The objective of this unit is to provide students with an overview of the major security issues involved in a networked environment. On completing this unit, the student should be able to understand the risks involved and have an idea of the mechanisms that need to be put in place to secure information.
II. Learning Outcome
On completing this module you should have an understanding of the different kinds of threats to information security. You should also have a clear understanding of the terminology in this regard. It is also expected that you have an idea of the measures that are widely employed to ensure information security, especially in the network environment.
III. Structure of the Module
1. Information and Networked Environment – an introduction
2. Information security aspects
2.1. The challenges to provide information security
2.2. Why should information be secured?
2.3. Three elements of Information Security
3. Main controls aimed at protecting the C-I-A triad.
4. Threats to Information Security
4.1. Information security policy – a mandate for the organizations.
4.2. Best Practices to Protect Digital Assets.
4.3. Other simple best practices
5. Wireless World creating serious security vulnerabilities
6. The security and privacy issues associated with social networking sites
6.1. Precautions to be taken
1. Information and Networked Environment – An Introduction
In the present society, it is a proven fact that information is ‘power’, information is ‘wealth’. Information is almost like air that continuously flows. Information flows from human to human, human to machine, machine to machine. Information takes different forms namely handwritten documents, printed documents, voice, text, image, video, etc. The Internet is the core of the Information Society.
The Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts, in a variety of ways, to anyone with a computer and a network connection. Thus, individuals and organizations can reach any point on the internet without regard to national or geographic boundaries or time of day. However, along with the convenience and ease of access to information come risks. Among them are the risks that valuable information may be lost, stolen, altered, or misused. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet. Intruders do not need to enter an office or home; they may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can also create new electronic files, run their own programs, and hide evidence of their unauthorized activity.
Computers have become an inevitable and essential component of the information society today. One cannot imagine a professional or personal life without computers. Once upon a time, the computer was an expensive, bulky machine used only for number crunching and for handling complicated mathematical operations. Computers were the property of only big and rich organizations. They were available in the form of mainframe computers and mini computers, to which terminals (input/output devices) had to be connected to get the work done. But today computers are available in different forms such as desktops, laptops, tablets, smart phones, and ‘Google glass’. There has been a paradigm shift in the functionality of the computer. The present-day computer does:
• Number crunching;
• Information (content) generation;
• Information processing;
• Provide entertainment;
• Monitoring and many more.
Out of these functions, the ‘magic role’ played by computers is to create the Information Networked Society. The largest engineered system ever created by mankind, namely the Internet, connects millions of such computers to create the Information Networked Society. The Internet has converted the whole world into what is known as a ‘global village’. Let us look at the basic elements of the Internet.
• User end machines / Hosts
A user end machine could be a desktop, a laptop, or a smart phone that creates and exchanges information in the form of voice, text, image, video or a combination of these. In other words, information is also called ‘content’. Network deals with how the machines / gadgets creating and exchanging information are connected using a set of hardware and software. The process of exchanging information is popularly known as protocol. Figure below presents a macro-view of the building blocks of the internet.
2. Information security aspects
“Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc…)” (Wikipedia)
Many organizations realize that one of their most valuable assets is their data, because without data, an organization loses its record of transactions and/or its ability to deliver value to its customers. Protecting data in motion and data at rest are both critical aspects of information security. An effective information security program is essential to the protection of the integrity and value of the organization’s data.
Two major aspects of information security are:
- IT Security: Information Technology Security is information security applied to technology (most often some form of computer system). IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within large businesses. They are responsible for keeping all of the technology within the organization secure from malicious cyber attacks that often attempt to breach into the critical private information or gain control of the internal systems.
- Information Assurance: The process to assure that data is not lost when critical issues arise. These issues include but are not limited to: natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in the modern era, information assurance is typically dealt with by IT security specialists.
2.1 The challenges to provide Information Security: Let us look at a simple day-to-day example of browsing the Internet. The end user, typically called the client, invokes a browser such as Internet Explorer or Google Chrome, enters the address of the web site (the address of the server computer) to be browsed and presses the Enter key. After a few seconds, the first page of the web site, typically called the home page, is displayed on the monitor. In this process, a complex sequence of actions takes place in the background. The request for the page travels through a complex Internet infrastructure that makes use of private and public infrastructure and reaches the server at the other end. The home page is returned to the client.
An important point to be noted from this simple example is that securing the information has to be done at 4 levels, end-to-end, namely:
2.2. Why should information be secured?: The answer is simple: as mentioned earlier, information is wealth. An organization must secure its wealth if it is to survive and grow. Broadly, information security:
1. Prevents data theft
2. Avoids legal consequences of not securing information
3. Maintains productivity
4. Foils cyber terrorism
5. Prevents identity theft
2.3. Three Elements of Information Security: The three key elements of information security are confidentiality, integrity, and availability, referred to as the C-I-A triad or information security triad. Let’s look at the meaning of each of these elements.
2.3.1. Confidentiality: Confidentiality means that information that is not in public domain should stay secret and be accessible to only those persons authorized to access it. Unauthorized access to confidential information may have devastating consequences, not only in national security applications, but also in commerce and industry. Main mechanisms of protection of confidentiality in information systems are cryptography and access controls. Examples of threats to confidentiality are malware, intruders, social engineering, insecure networks, and poorly administered systems.
2.3.2. Integrity: Integrity is concerned with the trustworthiness, origin, completeness, and correctness of information as well as the prevention of improper or unauthorized modification of information. Integrity in the information security context refers not only to integrity of information itself but also to the origin integrity, that is, integrity of the source of information.
Integrity protection mechanisms may be grouped into two broad types:
- Preventive mechanisms, such as access controls that prevent unauthorized modification of information;
- Detective mechanisms, which are intended to detect unauthorized modifications when preventive mechanisms have failed.
Controls that protect integrity include principles of least privilege, separation, and rotation of duties.
2.3.3. Availability: Availability of information, although usually mentioned last, is not the least important pillar of information security. Who needs confidentiality and integrity if the authorized users of information cannot access and use it? Who needs sophisticated encryption and access controls if the information being protected is not accessible to authorized users when they need it? Therefore, despite being mentioned last in the C-I-A triad, availability is just as important and as necessary a component of information security as confidentiality and integrity.
Attacks against availability are known as denial of service (DoS) attacks. Natural and man-made disasters obviously may also affect availability as well as confidentiality and integrity of information, though their frequency and severity greatly differ: natural disasters are infrequent but severe, whereas human errors are frequent but usually not as severe as natural disasters. In both cases, business continuity and disaster recovery planning (which at the very least includes regular and reliable backups) is intended to minimize losses.
3. Main controls aimed at protecting the C-I-A triad.
Central to information security is the concept of controls, which are categorized as physical, administrative, technical and functional.
Physical controls include doors, secure facilities, fire extinguishers, flood protection, and air conditioning.
Administrative controls are the organization’s policies, procedures, and guidelines intended to facilitate information security.
Technical controls include measures such as firewalls, authentication systems, intrusion detection systems, and file encryption, among others.
Functional controls are further classified into:
- Preventive Controls: Preventive controls are the first controls met by the adversary. Preventive controls try to prevent security violations and enforce access control. Like other controls, preventive controls may be physical, administrative, or technical: doors, security procedures, and authentication requirements are examples of physical, administrative, and technical preventive controls, respectively.
- Detective Controls: are in place to detect security violations and alert the defenders. They come into play when preventive controls have failed or have been circumvented and are no less crucial than preventive controls. Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms.
- Corrective Controls: try to correct the situation after a security violation has occurred. Although a violation occurred, not all is lost, so it makes sense to try and fix the situation. Corrective controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature.
- Deterrent Controls are intended to discourage potential attackers and send the message that it is better not to attack, but even if you decide to attack we are able to defend ourselves. Examples of deterrent controls include notices of monitoring and logging as well as the visible practice of sound information security management.
- Recovery Controls are somewhat like corrective controls, but they are applied in more serious situations to recover from security violations and restore information and information processing resources. Recovery controls may include disaster recovery and business continuity mechanisms, backup systems and data, emergency key management arrangements, and similar controls.
- Compensating Controls: These are intended to be alternative arrangements for other controls when the original controls have failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls, the second set of controls are compensating controls.
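The detective controls named above (cryptographic checksums and file integrity checkers) can be illustrated with a short Python sketch. This is an added example, not part of the original module; the file names, contents and HMAC key are constructed for the demonstration, and sealing the baseline with an HMAC is a design choice made here so that the baseline itself cannot be silently rewritten.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (by relative path) to its digest."""
    entries = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            entries[os.path.relpath(full, root)] = hash_file(full)
    return entries


def seal(entries, key):
    """HMAC over the canonical JSON form of the entries."""
    payload = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_baseline(root, key):
    """Record the known-good state of the tree and seal the record."""
    entries = snapshot(root)
    return {"entries": entries, "seal": seal(entries, key)}


def verify_baseline(root, baseline, key):
    """Detect modified, removed and added files relative to the baseline."""
    if not hmac.compare_digest(seal(baseline["entries"], key), baseline["seal"]):
        raise ValueError("baseline seal mismatch: the baseline itself was altered")
    known, current = baseline["entries"], snapshot(root)
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "removed": sorted(p for p in known if p not in current),
        "added": sorted(p for p in current if p not in known),
    }


def demo():
    key = b"constructed-demo-key"  # constructed value; keep real keys off the monitored host
    files = {"app.conf": "port=443\n", "users.db": "alice\n", "old.log": "x\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, content in files.items():
            with open(os.path.join(root, name), "w") as handle:
                handle.write(content)
        baseline = build_baseline(root, key)

        # Changes made after the baseline was taken.
        with open(os.path.join(root, "app.conf"), "w") as handle:
            handle.write("port=8080\n")
        os.remove(os.path.join(root, "old.log"))
        with open(os.path.join(root, "dropped.bin"), "w") as handle:
            handle.write("new\n")
        report = verify_baseline(root, baseline, key)

        # Someone without the key rewrites the baseline to hide the change.
        forged = {"entries": dict(baseline["entries"]), "seal": baseline["seal"]}
        forged["entries"]["app.conf"] = hash_file(os.path.join(root, "app.conf"))
        try:
            verify_baseline(root, forged, key)
            forged_detected = False
        except ValueError:
            forged_detected = True
    return report, forged_detected


if __name__ == "__main__":
    print(demo())
```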
Let us now look at the typical process followed to ensure information security.
• Authorization Processes
3.1. Identification: Identification is the first step in the identify-authenticate-authorize sequence that is performed every day countless times by humans and computers. While particulars of identification systems differ depending on who or what is being identified, some intrinsic properties of identification apply regardless of these particulars. Just three of these properties are the:
iii. Uniqueness of IDs
Identification name spaces can be local or global in scope. To illustrate this concept, let’s refer to the familiar notation of Internet e-mail addresses. While many e-mail accounts named john may exist around the world, an e-mail address firstname.lastname@example.org unambiguously refers exactly to one such user in the company .com locality. Provided that the company in question is a small one, and that only one employee is named John, inside the company everyone may refer to that particular person by simply using his first name. That would work because they are in the same locality and only one John works there. However, if John were someone on the other side of the world or even across town, to refer to email@example.com as simply john would make no sense, because user name john is not globally unique and refers to different persons in different localities. This is one of the reasons why two user accounts should never use the same name on the same system: not only because you would not be able to enforce access controls based on non-unique and ambiguous user names, but also because you would not be able to establish accountability for user actions. What it means is that, for information security purposes, unique names are required and, depending on their scope, they must be locally unique and possibly globally unique so that access control may be enforced and accountability established.
3.2. Authentication: Authentication, which happens just after identification and before authorization, verifies the authenticity of the identity declared at the identification stage. In other words, it is at the authentication stage that you prove that you are indeed the person or the system you claim to be. The three methods of authentication are:
• What you know
• What you have
• What you are.
The aim is to obtain reasonable assurance that the identity declared at the identification stage belongs to the party in communication. It is important to note that reasonable assurance may mean different degrees of assurance, depending on the particular environment and application, and therefore may require different approaches to authentication: authentication requirements of a national security-critical system naturally differ from authentication requirements of a small company. Because different authentication methods have different costs and properties as well as different returns on investment, the choice of authentication method for a particular system or organization should be made after these factors have been carefully considered.
What You Know: Among what you know authentication methods are passwords, passphrases, secret codes, and personal identification numbers (PINs). When using what you know authentication methods, it is implied that if you know something that is supposed to be known only by X, then you must be X (although in real life that is not always the case). What you know authentication is the most commonly used authentication method thanks to its low cost and easy implementation in information systems. However, what you know authentication alone may not be considered strong authentication and is not adequate for systems requiring high security.
What You Have: Perhaps the most widely used and familiar what you have authentication methods are keys—keys we use to lock and unlock doors, cars, and drawers; just as with doors, what you have authentication in information systems implies that if you possess some kind of token, such as a smart card or a USB token, you are the individual you are claiming to be. Of course, the same risks that apply to keys also apply to smart cards and USB tokens—they may be stolen, lost, or damaged. What you have authentication methods include an additional inherent per-user cost. Compare these methods with passwords: it costs nothing to issue a new password, whereas per-user what you have authentication costs may be considerable.
What You Are: What you are authentication refers to biometric authentication methods. A biometric is a physiological or behavioral characteristic of a human being that can distinguish one person from another and that theoretically can be used for identification or verification of identity. Biometric authentication methods include
• Iris, and Retina Recognition
• Voice and Signature Recognition
Biometric authentication methods when used correctly, in addition to what you have or what you know authentication, may significantly contribute to the strength of authentication. Biometrics is a complex subject and is much more cumbersome to deploy than what you know or what you have authentication. Unlike what you know or what you have authentication methods, whether or not you know the password or have the token, biometric authentication systems say how much you are like the subject you are claiming to be; naturally this method requires much more installation-dependent tuning and configuration.
After declaring identity at the identification stage and proving it at the authentication stage, users are assigned a set of authorizations referred to as rights, privileges, or permissions that define what they can do on the system. These authorizations are most commonly defined by the system’s security policy and are set by the security or system administrator. These privileges may range from the extremes of “permit nothing” to “permit everything” and include anything in between. As you can see, the second and third stages of the identify-authenticate-authorize process depend on the first stage, and the final goal of the whole process is to enforce access control and accountability.
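The identify-authenticate-authorize sequence described above can be sketched in Python as follows. This is an added example, not part of the original module: the class, user IDs, passphrases and resource names are hypothetical, and PBKDF2 is chosen here as one reasonable way to store a "what you know" secret.

```python
import hashlib
import hmac
import os


class AccessController:
    """Identification, then authentication, then authorization, with a record of each decision."""

    def __init__(self):
        self._users = {}   # user ID -> (salt, derived password hash)
        self._grants = {}  # user ID -> set of (resource, action) pairs
        self.audit = []    # (user ID, resource, action, outcome)

    @staticmethod
    def _derive(password, salt):
        # Salted, slow hash so a stolen user table does not reveal passwords directly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password):
        # Uniqueness of IDs: a second "john" would make access control and
        # accountability ambiguous, so it is refused.
        if user_id in self._users:
            raise ValueError(f"user ID {user_id!r} already exists")
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._derive(password, salt))
        self._grants[user_id] = set()  # "permit nothing" until rights are granted

    def grant(self, user_id, resource, action):
        self._grants[user_id].add((resource, action))

    def authenticate(self, user_id, password):
        record = self._users.get(user_id)
        if record is None:
            # Do the same work for unknown IDs so timing does not reveal which IDs exist.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))

    def request(self, user_id, password, resource, action):
        if not self.authenticate(user_id, password):
            outcome = "denied:authentication"
        elif (resource, action) not in self._grants[user_id]:
            outcome = "denied:authorization"
        else:
            outcome = "permitted"
        # Every decision is recorded against the declared identity.
        self.audit.append((user_id, resource, action, outcome))
        return outcome


def demo():
    ac = AccessController()
    # Constructed credentials and resources for the demonstration.
    ac.register("john", "correct horse battery staple")
    ac.register("mary", "another constructed passphrase")
    ac.grant("john", "payroll.xlsx", "read")
    try:
        ac.register("john", "a second john")
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    outcomes = [
        ac.request("john", "correct horse battery staple", "payroll.xlsx", "read"),
        ac.request("john", "correct horse battery staple", "payroll.xlsx", "write"),
        ac.request("john", "wrong guess", "payroll.xlsx", "read"),
        ac.request("mary", "another constructed passphrase", "payroll.xlsx", "read"),
        ac.request("nobody", "anything", "payroll.xlsx", "read"),
    ]
    return duplicate_rejected, outcomes, ac.audit


if __name__ == "__main__":
    for row in demo()[2]:
        print(row)
```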
Accountability is another vital principle of information security that refers to the possibility of tracing actions and events back in time to the users, systems, or processes that performed them, to establish responsibility for actions or omissions. A system may not be considered secure if it does not provide accountability, because it would be impossible to ascertain who is responsible and what did or did not happen on the system without that safeguard. Accountability in the context of information systems is mainly provided by logs and the audit trail.
Logs: System and application logs are ordered lists of events and actions and are the primary means of establishing accountability in most systems. However, logs (as well as the audit trail, which is described next) may be considered trustworthy only if their integrity is reasonably assured. In other words, if anyone can write to and/or erase logs or the audit trail, they would not be considered dependable enough to serve as the basis for accountability. In case of networked or communication systems, logs should be correctly timestamped and time should be synchronized across the network so events that affect more than one system may be correctly correlated and attributed.
Audit Trail: Logs usually show high-level actions, such as an e-mail message delivered or a web page served, whereas audit trails usually refer to lower-level operations such as opening a file, writing to a file, or sending a packet across a network. Another aspect by which logs and audit trails differ is their source: logs are usually and mostly generated by particular system software or applications, and an audit trail is usually kept by the operating system or its auditing module.
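The two log requirements stated above, assured integrity and synchronized timestamps for cross-system correlation, can be demonstrated with a hash-chained log. This is an added example, not part of the original module; the host names, events, timestamps and key are constructed, and chaining entries with an HMAC is one technique among several for making logs tamper-evident.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain value used before the first entry


def _entry_mac(key, prev_mac, timestamp, source, event):
    """MAC over this entry's fields plus the previous entry's MAC."""
    body = json.dumps([prev_mac, timestamp, source, event]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_entry(log, key, timestamp, source, event):
    """Append an event; its MAC depends on everything logged before it."""
    prev = log[-1]["mac"] if log else GENESIS
    mac = _entry_mac(key, prev, timestamp, source, event)
    log.append({"ts": timestamp, "source": source, "event": event, "mac": mac})
    return mac


def verify_log(log, key, expected_head=None):
    """Return None if the log is intact, else the index where the chain breaks.

    expected_head is the MAC of the last entry, kept somewhere the log writer
    cannot reach; without it, deleting entries from the end goes unnoticed.
    """
    prev = GENESIS
    for index, entry in enumerate(log):
        expected = _entry_mac(key, prev, entry["ts"], entry["source"], entry["event"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return index
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)  # entries are missing from the end
    return None


def correlate(*logs):
    """Merge logs from several systems into one timeline.

    Assumes every system writes UTC ISO 8601 timestamps from a synchronized
    clock, so that string order equals time order.
    """
    return sorted((entry for log in logs for entry in log), key=lambda e: e["ts"])


def demo():
    key = b"constructed-demo-key"  # constructed value
    web, mail = [], []
    append_entry(web, key, "2024-01-01T10:00:02Z", "web01", "login alice")
    append_entry(web, key, "2024-01-01T10:00:09Z", "web01", "download report.pdf")
    head = append_entry(web, key, "2024-01-01T10:00:15Z", "web01", "logout alice")
    append_entry(mail, key, "2024-01-01T10:00:05Z", "mail01", "message delivered to alice")

    edited = [dict(e) for e in web]
    edited[1]["event"] = "download index.html"  # rewrite one event
    deleted = [dict(e) for e in web]
    del deleted[1]                              # remove an event from the middle
    truncated = [dict(e) for e in web][:2]      # cut the end off

    return {
        "intact": verify_log(web, key, head),
        "edited": verify_log(edited, key, head),
        "deleted": verify_log(deleted, key, head),
        "truncated": verify_log(truncated, key, head),
        "truncated_without_head": verify_log(truncated, key),
        "timeline": [(e["ts"], e["source"]) for e in correlate(web, mail)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```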
Privacy normally refers to the expectation and rights of individuals to privacy of their personal information and adequate, secure handling of this information by its users. Personal information here usually refers to information that directly identifies a human being, such as a name and address, although the details may differ in different countries. In many countries, privacy of personal information is protected by laws that impose requirements on organizations processing personal data and set penalties for noncompliance. The European Union (EU) in particular has strict personal data protection legislation in place, which limits how organizations may process personal information and what they can do with it. The U.S. Constitution also guarantees certain privacy rights, although the approach to privacy issues differs between the United States and Europe.
4. Threats to Information Security
A threat is an object, person, or other entity that represents a constant danger to an asset. Management must be informed of the different threats facing the organization. By examining each threat category, management effectively protects information through policy, education, training, and technology controls.
- Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
- Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism
- Password crack: attempting to reverse calculate a password
- Brute force: trying every possible combination of options of a password
- Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses
- Denial-of-Service (DoS): attacker sends large number of connection or information requests to a target
  - Target system cannot handle successfully along with other, legitimate service requests
  - May result in system crash or inability to perform ordinary functions
- Distributed Denial-of-Service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously
- Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address
- Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into network
- Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
- Mail bombing: also a DoS; attacker routes large quantities of e-mail to target
- Sniffers: program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network
- Social engineering: using social skills to convince people to reveal access credentials or other valuable information to attacker
- Buffer overflow: application error occurring when more data is sent to a buffer than can be handled
- Timing attack: relatively new; works by exploring contents of a Web browser’s cache to create malicious cookie
4.1. Information Security Policy – a mandate for the organizations. Information security is not an ‘IT problem’, it is a business issue. Obviously compliance with legal and regulatory requirements is important. It provides a very good reason for reviewing your information security practices, but it should not in itself be the sole or even the main driver. If a business wishes to survive, let alone prosper, it must grasp the importance of information security and put in place appropriate measures and processes.
An information security policy is a set of rules and practices that define how the sensitive information of a company should be managed, protected, and distributed within the organization. The different aspects of an information security policy include labeling the information, modification of the information, accountability, and information ownership.
Each organization has an organization structure, and staff members at different levels need to access different types of data. The information classification and data distribution policies are therefore important for a company, so that staff members at a lower level are not allowed to access data stored for higher level staff.
The main objectives of information security policy are:
- Integrity: The data is not tampered with or modified undetectably.
- Availability: Data is available when it is required. This means that all the systems that are involved in data security, data access or processing or data distribution function properly.
- Disclosure: Data should be disclosed only to the extent that the user needs it to perform his task.
4.2. Best Practices to Help Protect Digital Assets.
It is essential to install:
• Anti-Virus Software
• Anti-Spyware Software
• Applications Updates
• Security Bundles
• Personal Firewalls
4.3. Other simple best practices
It is very important to follow simple best practices as part of creating information security:
- When not using your PC, turn it off
- View your E-mail as text only; disable the function that automatically views E-mail as HTML
- Do not automatically open attachments
- Do not run software programs of unknown origin
- Delete chain E-mails and junk mail. Do not forward or reply to any of them
- Never reply back to an E-mail to “unsubscribe” or to remove yourself from an unknown list. This lets the spammers know that they have reached a live E-mail address and your spam mail will increase
- Back up your critical data and documents regularly – thumb drives and CDs are cheap
5. Wireless World Creating Serious Security Vulnerabilities
Wireless technologies have empowered IT users to access information anytime, anywhere. At the same time, they create serious security vulnerabilities such as:
• Unauthorized users can access the wireless signal from outside a building and connect to the network
• Attackers can capture and view transmitted data (including encrypted data)
• Employees in the office can install personal wireless equipment and defeat perimeter security measures
6. The security and privacy issues associated with social networking sites
Social networking sites have become very popular avenues for people to communicate with family, friends and colleagues from around the corner or across the globe. While there can be benefits from the collaborative, distributed approaches promoted by responsible use of social networking sites, there are information security and privacy concerns. The volume and accessibility of personal information available on social networking sites have attracted malicious people who seek to exploit this information. The same technologies that invite user participation also make the sites easier to infect with malware that can shut down an organization’s networks, or keystroke loggers that can steal credentials.
Common social networking risks such as spear phishing, social engineering, spoofing, and web application attacks attempt to steal a person’s identity. Such attacks are often successful because users assume that the environment social networks create can be trusted.
Security and privacy related to social networking sites are fundamentally behavioral issues, not technology issues. The more information a person posts, the more information becomes available for a potential compromise by those with malicious intentions. People who provide private, sensitive or confidential information about themselves or other people, whether wittingly or unwittingly, pose a higher risk to themselves and others. Information such as a person’s social security number, street address, phone number, financial information, or confidential business information should not be published online. Similarly, posting photos, videos or audio files could lead to an organization’s breach of confidentiality or an individual’s breach of privacy.
6.1. Precautions to be taken
Below are some helpful tips regarding security and privacy while using social networking sites:
- Ensure that any computer you use to connect to a social media site has proper security measures in place. Use and maintain anti-virus software and keep your application and operating system patches up-to-date.
- Use caution when clicking a link to another page or running an online application, even if it is from someone you know. Many applications embedded within social networking sites require you to share your information when you use them. Attackers use these sites to distribute their malware.
- Use strong and unique passwords. Using the same password on all accounts increases the vulnerability of these accounts if one becomes compromised.
- If screen names are allowed, do not choose one that gives away too much personal information.
- Be careful who you add as a “friend,” or what groups or pages you join. The more “friends” you have or groups/pages you join, the more people who have access to your information.
- Do not assume privacy on a social networking site. For both business and personal use, confidential information should not be shared. You should only post information you are comfortable disclosing to a complete stranger.
- Use discretion before posting information or commenting about anything. Once information is posted online, it can potentially be viewed by anyone and may not be retracted afterwards. Keep in mind that content or communications on government-related social networking pages may be considered public records.
- Configure privacy settings to allow only those people you trust to have access to the information you post. Also, restrict the ability for others to post information to your page. The default settings for some sites may allow anyone to see your information or post information to your page; these settings should be changed.
Modern society is completely dependent on information and information technology. The Internet is part and parcel of both professional and personal life. Anywhere, anytime access, with the advent of wireless technology, is really a boon. A variety of security threats may convert the boon to a bane. It is extremely important to protect information through a variety of solutions: the right blend of technologies, policies, education and culture.
- McClure, S., J. Scambray, et al. (2005). Hacking Exposed: Network Security Secrets & Solutions. Emeryville, Calif., McGraw-Hill/Osborne.
- Wikipedia: http://en.wikipedia.org/wiki/information_security
- Issue Update on Information Security and Privacy in Network Environments, September 1995, OTA-BP-ITC-147, GPO stock #052-003-01416-5
- Computer Networking, 6e, James F. Kurose, Keith W. Ross, Pearson Publication
- Tutorial: http://learnthat.com/2010/11/introduction-to-network-security/
- Information Security Forum, web: www.securityforum.org
- Information Security Policies and Controls for a Trusted Environment, by S. Srinivasan, Information Systems Control Journal, vol. 2, 2008
- Cyber Security Tips, newsletter March 2010, volume 5, issue 3, from the desk of William F. Pelgrin, Chair
- Internet and Network Security Fundamentals, presentation by Champika Wijayatunga, Training Manager, APNIC