Security and Distributed Work Efforts - PowerPoint PPT Presentation

1
Security and Distributed Work Efforts
  • David Frohman
  • B AD 64046
  • Kent State University
  • Spring, 2002

2
Overview
  • Introduction
  • Foundation and Description of the Problem
  • Identification and Authentication
  • Distributed Work Technology Methods and Security
  • Security Evaluation Criteria
  • How Much Security is Enough?

3
Introduction
  • Networked computing is not a new concept.
  • For many years users have linked computers
    together to share files, save information, and
    communicate.
  • In the 1990s client/server computing became
    popular.
  • The application software sat on a user's computer
    and communicated with a server which stored the
    database information.

4
Introduction
  • At the same time client/server computing was
    popular, large corporate enterprise groups were
    developing distributed systems.
  • Distributed systems were linked by vendor
    specific software and protocols or communicated
    in a neutral way across heterogeneous platforms.

5
Introduction
  • With the growing popularity with the Internet in
    the 1990s, Internet based protocols became the
    preferred means to implement distributed
    computing.
  • Likewise, we will refer to the sharing of
    processes across multiple workstations to achieve
    a shared result, the setting for our discussion
    of security in collaboration, as a distributed
    work effort.

6
Consequences of Our Information
  • They can destroy
      • Information
      • Executable programs
      • Operating systems
      • Our computing or system resources
  • They can steal
      • Information
      • Service
      • Hardware
      • Software

7
Consequences of Our Information
  • They can disclose
      • Information to which they have no right or need
      • Information to unauthorized personnel for
        personal gain or for other motivations
      • How to let others use resources not intended
        for outside use
  • They can cause service disruptions or
    interruptions
      • By causing physical or logical damage to the
        system
      • By improperly denying access to legitimate users

8
Sources of Security Threats
  • External Threats
      • Hackers (now terrorism?)
      • Corporate espionage
      • Government-sanctioned espionage
      • Vendors
      • Former employees
  • Internal Threats
      • Disgruntled employees
      • Unintentional losses or security breaches
      • Hackers
  • Evidence has shown internal threats cause the
    most concern.

9
Top 10 Challenges to Securing Your Network
(Diagram labels: Authentication Server, Business Partner Site, Remote and Mobile Employees, Intranet Gateways, Directory Server, Internet Gateway, Management Console, Web Server Pool, Branch office)
  • 1) Protecting your corporate network resources
    against internal and external threats.
  • 2) Providing worldwide connectivity for your
    mobile and remote employees.
  • 3) Using the Internet to lower your wide area
    data communication costs.
  • 4) Providing your business partners with
    selective network access through a secure
    extranet.
  • 5) Guaranteeing your secure network's
    performance, reliability and availability.
  • 6) Defining and enforcing user-level security
    policies across your network.
  • 7) Immediately detecting and responding to
    attacks and suspicious activity against your
    network.
  • 8) Securely and efficiently managing your
    network's IP address infrastructure.
  • 9) Implementing an open security solution that
    enables integration with industry-leading and
    custom applications.
  • 10) Managing the total cost of ownership across
    your secure network.

10
Definitions
  • Security
      • Protection of assets.
      • Risk analysis.
  • Security is comprised of three elements
      • Prevention
      • Detection
      • Reaction

11
Definitions
  • Computer Security is comprised of three elements
      • Confidentiality: secrecy and privacy.
      • Integrity: no person, authorized or otherwise,
        shall corrupt data.
      • Availability: product services are accessible
        when needed and without undue delay.
  • Authenticity (subject to argument)
      • Both data and users are subject to entity
        reassurance.
  • Accountability (varying definitions)
      • Selective audit information is kept so that
        security aspects can be traced to specific
        users.

12
Dieter Gollmann
  • Course director for the MSc in Information
    Security at Royal Holloway, University of London,
    1992-1997.
  • Wrote the book Computer Security, which grew out
    of his lecture notes.
  • Joined Microsoft Research in Cambridge as a
    researcher in Information Security.

13
Definition of Security According to Dieter
Gollmann
  • Security
  • Computer security deals with the prevention and
    detection of unauthorised actions by users of a
    computer system.

14
Fundamental Dilemma of Computer Security
  • Security-unaware users have security
    requirements.
  • Most users do not have security expertise.
  • The dilemma is met with targets of evaluation and
    ease of use.
  • Risk analysis results in an engineering
    trade-off.

15
Fundamentals of Computer Security
  • 1) Should protection mechanisms focus on data,
    operations, or users?
  • 2) An IT system consists of 5 layers.
      • Applications
      • Services
      • Operating System
      • OS Kernel
      • Hardware
  • In which layers should security mechanisms be
    placed?
  • 3) Assurance versus simplicity trade-off. Which
    is more important?
  • 4) Centralized versus Decentralized controls.
    Where should the responsibility of defining
    security reside?
  • How does an implementor prevent access to layers
    below security?

16
Security Lifecycle
  • The security lifecycle follows this path.

Assessment -> Design -> Deployment -> Management

17
Identification and Authentication
  • First step is identification.
  • Usually a login name and password.
  • Second step is authentication.
  • The process of verifying a claimed identity.
  • Authentication can be one time or repeated.
  • Three threats
      • Password Guessing
      • Password Spoofing
      • Compromise of the password file

18
Choosing Passwords
  • Critical to keeping probability low for guessing
    valid passwords.
  • Two guessing strategies
      • Exhaustive search (brute force)
      • Intelligent search (typically dictionary attack)

19
Password Defenses
  • Set a password - an unset password gives an
    attacker an unchallenged entry method.
  • Change default passwords.
      • Software comes with default passwords for ease
        of setup.
  • Password length - require minimum password
    lengths.
  • Password formats - password maintenance routines
    that test for mixed case and other formats.
  • Avoid obvious passwords - attackers frequently
    harbor lists of popular passwords to aid in
    dictionary attacks.

20
Further Password Measures
  • Password Checkers
      • Tools that check password updates against a
        database of weak passwords.
  • Password Generation
      • Automatic password generation producing random
        pronounceable passwords. Users are not allowed
        to pick their own passwords.
  • Password Aging
      • Sets an expiration date on user passwords. Once
        a user has reached a predefined password
        timeout the user is forced to change their
        password.

21
Further Measures Contd
  • Limit Login Attempts
      • Reduces password guessing by locking the user
        account after a predefined number of tries.
  • Inform User
      • After a successful login the number of failed
        login attempts and last login date is
        displayed.
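The password defenses of slides 19 to 21 combined into one checker, as an added example that is not part of the presentation: minimum length and mixed-format checks, rejection of vendor defaults and of entries in a weak-password list, password aging, a login-attempt limit, and the failed-attempt notice shown after a successful login. The word lists, thresholds and account records are constructed sample data.

```python
# Added example (not from the presentation): password policy checks and
# login-attempt tracking for the defenses on slides 19-21. The weak-password
# list, vendor-default list, thresholds and accounts are constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WEAK_PASSWORDS = {"password", "123456", "letmein", "qwerty", "welcome1"}  # slide 20 checker list
DEFAULT_PASSWORDS = {"admin", "changeme", "default", "manager"}            # slide 19 vendor defaults
MIN_LENGTH = 10            # slide 19: minimum password length
MAX_AGE_DAYS = 90          # slide 20: password aging
MAX_FAILED_ATTEMPTS = 5    # slide 21: lock the account after this many tries


def check_password(candidate: str) -> list[str]:
    """Return the policy violations for a proposed password (empty = acceptable)."""
    problems = []
    if not candidate:                                   # slide 19: set a password
        problems.append("password is unset")
    if candidate.lower() in DEFAULT_PASSWORDS:          # slide 19: change defaults
        problems.append("vendor default password")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_lower and has_upper and has_digit):     # slide 19: format check
        problems.append("must mix upper case, lower case and digits")
    if candidate.lower() in WEAK_PASSWORDS:             # slide 20: password checker
        problems.append("appears in the weak-password list")
    return problems


@dataclass
class Account:
    name: str
    password_set_on: date
    failed_attempts: int = 0
    last_login: Optional[date] = None
    locked: bool = False


def new_account(name: str, password_set_on: str) -> Account:
    """Create an account record; dates are ISO strings such as '2002-01-01'."""
    return Account(name, date.fromisoformat(password_set_on))


def password_expired(acct: Account, today: date) -> bool:
    """Password aging: true once the password is older than MAX_AGE_DAYS."""
    return today - acct.password_set_on > timedelta(days=MAX_AGE_DAYS)


def record_login(acct: Account, success: bool, today: str) -> str:
    """Apply the login-attempt limit and build the message shown to the user."""
    now = date.fromisoformat(today)
    if acct.locked:
        return "account locked; contact the administrator"
    if not success:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "account locked after too many failed attempts"
        return "login failed"
    # Slide 21 "inform user": report failed attempts since the last good login.
    msg = (f"welcome {acct.name}; {acct.failed_attempts} failed attempts "
           f"since last login on {acct.last_login}")
    acct.failed_attempts = 0
    acct.last_login = now
    if password_expired(acct, now):
        msg += "; password has expired and must be changed"
    return msg
```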

22
Spoofing Attacks
  • A legitimate or illegitimate user presents a fake
    login screen to the user.
  • An intermediate program captures the user's
    genuine password and either presents a fake error
    page or hands over execution to the genuine
    program.

23
Spoofing Attack Prevention
  • Display the number of failed logins.
      • Makes the user suspicious of a failed first
        login.
  • Trusted Path
      • Guarantee that the user is communicating with
        the intended program or operating system.
      • Windows NT has CTRL+ALT+DEL.
  • Mutual Authentication
      • In a distributed system this can require
        authentication at a more local level.

24
Protecting the Password File
  • Cryptographic Protection
  • Access control enforced by the operating system.
  • Combination of cryptographic and access control.
  • Further enhancements to slow down dictionary
    attacks.
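Slide 24's three layers applied to a small password file, as an added example that is not from the presentation: each record carries a random per-user salt and a PBKDF2-stretched hash (cryptographic protection, with the iteration count as the dictionary-attack brake), and the file is written owner-only (access control enforced by the operating system). The record format, iteration count, POSIX permission model and sample users are assumptions of this example.

```python
# Added example (not from the presentation): a password file protected as
# slide 24 describes. The user:iterations:salt:hash record format, iteration
# count and sample users are constructed for this illustration (POSIX file modes).
import hashlib
import hmac
import os
import stat

ITERATIONS = 100_000   # key stretching: every guess must pay this many HMAC rounds


def make_record(username: str, password: str, iterations: int = ITERATIONS) -> str:
    """Hash one password with a fresh random salt (cryptographic protection)."""
    salt = os.urandom(16)      # per-user salt defeats precomputed dictionaries
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:{iterations}:{salt.hex()}:{digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the hash from the stored salt and iterations; compare in constant time."""
    _, iterations, salt_hex, stored_hex = record.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), stored_hex)


# Used for unknown users so that a lookup miss costs the same as a real check.
DUMMY_RECORD = make_record("-", "dummy")


def write_password_file(path: str, records: list) -> int:
    """Write the records readable and writable by the owner only (access control
    enforced by the operating system). Returns the permission bits actually set."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(records) + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)       # 0o600 even if the file pre-existed
    return stat.S_IMODE(os.stat(path).st_mode)


def lookup(path: str, username: str) -> str:
    """Return the stored record for a user, or an empty string if absent."""
    with open(path) as f:
        for line in f:
            if line.split(":", 1)[0] == username:
                return line.strip()
    return ""


def authenticate(path: str, username: str, password: str) -> bool:
    """Check a login against the file; unknown users fail exactly like bad passwords."""
    record = lookup(path, username)
    if not record:
        verify(DUMMY_RECORD, password)   # burn the same time, then fail
        return False
    return verify(record, password)
```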

25
Alternative Approaches
  • Single Sign-on
      • Ease of use trade-off with security
        considerations.
  • Alternatives to passwords
      • Based on something you know.
      • Based on something you hold.
      • Based on who you are.
      • Based on what you do.
      • Based on where you are.

26
Distributed Systems Security
  • Also known as heterogeneous or federated systems.
  • Moving from a centralized to distributed system
    has an impact on security.
  • Communication is no longer a private issue
    between user and host.

27
Stanford Incident Type Comparison
28
Distributed System Security Policy
  • Three options for authentication and access
    control decisions.
      • Authentication based on the user's identity.
      • The network address the user operates from.
      • The distributed service the user is invoking.
  • Once the policies are sorted out the issue
    becomes how to enforce them.

29
Distributed Security Enforcement
  • Once distributed security policies are worked out
    the issue becomes
      • Where the user is authenticated.
      • Where the access control issue is resolved.
  • For centralized authentication and access control
    decisions the "where" answer could be
      • Authentication servers
      • Ticket granting servers
      • Install a firewall
  • For locally controlled authentication and access
    control decisions enforcement can be left to the
    individual operating systems or individual
    applications.

30
World Wide Web Security
  • The WWW changed the nature of distributed
    computing.
  • Separation of data and program is abolished with
    interactive web pages.
  • Computation is moved to the client.
  • Distributed computing allows code to move from
    user to user.
  • Users must configure their own security
    implementations.

31
World Wide Web Security
  • Web Browsers
      • Disclose information to the server, causing
        privacy concerns and revealing potential
        weaknesses.
      • Default settings are a potential security
        problem.
      • Caches and history can cause security problems
        on shared terminals.
      • Must protect verification, encryption, and
        signature keys from disclosure.
      • Integrated services such as email can be used
        to circumvent security.
      • Browsers are tending to become more integrated
        into the operating system and can run with
        system privileges.

32
Further WWW Issues
  • CGI Scripts
      • Executable code addressable from a web request.
  • Cookies
      • Store information locally on the user's
        computer as a result of the statelessness of
        the WWW.
      • Can be a privacy issue.
  • Certified Code
      • Uses certificates to verify the source of a
        document or executable.
      • Does not guarantee how it will run.
      • Certificates are kept in a list.
      • If the list can be modified, malicious code can
        run as trusted code.
      • Must know the issuer of the certificate for it
        to be any good.

33
Further WWW Issues (contd)
  • Java
      • Runs in a sandbox and has limited access to
        system resources.
      • Despite Sun's attempts to limit security
        problems, Java has had some incidents.
  • ActiveX
      • Can run with full system permissions.
      • Microsoft is not known to have a great security
        track record.
  • Intellectual Property Rights
      • Who is liable?

34
Viruses
  • Definition: a computer program that copies itself
    by attaching itself to other programs, thereby
    infecting them, and performing unwanted actions.
  • Viruses infect programs, while worms infect
    memory.
  • Only a few scanners are capable of catching all
    known viruses.
  • A time bomb is a program triggered by a date and
    time.
  • A logic bomb is a program triggered by some
    event.
  • Preventing virus and worm attacks is complex and
    usually requires a combination of policy and
    installation procedures.

35
Cryptography
  • In distributed systems traffic between clients
    and servers is an attractive target for intruders.
  • Three services are needed to ensure secure
    communications.
      • Data Confidentiality
      • Data Integrity
      • Data Origin Authentication
  • Cryptographic mechanisms used to ensure secure
    communications.
      • Encryption Algorithms
      • Integrity Check Functions (Cryptographic Hash
        Functions)
      • Digital Signatures

36
Network Security
  • Intermediate nodes between client and server can
    run sniffing programs to read personal and
    network data.
  • Network data could be manipulated to re-route
    packets or forge source addresses.
  • Some network protocols have security built into
    their layered composition.
  • IP version 4 does not have such security.

37
Network Security
  • IP version 6 has some security defined as IPSEC,
    RFC 1883.
  • IPSEC protects integrity and authenticity of IP
    datagrams but does not prevent traffic analysis
    or protect confidentiality.
  • Confidentiality can be protected by using IP
    encapsulation.
      • The data payload can be encrypted and inserted
        into an IP packet for transportation. Known as
        transport mode.
      • A VPN can be created by encrypting and
        encapsulating the IP packet into another with
        the IP address of an intermediary such as a
        firewall. Known as tunnel mode.

38
(No Transcript)
39
Network Security
  • SSL is a stateful connection-oriented transport
    protocol that resides between the application and
    TCP layers of the TCP/IP stack.
  • SSL was developed by Netscape to protect web
    traffic.
  • The IETF draft on Transport Layer Security is
    largely identical to SSL and both are now
    referred to as the SSL/TLS protocol.

40
Network Security
  • IPSEC and SSL/TLS secure nodes but a network may
    be insecure.
  • A firewall may be used to protect network
    boundaries.
  • Firewalls can perform packet filtering to
    restrict hosts and ports that can enter a
    network.
  • Firewalls can serve as proxy servers that only
    permit access to specific hosts on the Internet.

41
Network Security
  • Firewalls can log traffic activity.
  • A dual-homed firewall has both an external
    network interface attached to the extranet and
    another network interface card attached to the
    internal network.
  • A screened host firewall is a dual-homed firewall
    that screens traffic from the extranet and only
    allows traffic with an internal bastion host.
  • The bastion host performs access control
    decisions which results in better performance.
  • A screened subnet firewall is similar to a
    screened host firewall but allows for a DMZ.
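The screened-host design of slide 41 as a first-match packet filter with logging, an added example that is not from the presentation: external traffic may reach only the bastion host on the services it offers, internal source addresses arriving on the external interface are dropped as forged (slide 36), and anything unmatched is denied. Network addresses, interface names, the rule set and the sample packets are constructed.

```python
# Added example (not from the presentation): a first-match packet filter
# enforcing the screened-host policy of slide 41, logging every decision.
# Addresses, interface names, rules and sample packets are constructed.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed internal network
BASTION = "10.0.0.5"                      # constructed bastion host address
EXT_IF, INT_IF = "ext0", "int0"           # dual-homed: one interface per side


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet arrived on
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    iface: Optional[str] = None      # None matches anything
    src_net: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.src_net is None or ip_address(p.src) in ip_network(self.src_net))
                and (self.dst is None or p.dst == self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


# Screened host: the only internal address reachable from outside is the
# bastion, and only on the services it offers; everything else is denied.
SCREENED_HOST_RULES = [
    # Anti-spoofing (slide 36): internal source addresses never arrive from outside.
    Rule("deny", iface=EXT_IF, src_net=str(INTERNAL_NET)),
    Rule("allow", iface=EXT_IF, dst=BASTION, proto="tcp", dport=25),   # mail to bastion
    Rule("allow", iface=EXT_IF, dst=BASTION, proto="tcp", dport=80),   # web via bastion
    Rule("allow", iface=INT_IF, src_net=str(INTERNAL_NET)),            # outbound traffic
    # Default deny is applied when no rule matches.
]


def filter_packet(p: Packet, rules: list[Rule], log: list[str]) -> str:
    """Return 'allow' or 'deny' from the first matching rule and log the decision."""
    decision = "deny"
    for rule in rules:
        if rule.matches(p):
            decision = rule.action
            break
    log.append(f"{decision.upper()} {p.iface} {p.src} -> {p.dst} {p.proto}/{p.dport}")
    return decision
```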

42
Voice Systems
  • Data hackers steal information and damage
    systems.
  • Voice hackers steal telephone service.
  • Data people cannot pretend voice hacking is only
    a voice problem.
  • Voice hackers can get to data networks through
    the private branch exchange (PBX), or attack
    modem pools directly.
  • Voice mail systems and other services may be
    vulnerable to information theft.
  • In the landmark case of AT&T v. Jiffy Lube
    International, Jiffy Lube was responsible for
    unauthorized calls placed through Jiffy Lube's
    PBX. Jiffy Lube had created the vehicle by which
    those long distance calls became possible.

43
Network Security Policy
  • Demonstrates issues have been thought out and
    committed to paper.
  • Avoids claims of arbitrary enforcement.
  • Acts as a roadmap when an incident occurs.
  • All users regardless of position have the same
    security responsibilities.
  • Network security policies are not static.

44
Acceptable Use Policy
  • A minimal acceptable use policy should include
      • Password management, protection, and change
        rules.
      • Notice prohibiting the illegal duplication of
        software.
      • Antivirus policy with specific dos and don'ts.
      • Encouragement to use screen savers and
        automatic logout features.

45
Acceptable Use Policy
  • Rules regarding the use of organizational
    resources for personal use.
  • Penalties for violations, an annual review item,
    and other human resource concerns.

46
Security Evaluation
  • Users of products need assurance that the
    products they buy provide adequate security.
  • Users could
      • Trust the word of the manufacturer or service
        provider.
      • Test the system themselves.
      • Trust an assessment by a third party source.
  • Fortunately several standardized security
    evaluation criteria currently exist.

47
Security Evaluation Criteria
  • U.S. Trusted Computer System Evaluation Criteria
    (Orange Book)
  • European Information Technology Security
    Evaluation Criteria (ITSEC)
  • Canadian Trusted Computer Product Evaluation
    Criteria (CTCPEC)
  • Common Criteria for Information Technology
    Security Evaluation (CCEB)
  • All vary in definitions of security.

48
Orange Book
  • The U.S. Trusted Computer System Evaluation
    Criteria (Orange Book) was the first evaluation
    criteria to gain wide acceptance.
  • Many manufacturers still like to quote Orange
    Book ratings on some of their products.
  • A number of new criteria have been created to
    improve upon the Orange Book.
  • The Orange Book is still quoted to show how the
    older criteria fit into the new evaluation
    methods.

49
ITSEC
  • The European Information Technology Security
    Evaluation Criteria (ITSEC) is the result of
    Dutch, English, French, and German efforts to
    define national evaluation criteria.
  • The first draft was published in 1990 and was
    endorsed as an E.U. recommendation in 1995.
  • The Orange Book was found to be too rigid, and
    the ITSEC was created to deal with new security
    requirements as they arise.
  • The previous evaluation criteria provided a link
    between strength and assurance, whereas the ITSEC
    refers to effectiveness and correctness to
    provide this flexibility.

50
Common Criteria
  • Users that were not security experts found
    difficulty in determining security targets
    defined in the ITSEC evaluation criteria.
  • The Common Criteria for Information Technology
    Security Evaluation (CCEB) was the next step in
    the evolution chain.
  • The Common Criteria retained the linkage between
    function and assurance and provided guidance in
    determining evaluation classes.
  • The goal was to maintain as much flexibility as
    possible.

51
How Much Security is Enough?
  • The minimal amount of security is no security at
    all. This minimizes
      • Administration
      • Expense
      • Employee productivity loss
  • At the maximum extreme of security
      • Security is given priority over applications.
      • Security cost is given priority at the expense
        of the application budget which targets the
        organization's mission.
      • Administration cost is overwhelming.

52
How Much Security is Enough?
  • The system becomes so oppressive users begin to
    keep stuff in drawers, share shortcuts, and write
    down passwords.
  • Ultimately, oppressive security is self
    defeating.

53
How Much Security is Enough?
  • We need to find a balance between the two
    extremes.
  • The equilibrium is referred to as the security
    balance.
  • The security balance should secure our
    organizational mission, and take into account our
    organization's culture and way of doing things.

54
How Much Security is Enough?
  • Five principles to find the proper balance
  • Identify assets
  • Identify threats to assets
  • Identify vulnerabilities
  • Consider the risks
  • Take protective measures

55
How Much Security is Enough?
  • The principles of security balance result in the
    following relationships
      • Assets oppose threats
      • Protective measures oppose vulnerabilities
      • Risk can never be zero, so responsive action
        will eventually be required

56
How Much Security is Enough?
  • Additional Security Considerations
  • Time value of information
      • Some information is short lived and encryption
        cracking time may indicate adequate security.
      • Some information, such as stock quotes, may
        need to be delivered in a timely manner.
  • Expense to difficulty ratio
      • Deter dishonest attempts by making cracking so
        expensive and time consuming it would be
        better to access data legally.

57
How Much Security is Enough?
  • Additional Security Considerations (contd)
  • Baseline versus extended protection measures
      • Baseline includes standard security such as
        passwords, directory rights, etc.
      • Extended includes additional security such as
        encryption, authentication, firewalls,
        gateways, etc.
  • Risk Analysis
      • Either qualitative or quantitative

58
How Much Security is Enough?
  • Additional Security Considerations (contd)
  • Exposure analysis
  • Scenario analysis
  • Ask!
      • Questionnaires, etc.
      • Sometimes a user finds a security breach and
        does not tell anyone -- because no one ever
        asked.
  • Checklists
      • Save exotic and time-consuming analysis.
      • But, a shotgun approach.

59
How Much Security is Enough?
  • Additional Security Considerations (contd)
  • Gain management support
      • Conduct a brief analysis and present an
        objective case.
      • Weaknesses should note possible annual losses.
      • Management usually does not render an
        immediate decision.
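A quantitative risk analysis of the kind slides 57 and 59 call for, as an added example not taken from the presentation: each asset and threat pair gets an annual loss expectancy using the standard single-loss times annual-rate formula (which the slides do not spell out), protective measures are ranked by the loss they avoid minus their annual cost, and the residual loss is reported because risk never reaches zero (slide 55). All assets, loss figures, rates and costs are constructed.

```python
# Added example (not from the presentation): quantitative risk analysis for
# the security balance of slides 54-59. The ALE formula is the standard one,
# not from the slides; every figure below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    single_loss: float    # SLE: loss per incident, in dollars
    annual_rate: float    # ARO: expected incidents per year

    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float
    covers: str           # the threat this measure mitigates
    reduction: float      # fraction of the annual rate it removes (0..1)


# Constructed figures for a small organization (not from the presentation).
EXPOSURES = [
    Exposure("customer database", "password guessing", 50_000.0, 0.5),
    Exposure("PBX", "toll fraud", 20_000.0, 2.0),
    Exposure("desktop fleet", "virus infection", 5_000.0, 4.0),
]
MEASURES = [
    Measure("password checker and lockout", 4_000.0, "password guessing", 0.8),
    Measure("PBX audit and restricted outside dialing", 15_000.0, "toll fraud", 0.9),
    Measure("desktop antivirus", 25_000.0, "virus infection", 0.95),
]


def annual_losses(exposures: list) -> dict:
    """ALE per asset/threat pair: the 'possible annual losses' shown to management."""
    return {(e.asset, e.threat): e.ale() for e in exposures}


def rank_measures(exposures: list, measures: list) -> list:
    """Net annual benefit of each measure: ALE avoided minus its annual cost."""
    ranked = []
    for m in measures:
        avoided = sum(e.ale() * m.reduction for e in exposures if e.threat == m.covers)
        ranked.append((m.name, avoided - m.annual_cost))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def select_measures(exposures: list, measures: list) -> list:
    """Keep only measures whose avoided loss exceeds their cost (positive net benefit)."""
    worth_it = {name for name, net in rank_measures(exposures, measures) if net > 0}
    return [m for m in measures if m.name in worth_it]


def residual_loss(exposures: list, chosen: list) -> float:
    """Annual loss that remains after the chosen measures; never zero (slide 55)."""
    total = 0.0
    for e in exposures:
        remaining = e.ale()
        for m in chosen:
            if m.covers == e.threat:
                remaining *= 1.0 - m.reduction
        total += remaining
    return total
```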

60
References
  • 1. Dieter Gollmann, Computer Security, 1999,
    John Wiley & Sons
  • 2. Fred Simonds, Network Security, 1996,
    McGraw-Hill
  • 3. Technology Forecast 2001-2003, 2001,
    PricewaterhouseCoopers
  • 4. David Brumley, Computer Security in Higher
    Education, 2001,
    http://www.theorygroup.com/Theory/Talks/checo_2001/checo_2001.ppt
  • 5. Christopher Benson, Security Strategies, 2000,
    http://www.microsoft.com/technet/treeview/default.asp?url/technet/security/bestprac/bpent/sec1/secstrat.asp
  • 6. Terry Weaver, VPN Authentication Deployment
    Guide, 2002,
    http://www.enterasys.com/products/whitepapers/vpn/9012640.pdf
  • 7. Check Point Software Technologies Ltd., Top 10
    Challenges to Securing Your Network, 2000,
    http://cgi.us.checkpoint.com/rl/resourcelib.asp?state2
  • 8. MIS Corporate Defence Solutions Ltd., An
    Overview of Network Security Analysis and
    Penetration Testing, 2000,
    http://www.mis-cds.com/services/spirit/test/wp-over-pentest.pdf