
Security Essay, Research Paper

Overview

Security is the discipline of using effective protection measures to safeguard important assets from abuse. In other words, "security" is about protecting important things. Protection involves not just mechanisms (such as locks and doors), but also proper selection and use of mechanisms.

Properly applied, the various disciplines of information security really come down to risk management that is not fundamentally different from risk management in other situations such as finance and insurance.

In learning how to think constructively about managing risks, often the following common sense vocabulary is used:

Asset: something important that needs protection

Value: how important the asset is

Threat: a potential kind of abuse

Risk: likelihood of threat leading to actual abuse

Cost (1): reduction in value of abused asset

Cost (2): amount of resources required to use security measures to protect an asset

Benefit: the value of a security measure

It would be great if these terms - asset, value, threat, risk, cost, benefit - could be used scientifically, but when it comes to information systems, most of them are pretty squishy. Nevertheless, even a "best guess" is remarkably useful. If guesses about relative value and likelihood are consistently applied, then it is usually possible to decide on the priority of potential improvements in information security.

Cost becomes a matter of budget. Most people with authority over funds for security can, if properly informed, make good decisions about how to allocate the budget. In many instances, it is possible to analyze whether the incremental value of a high budget would be significant.

Understanding of information security technology is necessary to make informed judgements like these. Fortunately, the essential technological aspects are not rocket science.

Security Risks

There are several types of security issues: data security, computer security, system security, communication security, and network security. The term "information security" is often used to encompass all of them and to distinguish them from closely related and important issues - such as physical security, operational security, and personnel security - that do not rely primarily on computing technology.

Threats and Vulnerabilities

Computing is as risky as any other aspect of modern life, and in some sense more so because of the complexity of computing systems. Vulnerabilities exist at all levels: network, operating system, middleware and application because all software has bugs, administration is error-prone and users are unreliable.

It is virtually impossible to develop any significant system without some errors in it. We know how to build bridges so the imperfections are tolerable. That is, we can build bridges that do not crash (if proper engineering methodology is followed), but we cannot build systems and applications that do not crash.

In computing systems, flaws are often bugs - repeatable situations in which the system behaves in an unintended manner. Each bug can also be a security vulnerability, if the bug can be used in a way that allows a failure of security: either authorized users exceeding their privileges, or unauthorized users gaining access to systems. Furthermore, the complexities of modern computing systems make them difficult to manage.

Configuration and administrative errors also create security vulnerabilities. It can be difficult to determine whether the system is "properly" configured. For example, to "harden" Windows NT for usage on the Internet, Microsoft recommends over a hundred specific configuration changes that effectively turn off many features that led people to want to use NT. Security experts have further recommendations beyond those described by Microsoft.

Computing, like life, has many threats. But what are the risks? Given the wide range of threats, the sheer number of vulnerabilities, and the ever-increasing number of attackers, the risk is nearly 100 per cent that some incident will occur if information security is not addressed in a systematic manner.

Attacks

There are many different avenues of attack. Inadequate data security can provide unauthorized users access to sensitive information. Inadequate computer security can result from the use of weak passwords and allow abuse of user accounts. Applications filled with "bugs" can allow unauthorized transactions. Inadequate system security can result from a mis-configured operating system and allow unintended network access. Eavesdropping and password reuse are examples of inadequate communication security which can result in impersonation of individuals. Inadequate network security can lead to unintended Internet access to private systems.

There are many examples of inadequate security. Who is hurt by these attacks? Internet access in this scenario affects the on-line consumer greatly, sometimes in a negative way. Companies store information about their customers on corporate servers and networks. Sensitive information such as credit card and social security numbers and other personal details are stored in file servers. Any individual with knowledge of networking protocols can capture data flowing over the Internet via unsecured methods.

IT organizations' lack of knowledge has jeopardized the information that corporations are responsible for. The convenience of the Internet and client server systems contributes to this problem. If important and sensitive data is permitted to travel unprotected between computers, it is subject to theft and alteration. Sophisticated individuals (or corporations) can capture the data for illegal or malicious reasons.

Security for Internet-connected systems was not designed for dedicated attackers. Most Internet-connected systems were variants of an operating system called Unix, and many variants were designed and implemented in, and for, an academic environment. The early cases of attacks were oriented towards gaining privilege that could be abused: spying on sensitive information, maliciously disclosing or destroying information etc.

As time has gone by, people have become more adept at automating attacks. The results of such automation are programs that do more damage than many of the perpetrators could do on their own: viruses, Trojan horses, etc. However, the basic vulnerabilities are often the same, while the change is the result of human ingenuity applied to exploiting the vulnerabilities.

Companies and people who are Internet-connected are not immune to the attacks and risks, some of which are described below.

Buffer Overflow

"Finger" is a trivial Unix networking program that conveys information about the status of a user account (e.g. when the user last logged in). The finger "daemon" (or server program) would listen for requests over the network from anywhere. This program, "fingerd", was executed with "root" privilege, for reasons mostly derived from the "kitchen sink" integration of networking with the operating system (OS).

The software has a common bug: unexpectedly long messages could overfill the message buffers in the code and cause execution errors. In particular, the error in the execution allowed a careful attacker to cause "fingerd" to execute any command with full administrative privilege. This bug and similar ones are still useful today for attacking network applications of all kinds. Buffer overflow attacks are still very common, and the wide range of potentially vulnerable server software gets wider all the time.
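The class of bug described above, as an added example (this is not fingerd's source and not part of the original essay): an unbounded copy of a network request into a fixed-size buffer, beside a bounded handler that rejects over-long input. The buffer size, function names and sample requests are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 64   /* assumed buffer size, chosen for this illustration */

/* Flawed pattern: trusts the sender to keep the request short. A request
 * of REQ_MAX bytes or more is written past the end of buf. Shown for
 * contrast only; main() never calls it. */
void handle_request_unsafe(const char *wire)
{
    char buf[REQ_MAX];
    strcpy(buf, wire);                 /* no length check: the bug */
    printf("lookup: %s\n", buf);
}

/* Bounded pattern: measure the request first and refuse what does not fit.
 * Returns 0 and fills out on success, -1 if over-long or not printable. */
int handle_request_safe(const char *wire, size_t wire_len,
                        char *out, size_t out_len)
{
    size_t n = 0;

    /* A request is one line; find its end without reading past wire_len. */
    while (n < wire_len && wire[n] != '\r' && wire[n] != '\n')
        n++;
    if (n >= out_len)
        return -1;                     /* over-long: reject, never truncate */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)wire[i];
        if (c < 0x20 || c > 0x7e)
            return -1;                 /* user names are printable ASCII */
    }
    memcpy(out, wire, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char out[REQ_MAX];
    char big[512];                     /* constructed over-long request */
    const char *ok = "alice\r\n";      /* constructed sample request */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short: %d\n", handle_request_safe(ok, strlen(ok), out, sizeof out));
    printf("long:  %d\n", handle_request_safe(big, strlen(big), out, sizeof out));
    return 0;
}
```

Rejecting the over-long request outright, instead of silently truncating it, also leaves a clear event to log when a peer sends input the protocol never needs.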

Sendmail

Sendmail is an example of a program that is too valuable to turn off, and is too dangerous to expose to the Internet. The Morris worm was a particularly interesting case - aside from the fact that it crashed pretty much the entire Internet by accident - because it used not a bug, but a feature of sendmail.

The "debug mode" feature allowed anybody who asked to get the ability to do pretty much anything on the host machine. This ability was a necessary side effect of having the capability to play with the sendmail program during execution in order to find out why some of sendmail's notoriously complex behavior was misbehaving. The necessity of this side effect was, again, related to the need for the sendmail server program to run with administrative privilege. While no longer viewed as a good idea, few had disabled it, and many were hit by the Morris worm. The "worm" used the debug mode to copy itself to another computer, and to copy itself repeatedly, until it infested a great number of computers on the Internet.

The Morris worm turned out to be a blessing in disguise. It caused people to close off a very dangerous vulnerability, before someone trying to cause very serious and unrecoverable damage exploited it.

Applications

Enterprise client/server applications have application protocols, and many operate beyond the boundaries of a traditional enterprise network (extranet features and Internet usage). Leaving aside a large number of potential security problems (from lowly password management on up), the protocol implementations have "bugs" that can leave applications vulnerable.

To see how important applications are on the Internet (and vice versa), one only has to listen to Microsoft's anti-anti-trust mantra: "the OS isn't the platform, the Internet is the platform" and to watch the scramble to embed applications into the OS - creating more unnecessary complexity to create vulnerabilities.

Application security consists of the features of an application that authenticate users, control their access, and audit (log) their actions. Each factor exists, works well, and has challenges. For authentication, the typical problem is too many user/password databases to manage and too many users with multiple passwords. For access control, there are simply too many things to be controlled with an access rule (or list, ACL) for each.

For audit, too many applications produce different kinds of log data that is practically impossible to analyze and correlate. In other words, the main challenges are in security management where complexity creates significant practical challenges that generate a different kind of risk: misconfigured applications can create security vulnerabilities.

Most recently, news media picked up on a string of stories about theft of credit card numbers from e-commerce sites. In many cases, the vulnerability is from mis-management of the SQL server storing the payments database: the administrator account is left unsecured.

Trojan Horses

Trojan horse is a term used to describe a malicious program that users are tricked into executing. The term comes from Homer's Iliad where the Achaeans tricked the Trojans into bringing inside their walls a large wooden horse in which Achaean warriors were concealed.

Probably the most common Trojan technique is sending an email attachment that is an executable file, which installs and/or executes some malicious software. Although many mail programs try to help people be careful about opening the "e-mail bombs," it still happens. Recent reports indicate that in some unlucky enterprises, as much as a quarter of workstations have been "trojaned" with a program called netbus.

Hackers are present on the net. For example, a user who was logged onto the Internet visited some IRC chat rooms frequented by hackers, and noted that his workstation was probed for the presence of netbus as soon as he entered the chat room. There are bad neighborhoods in the 'net as in the real world!

Perhaps better known than netbus is back-orifice (the recent release is often referred to as BO2K) by the Cult of the Dead Cow. Like netbus, BO2K allows the host system to be remotely controlled over the network. Any informed person can get a trojaned workstation to do anything it is asked to do. BO2K achieved some notoriety when the Cult of the Dead Cow presented BO2K as a remote management and debugging tool. In fact, BO2K is reputedly pretty useful, and it is not fundamentally different in techniques than "legitimate" products like PC Anywhere.

Perhaps the most ingenious Trojan horse was a free-ware e-mail tool that really was a fully functional and quite popular program that thousands of people used daily. In addition to some very carefully thought out and well-implemented features, it also had some hidden features that allowed one's e-mail to be obtained by others without one's knowledge.

The main lesson from Trojan horses is simply that software should be untrusted by default and used only if obtained through legitimate channels. In corporate environments, this is more often addressed by security policies in which installation of programs is a privilege reserved for systems support staff, and supported by security mechanisms designed to help keep users out of situations in which they might forget their security awareness training and accidentally install software on their own.

Viruses

A virus is a type of malicious software that takes advantage of a fundamental weakness of pre-NT Windows systems: there was no operating system. That is, application programs have free rein of the system and are on the honor system not to do things like mess around with the file system, the operating system software, etc.

A virus does just that. When a virus-laden program is executed, it copies itself around the system so that even if the original program is deleted, the virus is still around. Further, it can copy itself so that any time the infected PC interacts with the outside world (e.g. copying files via floppy) it goes along for the ride.

Originally, viruses operated only on programs and propagated by sharing software. Before long, virus writers expanded their bag of tricks as parts of an arms race in the anti-virus battle. Several clever and subtle types of self-copying software techniques were invented, as well as a never-ending series of schemes to hide the code. Virus writers' jobs were made much easier when data files started to actually contain a form of executable code called macros. Then virus propagation required only file sharing of the sort that happens all the time in work groups.

And of course, besides propagating themselves, viruses sometimes did malicious things like delete data.

Solutions

Security Measures

The measures span all the areas of information security. At the network level, networks must be segmented from other networks. A most notable example is segmenting an enterprise network from the Internet using router filtering or firewalls. Communication of sensitive information over open networks (such as the Internet) often requires communication security services that are based on encryption techniques. For systems that communicate over open networks, rigorous system security is necessary to avoid vulnerabilities to network-based attacks. Both operating system and application security features must be properly configured to protect critical data, and these features must be used properly by end-users, including password management, virus checking, etc.

Data security measures include the encryption of data and key management. Computer security requires security measures that consist of authentication and access control lists. Application security measures include distributed authentication, directories and authorizations. System security measures include application specific lockdown of dedicated servers, anti-virus protection, and intrusion detection. Communication security measures should include cryptographic protocols, key management and the usage of a public key infrastructure. Network security measures consist of network segmentation, firewalls, packet filters and intrusion detection.

Each of these kinds of measures has its limits as well. In addition to examining security techniques (and how to use them as effective security measures), attention must be paid to their limits. In doing so, security measures can be used effectively in a way that makes sense in terms of budget and of risk management.

Security Policy

A security program is a business function that balances technology management, risk management, technology operation, and budget. In the real world, an organization has a finite budget to spend on security, and an obligation to spend that budget (both on continuing operations and on new acquisitions) in a way that is cost-effective. The best metric of effectiveness is risk reduction.

Running a strong security program is not easy because it depends on well-articulated security requirements and goals, a reasonable approach to analyzing risk, and hard-nosed analysis of cost and benefit. It also requires top-level management support to provide both budget and incentive for compliance from the full range of people: from end-users to technology management and support staff.

Running a strong security program is also hard because it is a social process. It depends on the people. And people ...

• formulate requirements

• weigh requirements and formulate policy

• plan and execute implementation

• often disagree on details of exactly what to do

• will eventually make mistakes

And even the best-laid plans often go astray. Human nature always intrudes. There are no technological magic fixes and wizards to perform them accurately; the real world is full of compromises.

In dealing with these realities, many organizations can afford to seat-of-pants it, instead of taking a structured approach.