Security+ Study Guide
© 2003 certificationsuccess.com, Your Free Certification Portal
Compiled by: Kiran Gupta, kirang@nda.vsnl.net.in, www.v-netonline.com

Contents

General Security Concepts
  COMMON THREATS
Access Control
  Logical access controls
  Common logical access controls implemented by operating systems
  Physical Access Controls
Authentication
  Kerberos
  Digital certificates
  Challenge Handshake Authentication Protocol (CHAP)
  Tokens
  Biometrics
Attacks
  Denial of Service Attack (DoS)
  Back Door
  Spoofing
  Man in the middle
  Birthday
  Social Engineering
  Password Guessing
Prevention from Attacks
  Patching
  Virus Detection
  Firewalls
  Password Crackers
  Encryption
  Vulnerability Scanners
  Configuring Hosts for Security
  War Dialing
  Security Advisories
  Intrusion Detection
  Network Discovery Tools and Port Scanners
  Incident Response Handling
  Security Policies
  Denial of Service Testing (for firewalls and Web servers)
Auditing
  Internal Controls Audit
  Security Checklists
  Penetration Testing
  Monitoring Types
  Review of System Logs
  Automated Tools
  Configuration Management/Managing Change
  Trade Literature/Publications/Electronic News
  Periodic Re-accreditation
Remote Access
  Secure Your Wireless Network
  802.1x Authentication
  Virtual private network (VPN) connections
  Point-to-Point Tunneling Protocol (PPTP)
  Layer Two Tunneling Protocol (L2TP)
  Remote Authentication Dial-In User Service (RADIUS)
  IP Security (IPSec)
  TACACS
  XTACACS
  TACACS+
Email
  S/MIME
  HOAXES
Web
  SSL/TLS
  Vulnerabilities
  Vulnerable CGI programs
  Web server attacks
  Web browser attacks
  Global file sharing
  User IDs, especially root/administrator, with no passwords or weak passwords
  IMAP and POP buffer overflow vulnerabilities or incorrect configuration
  Default SNMP community strings set to 'public' and 'private'
File Transfer
  Active FTP
  Passive FTP
IP spoofing
TCP sequence number prediction
DNS poisoning through sequence prediction
Packet sniffing
Virtual LANs
  Benefits of VLANs
  Basic models of VLAN
Network Address Translation (NAT)
  Internet Connection Sharing & NAT
Network intrusion detection system (NIDS)
  Network intrusion detection systems (NIDS)
  System integrity verifiers (SIV)
  Log file monitors (LFM)
  Physical Intrusion
  System Intrusion
  Remote Intrusion
  How are intrusions detected
  Honeypots
Hardening
  Security through Obscurity
  Hardening Requires Making Choices
CRYPTOGRAPHY
  Basic Cryptographic Technologies
  Key Escrow
  Uses of Cryptography
  Electronic Signature
PKI
  Creation of a certificate
  Certificate Enrollment
Physical Security
  Physical Access Controls
  Fire Safety Factors
  Failure of Supporting Utilities
  Structural Collapse
  Plumbing Leaks
  Interception of Data
  Mobile and Portable Systems
  Interdependencies
  Cost Considerations
CONTINGENCIES AND DISASTERS
Forensics
  Computer Time and Date Settings
  Hard Disk Partitions
  Operating System and Version
  Data and Operating System Integrity
  Computer Virus Evaluation
  File Catalog
  Software Licensing
  Retention of Software, Input Files and Output Files
COMPUTER SECURITY RISK MANAGEMENT
  Risk Assessment
  Risk Mitigation
AWARENESS, TRAINING, AND EDUCATION

General Security Concepts

COMMON THREATS

Computer systems are vulnerable to many threats that can inflict various types of damage, resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. Losses can stem, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks.
Precision in estimating computer security-related losses is not possible because many losses are never discovered, and others are "swept under the carpet" to avoid unfavorable publicity. The effect of various threats varies considerably: some affect the confidentiality or integrity of data, while others affect the availability of a system.

Errors and Omissions

Errors and omissions are an important threat to data and system integrity. These errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all types of users who create and edit data. Many programs, especially those written by end users for personal computers, lack quality control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. A sound awareness and training program can help an organization reduce the number and severity of errors and omissions.

Users, data entry clerks, system operators, and programmers frequently make errors that contribute directly or indirectly to security problems. In some cases the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases the error makes the system vulnerable.

Fraud and Theft

Computer systems can be exploited for both fraud and theft, both by "automating" traditional methods of fraud and by using new methods. For example, individuals may use a computer to skim small amounts of money from a large number of financial accounts, assuming that small discrepancies will not be investigated. Financial systems are not the only ones at risk. Systems that control access to any resource are targets (e.g., time and attendance systems, inventory systems, school grading systems, and long-distance telephone systems). Computer fraud and theft can be committed by insiders or outsiders. Insiders, i.e., authorized users of a system, are responsible for the majority of fraud.
Employee Sabotage

Employees are most familiar with their employer's computers and applications, including knowing what actions might cause the most damage, mischief, or sabotage. The downsizing of organizations in both the public and private sectors has created a group of individuals with organizational knowledge who may retain system access if their accounts are not deleted in a timely manner. The number of incidents of employee sabotage is believed to be much smaller than the number of thefts, but the cost of such incidents can be quite high.

Hackers and crackers

The term malicious hackers, sometimes called crackers, refers to those who break into computers without authorization. They can include both outsiders and insiders. Briefly, the difference between a hacker and a cracker is as follows.

A hacker is a person intensely interested in the arcane and recondite workings of any computer operating system. Most often, hackers are programmers. As such, hackers obtain advanced knowledge of operating systems and programming languages. They may know of holes within systems and the reasons for such holes. Hackers constantly seek further knowledge, freely share what they have discovered, and never intentionally damage data.

A cracker is a person who breaks into or otherwise violates the system integrity of remote machines, with malicious intent. Crackers, having gained unauthorized access, destroy vital data, deny legitimate users service, or otherwise cause problems for their targets.

Industrial Espionage

Industrial espionage is the act of gathering proprietary data from private companies or the government for the purpose of aiding another company or companies. It can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries.
Foreign industrial espionage carried out by a government is often referred to as economic espionage. Since information is processed and stored on computer systems, computer security can help protect against such threats; it can do little, however, to reduce the threat of authorized employees selling that information.

Malicious Code

Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other uninvited software.

Malicious Software: A Few Key Terms

Virus

A code segment that replicates by attaching copies of itself to existing executables. The new copy of the virus is executed when a user executes the new host program. The virus may include an additional "payload" that triggers when specific conditions are met; for example, some viruses display a text string on a particular date. There are many types of viruses, including variants, overwriting, resident, stealth, and polymorphic viruses.

Trojan Horse

A program that performs a desired task but also includes unexpected (and undesirable) functions. For example, an editing program on a multiuser system could be modified to delete one of the user's files at random each time it performs its useful function (editing); the editing is expected, the deletions are not.

Worm

A self-replicating program that is self-contained and does not require a host program. The program creates a copy of itself and causes it to execute; no user intervention is required. Worms commonly use network services to propagate to other host systems.

Access Control

Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which that ability is explicitly enabled or restricted in some way (usually through physical and system-based controls).

Logical access controls

Computer-based access controls are called logical access controls.
Logical access controls can prescribe not only who or what is to have access to a specific system resource but also the type of access that is permitted. These controls may be built into the operating system, may be incorporated into application programs or major utilities (e.g., database management systems or communications systems), or may be implemented through add-on security packages. Logical access controls may be implemented internally on the computer system being protected or through external devices.

Logical access controls can help protect:

1. Operating systems and other system software from unauthorized modification or manipulation (and thereby help ensure the system's integrity and availability).
2. The integrity and availability of information, by restricting the number of users and processes with access.
3. Confidential information from being disclosed to unauthorized individuals.

Common logical access controls implemented by operating systems

Mandatory access control (MAC): the system, not the owner of a resource, decides access. Every subject (user or process) carries a clearance and every object (file, device) carries a classification label; the operating system permits an access only if the subject's label dominates the object's, and an owner cannot grant an exception. The abbreviation MAC also stands for Message Authentication Code, a keyed hash computed over a block of data with a shared secret (arranged manually or through Kerberos, for example) that ensures the data's integrity and origin without public-key cryptography or encryption. That is a cryptographic integrity mechanism, not an access control, and the two should not be confused.

Discretionary access control (DAC): the owner of a resource decides who may access it and how, typically through permissions or an access control list attached to the file or object. For example, if only a small portion of the staff needs Microsoft Excel, in the Windows NT security model the owner or administrator can deny access to all other users. DAC implementations differ in granularity: some operating systems or utilities offer only coarse control (perhaps allowing an administrator to block user access to whole directories or partitions).
Coarse control of that kind is not really suitable in large networks, where one or more directories may hold applications or resources that other programs need in order to execute.

Role Based Access Control (RBAC): RBAC controls which files and resources a user may access based on the user's role in the organization rather than on individual identity. RBAC is built on the separation of duties, administration and access in the organization. A role brings together a collection of users and a collection of permissions; both collections vary with time, but the permission set is reviewed once per role rather than once per user. The use of roles can be a very effective way of providing access control. The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in the organization.

Physical Access Controls

Physical access controls restrict the entry and exit of personnel (and often equipment and media) from an area, such as an office building, suite, data center, or room containing a LAN server. The controls over physical access to the elements of a system can include controlled areas, barriers that isolate each area, entry points in the barriers, and screening measures at each of the entry points. In addition, staff members who work in a restricted area serve an important role in providing physical security, as they can be trained to challenge people they do not recognize.

Physical access controls should address not only the area containing system hardware, but also the locations of wiring used to connect elements of the system, the electric power service, the air conditioning and heating plant, telephone and data lines, backup media and source documents, and any other elements required for the system's operation. This means that all the areas in the building(s) that contain system elements must be identified.
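The three models described under logical access controls, as an added worked example (not from the study guide): a short Python program that applies DAC, MAC and RBAC to the same kind of request so the differences are visible. The users, files, labels, roles and permissions are constructed for illustration.

```python
"""Added worked example (not from the study guide): DAC, MAC and RBAC applied to
constructed users, files, labels and roles so the three models can be compared."""
from collections import defaultdict


class DacObject:
    """DAC: the owner of the object decides who may access it (an ACL)."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = defaultdict(set)          # user -> set of permissions

    def grant(self, actor, user, perm):
        # Discretionary: only the owner may change the ACL.
        if actor != self.owner:
            raise PermissionError("%s is not the owner" % actor)
        self.acl[user].add(perm)

    def allows(self, user, perm):
        return user == self.owner or perm in self.acl[user]


# MAC: labels are assigned by the system, not the owner; a subject may read an
# object only if its clearance dominates the object's classification, and no
# owner can grant an exception.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows_read(subject_clearance, object_label):
    return LEVELS[subject_clearance] >= LEVELS[object_label]


class Rbac:
    """RBAC: users are collected into roles, permissions are attached to roles,
    and separation of duties can forbid one user from holding two roles."""

    def __init__(self):
        self.role_perms = {}                 # role -> set of permissions
        self.user_roles = defaultdict(set)   # user -> set of roles
        self.exclusive = set()               # frozenset({role_a, role_b}) pairs

    def add_role(self, role, *perms):
        self.role_perms[role] = set(perms)

    def separate(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        for held in self.user_roles[user]:
            if frozenset((held, role)) in self.exclusive:
                raise ValueError("%s: %s and %s are mutually exclusive" % (user, held, role))
        self.user_roles[user].add(role)

    def allows(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.user_roles[user])


def demo():
    results = {}
    # DAC: alice owns payroll.xls and grants bob read; bob cannot pass it on.
    payroll = DacObject(owner="alice")
    payroll.grant("alice", "bob", "read")
    results["dac_bob_read"] = payroll.allows("bob", "read")
    results["dac_bob_write"] = payroll.allows("bob", "write")
    try:
        payroll.grant("bob", "carol", "read")
        results["dac_bob_can_regrant"] = True
    except PermissionError:
        results["dac_bob_can_regrant"] = False
    # MAC: clearance against classification; ownership plays no part.
    results["mac_secret_reads_confidential"] = mac_allows_read("secret", "confidential")
    results["mac_confidential_reads_secret"] = mac_allows_read("confidential", "secret")
    # RBAC: permissions flow from roles; clerk and approver must not be one person.
    rbac = Rbac()
    rbac.add_role("clerk", "create_invoice")
    rbac.add_role("approver", "approve_invoice")
    rbac.separate("clerk", "approver")
    rbac.assign("dave", "clerk")
    results["rbac_dave_create"] = rbac.allows("dave", "create_invoice")
    results["rbac_dave_approve"] = rbac.allows("dave", "approve_invoice")
    try:
        rbac.assign("dave", "approver")
        results["rbac_sod_enforced"] = False
    except ValueError:
        results["rbac_sod_enforced"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of running all three side by side: under DAC the decision rests with the owner (bob cannot re-grant what alice gave him), under MAC the owner does not appear in the decision at all, and under RBAC the question is never "can dave?" but "can a clerk?", which is also where separation of duties is enforced.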
Authentication

Authentication is the process of ensuring that the parties on both ends of a connection are, in fact, who they say they are. This applies not only to the entity trying to access a service but also to the entity providing the service.

Kerberos

Kerberos is an authentication solution designed to provide single sign-on in a heterogeneous environment. It allows mutual authentication and encrypted communication between users and services. Unlike security tokens, however, Kerberos relies on each user to remember and maintain a unique password.

When a user authenticates to the local operating system, a local agent (the Kerberos client) sends an authentication request to the Kerberos server, the Key Distribution Center (KDC). The server responds with credentials for that user: a ticket-granting ticket (TGT) and a session key, encrypted under a key derived from the user's password. The local agent tries to decrypt the reply with the password the user supplied. If the correct password has been supplied, the decryption succeeds, the user is validated, and the TGT can be exchanged at the KDC for tickets to other Kerberos-authenticated services. The user is also given session keys that can be used to encrypt data sessions. Once the user is validated, the password is not needed again: the client obtains service tickets with the TGT and presents them to Kerberos-aware servers and applications. Users therefore need only one password to reach every system on the network to which they have been granted access.

Digital certificates

Digital certificates are electronic credentials that represent an entity on the network. The entity can be a user, a computer, or a network device. Possession of a certificate and its associated public and private keys provides authentication and encryption services. A private key can be used to create a unique digital signature.
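Signing with a private key and checking the result with the matching public key, as an added worked example (not from the study guide): textbook RSA on toy-sized parameters so every step is visible. The primes, the public exponent and the sample message are assumptions chosen for the demonstration, and there is no padding, so this shows the relationship between the two keys and is not a safe signature scheme.

```python
"""Added worked example (not from the study guide): sign with a private key,
verify with the public key, using textbook RSA on toy-sized parameters.
Assumptions: the primes and exponent below are illustrative; there is no
padding, so this demonstrates the relationship, not a safe scheme."""
import hashlib


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def make_keypair(p, q, e=65537):
    """Derive (public, private) RSA keys from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    g, d, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi(n)")
    d %= phi                                  # private exponent d = e^-1 mod phi
    return (n, e), (n, d)


def digest_mod_n(message, n):
    """Hash the message first; reduce into Z_n only because the toy modulus is
    far smaller than a SHA-256 digest (a real scheme pads instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    n, d = private_key
    return pow(digest_mod_n(message, n), d, n)          # s = H(m)^d mod n


def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(message, n)   # s^e mod n == H(m)?


def demo():
    # Toy primes (1000003 and 999983 are prime); n is about 10^12.
    public_key, private_key = make_keypair(1000003, 999983)
    msg = b"transfer 100 to account 42"                 # constructed sample message
    sig = sign(msg, private_key)
    n = public_key[0]
    return {
        "valid": verify(msg, sig, public_key),
        "tampered_message": verify(b"transfer 900 to account 42", sig, public_key),
        "forged_signature": verify(msg, (sig + 1) % n, public_key),
        "public_key": public_key,
        "private_key": private_key,
    }


if __name__ == "__main__":
    print(demo())
```

Only the holder of d can produce a value whose e-th power equals the message hash, which is why a valid signature authenticates the signer; changing either the message or the signature breaks the relationship. A certificate binds the public key used here to an identity, which is the problem the next paragraphs address.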
This signature can then be verified later with the corresponding public key to ensure that the signature is authentic. This process provides a very strong method of authenticating a user's identity. A digital certificate server (a certificate authority) provides a central point of management for many public keys, so that every user need not maintain and manage copies of every other user's public key.

Challenge Handshake Authentication Protocol (CHAP)

In CHAP the server (the authenticator) sends the client a random challenge. The client runs its password and the challenge through a hashing algorithm (MD5 over a one-byte identifier, the password and the challenge, per RFC 1994) and returns only the hash. The server identifies the user, obtains the password from its directory, computes the same hash over the same challenge and password, and authenticates the user if the results match. The password itself never crosses the link, and a fresh challenge for every attempt defeats replay of an old response.

For this comparison, CHAP requires that the user's password be stored in plaintext or in a reversibly encrypted form at the domain controller (in Windows domains this is the "Store password using reversible encryption" account attribute). Enabling the attribute does not convert existing one-way password hashes: the reversible copy is stored only when the user next changes the password.

Tokens

Tokens store authentication information in a form that is not human-readable. Special reader/writer devices control the writing and reading of data to and from the tokens. The most common type of token is the magnetic stripe card, in which a thin stripe of magnetic material is affixed to the surface of a card (as on the back of credit cards). A common application of tokens for authentication to computer systems is the automatic teller machine (ATM) card, which combines something the user possesses (the card) with something the user knows (the PIN).

Biometrics

Biometric authentication technologies use the unique characteristics (or attributes) of an individual to authenticate that person's identity.
These characteristics include physiological and behavioral attributes.

Physiological attributes
• Fingerprints
• Hand geometry
• Retina patterns

Behavioral attributes
• Voice patterns
• Hand-written signatures

Biometric authentication technologies based upon these attributes have been developed for computer log-in applications. Biometric authentication is technically complex and expensive, and user acceptance can be difficult. However, efforts are being made to make the technology reliable, less costly, and user-friendly. Biometric systems can provide an increased level of security for computer systems, but the technology is less mature than that of memory tokens or smart tokens. Imperfections in biometric authentication devices arise from technical difficulties in measuring and profiling physical attributes as well as from the somewhat variable nature of physical attributes, which may change depending on various conditions. For example, a person's speech pattern may change under stressful conditions or when suffering from a sore throat or cold. Due to their relatively high cost, biometric systems are typically used together with other authentication means in environments requiring high security.

Attacks

Attacks on a computer system or computer network take various forms, such as:

Denial of Service Attack (DoS)

The Denial of Service (DoS) attack does not involve an intruder gaining access. Instead, the cracker undertakes remote procedures that render a portion (or sometimes all) of a target inoperable. The techniques employed in such an attack are simple, because connections over the Internet are initiated via a procedure called the three-way handshake. In this process, the requesting machine sends a packet requesting a connection. The target machine responds with an acknowledgment. The requesting machine then returns its own acknowledgment and a connection is established.
In this attack, the requesting (cracker's) machine sends a series of connection requests but fails to acknowledge the target's response. Since the target never receives that acknowledgment, it waits. If this process is repeated many times, it renders the target's ports useless because the target is still waiting for the response. These connection requests are dealt with sequentially. Eventually, the target will abandon waiting for each such acknowledgment. Nevertheless, if it receives tens or even hundreds of these requests, the port will remain engaged until it has processed and discarded each request.

Back Door

A back door is a hidden method through which an attacker can later return to the affected machine and gain control over it. Back doors circumvent normal system protection and allow attackers unauthorized access in the future.

Spoofing

A spoofing attack involves nothing more than forging one's source address. It is the act of using one machine to impersonate another. To understand how this occurs, you must know a bit about authentication. Every user has encountered some form of authentication, most often while connecting to a network. On the Internet, however, application-level authentication routines are in the minority. Authentication routines occur continuously, and most of them are totally invisible to the user. The difference between these routines and application-level authentication routines is fundamental. In application-level authentication, a machine challenges the user: the machine requests that the user identify himself. In contrast, non-application-level authentication routines occur between machines. One machine demands some form of identification from another. Until this identification is produced and validated, no transactions occur between the machines engaged in the challenge-response dialog. Such machine-to-machine dialogs always occur automatically (that is, without human intervention).
In the IP spoofing attack, the cracker attempts to capitalize on the automated nature of the dialog between machines. Thus, the IP spoofing attack is an extraordinary method of gaining access because the cracker never uses a username or password.

Man in the middle

In this type of attack an attacker sits on a network segment between a server and a client and quietly monitors the session. This gives the attacker time to learn which port and sequence numbers are being used to carry on the conversation. The attacker then crashes the client with a wild ping or an ICMP flood attack, so that the client cannot respond to traffic sent by the server. Now that the client is out of the way, the attacker is free to communicate with the server as if he were the client. A good authentication scheme should also verify that the source remains constant and has not been replaced by another system. This can be achieved by exchanging a secret during the course of the communication session.

Birthday

A birthday attack is the name used for a class of brute-force attacks. It gets its name from the surprising result that the probability that two or more people in a group of 23 share the same birthday is greater than 1/2. This result is called the birthday paradox. If some function, when supplied with a random input, returns one of k equally likely values, then by repeatedly evaluating the function for different inputs we expect to obtain the same output twice after about 1.2·k^(1/2) (that is, 1.2·√k) evaluations. For the birthday paradox above, replace k with 365. Birthday attacks are often used to find collisions of hash functions.

Social Engineering

Social engineering is the term used for obtaining passwords by getting people to give them away. Users may share their passwords; they may give their password to a co-worker in order to share files. In addition, people can be tricked into divulging their passwords.
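The birthday paragraph above gives two numbers without showing where they come from. The following added example (not part of the study guide; Python standard library only, with constructed inputs) computes the exact probability for a group of n people, evaluates the guide's 1.2·√k rule of thumb, and then demonstrates the collision-finding use on a deliberately weakened hash: SHA-1 truncated to a small number of bits, so that k = 2^bits is small enough for a collision to appear in seconds. The point for a defender is the scaling: halving the output width of a hash does not halve the work to find a collision, it square-roots it.

```python
import hashlib
import itertools
import math


def prob_shared_birthday(n: int, k: int = 365) -> float:
    """Probability that at least two of n people share one of k equally likely birthdays:
    1 - (k/k) * ((k-1)/k) * ... * ((k-n+1)/k)."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def expected_evaluations(k: int) -> float:
    """The guide's rule of thumb: about 1.2 * sqrt(k) random evaluations before an output repeats."""
    return 1.2 * math.sqrt(k)


def truncated_sha1(msg: bytes, bits: int) -> int:
    """SHA-1 cut down to its low `bits` bits, so there are k = 2**bits possible outputs."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") & ((1 << bits) - 1)


def find_collision(bits: int, prefix: bytes = b"msg-") -> tuple:
    """Evaluate the truncated hash on distinct inputs until two produce the same output.
    Returns (number of evaluations, first input, second input)."""
    seen = {}
    for i in itertools.count():
        msg = prefix + str(i).encode()          # constructed, distinct inputs
        h = truncated_sha1(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg


if __name__ == "__main__":
    print(f"P(shared birthday among 23 people) = {prob_shared_birthday(23):.4f}")
    print(f"1.2 * sqrt(365) = {expected_evaluations(365):.1f}")
    bits = 24
    n, a, b = find_collision(bits)
    print(f"{bits}-bit truncated SHA-1: collision after {n} evaluations "
          f"(rule of thumb: about {expected_evaluations(2 ** bits):.0f}): {a!r} and {b!r}")
```

Run it with a larger `bits` value to see the √k growth directly: each additional 2 bits of hash output roughly doubles the evaluations needed, which is why a hash meant to resist collisions needs twice the output width of the security level it is supposed to provide.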
Password Guessing

A password guesser or password cracker is any program that can decrypt passwords or otherwise disable password protection. A password cracker need not decrypt anything; in fact, most of them don't. Password guessing attacks are of many types, for example:

Brute Force

Many so-called password crackers are nothing but brute-force engines: programs that try word after word, often at high speed. These rely on the theory that eventually you will encounter the right word or phrase. This theory has been proven sound, primarily because of human laziness: humans simply do not take care to create strong passwords.

Dictionary

In a dictionary attack, a dictionary of words is prepared and then used to guess the password. A dictionary-based attack is very effective. Moreover, if you know the "structure" of the password (for example, the characters at some positions), you can create your own dictionary based on the rules you have.

Prevention from Attacks

Protecting one's networks from computer attacks is an ongoing and non-trivial task; however, some simple security measures will stop the majority of network penetration attempts. For example, a well-configured firewall and an installed base of virus checkers will stop most computer attacks. Here, we present a list of 14 different security measures that, if implemented, will help secure a network.

Patching

Companies often release software patches in order to fix coding errors. If unfixed, these errors often allow an attacker to penetrate a computer system. Systems administrators should protect their most important systems by constantly applying the most recent patches. However, it is difficult to patch all hosts in a network because patches are released at a very fast pace. First focus on patching the most important hosts and then implement the other security solutions mentioned below. Patches usually must be obtained from software vendors.
Virus Detection

Virus-checking programs are indispensable to any network security solution. Virus checkers monitor computers and look for malicious code. One problem with virus checkers is that they must be installed on all computers for maximum effectiveness. Installing the software is time-consuming, and it requires monthly updates to remain effective. Users can be trained to perform these updates, but they cannot be relied upon. In addition to the normal virus checking on each computer, we recommend that organizations scan e-mail attachments at the e-mail server. This way, the majority of viruses are stopped before ever reaching the users.

Firewalls

Firewalls are the single most important security solution for protecting one's network. Firewalls police the network traffic that enters and leaves a network. The firewall may disallow some traffic outright or may perform some sort of verification on other traffic. A well-configured firewall will stop the majority of publicly available computer attacks.

Password Crackers

Hackers often use little-known vulnerabilities in computers to steal encrypted password files. They then use password-cracking programs that can discover weak passwords within encrypted password files. Once a weak password is discovered, the attacker can enter the computer as a normal user and use a variety of tricks to gain complete control of your computer and your network. While used by intruders, such programs are invisible to systems administrators. Systems administrators should run password-cracking programs on their encrypted password files regularly to discover weak passwords.

Encryption

Attackers often break into networks by listening to network traffic at strategic locations and parsing out clear-text usernames and passwords. Thus, remote password-protected connections should be encrypted.
This is especially true for remote connections over the Internet and connections to the most critical servers. A variety of commercial and free products are available to encrypt TCP/IP traffic.

Vulnerability Scanners

Vulnerability scanners are programs that scan a network looking for computers that are vulnerable to attack. The scanners use a large database of vulnerabilities to probe computers and determine which ones are vulnerable. Both commercial and free vulnerability scanners exist.

Configuring Hosts for Security

Computers with newly installed operating systems are often vulnerable to attack. The reason is that an operating system's installation programs generally enable all available networking features. This gives an attacker many avenues of attack into one's computer. All unneeded network services should be turned off.

War Dialing

Users often bypass a site's network security scheme by allowing their computers to receive incoming telephone calls. The user enables a modem upon leaving work and is then able to dial in from home and use the corporate network. Attackers use war-dialing programs to call a large number of telephone numbers looking for computers that answer. Since users set up these computers themselves, they are often insecure and provide attackers a back door into one's network. System administrators should regularly use war dialers to discover these back doors. Both commercial and free war dialers are readily available.

Security Advisories

Security advisories are warnings issued by incident response teams and vendors about recently discovered computer vulnerabilities. Advisories usually cover only the most important threats and thus are low-volume, high-utility reading. They describe the threat in general terms and give very specific solutions on how to plug the vulnerability.
Intrusion Detection

Intrusion detection systems detect computer attacks. They can be used outside a network's firewall to see what kinds of attacks are being launched at the network, behind the firewall to discover attacks that penetrate it, and within the network to monitor insider attacks. Intrusion detection tools come with many different capabilities and functions.

Network Discovery Tools and Port Scanners

Network discovery tools and port scanners map out networks and identify the services running on each host. Attackers use these tools to find vulnerable hosts and network services. System administrators use these tools to monitor which hosts and network services are connected to their network. Weak or improperly configured services and hosts can be found and patched.

Incident Response Handling

Every network, no matter how secure, has some security events (even if just false alarms). Staff must know beforehand how to handle these events. Important points that must be resolved are: When should one call law enforcement? When should one call an emergency response team? When should network connections be severed? What is the recovery plan if an important server is compromised?

Security Policies

The strength of a network security scheme is only as strong as its weakest entry point. If different sites within an organization have different security policies, one site can be compromised by the insecurity of another. Organizations should write a security policy defining the level of protection that they expect to be uniformly implemented. The most important aspect of a policy is creating a uniform mandate on what traffic is allowed through the organization's firewalls. The policy should also define how and where security tools (e.g., intrusion detection or vulnerability scanners) should be used in the network.
To obtain uniform security, the policy should define secure default configurations for different types of hosts.

Denial of Service Testing (for firewalls and Web servers)

Denial-of-service (DoS) attacks are very common on the Internet. Malicious attackers shut down Web sites, reboot computers, or clog up networks with junk packets. DoS attacks can be very serious, especially when the attacker is clever enough to launch an ongoing, untraceable attack. Sites serious about security can launch these same attacks against themselves to determine how much damage can be done. We suggest that only very experienced systems administrators or vulnerability analysis consultants perform this type of analysis.

Auditing

Auditing is the review and analysis of management, operational, and technical controls. The auditor can obtain valuable information about activity on a computer system from the audit trail. Audit trails improve the auditability of the computer system. Audits can be self-administered or independent (either internal or external). Both types can provide excellent information about technical, procedural, managerial, or other aspects of security. The essential difference between a self-audit and an independent audit is objectivity. Reviews done by system management staff, often called self-audits/assessments, have an inherent conflict of interest. The system management staff may have little incentive to say that the computer system was poorly designed or is sloppily operated. On the other hand, they may be motivated by a strong desire to improve the security of the system. In addition, they are knowledgeable about the system and may be able to find hidden problems.

There are two types of automated tools:
(1) Active tools, which find vulnerabilities by trying to exploit them.
(2) Passive tests, which only examine the system and infer the existence of problems from the state of the system.
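As an added example of the second category, a passive test (this is not from the study guide; it is standalone Python over constructed passwd- and shadow-style lines, and the account names, hashes and dates in it are made up). It never attempts a login or an exploit; it reads the account state and reports conditions that the Auditing section lists as targets for automated tools: improper access control (a second UID 0 account), weak passwords (an empty password field or a legacy DES-style hash), and a password that has outlived its maximum age.

```python
from dataclasses import dataclass

# Constructed sample account files for the example; not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:Service account:/srv/svc:/bin/sh
"""

SHADOW = """\
root:$6$rounds=5000$examplesalt$notarealhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
alice:$6$examplesalt$anothernotarealhash:18000:0:90:7:::
svc:abJnggxhB/yWI:19000:0:99999:7:::
"""


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def audit_accounts(passwd_text: str, shadow_text: str, today_days: int) -> list:
    """Passive check: read the account files and infer problems from their state
    without attempting any logins. today_days is days since the epoch, as shadow(5) uses."""
    findings = []
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            fields = line.split(":")
            shadow[fields[0]] = fields

    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _, uid, _, _, _, _ = line.split(":")
        if uid == "0" and name != "root":
            findings.append(Finding(name, "uid0"))            # a second superuser account
        entry = shadow.get(name)
        if entry is None:
            findings.append(Finding(name, "no-shadow-entry"))
            continue
        hash_field, lastchg, maxage = entry[1], entry[2], entry[4]
        if hash_field == "":
            findings.append(Finding(name, "empty-password"))  # login needs no password at all
        elif hash_field.startswith(("*", "!")):
            pass                                               # locked account: nothing to check
        elif not hash_field.startswith("$"):
            findings.append(Finding(name, "legacy-hash"))     # 13-char DES crypt, cheap to guess
        if lastchg and maxage and today_days - int(lastchg) > int(maxage):
            findings.append(Finding(name, "password-expired"))
    return findings


def report(findings: list) -> str:
    return "\n".join(f"{f.account}: {f.issue}" for f in findings) or "no findings"


if __name__ == "__main__":
    print(report(audit_accounts(PASSWD, SHADOW, today_days=19100)))
```

Because the check only reads state, it can be run from a read-only copy of the files taken during an audit, which is exactly the property that distinguishes a passive test from the active tools described just above.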
Automated tools can be used to help find a variety of threats and vulnerabilities, such as improper access controls or access control configurations, weak passwords, lack of integrity of the system software, or missing software updates and patches. These tools are often very successful at finding vulnerabilities and are sometimes used by hackers to break into systems. Not taking advantage of these tools puts system administrators at a disadvantage.

Internal Controls Audit. An auditor can review the controls in place and determine whether they are effective. The auditor will often analyze both computer and non-computer-based controls.

Security Checklists. Checklists can be developed which include national or organizational security policies and practices (often referred to as baselines).

Penetration Testing. Penetration testing can use many methods to attempt a system break-in. In addition to using active automated tools as described above, penetration testing can be done "manually." For many systems, a lack of internal controls on applications is a common vulnerability that penetration testing can target. Penetration testing is a very powerful technique. It should preferably be conducted with the knowledge and consent of system management.

Monitoring Types. There are many types and methods of monitoring a system or user. Some methods are deemed more socially acceptable than others, and some are illegal. It is wise to check with legal counsel.

Review of System Logs. A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or to gain system access during unusual hours.

Automated Tools. Several types of automated tools monitor a system for security problems. Some examples are virus scanners, checksumming, password crackers, integrity verification programs, intrusion detectors, and system performance monitoring.

Configuration Management/Managing Change.
From a security point of view, configuration management provides assurance that the system in operation is the correct version (configuration) of the system and that any changes to be made are reviewed for security implications.

Trade Literature/Publications/Electronic News. In addition to monitoring the system, it is useful to monitor external sources for information.

Periodic Re-accreditation. Periodically, it is useful to formally re-examine the security of a system from a wider perspective. The analysis that leads to re-accreditation should address such questions as: Is the security still sufficient? Are major changes needed? The re-accreditation should address high-level security and management concerns as well as the implementation of the security.

Remote Access

Secure Your Wireless Network

Unlike wired networks, wireless networks can reach beyond the walls of buildings. In many deployments, wired network security depends on the physical security of the networks behind the locked doors of the buildings: you need to pass through building security to get access to the network. Wireless networks, on the other hand, can be monitored and attacked from outside the walls of buildings. To mitigate security risks, many wireless networks provide ways to encrypt transmissions. You can use simple static (WEP) network keys or more advanced techniques that generate and rotate the WEP keys to provide privacy.

Since its inception, 802.11 has provided some basic security mechanisms to make this enhanced freedom less of a potential threat. For example, 802.11 access points (or sets of access points) can be configured with a service set identifier (SSID). This SSID must also be known by the NIC in order to associate with the AP and thus proceed with data transmission and reception on the network. This is very weak security, for the following reasons:
• The SSID is well known by all NICs and APs.
• The SSID is sent through the air in the clear (it is even beaconed by the AP).
• Whether association is allowed when the SSID is not known can be controlled locally by the NIC/driver.
• No encryption is provided through this scheme.

While there may be other problems with this scheme, it is evident that this is enough to stop no one, or probably only casual hackers.

Additional security is provided in the 802.11 specifications through the Wired Equivalent Privacy (WEP) algorithm. WEP provides 802.11 with authentication and encryption services. The WEP algorithm defines the use of a 40-bit secret key for authentication and encryption, and many IEEE 802.11 implementations also allow 104-bit secret keys. This algorithm mostly provides protection against eavesdropping and physical security attributes comparable to a wired network. A principal limitation of this security mechanism is that the standard does not define a key management protocol for distribution of the keys. It presumes that the secret, shared keys are delivered to the IEEE 802.11 wireless station via a secure channel independent of IEEE 802.11. This becomes even more challenging when a large number of stations are involved, such as on a corporate campus. To provide a better mechanism for access control and security, the inclusion of a key management protocol in the specification is required.

For the most advanced protection, one should use the 802.1X industry standard as defined by IEEE. It provides individual authentication and privacy by being able to generate and plug in WEP keys. Furthermore, these WEP keys can be generated per user and rotated often, based on policy.

802.1x Authentication

IEEE 802.1x is a standard for port-based network access control that provides authenticated network access to 802.11 wireless networks and wired Ethernet networks.
Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices attached to a LAN port and to prevent access to that port when authentication fails. During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

The authenticator's port-based network access control defines two logical access points to the LAN through one physical LAN port. The first logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN regardless of the computer's authorization state. The second logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator. IEEE 802.1x uses standard security protocols, such as Remote Authentication Dial-In User Service (RADIUS), to provide centralized user identification, authentication, dynamic key management, and accounting.

Virtual private network (VPN) connections

With the Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP), you can securely access resources on a network by connecting to a remote access server running Windows 2000 through the Internet or other networks.
The use of both private and public networks to create a network connection is called a virtual private network (VPN). The following table describes the advantages of using VPN connections.

Advantage: Cost advantages
Example: The Internet is used as a connection instead of a long-distance telephone number or 1-800 service. Because an ISP maintains communications hardware such as modems and ISDN adapters, your network requires less hardware to purchase and manage.

Advantage: Outsourcing dial-up networks
Example: You can make a local call to the telephone company or Internet service provider (ISP), which then connects you to a remote access server running Windows 2000 and your corporate network. It is the telephone company or ISP that manages the modems and telephone lines required for dial-up access. Because the ISP supports complex communications hardware configurations, a network administrator is free to centrally manage user accounts at the remote access server.

Advantage: Enhanced security
Example: The connection over the Internet is encrypted and secure. New authentication and encryption protocols are enforced by the remote access server. Sensitive data is hidden from Internet users, but made securely accessible to appropriate users through a VPN.

Advantage: Network protocol support
Example: Since the most common network protocols (including TCP/IP, IPX, and NetBEUI) are supported, you can remotely run any application dependent upon these particular network protocols.

Advantage: Internet IP address security
Example: Since the VPN is encrypted, the addresses you specify are protected, and the Internet only sees the external IP address. For organizations with nonconforming internal IP addresses, the repercussions of this are substantial, as no administrative costs are associated with having to change IP addresses for remote access via the Internet.
There are two ways to create a VPN connection: by dialing an ISP, or by connecting directly to the Internet, as shown in the following examples.

In the first example, the VPN connection first makes a call to an ISP. After that connection is established, the connection then makes another call to the remote access server (RAS) that establishes the PPTP or L2TP tunnel. After authentication, you can access the corporate network.

In the second example, a user who is already connected to the Internet uses a VPN connection to dial the number for the remote access server. Examples of this type of user include a person whose computer is connected to a local area network, a cable modem user, or a subscriber to a service such as ADSL, where IP connectivity is established immediately after the user's computer is turned on. The PPTP or L2TP driver makes a tunnel through the Internet and connects to the PPTP-enabled or L2TP-enabled RAS. After authentication, the user can access the corporate network.

Point-to-Point Tunneling Protocol (PPTP)

You can access a private network through the Internet or another public network by using a virtual private network (VPN) connection with PPTP. It enables the secure transfer of data from a remote computer to a private server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol virtual private networking over public networks such as the Internet. Developed as an extension of the Point-to-Point Protocol (PPP), PPTP adds a new level of enhanced security and multiprotocol communications over the Internet. Specifically, by using the new Extensible Authentication Protocol (EAP), data transfer through a PPTP-enabled VPN is as secure as within a single LAN at a corporate site. PPTP tunnels, or encapsulates, IP, IPX, or NetBEUI protocols inside PPP datagrams. This means that you can remotely run applications that are dependent upon particular network protocols.
The tunnel server performs all security checks and validations and enables data encryption, which makes it much safer to send information over unsecured networks. You can also use PPTP in private LAN-to-LAN networking.

PPTP does not require a dial-up connection. It does, however, require IP connectivity between your computer and the server. If you are directly attached to an IP LAN and can reach a server, then you can establish a PPTP tunnel across the LAN. If, however, you are creating a tunnel over the Internet and your normal Internet access is a dial-up connection to an ISP, you must dial up your Internet connection before you can establish the tunnel.

Layer Two Tunneling Protocol (L2TP)

An industry-standard Internet tunneling protocol. Unlike the Point-to-Point Tunneling Protocol (PPTP), L2TP does not require IP connectivity between the client workstation and the server. L2TP requires only that the tunnel medium provide packet-oriented point-to-point connectivity. The protocol can be used over media such as ATM, Frame Relay, and X.25. L2TP provides the same functionality as PPTP. Based on the Layer 2 Forwarding (L2F) and PPTP specifications, L2TP allows clients to set up tunnels across intervening networks.

Remote Authentication Dial-In User Service (RADIUS)

A security authentication protocol based on clients and servers and widely used by Internet service providers (ISPs) on non-Microsoft remote servers. RADIUS is the most popular means of authenticating and authorizing dial-up and tunneled network users today. RADIUS allows single sign-on for remote users by allowing them to authenticate with their domain account and password. Single sign-on allows access to all resources on a network with a single user account and password, rather than having to provide different account/password combinations for connecting to the ISP and to the corporate network through a VPN connection.
This single user account and password can be used at any remote access server or network device that is configured as a RADIUS client to the IAS server.

IP Security (IPSec)

IP Security is a public/private key encryption algorithm that uses a Diffie-Hellman exchange in order to perform authentication and establish session keys. IPSec also uses a 40-bit DES algorithm in order to encrypt the data stream. IPSec has been implemented at the session layer, so it does not require direct application support.

TACACS

TACACS is an industry-standard protocol specification, defined by RFC 1492, that forwards username and password information to a centralized server. The centralized server can either be a TACACS database or a database like the UNIX password file with TACACS protocol support. For example, a UNIX server with TACACS passes requests to the UNIX database and sends the "accept" or "reject" message back to the access server.

XTACACS

XTACACS defines the extensions that Cisco added to the TACACS protocol to support new and advanced features.

TACACS+

TACACS+ allows a separate access server (the TACACS+ server) to provide the services of authentication, authorization, and accounting independently. Each service can be tied into its own database or can use the other services available on that server or on the network. The overall design goal of TACACS+ is to define a standard method for managing dissimilar Network Access Servers (NASs) from a single set of management services, such as a database. A NAS provides connections to a single user, to a network or subnetwork, and to interconnected networks.

TACACS+ has three major components:
1. The protocol support within the access servers and routers
2. The protocol specification
3. The centralized security database
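The RADIUS section above says that a remote access server acts as a "RADIUS client" that forwards the user's credentials to the server; what binds the two together is a shared secret that never crosses the wire. The following added example (not from the study guide; Python standard library only, constructed user list and secrets, and the function names are the example's own) shows both sides of an Access-Request/Access-Accept exchange as RFC 2865 specifies it: the NAS hides the User-Password by XORing it with MD5(secret + Request Authenticator), and the server proves it knows the secret by putting MD5(Code + ID + Length + Request Authenticator + Attributes + Secret) in the Response Authenticator, which the NAS checks before trusting an Accept or Reject.

```python
import hashlib
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")          # Code, Identifier, Length; a 16-byte Authenticator follows

# Constructed credentials for the example.
USERS = {"alice": b"s3cret-pw"}


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return bytes([atype, len(value) + 2]) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def parse(pkt: bytes):
    """Return (code, identifier, authenticator, raw attribute bytes, {type: value})."""
    code, ident, length = HEADER.unpack(pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], pkt[20:length], attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_access_request(ident: int, username: str, password: bytes, secret: bytes) -> bytes:
    """NAS (RADIUS client) side. The Request Authenticator is 16 fresh random bytes."""
    request_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password with the shared secret, answer Accept or Reject."""
    _, ident, request_auth, _, attrs = parse(request)
    name = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = secrets.compare_digest(users.get(name, b"\x00"), given)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", request_auth, secret), b"")


def client_verify(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: trust the reply only if its Response Authenticator proves knowledge of the secret."""
    _, req_ident, request_auth, _, _ = parse(request)
    code, ident, auth, attrs, _ = parse(response)
    if ident != req_ident:
        return False
    return secrets.compare_digest(auth, response_authenticator(code, ident, attrs, request_auth, secret))


def authenticate(username: str, password: bytes, secret: bytes, users: dict, ident: int = 1) -> bool:
    request = build_access_request(ident, username, password, secret)
    response = radius_server(request, secret, users)
    if not client_verify(response, request, secret):
        raise ValueError("reply failed the Response Authenticator check")
    return parse(response)[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice / correct password:", authenticate("alice", b"s3cret-pw", b"shared-secret", USERS))
    print("alice / wrong password:  ", authenticate("alice", b"nope", b"shared-secret", USERS))
```

Two consequences follow directly from the construction. A reply from any host that does not hold the shared secret fails `client_verify`, which is why the secret must be unique per NAS and why RADIUS is normally confined to a management network. And because the password hiding is keyed only by the secret and a 16-byte random value, the strength of the secret is the strength of the password's protection in transit; that is the weakness later transports such as RADIUS over TLS were introduced to remove.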
Email

S/MIME

Security services can be added to each communication link along a path, or they can be wrapped around the data being sent so that they are independent of the communication mechanism. This latter approach is often called "end-to-end" security, and it has become a very important topic for users. The two basic features of this type of security are:

Privacy: Only the intended recipient can read the message.
Authentication: The recipient can be assured of the identity of the sender.

The technical capabilities of these functions have been known for many years, but they have only recently been applied to Internet mail. These services typically include authentication of the originator and privacy for the data. They can also provide a signed receipt from the recipient. At the core of these capabilities is the use of public key technology, and large-scale use of public keys requires a method of certifying that a given key belongs to a given user.

Although they offer similar services to users, the two protocols (S/MIME and PGP/MIME) have very different formats. Further, and more important to corporate users, they have different formats for their certificates. This means that not only can users of one protocol not communicate with users of the other, they also cannot share authentication certificates. The difference between the two protocols is similar to the difference between GIF and JPEG files: they both do basically the same thing for end users, but their formats are very different.

S/MIME was originally developed by RSA Data Security, Inc. It is based on the PKCS #7 data format for messages and the X.509v3 format for certificates. PKCS #7, in turn, is based on the ASN.1 DER format for data. PGP/MIME is based on PGP, which was developed by many individuals, some of whom have now joined together as PGP, Inc. The message and certificate formats were created from scratch and use simple binary encoding.
OpenPGP is also based on PGP.

Differences and Commonalities between S/MIME v3 and PGP

S/MIME v3 and PGP are both protocols for adding authentication and privacy to messages. However, they differ in many ways, and are not designed to be interoperable. Some cryptographic algorithms are the same between the two protocols, but others differ. The following chart compares many relevant features of the two protocols, showing where they differ and where they are the same.

Mandatory feature                      S/MIME v3                                   OpenPGP
Message format                         Binary, based on CMS                        Binary, based on previous PGP
Certificate format                     Binary, based on X.509v3                    Binary, based on previous PGP
Symmetric encryption algorithm         TripleDES (DES EDE3 CBC)                    TripleDES (DES EDE3 Eccentric CFB)
Signature algorithm                    Diffie-Hellman (X9.42) with DSS             ElGamal with DSS
Hash algorithm                         SHA-1                                       SHA-1
MIME encapsulation of signed data      Choice of multipart/signed or CMS format    Multipart/signed with ASCII armor
MIME encapsulation of encrypted data   Application/pkcs7-mime                      Multipart/encrypted

HOAXES

These hoaxes usually arrive in the form of an email. Please disregard the hoax emails; they contain bogus warnings usually intended only to frighten or mislead users. The best course of action is to simply delete these hoax emails.

Web

SSL/TLS

SSL/TLS is the encryption system used by 'http' web pages. It is generally considered to be the most secure method for sending sensitive information across the internet, and is the basis of all E-Commerce security systems used today.

The SSL Protocol

The Transmission Control Protocol/Internet Protocol (TCP/IP) governs the transport and routing of data over the Internet.
Other protocols, such as the Hyper Text Transport Protocol (HTTP), Lightweight Directory Access Protocol (LDAP), or Internet Messaging Access Protocol (IMAP), run "on top of" TCP/IP in the sense that they all use TCP/IP to support typical application tasks such as displaying web pages or running email servers.

(Figure: SSL runs above TCP/IP and below high-level application protocols.)

The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection. These capabilities address fundamental concerns about communication over the Internet and other TCP/IP networks:

• SSL server authentication allows a user to confirm a server's identity. SSL-enabled client software can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs. This confirmation might be important if the user, for example, is sending a credit card number over the network and wants to check the receiving server's identity.
• SSL client authentication allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check that a client's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the server's list of trusted CAs. This confirmation might be important if the server, for example, is a bank sending confidential financial information to a customer and wants to check the recipient's identity.
• An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality. Confidentiality is important for both parties to any private transaction. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering, that is, for automatically determining whether the data has been altered in transit.

The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used to transmit data. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection. This exchange of messages is designed to facilitate the following actions:

• Authenticate the server to the client.
• Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.
• Optionally authenticate the client to the server.
• Use public-key encryption techniques to generate shared secrets.

Vulnerabilities

Vulnerable CGI programs

Most web servers support Common Gateway Interface (CGI) programs to provide interactivity in web pages, such as data collection and verification. Many web servers come with sample CGI programs installed by default. Unfortunately, many CGI programmers fail to consider ways in which their programs may be misused or subverted to execute malicious commands. Vulnerable CGI programs present a particularly attractive target to intruders because they are relatively easy to locate, and they operate with the privileges and power of the web server software itself.
Intruders are known to have exploited vulnerable CGI programs to vandalize web pages, steal credit card information, and set up back doors to enable future intrusions, even if the CGI programs are later secured. As a general rule, sample programs should always be removed from production systems.

Web server attacks

Beyond the execution of CGI programs, web servers have other possible holes. A large number of web servers have holes whereby a file name can include a series of "../" in the path name to move within the file system, retrieving any file. Another common bug is a buffer overflow in the request field or in one of the other HTTP fields. Web servers often have bugs related to their interaction with the underlying operating system. An old hole in Microsoft IIS dealt with the fact that files have two names, a long filename and a short 8.3 hashed equivalent that could sometimes be accessed bypassing permissions. NTFS (the new file system) has a feature called "alternate data streams" that is similar to the Macintosh data and resource forks. Servers also have problems with URLs, for example the "death by a thousand slashes" problem: older versions of the Apache web server would incur huge CPU loads as they tried to process each directory in a thousand-slash URL.

Web browser attacks

It seems that all of Microsoft's and Netscape's web browsers have security holes (though, of course, the latest ones never have any that we know about yet). This includes URL, HTTP, HTML, JavaScript, Frames, Java, and ActiveX attacks. URL fields can cause a buffer overflow condition, either as the URL is parsed in the HTTP header, as it is displayed on the screen, or as it is processed in some form (such as saved in the cache history). Also, an old bug with Internet Explorer allowed interaction with a bug whereby the browser would execute .LNK or .URL commands.
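The "../" hole described above is a failure to confine a requested path to the document root. As an added example (not code from the guide), the Python function below shows the check a web server or CGI wrapper should apply before opening a file: it decodes the URL path, folds Windows-style separators, walks the path segment by segment, and refuses any request that would climb above the root. The document root value is a constructed assumption.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

# Document root used by the example (constructed value, not from the guide).
DOC_ROOT = "/var/www/html"


def resolve_request_path(request_path, doc_root=DOC_ROOT):
    """Map a URL path onto a file below doc_root.

    Returns the absolute file path, or None when the request must be
    refused because it tries to climb above the document root with
    '..' segments (including percent-encoded or doubly-encoded ones).
    """
    # Decode twice: a server that decodes once and then normalises can be
    # fooled by '%252e%252e', which only turns into '..' on the second pass.
    decoded = unquote(unquote(request_path))
    # A NUL byte can silently truncate the path in a C-based server.
    if "\x00" in decoded:
        return None
    # Servers on Windows also treat '\' as a separator; fold it to '/'.
    decoded = decoded.replace("\\", "/")

    kept = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                 # empty (from '//') or current-dir segments
        if segment == "..":
            if not kept:
                return None          # would leave the document root: refuse
            kept.pop()
            continue
        kept.append(segment)
    return str(PurePosixPath(doc_root, *kept))


def is_safe_request(request_path, doc_root=DOC_ROOT):
    """Convenience predicate for an access-log or request-filter check."""
    return resolve_request_path(request_path, doc_root) is not None
```

The walk is done by hand rather than with os.path.normpath so that the function can tell the difference between a harmless "/a/../b" and a request whose ".." count exceeds its depth; the latter is refused outright instead of being silently clamped to the root. On a real server the resolved path should additionally be checked after symbolic links are followed.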
HTTP headers can be used to exploit bugs because some fields are passed to functions that expect only certain information. HTML can often be exploited, such as the MIME-type overflow in Netscape Communicator's <EMBED> command. JavaScript is a perennial favorite, and usually tries to exploit the "file upload" function by generating a filename and automatically hiding the "SUBMIT" button. Frames are often used as part of a JavaScript or Java hack (for example, hiding web pages in 1px by 1px sized screens), but they present special problems. For example, I can include a link to a trustworthy site that uses frames, then replace some of those frames with web pages from my own site, and they will appear to you to be part of that remote site. Java has a robust security model, but that model has proven to have the occasional bug (though compared to everything else, it has proven to be one of the most secure elements of the whole system). Moreover, its robust security may be its undoing: normal Java applets have no access to the local system, but sometimes they would be more useful if they did have local access. ActiveX is even more dangerous than Java, as it works purely from a trust model and runs native code. You can even inadvertently catch a virus that was accidentally embedded in some vendor's code.

Global file sharing

These services allow file sharing over networks. When improperly configured, they can expose critical system files or give full file system access to any hostile party connected to the network. Many computer owners and administrators use these services to make their file systems readable and writeable in an effort to improve the convenience of data access. When file sharing is enabled on Windows machines they become vulnerable to both information theft and certain types of quick-moving viruses.
A virus called the 911 Worm uses file shares on Windows 95 and 98 systems to propagate and causes the victim's computer to dial 911 on its modem. Macintosh computers are also vulnerable to file sharing exploits.

The same NetBIOS mechanisms that permit Windows File Sharing may also be used to enumerate sensitive system information from NT systems. User and group information (usernames, last logon dates, password policy, RAS information), system information, and certain Registry keys may be accessed via a "null session" connection to the NetBIOS Session Service. This information is typically used to mount a password guessing or brute force password attack against the NT target.

User IDs, especially root/administrator, with no passwords or weak passwords

Some systems come with "demo" or "guest" accounts with no passwords or with widely-known default passwords. Service workers often leave maintenance accounts with no passwords, and some database management systems install administration accounts with default passwords. In addition, busy system administrators often select system passwords that are easily guessable ("love," "money," "wizard" are common) or just use a blank password. Default passwords provide effortless access for attackers. Many attackers try default passwords and then try to guess passwords before resorting to more sophisticated methods. Compromised user accounts get the attackers inside the firewall and inside the target machine. Once inside, most attackers can use easily-accessible resources to gain root or administrator access.

IMAP and POP buffer overflow vulnerabilities or incorrect configuration

IMAP and POP are popular remote access mail protocols, allowing users to access their e-mail accounts from internal and external networks. The "open access" nature of these services makes them especially vulnerable to exploitation because openings are frequently left in firewalls to allow for external e-mail access.
Attackers who exploit flaws in IMAP or POP often gain instant root-level control.

Default SNMP community strings set to 'public' and 'private'

The Simple Network Management Protocol (SNMP) is widely used by network administrators to monitor and administer all types of network-connected devices ranging from routers to printers to computers. SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough, but the default community string used by the vast majority of SNMP devices is "public". A few clever network equipment vendors change the string to "private". Attackers can use this vulnerability in SNMP to reconfigure or shut down devices remotely. Sniffed SNMP traffic can reveal a great deal about the structure of your network, as well as the systems and devices attached to it. Intruders use such information to pick targets and plan attacks.

File Transfer

FTP is a TCP based service exclusively; there is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins, however, when we find that depending on the mode, the data port is not always port 20.

Active FTP

In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

• FTP server's port 21 from anywhere (client initiates connection)
• FTP server's port 21 to ports > 1024 (server responds to client's control port)
• FTP server's port 20 to ports > 1024 (server initiates data connection to client's data port)
• FTP server's port 20 from ports > 1024 (client sends ACKs to server's data port)

(Figure: active mode FTP connection, steps 1 to 4.)

In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. The server then sends an ACK back to the client's command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.

The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server; it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client-side firewall this appears to be an outside system initiating a connection to an internal client, something that is usually blocked.

Passive FTP

In order to resolve the issue of the server initiating the connection to the client, a different method for FTP connections was developed. This is known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode. In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1).
The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client issues the PASV command. The result is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

• FTP server's port 21 from anywhere (client initiates connection)
• FTP server's port 21 to ports > 1024 (server responds to client's control port)
• FTP server's ports > 1024 from anywhere (client initiates data connection to the random port specified by the server)
• FTP server's ports > 1024 to remote ports > 1024 (server sends ACKs (and data) to client's data port)

(Figure: passive mode FTP connection, steps 1 to 4.)

In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening on for the data connection. In step 3 the client initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client's data port.

While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify a range of ports which the FTP server will use. The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode.
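The active and passive exchanges above both carry the data-port choice as a six-number tuple on the control connection. As an added example (not code from the guide), the Python below decodes that tuple for both directions, works out who opens the data connection in each mode, and applies the two server-side checks a firewall administrator would want: a PORT command must point back at the client that sent it on an unprivileged port (N > 1024), and a passive data port must fall inside the administrator-configured range so that only that range is opened. The sample messages and addresses are constructed; the tuple encoding (port = p1*256 + p2) follows RFC 959.

```python
import re

# Constructed sample messages (not taken from the guide); the numeric forms
# follow the RFC 959 'h1,h2,h3,h4,p1,p2' encoding, where port = p1*256 + p2.
PORT_COMMAND = "PORT 192,168,1,10,4,3"                        # client -> server
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,7,232)"  # server -> client

_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text):
    """Decode the six-number tuple carried by PORT and by the 227 reply."""
    m = _HOST_PORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(mode, client_ip, server_ip, message):
    """Describe the data connection implied by a PORT command (active) or a
    227 reply (passive): who opens it, and the (ip, port) at each end.
    In passive mode the client's source port is its N+1 port, which the
    server only learns when the connection arrives, so it is reported as None."""
    ip, port = parse_host_port(message)
    if mode == "active":
        # Server connects from its data port 20 back to the port the client named.
        return {"initiator": "server", "from": (server_ip, 20), "to": (ip, port)}
    if mode == "passive":
        # Client connects to the high port the server named.
        return {"initiator": "client", "from": (client_ip, None), "to": (ip, port)}
    raise ValueError("mode must be 'active' or 'passive'")


def port_command_acceptable(control_peer_ip, port_command):
    """Server-side check before honouring PORT: the address must be the client
    that sent the command and the port must be unprivileged (N > 1024)."""
    ip, port = parse_host_port(port_command)
    return ip == control_peer_ip and port > 1024


def pasv_port_in_range(reply, low, high):
    """Firewall-side check: a passive data port must fall inside the range the
    administrator configured (as WU-FTPD allows), so only that range is opened."""
    _, port = parse_host_port(reply)
    return low <= port <= high
```

Decoding the constructed PORT command yields port 1027 and the constructed 227 reply yields port 2024, the same values the two walk-throughs above use. An FTP daemon that enforces port_command_acceptable refuses to open a data connection to any host other than the one on the control channel, which removes the need for the "port 20 to anywhere" rule to be wider than the client population.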
As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client such as ncftp. With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can be either good or bad depending on what the servers and firewalls are configured to support.

IP spoofing

There is a range of attacks that take advantage of the ability to forge (or 'spoof') your IP address. While a source address is sent along with every IP packet, it isn't actually used for routing. This means an intruder can pretend to be you when talking to a server. The intruder never sees the response packets (although your machine does, but throws them away because they don't match any requests you've sent). The intruder won't get data back this way, but can still send commands to the server pretending to be you.

TCP sequence number prediction

In the startup of a TCP connection, you must choose a sequence number for your end, and the server must choose a sequence number for its end. Older TCP stacks choose predictable sequence numbers, allowing intruders to create TCP connections from a forged IP address (for which they will never see the response packets) that presumably will bypass security.

DNS poisoning through sequence prediction

DNS servers will "recursively" resolve DNS names. Thus, the DNS server that satisfies a client request will itself become a client to the next server in the recursive chain. The sequence numbers it uses are predictable. Thus, an intruder can send a request to the DNS server and a forged response to the server, pretending to be the next server in the chain. The server will then believe the forged response, and use it to satisfy other clients.

Packet sniffing

Packet sniffing is a form of wire-tap applied to computer networks. It came into vogue with Ethernet, which is known as a "shared medium" network.
This means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic.

Today's networks are increasingly employing "switch" technology, preventing this technique from being as successful as in the past. It is still useful, though, as it is becoming increasingly easy to install remote sniffing programs on servers and routers, through which a lot of traffic flows. Today's networks may already contain built-in sniffing modules. Most hubs support the RMON standard, which allows the intruder to sniff remotely using SNMP, which has weak authentication. Many corporations employ Network Associates "Distributed Sniffer Servers", which are set up with easy to guess passwords. Windows NT machines often have a "Network Monitoring Agent" installed, which again allows for remote sniffing. Packet sniffing is difficult to detect, but it can be done.

The popularity of packet sniffing stems from the fact that it sees everything. Typical items sniffed include:

SMTP, POP, IMAP traffic - Allows the intruder to read the actual e-mail.
POP, IMAP, HTTP Basic, Telnet authentication - Reads passwords off the wire in clear text.
SMB, NFS, FTP traffic - Reads files off the wire.
SQL database traffic - Reads financial transactions and credit card numbers.

Not only can sniffing read information that helps break into a system, it is an intrusion by itself because it reads the very files the intruder is interested in. This technique can be combined with active transmissions for even more effective attacks.

Virtual LANs

A VLAN is a group of PCs, servers and other network resources that behave as if they were connected to a single network segment even though they may not be. For example, all marketing personnel may be spread throughout a building.
Yet if they are all assigned to a single VLAN, they can share resources and bandwidth as if they were connected to the same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specified individuals, at the IT manager's discretion.

This logical grouping of network nodes helps free IT managers from the restrictions of their existing network design and cabling infrastructure. It offers a fundamental improvement in the ease with which LANs can be designed, administered and managed. Since VLANs are software-based, they allow the network structure to quickly and easily adapt to the addition, relocation or reorganization of nodes. No longer does each change require a visit to the wiring closet.

Equally important, VLANs help meet performance needs by segmenting the network more effectively. Unlike standard switching, they restrict the dissemination of broadcast as well as node-to-node traffic, so the burden of extraneous traffic is reduced throughout the network. Security can also be improved. Since all packets traveling between VLANs may also pass through a router, standard router-based security measures can be implemented to restrict access as needed.

Benefits of VLANs

Flexible network segmentation
Users and resources that communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group's traffic is largely contained within the VLAN, reducing extraneous traffic and improving the efficiency of the whole network.

Simple management
The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently from the management console rather than the wiring closet.

Increased performance
VLANs free up bandwidth by limiting node-to-node and broadcast traffic throughout the network.
Better use of server resources
With a VLAN-enabled adapter, a server can be a member of multiple VLANs. This reduces the need to route traffic to and from the server.

Enhanced network security
VLANs create virtual boundaries that can only be crossed through a router. So standard, router-based security measures can be used to restrict access to each VLAN as required.

Basic models of VLAN

In general, there are three basic models for determining and controlling how a packet gets assigned to a VLAN.

Port-based VLANs
In this implementation, the administrator assigns each port of a switch to a VLAN. For example, ports 1-3 might be assigned to the Sales VLAN, ports 4-6 to the Engineering VLAN and ports 7-9 to the Administrative VLAN. The switch determines the VLAN membership of each packet by noting the port on which it arrives. When a user is moved to a different port of the switch, the administrator can simply reassign the new port to the user's old VLAN. The network change is then completely transparent to the user, and the administrator saves a trip to the wiring closet. However, this method has one significant drawback. If a repeater is attached to a port on the switch, all of the users connected to that repeater must be members of the same VLAN.

MAC address-based VLANs
The VLAN membership of a packet in this case is determined by its source or destination MAC address. Each switch maintains a table of MAC addresses and their corresponding VLAN memberships. A key advantage of this method is that the switch doesn't need to be reconfigured when a user moves to a different port. However, assigning VLAN membership to each MAC address can be a time-consuming task. Also, a single MAC address cannot easily be a member of multiple VLANs. This can be a significant limitation, making it difficult to share server resources between more than one VLAN.
(Although a MAC address can theoretically be assigned to multiple VLANs, this can cause serious problems with existing bridging and routing, producing confusion in switch forwarding tables.)

Layer 3 (or protocol)-based VLANs
With this method, the VLAN membership of a packet is based on protocols (IP, IPX, NetBIOS, etc.) and Layer 3 addresses. This is the most flexible method and provides the most logical grouping of users. An IP subnet or an IPX network, for example, can each be assigned their own VLAN. Additionally, protocol-based membership allows the administrator to assign non-routable protocols, such as NetBIOS or DECnet, to larger VLANs than routable protocols like IPX or IP. This maximizes the efficiency gains that are possible with VLANs.

Another important distinction between VLAN implementations is the method used to indicate membership when a packet travels between switches. Two methods exist: implicit and explicit.

Implicit
VLAN membership is indicated by the MAC address. In this case, all switches that support a particular VLAN must share a table of member MAC addresses.

Explicit
A tag is added to the packet to indicate VLAN membership. Cisco ISL and the IEEE 802.1q VLAN specifications both use this method.

To summarize, when a packet enters its local switch, the determination of its VLAN membership can be port-based, MAC-based or protocol-based. When the packet travels to other switches, the determination of VLAN membership for that packet can be either implicit (using the MAC address) or explicit (using a tag that was added by the first switch). Port-based and protocol-based VLANs use explicit tagging as their preferred indication method. MAC-based VLANs are almost always implicit.

Network Address Translation (NAT)

NAT enables private IP addresses to be translated into public IP addresses for traffic to and from the internet, which is useful for sharing a single internet connection with only a single public IP address.
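To make the three local assignment models and the explicit tagging method concrete, here is an added example in Python (not code from the guide or from any switch vendor). It classifies a frame by ingress port, source MAC or EtherType according to the configured method, and then inserts or reads the 4-byte IEEE 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI holding the 3-bit priority and the 12-bit VLAN ID) that the first switch adds before the frame crosses a trunk to another switch. The policy tables, MAC addresses and frame contents are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag

# Constructed switch policy tables for the example (not from the guide).
PORT_TO_VLAN = {1: 10, 2: 10, 3: 10,      # ports 1-3: Sales VLAN
                4: 20, 5: 20, 6: 20,      # ports 4-6: Engineering VLAN
                7: 30, 8: 30, 9: 30}      # ports 7-9: Administrative VLAN
MAC_TO_VLAN = {"00:11:22:33:44:55": 20, "66:77:88:99:aa:bb": 10}
ETHERTYPE_TO_VLAN = {0x0800: 10,          # IPv4 traffic
                     0x8137: 20}          # IPX traffic


def classify_frame(method, ingress_port, src_mac, ethertype):
    """Local VLAN assignment: port-based, MAC-based or protocol-based."""
    if method == "port":
        return PORT_TO_VLAN.get(ingress_port)
    if method == "mac":
        return MAC_TO_VLAN.get(src_mac.lower())
    if method == "protocol":
        return ETHERTYPE_TO_VLAN.get(ethertype)
    raise ValueError("unknown VLAN assignment method: %r" % method)


def add_8021q_tag(frame, vid, pcp=0):
    """Explicit tagging: insert TPID + TCI after the 12-byte MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # 3-bit priority, DEI=0, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_8021q_tag(frame):
    """Return (vid, pcp, untagged_frame), or None if the frame is untagged."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Constructed untagged Ethernet frame (no FCS)."""
    to_bytes = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return to_bytes(dst_mac) + to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def forward_to_trunk(frame, ingress_port, method):
    """What the first switch does on a trunk: classify locally, then tag
    explicitly so the next switch needs no shared MAC table."""
    src_mac = ":".join("%02x" % b for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = classify_frame(method, ingress_port, src_mac, ethertype)
    if vid is None:
        return None                          # no policy entry: drop rather than leak
    return add_8021q_tag(frame, vid)
```

The same frame lands in VLAN 20 under port-based or MAC-based rules and in VLAN 10 under protocol-based rules, which is exactly why the assignment model is an administrative decision rather than a property of the traffic. Dropping frames with no policy entry mirrors the security benefit described above: a frame that is not assigned anywhere should not be allowed to cross a VLAN boundary by default.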
NAT consists of the following components:
1) Translation component.
2) Addressing component.
3) Name resolution component.

NAT does not support the following protocols:
1) Kerberos
2) IP security protocol (IPsec).

NAT Editors

When we have to translate and adjust the payload beyond the IP, TCP and UDP headers, a NAT editor is required. Windows 2000 includes built-in NAT editors for the following protocols:
Ø FTP
Ø Internet Control Message Protocol (ICMP)
Ø Point to Point Tunneling Protocol (PPTP)
Ø NetBIOS over TCP/IP

Additionally, the NAT routing protocol includes proxy software for the following protocols:
Ø H.323
Ø DirectPlay
Ø Lightweight Directory Access Protocol (LDAP)-based Internet Locator Service (ILS) registration
Ø Remote Procedure Call

Internet Connection Sharing & NAT

To connect a small office or home network to the internet, you can use either a routed or a translated connection.

Routed connection
The computer running Windows 2000 Server acts as an IP router that forwards packets between the internal network and the public internet.

Translated connection
The computer running Windows 2000 Server acts as a network address translator. A translated connection requires less knowledge of IP addressing and routing and provides a simplified configuration for hosts and the Windows 2000 router.

Network intrusion detection system (NIDS)

An intrusion is somebody ("hacker" or "cracker") attempting to break into or misuse your system. The word "misuse" is broad, and can reflect something as severe as stealing confidential data or something as minor as misusing your email system for spam (though for many of us, that is a major issue!). An "Intrusion Detection System (IDS)" is a system for detecting such intrusions. Network intrusion detection systems (NIDS) monitor packets on the network wire and attempt to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack).
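The translation component described above is easiest to understand as a table. As an added example (not code from the guide and not the Windows 2000 implementation), the Python class below rewrites the source address and port of outbound packets to one public address, maps replies back to the private host that opened the flow, drops unsolicited inbound packets that match no entry, and refuses packets whose protocol carries no port numbers, which is the practical reason a plain translator cannot pass IPsec. Addresses and packets are constructed values.

```python
import itertools

# Public address of the translating router (constructed RFC 5737 value).
PUBLIC_IP = "203.0.113.1"


class PortNat:
    """Translation component of a NAT: many private hosts share one public
    address by being given distinct public source ports.  Constructed
    example, not the Windows 2000 implementation."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self._outbound = {}   # (proto, private_ip, private_port) -> public_port
        self._inbound = {}    # (proto, public_port) -> (private_ip, private_port)

    def translate_outbound(self, pkt):
        """Rewrite source ip/port of a packet leaving the private network.
        Returns the rewritten packet, or None when the protocol carries no
        port numbers to overload (e.g. IPsec ESP or AH, IP protocols 50
        and 51), which is why a plain NAT cannot pass IPsec."""
        if pkt.get("sport") is None:
            return None
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        pub_port = self._outbound.get(key)
        if pub_port is None:
            pub_port = next(self._next_port)
            self._outbound[key] = pub_port
            self._inbound[(pkt["proto"], pub_port)] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=pub_port)

    def translate_inbound(self, pkt):
        """Map a packet from the Internet back to the private host that opened
        the flow.  Packets with no matching entry are dropped (None), which
        is the incidental filtering a translated connection provides."""
        if pkt["dst"] != self.public_ip:
            return None
        entry = self._inbound.get((pkt["proto"], pkt["dport"]))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return dict(pkt, dst=priv_ip, dport=priv_port)
```

Two private hosts using the same local port 3001 receive different public ports, so their replies cannot be confused. Protocols that embed addresses or ports inside the payload (FTP's PORT command is the obvious case) are not handled by this header-only rewrite; that is the gap the NAT editors listed above fill.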
A typical example is a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan. A NIDS may run either on the target machine, watching its own traffic (usually integrated with the stack and services themselves), or on an independent machine promiscuously watching all network traffic (hub, router, probe). Note that a "network" IDS monitors many machines, whereas the others monitor only a single machine (the one they are installed on).

System integrity verifiers (SIV) monitor system files to find when an intruder changes them (thereby leaving behind a backdoor). The most famous of such systems is "Tripwire". A SIV may watch other components as well, such as the Windows registry and cron configuration, in order to find well-known signatures. It may also detect when a normal user somehow acquires root/administrator level privileges. Many existing products in this area should be considered "tools" rather than complete "systems": i.e. something like "Tripwire" that detects changes in critical system components, but doesn't generate real-time alerts upon an intrusion.

Log file monitors (LFM) monitor log files generated by network services in a similar manner to NIDS. These systems look for patterns in the log files that suggest an intruder is attacking. A typical example would be a parser for HTTP server log files that looks for intruders who try well-known security holes, such as the "phf" attack.

The primary ways an intruder can get into a system:

Physical Intrusion
If intruders have physical access to a machine (i.e. they can use the keyboard or take apart the system), they will be able to get in. Techniques range from special privileges the console has, to the ability to physically take apart the system and remove the disk drive (and read/write it on another machine).
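A system integrity verifier of the Tripwire kind works by recording a baseline of cryptographic digests and attributes for critical files and later comparing the live tree against it. The following is an added Python example (not Tripwire's code and not from the guide) that builds such a baseline, reports added, removed and modified files, and runs a constructed scenario in a temporary directory in which a "login" binary is replaced by one of the same length and a hidden file is dropped.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits of every file below root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(path),
                             "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return baseline


def verify(root, baseline):
    """Compare the live tree with a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, then simulate an intruder
    replacing a system binary and dropping a hidden file."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login binary")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Tampering: the replacement has the same length, so only the digest
        # (not the size) reveals it; the dropped file shows up as "added".
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned login binary")
        with open(os.path.join(root, "bin", ".backdoor"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        return verify(root, baseline)
```

The baseline is only as trustworthy as its storage: an intruder with root can rewrite a baseline kept on the same disk, so it belongs on read-only media or a separate host, and the comparison should be run from a known-good copy of the verifier. Size and mode are kept alongside the digest because permission changes on an unchanged file are a signal in their own right.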
Even BIOS protection is easy to bypass: virtually all BIOSes have backdoor passwords.

System Intrusion
This type of hacking assumes the intruder already has a low-privilege user account on the system. If the system doesn't have the latest security patches, there is a good chance the intruder will be able to use a known exploit in order to gain additional administrative privileges.

Remote Intrusion
This type of hacking involves an intruder who attempts to penetrate a system remotely across the network. The intruder begins with no special privileges. There are several forms of this hacking. An intruder has a more difficult time if there is a firewall between him/her and the victim machine. Note that Network Intrusion Detection Systems are primarily concerned with Remote Intrusion.

How are intrusions detected?

Anomaly detection
The most common way people approach network intrusion detection is to detect statistical anomalies. The idea behind this approach is to measure a "baseline" of such stats as CPU utilization, disk activity, user logins, file activity, and so forth. Then, the system can trigger when there is a deviation from this baseline. The benefit of this approach is that it can detect the anomalies without having to understand the underlying cause behind the anomalies. For example, let's say that you monitor the traffic from individual workstations. Then, the system notes that at 2am, a lot of these workstations start logging into the servers and carrying out tasks. This is something interesting to note and possibly take action on.

Signature recognition
The majority of commercial products are based upon examining the traffic looking for well-known patterns of attack. This means that for every hacker technique, the engineers code something into the system for that technique. This can be as simple as a pattern match.
The classic example is to examine every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web server. Some IDS systems are built from large databases that contain hundreds (or thousands) of such strings. They just plug into the wire and trigger on every packet they see that contains one of these strings.

Techniques used by a NIDS to match signatures
Traffic consists of IP datagrams flowing across a network. A NIDS is able to capture those packets as they flow by on the wire. A NIDS consists of a special TCP/IP stack that reassembles IP datagrams and TCP streams. It then applies some of the following techniques:

Protocol stack verification
A number of intrusions, such as "Ping-O-Death" and "TCP Stealth Scanning", use violations of the underlying IP, TCP, UDP, and ICMP protocols in order to attack the machine. A simple verification system can flag invalid packets. This can include valid, but suspicious, behavior such as fragmented IP packets.

Application protocol verification
A number of intrusions use invalid protocol behavior, such as "WinNuke", which uses invalid NetBIOS protocol (adding OOB data), or DNS cache poisoning, which has a valid but unusual signature. In order to effectively detect these intrusions, a NIDS must reimplement a wide variety of application-layer protocols in order to detect suspicious or invalid behavior.

Creating new loggable events
A NIDS can be used to extend the auditing capabilities of your network management software. For example, a NIDS can simply log all the application layer protocols used on a machine. Downstream event log systems (WinNT Event Log, UNIX syslog, SNMP traps, etc.) can then correlate these extended events with other events on the network.

Honeypots
Programs that pretend to be a service, but which do not advertise themselves.
It can be something as simple as one of the many BackOrifice emulators, or as complex as an entire subnet of bogus systems installed for that purpose. A Honeypot can be defined as "a security resource whose value lies in being probed, attacked or compromised". This means that whatever we designate as a Honeypot, it is our expectation and goal to have the system probed, attacked, and potentially exploited. Keep in mind, Honeypots are not a solution. They do not 'fix' anything. Instead, Honeypots are tools. How you use that tool is up to you and depends on what you are attempting to achieve. A Honeypot may be a system that merely emulates other systems or applications, creates a jailed environment, or may be a standard built system. Regardless of how you build and use the Honeypot, its value lies in the fact that it is attacked.

The first category, production Honeypots, add value to the security measures of an organization. Think of them as 'law enforcement'; their job is to detect and deal with bad guys. Traditionally, commercial organizations use production Honeypots to help protect their networks. The second category, "research Honeypots", are Honeypots designed to gain information on the blackhat community. These Honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and how to better protect against those threats. Think of them as 'counter-intelligence'; their job is to gain information on the bad guys. This information is then used to protect against those threats. Traditionally, commercial organizations do NOT use research Honeypots. Instead, organizations such as universities, government, military, or security research organizations use them.

Value of Honeypots
Honeypots have certain advantages (and disadvantages) as security tools. It is the advantages that help define the value of a Honeypot. The beauty of a Honeypot lies in its simplicity.
It is a device intended to be compromised, not to provide production services. This means there is little or no production traffic going to or from the device. Any time a connection is sent to the Honeypot, this is most likely a probe, scan, or even attack. Any time a connection is initiated from the Honeypot, this most likely means the Honeypot was compromised. As there is little production traffic going to or from the Honeypot, all Honeypot traffic is suspect by nature. Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or someone from accounting entering the wrong IP address. But in general, most Honeypot traffic represents unauthorized activity. Because of this simplistic model, Honeypots have certain inherent advantages and disadvantages.

Advantages

Data Collection
Honeypots collect very little data, and what they do collect is normally of high value. This cuts the noise level down and makes it much easier to collect and archive data. One of the greatest problems in security is wading through gigabytes of data to find the data you need. Honeypots can give you the exact information that you need, in a quick and easy to understand format.

Resources
Many security tools can be overwhelmed by bandwidth or activity. Network Intrusion Detection devices may not be able to keep up with network activity, dropping packets, and potentially attacks. Centralized log servers may not be able to collect all the system events, potentially dropping some events. Honeypots do not have this problem; they only capture what comes to them.

Disadvantages

Single Data Point
Honeypots all share one huge drawback: they are worthless if no one attacks them. Yes, they can accomplish wonderful things, but if the attacker does not send any packets to the Honeypot, the Honeypot will be blissfully unaware of any unauthorized activity.

Risk
Honeypots can introduce risk to your environment. Different Honeypots have different levels of risk.
Some introduce very little risk, while others give the attacker entire platforms from which to launch new attacks. Risk is variable, depending on how one builds and deploys the Honeypot. It is because of these disadvantages that Honeypots do not replace any security mechanisms. They can only add value by working with existing security mechanisms.

Hardening
The process of hardening is that of identifying exactly what a specific machine will be used for and removing or disabling all system components not necessary for that function. It's like turning a general purpose computer into a single or limited purpose computer. Here we're building a system suitable for use as a firewall or web server. The specific components left on a given machine will be determined by the function or functions for which that computer will be used. Multiple Internet services may run on a single hardened machine. More generally, hardening may be treated as any and all of the steps used to tighten or improve the security on a computer. Often included are limiting the user population, password policies, access controls and user and group rights, and intrusion detection, which is treated separately.

It's preferable that a system being hardened should not be connected to a network until the hardening process is complete. It should not be connected to a perimeter network or DMZ, or whatever you call your network segment that is directly connected to the Internet, until the hardening is complete. Building a hardened computer is not like installing a workstation or a test or experimental machine. The first computer that should be hardened, and that will benefit most from being hardened, is a firewall. All computers with full time Internet connections should be protected by a firewall and hardened to some degree.

What benefit is to be gained from removing features on a computer?
Any potential intruder's purposes won't be the same as those for which a hardened machine is built. The fewer the general purpose features on a specific computer, the harder it will be for an intruder to access it or make effective use of it if it is accessed. Hardening also makes it more difficult for internal staff to use a machine in other than its intended fashion. Removing functions is preferred to disabling them because part of the intent of hardening is to prevent even root users from being able to re-enable functions by making simple configuration changes. Depending on what software is left on the hardened machine and what firewall and network security devices are in place, it may or may not be possible for a root user to reinstall the removed pieces. The right network setup can make it effectively impossible for any user without access to local removable media to add components to a system. Even where it is possible, it's obviously more difficult to obtain the necessary pieces of some software, put them in the right places and change the corresponding configuration files than it is to just change the configuration files.

Security through Obscurity
There is a concept that is sometimes severely criticized by members of the security community. It's called security through obscurity. There is often no security at all, but simply putting things in obscure places where it's hoped the wrong people won't find them. Some examples are public web and FTP servers with no DNS entries. A little more obscure is a web server with no DNS entry and running on an odd port. Placing a sensitive document deep in an unlikely directory tree is another example. These are all examples of security through obscurity that are rightly criticized as no security. In these cases, it's likely to be simply a matter of time before the "hidden" resource is found by the unwanted.
With network and disk scanning tools it may not take long. On the other hand, some perfectly valid security techniques are entirely dependent on obscurity for their effectiveness. The obvious example is passwords. That is why so much training needs to go into selecting good passwords. Users naturally tend to select passwords that are not obscure enough and hence are easily guessed or found by password cracking programs. Even where obscurity isn't an inherent part of the technique, it is a useful complement. Firewalls don't depend on obscurity to work. Still, no network administrator in his or her right mind would publicly post a firewall's rule set or diagrams of their network's topology. Doing so doesn't automatically give potential intruders entry the way possession of a password in the right location does. Such information will, however, help intruders, or at a minimum keep them from wasting time on well defended resources. Properly configured web servers don't enable directory listings except in very special circumstances. If someone is going to launch an application level attack against a web server, learning what scripts or programs are available is the first essential step.

Hardening Requires Making Choices
Hardening a system is about making choices. Specific choices may make a system somewhat more secure but also more difficult to use and administer. The choices appropriate to one site may not be appropriate at another. The approach described here is moderately extreme; some may regard the resulting systems as unusable. Sometimes the effort or added system maintenance burden will simply not seem worth the limited gain in security. Every site needs to decide what security measures are appropriate to the resources being protected. Technical security measures will not work if your own staff actively opposes them.

CRYPTOGRAPHY
Cryptography is a branch of mathematics based on the transformation of data.
It provides an important tool for protecting information and is used in many aspects of computer security. For example, cryptography can help provide data confidentiality, integrity, electronic signatures, and advanced user authentication. Although modern cryptography relies upon advanced mathematics, users can reap its benefits without understanding its mathematical underpinnings.

Basic Cryptographic Technologies
Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a key. In modern cryptographic systems, algorithms are complex mathematical formulae and keys are strings of bits. For two parties to communicate, they must use the same algorithm (or algorithms that are designed to work together). In some cases, they must also use the same key. Many cryptographic keys must be kept secret; sometimes algorithms are also kept secret.

There are two basic types of cryptography: secret key systems (also called symmetric systems) and public key systems (also called asymmetric systems). The table below compares some of the distinct features of secret and public key systems. Both types of systems offer advantages and disadvantages. Often, the two are combined to form a hybrid system to exploit the strengths of each type. To determine which type of cryptography best meets its needs, an organization first has to identify its security requirements and operating environment.

DISTINCT FEATURES     SECRET KEY CRYPTOGRAPHY         PUBLIC KEY CRYPTOGRAPHY
Number of keys        Single key.                     Pair of keys.
Types of keys         Key is secret.                  One key is private, and one key is public.
Protection of keys    Disclosure and modification.    Disclosure and modification for private keys, and modification for public keys.
Relative speeds       Faster.                         Slower.

Secret Key Cryptography
In secret key cryptography, two (or more) parties share the same key, and that key is used to encrypt and decrypt data.
As the name implies, secret key cryptography relies on keeping the key secret. If the key is compromised, the security offered by cryptography is severely reduced or eliminated. Secret key cryptography assumes that the parties who share a key rely upon each other not to disclose the key and to protect it against modification. The best known secret key system is the Data Encryption Standard (DES). It is the most widely accepted publicly available cryptographic system today.

Public Key Cryptography
Public key cryptography uses a pair of keys for each party. One of the keys of the pair is "public" and the other is "private." The public key can be made known to other parties; the private key must be kept confidential and must be known only to its owner. Both keys, however, need to be protected against modification. Public key cryptography is particularly useful when the parties wishing to communicate cannot rely upon each other or do not share a common key. There are several public key cryptographic systems. One of the first public key systems is RSA, which can provide many different security services.

Hybrid Cryptographic Systems
Public and secret key cryptography have relative advantages and disadvantages. Although public key cryptography does not require users to share a common key, secret key cryptography is much faster: equivalent implementations of secret key cryptography can run 1,000 to 10,000 times faster than public key cryptography. To maximize the advantages and minimize the disadvantages of both secret and public key cryptography, a computer system can use both types in a complementary manner, with each performing different functions. Typically, the speed advantage of secret key cryptography means that it is used for encrypting data. Public key cryptography is used for applications that are less demanding of a computer system's resources, such as encrypting the keys used by secret key cryptography (for distribution) or signing messages.
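The hybrid pattern just described, as an added example that is not from the study guide: the public-key algorithm wraps only a short session key and a secret-key cipher handles the data. To stay self-contained it uses textbook RSA with the classic toy parameters p=61, q=53 (n=3233, e=17, d=2753) and a SHA-256 keystream in place of DES; both stand in for the real algorithms and are assumptions made for illustration.

```python
import hashlib
import secrets
from typing import Tuple

# Added example, not from the study guide: the structure of a hybrid system. The
# slow public-key step encrypts only the session key (for distribution); the fast
# secret-key step encrypts the bulk data. The RSA parameters are the textbook toy
# values p=61, q=53, and the "secret-key cipher" is a SHA-256 keystream XOR; a real
# system uses a 2048-bit or larger modulus with padding and a standard block cipher.

PUBLIC_KEY = (3233, 17)     # (n, e): may be published to anyone
PRIVATE_KEY = (3233, 2753)  # (n, d): known only to the owner


def rsa_apply(key: Tuple[int, int], value: int) -> int:
    """value^exp mod n: with the public key this wraps, with the private key it unwraps."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy secret-key cipher: XOR the data with SHA-256(key || counter) blocks.
    The same call encrypts and decrypts, as with any XOR stream cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_encrypt(recipient_public: Tuple[int, int], plaintext: bytes) -> Tuple[int, bytes]:
    """Sender: fresh random session key, wrapped with the recipient's public key;
    the data itself is encrypted under the session key."""
    n, _ = recipient_public
    session_key = secrets.randbelow(n - 2) + 2          # 2 <= k < n, new per message
    wrapped_key = rsa_apply(recipient_public, session_key)
    ciphertext = keystream_xor(session_key.to_bytes(2, "big"), plaintext)
    return wrapped_key, ciphertext


def hybrid_decrypt(recipient_private: Tuple[int, int], wrapped_key: int,
                   ciphertext: bytes) -> bytes:
    """Recipient: unwrap the session key with the private key, then decrypt the data."""
    session_key = rsa_apply(recipient_private, wrapped_key)
    return keystream_xor(session_key.to_bytes(2, "big"), ciphertext)


def roundtrip(message: bytes) -> bool:
    """Encrypt for the key owner and confirm the owner recovers the message."""
    wrapped, ct = hybrid_encrypt(PUBLIC_KEY, message)
    return hybrid_decrypt(PRIVATE_KEY, wrapped, ct) == message


if __name__ == "__main__":
    print(roundtrip(b"The quick brown fox jumps over the lazy dog"))  # True
```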
Key Escrow
Since cryptography can provide extremely strong encryption, it can thwart the government's efforts to lawfully perform electronic surveillance. For example, if strong cryptography is used to encrypt a phone conversation, a court-authorized wiretap will not be effective. To meet the needs of the government and to provide privacy, the federal government has adopted voluntary key escrow cryptography. This technology allows the use of strong encryption, but also allows the government to obtain decryption keys held by escrow agents.

Uses of Cryptography
Cryptography is used to protect data both inside and outside the boundaries of a computer system. Outside the computer system, cryptography is sometimes the only way to protect data. While in a computer system, data is normally protected with logical and physical access controls (perhaps supplemented by cryptography). However, when in transit across communications lines or resident on someone else's computer, data cannot be protected by the originator's logical or physical access controls. Cryptography provides a solution by protecting data even when the data is no longer in the control of the originator.

Data Encryption
One of the best ways to obtain cost effective data confidentiality is through the use of encryption. Encryption transforms intelligible data, called plaintext, into an unintelligible form, called ciphertext. This process is reversed through the process of decryption. Once data is encrypted, the ciphertext does not have to be protected against disclosure. However, if ciphertext is modified, it will not decrypt correctly. Both secret key and public key cryptography can be used for data encryption, although not all public key algorithms provide for data encryption. To use a secret key algorithm, data is encrypted using a key. The same key must be used to decrypt the data.
When public key cryptography is used for encryption, any party may use any other party's public key to encrypt a message; however, only the party with the corresponding private key can decrypt, and thus read, the message. Since secret key encryption is typically much faster, it is normally used for encrypting larger amounts of data.

Integrity
In computer systems, it is not always possible for humans to scan information to determine if data has been erased, added, or modified. Even if scanning were possible, the individual may have no way of knowing what the correct data should be. For example, "do" may be changed to "do not," or $1,000 may be changed to $10,000. It is therefore desirable to have an automated means of detecting both intentional and unintentional modifications of data. While error detecting codes have long been used in communications protocols (e.g., parity bits), these are more effective in detecting (and correcting) unintentional modifications. They can be defeated by adversaries. Cryptography can effectively detect both intentional and unintentional modification; however, cryptography does not protect files from being modified. Both secret key and public key cryptography can be used to ensure integrity. Although newer public key methods may offer more flexibility than the older secret key method, secret key integrity verification systems have been successfully integrated into many applications. When secret key cryptography is used, a message authentication code (MAC) is calculated from and appended to the data. To verify that the data has not been modified at a later time, any party with access to the correct secret key can recalculate the MAC. The new MAC is compared with the original MAC, and if they are identical, the verifier has confidence that the data has not been modified by an unauthorized party.
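The secret-key integrity check just described, as an added example that is not from the study guide: the MAC is computed as HMAC-SHA256 with Python's standard library, appended by the originator and recalculated by the verifier, using the guide's own $1,000 to $10,000 alteration. The key and messages are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Added example, not from the study guide: a message authentication code (MAC)
# calculated from and appended to the data, then recalculated by a verifier holding
# the same secret key. HMAC-SHA256 is used as the MAC; key and messages are made up.

MAC_LEN = hashlib.sha256().digest_size   # 32 bytes


def compute_mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def protect(key: bytes, data: bytes) -> bytes:
    """Originator: calculate the MAC from the data and append it to the data."""
    return data + compute_mac(key, data)


def verify(key: bytes, blob: bytes) -> Tuple[bool, bytes]:
    """Verifier: split off the appended MAC, recalculate it with the shared secret
    key, and compare. compare_digest takes constant time, so the comparison itself
    does not reveal at which byte two MACs differ."""
    if len(blob) < MAC_LEN:
        return False, b""
    data, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    return hmac.compare_digest(compute_mac(key, data), tag), data


def demo() -> Dict[str, bool]:
    key = b"constructed-shared-secret-key"
    blob = protect(key, b"Transfer $1,000 to account 4711")
    untouched_ok, _ = verify(key, blob)

    # The guide's example: an adversary changes $1,000 to $10,000. Without the key
    # the appended MAC cannot be recalculated to match, so verification fails.
    amount_changed = blob.replace(b"$1,000", b"$10,000", 1)
    amount_ok, _ = verify(key, amount_changed)

    # Even a single flipped bit in the data is detected.
    one_bit = bytearray(blob)
    one_bit[0] ^= 0x01
    bit_ok, _ = verify(key, bytes(one_bit))

    # A party without the correct secret key cannot confirm integrity either.
    wrong_key_ok, _ = verify(b"some-other-key", blob)

    return {"untouched": untouched_ok, "amount_changed": amount_ok,
            "bit_flipped": bit_ok, "wrong_key": wrong_key_ok}


if __name__ == "__main__":
    print(demo())  # {'untouched': True, 'amount_changed': False, 'bit_flipped': False, 'wrong_key': False}
```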
Electronic Signature
An electronic signature is a cryptographic mechanism that performs a similar function to a written signature. It is used to verify the origin and contents of a message. For example, a recipient of data (e.g., an e-mail message) can verify who signed the data and that the data was not modified after being signed. This also means that the originator (e.g., sender of an e-mail message) cannot falsely deny having signed the data.

PKI
Certificates are fundamental elements of the Public Key Infrastructure (PKI). Certificates enable users to use smart card logon, send encrypted e-mail, and sign electronic documents. Certificates are issued, managed, renewed, and revoked by certificate authorities. A certificate is a digital document that attests to the binding of a public key to an entity. A certificate may consist of a public key signed by a trusted entity. The most widely used structure and syntax for digital certificates is defined by the International Telecommunication Union (ITU) in ITU-T recommendation X.509.

Creation of a certificate
1. Generating a key pair
2. Collecting required information
3. Requesting the certificate
4. Verifying the information
5. Creating the certificate
6. Sending or posting the certificate

Certificate Enrollment
The process of obtaining a digital certificate is called certificate enrollment. There are various enrollment methods, such as:
1) Web-based enrollment.
2) Client certificate enrollment.
3) Automated enrollment.

Physical Security
The physical facility is usually the building, other structure, or vehicle housing the system and network components. Systems can be characterized, based upon their operating location, as static, mobile, or portable. Static systems are installed in structures at fixed locations. Mobile systems are installed in vehicles that perform the function of a structure, but not at a fixed location.
Portable systems are not installed in fixed operating locations. They may be operated in a wide variety of locations, including buildings or vehicles, or in the open.

1. The physical characteristics of these structures and vehicles determine the level of such physical threats as fire, roof leaks, or unauthorized access.
2. The facility's general geographic operating location determines the characteristics of natural threats, which include earthquakes and flooding; man-made threats such as burglary, civil disorders, or interception of transmissions; and damaging nearby activities, including toxic chemical spills, explosions, fires, and electromagnetic interference from emitters, such as radars.
3. Supporting facilities are those services (both technical and human) that underpin the operation of the system. The system's operation usually depends on supporting facilities such as electric power, heating and air conditioning, and telecommunications. The failure or substandard performance of these facilities may interrupt operation of the system and may cause physical damage to system hardware or stored data.

Physical Access Controls
Physical access controls restrict the entry and exit of personnel (and often equipment and media) from an area, such as an office building, suite, data center, or room containing a LAN server. The controls over physical access to the elements of a system can include controlled areas, barriers that isolate each area, entry points in the barriers, and screening measures at each of the entry points. In addition, staff members who work in a restricted area serve an important role in providing physical security, as they can be trained to challenge people they do not recognize.
Physical access controls should address not only the area containing system hardware, but also locations of wiring used to connect elements of the system, the electric power service, the air conditioning and heating plant, telephone and data lines, backup media and source documents, and any other elements required for the system's operation. This means that all the areas in the building(s) that contain system elements must be identified.

It is also important to review the effectiveness of physical access controls in each area, both during normal business hours and at other times, particularly when an area may be unoccupied. Effectiveness depends on both the characteristics of the control devices used (e.g., keycard-controlled doors) and their implementation and operation. Statements to the effect that "only authorized persons may enter this area" are not particularly effective. Organizations should determine whether intruders can easily defeat the controls, the extent to which strangers are challenged, and the effectiveness of other control procedures. Factors like these modify the effectiveness of physical controls.

The feasibility of surreptitious entry also needs to be considered. For example, it may be possible to go over the top of a partition that stops at the underside of a suspended ceiling, or to cut a hole in a plasterboard partition in a location hidden by furniture. If a door is controlled by a combination lock, it may be possible to observe an authorized person entering the lock combination. If keycards are not carefully controlled, an intruder may be able to steal a card left on a desk or use a card passed back by an accomplice.

Corrective actions can address any of the factors listed above. Adding an additional barrier reduces the risk to the areas behind the barrier. Enhancing the screening at an entry point can reduce the number of penetrations.
For example, a guard may provide a higher level of screening than a keycard-controlled door, or an anti-passback feature can be added. Reorganizing traffic patterns, work flow, and work areas may reduce the number of people who need access to a restricted area. Physical modifications to barriers can reduce the vulnerability to surreptitious entry. Intrusion detectors, such as closed-circuit television cameras, motion detectors, and other devices, can detect intruders in unoccupied spaces.

Fire Safety Factors
Building fires are a particularly important security threat because of the potential for complete destruction of hardware and data, and the risk to human life. Smoke, corrosive gases and high humidity from a localized fire can damage systems throughout an entire building. Consequently, it is important to evaluate the fire safety of buildings that house systems. The following are important factors in determining the risks from fire.

Ignition Sources. Fires begin because something supplies enough heat to cause other materials to burn. Typical ignition sources are failures of electric devices and wiring, carelessly discarded cigarettes, improper storage of materials subject to spontaneous combustion, and improper operation of heating devices.

Fuel Sources. If a fire is to grow, it must have a supply of fuel (material that will burn to support its growth) and an adequate supply of oxygen. Once a fire becomes established, it depends on the combustible materials in the building (referred to as the fire load) to support its further growth. The more fuel per square meter, the more intense the fire will be.

Building Operation. If a building is well maintained and operated so as to minimize the accumulation of fuel (such as maintaining the integrity of fire barriers), the fire risk will be minimized.

Building Occupancy.
Some occupancies are inherently more dangerous than others because of an above-average number of potential ignition sources. For example, a chemical warehouse may contain an above-average fuel load.

Fire Detection. The more quickly a fire is detected, all other things being equal, the more easily it can be extinguished, minimizing damage. It is also important to accurately pinpoint the location of the fire.

Fire Extinguishment. A fire will burn until it consumes all of the fuel in the building or until it is extinguished. Fire extinguishment may be automatic, as with an automatic sprinkler system or a HALON discharge system, or it may be performed by people using portable extinguishers, cooling the fire site with a stream of water, limiting the supply of oxygen with a blanket of foam or powder, or breaking the combustion chemical reaction chain. When properly installed, maintained, and provided with an adequate supply of water, automatic sprinkler systems are highly effective in protecting buildings and their contents. Nonetheless, one often hears uninformed persons speak of the water damage done by sprinkler systems as a disadvantage. Fires that trigger sprinkler systems cause the water damage. In short, sprinkler systems reduce fire damage, protect the lives of building occupants, and limit the fire damage to the building itself. All these factors contribute to more rapid recovery of systems following a fire.

Each of these factors is important when estimating the occurrence rate of fires and the amount of damage that will result. The objective of a fire-safety program is to optimize these factors to minimize the risk of fire.

Failure of Supporting Utilities
Systems and the people who operate them need to have a reasonably well-controlled operating environment. Consequently, failures of heating and air-conditioning systems will usually cause a service interruption and may damage hardware.
These utilities are composed of many elements, each of which must function properly. For example, the typical air-conditioning system consists of (1) air handlers that cool and humidify room air, (2) circulating pumps that send chilled water to the air handlers, (3) chillers that extract heat from the water, and (4) cooling towers that discharge the heat to the outside air. Each of these elements has a mean-time-between-failures (MTBF) and a mean-time-to-repair (MTTR). Using the MTBF and MTTR values for each of the elements of a system, one can estimate the occurrence rate of system failures and the range of resulting service interruptions. This same line of reasoning applies to electric power distribution, heating plants, water, sewage, and other utilities required for system operation or staff comfort. By identifying the failure modes of each utility and estimating the MTBF and MTTR, the necessary failure threat parameters can be developed to calculate the resulting risk. The risk of utility failure can be reduced by substituting units with lower MTBF values. MTTR can be reduced by stocking spare parts on site and training maintenance personnel. The outages resulting from a given MTBF can be reduced by installing redundant units, under the assumption that failures are distributed randomly in time. Each of these strategies can be evaluated by comparing the reduction in risk with the cost to achieve it.

Structural Collapse
A building may be subjected to a load greater than it can support. Most commonly this is a result of an earthquake, a snow load on the roof beyond design criteria, an explosion that displaces or cuts structural members, or a fire that weakens structural members. Even if the structure is not completely demolished, the authorities may decide to ban its further use, sometimes even banning entry to remove materials.
This threat applies primarily to high-rise buildings and those with large interior spaces without supporting columns.

Plumbing Leaks
While plumbing leaks do not occur every day, they can be seriously disruptive. The building's plumbing drawings can help locate plumbing lines that might endanger system hardware. These lines include hot and cold water, chilled water supply and return lines, steam lines, automatic sprinkler lines, fire hose standpipes, and drains. If a building includes a laboratory or manufacturing spaces, there may be other lines that conduct water, corrosive or toxic chemicals, or gases. As a rule, analysis often shows that the cost to relocate threatening lines is difficult to justify. However, the location of shutoff valves and the procedures that should be followed in the event of a failure must be specified. Operating and security personnel should have this information immediately available for use in an emergency. In some cases, it may be possible to relocate system hardware, particularly distributed LAN hardware.

Interception of Data
Depending on the type of data a system processes, there may be a significant risk if the data is intercepted. There are three routes of data interception: direct observation, interception of data transmission, and electromagnetic interception.

Direct Observation. System terminal and workstation display screens may be observed by unauthorized persons. In most cases, it is relatively easy to relocate the display to eliminate the exposure.

Interception of Data Transmissions. If an interceptor can gain access to data transmission lines, it may be feasible to tap into the lines and read the data being transmitted. Network monitoring tools can be used to capture data packets. Of course, the interceptor cannot control what is transmitted, and so may not be able to immediately observe data of interest. However, over a period of time there may be a serious level of disclosure.
Local area networks typically broadcast messages. Consequently, all traffic, including passwords, could be retrieved. Interceptors could also transmit spurious data on tapped lines, either for purposes of disruption or for fraud.

Electromagnetic Interception. Systems routinely radiate electromagnetic energy that can be detected with special-purpose radio receivers. Successful interception will depend on the signal strength at the receiver location; the greater the separation between the system and the receiver, the lower the success rate. TEMPEST shielding, of either equipment or rooms, can be used to minimize the spread of electromagnetic signals. The signal-to-noise ratio at the receiver, determined in part by the number of competing emitters, will also affect the success rate. The more workstations of the same type in the same location performing "random" activity, the more difficult it is to intercept a given workstation's radiation. On the other hand, the trend toward wireless (i.e., deliberately radiating) LAN connections may increase the likelihood of successful interception.

Mobile and Portable Systems

The analysis and management of risk usually has to be modified if a system is installed in a vehicle or is portable, such as a laptop computer. A system in a vehicle shares the risks of the vehicle, including accidents and theft, as well as regional and local risks. Portable and mobile systems share an increased risk of theft and physical damage. In addition, portable systems can be "misplaced" or left unattended by careless users. Secure storage of laptop computers is often required when they are not in use. If a mobile or portable system uses particularly valuable or important data, it may be appropriate either to store its data on a medium that can be removed from the system when it is unattended or to encrypt the data.
In any case, the issue of how custody of mobile and portable computers is to be controlled should be addressed. Depending on the sensitivity of the system and its application, it may be appropriate to require briefings of users and signed briefing acknowledgments.

Approach to Implementation

Like other security measures, physical and environmental security controls are selected because they are cost-beneficial. This does not mean that a user must conduct a detailed cost-benefit analysis for the selection of every control. There are four general ways to justify the selection of controls:

1. They are required by law or regulation. Fire exit doors with panic bars and exit lights are examples of security measures required by law or regulation. Presumably, the regulatory authority has considered the costs and benefits and has determined that it is in the public interest to require the security measure. A lawfully conducted organization has no option but to implement all required security measures.

2. The cost is insignificant, but the benefit is material. A good example of this is a facility with a key-locked, low-traffic door to a restricted area. The cost of keeping the door locked is minimal, but there is a significant benefit. Once a significant-benefit/minimal-cost security measure has been identified, no further analysis is required to justify its implementation.

3. The security measure addresses a potentially "fatal" security exposure but has a reasonable cost. Backing up system software and data is an example of this justification. For most systems, the cost of making regular backup copies is modest (compared to the costs of operating the system), the organization would not be able to function if the stored data were lost, and the cost impact of the failure would be material. In such cases, it would not be necessary to develop any further cost justification for the backup of software and data.
However, this justification depends on what constitutes a modest cost, and it does not identify the optimum backup schedule. Broadly speaking, a cost that does not require budgeting of additional funds would qualify.

4. The security measure is estimated to be cost-beneficial. If the cost of a potential security measure is significant, and it cannot be justified by any of the first three reasons listed above, then its cost (both implementation and ongoing operation) and its benefit (reduction in future expected losses) need to be analyzed to determine if it is cost-beneficial. In this context, cost-beneficial means that the reduction in expected loss is significantly greater than the cost of implementing the security measure.

Arriving at the fourth justification requires a detailed analysis. Simple rules of thumb do not apply. Consider, for example, the threat of electric power failure and the security measures that can protect against such an event. The threat parameters, rate of occurrence, and range of outage durations depend on the location of the system, the details of its connection to the local electric power utility, the details of the internal power distribution system, and the character of other activities in the building that use electric power. The system's potential losses from service interruption depend on the details of the functions it performs. Two systems that are otherwise identical can support functions that have quite different degrees of urgency. Thus, two systems may have the same electric power failure threat and vulnerability parameters, yet entirely different loss potential parameters. Furthermore, a number of different security measures are available to address electric power failures. These measures differ in both cost and performance.
For example, the cost of an uninterruptible power supply (UPS) depends on the size of the electric load it can support, the number of minutes it can support the load, and the speed with which it assumes the load when the primary power source fails. An on-site power generator could also be installed, either in place of a UPS (accepting the fact that a power failure will cause a brief service interruption) or in order to provide long-term backup to a UPS system. Design decisions include the magnitude of the load the generator will support, the size of the on-site fuel supply, and the details of the facilities to switch the load from the primary source or the UPS to the on-site generator.

Interdependencies

Physical and environmental security measures rely on and support the proper functioning of many other areas, such as:

Logical Access Controls. Physical security controls augment technical means for controlling access to information and processing. Even if the most advanced and best-implemented logical access controls are in place, if physical security measures are inadequate, logical access controls may be circumvented by directly accessing the hardware and storage media. For example, a computer system may be rebooted using different software.

Contingency Planning. A large portion of the contingency planning process involves the failure of physical and environmental controls. Having sound controls, therefore, can help minimize losses from such contingencies.

Identification and Authentication (I&A). Many physical access control systems require that people be identified and authenticated. Automated physical security access controls can use the same types of I&A as other computer systems. In addition, it is possible to use the same tokens (e.g., badges) as those used for other computer-based I&A.

Other. Physical and environmental controls are also closely linked to the activities of the local guard force, fire house, life safety office, and medical office.
These organizations should be consulted for their expertise in planning controls for the systems environment.

Cost Considerations

Costs associated with physical security measures range greatly. Useful generalizations about costs are therefore difficult. Some measures, such as keeping a door locked, may be a trivial expense. Other features, such as fire-detection and -suppression systems, can be far more costly. Cost considerations should include operation. For example, adding controlled-entry doors requires persons using the door to stop and unlock it. Locks also require physical key management and accounting (and rekeying when keys are lost or stolen). Often these effects will be inconsequential, but they should be fully considered. As with other security measures, the objective is to select those that are cost-beneficial.

CONTINGENCIES AND DISASTERS

A computer security contingency is an event with the potential to disrupt computer operations, thereby disrupting critical mission and business functions. Such an event could be a power failure, hardware failure, fire, or storm. If the event is very destructive, it is often called a disaster. To avert potential contingencies and disasters or minimize the damage they cause, organizations can take steps early to control the event. Generally called contingency planning, this activity is closely related to incident handling, which primarily addresses malicious technical threats such as hackers and viruses. Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization's critical functions operating in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization. The contingency planning process can be divided into six steps:

1. Identifying the mission- or business-critical functions.
2. Identifying the resources that support the critical functions.
3. Anticipating potential contingencies or disasters.
4. Selecting contingency planning strategies.
5. Implementing the contingency strategies.
6. Testing and revising the strategy.

Forensics

Technical evidence has become more important in proving criminal and civil cases. Its importance is tied, in part, to advances in science and computer technology. It is extremely important that computer evidence processing be done correctly in criminal cases. An essential part of any evidence processing is the documentation of what was done. This is important so that memories can be refreshed as to the steps taken and so the results of processing can be duplicated. This is especially true of the processing of computer evidence. The proper documentation of the steps taken during evidence processing ranks as a top priority. Good documentation tied to sound processing procedures is essential for success in computer crime cases. Without the ability to reconstruct accurately what has been done, crucial evidence may be subject to question. More important, the qualifications of the expert witness can become an issue if the computer evidence processing was done haphazardly. Shortcuts should be avoided at all costs. Adequate funding for the purchase of proper computer hardware, storage media and software should not be an obstacle when it comes to law enforcement computer evidence processing.

Computer Time and Date Settings

The time and date that files were created can be important in cases involving computer evidence. However, the accuracy of the time and date stamps on files is directly tied to the accuracy of the time and date stored in the CMOS chip of the computer. Consequently, documenting the accuracy of these settings on the seized computer is important.
Without such information, it will be all but impossible to validate the accuracy of the times and dates associated with relevant computer files. When the settings on the computer are inaccurate, the times and dates associated with relevant files can be interpolated by the computer specialist. Before running the computer or checking the time and date, it is important to make a bit-stream backup of the computer hard disk drive.

Hard Disk Partitions

The potential for hidden or missing data exists when computer hard disk drives are involved. As a result, it is important to document the make, model and size of all hard disk drives contained in the seized computers. This is accomplished by conducting a physical examination of the hard disk drive. The factory information recorded on the outside of the hard disk drive should be documented. Furthermore, a program like FDISK or PartInfo should be used to document the number and size of partitions. It is important that hidden partitions and data are found and documented.

Operating System and Version

The seized computer may rely upon one or more operating systems. The operating system(s) involved should be documented. On DOS and Windows-based computers this can be determined by examining the boot sector of each partition. The findings should be noted and the software and version used should be documented. The versions of the software used should also be retained and stored with the documentation.

Data and Operating System Integrity

The accuracy of any data found will be directly tied to the integrity of the operating system, directory, FAT and data storage areas. Therefore, it is important to document the results of running a program like DOS ScanDisk and/or CHKDSK. In the event errors are found, they should be documented. At the discretion of the computer specialist, errors should be corrected and/or repaired.
Any such corrective actions taken should be documented and the version of the software used should be retained and stored with the documentation.

Computer Virus Evaluation

It is important that computer viruses are not introduced into the seized computer storage devices by the computer specialist. Consequently, all processing software should be scanned by a certified virus scanning utility, e.g., McAfee, Norton or Dr. Solomon. Ideally two separate virus scanning utilities should be used and the results of the scan should be documented. The seized computer hard disk drives and floppy diskettes should also be scanned and any viruses found should be documented. At the discretion of the computer specialist the computer virus should be removed. As with the other software used, the version of the software used should be retained and stored with the documentation. It is also important to realize that infected programs and word processing files can be stored within compressed files, e.g., zip files. Some computer virus scanning programs automatically search inside zip files; other programs do not evaluate the contents of zip files. This should be taken into account when creating the documentation.

File Catalog

The files stored on the computer hard disk drive(s) and floppy diskettes should be listed and cataloged. The dates and times that the files were created and/or updated should also be recorded. Many times relevant leads can be obtained by sorting the files by file date and time. The combination of such information from multiple computers seized as evidence in the same case can also prove valuable for leads. Such information can be helpful in documenting a conspiracy when sorted file dates and times are evaluated.

Software Licensing

The essential software tools used in computer evidence processing are relatively inexpensive, and some software companies support law enforcement agencies with free and discounted forensic software.
Be sure that you are licensed to use the software and document that fact in your reports. Also, be sure to register your software with the software publisher after purchase.

Retention of Software, Input Files and Output Files

As technology moves forward most software manufacturers enhance and upgrade their software. Over the course of just one year a program will probably be upgraded several times. Therefore, it is important that you retain the exact version and copy of the software used in the processing of computer evidence. The recommended storage medium is a Jaz disk (by Iomega) or another external storage device that allows file access.

COMPUTER SECURITY RISK MANAGEMENT

Risk is the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk. Though perhaps not always aware of it, individuals manage risks every day. Actions as routine as buckling a car safety belt, carrying an umbrella when rain is forecast, or writing down a list of things to do rather than trusting to memory fall into the purview of risk management. People recognize various threats to their best interests and take precautions to guard against them or to minimize their effects.

Risk Assessment

Risk assessment, the process of analyzing and interpreting risk, comprises three basic activities: (1) determining the assessment's scope and methodology; (2) collecting and analyzing data; (3) interpreting the risk analysis results.

Determining the Assessment's Scope and Methodology

The assessment may be focused on certain areas where the degree of risk is either unknown or known to be high. Different parts of a system may be analyzed in greater or lesser detail. Defining the scope and boundary can help ensure a cost-effective assessment.
Factors that influence scope include what phase of the life cycle a system is

Methodologies can be formal or informal, detailed or simplified, high or low level, quantitative (computationally based) or qualitative (based on descriptions or rankings), or a combination of these. No single method is best for all users and all environments. How the boundary, scope, and methodology are defined will have major consequences in terms of (1) the total amount of effort spent on risk management and (2) the type and usefulness of the assessment's results. The boundary and scope should be selected in a way that will produce an outcome that is clear, specific, and useful to the system and environment under scrutiny.

Collecting and Analyzing Data

Risk has many different components: assets, threats, vulnerabilities, safeguards, consequences, and likelihood. This examination normally includes gathering data about the threatened area and synthesizing and analyzing the information to make it useful. Because it is possible to collect much more information than can be analyzed, steps need to be taken to limit information gathering and analysis. This process is called screening. A risk management effort should focus on those areas that result in the greatest consequence to the organization. A risk management methodology does not necessarily need to analyze each of the components of risk separately. For example, assets/consequences or threats/likelihoods may be analyzed together.

Asset Valuation. Assets include the information, software, personnel, hardware, and physical assets (such as the computer facility). The value of an asset consists of its intrinsic value and the near-term impacts and long-term consequences of its compromise.

Consequence Assessment. The consequence assessment estimates the degree of harm or loss that could occur.
Consequences refer to the overall, aggregate harm that occurs, not just to the near-term or immediate impacts. While such impacts often result in disclosure, modification, destruction, or denial of service, consequences are the more significant long-term effects, such as lost business, failure to perform the system's mission, loss of reputation, violation of privacy, injury, or loss of life. The more severe the consequences of a threat, the greater the risk to the system (and, therefore, the organization).

Threat Identification. A threat is an entity or event with the potential to harm the system. Typical threats are errors, fraud, disgruntled employees, fires, water damage, hackers, and viruses. Threats should be identified and analyzed to determine the likelihood of their occurrence and their potential to harm assets. In addition to looking at "big-ticket" threats, the risk analysis should investigate areas that are poorly understood, new, or undocumented. If a facility has a well-tested physical access control system, less effort to identify threats may be warranted for it than for unclear, untested software backup procedures. The risk analysis should concentrate on those threats most likely to occur and affect important assets. In some cases, determining which threats are realistic is not possible until after the threat analysis is begun.

Safeguard Analysis. A safeguard is any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat. Safeguard analysis should include an examination of the effectiveness of the existing security measures. It can also identify new safeguards that could be implemented in the system; however, this is normally performed later in the risk management process.

Vulnerability Analysis. A vulnerability is a condition or weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat.
Vulnerabilities are often analyzed in terms of missing safeguards. Vulnerabilities contribute to risk because they may "allow" a threat to harm the system.

Likelihood Assessment. Likelihood is an estimation of the frequency or chance of a threat happening. A likelihood assessment considers the presence, tenacity, and strengths of threats.

Interpreting Risk Analysis Results

The risk assessment is used to support two related functions: (1) the acceptance of risk and (2) the selection of cost-effective controls. To accomplish these functions, the risk assessment must produce a meaningful output that reflects what is truly important to the organization. Limiting the risk interpretation activity to the most significant risks is another way that the risk management process can be focused to reduce the overall effort while still yielding useful results. If risks are interpreted consistently across an organization, the results can be used to prioritize the systems to be secured.

Risk Mitigation

Risk mitigation involves the selection and implementation of security controls to reduce risk to a level acceptable to management, within applicable constraints. Although there is flexibility in how risk assessment is conducted, the sequence of identifying boundaries, analyzing input, and producing an output is quite natural. The process of risk mitigation has greater flexibility, and the sequence will differ more, depending on organizational culture and the purpose of the risk management.

AWARENESS, TRAINING, AND EDUCATION

People, who are all fallible, are usually recognized as one of the weakest links in securing systems. The purpose of computer security awareness, training, and education is to enhance security by:

1. Improving awareness of the need to protect system resources.
2. Developing skills and knowledge so computer users can perform their jobs more securely.
3. Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems.

Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and how to use them), users cannot be truly accountable for their actions.
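The utility-failure discussion earlier in this guide reasons from MTBF and MTTR to an outage rate and then asks whether each mitigation (more reliable units, faster repair, redundancy) is worth its cost, and the fourth justification under Approach to Implementation asks the same question in general. The following Python block is an added example, not material from the study guide; it carries that reasoning through for a single chiller with three candidate measures. Every MTBF, MTTR, cost and loss figure is constructed for illustration, and the factor-of-two reading of "significantly greater" is an assumption.

```python
"""Utility-failure risk from MTBF/MTTR figures, and cost-benefit screening of
the mitigation strategies the guide names (higher-MTBF units, lower MTTR,
redundancy). Added example; all figures below are constructed."""
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 8760.0


def unavailability(mtbf_h: float, mttr_h: float) -> float:
    """Steady-state fraction of time a single unit is out of service."""
    return mttr_h / (mtbf_h + mttr_h)


def redundant_unavailability(mtbf_h: float, mttr_h: float, units: int) -> float:
    """Fraction of time every one of `units` identical units is down at once.
    Assumes, as the guide does, that failures are distributed randomly in
    time and that each unit fails and is repaired independently."""
    return unavailability(mtbf_h, mttr_h) ** units


def expected_outage_hours_per_year(mtbf_h: float, mttr_h: float, units: int = 1) -> float:
    """Expected hours per year with no working unit available."""
    return HOURS_PER_YEAR * redundant_unavailability(mtbf_h, mttr_h, units)


def annual_expected_loss(mtbf_h: float, mttr_h: float, loss_per_hour: float, units: int = 1) -> float:
    """Expected yearly loss = expected outage hours x loss per outage hour."""
    return expected_outage_hours_per_year(mtbf_h, mttr_h, units) * loss_per_hour


@dataclass
class Option:
    name: str
    mtbf_h: float
    mttr_h: float
    units: int
    annual_cost: float  # amortised implementation plus yearly operation


def evaluate_options(baseline: Option, options: List[Option], loss_per_hour: float) -> List[dict]:
    """For each option: reduction in expected loss versus the baseline, its
    annual cost, and the net benefit (all rounded to whole currency units)."""
    base = annual_expected_loss(baseline.mtbf_h, baseline.mttr_h, loss_per_hour, baseline.units)
    rows = []
    for o in options:
        loss = annual_expected_loss(o.mtbf_h, o.mttr_h, loss_per_hour, o.units)
        reduction = base - loss
        rows.append({"name": o.name,
                     "loss_reduction": round(reduction),
                     "annual_cost": round(o.annual_cost),
                     "net_benefit": round(reduction - o.annual_cost)})
    return rows


def cost_beneficial(rows: List[dict], margin: float = 2.0) -> List[str]:
    """Justification 4 in the guide: the reduction in expected loss must be
    'significantly greater' than the cost. The factor-of-two threshold is an
    assumption made here, not a figure from the guide."""
    return [r["name"] for r in rows if r["loss_reduction"] >= margin * r["annual_cost"]]


# Constructed scenario: one chiller serving a computer room
CHILLER = Option("Single chiller as installed", mtbf_h=4000, mttr_h=48, units=1, annual_cost=0)
OPTIONS = [
    Option("Stock spares and train maintenance staff", mtbf_h=4000, mttr_h=8, units=1, annual_cost=15_000),
    Option("Replace chiller with higher-MTBF model", mtbf_h=12000, mttr_h=48, units=1, annual_cost=60_000),
    Option("Install a second, redundant chiller", mtbf_h=4000, mttr_h=48, units=2, annual_cost=120_000),
]
LOSS_PER_OUTAGE_HOUR = 2000.0  # constructed cost of lost service per hour


if __name__ == "__main__":
    rows = evaluate_options(CHILLER, OPTIONS, LOSS_PER_OUTAGE_HOUR)
    for r in rows:
        print(r)
    print("cost-beneficial at 2x margin:", cost_beneficial(rows))
```

With these figures all three measures have a positive net benefit, but only the spares and the higher-MTBF unit clear the "significantly greater" bar; the redundant chiller cuts expected outage the most yet costs more than the guide's fourth justification would accept, which is exactly the distinction between a measure that merely pays for itself and one that is cost-beneficial.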
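The Forensics section asks that the seized machine's CMOS clock error be documented before anything else and that files be cataloged and sorted by date and time so that leads can be read as a timeline. The following Python block is an added example, not part of the guide; it builds such a catalog for a constructed stand-in directory and records each file's modification time both as the seized machine stamped it and as corrected by the documented clock offset. The file names, contents, timestamps and the clock reading are all made up here.

```python
"""Catalog of files from a seized drive, with modification times recorded as
stored and as corrected for a documented CMOS clock error. Added example; the
directory, files and timestamps are constructed in place of a real image."""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass
class CatalogEntry:
    path: str                     # relative to the evidence root
    size: int                     # bytes
    modified_recorded: datetime   # as stamped by the seized machine's clock
    modified_corrected: datetime  # recorded time plus the documented offset


def clock_offset(reference_time: datetime, cmos_time: datetime) -> timedelta:
    """Offset between a trusted reference clock and the seized machine's CMOS
    clock, both read at the same moment: true time = recorded time + offset."""
    return reference_time - cmos_time


def catalog_files(root: str, offset: timedelta) -> List[CatalogEntry]:
    """List every file under `root` with its size and timestamps, sorted by
    corrected modification time (then path) so the result reads as a timeline."""
    entries: List[CatalogEntry] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            recorded = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            entries.append(CatalogEntry(
                path=os.path.relpath(full, root),
                size=st.st_size,
                modified_recorded=recorded,
                modified_corrected=recorded + offset,
            ))
    entries.sort(key=lambda e: (e.modified_corrected, e.path))
    return entries


# Constructed sample: what the seized machine's clock stamped on three files
SAMPLE_FILES = {
    "docs/letter.txt": ("Meeting confirmed for Friday.\n", "2003-03-01T09:00:00"),
    "budget.xls": ("constructed placeholder content\n", "2003-02-28T23:45:00"),
    "notes.txt": ("call back re: invoice\n", "2003-03-02T08:15:00"),
}


def build_sample_image() -> str:
    """Create a throwaway directory standing in for the seized drive and stamp
    each file with the 'recorded' time from SAMPLE_FILES."""
    root = tempfile.mkdtemp(prefix="evidence_")
    for rel, (content, stamp) in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        ts = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc).timestamp()
        os.utime(full, (ts, ts))
    return root


def sample_offset() -> timedelta:
    """Constructed clock check: the trusted clock read 12:00 when the seized
    machine's CMOS clock showed 10:30, so its stamps run 1h30m slow."""
    return clock_offset(datetime(2003, 3, 10, 12, 0, tzinfo=timezone.utc),
                        datetime(2003, 3, 10, 10, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    for e in catalog_files(build_sample_image(), sample_offset()):
        print(f"{e.modified_corrected:%Y-%m-%d %H:%M}  "
              f"(recorded {e.modified_recorded:%Y-%m-%d %H:%M})  {e.size:>6}  {e.path}")
```

Keeping both the recorded and the corrected time in the catalog is deliberate: the recorded value is what an examiner will find again on the bit-stream copy, and the corrected value is an interpretation that depends on the documented offset, so the two should never be merged into one column.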