Network Security by HC12080713135


Network Security
                 Trivia 1
• How many percent of the restaurants
  opened today will be in business next
  year?

     a. 90 percent
     b. 50 percent
     c. 20 percent
     d. 10 percent
                Trivia 2
• How many percent of the restaurants
  opened today will be hacked next year?

    a. 90 percent
    b. 50 percent
    c. 20 percent
    d. 10 percent
              Introduction
• Technology has become inseparable from
  hospitality operations.

• Technology becomes a part of the DNA of
  the company

• Information security is getting more
  important.
And we are all under compliance
Assurance is key
              Introduction
• Every day thousands of major security
  breaches occur in the public and private
  sector, resulting in serious financial and
  property losses (Flink, 2002).

• 75% of email is spam (EWeek, 2004)

• In 2004, every single computer was
  attacked by a virus at least one time.
 Computer viruses are most commonly spread by…
a) Reading jokes on the Internet
b) Opening e-mail attachments
c) Downloading pictures from the web
d) Poorly chosen computer passwords

• To a limited extent, malicious code can be picked up from downloading files from the Internet.
• Most viruses are spread through attachments being sent in e-mail.
• According to a recent study by SANS, nearly 40% of all e-mail attachments are infected by a virus.
      Does your organization use perimeter protection?
• We do not have a firewall.
• We have a firewall, and block only what we are scared of.
• We have a firewall with a default deny all policy, and allow traffic through by exception.
• We practice defense in depth: we have a corporate firewall and host-based firewalls wherever possible.

• If you don’t have a firewall, you are just asking for trouble. You even need firewalls at each of your restaurants that connect to the Internet.
• And even if you do have a firewall, you have to set your policy by default to reject all traffic, and from there, only allow traffic through that you want.
• And oh yeah, you better have firewalls on your POS systems as well.
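An added example (not from the original slides) contrasting the two firewall stances above: a small packet-filter model evaluates constructed traffic under a "block only what we are scared of" default-allow blocklist and under a default-deny policy that admits traffic only by exception. The Rule and Packet classes, the addresses and the port numbers are all made up for the illustration; this is not any real firewall's rule syntax.

```python
"""Added example, not from the original slides: a tiny packet-filter model that
contrasts a default-allow blocklist with a default-deny, allow-by-exception policy.
Rules, packets, addresses and port numbers are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str        # source address (constructed sample value)
    dport: int      # destination port
    proto: str      # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any port
    src_prefix: Optional[str] = None  # simple string-prefix match, e.g. "10.0."

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix)))

@dataclass
class Policy:
    default: str        # action taken when no rule matches
    rules: List[Rule]

    def decide(self, p: Packet) -> str:
        # First matching rule wins, as in most packet filters.
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default

# Policy A: a firewall that only blocks the services the admins have heard about.
BLOCKLIST_POLICY = Policy(default="allow", rules=[
    Rule("deny", proto="tcp", dport=23),     # telnet
    Rule("deny", proto="tcp", dport=445),    # SMB
])

# Policy B: default deny; only the services the business needs are opened.
DEFAULT_DENY_POLICY = Policy(default="deny", rules=[
    Rule("allow", proto="tcp", dport=443),                     # HTTPS to the web front end
    Rule("allow", proto="tcp", dport=22, src_prefix="10.0."),  # SSH only from the corporate LAN
])

# Constructed sample traffic.  The last packet is the interesting one: a listener
# nobody thought to block (port 5555 here is a made-up back-office service).
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", 443, "tcp"),
    Packet("198.51.100.7", 23, "tcp"),
    Packet("10.0.3.14", 22, "tcp"),
    Packet("198.51.100.7", 22, "tcp"),
    Packet("203.0.113.9", 5555, "tcp"),
]

def evaluate(policy: Policy, traffic: List[Packet]) -> List[str]:
    """Return the verdict for each packet, in order."""
    return [policy.decide(p) for p in traffic]

def unexpected_admissions(policy: Policy, traffic: List[Packet]) -> List[Packet]:
    """Packets the policy lets in although no explicit rule matched them, i.e.
    traffic admitted purely by the default action.  Under a default-allow policy
    this list is the attack surface nobody reviewed."""
    return [p for p in traffic
            if policy.decide(p) == "allow" and not any(r.matches(p) for r in policy.rules)]

if __name__ == "__main__":
    for name, pol in [("blocklist", BLOCKLIST_POLICY), ("default-deny", DEFAULT_DENY_POLICY)]:
        print(name, evaluate(pol, SAMPLE_TRAFFIC))
        print("  admitted only by the default action:", unexpected_admissions(pol, SAMPLE_TRAFFIC))
```

Under the blocklist every packet that is not telnet or SMB gets through, including the unreviewed port 5555 and SSH from the Internet; under default deny those packets are dropped and the only admitted traffic is what a rule explicitly names.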
              True or false?
• Working away from the office gives you more freedom from the company’s security policies.
• False.
• The company’s security standards and policies are even more important when you are working away from the office.
 Does your organization use intrusion detection systems?
• We do not have IDSs.
• We have IDSs, but do not review system logs.
• We have IDSs, and review all system logs.
• We have IDSs throughout our network and perform event correlation.

• If you do not have intrusion detection systems (IDSes) throughout your organization—extending to your restaurants and any other location that feeds info directly to your headquarters—you could be attacked without knowing it.
• And to make sense of it all, you need to perform event correlation to determine if you are being hit by a blended attack.
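The event-correlation point above, as an added example that is not part of the original slides: constructed log lines from a perimeter firewall, a network IDS and a host anti-virus agent are grouped by target host inside a time window, so that fragments no single sensor would escalate on its own show up together as one blended-attack incident. The log layout, the addresses and the signature names are made up for the illustration.

```python
"""Added example, not from the original slides: correlate constructed log lines from
three sensors (perimeter firewall 'fw', network IDS 'ids', host anti-virus 'av') by
target host inside a time window.  Log layout, addresses and signature names are
made up for the illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs.  Each line: timestamp  sensor  action  key=value fields.
SAMPLE_LOGS = """\
2004-11-03T09:14:02 fw  drop   src=203.0.113.45 dst=10.0.1.20 dport=445
2004-11-03T09:14:03 fw  drop   src=203.0.113.45 dst=10.0.1.20 dport=139
2004-11-03T09:14:05 fw  accept src=203.0.113.45 dst=10.0.1.20 dport=80
2004-11-03T09:14:09 ids alert  src=203.0.113.45 dst=10.0.1.20 sig=WEB-IIS_unicode_traversal
2004-11-03T09:15:30 av  detect host=10.0.1.20 file=readme.eml threat=Nimda
2004-11-03T09:40:00 fw  accept src=198.51.100.8 dst=10.0.1.20 dport=80
2004-11-03T13:02:11 ids alert  src=198.51.100.8 dst=10.0.1.30 sig=SCAN_tcp_sweep
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\w+)\s+(.*)$")

def parse(lines: str) -> List[Dict[str, object]]:
    """Turn raw lines into event dicts with a common 'target' key (the internal host)."""
    events = []
    for raw in lines.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, sensor, action, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "sensor": sensor, "action": action}
        ev.update(kv.split("=", 1) for kv in rest.split())
        # Firewall and IDS name the victim as dst, the AV agent as host.
        ev["target"] = ev.get("dst") or ev.get("host")
        events.append(ev)
    return events

def per_sensor_counts(events) -> Dict[str, int]:
    """What a flat, sensor-by-sensor log review sees: just volumes per sensor."""
    return dict(Counter(e["sensor"] for e in events))

def correlate(events, window: timedelta = timedelta(minutes=10)) -> Dict[str, Dict]:
    """For each target host, look for a window in which at least two different sensors
    fired and at least one of them was a detection (ids or av).  Returns
    {target: {'sensors': [...], 'sources': [...], 'signals': [...]}}."""
    by_target = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["target"]:
            by_target[ev["target"]].append(ev)
    incidents = {}
    for target, evs in by_target.items():
        for i, anchor in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            sensors = sorted({e["sensor"] for e in cluster})
            detections = [e for e in cluster if e["sensor"] in ("ids", "av")]
            if len(sensors) >= 2 and detections:
                incidents[target] = {
                    "sensors": sensors,
                    "sources": sorted({e["src"] for e in cluster if "src" in e}),
                    "signals": [e.get("sig") or e.get("threat") for e in detections],
                }
                break  # one incident record per target is enough for the report
    return incidents

if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("per-sensor view:", per_sensor_counts(evs))
    for host, inc in correlate(evs).items():
        print(f"blended attack on {host}: {inc}")
```

The per-sensor view only says "four firewall lines, two IDS alerts, one AV hit"; the correlated view ties the probe, the accepted web request, the traversal alert and the malware detection on 10.0.1.20 to one source inside two minutes, while the lone scan alert against 10.0.1.30 stays a single-sensor event.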
              True or false?
• Off-site tapes and anti-virus updates automatically protect you from virus infections.
• False.
• 90% of all organizations that do not have a very tight security policy only update their virus definitions after they have found new viruses.
• Any virus that existed during the backup process is now successfully backed up.
 Do you have a written set of security policies that have been tested in the last year?
• No, we do not have written security policies.
• We have some policies, but only for critical elements, or they are out of date.
• We have a robust set of policies, and employees are required to review them.

• If you answered no, you are in a world of hurt.
• If you haven’t tested your security blanket from the outside of your organization and from the inside of your organization, you are in a world of hurt.
 Threats aren’t limited to viruses, worms, or
     denial of service attacks anymore
• Nimda had four propagation methods attached
  to it.
  – It embedded itself into .html files on the hotel’s
    “secure” sign-in page, compromising the users’
    computers that signed in without “live” virus
    protection.
  – It then harvested e-mail addresses from the mail box,
    sending out its own e-mails through its own SMTP
    sender application.
  – If the user had a “shared folder” on the computer, it
    proceeded to try and infect those files.
  – It then used the host computer to look for any
    computers running personal web servers, trying to
    use the Unicode Web Traversal exploit to gain control
    of the target.
   If you had brought the virus
           back with you
• Your own computer would have
  – Begun attacking other systems from within
    your network, bypassing your firewall
  – Continued to send out infected e-mails using
    your own mailbox addresses for a
    combination of sender and receiver
  – Probably confounded your net admins if they
    didn’t have an internal intrusion detection
    system
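An added example (not from the original slides) on the defender's side of the Nimda story above, and of the internal visibility the last slide asks for: a log check for the overlong-UTF-8 directory traversal that Nimda used against web servers, run over constructed IIS-style access-log lines. The lenient decoder mirrors the publicly documented server behaviour of accepting overlong two- and three-byte UTF-8 sequences; the log layout, the addresses and the request lines are made up.

```python
"""Added example, not from the original slides: detect the overlong-UTF-8 directory
traversal pattern in web server access logs.  Sample log lines, addresses and the
log layout (date time client-ip method uri-stem status) are constructed."""
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

SAMPLE_WEB_LOG = """\
2004-11-03 09:14:09 203.0.113.45 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
2004-11-03 09:14:10 203.0.113.45 GET /scripts/..%c1%9c../winnt/system32/cmd.exe 200
2004-11-03 09:15:01 198.51.100.8 GET /default.htm 200
2004-11-03 09:15:02 198.51.100.8 GET /images/..%2f..%2fetc/passwd 404
2004-11-03 09:16:00 192.0.2.10 GET /caf%C3%A9/menu.htm 200
"""

def has_overlong_utf8(data: bytes) -> bool:
    """Valid UTF-8 never uses lead bytes C0/C1, and E0 / F0 must be followed by a
    continuation byte of at least A0 / 90.  Anything else is an overlong encoding,
    which a correct decoder rejects and a careless one quietly turns into ASCII."""
    for i, b in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else 0xFF
        if b in (0xC0, 0xC1) or (b == 0xE0 and nxt < 0xA0) or (b == 0xF0 and nxt < 0x90):
            return True
    return False

def _is_continuation(data: bytes, j: int) -> bool:
    return j < len(data) and (data[j] & 0xC0) == 0x80

def lenient_utf8_decode(data: bytes) -> str:
    """Decode like the vulnerable servers did: accept overlong 2- and 3-byte
    sequences, so %c0%af becomes '/' and %c1%9c becomes '\\'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and _is_continuation(data, i + 1):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b < 0xF0 and _is_continuation(data, i + 1) and _is_continuation(data, i + 2):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F))); i += 3
        else:
            out.append("\ufffd"); i += 1   # undecodable byte: keep going
    return "".join(out)

def escapes_webroot(path: str) -> bool:
    """True if the normalised path climbs above the web root via '..' segments."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def scan_web_log(log: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious request: client IP, raw URI, status code and
    the reasons it was flagged ('overlong-utf8' and/or 'traversal')."""
    findings = []
    for raw in log.splitlines():
        parts = raw.split()
        if len(parts) < 6:
            continue
        ip, uri, status = parts[2], parts[4], parts[5]
        decoded = unquote_to_bytes(uri)       # undo %xx once, as the server would
        reasons = []
        if has_overlong_utf8(decoded):
            reasons.append("overlong-utf8")
        if escapes_webroot(lenient_utf8_decode(decoded)):
            reasons.append("traversal")
        if reasons:
            findings.append({"ip": ip, "uri": uri, "status": status, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in scan_web_log(SAMPLE_WEB_LOG):
        print(finding)
```

The two overlong requests are flagged on both counts, the plain %2f traversal on the second count only (a 404 is still worth knowing about), and the legitimately encoded "café" path passes, which is the distinction a naive "any non-ASCII in the URL" rule cannot make.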
                   What you can lose…

What can go awry   Documents  Apps  OSes  Storage  Hardware  Network  Power  Building
Confidentiality    ✓          -     -     ✓        ✓         ✓        -      ✓
Integrity          ✓          ✓     ✓     ✓        ✓         ✓        ✓      ✓
Availability       ✓          ✓     ✓     ✓        ✓         ✓        ✓      ✓
                 A Hotel Computer System
[Figure: diagram of a hotel computer system: the PMS (BOH/FOH, MIS, EIS) and its interfaces, with arrows marking the direction of data flow, to: travel agents; global reservation system; corporate reservation system; corporate guest history; forecasting & scheduling; time & attendance; credit card authorization & EFT; remote sales marketing; pay-per-view / check-out; maid dial-in; sales & catering system; yield management; corporate accounting system; purchasing & inventory; food & beverage inventory system; electronic lock & security system; maintenance; energy; fire & life safety; in-room energy control; call accounting system (CAS); PBX (switch); voicemail; message handling; long distance; wake-up system; mini bar; electronic bar dispenser; restaurant management system (POS). The legend distinguishes systems off premise from systems in-house.]
      Purpose of the Study
• to analyze security practices of
  electronic information, network
  threats and prevention techniques
  in hotels.
      Objective of the Study
• to help information technology
  directors or chief information officers
  with policy development for security
  of electronic information in hotels
        Problem Statement

• In every level of hotel management,
  networks are involved. (Cobanoglu &
  Cougias, 2003).
• At the property level, there are local area
  networks where reservation, front office,
  restaurant management, payroll,
  accounting, human resources, and other
  systems reside.
• In addition, hotels may offer high speed
  Internet access (wireless or wired) to their
  guests in their hotel room or other areas in
  the hotel.
        Review of Literature
• The total volume of information is
  increasing at the rate of some 12 percent
  a year (Daler et al., 1989).

• The Internet now goes into over 120
  nations around the world and has
  approximately 605 million users (NUA
  Internet, 2004)
       Security procedures protect hotel’s DNA

Documents   Refunds   Supply Chain   AR/AP     Reporting   Unstructured
Processes   PMS       Back Office    Billing   Sales       Ops
Datasets    CRS       Inventory      CRM       POS         E-Mail
                 Computer Crimes
• Hacking (also known as Cracking): Knowingly accessing a
  computer without authorization or exceeding authorization of
  a government computer or intentionally accessing a computer
  without authorization or exceeding authorization to acquire
  financial information of a bank, business or consumer.
• Theft of Technology: Knowingly accessing a computer with
  the intent to access or acquire technological information or
  secrets
• Fraud: Knowingly, and with intent to defraud, accessing a
  federal interest computer without authorization or exceeding
  authorization to further a fraud or obtain anything of value.




Source: (The Breaulier Law Office, 2003)
                 Phishing
• fishing for information
• phreaking

• false email in order to gain
  username/password
         Security Scenarios
• While doing a security audit, we took one
  of the main servers out of the building with
  a fake work-order.
• I had access to the network of Hospitality
  School in Thailand without any problem
• Try driving with your wireless-enabled
  laptop in the streets.
     Hacking: An art or crime?
• Whois (server address)
• Keylogger (tracks keyboard strikes)
• Netcraft (make and model of the server)
• Packet Internet Groper (PING)
• Name scan (find out computers in your
  network)
• Port scan (Advanced LAN Scanner)—finds
  open doors
• Attack (CGI, Unshielded directories, Trojan
  horses, etc.)
               Hacking
• DNS Lookup
• Finger
• Name Lookup
• Port Scan
• Trace Route

• http://www.stayinvisible.com/index.pl/network_tools
                Anonymous IP
http://www.stayinvisible.com/index.pl/test_your_ip_nocache
              Trace Email
• http://www.stayinvisible.com/index.pl/test_your_email?action=showheaders&key=349002755807
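For the Phishing and Trace Email slides, an added example that is not part of the original page: it parses the Received: headers of a constructed phishing message to reconstruct the relay path back to the originating host (the same information a "show headers" tool exposes), then lists the header-level warning signs a reviewer would check. The message, the hostnames and the addresses are made up.

```python
"""Added example, not from the original page: walk the Received: headers of a
suspicious e-mail to reconstruct its relay path, then list header-level phishing
indicators.  The message, hostnames and addresses are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

SAMPLE_RAW_EMAIL = """\
Received: from mx.hotel-example.test (mx.hotel-example.test [10.0.0.25])
\tby mail.hotel-example.test with ESMTP id ABC123; Wed, 3 Nov 2004 09:20:11 -0500
Received: from webmail.bank-example.test (unknown [203.0.113.77])
\tby mx.hotel-example.test with SMTP id XYZ789; Wed, 3 Nov 2004 09:20:09 -0500
From: "Bank Example Security" <security@bank-example.test>
Reply-To: verify-account@mail-example.test
To: manager@hotel-example.test
Subject: Please verify your account

Your account will be closed unless you confirm your username and password.
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <receiving-host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)

def hops(raw_email: str) -> List[Dict[str, Optional[str]]]:
    """Relay hops in delivery order (origin first).  Each relay prepends its own
    Received: line, so the header nearest the body is the oldest hop."""
    msg = message_from_string(raw_email)
    chain = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        paren = m.group("paren") or ""
        ip = re.search(r"\[([\d.]+)\]", paren)
        rdns = re.match(r"(\S+)", paren)
        chain.append({"helo": m.group("helo"), "by": m.group("by"),
                      "ip": ip.group(1) if ip else None,
                      "rdns": rdns.group(1) if rdns else None})
    return chain

def _domain(header_value: str) -> str:
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw_email: str) -> Dict[str, object]:
    """Header-only triage: origin host, and the mismatches a reviewer would note."""
    msg = message_from_string(raw_email)
    chain = hops(raw_email)
    origin = chain[0] if chain else None
    flags = []
    if origin and origin["rdns"] in (None, "unknown"):
        flags.append("origin-no-reverse-dns")      # the HELO name is sender-chosen; reverse DNS is not
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-domain-mismatch")   # replies go somewhere other than the claimed sender
    return {"origin_ip": origin["ip"] if origin else None,
            "origin_helo": origin["helo"] if origin else None,
            "hops": len(chain), "flags": flags}

if __name__ == "__main__":
    for hop in hops(SAMPLE_RAW_EMAIL):
        print(hop)
    print(phishing_indicators(SAMPLE_RAW_EMAIL))
```

The origin hop announces itself as webmail.bank-example.test but the receiving relay recorded no reverse DNS for 203.0.113.77, and the Reply-To points at a third domain; the trustworthy part of each Received: line is what the receiving server wrote, not what the connecting host claimed.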
Netcraft
             Methodology

• Population: Hotel managers who are in charge
  of information security practices in the U.S.

• Sample: The target sample consisted of 1143
  technology managers that were current
  subscribers of Hospitality Technology
  magazine as of November 2004.
             Methodology
• The survey has been adapted and
  expanded from 2004 CSI/FBI Computer
  Crime and Security Survey (CSI, 2004).
• Self-administered online survey with four
  sections
  – Security technologies
  – Network security threats
  – Perception statements
  – Demographics and property characteristics
                Findings
• Out of 1143 sample members’ emails, 178
  emails were returned as “undeliverable”,
  reducing the effective sample size to 965.
• 234 filled out the questionnaire, thus
  yielding 24.2% response rate.
• The majority of the respondents (74.3%)
  were somebody who was directly
  responsible for information technology in
  their organizations.
    Top 5 Network Security Tools and Techniques Used by Hotels
Technique              %
Anti-virus Software    84.4%
Physical Security      82.7%
Hardware Firewall      79.7%
Software Firewall      77.6%
Access Control         75.3%
    Top 5 Network Security Tools and Techniques Not Used by Hotels
Technique                        %
Biometrics                       69.4%
Digital IDs                      68.1%
Image Servers                    63.0%
Vulnerability Assessment Scan    42.5%
Intrusion Detection Systems      35.5%
           Network Attacks
• Twenty percent of the respondents had a
  computer network attack within the last 12
  months.
• The size of the hotel seems to be
  positively correlated with the number of
  attacks observed within the last 12 months
  (r=.72; p=.001)
       Network Attack Types
• Virus Attack (15.4%) was reported most
  frequently, followed by
• Denial of Service (7.7%),
• Sabotage of data networks (7.7%),
• System penetration by an outsider (7.7%),
  and spoofing (5.1%).
 Who is responsible (%)?
• Independent hackers: 53.8
• Disgruntled employees: 23
• Foreign corporations: 15.3
• Other: 7.9
             Other Findings
• The average financial loss caused by these
  attacks was $10,375 per year.
• About 20% of the respondents hired reformed
  hackers or ethical hackers as consultants.
• Only 2.6% of the respondents reported computer
  network attacks to law enforcement.
• The most widely used prevention tool was patching
  the holes (79.5%) as patches were released by the
  manufacturers of hardware and software.
            Other Findings
• Only 40% have enough resources for
  security.
• 56.4% have enough expertise.
• 23.1% do not have a method of getting rid
  of old user accounts.
• 20% are members of an IT security
  organization.
• 38.5% never conduct an IT security audit.
             Conclusions
• This study is one of the first attempts to
  analyze computer network attacks and
  prevention techniques in the hotel
  industry.
• The results showed that computer
  network attacks create serious threats
  to hotels.
• Although hotel companies use some
  prevention techniques, we observed a
  scattered mix of solutions.
               Conclusions
• Some hoteliers prefer to outsource their network
  and information security systems. This may have
  a two-fold impact on hotels:
• 1) If the outsourcing company is a network and
  information security expert, then, the hotel
  network systems may be protected better;
• 2) The dependency on a different company in
  such an important issue may create some
  problems such as data privacy and ownership
         Recommendations
• A significant number of hotels do not use, and
  do not plan to use in the future, some important
  network and information security tools and
  techniques.
• Some of these tools are so vital to network
  security that not using them is an open
  invitation to internal and external hackers.
• Hotel managers would do well to review
  this list, compare it with the tools they
  use, and implement and use multiple tools.
 Recommendations: 4-step guide
1. Prevention through firewalls, anti-virus
   measures, ongoing anti-hacking analysis
2. Implement an intrusion detection system
3. Design a quick reaction team when you
   get hit with a virus or hack attack. Be
   ready to quarantine
4. Design an after-attack routine
         Scan your network
• Use several methods
  – From outside
  – From inside
• Some tools:
  – Symantec’s NetRecon
  – Open-source Nessus (attacker and tester)
  – Security Analyzer from NetIQ
  – Shields Up! for Internet ports
  – MacAnalysis (performs 1300 attacks)
   Protection: Set up an Intrusion
         Detection System
• You want to know who is hitting and how
  they are hitting you.
• You do not want to back up a system that
  has been hacked.
• Some tools
  – Snort (open-source)
  – NetIQ’s Security Manager
• Know what is where (LANSurveyor)
Enter the Rule of Three
          1st Rule of Three
• Only blended protection can stop blended
  threats
  – Firewalls
  – Intrusion Detection Systems
  – Anti-Virus measures
• You have to use all three security methods
  together to ensure that you are really
  protected
Best practices in securing your data
[Figure: three layers of defense, labelled Corporate, Store and Notebook: Corporate Defense, Store Defense, Notebook Defense.]
 The only truly secure system is
           one that is
• powered off,
• cast in a block of concrete
• and sealed in a lead-lined room with
  armed guards

• and even then I have my doubts.
[Figure: data-protection matrix. Columns, along a horizontal axis labelled "Time to restore & length of data life": High Availability; Point in Time recovery; Point in Time versioning; Archived retrieval (WORM formats). Rows: Sites (business groups, business functions); Systems (servers, desktops, notebooks); Volumes (server, OS/apps, data storage); Data sets (file system, applications, database(s)); Data (files, tables, records).]
The second rule of three: Data Protection
The third rule of three: Reporting
              Who can help?
• Vendors
  – VERITAS is working on it. Look for information in the news from them in November.
  – Symantec has recently purchased PowerQuest and is building a unified security-backup offering.
  – NetIQ is directly
• Education
  – The University of Delaware is creating an HRIM security specific e-learning course.