Information Security Guide


1.0 What is information security?

Information security is the set of procedures implemented to prevent unauthorized access, abuse, alteration, or denial of access to knowledge, data, or resources. This definition is broad because of the unique nature of information. Since information takes many forms and is stored and used in many ways, information security presents distinctive problems.

The unique nature of information forces the information security professional to look at many different parameters when developing a sound security policy. This policy must consider the many different security forms to offer the complete protection of knowledge, data, and resources. Physical, communications, emission, computer, and network security are implemented when designing a complete information security policy.


1.1 Security types

1.1.1 Physical security

Everyone must protect physical assets against unauthorized access. This can include computer terminals, server rooms, routers and switches, backup tapes, CD-ROMS, disks, printouts, manuals, and paper files and records.

1.1.2 Communications security

Everyone should protect all communications between machines against interception. Beyond physically securing all transmission media, the communications themselves need to be secured. The easiest method of protecting all communications between the machines is to use encryption. Technologies such as SSH, SSL, and PGP ensure that an attacker cannot read the message even if the communications are intercepted.

1.1.3 Emissions security

If communications are encrypted, then encryption will also protect emissions and transmissions. However, wireless communications should be treated with extra caution, as the encryption standards and techniques are still being developed and are revised often.

1.1.4 Computer security

With communications and emissions protected, the information on a computer has to be protected as well. This need for secure computing has led to the introduction of user, group, and permission settings. Matching a user or group with the proper file permissions ensures that only authorized users can view, modify, or delete files.

1.1.5 Network security

Network security protects the Local Area Network (LAN) from the outside world. It can include elements such as traffic shaping, firewalls, and intrusion detection systems.

1.1.6 Information security

A good mix of physical, communication, emission, computer, and network security makes up the concept of information security. No one security type can protect the company; therefore, the concept of total information security is critical to the enterprise's success.


1.2 Information security products

  • Anti-virus
  • Access control
  • Firewalls
  • Smart cards
  • Biometrics
  • Intrusion detection
  • Policy management
  • Vulnerability testing
  • Encryption
  • Physical security products

2.0 Attack types

Before discussing the various types of attacks, you must first establish a general understanding of what an attack is. An attack is any malicious disruption in the confidentiality, integrity, or availability of information and network resources. The four basic types of attacks are access, modification, denial of service, and repudiation. Attacks can come from many places: electronic, physical, or human. Electronic attacks may come from the external network (internet) or the internal network (intranet). Physical attacks come in the form of hardware and equipment sabotage or theft, and human attacks most often come in the form of social engineering.


2.1 Access attacks

Access attacks are unwanted or unintended access to protected or private information.

2.1.1 Snooping

Snooping is looking at files that may contain interesting information. This attack occurs through files being left on network shares or web servers.

2.1.2 Eavesdropping

Eavesdropping occurs when the attacker listens in on conversations they should not be privy to. This type of attack is most often done electronically.

2.1.3 Interception

Interception is when the attacker positions herself between the sender and the intended recipient. While a transmission occurs, the attacker "intercepts" the data, views or stores the information, and sends it to the intended party.


2.2 Modification attacks

Modification attacks are the unwanted or unintended modification of information by an attacker.

2.2.1 Changes

Changes to existing information are devastating to an individual or organization. The information in question is modified from its original state, thereby calling into question all data on the compromised machines. Change attacks can occur to sensitive information such as student grades or employee salary, or public information such as information on a web page or teaching curriculum.

2.2.2 Insertion

Insertion attacks add information that did not exist before. The attacker can add information to historical records, such as adding a class and grade to a student record.

2.2.3 Deletion

Deletion attacks erase information that existed in historical records before the attack. The attacker can delete unwanted information such as records of system access from logs.


2.3 Denial of service (DoS) Attacks

DoS attacks occur when information, applications, or services cannot be accessed when they are needed.

2.3.1 DoS to information

A DoS to information makes data unavailable to users that need it. Attackers usually rename files or move files to inaccessible locations on the system.

2.3.2 DoS to applications

A DoS to applications targets programs running on a system. This may mean the attacker exploits a known vulnerability on the application, or the attacker may close the application down.

2.3.3 DoS to systems

A DoS to systems occurs when the attacker brings an entire system down. This type of attack encompasses both information and application DoS attacks, as the system and everything it contains are unavailable.

2.3.4 DoS to communications

A DoS to communications is the most common type of DoS attack. The attacker targets a single address or an entire network and bombards it with excessive traffic. No damage to systems is done with these attacks; however, they are more devastating than a system DoS attack, as access to all network resources may be halted.


2.4 Repudiation attacks

Repudiation attacks are attempts to mislead or to deny that an event took place.

2.4.1 Masquerading

Masquerading is when an attacker attempts to pose as someone or something that it is not. This can occur in human-to-human or machine-to-machine transactions.

2.4.2 Denial

A denial attack is when the attacker denies an event ever took place.


3.0 Information security primitives

To efficiently deal with the attacks that can plague a system, there are four basic elements that information security uses to aid in the generation of sound policy. These primitive elements are not mechanical devices or technical solutions. However, understanding these primitives and how they can generate security policies is critical to successfully deploying technical and mechanical security devices.

The four information security primitives are Confidentiality, Integrity, Availability, and Accountability. The security primitives match the attack types to generate a simple matrix that visually represents how the primitives can counteract the various attack types.

Figure 1: Information security matrix

               Security primitives
Attack type  | Confidentiality | Integrity | Availability | Accountability
Access       | Yes             |           |              | Yes
Modification |                 | Yes       |              | Yes
DoS          |                 |           | Yes          |
Repudiation  |                 | Yes       |              | Yes

3.1 Confidentiality

Confidentiality ensures the secrecy of information and counters access attacks. Confidentiality only allows authorized users access to information and denies access to everyone else. This applies not only to files and data but also to transmission and communications. A few examples of confidentiality solutions are physical security, identification and authentication methods, file/folder permissions, and encryption.


3.2 Integrity

Integrity guarantees the correctness of the information and thwarts modification attacks. Integrity gives the end-users confidence that information is correct, unmodified, and uncorrupted. The integrity of files is ensured in many ways: prevent unauthorized access (see confidentiality), multiple copies of the information, digital signatures, encryption, authentication, and checksums.
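The checksum approach listed above can be shown as a small file-integrity check. This is an added example, not part of the original guide: it records SHA-256 checksums for a directory, seals the record with an HMAC so the record itself cannot be quietly rewritten, and classifies later differences with the guide's own modification-attack types (changes, insertion, deletion). The file names, contents, and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (by relative path) to its checksum."""
    baseline = {}
    for directory, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(directory, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def seal(baseline, key):
    """HMAC-SHA256 over the canonical JSON form of the baseline."""
    canonical = json.dumps(baseline, sort_keys=True).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(root, baseline, tag, key):
    """Compare root against a sealed baseline and classify the differences."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline does not match its seal; do not trust it")
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "inserted": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed directory, alter it, and return what is detected."""
    key = b"constructed-demo-key"  # assumption: kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            with open(os.path.join(root, name), "w", encoding="utf-8") as out:
                out.write(text)

        # Constructed sample data.
        write("grades.csv", "student,course,grade\nalice,CS101,B\n")
        write("salaries.csv", "employee,salary\nbob,50000\n")
        write("access.log", "08:01 bob login\n")
        baseline = build_baseline(root)
        tag = seal(baseline, key)

        write("grades.csv", "student,course,grade\nalice,CS101,A\n")  # change
        write("extra_record.csv", "alice,CS999,A\n")                 # insertion
        os.remove(os.path.join(root, "access.log"))                   # deletion
        report = verify(root, baseline, tag, key)

        # A baseline edited to match the altered file fails the seal check.
        forged = dict(baseline)
        forged["grades.csv"] = sha256_file(os.path.join(root, "grades.csv"))
        try:
            verify(root, forged, tag, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    return report, forged_accepted


if __name__ == "__main__":
    print(demo())
```

Checksums only support integrity while the baseline is protected; the seal covers that here, and storing the baseline on read-only or off-host media serves the same purpose.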


3.3 Availability

Availability allows information to be functional to the end-user. This is done by ensuring the information will be available whenever it is needed. Availability counteracts DoS attacks, meaning that systems are always up and the communication channels are always clear. Several methods are employed to aid in information availability: backups, fail-over systems, and disaster recovery plans.


3.4 Accountability

Accountability does not stop attacks by itself. Instead, it is used in combination with the other primitives to make them more efficient. In particular, confidentiality and integrity efforts would fail if not for accountability. Simply put, accountability adds responsibility and redundancy of certain duties, actions, and processes into the planning and implementation of security policies.

3.4.1 Identification and authentication

Identification and authentication is the accounting method that identifies who is attempting to act and then verifies the identification through a combination of something you know, something you have, or something you are. Something you know may be a password, a PIN, or a secret answer. Something you have may be a badge, a smart card, or a key. Something you are typically refers to biometric information such as fingerprints, retina scans, or voice recognition.

3.4.2 Auditing

Auditing provides a review of historical information. This information may be system access logs, network usage information, or file access records. As long as the audit records are protected from access and modification, they provide valuable information on what is happening within the network. These factors ensure that auditing can prevent repudiation attacks.


4.0 Legal issues

There are many legal issues that an administrator should be aware of while attempting to protect their network. However, due to the technical nature of laws and legal matters, the following is not legal advice, just a general discussion of the most prevalent legal issues facing network managers.


4.1 Computer fraud and abuse

(18 US Code 1030)

This is the major computer crime law. The most relevant part of this law to this discussion is that it is a crime to intentionally access a computer and view protected information without prior authorization. Further, the total damages must be at least $5000 (including the cost of investigating and correcting the break-in) before the prosecution will invoke the statute.


4.2 Copyrights

(18 US Code 2319)

This law describes the punishments for violating copyright law. The statute specifies that at least 10 copies of copyrighted works must be available, and the value of these copies must have a total value of at least $1000.


4.3 Interception

(18 US Code 2511)

This is the "wiretap" law. An attacker that places a packet sniffer on a network is most likely going to violate this statute. This statute has many sticky areas for network managers and security professionals alike. A general rule of thumb is that administrators can monitor their own network to protect it from attack. Consult with a lawyer if there is any question about the legality of network monitoring.


4.4 Access to electronic information

(18 US Code 2701)

This law prohibits any unauthorized access to communications or systems that contain information about communications. The code makes an exception for the owner of the communication service.


5.0 Risk management

Risk is the chance of a loss occurring, which necessitates safeguarding. Without risk, there is no need for security. When discussing risk in security, the subject of risk is broken down into two components: threats and vulnerabilities.


5.1 Vulnerability

A vulnerability is any weakness in hardware, software, or procedures that an attacker can use to infiltrate and harm the network. Typically, vulnerabilities are classified by the level of difficulty and skill needed to exploit them and by the importance of the system in question. If the vulnerability is high, it is easy to exploit, and the potential damage (sensitive files, critical systems) is considerable. If the vulnerability is low, it is assumed that the technical skill necessary to take advantage of it is great and the potential damage is low (public files, non-critical systems).


5.2 Threats

A threat is an event that may compromise the security of a system or the network. There are three main components of threats: targets, agents, and events.

5.2.1 Targets

The target of an attack is always one of the security primitives: confidentiality, integrity, availability, and accountability. Confidentiality becomes the target when specific information is sought after by unauthorized attackers. Integrity is the target when the attacker wishes to alter information. This may come from the modification or deletion of existing data or the addition of new data. Availability is targeted via DoS attacks. These are short-term or long-term attacks on individual systems or the entire network. Accountability is targeted when a repudiation or unauthorized access attack is to be attempted. However, due to the nature of this primitive, accountability must be co-targeted with one other primitive.

5.2.2 Agents

The agents are the individuals who mean to do the system harm; in other words, the attackers. To be a credible threat, an attacker must possess: access, knowledge, and motivation.

5.2.2.1 Access

The agent must have access to the system, network, or location. The access may be physical or electronic. The agent's ability to perform desired actions on the system depends on access.

5.2.2.2 Knowledge

The agent needs knowledge of the target, such as user IDs, passwords, phone numbers, or network addresses.

5.2.2.3 Motivation

The agent must decide to strike the target. To do so requires motivation, which may be the challenge, greed, or other malicious intent.

Agents are almost anyone: employees, ex-employees, contractors, vendors, hackers, crackers, terrorists, visitors, and rivals should all be considered agents.

5.2.3 Events

Events are the methods and techniques in which an agent can attack a target. Events compromise the network or system security, including unauthorized access, altering information, data destruction, interference with normal operations, eavesdropping or intercepting communications, and theft.


5.3 Risk = threats + vulnerabilities

Now that there are clear definitions for both threats and vulnerabilities, a complete definition of risk is obtained. Risk can now be defined as the combination of threats and vulnerabilities which results in the chance of a loss occurring.


5.4 Identifying risk

Risk is identified by looking at an organization’s threats and vulnerabilities. This simple procedure gets difficult when attempting to identify all the vulnerabilities and real risks to the network. Identifying vulnerabilities is somewhat straightforward: as access points to the network and systems are identified, a complete list of vulnerabilities can be assessed. Identifying threats is a more ominous task. One way of measuring the threat level to a network is to create a threat matrix, where all possible threats are defined and their likelihood estimated.


5.5 Countermeasures

Countermeasures are tools that aid in securing a network or system. These countermeasures are designed specifically for a particular problem. When deciding which countermeasure to deploy, you must understand the attack type, primitive, threat, and vulnerability to be effective. A short list of countermeasures includes:

  • Firewalls
  • Intrusion detection
  • Anti-virus
  • Badges and key cards
  • Biometrics
  • File access controls

5.6 Measuring Risk

Perfect security is most likely not obtainable, as there must always be a tradeoff between the usability and protection of systems. To best decide where your security resources go, risk must be measured and quantified. There are several methods of finding a risk number. Two such techniques are quantitative and qualitative risk analysis.

Figure 2: Quantitative risk assessment

Risk = probability of occurrence x probable loss

Some factors considered when determining risk are money, time, and resources.

5.6.1 Money

Risk is measured in terms of the total potential cost of an attack.

5.6.2 Time

Measuring the length of a DoS attack, system downtime, time spent reinstating data, or investigating attacks are all considered when determining risk.

5.6.3 Resources

The loss of any person, computer, network, system, or hardware can influence the risk level.


5.7 Risk categories

Within each risk level, some sub-levels determine impact and severity. These are typically based on best-case, worst-case, and likely-case scenarios.


6.0 Network administrator’s best security practices

To aid in the day-to-day duties of system administration, a few simple guidelines can help make security part of your routine. The steps outlined below are not focused on any particular operating system or piece of hardware but rather on the security primitives and risks discussed above.


6.1 Self-training

It is essential that you not only know the ins and outs of the systems you administer but also that you keep up to date with this information. The computer field is in constant flux, with new applications, techniques, and threats appearing almost daily. Reading up on and knowing the newest security vulnerabilities or the availability of a new patch will make you a better network and security administrator.


6.2 Physical security

Protecting a network with an expensive firewall does you no good if an attacker can walk up to a machine and access its files or network. Ensure users have session timeouts configured on their workstations and control physical access to all machines on the network. Protect servers and critical systems in locked rooms with controlled access. Make sure that administrators log out of sessions before walking away from their workstations or servers.


6.3 System maintenance

Go over all the systems on a network and ensure that each machine runs the minimum number of services it needs to do its job. Keeping your machines light and free of unwanted or unneeded services will increase system stability, decrease vulnerability, and thus risk, as well as enable you to find a problem or hacked machine faster. Also, close off any TCP and UDP ports that the machine will not use (e.g., a web server only needs to have TCP port 80 open).
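One way to check a machine against the ports it is supposed to expose is to compare its listening sockets with an allowlist. This is an added example, not part of the original guide: it parses output in the layout printed by `ss -tulnH` on Linux, and the sample output and the allowlist (TCP 80 as in the text, plus TCP 22 for remote administration) are assumptions constructed for the demonstration.

```python
# Constructed sample in the layout of `ss -tulnH`:
# Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      64              [::]:2049          [::]:*
tcp   LISTEN 0      511             [::]:80            [::]:*
"""

# Assumed allowlist for a web server: (protocol, port) pairs.
ALLOWED = {("tcp", 80), ("tcp", 22)}


def parse_listeners(ss_output):
    """Return a set of (protocol, address, port) for each listening socket."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue  # blank line or header row
        # Split on the last colon so IPv6 forms such as [::]:80 parse correctly.
        address, _, port = fields[4].rpartition(":")
        if port.isdigit():
            listeners.add((fields[0], address, int(port)))
    return listeners


def is_loopback(address):
    """True when the socket is bound to the local machine only."""
    return address.startswith("127.") or address == "[::1]"


def audit_listeners(ss_output, allowed=ALLOWED):
    """Compare listening sockets with the allowlist.

    unexpected    - reachable from the network but not on the allowlist
    loopback_only - bound to loopback; not exposed, but still a running service
    missing       - on the allowlist but not listening
    """
    listeners = parse_listeners(ss_output)
    exposed = {(proto, port) for proto, addr, port in listeners
               if not is_loopback(addr)}
    local = {(proto, port) for proto, addr, port in listeners
             if is_loopback(addr)}
    return {
        "unexpected": sorted(exposed - allowed),
        "loopback_only": sorted(local - exposed),
        "missing": sorted(allowed - exposed),
    }


if __name__ == "__main__":
    for category, entries in audit_listeners(SAMPLE_SS_OUTPUT).items():
        print(category, entries)
```

In the sample, UDP 111 and TCP 2049 are reported as unexpected; each entry is either a service to disable or a port to add to the documented allowlist.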


6.4 Passwords

Administrators should be careful when choosing their passwords. A system is only as secure as its weakest part, and attackers like to go after administrator passwords. Use lengthy passwords (eight characters or more) that do not contain any words found in the dictionary. Try to use numbers and special characters in the place of letters. Use mnemonics to remember long passwords. Use password-protection features on login servers (password character length, password expiration date).


6.5 Delegate and restrict superuser accounts

When an administrator adds a person to the superuser account, that person is typically granted administrator rights to the system/network. Operating systems such as Windows and Linux allow the administrator to assign superusers only certain duties and permissions and deny them other rights. For example, a superuser may have the ability to change passwords for existing users but not the ability to create new users on the system/network. A superuser can also be restricted in what files they can access. For example, a superuser does not need to see other superusers' private folders and documents.


6.6 Restrict user access

A user usually does not need system access 24 hours a day, 7 days a week. Nor does the user need to be able to log in from every system on the network. Restricting users to certain times and certain locations can ensure that unauthorized access is kept at a minimum. For example, if Larry always works at his desk Monday through Friday from 8 AM to 5 PM, then creating rules that state that Larry can only log into the network from his system from 8 AM to 5 PM Monday through Friday will ensure that nobody logs in as Larry when Larry isn't there. Unauthorized access attempts are discovered more easily this way through auditing system logs. If Larry worked late one day, he would call the network administrator, who would allow him a few more hours on the network.
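The Larry rule above can be audited against login records as follows. This is an added example, not part of the original guide: the log format, host names, dates, and the policy and extension tables are all constructed assumptions, and the check reports every login attempt that falls outside a user's approved host, days, or hours, honoring a one-off extension granted by the administrator.

```python
from datetime import datetime, time

# Hypothetical policy: Larry may log in from his own workstation,
# Monday (0) through Friday (4), 8 AM to 5 PM.
POLICY = {
    "larry": {
        "hosts": {"ws-larry"},
        "days": {0, 1, 2, 3, 4},
        "start": time(8, 0),
        "end": time(17, 0),
    },
}

# One-off extensions: (user, date) -> later end time for that day only.
EXTENSIONS = {("larry", "2024-03-06"): time(20, 0)}

# Constructed log lines in an assumed "timestamp EVENT key=value ..." format.
SAMPLE_LOG = """\
2024-03-04T08:03:11 LOGIN user=larry host=ws-larry result=success
2024-03-04T22:41:57 LOGIN user=larry host=ws-larry result=success
2024-03-05T10:15:00 LOGIN user=larry host=lab-pc-07 result=success
2024-03-06T18:30:42 LOGIN user=larry host=ws-larry result=success
2024-03-07T09:12:00 LOGIN user=mallory host=ws-larry result=success
2024-03-09T09:00:05 LOGIN user=larry host=ws-larry result=failure
"""


def parse_line(line):
    """Split one log line into (datetime, event name, field dictionary)."""
    stamp, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(stamp), event, fields


def check_login(when, user, host, policy=POLICY, extensions=EXTENSIONS):
    """Return the list of policy rules this login attempt breaks."""
    rule = policy.get(user)
    if rule is None:
        return ["no access rule for user"]  # default deny
    reasons = []
    if host not in rule["hosts"]:
        reasons.append("unapproved host")
    if when.weekday() not in rule["days"]:
        reasons.append("outside allowed days")
    end = extensions.get((user, when.date().isoformat()), rule["end"])
    if not rule["start"] <= when.time() <= end:
        reasons.append("outside allowed hours")
    return reasons


def audit_logins(log_text):
    """Return (timestamp, user, result, reasons) for each violating attempt."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, fields = parse_line(line)
        if event != "LOGIN":
            continue
        reasons = check_login(when, fields["user"], fields["host"])
        if reasons:
            findings.append(
                (when.isoformat(), fields["user"], fields["result"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOG):
        print(finding)
```

Failed attempts are reported as well as successful ones, since an attempt outside the window is worth reviewing either way.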


6.7 User training

Ensure users understand and follow basic security procedures such as complex passwords and session time-outs. Offer periodic security information sessions that explain new risks and how users can protect themselves. Make relevant security information readily available to users either through emails or on a webpage.


6.8 Patching systems

New system vulnerabilities become public constantly, and to counter the risks that stem from these vulnerabilities, administrators should patch every system frequently. There are patches for applications as well as operating systems. System administrators should always install operating system patches and service packs as soon as possible. Administrators should test patches before installing them on machines.


6.9 Vulnerability testing

It’s a good idea to know more about your systems than the agent. This is true when discussing vulnerability and penetration testing. If you test for vulnerabilities regularly, you can take appropriate measures to minimize or eliminate the vulnerability.


6.10 System / network monitoring

Audit system logs regularly to analyze security elements such as login attempts, application performance, system performance, and file access history.


6.11 Documentation

It’s a good idea to document the network and system configuration. These documents are beneficial for disaster planning, troubleshooting problems, system planning, and intrusion detection.


6.12 Continuity and disaster planning

In the case of an attack, hack, or disaster, there must be redundancy built into the network. What plans have been generated that will ensure that the information is not compromised? A few methods can aid in the continuity of operations: good documentation, audit records, off-site storage of backups, and fail-over systems.


7.0 Incident response

If a system or network violation occurs, a team assembles to investigate and remediate the violation. The Computer Incident Response Team (CIRT) comprises experts from various parts of the organization. CIRT members differ according to situation needs. Typical members include:

  • Security team members
  • System administrators
  • Network operations
  • Help desk
  • Legal department
  • Other relevant team members

The CIRT follows a set of incident guidelines. These rules for investigating are:

  1. General remediation - what to do when a breach is discovered
  2. Detection - assemble CIRT team to investigate, verify source of notification and what occurred
  3. Containment - locate computer's physical location, determine possible causes for incident, begin forensic investigation
  4. Eradication - take compromised machine off network, notify other parties of incident (Police, FBI, etc.), remove all traces of corruption
  5. Restoration - CIRT restores machine to normal state and returns it to the network
  6. Follow-up - Notify initial contact of case resolution, generate and submit incident reports

8.0 Platform-specific security

8.1 Windows security best practices

8.1.1 Microsoft update

Microsoft made it easier for administrators and end-users to apply patches to their systems through the use of the Microsoft Update program. This website scans a system and reports if any new patches or updates are available. It has made the process of keeping a system up-to-date as painless as possible.

8.1.2 Microsoft baseline security analyzer

In Microsoft’s push to provide better security to network administrators, they developed the Baseline Security Analyzer. This tool scans local as well as remote systems and checks for vulnerabilities. If it detects a known vulnerability, it reports the problem and lists several options to remedy the situation. It also provides links to Microsoft TechNet, which is an excellent source for Windows information.

8.1.3 System configuration

Knowledge of the Windows registry and proficiency with the tools available in the management console (MMC) will help the network administrator "harden" their Windows system. Locking down such features as the Run command or hiding critical system files and folders may make the administration of the systems easier and limit the attacker's options.

8.1.4 System auditing

Turning on logging and auditing the system will help the administrator detect if the system was tampered with. For example, if unsuccessful login attempts are logged, the administrator will know which account someone was trying to access, when the access attempts occurred, and how many times the individual attempted it. This can aid the administrator in determining who may be trying to gain unauthorized access to the system. Several items are logged, such as file creation/deletion, file access and modification, and system events, to name a few.


8.2 UNIX / Linux / Solaris security best practices

Note: this tutorial assumes you are using a distribution such as RedHat or Debian Linux that pre-configures a system during the install process.

8.2.1 Disable unused services

When your system starts up, it loads several services by default. Go through this list of startup files and turn off those that are not necessary for the system. For example, if the system is not using NFS to share files, then disable NFS from starting up at boot time. This will have a dual effect: the system will become more secure because there are fewer holes for an attacker to go after, and the system will become more stable because less system overhead is spent running unwanted services.

8.2.2 Install patches often

As with any computer platform, you must update UNIX-based systems often to prevent attackers from exploiting known vulnerabilities. The nature of this platform guarantees that vulnerabilities are discovered often, and by the same token, the patches and bug-fixes come almost as quickly as the vulnerabilities are discovered.

8.2.3 Utilize IP-filtering and/or firewalls

It is generally a good idea to implement a simple IPTables-based firewall for workstations and a more robust one for servers. IP filtering can define what machines can and cannot connect to the system and provide an extra layer of defense against attackers.

8.2.4 Install ssh

Secure SHell (ssh) is an encrypted, remote terminal program that allows users to log into the system without having to be at the machine (think secure telnet). It allows the user to use the machine as if they were actually at the terminal; it also allows the encrypted transfer of files between machines (more secure than FTP). All communications are encrypted so that interception is negated. It also adds a layer of physical security as machines are locked away and do not have to be physically available.


Appendix

A.1 Networking Primer

Before setting out to secure a network from attackers, one must understand the theory, standards, and networking technology. Listed below are some suggested items that you should research further for a better understanding of implementation.

  • OSI Model
  • Network Layers
  • TCP/IP
  • Routing
  • Ports


A.2 Security Websites

  • UNT information security
  • Security focus
  • Microsoft security and privacy
  • SANS
  • HelpNet security
  • SecuriTeam
  • Linux security

