Network Security
In the past few years, government and military organizations have widely adopted LANs, WANs and the Internet to take advantage of advances in technology. Connecting a private, internal network to an outside untrusted network has advantages and disadvantages. The advantage is that the exchange of information is greatly facilitated. The disadvantage is that valuable network resources are exposed to the outside world. The vast connectivity of the Internet and the growing interest in it have also posed several risks.
The common motives for computer crimes could be the lure of money, revenge, terrorism, fun, recognition or curiosity. Information systems can be attacked by outsiders who may penetrate a computer system or by insiders who are authorized to use the resources but misuse their authorization. An attacker may disrupt the information system of an organization (active attack) or gain access to its sensitive information (passive attack). Although no direct damage is done in a passive attack, any leak of information could have drastic repercussions for the organization.
In simple words, security has been defined as protecting an information system from unintended access.
Security of an information system refers to protecting all components of the information system, specifically data, software, hardware and networks. A comprehensive security plan incorporates both security policy and security mechanisms.
The factors that influence security policy are:
• mission of the organization
• management support
• risk assessment
• level of security needed
• cost effectiveness
• personal security responsibilities and accountability
• social factors.
The factors that influence security mechanisms are:
• network architecture
• security issues
• security components
• factors that make network vulnerable to attack
• network security administration
• security awareness and training.
  FUNDAMENTAL CONCEPTS
Here, we discuss objectives, assets, threats, vulnerability, safeguards and potential attacks on information in a network environment.
  Objectives
Information security has four major objectives as given below:
(1) Confidentiality: Ensuring that information is not disclosed or revealed to unauthorized persons.
(2) Integrity: Preventing unauthorized creation or modification of data and maintaining consistency of data.
(3) Availability: Ensuring that authorized users are not denied access to information and resources.
(4) Legitimate use: Ensuring that authorized persons do not use the information in an unauthorized way.
  Assets
Assets are valuable resources of the organization that need to be protected. The loss of an asset means a significant loss to an organization. In some cases, a lost asset cannot be replaced, particularly in the case of goodwill, trust, or confidential research.
Examples of asset categories are: users, application, services, servers, networks, documentation, goodwill, reputations and manpower skills.
  Threats
A threat is an impending action by a person or event that poses some danger to an asset. The loss of an asset is caused by the realization of a threat. A threat is realized via the medium of a vulnerability. Threats come from the organization's environment and therefore cannot be totally controlled by the organization. The four major threats are as follows:
(1) Information leakage: Information is revealed to unauthorized users, which is a threat to secrecy.
(2) Integrity violation: Destroying, altering or creating bogus data that results in inconsistency of data.
(3) Denial of service: Using legitimate access rights to disrupt traffic partially or completely.
(4) Illegitimate use: Exploitation of privileges by legitimate users.

The above threats can be realized in different ways as given below:
(1) Authorization violation: A person authorized to use a resource uses it in an unauthorized manner.
(2) Bypassing control: Exploiting system flaws or security weaknesses in order to acquire higher or unauthorized privileges.
(3) Eavesdropping: Leakage of information by monitoring communication channels.
(4) Interception: Extracting information from radio frequency or electromagnetic equipment.
(5) Malicious programs: Programs that are specially written to damage other programs.
(6) Masquerade: A person or entity pretends to be different.
(7) Traffic analysis: Leakage of information by analyzing traffic patterns.
(8) Repudiation: A person participating in an exchange of information denies having participated.
(9) Resource exhaustion: Using resources so as to make them unavailable for others. This results in denial of service.
(10) Social engineering: Fooling a user into disclosing his password. Leaning over someone's shoulder to observe the password and learning about a system by eavesdropping on conversations are also forms of social engineering.

Vulnerability
Vulnerability is a weakness or the absence of safeguards. Unlike threats, vulnerabilities usually exist within the organization. A possible categorization of vulnerability is security policy, procedures, administration, implementation and apathy. Some examples of vulnerability are given in Table 14.1.

Table 14.1 Examples of Vulnerability

Category          Vulnerability
Security policy   Granting higher rights to users than required.
Administration    Circumventing security procedures due to degradation in performance.
Administration    Initialising insecure system.
Administration    Empty root/administrator passwords, particularly during installation.
Implementation    Failure of protection mechanism.
Apathy            Bypassing or disabling security procedures for convenience.
Procedure         Duplication of confidential reports.
Procedure         Unsafe handling of backups containing confidential reports.

Safeguards
Safeguards are physical controls, security policies, security mechanisms and procedures that protect assets from threats.

Physical controls
The common physical controls are:
• Physical security
• Personnel security
• Administrative security
• Emanations security.

Security policy
The security policy is a set of rules established by the organization to apply to all security-relevant activities. Several levels of security policy have been suggested, such as management policy, operational policy and procedural policy.
Authorization is a fundamental part of a security policy. It establishes who is assigned to perform what role. It is carried out using an access control mechanism.

Security services
The security mechanisms and procedures, which are the main security safeguards, are known as security services. The security services are as follows:
• Identification and authentication service
• Access control service
• Confidentiality service
• Data integrity service
• Non-repudiation service.

Attack
An attack is the realization of a threat. Broadly, the attackers are hackers, spies, vandals and professional criminals.

Tool
The tools generally used by an attacker broadly fall into categories such as physical attack, information exchange, user commands, program and data tap.

Actions
Depending on the vulnerability, the attacker can perform different actions such as probe, scan, flood, bypass control, spoof, steal and read/copy/modify.

Target
The targets of attack are generally account, process, data, system components and network.

  IDENTIFICATION AND AUTHENTICATION
Identification and authentication are measures to prevent unauthorized people from entering the system. Identification is the means by which a user provides a claimed identity to the system. The most common form of identification is the user ID. Authentication is the means of establishing the validity of a user's claimed identity. The two tasks are generally combined in the login process. There are three ways of authenticating a user's identity.
(1) Proof by knowledge; for example, password

(2) Proof by possession; for example, pin card

(3) Proof by property (biometrics); for example, fingerprint.

Safeguards
The following measures are employed to safeguard passwords:
Password rules are imposed to prevent use of weak passwords. These could be:
- Minimum length of passwords and the allowable set of characters (uppercase, numeric, non-alphanumeric) are specified.
- The password ageing time frames are specified to enforce change in passwords.
- The number of generations of expired passwords disallowed for reuse is specified.
A site may use a reactive password checking strategy in which a password cracker program is run periodically to find weak passwords.
A site may use a proactive password checking scheme in which the system checks whether a password is allowable at the time of registration. If the password is weak, it is rejected.
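The password rules and the two checking strategies described above, as an added example that is not part of the original text. The policy values, the small wordlist and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, os
from datetime import date, timedelta

# Policy values are assumptions for this example, not figures from the text.
MIN_LENGTH = 10
MAX_AGE = timedelta(days=90)      # password ageing time frame
HISTORY_GENERATIONS = 3           # expired passwords that may not be reused
WORDLIST = {"password", "letmein", "welcome1", "qwerty123"}  # constructed sample

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(password):
    """Store only a salted, slow hash of the password, never the password."""
    salt = os.urandom(16)
    return (salt, _hash(password, salt))

def matches(password, record):
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)

def proactive_check(candidate, history):
    """Run at registration/change time. Returns rule violations; empty = accept."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    # Required classes: uppercase, lowercase, numeric, non-alphanumeric.
    classes = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()]
    if not all(any(f(c) for c in candidate) for f in classes):
        problems.append("missing character class")
    if candidate.lower() in WORDLIST:
        problems.append("dictionary word")
    # history is ordered oldest to newest; only recent generations are blocked.
    if any(matches(candidate, r) for r in history[-HISTORY_GENERATIONS:]):
        problems.append("reuses a recent password")
    return problems

def is_expired(last_changed, today):
    """Ageing rule: True once the password is older than MAX_AGE."""
    return today - last_changed > MAX_AGE

def reactive_audit(accounts):
    """Periodic sweep: accounts whose stored hash matches a wordlist entry."""
    return sorted(user for user, rec in accounts.items()
                  if any(matches(w, rec) for w in WORDLIST))
```

The reactive audit finds weak passwords only after they are in use, which is why it is paired with the proactive check at registration time.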
