Foundation Topics
Exploring Security Fundamentals
A “secure network” is a moving target. As new vulnerabilities and new methods of attack are discovered, a relatively unsophisticated user can potentially launch a devastating attack against an unprotected network. This section begins by describing the challenges posed by the current security landscape. You will learn about the three primary goals of security: confidentiality, integrity, and availability.
This section also explains traffic classification and security controls. You will learn how to respond to a security violation and consider the legal and ethical ramifications of network security.
Why Network Security Is a Necessity
Network attacks are evolving in their sophistication and in their ability to evade detection. Also, attacks are becoming more targeted and have greater financial consequences for their victims.
Types of Threats
Connecting a network to an outside network (for example, the Internet) introduces the possibility that outside attackers will exploit the network, perhaps by stealing network data or by impacting the network’s performance (for example, by introducing viruses). However, even if a network were disconnected from any external network, security threats (in fact, most of the probable security threats) would still exist.
Specifically, according to the Computer Security Institute (CSI) in San Francisco, California, approximately 60 to 80 percent of network misuse incidents originate from inside the network. Therefore, although network isolation is rarely feasible in today’s e-business environment, even physical isolation from other networks does not ensure network security.
Based on these factors, network administrators must consider both internal and external threats.
Internal Threats
Network security threats originating inside a network tend to be more serious than external threats. Here are some reasons for the severity of internal threats:
■ Inside users already have knowledge of the network and its available resources.
■ Inside users typically have some level of access granted to them because of the nature of their job.
■ Traditional network security mechanisms such as Intrusion Prevention Systems (IPS) and firewalls are ineffective against much of the network misuse originating internally.
External Threats
Because external attackers probably do not have intimate knowledge of a network, and because they do not already possess access credentials, their attacks tend to be more technical in nature. For example, an attacker could perform a ping sweep on a network to identify IP addresses that respond to the series of pings. Then, those IP addresses could be subjected to a port scan, in which open services on those hosts are discovered. The attacker could then try to exploit a known vulnerability to compromise one of the discovered services on a host. If the attacker gains control of the host, he could use that as a jumping-off point to attack other systems in the network.
Fortunately, network administrators can mitigate many of the threats posed by external attackers. In fact, the majority of this book is dedicated to explaining security mechanisms that can defeat most external threats.
Scope of the Challenge
The “2007 CSI/FBI Computer Crime and Security Survey” is a fascinating document that provides insight into trends in network attacks from 2004 to 2007. A copy of this document can be downloaded from http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf. As an example of the information contained in this document, Figure 1-1 shows the average number of security incidents reported by 208 respondents for the years 2004 to 2007. Notice that the percentage of respondents reporting more than 10 incidents in a year dramatically increased in 2007.
Figure 1-1 Incidents in the Past 12 Months (Source: “2007 CSI/FBI Computer Crime and Security Survey”)
The following is a further sampling of information contained in the survey:
■ The average financial loss from computer crime/security incidents increased from $168,000 in 2006 to $350,424 in 2007.
■ Of the survey respondents who reported one or more attacks, 18 percent of those attacks were “targeted” attacks (that is, an attack not targeting the general population).
■ Before the 2007 report, viruses were the leading contributor to financial losses for seven years in a row. However, in the 2007 report, viruses fell to the second leading cause of financial losses, with financial fraud rising to the number one factor.
Nonsecured Custom Applications
The vast majority (approximately 75 percent) of network attacks target specific applications, as opposed to lower-layer attacks. One reason attacks have become more targeted is the trend of attackers to be more motivated by profit, rather than by the fame or notoriety generated by creating a virus, for example. Unfortunately, because many organizations use custom applications (often not written with security in mind), these applications can be prime attack targets.
[Figure 1-1 bar chart: x-axis Number of Incidents (1 to 5, 6 to 10, More than 10, Unknown); y-axis Percent of Respondents (0 to 50)]
Attacks on custom applications are not as preventable as attacks on “well-known” applications, which periodically release security patches and updates. Another concern for some organizations is complying with regulatory mandates about protecting company data (for example, customer credit card information).
The Three Primary Goals of Network Security
For most of today’s corporate networks, the demands of e-commerce and customer contact require connectivity between internal corporate networks and the outside world. From a security standpoint, two basic assumptions about modern corporate networks are as follows:
■ Today’s corporate networks are large, interconnect with other networks, and run both standards-based and proprietary protocols.
■ The devices and applications connecting to and using corporate networks are continually increasing in complexity.
Because almost all (if not all) corporate networks require network security, consider the three primary goals of network security:
■ Confidentiality
■ Integrity
■ Availability
Confidentiality
Data confidentiality implies keeping data private. This privacy could entail physically or logically restricting access to sensitive data or encrypting traffic traversing a network. A network that provides confidentiality would do the following, as a few examples:
■ Use network security mechanisms (for example, firewalls and access control lists [ACL]) to prevent unauthorized access to network resources.
■ Require appropriate credentials (for example, usernames and passwords) to access specific network resources.
■ Encrypt traffic such that an attacker could not decipher any traffic he captured from the network.
Integrity
Data integrity ensures that data has not been modified in transit. Also, a data integrity solution might perform origin authentication to verify that traffic is originating from the source that should be sending it.
Examples of integrity violations include
■ Modifying the appearance of a corporate website
■ Intercepting and altering an e-commerce transaction
■ Modifying financial records that are stored electronically
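The integrity and origin-authentication goals described above can be demonstrated with a keyed message authentication code. The following is an added example, not code from the book; it uses Python's standard hmac and hashlib modules with a constructed shared key and a constructed e-commerce order string, and it shows that a receiver holding the key detects both an altered transaction and a message tagged by someone who does not hold the key. Note that an HMAC provides integrity and origin authentication only; it does not provide confidentiality, so the order itself is still readable in transit.

```python
import hmac
import hashlib

# Constructed demo key shared by sender and receiver (not a real credential).
SHARED_KEY = b"constructed-demo-key-not-for-production"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over message using the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    expected = tag_message(key, message)
    return hmac.compare_digest(expected, tag)


def demo():
    """Return (legit_ok, altered_ok, forged_ok) for three delivery scenarios."""
    # Constructed e-commerce transaction as it leaves the sender.
    order = b"order_id=1001&item=router&qty=1&amount=199.00"
    tag = tag_message(SHARED_KEY, order)

    # 1. Unmodified order with the sender's tag: integrity and origin check pass.
    legit_ok = verify_message(SHARED_KEY, order, tag)

    # 2. Order altered in transit (amount changed) but original tag kept:
    #    the recomputed tag no longer matches, so the integrity check fails.
    tampered = order.replace(b"199.00", b"1.00")
    altered_ok = verify_message(SHARED_KEY, tampered, tag)

    # 3. Order tagged by a party that does not hold the shared key:
    #    origin authentication fails even though the order text is unchanged.
    forged_tag = tag_message(b"wrong-key", order)
    forged_ok = verify_message(SHARED_KEY, order, forged_tag)

    return legit_ok, altered_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The constant-time comparison (hmac.compare_digest) matters in a receiver that verifies many tags: a byte-by-byte early-exit comparison would leak how many leading bytes of a guessed tag were correct.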
Availability
The availability of data is a measure of the data’s accessibility. For example, if a server were down only five minutes per year, it would have an availability of 99.999 percent (that is, “five nines” of availability).
Here are a couple of examples of how an attacker could attempt to compromise the availability of a network:
■ He could send improperly formatted data to a networked device, resulting in an unhandled exception error.
■ He could flood a network system with an excessive amount of traffic or requests. This would consume the system’s processing resources and prevent the system from responding to many legitimate requests. This type of attack is called a denial-of-service (DoS) attack.
Categorizing Data
Different data requires varying levels of security (for example, based on the data’s sensitivity). Therefore, organizations often adopt a data classification system to categorize data. Each category can then be treated with a specific level of security. However, sometimes this data classification is not just a convenience. Sometimes organizations are legally required to protect certain classifications of data.
Classification Models
Although no single standard exists for data classification, organizations often benefit from examining classification models commonly used by government and many businesses.
Government and Military Classification Model
Table 1-2 provides an example of a data classification model, which is used by multiple governments and militaries.
Organizational Classification Model
Table 1-3 provides an example of an organizational data classification model.
Data Classification Characteristics
Table 1-4 offers a few characteristics by which data can be classified.
Table 1-2 Government and Military Data Classification Example

| Data Category | Description |
|---|---|
| Unclassified | Data that has few or no privacy requirements |
| Sensitive but unclassified (SBU) | Data that could cause embarrassment but not constitute a security threat if revealed |
| Confidential | Data that has a reasonable probability of causing damage if disclosed to an unauthorized party |
| Secret | Data that has a reasonable probability of causing serious damage if disclosed to an unauthorized party |
| Top-secret | Data that has a reasonable probability of causing exceptionally grave damage if disclosed to an unauthorized party |
NOTE In the U.S., Executive Order 12958 (available at http://www.whitehouse.gov/news/releases/2003/03/20030325-11.html) states that the U.S. government shall classify classified information into one of three levels: (1) Confidential, (2) Secret, and (3) Top-Secret.
Table 1-3 Organizational Data Classification Example

| Data Category | Description |
|---|---|
| Public | Information made available to the public (for example, through marketing materials) |
| Sensitive | Data that could cause embarrassment but not constitute a security threat if revealed |
| Private | Organizational information that should be kept secret and whose accuracy should be maintained |
| Confidential | Sensitive organizational information (for example, employee records) that should be protected with great care |
When determining a classification approach, define how many classification levels you need. Having too many classification levels can prove difficult to administer, whereas having too few classification levels lacks the granularity needed to classify a wide spectrum of data. As part of documenting your classification approach, you should also indicate who is responsible for securing data classified using your defined security levels.
Classification Roles
Different members of an organization must assume different roles to ensure the proper protection of classified data. Examples of these roles include the following:
■ Owner
— Initially determines the classification level
— Routinely reviews documented procedures for classifying data
— Gives the custodian the responsibility of protecting the data
■ Custodian
— Keeps up-to-date backups of classified data
— Verifies the integrity of the backups
— Restores data from backups on an as-needed basis
— Follows policy guidelines to maintain specific data
■ User
— Accesses and uses data in accordance with an established security policy
— Takes reasonable measures to protect the data he or she has access to
— Uses data for only organizational purposes
Table 1-4 Data Classification Characteristics

| Characteristic | Description |
|---|---|
| Value | How valuable the data is to the organization |
| Age | How old the data is |
| Useful life | How long the data will be considered relevant |
| Personal association | How personal the data is |
NOTE Some occasions necessitate the release of classified data. Such occasions include the need to comply with a court order, when working with certain government agencies, and when the release of the information is ordered by senior management.
Controls in a Security Solution
As just mentioned, the work of actually securing data is the responsibility of the custodian. However, if security is applied only through technical means, the results will not be highly effective. Specifically, because most attacks originating inside a network are not technical attacks, nontechnical mitigation strategies are required to thwart them. Cisco defines three security controls contained in a more all-encompassing security solution:
■ Administrative controls are primarily policy-centric. Examples include the following:
— Routine security awareness training programs
— Clearly defined security policies
— A change management system, which notifies appropriate parties of system changes
— Logging configuration changes
— Properly screening potential employees (for example, performing criminal background checks)
■ Physical controls help protect the data’s environment and prevent potential attackers from readily having physical access to the data. Examples of physical controls are
— Security systems to monitor for intruders
— Physical security barriers (for example, locked doors)
— Climate protection systems, to maintain proper temperature and humidity, in addition to alerting personnel in the event of fire
— Security personnel to guard the data
■ Technical controls use a variety of hardware and software technologies to protect data. Examples of technical controls include the following:
— Security appliances (for example, firewalls, IPSs, and VPN termination devices)
— Authorization applications (for example, RADIUS or TACACS+ servers, one-time passwords (OTP), and biometric security scanners)
NOTE Because this book focuses on Cisco-based security solutions, most of the mitigation strategies presented use technology controls.
Individual administrative, physical, and technical controls can be further classified as one of the following control types:
■ Preventive: A preventive control attempts to prevent access to data or a system.
■ Deterrent: A deterrent control attempts to prevent a security incident by influencing the potential attacker not to launch an attack.
■ Detective: A detective control can detect when access to data or a system occurs.
Interestingly, each category of control (administrative, physical, and technical) contains components for these types of controls (preventive, deterrent, and detective). For example, a specific detective control could be one of the following:
■ An administrative control, such as a log book entry that is required by a security policy
■ A physical control, such as an alarm that sounds when a particular door is opened
■ A technical control, such as an IPS appliance generating an alert
Responding to a Security Incident
Many deterrent controls might display warnings such as “Violators will be prosecuted to the fullest extent of the law.” However, to successfully prosecute an attacker, litigators typically require the following elements to present an effective argument:
■ Motive: A motive describes why the attacker committed the act. For example, was he a disgruntled employee? Also, potential motives can be valuable to define during an investigation. Specifically, an investigation might begin with those who had a motive to carry out the attack.
■ Means: With all the security controls in place to protect data or computer systems, you need to determine if the accused had the means (for example, the technical skills) to carry out the attack.
■ Opportunity: The question of whether the accused had the opportunity to commit the attack asks if the accused was available to commit the attack. For example, if the accused claims to have been at a ball game at the time of the attack, and if witnesses can verify this statement, it is less likely that the accused did indeed commit the attack.
Another challenge with prosecuting computer-based crime stems from the fragility of data. For example, a time stamp can easily be changed on a file without detection. To prevent such evidence tampering, strict policies and procedures for data handling must be followed. For example, before any investigative work is done on a computer system, a policy might require that multiple copies of the hard drive be made. One or more master copies could be locked up, and copies could also be given to the defense and prosecution for their investigation.
Also, to verify the integrity of data since a security incident occurred, you should be able to show a chain of custody. A chain of custody documents who has been in possession of the data (that is, the evidence) since a security breach occurred.
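The evidence-handling procedure described in the two paragraphs above (make copies, lock up a master, and keep a chain of custody) is commonly backed by a cryptographic hash of the master image, so that every later holder can prove the copy they received is bit-for-bit the one that was seized. The following is an added example, not code from the book: it uses Python's standard hashlib and a constructed stand-in for a disk image, records each hand-off in an append-only custody log, and flags the hand-off where a copy's hash no longer matches the master (here, a copy whose embedded timestamp was changed, the very kind of alteration the text warns about).

```python
import hashlib
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of an evidence image (or any byte string)."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one piece of evidence.

    Every transfer re-hashes the copy being handed over and compares it
    with the master hash taken at seizure, so tampering between hand-offs
    is detected at the next transfer.
    """

    def __init__(self, evidence_id: str, master_hash: str):
        self.evidence_id = evidence_id
        self.master_hash = master_hash
        self.entries = []

    def record_transfer(self, from_party: str, to_party: str,
                        copy_bytes: bytes, when: datetime = None) -> bool:
        when = when or datetime.now(timezone.utc)
        current = sha256_of(copy_bytes)
        intact = current == self.master_hash
        self.entries.append({
            "evidence_id": self.evidence_id,
            "from": from_party,
            "to": to_party,
            "time": when.isoformat(),
            "sha256": current,
            "matches_master": intact,
        })
        return intact

    def is_intact(self) -> bool:
        """True only if every recorded hand-off matched the master hash."""
        return all(e["matches_master"] for e in self.entries)


def demo():
    """Return the per-transfer results and the overall chain status."""
    # Constructed stand-in for a seized disk image; a real one would be the
    # raw device contents, hashed the same way.
    image = (b"CONSTRUCTED-DISK-IMAGE-v1|file=ledger.xls|"
             b"mtime=2007-03-25T10:00:00Z|body=quarterly-figures")
    master_hash = sha256_of(image)
    log = CustodyLog("HDD-001 (constructed id)", master_hash)

    # Fixed timestamp so the log is reproducible for this demo.
    t0 = datetime(2007, 3, 25, 10, 0, tzinfo=timezone.utc)

    # Hand-offs of faithful copies: both verify against the master hash.
    to_locker = log.record_transfer("first responder", "evidence locker", image, t0)
    to_defense = log.record_transfer("evidence locker", "defense counsel", image, t0)

    # A copy whose file timestamp was altered before hand-off: the hash
    # changes, so the transfer is recorded as not matching the master.
    altered = image.replace(b"10:00:00", b"11:00:00")
    to_prosecution = log.record_transfer("evidence locker", "prosecution analyst", altered, t0)

    return to_locker, to_defense, to_prosecution, log.is_intact()


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

In practice the master hash is written into the seizure paperwork (and ideally signed), and each custodian hashes the copy on receipt; the log then shows not only who held the evidence but at which hand-off it stopped matching.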
Legal and Ethical Ramifications
Some businesses must abide by strict government regulations for security procedures. Therefore, information security professionals should be familiar with a few fundamental legal concepts. For example, most countries classify laws into one of the following three types:
■ Criminal law applies to crimes that have been committed and that might result in fines and/or imprisonment for someone found guilty.
■ Civil law addresses wrongs that have been committed. However, those wrongs are not considered crimes. An example of civil litigation might involve patent infringement. Consequences to someone found to be in violation of a civil law might include an order to cease and desist the illegal activity and/or to pay damages.
■ Administrative law typically involves the enforcement of regulations by government agencies. For example, a company that misappropriated retirement funds might be found in violation of an administrative law. If a party is found to be in violation of an administrative law, the consequences typically are monetary, with the money being divided between the government agency and the victim.
In addition to legal restrictions, information security professionals should be bound by ethical guidelines. Ethical guidelines deal more with someone’s intent and conduct, as opposed to whether an act was technically legal.
Although the issue of ethics might seem more difficult to define, information security professionals have several formalized codes of conduct:
■ International Information Systems Security Certification Consortium, Inc. Code of Ethics
■ Computer Ethics Institute
■ Internet Activities Board (IAB)
Legal Issues to Consider
As a provider of network connectivity to customers, a service provider needs to be aware of potential liability issues. For example, if an e-commerce company lost a certain amount of business because of a service provider outage, the service provider might be found liable and have to pay damages.
Also, some countries are passing laws dictating how companies handle privacy issues. For example, the Notification of Risk to Personal Data Act in the U.S. requires companies and government agencies that conduct commerce between states to alert anyone whose personal data was revealed to someone not authorized to see it.
U.S. Laws and Regulations
With increased levels of terrorist activity on the Internet and an ever-increasing percentage of Internet connectivity for the world’s citizens, governments are forced to develop regulations and legislation covering information security. As a few examples, the U.S. government created the following regulations, which pertain to information security:
■ Gramm-Leach-Bliley Act (GLBA) of 1999: Did away with antitrust laws that disallowed banks, insurance companies, and securities firms from combining and sharing their information.
■ Health Insurance Portability and Accountability Act (HIPAA) of 2000: Provides assurance that the electronic transfer of confidential patient information will not be less secure than the transfer of paper-based patient records.
■ Sarbanes-Oxley (SOX) Act of 2002: Responded to corporate accounting scandals in an attempt to increase public trust in accounting and reporting practices.
■ Security and Freedom through Encryption (SAFE) Act: Permits any form of encryption to be used by people in the U.S.
■ Computer Fraud and Abuse Act: Developed to reduce malicious computing hacking, with an amendment to accommodate the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act.
■ Privacy Act of 1974: Protects the privacy of individuals and requires that they provide written permission for their information to be released.
■ Federal Information Security Management Act (FISMA) of 2002: Requires annual audits of network security within the U.S. government and affiliated parties.
■ Economic Espionage Act of 1996: States that the misuse of trade secrets is a federal crime.
International Jurisdiction Issues
A unique legal challenge for prosecuting information security offenses deals with jurisdictional issues. For example, an attacker in one country could launch an attack from a computer in another country that targets a computer in yet another country. The international