Chapter 2: Security Trends - PowerPoint PPT Presentation

Provided by: matt293

Transcript and Presenter's Notes

1
Chapter 2: Security Trends
  • Evolution of computing and security
  • Areas that fall under the security umbrella
  • Information warfare
  • Management and security
  • Internet and web activities
  • A layered approach to security
  • Politics, laws, and education

2
Evolution of computing and security
  • Mainframe era
  • The only computers were a few mainframes, which
    were used for specialized tasks.
  • Users accessed the mainframes through dumb
    terminals.
  • There was little threat of security breaches or
    of vulnerabilities being exploited at that time.
  • Why?

3
Evolution of computing and security (2)
  • Because
  • A handful of people, who knew how to operate the
    computer, worked in a closed environment.
  • Although some mainframes were networked, it was
    done in a crude fashion for specific tasks.
  • The operating systems of that time had problems,
    software bugs, and vulnerabilities, but not many
    people were interested in taking advantage of
    them.

4
Evolution of computing and security (3)
  • PC and networking era (1980 -- )
  • Personal computers (PCs) became more efficient
    and cheaper
  • The functionality of the systems grew, and various
    applications were developed
  • Millions of individuals had access to computers
  • Millions of computers were networked, giving birth
    to the client/server computing model
  • Many security issues emerged
  • Data got corrupted accidentally due to individual
    mistakes, unexpected inputs, and malicious
    attempts.

5
Evolution of computing and security (4)
  • The computing world keeps evolving
  • advance of hardware → more powerful computers →
    software w/ richer functionality → advance of
    hardware
  • Computers are powerful tools
  • The vast capabilities and functionalities that
    computers have brought to society have also
    brought complex and troubling methods of
    destruction, fraud, abuse, and insecurity.

6
Areas that fall under the security umbrella
  • Security has a wide base: technology, hardware,
    people, and procedures are woven together
  • Several strands of the security fabric may need
    to be unraveled and scrutinized when identifying
    and resolving a specific problem

7
Information warfare
  • Information warfare: any action to deny, exploit,
    corrupt, or destroy the enemy's information and
    its function, while at the same time protecting
    one's self against those same actions.
  • We are increasingly dependent on computer/network
    technology for communication, funds
    transfers, utility management, government
    services, military action, and maintaining
    confidential information.

8
Information warfare (2): How are nations affected?
  • A majority of the military vehicles, weapons
    systems, and communication systems are controlled
    by computer systems
  • Today's soldiers need to operate the new
    technology-driven weapons systems, to defend
    these systems from attacks, and possibly to use
    them to attack the enemy's defense system
  • Critical infrastructures and industries, such as
    power grid and communication channels, are
    controlled by computer systems. Most governments
    have recognized this vulnerability and have
    started taking steps to evade these types of
    attacks.

9
Information warfare (3): How are companies affected?
  • Many companies are finding out how security
    affects their bottom line in ways they never
    expected.
  • If a company suffers a security breach, it will
    have to deal with a wide range of issues, such as
    being sued by its customers.
  • Organizations have had trade secrets and
    intellectual property stolen by employees who
    left to work for a competitor.
  • One way a company can lose money and time is
    through its lack of readiness to react to a
    situation.
  • To get a good insurance rate, companies must
    prove that they have a solid security program and
    that they are doing all that they can to protect
    their own investments.

10
Information warfare (4): The Evolution of Hacking
  • Hacking: what is hacking anyway?
  • Joyriding hacking, profit-driven hacking, and
    ethical hacking
  • Hacker profiles: baby hacker, tool hacker, and
    godfather hacker
  • Not only is hacking activity on the rise, but the
    sophistication of the attacks is advancing
  • Stealing financial information and military secrets
  • Extortion
  • Phishing
  • Defacing web sites

11
Information warfare (5): The Evolution of Hacking
  • A majority of attacks are using methods that have
    been understood for quite some time and for which
    fixes have been readily available.
  • Some attacks are identified and reported
  • Many organizations do not report hacking activity
    because they are afraid of hurting their
    reputation and losing the faith of their customer
    base
  • Other attacks are not even realized or identified

12
Information warfare (6): The Evolution of Hacking
  • The trends of hacking
  • More vulnerabilities are uncovered every week
  • Many more people are interested in trying out the
    exploits
  • Serious hackers will build a profile of the
    victim, study the environment, and uncover access
    points
  • The hacking tools are easy to access and use
  • Ethical hacking
  • The belief that system cracking for fun and
    exploration is ethically acceptable as long as
    the hacker commits no theft, vandalism, or
    breach of confidentiality.

13
Management and Security
  • Management myth: security is the responsibility of
    the IT department
  • Management lacks an understanding of what
    information and enterprise security entails
  • Management incorrectly assumes that information
    security is a technical issue
  • Information security is a management issue that
    may require technical solutions.

14
Management and Security (2)
  • What is good security?
  • Ans: Good security is planned, designed,
    implemented, maintained, and able to evolve.
  • Security has to be in line with the company's
    business goals and objectives
  • A top-down approach should be applied
  • (it used to be a bottom-up approach)
  • Management needs to understand security issues
    and how security affects the company and its
    customers.
  • Proper resources, time and funding can be
    provided.
  • The management staff will be held accountable for
    company security

15
Internet and web activities
  • The Internet opened the door to the possibility
    of mass communication
  • It provides layers of functionality and potential
    for individuals and businesses all around the
    world.
  • Companies connected their networks to the
    Internet and brought their services to the Web
  • It also opens the door to others who are
    interested in finding out more about the
    company's network topology and the applications
    being used, and in accessing confidential
    information

16
Internet and web activities (2): Evolution of web servers
  • Phase 1: Initially, a web server was just another
    server on the Internet.
  • Static web pages were used.
  • Phase 2: With databases, web servers can provide
    dynamic web pages.
  • Accepting orders, holding confidential customer
    information, answering online queries, etc.
  • To enhance security, web servers were moved to
    demilitarized zones (DMZs), i.e. perimeter networks
  • (2-tier architecture)

17
Web servers in DMZ

18
Internet and web activities (3): Evolution of web servers
  • Phase 3: 3-tier architecture
  • As more customers were able to access back-end
    data and corrupt it accidentally or
    intentionally, companies added more layers of
    protective software and physical layers.
  • 3-tier architecture is more appropriate for
    holding bank or credit card information
  • The back-end tier is the database storing
    confidential information
  • The middle tier comprises application servers
    running middleware, which takes the heavy
    processing task off the front-line servers and
    provides a layer of protection.
  • The front-end tier server farm accepts users'
    queries, passes them to the middle tier, and
    then presents the results.

19
3-tier architecture

20
Internet and web activities (4): Evolution of web servers
  • Features in 3-tier architecture
  • The two layers of firewalls should each support a
    different security policy. If an attacker gets
    through the first firewall, the second firewall,
    with a more restrictive setting, could catch it.
  • Databases are configured to accept requests only
    from predefined roles (such as accounting,
    administrators)
  • The intruder cannot make a request because she
    is not a member of one of the predefined roles.
  • Is it secure after deploying a 3-tier architecture
    web service?

21
Internet and web activities (5): Evolution of web servers
  • Ans: No! Attacks can still take place at the
    protocol, component, or service level of an OS or
    application.
  • e.g., DDoS/DoS attacks, buffer overflows,
    spoofing
  • Example
  • Vulnerabilities in MS IIS: some known problems
    were ignored.
  • In spite of all the efforts of setting up the
    right infrastructure, configuring the necessary
    firewalls, running IDSs properly, and disabling
    unnecessary ports and services, the unpatched
    IIS servers were attacked.
  • What can we learn from this?

22
Internet and web activities (6): Evolution of web servers
  • A partial list of vulnerabilities that lie in
    web-based activities
  • Incorrect configurations at the firewall
  • Web servers that are not hardened or locked down
    and are open to attacks on the operating system
    or applications
  • Middle-tier servers that do not provide the right
    combination and detailed security necessary to
    access back-end databases in a controlled manner
  • Databases and back-end servers that accept
    requests from any source
  • Databases and back-end servers that are not
    protected by another layer of firewalls
  • Failure to run IDSs to watch for suspicious
    activity
  • Failure to disable unnecessary protocols and
    services on computers
  • Failure to keep the computers patched and up to
    date
  • Etc.
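
Added example (not part of the original slides): a small audit that checks firewall allow rules and database grants against the 3-tier features on slide 20 and the weaknesses listed on slide 22. The address plan, the "outer"/"inner" firewall names, the rule format, and the sample data are all constructed assumptions.

```python
from ipaddress import ip_network

# Constructed address plan for the three tiers (assumption, not from the slides).
FRONT = ip_network("10.0.1.0/24")    # front-end web server farm
MIDDLE = ip_network("10.0.2.0/24")   # application servers running middleware
BACK = ip_network("10.0.3.0/24")     # back-end databases
# Each protected tier may only be reached from the tier directly in front of it.
ALLOWED_SOURCE = {MIDDLE: FRONT, BACK: MIDDLE}
PREDEFINED_ROLES = {"accounting", "administrators"}  # roles named on slide 20

# Constructed allow rules: (firewall, source, destination, port).
# Assumption: "outer" faces the Internet, "inner" guards the middle and back tiers.
SAMPLE_RULES = [
    ("outer", "0.0.0.0/0", "10.0.1.0/24", 443),      # Internet -> front: expected
    ("inner", "10.0.1.0/24", "10.0.2.0/24", 8443),   # front -> middle: expected
    ("inner", "10.0.2.0/24", "10.0.3.0/24", 5432),   # middle -> back: expected
    ("inner", "10.0.1.0/24", "10.0.3.0/24", 5432),   # front -> back skips a tier
    ("outer", "0.0.0.0/0", "10.0.3.0/24", 5432),     # any source -> database
]
SAMPLE_GRANTS = ["accounting", "administrators", "public"]


def audit(rules, db_grants):
    """Return findings for allow rules and DB grants that break the 3-tier model.

    rules: (firewall, source CIDR, destination CIDR, port) allow entries.
    db_grants: role names the database accepts requests from.
    """
    findings = []
    for fw, src, dst, port in rules:
        src_net, dst_net = ip_network(src), ip_network(dst)
        for tier, expected in ALLOWED_SOURCE.items():
            if not dst_net.overlaps(tier):
                continue
            if not src_net.subnet_of(expected):
                findings.append(f"{fw}: {src} -> {dst}:{port} reaches a "
                                f"protected tier from outside {expected}")
            if fw != "inner":
                findings.append(
                    f"{fw}: {dst}:{port} is not behind the second firewall")
    for role in sorted(set(db_grants) - PREDEFINED_ROLES):
        findings.append(f"database: role '{role}' is not a predefined role")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, SAMPLE_GRANTS):
        print(line)
```

The first three sample rules follow the tier-by-tier flow and produce no findings; the last two rules and the "public" grant are the misconfigurations the audit reports.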

23
A layered approach to security
  • Vulnerabilities can take place at different
    layers
  • A layered approach: implement different
    layers of protection to protect networks from
    different types of attacks.
  • The layers include programming code, protocols,
    OS, application configurations, anti-virus
    programs, etc.

24
A layered approach to security (2): File access protection in a layered approach
  • Configure application, file, and registry access
    control lists (ACLs) to provide more granularity
    to users' and groups' file permissions
  • Configure the system default user rights (in a
    Windows environment) to give certain types of
    users certain types of rights
  • Consider the physical security of the environment
    and the computers, and apply restraints where
    required
  • Place users into groups that have implicit
    permissions necessary to perform their duties and
    no more
  • Draft and enforce a strict logon credential
    policy so that not all users are logging on as
    the same user
  • Implement monitoring and auditing of file access
    and actions to identify any suspicious activity

25
A layered approach to security (3): An architectural view
  • We should look at the data flow in and out of the
    environment, how this data is being accessed,
    modified, and monitored at different points, and
    how all the security solutions relate to each
    other in different situations.
  • Why do we need to take an architectural view?

26
A layered approach to security (4): An architectural view
  • Ans:
  • Each individual security component could be
    doing its job by protecting its piece of the
    network, but the security function may be lost
    when it is time to interrelate or communicate
    with another security component.

27
Politics, laws, and education
  • Most countries have their own way of evaluating
    and testing the security and assurance of a
    system or device.
  • The United States has used the Trusted Computer
    System Evaluation Criteria (TCSEC), which is
    referred to as the Orange Book.
  • The Europeans have the Information Technology
    Security Evaluation Criteria (ITSEC).

28
Politics, laws, and education (2)
  • Different countries' legal systems are meeting
    many unprecedented challenges with regard to
    computer security.
  • It is hard for a judge or jury to declare who is
    guilty or innocent in a computer crime because
    they are not educated on these types of crimes.
  • Law enforcement faces a lack of personnel
    skilled in computer technology and
    computer forensics
  • More security training needs to be integrated into
    business, networking, programming and engineering
    classes.
  • Anyone who is considered a security specialist
    has to have the interest and discipline to teach
    himself security issues.