1.1 Attacks and threats
To examine the security needs of an organization (security products, rules, procedures, solutions), the security administrator must consider three aspects of information security:
- Security attack – any action that compromises the security of information
- Security mechanism – a process or device designed to detect, prevent, or recover from a security attack
- Security service – a service that increases system security; one service may use several security mechanisms
Attack – an action meant to threaten the security of data, systems and networks. Attacks fall into four main groups, each aimed at one security property:
- Interruption attack – targets availability: the delivery of information is cut off in some way (a link is cut, a service is taken down, a file is destroyed).
- Interception attack – targets confidentiality: an unauthorized party gains access to the information. This can be done by sniffing traffic, observing traffic patterns (who talks to whom, how much and when), reading sensitive data, etc. It is usually a passive attack and is hard to detect, since it does not change the data (the attacker only looks at it). It is also often the preparation for further attacks, as the attacker analyzes the traffic.
- Modification attack – targets integrity: the original data is changed. It is an active attack: the attacker captures the data, modifies it, and forwards the modified data to the receiver.
- Fabrication attack – targets authenticity: the attacker generates fake information and sends it on behalf of a legitimate user.
An attack is usually prepared and carried out in the following steps:
- Survey and assess – Examine the target, identify and assess its characteristics, and draw up an attack plan: the attacker assesses the target's services, protocols, their vulnerabilities, entry points...
- Exploit and penetrate – After assessing the attack surface, the attacker tries to exploit it (mostly a server), typically through the same ports and services that normal users reach.
- Escalate privileges – After penetration, the attacker tries to escalate privileges and gain root (administrator) access to the system.
- Maintain access – The attacker sets up back-door programs, removes log entries and hides his tracks.
- Deny service – An attacker who cannot get into the system often resorts to a Denial of Service (DoS) attack (usually a SYN flood) to prevent others from using the application.
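The Deny service step above names the SYN flood as the usual DoS, and the standard first line of defense is to watch the rate of incoming SYNs per second. The following is an added example, not part of the original notes: a small monitor that counts SYN-only segments per one-second window, both per source address and in total, and raises an alert once per window when either count exceeds a limit. The packet records, address values, limits and traffic pattern are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original notes): per-second SYN rate
 * monitoring. Limits, addresses and traffic below are assumptions made for
 * the demo, not measurements from any real network. */

#define PER_SRC_LIMIT 20   /* SYN-only segments allowed from one source per second */
#define TOTAL_LIMIT   100  /* SYN-only segments allowed from all sources per second */
#define MAX_SRC       256  /* distinct sources tracked per window */

struct pkt {
    uint32_t ts_sec;   /* arrival time, whole seconds */
    uint32_t src;      /* source IPv4 address as a host-order integer */
    int      syn_only; /* 1 when SYN is set and ACK is clear (a new open request) */
};

struct src_count { uint32_t src; uint32_t n; int flagged; };

struct monitor {
    uint32_t win;                   /* the one-second window being counted */
    uint32_t total;                 /* SYNs seen in this window, all sources */
    int      total_flagged;
    struct src_count by_src[MAX_SRC];
    int      used;
};

enum { ALERT_NONE = 0, ALERT_SRC = 1, ALERT_TOTAL = 2 };

void monitor_init(struct monitor *m) {
    memset(m, 0, sizeof *m);
    m->win = UINT32_MAX;            /* no window open yet */
}

static struct src_count *find_or_add(struct monitor *m, uint32_t src) {
    for (int i = 0; i < m->used; i++)
        if (m->by_src[i].src == src) return &m->by_src[i];
    if (m->used == MAX_SRC) return NULL;   /* table full: only the total still counts */
    struct src_count *c = &m->by_src[m->used++];
    c->src = src; c->n = 0; c->flagged = 0;
    return c;
}

/* Feed one packet. Returns a bitmask of alerts raised by this packet; each
 * alert fires at most once per window so a flood does not also flood the log. */
int monitor_feed(struct monitor *m, const struct pkt *p) {
    if (!p->syn_only) return ALERT_NONE;
    if (p->ts_sec != m->win) {      /* new second: start a fresh window */
        m->win = p->ts_sec; m->total = 0; m->total_flagged = 0; m->used = 0;
    }
    int alerts = ALERT_NONE;
    if (++m->total > TOTAL_LIMIT && !m->total_flagged) {
        m->total_flagged = 1; alerts |= ALERT_TOTAL;
    }
    struct src_count *c = find_or_add(m, p->src);
    if (c && ++c->n > PER_SRC_LIMIT && !c->flagged) {
        c->flagged = 1; alerts |= ALERT_SRC;
    }
    return alerts;
}

/* Constructed traffic: second 0 is normal clients, second 1 is a flood from a
 * single source, second 2 is a flood with a different (spoofed) source on
 * every packet. Returns how many alerts of the given kind were raised. */
int demo_alerts(int kind) {
    struct monitor m; monitor_init(&m);
    int count = 0;
    struct pkt p;
    for (uint32_t i = 0; i < 10; i++)              /* 10 clients, 2 SYNs each */
        for (int k = 0; k < 2; k++) {
            p = (struct pkt){0, 0x0A000001u + i, 1};
            if (monitor_feed(&m, &p) & kind) count++;
        }
    for (int k = 0; k < 500; k++) {                /* one source, 500 SYNs */
        p = (struct pkt){1, 0xC6336401u, 1};
        if (monitor_feed(&m, &p) & kind) count++;
    }
    for (uint32_t k = 0; k < 500; k++) {           /* 500 spoofed sources, 1 SYN each */
        p = (struct pkt){2, 0x01000000u + k * 7919u, 1};
        if (monitor_feed(&m, &p) & kind) count++;
    }
    return count;
}

int main(void) {
    printf("per-source alerts: %d\n", demo_alerts(ALERT_SRC));   /* 1: second 1 only */
    printf("aggregate alerts:  %d\n", demo_alerts(ALERT_TOTAL)); /* 2: seconds 1 and 2 */
    return 0;
}
```

The two counters matter for different floods: a flood from one real source trips the per-source limit, but a flood that spoofs a fresh source address on every packet never exceeds one SYN per source and is only visible in the aggregate count. Rate monitoring alone does not stop the flood; the usual kernel-side complement is SYN cookies (on Linux, the net.ipv4.tcp_syncookies sysctl), so that unanswered SYNs do not consume connection state.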
Risk – the possibility of damage: loss of data, hardware or reputation, or of anything else related to the company or its network. It is commonly expressed as:
Risk = Threat x Vulnerability x Property value
Threat – the adversary, situation, or circumstance that could exploit a vulnerability. Threats are divided into:
- Passive threats: do not affect the behavior of the system. They include sniffing, eavesdropping, revealing the contents of messages...
- Active threats: do affect the behavior of the system. They include masquerading (pretending to be someone else), replay attacks (capturing legitimate messages and re-sending them later to produce an unauthorized effect, for example reusing a captured authentication exchange)...
Vulnerability – a weakness in a service, or in any other component, that exposes things that are not meant to be exposed. Vulnerabilities are the consequence of:
- Bad planning: a mistake made by the system administrator or the system engineer.
- Bad implementation: a mistake made by the party that installs and configures the product.
Property value – not all hardware components have the same value. Two identical servers can have different values: a server holding the database of all bank customers and their credit cards is worth more than the same server used for testing.
The most frequent attacks and threats:
- Denial of Service (DoS) attack – makes a service or program stop working, or work so badly that normal users cannot use it. A common form is the SYN flood at the transport layer: the attacker sends huge numbers of TCP SYN packets, and the server's table of half-open connections fills up. To cope, the server must limit the rate of incoming SYN packets per second (per source and in total) and use a defense such as SYN cookies, so that unanswered SYNs do not consume connection state.
- Spoofing attack – The attacker forges the source IP address in the IP packets he sends, presenting himself as another machine.
- Sniffing attack – The attacker intercepts traffic passing through the system and reads its contents.
- Trojan horse – hidden code inserted into an apparently legitimate program; its goal is to change what the program does.
- Trap door – The author of a program can leave (deliberately, or by accident) a trap door in the program: a hidden way in that bypasses the normal access checks.
- Buffer overflow – The attacker exploits a mistake in the source code: the program copies input into a fixed-size buffer without checking its length, so sending more input than the buffer can hold overwrites adjacent memory.
- Worms – Standalone malware programs that spread from system to system, usually through e-mail or Internet services; they can degrade system performance.
- Virus – Code fragments that attach themselves to other programs and spread when those programs run.
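The buffer overflow item above, as an added example that is not part of the original notes: the same copy routine written without a length check and with one. The record layout (a 16-byte name field followed in memory by an 8-byte role field), the field sizes and the attacker payload are constructed for the demo; the two fields are laid out as one flat array so the overflow stays inside the demo buffer and its effect on the adjacent field is visible.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the original notes). The record layout, the field
 * sizes and the payload are constructed for the demo: a 16-byte name field is
 * followed in memory by an 8-byte role field, laid out as one flat array so
 * that the overflow stays inside the demo buffer and its effect is visible. */

#define NAME_LEN 16
#define ROLE_LEN 8

struct record {
    char mem[NAME_LEN + ROLE_LEN];   /* [0,16) name, [16,24) role */
};

void record_init(struct record *r) {
    memset(r->mem, 0, sizeof r->mem);
    memcpy(r->mem + NAME_LEN, "user", 5);   /* everyone starts as "user" */
}

const char *record_role(const struct record *r) { return r->mem + NAME_LEN; }

int record_is_admin(const struct record *r) {
    return strcmp(record_role(r), "admin") == 0;
}

/* Vulnerable: copies until the terminating NUL, bounded only by the end of the
 * whole demo buffer (so the demo stays well-defined), never by the size of
 * the name field. A name longer than 15 bytes runs into the role field.
 * Returns the number of bytes copied. */
size_t set_name_vulnerable(struct record *r, const char *input) {
    size_t i = 0;
    while (input[i] != '\0' && i < sizeof r->mem - 1) {
        r->mem[i] = input[i];
        i++;
    }
    r->mem[i] = '\0';
    return i;
}

/* Hardened: the bound is the field size. Over-long input is rejected and the
 * record is left untouched; rejecting is preferable to silent truncation,
 * which would store a different name than the one the caller supplied. */
int set_name_checked(struct record *r, const char *input) {
    size_t n = strlen(input);
    if (n >= NAME_LEN) return -1;            /* no room for the NUL terminator */
    memcpy(r->mem, input, n + 1);
    return 0;
}

/* Constructed attacker input: 16 filler bytes to fill the name field, then
 * the word "admin", which lands exactly where the role field starts. */
static const char PAYLOAD[] = "AAAAAAAAAAAAAAAAadmin";

/* Run the vulnerable copy on a fresh record; returns the resulting admin flag. */
int demo_vulnerable_admin(const char *input) {
    struct record r; record_init(&r);
    set_name_vulnerable(&r, input);
    return record_is_admin(&r);
}

/* Run the checked copy on a fresh record; returns -1 if rejected, else the admin flag. */
int demo_checked_result(const char *input) {
    struct record r; record_init(&r);
    int rc = set_name_checked(&r, input);
    return rc != 0 ? rc : record_is_admin(&r);
}

int main(void) {
    struct record r;
    record_init(&r);
    set_name_vulnerable(&r, PAYLOAD);
    printf("vulnerable: name=%.16s role=%s admin=%d\n",
           r.mem, record_role(&r), record_is_admin(&r));   /* role=admin admin=1 */
    record_init(&r);
    int rc = set_name_checked(&r, PAYLOAD);
    printf("checked:    rc=%d role=%s admin=%d\n",
           rc, record_role(&r), record_is_admin(&r));      /* rc=-1 role=user admin=0 */
    return 0;
}
```

In a real program the adjacent memory is whatever the compiler placed there: another field, a saved return address on the stack, or heap metadata, which is why the same defect can yield anything from a privilege flip, as here, to arbitrary code execution. The fix is always the same: the length check must be against the size of the destination, and the caller must learn when input was rejected.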
1.2 What is security?
Security – the process of keeping risk low. It is never a finished product, and cannot be: security is an ongoing process, and there is no absolute security. Investment in security reduces the risk that vulnerabilities are exploited, but that investment has a cost, so it is crucial to balance the cost against the level of risk the company is willing to accept. Security consists of four main parts:
- Assessment (planning) – Preparation for the other three parts. A mistake in planning results in problems in the other steps.
- Protection (prevention) – Countermeasures are put in place to reduce the attack surface.
- Detection – Identifying that an attack is happening or has happened, and what it did.
- Response – Recovery from the attack. This can include patching, restoring from backups, returning the system to a known-good state, or even legal proceedings, which require forensics and the collection of evidence.
Confidentiality, Integrity, Availability (CIA) are the three fundamental principles of information security.
- Confidentiality – Prevents the disclosure of personal or any other sensitive information. Confidentiality is the service that gives access to information only to the users authorized to access it, and to no-one else.
- Integrity – Prevents changes to data by unauthorized personnel. Even authorized personnel can change data only through approved operations, so that unintended or undetected changes are prevented.
- Availability – Keeps data and services accessible to authorized users when they need them. Systems should be up and working all the time; absolute uptime is not achievable, but at least "five nines" (99.999%) is the usual target.
Security service – a service that increases system security. A security service is built from security mechanisms (which detect attacks and/or recover from them). Security services are the solutions, technologies, rules and procedures we implement on a system; they are updated and upgraded regularly.
- Privacy – Data must be kept from unauthorized access: only authorized users can view or modify it. No-one other than you can view your private data.
- Authentication – The service that asks for proof that you are who you claim to be: a username and password, an ID, a token or something else that shows you are entitled to use this account.
- Integrity – The service that keeps data whole: it ensures the data is protected from unauthorized modification and that any modification is detected.
- Non-repudiation – The service that proves that the user who performed an action actually did it, so he cannot later deny it. It provides evidence that helps resolve disputes and litigation.
- Access control – Allows authenticated users to access only the resources they are permitted to; it establishes rules that make clear who has access to what.
- Availability – The service that keeps the data it serves available.
Services and mechanisms cannot provide security without a planned implementation and strategy. The most widely used strategy is a layered approach: the information is kept in the center of concentric rings, and a user must pass the security services and mechanisms of each ring to reach the center where the data is kept. Suppose a system has four layers of protection. The first layer faces the Internet; here the user hits a firewall or the DMZ (the part of the network that is publicly reachable). The second layer adds PKI infrastructure, VPNs and further network barriers. The third layer provides the CIA elements (confidentiality, integrity, availability) on the system itself. The innermost layer protects the data and services with access control (passwords, identity checks), digital signing, auditing and logging...
1.3 Classifying information
Ownership – every service, resource and entity (database, device, directory...) has an owner who is responsible for it. The owner must classify the information, define who can access it, and is responsible for its protection.
Data can be classified into the following categories:
- Public information – Not confidential; can be made public without any consequences for the company.
- Internal information – Confidential; should not be put on the public Internet or shared outside the company.
- Classified information – Highly confidential; must not be shared on the Internet or with anyone who is not authorized.
- Secret information – Unauthorized access, even from inside the company, could be fatal for the company. Only a small number of people may access it, under explicit policies and rules.
1.4 Protection methods
Protection methods evolve and change as the IT industry progresses. There are protection methods at the:
- application level – software protections, for example securing the software against buffer overflows, or using specific protocols to increase security;
- operating system level – OS patching, updates...;
- network level – firewalls, blocking unused ports, using strong encryption, isolating routing paths...;
- policy level – rules for protection, procedures, attack detection, preventive countermeasures, tracking of system vulnerabilities, employee education...
Examples from the real world
- Forming a DMZ – A DMZ is a neutral zone between the public and the private network. Routers, firewalls, proxy servers and software there are used to detect and prevent attacks.
- Software testing – Before installing any software in any production environment, test it in a test environment. This includes web servers, FTP servers, mail servers, databases...
- FTP and Telnet – These should be blocked: they send credentials in clear text, so anyone who can sniff the traffic can reuse them to gain unauthorized access to the systems.
- Using passwords – Use strong passwords; it is extremely important to change them regularly.
- Update software – Always update software to newer versions. Older versions have known security holes that attackers can exploit.
(ISC)² stands for International Information System Security Certification Consortium. (ISC)² is the non-profit organization that created the CISSP (Certified Information Systems Security Professional) certificate, which covers the following topics:
- Systems for access control
- Applications and systems security
- Planning recovery from attacks
- Ethical aspects of security
- Physical security
- Managing security systems
- Security architecture and models
- Communication and computer network security
To create a security project based on the topics above, the following must be decided:
- Who is responsible for the project
- How users and terminals are identified
- Ownership schemes
- Detection methods for unauthorized access
- Recovery methods for damaged data
- Recovery methods for system failure
- Whether to use cryptography or not