BestInternetSecurity.net

Information Security Resources

Physical Security – Choosing the right facility

Many factors should be considered when choosing the best facility for hosting computer equipment. Some of these factors include:

  • Local Crime: Is the site a prime area for criminal activities?
  • Natural Hazards: Does the location have a high occurrence of flooding, earthquakes, thunderstorms, or other natural hazards?
  • Power Supply: Is there a stable power supply for your computing facilities?
  • Access: Is the location easily accessible to the personnel, suppliers, and others who need to reach it?
  • Existing boundary protection: Is the location secure? Security controls such as fencing, adequate lighting, and detection systems, including motion sensors and video surveillance, need to be in place. Detection on its own is not enough: it must be paired with a response that prevents, or at least delays, an intruder's progress. This can be accomplished with audible alarms as well as prearranged response forces, such as the local police or hired security guards.
  • Nature of Facility: Is the facility shared with other tenants? It is critically important that sharing with co-tenants does not undermine the level of security. Strong security measures need to be in force.

In addition to facility management, other aspects of physical security must also be considered. Choosing the right facility in the first place, however, is the foundation on which all other physical security controls can be enforced effectively.

Physical Security Threats and Controls

Physical security is the lifeblood of all security controls. If physical security is compromised, all other controls are irrelevant.

Why? Think about it. If someone manages to get into your server room and physically access your computers, he or she can cause serious damage: removing the hard drives from a machine, stealing backup tapes, or simply cutting the power to your servers. All of these can be done in the blink of an eye, without any serious technical skill. As mentioned before, a system is only as secure as its weakest link, and physical access is often that link. For this reason, physical security must not be overlooked.

To understand physical security, we first need to understand physical threats.

There are three types of physical threats:

External physical threats:

  • Flooding, lightning, earthquake, wind, tornado, hurricane, ice, fire, chemical

Internal physical threats:

  • Fire, environmental failure, liquid leakage, electrical interruption

Human physical threats:

  • Theft, vandalism, sabotage, espionage, errors

To prevent these threats from becoming reality, physical security controls should be implemented.  Some examples of effective physical security controls include:

Exterior physical security controls:

  • Fences, Barriers

Entrance physical security controls:

  • Doors and Gates with Locks

Administrative physical security controls:

  • Badges and Escorts

Property physical security controls:

  • Monitoring/Detection Systems, Lighting

Environmental physical security controls:

  • HVAC System, Power Protection, Water and Fire Protection

All of these controls require detailed and careful planning prior to setting up an office with computing facilities. We will discuss physical controls in more detail later.

Tags: Administrative Physical Security Control, Environmental Physical Security Control, Water Protection

Operations Security: Audit and Accountability

Accountability means holding system users responsible for their actions, which requires continuously recording what they do within the system.

Consistent logging and auditing is how we monitor the system so that misuse can be traced back to a responsible party. As part of the auditing process, the following should be logged for effective control and accountability:

  • User identity (who performed the action)
  • Time of access (when)
  • The system objects accessed (what)
  • Failed login attempts
  • System warnings and error messages
  • Repeated user errors

Accountability presupposes that the system can reliably tell who performed an action, so strong authentication and a good access control system must be in place first. Without them, logging the activities above is meaningless: a log entry that cannot be tied to a person holds no one accountable.

Keep in mind that logging must take into account the large volume of legitimate daily activity on a network. Valid activity needs to be distinguished from activity that is suspicious. For this reason, clipping levels should be defined: thresholds for acceptable activity (for example, the number of failed logins tolerated for an account within a given period) that act as a baseline for deciding what counts as a violation.

The goal of monitoring, auditing, and clipping levels is to discover problems before major damage occurs, and to be alerted while a possible attack is underway. In principle, when the clipping mechanism detects that the baseline has been exceeded, an alarm is generated and the system records further information about the change in activity. In other words, as soon as activity falls outside the predefined acceptable threshold, the system notifies the security administrator (by e-mail, pager, or a similar channel) and keeps a detailed log of what follows. This log can then be used to investigate the suspicious activity.

Perhaps a more effective solution is software that automates the detection of violations. The most common such tool is the Intrusion Detection System (IDS). An IDS collects and analyzes system or network activity and alerts administrators to suspicious events, using a database of clipping levels and known patterns of misuse (signatures).
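
The following is an added example, not code from the original page: a clipping-level check run over a handful of constructed sshd log lines (the hosts, users and addresses are invented). A failed login on its own is normal and is not reported; only when the count of failures for one user from one source reaches the clipping level within the sliding window is an alert raised, and it is raised once rather than on every further failure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd authentication log lines (not from a real system).
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 50120 ssh2
Mar 10 09:00:09 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 50120 ssh2
Mar 10 09:00:15 host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 50120 ssh2
Mar 10 09:02:30 host1 sshd[1340]: Failed password for bob from 203.0.113.7 port 41022 ssh2
Mar 10 09:02:31 host1 sshd[1341]: Failed password for bob from 203.0.113.7 port 41023 ssh2
Mar 10 09:02:33 host1 sshd[1342]: Failed password for bob from 203.0.113.7 port 41024 ssh2
Mar 10 09:02:34 host1 sshd[1343]: Failed password for bob from 203.0.113.7 port 41025 ssh2
Mar 10 09:10:00 host1 sshd[1410]: Failed password for carol from 10.0.0.9 port 50200 ssh2
Mar 10 09:25:00 host1 sshd[1455]: Failed password for carol from 10.0.0.9 port 50201 ssh2
Mar 10 09:40:00 host1 sshd[1490]: Failed password for carol from 10.0.0.9 port 50202 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_event(line, year=2024):
    """Return (timestamp, outcome, user, source) for a recognised sshd line, else None.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def find_violations(log_text, clipping_level=3, window_minutes=5):
    """Raise one alert per (user, source) the first time the number of failed logins
    inside the sliding window reaches the clipping level. Successful logins and
    unrecognised lines are ignored; failures older than the window are forgotten."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev[1] != "Failed":
            continue
        ts, _, user, src = ev
        q = recent[(user, src)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == clipping_level:
            alerts.append({"user": user, "src": src, "failures": len(q), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG):
        print(alert)
```

With the default baseline (three failures in five minutes) only bob's burst from 203.0.113.7 is reported; alice's two mistyped passwords and carol's slow trickle stay below the clipping level. Widening the window to an hour makes carol's pattern cross the baseline too, which is exactly the tuning decision the administrator has to make: a low level or wide window catches slow attacks at the cost of more noise.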

Any good monitoring and auditing process should let users work unimpeded. The details of what is monitored and how should not be disclosed, so that the controls cannot easily be evaded. The issue of privacy must also be considered: the monitoring system has to comply with local personnel and data privacy laws. Users should therefore be notified in advance that their system activities may be logged and analyzed, even if the specifics are not published.

Tags: Operations Security Control, Operations Security, Audit, IT Audit, System Auditing, Personnel Privacy Laws, Intrusion Detection System

Operations Control Techniques

Now we’ll cover some of the administrative aspects of Operations Control.

  1. Separation of Duties is a preventive control: no single person is allowed to perform a sensitive function from beginning to end. This reduces the possibility of any one person committing an act against policy, because doing so would require collusion between two or more people. Since collusion involves more than one party, the unwanted action is less likely to occur.
  2. Job Rotation is the policy of periodically changing each person's role within a business process. It helps to identify recurring mistakes or fraudulent activity, since the new person assigned to a task is well placed to notice and correct them. You can consider this policy a type of "detective control." A strategy that complements job rotation is mandatory vacation: by forcing staff to leave their post temporarily, the administrator gets the chance to detect abuse, because the worker who covers the task is in a position to find traces or clues left by the prior holder.
  3. Least Privilege requires that each individual be granted only the permissions and rights necessary to perform their assigned duties. In this way the administrator prevents individuals from performing tasks outside those duties, which could jeopardize the security of the company's systems. According to Saltzer and Schroeder [Saltzer 75], every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. A closely related policy, applied to information rather than to privileges, is "need-to-know": a person is not given access to information unless he or she has a specific need for it, that is, unless access is necessary to conduct that person's official duties.
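
As an added example, not taken from the original page, here is how separation of duties and least privilege look when enforced in code rather than in policy. The purchase-order workflow, role names and permission strings are assumptions chosen for illustration. Roles carry only the permissions their duty needs (least privilege), the approval step refuses the order's own creator even when that person holds the approver role (separation of duties), and a detective check lists users whose combination of roles should never have been assigned.

```python
from dataclasses import dataclass
from typing import Optional

# Role -> permissions. Each role holds only what that duty needs (least privilege).
# Role names and permission strings are assumptions for this example.
ROLE_PERMISSIONS = {
    "requester": {"po:create", "po:view"},
    "approver": {"po:view", "po:approve"},
    "auditor": {"po:view", "audit:read"},
}
# Role pairs one person must never hold at once: the combinations that defeat
# separation of duties and should be reported by a detective control.
CONFLICTING_ROLES = [("requester", "approver")]


class PermissionDenied(Exception):
    pass


@dataclass
class PurchaseOrder:
    po_id: int
    amount: int
    created_by: str
    approved_by: Optional[str] = None


class AccessControl:
    def __init__(self, assignments):
        self.assignments = {u: set(r) for u, r in assignments.items()}  # user -> roles

    def permissions(self, user):
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.assignments.get(user, ())))

    def require(self, user, perm):
        if perm not in self.permissions(user):
            raise PermissionDenied(f"{user} lacks {perm}")

    def toxic_combinations(self):
        """Detective check: users whose role set violates separation of duties."""
        return sorted(u for u, roles in self.assignments.items()
                      if any(a in roles and b in roles for a, b in CONFLICTING_ROLES))


class PurchasingSystem:
    def __init__(self, access_control):
        self.ac = access_control
        self.orders = {}
        self.next_id = 1

    def create(self, user, amount):
        self.ac.require(user, "po:create")
        po = PurchaseOrder(self.next_id, amount, created_by=user)
        self.orders[po.po_id] = po
        self.next_id += 1
        return po.po_id

    def approve(self, user, po_id):
        self.ac.require(user, "po:approve")        # least privilege: the role must allow it
        po = self.orders[po_id]
        if po.created_by == user:                  # separation of duties: never self-approve
            raise PermissionDenied(f"{user} cannot approve their own order {po_id}")
        po.approved_by = user
        return po


def demo():
    """Constructed scenario: eve requests, frank approves, dave wrongly holds both roles."""
    ac = AccessControl({"eve": ["requester"], "frank": ["approver"],
                        "dave": ["requester", "approver"], "gina": ["auditor"]})
    shop = PurchasingSystem(ac)
    outcome = {"toxic": ac.toxic_combinations()}
    po = shop.create("eve", 900)
    try:
        shop.approve("eve", po)                    # blocked by least privilege
        outcome["eve_self_approve"] = "allowed"
    except PermissionDenied:
        outcome["eve_self_approve"] = "denied"
    outcome["frank_approves"] = shop.approve("frank", po).approved_by
    dave_po = shop.create("dave", 5000)
    try:
        shop.approve("dave", dave_po)              # role allows it; SoD check still blocks it
        outcome["dave_self_approve"] = "allowed"
    except PermissionDenied:
        outcome["dave_self_approve"] = "denied"
    return outcome


if __name__ == "__main__":
    print(demo())
```

Two layers are doing the work: the role check alone stops eve, who was never given approval rights, while dave, who was (wrongly) given both roles, is stopped only by the explicit rule that creator and approver must differ. The toxic-combination report is the administrative follow-up that catches the bad role assignment itself.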

There are several other controls that should be addressed as well. However, the three fundamental methods we cover here are important administrative controls generally overlooked by many organizations.

Reference:
Saltzer, Jerome H. & Schroeder, Michael D. “The Protection of Information in Computer Systems.” Proceedings of the IEEE 63, 9 (September 1975): 1278-1308.

Tags: Operations Control Techniques, Operations Security

Kerberos Authentication and Single Sign-On Access Control

Kerberos Authentication: In Greek mythology, Kerberos is the monstrous three-headed dog that guards the entrance to Hades. Modern-day Kerberos Authentication can likewise be viewed as the gatekeeper that guards the entrance to a network's resources.

Kerberos, a computer network authentication protocol, was originally designed and published by MIT. It allows parties communicating over a non-secure network to prove their identity to one another in a secure manner. Authentication of this kind is the first step of access control: only once an identity has been proven can access decisions be made.

Before we address the working mechanisms of Kerberos Authentication, we need to understand several terms in the discussion.

Kerberos Authentication is based on "tickets," which prove the identity of users to services. The system consists of several components; the two main ones, together known as the Key Distribution Center (KDC), are:

Authentication Server (AS): The AS verifies the user's identity and issues a Ticket Granting Ticket (TGT), the ticket the client later presents to the Ticket Granting Server. The AS also generates a short-term session key for communication between the client and the TGS.

Ticket Granting Server (TGS): The TGS is logically separate from the AS. It issues a Service Request Ticket (SRT; in the Kerberos specification simply a "service ticket") to users when they request a particular resource within the Kerberos realm.

Physically, the AS and the TGS usually reside on a single server, the KDC.

The Single Sign-On Process of Kerberos Authentication

When a user logs in, he or she enters a username and password at the client machine. The client applies a one-way transformation to the password to derive the user's long-term secret key (the client's own secret key). The client then sends only the username, in clear text, to the Authentication Server (AS) together with a request for a TGT.

When the AS receives the user's clear-text identification from the client machine, it looks up the user's long-term secret key in its database. If the user entered the password correctly, the key in the database is identical to the one the client derived. (Note that this process does NOT transfer the user's password or secret key across the network. What does cross the network is data encrypted under that key, so password strength still matters: a captured reply can be attacked offline by guessing passwords, which is why current Kerberos implementations require the client to prove knowledge of the key up front, a step called pre-authentication.)

The AS then generates two items. The first is a random session key, referred to as the TGS session key, or the short-term secret key. This key is encrypted with the client's own (long-term) secret key and sent to the client, which decrypts it with that key. The TGS session key is stored on the client system, usually in volatile memory for security.

The second item the AS generates is a Ticket Granting Ticket (TGT). The TGT contains a copy of the TGS session key, the username, and other information such as the ticket's validity period, all encrypted under the TGS's own secret key. The TGT is sent to the client, but because the client does not hold the TGS's key it can neither read nor alter the ticket, and neither can any other party. This use of a ticket that only the issuer and the target server can open is the essence of this type of access control technology.

Now the client has enough information to present itself to the Ticket Granting Server (TGS) for authentication and service request. The client presents the following three items to the TGS:

  1. The TGT it received from AS
  2. The service ID of the network service requested
  3. The client's own authentication information (the authenticator), which contains the username and a timestamp and is encrypted with the TGS session key.

The TGS uses its secret key to decrypt the TGT. It extracts the TGS session key from the TGT and uses it to decrypt the client's authenticator, confirming that the client knows the session key and that the name and timestamp in the authenticator match the ticket.

After successful verification, the TGS sends the client two messages. The first is a service session key for the requested service. Suppose the user requested a printer service: the printer service session key is encrypted with the TGS session key, so the client can immediately decrypt it using that same short-term secret key.

The second message is the Service Request Ticket (SRT), encrypted with the printer service's own secret key. The SRT contains the printer service session key already shared with the client, plus the client's name. (Again, this message cannot be read or altered by the client or any third party because it is encrypted with the printer's secret key.)

When the client requests the service from the printer, it sends the SRT together with a fresh authenticator encrypted with the printer service session key. The printer decrypts the ticket with its own secret key, extracts the printer service session key it now shares with the client, and uses that session key to decrypt the authenticator and verify the client's identity.

After successful verification the printer provides the service, and from that point on the two parties communicate using the printer service session key.
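
The whole exchange above, as an added example that is not part of the original page and not an implementation of the real protocol: a small model in which the AS and TGS share one KDC object, the client derives its long-term key from the password, and a printer service accepts a ticket it can open with its own key. The authenticated encryption is a toy built from HMAC-SHA256, the realm name, principal names and key sizes are assumptions, and the pre-authentication step is omitted.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption (HMAC-SHA256 keystream, encrypt-then-MAC) standing in
# for Kerberos' real encryption types. This is a model of the message flow, not an
# implementation of RFC 4120; the realm, principal names and key sizes are assumptions.

def derive_key(password, salt):
    """Long-term key from the password: the one-way transformation done at login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20000)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt a JSON-serialisable dict under key and append an integrity tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; raises ValueError if the key is wrong or the data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) on one host."""
    def __init__(self, lifetime=8 * 3600):
        self.salt, self.lifetime = b"EXAMPLE.ORG", lifetime
        self.users, self.services = {}, {}        # long-term keys of principals and services
        self.k_tgs = os.urandom(32)               # the TGS's own secret key

    def register_user(self, name, password):
        self.users[name] = derive_key(password, self.salt)

    def register_service(self, name):
        self.services[name] = os.urandom(32)
        return self.services[name]

    def as_exchange(self, client):
        """AS: the client sent only its name; reply with {TGS session key}K_client and a TGT."""
        sk, exp = os.urandom(32), time.time() + self.lifetime
        tgt = seal(self.k_tgs, {"client": client, "key": sk.hex(), "exp": exp})
        return seal(self.users[client], {"tgs_key": sk.hex(), "exp": exp}), tgt

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS: open the TGT, verify the authenticator, issue a service session key and SRT."""
        t = unseal(self.k_tgs, tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired: the user must log in again")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)               # only a holder of the session key can build it
        if a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
            raise ValueError("authenticator rejected")
        svc_key = os.urandom(32)
        srt = seal(self.services[service], {"client": t["client"], "key": svc_key.hex()})
        return seal(sk, {"service": service, "svc_key": svc_key.hex()}), srt

def client_login(kdc, user, password):
    k_client = derive_key(password, kdc.salt)       # the password itself never leaves the client
    reply, tgt = kdc.as_exchange(user)
    sk = bytes.fromhex(unseal(k_client, reply)["tgs_key"])   # wrong password -> ValueError here
    return {"user": user, "tgs_key": sk, "tgt": tgt}        # keep in memory only

def client_request_service(kdc, cred, service):
    auth = seal(cred["tgs_key"], {"client": cred["user"], "ts": time.time()})
    reply, srt = kdc.tgs_exchange(cred["tgt"], auth, service)
    svc_key = bytes.fromhex(unseal(cred["tgs_key"], reply)["svc_key"])
    return srt, seal(svc_key, {"client": cred["user"], "ts": time.time()})

def service_accept(service_key, srt, authenticator):
    """The printer: open the SRT with its own key, then check the authenticator with the session key."""
    t = unseal(service_key, srt)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]

def demo():
    kdc = KDC()
    kdc.register_user("alice", "correct horse battery staple")
    k_printer = kdc.register_service("printer")
    cred = client_login(kdc, "alice", "correct horse battery staple")
    srt, auth = client_request_service(kdc, cred, "printer")
    result = {"printer_saw": service_accept(k_printer, srt, auth)}
    try:
        client_login(kdc, "alice", "wrong password")
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    return result
```

Notice where a wrong password fails: the AS answers regardless, and it is the client that cannot open the reply. That is the property the text describes (no password on the wire) and also the reason a captured reply is material for offline guessing. The printer never talks to the KDC at all; its trust rests entirely on being able to open the SRT with a key only it and the KDC know.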

Why is Kerberos Authentication called Single Sign-On?

The magic of the single sign-on process lies in the fact that the client logs onto the AS only one time, using a password. The password is “hashed” in order to produce the long-term secret key for verification. The authentication process within the AS then creates a TGS session key (the short-term secret key) for the client. The client then uses this short-term secret key to communicate with the TGS, requesting different network services. At this point there is no need to enter the password again—hence, the “single sign-on” name.

Security Threats of Kerberos Authentication

It is still possible for the short-term secret key to be compromised, threatening the security of the system. The threat is limited by the ticket lifetime, typically a few hours to a working day (six to eight hours in the scenario described here), after which the user must re-enter his or her password: the client then repeats the authentication exchange with the AS and receives a new short-term secret key. To protect the short-term key further, it should be kept in the client's volatile memory rather than in permanent secondary storage, where it is easier to steal.

Pros and Cons of Single Sign-On Systems

On the one hand, single sign-on offers the user the convenience of typing in a password only once to request different services for the whole ticket lifetime. On the other hand, if the short-term secret key is compromised, every service the user can reach is exposed for that same period.

Tags: Short-term session key, Long-term session key, Single point of failure, Password Management, Replay-attack, Single Sign-On Access Control

Operations Security (OPSEC)

Before we can fully understand operations security, let’s define what we mean by “operations.”

Operations refer to the continual, day-to-day usage and maintenance of the system.

Operations Security covers all the measures necessary to keep the entire system— including the network, computer system(s), and applications—running in a secure and protected manner.

Operations Security includes the following aspects:

  • Physical and Environment Protection
  • Production
  • Input/Output Controls
  • Emergency and Contingency Planning
  • System and Data Backup
  • Software Maintenance Control
  • System Documentation
  • System Change Management

Among these aspects, the Input/Output Controls cover the proper handling of media for input/output data, such as print-outs, disk cartridges, and mass-storage devices.

The Operations Department is responsible for the operations security of a system. This department ensures that the daily activities of the system run smoothly, and that any issues that may arise are handled quickly and efficiently.

The key role of the Operations Department is to exercise due care and due diligence in the security of the system. The determining factor in shaping the best courses of action for ensuring the security of a system involves the concept of “the prudent person.” What would a prudent person do in a particular situation?

Finally, Operations Department staff should not be given access to the development environment or to the security management functions of the system; combining these roles would increase the risk of security breaches.

Information Risk Management : The Core Concept of Information Security Management

In today's environment, Risk Management is considered a core issue in corporate governance. The concept is well established in finance; here we consider it as it applies to Information Security. This matters because, over the past thirty years, information systems (IS) have grown to be a core component of most corporate operations.

In order to understand Risk Management, some basic terms related to risk management should be understood. They are: Vulnerabilities, Threats, and Exposure.

Vulnerability refers to an inherent weakness of an information system. ("Inherent" means something internal to the system that cannot easily be eliminated completely.) No system is totally free from defects: a system is only as strong as its weakest point, and no system could be made flawless without unlimited resources to build, verify, and test it.

Threats are events or agents that could exploit a vulnerability of a system. Threats can be natural (a thunderstorm or earthquake), environmental (temperature or humidity), or intentional (hacking or the spreading of a virus).

Exposure refers to the damage that can be done if and when a threat successfully exploits the vulnerability of a system.

When there is a chance that a threat could exploit a system's vulnerability, there is risk. In information security, risk is the likelihood that a threat exploits an inherent vulnerability, combined with the damage (exposure) that would result.

Risk has the following properties:

  • Risk cannot be totally eliminated.
    As long as a system has vulnerabilities, and it always does, there is risk.
  • Risk can be reduced, but only by carefully planned countermeasures.
    Reducing risk in this way is called risk mitigation.
  • The risk that remains after countermeasures, the residual risk, has to be dealt with in another way.
    It can be transferred (for example by insuring the system) or, if it is small enough, knowingly accepted.

Information Security Management is the art of dealing with risk using systematic and consistent management principles. This is not merely a technical issue; it is primarily a management issue. Therefore, Information Security Management is best achieved with the proper deployment of carefully planned corporate strategies for dealing with Information Security risk.

Tags: Computer Security, Information Risk Management

One-way Hash Algorithm – Why and How

One-way Hash Algorithm

In cryptographic applications such as digital signatures, we usually run the message through a one-way hash algorithm before applying the sender's private key to it.

Why? Because a one-way hash algorithm converts a message of any length into a fixed-length code, the digest (256 bits with SHA-256 is the common choice today; older algorithms produced 128 or 160 bits). We can then apply the asymmetric operation to the short digest instead of the original message.

This matters because the original message can be arbitrarily long, and an asymmetric operation over the whole of it would be very slow. Signing the digest is fast and, given the properties below, just as binding as signing the message itself.

Because the one-way hash serves as the digital fingerprint of the original message, it has to possess the following properties:

  • It has to be fast to compute.
  • It produces a hash of fixed length irrespective of the original message length.
  • Once the hash is produced, no one can reverse the process and reconstruct the original message from it (as the name one-way implies; this is called preimage resistance).
  • Given a message and its hash, it must be infeasible to find a second message with the same hash (second-preimage resistance), and infeasible to find any two messages with the same hash at all (collision resistance).
  • Even a small change in the original message changes about half of the bits of the resultant hash (the avalanche effect).

The second-preimage and collision properties are what prevent someone from constructing a modified message that produces the same hash, and so carries the same signature. The avalanche effect is what makes a modification easy to spot, but on its own it does not guarantee that collisions are hard to find.
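
The following is an added example, not code from the original page, that exercises the properties above with Python's standard hashlib (no signing library is needed to see them). It shows that inputs from zero bytes to a megabyte all give a 256-bit SHA-256 digest, measures the avalanche effect by flipping every bit of a message in turn, and performs the first step a signature verifier does: recompute the fingerprint of the received message and compare it with the one that was signed. The messages are constructed for the demonstration.

```python
import hashlib
import hmac


def digest_lengths(algo="sha256", sizes=(0, 1, 100, 10_000, 1_000_000)):
    """Hash inputs of very different sizes and collect the distinct digest lengths in bits.
    A fixed-length hash yields a single value however much the input sizes vary."""
    return {hashlib.new(algo, b"A" * n).digest_size * 8 for n in sizes}


def avalanche_fraction(message, algo="sha256"):
    """Flip each bit of the message in turn and return the mean fraction of digest bits
    that change relative to the digest of the unmodified message. A good hash gives a
    value close to 0.5: every single-bit change scrambles about half of the output."""
    base = int.from_bytes(hashlib.new(algo, message).digest(), "big")
    nbits = hashlib.new(algo).digest_size * 8
    total = 0.0
    for i in range(len(message) * 8):
        flipped = bytearray(message)
        flipped[i // 8] ^= 1 << (i % 8)
        d = int.from_bytes(hashlib.new(algo, bytes(flipped)).digest(), "big")
        total += bin(base ^ d).count("1") / nbits
    return total / (len(message) * 8)


def fingerprint(message, algo="sha256"):
    """The value a signer actually signs: the digest of the message, not the message."""
    return hashlib.new(algo, message).hexdigest()


def verify_fingerprint(message, expected_hex, algo="sha256"):
    """Recompute the digest of the received message and compare it with the signed one
    in constant time. False means the message is not the one that was signed."""
    return hmac.compare_digest(fingerprint(message, algo), expected_hex)


if __name__ == "__main__":
    # Constructed messages: the signed original and a tampered copy.
    original = b"Pay Bob 100 dollars on Monday"
    tampered = b"Pay Bob 900 dollars on Monday"
    print("digest lengths:", digest_lengths())
    print("avalanche fraction: %.3f" % avalanche_fraction(original))
    print("tampered copy verifies:", verify_fingerprint(tampered, fingerprint(original)))
```

The avalanche figure is what a reviewer should expect from any modern hash; a function that moved only a few output bits per input bit would let an attacker steer the digest of a forged message. The constant-time comparison in verify_fingerprint is a small habit worth keeping even here, since the same routine is often reused where the expected value is secret.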


Firewall Protections: But do you know the Limitations of Firewalls in the first place?

Before you look at the many protections a firewall can offer, you should know its limitations.

Here they are:

  • It cannot guarantee data integrity.
  • It cannot vouch for the authenticity of the source of data.
  • It has no control over how the packets were created.
  • It does not provide confidentiality: traffic between different firewalls is not encrypted unless VPN features are incorporated.
  • It does not protect against some Internet threats, such as viruses and password cracking, that ride on traffic it has been told to allow.
  • It does not protect against insider threats, since insider traffic does not cross it.
  • It cannot protect against traffic that does not pass through it (a dial-up modem, or a rogue wireless access point, inside the private network is a backdoor around it).
  • Once traffic has been allowed through, the firewall has no further control over what it does.
  • It is a single point of failure.

There are definitely more. Can you think of some?

Related topics: Limitations of Firewall, Single Point of Failure


The myths about Intrusion Detection System (IDS)

Myth # 1

IDS can handle network attacks automatically

No. An IDS can only assist a human being in investigating and detecting a potential attack in progress on the network. It still relies on the network administrator to handle the suspicious incidents.

Myth # 2

Network based IDS can effectively monitor all network traffic of the network segment under investigation.

No. As networks get faster (Ethernet has moved from 10 Mb/s through 1000 Mb/s to 10 Gb/s and beyond), it is very unlikely that an ordinary network tap or sensor can capture and analyze every packet. Packets it drops are packets it never inspects, so abnormal traffic patterns can be overlooked.

Myth # 3

No Alarm means there is no intrusion

No. An IDS can certainly fail to detect intrusion activity, for the following reasons:

1) It fails to capture ALL network traffic (Myth #2)

2) It fails to recognize the suspicious traffic pattern (because the corresponding signature is absent from its pattern file)

This is a "False Negative": an actual intrusion that is not detected.

Myth #4:

If there is alarm, there must be intrusions.

No. Like most other detection devices, an IDS produces "False Positives": it signals an intrusion where there is none, because a signature is too sensitive and matches network patterns that are unrelated to any attack.
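
Myths #2, #3 and #4 in one runnable picture, as an added example that is not from the original page: a miniature signature-based IDS run over eight constructed packets (addresses, payloads and the ground-truth labels are invented). The sensor is given a per-second inspection budget, so under load it drops packets it never sees; one attack uses an obfuscation the signature file does not cover; and one signature is deliberately over-broad. Scoring the alerts against the labels produces the false negatives and false positive the myths describe.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # seconds since the capture started
    src: str
    payload: bytes
    malicious: bool    # ground-truth label, attached to the constructed sample only


# Constructed sample traffic: a short HTTP stream with three real attacks inside it.
SAMPLE = [
    Packet(0.0, "10.0.0.5", b"GET /index.html HTTP/1.1", False),
    Packet(0.1, "203.0.113.7", b"GET /item?id=1 UNION SELECT password FROM users", True),
    Packet(0.2, "10.0.0.8", b"GET /admin/dashboard HTTP/1.1", False),
    Packet(1.0, "203.0.113.7", b"GET /item?id=1 UNION/**/SELECT password FROM users", True),
    Packet(1.1, "10.0.0.5", b"GET /css/site.css HTTP/1.1", False),
    Packet(1.2, "10.0.0.6", b"GET /js/app.js HTTP/1.1", False),
    Packet(1.3, "198.51.100.2", b"POST /upload.php x=/bin/sh -c id", True),
]

# Signature database. The third rule is deliberately over-broad to show a false positive;
# nothing covers the comment-obfuscated "UNION/**/SELECT", which gives a false negative.
SIGNATURES = {
    "sql-injection": re.compile(rb"(?i)union\s+select"),
    "webshell-probe": re.compile(rb"cmd\.exe|/bin/sh"),
    "admin-access": re.compile(rb"(?i)admin"),
}


def capture(packets, max_per_second):
    """Model a sensor that can inspect at most max_per_second packets in any one second;
    everything beyond that budget is dropped unseen (Myth #2)."""
    counts, kept, dropped = {}, [], 0
    for p in packets:
        sec = int(p.ts)
        if counts.get(sec, 0) < max_per_second:
            counts[sec] = counts.get(sec, 0) + 1
            kept.append(p)
        else:
            dropped += 1
    return kept, dropped


def detect(packets):
    """Signature matching over the packets the sensor actually saw."""
    return [(p, name) for p in packets for name, sig in SIGNATURES.items()
            if sig.search(p.payload)]


def score(all_packets, alerts):
    """Compare alerts with ground truth: true positives, false positives, false negatives."""
    flagged = {id(p) for p, _ in alerts}
    tp = sum(p.malicious and id(p) in flagged for p in all_packets)
    fp = sum((not p.malicious) and id(p) in flagged for p in all_packets)
    fn = sum(p.malicious and id(p) not in flagged for p in all_packets)
    return {"tp": tp, "fp": fp, "fn": fn}


def run(max_per_second):
    """Capture with the given budget, detect, and score against the whole sample."""
    kept, dropped = capture(SAMPLE, max_per_second)
    result = score(SAMPLE, detect(kept))
    result["dropped"] = dropped
    return result


if __name__ == "__main__":
    print("overloaded sensor:", run(3))
    print("sensor keeping up:", run(100))
```

With a budget of three packets per second the fourth packet of second 1, the webshell probe, is dropped and never inspected, so the sensor reports one true positive, one false positive (the benign /admin/dashboard request matching the over-broad rule) and two false negatives. Raising the budget recovers the dropped attack but not the obfuscated injection, which no signature covers: faster capture fixes Myth #2, only a better pattern file fixes the second cause of Myth #3, and the false positive remains until the noisy signature is tightened.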

Related Topics: IDS, Intrusion Detection System,Myths of IDS, Network Mis-use, False Positive, False Negative