Every time a home PC or small home/office network goes online, it connects to thousands of unknown networks and millions of their users. Connecting to the Internet provides the opportunity to communicate and share information with others, but it also gives opportunities to Internet users who are involved in malicious activities. Many people believe that they don't possess anything that would be of interest to intruders. But in most computer attacks, such computers are used as launching pads to spread viruses, worms and other attacks; they serve as one link in a chain of multiple compromised systems.
Security concerns of a home or SOHO network are similar to those of big corporate networks. Faster Internet connections are becoming popular, and because they are "always on", these networks are becoming more exposed to attack. Possible attacks on SOHO and home networks include a Denial of Service (DoS) attack, a Distributed Denial of Service (DDoS) attack that uses SOHO networks, and accessing or destroying confidential information on the system. The only way to make a computer completely safe from online intruders is to turn it off or disconnect it from the Internet. According to the experts, use of firewalls is the best way of securing a computer network from online intrusion. Firewalls are the first line of defense in protecting computers. A firewall filters the network traffic on the basis of certain preset rules, hence protecting one network from another. However, there are other tools that can be used to protect networks, such as antivirus software and anti-hacker tools. Protecting personal computers with PC monitoring tools, file protection tools and password security tools further enhances the security of small networks.
After reading the last chapter, you might have gone and updated your computer with the appropriate patches and hotfixes. You might have even given encryption a try on some of your most sensitive materials. You are even careful to keep your computer locked up, away from those who mean you harm. There is, however, so much more to securing your computer. In this chapter, we will look at Internet security.
There are several issues that arise when talking about Internet security. In the last chapter, we talked a lot about patches and hotfixes, but in this chapter, I will focus mainly on protecting your computer from hackers.
Hackers have been around since the dawn of the Internet. Some hackers are benign; they actually work for computer security companies to find holes in software and provide better ways to protect computers and their owners. On the other side are the hackers with malicious intent, who steal your hard work and your personal and credit information for their own gain. Hackers are generally a smart crowd, and if you put enough obstacles in their way, they will move on to an easier target.
Before we get on to that, there is a little background information you should know. For those of you with dial-up, a hacker can only break into your computer while you are dialed in. That may seem obvious enough, but it is also a way to keep the computer safe: there is only a limited amount of time per day or week, depending on your personal Internet use habits, during which a hacker can get into your computer. A computer with DSL or a broadband connection is always connected to the Internet, so a hacker can come in at any time to steal your information. Don't get me wrong, it is not that those of you with dial-up need not worry about things such as firewalls, but I want to emphasize how important these steps are, especially to those of you with DSL or broadband Internet connections.
A hacker breaks into a computer by finding out that computer's IP address. The hacker sends out probes over the Internet looking for live IP addresses; if they find your computer, they look at what kind of security system you have. This is another advantage of the dial-up connection: every time you leave and come back, your IP address changes, making it harder for the hacker to track you down. For DSL and cable users, the IP address is always the same, making it very easy for a hacker to spot you and keep an eye on you. In any case, people often run their computers with multiple applications, like e-mail, web browsers, and maybe a word processing program, on the same IP address. Each of these applications has a port that identifies it on the computer. Hackers get into your computer by finding a port that has been left open due to poor security and using that port to access the rest of your computer.
People who use dial-up may be thinking that they are bulletproof, that no hacker can get to them, but this is not true. A hacker can use a "backdoor" or a "Trojan horse" to find the computer again. The hacker can install these programs, and if they are not given enough time to find what they are looking for on your computer, the Trojan horse will signal back to the hacker, so the hacker knows where to look without having to probe IP addresses hoping to find you specifically again.
Needed Computer Layers of Protection
As you may have already guessed, when it comes to Internet security, it is best to have more than one system of protection in place. In the wintertime, people layer their clothing to provide better protection against the elements. In much the same fashion, it is important to have several layers of protection around your software. This is important because computers are only software, man-made mechanisms that are sometimes fallible. Having several layers of protection allows you to safeguard against holes in any one piece of security software. What follows is a list of layers that any computer should have. Some of these you will already have; some of them you might not have thought of yet.
- Internet Service Provider. Make sure to choose an ISP that offers anti-virus and spam filters for your e-mail.
- Firewall. This is especially important if you have a cable or DSL modem. A firewall inspects every packet of information, whether trying to go out or trying to come in, to decide if that information should pass through.
- Sever the connection. There are several hardware products that will sever your Internet connection automatically when you stop surfing. This gives DSL and cable users the same protection that dial-up users get, with the convenience and speed of cable and DSL.
- Consider switching browsers and e-mail providers. Many security and privacy attacks are aimed at users of Windows and other Microsoft products. Switching to Linux or Macintosh can help protect you from such attacks. Most people won't do this, but if you were considering it anyway, think of this as another reason to make the switch.
- Disable printer sharing on your computer. The connection here may not seem apparent. This option was intended for local area networks (LANs) that are assumed to be secure. Left enabled on a computer exposed to the Internet, it can allow others to gain full access to the computer's hard drive.
- Never give out passwords via e-mail. This may seem obvious, but never, ever give out a password via e-mail. E-mail can be read by others, and, perhaps more dangerously, hackers can send you e-mail that appears to come from your boss's computer. If your boss or an IT person needs your password, give them a call or walk down to their office to tell them.
Hacking and Cracking
In the early years of computers, hacking had a positive connotation in the computing field. Computer wizards and geniuses from MIT and Stanford proudly claimed the hacker title. 'To hack' was to figure out something that a normal programmer could not think of. However, the meaning of this term has changed in recent times. Today, hacking is associated with individuals who maliciously invade computer systems without authorization, whether to get someone's credit card number, to get into somebody's bank accounts, or just for the fun of doing so. Crackers and script-kiddies are two other commonly used terms for those involved in the break-in or disruption of an online service.
Data communication is based on a set of handshakes to ensure the smooth and reliable flow of information. A hacker who sits between a client and a server and is able to spoof (illegally duplicate) the IP address and sequence numbers can attack either machine in several ways. The hacker can disable one of the machines and take the identity of the other, or can mimic either machine and carry on conversations impersonating the other. A hacker could also attach additional information to a client request and strip the corresponding additional response from the packet before forwarding the remaining response to the client's original request. All this is done while having access to information that is assumed to be going back and forth between two 'trusted' systems. All electronic transmissions, such as e-mail, Internet and intranet traffic, can theoretically be monitored. Since most computers are part of one or more networks, spying on data transmissions is a major concern.
Hackers can include both outsiders and insiders, and security problems can occur in any networked environment. Many of the problems are related to the exploitation of the original design of the TCP/IP suite of internetworking protocols, but the majority of them are due to configuration or operator errors. Although current losses due to hacker attacks are significantly smaller than losses due to insider theft and sabotage, the hacker problem is widespread and serious. Industrial espionage often involves the use of hacking techniques and can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries. Foreign industrial espionage carried out by a government is often referred to as economic espionage.
Recent years have seen a rapid growth of the Internet and online transactions. It is estimated that online transactions will reach well over a trillion dollars in the coming years. With such high stakes, it makes sense for all parties involved to secure the Internet. Haphazard handling of financial and personal information can lead to the Internet being constantly associated with fraud and privacy abuses instead of being a viable commerce medium.
Threats and Attacks Defined
Modern computer systems, linked by national and global networks, face a variety of threats and attacks that can result in significant financial and information losses. These threats vary considerably, from threats to data integrity resulting from accidental, unintentional errors and omissions to threats from malicious hackers attempting to crash a system.
Threats can be seen as potential violations of security; they exist because of vulnerabilities, i.e. weaknesses, in a system. Computer systems are vulnerable to many threats, which can inflict various types of damage resulting in significant losses. There are two basic types of threats: accidental threats, which result either in an exposure of confidential information or in an illegal system state, and attacks, which are intentional threats.
Accidental Threats
Accidental threats to security can be generated by system malfunctions, bugs in software or operational mistakes. Users, data entry clerks, system operators, and programmers frequently make unintentional errors, which contribute to security problems directly and indirectly. Sometimes the error (such as a data entry error or a programming error) causes a system to crash, while in other cases the error creates vulnerabilities. These exposures can emerge from both hardware and software failures as well as from user and operational mistakes, and result in a violation of the confidentiality of the information or resource. For example, a threat to security could occur if a confidential or important mail reaches the wrong person unintentionally.
Threats in the form of errors can occur in all phases of the system life cycle. Programming and development errors, often called bugs, range in severity from benign to catastrophic. Installation and maintenance errors can also cause security problems. These errors and omissions are important threats to data integrity. In the past decade, software quality has improved, reducing this threat, yet there are instances when even the most sophisticated programs and software have failed.
Another kind of accidental loss is the loss of supporting infrastructure, which includes power failures, loss of communications, water outages and leaks, sewer problems, fire, flood, civil unrest, strikes, and so forth. Such losses include events like the World Trade Center attacks and the Chicago tunnel flood, along with more common events such as a broken water pipe. A loss of infrastructure often results in system downtime and loss of information and resources.
Attacks
An attack is an intentional threat: an action performed by an entity with the intention to violate security. Examples of attacks are destruction, modification, fabrication, interruption or interception of data. An attack is a violation of data integrity and often results in disclosure of information (a violation of the confidentiality of the information) or in modification of the data. An attacker can gain access to sensitive information by attacking in several steps, where each step involves an illegal access to the system. An intentional threat can be caused by an insider or an outsider, who may be a spy, hacker, corporate raider, or disgruntled employee.
Any attack on the security of a system can be either a direct or an indirect attack. A direct attack aims directly at the desired part of the data or resources; several components in a system may be attacked before the intended (final) information can be accessed. In an indirect attack, information is received from or about the desired data/resource without directly attacking that resource. Indirect attacks are often troublesome in database systems, where it is possible to derive confidential information by posing indirect questions to the database. Such an indirect attack is often called inference.
Passive Attacks
Passive attacks are made by monitoring a system performing its tasks and collecting information. In general, it is very hard to detect passive attacks since they do not interact with or disturb normal system functions. Monitoring network traffic, CPU and disk usage, etc., are examples of passive attacks. Encryption of network traffic can only partly solve the problem, since even the presence of traffic on a network may reveal some information. Traffic analysis, such as measuring the length, time and frequency of transmissions, can be very valuable in detecting unusual activities.
Active Attack
An active attack changes the system behavior in some way. Examples of active attacks include inserting new data; modifying, duplicating or deleting existing data in a database; deliberately abusing system software to cause it to fail; and stealing magnetic tapes. A simple operation such as the modification of a negative acknowledgment (NACK) from a database server into a positive acknowledgment (ACK) could result in great confusion and/or damage. Active attacks are easier to detect if proper precautions are taken.
Covert Channels
A covert channel is a simple and effective mechanism for sending and receiving information between machines without alerting any firewalls and IDSs on the network. It is an unprotected channel that can be used to send confidential information to unauthorized entities and thereby violate security. In general, it is very hard to identify covert channels in a system since they can be of many different types:
- Message length variations during transmissions
- Time and length of transmissions
- Presence and size of files
- Creation time for objects
- Modulation of disk usage
- CPU time usage, etc.
This technique derives its stealthy nature from the fact that it sends traffic through ports that most firewalls permit through. In addition, it can bypass an IDS by appearing to be an innocuous packet carrying ordinary information (when in fact it is concealing its actual data in one of the several control fields in the TCP and IP headers). Mandatory encryption of communication does not prevent the use of a covert channel by any entity to send information to another entity. Covert channels can further be classified as timing channels and storage channels. Timing channels are those covert channels that modulate a resource in time, while storage channels are those channels where actions like creation of objects reveal information to other entities.
It is very hard to completely eliminate covert channels in a system. A covert channel with a high bandwidth constitutes a higher threat than a covert channel with a low bandwidth; so most security mechanisms try to reduce the bandwidth of these channels as much as possible. Even a covert channel with a bandwidth as low as 100 baud is in some environments considered to be dangerous. However, actions to limit covert channel bandwidths always limit system performance. For example, in order to avoid the length of messages from being used as an information carrier, all messages can be forced to be of equal length. The problem with this method is that it reduces the available bandwidth of the network as well.
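As an added example (not code from the original text), the following Python shows the message-length countermeasure just described: every message is carried in a frame of one fixed size, so the length seen on the wire no longer varies. It also includes a small entropy calculation that puts a number on how much an observer who watches only lengths could learn per message before and after the padding, which is the "bandwidth" the text says such measures try to reduce. The frame size of 256 bytes and the sample messages are constructed for illustration.

```python
import math
from collections import Counter
from typing import List

FRAME = 256   # constructed fixed frame size; every message on the wire has this length


def frame(msg: bytes, size: int = FRAME) -> bytes:
    """Wrap msg in a fixed-size frame: 2-byte big-endian length, payload, zero padding.

    A message that does not fit is rejected rather than split, because the number
    of frames a sender emits would itself become a (lower-bandwidth) length signal.
    """
    if len(msg) > size - 2:
        raise ValueError("message does not fit in one frame")
    body = len(msg).to_bytes(2, "big") + msg
    return body + b"\x00" * (size - len(body))


def unframe(f: bytes) -> bytes:
    """Recover the original message from a frame produced by frame()."""
    n = int.from_bytes(f[:2], "big")
    return f[2:2 + n]


def length_entropy_bits(lengths: List[int]) -> float:
    """Shannon entropy of the observed length distribution, in bits per message.

    This is an upper bound on what an observer who sees only lengths learns
    per message; 0 means every message had the same length.
    """
    total = len(lengths)
    return -sum((c / total) * math.log2(c / total) for c in Counter(lengths).values())


# Constructed sample traffic: the unpadded lengths vary, the framed ones do not.
SAMPLE = [b"yes", b"no", b"maybe", b"yes"]


def leak_before_and_after(messages=SAMPLE):
    """Return (bits per message leaked by raw lengths, bits leaked after framing)."""
    raw = [len(m) for m in messages]
    padded = [len(frame(m)) for m in messages]
    return length_entropy_bits(raw), length_entropy_bits(padded)


if __name__ == "__main__":
    before, after = leak_before_and_after()
    print(f"length leak: {before:.2f} bits/message unpadded, {after:.2f} bits/message framed")
```

The cost is exactly the one the text names: a three-byte reply now occupies 256 bytes of link capacity, and timing (when frames are sent, and how many) is untouched, so this closes one storage-style channel without claiming to remove the timing channels listed above.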
Dealing with Attacks
To deal with any sort of threat or attack on the security of computers, there must be proper security mechanisms in place. A security mechanism is a method, tool, or procedure used to implement the rules stated in the security policy. By specifying "secure" and "non-secure" actions in the security policy, these mechanisms can help in preventing, detecting and recovering from any attack. The strategies may be used together or separately. Security mechanisms can be classified as prevention, detection and recovery mechanisms. Within each group there are many mechanisms available, each focusing on a specific kind of threat and dealing with a specific form and aspect of security.
A security prevention mechanism is one that enforces security during the operation of a system by preventing a security violation from occurring. Examples include restricting physical access to servers and machines, or using access control mechanisms based on encryption to prevent unauthorized users from accessing objects. Usually prevention involves implementing mechanisms that users cannot override and that are trusted to be implemented in a correct, unalterable way, so that the attacker cannot defeat the mechanism by changing it. Preventive mechanisms are often very cumbersome and interfere with system use to the point that they hinder normal use of the system. However, some simple prevention mechanisms, such as passwords (to prevent unauthorized users from accessing the system), have become widely accepted.
A detection mechanism is used to detect both attempts to violate security and successful security violations, when or after they have occurred in a system. The goal of the detection mechanism is to determine that an attack is underway, or has occurred, and report it. Alarms can be used to detect unauthorized physical access, and audit trails can be used to detect unusual system activities after they have occurred. Typical detection mechanisms monitor various aspects of the system, looking for actions or information indicating an attack. A good example of such a mechanism is one that gives a warning when a user enters an incorrect password three times. The login may continue, but an error message in a system log reports the unusually high number of mistyped passwords. The resources protected by the detection mechanism must be monitored continuously or periodically.
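As an added example (not from the original text), here is a Python sketch of the detection mechanism described above, run over a handful of constructed log lines: it counts failed logins per user inside a short time window, writes a warning once the count reaches three, and notes a subsequent successful login for that user. It is detection only, so the login is never blocked. The log format, the threshold of three and the five-minute window are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List

# Constructed sample log lines in a made-up syslog-like layout; they are not
# taken from any real system.  Two failures for alice, then a burst for admin.
SAMPLE_LOG = """\
2004-03-01 09:14:02 login: FAILED user=alice from=192.168.1.20
2004-03-01 09:14:09 login: FAILED user=alice from=192.168.1.20
2004-03-01 09:14:15 login: OK user=alice from=192.168.1.20
2004-03-01 22:30:01 login: FAILED user=admin from=203.0.113.9
2004-03-01 22:30:04 login: FAILED user=admin from=203.0.113.9
2004-03-01 22:30:07 login: FAILED user=admin from=203.0.113.9
2004-03-01 22:30:10 login: OK user=admin from=203.0.113.9
"""

LINE = re.compile(r"^(\S+ \S+) login: (FAILED|OK) user=(\S+) from=(\S+)$")


def failed_login_alerts(log: str, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Detection only: the login is allowed to continue, but the log gets a warning.

    One WARNING per user the first time `threshold` failures fall inside `window`,
    plus a NOTICE if that user then logs in successfully, since a success right
    after a burst of failures is the event an administrator most wants to see.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerted = set()
    alerts: List[str] = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # unrelated log line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        q = recent[user]
        if outcome == "FAILED":
            q.append(ts)
            while ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append(f"{ts} WARNING: {len(q)} failed logins for {user} "
                              f"within {window} (last from {src})")
        elif user in alerted:
            alerts.append(f"{ts} NOTICE: successful login for {user} from {src} "
                          f"after earlier failure burst")
    return alerts


if __name__ == "__main__":
    for a in failed_login_alerts(SAMPLE_LOG):
        print(a)
```

Run against the sample, alice's two mistakes stay below the threshold and produce nothing, while admin's three failures in six seconds produce the warning and the following success is flagged. The window matters: without it, three typos spread over a year would look the same as a burst.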
A recovery mechanism restores the system to its state before the security violation and is normally used after a violation has been detected. For example, if the attacker deletes a file, a recovery mechanism could be to restore the file from backup tapes. In practice, recovery is far more complex due to the unique nature of each attack. Moreover, the attacker may return, so recovery involves identifying and fixing the vulnerabilities used by the attacker to enter the system. In some cases, retaliation (by attacking the attacker's system or taking legal action) is part of recovery.
It is also possible to build mechanisms that belong to several of these categories. A program registering all unusual system activities, and thus working as a detection mechanism, may also prevent security breaches from occurring simply because it exists. In a system with a total lack of vulnerabilities, where the security prevention mechanisms fully implement all rules stated in the security policy, there would be no need for detection and recovery mechanisms.
Below are a few techniques and tools that help in implementing these security mechanisms.
Physical Access Security
The first line of defense locally to protect network equipment such as servers, switches, and routers is to keep them in a locked, climate controlled, and fire protected environment. If equipment is not physically accessible to unauthorized personnel, there is less chance of accidental or intentional tampering. It is important that access to critical system components such as the server is restricted to a small number of individuals (usually the administrator and a backup administrator). The server should be located in a locked room to which access is restricted. Other considerations should include protection of equipment against theft, fire, and electrical hazards.
Login / Password Security
One of the main computer security elements is login names and passwords. Every system uses some form of password authentication and therefore must store a representation of the password in order to check whether a logon attempt is valid. Login and password security policy requires that any user accessing a workstation or server have a valid login ID and password. Windows NT, Windows 2000, Windows XP, Novell NetWare, and UNIX all have specific requirements for creating and changing passwords. The system administrator can also require that passwords be changed periodically. Setting screen savers that time out and activate the workstation lock is an additional measure that enhances login security. If the hardware manufacturer supports it, one can also set a NetBIOS password. This password is hardware dependent, less trivial to bypass than other passwords, and comes up before an interloper has access to anything.
It has been common knowledge for quite some time that login name and password authentication schemes are inherently weak. Users usually choose bad passwords (i.e., ones that can easily be guessed), write passwords down, mail passwords to co-workers, or share passwords freely by telephone. For this reason, high security environments do not rely on password authentication alone, but combine password security with smart cards or biometric authentication systems (fingerprint, voice or iris scan).
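Added example (not the page's own code) of how a system can keep a representation of the password rather than the password itself, as the text describes, and refuse the easily guessed passwords it warns about: PBKDF2 from Python's standard library with a random per-user salt, a constant-time comparison at logon, and a tiny constructed deny-list. The iteration count and the deny-list are assumptions for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster
# Constructed deny-list standing in for a real dictionary of common passwords.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}


def is_weak(password: str) -> bool:
    """Reject the easily guessed choices the text warns about: short or on the list."""
    return len(password) < 8 or password.lower() in COMMON


def make_record(password: str) -> str:
    """Return the stored representation: algorithm, work factor, salt and derived key.

    The password itself is never written anywhere; the random salt means two users
    with the same password get different records, so one cracked record does not
    reveal the other.
    """
    if is_weak(password):
        raise ValueError("password is too easy to guess")
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(record: str, attempt: str) -> bool:
    """Recompute the derived key for a logon attempt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print("good attempt:", verify(rec, "correct horse battery staple"))
    print("bad attempt: ", verify(rec, "letmein"))
```

Storing the iteration count inside the record lets the work factor be raised later without invalidating existing users: old records keep verifying with their recorded count and can be rewritten at their next successful logon.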
Anti-Virus Software
In the last few years, with the extensive use of the Internet, networks, and e-mail, computers have become more vulnerable to virus attacks and threats. A virus can spread any time files are shared on a local system or the Internet and can do tremendous damage to individual PCs and network servers. Therefore, an early detection and prevention mechanism is very important for the security of the computer. Using antivirus software is a good way to detect viruses, and it is advisable to use antivirus software on network operating systems and workstations for adequate protection.
Antivirus software is a program that searches computer systems for any known or potential viruses. Antivirus programs are intended to prevent and detect viruses. Antivirus software may work in different ways and ranges from large security packages to small programs designed to handle a specific virus. While some software is designed to scan hard disks and floppy disks for infected programs, other software checks for any changes in files and alerts the user if there are changes, which might indicate an infection. Antivirus software is very helpful in detecting viruses that are already in a system or that are attempting to enter a system, and in alerting the user to take action. Antivirus software can be set up to run automatically each time a computer boots or an executable is run, and it can be executed manually in case of a virus attack or threat.
Remote Access Security
Remote access means using any of the resources of a network (file server, printers, workstations) from a remote location, that is, a location not directly attached to the network. Remote access presents particular security risks of unauthorized system access. In remote access, the remote computer takes over a computer connected to the network and operates that computer remotely. Actual data traffic remains on the network between the PC that is being controlled and the rest of the network; only screen images, keystrokes, and mouse motion are sent across the remote link. Because the remote user is invisible, any formal or informal security measures operating at the workplace are not effective. The remote user has access not only to network resources, but also to local resources on the controlled workstation.
Simple password protection is not at all reliable for remote access systems. Over the modem, all users are equally unknown. Also, remote access typically occurs during off hours, when the intruder has plenty of time to experiment and to try multiple passwords and avenues of access, all unnoticed. Some systems erect extensive barriers to penetration, including limiting modem access to a restricted set of programs and files. A system with external access is, however, never fully secure against smart intruders. External access can be restricted by means of automatic callback systems. With such systems, users must provide the system with pre-authorized telephone numbers from which they can call the system. Under this mechanism, when a user calls and identifies himself to the system, the system calls him back at one of the pre-authorized numbers before access is allowed.
Internet Firewalls
Firewalls are an excellent tool for securing a network. A firewall is a system designed to prevent unauthorized access to or from a private network; it basically limits access to a network from another network. A firewall can be implemented in hardware or software, or a combination of both, and either denies or allows outgoing traffic (egress filtering) and incoming traffic (ingress filtering).
In an organizational setup, firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. A firewall should be the first line of defense in protecting the availability, integrity, and confidentiality of data in the computing environment. While a company may use packet-filtering routers for perimeter defense and host-based firewalls as an additional line of defense, in the home environment, the personal firewall plays a key role by defending the network and individual host perimeters.
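As an added illustration (not code from the original text, and not any real firewall product's rule format), the following Python models the ingress/egress filtering described above and in the "Firewall" layer earlier: rules are evaluated top to bottom, the first match wins, and anything not matched is dropped. It also keeps a small table of the connections the LAN opened so that replies get in, which is what distinguishes a stateful personal firewall from a plain packet filter. The LAN range 192.168.1.0/24, the sample rules and the test addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = ingress (arriving from the Internet), "out" = egress
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # CIDR; the default matches every source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport))


LAN = "192.168.1.0/24"   # constructed home LAN sitting behind the firewall

# Constructed rule set. Order matters: the first matching rule decides.
RULES: List[Rule] = [
    # Keep Windows file/printer sharing (NetBIOS/SMB ports) unreachable from outside.
    Rule("in", "deny", "tcp", dport=139),
    Rule("in", "deny", "tcp", dport=445),
    # Let the LAN browse the web and resolve names; nothing else leaves.
    Rule("out", "allow", "tcp", src=LAN, dport=80),
    Rule("out", "allow", "tcp", src=LAN, dport=443),
    Rule("out", "allow", "udp", src=LAN, dport=53),
]


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # (lan_host, lan_port, remote_host, remote_port, proto) of connections the
        # LAN opened; replies to these are admitted without an explicit ingress rule.
        self.flows = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "allow"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.direction == "out":
                    self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return r.action
        return "deny"   # implicit default deny: unmatched traffic never passes


if __name__ == "__main__":
    fw = Firewall(RULES)
    print(fw.decide(Packet("in", "tcp", "203.0.113.5", 40000, "192.168.1.10", 445)))   # deny
    print(fw.decide(Packet("out", "tcp", "192.168.1.10", 51000, "198.51.100.7", 443)))  # allow
    print(fw.decide(Packet("in", "tcp", "198.51.100.7", 443, "192.168.1.10", 51000)))   # allow (reply)
```

The default-deny at the end is the important design choice: a host with nothing explicitly opened is reachable only by replies to its own connections, which is the "closed port" posture the text recommends for always-on DSL and cable links.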
Encryption
Physical access to a computer or network can give unauthorized persons access to sensitive data. To protect certain data from being released inappropriately, it should be encrypted before transmission. Encryption means translating the data into a secret code reversible only by an authorized user with the required key (or password). The process of recovering the encrypted data is known as decryption. Unencrypted data is called plain text and encrypted data is referred to as cipher text. However, it should be noted that data encryption is a compute-intensive process and should be used only when necessary.
Encryption can limit disclosure of sensitive information, but distribution of encryption keys can be a burden and the data may be compromised if key distribution is not handled appropriately. An encryption or decryption key may be distributed via a user authentication system. When a program provides inadequate security or extra protection is needed for some data or documents, an encryption/decryption program may be a useful tool.
Data Backups
Backup is the act of copying files to a second medium such as a diskette, Zip drive or tape, as a precaution in case the first medium (the hard disk) fails. Data backup provides a way to protect data in case of a physical problem with the computer system such as a hard disk failure or power failure. It is vitally important to back up software and key files, since even the most reliable computer is apt to break down eventually. There are many techniques for backing up files, depending on the type of data, the convenience of the recovery process, etc. The basic types of backups that can be performed are:
Normal or full backups: All files that have been selected are backed up, regardless of the setting of the archive attribute. When a file is backed up, the archive attribute is cleared. If the file is later modified, this attribute is set, which indicates that the file needs to be backed up. With this type of backup, it's easy to find files when required: since full backups include all data on the hard drive, one doesn't have to search through several disks or tapes to find the files to restore. The drawback of full backups is that they are redundant. Since most of the files on the system rarely change, each backup following the first is mostly a copy of what has already been backed up. Full backups also take longer to perform and can be very time consuming.
Differential backups: Designed to create backup copies of files that have changed since the last normal backup. The presence of the archive attribute indicates that the file has been modified, and only files with this attribute are backed up. However, the archive attribute on the files isn't modified. This allows the user to perform other types of backups on the files at a later date. In comparison to full backups, differential backups take less time. Hence, they provide more efficient restores. However, differential backups are also redundant: each day's backup stores much of the same information plus the latest information added or created since the last full backup.
Daily backups: A daily backup is designed to back up files using the modification date on the file itself. If a file has been modified on the same day as the backup, the file will be backed up. This technique doesn't change the archive attribute of files.
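The three backup types above differ only in which files they select and whether they clear the archive attribute. The following Python is an added example (not from the original text) that simulates that bookkeeping over three constructed files across three days, so the redundancy of differential backups and the independence of daily backups from the attribute can be seen directly. File names and dates are made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class File:
    name: str
    modified: date
    archive: bool = True   # the operating system sets this whenever the file is written


def modify(files: Dict[str, File], name: str, on: date) -> None:
    """Simulate writing to a file: update its date and set the archive attribute."""
    files[name].modified = on
    files[name].archive = True


def full_backup(files: Dict[str, File]) -> List[str]:
    """Copy every file regardless of the attribute, then clear the attribute on each."""
    copied = sorted(files)
    for f in files.values():
        f.archive = False
    return copied


def differential_backup(files: Dict[str, File]) -> List[str]:
    """Copy files flagged since the last full backup; leave the attribute as it is."""
    return sorted(n for n, f in files.items() if f.archive)


def daily_backup(files: Dict[str, File], today: date) -> List[str]:
    """Copy files whose modification date is today; the attribute is neither read nor changed."""
    return sorted(n for n, f in files.items() if f.modified == today)


def simulate() -> Dict[str, List[str]]:
    """Three constructed files over three days; returns what each backup would contain."""
    day0, day1, day2 = date(2004, 3, 1), date(2004, 3, 2), date(2004, 3, 3)
    files = {n: File(n, day0) for n in ("a.doc", "b.xls", "c.txt")}
    out: Dict[str, List[str]] = {}
    out["full_day0"] = full_backup(files)            # everything; flags cleared
    modify(files, "a.doc", day1)
    out["diff_day1"] = differential_backup(files)    # a.doc only
    out["daily_day1"] = daily_backup(files, day1)    # a.doc only
    modify(files, "b.xls", day2)
    out["diff_day2"] = differential_backup(files)    # a.doc again plus b.xls: the redundancy
    out["daily_day2"] = daily_backup(files, day2)    # b.xls only
    return out


if __name__ == "__main__":
    for label, names in simulate().items():
        print(f"{label:10s} {names}")
```

Restoring from day 2 therefore needs only the full backup plus the latest differential, whereas a scheme built on daily backups alone would need the full backup plus every daily set since, which is the trade-off between backup size and restore convenience the text describes.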
Disaster Recovery Plan
In today's interconnected economy, organizations are more vulnerable than ever to the possibility of technical difficulties disrupting business. Disaster recovery has taken on a new sense of urgency in recent years. Emerging issues like terrorism, hackers, computer viruses, an increased reliance on computers, and the increasing occurrence of emergencies and disasters have all led to an increased need to prepare for disasters that can affect the availability, integrity, and confidentiality of critical business resources. Disaster recovery planning is the technological aspect of business continuity planning. Disaster Recovery can be defined as the ability to respond to an interruption in services by implementing a disaster recovery plan to restore an organization's critical business functions. It incorporates not only planning for any imaginable type of disaster that may hinder the operations of a business, but also putting measures in place to avoid such disaster altogether. Disaster might be something huge like an earthquake or the terrorist attacks on the World Trade Center (that affected everything from telephones to the New York Stock Exchange) or something comparatively small like system/software failure caused by a computer virus. Disaster recovery strategies can include the use of alternate sites, redundant data centers, disaster insurance, business impact analyses and legal liabilities.
Audits
Security audits should be performed periodically by larger organizations to ensure that the organization and its users are following the security policy and preparing adequately for disaster recovery. A security audit also determines issues such as risk to the business, breaches in information security, etc. A security audit checks whether the computer/network is vulnerable to intruders (both insiders and outsiders) through an in-depth series of interviews and configuration checks. If the audit identifies any weaknesses in the company's security status, it recommends pragmatic ways of implementing a security policy that will help protect personnel and vital data.