Lec01 - Fundamental Aspect

Network Security

Fundamental Aspects

Faculty of Information Technology
Hanoi University

Contents

• Information Security Definition and Concept
• AAA & CIA models
• Threats and Risks
• Some security guidelines
What is Security

• Security: "The quality or state of being secure—to be free from danger"
• Security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology

"This is, of course, untrue. You can never secure yourself 100% from anything. Even I cannot help you be 100% secure or 100% private."
Layers of security

• A successful organization should have multiple layers of security in place:
  • 1: Mission Critical Assets – this is the data you need to protect
  • 2: Data Security – data security controls protect the storage and transfer of data.
  • 3: Application Security – application security controls protect access to an application, an application's access to your mission critical assets, and the internal security of the application.
  • 4: Endpoint Security – endpoint security controls protect the connection between devices and the network.
  • 5: Network Security – network security controls protect an organization's network and prevent unauthorized access to the network.
  • 6: Perimeter Security – perimeter security controls include both the physical and digital security methodologies that protect the business overall.
  • 7: The Human Layer – humans are the weakest link in any cybersecurity posture. Human security controls include phishing simulations and access management controls that protect mission critical assets from a wide variety of human threats, including cyber criminals, malicious insiders, and negligent users.
Building elements of Information Security: the AAA triad

• Authentication
• Access Control
• Auditing
Authentication

• Sender and receiver want to confirm each other's identity
• Who am I talking to?

Example: FIT E-learning

[Figure: Student V reaches the FIT E-learning server through a chain of ISPs (ISP A, ISP B, ISP C, ISP D).]

Authentication: Who am I talking to?

[Figure: Student V sends "Hello, I'm V" to FIT E-learning. The server asks "Is that student V?"; the student asks "Is that FIT?".]
Authentication

• Protection mechanisms
  • Password
    • Manual
    • One-Time Password
  • Key sharing
    • Public-private keys
    • Wi-Fi (e.g. a pre-shared key)
  • Challenge-Response
  • Multi-factor Authentication
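The "Is that student V?" / "Is that FIT?" exchange above, carried out with challenge-response over a shared key, as an added example (this is not the lecture's code and does not describe any real FIT E-learning protocol). The user names, the shared key and the three-message layout are assumptions made for illustration. The point it shows beyond the slide: the key itself is never sent, each nonce is accepted once (so a captured answer cannot be replayed), and the role tag inside the MAC stops a server proof from being reflected back as a client proof.

```python
import hashlib
import hmac
import secrets
import time


def _prove(key, role, nonce_a, nonce_b):
    # The role tag is part of the MAC input (domain separation), so a proof the
    # server produced can never be replayed back to it as a client proof.
    return hmac.new(key, role + nonce_a + nonce_b, hashlib.sha256).digest()


class Server:
    """Knows each user's shared key and remembers the challenges it issued."""

    def __init__(self, keys_by_user, ttl_seconds=30):
        self._keys = keys_by_user   # user -> shared key (constructed for the demo)
        self._pending = {}          # server nonce -> (user, client nonce, issued at)
        self._ttl = ttl_seconds

    def challenge(self, user, client_nonce):
        """Message 2: answer "Hello, I'm V" with a fresh nonce plus a proof that the
        server knows V's key, which is what lets V decide "Is that FIT?"."""
        server_nonce = secrets.token_bytes(16)
        key = self._keys.get(user)
        if key is None:
            # Unknown account: same message shape, random "proof", so the handshake
            # does not reveal which user names exist.
            return server_nonce, secrets.token_bytes(32)
        self._pending[server_nonce] = (user, client_nonce, time.monotonic())
        return server_nonce, _prove(key, b"server", client_nonce, server_nonce)

    def verify(self, user, server_nonce, response):
        """Message 3: check the client's proof ("Is that student V?"). A server nonce
        is accepted once and expires, so a captured response cannot be replayed."""
        entry = self._pending.pop(server_nonce, None)
        if entry is None:
            return False
        pending_user, client_nonce, issued_at = entry
        if pending_user != user or time.monotonic() - issued_at > self._ttl:
            return False
        expected = _prove(self._keys[user], b"client", server_nonce, client_nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Client:
    def __init__(self, user, key):
        self.user, self._key = user, key
        self.client_nonce = None

    def hello(self):
        """Message 1: "Hello, I'm V", plus a nonce the server must answer to."""
        self.client_nonce = secrets.token_bytes(16)
        return self.user, self.client_nonce

    def respond(self, server_nonce, server_proof):
        """Check the server first; never answer an impostor. Returns None on failure,
        otherwise the client's own proof (the key itself is never transmitted)."""
        expected = _prove(self._key, b"server", self.client_nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            return None
        return _prove(self._key, b"client", server_nonce, self.client_nonce)


def run_handshake(server, client):
    """Drive the three messages; returns (client trusts server, server trusts client)."""
    user, client_nonce = client.hello()
    server_nonce, server_proof = server.challenge(user, client_nonce)
    answer = client.respond(server_nonce, server_proof)
    if answer is None:
        return False, False
    return True, server.verify(user, server_nonce, answer)
```

A shared-key scheme like this authenticates both ends only if the key stays secret on both; a public-key variant (the "public-private keys" item above) would replace `_prove` with a signature over the same nonces and needs no secret on the server side.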
Access Control

• Access control can be defined as a policy, software component, or hardware component that is used to grant or deny access to a resource.
• Examples of hardware components: a smart card, a biometric device, or network access hardware
Access Control

• Services must be accessible to appropriate users
• Do you have adequate privileges to access this information?
Access control

[Figure: Student V and Mr. Anonymous (Mr. T) both reach FIT E-learning through ISPs A to D. The question at the server: is Mr. T allowed to view course contents?]
Access Control

• Protection mechanisms
  • Access control list
  • Firewall
  • VPN
  • Smart card
  • Rules
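An access control list answering "is Mr. T allowed to view course contents?", as an added example (not the lecture's code). The course name, the user names, the roles and the rule format are constructed for the FIT E-learning scenario. Two design points the slide leaves implicit are made explicit: the default is deny (a user with no matching rule, such as Mr. Anonymous, gets nothing), and explicit deny rules are evaluated before allows, so a suspended student stays locked out even though the role he holds would grant access.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    principal: str   # a user name, "role:<name>", or "*" for everyone
    action: str      # "view", "submit", "grade", ...
    resource: str    # glob over resource names, e.g. "course:NS101/*"
    allow: bool      # True = allow, False = explicit deny


class AccessControlList:
    """Ordered ACL: the first rule that matches decides; no match means deny.

    Explicit deny rules are placed first, so a denied user stays denied even when
    a role he holds would otherwise grant access."""

    def __init__(self, rules, roles_by_user):
        self._rules = sorted(rules, key=lambda r: r.allow)  # False (deny) sorts first
        self._roles = roles_by_user                         # user -> set of role names

    def _principals(self, user):
        names = {user, "*"}
        names.update(f"role:{r}" for r in self._roles.get(user, ()))
        return names

    def decide(self, user, action, resource):
        """Answer "Do you have adequate privileges to access this information?"."""
        principals = self._principals(user)
        for rule in self._rules:
            if (rule.principal in principals and rule.action == action
                    and fnmatchcase(resource, rule.resource)):
                return rule.allow
        return False  # default deny: no rule, no access


# Constructed policy for the FIT E-learning example: students of NS101 may view
# its contents and submit homework; lecturers may grade; one suspended student
# is denied explicitly. "Mr. T" (Mr. Anonymous) holds no role at all.
RULES = [
    Rule("role:ns101-student", "view", "course:NS101/*", True),
    Rule("role:ns101-student", "submit", "course:NS101/homework", True),
    Rule("role:ns101-lecturer", "view", "course:NS101/*", True),
    Rule("role:ns101-lecturer", "grade", "course:NS101/homework", True),
    Rule("suspended-student", "view", "course:*", False),
]
ROLES = {
    "V": {"ns101-student"},
    "lecturer-1": {"ns101-lecturer"},
    "suspended-student": {"ns101-student"},
}
ACL = AccessControlList(RULES, ROLES)
```

Every `decide` call is also the natural place to emit an audit record (who, what, which resource, allowed or denied), which is what the next slides on auditing rely on.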
Auditing

• Auditing is the process of tracking and reviewing events, errors, access, and authentication attempts on a system.
• Protection mechanism: logging system, history.

Auditing

• Develop a path-and-trail system in the logging of monitored events that allows usage and access, whether authorized or unauthorized, to be tracked.
• It improves security and allows for better audit policies and rules
Example: Enable auditing for logon events

Go to Administrative Tools | Local Security Policy
Navigate to Local Policies | Audit Policy
Enable auditing for logon events
Go to Event Viewer to see logs.
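Enabling the audit policy only produces the records; the "reviewing" half of auditing means reading them. The following added example (not from the lecture) runs two simple checks over logon events: a burst of failures from one source, and a success that follows such a burst. Windows really does record successful logons as Event ID 4624 and failed ones as 4625 in the Security log; the one-line-per-event CSV layout below is a constructed simplification of what Event Viewer shows, so the example runs offline.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625   # Windows Security log event IDs

# Constructed sample: one logon event per line, flattened from what Event Viewer
# shows after "Audit logon events" is enabled.
SAMPLE_LOG = """\
timestamp,event_id,account,source_ip
2025-03-27T08:00:01,4624,V,10.1.2.3
2025-03-27T08:00:10,4625,V,203.0.113.7
2025-03-27T08:00:15,4625,V,203.0.113.7
2025-03-27T08:00:20,4625,V,203.0.113.7
2025-03-27T08:00:30,4625,V,203.0.113.7
2025-03-27T08:00:40,4625,V,203.0.113.7
2025-03-27T08:00:45,4624,V,203.0.113.7
2025-03-27T08:05:00,4625,admin,203.0.113.7
2025-03-27T08:05:09,4625,admin,203.0.113.7
2025-03-27T08:30:00,4625,V,10.1.2.3
"""


def parse_events(text):
    """Yield events as dicts, oldest first, with the timestamp parsed."""
    for row in csv.DictReader(StringIO(text)):
        yield {
            "time": datetime.fromisoformat(row["timestamp"]),
            "event_id": int(row["event_id"]),
            "account": row["account"],
            "source_ip": row["source_ip"],
        }


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Password-guessing indicator: `threshold` failures for one (account, source)
    inside `window`. Returns (account, source_ip, time of the failure that
    crossed the threshold); each burst is reported once."""
    recent = defaultdict(deque)
    hits = []
    for ev in events:
        if ev["event_id"] != LOGON_FAILURE:
            continue
        key = (ev["account"], ev["source_ip"])
        q = recent[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()                      # slide the window forward
        if len(q) == threshold:
            hits.append((*key, ev["time"]))
    return hits


def success_after_failures(events, min_failures=3):
    """Stronger indicator: a success that directly follows a run of failures from
    the same source, i.e. the guessing may have worked."""
    streak = defaultdict(int)
    hits = []
    for ev in events:
        key = (ev["account"], ev["source_ip"])
        if ev["event_id"] == LOGON_FAILURE:
            streak[key] += 1
        elif ev["event_id"] == LOGON_SUCCESS:
            if streak[key] >= min_failures:
                hits.append((*key, ev["time"]))
            streak[key] = 0
    return hits
```

Both functions walk the events once, so `list(parse_events(...))` should be materialised if the same data is fed to both. The two failures for `admin` and the single typo from V's usual address stay below the thresholds, which is the kind of tuning a real audit policy needs so that the trail stays readable.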


Security Goal: CIA TRIAD

• Confidentiality
• Integrity
• Availability

INFORMATION ATTRIBUTES

ISO 27002:2005 defines Information Security as the preservation of:

• Confidentiality: ensuring that information is accessible only to those authorized to have access
• Integrity: safeguarding the accuracy and completeness of information and processing methods
• Availability: ensuring that authorized users have access to information and associated assets when required

03/27/2025 Mohan Kamat
Confidentiality

• Only the sender and the intended receiver should "understand" the message contents
• Is my data hidden from others?

Confidentiality

• Protection mechanisms
  • Data encryption
    • Symmetric
    • Asymmetric (public-private keys)
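Symmetric encryption hiding Student V's homework from Mr. T, as an added example (not the lecture's code). To run with only the Python standard library it builds a stream cipher from HMAC-SHA256 used as a PRF in counter mode (keystream block i = HMAC(key, nonce || i)); that is a sound construction but slow, and production code should use AES-GCM or ChaCha20-Poly1305 from a vetted library. Asymmetric encryption is not shown. The key, nonce and messages are constructed, and `encrypt`, `decrypt`, `nonce_reuse_leak` and `tamper` are this example's own names. Beyond the slide it shows two failure modes a practitioner should know: reusing a nonce leaks the XOR of two plaintexts, and encryption on its own does not stop Mr. T from modifying the ciphertext undetected, which is why the integrity slides follow.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key, nonce, length):
    # Block i of the keystream is PRF(key, nonce || i); HMAC-SHA256 serves as the PRF.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, plaintext, nonce=None):
    """Returns nonce || ciphertext. The nonce must never repeat under one key; the
    optional parameter exists only so that the reuse failure can be demonstrated."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt(key, blob):
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


def nonce_reuse_leak(blob1, blob2):
    """What Mr. T learns if two messages share key and nonce: the XOR of the two
    plaintexts, without knowing the key (the identical keystreams cancel out)."""
    return _xor(blob1[NONCE_LEN:], blob2[NONCE_LEN:])


def tamper(blob, plaintext_index, mask):
    """What Mr. T can do without the key: flip bits in the ciphertext, which flips
    the same bits in the decrypted plaintext. Encryption alone gives
    confidentiality, not integrity."""
    out = bytearray(blob)
    out[NONCE_LEN + plaintext_index] ^= mask
    return bytes(out)
```

The `tamper` case is the bridge to the next slides: a grade of "42" silently becomes "02" and the receiver has no way to tell. Pairing the ciphertext with a MAC or a digital signature is what turns "hidden" into "hidden and unmodified".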
Confidentiality: Is my data hidden?

[Figure: Student V sends homework to FIT E-learning through ISPs A to D while Mr. T sits on the path. The question: can Mr. T see my homework?]
Integrity

• Sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection
• Has my data been modified?
Integrity: Has my data been modified?

[Figure: Student V submits homework to FIT E-learning through ISPs A to D while Mr. T sits on the path. The question: can Mr. T modify student V's homework?]
Integrity

• Protection mechanisms
  • Digital signature
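A digital signature detecting modification of Student V's homework, as an added example (not the lecture's code). To stay runnable with only the standard library it uses Lamport's one-time signature over SHA-256: the private key is 256 pairs of random values, the public key is their hashes, and signing reveals one value per bit of the message digest. A Lamport key pair must sign exactly one message (a second signature reveals more private values); real systems use Ed25519 or RSA-PSS from a vetted library. The messages are constructed and the function names are this example's own.

```python
import hashlib
import secrets

N_BITS = 256   # one pair of private values per bit of the SHA-256 digest


def _h(data):
    return hashlib.sha256(data).digest()


def _message_bits(message):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def keygen():
    """Private key: 256 pairs of random 32-byte values. Public key: their hashes.
    Student V keeps the private key; FIT (or anyone) may hold the public key."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    public = [(_h(x0), _h(x1)) for x0, x1 in private]
    return private, public


def sign(private, message):
    """For each bit of SHA-256(message) reveal the matching half of that pair.
    ONE message per key pair: a second signature reveals more private values."""
    return [private[i][bit] for i, bit in enumerate(_message_bits(message))]


def verify(public, message, signature):
    """Recompute the message bits and check that each revealed value hashes to the
    published half. Any change to the message flips digest bits whose preimages
    the forger never saw, so verification fails."""
    if len(signature) != N_BITS:
        return False
    ok = True
    for i, bit in enumerate(_message_bits(message)):
        ok &= _h(signature[i]) == public[i][bit]   # no early exit: uniform timing
    return ok
```

The public key lets Mr. T verify V's homework but not forge a new signature, because forging would require a preimage of a hash he only knows by its output. Note what a signature does and does not do: it detects modification; it does not prevent Mr. T from changing the bytes, and it does not hide them (that is the previous slide's job).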
Availability

• Services must be available to users
• Can I reach the destination?

Availability: Can I reach the destination?

[Figure: Student V asks "Can I access FIT during the midterm?" while reaching FIT E-learning through ISPs A to D.]
Availability

• Protection mechanisms
  • Backup and recovery
  • Firewall
  • Vulnerability scanning and patching
  • Intrusion detection and response
  • Virus scanning
What is Risk?

Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Threat: something or someone that can potentially cause damage to the organisation, IT systems, or network.

Vulnerability: a weakness in the organization, IT systems, or network that can be exploited by a threat.
INFORMATION SECURITY SURVEY

• Information Security is an "organizational problem" rather than an "IT problem"
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest risk: people
• Biggest asset: people
• Social engineering is a major threat
• More than 2/3 express their inability to determine "whether my systems are currently compromised"
RISKS & THREATS

Potential threats:

• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Systems and network failure
• Lack of documentation
• Lapse in physical security
• Natural calamities and fire
SO HOW DO WE OVERCOME THESE PROBLEMS?
USER RESPONSIBILITIES

Information Security Policy

• The IS Policy is approved by top management
• The policy is released on the intranet at http://xx.xx.xx.xx/ISMS/index.htm
USER RESPONSIBILITIES

Access Control - Physical

Do:
• Follow security procedures
• Wear identity cards and badges
• Ask an unauthorized visitor for his credentials
• Attend to visitors in the reception and conference room only

Don't:
• Bring visitors into the operations area without prior permission
• Bring hazardous and combustible material into a secure area
• Practice "piggybacking" (following an authorized person through a controlled door without presenting your own credentials)
• Bring and use pen drives, zip drives, iPods, or other storage devices unless authorized to do so
USER RESPONSIBILITIES

Password Guidelines

Do:
• Always use a password of at least 8 characters with a combination of letters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that you can easily remember
• Change your password regularly as per policy
• Use a password that is significantly different from earlier passwords

Don't:
• Use passwords that reveal your personal information or words found in a dictionary
• Write down or store passwords
• Share passwords over phone or e-mail
• Use passwords which do not match the above complexity criteria
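A checker for the guidelines above, as an added example (not part of the lecture). The dictionary word list is a constructed stand-in for a real one, the "personal information" strings are supplied by the caller, and the 60% similarity threshold for "significantly different from earlier passwords" is an assumption. One caveat a practitioner would add: current guidance (NIST SP 800-63B) favours length and screening against known-breached passwords over composition rules and calendar-driven rotation, so in practice the dictionary set below would be a breached-password list and "change regularly" would become "change on evidence of compromise".

```python
import difflib
import string

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY_WORDS = {"password", "welcome", "hanoi", "student", "letmein", "qwerty", "123456"}


def check_password(candidate, previous=(), personal=(), min_length=8, max_similarity=0.6):
    """Return the list of guideline violations; an empty list means the password
    passes. `previous` are the user's earlier passwords, `personal` are strings
    such as names, user name or birth year that must not appear."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in string.punctuation for c in candidate)
    if not (has_alpha and has_digit and has_special):
        problems.append("must combine letters, digits and special characters (*, %, @, #, $, ^)")
    lowered = candidate.lower()
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for item in personal:
        if len(item) >= 3 and item.lower() in lowered:   # ignore 1-2 letter items
            problems.append(f"contains personal information '{item}'")
    for old in previous:
        # Ratio of matching characters: 1.0 means identical, 0.0 means nothing in common.
        ratio = difflib.SequenceMatcher(None, old, candidate).ratio()
        if ratio > max_similarity:
            problems.append(f"too similar to an earlier password ({ratio:.0%} alike)")
    return problems
```

The similarity check is the part most policies skip: it catches the common "increment the last character" habit that a plain complexity rule lets through. Comparing against previous passwords requires keeping them in a form you can compare, so in a real system this check runs once at change time against the old password the user has just typed, not against stored history.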
USER RESPONSIBILITIES

Internet Usage

• Use internet services for business purposes only
• Do not use the internet for viewing, storing or transmitting obscene or pornographic material
• Do not use the internet for accessing auction sites
• Do not use the internet for hacking other computer systems
• Do not use the internet to download / upload commercial software / copyrighted material

The Technology Department is continuously monitoring Internet usage. Any illegal use of the internet and other assets shall call for disciplinary action.
USER RESPONSIBILITIES

E-mail Usage

• Use official mail for business purposes only
• Follow the mail storage guidelines to avoid blocking of e-mails
• If you come across any junk / spam mail, do the following:
  a) Remove the mail.
  b) Inform the security help desk
  c) Inform the server administrator
  d) Inform the sender that such mails are undesired (note that replying to spam confirms your address is live; most organizations now advise reporting rather than replying)
• Do not use your official ID for any personal subscription purpose
• Do not send unsolicited mails of any type, such as chain letters or e-mail hoaxes
• Do not send mails to clients unless you are authorized to do so
• Do not post non-business related information to a large number of users
• Do not open mail or attachments suspected to carry a virus or received from an unidentified sender
USER RESPONSIBILITIES

Security Incidents

Report security incidents (IT and non-IT) to the Helpdesk through:
• E-mail to [email protected]
• Telephone: xxxx-xxxx-xxxx
• Anonymous reporting through drop boxes

e.g.:
IT incidents: mail spamming, virus attack, hacking, etc.
Non-IT incidents: unsupervised visitor movement, information leakage, bringing unauthorized media

• Do not discuss security incidents with anyone outside the organisation
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents
USER RESPONSIBILITIES

• Ensure your desktops have the latest antivirus updates
• Ensure your system is locked when you are away
• Always store laptops / media in a lockable place
• Be alert while working on laptops during travel
• Ensure sensitive business information is under lock and key when unattended
• Ensure back-up of sensitive and critical information assets
• Understand compliance issues such as:
  Cyber law
  IPR, copyrights, NDA
  Contractual obligations with customers
• Verify credentials if a message is received from an unknown sender
• Always switch off your computer before leaving for the day
• Keep yourself updated on information security aspects
Disable non-essential services, protocols, processes, and programs

• Protocols, systems, and processes that are left running consume system resources and allow potential attacks to occur that could damage your systems.
• If they are not being actively used, they are an unnecessary security risk.
• The solution is simply to disable or inactivate the service, protocol, system, or process which is not needed.

But... Be Careful!

You need to understand what it is and what you are doing!
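Finding out "what it is" before disabling anything starts with an inventory of what is actually listening. The following added example (not from the lecture) parses the output of `ss -tulpn` (listening TCP/UDP sockets with their owning process), compares it with a documented allow-list of (protocol, port), and marks which unexpected listeners are reachable from the network rather than bound to loopback. The sample output and the allow-list are constructed; `parse_ss` and `unexpected_listeners` are this example's own names.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulpn` output; run the real command as root to get
# the live list for a host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      50     0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=700,fd=5))
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=501,fd=6))
tcp   LISTEN 0      128    [::]:80             [::]:*            users:(("nginx",pid=900,fd=6))
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str
    exposed: bool   # bound to a non-loopback address, i.e. reachable from the network


def parse_ss(text):
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)       # rsplit so "[::]:80" splits correctly
        match = re.search(r'\(\("([^"]+)"', line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(proto, addr, int(port), process, addr not in LOOPBACK))
    return listeners


def unexpected_listeners(text, allowed):
    """Everything listening that is not on the documented allow-list of
    (protocol, port). Review each hit, find the unit that owns the process, and
    only then disable it."""
    return [l for l in parse_ss(text) if (l.proto, l.port) not in allowed]


ALLOWED = {("tcp", 22), ("tcp", 80)}   # constructed baseline for this host
```

On the sample the telnet listener (`inetd` on tcp/23) and `rpcbind` (udp/111) are exposed to the network and are the ones to act on first; `cupsd` is loopback-only and lower priority. The process name is the lead for the "understand what it is" step: map it to its service unit (for example with `systemctl status <pid>`), confirm nothing depends on it, and only then disable it with `systemctl disable --now <unit>`.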
Any questions?
Tutorial 1

• At home: Download Kali 2019 ISO + VirtualBox
• Tut1: Set up VirtualBox, Kali + set up the network