Security Trends

Transcript of Security Trends

Page 1: Security Trends
Page 2: Security Trends

Security Trends

This chapter presents the following:
- Evolution of computing and how it relates to security
- Different areas that fall under the security umbrella
- Politics that affect security
- Introduction of information warfare
- Examples of security exploits
- A layered approach to security

Page 3: Security Trends

Evolution of Computing

How did security become an issue?

The era of ‘MAINFRAMES’, roughly 25 years ago:
- Connectivity through DUMB TERMINALS with limited functionality
- ‘Closed Environment’
- Limited individuals with operating knowledge
- Unavailability of point and click utilities

The era of ‘MAINFRAMES’:
- Dependence on ‘MAINFRAMES’ grew
- Due to limited time and functionality, productivity was low

What was the level of security threat then?

Page 4: Security Trends

Evolution of Computing

How did security become an issue?

The era of ‘CLIENT SERVERS’:
- Initially, limited processing on the end-user PC, with key processing on the server
- Later, as PCs became more efficient, they communicated with mainframes via servers (Figure 2.1)

The good things in life often have a darker side!!

Page 5: Security Trends

Evolution of Computing

Page 6: Security Trends

Evolution of Computing

How did security become an issue?

The era of ‘CLIENT SERVERS’:
- Companies realized that employees had to be protected from themselves
- Need for a layered approach between individuals, OS and data

Lovely story, but what does it mean to security? Computers are tools. Just as a knife can be a useful tool to cut meat and vegetables, it can also be a dangerous tool in the hands of someone with malicious intent.

“The level of dependence and the extent of integration that technology has attained in our lives have made security a much more necessary and essential discipline”.

Page 7: Security Trends

Security Trends

“Computer security is a marathon to be run at a consistent and continual pace. It is not a short sprint, and it is not for those who lack dedication or discipline.”

Page 8: Security Trends

Areas of Security

Security has a wide base that touches on several different areas.

Technology, hardware, people, and procedures are woven together as a security fabric, as illustrated in Figure 2.2.

Page 9: Security Trends

Areas of Security

Page 10: Security Trends

Benign to Scary!!

Computers and networks touch every facet of modern life:
- Communication
- Funds transfers
- Utility management
- Government services
- Military action / defense systems

Technology abused for illegal and malicious activities

Information Warfare?

Page 11: Security Trends

Benign to Scary!!

- In the early days, hackers carried out activities to impress their peers
- Now, hacking for ‘fun’ has been replaced by hacking with profit-driven motives
- Individuals are hired by organized crime rings for illegal objectives
- In many cases, the greatest damage to the organization is to its reputation and consumer confidence
  - Product blueprints, financial information, business contracts, etc.

Page 12: Security Trends

Evidence of the Evolution of Hacking

www.cybercrime.gov.pk

Some of the attacks that have made some of the headlines:

In July 2009 one of the gadgets that most of us are addicted to, the BlackBerry, was compromised. Hackers sent a piece of code that BlackBerry owners thought was a safe update for the Java code that runs on this device, but instead it was a piece of spyware that allowed the hackers to intercept e-mail and text messages. The “update software” was labeled: “Etisalat network upgrade for BlackBerry service. Please download to ensure continuous service quality.” This sounds convincing enough. It is probable that many BlackBerry devices have been infected by this malicious code, and it is just lying dormant without the owners knowing about it.

Page 13: Security Trends

Evidence of the Evolution of Hacking

Another loved gadget is the iPhone. In April 2009 a bug in the software was discovered that allows someone to crash the iPhone software, disconnect from the network that the iPhones use, and potentially execute code remotely on it. The remote code could allow someone to turn on the microphone of the phone and allow it to become a bugging device. As of this writing, this vulnerability is still being studied, but it is a good indicator of what is going on in the world.

Page 14: Security Trends

How are Nations Affected?

- Intelligence agencies use technology to develop new methods of collecting information on potential foreign enemy movement, conducting surveillance, and proving guilt in criminal activities.
- Disruption of communication in warfare or even in peacetime
- Technology-guided combat systems (e.g. unmanned drones)
- The US Department of Defense (DoD) believes that almost 20 countries have developed cyber war organizations to attack other militaries and civilian targets through the Internet.

Page 15: Security Trends

How are Nations Affected?

Evidence of penetration activity: During the Persian Gulf War in 1991, it was reported that hackers from the Netherlands penetrated 34 American military sites that supported Operation Desert Storm activities. They extracted information about the exact location of military troops, weapon details, and movement of American warships. It could have been a different war if Saddam Hussein had actually bought this information when it was offered to him, but he did not - he thought it was a trick.

The future wars of nations would be targeted via these new methods - computer-generated attacks.

Page 16: Security Trends

How are Companies Affected?

- Organizations have trade secrets and intellectual property
  - Can be stolen by employees who leave to work for competitors
  - External attempts on the organization’s databases (i.e., credit card numbers)
- Organizations are developing clear policies to protect their intellectual property and reputation
- Compliance with privacy and confidentiality regulations:
  - Electronic Communication Policy (ECP)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Public Records Act (PRA)
  - Information Practices Act (IPA)
  - Sarbanes-Oxley Act of 2002, etc.

Page 17: Security Trends

How are Companies Affected?

- More and more responsibilities on top management (CEOs and CFOs)
- Insurance option for natural disaster or a major security breach
- A company wants to be in a position where all the customers come to it when another company suffers a security compromise, not the other way around.

Page 18: Security Trends

The Government’s Action

- Departments under the sponsorship of FBI: Critical Infrastructure Assurance Office (CIAO) under the Department of Commerce, Information Sharing and Analysis Centers (ISACs), National Infrastructure Protection Center (NIPC)
- In 2002, President Bush created the Department of Homeland Security (DHS)
- Prevention of Electronic Crimes Ordinance, 2007. Updated in 2008.

Page 19: Security Trends

Politics and Laws

- Trans-border issues pertaining to cryptography
  - What can be encrypted, at what strength and by whom
- ‘Common Criteria’ for Security Evaluation
- Difficult for juries, investigators and law enforcement agencies, as they are not educated in these types of crimes.
- Authorities face a hard time in:
  - Collecting evidence for computer crimes
    - How to dump data from memory into a file, recover data from a formatted drive, etc.
  - Preventing data corruption
  - Preserving data integrity
- Crime-fighting agencies are increasing personnel with skills in technology and security in many parts of these organizations.

Page 20: Security Trends

So what does this all mean to US?

As our dependence on technology grows, so should our protective measures.

Page 21: Security Trends

Hacking and Attacking

Hacking, Cracking and Attacking
- Hackers were initially considered the IT geeks; now, they are seen as individuals with evil / destructive goals.
- Availability of easy-to-use tools and utilities for hacking
  - GUI-based vulnerability scanning tools
  - Tools working in ‘quiet’ mode, not detected by IDS
  - Require very limited knowledge to attack
  - Satisfy their curiosity and / or destructive goals
- Considered a challenge for computing and security professionals to continuously improve the quality of products and services

Page 22: Security Trends

Management

- Historically, management's focus has been on ‘Financial Gain’, ‘Growth’, etc., and not much on ‘Firewalls’, ‘Hackers’ and ‘Security Breaches’.
- A common ‘perception’ is that the IT department is responsible for security. Why? Is it a technical issue?
  - Lack of understanding about information and enterprise security
- Information security is a management issue that may require technical solutions.
- It is management’s responsibility to set the tone for what role security will play in the organization.

“Good security does not begin and end with erecting a firewall and installing antivirus software. Good security is planned, designed, implemented, and maintained, and is capable of evolving”

Page 23: Security Trends

A Layered Approach

What is meant by a “Layered Approach” (or Defense in Depth Approach)?

To protect an environment, you must truly understand the environment, the fixes to be applied, the differences among the numerous vendor applications and hardware variations, and how attacks are actually performed.

Running antivirus software only on workstations is not a layered approach in battling viruses. Running antivirus software on each workstation, file server, and mail server and applying content filtering via a proxy server is considered a layered approach toward combating viruses.

How is file access protection provided in a layered approach?

Page 24: Security Trends

A Layered Approach

To properly protect file access, the administrator must do the following:
- Configure application, file, and Registry access control lists (ACLs) to provide more granularity to users’ and groups’ file permissions.
- Configure the system default user rights (in a Windows environment) to give certain types of users certain types of rights.
- Consider the physical security of the environment and the computers, and apply restraints where required.
- Draft and enforce a strict logon credential policy so that not all users are logging on as the same user.
- Implement monitoring and auditing of file access and actions to identify any suspicious activity.
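The last two steps above (no shared logons, and auditing of file access) can be checked against an audit trail. The following is an added example, not part of the original presentation; the log format, account names, host names and thresholds are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit records (not from a real system):
# time, account, workstation, action, path, result
SAMPLE_LOG = """\
09:00:01,jsmith,WS-014,read,/finance/payroll.xlsx,ok
09:00:05,shared_admin,WS-002,read,/hr/reviews.docx,ok
09:00:09,shared_admin,WS-031,write,/hr/reviews.docx,ok
09:01:12,shared_admin,WS-047,read,/finance/payroll.xlsx,ok
09:02:30,tlee,WS-020,read,/finance/payroll.xlsx,denied
09:02:31,tlee,WS-020,read,/finance/budget.xlsx,denied
09:02:33,tlee,WS-020,read,/finance/contracts.pdf,denied
09:03:10,jsmith,WS-014,write,/finance/payroll.xlsx,ok
"""

FIELDS = ["time", "account", "host", "action", "path", "result"]

def parse(log_text):
    """Turn the comma-separated audit trail into a list of dicts."""
    return list(csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS))

def shared_logons(events, max_hosts=2):
    """Accounts seen on more than max_hosts workstations: a sign that
    several people log on as the same user, which defeats accountability."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["account"]].add(e["host"])
    return {a: sorted(h) for a, h in hosts.items() if len(h) > max_hosts}

def denied_bursts(events, threshold=3):
    """Accounts with at least `threshold` ACL denials. The ACL layer held;
    the audit layer is what makes the repeated attempts visible."""
    denied = defaultdict(list)
    for e in events:
        if e["result"] == "denied":
            denied[e["account"]].append(e["path"])
    return {a: p for a, p in denied.items() if len(p) >= threshold}

def review(log_text):
    """Run both checks over one audit trail."""
    events = parse(log_text)
    return {"shared_logons": shared_logons(events),
            "denied_bursts": denied_bursts(events)}

if __name__ == "__main__":
    for finding, accounts in review(SAMPLE_LOG).items():
        print(finding, accounts)
```
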

Page 25: Security Trends

An Architectural View

This applies to the various protocols, applications, hardware, and security mechanisms that work at one or more of the seven layers of the OSI model:
- IP spoofing is an attack at the network layer
- ARP attacks happen at the data link layer
- Traffic sniffing occurs at several layers
- Viruses enter through the application layer

Is deploying a firewall with strict password rules sufficient to secure an environment?

“To look at the flow of data in and out of a network and how the applications and devices work together is an architectural view, versus a device or application view”.

Page 26: Security Trends

An Architectural View

Each individual security component could be doing its job by protecting its piece of the network, but the security function may be lost when it is time to interrelate or communicate with another security component.

Page 27: Security Trends

A Layer Missed

A network that has a firewall with packet filtering, a proxy server with content filtering, its public and private DNS records clearly separated, SSL for Internet users, IPSec for VPN connections, and public key infrastructure (PKI), as well as restricted service and port configuration, may seem like a fortified environment, and a network administrator most likely implemented these mechanisms with the best intentions.

Page 28: Security Trends

A Layer Missed

Without a scanning device that probes the environment on a scheduled basis or an IDS that looks out for suspicious activity, the environment could be vulnerable even after the company has spent thousands of dollars to protect it.

Page 29: Security Trends

Education

A security specialist must have the interest and discipline to teach security issues, go to seminars and conferences all over the world, read stacks of books, and have a wide range of experience in different environments.

Security should not be looked upon as an extra component or an option to be added later. It should be interwoven into the code as a program is being developed, and interwoven into the education of our new professionals.

Page 30: Security Trends

End of Chapter 1

Thank You