Security Threats and Controls

By the end of the lesson you should be able to:

  • Define data security
  • Identify security threats and control measures

Data Security refers to the process of protecting computer hardware, software, and communication systems against unauthorized access, destruction, or even modification.

Control refers to a procedure, action, device, or technique that reduces or eliminates the vulnerability of an information system.

Data Security Principles

These are also known as information security triads. They include Confidentiality, Integrity, and Availability.

Confidentiality refers to the ability of a system to ensure that the information system is only accessed or disclosed to authorized parties.

Integrity refers to the ability of a system to ensure that information can only be modified or altered by authorized parties.

Availability refers to the ability of a system to ensure that information system assets are usable by and accessible to all authorized parties.

Other Pillars of Data Security

  • Authentication
  • Nonrepudiation
  • Auditability

Security Threats and Control Measures

A threat refers to a set of circumstances that has the potential to cause loss or harm to information or information system gadgets. Threats mostly exploit a vulnerability (weakness) in an information system. Vulnerability is a weakness in the system.

Threats from System Failure

  • Hardware failure due to improper use
  • unstable power supply
  • network breakdown
  • natural disaster
  • storage failure
  • exploits

Threats from Malicious Programs

  • bootsector viruses
  • file viruses
  • hoax viruses
  • trojan horse
  • worms
  • Backdoors

Security Threats and Controls

By the end of the lesson you should be able to:

  • state control measures against hardware failure
  • state and explain threats from malicious programs
  • state the control measures against malicious programs

 

Control Measures against Hardware Failure

  • Use of UPS and surge protectors to protect computers against brownouts and blackouts, which may cause physical damage or data loss.
  • Use of disaster recovery plans, which involve establishing offsite storage of the organization's information assets, e.g. servers, databases and software.

Threats from malicious programs

Common types of malicious programs include:

  • Trojan Horses are malicious programs that seem to be genuine but carry out undesirable activities behind the scenes.
  • Worms are malicious programs that replicate and clog the memory, causing computers to hang. Worms can be transmitted over transmission media in a networked environment.
  • Boot Sector Viruses destroy the booting information on storage media.
  • File Viruses attach themselves to files.
  • Hoax Viruses are malicious programs that contain attractive messages but may affect a computer system.

Control measures against malicious programs

  • Installing a memory anti-virus software
  • Scanning file attachment for viruses before opening
  • Backing up software and data at regular intervals
  • scanning of removable storage media before using them

Computer Network Security

  1. Define Network Security
  2. Explain the three elements of security
  3. Explain various types of security
  4. Explain security control measures

 

Computer Network Security

Understanding Network Security

What is network security

Before we talk about network security, we need to understand in general terms what security is. Security is a continuous process of protecting an object from attack. That object may be a person, an organization such as a business, or property such as a computer system or a file. When we consider a computer system, for example, its security involves the security of all its resources such as its physical hardware components such as readers, printers, the CPU, the monitors, and others. In addition to its physical resources, it also stores non-physical resources such as data and information that need to be protected. 

In a distributed computer system such as a network, the protection covers physical and non-physical resources that make up the network including communication channels and connectors like modems, bridges, switches, and servers, as well as the files stored on those servers. In each one of these cases, therefore, security means preventing unauthorized access, use, alteration, and theft or physical damage to these resources. Security as defined thus involves the following three elements:

1. Confidentiality: to prevent unauthorized disclosure of information to third parties. This includes the disclosure of information about resources.

2. Integrity: to prevent unauthorized modification of resources and maintain the status quo. It includes the integrity of system resources, information, and personnel. The alteration of resources like information may be caused by a desire for personal gain or a need for revenge.

3. Availability: to prevent unauthorized withholding of system resources from those who need them when they need them.

Two types of security

  1. Physical Security

A facility is physically secure if it is surrounded by a barrier like a fence, has secure areas both inside and outside, and can resist penetration by intruders. Physical security can be guaranteed if the following four mechanisms are in place: deterrence, prevention, detection, and response 


 

Deterrence: 

Is usually the first line of defense against intruders who may try to gain access. It works by creating an atmosphere intended to frighten intruders. Sometimes this may involve warnings of severe consequences if security is breached.

Prevention 

Is the process of trying to stop intruders from gaining access to the resources of the system. Barriers include firewalls, DMZs, and use of access items like keys, access cards, biometrics, and others to allow only authorized users to use and access a facility.

Detection

Occurs when the intruder has succeeded or is in the process of gaining access to the system. Signals from the detection process include alerts to the existence of an intruder. Sometimes these alerts can be real time or stored for further analysis by the security personnel.

Response 

Is an aftereffect mechanism that tries to respond to the failure of the first three mechanisms. It works by trying to stop and/or prevent future damage or access to a facility.

The areas outside the protected system can be secured by wire and wall fencing, mounted noise or vibration sensors, security lighting, closed-circuit television (CCTV), buried seismic sensors, or different photoelectric and microwave systems [I]. Inside the system, security can be enhanced by the use of electronic barriers such as firewalls and passwords.

Firewalls

A firewall is hardware or software used to isolate the sensitive portions of an information system facility from the outside world and limit the potential damage that can be done by a malicious intruder.

Types of firewalls

Packet filters

These are packet-level filters. They contain gates that allow packets to pass through if they satisfy a minimum set of conditions, and choke or prevent those packets that do not meet the entry conditions. The minimum conditions may require packets to have permissible origin or destination addresses, as determined by the network administrator
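The gate logic described above, as an added example that is not part of the original lesson: rules are checked in order, the first match decides, and a packet that satisfies no rule is dropped. The rule set, addresses (documentation ranges) and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str                        # permissible origin network (CIDR)
    dst: str                        # permissible destination network (CIDR)
    dst_port: Optional[int] = None  # None matches any destination port


# Constructed policy for a hypothetical site: 192.0.2.0/24 is the public
# server segment, 10.0.0.0/8 is the internal network behind the filter.
RULES = (
    # Internal addresses must never appear as the origin on the outside
    # interface, so this rule is placed first.
    Rule("deny", "10.0.0.0/8", "192.0.2.0/24"),
    # Anyone may reach the web server, but only on port 443.
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 443),
    # Only the administrators' network may reach the management host.
    Rule("allow", "198.51.100.0/24", "192.0.2.20/32", 22),
)


def matches(rule: Rule, src: str, dst: str, dst_port: int) -> bool:
    """True when the packet header satisfies every condition of the rule."""
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
        and (rule.dst_port is None or rule.dst_port == dst_port)
    )


def filter_packet(src: str, dst: str, dst_port: int,
                  rules: Sequence[Rule] = RULES) -> str:
    """Return the action of the first matching rule; default is deny."""
    for rule in rules:
        if matches(rule, src, dst, dst_port):
            return rule.action
    return "deny"


def verdicts(packets):
    """Evaluate a batch of (src, dst, dst_port) headers."""
    return [filter_packet(*p) for p in packets]


# Constructed sample packet headers.
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.10", 443),   # public client to web server
    ("203.0.113.5", "192.0.2.10", 23),    # same client, port not permitted
    ("198.51.100.7", "192.0.2.20", 22),   # administrator to management host
    ("203.0.113.5", "192.0.2.20", 22),    # outsider to management host
    ("10.1.2.3", "192.0.2.10", 443),      # internal origin seen from outside
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts(SAMPLE_PACKETS)):
        print(pkt, "->", verdict)
```

Rule order matters: the last sample packet would match the web-server rule, but the earlier deny rule decides first.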

Proxy servers

With proxy servers, clients direct their requests for the application and the Internet connection through the server. If individual client requests conform to the pre-set conditions, then the firewall will act on the request; otherwise it is dropped. These firewalls require specialized client and server configurations depending on the application. 

Stateful inspection

These firewalls combine the filter and proxy functionalities. Because of this, they are considered complex and more advanced. The conditions for a stateful inspection are, like the filter, based on a set of rules. But unlike filters, these rules are not based on TCP or UDP but on applications like proxy servers. They filter packets by comparing their data with archived friendly packets.

Passwords

A password is a string of usually six to eight characters, with restrictions on length and start character, to verify a user to an information system facility, usually a computer system. Password security greatly depends on the password owner observing all of these four cardinal rules: 

  • Never publicize a password.
  • Never write a password down anywhere.
  • Never choose a password that is easy to guess.
  • Change your passwords frequently.

Password security is not only important to individuals whose files are stored on a system, but it is also vital to the system as a whole because once an intruder gains access to one password, he or she has gained access to the whole system, making all its files vulnerable.

  2. Pseudo-security (security through obscurity (STO))

This is virtual security in the sense that it is not physically implemented like building walls, issuing passwords, or putting up a firewall, but it is effectively based solely on a philosophy. The philosophy itself relies on a need-to-know basis, implying that a person is not dangerous as long as that person doesn't have knowledge that could affect the security of the system like a network, for example. In real systems where this security philosophy is used, security is assured through a presumption that only those with responsibility and who are trustworthy can use the system and nobody else needs to know. So in effect the philosophy is based on trust of those involved, assuming that they will never leave. If they do, then that means the end of security for that system. There are several examples where STO has been successfully used.

These include Coca-Cola, KFC, and other companies that have, for generations, kept their secret recipes secure based on a few trusted employees. 

 

  1. WHAT ARE WE PROTECTING?

What do we mean when we say that a resource or a system is secure? A resource is secure, based on the above definition, if that resource is protected from both internal and external unauthorized access. Similarly, system resources are secure when they are all protected from unauthorized access. These resources, physical or not, are objects. Ensuring security of an object, thus means protecting that object from unauthorized access both from within the object and externally. In short, we protect objects. System objects are either tangible or non-tangible. If we focus on computer system security in general and on network security in particular, the tangible objects are the hardware resources in the system and the intangible object is the information and data in the system, both in transition and static in storage.

 

2.2.1 Hardware

Protecting hardware resources includes protecting:

  • End user objects, which include the user interface hardware components such as all client system input components including a keyboard, the mouse, touch screen, light pens, and others.
  • Network objects like firewalls, hubs, switches, routers and gateways, which are vulnerable to hackers.
  • Network communication channels, to prevent eavesdroppers from intercepting network communications.

 

2.2.2 Software

Protecting software resources includes protecting hardware-based software, operating systems, server protocols, browsers, application software, and intellectual property stored on network storage disks and databases. It also involves protecting client software such as investment portfolios, financial data, real estate records, images or pictures, and other personal files commonly stored on home and business computers.

 

2.3 Security Services

We have defined security, and in particular system security, as a process of preventing unauthorized access to the system resources. Such prevention of unauthorized access to system resources is achieved through a number of security services that include access control, authentication, confidentiality, integrity, and non-repudiation.

 

2.3.1 Access Control

This is a service the system uses, together with identification information provided in advance by the user, such as a password, to determine who uses which of its services.

Hardware Access Control Systems

Rapid advances in technology have resulted in efficient access control tools that are open and flexible while at the same time ensuring reasonable precautions against risks. Access control tools falling in this category include: 

  • Access terminal- terminal access points have become very sophisticated and now they not only carry out user identification, but also verify access rights, control access points, and communicate with host computers. These activities can be done in a variety of ways including fingerprint verification and real-time anti-break-in sensors. Network technology has made it possible for these units to be connected to a monitoring network or remain in a standalone off-line mode.
  • Visual event monitoring- this is a combination of many technologies into one very useful and rapidly growing form of access control using a variety of real-time technologies including video and audio signals, aerial photographs, and global positioning system (GPS) technology to identify locations.
  • Identification cards- sometimes called proximity cards, these cards have become very common these days as a means of access control in buildings, financial institutions, and other restricted areas. The cards come in a variety of forms including magnetic, bar coded, contact chip, and a combination of these.
  • Biometric identification. This is perhaps the fastest growing form of control access tool today. Some of the most popular forms include fingerprint, iris, and voice recognition. However, fingerprint recognition offers a higher level of security.
  • Video surveillance. This is a replacement of the closed-circuit television (CCTV) of yesteryear, and it is gaining popularity as an access control tool. With fast networking technologies and digital cameras, images can now be taken and analyzed very quickly and action taken in minutes.

Software Access Control Systems

Software access control falls into two types: point of access monitoring and remote monitoring. In point of access (POA), personal activities can be monitored by a PC-based application. The application can even be connected to a network or to a designated machine or machines. The application collects and stores access events and other events connected to the system operation and downloads access rights to access terminals.

In remote mode, the terminals can be linked in a variety of ways including the use of modems, telephone lines, and all forms of wireless connections. Such terminals may, if needed, call in automatically at pre-set times or have an attendant report regularly.

Authentication

Authentication is a service used to identify a user. User identity, especially of remote users, is difficult because many users, especially those intending to cause harm, may masquerade as the legitimate users when they actually are not. This service provides a system with the capability to verify that a user is the very one he or she claims to be based on what the user is, knows, and has. 

Thus authentication is a process whereby the system gathers and builds up information about the user to ensure that the user is genuine. In data communication, authentication is also used to verify the identity of the sender and the integrity of the message. In computer systems, authentication protocols based on cryptography use either secret-key or public-key schemes to create an encrypted message digest that is appended to a document as a digital signature. 

Physically, we can authenticate users or user surrogates by checking one or more of the following user items:

  • User name (sometimes screen name)
  • Password
  • Retinal images: The user looks into an electronic device that maps his or her eye retina image; the system then compares this map with a similar map stored on the system.
  • Fingerprints: The user presses on or sometimes inserts a particular finger into a device that makes a copy of the user fingerprint and then compares it with a similar image on the system user file.
  • Physical location: The physical location of the system initiating an entry request is checked to ensure that a request is actually originating from a known and authorized location. In networks, to check the authenticity of a client's location a network or Internet protocol (IP) address of the client machine is compared with the one on the system user file. This method is used mostly in addition to other security measures because it alone cannot guarantee security. If used alone, it provides access to the requested system to anybody who has access to the client machine.
  • Identity cards: Increasingly, cards are being used as authenticating documents. Whoever is the carrier of the card gains access to the requested system. As is the case with physical location authentication, card authentication is usually used as a second-level authentication tool because whoever has access to the card automatically can gain access to the requested system.

 

Confidentiality

The confidentiality service protects system data and information from unauthorized disclosure. When data leaves one end of a system, such as a client's computer in a network, it ventures out into a non-trusting environment. So the recipient of that data may not fully trust that no third party, like a cryptanalyst or a man-in-the-middle, has eavesdropped on the data. This service uses encryption algorithms to ensure that nothing of the sort happened while the data was in the wild. Encryption protects the communications channel from sniffers.

Sniffers are programs written for and installed on the communication channels to eavesdrop on network traffic, examining all traffic on selected network segments. Sniffers are easy to write and install and difficult to detect.

The encryption process uses an encryption algorithm and key to transform data at the source, called plaintext; turn it into an encrypted, usually unintelligible, form called cipher-text; and finally recover it at the sink.




 

Integrity

The integrity service protects data against active threats such as those that may alter it. Just like data confidentiality, data in transition between the sending and receiving parties is susceptible to many threats from hackers, eavesdroppers, and cryptanalysts whose goal is to intercept the data and alter it based on their motives.

This service, through encryption and hashing algorithms, ensures that the integrity of the transient data is intact. 
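The integrity check described above, using the secret-key scheme mentioned under Authentication, as an added example that is not part of the original lesson: the sender appends a keyed digest to the message and the receiver recomputes it to detect alteration in transit. HMAC-SHA-256, the function names and the sample message are assumptions made for the example; a shared-key tag like this does not provide non-repudiation, which needs a public-key signature.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append a keyed message digest (HMAC) to the message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, blob: bytes) -> Optional[bytes]:
    """Receiver side: return the message if the digest checks out, else None."""
    if len(blob) < TAG_LEN:
        return None  # too short to even contain a digest
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison itself does
    # not leak how many leading bytes of a forged tag were correct.
    return message if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Run the exchange on a constructed message and return each outcome."""
    key = secrets.token_bytes(32)            # shared secret of both parties
    original = b"PAY 100 TO ALICE"           # constructed sample message
    sent = protect(key, original)

    # The same digest attached to an altered message, as it would look
    # after modification in transit.
    altered = b"PAY 900 TO ALICE" + sent[-TAG_LEN:]

    return {
        "intact": verify(key, sent),
        "altered": verify(key, altered),
        "wrong_key": verify(secrets.token_bytes(32), sent),
        "truncated": verify(key, sent[:10]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result!r}")
```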

 

Non-repudiation

This is a security service that provides proof of origin and delivery of service and/or information. In real life, it is possible that the sender may deny the ownership of the exchanged digital data that originated from him or her. This service, through digital signature and encryption algorithms, ensures that digital data may not be repudiated by providing proof of origin difficult to deny. A digital signature is a cryptographic mechanism that is the electronic equivalent of a written signature to authenticate a piece of data as to the identity of the sender.

 

SECURITY STANDARDS

Because security solutions come in many different types and use different technologies, security standards are used to bring about interoperability and uniformity among the many system resources with differing technologies within the system and between systems. System managers, security chiefs, and experts choose or prefer standards, if no de facto standard exists, that are based on service, industry, size, or mission. The type of service an organization is offering determines the types of security standards used. Like service, the nature of the industry an organization is in also determines the types of services offered by the system, which in turn determines the type of standards to adopt. The size of an organization also determines what type of standards to adopt. In relatively small establishments, the ease of implementation and running of the system influence the standards to be adopted.

Finally, the mission of the establishment also determines the types of standards used. For example, government agencies have a mission that differs from that of a university. These two organizations, therefore, may choose different standards. Here are the bodies and organizations behind the formulation, development, and maintenance of these standards. These bodies fall into the following categories:

  • International organizations such as the Internet Engineering Task Force (IETF), the Institute of Electronic and Electric Engineers (IEEE), the International Standards Organization (ISO), and the International Telecommunications Union (ITU).
  • Multinational organizations like the European Committee for Standardization (CEN), Commission of European Union (CEU), and European Telecommunications Standards Institute (ETSI).
  • National governmental organizations like the National Institute of Standards and Technology (NIST), American National Standards Institute (ANSI), and Canadian Standards Council (CSC).
  • Sector specific organizations such as the European Committee for Banking Standards (ECBS), European Computer Manufacturers Association (ECMA), and Institute of Electronic and Electric Engineers (IEEE). Etc

BEST PRACTICES IN SECURITY

To keep abreast of all changes of network insecurity, security experts and security managers must know how and what to protect and what controls to put in place and at what time. It takes security management, planning, policy development, and the design of procedures. Here are some examples of best practices;

  1. Commonly Accepted Security Practices and Regulations (CASPR)

Developed by the CASPR Project, this effort aims to provide a set of best practices that can be universally applied to any organization regardless of industry, size or mission. Such best practices would, for example, come from the world's experts in information security. CASPR distills the knowledge into a series of papers, and publishes them so they are freely available on the Internet to everyone.

The project covers a wide area including operating system and system security, network and telecommunication security, access control and authentication, info-security management, info-security auditing and assessment, info-security logging and monitoring, application security, application and system development, and investigations and forensics.

  2. Control Objectives for Information and (Related) Technology (COBIT):

Developed by IT auditors and made available through the Information Systems Audit and Control Association, COBIT provides a framework for assessing a security program. COBIT is an open standard for control of information technology. COBIT was designed to help three distinct audiences;

  • Management who need to balance risk and control investment in an often unpredictable IT environment
  • Users who need to obtain assurance on the security and controls of the IT services upon which they depend to deliver their products and services to internal and external customers
  • Auditors who can use it to substantiate their opinions and/or provide advice to management on internal controls.

  3. Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

Is an approach for self-directed information security risk evaluations that:

  • Puts organizations in charge
  • Balances critical information assets, business needs, threats, and vulnerabilities
  • Measures the organization against known or accepted good security practices
  • Establishes an organization-wide protection strategy and information security risk mitigation plans

In short, it provides measures based on accepted best practices for evaluating security programs. It does this in three phases:

  • First it determines information assets needing to be protected.
  • Evaluates the technology infrastructure to determine if it can protect those assets and how vulnerable it is and defines the risks to critical assets
  • Uses good security practices, establishes an organization-wide protection strategy and mitigations plans for specific risks to critical assets.

ELEMENTS OF SECURITY

We will conclude this chapter on security by discussing those fundamental elements that someone interested in the security of a computer system or a network may find valuable. One may decide to take all of them or a combination of some of them. Remember we have been saying that there is no perfect security, and security of individual computer systems or a network is based on the needs of that system. So the choice of which of these elements to use depends entirely on the needs of the enterprise that owns the computer system or network.

The Security Policy

There are many and varied views on the necessity of a security plan. Some security experts do not consider it essential while others do. However, it is an important element in the security environment of an enterprise. The security plan emphasizes a number of factors starting with the identification of all critical operations in the system that must be secured, those that are needed, but not critical to daily operations, and those operations that can be secured. 

Second it prioritizes the system resources and the information stored on each. The security policy also assigns risk factors to all these classified resources. Once the risk factors are assigned to each resource, a list of acceptable security measures for each resource is drawn. It further categorizes the activities of the computer system or network as acceptable and unacceptable. A security plan must also focus on the people using the system by dividing them into two groups, those on the security team and the users. For each group appropriate education on security must be enforced, emphasizing what constitutes security and what needs to be done in case of a security breach. There are different aspects of a security plan and varying depths of what must be included depending on the needs of the enterprise.

Access Control

As information becomes more valuable and more people join the ever growing Internet, scavenger hunters, hackers, activists, robbers, and all sorts of people will continue to flock onto the Internet and the security of information of a society increasingly dependent on computer networks will become vital. The importance of this security element, therefore, cannot be over emphasized. Security experts approach access control based on a variety of techniques including access control list, a list that identifies individual users and groups associated with each object in the database and the rights that the user or group has when accessing that object, and the execution control list, which consists of the resources and actions that a program can access/perform while it is executing and determines which program activities are appropriate and which are not.

Strong Encryption Algorithms

The amount of information stored on and traversing computer systems and networks has been increasing both in volume and value as networks expand. The security of that information, however, has become increasingly threatened by the quality and security of the software running on these machines, as we have already pointed out, and also by the sheer determination and number of hackers trying to access that information. Research has shown a high volume of vulnerabilities in the network infrastructure and embarrassingly poor protocols. Hackers are exploiting these software bugs, which are sometimes easy to fix, eavesdropping and intercepting communication data with increasing ease. The security of information, therefore, rests with finding strong encryption algorithms that will thwart would-be intruders.

Authentication Techniques

Many people have rightly put it that the future of e-commerce is riding on strong encryption and authentication techniques. As more and more people go online to buy and sell their wares, they need strong and trustworthy algorithms that will make such transactions safe.

Auditing

The purpose of auditing is to find as many problems as possible in the system before the intruders find them for you. The wisdom of testing is that the better and more you test, the more difficult your network will be to attack. An audit keeps you aware and honest about the security of the system so that you discard the myth that if it is not broken into it is secure. Also if done by an outsider, an audit however poor it is, gives you a standard to measure your security needs. Finally, an audit done by an outsider gives a comparison of the types of problems you have as compared to those in other institutions where the auditor has been.

There are two types of auditing: active and passive.

Active auditing involves actively responding to illicit access and intrusion and in between these intrusions; passive, on the other hand, is not a real-time mechanism. It depends on someone to review the logs and then act upon the information they contain.
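Passive auditing as described above, as an added example that is not part of the original lesson: a stored access log is reviewed after the fact for bursts of failed logins from one source and for a successful login that follows such a burst. The log format, sample lines, threshold and window are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access log in a hypothetical "timestamp result user source"
# format; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T08:00:01 FAIL alice 198.51.100.23
2024-05-01T08:00:09 FAIL alice 198.51.100.23
2024-05-01T08:00:15 FAIL bob 198.51.100.23
2024-05-01T08:00:21 FAIL alice 198.51.100.23
2024-05-01T08:00:30 OK alice 198.51.100.23
2024-05-01T08:05:00 FAIL carol 192.0.2.44
2024-05-01T09:30:00 FAIL carol 192.0.2.44
2024-05-01T09:30:20 OK carol 192.0.2.44
this line is malformed
"""


def parse(line):
    """Return (timestamp, result, user, source) or None for a bad line."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("OK", "FAIL"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def review(log_text, threshold=3, window=timedelta(minutes=1)):
    """Review a stored log; return (findings, number_of_unparsed_lines).

    Each finding is a tuple (kind, source, user, timestamp).
    """
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    findings = []
    skipped = 0
    for line in log_text.splitlines():
        record = parse(line)
        if record is None:
            skipped += 1          # count unparsed lines so the reviewer sees the gap
            continue
        ts, result, user, source = record
        fails = recent[source]
        # Forget failures that fell out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == threshold:   # report once per burst
                findings.append(
                    ("repeated-failures", source, user, ts.isoformat()))
        elif len(fails) >= threshold:
            # A success right after a burst of failures deserves a closer look.
            findings.append(
                ("success-after-failures", source, user, ts.isoformat()))
            fails.clear()
    return findings, skipped


if __name__ == "__main__":
    found, unparsed = review(SAMPLE_LOG)
    for item in found:
        print(item)
    print("unparsed lines:", unparsed)
```

Carol's two failures are more than a minute apart, so her later successful login is not flagged; only the burst from 198.51.100.23 is.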