IT Security

IT Security is the use of knowledge, skills and methodologies to accomplish the goals of enterprise security with efficiency and effectiveness.

IT Security can be broken down into four main areas of concentration:
• Security Policy Management
• Network Security Management
• Desktop Security Management
• Forensics

Put simply, IT Security is the set of methods and goals for preventing the vulnerabilities of an Information System from being exploited.

Three aspects are central to Information Technology Security: confidentiality, integrity and availability. Confidentiality means information assets are accessed only by authorized parties. Integrity means information assets are modified only by authorized personnel. Availability means the system is accessible to authorized personnel when they need it.

There are many types of vulnerabilities, generally divided into three categories: software, hardware and data vulnerabilities. Software vulnerabilities are: interruption (deletion), interception, modification and fabrication. Hardware vulnerabilities are: interruption (denial of service), modification, fabrication (substitution) and interception (theft). Data vulnerabilities are: interruption (loss), interception, modification and fabrication. The other exposed aspects that contain vulnerabilities are the network and the people.

The Principle of Adequate Protection states that information must be protected only until it has less value than the threshold set by policy.

The goals of IT Security are: confidentiality, integrity and availability. The threats to IT Security are: interception, interruption, modification, and fabrication.

Security Policy Management
Security Policy Management deals with a living document called the security policy. The aspects of a security policy include: a password policy, a network use policy and an email use policy.

Security Policy Management consists of security planning, risk analysis, organizational security policies and physical security.

The DLM [Digital Liability Management] model describes an effective security program as people, process and technology working in unison toward a single goal. This methodology uses four tiers: senior management commitment and support, Acceptable-Use policies, Secure-Use policies, and technology (hardware, software and network security tools). Some sources of risk are: user ignorance, lack of an enforceable security policy, social engineering, and file sharing.

Zero-tolerance environments are pushing information security audits into action. These range from internal security audit assessments (password and user-account policies, backup and restore procedures, disaster recovery plans, network infrastructure vulnerabilities, anti-malware software and updates, intrusion detection systems and updates, network operating system configuration, physical security of mission-critical enterprise resources, application security policies and procedures, and separation of duties among IT staff) to external security audit assessments (risk factors that may compromise internal security, servers that breach security policies, effectiveness of the firewall configuration, effectiveness of the wireless configuration, effectiveness of the email configuration, application security policies and procedures, and remote access policies).

Risk Assessment is an important part of DLM. One model of risk assessment is the Risk Assessment Cube, which has three dimensions: Probability of Incident, Severity of Loss, and Duration of Impact. Valuation of digital assets is hard to do accurately because there are many different perspectives to reconcile.

Security Planning identifies and organizes a standard set of security procedures for an enterprise. The issues a security plan must address are: policy, the current state of security in the enterprise, the requirements to meet security goals, the controls that address the vulnerabilities described in the policy and requirements, accountability / audit trail, a timetable of achievement, and a maintenance plan for the security plan itself.

One methodology for writing security policies is the OCTAVE Methodology, which was developed at the Software Engineering Institute at Carnegie Mellon University. Its eight steps are: identify enterprise knowledge, identify operational area knowledge, identify staff knowledge, establish security requirements, map high-priority information assets to the information infrastructure, perform an infrastructure vulnerability evaluation, conduct a multidimensional risk analysis, and develop a protection plan.

Security should be a layered approach, meaning different levels of security that blanket one another. Perimeter and WAN protection should include the following: firewalls (block and allow, packet filter, stateful inspection, proxy server, DMZ, and personal), IDS [Intrusion Detection Systems], access control and VPNs [Virtual Private Networks], authentication such as biometrics and tokens, anti-malware scanning (spyware, virus, worm and trojan horse), cryptography/encryption, and PKI [Public Key Infrastructure] and other certificates.

Risk Analysis is the process of analyzing an enterprise system to define a level of accountability for all identified exposures and potential vulnerabilities. A risk can be defined by three criteria: the loss associated with the event, the likelihood that the event will happen, and the mitigation potential for the outcome of the event.

The basics of risk analysis are: identify assets, determine vulnerabilities, estimate the likelihood of exploitation, estimate expected annual losses, identify potential controls and their costs, and project the annual savings of the controls.
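The six steps above can be carried through as a quantitative calculation. The following is an added example, not part of the original page: it assumes the usual single-loss-expectancy (asset value times exposure factor) and annual-loss-expectancy (SLE times annualized rate of occurrence) figures, which the page's steps describe without naming, and all asset and control numbers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/vulnerability pair from the 'identify assets' and 'determine vulnerabilities' steps."""
    asset: str
    asset_value: float      # value of the asset in currency units
    vulnerability: str
    exposure_factor: float  # fraction of the asset's value lost per incident (0..1)
    aro: float              # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Control:
    """A candidate control with its yearly cost and the reduction it buys."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which it cuts the incident rate (0..1)
    ef_reduction: float = 0.0   # fraction by which it cuts the loss per incident (0..1)


def single_loss_expectancy(e):
    return e.asset_value * e.exposure_factor


def annual_loss_expectancy(e):
    """'Estimate expected annual losses': SLE x ARO."""
    return single_loss_expectancy(e) * e.aro


def residual_exposure(e, c):
    """The same exposure after the control is applied."""
    return Exposure(e.asset, e.asset_value, e.vulnerability,
                    e.exposure_factor * (1.0 - c.ef_reduction),
                    e.aro * (1.0 - c.aro_reduction))


def annual_savings(e, c):
    """'Project annual savings of the controls': loss avoided minus the control's cost.
    A negative result means the control costs more than the loss it prevents."""
    avoided = annual_loss_expectancy(e) - annual_loss_expectancy(residual_exposure(e, c))
    return avoided - c.annual_cost


def rank_controls(e, controls):
    """Controls for one exposure, best net savings first."""
    return sorted(((c.name, round(annual_savings(e, c), 2)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample figures; they are illustrative, not measurements from any enterprise.
EXPOSURES = [
    Exposure("customer database", 500_000.0, "interception via an unpatched server", 0.30, 0.5),
    Exposure("file server", 120_000.0, "data loss from disk failure", 0.80, 0.25),
]
CONTROLS = {
    "customer database": [
        Control("patch management program", 20_000.0, aro_reduction=0.8),
        Control("database encryption at rest", 35_000.0, ef_reduction=0.9),
    ],
    "file server": [
        Control("RAID plus offsite backup", 8_000.0, ef_reduction=0.95),
        Control("accept the risk", 0.0),
    ],
}

if __name__ == "__main__":
    for e in EXPOSURES:
        print(f"{e.asset}: SLE={single_loss_expectancy(e):,.0f} ALE={annual_loss_expectancy(e):,.0f}")
        for name, net in rank_controls(e, CONTROLS[e.asset]):
            print(f"  {name}: net annual savings {net:,.0f}")
```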

Defensive technology infrastructure audits should be a big part of risk analysis, and the defenses should have the following characteristics: properly installed and configured at the correct checkpoints, placed on every device on the network, continuously maintained (patched and audited), with incident response and disaster recovery plans in place, and routinely tested by technology experts. The functional requirements should also be audited: confidentiality, integrity, authenticity, nonrepudiation, accountability, and availability.

Organizational Security Policies are high-level management documents that define the enterprise and the controls and constraints on using the system. Security policies are used to identify sensitive information assets, clarify security responsibilities, and promote awareness and guidelines among employees.

A security policy should state whom it addresses, such as: the users, the owners, and the beneficiaries. It should cover: its purpose, the protected resources, and the nature of the protection. The characteristics of a good security policy are: coverage and comprehensiveness, durability over time, realism, and usefulness.

Some examples of various policies that may make up a security policy are: Acceptable Use Policy, Email Use Policy, Electronic Records Retention Policy, Data Sensitivity Policy, and Internet Security Policy.

An AUP [Acceptable-Use Policy] is an obligation to employees to provide written SOPs that are understandable and easy to use. An AUP should be in place to clearly express what the enterprise resources should and should not be used for. An audit of the policy should happen periodically. Enforcement must also be a priority, or the policy has no value. The two goals of an AUP are: security breach prevention and legal protection. Characteristics of a successful AUP are: comprehensive scope, clear language, adaptive content, extension to other enterprise policies, enforcement provisions, consent and accountability.

A SUP [Secure-Use Policy] is called the defensive best practice because it focuses on security from within the enterprise. This is important because the majority of threats still originate from within the enterprise itself. Enforcement is as important as for the AUP, and enforcement of both should be consistent. Some keys to a SUP are: introducing a security focus in the organizational planning process, establishing security as a business function, integrating security and business plans, deploying information security standards, an incident response policy and incident response teams, and developing a notification plan.

Secure-Use procedures can be broken down into categories such as technology and physical security. Technology best practices would be: shut down unnecessary services, set up and maintain permissions securely, conduct background checks, enforce strong passwords, review partner contracts, and perform audits and updates. Physical security practices would include: facility management, security audits, insurance, reinforcing SUPs, and rewarding secure behaviors.

An Electronic Records Retention Policy is a security policy that sets a standard operating procedure for the retention, destruction and storage of electronic records. It should be designed with computer crime and lawyers in mind. Some legislation to keep in mind: the Computer Access Device and Computer Fraud and Abuse Law of 1984, the NIIPA [National Information Infrastructure Protection Act] of 1996, HIPAA [Health Insurance Portability and Accountability Act] of 1996, GLB [Gramm-Leach-Bliley Act] of 1999, COPPA [Children’s Online Privacy Protection Act], the USA PATRIOT Act of 2001, and the Sarbanes-Oxley Act.

Physical Security addresses the need to focus attention on threats of a physical nature within security planning, risk analysis, and the controls in a security policy. Many security threats fall under physical security, such as: natural disasters (flood, fire, earthquakes, and volcanoes); power loss (addressed by power back-ups and surge protection); human vandals (unauthorized physical access and use, and theft); and physical interception of sensitive information (dumpster diving). Redundancy and physical controls address physical security threats.

Contingency planning is one key to disaster recovery and should be considered part of any security policy. A contingency plan might consist of: a backup plan (including offsite backups), network storage planning and storage management, a cold site facility, and a hot site facility.

Network Security Management
Aspects of Network Security Management are: Vulnerability Assessment, Hardware Firewall, Intrusion Detection, VPNs, and Wireless Security.

Network Security Management is the set of processes by which digital assets are secured. The topics covered here are: Security Threats, Security Ramifications, Network Security Goals, and Implementing Network Security.

Security threats are the main reason for the need to maintain integrity, protect confidentiality, and assure availability. Some of the threats one must consider are: identity theft, privacy, and wireless access.

Security ramifications are the consideration of cost in securing information assets. We must balance the books and estimate the cost of the information assets in order to evaluate efficient use of the budget. One must also understand the four primary causes of network security threats: technology weaknesses, configuration weaknesses, policy weaknesses, and human error.

Network security goals are expressed mainly in a security policy but usually involve the following aspects: mitigating data pilferage, authentication, identifying assumptions within the system, and controlling the integrity of security.

Implementing network security has many aspects to control, such as: human factors, identifying your weaknesses, limiting access, security through persistence, physical security, perimeter security, firewalls and NAT routers, mission-critical security on web and file servers, access control, change management, encryption, intrusion detection systems, security baselines, disaster recovery, and business continuity planning.

Desktop Security Management
Aspects of Desktop Security Management are: Software Firewall, Anti-Virus, Anti-Spam, Secure File Deletion, Secure File Transfer, File Integrity, File Encryption, and Laptop Tracking.

Desktop Security Management might simply be defined as the secure-use practices for micro-computers within a networked environment. Some aspects of Desktop Security Management are: hardening the operating system, system image administration, license management, and malware management.

Desktop Security Management goes hand-in-hand with Network Security Management. Once the network is secured with DMZs, the LAN needs to be addressed, and the micro-computers are a good place to start.

Hardening the operating system of a micro-computer within a networked environment is the first step in creating security between the micro-computer and the network resources. The NSA [National Security Agency] publishes guidelines that generally harden a micro-computer and is a good source to start with. Hardening the operating system of all micro-computers is a must.

System imaging administration, software updates and client management are topics that help manage desktop micro-computers and recover quickly from infestations. In the design one might consider mapping home directories to a network server so that data lives on a redundant source such as a SAN with RAID, then using software such as radmind [remote administration daemon] to keep all copies of the operating system protected and quickly recoverable. One might also consider NetBoot services, which allow desktop micro-computers to boot from a server and be administered automatically from it.

License management addresses the need to protect information assets such as licensed software. By implementing software license management tools such as KeyServer from Sassafras Software, the software becomes unusable if it is taken off the network and away from the server. This type of software also allows the number of deployed copies of a program to exceed the number of licenses purchased, and manages that usage. This works well in times of software audits and litigation with software companies.

Malware management is once again where we talk about anti-spyware, anti-virus, anti-spam and anti-phishing, but on the smaller scale of a single micro-computer. One thing network engineers have learned is that network resources alone are not enough. Implementing firewall and anti-malware software on individual micro-computers is important too. For instance, when laptops are taken home or on the road they might catch malware and then introduce it to the LAN of a secure network; the network malware defenses (even though doing everything they are supposed to) have then not protected everything, and the malware propagates across the LAN.

Forensics
Four areas of Forensics are: Desktop Forensics, Network Forensics, Email Forensics, and Social Engineering.

Forensics deals largely with hard-drive diagnostic recovery, file recovery, swap/cache recovery and systems analysis. Forensics tends to be segmented between military, law enforcement, and business, depending mostly upon needs and resources. Uses for forensics include: criminal cases, civil disputes, security audits and human resources/employment proceedings.

Aspects of forensics are: incident response, evidence collection, forensic analysis, expert witness testimony, forensic litigation, training, and forensic process improvement.

Cyber crime is one leading need for forensics. Cyber crime events can be categorized as internal (someone with a link to the organization) or external (an anonymous abuser) and typically include: financial fraud, sabotage of systems and/or networks, theft of proprietary information, system penetration or denial of service, unauthorized access/misuse of access privileges, and malware (spyware, virus, spamming, and phishing).

Data recovery is a part of all forensics in one way or another. It is an aspect that starts with the knowledge of a desktop administrator, then flows to the knowledge of a network administrator, and finally adds the knowledge of a certified forensics expert.

Back-up systems are a form of data recovery system. There are many advantages to the design and analysis of a good back-up system. In forensic practice, however, a data back-up is usually not what is available, and real investigative hardware and software analysis needs to be implemented. The use of back-up systems has evolved from just restoring data to recovery from data corruption and user error for the most part. Network back-up systems create performance hazards, but these can be mitigated with network design such as: SAN [Storage Area Network], RAID [Redundant Array of Independent Disks] or a separate back-up network (but be careful with VLANs, because if they reset, your network will crawl).

Acquisition is the start of most processes in digital production, and it is no different in evidence collection. The two reasons for evidence collection are future prevention and responsibility. Keep in mind that the rules of evidence (as an attorney would know) are: admissible, authentic, complete, reliable, and believable. The general procedure in evidence collection is: identification of evidence, preservation of evidence, analysis of evidence, and presentation of evidence. An expert should have a logging system in place and document everything. An evaluation of a system should start with duplication using a forensics tool rather than booting the computer (in fact, one should never boot a computer that is to be evaluated). Also remember that there are legal processes and requirements in evidence collection procedures.

Another problem in forensics is establishing a timeline. At what time was this file created? Does this computer use NTP [Network Time Protocol], and to what server is it synchronized? Time is very important in identifying data and reconstructing past events.

A digital detective is more than just someone who is good at data recovery; it also takes the skill and expertise to put together a case (whether a criminal case or a professional presentation to a corporation). The tasks involved are simply: convert digital evidence, find all “hidden” data, and put the evidence into a usable format.

Desktop forensics involves the collection, preservation, analysis, identification, extraction, documentation and presentation of computer evidence. Services of the data forensics industry are: Data Forensic Analysis, Electronic Discovery, Electronic Evidence Discovery, Digital Discovery, Data Recovery, Data Discovery, Data Seizure, Data Duplication/Preservation, Micro-Computer Analysis, Micro-Computer Examination, Document Searches, Media Conversion, Expert Witness Services, and others. The bottom line in all of IT Security is no different from that of finding and being a forensics expert: trust no one.

Principles of micro-computer forensics: data acquisition without contamination of the evidence, continuity of evidence as a chain of custody with accountability, and an audit trail of the methodology. Acquisition is a major task in micro-computer forensics. These principles must be met and the guidelines followed, or the rest of the forensics means absolutely nothing. Everything must be treated with the respect due to crime evidence. Generally, two copies are taken of the micro-computer submitted as evidence. One is sealed in front of the party representing the defendant and will only be used by the courts. The other copy is used for the forensic investigation.
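The acquisition procedure described in the two passages above (duplicate with a tool rather than booting, take a sealed copy and a working copy, log everything, keep an audit trail) can be made verifiable by hashing. This is an added example, not the page's own tooling: it assumes the source is already exposed read-only (a write-blocked device in practice), uses SHA-256, and works on a constructed sample file; the examiner and case identifiers are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read and write in 1 MiB pieces


def hash_file(path, algo="sha256"):
    """Hash a file by re-reading it from disk, so the digest reflects what is actually stored."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(path, expected_sha256):
    """Later integrity check: does the copy still match the digest recorded at acquisition?"""
    return hash_file(path) == expected_sha256


def duplicate_evidence(source, dest_paths, log_path, examiner, case_id):
    """Hash the source, write each copy, re-hash every copy from disk, append one custody record per copy."""
    source_sha256 = hash_file(source)        # the source is only ever opened for reading
    records = []
    for role, dest in dest_paths.items():
        with open(source, "rb") as src, open(dest, "wb") as dst:
            for chunk in iter(lambda: src.read(CHUNK), b""):
                dst.write(chunk)
        copy_sha256 = hash_file(dest)        # independent re-read, not the bytes still in memory
        records.append({
            "case_id": case_id, "examiner": examiner, "role": role,
            "source": source, "copy": dest,
            "source_sha256": source_sha256, "copy_sha256": copy_sha256,
            "verified": copy_sha256 == source_sha256,
            "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    with open(log_path, "a") as log:         # append-only audit trail, one JSON line per copy
        for rec in records:
            log.write(json.dumps(rec) + "\n")
    return records


def demonstrate(workdir=None):
    """Run the procedure on a constructed 'image', then show that a later change to the working copy is caught."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "suspect-disk.img")
    with open(source, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE IMAGE, NOT A REAL DISK\n" * 2048)   # constructed sample, not evidence
    copies = {"sealed": os.path.join(workdir, "sealed.img"),
              "working": os.path.join(workdir, "working.img")}
    records = duplicate_evidence(source, copies, os.path.join(workdir, "custody.log"),
                                 examiner="EXAMINER-PLACEHOLDER", case_id="CASE-PLACEHOLDER")
    with open(copies["working"], "r+b") as f:   # simulate an accidental write to the working copy
        f.write(b"X")
    return {
        "records": records,
        "sealed_ok": verify_copy(copies["sealed"], records[0]["source_sha256"]),
        "working_ok": verify_copy(copies["working"], records[0]["source_sha256"]),
    }


if __name__ == "__main__":
    result = demonstrate()
    for rec in result["records"]:
        print(f"{rec['role']:8} verified={rec['verified']} sha256={rec['copy_sha256'][:16]}...")
    print("sealed copy still matches:", result["sealed_ok"])
    print("working copy still matches:", result["working_ok"])
```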

Forensic technician objectives are: sound methodologies and record keeping, sound knowledge of micro-computing, sound knowledge of the law of evidence, sound knowledge of legal procedures, and sound skills in micro-computing forensic tools.

Network forensics (also known as Cyber Forensics) involves the collection, preservation, analysis, identification, extraction, documentation and presentation of network evidence. The network forensics principles are: timely cyber attack containment, perpetrator location and identification, damage mitigation and evidence recovery.

One tool used in network forensics is a network forensics data visualizer. The main concept of network forensics is capturing IP sessions and network transactions and summarizing those sessions into a readable visualization.

Evidence recovery deals with: preservation of evidence (micro-computer forensics documentation, file slack, data-hiding techniques), disk structure identification, data encryption, data compression techniques, and erased files.

One concept to understand is cyber crime mitigation using risk management techniques. The rate of technological change, the increase in computer literacy, and the growth of online e-business practices all mean that security and forensics need to work harder to protect the most important asset of an organization: its information. Some of the risk management practices that need to be in place are: security policies, proactive security/forensic tools, effective business processes and procedures, and incident response procedures (namely CFIRP, or Computer Forensic Incident Response Procedures).

Some of the micro-computer forensics investigative services should include: micro-computer detection services, digital evidence collection, security policy production and interpretation, and litigation support.

Principles for the destruction of micro-computer evidence are another consideration one must undertake in forensics. SOPs [Standard Operating Procedures] are documented quality control and are the fundamentals of forensics. The IOCE [International Organization on Computer Evidence] was established to provide SOPs for micro-computer evidence exchanged between countries. Its considerations are: consistency with all legal systems, allowance for the use of a common language, durability, the ability to cross international boundaries, and instilling confidence in the integrity of evidence.

IACIS [International Association of Computer Investigative Specialists] is a dominant organization in the industry.

The last frontier in network forensics is scary and is what is being called Information Warfare. Information warfare involves governments, militaries, terrorists, hackers and civilians. It is something that books have been written about, and more books will be written about it, but I will not cover it here.

Email forensics involves the collection, preservation, analysis, identification, extraction, documentation and presentation of email evidence. In email forensics, the ability of the forensics expert to read the RAW headers of an email file is a must.
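Reading raw headers in practice means walking the Received chain bottom-up and normalizing every relay's timestamp to UTC, which is also where the timeline problem mentioned earlier (which clock stamped what, and is it trustworthy) shows up. The example below is added here and is not from the original page; the message is constructed, with hosts in documentation address ranges, and one hop is deliberately stamped earlier than the hop before it so the timeline check has something to report.

```python
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample message; hosts and addresses are documentation ranges, not real systems.
RAW_EMAIL = """\
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
    by mail.example-corp.test with ESMTP id abc123;
    Mon, 03 Mar 2008 14:05:22 -0500
Received: from relay.isp.test (relay.isp.test [198.51.100.7])
    by mx.example-corp.test with ESMTP id def456;
    Mon, 03 Mar 2008 19:04:58 +0000
Received: from [203.0.113.25] (unknown [203.0.113.25])
    by relay.isp.test with SMTP id ghi789;
    Mon, 03 Mar 2008 20:07:10 +0100
From: "Accounts Payable" <ap@example-corp.test>
To: staff@example-corp.test
Date: Mon, 03 Mar 2008 14:06:00 -0500
Subject: Urgent invoice
Message-ID: <constructed-0001@example-corp.test>

Please open the attached invoice.
"""

# "from <host> ... by <host>" inside one unfolded Received header.
HOP_RE = re.compile(r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)


def parse_received_chain(raw):
    """Return the hops in delivery order (earliest first), each with its timestamp in UTC."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its own Received header, so the last one in the file is the first hop.
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())        # unfold continuation lines
        route, _, stamp = text.rpartition(";")    # the date follows the last ';'
        m = HOP_RE.search(route)
        hops.append({
            "from": m.group("src") if m else None,
            "by": m.group("by") if m else None,
            "utc": parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc),
            "raw": text,
        })
    return hops


def timeline_anomalies(hops):
    """(index, seconds) for every hop stamped earlier than the hop before it."""
    anomalies = []
    for i in range(1, len(hops)):
        delta = (hops[i]["utc"] - hops[i - 1]["utc"]).total_seconds()
        if delta < 0:
            anomalies.append((i, delta))
    return anomalies


if __name__ == "__main__":
    chain = parse_received_chain(RAW_EMAIL)
    for i, h in enumerate(chain):
        print(f"hop {i}: {h['from']} -> {h['by']} at {h['utc']:%Y-%m-%d %H:%M:%S} UTC")
    for i, delta in timeline_anomalies(chain):
        print(f"hop {i} is stamped {-delta:.0f}s before hop {i - 1}: clock skew or an untrustworthy header")
```

A negative delta does not by itself prove tampering; it tells the examiner which relay's clock (or which header) needs corroboration from server logs before the timeline is relied on.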

Remember that email is considered a formal document in a court of law and is discoverable in litigation under the Federal Rules of Civil Procedure, so treat it as such.

Deletion of email is also not tolerated in a court of law. Once it is known that an email might be usable in court proceedings, the user is obligated to preserve it. A Retention Policy is the best practice, and consider backing up email separately from the back-up of the whole system.

Social Engineering involves the collection, preservation, analysis, identification, extraction, documentation and presentation of social evidence. Social engineering does not involve a typical hands-on attack on micro-computers; it uses social skills and personal interaction to get someone to disclose security-relevant information and perhaps even unknowingly help carry out the attack.

Sometimes the sources for social engineering are right under our noses, such as corporate websites, local government websites, local advertisements, the yellow pages and marketing material. The IT Security department really must align itself with the rest of the company in the design of a good security policy to help defend on this front.

Actually, most viruses and trojan horses use social engineering to spread. The end user opens an email because it seems important, or is enticed to open its contents because they look important or interesting. Once the email is opened, the payload of the virus or trojan horse is activated (sometimes without the end user knowing). Rootkits may also fall under this definition.

What can be done about these types of attacks? First and foremost, IT Security should educate the end users (whether email users, phone operators or upper management who might have access to proprietary corporate information). Some technological defenses are authentication and encryption of all email and important file transfers. And as always, have a good Security Policy in place.
