ITS 2110 - Introduction to Network Security

Chapter 1, Introduction to Security

Objectives:

This lesson introduces the student to basic concepts about the need for computer system security. Objectives important to this lesson:

  1. Securing information
  2. Definition of terms
  3. Types of attackers
  4. Formal structure of an attack
  5. Five classic defense methods

Concepts:

Chapter 1 begins with some anecdotes about security issues to impress the student with the need for information system security. We might presume that someone who signs up for this class has the idea that such needs exist already. The author presents examples of several ways a computer system might be attacked, compromised, or otherwise damaged. He makes the point that information security is no longer a problem just for IT professionals. All people living in an information rich society are subject to attacks on their IT and financial assets.

  • A virus or malware program might be placed in some electronic device that you would not normally consider a threat. Later, it could be used to infect USB sticks that accessed it, making the USB stick a carrier of the virus for any computer it was plugged into later.
  • The text discusses a classic "Nigerian email" scam, also known as the Nigerian General or the Nigerian Bank Manager scam. Current events being what they are (changes of leadership in other countries, second half of 2011), I would expect variations on this scam to include Libyan and Egyptian themes sooner or later.
  • The text discusses booby-trapped web pages. These do not always wait for unwary web surfers; links to them are often included in emails to potential marks (scam victims). Web browsers and personal security programs are adding protection against such things, but they are a moving target.
  • Specific web-based scams use phishing sites. The idea is to get an email recipient to go to a web page, or to reply by email, and send sensitive information like login ID and password to the scammer. The mark is supposed to believe that the scammer is actually a trusted authority, like a bank, utility company, or other service vendor. The web addresses used for these sites are often meant to be temporary, so a definitive list must always be changing.
  • Customer data is always at risk of being stolen by system break-ins. Watch the news for new developments.
  • Identity theft is a common fear: you can get a rider for it on your homeowner insurance.
  • Theft of laptops holding sensitive information results in a much worse loss than losing the hardware itself.

In this version of the text, the author pauses to discuss some IT Security related jobs. Larger companies and governmental agencies are likely to employ people in each category; smaller companies are more likely to consolidate security duties in fewer roles.

  • Chief Information Security Officer - high level administrator over the other roles, responsible for all security decisions
  • Security manager - runs one or more teams of security professionals
  • Security administrator - can be a person in charge of a system, or a level of management as the text indicates
  • Security technician - the actual worker-level position, this role includes providing support to end users and to system developers regarding security issues

The text also reviews security related certifications, and reminds us that this book is specifically oriented toward the CompTIA Security+ certification.

The text returns to the topic of attacks, and provides some reasons it can be hard to defend against them:

  • Speed of attack - interconnected computers pass viruses and worms faster and faster
  • Sophistication - attack traffic on a network can look like any other traffic, and the attack can morph (change) so it looks different as time goes by
  • Simple tools - attack tools are easily available and easy to use: better tools mean you don't have to be a good hacker to attack a system well
  • Vulnerabilities detected and acted upon - zero day attacks: an attack on a system based on a newly discovered method or newly uncovered vulnerability
    Almost all viruses start out this way. Antivirus programs provide no protection against new viruses until the analysts who write protection and cleaning algorithms know about the virus.
  • Lack of timely patching - Delays in patching known issues in software and firmware. Have you noticed that Microsoft, for example, tends to put out patches and updates the 2nd Tuesday of every month? How does that schedule strike you? Often enough, not often enough, or too often?
  • Distributed attacks - attacks that take place from many computers at once, typically from already infected or compromised machines.
  • BYOD - companies frequently support the Bring Your Own Device to work concept, which sounds like a money saver, but may actually expose company data on an unsecured device
  • User confusion - the average user does not have a clue whether a security question on a screen is important, much less what the right answer to it might be (The current process is trying to make a change to your system. Do you want to permit this?)

The text turns to a series of definitions that may not seem to apply to all cases. They are general definitions, a starting point to consider what we are working with and working toward.

  • information security - the text starts by saying this means guarding digital information. We should remember that some information is also stored on paper, in photographs, and in other media that also need to be protected. The focus of this text seems to be digital information, but the author would surely agree the other media should be secure as well.
  • The text also says that security can be viewed as the processes used to defend against attack or as the theoretical result of those processes, the state of being secure.
  • The text observes that the more secure a system or device is made, the less convenient it is to use that system or device. This is often seen when rules about passwords change. Users who are forced to use more complex passwords often find some way to remember the password that exposes it to theft (e.g. written on a post-it note).
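The password rules these notes mention (a minimum length, at least one character from at least three of the four character classes, and no reuse of a password used within the last ten changes) as a small policy checker. This is an added example, not code from the text; the minimum length of 12 and the PBKDF2 iteration count are assumptions, since the notes do not state them.

```python
import hashlib
import os
import string

# Policy values assumed for this example (the notes do not state a minimum length).
MIN_LENGTH = 12
MIN_CLASSES = 3      # at least one character from at least three of the four classes
HISTORY_DEPTH = 10   # a password used within the last 10 changes may not be reused
ITERATIONS = 50_000  # kept modest so the example runs quickly

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def _hash(password, salt):
    # Store a salted PBKDF2 digest so the history never holds a reversible form of old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def check_password(candidate, history):
    """Return every rule the candidate breaks (an empty list means it is accepted).

    history: list of (salt, digest) pairs, most recent change first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: need at least {MIN_LENGTH} characters")
    present = sum(1 for chars in CLASSES.values() if any(c in chars for c in candidate))
    if present < MIN_CLASSES:
        problems.append(f"needs characters from at least {MIN_CLASSES} of 4 classes (has {present})")
    # Each old entry has its own salt, so the candidate is re-hashed per entry in the window.
    for salt, digest in history[:HISTORY_DEPTH]:
        if _hash(candidate, salt) == digest:
            problems.append(f"reused within the last {HISTORY_DEPTH} changes")
            break
    return problems

def change_password(candidate, history):
    """Apply the policy and return the updated history (new entry first) on success."""
    problems = check_password(candidate, history)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return [(salt, _hash(candidate, salt))] + history
```

Unlike the prompts the notes complain about, check_password reports every broken rule at once instead of one per attempt.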

The author discusses the idea that a security program cannot guarantee freedom from attack. The goal is to eliminate or minimize damage from attacks that take place. He provides a justification for providing such protection: to maintain the value of information. He says that there are three aspects of information that are typically protected (CIA) and adds three more (AAA):

  • confidentiality - information is accessed only by those who are meant to access it
  • integrity - information is correct, and has not been altered except by authorized persons
  • availability - information is accessible when needed
  • authentication - proving the identity of a user/requester
  • authorization - providing access to specific assets and resources
  • accounting - providing an auditable trail of events

The text provides a rather long formal definition of information security, and adds three more concepts, the three entities that provide protection: products, people, and procedures. The Products category refers to hardware and software such as firewall devices and authentication software. People would primarily be whoever installs and uses security products. Procedures means plans, policies, and actual steps carried out by those who use information, as well as by those who protect it. I think it is a bit of a reach to have the formal definition include three attributes of information, three ways it is used in a system, and three entities that protect it. This is likely one of those certification question points that we just have to accept as worded the way it is worded, and we aren't allowed to improve it.

The text moves on to discuss more vocabulary, illustrated by a story about a woman who wants to put a new stereo system in her car. The story is useful, but not necessary to understand the terms.

  • asset - information that we care about
  • threat - a potential form of loss or damage; many threats are only potential threats
  • threat agent - a vector for the threat, a way for the threat to occur; could be caused by a person, an event, or a program running an attack
  • vulnerability - a weak spot where an attack is possible or more likely to succeed
  • exploit - a method of attack; the text describes the act of using an exploit to attack through a vulnerability by way of a threat vector
  • risk - the probability of a loss; risk can be managed in five classic ways: avoidance, acceptance, mitigation, deterrence, and transference

The next section of the text lists several goals of information security that could also be considered as benefits of it.

  • preventing data theft - prevention of loss is an obvious benefit of a working security system
  • preventing identity theft - this is not necessarily different from the first bullet, since identity information is one kind of data; stolen identity information, however, has a more personal effect on the victims than the simple theft of other corporate data, and provides a means to defraud each victim multiple times
  • avoiding legal consequences - those who do not protect their data may be subject to legal charges; the text has a list of several applicable state and federal acts in the US:
    • HIPAA (Health Insurance Portability and Accountability Act), prohibits disclosure of protected health data, with penalties up to $250,000 and 10 years in prison for trying to sell it
    • Sarbox (Sarbanes-Oxley Act of 2002), a reaction to corporate fraud and corruption. It provides penalties up to $5,000,000 and 20 years in prison for officers who file false corporate reports.
    • GLBA (Gramm-Leach-Bliley Act), protects consumer data at banks and financial institutions, provides penalties up to $500,000 for unauthorized disclosure.
    • USA Patriot Act of 2001, authorized law enforcement agencies to obtain documents and data if they have a court order, subpoena, or other authorization; provides several penalties for non-compliance.
    • California Database Security Breach Act of 2003, the first state law requiring that businesses notify state residents within 48 hours of experiencing a data breach of specific personal information data (other states have enacted similar laws).
    • COPPA (Children's Online Privacy Act of 1998), federal act that requires entities to get parental permission before collecting, using, disclosing, or displaying data about children under 13 (no penalties stated in the text).
  • maintaining productivity - prevention saves the effort (time and cost) that a successful attack would incur.
    The text implies that in the case of an attack, you should estimate that it will take about 1% of your total staff to combat the attack.
    The cost of virus attacks includes cleaning cost, loss of productivity, and loss of revenue. Follow this link to a list of ten famous and expensive viruses.
  • foiling cyberterrorism - the potential for terrorists to disrupt a national infrastructure includes disruption of health and emergency services, power, communications, and commerce.

The text discusses some categories used to classify attackers:

  • hackers - One of the buzzwords of computer system geeks, this one can mean anything; it is generally accepted to mean someone with more skill than an average user, who may be a white hat (good guy) or black hat (bad guy). A hacker may break into a system for a thrill, to show off, or to cause some kind of damage. The text also throws in the concept of a gray hat, a hacker who will find a vulnerability and announce it to the public instead of telling the vulnerable institution.
  • script kiddies - attackers who use hacking tools that they don't really understand
  • brokers - hackers who find vulnerabilities and sell the information; the text says "to the highest bidder" but the information may actually be sold multiple times
  • spies - computer attackers who are looking for specific data from specific systems
  • employees/insiders - Computer security includes the concept of protecting data from people who aren't authorized to access it. What about protecting it from authorized users who want to give or sell it to someone else? What about authorized users who give out their password because someone asks for it? What about users who are no good at protecting their secrets?
  • cybercriminals - The text has a longer discussion of this category. The bottom line is that they are after some financial gain. This could be data they can sell, actual fund transfers, or theft of financial instruments.
  • cyberterrorists - A cyberterrorist is defined as a system attacker whose motivations are ideological.
  • hacktivists - hackers who disable or deface a web presence to make a political point
  • state sponsored attackers - government supported attackers (who may work for an agency or an armed service of that government)

The text lists seven steps that an attacker may follow in preparing for and carrying out a computer system attack:

  1. Probe for information - look over the target and find potential weak spots; for example, look for open ports on servers
  2. Weaponize - create an exploit based on what you found
  3. Delivery - penetrate defenses; actually stage the attack, whether by email, attempted login, or other means
  4. Exploitation - execute the element that was delivered to the target
  5. Installation - may mean to install a back door for future entry, or to put code in place for execution
  6. Command and control - optional step, the exploit code contacts the attacker to begin a download or to provide a control interface
  7. Actions on objectives - the attack harvests data, does damage, creates a zombie, or whatever the attacker wished to accomplish

Consider that not all attackers will follow all of these steps. Some would damage a system without making a back door for later, some would explore a system but never damage it, and others might steal data to make public what the data owners would rather be secret.

The author also gives us five defenses against attacks.

  • layering - the author spends more time with metaphors than with examples; the point is just that a security solution will have multiple layers, requiring an attacker to get through several kinds of protection before accessing data
  • limiting - it is a standard feature of most databases that the designer can restrict users to specific views of the data, letting them see only what their role requires, and letting only specific authenticated users modify or add information to the data files; network security can work the same way, offering only role- or user-specific views of data and allowing only limited changes by specific users
  • diversity - diversity should be part of the layering concept, but that would mean we would need another bullet; diversity means that each layer of security is different in some way from the other layers, so an attacker will not be able to use the same exploit to get through all the layers
  • obscurity - this means that the inner workings of the system should not be described or stated where a potential attacker could access that information. As a network system user, this is one of the more irritating aspects to me. Consider passwords. The network tells me my password will expire, and offers me a chance to change it now. I offer it a new password, and it replies that the new password is too short. I offer another one, and it tells me I haven't used enough complexity (upper case, lower case, numbers, and symbols: use at least one from at least three types). I offer another, and it tells me I can't use a password I used as recently as 10 changes ago. You see the pattern? Let there be rules for using the system, but the user is not made aware of the rule until it is violated. In the case of securing the system from attackers, the attacker is not told any of these rules when they are trying to guess a password.
  • simplicity - let the system be simple to administer, but hard to hack
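The limiting defense above, shown with a database that gives each role only the columns its job requires and lets only one role change anything. This is an added example, not code from the text; it uses SQLite's authorizer hook from Python's standard sqlite3 module, and the employees table, the two roles and their column lists are constructed for the illustration.

```python
import sqlite3

# Constructed sample rows for this example, not data from the text.
EMPLOYEES = [
    (1, "Alice", "Engineering", "123-45-6789", 95000),
    (2, "Bob", "Finance", "987-65-4321", 72000),
]

# Assumed role policy: which columns each role may read, and whether it may change data at all.
POLICY = {
    "directory": {"columns": {"id", "name", "dept"}, "write": False},
    "hr": {"columns": {"id", "name", "dept", "ssn", "salary"}, "write": True},
}

WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}

def _authorizer_for(role):
    rule = POLICY[role]
    def authorize(action, table, column, db_name, trigger):
        # SQLite consults this callback for every table/column access while compiling a statement.
        if action == sqlite3.SQLITE_READ and table == "employees":
            # A column outside the role's view comes back as NULL rather than as the real value.
            return sqlite3.SQLITE_OK if column in rule["columns"] else sqlite3.SQLITE_IGNORE
        if action in WRITE_ACTIONS and not rule["write"]:
            return sqlite3.SQLITE_DENY  # the statement is rejected as "not authorized"
        return sqlite3.SQLITE_OK
    return authorize

def connect_as(role):
    """Open an in-memory copy of the table with the role's limits attached."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, "
                 "dept TEXT, ssn TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    conn.set_authorizer(_authorizer_for(role))  # attach only after loading the sample rows
    return conn

def select_as(role, sql):
    """Run a query under the role's limits and return the rows it is allowed to see."""
    return connect_as(role).execute(sql).fetchall()

def can_execute(role, sql):
    """True if the role may run the statement, False if the limit blocked it."""
    try:
        connect_as(role).execute(sql)
        return True
    except sqlite3.DatabaseError:
        return False
```

The same query returns different results for each role, and the read-only role's update fails before it runs, which is the point of limiting: the restriction is enforced by the data store, not by trusting the client.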