CSS 211 - Introduction to Network Security

Chapter 4 - Host, Application, and Data Security

Objectives:

This lesson begins our discussion of security regarding hosts, applications, and data. Objectives important to this lesson:

  1. Securing a host
  2. Application security
  3. Securing data

Concepts:

Chapter 4 begins with a new idea, security controls, which can be devices, procedures, or policies that are meant to increase security for an enterprise. Increasing security can also be described as decreasing risk. The text begins by saying that we could classify security controls as one of two types:

  • administrative controls - These include the procedures to create security policies and the security policies themselves. Security policies are explained as being rules about "the actions that users may do, must do, and cannot do". (page 139)
  • technical controls - Actions that are performed by devices (technical solutions).

The author goes on to explain that both types of controls have the same subtypes:

  • deterrent controls - used to discourage attacks; applied before an attack; example: warning attackers that we are protected
  • preventive controls - used to prevent attacks; applied before an attack; example: using a firewall to block traffic for specific ports
  • detective controls - used to detect an attack or intrusion; applied during an attack; example: using an Intrusion Detection System
  • compensating controls - alternative controls that are used when normal controls are not possible; applied during an attack; example: disabling switch ports to isolate devices or LAN segments
  • corrective controls - used to reduce damage and restore to service; applied after an attack; example: using an emergency cleaning program on a USB memory stick, so that a computer can be usable

Physical Security/External Perimeter Defense

The text moves on to discuss several methods used to secure physical locations, some with a few variations. We can view them in the context of the control types listed above:

  • barriers (passive controls)
    • signs - These seem to be deterrents, since they warn attackers about our intentions and some of our preparations.
    • lights - No, lights are not barriers, but they could be preventatives, making some forms of attack less likely to succeed.
    • fences - Preventive controls to establish points of entry. Fences imply gates and the possibility of authentication.
    • barricades - The text is talking about the kind of barricades you see at road construction sites. It makes the point that a barricade that will stop a car may not stop a pedestrian. We should make sure we select the right barrier for the threat at hand. A barricade must be more serious to deter an attacker, not as serious if we only mean to funnel a crowd.
  • guards (active controls)
    • in place - A guard may be a human (or canine) presence at a gate, a reception point, or a series of locations if mobile. This is a deterrent and a preventative control.
    • remote monitor - A guard may monitor one or more locations remotely with cameras and monitors. When live, this is a deterrent and a preventative control. When video is recorded and examined later, it becomes a detective control, possibly a corrective control.
  • motion detectors (passive and active types)
    • visual - sensor uses visible light, example: Closed Circuit TV
    • radio frequency - unit emits and senses reflected microwaves or other radio frequencies; example: radar
    • vibration - unit senses vibrations in surrounding area; example: a unit to detect the motion of someone walking across a floor
    • sound - unit senses changes in background sound, typically any sound in an area assumed to be quiet
    • magnetism - This one is different from the rest. All the others are based on detecting an intruder. This one is based on detecting a change in the position of a door or window. A magnet is often used to keep an electric circuit open on a sensor attached to a door or a window; when the door/window is opened, the magnet moves away from the sensor, the circuit is closed, and an alarm is triggered. The sensor must be bypassed to use a security door that is equipped with such a device. An example is a door that leads to a swimming pool.
    • infrared - the sensor sees infrared light/heat and looks for changes in the area being scanned, similar in behavior to the radio frequency, vibration, and sound sensors

Internal Physical Access

  • hardware locks - There are many kinds of locks that can be used on many kinds of devices. The text discusses four general types and some specific types:
    • keyed entry locks - when locked, a key is required to open the lock from the outside, but not from the inside
    • privacy locks - like bathroom locks, meant to be opened from the outside in emergencies, but meant to provide privacy from polite people when locked
    • patio locks - typically a sliding mechanism is used (but other kinds exist) that cannot be unlocked from the outside
    • passage locks - not really locks, just mechanisms on doors that cause them to stay shut until someone operates the knob or handle to open them
    • deadbolt - typically requires a key to lock or unlock it, more secure than other types because the bolt is not operated by the door lever/knob; deadbolt locks are better than preset locks (key-in-knob locks)
    • cipher locks - the operator must press a sequence of buttons on the lock, in the right order, to open the door; an advantage of this type is that some can be reprogrammed instead of rekeyed, and some can be controlled remotely; like an ATM, users must hide their code from eavesdroppers
  • proximity readers - The text discusses magnetic strip readers in this group, but they are not the same. A card with a magnetic strip is usually swiped through a scanner to open such a lock. Very close contact with the sensor is required. A proximity reader is more likely to scan for Radio Frequency ID (RFID) tags which typically need only to be brought near a sensor for a lock to be opened.
  • access lists - An access list might be defined as a list of people authorized to use a resource, such as a door into a secure area. The text means more than just this list. The author states that an access list includes the time and date of each user's access of the resource, including entry and exit times. When a document includes that information, the document might more appropriately be called an access log.
  • man trap - essentially an air lock in which you contain people before deciding to let them in, throw them out, or call the police; needs to be coupled with another system or security personnel, or there is no point
  • protected distribution system - hardened (more secure) cable conduit or alarmed cable conduit; Cable, especially UTP cable, is easy to manipulate, making it easy to steal data from it. The PDS conduit makes it harder to access the cable itself, making it harder to steal data.
  • hardware security devices - cable locks for laptops and portable equipment, safes and locking cabinets for small equipment

Operating System Security

  • configuration - The text lists five steps that can lead to a secure configuration.
    • security policy - Establish a policy for all devices about the security settings that your equipment will use.
    • host software baselining - The text means that you must perform an audit of each device/operating system combination being used in your enterprise, to see how it does or does not meet your security policy requirements.
    • OS security settings - Your technical staff must determine what changes to make to the baseline for each device to bring it into compliance with your security policy.
    • deploying and managing settings - The text describes applying an established configuration by making changes manually on each machine, by applying a security template to machines so their settings are all the same, and by applying a Group Policy in Active Directory to make an automated application of your security configuration.
    • patch management - The application of security patches should be done in a regular, managed way, even when there are patches to apply in a hurry. The text introduces three related terms on page 151, but that list is incomplete. Some patches are not related to security:
      • critical update - typically corrects a failure in the program; usually not a security failure
      • feature pack - a collection of additions that are typically not critical: they are new features, not fixes for existing ones; usually not a security fix
      • update - a collection of fixes that correct problems; typically not security related, but Adobe seems to use this word to include security updates as well
      • security patch - a publicly released update, typically to repair/remove a vulnerability
      • hotfix - a package with one or more fixes, often related to security issues, that may only apply in a custom environment
      • update rollup - a set of fixes that may include all of the above types
      • service pack - a package that contains all the above changes to the program that apply since its release, or since the last service pack
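
As an added illustration of the baselining, settings, and deployment steps above (example code written for these notes, not taken from the textbook), the Python script below audits a host's sshd_config-style file against a small baseline expressed as data and produces the settings that would have to be deployed to close each gap. The baseline values, the assumed daemon defaults, and the sample configuration are all constructed for the example; the first-value-wins parsing rule and the case-insensitive keywords follow how sshd reads its own configuration, which is why the audit also looks at keys that are absent from the file.

```python
import re
from dataclasses import dataclass

# Hypothetical baseline for an SSH daemon, expressed as data so the audit
# code is policy-agnostic. key -> (required value, severity, rationale)
BASELINE = {
    "PermitRootLogin":        ("no",      "high",   "least privilege: no direct root login"),
    "PasswordAuthentication": ("no",      "high",   "keys only: removes password guessing"),
    "X11Forwarding":          ("no",      "medium", "reduced capabilities: unused feature off"),
    "LogLevel":               ("VERBOSE", "low",    "detective control: richer logs for monitoring"),
}

# Values the daemon assumes when a key is absent (assumed here for the example;
# an absent key is still a finding if the default does not meet the baseline).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "LogLevel": "INFO",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample host configuration (not collected from a real system).
SAMPLE_CONFIG = """\
# sshd_config from host ws-lab-07 (constructed sample)
Port 22
PermitRootLogin yes
X11Forwarding no
LogLevel VERBOSE
# a later duplicate does NOT override the first value above
PermitRootLogin no
"""


@dataclass
class Finding:
    key: str
    expected: str
    actual: str
    source: str       # "explicit" (set in the file) or "default" (key absent)
    severity: str
    rationale: str


def parse_config(text):
    """Return {lowercased key: value} for a key/value config file.

    First value wins, as sshd itself does, so a 'PermitRootLogin no' appended
    at the end of the file cannot mask an earlier 'yes'. Keywords are matched
    case-insensitively, again following sshd.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue          # malformed line; a stricter audit would flag it
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def audit(observed, baseline=BASELINE, defaults=DEFAULTS):
    """Compare effective settings (explicit value or daemon default) with the baseline."""
    findings = []
    for key, (required, severity, why) in baseline.items():
        if key.lower() in observed:
            actual, source = observed[key.lower()], "explicit"
        else:
            actual, source = defaults.get(key, "<unset>"), "default"
        if actual != required:
            findings.append(Finding(key, required, actual, source, severity, why))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable sort keeps policy order within a level
    return findings


def remediation(findings):
    """Lines to place at the TOP of the file (first value wins) to reach compliance."""
    return [f"{f.key} {f.expected}" for f in findings]


if __name__ == "__main__":
    found = audit(parse_config(SAMPLE_CONFIG))
    for f in found:
        print(f"[{f.severity}] {f.key}: expected {f.expected!r}, got {f.actual!r} ({f.source}) - {f.rationale}")
    print("remediation:", remediation(found))
```

Run against the sample, the audit reports two high-severity findings: PermitRootLogin is explicitly set to yes (the trailing no is ignored, exactly as the daemon would ignore it), and PasswordAuthentication is absent, so the daemon default of yes applies. Keeping the baseline as data is what makes the same audit reusable across the device/operating system combinations the baselining step asks you to inventory.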

The first three types in the patch management list typically do not address security issues, but the last four types do. Managing patches and other updates does not have a clear-cut best answer. The four options below, offered by Windows, are presented as representative examples of your choices:

    • install automatically
    • download automatically, but let me choose what to install
    • check for updates, notify me, but let me choose to download and install
    • never check

The first three include automatically checking for updates, or their functions would not take place. In the environment of my day job, we typically do not have devices check Microsoft for updates because of the degree of customization of applications and the possibility of patches breaking some functionality.

In environments where the users do not own their computers (e.g. large companies, government offices, schools) it is better to have central control over configuration and patches. Several advantages apply:

  • a distributed network of servers can be used for patch distribution to workstations, making better use of bandwidth and access (this has the greatest value when the LANs are in different geographic locations)
  • computers that are not allowed to go to the Internet can get updates (for example, computers in secure areas where Internet access is not allowed)
  • administrators can test updates before general deployment, and request hotfix updates for a customized environment instead
  • administrators can choose not to deploy updates that do not apply to their configurations
  • hotfixes provided by the vendor can be deployed, which would not be available from the general update site of the vendor
  • users cannot refuse updates to "their" computers

The text lists one more kind of operating system security, which it does not discuss in much detail. Security through design is defined as using an operating system that has been hardened, which means that it matches the list of features on page 153. This definition may be different from one workplace to the next, but these are the four features from the text:

  • all default supervisor/administrator accounts have been removed (Least privilege)
  • each account can only access resources necessary for the job being performed (Reduced capabilities)
  • the operating system files are restricted to read only status (Read only file system)
  • all parts of the operating system that are unnecessary are removed (Kernel pruning)

On the bottom of page 153, the text turns to solutions that are available from vendors whose products fill a market niche.

  • antivirus software - A number of applications are available that protect against viruses and more. The text discusses the scanning and monitoring features that are common. The text presents an aspect of these programs as a disadvantage: they must be continuously updated with new virus definition files (signature files) that enable the product to recognize and deal with viruses. I do not see this as a disadvantage as much as a feature. New viruses are created all the time. You should expect that you have to update your protection to make sure you are protected against all currently known threats.
  • antispam filters - Spam is associated with email. It should not be a surprise that an anti-spam product can be installed on your outgoing queue (your SMTP server), or your incoming queue (your POP3 or IMAP4 server). Why not both? I can't think of a reason, but the book does not discuss it.

    The text also discusses contracting a third party to filter your spam, instead of applying the filter to your own system.

    Some email clients can be configured to block spam, but they may have to have particular settings turned on to do so. My copy of Outlook, for example, will not let me set a rule for Junk Mail (spam) unless I change from live mode to cached mode. The Junk Mail option would allow me to block a sender, block a sender's domain, or classify a sender as safe. These are the same settings listed for the third party option above.

    The last option described in the text is to install separate filtering software that works with your email client.

  • popup blockers and antispyware - Popups are defined as small web browser windows that are spawned from web pages or other processes. Popups are typically spawned to hold ads, but they can be made for additional information, input forms, or other purposes. A popup blocker can be a feature of a browser, of an antivirus product, or a free standing application.

  • host-based firewalls - The text spends two paragraphs on firewalls (also called packet filters). This software may be part of the operating system, part of an antivirus solution, or a standalone product. We will see more on this subject later in the text.

The next topic, starting on page 155, concerns systems that often have none of the protections listed above. The text explains that they can be called static systems because of their lack of dynamically updated protection. Six example categories are discussed.

  • embedded systems - a computer system inside a device, like the operating systems in appliances
  • game consoles - typically smaller versions of common operating systems, without the patch cycles
  • smartphones - less vulnerable than in the past, but still not patched as often as commercial operating systems
  • mainframes - operating systems are typically very different from desktop operating systems
  • in-vehicle computer systems - computer systems that support the systems and equipment in cars and trucks
  • SCADA (Supervisory Control And Data Acquisition) - operating systems for large devices, factory equipment, and utility processes, such as those used by power, water, and gas utilities

Defense methods for static systems:

  • network segmentation - prevents access from the main network
  • security layers - as discussed earlier
  • application firewalls - can be used if the OS of the device allows it
  • manual updates - create a policy, establish a schedule, and assign a job to do it
  • firmware version - update these, just like OS patches
  • control redundancy and diversity - keep these systems simple to prevent complications that provide attack vectors

The text discusses security for applications as a concern that should be addressed when the applications are developed. This should always have been true, but it is more obvious to developers in a time in which patches for applications are delivered monthly, weekly, or more often.

Some software testing methods are discussed:

  • error testing - make sure that the application stops or continues properly when any of the error conditions we have discussed are introduced by an attacker
  • fuzz testing - make sure the application is able to handle improper data or responses from a user
  • return codes - functions in applications can be written to provide a return code, usually an integer value that indicates the kind of data it is passing, or whether the function ended as expected; make sure to check return codes before using data returned from a called function
  • input validation - as we discussed earlier, validating the input a user or another program supplies is critical; the concept reminds me of the Russian proverb adopted by Ronald Reagan, Доверяй, но проверяй. Trust, but verify.
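
The following Python example, added to these notes and not from the textbook, puts the last three testing ideas together on a constructed record format (username:age:email, a hypothetical format chosen only for illustration). The parser validates every field against an allowlist and hands back a return code the caller must check before touching the data; a small, seeded fuzz harness then feeds it random input to confirm that bad data produces a rejection code rather than an escaping exception. All sample lines are constructed.

```python
import random
import re
from dataclasses import dataclass

# Return codes: a caller must check the code before using the record.
OK = 0
ERR_FIELD_COUNT = 1
ERR_USERNAME = 2
ERR_AGE = 3
ERR_EMAIL = 4

# Allowlists for each field of the hypothetical "username:age:email" format.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
AGE_RE = re.compile(r"[0-9]{1,3}")   # ASCII digits only: str.isdigit() also accepts
                                     # characters like '²' that int() then rejects
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Record:
    username: str
    age: int
    email: str


def parse_record(line):
    """Validate one record. Returns (code, Record or None) and never raises on bad input."""
    if not isinstance(line, str):
        return ERR_FIELD_COUNT, None
    parts = line.split(":")
    if len(parts) != 3:
        return ERR_FIELD_COUNT, None
    username, age_s, email = (p.strip() for p in parts)
    if not USERNAME_RE.fullmatch(username):
        return ERR_USERNAME, None
    if not AGE_RE.fullmatch(age_s) or not 0 < int(age_s) < 150:
        return ERR_AGE, None
    if not EMAIL_RE.fullmatch(email):
        return ERR_EMAIL, None
    return OK, Record(username, int(age_s), email)


def load_records(lines):
    """Consumer that honours the return code: rejected lines never become Records."""
    accepted, rejected = [], []
    for lineno, line in enumerate(lines, 1):
        code, rec = parse_record(line)
        if code != OK:
            rejected.append((lineno, code))
            continue
        accepted.append(rec)
    return accepted, rejected


def fuzz_parser(iterations=2000, seed=1):
    """Minimal fuzz harness: feed random junk and count crashes.

    A rejection (nonzero code) is the intended outcome; an exception escaping
    parse_record would be a bug, the kind of thing fuzz testing exists to find.
    Seeded so that any failure is reproducible.
    """
    rng = random.Random(seed)
    alphabet = "abcxyz:@._0123456789 \t\n\x00\\\"'é²"
    crashes = 0
    for _ in range(iterations):
        candidate = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 40)))
        try:
            parse_record(candidate)
        except Exception:
            crashes += 1
    return crashes


if __name__ == "__main__":
    sample = ["alice:34:alice@example.com", "root:1:", "bob:200:bob@example.com"]  # constructed
    good, bad = load_records(sample)
    print("accepted:", good)
    print("rejected (line, code):", bad)
    print("fuzz crashes:", fuzz_parser())
```

The age check is the error-testing point worth noticing: a version built on str.isdigit() followed by int() passes ordinary tests and only fails when the fuzzer happens to produce a non-ASCII digit, which is exactly the class of input an attacker supplies on purpose and a unit test rarely thinks of.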

Moving on to the last concepts in the chapter, the text reminds us to apply security measures to our data, no matter what state it may be in. The general concept is called Data Loss Prevention (DLP), and it recognizes three states of data:

  • data in use
  • data in transit
  • data at rest