This is information age. There are financial and corporate information, research and analysis reports, trends etc. There are trend-setting and military information. Information is being categorized, as confidential, sensitive and critical. There are automation tools for extracting and gleaning information. There are management solution products such as content management, knowledge management and document management for managing the collected information. There are different storage mechanisms for preserving information. Finally, on securing information, there are tools and techniques. In this white paper, we are to discuss about the three important types of information security, such as securing information from hackers, securing information while on transit and securing information stored in systems that can be lost or stolen. Finally a brief about wireless security has been described here.
Keywords: Authentication, Authorization, Integrity, Confidentiality, Cryptography, Security, Hackers, Firewall, Intrusion Detection System, Virtual Private Network, Viruses, Worms, Encryption, Digital Signature, Digital Certificate, Internet Protocols.
Information Access Value Vs. Risk
The Internet has become the information super highway. The evolving Internet and its related technologies have allowed businesses to communicate in new and strategic ways with various types of people and organizations. Over the years, there have been additions of feature upon feature to the Internet connections. As the needs have changed, human beings have come across the need of more robust services, faster connections, and more flexibility in what can be done. In the beginning, services like simple POP3-style email and Web access were the extent of an Internet connection. Today we have site-to-site Virtual Private Networks (VPNs), client-side and home-user VPNs, streaming media, Web-based training, exciting Internet applications, e-commerce, and business-to-business extranets. Thus the Internet evolves towards fulfilling various advanced needs of human society.
On the home front, the ability to connect to the Internet from a home computer has enriched many households by providing new sources of information and entertainment. Online news, weather, stock reports, film and reference guidance, and guides replace newspapers, periodicals, radio and television for many users. What few home users realize is that access to the Internet goes both ways: An unprotected computer or network of computers sharing an Internet connection can easily be infiltrated unless appropriate security is in place.
On enterprise side, as corporate users increasingly proliferate to information, access beyond the intranet enterprise, the need for ubiquitous, but secure, access for roaming users access multiple channels becomes increasingly prevalent. What was once a digital evolution within the confines of an enterprise or organization has transformed into ubiquitous access over multiple channels – the enterprise network, the Internet, mobile computing devices and WAP-enabled wireless phones. Traditionally securing these layered portals for trusted communications has relied not only on standard security implementations such as VPNs, IDSs and firewalls, but also to more advanced security tools such as PKI and Authorization or Privileged Management Infrastructure (PMI). More recently, organizations have additionally looked to an Authentication Management Infrastructure (AMI) model to providing conclusive user authentication. Thus a multifaceted security approach, a combination of security solutions, helps organizations to secure their corporate networks while not impeding resource access.
Many organizations have grown their Internet set of features across multiple devices or possibly multiple connections – a firewall for Web and mail traffic, a VPN appliance for remote connections, a different firewall for a business-to-business (B2B) relationship that may exist, or other possible combinations of lines and devices that can push Internet vulnerabilities beyond control. These services can even be distributed across multiple Internet service providers. Regardless of the number of devices that are on the Internet, each has different services that can be potentially exploited.
Ever since the first data exchange took place over the Internet involving a non-private part of the infrastructure, security has been one of the most critical design considerations of any Internet application. Hackers increasingly probe connected computers for weaknesses in their security and can gain access, wreaking havoc or stealing confidential information without the user even realizing it. Trojan horse programs and Spyware come from seemingly innocent sources, such as email attachments and file downloads. Once the user launches them they can secretly sending data including any sensitive personal or financial information stored on the PC and back out over the Internet.
As soon as a computer system is hooked into the Internet, it is exposed to risks of malicious, or even just curious, visitors accessing the system and sniffing for information that was not intended to be shared with anyone. That is, any connection to the Internet is vulnerable to exploitation. The most basic vulnerability that all connections face is that they could be made unavailable and brings down mission-critical services with them. The worst-case scenario could be a complete system failure, not involving just the host that was serving as the gateway to the Internet, but all other computers to which any path existed from that gateway machine.
Although information security has always had an important role as technology has advanced, it has become one of the hottest topics in the recent past. The Internet’s open design and the explosive usage along with rapid adoption of internetworking systems became the prime factor for the tremendous explosion in demand for security services.
As the number of potential targets grows, the sophistication of security threats is increasing. Traditional security products such as virus scanners and firewalls do not provide adequate protection against unknown threats and the thousands of mutations and variations of Spyware and viruses available to hackers on the Internet. With the Internet being used in so many ways, the security control of new applications and technologies requires an entirely new paradigm. Security, in this environment of constantly evolving threats, can only come from having complete control of the Internet connection including the ability to specify which applications, known and unknown, can be trusted to use the Internet.
Software infrastructure vendors, application developers, device manufacturers, Network operators and various research organizations and labs are working hard towards addressing the security needs of data and services being provided by connected computing systems.
Today we have some intelligent defenses against attacks, such as denial of service (DOS) attacks, as routers and other devices can be set to verify source addresses and ignore packets if they are bogus or carry a suspicious pattern. However, beyond the DOS of open ports, easy passwords, unsecured routers, and unknown features that any Internet device may have.
The International Data Corporation (IDC) forecasts that Authentication and Authorization industry, two security components are poised together to grow 28 percent annually to reach more than $7 billion by 2004. This steady growth has heightened security awareness among organizations struggling to mitigate risk while providing anytime, anyplace access to employees, customers, and partners. Security awareness is at an all time high as companies become increasingly Web-centric while breaches in security become mainstream news topics. The computer Security Institute’s annual security survey revealed that 90 percent of the respondents in large corporations and government agencies detected security breaches within the last 12 months.
A Primer on Information Security
Security is neither a software application that can be bought off the shelf and deployed to make a network secure nor a piece of hardware that can guard a network against attacks. A good secured system always ensures the following five basic tenets of security. They are
Authentication – To address the need to provide trusted access to critical applications, enterprises require solutions that provide authentication and authorization capabilities. Authentication is the process of validating the true identity of another party. Secure systems should incorporate some form of authentication in order to validate the user who is requesting interaction with the system.
Organizations need to be able to conclusively verify the identity of individuals and entities before providing the authority and access privileges that allow them to access confidential information or conduct transactions electronically. If users are not properly identified, and if that identification is not verified through authentication, an organization has no assurance that access to resources and services is properly controlled.
A robust Authentication platform should have the following capabilities.
The simplest form of authentication is a straightforward user name and a password. The basic assumption is that only the user knows his or her password and is trusted with its security. This mode of authentication works quite well when the other party is not a machine but a human. Often the username and password get transferred in plain text format over the public network using the Password Authentication Protocol (PAP). In order to prevent someone from sniffing the network packets and getting unauthorized access to the password and later on spoofing the identity of another user, there are some authentication protocols that use cryptography technology to encrypt the user name and password information during their transmission. The most commonly used protocol for this is the Challenge-Handshake Authentication Protocol (CHAP).
E-business systems need to authenticate users for a variety of reasons and at a variety of levels. While high-security and regulated environments such as financial services, healthcare and government will adopt advanced forms of authentication such as tokens and biometrics, the simplicity and familiarity of user name/password will extend its usage despite the hype of PKI and biometrics. The decision to move to stronger authentication techniques needs to be driven by the business impact of fraudulent identification.
Strong authentication generally requires at least two of the four types of authentication to be used in combination. Examples are smart cards plus PIN or biometric, digital certificate plus passwords, physical location, that is, access to a server console plus a password, or biometric plus a PIN.
The cost of moving from passwords to strong authentication can be significant. Smart cards and biometrics require reader devices, digital certificates require PKI and location-based authentication requires the use of GPS or other location technologies.
Because a biometric measures a unique physical or behavioral biological characteristic, an accurate biometric is the strongest possible way of identifying a user. However, like a clear-text reusable password, physical biometrics are vulnerable to capture and replay-type attacks via a network unless augmented with additional security. Biometric techniques can be broken down into two categories:
Physical: Scans retina, fingerprint, hand geometry or face
Behavioral: Analyzes voice or handwriting
Digital signatures are based on a combination of the traditional idea of data hashing with public-key based encryption. Most hash functions are similar to encryption functions; in fact, some hash functions are just slightly modified encryption functions. Most operate by grabbing a block of data at a time and repeatedly using a simple scrambling algorithm to modify the bits. If this scrambling is done repeatedly, then there is no known practical way to predict the outcome. It is almost impossible for some one to modify the original data in any way while ensuring that the same output will emerge from the hash function. These hash-based signature algorithms use a cryptographically secure hash function such Message Digest 5 (MD-5) or Secure Hash Algorithm (SHA) to produce a hash value from a given piece of data.
The first step is to take the original message and compute a “digest” of the outgoing message using a hashing algorithm. The result is a message digest, which is typically depicted as a long string of hexadecimal digits and manipulated by software as binary data.
The original message content, together with the encrypted digest, forms a digitally signed message, which is suitable for delivery to the recipient. On receipt, the receiver verifies the digital signature using an inverse set of steps: first the encrypted digest is decrypted using the sender’s public key. Next, this result is compared to an independent computation of the message digest value using the hashing algorithm. If the two values are the same, the message has been successfully verified.
A digital signature provides compelling evidence that only the intended signer could have created the message. Suppose interlopers have changed the original message in its transit, and then the decrypted, original message digest would not have matched the recomputed one for the changed data in the message. Verification of the digital signature would fail. Similarly, the creation of bogus signature is impractical because an interloper does not have the appropriate private key.
Digital certificates consist of data that is used for authentication and securing communications especially on unsecured networks such as the Internet. Certificates associate a public key to a user or other entity (a Computer or service) that has the corresponding private key. Certificates are digital IDs being issued by certification authorities (CAs), which are trusted entities that vouch for the identity of the user or computer. The CA digitally signs the certifications it issues, using its private key. The certificates are valid only for a specified time period
Certificate authorities are trusted third parties, like notaries. Certificates are files packaged in many different ways containing identifying information on an individual, such as name, organization, phone number, e-mail address and most importantly, the individual’s public key and the digital signature of the issuing certificate authority. Certificate authorities demand notarized documentation of a person’s identity before issuing a certificate that guarantees identity.
It is also critical to authenticate the machine or device through which the user is interacting with the system. For this purpose, the digital certificate technique is being used. A digital certificate certifies the bearer of the certificate and is being issued by an accredited certification agency. Generally for an identity card, the identifier is the photograph along with a signature that should match the signature on the check. In the case of digital certificates, it is a digital certificate carrying a public key of the subject, which can be used to identify the party and subsequently to encrypt the information sent to the user. The digital certificate is credible as it is being used by a recognized organization known as a Certification Authority (CA) after verifying the validity of the entity applying for the certificate.
Authentication is the most critical component of any security architecture as almost all other parts of security mechanism rely on the basic premise that the two parties involved in digital communication have been fully authenticated.
Securing a network consists of several crucial steps. The first and foremost one is devising a successful authentication strategy. One has to be sure the users trying to access resources actually are who they say they are. There are many ways to execute this authentication. In addition to basic structural elements such as credential input devices, demands on user data input, and layering of data validation, network authentication employs numerous methods and protocols to issue certificates and pass data packets back and forth. Here come some common authentication methods and protocols:
Kerberos Protocol – This was developed to provide secure authentication for Unix networks. Microsoft also started to support it with the release of Windows 2000. Kerberos uses temporary certificates called tickets, which contain credentials that identify the user to the servers on the network. In the latest version, the data contained in the tickets including the user’s password is encrypted. A Key Distribution Center (KDC) is a service that runs on a network server. The server issues a ticket called a Ticket Granting Ticket (TGT) to the clients that authenticates to the Ticket Granting Service (TGS). The client uses this TGT to access the TGS. The TGS issues a service or session ticket, which is being used to access a network service or resource.
Secure Socket Layer (SSL) – The SSL protocol is used to provide secure access to Web sites via a combination of public key technology and secret key technology. Secret key encryption, also referred to as symmetric encryption is faster, but asymmetric public key encryption provides for better authentication so SSL, being a hybrid one, has been designed to benefit form the advantages of both. The SSL is being supported in almost all the current Web browsers and Web servers. SSL operates at the application layer of the OSI reference model. This means applications must be written to use it.
SSL authentication is based on digital certificates that allow Web servers and user agents to verify each other identities before they establish a conversation. Thus there are two types of certificates: one for client and one for server.
Microsoft NT LAN Manager (NTLM) – It is used by Windows NT servers to authenticate clients to NT domain. Windows 2000 uses Kerberos authentication by default but retains support for NTLM authentication. Unix machines connecting to Microsoft networks via an SMB client also use NTLM to authenticate.
NTML uses a method called challenge/response, which uses the credentials that user provided at log on each time that user tries to access a resource. That is, the user credentials never get transferred across the network enhancing security. For this mechanism to work both the client and server have to reside in the same domain or there must be a trust relationship established between their domains.
Password Authentication Protocol (PAP) – PAP is used for authenticating a user over a remote access control. An important characteristic of PAP is that it sends user passwords across the networks to the authenticating server in the plain text. But the advantage is that it is compatible with many server types running on different OS.
Shiva PAP is an improvement over PAP in terms of security level, as it uses an encryption method being used by Shiva remote access servers. The client sends the user name along with the encrypted password, and the remote server decrypts the password. If the user name and password match the information in the server’s database, the remote server sends an Acknowledgement message and allows the connection. If not, a Negative Acknowledgement (NAK) is sent, and the connection is refused.
Challenge Handshake Authentication Protocol (CHAP) - This protocol is used for remote access security. It uses MD5, a one-way encryption method. CHAP performs a hash operation on the password and transmits the hash result instead of password itself over the network and hence the security of the password gets maintained.
The hash algorithm employed in this protocol ensures that the operation cannot be reverse engineered to obtain the original password from the hash results. However, CHAP is vulnerable to remote server impersonation.
MS-CHAP v2, the Microsoft version of CHAP, uses two-way authentication so that the identity of the server as well as the client is verified. This protects against server impersonation. MS-CHAP also increases security by using separate cryptographic keys for transmitted and received data.
Extensible Authentication Protocol (EAP) – It is a means of authenticating a Point-to-Point (PPP) connection that allows the communicating computers to negotiate a specific authentication scheme called an EAP type. A vital characteristic of EAP is its extensibility. Plug-in modules can be added at both client and server sides to support new EAP types. EAP can be used with TLS to provide mutual authentication via the exchange of user and machine certificates.
Remote Authentication Dial-In User Service (RADIUS)
RADIUS often is used by Internet Service Providers (ISPs) to authenticate and authorize dial-up or VPN users. A RADIUS server receives user credentials and connection information from dial-up clients and authenticates them to the network. RADIUS can also perform accounting services, and EAP messages can be passed to a RADIUS server for authentication. EAP needs only to be installed on the RADIUS server and it is not required on the client machine. Windows 2000 Server includes a RADIUS server service called Internet Authentication Services (IAS), which implements the RADIUS standards and allows the use of PAP, CHAP or MS-CHAP as well as EAP.
A break-in to an enterprise’s network or Web site can have various levels of impact on the enterprise/e-business and its clients.
The Intended Use of Authentication
Authentication is required to achieve some business objective:
We are to see below what is all about the next critical phase in securing information.
Authorization – Authentication is only one step albeit a critical one. Another critical requirement is the need to control user’s access to sensitive resources once they have been strongly authenticated. Thus Authorization is the process of establishing the rights and privileges of a party during its interaction with the system. The most common way to establish authorization is by means of Access Control Lists (ACLs). Most Web and application servers implement authorization schemes by use of ACLs, which are essentially text-based property files that follow proprietary formats. Newer breeds of applications are using directory services and industry standard protocols like Lightweight Directory Access Protocol (LDAP) to establish the rights and privileges of the users or entities that interact with those applications.
An authentication platform enables organizations to deploy personal authentication at the network’s edge and know for certain who is accessing sensitive information, applications and transactions. It enables an enterprise to deploy and manages multiple advanced authentication methods – biometric (fingerprint, voice, face, iris and signature recognition) and non-biometric (token and smart card) to protect access to any application or resource.
Firewalls and Intrusion Detection Systems are the appropriate tools for providing the much-wanted authorization for users. They are discussed separately below.
Confidentiality – It is the process of ensuring that any sensitive data being transmitted between the communicating parties can be read only by those parties. Often it is not just enough to authenticate the other party and permit interaction with the system based on authorization. The data that gets sent back and forth between two communicating parties can be sensitive as well. Today most Internet communications happens over public networks. Passwords sent during an authentication session, credit card information sent during a e-commerce transaction, account balances sent during a retail banking transaction, medical records of a patient sent during an inter-hospital communication and a CEO’s email message sent to the board of directors are all examples of data that should be readable only by the party it is intended for and none other. Thus it becomes mandatory to maintain the confidentiality of sensitive information being transmitted among parties. The combating strategy is called encryption. It has many different variations based on the algorithms used for encrypting the information, as well as the protocols used between the communicating parties and the types of keys used to encrypt the data.
Cryptography – It is the ancient art and science of encryption or keeping messages secret. Encryption is the process of transforming information before communicating it to make it unintelligible to all but the intended recipient. All cryptography operates according to the same basic principle. Mathematical formulas called cryptographic algorithms, or ciphers and numbers called keys is used to scramble or encipher information to make it difficult to comprehend without having the appropriate key to unscramble to decipher the information. There are two kinds of encryption – single (symmetric) key and public (asymmetric) key.
Single key encryption - In this scheme, the key used to encrypt the data is itself used to decrypt it also. This means that both parties need to have the same key. As long as this is the case, and no other party has access to that key, the confidentiality of the data transmitted seems to be reasonably secured. The merits of this kind are lower processing power and speed. The demerit is the decoding key should be some how communicated from sender to receiver. Even if a message is fitted with a twenty-first-century 1,024-bit encryption key, the key should still be made known to the message recipient. For an example, the Data Encryption Standard (DES) algorithm used a 56-bit encryption key to encode and decode a message.
Public key encryption – This type enables secure communication between parties without the need to exchange a secret key. It is the basis for privacy, authentication, data integrity, and nonrepudiation. Public key cryptography uses a complex mathematical formula to generate two separate but related keys, one open to public view and the other private, known only to one individual. When a message is encoded with a public key, only the holder of the private key can decode the message, assuring privacy for the sender, because only the owner of the private key can decode the message. A message encrypted with a private key can be decoded by anyone with the corresponding public key.
In 1977, Ron Rivest, Adi Shamir, and Leonard Adelman introduced RSA, a public key standard with a name based on the first letters of their surnames. RSA requires significant computing to generate the public and private keys and hence Phil Zimmerman in 1986 came out with a public key encryption system for use on personal computers and is called Pretty Good Privacy (PGP).
Modern Cryptography Systems – A combination of both single key and public key is used in modern cryptographic systems. The reason for this is that public-key encryption schemes are computationally intensive versus their symmetric key counterparts. Because symmetric key cryptography is much faster for encrypting bulk data, modern cryptography systems typically use public-key cryptography to solve the key distribution problem first, then symmetric key cryptography is used to encrypt the bulk data.
Data Integrity – Though confidentiality ensures that an intervening party can’t read secure data, even if the data is intercepted, it does nothing to prevent a malicious intruder from tampering with encrypted data while it is in transit. Thus message integrity takes an vital part in secure communication as others. The most common technique for ensuring the integrity of a digital message is applying a hashing algorithm on its content and to communicate that hash value or message digest to the receiver of the message. The receiver can apply the same hashing algorithm on the contents of the received message and match the message digest with the one that was transmitted along with the message. The various algorithms are Secure Hashing Algorithm-1, Message Digest 2, and Message Digest 5. As for the transmission of the message digest itself; most common implementations employ the use of the asymmetric encryption method.
Nonrepudiation - It should not be possible for a sender to reasonably claim that he or she did not send a secured communication or did not make an online purchase.
Below we look at the threats and vulnerabilities lurking around communication systems and the information security technologies that we can use them to challenge them head on.
Here come some of the most commonly encountered types of intrusions and attacks. They can be classified as follows:
Internal Attack – an attack originating from inside the local network. It is easier for legitimate network users to steal, modify, or destroy data or plant malicious code on the network because they need not worry about getting inside. While it is important to protect the network perimeter where our LAN connects to the Internet, it is equally important to consider internal threats. To address internal threats, we have to
External Attack – an attack originating from outside of the local network. The unknown enemy who attacks from across town or across the globe presents a more frightening image. Now that most company networks are connected to the Internet and more of these connections become full-time dedicated ones with static IP addresses, the threat from the Internet has become very real.
Protecting our Internet-connected network from external intrusions and attacks requires a good, multilevel, well-thought-out security plan. Our first line of defense should be firewall of some sort at the outer perimeter of the network. We can also create a DMZ or perimeter network, which is a sort of buffer zone between the external network and our network.
The external attack can be further subdivided into two types as intrusion and non-intrusion attacks. The differentiation is based on the fact that the data on our network is the target of the attack or just to bring down our network and prevent legitimate users from gaining access.
Another way to categorize attacks is by the technical aspect; different attack types exploit vulnerabilities. For example, an attack that exploits the bugs in a user application is a risk only to those who use that application. An attack that exploits security holes in an operating system is likely to put larger group at risk because most computers run one of only a few common operating systems. The most universally dangerous is the attack that uses the characteristics of a networking protocol, particularly TCP/IP, the protocol run by every computer on the Internet. Many common attacks are based on creative exploitation of some weaknesses or characteristics of a member of the TCP/IP protocol suite.
Modern versions of the Microsoft Office applications allow us to create macros or use Visual Basic for Applications to automate functions. This helps hackers to insert malicious code into Office documents, which can then be sent to a destination on our network as email attachments.
Also Microsoft outlook and other sophisticated email clients as well as Microsoft’s Internet Information Server (IIS) are vulnerable to this type of activity. Because these email clients allow us to receive HTML-formatted email, they are also vulnerable to exploits that embed malicious Java applets or VBScript into an HTML document. These applications then run on the destination computer and can introduce a virus, collect data and sent it back to the originator, delete data from our hard disk, or perform other unwanted actions.
Hackers can exploit bugs in an operating system to gain access to our system as well. The Windows 9x operating systems are inherently insecure. OS components can be subjected to buffer overflows, in which the number of bytes or characters exceeds the maximum number allowed by the programmer writing the software. This can cause the system to crash. Often, OS vulnerabilities are more or less due to bad configuration and by effecting changes in the default configuration settings; we can prevent many of these vulnerabilities. For most of the true security bugs, the OS vendors constantly release hot fixes, patches, or service packs that fix the problem once it becomes known. Hackers often count on the fact that many of the network administrators are not so quick in applying the fixes.
Knowledgeable hackers to gain access to our network or damage our data can exploit commonly used protocols, such as HTTP, DNS, CGI, and FTP. TCP/IP-related protocols, such as TCP, UDP, and ICMP are favorite targets and are the basis of many of the attack types.
Internet Explorer (IE) Security - Vulnerabilities and Cures
Internet Explorer can misinterpret some IP addresses as belonging to an intranet site rather than an Internet site, by passing normal security protocols that are applied to Web sites but are not enforced against internal HTML documents. This is called IP spoofing
The second vulnerability involves a way attackers can cause IE to contact a Web site, send a command as soon as the connection has been established and make it appear that this command comes from a third party. This could allow some one to spoof a user and delete information such as e-mail from Internet accounts.
The third vulnerability is related to a specific version of Telnet. This flaw in IE allows command-line actions, which should be blocked, to be executed
E-mail comprises well over half of the correspondence taking place between external stakeholders in today’s business world. It is surprising that only 10 to 15 percent of the emails sent over the Internet are encrypted. Security of emails is highly recommended, as there are issues on transmission of inappropriate messages or the disclosure of privileged information. Part of the problem is that standard e-mail POP3 or IMAPI is communicated in an open protocol (SMTP) that can be easily spoofed or compromised.
There are some shortcomings on standard e-mail systems:
There are some measures that can be taken to prevent theft, interception, and sabotage of our email. Businesses can protect themselves from sabotage or liability by installing gatekeeper or filtering software on their email servers to prevent a raider from intercepting any communication. This class of software will search messages for questionable content and alert system administrators to review any findings. These content filters can also be used to protect an enterprise’s intellectual property. One example is the Echelon Project, developed by the National Security Agency which has the ability to monitor millions of simultaneous contacts or message packets from anywhere in the world. The FBI uses a system called Carnivore, an intelligent message-packet sniffer that can trace email header information.
Businesses can protect themselves from e-mail interception by putting the following message/system qualifications in place.
There is not a universal accepted standard for the protection of electronic messaging industry wide. Most of the technologies used today are based on a set of keys (a long character string) that produces a safeguarded valid certificate. This certificate and its associated keys are then used to encrypt and authenticate a message. The following list outlines several options available today for safeguarding messages:
We have been hearing and realizing some of the vulnerabilities that have been uncovered in today’s communication systems. Hacking and viruses have certainly been in the limelight in recent years because of their visibility but many less visible threats are out there and can be even more sinister. As the value of data sent over networks increases, it is becoming more and more important to implement effective information security measures.
The main categories of threat are:
Hacking or Intrusion Attacks: This category encompasses attacks whereby an intruder gains access to some area or set of resources that are intended to be off-limits. Classic examples are a website being vandalized or confidential data being stolen by illegal access.
Hackers come in several different flavors and have an assortment of motives and objectives once they gain access to a vulnerable system. Hackers range from the inexperienced “script kiddies” to professionals who engage in targeted industrial espionage.
Script kiddies are at the bottom of the hacking food chain. They download tools and hacking scripts created by serious systems crackers and read about new ways to break into certain systems from hacker Web sites. Then, they scan the Internet for systems meeting a certain description and attempt to hack it. They accomplish these hacks without really understanding how it works. They simply run the programs or scripts and type in commands listed in the hacking documentation they got from a Web site.
Technicians are more experienced system crackers who are savvy technicians with programming skills and a broad knowledge and understanding of how computer networks operate. Their objectives can vary widely from simple learning experience to using our system as a gateway to make attacks on other systems. These hackers can be the most dangerous because they are skilled and unpredictable.
The industrial spies are another type of hackers, who are very rare but highly dangerous and specially targets our company. These are highly skilled individuals who use cutting-edge techniques and can spend months analyzing a network before making an attack. They are usually seeking to steal sensitive financial data or valuable research and development data. Targets for this kind of activity are usually banks, large e-commerce sites, multinational corporations and any industry where intellectual property is valuable. Large organizations usually have security professionals on the lookout 24/7 for this kind of suspicious activity.
We can use firewalls and intrusion detection systems complemented by strong authentication systems to decide who is allowed to do what, and who is allowed access to what. When these are properly implemented, a hacker’s main tools become useless. The option of fooling a firewall into allowing privileged access is eliminated by the use of strong authentication and the scope of access from a non-authenticated connection is limited by filtering rules and protocol analysis.
Dos attacks have become the weapon of choice for cyber-terrorists. Any attacks aimed at hampering a service can fall into this category. This sort of attackers tries to exploit a known weakness in software, networking practices, and operating systems to crash a system or subsystem. Here come four types of DoS attack.
There are generally four types of DoS attacks. They are
Programming flaws – These flaws are failures of an application, operating system, or embedded logic chip to handle exceptional conditions. The conditions usually are the result of a user sending unintended data to the vulnerable component. Many times, attackers will send weird non-RFC-compliant packets to a target system to determine if the network stack will handle this exception of it if will result in a kernel panic and a complete system crash. For specific applications that rely on user input, attackers can send large data strings thousands of lines long. If the program uses a fixed-length buffer of say, 128 bytes, the attackers could create a buffer overflow condition and crash the application.
Routing and DNS attacks – A routing-based DoS attack involves attackers manipulating routing table entries to deny service to legitimate systems or networks. Most routing protocols such as Routing Information Protocol (RIP) v1 and Border Gateway Protocol (BGP) v4 have no or very weak authentication. This creates a vulnerability cyber-terrorists can exploit by altering legitimate routes.
The most recent attacks were called distributed denial of service (DDoS) attacks because they employed a strategy using unprotected network computers in the attack. In a DDoS attack, a hacker first uses simple software packages, usually downloaded from the Internet, to identify network or node computers that are not secure. These computers are usually university or corporate computers where security is minimal. Once located, the hacker secretly installs software that will conduct the attack from these network computers.
Since these node computers are typically connected directly to the Internet with a T1 or T3 line, they are capable of transmitting thousands of messages per second. When the hacker has prepared 50 to 100 node computers, the hacker initiates the attack. Each individual node computer starts sending thousands of page requests to a Web site, quickly building up hundreds of thousands or even millions of requests. In addition, each request includes a false return address, which makes the targeted Web server use more time in trying to answer the request. Under these conditions, a server simply cannot handle the traffic. Also, the node computers being used for the attack are often heavily affected.
Eavesdropping: An attacker listens to or watches information in transit. Wire-tapping is a classic eavesdropping attack.
Using encryption can thwart this. As long as those who should have access to the data only share keying material, and as long as the system is implemented using good security principles, then these systems have an excellent track record.
Active attacks: As eavesdropping, these imply that information is being viewed in transit. But instead of passively observing or collecting information, data is intercepted, altered and retransmitted, that is, the line of communication gets broken and routed via the attacker.
Such attacks are completely defeated if an authentication phase is used and cryptographically tied to the communication session. A classic example is to use public key certificates to authenticate a Diffie-Hell-man key exchange; the derived keys are then used to encrypt the remainder of the session. An active attacker can not play “person in the middle”, since the attacker can not authenticate his or her self to the communicating partners. A common error is to not bind the communication session to the authentication stage. This can lead to active hijacking attacks in which a session is commandeered mid-way o at least after the authentication phase.
Spoofing attacks: Such attacks relate with a person or machine impersonates another to gain access to a resource. Authorization based on strong authentication will prevent people from spoofing a user with desired privileges.
Replay attacks: This sort of attacks is based on re-sending packets, or streams of packets that have already been accepted by a recipient. For example, if a message is sent to a bank instructing it to add $100 into a bank account, it might be in the account holder’s interest to capture and replay that message several times.
Packet alternation: Instead of spoofing an identity, an attacker may choose to massage a valid connection to suit his or her needs. For example, if an email is sent stating that “Mr. X is no longer allowed access to building Y ”, then altering “building Y “ to building Z “ might allow Mr. X illegal access to building Y.
Network packets may have their own associated integrity checks which effectively guard against these types of attacks. For example, the Internet Protocol Security (IPSec) standard from the Internet Engineering Task Force has a mode which computes a digest on each packet. The recipient discards any packets for the check disagrees.
Viruses and Worms: these work by disguising malicious code and duping an unsuspecting user into executing it. Once running, viruses can take over a machine, spread, destroy, or change information, attempt to propagate or even lay dormant for a certain period.
Breaches in application security do not really get as much publicity as e-mail viruses such as SirCam, or Nimad or worms such as CodeRed, but they can cause just as many problems, ranging from theft of merchandise and information to the complete shutdown of a Web site. Here come the top ten hacking techniques at the application level.
Virus detection software has been largely successful in eradicating the majority of known viruses; firewalls are now being equipped to scan for viruses. Worms take advantage of weaknesses in networking systems. In addition, we can use digital signatures to authenticate software and provide better information about the source of a program.
Cookie poisoning – by manipulating the information stored in a browser cookie, hackers assume the user’s identity and have access to that user’s information such as user id, timestamp etc. on the client’s machine. Since cookies are not always cryptographically secure, a hacker can modify them, thus fooling the application into changing their values by poisoning the cookie. Malicious users can gain to accounts that are not their own and perform activities on behalf of that real user.
Hidden-field manipulation – hackers can easily change hidden fields in a page’s source code to manipulate the price of an item. These fields are often used to save information about the client’s session, eliminating the need to maintain a complex database on the server side. Because e-commerce applications use hidden fields to store the prices of their merchandise, people can view the site’s source codes, find the hidden field, and alter the prices. In a real-world scenario, no one would have discovered the change and the company would have shipped the merchandise at the altered prices and may even have sent a rebate.
Parameter tampering – this technique involves changing information in a site’s URL parameter. Because many applications fail to confirm the correctness of common gateway interface (CGI) parameters embedded inside a hyperlink, parameters can be easily altered to, for example, allow a credit card with a $100,000 limit, skip a site login screen, and give access to alternate orders and customer information.
Buffer Overflow – by exploiting a flaw in a form to overload a server with excess information, hackers can often cause the server to crash and shut down the Web site.
Cross-site Scripting – when hijackers inject malicious code into a site, the false scripts are executed in a context that appears to have originated from the targeted site, giving attackers full access to the document retrieved and may be even sending data contained the page back to the attacker.
Backdoor and debug options – often programmers will leave in debug options to test the site before it goes live. Sometimes, in haste, they forget to close the holes, giving hackers free access to sensitive information.
Forceful browsing – by subverting the application flow, hackers access information and parts of the application that should normally be inaccessible, such as log files, administration facilities, and application source code.
Stealth commanding – hackers often conceal dangerous commands via “Trojan horse” with the intent to run malicious or unauthorized code that is damaging to the site.
Third-party misconfiguration – since vulnerabilities are posted and patches made available on public Web sites such as SecurityFocus, hackers are alerted to new vulnerabilities as they arise. For example, through a configuration error, a hacker could create a new database that renders the existing one unusable by the site.
Known vulnerabilities – some technologies used in sites have inherent weaknesses that a persistent hacker can exploit. For example, Microsoft Active Server Pages (ASP) technology can be exploited to gain the administrator’s passwords and take control of the entire site.
Here come some ways that hackers can make use of for attacking our servers by exploiting Windows 9x clients that are connected to those servers.
Password Cracking - There are many different ways of hacking the Windows 9x operating systems. Stealing passwords is one of the more common and dangerous methods. The initial password prompt that users see when logging on to Windows 9x can be easily bypassed by pressing [Esc] or clicking Cancel. The only benefit to entering a Windows password is that doing so allows us to access a Windows NT or Windows 2000 domain and allows to cache passwords. Because Windows passwords can provide a hacker access to a domain or to other applications, there is a temptation to steal the passwords. Unfortunately, Windows 9x was not designed as a secure environment. Windows password and all cached passwords are stored in a PWL file. There are numerous utilities available on the Internet for cracking PWL files and extracting the Windows password. Hackers need not to be at the workstation to steal it, but by simply copying the PWL file to a disk, they can toy around with cracking the password from any computer. There is unfortunately no single mechanism to protect our PWL files from being copied. Creating a registry key and setting its value to 1 will make it impossible to Windows to remember passwords other than the initial Windows password.
Screen Savers – Normally users remain logged while away from their desks assuming that their accounts are safe because the PCs are running screen-saver-protected passwords. It is very simple for hackers to get around a screen-saver password. Thus save anything that is important on a server where it can be better protected.
File Sharing – Windows 9x file securing is one of the big threats to our network. It is not itself a problem. If users are sharing files, they probably intend for people to access them. Therefore, the unauthorized access to the shared data is not really the problem. The good stuff is usually stored on servers any way. The real problem is the way that the shares are made available. It is easy to use a protocol analyzer to intercept a password.
SNMP is an Internet protocol developed in the 1980s when TCP/IP networks were blossoming and it was recognized that network management was becoming a major problem. SNMP consists of three components:
SMI is a toolkit that identifies data types and develops rules to create the MIB. PDUs define authorized network management messages. UDP ports 161 (agents) and 162 (managers) are the usual way of implementing SNMP using IP, but IPX, AppleTalk datagrams, or even HTTP can also support SNMP.
Vendors write SMI-compliant object definitions for their systems and compile them using a standardized MIB compiler to build executable code that is used to manage hubs, routers, network cards, and so forth., which have agents that recognize MIB objects.
Access control and data packet authentication are password-protected but since they are usually included in each SNMP packet, often in unencrypted format, they can be discovered using any packet sniffer. This means that network managers need to block the use of any of the control features of SNMP, such as Set, or any tool that allows packets to write data at any entity.
SNMP provides an easy way for administrators to get topology information about their networks and even provides some management of remote devices and servers. However, the administrators have to be very careful that they have to correctly block SNMP traffic at the firewall level, otherwise hackers can also use it together that valuable network information and exploit vulnerabilities.
The main threat from SNMP is that it provides an easy way to collect basic system configuration information. For example, the SNMP “systeminfoget” string could be used to report what network adapters are available on the client during the logon sequence. This is exactly the sort of information a hacker tries to obtain before beginning penetration attempts. In addition to information gathering, SNMP can be used to manage devices such as to shut down a network interface. This is even more dangerous as a tool for malicious hackers.
SNMP is inherently insecure because SNMP messages are not encrypted. SNMP is not vulnerable because of a bug in the code, but it is dangerous because of how it was originally designed, before the proliferation of networks connected to the Internet.
The SNMP agent for Windows NT can disclose lots of useful data to a hacker. If the services are running on the NT server, SNMP can disclose some more data. However, SNMP is a cross-platform protocol, its vulnerabilities are definitely not limited to Windows networks.
Since management information databases (MIBs), an SNMP component, often include a TCP connection table listing all passive open ports and active TCP connections, this information can be accessed remotely. Some vendors, such as Cisco, automatically hide some of the SNMP information, even Cisco software does not hide all of the TCP table data.
The easiest way to deal with SNMP threats is to set our firewall to block UDP ports 161 and 162 and any other port the administrator may have custom-configured for SNMP traffic to the outside world. At a minimum, the admin has to monitor activity on all ports utilizing SNMP.
Most SNMP security consists of two subsystems:
General Security Strategies
Preventative Internet security measures include verifying that equipment and services are secured in order to prevent unauthorized access. Most of the time when Internet equipment is compromised and violated, it is due to software flaws or services that have been incorrectly configured.
To overcome hacker attacks, Software developers have to realize the seriousness of the problem and must aggressively address the problem internally. There are several reasons why internal security for machines and employees is so important, but the number one reason to increase internal security is because the majority of true hacks come from inside an organization-so security for system administrators, passwords, and sensitive information needs to be tight. Here are some security steps a company’s system administrators must take:
Most virus attacks cause either the corruption or loss of files. For example, the I Love You virus deleted every graphic image on the PCs it infected. This caused significant damage to many companies that then struggled to recover their Web sites, presentations, art files and other important collections. Macro viruses account for about 80 percent of all viruses and are the fastest growing viruses in computer history. These viruses infect documents created for specific applications such as MS Word or Excel.
The threat of damaging computer viruses and the need for good antivirus software are greater than ever. Many organizations have already learned the painful and costly reality of leaving their networks unprotected against viruses. Thus there comes a strong necessity for implementing a thorough antivirus strategy. Here come some vital points to accomplish this requirement within a company infrastructure.
A network infrastructure can traditionally be divided into four distinct layers that require virus protection.
Layer 1 - Internet Gateways
Layer 2 - Servers
Layer 3 - Clients
Layer 4 - PDA Devices
Here comes a bit about each layer. Almost all viruses are being spread via the Internet, either by way of email transfer or Web browsing. If one is able to secure the first layer then the security of all other layers are almost tamper-proof.
The first layer of protection should really encompass two components, rules-based policy enforcement and virus scanning. By having rules-based policy enforcement, one can create rules to block viruses, based on known content such as I LOVE YOU in the subject line, even before the antivirus software manufacturers have released a signature. Apart from these, rules can be applied to look for old viruses that may be perhaps reclassified as hoaxes.
By having virus protection at the first layer, organizations can trap and block viruses at perhaps one or two gateways for the entire company. Once a virus has entered, a company must rely on server agents to take over. They are then forced to scan and cure the virus for many servers versus one gateway. If suppose the virus enters into client layer, then scanning and curing have to be performed in hundreds or thousands of nodes.
If a company does not have its own Internet gateway, it is left fully to its Internet service provider (ISP) for virus protection.
The second one is the server layer. In any organization, it is natural that at any given time, there are dozens of computers that have the antivirus software either disabled, uninstalled, or crippled in some form or another. This enforces the truth that every server where people are saving files or storing email messages has to be under constant inspection, that is, antivirus software must be configured to provide real-time protection as well as scheduled scanning protection.
The third layer is the client layer. The desktop and laptop layer represents the largest and possibly the most difficult layer to protect. By accident, or intentional disabling, clients have to ability to cripple their antivirus software. Antivirus signatures need to be current, real-time monitoring must be enabled, and scheduled scanning should take place frequently.
The last layer is the PDA layer. In the recent past, viruses have started cropping up for these devices. So it becomes imperative to think about developing antivirus software for such wireless devices. There are devices based on Palm and Pocket PCs.
But protecting these important layers is just the first battle in the war against viruses. To be truly victorious, we must be vigilant in keeping up with antivirus updates. To accomplish this, an organization must perform the following four key steps: Retrieval, Testing, Deployment and Monitoring.
The first and most easily neglected step in managing our multiplayer anitvirus defense is the timely and consistent retrieval of antivirus signature updates. Most signature updates are being obtained by accessing the FTP site of the antivirus vendors and pulling down the latest update. This process has to be automated as manual handling may sometimes lead to catastrophic failure. As a precaution, we should also have a backup mechanism, such as the old-fashioned dial-up access for retrieving updates during those FTP sites are overly busy.
The second task is to test the acquired signature update before deploying it in the organization. The testing phase is for checking whether the signature update has any glaring problems.
The third phase is to deploy the tested signature update. The process of deployment has to be done automatically by rolling out the software to the server and client, which includes both PCs and handheld devices, layers.
The final phase involves monitoring the antivirus health of our environment. We have to monitor whether all our connected computing systems have the latest software, whether they are at the latest signature level, whether someone has intentionally or inadvertently disabled the real-time monitoring and so on. There are software tools for monitoring the state of our antivirus environment. Thus one has to realize that virus protection is not an one-time affair but an ongoing activity. Failing to talk all the necessary steps to win the way against viruses will eventually cost our organization dearly in terms of resources and reputation.
It often seems that network administrators are obsessed with security. After all, if an administrator goes easy on the security, countless hooligans are just waiting to break in to the network to steal or vandalize data. He has to be smarter than every hacker out there.
As companies are beginning to realize security as a mission-critical expenditure, preventive measures occupy a major portion in combating the nuances of hackers. Although all the prevention in the world won’t guarantee against a virus infection, putting safeguards in places will go a long way to reduce the risk and minimize the impact of a possible infection.
Obviously, the most effective way of dealing with any virus threat is to completely prevent it from entering our system. As discussed below, many layers within our infrastructure need to be fortified in order to build a truly effective defense against viruses.
Access Points - First, a network administrator has to identify all of his organization’s access points, or place where viruses could be introduced. Potential access points include the SMTP gateway, Internet gateway, wireless Internet devices, and the CD-ROM drives and floppy drives on the company’s desktops and laptops. In a worst-case scenario, the network administrator has to cut off all externally facing access points to prevent the virus from spreading.
Server Vulnerabilities – It is important for employees to know where all of company’s servers are. If a problem should arise and the regular IT staff members are out of their work place, damage may be more widespread if others are not able to locate company servers.
Preparedness – Part of preventing viruses is to be prepared for their inevitability and to patch every known hole in security. Independent security audits, ethical hacking, and diligent application of security patches can keep a company for a virus attack. Addressing identified weaknesses and staying on top of all the security bulletins and patches as they are released are the most two important factors in the prevention strategies apart from having a permanent security team to deal with the endless barrage of security notices, proper testing of patches and assistance with the constant implementation of updates.
Detection – We should have some early warning mechanism for detecting virus attack. The symptoms significantly vary according to virus. Some of the common signs include strange email messages sent to many recipients or Web server logs that contain additional, irregular entries apart from corrupted files or errors that appear when starting applications.
Regardless of the symptoms, sharing of information about virus attack and its related information to help desk will go a long way in minimizing the damage. A set of criteria should be established with minimum three escalation levels - based on proliferation, payload and likelihood - such as
Level 1: minimal spread that is, according to news services and security watches, obscure vulnerability
Level 2: medium infection, minor payload, easily exploitable vulnerability
Level 3: significant infection, minimal damage but major annoyance, widely known vulnerability
and lines of communication need to be documented for understanding the severity of the virus attack.
Informing the clients – As a virus makes its way up severity levels, and the number of people affected increases, the number of clients notified must correspondingly increase. When the level reaches Level 3, tough decisions regarding discontinuation of services will need to be made. The variation in time zones favors those in the eastern side of the world as they are the first to come to know about the virus attack and can take the suitable remedial measures ahead of their western counterparts.
When a firm gets affected, it is mandatory to garner as much information as possible about the virus, symptoms and the corresponding cures and then to document a comprehensive and consistent approach for eradicating its infection and prevention from the possible future attack. It is equally critical to have an effective communication plan with the clients for notifying them of possible infection, apprising them of progress, and informing them when all systems are fully functional.
A Virus Recovery Plan
To minimize the effects of virus attacks, companies should build a clear virus recovery plan. This plan should specify how IT goes into action, what testing is required, the priority of each end user or group and internal communications. The plan also should specify regular, proactive measures such as regular recovery CD generation. Each virus attack calls for a decision from executive management about whether to disconnect from the outside world and if so, when to reconnect. Having a contingent plan is always going to ensure that impending damage is minimal and repaired in an easy manner. For companies belonging to some specified categories, if they are not online, there are not in business.
Every one knows that virus attacks are a serious threat to any organization dependent on personals computers. Despite best efforts by anti-virus software, viruses wreak havoc on a regular basis. The best defense in the case of new viruses is a strong offence. Each company should have a virus recovery plan.
There is a viable technology from Previo that will help to recover very quickly when an organization’s defenses get breached. Previo’s eSupport Essentials has the capability of preparing us for the unknown by efficiently protecting all the content on all our PCs. eSupport Essentials is focused specifically on recovery, both IT assisted and end-user self-service. This special focus will help each organization to be always up and running as quickly as possible.
Unlike backup systems, eSupport Essentials captures everything, including applications, documents, customizations, favorites, device settings, and other personalizations by taking an automatic snapshot of every PC every day. The snapshot takes only minutes to complete and is done in the background and often averages 1 MB or less per snapshot on an on-going basis, eliminating any tangible impact to the business. This content is then stored in a way that makes it easy to very rapidly restore everything to any point in time. This tool helps any infected company to begin recovery immediately after discovery rather than wait for a fix from the anti-virus software vendor. This is increasingly critical as viruses nowadays spread faster, mutate into unrecognized patterns and adversely affect the supply and demand chain of the business. With Previo, the risk of remaining connected to the Internet is reduced as recovery is in general much faster than with other mechanisms.
When files are lost due to a virus or any other reason, the situation can be remedied in short order. The end user simply rolls the PC back to a time prior to infection. This eliminates the virus as well as restores the lost files. If the end user would prefer, the HelpDesk can perform the rollback via remote assistance. Rollback of this type typically takes less than 30 minutes.
When it becomes necessary for a network to be attached with the Internet, there comes a need for a firewall to protect the network resources from hackers, competitors, and the curious. Normally, devices attached to our LAN can see all of the other devices and access them. This freedom of access is not usually a problem because we know everyone who has access on the network. However, things get complicated when we connect our LAN to the Internet, where millions of connected devices and people who can get at our network resources. While most of these people are not going to bother us, there shall be one or two evildoers and hence we have to be well prepared to be on safer side.
Just like the firewall of a building that prevents flames from spreading from building to building, a network firewall stops unwanted network traffic from spreading from the Internet to our network and vice versa. The unwanted traffic is usually some one outside our network attempting to access our resources. On the other hand, we also should have firewalls to prevent our users from going places on the Internet that they should not. The firewall places a barrier between our network and the Internet. We can make use of this barrier to make sure the safety of our network.
There are different types of firewalls for different levels. A firewall can be hardware-based or software-based. Hardware-based firewalls traditionally take the form of special types of routers. Routers filter information on the network and direct packets. Vendors that sell routers configured firewalls add more filter and management capabilities to their hardware. There are a number of hardware-based firewalls such as Cisco’s PIX Firewall, Galea’s Avertis Firewall, and Ascend’s Pipeline Firewall Router.
Software-based firewalls turn regular PCs into firewalls. This sort of firewalls runs on top of the operating system software, such as Windows NT or Netware. Software-based firewalls are a little slower than the hardware-based ones. Also they are a less reliable due to limitations on the underlying operating system platform. But software-based firewalls are significantly cheaper and more flexible than their hardware counterparts. Microsoft Proxy Server, Novell BorderManager, LanOptic Guardian, IBM eNetwork Firewall and Checkpoint Firewall 1 are some of the leading software-based firewalls.
Firewalls also can be classified into broad levels: network-level firewalls and application-level firewalls. The levels describe the way the firewall controls access across its boundaries. Network-level firewalls control traffic based on the traffic’s source address, destination address, and TCP/IP port information. Packets travel directly through network-level firewalls. The firewall filters the information to make sure that only the proper packets travel through it. As traffic flows directly through the firewall, it processes little other than filtering packets and hence this sort of firewalls works much faster than application-level firewalls.
But application-level firewalls works in a different way. Traffic does not flow through an application-level firewall. Instead, the server running the firewall software processes the requests internally and translates the data from one network to another. Resources on either side of the firewall never actually make contact. Newer application-level firewalls make this process as transparent as possible. Because the firewall must translate the information, application-level firewalls are sometimes slower than network-level firewalls. But application-level firewalls offer a little more control as it checks more information and hence we have a better opportunity to track and control what is going across your firewall. Proxy servers are typical examples of application-level firewalls.
Firewalls can’t protect our network resources from everything and not 100 percent hacker-proof. Firewalls can only protect against information flowing across our network. So they cannot protect our network resources as the attacks may occur through dial-up lines. They also do not protect security breaches such as floppy disks, printouts, tapes and CD-ROMs that our users can carry with them.
Also firewalls can’t protect us from such things as viruses. Normally viruses come embedded inside of files. While firewalls examine where the data packets are coming from and going to, they do not actually examine the contents of the packets.
Firewalls are basic equipment nowadays. The problem is that they are not enough. Many organizations believe that since they have firewalls or other security mechanisms at the boundaries of their enterprises, they are protected from attacks originating from the Internet. However this is not the case for a variety of reasons according to a Gartner report. Firewalls can’t detect attacks from within the enterprise, which can be placed by disgruntled employees. Also firewalls can be easily circumvented.
But an Intrusion Detection System (IDS) can add a different dimension to the security infrastructure because it can monitor intrusion attempts from both inside and outside the company as well as detect anomalous behavior patterns that could reflect malicious intent. IDS have garnered much interest in the recent days
Intrusion Detection System (IDS) – An Overview
An IDS is a system that tries to detect and alert on attempted intrusions into a system or network, where an intrusion is considered to be any unauthorized or unwanted activity on that system or network.
An IDS adds an early warning capability to our defenses alerting us to the type of suspicious activity that typically occurs before and during an attack. As intrusion detection systems are not capable of arresting hacker’s attacks, there should be a carefully thought out corporate security policy, backed up by effective security procedures which are carried out by skilled staff using the necessary tools. Thus IDSs can be viewed as an additional tool in the continuing battle against hackers and crackers.
Intrusion detection systems are a combination of early warning and alarm systems and can be viewed as an additional tool in the continuing job of maintaining the security of a corporate system. IDS are complementary to the use of firewalls and effective security policy within an organization. IDS will respond to threats such as internal attacks, external attacks using legitimate routes and exploiting allowed rules in firewalls that other host and network security products are unable to counter.
Here come a few situations where an IDS becomes an invaluable tool.
A hacker still can pierce through firewalls. Though vital data seem to be intact, hackers could alter some operating system files in such a way that every time system administrators log into a machine, their password is emailed out to the hackers. Also every time they change their password, as per the security policy, the hackers are immediately notified.
Hackers also can come inside our network by means of illegal traffic with nothing recorded in our firewall logs
Thus an IDS can
There are two main types of IDS namely network- and host-based systems.
Network-based IDS examine the individual packets flowing through a network. Unlike firewalls, which typically only look at IP addresses, ports and ICMP types, network-based intrusion detection systems (NIDS) are able to understand all the different flags and options that can exist within a network packet.
Thus a NIDS can therefore detect maliciously crafted packets that are designed to be overlooked by a firewall’s relatively simplistic filtering rules. NIDS also can look at the payload within a packet, that is, to see which particular web server program is being accessed and with what options and to raise alerts when an attacker tries to exploit a bug in such code. Thus, in summary, a network-based IDS looks at all the traffic flowing by on a network. NIDS can operate in real time. They are placed as sensors on LAN servers. They use a database of known “attack signatures” or look for patterns. They produce a lower rate of false alarms, but the database must be updated regularly and frequently to ensure the IDS will recognize new types of attacks.
But host-based intrusion detection systems are concerned with what is happening on each individual computer or host. They are able to detect such things as repeated failed access attempts or changes to critical system files. The down side is that host-based IDS do not operate in real time and are prone to false alarms.
An application based IDS is a host-based system that is particular to a type of service, that is, an IDS built particularly for a web server or mail server.
A target based IDS is built to check the integrity of a particular system and its onboard software including operating system software. Target based systems are often called file-integrity assessments since they use check-sum based software to determine whether a system has been tampered with.
IDSs can be further categorized on the basis of detecting misuse and anomalous use. Misuse detection within a network-based IDS involves checking for illegal types of network traffic, for example, combinations of options within a network packet that should never legitimately occur. Misuse detection by a host-based IDS would include attempts by a user to execute programs for which they do not have legitimate need.
Detection of anomalous activity relies on the system knowing what is regular network traffic and what is not. Anomalous traffic to a host-based IDS might be interactive accesses outside of normal office hours. An example of anomalous traffic on a network-based IDS is repeated attempted access by one remote machine to many diverse services on one or more of our internal systems, all in quick succession.
IDSs can also be classified by their passive or reactive nature. Passive systems simply detect the potential security breach, log the information and raise an alert. Reactive systems are designed to response to the illegal activity, for example, by logging off a user or by reprogramming the firewall to disallow network traffic from a suspected hostile source.
This reactive system has some serious drawbacks as it can potentially take actions that could shut down business critical services. For example, an attacker crafts rogue network traffic aimed at our Internet mail server. The traffic is crafted in such a way that it is coming from our ISP. The network-based IDS detects this and reprograms our firewall to disconnect this traffic and hence we can not receive any email through our ISP. Thus arise the necessity of having skilled staff members as a critical part of any intrusion detection system. They can identify this faked traffic and be able to liaise with our ISP to establish the source of the problem.
Thus an IDS can not be a silver bullet for all our security needs and can not replace skilled staff.
Thus intrusion detection systems should be seen as an important layer in a company’s defense in depth security strategy.
Enhancing Intrusion Detection with a honeypot
Every network with an Internet connection is vulnerable to intrusion. It is the price one has to pay for staying wired to the world. Catching elite intruders and tracking their movements throughout the network is tricky business. One could use any of several commercial IDSs. However, they only tell where intruders went and how they got there. Besides, these elite intruders can often camouflage themselves among the legitimate traffic and alter the system logs to remove any trace of their penetration.
The best intrusion detection methodology here is to track every movement of those elite intruders in a way that allows one to preserve that data for law enforcement officials and to provide a target away from our production servers. There is a specialized tool for accomplishing this. Honeypots are programs that simulate one or more network services that one has designated on his computer’s ports. An attacker assumes that we are running vulnerable services that can be used to break into the machine. A honeypot can be used to log access attempts to those ports including the attacker’s keystrokes. This could give us advanced warning of a more concentrated attack.
Honeypots are most successful when run on known servers, such as Web, mail, or DNS servers, because these systems advertise their services and are often the first point of attack. One can construct a system that appears vulnerable to attack but actually offers:
We are intentionally putting our bait to be bitten. If this task is performed well, we can
It is recommended that honeypot has to be isolated from the production network. Many firewalls allow us to place a network in the demilitarized zone (DMZ). This is a network added between an internal network and an external network in order to provide an additional layer of security. The other option is to place it on a separate, dedicated Internet connection and all traffic to and from the honeypot should also be routed through its own dedicated firewall.
The key to an effective honeypot is its ability to monitor intruders. Skilled intruders will go to extraordinary lengths to cover their tracks. It is imperative that we have to collect as much data from as many sources as possible. The first place to collect data is the honeypot’s firewall. All enterprise firewalls are capable of logging all traffic they examine. If a firewall services only our honeypot, any traffic appearing in the firewall logs is evidence of an attack.
The second data collection tool is the honeypot’s system logs. These logs will be intruders’ first target and are extremely vulnerable to alternation. It is vital that these logs are automatically duplicated to a remote system. IDSs or packet sniffers are providing the third and final monitoring tool. These applications monitor traffic passively and do not advertisee their presence. They will provide us a key-to-key view of what the attacker does and sees.
IP Virtual Private Networks (VPNs) – An Overview
An IP VPN is an enterprise-scale or dial-up connectivity deployed on a shared network infrastructure that uses IP-based technologies.
A VPN is seen as virtual because it does not require dedicated lines. It is private as it uses encryption algorithms, is transparent and it is nearly tamper-proof. A VPN is considered a network because it reaps the benefits of a shared IP network.
VPN – An Introduction
VPNs are a mature part of the network security market. VPN solutions allow companies, institutions, and government to leverage productivity gains and competitive advantages. IP VPN competes aggressively against other WAN options and as an effective alternative to private lines. They are second to dial-up modems as a way of remotely accessing the corporate LAN. It is being formed by creating a virtual tunnel either on the public Internet or through use of a managed IP-based network or both. IP VPNs provide Internet access to remote clients while the connection is securely tunneled into a corporate network.
In addition to security, a VPN provides quality of service and manageability of a private network using shared IP networks. An IP VPN can be viewed as a traditional private network with exclusive use of resources, and it is a blend of security technologies. Its capability is created through equipment that provides security features such as tunnel-based encryption and user authentication mechanisms. Alternatively, an IP VPN allows remote employees to communicate with branch offices and external parties between two endpoints, such as LANs and WANs.
The advantages of having IP VPN are found primarily in cost savings and security. IP VPNs are easy to use and support rapid VPN deployment. IP VPNs are scalable, that is, IP VPNs has the capability to handle dramatic traffic fluctuations and add new users. IP VPN servers provide a hardware upgrade path to increase capacity and scalability. The placement of a VPN gateway in relation to firewalls, routers, and extranet/intranet connections directly affects the level of scalability, manageability and security it offers.
Performance gets improved, but it heavily depends on packet size, encryption algorithm, number of concurrent connections, packet loss and operating system. Performance also relies on the size of CPUs, as security functions such as encryption are processor-intensive.
IP VPN supports centralized, policy-based management from a single point of administration, which ensures that remote clients and firewalls are installed and configured properly. Also Client hosts using the VPN connection to access the corporate network are being protected against attacks.
Others include flexible communications and simplified network design. An IP VPN server eliminates long distance charges for dialing directly into the corporate network and government network allowing low-cost access to business-critical applications. It provides a secure link between remote workers and branch offices or external parties over the Internet, allowing companies to deploy core applications across global networks. The primary applications of a VPN are remote access, site-to-site connectivity and extranets.
For IP VPNs to flourish, there arises a strong need for appropriate tools and technologies. For example, tools such as bandwidth managers, traffic shapers, content network delivery and caching schemes to cope with network bottlenecks are urgently needed. Cost is by far the biggest reason that companies are using a service provider’s IP VPN. IP VPN solution providers are moving to offer additional security solutions such as IPsec, intrusion detection and key management.
VPN solutions now have the ability to simplify the corporate network and make it more effective part of a company’s business. VPNs today are about enabling leading business practices and managing policy relationships between enterprises, their associates, partners and customers.
Since most can not stop an attack, IDS should not be considered a
As world is becoming wireless, wireless communication devices and products are penetrating into every one’s daily life. Unauthorized users may be lurking on wireless local area network (WLAN). The enthusiasm for 802.11b wireless networking has been dampened by reports of vulnerabilities in the protocol’s WEP algorithm, an algorithm that is supposed to protect wireless communication from eavesdropping and unauthorized access. There are a number of potential security problems posed by WLANs such as eavesdropping, tampering with transmitted messages, defeating access control measures and denials of service. Though these security threats are looming around, wireless systems are becoming a hot commodity among businesses and consumers. This propels security experts to think about devising mechanisms and tools for WLAN security.
A wireless network uses radio waves to transmit data to every one within range. So special precautions need to be taken to ensure that those signals cannot be intercepted in their movement. WEP relies on a secret key that is shared between a mobile station and an access point. The secret key is used to encrypt packets before they are transmitted and an integrity check is used to ensure that packets are not modified in transit. However, it becomes easier for hackers to break into wireless systems by using off-the-shelf equipment and positioning themselves within transmitting range of a WLAN due to some potential flaws in WEP. As a result, the WLAN is susceptible for the following types of attacks:
Thus it is wise not to depend solely on WEP and to use other security mechanisms for enhancing WEP and WLAN security.
Here come a couple of security procedures to be followed when companies set up wireless LAN. The first one is wireless networks should be WEP-enabled due to the facts that WEP contains a encryption system and deploying wireless networks without any encryption brings out serious repercussions. The second step is to isolate the WLAN and enhance encryption. That is, after enabling WEP, we should also consider other security measures in order to compensate for its vulnerabilities.
There are two other security measures as follows. One is, we need to place our wireless network outside of the firewall and treat it just like we would treat the rest of Internet. That is, we have to recognize that it can’t be trusted and anything could happen on it and hence we should firewall it off from all of our sensitive corporate assets. The second suggestion is to use a virtual private network (VPN) for all traffic on the WLAN. The VPN will do its own end-to-end encryption on top of WEP. We can use such popular VPN protocols as PPTP and IPSec to accomplish this and finally set up a VPN server/router that connects the WLAN segment to our LAN segment.
There is one another alternative, but cheaper one. There is a signal encryption key that is configured identically for every one who is supposed to have access to the wireless network. Usually this key is set up once when the password is handed out and often stays the same for months or even years. The suggestion is that the wireless system should employ extensions to WEP that perform dynamic key changes and modify the wireless encryption key once every 10 minutes. Thus by changing the key once every 10 minutes, we may lose 10 minutes of data and changing the key frequently makes it hard to mount WEP attacks.
A number of new products are attempting to rally support by providing additional measures of security and control. Microsoft has thrown its considerable weight behind 802.11b. Microsoft has incorporated a host of wireless-related features to the Windows XP OS. These include new driver support and client association tools, but the most significant feature is the integration of the nascent 802.1x standard, a move toward user-authenticated network access control. As part of the 802.1x standard, the Windows XP client natively supports Extensible Authentication Protocol (EAP), which provides dynamic, session-specific wireless encryption keys, central user administration via specialized third party Remote Authentication Dial-in User service (RADIUS) servers, and mutual authentication between client and Access point (AP) and AP to RADIUS server.
As 802.11b authenticates the hardware, not the user, stolen laptops or forged media access control (MAC) addresses can be used to infiltrate the network. With EAP, the RADIUS server will authenticate the user, not just the hardware, providing a scalable, centrally managed authentication solution. Also, EAP’s dynamic WEP keys reduce the exposure of the same WEP key over multiple transmissions, reducing the risk of the latest cryptographic vulnerabilities.
Cisco also became a vendor for a wireless-ready RADIUS serve through its Cisco Secure Access Control Server. This can be used with Cisco’s proprietary Lightweight Extensible Authentication Protocol implementation and it already interoperates with 802.1x. Additionally, Funk Software is bringing its own wireless-ready solution, Steel-Belted RADIUS.
Another hurdle to corporate wireless networking is a lack of centralized management, making it difficult to implement and update a wireless security policy across the enterprise. Wavelink corp. has stepped into the void by releasing Mobile Manager 5.0, which centralizes the discovery, monitoring and configuration of access points across the network.
Laptops nowadays have become the handy and highly portable device for executives and other important people in enterprises. A stolen laptop can invalidate an enterprise’s effort to secure its infrastructure from external threats. Laptop computer theft, and the subsequent loss of sensitive data, has become the Achilles heel of any enterprise’ efforts to protect its intellectual property and the privacy of its clients and business partners. There are methods that allow a single user to encrypt files on laptops or desktops. However as the encryption methods are often flawed and the encrypted files cannot be recovered under worst-case scenarios, there arises a strong need for viable mechanisms that can protect the confidential and sensitive information stored on laptops.
Any enterprise with potentially sensitive information on laptop systems should protect those assets with a solution that prevents access to the operating system and applications as well as the data created by those applications. Typically, this solution involves selecting a vendor application that encrypts the entire hard drive or just files. Thus security managers tasked with developing and implementing enterprise-level policies and procedures for laptop protection have to think seriously about the following questions before embarking on choosing an viable vendor and his solution product.
There are a few vendors that have recognized the need for enterprise-level solutions and their offerings are also increasingly in line with the needs of security administrators. Thus, enterprises can find competitive, emerging solutions to mitigate the data risks associated with a stolen laptop.
PointSec Mobile Technologies, WinMagic, Ensure Technologies, F-Secure, Aliroo, CopyTele, Ultimaco and Vasco are some of the leading and emerging software companies with security products for laptops.
Here comes a brief explanation on necessity of securing our PDAs and the tools that can fulfill the security requirements of handheld devices.
Today all our company’s executives and even the sales force carry around PDAs. They are incredibly convenient but at the same time the information stored in those handy little electronic notebooks faces the risk of being stolen or corrupted. They probably contain PIN numbers, unlisted phone numbers, credit card and calling card numbers. They even may contain sensitive client, sales, and pricing information. In the recent past, network passwords are also being stored in them.
Suppose some one has lost his or her PDA or it is stolen. The loss of a PDA has little to do with the hardware as the cost of PDAs has come down recently. Also most users do not have much trouble restoring data as they keep them synchronized with their PC on a regular basis. Thus it is necessary to record the duplicate data on the PC that is synchronized to the PDA’s database.
Also most offer at least minimal security in the form of password protection. Unfortunately passwords can be guessed and cracking PDAs has become a cottage industry in some places. Fortunately, there are third-party encryption programs available for PDAs. For all but the most innocuous data, such as public information simply carried in a PDA for convenience, encryption protection should definitely be considered. JAWZ Inc. http://www.jawzinc.com/main.asp supplies a 4096-bit email encryption tool. This is especially useful because it lets encrypt single messages, all messages or just those in a selected category. Ilium Software http://www.iliumsoft.com/ has come out with a 40-bit RC4 eWallet encryption software for handhelds as well as Windows and NT PCs. Developer One’s 56-bit CodeWallet is now available for Windows CE PDAs and desktops.
The happenings around the world emphasis the need for understanding the criticality of information security and what is all about and the need for security requirements and security-related tools and technologies.
Some of the general warnings for system and network administrators are as follows:
When a potential threat has been identified, standard enterprise security measures should be complemented by increased firewall analysis, intrusion detection inspection of site usage logs. Penetration testing and vulnerability scanning should be performed on at least a weekly basis Companies also have to recognize that their vulnerability does not end at their own firewalls; their Internet Service Providers and server hosting companies must have the necessary technology and processes in place to quickly detect and react to denial of service attacks.
It is also essential that companies create and document incident response procedures and regularly perform the Internet equivalent of fire drills to ensure that their responses are rapid and effective. Key management personnel should be assigned to handle press inquiries, and the responsibility and criteria for making the decision to involve law enforcement should be defined in advance.
Small and midsize companies are especially vulnerable to malicious attacks because they usually can not afford or do not attract, personnel who have extensive security experience. To strengthen network security and reduce vulnerability to an attack, the following points have been recommended by Gartner group.
To succeed in the fiercely competitive e-commerce marketplace, business must become fully aware of Internet security threats, take advantage of the technology that overcomes them, and win customers’ trust. The solution for businesses that are serious about e-commerce is to implement a complete e-commerce trust infrastructure. PKI cryptography and digital signature technology, applied via Secure Sockets Layer (SSL) digital certificates, provide the authentication, data integrity, and privacy necessary for e-commerce.
In recent months, there have been several high-profile security breaches by cyber criminals who logged onto e-business Web sites and gained unauthorized access to confidential data and applications at the back end.
Internet security issues arise and evolve and those concerned have to act with foresight and innovations.
http://www.cert.org/ - This site focuses on viruses and software flaws and contains an extensive collection of security-related articles
http://www.eff.org/ - This site represents a nonprofit group, which is focusing on protecting privacy in the computer arena. This is loaded with a number of exciting papers on Internet security
http://csrc.nist.gov/ - This Web site contains information about computer security issues, products and research of concern to federal agencies, industry and users
http://www.securityportal.com/ - A gateway to useful security-related resources
http://www.rsasecurity.com/ - RSA Security Site
http://www.verisign.com/ - Verisign’s Web site providing security tools and resources