powerpoint presentation
TRANSCRIPT
1
Beyond CIPA Compliance - Planning a Truly Secure Network Infrastructure
CoSN, February 28, 2002, Session 4A
Reproduction of this material is permitted, with attribution, for non-commercial purposes. This presentation represents the professional opinion of the author. Verizon accepts no liability, expressed or implied, for the material contained herein.
2
Today’s Agenda
What’s your SecurityQ?
Why Network Security?
What is Network Security?
Where can Verizon help you?
3
Why should I care about Security?
It’s important to ensure that students and staff experience a “safe” computing environment
If you don’t comply with CIPA, you lose E-Rate discounts and must repay any discounts already received
Citizens care about security
– Heightened by 9/11
– Security breaches are widely and frequently reported
– Many laws (other than CIPA) deal with security and privacy
– Individuals have a right of action under tort law
4
What is “CIPA Compliant”?
Internet Safety Policy
The Internet Safety Policy must address the following issues:
– access by minors to inappropriate matter on the Internet and World Wide Web;
– the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;
– unauthorized access, including so-called "hacking," and other unlawful activities by minors online;
– unauthorized disclosure, use, and dissemination of personal information regarding minors; and
– measures designed to restrict minors' access to materials harmful to minors.
5
What is Security?
6
State of the Art Security
pre-Gunpowder!
7
What is Security?
Classical definition:
– Confidentiality
– Integrity
– Availability
How privacy can be assured:
– Administratively
– Physically
– Technically
8
Information Security Lifecycle
(Diagram: a lifecycle with the following phases and building blocks)
Phases:
– Risk Assessment
– Security Policy
– Policy and Architecture
– Solution Design and Selection (Security Design; Technology Selection)
– Technology Implementation (VPN, Encryption, Firewalls, Authentication, IDS)
– Security Assurance (Testing, Reporting, Monitoring, Training)
Building Blocks:
– Business Applications and Services
– Networks, Intranet, Internet, Remote Access
– Hardware and Operating Systems
People, Process, Technology
Security is a process, not a product...
9
What is Privacy?
“The right to be left alone is the most comprehensive of rights...” US Supreme Court Justice Brandeis, 1928
“You already have zero privacy. Get over it.” Scott McNealy, CEO Sun Microsystems, 1999
Consumer attitudes - The Pew Internet & American Life Project, 2000
– 86% favor opt-in privacy policies, requiring permission for use
– 54% view web-site tracking of users as an invasion of privacy
– 54% have provided personal info. to use a web site
– 48% have bought on-line using a credit card
– 55% have sought medical info. on the web
– 43% have sought financial info.
– 27% will never divulge personal information on-line
10
Privacy versus Security
Privacy is what you promise to do
Security is about how you fulfil the promise
Networks are how the authorized (and unauthorized) get access
Therefore network security is of paramount importance
11
5 Principles of Fair Information Practices
Openness
– Existence and purpose of record-keeping systems must be publicly known.
Individual Participation
– Individual right to see records and assure quality of information.
Security
– Reasonable safeguards for confidentiality, integrity, and availability of information.
Accountability
– Violations result in reasonable penalties and mitigation.
Limits on Collection, Use, and Disclosure
– Information collected only with knowledge and consent of subject.
– Information used only in ways relevant to the purpose for which the data was collected.
– Information disclosed only with consent or legal authority.
12
Physical Security
Card Access Systems
Closed Circuit TV (CCTV)
Fire Suppression Systems
Alarm Systems
Power Systems
13
Two-Factor Authentication
3 ways to authenticate a person:
– What they know – Password
– What they have – Token
– Who they are – Biometrics
Two-factor authentication requires two of these from different categories, so a stolen password alone is not enough to log in.
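As an added example (not part of the original presentation): a Go program that checks both factors listed above, something the user knows (a password, stored as a salted hash) and something the user has (a token producing RFC 4226 HOTP codes). The user name, password, salt and token secret are constructed for the demo; the secret "12345678901234567890" is RFC 4226's test secret, so the codes it prints match the RFC's published vectors. The counter advances only after a fully successful login, so a captured code cannot be replayed and a wrong password does not burn the user's codes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const (
	otpDigits = 6 // length of the one-time code
	lookAhead = 3 // counter values ahead we accept (token pressed without logging in)
)

// HOTP computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamically truncated to otpDigits decimal digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := int(h[len(h)-1] & 0x0f)
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < otpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", otpDigits, code%mod)
}

// User is one record of a constructed credential store (assumed layout).
type User struct {
	Name      string
	Salt      []byte
	PassHash  []byte // sha256(salt || password); use a slow KDF (bcrypt/scrypt/argon2) in production
	OTPSecret []byte // shared with the token
	Counter   uint64 // next HOTP counter value we expect
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewUser enrols a user. The salt is fixed here so the demo is deterministic;
// real code draws it from crypto/rand.
func NewUser(name, password string, otpSecret []byte) *User {
	salt := []byte("constructed-demo-salt")
	return &User{Name: name, Salt: salt, PassHash: hashPassword(salt, password), OTPSecret: otpSecret}
}

// Authenticate succeeds only if the password matches AND the code matches one
// of the next lookAhead counter values. The counter moves past the matched
// value only on full success: a used code is rejected afterwards, and an
// attacker who lacks the password cannot advance the counter.
func (u *User) Authenticate(password, code string) bool {
	passOK := subtle.ConstantTimeCompare(hashPassword(u.Salt, password), u.PassHash) == 1

	otpOK := false
	matched := uint64(0)
	for i := uint64(0); i < lookAhead; i++ {
		c := u.Counter + i
		if subtle.ConstantTimeCompare([]byte(HOTP(u.OTPSecret, c)), []byte(code)) == 1 {
			otpOK, matched = true, c
			break
		}
	}
	if !passOK || !otpOK {
		return false
	}
	u.Counter = matched + 1
	return true
}

func main() {
	u := NewUser("jdoe", "correct horse", []byte("12345678901234567890"))
	code := HOTP(u.OTPSecret, u.Counter) // what the token would display
	fmt.Println("first code:", code)                                                    // 755224
	fmt.Println("login:", u.Authenticate("correct horse", code))                        // true
	fmt.Println("replay:", u.Authenticate("correct horse", code))                       // false
	fmt.Println("bad password:", u.Authenticate("guess", HOTP(u.OTPSecret, u.Counter))) // false
}
```

The look-ahead window is what lets a user recover after pressing the token button a few times without logging in; anything beyond it (or behind the current counter) is refused, which is the property to test when evaluating a token product.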
14
Biometrics
Fingerprint / Palm Print
Hand Geometry
Iris Scanning
Keyboard Dynamics
Signature Characteristics
Facial Recognition
Voice Recognition
15
PKI / LDAP / X.500
Digital Certificates & PKI (X.509 v3)
– Digital document attesting to the binding of a public key to an individual or other entity
– Uses a pair of (software) keys, public and private; needs a certificate authority (acting as a notary); provides strong authentication
16
RADIUS
17
More communications/network controls
Firewalls for Internet (and other) connections
– The DMZ concept
– Importance of proper installation & maintenance
Strong encryption & digital signature on “public network”
Encryption on private networks (?)
Regular virus checking
Standardized client & server configurations
Periodic census of network software & hardware
Vulnerability assessment & intrusion detection
18
Firewalls & Intrusion Detection Systems
(Diagram: the Internet connection with firewall and IDS placement)
19
Encryption
Encryption provides confidentiality
– Symmetric (Secret) Key
– Asymmetric (Public) Key
VPNs provide a secure channel
(Diagram: Network / VPN / VPN / Network, two networks joined through a pair of VPN endpoints)
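As an added example (not from the presentation): a Go program showing how the two kinds of encryption on the slide are used together. A fresh symmetric session key (AES-256-GCM) protects the message, and the recipient's asymmetric public key (RSA-OAEP) protects the session key, so only the holder of the matching private key can read the envelope. The message text is constructed for the demo. Real VPN protocols negotiate the session key with a key-exchange protocol rather than RSA key wrapping, but the division of labour is the same: asymmetric keys to establish the channel, symmetric keys for the traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SymmetricEncrypt seals msg with a shared secret key using AES-256-GCM.
// Output is nonce || ciphertext || tag. The nonce is random per message and
// must never repeat under the same key.
func SymmetricEncrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt; GCM's tag check rejects any
// modification of the ciphertext.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Envelope is what travels over the public network: the RSA-wrapped session
// key plus the AES-GCM sealed payload.
type Envelope struct {
	WrappedKey []byte
	Sealed     []byte
}

// HybridEncrypt generates a one-time session key, seals the message with it,
// and wraps the session key for the recipient with RSA-OAEP.
func HybridEncrypt(recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	sealed, err := SymmetricEncrypt(key, msg)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

// HybridDecrypt unwraps the session key with the private key, then opens the payload.
func HybridDecrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(key, env.Sealed)
}

// Outcome records the round trip plus two failure cases.
type Outcome struct {
	RoundTrip        bool // recipient recovers the plaintext
	TamperDetected   bool // a flipped ciphertext byte is rejected by GCM's tag
	WrongKeyRejected bool // a different private key cannot unwrap the session key
}

func Demo() (Outcome, error) {
	var o Outcome
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return o, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return o, err
	}
	msg := []byte("student roster for room 12") // constructed sample message
	env, err := HybridEncrypt(&recipient.PublicKey, msg)
	if err != nil {
		return o, err
	}
	got, err := HybridDecrypt(recipient, env)
	o.RoundTrip = err == nil && bytes.Equal(got, msg)

	tampered := &Envelope{WrappedKey: env.WrappedKey, Sealed: append([]byte(nil), env.Sealed...)}
	tampered.Sealed[len(tampered.Sealed)-1] ^= 0x01
	_, err = HybridDecrypt(recipient, tampered)
	o.TamperDetected = err != nil

	_, err = HybridDecrypt(other, env)
	o.WrongKeyRejected = err != nil
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o) // {RoundTrip:true TamperDetected:true WrongKeyRejected:true}
}
```

Note that encryption alone gives confidentiality; the integrity the slide lists separately comes from the GCM tag here, and from a digital signature when the sender must also be proven.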
20
Areas of unusual concern
E-mail & fax
Telecommuting
IT applications
Logging & Audit trails
Suspect activity & security incidents
21
IT Applications
What enhanced security features will vendors provide?
Interoperability in “best of breed” environment
Audit trails & logs
Access & authorization controls
“Single sign-on”
– Valuable protection, or
– A more attractive target?
22
Suspect Activity & Incidents
Suspect activity
– Regular vulnerability assessments
– Intrusion detection
– Surveillance of traffic
Incident response
– Treat like crime!
– Get forensic help - evidence gathering & protection
– Change policy, procedure & technology as appropriate
• How incidents are identified
• Ensuring staff report incidents
• Knowing what is unauthorized
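As an added example (not from the presentation) of the "surveillance of traffic" and intrusion-detection items above: a Go program that reads firewall deny-log lines and flags a source that touches many distinct ports in a short window, the signature of a port scan. The log format, the field names and every line of the sample log are constructed for the demo (RFC 5737 test addresses); one host sweeps ports, one hammers a single port (a brute-force pattern, not a scan), and one touches a few ports spread over more than an hour, so only the first is reported.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// SampleLog is a constructed deny log, not real traffic.
const SampleLog = `
2002-02-28T10:00:00Z DENY src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp
2002-02-28T10:00:01Z DENY src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2002-02-28T10:00:02Z DENY src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp
2002-02-28T10:00:03Z DENY src=203.0.113.5 dst=192.0.2.10 dport=25 proto=tcp
2002-02-28T10:00:04Z DENY src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp
2002-02-28T10:00:05Z DENY src=203.0.113.5 dst=192.0.2.10 dport=110 proto=tcp
2002-02-28T10:00:06Z DENY src=203.0.113.5 dst=192.0.2.10 dport=143 proto=tcp
2002-02-28T10:00:00Z DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2002-02-28T10:00:03Z DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2002-02-28T10:00:06Z DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2002-02-28T10:00:09Z DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2002-02-28T10:00:12Z DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2002-02-28T10:00:15Z DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2002-02-28T10:00:00Z DENY src=203.0.113.9 dst=192.0.2.10 dport=80 proto=tcp
2002-02-28T10:20:00Z DENY src=203.0.113.9 dst=192.0.2.10 dport=443 proto=tcp
2002-02-28T10:40:00Z DENY src=203.0.113.9 dst=192.0.2.10 dport=8080 proto=tcp
2002-02-28T11:00:00Z DENY src=203.0.113.9 dst=192.0.2.10 dport=8443 proto=tcp
2002-02-28T11:20:00Z DENY src=203.0.113.9 dst=192.0.2.10 dport=3389 proto=tcp
`

// Event is one denied connection attempt.
type Event struct {
	When  time.Time
	Src   string
	DPort int
}

// ParseLog reads the key=value lines above into events, skipping blank lines.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %v", line, err)
		}
		ev := Event{When: ts}
		for _, f := range fields[1:] {
			kv := strings.SplitN(f, "=", 2)
			if len(kv) != 2 {
				continue
			}
			switch kv[0] {
			case "src":
				ev.Src = kv[1]
			case "dport":
				if ev.DPort, err = strconv.Atoi(kv[1]); err != nil {
					return nil, fmt.Errorf("bad dport in %q: %v", line, err)
				}
			}
		}
		if ev.Src == "" {
			return nil, fmt.Errorf("missing src in %q", line)
		}
		events = append(events, ev)
	}
	return events, sc.Err()
}

// Alert names a source that looks like it is scanning.
type Alert struct {
	Src       string
	Ports     int       // distinct destination ports inside the window
	FirstSeen time.Time // start of the window that tripped the threshold
}

// DetectScans flags any source that touches at least threshold distinct
// destination ports within any window-long interval. Repeated hits on one
// port do not count, and slow touches spread beyond the window do not accumulate.
func DetectScans(events []Event, window time.Duration, threshold int) []Alert {
	bySrc := map[string][]Event{}
	for _, e := range events {
		bySrc[e.Src] = append(bySrc[e.Src], e)
	}
	var alerts []Alert
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		ports := map[int]int{} // port -> hits currently inside the sliding window
		start := 0
		for end := range evs {
			ports[evs[end].DPort]++
			for evs[end].When.Sub(evs[start].When) > window { // slide the window forward
				p := evs[start].DPort
				ports[p]--
				if ports[p] == 0 {
					delete(ports, p)
				}
				start++
			}
			if len(ports) >= threshold {
				alerts = append(alerts, Alert{Src: src, Ports: len(ports), FirstSeen: evs[start].When})
				break // one alert per source is enough here
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectScans(events, time.Minute, 5) {
		fmt.Printf("possible port scan from %s: %d ports, from %s\n", a.Src, a.Ports, a.FirstSeen.Format(time.RFC3339))
	}
}
```

The window and threshold are the tuning knobs: too small a threshold alerts on ordinary clients that use a handful of services, too large a window lets a slow scan hide. The single-port host here is the kind of activity a separate rule (repeated failures against one service) would catch.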
23
You Can be more Secure!
Services for a Trusted Environment
– Confidentiality
– Integrity
– Availability
– Identification & Authentication
– Authorization & Access Control
– Non-repudiation
– Forensics
24
Vulnerability Testing Services
External Port Scan
Vulnerability Scan of External Network
Penetration Testing
Phone Sweep
25
Security Assessment Services
• Comprehensive review of a client’s security
• Designed to assess and prioritize a client’s security risks and develop a comprehensive action plan
26
Technology Planning
3rd Party Best-of-Breed Solutions
• Firewalls
• Intrusion Detection
• Anti-Virus/Content Filtering
• Auditing
• Strong Authentication
• VPN
• PKI
• Physical Security
• Biometrics
27
Training Programs
Security Awareness Program
Technical Training
Intelligence Programs
Thank you for your time. Please contact your Verizon Account Manager for further information regarding solutions for your security needs.