Network Security Overview: Secure computing and communications using a Layered Defense Strategy. An IT Engineering Resource, Version 1.2
May 19, 2015

Donald Jennings

IT Network Security Engineering Resource
Page 1: Jennings it security overview 1 2

Network Security Overview

Secure computing and communications using a Layered Defense Strategy

An IT Engineering Resource

Version 1.2

D. E Jennings

April 2012


CONTENTS:
1. INTRODUCTION: 3
2. HOW WE GOT TO THIS POINT: 3
3. PROTECTING THE COMPANY FROM CYBER CRIME: 4
4. SECURITY PLANS AND POLICIES: 5
5. SECURITY OPERATIONS: 6
6. RISK MANAGEMENT: 9
7. CATEGORIES OF RISK: 10
8. PERSONNEL SECURITY: 15
9. BUILDING SECURITY: 16
10. ACCESS CONTROL: 17
11. TELECOMMUNICATIONS: 20
12. NETWORK SECURITY: 21
13. ARCHITECTURE: 25
14. INTRUSION DETECTION SYSTEM (IDS): 27
15. ELECTRONIC MAIL SECURITY: 29
16. DISASTER RECOVERY: 31

© Copyright: April 2012, D. E. Jennings Page 2 of 42


APPENDIX I: Security Policy 35
APPENDIX II: Vulnerability Assessment 37
APPENDIX III: Roles Matrix & Organization Chart 38
APPENDIX IV: Typical Network Design 39


1. Introduction:

This document presents a discussion of the concepts, plans and processes used to protect the assets and maintain business continuity for a typical small to medium sized company. Although most of the measures discussed here are also applicable to large and extremely large companies, these organizations usually have international locations and require additional measures not discussed in this document.

The approach taken here differs from the traditional approach and, to understand why, it is useful to look very briefly at the history of Corporate Security. Before computer networks, security was a matter of physical lockdown. It was handled by the same people who managed the other physical requirements of the company. Because the primary threat has changed, we believe that Security should now be managed by the Information Technology-Security department. In many companies today there are two departments: Physical Security, where security guards man the doors, and the IT Security department, where computer technicians keep the network safe. When there is a split responsibility there is room for a gap. With two departments managing different access lists and different access procedures, there is the possibility of too much or too little security. Most companies are suffering from this problem. The approach suggested in this paper is to administer a unified policy for all security under one department, i.e. the IT Security department, which would therefore include physical security in its mandate. At the center of security is an automated Identity Management System.

2. How we got to this point:

When corporate computer networks came into existence, security did not seem to be an issue. They were very big and very expensive, run only by large institutions or the largest corporations. In the 1980’s, using a “dumb terminal” over dial-up phone lines from home, an employee could access the corporate computing center across the country. It was possible to input data that would be run as a “batch” file overnight and printed at the office in the morning - no passwords involved. The probability of anyone getting in and doing damage was extremely small, and they really couldn’t do any damage. Computers were managed by a small group of very highly trained professionals, and the knowledge of what they were doing was not known to the general public. Then Atari and others invented computer game machines. Around that time the personal computer was invented, and then came dial-up bulletin boards. Security was not built into programs and hacking them was easy. Lots of cracked [1] commercial software (mostly games) appeared on bulletin boards. This went on for many years, with cracked software and games passing from one dial-up bulletin board to another. The international community “got it” and computer users all over the world paid literally “$0.0” for quality software and games (and continue to do so). Then the “internet” arrived. The number of “hackers” multiplied… the amount of commercial products (software, games, audio files, video, etc.) being “cracked” is still increasing. Hacking into high profile institutions was and is considered a “badge” of honor and garners great admiration from fellow hackers. The monetary gain incentive is at least as enticing as the “just see if you can do it” incentive. [2] A report from the anti-virus company Norton said most of us are not secure and the cost of all this in the US alone is over $139 billion a year. [3] So in spite of this background, companies have embraced the use of the internet to conduct business in a big way. The same highway, known well and used by hackers to infiltrate, is used by companies to conduct billions of dollars worth of business daily. Although the benefits outweigh the risks, the risks are still there and must be … mitigated. Although the threats from outside are enormous, the fact of life is that the greatest threat for small businesses is from their own employees. [4]

3. Protecting the company from Cyber Crime:

As we see in the preceding, the type and severity of cyber crime is still evolving. Protecting the company is always a challenge, and IT security departments must keep pace with the changing threats.

The size of the company, the location and nature of the facilities, the number of locations and the Information Technology (IT) requirements of each affect the level and type of security required. For example, a company that utilizes a mobile sales force will need encrypted laptops and robust secure communications channels to enable sales teams to keep in touch with the office. Also, a company with two geographically separated locations can use the other location as a data backup facility for disaster recovery.

A centralized security policy and access control model is one where all company locations are governed by the same security policy. A decentralized model allows each domain (or location) to control its own security. This may be advisable when there is a wide difference in requirements from one location or domain to another; for example, one location must meet Top Secret security requirements and others may not. For most small to medium companies a centralized policy is more efficient to administer and maintain.

This document is not the Security Policy, the Operational Security Plan, or the Business Continuity Plan, but an overview of what goes into these and other documents.

4. Security Plans and Policies:

1. This document: A description of Security Plans and Operations.

2. Security Policy: Senior management’s directives to create an information security program to protect the corporation’s assets, establish security related goals and security measures, and target and assign responsibilities. [5] The Security Policy contains sections on: Purpose, Scope, Responsibilities and Compliance. It is a high-level statement of management’s intentions about how security should be practiced within the organization. It identifies what actions are acceptable and what level of risk the company is willing to accept. It is reviewed by the Security department and Corporate Management for updating every year and approved by Corporate Management.

3. Operational Security Plan. [6] This document is the detailed plan that contains instructions for putting the policy into action. It is basically a “manual” on how to get it done. It contains a breakdown of each security measure implemented. Audience: Program Management, IT Management, Program Operations Staff, IT Staff, Auditors. Reviewed by the Security department for updating every 6 months. The Operational Security Plan is developed and revised by the Security department and approved by Corporate Management.

4. Business Continuity Plan (BCP). This is a plan to preserve the business activities when faced with disruptions or disasters. The plan includes the identification of real risks, risk assessment, and countermeasure implementation plans. Although many organizations use the phrases Business Continuity Planning and Disaster Recovery Planning interchangeably, they are two distinct disciplines. Though both plans are essential to the effective management of disasters and other disruptive events, their goals are different. The goal of a BCP is to ensure that the business will continue to operate before, throughout, and after a disaster event is experienced. The focus of a BCP is on the business as a whole, and on ensuring that the critical services that the business provides or the critical functions that the business regularly performs can still be carried out both in the wake of a disruption and after it. In order to ensure that the critical business functions are still operable, the plan takes into account the common threats to those critical functions as well as any associated vulnerabilities that might make a disruption more likely.

5. Disaster Recovery Planning (DRP) is considered tactical rather than strategic and provides a means for immediate response to disasters. The DRP can be, but need not be, part of the BCP. The DRP is developed by the Security Department, reviewed yearly with representatives of each department and approved by Corporate Management. The DRP is exercised once a year (a simulated disaster is staged and the response team must respond according to the plan, enabling continuity of operations). For example, the plan to locate two manufacturing facilities in different geographic areas in case one is disabled by a disaster is BCP, and the plan to allow workers to “work from home” via a secure Virtual Private Network (VPN) using virtual facilities on secure databases is DRP. The DRP should be exercised at least yearly. The exercise (a simulated disaster event) is planned on a weekend or a time when normal business is low, i.e. over Christmas, Super Bowl weekend, etc. For the exercise the normal facilities are disabled and the “backup” plan to operate, possibly on a limited basis, goes into effect.

5. Security Operations:

The role of Security Operations is to:

1) Protect the assets, both physical and information, of the organization.
2) Protect the employees from harm both inside the building and on the premises.
3) Enable company operations after a loss of functionality.
4) Accomplish this in a cost effective way that does not unduly hinder operations.

These goals are accomplished through the implementation of a “Defense in Depth” layered plan of physical, administrative, managerial, technical and operational controls. [7] The methods of layering defensive technologies included in Defense in Depth (DiD) are physical, logical and virtual security solutions. The information assets are secured to reduce the risk of loss of confidentiality, integrity or availability.

Confidentiality provides a degree of assurance that data has not been made available or disclosed to unauthorized individuals, processes, or other entities. In essence, it assures that data can only be read or understood between trusted parties. Confidentiality can be breached or bypassed by someone shoulder surfing, sniffing or network monitoring, stealing passwords, or social engineering (an attacker posing as a trusted individual). In the network, confidentiality is accomplished through encryption.

Threats to confidentiality include:

Hackers/crackers

Masqueraders/spoofing

Unauthorized user activity

Unprotected downloaded files

Network sniffing

Trojan horses

Social engineering

Integrity includes the issue of protecting against unauthorized modification or destruction of information. It includes the assurance that data leaving point A and arriving at point B arrives without modification, and assures that point A and point B are who they claim to be.

The three basic principles used to establish integrity in the enterprise:

Need-to-Know Access - Users should be granted access only to those files and programs they absolutely need to fulfill their duties. (Role based security)

Separation of Duties - No single person has control of a critical transaction from beginning to end. Two or more people should be responsible for an entire critical transaction.

Rotation of Duties - Job responsibilities should be periodically changed so that users will find it more difficult to collaborate to exercise complete control of a transaction or subvert one for fraudulent purposes. This also has many other beneficial effects, including redundancy and continuity of operations in the event of loss of key personnel.

Availability is the attribute that ensures reliable and timely access to resources for authorized individuals. This means the corporation expects the following of its IT resources:

Perform or function properly.

The IT resource or Network is available / accessible.

The IT resource or Network is available when it is needed.

Availability can be compromised by Denial-of-Service (DoS) attacks. These are actions by users or attackers that tie up computing resources in such a way that renders the system unusable. Availability is lost when natural disasters (fire, flood, earthquake) or human action (bombs, strikes, malicious code) create loss of IT or Network capabilities.

Availability is also lost due to normal equipment failure. The IT security department works with the IT Architect to ensure a high availability design of the network. In some cases the IT Architecture function is within the Security Department, as security and availability are paramount in the network design.

The security department utilizes the Protect, Detect and React paradigm. In order to accomplish this, the department incorporates protection mechanisms and utilizes detection tools, procedures and logs that allow the discovery of, and the ability to react to and recover from, attacks or disasters. The security department’s focus is on People, Technology and Operations.

The company Security Policy (see overview - Appendix I) is the foundation of the security operations of the company. The Security Policy, Operational Security Plan and Disaster Recovery Plan are evaluated and updated if required on an annual basis. The updates are based on data provided by the network information controls, re-evaluation of risks and stakeholder input as to usability and effectiveness.

The Operational Security Plan includes the detailed processes for physical security, access control, telecommunications and network security, and operations security.

6. Risk Management:

In order to determine what level of security an asset requires, we first identify and rank the assets to be protected, and then determine what level of protection is required. This is accomplished by a risk analysis, a risk assessment and a business impact analysis. These are completed by the security team together with the business unit management that has custody of the asset, under the oversight of corporate management. Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. It’s interesting that the Federal Government has revised its Risk Analysis approach to more closely follow industry standards. [8]

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

A Risk Analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats.

A Risk Assessment involves evaluating existing physical and environmental security and controls, and assessing their adequacy relative to the potential threats to the organization. See the example table in Appendix II.

A Business Impact Analysis involves identifying the critical business functions within the organization and determining the impact of not performing the business function beyond the maximum acceptable outage. Types of criteria that can be used to evaluate the impact include: customer service, internal operations, legal/statutory and financial.

The Risk Analysis is the first step in the risk management methodology: [9]

1. Identify and prioritize assets;
2. Identify vulnerabilities;
3. Identify threats and their probabilities;
4. Identify countermeasures;
5. Develop a cost benefit analysis;
6. Develop security policies and procedures.

A risk analysis is completed for each corporate asset using the formula: Risk = Threat * Vulnerability.

Vulnerability assessment has many things in common with risk assessment. Assessments are typically performed according to the following steps:

1. Cataloging assets and capabilities (resources) in a system.
2. Assigning quantifiable value (or at least rank order) and importance to those resources.
3. Identifying the vulnerabilities or potential threats to each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.

7. Categories of Risk:

1. Damage - Results in physical loss of an asset or the inability to access the asset, as in the case of a cut in a network cable.
2. Disclosure - Disclosing critical information, regardless of where or how it was disclosed.
3. Losses - Can be permanent or temporary, including the altering of data or the inability to access data.
4. Physical damage - Can result from natural disasters or other factors, as in the case of a power loss or vandalism.
5. Malfunctions - The failure of systems, networks, or peripherals.
6. Attacks - Purposeful acts, whether from the inside or outside. Misuse of data, as in unauthorized disclosure, is an attack on that information asset.
7. Human errors - Usually considered accidental incidents, as compared to attacks, which are purposeful incidents.
8. Application errors - Failures of the application, including the operating system. Application errors are usually accidental errors, while exploits of buffer overflows or viruses are considered attacks.

A Risk Assessment chart is used to rank the effect of threats and vulnerabilities that are determined to be risks. Cost benefit analysis is used to determine when a risk is worthy of mitigation. An earthquake, although very unlikely, would have a catastrophic effect. Therefore a plan for continuing operations in the event of an earthquake is advisable; however, the cost of maintaining completely redundant facilities may not be warranted unless the business is located in a heavy earthquake zone.

The tables in the following pages are intended to show examples of how the risk analysis and mitigation are documented. There is no one “correct” table. The analysis should drill down to the level of detail that you will be able to manage. The team that conducts and reviews the assets and risks will include the department managers that have ownership of the assets. For personnel, we suggest that a professional from the Human Resources (HR) department take the lead in the personnel risk analysis by role.

The table below is an example of a Risk Assessment Chart for loss of personnel, in this case the Chief Information Officer.

Risk: Loss of personnel: Chief Information Officer

Consequence | A. Very Likely | B. Somewhat Likely | C. Unlikely | Mitigation
--- | --- | --- | --- | ---
Catastrophic | The market is in short supply; many recruiters are contacting our CIO with offers. | | Although the CIO is being recruited, he/she is content and does not seem to want to leave. | Two or more trained in this position within the company at all times to mitigate the risk of loss, since it is a critical position and difficult to replace. Retention policy (bonus, vacation, etc.).
Very Disruptive | | | |
Inconvenient | | | |

Note: The difference between “Very Likely” and “Unlikely” above is that Corporate management is aware of the first scenario and makes an effort to retain the CIO, making the likelihood of his/her leaving “unlikely”. Nevertheless, in either case the result would be “catastrophic”, so planning for his/her leaving is done by identifying a “backup” person and making sure that person is able to assume the duties by using the policy of “rotation of duties”. [10] In this economy there is less likelihood of people changing jobs; however, key positions should be looked at in terms of duplication of capability and personnel retention. This is not necessarily a function of the security department; however, when risks such as these are identified they should be brought up to corporate management for inclusion in the overall company risk management process.

Example of a Risk Assessment Chart for less critical roles.

Risk: Loss of personnel: Assistant Staff

Consequence | A. Very Likely | B. Somewhat Likely | C. Unlikely | Mitigation
--- | --- | --- | --- | ---
Catastrophic | | | |
Very Disruptive | | | |
Inconvenient | Personnel for this position are available in the marketplace. | | | This position, although very useful and important to the company, is not considered a high risk. Except for normal role documentation and training materials, other mitigation is not necessary.

For less critical roles, turnover is always inconvenient and may be very disruptive even though the positions are quickly refilled. Therefore each role / position is looked at in detail and effort is made to ensure continuity of operations and minimize the effects of loss of personnel.

Risk Assessment Chart for Information Technology / Computing and Network hardware.

Hardware failure (general) | Likelihood / Consequence (Very Likely, Somewhat Likely, Unlikely; each rated (1) (2) (3)) | Mitigation
--- | --- | ---
Router - Core | X | We can reduce the consequence to inconvenient by deploying redundant routers or diverse paths. The failure rate is a function of the equipment design and environment.
Router - Distribution | X | As this router controls less critical branches of the network, we might economize and only utilize diverse routing to ensure high availability.
Switch (non redundant) | X | Diverse paths may be able to move the consequence to “inconvenient”.
Server (non redundant) | X | Servers are usually deployed in redundant modes, as the cost of servers has dropped in relation to their critical use in the network.

Consequence: 1) Catastrophic, 2) Very Disruptive, 3) Inconvenient. (Each X marks the item’s rating cell in the original chart; the column it occupied did not survive in this transcript.)

Hardware fails depending on the age, vendor, maintenance, environment (heat / cold), etc. Constant temperature is usually preferred, as heating and cooling expand and contract metal and substrates that have different expansion coefficients and can separate and crack. The life of equipment is variable. Redundancy for key equipment is almost always cost effective. A much more detailed / extensive analysis should be completed for an actual risk analysis.

The consequence can be rated as: 1 = Catastrophic, major damage to the equipment and/or facilities, interruption in operations for more than 48 hours; 2 = Very Disruptive, interruption in operations for up to 8 hours; 3 = Inconvenient, little impact or interruption in operations.
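As an added worked example (not part of the Jennings document), the following Python carries the section 6 risk analysis steps and the cost/benefit reasoning above through in code: assets are catalogued and rank-ordered, each threat gets a likelihood and a consequence on the 1/2/3 scale just defined, the document's formula Risk = Threat * Vulnerability ranks the items, and an annualized cost/benefit check decides whether a countermeasure is worth its cost (reproducing the earthquake case, where a plan is advisable but a fully redundant facility is not). The numeric likelihood scores, the annual-rate mapping and every entry in the sample register are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Ordinal scales. The consequence scale is the document's: 1 = Catastrophic
# (interruption over 48 hours), 2 = Very Disruptive (up to 8 hours),
# 3 = Inconvenient. The likelihood scores and the annual-rate mapping below
# are assumptions of this example, not values from the document.
LIKELIHOOD_SCORE = {"Very Likely": 3, "Somewhat Likely": 2, "Unlikely": 1}
ANNUAL_RATE = {"Very Likely": 1.0, "Somewhat Likely": 0.3, "Unlikely": 0.05}
CONSEQUENCE_NAME = {1: "Catastrophic", 2: "Very Disruptive", 3: "Inconvenient"}


@dataclass(frozen=True)
class RiskItem:
    asset: str              # step 1: the asset being protected
    asset_value: int        # step 1: rank-order importance, 1 (low) .. 5 (critical)
    vulnerability: int      # step 2: how exposed the asset is, 1 (low) .. 3 (high)
    threat: str             # step 3: the threat source
    likelihood: str         # step 3: Very Likely / Somewhat Likely / Unlikely
    consequence: int        # 1..3 on the document's scale (lower is worse)
    loss_per_event: float   # step 5: what one occurrence costs, in currency units
    countermeasure: str     # step 4
    mitigation_cost: float  # step 5: yearly cost of the countermeasure


def threat_score(item):
    """Threat on a 1..9 scale: likelihood weighted by severity.
    (4 - consequence) flips the document's scale so 3 = catastrophic, 1 = inconvenient."""
    return LIKELIHOOD_SCORE[item.likelihood] * (4 - item.consequence)


def risk_score(item):
    """The document's formula, Risk = Threat * Vulnerability (range 1..27)."""
    return threat_score(item) * item.vulnerability


def annualized_loss(item):
    """Expected yearly loss: assumed annual rate of occurrence times loss per event."""
    return ANNUAL_RATE[item.likelihood] * item.loss_per_event


def worth_mitigating(item):
    """Step 5, cost/benefit: mitigate when the countermeasure costs less per year
    than the loss it is expected to prevent."""
    return item.mitigation_cost < annualized_loss(item)


def prioritize(register):
    """Highest risk first; asset value breaks ties."""
    return sorted(register, key=lambda r: (risk_score(r), r.asset_value), reverse=True)


def build_register():
    """Constructed sample entries modelled on the document's charts; the numbers are invented."""
    return [
        RiskItem("Router - Core", 5, 2, "Hardware failure", "Somewhat Likely", 1,
                 100_000, "Redundant routers / diverse paths", 15_000),
        RiskItem("Chief Information Officer", 5, 2, "Loss of personnel", "Unlikely", 1,
                 400_000, "Trained backup (rotation of duties); retention policy", 15_000),
        RiskItem("Assistant staff", 2, 1, "Loss of personnel", "Very Likely", 3,
                 5_000, "Role documentation and training materials", 1_000),
        RiskItem("Main facility", 5, 2, "Earthquake", "Unlikely", 1,
                 5_000_000, "Fully redundant facility", 2_000_000),
    ]


def report(register):
    """One line per item, ranked, with the cost/benefit verdict."""
    lines = []
    for item in prioritize(register):
        verdict = "mitigate" if worth_mitigating(item) else "accept (plan only)"
        lines.append(f"risk={risk_score(item):2d}  {item.asset:26s} {item.threat:18s} "
                     f"{CONSEQUENCE_NAME[item.consequence]:15s} {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_register())))
```

Run as a script it prints the ranked register; the earthquake row comes out as a catastrophic but accepted risk because the expected yearly loss (0.05 x 5,000,000) is far below the cost of a fully redundant facility, which is exactly the judgement the text makes in prose.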

The table below lists common cyber attacks and mitigation strategies. This table is pretty much at the top of the list for evaluation and re-evaluation by the IT Security Department. This is what they deal with on a day to day basis. New attacks are coming out daily. Operating system patches are automatically reviewed daily and updates made as required. Software version numbers are important and tracked by date. All software used by the company must be maintained and kept up to date with the latest release. There is a function in the IT Security department devoted to this process.

Common Network Cyber Attacks

Attack | Likelihood / Consequence (Very Likely, Somewhat Likely, Unlikely; each rated (1) (2) (3)) | Mitigation
--- | --- | ---
Denial of service | X | Malformed bits / false IP addresses can be mitigated by keeping the OS up to date and logging frequent connection attempts against one service.
SYN Flood | X | An overload of packets that have the SYN flag set can be blocked by a firewall, together with keeping the OS up to date and review of log files.
Malware | X | Up to date antivirus signatures are essential in combating viruses, Trojans, worms, spyware etc. Also restrict access to non-essential web surfing, especially in critical branches of the network. Segment the network’s critical assets. Restrict administrator privileges on user computers to keep unauthorized software off machines and prevent changes to security settings.
Social Engineering | X | Servers are usually deployed in redundant modes as the cost of servers has dropped in relation to their critical use in the network.
Port Scanning | X | A firewall will protect from port scanning with the intention to infiltrate the network.
ICMP abuse | X | Packet filtering via a firewall will block abusive ICMP echo requests.
Host Attack | X | A proxy server will keep attackers from accessing IP addresses, hostnames and passwords which can be used to find other hosts to attack.
Man in the middle attack | X | VPN (Virtual Private Network) encryption can keep an attacker from operating between computers, impersonating one to intercept communications.
New Files on network | X | Use system auditing software to control this as a behavioral monitor / block.
Remote Procedure calls | X | An Intrusion Detection System will defeat this threat, as well as keeping OS patches up to date.

Consequence: 1) Catastrophic, 2) Very Disruptive, 3) Inconvenient
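The Denial of service and SYN Flood rows above rest on “logging frequent connection attempts against one service” and “review of log files”. The following Python is an added example, not from the document, of what that review looks like when automated: it parses a constructed, netfilter-style log format (the SRC/DST/DPT/FLAGS field names and the sample addresses are assumptions of this example), flags a destination service that receives an abnormal burst of SYNs inside a sliding time window (counted per service rather than per source, because flood sources are often forged, as the DoS row notes), and separately flags a single source touching many distinct ports, the indicator behind the Port Scanning row. The thresholds are assumptions to be tuned against a site’s normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (assumption: one line per connection
# attempt with SRC/DST/DPT/FLAGS fields; a real firewall's format would need
# its own regular expression).
LOG_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=(\S+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dpt, flags = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dpt": int(dpt), "flags": flags}


def peak_count_per_key(events, key, window):
    """For each key, the largest number of events falling inside any interval of
    length `window` (two-pointer sweep over the sorted timestamps)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key(e)].append(e["ts"])
    peaks = {}
    for k, times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        peaks[k] = peak
    return peaks


def detect_service_flood(events, window=timedelta(seconds=10), threshold=50):
    """SYN flood / DoS indicator: many SYNs against one (destination, port) in a
    short window. Counting per service rather than per source matters because
    flood sources are frequently forged."""
    syns = [e for e in events if e["flags"] == "SYN"]
    peaks = peak_count_per_key(syns, lambda e: (e["dst"], e["dpt"]), window)
    return sorted(k for k, n in peaks.items() if n >= threshold)


def detect_port_scan(events, min_ports=20):
    """Port scan indicator: one source touching many distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dpt"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def analyze(lines):
    """Run both detectors over raw log lines; unparseable lines are skipped and counted."""
    events = [e for e in map(parse, lines) if e is not None]
    return {"parsed": len(events), "skipped": len(lines) - len(events),
            "service_floods": detect_service_flood(events),
            "port_scans": detect_port_scan(events)}


def sample_log():
    """Constructed traffic (RFC 5737 documentation addresses): a web server's
    normal client, a SYN flood from forged sources, and a port scan."""
    base = datetime(2012, 4, 2, 10, 0, 0)
    fmt = "{} SRC={} DST=192.0.2.10 DPT={} FLAGS={}".format
    lines = []
    for i in range(5):  # benign client: a SYN every 10 s, each followed by an ACK
        t = base + timedelta(seconds=10 * i)
        lines.append(fmt(t.isoformat(), "198.51.100.200", 443, "SYN"))
        lines.append(fmt((t + timedelta(milliseconds=50)).isoformat(), "198.51.100.200", 443, "ACK"))
    for i in range(60):  # flood: 60 SYNs in 6 s, each from a different forged source
        t = base + timedelta(milliseconds=100 * i)
        lines.append(fmt(t.isoformat(), f"203.0.113.{i + 1}", 443, "SYN"))
    for port in range(1, 26):  # scan: one source, 25 ports, one every 2 s
        t = base + timedelta(seconds=2 * port)
        lines.append(fmt(t.isoformat(), "198.51.100.77", port, "SYN"))
    lines.append("2012-04-02 10:01:00 kernel: link up")  # unrelated line, skipped by parse()
    return lines


if __name__ == "__main__":
    print(analyze(sample_log()))
```

Note what each detector does and does not see: the flood sources each appear once, so a per-source rate limit would never fire, while the per-service window count does; the scanner sends one packet per port at a slow pace, so it never trips the flood threshold but does show up as a single source spread across 25 ports.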

The following table takes the credible threats from the individual analysis charts and presents them in summary form on one chart. These charts are not meant to be exhaustive but rather illustrative of the process.

Example: Threat / Vulnerability and Mitigation Summary Table:

Asset / Item | Vulnerability | Threat | Risk Assessment: Probability / Consequence | Mitigation | Notes
--- | --- | --- | --- | --- | ---
Personnel: Injury while entering / leaving building | Employees may be vulnerable between the time they leave their vehicles and when they enter the building. | Mugging, theft, panhandling or other personal attacks while alone walking to the car. | Unlikely / Catastrophic | Cost benefit analysis makes lighting and cameras feasible for this threat. | Most locations - risk is “unlikely” / consequence can be “catastrophic”.
Personnel: Resignations | Key operation may be at risk. | Loss of functionality, leaving the company, illness at a critical time. | Likely / Catastrophic | Make sure each role / duty has a backup. Capture and document key information. | Key employees are more likely to be recruited by other companies.
Personnel: Disgruntled inside | Employees with access to assets. | Sabotage, theft, disruption of teamwork. | Unlikely / Disruptive | Critical assets identified and protected: locked / RFID tags similar to those used in retail. | Most lost assets are non-critical; critical assets must be protected.
Personnel: Disgruntled outside | Former employee with passwords still enabled logs onto the network via a borrowed laptop or dial-in access. | Sabotage, theft, disruption of teamwork. | Unlikely / Disruptive | Identity Management System and log file review. | Although most assets can be lost with only disruptive consequences, critical assets must be protected.
Social Engineering | Sensitive information is vulnerable: inadvertent release of information (PII, passwords, etc.). | PII theft can lead to identity theft. Password release can lead to actual infiltration of the network. | Unlikely / Disruptive | Education and periodic test / probing to keep employees alert and aware. | This has to be evaluated periodically; in most cases this threat is unlikely.
Hardware failure | Loss of servers, routers, etc. through equipment failure caused by heat or lack of maintenance. | Functionality / availability of the network. | Unlikely / Catastrophic | Utilize redundant equipment where feasible. | This can be determined on an equipment-by-equipment basis.
Hardware theft / tamper | Located in an unlocked room, accessible to employees. | Sabotage or inadvertent damage due to error. | Unlikely / Catastrophic | Keep in a locked, secure environment. | After the initial installation, equipment is often ignored.
Software Category A: necessary to company operations | | Loss / tamper / out of date. | Unlikely / Very Disruptive | Backups must be maintained; software versions kept up to date with patches; antivirus protection. |
Software Category B: used to support / promote business | | Loss / tamper / out of date. | Unlikely / Disruptive | Keep non-critical software up to date with patches; antivirus protection. |
Information: Key inventions - intellectual property | | Theft - duplication if in the hands of a competitor. | Unlikely / Catastrophic | | Knowledge is most valuable.
Information: Customer lists, PII | | Illicit use if in the hands of a competitor / thief. | Unlikely / Catastrophic | |

8. Personnel Security:

Although not generally thought of as part of an IT Security Plan, personnel security is always a part of the overall security considerations, and with IT Security responsible for the entire company’s security this becomes part of its responsibility. The main thrust here is to make sure employees are safe. Vulnerabilities exist mostly while moving between the parking lot and the building. The other aspect of security involving personnel is the risk to the company when personnel end their employment with the company (voluntarily or otherwise). Several security issues are involved with employees who move on. These are mostly handled with the help of the automated Identity Management System.

Security starting at the parking lot is designed to accomplish two things. First: physical security, or the safety of employees. The plan is designed to protect employees from the threat of personal harm when they are between their cars and the building. This is accomplished by the use of 8 ft. high fencing integrated into the landscaping and color coordinated to be less visible, intrusion detection sensors, cameras and lighting. The parking lots will have cameras installed at locations that enable viewing of activity anywhere in the lots. The entire area, building and parking lot will be fenced, and lighting and cameras will be deployed in strategic areas. This will enhance the landscaping, which will itself be designed to enhance security, leaving areas near the windows and building entrances free of large shrubs so as to enable greater visibility.

Physical security is closely connected with Identity Management and starts with vehicle identification. The parking lots will be for employee use only. There will be a separate lot for visitors and clients. The employee lots will have Radio-Frequency Identification (RFID) transceivers installed, and each employee will be issued tags (also called transponders) that will enable identification of their vehicles as they enter the lots. [11] There is one entrance at each location, and the receptionist in the building, who also functions as a security officer, will have the picture and name of the employee on his/her screen before they enter the front entrance (captured by the RFID system). If he/she sees a different person enter, he/she will deal with that in a different way. Visitors may not be in the system until they have visited the first time and been identified and put in the database. First time visitors are treated slightly differently from 2nd time visitors and employees. In each case the goal is to have flawless security, and we want the person to feel good about the security measures and tolerate, if not enjoy, their participation in the process. We also do not want to delay a legitimate entry. Trained and motivated security personnel are essential to this process. One option is to institute a Rotation of Duties between the security point person and all other roles in the company, which will enable all employees to appreciate the role of security. Front desk security would be a duty everyone would be able to enjoy. This would increase security awareness and allow everyone in the company eventually to meet everyone else.

9. Building Security:

Windows and doors to the outside will be alarmed to a central alarm system. During business hours there will be one entrance for employees to enter the building. At that location they will use their RFID badge to open a door. Once inside there is a lobby where they will be allowed into the building after showing their ID badge to the receptionist. This process is two factor security: the RFID badge and personal recognition by a human.

After hours the building will be locked and secured by 24 hour security monitoring. The security monitoring will include the grounds, the parking lot and cameras at strategic locations within and outside the building. The cameras will be on a 24/7 recording schedule and archived on a regular schedule. Those who require after hours work must have prior approval and will be admitted by the security guard on duty.

Sensitive rooms within each building will be secured from general employee access. Each employee RFID badge will give them access to specific areas divided by department. The Human Resources department will have a lobby area with soundproof rooms where employee interviews will be conducted. Also, the finance area will have an area where non-finance employees will be admitted without having to enter the restricted “Finance” area, which is restricted to finance employees only. Conference rooms, cafeteria, restrooms, etc., will be open to the general employee population.

10. Access Control:

Access control is enabled by an efficient Identity Management system. [12] Identity Management is the management of user credentials and the means by which users log on to corporate network resources. With the emergence of phishing attacks, good identity management became essential in maintaining the CIA triad. Phishing exploits the difficulty of properly identifying and authenticating identities. The evolution of identity management follows the progression of Internet technology closely.

Typical identity management functionality includes the following:

1. User information self-service
2. Password resetting
3. Management of lost passwords
4. Workflow
5. Provisioning and de-provisioning of identities from resources

Identity management also addresses the age-old 'N+1' problem — where every new application may entail the setting up of new data stores of users. The ability to centrally manage the provisioning and de-provisioning of identities, and consolidate the proliferation of identity stores, all form part of the identity management process.

Identity management starts with the risk assessment to determine the need for particular controls to properly protect information, applications, and infrastructure as required. These controls set the lifecycle security objectives for creating and maintaining an identity, verifying and authenticating an identity, granting permissions and authorities, monitoring and accountability, and auditing and appraisal of the identity management processes.

The identity management system defines the control objectives required to enforce the security policy:

1. Identification: The process that creates an entity and verifies the credentials of the individual, which together form a unique identity for authentication and authorization purposes.

2. Authentication: Verifies credentials to support an interaction, transaction, message, or transmission.

3. Authorization: Grants permissions by verifying the authenticity of an individual’s identity and permissions to access specific categories of information or to carry out defined role based tasks.

4. Accountability: The process that records the linkage between an action and the identity of the individual or role who has invoked the action, thus providing an evidence trail for audit or non-repudiation purposes.

5. Audit: The process that examines data records, actions taken, changes made, and identities/roles invoking actions, which together provide a reconstruction of events for evidential purposes.

The control objectives above serve the requirement to provide an auditable chain of evidence.

Using the Identity Management system, each employee is given access to physical locations, network locations, information databases, etc. based on their role and classification. Each role and title will imply certain tasks and levels of authorization to perform particular tasks. An example of a Role table is in Appendix III. Access to the required resources will be based on those roles. The identity management system enables efficient deployment of employees and removal of employees when they no longer are required to have the access or they leave the company.
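The following is an added illustration of the role-based provisioning, authorization and audit chain described in this section (and of the department-based badge zones of section 9); it is not the document's own system or code. The role table with its zones and resources is an assumed example standing in for the Role table in Appendix III, and the user names are constructed.

```python
"""Role-based provisioning, authorization and audit trail.
Added illustration of the identity management process described above, not
the document's own system.  The role table (roles, building zones, network
resources) is assumed for the example; the document's real Role table is in
its Appendix III."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role table: each role grants physical zones and network resources.
ROLE_TABLE = {
    "employee": {"zones": {"lobby", "cafeteria", "conference"},
                 "resources": {"intranet", "email"}},
    "finance":  {"zones": {"finance"}, "resources": {"ledger-db"}},
    "hr":       {"zones": {"hr-lobby", "hr-interview"}, "resources": {"hr-db"}},
    "sysadmin": {"zones": {"server-room", "wiring-closet"},
                 "resources": {"directory-admin", "backup"}},
}


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    active: bool = True


class IdentityManager:
    """One identity store feeding every resource: the 'N+1' per-application
    user stores are replaced by role membership held here, and revocation
    (the leaver case) happens in one place."""

    def __init__(self):
        self.identities = {}
        self.audit_log = []   # accountability: actor, action, target, outcome

    def _record(self, actor, action, target, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target, "outcome": outcome,
        })

    def provision(self, actor, user_id, roles):
        """Joiner handling: create the identity with the roles its title implies."""
        unknown = set(roles) - ROLE_TABLE.keys()
        if unknown:
            self._record(actor, "provision", user_id, f"rejected: unknown roles {sorted(unknown)}")
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.identities[user_id] = Identity(user_id, set(roles))
        self._record(actor, "provision", user_id, f"granted {sorted(roles)}")

    def deprovision(self, actor, user_id):
        """Leaver handling: one call removes every entitlement at once."""
        ident = self.identities[user_id]
        ident.active = False
        ident.roles.clear()
        self._record(actor, "deprovision", user_id, "all access revoked")

    def entitlements(self, user_id, kind):
        """Union of the zones or resources granted by the identity's roles."""
        ident = self.identities.get(user_id)
        if ident is None or not ident.active:
            return set()
        return set().union(*(ROLE_TABLE[r][kind] for r in ident.roles))

    def authorize(self, user_id, kind, name):
        """Authorization decision, always recorded so it can be audited later."""
        allowed = name in self.entitlements(user_id, kind)
        self._record(user_id, f"access-{kind}", name, "allowed" if allowed else "denied")
        return allowed

    def audit(self, user_id):
        """Audit: reconstruct what an identity was granted and what it attempted."""
        return [e for e in self.audit_log if e["actor"] == user_id or e["target"] == user_id]
```

Every decision is written to the same log as the provisioning events, so the audit step can reconstruct, for one person, both the grants they received and the accesses they attempted; a real deployment would write that log to a store the user cannot modify.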

Maintaining access control in the enterprise requires several components for each category of access control. There are three main categories of access control: [13]

Administrative:

1. Policies and procedures - A high-level plan that lays out management’s plan on how security should be practiced in the company. It defines what actions are not acceptable and what level of risk the company is willing to accept.

2. Personnel controls - Indicate how employees are expected to interact with corporate security, and how non-compliance will be enforced.

3. Supervisor structure - Defines the overall company hierarchy. Each employee has a supervisor they report to and that supervisor has a superior they report to. This chain of command dictates who is responsible for each employee’s actions.

4. Security awareness training - Users are usually the weakest link in the security chain. Proper training on security issues can instill proper access control usage on the network.

5. Testing - Test access controls on the network to determine their effectiveness (or ineffectiveness).

Physical:

1. Network segregation - Defining segregation points can help enforce access controls on ingress or egress to the segment.

2. Perimeter security - Defines how the perimeter of the company will be enforced, such as guards, security badges, fences, gates.

3. Computer controls - Defines the physical controls on computer systems, such as locks on systems to deter theft of internal parts, or removal of floppy drives to deter copying.

4. Work area separation - Separation of work areas based on type of use, such as server room, wiring closets, experimental room.

5. Data backups - This physical control is used to ensure access to information in case of system failure or natural disaster.

6. Cabling - Protecting the cabling from electrical interference, crimping, and sniffing.

Technical:

1. System access - Controls that determine how resources on a system are accessed, such as MAC architecture, DAC architecture, username/password, RADIUS, TACACS+, Kerberos.

2. Network architecture - Defines logical network segmentation to control how different network segments communicate.

3. Network access - Defines access controls on routers, switches, network interface cards, and bridges. Access control lists, filters, AAA, and firewalls would be used here.

4. Encryption and protocols - A technical control that encrypts traffic as it courses through untrusted network segments. Protocols could include IPSec, L2TP, PPTP, SSH, SSL/TLS.

5. Control zone - A specific area in the enterprise that surrounds and protects network devices that emit electrical signals. Electrical signals emanate from all computer systems and travel a certain distance before being drowned out by interference from other electrical fields. Control zones are both a technical and a physical control.

6. Auditing - Tracks activity as resources are being used in the enterprise.

11. Telecommunications:

Along with access to the network from the company intranet, employees may gain remote access via a remote log-on through a secure Virtual Private Network (VPN).

Virtual Private Networks (VPNs) are secure private connections created using a public network. They are virtual in the sense that the public network is seen as a single hop between networks, allowing the two networks to be virtually connected. They are private in the sense that data sent over the public network cannot be viewed by un-trusted personnel. Encryption techniques create the privacy.

Four main VPN protocols are in use today:

Layer Two Forwarding (L2F) is a protocol developed by Cisco that supports the creation of secure virtual private dial-up networks (VPDNs) over the Internet.

Point to Point Tunneling Protocol (PPTP) is a network protocol developed by Microsoft that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet.

Layer 2 Tunnel Protocol (L2TP) is an Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).

IPSec - The Security Architecture for the Internet Protocol is designed to provide interoperable, high quality, cryptographically based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, detection and rejection of replays, a form of partial sequence integrity, confidentiality through encryption, and limited traffic flow confidentiality. The IP layer provides these services, offering protection in a standard fashion for all protocols that may be carried over IP, including IP itself.

When the Identity Management System is used, the VPN access is seamlessly integrated with the Identity Management System.

END NOTES

[1] Crack: from www.Webopedia.com: (1) To break into a computer system. The term was coined in the mid-80s by hackers who wanted to differentiate themselves from individuals whose sole purpose is to sneak through security systems. Whereas crackers' sole aim is to break into secure systems, hackers are more interested in gaining knowledge about computer systems and possibly using this knowledge for playful pranks. Although hackers still argue that there's a big difference between what they do and what crackers do, the mass media has failed to understand the distinction, so the two terms -- hack and crack -- are often used interchangeably. (2) To copy commercial software illegally by breaking (cracking) the various copy-protection and registration techniques being used. Hacker: A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s). Among professional programmers, depending on how it is used, the term can be either complimentary or derogatory, although it is developing an increasingly derogatory connotation. The pejorative sense of hacker is becoming more prominent largely because the popular press has coopted the term to refer to individuals who gain unauthorized access to computer systems for the purpose of stealing and corrupting data. Hackers, themselves, maintain that the proper term for such individuals is cracker.

[2] The Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center. IC3 received 303,809 Complaints from 1/1/10 to 12/31/10 and of these 121,710 Complaints were referred to law enforcement.

[3] According to a recent Norton cybercrime report, 431 million adults in 24 countries experienced some type of cybercrime over the past year, which is up 3 percent from the 2010 study. (The top three cybercrimes, according to the study, are viruses or malware, online credit card fraud, and phishing - or e-mail scams.) In the United States, that comes to 141 victims per minute. "Our study found over 41 percent of us don't have software security," said Helen Malani, Norton's consumer cybercrime expert. "There's a general apathy about it - a disconnect. Three times as many people have been the victim of online crimes, but yet they are more afraid that they will be robbed on the street." According to the study, over the past year the United States' total bill for cybercrime topped $139 billion.

[4] From “www.answers.com/topic/computer-crime”: “As criminologist and computer-insurance executive Ron Hale indicated to Tim McCollum of Nation's Business, one of the most unsettling facts about computer crime is that the greatest threat to information security for small businesses is their employees. As McCollum noted, "a company's employees typically have access to its personal computers and computer networks, and often they know precisely what business information is valuable and where to find it." The reasons for these betrayals are many, ranging from workplace dissatisfaction to financial or family difficulties.”

[5] NIST Special Publication 800-12, Chapter 5 discusses three policy types: program policy, issue-specific policy, and system-specific policy. Program policy establishes an organization’s information security program.

[6] NIST SP 800-18 – Guide for Developing Security Plans for Information Technology Systems, February 2006. Also ISO 17799 Information Technology – Code of Practice for Information Security Management.

[7] NIST SP 800-27 Rev A, June 2004: Engineering Principles for Information Technology Security. “Securing information and systems against the full spectrum of threats requires the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems. This is due to the highly interactive nature of the various systems and networks, and the fact that any single system cannot be adequately secured unless all interconnecting systems are also secured. By using multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach will not leave the system unprotected. Through user training and awareness, well-crafted policies and procedures, and redundancy of protection mechanisms, layered protections enable effective protection of information technology for the purpose of achieving mission objectives.”

[8] OMB's 1996 revision of Circular A-130, Appendix III – “recognizes that federal agencies have had difficulty in performing effective risk assessments--expending resources on complex assessments of specific risks with limited tangible benefits in terms of improved security. For this reason, the revised circular eliminates a long-standing federal requirement for formal risk assessments. Instead, it promotes a risk-based approach and suggests that, rather than trying to precisely measure risk, agencies focus on generally assessing and managing risks. This approach is similar to that used by the organizations we studied.”

[9] NIST SP 800-30: Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

[10] Rotation of Duties: that is, moving employees from one job to another at set or random intervals, helps deter fraud. As a result of rotating duties, employees are also cross-trained to perform each other’s functions in case of illness, vacation, or termination. Enabling job rotation allows the company to have more than one person who understands the tasks and responsibilities of a specific job title, which provides personnel redundancy if a person leaves the company or is absent. Job rotation also helps when attempting to identify internal fraudulent activity.

[11] Layered Defense: This is part of the Defense-in-depth strategy. In a layered defense, the perimeter is the first line of defense that intruders must overcome.

[12] Providers of Identity Management Systems are: Sun IM (supported until 2014), Oracle IM, IBM Tivoli IM, Microsoft Active Directory, Microsoft Identity Lifecycle Manager, CA Technologies, Courion IM, Novell IM.

[13] Adapted from “Certified Information Systems Security Professional”, Thomson NETg, 2005.

12. Network Security

Attackers are continuously attempting to gain access to corporate resources for profit or fun. Once the security world obtains an understanding of the exploit used, the application, algorithm, or protocol is updated to mitigate the threat. Attackers then try different avenues of attack, which leads to an endless exploit/mitigation loop.

Examples of Network Attacks:

Smurf: This is an attack with three entities: the attacker, the victim, and the amplifying network. The attacker spoofs, or changes, the source Internet Protocol (IP) address in a packet header to make an Internet Control Message Protocol (ICMP) ECHO packet seem as though it originated at the victim’s system. This ICMP ECHO message is broadcast to the amplifying network, where all active nodes send replies to the source (the victim). The victim’s system and network become overwhelmed by the large number of ECHO replies.

Fraggle: This is the same type of attack as the Smurf attack, except here the attacker broadcasts a spoofed UDP packet to the amplifying network, which in turn replies to the victim’s system.

Denial of Service (DoS): This attack consumes the victim’s bandwidth or resources, causing the system to crash or stop processing other packets. DoS attacks are carried out by attackers with an intent to stop legitimate users from accessing certain resources. Their intent is malicious and not designed to obtain information. DoS attacks are usually the most formidable attacks to deal with, as they usually involve very large amounts of traffic that may or may not look like valid transmissions on the wire. Knowing how these attacks are sculpted and executed will allow network administrators to better deter them on their networks. Mitigation of DoS attacks can be performed at the ISP egress router into the company via rate limiting, via NIDS and HIDS, and by having up to date security patches and hot fixes installed on all critical servers and systems. Where the target is a login subsystem, input checking included in that subsystem can easily stop the DoS attack.

Distributed Denial of Service (DDoS): This is a logical extension of the DoS attack. The attacker creates master controllers that can in turn control slave/zombie machines, all of which can be configured to attack a single node.

DNS DoS Attacks: In this attack a record at a domain name system (DNS) server is replaced with a new record pointing at a fake/false IP address.

Cache Poisoning: Here the attacker inserts data into the cache of the server instead of replacing the actual records.

A buffer overflow is a software-based attack created when a program does not check the length of data that is input into it, which will then be processed by the CPU. A buffer overflow exists when a particular program attempts to store more information in a buffer (memory storage) than it was intended to hold. Since the buffer was only intended to hold a certain amount of data, the additional data overflows into a different area of memory. It is this different area of memory where overflows cause the problem.

Brute force attacks occur when a cracker attempts to obtain the correct password for an account by trying every conceivable value, hoping to stumble across the correct one. Administrators have known about brute force attacks for many, many years and have come up with ways to mitigate these types of attacks. One of the easiest methods is to rename the administrator account to something else. In this way the cracker must know two things, the account name and the password. Administrators will also create passwords of at least eight characters in length. This technique helps because it takes time to brute force a password that is at least eight characters long. Hopefully, the administrator will notice the attack and take precautionary steps to block the cracker. The length of the password and the number of possible values a password may have will delay the success of this attack but not stop it. Also, imposing a delay of, say, 20 seconds between failed attempts or locking the account after 10 failed attempts deters this type of attack.

Dictionary attacks are another form of brute force attack and take advantage of a well-known flaw in the password authentication scheme. That flaw is the fact that many people use common words as the password for an account. Attackers exploit this fact by using a source of common words (the dictionary) to try to obtain a password for an account. They simply try every possible word in the dictionary until a match is found. Proper password usage is key to the mitigation of this attack. Dictionary attacks are usually mitigated by systems that use pass phrases instead of passwords.
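The mitigations in the two paragraphs above (minimum length, a delay between failed attempts, lockout after repeated failures, and rejecting common dictionary words in favour of pass phrases) as an added worked example; this is not code from the document. The 20 second delay, 10 attempt lockout and eight character minimum are the document's figures; the user store, the "common words" list and the injected clock are constructed for the example.

```python
"""Failed-login throttling, lockout and a dictionary-word password check.
Added illustration of the mitigations described above; not the document's own
code.  Thresholds (20 s delay, 10 attempts, 8 characters) are the document's
figures; the user store, word list and clock are constructed for the example."""
import hashlib
import hmac
import secrets

FAIL_DELAY_SECONDS = 20      # minimum gap after a failed attempt (document's figure)
LOCKOUT_THRESHOLD = 10       # lock the account after this many consecutive failures
MIN_PASSWORD_LENGTH = 8      # document's minimum length

# Constructed "common words" list standing in for an attacker's dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "admin", "company"}


def hash_password(password, salt=None):
    """Salted PBKDF2 so a stolen store cannot be reversed with a dictionary lookup."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def password_policy_ok(password):
    """Reject short passwords and bare dictionary words; a pass phrase of
    several words passes because it is long and is not a single common word."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if password.lower() in COMMON_WORDS:
        return False
    return True


class LoginService:
    def __init__(self, now):
        self.now = now            # injected clock: now() -> seconds, so tests can advance it
        self.users = {}           # account name -> (salt, digest)
        self.failures = {}        # account name -> consecutive failure count
        self.last_failure = {}    # account name -> time of the last failure
        self.locked = set()

    def add_user(self, name, password):
        if not password_policy_ok(password):
            raise ValueError("password violates policy")
        self.users[name] = hash_password(password)

    def login(self, name, password):
        """Returns one of 'ok', 'bad-credentials', 'too-fast', 'locked'."""
        if name in self.locked:
            return "locked"
        last = self.last_failure.get(name)
        if last is not None and self.now() - last < FAIL_DELAY_SECONDS:
            return "too-fast"     # enforce the delay after a failure
        record = self.users.get(name)
        if record is None:
            # Unknown account: same cost and same answer as a wrong password, so the
            # response does not reveal whether the (renamed) account exists.
            hash_password(password, b"\0" * 16)
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self.failures.pop(name, None)
            self.last_failure.pop(name, None)
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        self.last_failure[name] = self.now()
        if self.failures[name] >= LOCKOUT_THRESHOLD:
            self.locked.add(name)
            return "locked"
        return "bad-credentials"
```

The delay and the lockout are counted per account, so a guess that arrives inside the delay window is refused without even being checked, and the tenth consecutive failure locks the account until an administrator intervenes; the unknown-account path deliberately costs the same as a wrong password so the renamed administrator account cannot be found by timing.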

Spoofing: Attackers can use many different types of spoofing attacks, but they all use spoofing for one reason, which is to impersonate another host. Sometimes the attacker does not care who he or she is impersonating; the attacker only cares that the packet he or she is transmitting does not identify him or her. Other times the attacker knows exactly what host he or she wants to impersonate and wants the return traffic to reach this host. A spoofing attack on a password system is one in which one person or process pretends to be another person or process that has more privileges. An example would be a fake login screen, also called a Trojan horse login. In this attack, the attacker obtains low-level access to the system and installs malicious code that mimics the user login screen. On the next attempt to log in, the user enters his username and password into the fake login screen. The malicious code then stores the username and password in a certain location or may even email the information to an email account. The Trojan horse then calls the correct login process to execute. To the user, the entry appears to have been an incorrect or mistyped username or password and he or she will try again. When they do, of course, they are let into the system.

DNS spoofing attacks work by convincing the target machine that the machine it wants to contact (for example, www.makebigchecks.com) is the machine of the attacker. When the target issues a DNS query, it could be intercepted and answered with the spoofed IP address, or the query could reach the DNS server, which has been tampered with in order to give the IP address of the cracker’s host rather than the real server’s IP address. Either way the target receives a false IP address for the host it wanted and will attempt to contact it.

Sniffing: The act of sniffing is the use of a program or device that monitors data traveling over a network. Sniffing is hard to detect because, as a passive attack, it only receives information and never sends out information. The goal of sniffing is to capture sensitive information such as a password in order to perform a replay attack at a later time. Mitigation against sniffing attacks can include using a switched infrastructure, using one-time passwords, or enabling encryption.

In a Transmission Control Protocol (TCP) takeover attack, the cracker will attempt to insert malicious data into an already existing TCP session between two hosts. In this type of attack, the attacker is either attempting to inject false data into the conversation, or to take over the session completely. This type of attack is usually used in conjunction with a DoS attack to stop the host it is impersonating from sending any further packets. The DoS attack against the impersonated host will itself be using spoofed packets. In this way, the attacker will hide his or her identity from the host he or she took over the TCP session from, while the opposite end still believes its ongoing session is with the original host.

A pseudo flaw is an apparent loophole deliberately implanted in an operating system or program as a trap for intruders. Pseudo flaws are inserted into programs to get attackers to spend time and energy attempting to uncover weaknesses in programs that they hope will allow them to gain access to other parts of the system. Because these are deliberate flaws, the attacker can spend weeks attempting to exploit the flaw before he or she becomes discouraged and moves on to different parts of the program.

Alteration of Authorized Code: Attackers often write small programs that create a patch in authorized code. Take a program that will not execute until the user enters a valid serial number or authorization code. The attacker does not have this information, yet still wants to execute the program. Using his or her knowledge of programming and off-the-shelf software, the attacker can identify where in the program the subroutine that performs authorization is called from. The attacker then writes a program that modifies that very same area of the program, but instead of calling the authorization subroutine, the instructions are now a series of NOPs (no operations). This alteration of authorized code simply bypasses the authorization subroutine and begins executing the program.

Flooding is the process of overwhelming some portion of the information system. This could be bandwidth on a serial link or memory in a router or server. There are many uses of flooding for attackers. Attackers could hide their attacks in a flood of random attack packets, they could attempt to overwhelm a switch’s Address Resolution Protocol (ARP) table, or they could perform DoS attacks. SYN floods are an example of flooding used in a DoS attack. SYN floods take advantage of TCP’s three-way handshake. In this DoS attack, the attacker sends many thousands of half-formed or embryonic TCP connection requests (SYN packets), usually with a spoofed source address, to the target server. The server that receives these connection requests sets aside a small amount of memory for each connection, and replies with a SYN-ACK to the spoofed address. The spoofed host (if it exists) receives the SYN-ACK packet and discards it. This leaves the server with an open or half-formed connection, which will remain so for three minutes as it waits for the connection to complete. A few open connections will not cause harm to a server, but thousands upon thousands of open connections, each using a small amount of memory, will quickly consume all available resources on the server. When all resources are consumed, the server will no longer respond to the SYN requests of the attacker. Unfortunately, the server will also not respond to any SYN request from a valid user, which is what the attacker's DoS is trying to accomplish.

These attacks are always changing and methods of mitigating them are also changing.
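As an added example of how the symptoms described above can be recognised by a network administrator, the code below looks for two signatures in flow records: the reflection pattern of the Smurf and Fraggle attacks (a host receiving ICMP or UDP replies from many sources it never sent a request to) and the half-open connection build-up of a SYN flood. It is not code from the document; the record format, the sample traffic (addresses from the documentation ranges) and the alert thresholds are constructed assumptions.

```python
"""Detecting reflection (Smurf/Fraggle) and SYN-flood symptoms in flow records.
Added illustration of the attacks described above, not the document's own code.
The record format, the sample traffic and the thresholds are constructed for
the example; a real deployment would tune the thresholds to its traffic."""
from collections import defaultdict

UNSOLICITED_REPLY_SOURCES = 5   # distinct responders with no matching request (assumed)
HALF_OPEN_THRESHOLD = 4         # SYNs per server never completed by an ACK (assumed)


def sample_records():
    """Constructed flow records as seen by a sensor at the victim's network:
    (time_s, proto, src, dst, kind), where kind is ICMP 'echo-req'/'echo-reply',
    UDP 'req'/'reply', or TCP 'syn'/'syn-ack'/'ack'."""
    r = [
        # Legitimate ping from 10.0.0.5 to 10.0.0.9 and its reply.
        (0.0, "icmp", "10.0.0.5", "10.0.0.9", "echo-req"),
        (0.1, "icmp", "10.0.0.9", "10.0.0.5", "echo-reply"),
        # Legitimate, completed TCP handshake to the web server 10.0.0.20.
        (1.0, "tcp", "10.0.0.5", "10.0.0.20", "syn"),
        (1.1, "tcp", "10.0.0.20", "10.0.0.5", "syn-ack"),
        (1.2, "tcp", "10.0.0.5", "10.0.0.20", "ack"),
    ]
    # Smurf: six hosts on an amplifying network answer an echo 10.0.0.7 never sent.
    for i in range(1, 7):
        r.append((2.0 + i / 10, "icmp", f"192.0.2.{i}", "10.0.0.7", "echo-reply"))
    # Fraggle: UDP replies to the same victim from a second amplifying network.
    for i in range(1, 6):
        r.append((3.0 + i / 10, "udp", f"198.51.100.{i}", "10.0.0.7", "reply"))
    # SYN flood: five spoofed clients, the server answers, the final ACK never arrives.
    for i in range(1, 6):
        r.append((4.0 + i / 10, "tcp", f"203.0.113.{i}", "10.0.0.20", "syn"))
        r.append((4.05 + i / 10, "tcp", "10.0.0.20", f"203.0.113.{i}", "syn-ack"))
    return r


def detect_reflection(records):
    """Smurf/Fraggle symptom: a host receives ICMP echo replies or UDP replies from
    many distinct sources to which it never sent a request.  Returns
    {(victim, proto): [responders]} for victims over the threshold."""
    requested = set()   # (requester, responder, proto) pairs actually seen outbound
    for _, proto, src, dst, kind in records:
        if kind in ("echo-req", "req"):
            requested.add((src, dst, proto))
    unsolicited = defaultdict(set)
    for _, proto, src, dst, kind in records:
        if kind in ("echo-reply", "reply") and (dst, src, proto) not in requested:
            unsolicited[(dst, proto)].add(src)
    return {victim: sorted(srcs) for victim, srcs in unsolicited.items()
            if len(srcs) >= UNSOLICITED_REPLY_SOURCES}


def detect_syn_flood(records):
    """SYN flood symptom: many half-open connections (SYN seen, no final ACK from
    the same client) against one server.  Returns {server: half_open_count}."""
    syns, acks = set(), set()
    for _, proto, src, dst, kind in records:
        if proto != "tcp":
            continue
        if kind == "syn":
            syns.add((src, dst))
        elif kind == "ack":
            acks.add((src, dst))
    half_open = defaultdict(set)
    for client, server in syns - acks:
        half_open[server].add(client)
    return {server: len(clients) for server, clients in half_open.items()
            if len(clients) >= HALF_OPEN_THRESHOLD}
```

Both detectors work from what the sensor can see locally, which matters because the spoofed source addresses in these attacks carry no useful information: the reflection check keys on replies without a matching outbound request, and the SYN check on handshakes that never complete, so neither depends on trusting the source field.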

13. Architecture

An example network architecture for a single location is located in Appendix IV. The network is segregated into 7 sub-networks which include the 10 functional areas.

Fundamental Firewall Designs

Firewall design has evolved from flat designs, such as the dual-homed host and screened host, to layered designs such as the screened subnet. The evolution has incorporated network defense in depth, incorporating the use of DMZs and more secure networks.

A Bastion host is any host placed on the Internet which is not protected by another device (such as a firewall). Bastion hosts must protect themselves, and be hardened to withstand attack. Bastion hosts usually provide a specific service, and all other services should be disabled.

A Dual-homed host has two network interfaces: one connected to a trusted network, and the

other connected to an untrusted network, such as the Internet. This design was more common

before the advent of modern firewalls in the 1990s, and is still sometimes used to access legacy

networks.

Screened Host Architecture is an older flat network design using one router to filter external

traffic to and from a bastion host via an access control list (ACL). The bastion host can reach

other internal resources, but the router ACL forbids direct internal/external connectivity. The

difference between dual-homed host and screened host design is screened host uses a screening

router, which filters Internet traffic to other internal systems. Screened host network design does

not employ network defense-in-depth: a failure of the bastion host puts the entire trusted network

at risk. Screened subnet architecture evolved as a result, using network defense in depth via the

use of DMZ networks.

DMZ Networks and Screened Subnet Architecture. A DMZ is a dangerous “no-man’s land”: this is true for both the military and the network DMZ. Any server that receives traffic from an untrusted source such as the Internet is at risk of being compromised. We use defense-in-depth mitigation strategies to lower this risk, including patching, server hardening, NIDS, etc., but some risk always remains.

Network servers that receive traffic from untrusted networks such as the Internet should be placed on DMZ networks for this reason. A DMZ is designed with the assumption that any DMZ host may be compromised: the DMZ is designed to contain the compromise and prevent it from extending into internal trusted networks. Any host on a DMZ should be hardened. Hardening should consider attacks from untrusted networks, as well as attacks from compromised DMZ hosts. A “classic” DMZ uses two firewalls, also called a screened subnet dual-firewall design: two firewalls screen the DMZ subnet. A single-firewall DMZ uses one firewall and is sometimes called a “three-legged” DMZ. The single-firewall design requires a firewall that can filter traffic on all three interfaces: untrusted, trusted, and DMZ. Dual-firewall designs are more complex, but more secure: in the event of compromise due to firewall failure, a dual-firewall DMZ requires two firewall failures before the trusted network is exposed, whereas a single-firewall design requires only one.
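As an added example (not part of the original document), the single-firewall "three-legged" policy described above expressed as a first-match zone rule set, with an audit that checks the containment property the DMZ exists for; the address plan, service ports and rules are constructed.

```python
"""Zone policy for a single-firewall ("three-legged") DMZ with a check that a
compromised DMZ host cannot open connections into the trusted network.
Added example, not from the original document; the address plan, service
ports and rules are constructed."""
from ipaddress import ip_address, ip_network

# Constructed address plan for the firewall's three interfaces.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),     # public-facing servers
    "trusted": ip_network("10.0.0.0/8"),   # internal users and data
    # everything else is "untrusted" (the Internet side)
}

# First matching rule wins; anything unmatched is denied (default deny).
# Tuple layout: (src_zone, dst_zone, dst_port or None for any port, action)
RULES = [
    ("untrusted", "dmz", 25, "allow"),        # inbound mail to the DMZ relay
    ("untrusted", "dmz", 80, "allow"),        # public web server
    ("untrusted", "dmz", 53, "allow"),        # public DNS
    ("trusted", "dmz", None, "allow"),        # internal users reach DMZ services
    ("trusted", "untrusted", None, "allow"),  # internal users reach the Internet
    ("dmz", "untrusted", 25, "allow"),        # relay delivers outbound mail
    ("dmz", "trusted", None, "deny"),         # containment: DMZ never initiates inward
]


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface (zone) it belongs to."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


def match(src_zone: str, dst_zone: str, dst_port: int, rules=RULES) -> str:
    """First-match evaluation of the rule list; default deny."""
    for rule_src, rule_dst, rule_port, action in rules:
        if (rule_src, rule_dst) == (src_zone, dst_zone) and rule_port in (None, dst_port):
            return action
    return "deny"


def decide(src_ip: str, dst_ip: str, dst_port: int, rules=RULES) -> str:
    """Filtering decision for a new connection arriving at the firewall."""
    return match(zone_of(src_ip), zone_of(dst_ip), dst_port, rules)


def exposure(rules, src_zone: str, dst_zone: str, ports=range(1, 65536)) -> set:
    """Every destination port on which src_zone may open a connection to dst_zone.
    For src "dmz" and dst "trusted" this must be empty: a compromised DMZ host
    must not be able to pivot inward through the firewall."""
    return {p for p in ports if match(src_zone, dst_zone, p, rules) == "allow"}


if __name__ == "__main__":
    print(decide("203.0.113.9", "192.0.2.10", 25))    # allow: Internet -> DMZ mail relay
    print(decide("192.0.2.10", "10.0.0.5", 445))      # deny: DMZ host -> trusted file share
    print(sorted(exposure(RULES, "dmz", "trusted")))  # []
    # A rule added "temporarily" so a DMZ application can reach an internal
    # database silently breaks containment; the audit catches it.
    leaky = [("dmz", "trusted", 1433, "allow")] + RULES
    print(sorted(exposure(leaky, "dmz", "trusted")))  # [1433]
```

In the dual-firewall design the inner firewall carries its own copy of the containment rule, so a rule change on the outer firewall alone cannot expose the trusted network.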


14. Intrusion Detection System (IDS)

An important tool in network defense is the Intrusion Detection System (IDS). An IDS utilizes audit records of all activities on a system. An IDS has three basic components: a sensor (agent), an analyzer, and a security interface (also called the director). The sensor collects information and forwards it to the analyzer. The analyzer receives this data and attempts to ascertain whether the data constitutes an attack or intrusion. The security interface, which is usually a separate device, displays the output to the security administrator and is used to configure the sensors in the network. There are two basic types of intrusion detection mechanisms: Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS).

Intrusion detection devices attempt to identify any of the following types of intrusions:

Input Validation Errors

Buffer Overflow

Boundary Conditions

Access Validation Errors

Exceptional Condition Handling Errors

Environmental Errors

Configuration Errors

Race Conditions

NIDS: Protects an entire network segment and is usually a passive device on the network. Users are unaware of the NIDS's existence unless they learn about it through the general security training sessions. A NIDS cannot detect malicious code in encrypted packets, but it is cost-effective for mass protection. It requires its own sensor for each network segment.

HIDS: Protects a single system. It uses system resources (CPU and memory) of the system it protects and provides application-level security. An advantage of HIDS is that it provides day-one security. Intrusion detection is performed after decryption, so it is used on servers and sensitive workstations, but it is costly for mass protection.


The two forms of intrusion detection:

Profile-based intrusion detection (also known as anomaly detection): In profile-based detection, an alarm is generated when activity on the network goes outside of the profile. A profile is a baseline of what should be considered normal traffic for each system running on the network. A problem exists because most systems do not follow a consistent profile: what is normal today might not be normal tomorrow.

Signature-based intrusion detection: In signature-based detection, a signature or set of rules is used to determine intrusion activity. An alarm is generated when a specific pattern of traffic is matched or a signature is triggered. Typical responses to an attack include the following:

Terminating the session (TCP resets)

Blocking offending traffic (usually implemented with Access Control Lists - ACLs)

Creating session log files

Dropping the packet
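An added example, not from the original document, of the two detection forms above run over constructed web-server access-log lines: the sample lines, the two signature rules and the three-standard-deviation tolerance are all assumptions.

```python
"""Signature-based and profile-based (anomaly) detection over constructed
access-log lines. Added example, not from the original document; the log
lines, the signatures and the 3-sigma tolerance are constructed."""
import re
import statistics
from collections import Counter

FIELDS = ("minute", "client", "method", "path", "status")

# Constructed traffic believed to be clean, used to learn the profile.
BASELINE_LOG = """\
08:00 10.1.1.5 GET /index.html 200
08:00 10.1.1.5 GET /reports/q1.pdf 200
08:00 10.1.1.7 GET /login 200
08:01 10.1.1.5 GET /index.html 200
08:01 10.1.1.7 POST /login 302
08:01 10.1.1.7 GET /dashboard 200
08:02 10.1.1.9 GET /index.html 200
08:03 10.1.1.5 GET /index.html 200
08:03 10.1.1.5 GET /reports/q1.pdf 200
08:03 10.1.1.5 GET /reports/q2.pdf 200
08:03 10.1.1.7 GET /dashboard 200
08:03 10.1.1.9 GET /login 200
"""

# Constructed live traffic to be monitored.
LIVE_LOG = """\
08:04 10.1.1.5 GET /index.html 200
08:04 198.51.100.23 GET /../../etc/passwd 404
08:04 10.1.1.7 GET /dashboard 200
08:05 198.51.100.23 GET /login 200
08:05 198.51.100.23 POST /login 401
08:05 198.51.100.23 POST /login 401
08:05 198.51.100.23 POST /login 401
08:05 198.51.100.23 POST /login 401
08:05 198.51.100.23 POST /login 401
08:05 10.1.1.9 GET /search?q=x%27%20UNION%20SELECT%201 500
08:06 10.1.1.5 GET /reports/q2.pdf 200
"""

# Signature rules: a known pattern in the request path raises an alarm at
# once, with no training; unknown patterns are never seen by this form.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-injection", re.compile(r"(?i)union(?:%20|\s)+select")),
]


def parse_log(text: str) -> list:
    return [dict(zip(FIELDS, line.split())) for line in text.splitlines() if line.strip()]


def signature_alerts(events: list) -> list:
    """Signature-based detection: every event is checked against every rule."""
    return [(name, ev["client"], ev["path"])
            for ev in events for name, rx in SIGNATURES if rx.search(ev["path"])]


def requests_per_client_minute(events: list) -> Counter:
    return Counter((ev["minute"], ev["client"]) for ev in events)


def build_profile(events: list) -> dict:
    """Profile-based detection, step 1: learn the normal per-client request
    volume per minute from traffic believed to be clean."""
    counts = list(requests_per_client_minute(events).values())
    mean, stdev = statistics.mean(counts), statistics.pstdev(counts)
    return {"mean": mean, "stdev": stdev, "threshold": mean + 3 * stdev}


def profile_alerts(events: list, profile: dict) -> list:
    """Step 2: alarm on any client whose volume in a minute leaves the profile."""
    return sorted((minute, client, n)
                  for (minute, client), n in requests_per_client_minute(events).items()
                  if n > profile["threshold"])


if __name__ == "__main__":
    profile = build_profile(parse_log(BASELINE_LOG))
    live = parse_log(LIVE_LOG)
    print("signature alerts:", signature_alerts(live))
    print("profile alerts:", profile_alerts(live, profile))
    # Drift: a profile re-learned from traffic that already contains the burst
    # has a higher threshold; "normal" moves with whatever it is learned from.
    print("re-learned threshold:", build_profile(parse_log(BASELINE_LOG + LIVE_LOG))["threshold"])
```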

IDS Examples [14]:

Tripwire scans files and directories on Unix systems to create a snapshot record of their size, date, and signature hash. If you suspect an intrusion in the future, Tripwire will rescan your server and report any changed files by comparing the file signatures to the stored records. Tripwire was an open-source project of Purdue University, but it continues development as a licensed package of Tripwire Security Systems (www.tripwiresecurity.com).
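An added example, not Tripwire's own code, of the snapshot-and-compare approach the paragraph describes: it records the size, date and SHA-256 hash of every file under a directory and reports what was added, removed or changed against a stored baseline.

```python
"""Tripwire-style file-integrity baseline: record size, modification date and
a SHA-256 hash of every file under a root, then compare later snapshots with
the stored baseline. Added example, not from the original document."""
import hashlib
import os
import stat


def _sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(root: str) -> dict:
    """Map each regular file (path relative to root) to its size, mtime and hash.
    The baseline this returns should be stored where the monitored host cannot
    alter it (read-only media or a separate system)."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                continue
            records[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": _sha256_of(path),
            }
    return records


def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Report files added, removed and changed, naming the attributes that differ.
    A replaced file with the same size and a restored timestamp still shows up,
    because its hash differs; that is why the hash is recorded at all."""
    changed = {}
    for rel in sorted(baseline.keys() & current.keys()):
        diffs = [k for k in ("size", "mtime", "sha256") if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": changed,
    }


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    target = os.path.join(root, "ls")
    with open(target, "wb") as fh:
        fh.write(b"original-binary")
    baseline = take_snapshot(root)
    st = os.stat(target)
    with open(target, "wb") as fh:  # same length as before
        fh.write(b"trojaned-binary")
    os.utime(target, (st.st_atime, st.st_mtime))  # timestamp put back
    print(compare_snapshots(baseline, take_snapshot(root)))  # changed: {'ls': ['sha256']}
```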

Snort (www.snort.org) is an open-source intrusion detection system that relies upon raw packet capture (sniffing) and attack signature scanning to detect an extremely wide array of attacks. Snort is widely considered to be the best available intrusion detection system because of the enormous body of attack signatures that the open source community has created for it. The fact that it’s free and cross-platform pretty much ensures that the commercial IDSs won’t develop much beyond where they are now. Snort was originally developed for Unix and has been ported to Windows.

[14] Sybex: Network Security Fundamentals

Demarc PureSecure (www.demarc.com) is a best-of-breed network monitoring and intrusion detection system descended from Snort. PureSecure is a commercial product that uses Snort as its intrusion detector, but it adds typical network monitoring functions like CPU, network, memory, disk load, ping testing, and service monitoring to the sensors that run on every host. Demarc creates a web-based client/server architecture where the sensor clients report back to the central Demarc server, which runs the reporting website. By pointing your web browser at the Demarc server, you get an overview of the health of your network in one shot. Demarc can be configured to alert on all types of events, so keeping track of your network becomes quite easy. Demarc’s price is $1,500 for the monitoring software, plus $100 per sensor.

Network Flight Recorder (NFR, www.nfr.com) was one of the first inspector-based intrusion detection systems on the market and was originally offered as a network appliance. Now available as both software and network appliances, NFR has evolved into a commercial product very similar to Snort in its capabilities. However, since it is a commercial product, NFR can consult with you directly to analyze intrusion attempts, to train your staff, and to provide product support for its products.

15. Electronic Mail Security:

E-mail was one of the first services for which protocols were defined under the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. The two main mail protocols are Post Office Protocol 3 and Simple Mail Transfer Protocol.

Post Office Protocol 3 (POP3) is a lightweight e-mail client protocol using TCP port 110, used to receive e-mail from a server.


Simple Mail Transfer Protocol (SMTP) is an effective mail transfer protocol, but not very secure. SMTP uses TCP port 25 and is used to send e-mail from client to server and for server-to-server forwarding.

SMTP defines the mechanism a sender uses to connect to, request, and send e-mail to the server. SMTP was an effective protocol, but is riddled with security holes. SMTP can be identified on the network by its use of TCP port 25. SMTP takes up a lot of overhead. The Post Office Protocol version 3 (POP3) was created as a means of reducing the overhead required for a single workstation. POP3 is intended to permit a workstation to dynamically access a mail-drop on a server host. SMTP is used to send e-mail from an e-mail client to an e-mail server, and POP3 is used to retrieve e-mail from the e-mail server to the e-mail client. POP3 can be identified on the network by its use of TCP port 110.

When e-mail first came into existence, e-mail messages were meant to be pure text-only messages. As the Internet started to grow, graphic files, audio files, and Hypertext Transport Protocol (HTTP) content became part of mail. The Multipurpose Internet Mail Extensions (MIME) protocol was developed to handle these. MIME allows a one-time modification to e-mail reading programs that enables the program to display a wide variety of message types. This e-mail extension allows you to view dynamic multi-type e-mail messages that include color, sound, animations, and moving graphics. The drawback of MIME is that it also lacks adequate security: e-mail was still subject to the same old hacks, such as sniffing and replay. Secure MIME (S/MIME) was created to enable a more secure MIME.

S/MIME provides cryptographic security services for electronic messaging applications by providing authentication, message integrity, non-repudiation of origin (using digital signatures), and privacy and data security (using encryption). Using S/MIME is the preferred way of securing e-mail as it traverses the Internet.

Public Encryption of E-Mail messages - PGP


PGP uses a public key cryptosystem. In this method, each party creates an RSA public/private key pair. One of these keys is kept private (the private key), and one is given out to anyone on the public Internet (the public key). What one key encrypts, only its partner key can decrypt. This means that if user X obtains user Y’s public key and encrypts a message destined for user Y using that public key, the only person in the universe who can decrypt the message is user Y, who holds the corresponding private key. PGP is a hybrid cryptosystem; before encryption is performed, the e-mail data is first compressed. Compression not only makes an e-mail message smaller, it also removes patterns found in the plaintext, which mitigates many cryptanalysis techniques that look for these patterns. PGP provides the following security measures: confidentiality, data integrity, and sender authenticity.
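An added example (not from the original document) of the hybrid scheme behind both PGP and the S/MIME services listed above: the message is signed with the sender's private RSA key, compressed, encrypted under a one-time AES-256-GCM session key, and that session key is wrapped with the recipient's RSA public key. It assumes the third-party `cryptography` package; key sizes, the message and the packaging format are constructed.

```python
"""Hybrid (PGP-style) e-mail protection: sign, compress, then encrypt.

Added example, not from the original document or from any PGP or S/MIME
implementation. Requires the third-party `cryptography` package. RSA-PSS
signs the message, AES-256-GCM encrypts it under a one-time session key,
and RSA-OAEP wraps that session key for the recipient."""
import os
import struct
import zlib

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def generate_keypair():
    """Each party creates an RSA key pair; the private half never leaves them."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_message(plaintext: bytes, sender_priv, recipient_pub) -> dict:
    """Sender authenticity, then compression, then confidentiality and integrity."""
    # 1. Sign the plaintext with the sender's private key (authenticity,
    #    non-repudiation of origin). Constructed framing: 2-byte length + sig.
    signature = sender_priv.sign(plaintext, PSS, hashes.SHA256())
    bundle = struct.pack(">H", len(signature)) + signature + plaintext
    # 2. Compress before encrypting: the message shrinks, and repetitive
    #    plaintext patterns are gone before the cipher sees them.
    compressed = zlib.compress(bundle, 9)
    # 3. Encrypt under a fresh one-time session key; GCM's tag gives integrity.
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    body = AESGCM(session_key).encrypt(nonce, compressed, None)
    # 4. Wrap the session key with the recipient's public key: only the holder
    #    of the matching private key can unwrap it.
    wrapped_key = recipient_pub.encrypt(session_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "body": body}


def decrypt_message(msg: dict, recipient_priv, sender_pub) -> bytes:
    """Reverse the steps; raises ValueError if the message was altered or forged."""
    session_key = recipient_priv.decrypt(msg["wrapped_key"], OAEP)
    try:
        compressed = AESGCM(session_key).decrypt(msg["nonce"], msg["body"], None)
    except InvalidTag:
        raise ValueError("message body was modified in transit")
    bundle = zlib.decompress(compressed)
    (sig_len,) = struct.unpack(">H", bundle[:2])
    signature, plaintext = bundle[2:2 + sig_len], bundle[2 + sig_len:]
    try:
        sender_pub.verify(signature, plaintext, PSS, hashes.SHA256())
    except InvalidSignature:
        raise ValueError("signature does not match the claimed sender")
    return plaintext


if __name__ == "__main__":
    alice, bob = generate_keypair(), generate_keypair()
    msg = encrypt_message(b"Quarterly figures attached.", alice, bob.public_key())
    print(decrypt_message(msg, bob, alice.public_key()))
```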

Secure web-based mail: For a small business, utilizing a free open mail server has some advantages. Yahoo, for example, has teamed with Zixit Corporation, a company that enables secure, certified e-mail to any recipient. [15]

16. Disaster Recovery

Sometimes called Business Continuity Planning (BCP), the Disaster Recovery Plan (DRP) is the tactical actualization of BCP. The DRP is the operational plan and is a requirement for any corporation that has the goal of remaining in business after a natural or man-made disaster. In this section we discuss the backup and restore plan and strategies for business continuity. First, a listing of the types of events that might occur:

Sabotage
Bombings
Loss of Electrical Power
Arson
Earthquakes
Storm
Security Incidents (major)
Fire
Communication system outage
Strike (labor unrest)
Flood
Unavailability of Key Employees

[15] WindowsITPro, Jonathan Hassell: “Why should a SOHO user trust Zixit? The company has a well-planned security schedule with a data center it has secured by three manned controls—video monitoring, zone-based security, and smart authentication (e.g., proximity cards and biometric reading). Zixit uses Triple Data Encryption Standard (3DES) to secure messages coming into the data center, and duplicates the messages for storage on an online, redundant array of disks. To guard against media theft, Zixit doesn't make any removable media backups of the email messages it stores. The company also enforces a sender-configured expiration date, after which Zixit permanently erases all copies and records of the email. Zixit strictly schedules and adheres to third-party audits of its security procedures. In addition, the company reviews access logs for any unauthorized entry attempts and forwards the information to law enforcement authorities.”


The planning committee (DRP team) is made up of management and technical experts from each area of the company and meets at regular intervals. This team will hold a yearly disaster recovery exercise and participate in periodic probes and assessments of the company's security practices and technologies.

The general process of disaster recovery involves responding to the disruption; activation of the recovery team; ongoing tactical communication of the status of the disaster and its associated recovery; further assessment of the damage caused by the disruptive event; and recovery of critical assets and processes in a manner consistent with the extent of the disaster.

Respond: First there must be an initial response that begins the process of assessing the damage. Speed is essential during this initial assessment; there will be time later to more thoroughly assess the full scope of the disaster. The initial assessment will determine whether the event in question constitutes a disaster. An alternate data center may be required. If there is any doubt about whether an alternate facility will be necessary, then the sooner this can be communicated, the better for the recoverability of the systems. The initial response team should also be mindful of assessing the facility’s safety for continued personnel usage, or of seeking the counsel of those suitably trained for safety assessments of this nature.

Activate Team: If, during the initial response to a disruptive event, a disaster is declared, then the team that will be responsible for recovery needs to be activated.

Communicate: One of the most difficult aspects of disaster recovery is ensuring that consistent, timely status updates are communicated back to the central team managing the response and recovery process. In addition to communication of internal status regarding the recovery activities, the organization must be prepared to provide external communications, which involves disseminating details regarding the organization’s recovery status to the public.

Assess: Though an initial assessment was carried out during the initial response portion of the disaster recovery process, a more detailed and thorough assessment will be done by the disaster recovery team. The team determines the proper steps necessary to ensure the organization’s ability to meet its mission and its Maximum Tolerable Downtime (MTD).


Reconstitution: The goal of the reconstitution phase is to recover critical business operations at either the primary or the secondary (recovery) site. If an alternate site is used, adequate safety and security controls must be in place in order to maintain security continuity. In addition to the recovery team’s efforts at reconstitution of critical business functions at an alternate location, a salvage team will be employed to begin the recovery process at the primary facility that experienced the disaster.

One key to data recovery and business continuity is the data backup process. Holding data backups at safe locations is a major requirement. Another aspect of DRP that is becoming more prevalent is an arrangement in which two companies agree to be the “backup” facility for each other. This can work where the industries are similar and each company sets aside an area for the business continuity of the other. This may not work for direct competitors; however, the cost benefit of these plans is such that cooperation among rivals is actually becoming cost-effective (see reciprocal agreements, below).

The Alternate or Secondary (recovery) site:

A redundant site is an exact production duplicate of a system that has the capability to seamlessly operate all necessary IT operations without loss of services to the end user of the system. A redundant site receives data backups in real time, so that in the event of a disaster the users of the system have no loss of data. It is a building configured exactly like the primary site and is the most expensive recovery option because it effectively more than doubles the cost of IT operations. To be fully redundant, a site must have real-time data backups of the production system, and the end user should not notice any difference in IT services or operations in the event of a disruptive event.

A hot site is a location that an organization may take time to relocate to following a major disruption or disaster. It could be a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. The hot site will have all necessary hardware and critical application data mirrored in real time. A hot site will have the capability to allow the organization to resume critical operations within a very short period of time (hours). Hot sites can quickly recover critical IT functionality. However, a redundant site will appear to be operating normally to the end user no matter what the state of operations is for the IT program. A hot site has all the same physical, technical, and administrative controls implemented as the production site.

A warm site has readily accessible hardware and connectivity, but it will have to rely upon backup data in order to reconstitute a system after a disruption. It may have a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. Because of the extensive costs involved in maintaining a hot or redundant site, many organizations will elect to use a warm site recovery solution. These organizations will have to be able to withstand a Maximum Tolerable Downtime (MTD) of at least 1-3 days in order to consider a warm site solution. The longer the MTD is, the less expensive the recovery solution will be.

A cold site is the least expensive recovery solution to implement. It does not include backup copies of data, nor does it contain any immediately available hardware. After a disruptive event, a cold site will take the longest amount of time of all recovery solutions to implement and restore critical IT services for the organization. It could take weeks to get vendor hardware shipments in place, so organizations using a cold site recovery solution will have to be able to withstand a significantly long MTD. A cold site is typically a datacenter with a raised floor, power, utilities, and physical security, but not much beyond that.

Reciprocal agreements are bi-directional agreements between two organizations in which each organization promises the other that it can move in and share space if it experiences a disaster. The agreement is documented in the form of a contract written to gain support from outside organizations in the event of a disaster. They are also referred to as Mutual Aid Agreements (MAAs), and they are structured so that each organization will assist the other in the event of an emergency.

For each of these scenarios, frequent testing with a simulated disaster and the associated recovery is absolutely essential.

In this paper we have given a brief overview of some of the aspects of corporate security. We touched on physical security, network security, identity management and disaster recovery. There is no one correct way to maintain a secure operation. The emphasis should be on cost-appropriate measures rather than the latest technological gimmick, and on plenty of training to keep employees aware of the threats and risks. There should be a minimum of disruption to employees and their normal operations.


APPENDIX I

Security Policy: (Overview)

1.1 Goal: Secure and maintain company integrity, assets and personnel with minimum disruption to core operations.

Updates: The security department will facilitate semi-annual meetings to update this policy. Feedback will be solicited from each department.

Manufacturing Facilities:

2.0 Network assets (Listed)

2.1 Human Resources

2.2 Research and Development

2.3 Engineering

2.4 Corporate Management

3.0 Roles:

Each role is defined by: task definitions and detail, education and training requirements, certification requirements, particular compliance requirements (Fire Safety, OSHA, HIPAA, Sarbanes-Oxley, etc.), and pay and benefits scale, all maintained by the HR department.

Security Levels: Each role will imply at least two security levels, (Role - A) and (Role - B). The “A” level will be used for the employee who has completed the six-month evaluation period required for each role. The role definitions for each department will specify which functions a “B” level employee can complete alone and which must be completed with the oversight of an “A” level employee in the same role; for example, creating or deleting corporate folders for data storage, or creating, moving or modifying corporate data. The actual role detail is developed by the management of the particular department and maintained by the Human Resources department. Corporate management develops the roles at the Management Level I and Management Level II levels. See Appendix III for a matrix of roles.

4.0 Security Breach:


The list of information assets that require protection, and the level of protection for each, is negotiated between the department heads and the Security department after the Risk Analysis has been completed by the management team with the facilitation of the Security department. A security breach may or may not involve the actual release of information. Logs for each security measure are one of several sources used to discover a security breach. In the event of a security breach, specific actions are to be taken, and these differ for each type of breach. Details are enumerated in the Security Policy. For example, if a breach of Personally Identifiable Information (PII) occurs, the response team completes a specific process. PII refers to information that can be used to distinguish or trace an individual’s identity, e.g. name, social security number, date and place of birth, etc. The process, in brief, is:

1) Notify Security and your department manager.

2) Complete a report containing:

a. Date of incident

b. Number of individuals impacted

c. Their status: Government / Military / Civilian

d. Description of the incident, including the circumstances of the breach, the type of information lost or compromised, and whether the PII was encrypted or password protected.

3) The Security department completes the process with the corporate Legal team, depending on the actual incident. State laws differ on notifications; therefore the actual response may be different depending on where the incident occurred.

The process for a HIPAA information breach is somewhat different and is spelled out in the policy as well.


APPENDIX II

Vulnerability Assessment

The table below shows the results of an assessment that may be completed by an outside consulting firm. It should be repeated periodically as improvements are made. This type of security audit or assessment is often required by Government contracts. It is presented for illustration only; of course, an actual list would depend on the particular network / implementation being assessed.

Risk Assessment Findings (columns: Vulnerability | Business Impact Analysis | Mitigation)

Finding 1
Vulnerability: Server located in unlocked room. Physical access by unauthorized persons.
Business Impact Analysis: Potentially causes loss of CIA for the e-mail system through physical attack on the system.
Mitigation: Install hardware locks with PIN alarm system (risk is reduced to an acceptable level).

Finding 2
Vulnerability: Software is out of date. This version is insecure and has reached end of life from the vendor.
Business Impact Analysis: Loss of CIA for the e-mail system through cyber attack.
Mitigation: Update system software (risk is eliminated).

Finding 3
Vulnerability: Firewall weak or not properly implemented. DMZ protection needed due to network architecture and risk of intrusion.
Business Impact Analysis: Exposure to the Internet without a firewall increases the cyber threat. Loss of critical data possible. Potential catastrophic impact.
Mitigation: Move the e-mail server into a managed hosting site (risk is transferred to the hosting organization). Conduct penetration testing and resolve network breaches through improved network / firewall design and implementation.

CIA = Confidentiality, Integrity, or Availability


Appendix III

Roles matrix and Organization Chart

ROLES (Used for Security Authorization Purposes)

Each role carries both an A and a B security level. Columns: Mgmt I = Management Level I, Mgmt II = Management Level II, Supv = Supervisor, PM = Project Manager, Compl = Compliance, SME = Subject Matter Expert, Op I = Operator Class I, Op II = Operator Class II. X = role allocated in the department, - = not allocated.

DEPARTMENTS:               Mgmt I  Mgmt II  Supv  PM  Compl  SME  Op I  Op II
Human Resources              -       X       X    -    X     X    X     X
Research and Development     -       X       X    X    X     X    X     X
Engineering & Technology     -       X       X    X    X     X    X     X
Corporate Management         X       X       X    -    X     X    X     X
Marketing & Sales            -       X       X    -    X     X    X     X
Finance & Accounting         -       X       X    X    X     X    X     X
Manufacturing & Operations   -       X       X    X    X     X    X     X
IT Security & Architecture   X       X       X    X    X     X    X     X
Information Technology       -       X       X    X    X     X    X     X
Documentation & Training     -       X       X    X    X     X    X     X

The matrix (above) outlines potential allocations of roles within departments for security level authorizations and does not indicate actual assignments. The organization chart (below) represents the philosophy of utilizing the IT Security department to manage the IT department, whereas in traditional organizations it may be reversed, or often there are two competing organizations sometimes performing similar operations.
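An added example, not from the original document, that encodes the roles matrix above and the A/B security-level rule from Appendix I as an authorization check: the action names are hypothetical, and the example assumes an overseer must be an A-level employee holding the same role in the same department.

```python
"""Two-level (A/B) role authorization with A-level oversight for sensitive
actions, after the security-level scheme in Appendix I and the roles matrix
in Appendix III. Added example, not from the original document; the action
names are hypothetical and the "same role, same department" oversight rule
is an assumption."""
from typing import NamedTuple, Optional

ROLES = ["Management Level I", "Management Level II", "Supervisor",
         "Project Manager", "Compliance", "Subject Matter Expert",
         "Operator Class I", "Operator Class II"]

# Rows transcribed from the Appendix III matrix: X = role exists in department.
MATRIX_ROWS = {
    "Human Resources":            "- X X - X X X X",
    "Research and Development":   "- X X X X X X X",
    "Engineering & Technology":   "- X X X X X X X",
    "Corporate Management":       "X X X - X X X X",
    "Marketing & Sales":          "- X X - X X X X",
    "Finance & Accounting":       "- X X X X X X X",
    "Manufacturing & Operations": "- X X X X X X X",
    "IT Security & Architecture": "X X X X X X X X",
    "Information Technology":     "- X X X X X X X",
    "Documentation & Training":   "- X X X X X X X",
}
ROLE_MATRIX = {dept: {role: flag == "X" for role, flag in zip(ROLES, row.split())}
               for dept, row in MATRIX_ROWS.items()}

# Hypothetical action classes. Appendix I names folder and data changes as
# work a B-level employee may only do under A-level oversight.
B_ALONE = {"read_data", "run_report"}
NEEDS_A_OVERSIGHT = {"create_folder", "delete_folder", "modify_data", "move_data"}


class Employee(NamedTuple):
    name: str
    department: str
    role: str
    level: str  # "A" (past the six-month evaluation period) or "B"


def role_allocated(department: str, role: str) -> bool:
    return ROLE_MATRIX.get(department, {}).get(role, False)


def authorize(actor: Employee, action: str, overseer: Optional[Employee] = None):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if actor.level not in ("A", "B"):
        return False, "unknown security level"
    if not role_allocated(actor.department, actor.role):
        return False, f"role {actor.role!r} is not allocated in {actor.department}"
    if action not in B_ALONE | NEEDS_A_OVERSIGHT:
        return False, f"action {action!r} is not defined for this role"
    if actor.level == "A" or action in B_ALONE:
        return True, "permitted by role and level"
    # B-level employee performing a sensitive action: a qualified overseer is required.
    if overseer is None:
        return False, "B-level employee needs A-level oversight for this action"
    if overseer.name == actor.name:
        return False, "an employee cannot oversee their own work"
    if (overseer.level != "A" or overseer.role != actor.role
            or overseer.department != actor.department):
        return False, "overseer must be an A-level employee in the same role and department"
    return True, f"permitted under oversight of {overseer.name}"


if __name__ == "__main__":
    pat = Employee("pat", "Human Resources", "Operator Class I", "B")
    lee = Employee("lee", "Human Resources", "Operator Class I", "A")
    print(authorize(pat, "delete_folder"))                # (False, ...)
    print(authorize(pat, "delete_folder", overseer=lee))  # (True, ...)
```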


Organization chart (figure not reproduced). Units shown: Corporate Management; Manufacturing & Operations; Documentation & Training; Human Resources; Information Technology; Finance & Accounting; IT Security & Architecture; Engineering & Technology; Research & Development; Marketing & Sales.


Appendix IV

Typical network design: single location:


Network diagram (figure not reproduced): Screened Subnet dual firewall DMZ design. Labelled elements: DMZ, all hosts with IDS agent running (DNS server, web server, mail server, DMZ switch); firewalls with hot standby backup; internal switches for HR, Mfg, Eng, R&D, Corp, Marketing, Sales, IT & Security and Finance; file server with IDS agent. Features: redundant firewalls, redundant paths, Sales isolated on a separate router.