizational network?
In terms of security, dial-up connections are deemed more vulnerable to attack than VPNs (Virtual Private Networks). Secure VPNs use cryptographic tunneling protocols to provide confidentiality (defeating interception and packet sniffing), sender authentication (defeating identity spoofing) and message integrity (detecting message alteration). This is the first and foremost reason for the dominance of the technology. Other reasons for its popularity include:

- Cost savings

One way a VPN lowers costs is by eliminating the need for expensive long-distance leased lines. With VPNs, an organization needs only a relatively short dedicated connection to the service provider. This connection could be a local leased line (much less expensive than a long-distance one), or it could be a local broadband connection such as DSL service.

VPNs enable travelling employees to access the corporate network over the internet. By using remote sites’ existing Internet connections where available, and by dialling into a local ISP for individual access, expensive long distance charges can be avoided.

VPNs allow employees working at customer sites, business partners, hotels and other untrusted locations to access the corporate network safely over the public Internet, inside an encrypted tunnel that behaves like a private connection.

VPNs allow an organization to provide customer support to clients using the internet while minimizing risks to the client’s computer networks.
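To make the three properties named above concrete, here is an added example (not code from the original post) of a toy tunnel packet format: a sequence number, ciphertext, and a MAC over both, checked before anything is decrypted. Real VPNs (IPsec ESP, TLS-based VPNs, WireGuard) use standard AEAD ciphers negotiated by a key exchange; the HMAC-driven keystream here is only a stand-in so the example runs with the Python standard library, and the shared secret is assumed to have been agreed already. The `demo()` function runs one genuine packet and the three attacks the tunnel is meant to defeat (sniffing, alteration, spoofing) plus a replay.

```python
"""Toy VPN tunnel packet: confidentiality, integrity and sender authentication.

Added example, not code from the original page. The keystream construction is a
stand-in for a real AEAD cipher; the shared secret is assumed to come from the
VPN's key exchange. Sample message and attacks are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32   # SHA-256 HMAC
HDR_LEN = 8    # 64-bit sequence number


def derive_keys(shared_secret: bytes):
    """Split one negotiated secret into independent encryption and MAC keys."""
    enc = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream bound to the packet sequence number (toy cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the tag covers the header too, so seq cannot be altered."""
    ks = keystream(enc_key, seq, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = struct.pack(">Q", seq)
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class TunnelReceiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_seq = -1   # minimal anti-replay state: strictly increasing seq

    def open(self, packet: bytes):
        """Return the plaintext, or None if the packet is forged, altered or replayed."""
        if len(packet) < HDR_LEN + TAG_LEN:
            return None
        header, ct, tag = packet[:HDR_LEN], packet[HDR_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None                               # wrong key or modified bytes
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            return None                               # replayed packet
        self.last_seq = seq
        ks = keystream(self.enc_key, seq, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


def demo() -> dict:
    """One genuine packet plus sniff, alter, spoof and replay attempts."""
    shared_secret = os.urandom(32)        # assumed output of the key exchange
    enc_key, mac_key = derive_keys(shared_secret)
    rx = TunnelReceiver(enc_key, mac_key)
    msg = b"GET /payroll HTTP/1.1"        # constructed sample traffic
    packet = seal(enc_key, mac_key, 1, msg)

    results = {}
    # Sniffing: the bytes on the wire never contain the plaintext.
    results["sniffer_sees_plaintext"] = msg in packet
    # Alteration: flip one bit of ciphertext in transit.
    altered = bytearray(packet)
    altered[HDR_LEN] ^= 0x01
    results["altered_accepted"] = rx.open(bytes(altered)) is not None
    # Spoofing: a sender without the negotiated secret builds a packet.
    fake_enc, fake_mac = derive_keys(os.urandom(32))
    results["spoofed_accepted"] = rx.open(seal(fake_enc, fake_mac, 2, b"evil")) is not None
    # The genuine packet is delivered intact...
    results["genuine_delivered"] = rx.open(packet) == msg
    # ...but a captured copy re-sent later is refused.
    results["replay_accepted"] = rx.open(packet) is not None
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:<24} {outcome}")
```

The ordering inside `open()` is the security-relevant detail: the tag is verified before decryption is attempted and before the sequence counter is advanced, so a forged or altered packet can neither influence the keystream nor disturb the replay window.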

3. Will biometrics involve encryption? How are biometric technologies dependent on the use of cryptography?

Biometrics is the science and technology of measuring and analysing biological data. In information technology, biometrics refers to technologies that measure and analyse human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes.

Encryption is a mathematical process that disguises the information contained in messages that are transmitted or stored in a database. Three main factors determine the security of any cryptosystem: the strength of the mathematical process or algorithm, the length of the encryption key used to disguise the message, and the safe storage and handling of that key, known as key management.

Yes, biometrics will involve encryption. Biometric encryption is the use of a characteristic of the body to derive or release the key that scrambles and unscrambles data. Physical characteristics such as fingerprints, retinas and irises, palm prints, facial structure and voice are just some of the traits being researched for this purpose today. Since these characteristics are unique to each individual, biometrics are seen as an answer to theft and fraud, particularly in commerce over the Internet. The reason this technology is believed to be superior to passwords or personal identification numbers (PINs) is that a biometric trait cannot be forgotten or lost, and cannot be stolen or recreated, at least not easily. The caveat a practitioner should keep in mind is that a biometric, unlike a password, cannot be changed: if the stored template or a usable copy of the trait is compromised, it stays compromised, which is why templates and the keys derived from them must themselves be protected by cryptography. As one industry expert put it, "Unless criminals are going to start cutting off peoples fingers to gain access to their accounts, biometric encryption is an excellent method for controlling access to those who should have it."

Cryptography is defined as the conversion of data into a secret code for transmission over a public network. Today, most cryptography is digital, and the original text ("plaintext") is turned into a coded equivalent called "Ciphertext" via an encryption algorithm. The Ciphertext is decrypted at the receiving end and turned back into plaintext.

Biometric data are noisy. Because they are measurements of the human body, the individual bits of a freshly captured sample are unreliable, and only an approximate match with a stored template can be expected. Cryptography, on the other hand, demands exactness: a key must be exactly right or the protocol fails. A better approach is a protocol-level combination of cryptography and biometrics, in which an error-correcting scheme absorbs the noise in the biometric reading so that the same cryptographic key is recovered each time, giving a reliability and protection that biometrics alone cannot provide.
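The combination described above is what a fuzzy commitment scheme does, and the following added example (not part of the original post) shows the mechanism end to end. A random key is encoded with an error-correcting code, XORed with the enrolled template to produce "helper data", and only the helper data and a hash of the key are stored. At authentication a fresh, noisy sample unmasks a slightly corrupted codeword, the code corrects the noise, and the exact key is released only if its hash matches. The templates are constructed random bit strings standing in for real feature vectors, and the repetition code used here is chosen for readability; real systems use stronger codes (BCH, Reed-Solomon) and must account for the information the helper data leaks about the template.

```python
"""Fuzzy commitment: binding an exact cryptographic key to a noisy biometric.

Added example, not code from the original page. Templates are constructed
random bit strings; the repetition code is a deliberately simple stand-in
for the stronger codes a real biometric cryptosystem would use.
"""
import hashlib
import secrets

REPEAT = 7                       # each key bit stored 7 times: majority vote fixes <= 3 flips per block
KEY_BITS = 128
TEMPLATE_BITS = KEY_BITS * REPEAT


def encode(key_bits):
    """Repetition code: expand each key bit into REPEAT identical code bits."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(codeword):
    """Majority vote per block; wrong once more than (REPEAT-1)//2 bits of a block flip."""
    return [int(2 * sum(codeword[i:i + REPEAT]) > REPEAT)
            for i in range(0, len(codeword), REPEAT)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def key_hash(key_bits):
    """Commitment to the key; stored instead of the key itself."""
    return hashlib.sha256(bytes(key_bits)).digest()


def enroll(template):
    """Bind a fresh random key to the template.

    Only helper data and the key hash are stored: neither the key nor the
    biometric template is kept in the database.
    """
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    record = {"helper": xor_bits(encode(key), template), "key_hash": key_hash(key)}
    return record, key


def authenticate(record, sample):
    """Unmask the codeword with a fresh noisy sample, correct the noise and
    release the key only if it hashes to the stored commitment."""
    candidate = decode(xor_bits(record["helper"], sample))
    return candidate if key_hash(candidate) == record["key_hash"] else None


def noisy_copy(template, flips_per_block):
    """Worst-case sensor noise: flip the first flips_per_block bits of every block."""
    out = list(template)
    for start in range(0, len(out), REPEAT):
        for j in range(flips_per_block):
            out[start + j] ^= 1
    return out


def random_template():
    """Constructed stand-in for a feature vector extracted from a sensor image."""
    return [secrets.randbits(1) for _ in range(TEMPLATE_BITS)]


if __name__ == "__main__":
    enrolled = random_template()
    record, key = enroll(enrolled)
    print("exact sample       :", authenticate(record, enrolled) == key)
    print("3 flips per block  :", authenticate(record, noisy_copy(enrolled, 3)) == key)
    print("4 flips per block  :", authenticate(record, noisy_copy(enrolled, 4)))
    print("different person   :", authenticate(record, random_template()))
```

Two design points carry over to real systems. The stored record contains no secret that can be used directly: helper data alone does not reveal the key, and the hash is a one-way commitment, so a database leak does not hand out keys. And the error-correction capacity is the policy knob: it sets how much sensor noise a genuine user may have (here three flipped bits per block) before the key is refused, and it must be kept small enough that another person's template does not also decode to the key.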

Tuesday, September 15, 2009

Risk Management: Week 6


1.What is the best value that should be assessed when evaluating the worth of an information asset to the organization - replacement cost or lost income while repairing or replacing?

The best value to assess when evaluating the worth of an information asset depends on the type of organization and the type of information assets it uses; both measures can be equally important, and which one dominates depends on what the asset does for the business. Some assets generate a large share of an organization's revenue or are essential to service delivery. If such an asset is unavailable, the income lost while it is repaired or replaced is the more meaningful figure. Other assets are unique and highly valuable in themselves: spare parts or equivalent equipment may not be readily available, so the asset is worth more than its book cost and the replacement cost must be taken into consideration. In practice it is sensible to record both figures, since a single incident can incur both kinds of loss.

2. What is the likelihood value of a vulnerability that no longer must be considered?

Likelihood is defined as “the probability that a specific vulnerability within an organization will be successfully attacked”. During risk assessment a numeric value is assigned to each vulnerability: the more likely a successful attack, the closer the value is to 1.0, and vice versa. A vulnerability that no longer must be considered (for example because the vulnerable system has been removed or the weakness has been fully remediated) therefore has a likelihood of zero, or as close to zero as the rating scale allows, because the chance of it being exploited is nil.

3. In what instances is baselining or benchmarking superior to cost benefit analysis?

Benchmarking is defined as ‘the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization’. Baselining is related to benchmarking: a ‘value or profile of a performance metric’ is recorded so that later changes in that metric can be compared against it. Cost-benefit analysis (CBA), on the other hand, is an analysis of ‘the worth of the information asset to be protected and the loss in value if those information assets were compromised by the exploitation of a specific vulnerability’. Using CBA, a company can determine whether an information asset is worth protecting and, if so, how much it will cost to put sufficient controls in place to protect the organization from the relevant threats and vulnerabilities. Baselining or benchmarking is superior to cost-benefit analysis when an organization wants to know how its security performance compares with that of other organizations, or with its own past performance: it identifies strategic areas of opportunity and practices worth adopting, rather than just giving the financial value of an asset and whether spending a given percentage of that value on security is acceptable.

4. How can we find out what an organization's risk appetite is? Why is this important?

Risk appetite is defined as ‘the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility’. Each organization views risk differently. It is difficult to determine what an organization's risk appetite is unless one speaks to senior management about the issue, because accepting risk on the organization's behalf is their decision. The level of risk appetite also depends on the type of work the organization does: a government organization may have a very low risk appetite, whereas a small business owner may accept considerably more. It is important to know an organization's risk appetite so that security measures can be put in place according to the needs, wants and budget of the organization.
-------------------------------------------------------------------------------------------------
Notes on understanding the Chapter:
This chapter was a bit more technical with lots of IT terms that were used; other than that, once I had read the chapter thoroughly, I was able to make a basic understanding of risk management.

Tuesday, September 8, 2009

Legal, Ethical and Professional Issues: Week 5

Links:
http://www.privacy.gov.au/index.php?option=com_content&view=article&id=629&Itemid=848
- Provides information on the Privacy Act, State and Territory privacy laws and other relevant Australian and international legislation.

http://www.efa.org.au/Issues/Privacy/cybercrimeact.html
- Overview of Laws and Acts concerning cybercrime/computer crime legislation

http://www-07.ibm.com/systems/au/information_infrastructure/solutions/information_security/
- Company that provides Information security to its clients, provides services in securing information.

http://www.oecd.org/document/62/0,3343,en_21571361_36139259_36296830_1_1_1_1,00.html
- Provides a list of Australia’s initiatives towards information security

http://www.aisa.org.au/
- Australian Information security association where members can come together and contribute information regarding security.

http://www.dsd.gov.au/
- The official website of the Defence Signals Directorate (DSD), the Australian Government's signals intelligence and information security agency within the Department of Defence.

Research Methodology

Google was the only search engine used for research. Using the keywords provided in Moodle, I initially performed a search for pages within Australia. After this initial search, I tried a combination of words relating to security. Once I opened a couple of websites, it snowballed from there, where I opened one website that consisted of links to other websites. This is how I found the above resources.

Important Resources

I felt all the resources above were important and relevant; however, I have narrowed it down to the three most important resources, and they are:

- Electronic Frontiers Australia (Cybercrime/Computer Crime Legislation)
- AISA (Australian Information Security Association)
- Australian Government Privacy Law

The first resource to me was important as it provides an overview of how the Cybercrime legislation was formed and for users who are interested; there are links to other pages with in-depth explanations as well. The EFA is a credible source and hence the information provided in the website is deemed to be correct.

The second resource is also important as it claims to be the ‘information security hub of Australia’. It ‘promotes awareness and understanding of Information Security Issues in an independent and unbiased manner’. As it is a portal for all Australians to come together and exchange information about security among each other, it seems like a great platform where users are able to put their views, ideas and news that they come across. As such, users who visit this site will be able to gain an overall idea about what Information Security is.

The third resource is the Australian Government website dedicated to Privacy Law. This source is credible, up-to-date and provides a detailed explanation of the Privacy Act for each of the states of Australia. It provides comprehensive information and people will be able to get a detailed explanation of rules and regulations regarding Privacy in Australia.

Local and International Privacy Laws

Local Australian privacy laws are no doubt different from those of other countries such as America or the UK. This difference can make it difficult for a country to enforce its information security laws when a breach originates in another country. Although almost all authorities can act against a domestic data controller for the benefit of a foreign individual, many are limited in, or uncertain about, their authority to protect their own citizens from privacy breaches by a foreign controller. A report by the OECD titled ‘Report on the Cross-Border Enforcement of Privacy Laws’ states that “Work by the Council of Europe, the European Union, and APEC has helped establish frameworks for enforcement co-operation among enforcement authorities on a regional basis.” Hence countries have started to work together to address the grey areas that arise from the differences in privacy laws between countries.

Sunday, September 6, 2009

Weekly Reflection: Week 4

I have an mp4 player that can be connected to a computer via a USB cable. A friend of mine wanted a couple of songs from there and so I decided to give him my mp4. He warned me saying: “I think I have a virus on my computer and I’ve tried to remove it many times, but it just does not go”. I told him I would take the risk and that if something went wrong with my laptop, it would be his fault. He copied the songs off my mp4. I had my free version of AVG antivirus ready. I plugged it into my computer, and AVG detected and removed it. The virus was called ‘autorun.exe’. From what my friend told me, the virus did nothing except stop USB devices from auto-running. I used Google to find more information about the virus, and there have been cases where the virus creates a large number of new files and folders with the names of real directories you have. I kept scanning my computer and mp4 player every 3 days for a couple of weeks just to make sure and was relieved to know that the virus had not been able to get onto my computer or my mp4 player.

Then I copied my free version of AVG and gave it to him so that he could remove the virus from his computer as well. Thinking about it now, I am sure it was a stupid thing for me to ‘take the risk’ and plug the USB in anyway, however now that I know of some of the consequences of having a virus on one’s computer, I will be more cautious before plugging anything into my laptop. I have also made it a point to update my antivirus definitions as well as scan my whole computer on a weekly basis.

This article is about how the US Marshals Service was infected by the Neeris virus. The virus is “a new malware variant that has been customised to exploit the same vulnerability as the notorious Conficker worm”. “Neeris and Conficker look for missing patches. If the PCs and servers are patched, the malware doesn't work”. The issue with the US Marshals Service was that they had an out-of-date antivirus program, leaving the whole organization vulnerable and open to the threat. Once employees started noticing suspicious changes on their computers, the IT staff were notified. As a result of the infection, the IT staff disconnected the marshals' computers from the Justice Department's network to prevent further spread, and the Internet connection was shut off for the whole day. In addition, the computers and servers were patched and an updated version of the antivirus was installed on all agency computers. According to the spokeswoman for the US Marshals Service, no data was compromised or at risk as a result of the virus infection.

At UB, to deal with threats from viruses, Trojan horses, Back Doors and worms, a list of measures have been put in place. These are as follows:
· state of the art firewalls (software and hardware)
· virus & spyware protection
· anti-spam software
· multi tiered password protection
· secure login via Access@UB
· secure data storage
· security alerts
· educating UB students and staff
· access to free anti-virus software (Sophos)

They also have important links on the UB website that provide information to users. Here is a list of links and a brief explanation of how it helps.
Warnings & alerts :- Alerts and Warnings about things happening on the net.
Security awareness campaigns:- Educating staff and students about ICT Security.
Feature articles:- Things of interest and the odd surprise.
Monthly Statistics:- Some interesting facts and figures.
Free Anti-virus Software (Sophos):- Download Sophos anti-virus for FREE
Email & virus tips:- Some hints and tips about email and dealing with viruses.