Table of Contents
1.0 What is information security?
2.0 Attack Types
3.0 Information Security Primitives
4.0 Legal Issues
5.0 Risk Management
6.0 Network Administrator's Best Security Practices
7.0 Incident Response
8.0 Platform-Specific Security
1.0 What is information security?
Information security is the set of procedures implemented to prevent the unauthorized access, abuse, alteration, or denial of access to knowledge, data, or resources. This definition is broad because of the unique nature of information. Since information takes many forms and can be stored and used in many ways, the security of information presents distinctive problems.
The unique nature of information forces the information security professional to have to look at many different parameters when developing a sound security policy. This policy must take into account the many different forms of security to offer the most complete protection of knowledge, data, and resources. Physical, communications, emission, computer, and network security are all implemented when designing a complete information security policy. The diagram below is a visual representation of how all these security concepts fit within the scope of information security.
Figure 1: Information Security Overview
1.1 Security Types
1.1.1 Physical Security
Physical assets must be protected against unauthorized access. This can include computer terminals, server rooms, routers & switches, backup tapes, CD-ROMS, disks, as well as printouts, manuals, and paper files and records.
1.1.2 Communications Security
All communications between machines should be protected against interception. Beyond physically securing the transmission medium, the communications themselves need to be secured. The most practical way to protect traffic between machines is encryption. Technologies such as SSH, SSL/TLS, and PGP ensure that an attacker who intercepts the traffic cannot read the message contents. Two caveats: addresses, timing, and volume of traffic remain visible even when the payload is encrypted, and the endpoints must verify each other's keys or certificates, or an interceptor can simply sit in the middle and re-encrypt in both directions.
1.1.3 Emissions Security
Encrypting communications also protects whatever leaks on the wire or over the air, but emissions security is broader: unintended electromagnetic or acoustic emanations from monitors, keyboards, and cables carry plaintext that no link encryption touches, so equipment handling sensitive data may need shielding or distance from public areas. Wireless links deserve extra caution, as their encryption standards and techniques are still being developed and are revised often; treat a wireless link as an untrusted medium and rely on end-to-end encryption (SSH, SSL/TLS, a VPN) above it rather than on the link layer alone.
1.1.4 Computer Security
With communications and emissions protected, the information on a computer has to be protected as well. This need for secure computing has led to the introduction of user, group, and permission settings. Matching users and groups with the proper file permissions ensures that only authorized users can view, modify, or delete files; permissions should follow least privilege, granting each account only what its job requires.
1.1.5 Network Security
Network security protects the Local Area Network (LAN) from the outside world and limits what can move between segments inside it. It can include elements such as traffic shaping, firewalls, and intrusion detection systems.
1.1.6 Information Security
A good mix of physical, communication, emission, computer, and network security together make up the concept of information security. No one security type can protect the company; therefore, the concept of total information security is critical to the success of the enterprise.
1.2 Information Security Products
2.0 Attack Types
Before discussing the various types of attacks, one needs a general understanding of what an attack is. Simply put, an attack is any malicious or accidental disruption of the confidentiality, integrity, or availability of information and network resources. The four basic types of attacks are: Access, Modification, Denial of Service, and Repudiation. Attacks can come from many places: electronic, physical, or human. Electronic attacks may come from the external network (Internet) or the internal network (Intranet); physical attacks can come in the form of hardware or equipment sabotage or theft; and human attacks most often come in the form of social engineering.
Access attacks are the unwanted or unintended access to protected or private information.
Snooping is looking through files that may contain interesting information, typically files left readable on network shares or on web servers.
Eavesdropping occurs when the attacker listens in on conversations they should not be privy to. This type of attack is most often carried out electronically, for example with a packet sniffer on a shared network segment.
Interception is when the attacker positions herself between the sender and the intended recipient (a man-in-the-middle). While a transmission is occurring, the attacker "intercepts" the data, views or stores it, and passes it on to the intended party, so that neither side notices.
Modification attacks are the unwanted or unintended modification of information by an attacker.
Changes to existing information can be devastating to an individual or organization. The information in question is modified from its original state, thereby bringing into question all data contained on the compromised machine. Change attacks can occur to sensitive information such as student grades or employee salary, or public information such as information contained on a web page or teaching curriculum.
Insertion attacks simply add information that did not exist before. The attacker can add information to historical records, such as adding a class and grade to a student record.
Deletion attacks erase information that existed in historical records before the attack. The attacker can delete unwanted information such as records of system access from logs.
DoS attacks occur when information, applications, or services cannot be accessed when they are needed.
2.3.1 DoS to Information
A DoS to information makes data unavailable to the users who need it. Attackers may rename files, move them to inaccessible locations on the system, or change their permissions so that legitimate users can no longer open them.
2.3.2 DoS to Applications
A DoS to applications targets programs running on a system. This may mean the attacker exploits a known vulnerability on the application, or the attacker may simply close the application down.
2.3.3 DoS to Systems
A DoS to systems occurs when the attacker brings an entire system down. This type of attack encompasses both information and application DoS attacks as the system and everything it contains is made unavailable.
2.3.4 DoS to Communications
A DoS to communications is the most common type of DoS attack. The attacker targets a single address or an entire network and bombards it with an excessive amount of traffic. No damage to systems is done with these attacks; however, it can be more devastating than a system DoS attack as access to all network resources may be halted.
Repudiation attacks are an attempt to mislead or to deny an event took place.
Masquerading is when an attacker attempts to pose as someone or something that it is not. This can occur in human-to-human or in machine-to-machine transactions.
A denial attack is when the attacker denies an event ever took place.
3.0 Information Security Primitives
In order to deal efficiently with the attacks that can plague a system, information security uses four basic elements to aid in the generation of sound policy. These primitive elements are not mechanical devices or technical solutions. However, understanding these primitives and how they can be used to generate security policies is critical to the successful deployment of the technical and mechanical security devices.
The four information security primitives are: Confidentiality, Integrity, Availability, and Accountability. The security primitives can be matched up with the attack types to generate a simple matrix that gives a visual representation of how the primitives can be used to counteract the various attack types.
Figure 2: Information Security Matrix
Confidentiality ensures the secrecy of information and counters access attacks. Confidentiality only allows authorized users access to information, and denies access to everyone else. This applies not only to files and data, but also to transmission and communications. A few examples of confidentiality solutions are: physical security, identification and authentication methods, file/folder permissions, and encryption.
Integrity guarantees the correctness of information and thwarts modification attacks. Integrity gives end users confidence that information is correct, unmodified, and uncorrupted. The integrity of files can be ensured in many ways: preventing unauthorized access (see confidentiality), keeping multiple copies of the information, checksums, message authentication codes, and digital signatures, combined with authentication of whoever makes changes. Note that encryption by itself does not guarantee integrity: an attacker who cannot read a ciphertext may still be able to alter it undetected unless an authentication code or signature accompanies it.
Availability allows information to be functional to the end user. This is done by ensuring the information will be available whenever it is needed. Availability counteracts DoS attacks, meaning that systems are always up and the communication channels are always clear. There are several methods that can be employed to aid in the availability of information: backups, fail-over systems, as well as disaster recovery plans.
Accountability does not stop attacks by itself. Instead it is used in combination with the other primitives to make them more effective. In particular, confidentiality and integrity efforts would fail if not for accountability, because without a record of who did what there is no way to enforce or verify either. Simply put, accountability assigns responsibility for duties, actions, and processes to identifiable parties and builds the record-keeping needed to verify them into the planning and implementation of security policies.
3.4.1 Identification and authentication is the accountability method that identifies who is attempting to perform an action and then verifies that claimed identity through one or more of: something you know, something you have, or something you are. Something you know may be a password, a PIN, or a secret answer. Something you have may be a badge, a smart card, or a key. Something you are refers to biometric information such as fingerprints, retina scans, or voice recognition. Combining factors from two different categories (two-factor authentication) means that a stolen password alone is not enough.
3.4.2 Auditing provides a review of historical information. This information may be system access logs, network usage information, or file access records. As long as the audit records are protected from unauthorized access and modification, they provide valuable information about what is happening within the network, and a protected record of who did what is what makes it possible to counter repudiation attacks.
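The following is an added example, not code from the original tutorial. It ties the integrity methods listed above (message authentication codes) to the auditing requirement that records be protected from modification: each log entry carries an HMAC over its own fields and the tag of the previous entry, so changing, deleting, or forging an entry breaks the chain from that point on. The key, the record fields, and the sample events are constructed for the example; in practice the verification key is held on a separate log host, not on the machine producing the events.

```python
"""Hash-chained, HMAC-protected audit log (added example, not from the tutorial)."""
import copy
import hashlib
import hmac
import json
from typing import Optional

# Assumption: this key lives on a separate log host. If it sits on the audited
# machine, an attacker with root can simply re-sign the log after editing it.
LOG_KEY = b"example-audit-key-keep-off-the-audited-host"

GENESIS = "0" * 64  # tag that stands in for "the entry before the first"


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over the previous tag plus a canonical JSON encoding of the record."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log: list, record: dict, key: bytes = LOG_KEY) -> dict:
    """Append record to log, linking it to the tag of the last entry."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry = {"record": record, "tag": _tag(key, prev_tag, record)}
    log.append(entry)
    return entry


def verify(log: list, key: bytes = LOG_KEY) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    Deleting an entry makes the entry after it fail (its predecessor's tag no
    longer matches). Truncating the tail is only detected if the expected
    last tag is stored elsewhere, so keep the head tag on the log host too.
    """
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        expected = _tag(key, prev_tag, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev_tag = entry["tag"]
    return None


def demo() -> dict:
    """Build a small log, then apply the change, deletion, and insertion attacks."""
    events = [  # constructed sample events
        {"ts": "2003-07-28T08:01:02", "user": "larry", "event": "login", "ok": True},
        {"ts": "2003-07-28T08:07:45", "user": "larry", "event": "read", "obj": "/srv/grades.db"},
        {"ts": "2003-07-28T23:12:09", "user": "mallory", "event": "login", "ok": False},
        {"ts": "2003-07-28T23:12:31", "user": "mallory", "event": "login", "ok": True},
    ]
    log: list = []
    for ev in events:
        append(log, ev)
    results = {"intact": verify(log)}

    # Change attack: alter a field of an existing entry in place.
    changed = copy.deepcopy(log)
    changed[1]["record"]["obj"] = "/srv/public/readme.txt"
    results["changed"] = verify(changed)

    # Deletion attack: remove the failed login, which is what an intruder hides.
    deleted = copy.deepcopy(log)
    del deleted[2]
    results["deleted"] = verify(deleted)

    # Insertion attack without the key: the forged tag cannot match.
    inserted = copy.deepcopy(log)
    fake = {"record": {"ts": "2003-07-28T08:05:00", "user": "larry", "event": "logout"},
            "tag": "f" * 64}
    inserted.insert(1, fake)
    results["inserted"] = verify(inserted)
    return results


if __name__ == "__main__":
    print(demo())
```

Running it reports the intact log as verified and locates the first broken entry in each tampered copy (index 1 for the change and the forgery, index 2 for the deletion). The chain detects any edit below the point of tampering; it does not replace off-host storage, which is still needed to catch an attacker who deletes the whole file.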
4.0 Legal Issues
There are many legal issues that an administrator should be aware of while attempting to protect their network. However, due to the technical nature of laws and legal matters, the following is not legal advice, just a general discussion of the most prevalent legal issues facing network managers.
(18 US Code 1030)
This is the "biggie" law when it comes to computer crimes. The most relevant part of this law to this discussion is that it is a crime to intentionally access a computer and view protected information without prior authorization. Further, the total damages must be at least $5000 (including the cost of investigating and correcting the break-in) before the statute will be invoked.
(18 US Code 2319)
This law describes the punishments for violating copyright law. The statute specifies that at least 10 copies of copyrighted works must be available and the value of these copies must have a total value of at least $1000.
(18 US Code 2511)
This is the "wiretap" law. An attacker that places a packet sniffer on a network is most likely going to violate this statute. This statute has many sticky areas for network managers and security professionals alike. A general rule of thumb is that it is allowable to monitor the network in order to protect it from attack. Consult with a lawyer if there is any question about the legality of network monitoring.
(18 US Code 2701)
This law prohibits any unauthorized access to communications or systems that contain information about communications. The code makes an exception for the owner of the communication service.
5.0 Risk Management
Risk is the chance of a loss occurring, and it is what makes safeguards necessary. Without risk, there would be no need for security. When discussing risk in the context of security, the subject can be broken down into two components: threats and vulnerabilities. The relationship between threats and vulnerabilities can be seen on the following graph.
Figure 3: Threat / Vulnerability Relationship
Vulnerability is any weakness in hardware, software, or procedures that an attacker can use to infiltrate and harm the network. Vulnerabilities are typically rated by how little skill and effort exploiting them takes and by the importance of the affected system. A high-rated vulnerability is easy to exploit and the potential damage (sensitive files, critical systems) is considerable; a low-rated vulnerability requires great technical skill to take advantage of and the potential damage is small (public files, non-critical systems).
A threat is an event that may compromise the security of a system or the network. There are three main components to threats: targets, agents, and events.
The target of an attack is always one of the security primitives: confidentiality, integrity, availability, or accountability. Confidentiality is the target when unauthorized attackers seek specific information. Integrity is the target when the attacker wishes to alter information, whether by modifying or deleting existing data or by adding new data. Availability is targeted by DoS attacks, which can be short-term or long-term and aimed at individual systems or the entire network. Accountability is targeted when a repudiation or unauthorized-access attack is attempted; because of the nature of this primitive, accountability is always co-targeted together with one of the others.
The agents are the individuals who mean to do the system harm, in other words, the attackers. To be a credible threat, an attacker must possess: access, knowledge, and motivation.
Access - the agent must have access to the system, network, or location. The access may be physical or electronic. The agent's ability to perform the desired actions on the system depends on access.
Knowledge - the agent needs to have knowledge of the target, such as user IDs, passwords, phone numbers, or network addresses.
Motivation - the agent must decide to strike the target. Doing so requires motivation, which can be the challenge, greed, or other malicious intent.
Agents can be almost anyone: employees, ex-employees, contractors, vendors, hackers, crackers, terrorists, visitors, and rivals should all be considered agents.
Events are the methods and techniques in which an agent can attack a target. Events can be any compromise of network or system security, including: unauthorized access, altering information, destruction of data, interference with normal operations, eavesdropping or intercepting communications, and theft.
Now that there are clear definitions for both threats and vulnerabilities, a more complete definition of risk can be obtained. Risk can now be defined as the combination of threats and vulnerabilities which results in the chance of a loss occurring.
Risk can be identified by looking at the threats and vulnerabilities facing the organization. This simple procedure becomes difficult when one tries to identify all the vulnerabilities and real risks to the network. Identifying vulnerabilities is relatively straightforward: once the access points to the network and systems are enumerated, the vulnerabilities of each can be assessed. Identifying threats is a more daunting task. One way of measuring the threat level to a network is to create a threat matrix in which all plausible threats are listed and their likelihood and impact are estimated.
Countermeasures are the tools that aid in securing a network or system. Each countermeasure is designed to deal with a particular problem, so when deciding which countermeasure to deploy, the attack type, the primitive, the threat, and the vulnerability must all be understood for the countermeasure to be effective. A short list of countermeasures follows:
Badges & Key Cards
File Access Controls
Perfect security is most likely not obtainable, as there must always be a tradeoff between the usability and protection of systems. In order to best decide where your security resources go, risk must be measured and quantified. There are several methods of finding a risk number. Two such techniques are Quantitative and Qualitative Risk Analysis.
Figure 4: Quantitative Risk Assessment
Risk = Probability of Occurrence x Probable Loss
Figure 5: Qualitative Risk Measurement
Some factors that are considered when determining risk are: money, time, and resources.
5.6.1 Money - Risk can be measured in terms of total potential cost of an attack.
5.6.2 Time - Measuring the length of a DoS attack, system downtime, time spent reinstating data, or investigating attacks are all considered when determining risk.
5.6.3 Resources - The loss of any person, computer, network, system, or hardware can influence the risk level.
Within each risk level, there are sub-levels that determine impact and severity. These are typically based on best-case, worst-case, and likely-case scenarios.
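The following is an added example, not part of the original tutorial. It applies the formula in Figure 4 (Risk = Probability of Occurrence x Probable Loss) to a small threat matrix, expressing each threat's risk as an expected annual loss, maps the same threats onto a qualitative likelihood/impact grid as in Figure 5, carries best-, likely-, and worst-case loss figures per threat, and asks whether a countermeasure's yearly cost is justified by the loss it avoids. The threat names, probabilities, dollar figures, level thresholds, and the countermeasure figures are all constructed for illustration.

```python
"""Quantitative and qualitative risk ranking (added example, not from the tutorial)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Threat:
    name: str
    annual_probability: float   # expected occurrences per year
    loss_best: float            # best-case loss per occurrence, in dollars
    loss_likely: float          # likely-case loss per occurrence
    loss_worst: float           # worst-case loss per occurrence

    def ale(self, case: str = "likely") -> float:
        """Risk = Probability of Occurrence x Probable Loss, per year (ALE)."""
        loss = {"best": self.loss_best, "likely": self.loss_likely,
                "worst": self.loss_worst}[case]
        return self.annual_probability * loss


# Qualitative bands; the thresholds are assumptions for this example.
def likelihood_level(p: float) -> str:
    if p >= 1.0:
        return "high"      # expected at least once a year
    if p >= 0.1:
        return "medium"
    return "low"


def impact_level(loss: float) -> str:
    if loss >= 100_000:
        return "high"
    if loss >= 10_000:
        return "medium"
    return "low"


RANK = {"low": 0, "medium": 1, "high": 2}


def qualitative(t: Threat) -> str:
    """Combine likelihood and likely-case impact on a 3x3 grid."""
    score = RANK[likelihood_level(t.annual_probability)] + RANK[impact_level(t.loss_likely)]
    return ["low", "low", "medium", "high", "high"][score]


def rank_threats(threats: List[Threat]) -> List[Tuple[str, float, str]]:
    """Sort threats by likely-case ALE, highest first."""
    rows = [(t.name, round(t.ale(), 2), qualitative(t)) for t in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def countermeasure_worthwhile(t: Threat, annual_cost: float, risk_reduction: float) -> bool:
    """Spend only where the avoided annual loss exceeds the control's yearly cost."""
    return t.ale() * risk_reduction > annual_cost


# Constructed threat matrix for a small campus network.
THREATS = [
    Threat("Web server defacement", 2.0, 500, 5_000, 50_000),
    Threat("Grade database altered", 0.2, 10_000, 120_000, 400_000),
    Threat("Backup tapes stolen", 0.05, 20_000, 150_000, 1_000_000),
    Threat("Flood DoS on uplink", 4.0, 200, 2_000, 20_000),
]

if __name__ == "__main__":
    for name, ale, level in rank_threats(THREATS):
        print(f"{name:26s} ALE=${ale:>10,.2f} qualitative={level}")
    db = THREATS[1]
    print("Worst-case exposure for the database:", db.ale("worst"))
    print("Integrity monitoring at $5,000/yr worth it?",
          countermeasure_worthwhile(db, 5_000, 0.6))
```

The two views disagree in instructive ways: the flood DoS has the highest probability but a low per-event loss, so it ranks third by ALE and "medium" on the grid, while the rarely stolen backup tapes rank last by ALE yet carry the largest worst-case figure. That is why the text's best-, likely-, and worst-case sub-levels matter: a ranking by expected loss alone hides the tail.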
6.0 Network Administrator's Best Security Practices
To aid in the day-to-day duties of system administration, a few simple guidelines can be followed that can help in making security part of your routine. The steps outlined below are not focused on any particular operating system or piece of hardware, but rather on the security primitives and risks discussed above.
It is extremely important that you not only know the ins-and-outs of the systems you administer, but also that you keep up to date with this information. The computer field is in constant flux with new applications, techniques, and threats appearing almost daily. Reading up on and knowing the newest security vulnerabilities or the availability of a new patch will make you a better network and security administrator.
Protecting a network with an expensive firewall does no good if an attacker can simply walk up to a machine and access its files or the network. Make sure users have session timeouts (screen locks) configured on their workstations, and control physical access to all machines on the network. Keep servers and critical systems in locked rooms with controlled access. Make sure that administrators log out of sessions before walking away from their workstations or servers.
Go over all the systems on the network and make sure that each machine runs only the services it needs in order to do its job. Keeping machines light and free of unwanted or unneeded services increases stability, reduces the number of vulnerabilities and therefore the risk, and makes a problem or compromised machine easier to spot. In addition, close off any TCP and UDP ports that the machine does not use (e.g. a public web server needs only its HTTP/HTTPS ports reachable from the network, and an administrative service such as SSH should be limited to trusted addresses). Verify the result from the outside with a port scan rather than trusting the configuration alone.
Administrators should be careful when choosing their passwords. A system is only as secure as its weakest part, and attackers go after administrator passwords first. Use long passwords (eight characters is a floor, not a target; longer is better) that do not contain dictionary words. Substituting numbers and special characters for letters adds a little, but the common substitutions (a to @, o to 0, s to $) are in every password cracker's rule set, so a dictionary word with a few swapped characters is still weak. Use mnemonics or passphrases to remember longer passwords. Enforce the policy on the login servers (minimum length, password expiration, and lockout or delay after repeated failed attempts).
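The following is an added example, not from the original tutorial. It turns the password advice above into a check that enforces the length floor, undoes the usual letter substitutions before looking for dictionary words (so "P@ssw0rd" is caught), and lets a long mnemonic or passphrase through. The word list, the substitution table, and the candidate passwords are constructed for the example; a real deployment loads a full dictionary file and a cracker-style rule set.

```python
"""Password policy check that undoes common substitutions (added example)."""
import re
import string
from typing import List

MIN_LENGTH = 8  # the tutorial's floor; treat it as a floor, not a target

# Substitutions that password-cracking rule sets undo routinely (assumed table).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Constructed mini-dictionary; a real check uses a full word list.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein",
              "dragon", "monkey", "football", "secret", "qwerty"}


def normalize(pw: str) -> str:
    """Lower-case, undo leet substitutions, then drop anything that is not a letter."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def contains_dictionary_word(pw: str, min_word_len: int = 4) -> bool:
    """True if a dictionary word of min_word_len+ letters survives normalization."""
    core = normalize(pw)
    return any(w in core for w in DICTIONARY if len(w) >= min_word_len)


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit, punctuation appear."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(any(c in cls for c in pw) for cls in classes)


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word (even after undoing substitutions)")
    # Long passphrases are allowed to be letters only; short passwords are not.
    if character_classes(pw) < 3 and len(pw) < 16:
        problems.append("fewer than three character classes and under 16 characters")
    if re.fullmatch(r"(.)\1+", pw):
        problems.append("single repeated character")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a substituted word, a short substituted word,
    # and a mnemonic ("To be or not to be, that Is the question!").
    for candidate in ("P@ssw0rd", "Dr4g0n", "Tbontb,tItq!"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The mnemonic passes because nothing in it survives as a word and it mixes three classes; the substituted words fail because the substitution table maps them straight back onto the dictionary, which is exactly what a cracker's rules do.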
When an administrator grants a person superuser rights, that person typically gets full administrative control of the system or network. Operating systems such as Windows and Linux allow the administrator to delegate only specific administrative duties and permissions and to deny the rest, so that privileges follow the principle of least privilege. For example, a delegated administrator may be allowed to reset passwords for existing users but not to create new accounts on the system or network. A delegated administrator can also be restricted in which files they can access; for example, one administrator has no need to see other administrators' private folders and documents.
A user usually does not need system access 24 hours a day, 7 days a week, nor the ability to log in from every system on the network. Restricting users to certain times and certain locations keeps unauthorized access to a minimum. For example, if Larry always works at his desk Monday to Friday from 8AM to 5PM, then a rule stating that Larry can only log into the network from his own workstation between 8AM and 5PM, Monday through Friday, ensures that nobody can log in as Larry when Larry is not there, and any attempt to do so stands out when the system logs are audited. If Larry has to work late one day, he calls the network administrator and asks to be allowed a few more hours on the network.
Make sure users understand and follow basic security procedures such as complex passwords and session time-out. Offer periodic security information sessions where new risks can be explained and how users can protect themselves. Make relevant security information readily available to users either through emails or on a webpage.
New system vulnerabilities become public constantly, and to counter the risk that stems from them every system should be patched regularly. There are patches for applications as well as operating systems. Operating system patches and service packs should be tested on a non-production machine and then installed as soon as possible; a patch delayed for weeks leaves a known, published hole open.
It is a good idea to know more about your systems than the agent. This is true when discussing vulnerability and penetration testing. If you test for vulnerabilities regularly you can take appropriate measures to minimize or eliminate the vulnerability.
Audit system logs regularly to analyze security elements such as login attempts, application performance, system performance, file access history.
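The following is an added example, not from the original tutorial, that serves both the login-window rule described for Larry above and the advice to audit login attempts in the system logs. It encodes the rule (his own workstation, Monday to Friday, 08:00 to 17:00) as a policy table, checks every accepted login in a log against it, and counts failed attempts per account and source so that repeated guessing stands out. The log lines, hostnames, and addresses are constructed; the line format follows OpenSSH's sshd syslog messages, and the year is an assumption because classic syslog lines omit it.

```python
"""Login-window policy and failed-login audit over sshd log lines (added example)."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

LOG_YEAR = 2003  # assumption: syslog lines carry no year

# Policy: user -> allowed source addresses, weekdays (Monday = 0), and hours.
# "root" may never log in remotely, hence empty sets.
POLICY: Dict[str, dict] = {
    "larry": {"hosts": {"10.1.2.7"}, "days": {0, 1, 2, 3, 4}, "hours": range(8, 17)},
    "root": {"hosts": set(), "days": set(), "hours": range(0)},
}

# Matches "Accepted"/"Failed" sshd lines, including "invalid user" attempts.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line: str) -> Optional[dict]:
    """Turn one sshd log line into an event dict, or None for unrelated lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def violates_policy(event: dict) -> str:
    """Return '' if the login is inside the user's window, else the reason it is not."""
    rule = POLICY.get(event["user"])
    if rule is None:
        return "no policy for account"
    if event["src"] not in rule["hosts"]:
        return "source not allowed"
    if event["ts"].weekday() not in rule["days"]:
        return "outside allowed days"
    if event["ts"].hour not in rule["hours"]:
        return "outside allowed hours"
    return ""


def audit(lines: List[str]) -> dict:
    """Policy violations among successful logins, plus failure counts per (user, source)."""
    violations = []
    failures: Counter = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["ok"]:
            reason = violates_policy(ev)
            if reason:
                violations.append((ev["ts"].isoformat(), ev["user"], ev["src"], reason))
        else:
            failures[(ev["user"], ev["src"])] += 1
    return {"violations": violations, "failures": dict(failures)}


# Constructed sample log: 28 July 2003 is a Monday.
SAMPLE_LOG = """\
Jul 28 08:02:11 fs1 sshd[2201]: Accepted password for larry from 10.1.2.7 port 51022 ssh2
Jul 28 12:40:03 fs1 sshd[2650]: Accepted publickey for larry from 10.1.2.7 port 51890 ssh2
Jul 28 23:09:41 fs1 sshd[3101]: Failed password for larry from 203.0.113.9 port 39990 ssh2
Jul 28 23:09:47 fs1 sshd[3101]: Failed password for larry from 203.0.113.9 port 39990 ssh2
Jul 28 23:10:02 fs1 sshd[3104]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Jul 28 23:14:52 fs1 sshd[3120]: Accepted password for larry from 203.0.113.9 port 40021 ssh2
Jul 29 09:15:30 fs1 sshd[3310]: Accepted password for root from 10.1.2.7 port 52000 ssh2
""".splitlines()

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for v in report["violations"]:
        print("VIOLATION", *v)
    for (user, src), n in report["failures"].items():
        print(f"{n} failed attempts for {user} from {src}")
```

The two daytime logins from Larry's workstation pass. The late-night "Accepted" login from an outside address is flagged even though the password was correct, which is the point of the rule: a stolen password is not enough when the window is enforced. The failure counter shows the guessing that preceded it, and the remote root login is flagged because root has no remote window at all.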
It is a good idea to document the network and system configuration. These documents are extremely helpful in such endeavors as disaster planning, troubleshooting problems, system planning, and intrusion detection.
In the case of an attack, hack, or disaster, it is imperative that there is redundancy built into the network, and that plans have been generated that will ensure that availability to information is not compromised. A few methods that can aid in the continuity of operations: good documentation, audit records, off-site storage of backups, and fail-over systems.
7.0 Incident Response
In the event that a system or network violation has occurred, a team is assembled to investigate and remediate the violation. The Computer Incident Response Team (CIRT) is made up of experts from various parts of the organization. The members of the CIRT differ according to the needs of the situation. Typical members include:
The CIRT follows a set of guidelines for dealing with an incident. These rules for investigating an incident are:
8.0 Platform-Specific Security
8.1.1 Microsoft Update
Microsoft has made it easier for administrators and end users to apply patches to their systems through the Microsoft Update service. It scans a system and reports whether any new patches or updates are available, which makes keeping a system up to date about as painless as it can be.
8.1.2 Microsoft Baseline Security Analyzer
In Microsoft's push to provide better security to network administrators, they have developed the Baseline Security Analyzer. This tool will scan local as well as remote systems and will check for vulnerabilities. If it detects a known vulnerability, it will report the problem and lists several options that can be used to remedy the situation. It also provides links to Microsoft TechNet, which is an excellent source for Windows information.
8.1.3 System Configuration
Knowledge of the Windows registry and proficiency with the tools available in the Microsoft Management Console (MMC) help the network administrator "harden" a Windows system. Locking down features such as the Run command, or hiding critical system files and folders, may make administration of the systems easier and removes some convenient footholds, but hiding is no substitute for proper permissions.
8.1.4 System Auditing
Turning on logging and auditing the system helps the administrator detect whether the system has been tampered with. For example, if unsuccessful login attempts are logged, the administrator knows which account was targeted, when the attempts occurred, and how many times they were made, which helps in determining who may be trying to gain unauthorized access. Many items can be logged, such as file creation and deletion, file access and modification, and system events, to name a few. The logs themselves must be protected, ideally by forwarding them to a separate log host, or an intruder will simply clear them.
Note: this tutorial assumes you are using a distribution such as RedHat or Debian Linux that pre-configures a system during the install process.
8.2.1 Disable Unused Services
When your system starts up, it loads a number of services by default. Go through the list of startup services and turn off those that are not absolutely necessary for the system. For example, if the system is not using NFS to share files, then stop NFS (and the RPC services it depends on) from starting at boot time. This has a dual effect: the system becomes more secure because there are fewer holes for an attacker to go after, and more stable because less system overhead goes to running unwanted services.
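The following is an added example, not from the original tutorial, that serves both the advice above to disable unused services and the earlier best-practice rule that a machine should expose only the ports its job needs. It parses the output of the iproute2 `ss -lntup` listing (the column layout is assumed from that tool; the listing below is a constructed sample, not captured from a real host), ignores sockets bound to loopback, and reports every externally reachable listener that is not on the allow-list for the machine's role. The roles and their allow-lists are assumptions for the example.

```python
"""Compare listening sockets against a per-role allow-list (added example)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Role -> set of (protocol, port) that may be reachable from the network.
# A public web server needs HTTP/HTTPS; SSH stays for administration but
# should additionally be limited by the host firewall to admin addresses.
ROLE_ALLOWLIST: Dict[str, Set[Tuple[str, int]]] = {
    "web": {("tcp", 80), ("tcp", 443), ("tcp", 22)},
    "workstation": {("tcp", 22)},
}


def _split_addr_port(local: str) -> Tuple[str, int]:
    """'0.0.0.0:22' -> ('0.0.0.0', 22); '[::]:22' -> ('::', 22)."""
    addr, port = local.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def _process_name(field: str) -> str:
    """users:(("sshd",pid=812,fd=3)) -> sshd; kernel sockets (e.g. nfsd) carry no process."""
    if not field.startswith("users:"):
        return "(kernel or unknown)"
    return field.split('"')[1]


def parse_ss(output: str) -> List[dict]:
    """Parse `ss -lntup` lines into dicts, skipping the header and anything odd."""
    socks = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] not in ("tcp", "udp"):
            continue
        addr, port = _split_addr_port(cols[4])
        process = _process_name(cols[6]) if len(cols) > 6 else _process_name("")
        socks.append({"proto": cols[0], "addr": addr, "port": port, "process": process})
    return socks


def is_loopback(addr: str) -> bool:
    """Wildcard binds are reachable from the network; 127.x and ::1 are not."""
    if addr in ("*", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(output: str, role: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, process) for each exposed listener not allowed for the role."""
    allowed = ROLE_ALLOWLIST[role]
    seen: Set[Tuple[str, int]] = set()
    findings = []
    for s in parse_ss(output):
        key = (s["proto"], s["port"])
        if is_loopback(s["addr"]) or key in allowed or key in seen:
            continue
        seen.add(key)  # IPv4 and IPv6 binds of one service count once
        findings.append((s["proto"], s["port"], s["process"]))
    return sorted(findings)


# Constructed sample in `ss -lntup` layout: a web server that still runs NFS/RPC.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
tcp   LISTEN 0      64     0.0.0.0:2049        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=600,fd=5))
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1400,fd=20))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for proto, port, process in audit_listeners(SAMPLE_SS, "web"):
        print(f"unexpected listener: {proto}/{port} ({process})")
```

On the sample the web role flags the NFS server on 2049 (a kernel socket, so no process name) and rpcbind on UDP 111, while the MySQL listener is ignored because it is bound to loopback only. The same listing audited as a workstation additionally flags the web server itself, which is the intended behaviour: the allow-list, not the running software, defines what the machine's job is. Run the check from the outside with a port scan as well, since a host-based listing cannot see what a host firewall is or is not blocking.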
8.2.2 Install Patches Often
As with any computer platform, UNIX-based systems must be updated often to prevent attackers from exploiting known vulnerabilities. The nature of this platform guarantees that vulnerabilities are discovered often, and by the same token, the patches and bug-fixes come almost as quickly as the vulnerabilities are discovered.
8.2.3 Utilize IP-Filtering and/or Firewalls
It is generally a good idea to implement a simple IPTables-based firewall for workstations and a more robust one for servers. IP filtering can define what machines can and cannot connect to the system, and can provide an extra layer of defense against attackers.
8.2.4 Install ssh
Secure Shell (ssh) is an encrypted remote terminal program that allows users to log into a system without having to be at the machine (think of it as a secure replacement for telnet). It lets the user work as if seated at the terminal, and it also supports encrypted file transfer between machines (scp and sftp, more secure than ftp). All traffic is encrypted, so interception yields nothing readable, and the server's host key lets the client detect an impostor, provided users check the key fingerprint the first time they connect rather than blindly accepting it. It also adds a layer of physical security, since machines can be locked away and do not have to be physically accessible.
Before setting out to secure a network from attackers, it is imperative that one understands the theory, standards, and technology of networking. Listed below are some suggested items that should be researched further for a better understanding of implementation.
Anonymous. (2000). Maximum Linux Security. Indianapolis: Sams Publishing.
Brenton, C. (1999). Mastering Network Security. San Francisco: Sybex.
Maiwald, E. (2001). Network Security: A Beginner's Guide. New York: McGraw-Hill.
Miller, L., & Gregory, P. (2002). CISSP For Dummies. New York: Wiley.
Panko, R. (2001). Business Data Communications and Networking. New Jersey: Prentice-Hall.
Scambray, J., McClure, S., & Kurtz, G. (2001). Hacking Exposed. New York: McGraw-Hill.
University of North Texas. (2003). University of North Texas Information Resources Security Policy: Classification Number 3.6. Retrieved 7/28/2003 from http://www.unt.edu/planning/UNT_Policy/volume2/3_6.html
University of North Texas. (2003). University of North Texas Computer Use Policy: Classification Number 3.10. Retrieved 7/28/2003 from http://www.unt.edu/planning/UNT_Policy/volume2/3_10.html
University of Virginia Information Technology and Communication. (2003). UNIX/Linux Security Best Practices. Retrieved 6/21/2003 from http://www.itc.virginia.edu/unixsys/sec/