
Shobit-MCA Sem II- Network Security and Cryptography (1)

Published by Teamlease Edtech Ltd (Amita Chitroda), 2023-05-18 05:49:20


• The existence of the Name, Speed and Range attributes in the Wing table is unclassified.
• The fact that the wing is to launch an attack is confidential, i.e. the existence of the Objective attribute in the Wing table is confidential.
• The speed and the range of each supersonic plane are unclassified.
• The speed and the range of X-43Z are confidential.
• The speed of Firefox is secret and the range is confidential.
• Mirage 2000 and Firefox objectives are secret. Other plane objectives are confidential.

Analyzing the above-mentioned facts suggests a model where tables, attributes and attribute values can be classified. The security level assigned to a table protects the existence of the table. The security level assigned to an attribute (column) protects the existence of the attribute in the table. The security level assigned to a primary key value protects the value itself and therefore the existence of the entity which is identified by the value. The security level assigned to a non-key attribute value protects the value itself. Knowing this, data contained in the Wing relation are classified as shown in table 4.10:

Fig. 5.14 Wing (u)

We can learn one important lesson from this simple example: designing a multilevel security prototype with fine granularity is not an insurmountable problem if the definitions of the affiliation between a granule of data and a security level are precisely defined. In the past, this method was not always followed. For example, one of the earliest multilevel security models for relational databases, SeaView (Denning et al., 1988), assigns security levels to rows as well as to primary key values. Regrettably, the semantics of such connections are not well established.

Inference Control

As we said before, the Bell & LaPadula rules are necessary to enforce the confidentiality policy but they are not sufficient. Covert channels can be used to disclose sensitive data. Many types of covert channels cannot be represented in the security model since many of them are due to implementation flaws. However, detecting and eliminating potential inference channels at the model stage is perfectly possible. There is an inference channel when highly classified data can be deduced from low classified data. In order to prevent unauthorized inferences, labelling the data with security levels has to be done carefully.

For example, the knowledge of "Objective is an attribute of the Wing table" discloses the knowledge of "the Wing table exists". Consequently, classifying the Wing table at a level which strictly dominates the level protecting the Objective attribute would create an inference channel. In fact, there should be an inference control rule in the security model saying that the security level protecting an attribute has to dominate the security level protecting the table.

Another example of a potential inference channel is the following: the knowledge of "the speed of Firefox is 6000 km" discloses the existence of Firefox. Consequently, classifying the primary key value Firefox at a level which strictly dominates the level protecting the speed value of Firefox would create an inference channel. Therefore, there should be an inference control rule in the model saying that the security level protecting an attribute value of a given row has to dominate the security level protecting the primary key value of that row.

Several such inference control rules have to be enforced when classifying the data in a relational database. The purpose of this paper is not to discover all these rules.
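The two rules above can be checked mechanically over a fine-grained labelling. The following is an added example, not code from the original text: it labels the Wing relation exactly as the section describes it, adds a constructed second labelling (BAD_WING) that opens both inference channels discussed above, and reports the offending granules. The third check (a value must also dominate its own attribute) is an assumption derived from the same principle, not a rule the section states.

```python
# Added example (not part of the original text): checking a fine-grained labelling
# of the Wing relation against the inference-control rules stated above.
# The lattice is given as a "directly dominates" map, so a partial order works too.
DOMINATES = {"S": {"C"}, "C": {"U"}, "U": set()}   # S > C > U


def dominates(high: str, low: str) -> bool:
    """True if `high` dominates `low` (reflexive, transitive closure of DOMINATES)."""
    if high == low:
        return True
    return any(dominates(mid, low) for mid in DOMINATES[high])


# Labelling of the Wing relation as described in the section: the table and the
# Name/Speed/Range attributes are U, Objective is C; key values are U; cell labels
# follow the facts about each plane (e.g. Firefox's speed is S, its range C).
WING = {
    "table": "U",
    "key": "Name",
    "attributes": {"Name": "U", "Speed": "U", "Range": "U", "Objective": "C"},
    "rows": {  # key value -> (level of the key value, {attribute: level of the value})
        "Mirage 2000": ("U", {"Speed": "U", "Range": "U", "Objective": "S"}),
        "Firefox":     ("U", {"Speed": "S", "Range": "C", "Objective": "S"}),
        "X-43Z":       ("U", {"Speed": "C", "Range": "C", "Objective": "C"}),
    },
}

# A constructed labelling that opens the two channels discussed in the section:
# the table (C) strictly dominates the Objective attribute (U), and the key value
# Firefox (C) strictly dominates Firefox's speed value (U).
BAD_WING = {
    "table": "C",
    "key": "Name",
    "attributes": {"Name": "C", "Speed": "C", "Range": "C", "Objective": "U"},
    "rows": {
        "Mirage 2000": ("C", {"Speed": "C", "Range": "C", "Objective": "S"}),
        "Firefox":     ("C", {"Speed": "U", "Range": "C", "Objective": "S"}),
        "X-43Z":       ("C", {"Speed": "C", "Range": "C", "Objective": "C"}),
    },
}


def inference_violations(rel: dict) -> list:
    """Return the granules whose label is dominated by a label they would disclose."""
    found = set()
    # Rule 1 (from the section): an attribute discloses the existence of the table,
    # so level(attribute) must dominate level(table).
    for attr, lvl in rel["attributes"].items():
        if not dominates(lvl, rel["table"]):
            found.add(("attribute", attr))
    key_attr_lvl = rel["attributes"][rel["key"]]
    for key, (key_lvl, values) in rel["rows"].items():
        # Same principle (assumption, not stated in the section): a key value
        # discloses that the key attribute exists.
        if not dominates(key_lvl, key_attr_lvl):
            found.add(("key", key))
        for attr, lvl in values.items():
            # Rule 2 (from the section): a value of a row discloses that the row
            # exists, so level(value) must dominate level(primary key value) and,
            # by the same principle (assumption), the level of its own attribute.
            if not dominates(lvl, key_lvl) or not dominates(lvl, rel["attributes"][attr]):
                found.add(("value", key, attr))
    return sorted(found)


if __name__ == "__main__":
    print("Wing:", inference_violations(WING) or "no inference channel")
    print("Bad labelling:", inference_violations(BAD_WING))
```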
A method to formally derive all these rules, as well as one example of application of this method to object-oriented databases, is presented in (Cuppens & Gabillon 1998, 1999). Let us mention that this method would allow us to derive one inference control rule from each integrity constraint. Of course, not all inference channels can be detected and eliminated. In particular, detecting unauthorized inferences from knowledge which is not represented in the database is impossible.

Database Architecture

The Air Force Summer Study (Air Force Studies Board, 1983) suggested three different architectures for building secure multilevel database management systems. These architectures differ in the way the multilevel data are physically stored. The first architecture is called the kernelized Database Management System (DBMS). In this architecture, the multilevel database is partitioned into a collection of single-level segments. The second architecture is called the distributed (or replicated) DBMS. In this architecture, there is a single-level database at every security level l. Each level l database contains the data whose classification level is dominated by l. The third architecture is based on the integrity lock technology, but as mentioned in (Jajodia & Kogan, 1990b) this architecture is vulnerable to Trojan horses. Hence this approach cannot be used for a highly-assured multilevel DBMS.

Whether the architecture is kernelized or distributed, we need to decompose the multilevel relation into a collection of single-level relations. Such decomposition is not trivial and several algorithms have been proposed in the literature (Denning et al., 1988; Jajodia & Sandhu, 1990a, 1991a). In this paper, we propose some simple guidelines that should be followed for decomposing the multilevel database. These guidelines are suggested in the MultiView model which is presented in (Cuppens & Gabillon 1993, 1997, 1999). This model is based on the replicated architecture. The main advantage of this architecture over the kernelized approach is that there is no need to combine the data from several sources when answering queries. In fact, we claim that the replicated architecture is the best architecture for a fine-grained multilevel database.

The principle of the replicated architecture is the following: each granule classified at level l is stored in the l-level database and is replicated in every database which has a level dominating level l. Application of this principle to the multilevel Wing relation (table 2) gives the following three relations (tables 3, 4 and 5):

Fig. 5.15 Table wing(U), wing(C), wing(S)

The unclassified view (see table 3 in table 4.11) of the multilevel Wing relation contains only unclassified data. This view is inconsistent since there are no values for the speed and the range of X-43Z. The confidential view (table 4) of the multilevel Wing relation contains unclassified and confidential data. This view is inconsistent since there are also some missing values. The secret view (see table 5 in table 4.11) of the multilevel Wing relation contains unclassified, confidential and secret data and is consistent and complete.

After decomposing the original conceptual multilevel relation, the Security Administrator (SA) has basically two solutions to provide unclassified and confidential users with consistent views of the database without disclosing sensitive data:

• The SA thinks that it is acceptable to inform low level users that there are some sensitive values they are not permitted to see. In that case, the SA inserts the special value RESTRICTED each time there is a missing value. Using the RESTRICTED value was first suggested in (Sandhu & Jajodia, 1992). The semantics of this value is "the value exists but you are not permitted to know it". Table 6 shows the unclassified view of the Wing relation after the SA has decided to use the RESTRICTED value for the speed and the range of X-43Z.

• Now, in some cases, the SA may judge that knowing the existence of the sensitive value is itself sensitive information. In that case, the SA inserts a cover story instead of RESTRICTED. A cover story is a lie which hides the existence of a sensitive datum. Table 7 shows the confidential view of the Wing relation after the SA has decided to insert a cover story (Target A) each time there was a missing objective value. This means that the SA considers that the existence of a secret objective should not be disclosed. On the contrary, the SA decided to use the RESTRICTED value for the speed of Firefox.

Fig. 5.16 Wing(U), Wing(C)

Table 6 is the unclassified view of the multilevel relation represented in figure 2. The users working at the unclassified level express queries on this view. Table 7 is the confidential view on which users working at the confidential level express queries. However, confidential users also have the possibility to query the unclassified view. Table 5 is the secret view. The users working at the secret level express queries on this view, but they may also query the confidential and the unclassified views.

Compared to our approach, other existing decomposition algorithms are complex. This is because these algorithms take polyinstantiated multilevel relations as input. A multilevel relation is polyinstantiated if it contains different rows with the same key, each at a different classification level. This occurs when the multilevel relation contains some cover stories. The advantage of the approach described in this paper is that our starting multilevel relation (table 2) is not polyinstantiated. Our starting relation reflects precisely the existing multilevel world. The SA inserts cover stories after the decomposition of the starting multilevel relation. Now, after the insertion of the cover stories, the combination of our three relations (tables 5, 6 and 7) represents a polyinstantiated multilevel world which differs from the original multilevel world. In this polyinstantiated world, the Mirage 2000 and the Firefox have one confidential objective and one secret objective. The polyinstantiation technique says that in case of conflict, the low classified data shall automatically be interpreted as cover stories. Therefore, if a secret user sees the secret database and the confidential database then he/she shall interpret the confidential objectives of the Mirage 2000 and the Firefox as lies for confidential users. Note that the polyinstantiation technique has some drawbacks. It relies on a particular interpretation of the data and it does not work well in case of a partial order on the set of security levels.

Updating the database

Defining the operational semantics for update operations on a multilevel database is not an easy task. It becomes a real challenge if the multilevel relations are polyinstantiated (see Jajodia & Sandhu, 1990b). The architecture of our database is replicated. The multilevel world is represented by a set of single-level databases. Updating each of these single-level databases can be done via standard SQL operations since each single-level database behaves as a non-protected database. When updating, users interact with the database which corresponds to their working level. The replicated architecture requires that low level updates propagate to the higher levels via a trusted replication mechanism. However, this is a general principle which may not be appropriate for some particular situations like the following:

• How can we interpret the fact that a low level user has updated a low level cover story? Should the update propagate to the higher levels or should the new value be considered as a new cover story?
• How can we interpret the fact that a low level user has inserted a low level row with a primary key value which already exists at higher levels? Should the insertion propagate to higher levels, deleting higher level rows with the same primary key?

Regarding these issues, there is no best solution. It depends on the integrity policy. With a solution which considers that sensitive data are of high integrity, low level updates should propagate to higher levels as long as they do not conflict with higher classified data. Consequently, the trusted replication mechanism shall not propagate to higher levels a low-level update performed on a RESTRICTED value or a cover story. On the opposite, with a solution which emphasizes the freshness of the information, low level updates shall systematically propagate to higher levels, possibly deleting existing higher level data conflicting with the new data. Of course, there are several intermediate solutions. In this paper we suggest one solution which has the advantage of being the simplest: any low-level update statement is reproduced "as such" at the higher levels. Since each single-level database behaves as a non-protected database, a low-level update statement which is reproduced at a higher level will fail only if it violates one or more integrity constraints.

Let us see the application of our solution through some sample SQL statements.

INSERT statement. Consider a user working at the unclassified level who inserts a new aircraft in the unclassified Wing relation with the following statement:

The replication mechanism has reproduced the INSERT statement at the confidential and secret levels. Since the INSERT statement did not include any objective value, the confidential and secret objective values are set to NULL. If the clearance level of the user who has performed the insertion is at least confidential then that user now has to set his working level to confidential in order to assign an objective to the F-22 Raptor. If the clearance level of the user who has performed the insertion is unclassified then only another confidential or secret user may assign an objective to the F-22 Raptor.

Propagation of an INSERT statement to higher levels will fail only if it violates one or more integrity constraints. For example, if an unclassified user issues a statement inserting a "new" aircraft called Firefox in the unclassified Wing relation then the statement will succeed at the unclassified level but fail at the confidential level because of a primary key violation.

UPDATE statement. Consider a user working at the confidential level who assigns an objective to the F-22 Raptor with the following statement:

UPDATE Wing SET Objective='Target A' WHERE name='F-22 Raptor';

Table 11 and table 12 show the resulting confidential and secret databases. The replication mechanism has reproduced the UPDATE statement at the secret level. Note that in our example, the replication mechanism would succeed in reproducing a low level update on a RESTRICTED value or a cover story since such propagation would not violate any integrity constraint.

DELETE statement. Consider a user working at the unclassified level who deletes the F-22 Raptor with the following statement:

DELETE FROM Wing WHERE name='F-22 Raptor';

Tables 5, 6 and 7 show the final multilevel database. The replication mechanism has successfully reproduced the DELETE statement at the confidential and secret levels.

Let us mention that the operational semantics for update operations we define in this paper achieves completeness, that is, every multilevel database can be constructed by some sequence of update operations (Jajodia & Sandhu, 1991b). However, since every update propagates to the higher levels, single-level relations (including RESTRICTED values and cover stories) have to be created in the ascending order of the security levels.
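The decomposition of the multilevel Wing relation, the SA's RESTRICTED and cover-story choices, and the "reproduce as such" replication of INSERT, UPDATE and DELETE statements can all be exercised with one single-level SQLite database per security level. The following is an added example written for this page, not the MultiView implementation or code from the original text: the labels follow the section, the numeric values and target names are constructed samples (Firefox's speed of 6000 is the value the section quotes), and the primary-key conflict is shown with an F-22 Raptor row that exists only at the confidential level and above.

```python
import sqlite3

# Added example (not part of the original text): the replicated architecture of
# the section with one single-level SQLite database per level.
LEVELS = ["U", "C", "S"]                       # total order U < C < S
COLUMN_TYPES = {"Name": "TEXT PRIMARY KEY", "Speed": "INTEGER",
                "Range": "INTEGER", "Objective": "TEXT"}
ATTR_LEVEL = {"Name": "U", "Speed": "U", "Range": "U", "Objective": "C"}

# Multilevel Wing relation: each cell is (value, level). Labels follow the
# section; the numbers and target names are constructed samples.
WING = [
    {"Name": ("Mirage 2000", "U"), "Speed": (2300, "U"), "Range": (1500, "U"), "Objective": ("Target M", "S")},
    {"Name": ("Firefox", "U"),     "Speed": (6000, "S"), "Range": (3000, "C"), "Objective": ("Target F", "S")},
    {"Name": ("X-43Z", "U"),       "Speed": (11000, "C"), "Range": (800, "C"), "Objective": ("Target X", "C")},
]


def dominates(high, low):
    return LEVELS.index(high) >= LEVELS.index(low)


class ReplicatedWing:
    def __init__(self):
        self.db, self.columns = {}, {}
        for lvl in LEVELS:
            # The l-level database only has the columns whose level l dominates.
            cols = [c for c in COLUMN_TYPES if dominates(lvl, ATTR_LEVEL[c])]
            conn = sqlite3.connect(":memory:", isolation_level=None)   # autocommit
            conn.execute("CREATE TABLE Wing (%s)"
                         % ", ".join(f"{c} {COLUMN_TYPES[c]}" for c in cols))
            self.db[lvl], self.columns[lvl] = conn, cols

    def decompose(self, rows):
        """Store each granule at its own level and replicate it upwards; cells the
        level does not dominate are left NULL (the 'inconsistent' views)."""
        for row in rows:
            for lvl in LEVELS:
                if not dominates(lvl, row["Name"][1]):   # row does not exist here
                    continue
                cols = self.columns[lvl]
                vals = [row[c][0] if dominates(lvl, row[c][1]) else None for c in cols]
                self.db[lvl].execute("INSERT INTO Wing (%s) VALUES (%s)"
                                     % (", ".join(cols), ", ".join("?" * len(cols))), vals)

    def fill_missing(self, lvl, column, value):
        """SA's decision for NULL cells at one level: RESTRICTED or a cover story.
        Applied directly at that level after decomposition, so nothing propagates."""
        self.db[lvl].execute(f"UPDATE Wing SET {column} = ? WHERE {column} IS NULL", (value,))

    def execute(self, lvl, sql, params=()):
        """Run a user's statement at `lvl` and replay it at every dominating level.
        A replay fails only on an integrity-constraint violation (e.g. duplicate key)."""
        outcome = {}
        for higher in LEVELS[LEVELS.index(lvl):]:
            try:
                self.db[higher].execute(sql, params)
                outcome[higher] = True
            except sqlite3.IntegrityError:
                outcome[higher] = False
        return outcome

    def view(self, lvl):
        return self.db[lvl].execute("SELECT * FROM Wing ORDER BY Name").fetchall()


def build():
    """Decompose the Wing relation and apply the SA's choices from the section."""
    db = ReplicatedWing()
    db.decompose(WING)
    db.fill_missing("U", "Speed", "RESTRICTED")     # low users may know a value exists
    db.fill_missing("U", "Range", "RESTRICTED")
    db.fill_missing("C", "Speed", "RESTRICTED")
    db.fill_missing("C", "Objective", "Target A")   # cover story hides secret objectives
    return db


if __name__ == "__main__":
    db = build()
    for lvl in LEVELS:
        print(lvl, db.view(lvl))
    print(db.execute("U", "INSERT INTO Wing (Name, Speed, Range) VALUES (?, ?, ?)",
                     ("F-22 Raptor", 2400, 2900)))
    print(db.execute("C", "UPDATE Wing SET Objective = ? WHERE Name = ?",
                     ("Target A", "F-22 Raptor")))
    print(db.execute("U", "DELETE FROM Wing WHERE Name = ?", ("F-22 Raptor",)))
```

The returned dictionary of `execute` records, per level, whether the replayed statement succeeded, which is how the "fails only on an integrity constraint" rule surfaces in practice.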

Proposals for Multilevel Security

Due to the granularity of the items under control, establishing multilevel security for databases is complex, perhaps even more so than for operating systems. The rest of this section looks at different approaches to database multilevel security.

Separation

Separation is required to limit access, as we have seen. We'll look at how to build separation in databases in this part. Then we'll look at how these strategies can aid in the implementation of database multilevel security.

Partitioning

Partitioning is the most obvious control for multilevel databases. The database is broken down into several sections, each with its own level of sensitivity. This method is comparable to keeping different files in separate filing cabinets. This control nullifies a key benefit of databases: the removal of redundancy and increased accuracy due to only having one field to update. Moreover, it does not deal with the issue of a high-level user who requires access to both low- and high-level data. Despite this, many individuals with data of varied sensitivities manage their data using separate, segregated databases because of the difficulties of building, maintaining, and using multilevel databases.

Encryption

First, a user can mount a chosen plaintext attack. Assume that each record stores REP or DEM party affiliation in encrypted form. A user who gains access to these encrypted fields can quickly decode them by generating a new record with party=DEM and comparing the encrypted result to that element in all other records. Worse, if authentication data are encrypted, a malevolent user can substitute his or her own encrypted data for those of any other user. Not only does this provide access for the malicious user, but it also excludes the legitimate user whose authentication data have been changed to those of the malicious user. These possibilities are shown in Figures 4.8 and 4.9.

Fig. 5.17 Cryptographic Separation

Fig. 5.18 Block Chaining

Using a different encryption key for each record overcomes these defects. The fields of a record can be encrypted with a different key for each record, or all elements of a record can be cryptographically connected, as in cipher block chaining. The downside is that when users execute conventional database operations like "select all entries with SALARY > 10,000", each field must be decrypted. Even on rejected records, decrypting the SALARY column lengthens the time it takes to perform a query. (Consider the query that selects just one record but that must decrypt and compare one field of each record to find the one that satisfies the query.) Thus, encryption is not often used to implement separation in databases.

Integrity Lock

The integrity lock was first proposed at the U.S. Air Force Summer Study on Data Base Security. The lock is a way to provide both integrity and limited access for a database. Because each piece is metaphorically painted with a color that represents its sensitivity, the technique has been dubbed "spray paint". The element's coloring is kept with it, not in a master data store. Figure 4.10 depicts the design of the basic integrity lock. Each apparent data item is made up of three parts: the data item itself, a sensitivity label, and a checksum, as shown. The sensitivity label specifies the data's sensitivity, and the checksum is calculated across both the data and the sensitivity label to prevent unauthorized changes to the data item or its label.

Because the DBMS may have to analyze multiple fields while picking records to meet a query, the actual data item is kept in plaintext for efficiency. The sensitivity label should be unforgeable, such that a malevolent subject can't generate a new sensitivity label for an item, can't copy a sensitivity label from another item, and can't even detect the sensitivity level of an arbitrary element.

Fig. 5.19 Integrity Lock

The third component of a field's integrity lock is an error-detecting code known as a cryptographic checksum. This checksum must be distinct for each element and include both the item's data value and something to relate that value to a specific point in the database, to ensure that a data item or its sensitivity label has not been modified.

An acceptable cryptographic checksum, as illustrated in Figure 4.11, includes something distinct to the record (the record number), something distinct to this data field inside the record (the field attribute name), the element's value, and the element's sensitivity classification. These four components protect the data from being changed, copied, or moved.

Fig. 5.20 Cryptographic Checksum

Sensitivity Lock

The sensitivity lock shown in the figure was designed by Graubart and Kramer to meet these principles. The sensitivity level and an identification number (such as the record number) make up a sensitivity lock. Each lock is associated with a single record due to the unique identifier. The sensitivity level of many distinct elements will be the same. By glancing at the sensitivity level component of the lock, a malicious individual should not be able to distinguish two items with equal sensitivity levels or data values. The contents of the lock, particularly the sensitivity level, are hidden from plain view by encryption. As a result, the lock is linked to a single record and maintains the confidentiality of that record's sensitivity.

Fig. 5.21 Sensitivity Lock
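The four components of the cryptographic checksum (record number, field name, value, sensitivity label) are what lets the DBMS detect a changed, copied or moved element. The following is an added example, not code from the original text: it builds the checksum as an HMAC under a key held by the trusted DBMS (the keying is an assumption; the section only asks for an unforgeable cryptographic checksum), stores an element in the three-part form shown in Figure 4.10, and verifies it after each kind of tampering. The record numbers, field names and values are constructed.

```python
import hashlib
import hmac
import json

# Added example (not part of the original text): an integrity lock whose
# checksum binds value and label to one field of one record. The HMAC key is a
# constructed sample; a real DBMS would keep it where subjects cannot read it.
DBMS_KEY = b"constructed-sample-key-held-only-by-the-trusted-DBMS"


def checksum(key, record_no, field, value, label):
    """Checksum over (record number, field name, value, sensitivity label).
    JSON encoding keeps the four parts unambiguous (no separator collisions)."""
    msg = json.dumps([record_no, field, value, label], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def lock_element(key, record_no, field, value, label):
    """What the DBMS stores for one element: plaintext value, label, checksum."""
    return {"value": value, "label": label,
            "sum": checksum(key, record_no, field, value, label)}


def verify_element(key, record_no, field, element):
    """True only if the element still belongs to (record_no, field) unmodified."""
    expected = checksum(key, record_no, field, element["value"], element["label"])
    return hmac.compare_digest(expected, element["sum"])


def tamper_results(key=DBMS_KEY):
    """Apply the changes the lock is meant to catch; each entry is the verdict."""
    elem = lock_element(key, 7, "Salary", 52000, "CONFIDENTIAL")
    results = {"untouched": verify_element(key, 7, "Salary", elem)}
    changed = dict(elem, value=99000)                       # value changed in place
    results["changed_value"] = verify_element(key, 7, "Salary", changed)
    relabelled = dict(elem, label="UNCLASSIFIED")           # label downgraded
    results["downgraded_label"] = verify_element(key, 7, "Salary", relabelled)
    results["copied_to_record_8"] = verify_element(key, 8, "Salary", elem)  # copied
    results["moved_to_Bonus"] = verify_element(key, 7, "Bonus", elem)       # moved
    # Two records with the same value and label get different checksums, so the
    # lock is tied to one record rather than to the (value, label) pair.
    other = lock_element(key, 8, "Salary", 52000, "CONFIDENTIAL")
    results["same_value_same_sum"] = elem["sum"] == other["sum"]
    return results


if __name__ == "__main__":
    for name, verdict in tamper_results().items():
        print(f"{name:22} -> {verdict}")
```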

5.3 SECURITY IN NETWORK

Network Security refers to the measures taken by any enterprise or organization to secure its computer network and data using both hardware and software systems. This aims at securing the confidentiality and accessibility of the data and network. Every company or organization that handles a large amount of data has a degree of solutions against many cyber threats. The most basic example of information security is password protection, in which the network user chooses his or her own password. Network security has recently been a hot topic in cyber security, with many companies seeking applicants with expertise in this area. Network security solutions protect various vulnerable parts of computer systems, such as:

• Users
• Locations
• Data
• Devices
• Applications

Network Security: Working

The basic premise of network security is to safeguard large amounts of data and networks in layers, with each layer including a set of rules that must be acknowledged before any activity on the data may be performed. These levels are:

• Physical
• Technical
• Administrative

These are explained below.

1. Physical Network Security: It is the most basic level, which entails safeguarding the information and network by preventing unauthorized individuals from gaining physical access to the network. External peripherals, as well as routers, may be used for cable connections. Biometric systems and other similar technologies can be used to achieve the same goal.
2. Technical Network Security: It is primarily concerned with safeguarding information held in the network or data in transit via the network. This type has two functions. The first is protection against unauthorized users, and the second is protection against malicious activity.
3. Administrative Network Security: This degree of network security safeguards user behavior, such as how permissions are provided and how the authorization process is carried out. This also ensures the network's level of sophistication, which may be required to secure it from all types of attacks. This level also identifies any infrastructural modifications that must be made.

Types of Network Security

A few types of network security are discussed below:

1. Access control: Not everyone should have total access to the network or its information. Going over each employee's details is one technique to investigate this. This is accomplished by Network Access Control, which ensures that only a small number of authorized individuals have access to the resources that are available.
2. Antivirus and Anti-malware Software: This sort of network protection prevents harmful malware from infiltrating the network and jeopardizing data security. It handles dangerous software such as viruses, trojans, and worms. This ensures not only that the virus is prevented from entering the system, but also that the device is well-equipped to combat it once it has.
3. Cloud Security: Many enterprises are now collaborating using cloud technology, which allows a significant amount of vital data to be kept over the internet. This is extremely vulnerable to the misdeeds of a few unlicensed vendors. This information must be safeguarded, and it must be verified that it is not jeopardized in any way. Many firms use SaaS programs to give some of their staff access to data stored in the cloud. This sort of security ensures that data visibility is not compromised.

Threats in Network

A threat can be defined as anything which is a danger to an organization's assets. Threats can be physical threats or network-based threats. An attacker may exploit poorly configured network infrastructure devices like a firewall, router, network servers or switches. The four basic kinds of threats are:

1. interception, or unauthorized viewing
2. modification, or unauthorized change
3. fabrication, or unauthorized creation
4. interruption, or preventing authorized access

These four types apply to networks, although the terminology is slightly different. Interception is sometimes called eavesdropping or wiretapping, modification and fabrication are usually known by the more general term integrity failures, and interruption in a network is denial of service.

Interception: Eavesdropping and Wiretapping

Security analysts sometimes use the concept of a security perimeter, a virtual line that encircles a protected set of computing resources. You might think of a security perimeter as encompassing a physical location, such as a home, school, office, or store, as shown in Figure 4.13. Of course, these lines do not really exist, and for much network use you need to extend your access outside your protected zone. But because you lose control of equipment (cables, network devices, servers) outside your zone, your ability to secure your data is limited.

Fig. 5.23 Security Perimeters

Wiretapping is the name given to data interception, often covert and unauthorized. The name wiretap refers to the original mechanism, which was a device that was attached to a wire to split off a second pathway that data would follow in addition to the primary path. Now, of course, the media range from copper wire to fiber cables and radio signals, and the way to tap depends on the medium.

Users generally have little control over the routing of a signal. With the telephone system, for example, a call from New York to Sydney might travel west by satellite, transfer to an undersea cable, and reach the ultimate destination on conventional wire. Along the way, the signal could pass through different countries, as well as international regions of the oceans and sky. The same is true of networked digital communications, which use some of the same resources telephony does. The signal may travel through hostile regions and areas full of competitors. Along the way may be people with method, opportunity, and motive to obtain your data. Thus, a wide area network can be far riskier than a well-controlled local network.

Encryption is the strongest and most commonly used countermeasure against interception, although physical security (protecting the communications lines themselves), dedicated lines, and controlled routing (ensuring that a communication travels only along certain paths) have their roles, as well.

What Makes a Network Vulnerable to Interception?

An isolated home user or a standalone office with a few employees is an unlikely target for many attacks. But add a network to the mix and the risk rises sharply. Consider how a network differs from a stand-alone environment.

Anonymity

An attacker can launch an attack from hundreds of kilometers away without ever coming into contact with the system, its administrator, or its users. As a result, the potential attacker is protected by an electronic shield. In order to hide the attack's origin, it can be transmitted through a variety of hosts. Furthermore, computer-to-computer identification is not the same as it is for humans.

Modification, Fabrication: Data Corruption

Eavesdropping is certainly a significant threat, and it is at the heart of major incidents of theft of trade secrets or espionage. But interception is a passive threat: Communication goes on normally, except that a hidden third party has listened in, too. Modification and fabrication are also computer security concerns, and they apply to networking, as well. The threat is that a communication will be changed during transmission. Sometimes the act involves modifying data en route; other times it entails crafting new content or repeating an existing communication. These three attacks are called modification, insertion, and replay, respectively. Such attacks can be malicious or not, induced or from natural causes.

People often receive incorrect or corrupted data: a minor misspelling of a name, an obvious typographic error, a mistaken entry on a list. If you watch real-time closed captioning on television, sometimes you see normal text degenerate to gibberish and then return to normal after a short time. Mistakes like this happen, and we either contact someone for a correction if the issue is serious or ignore it otherwise. Errors occur so frequently that we sometimes fail even to notice them.

Fig. 5.24 Data Corruption Sources

Sometimes modification is blatant, making it readily apparent that a change has occurred (for example, complete deletion, which could be detected by a program, or replacement of text by binary data, which would be apparent to a human reader). Other times the alteration is subtle, such as the change of a single bit, which might allow processing to continue, although perhaps producing incorrect results. Communications media are known to be vulnerable to data corruption. Simple factors such as weather and trees can interfere with clean transmission. For this reason, communications protocols include features to check for and correct at least some errors in transmission. The TCP/IP protocol suite (which we describe later in this chapter) is used for most Internet data communication. TCP/IP has extensive features to ensure that the receiver gets a complete, correct, and well-ordered data stream, despite any errors during transmission.

Interruption: Loss of Service

The final class of network attacks we consider involves availability, the third leg of the C-I-A triad. We are all familiar with how frustrating it is to lose access to an important service, as when the electricity fails or a telephone connection is cut. Suddenly we notice all the ways we depended on that service as we wait anxiously for the repair crew. Networks, and especially the Internet, have solidly assured service. From the earliest designs for the Internet, redundancy and fault tolerance were important characteristics, and the robustness remains. In part this strength is due to the mesh architecture of the Internet. The so-called last mile, the final connection between a host and the larger network infrastructure, is a unique pathway, so any failure there isolates the host. But once into the network, routers have multiple pathways so if one is unavailable another can be used.

As with the other vulnerabilities we have just discussed, loss of service can be malicious or nonmalicious, intentional or accidental. Unlike confidentiality and integrity failures, however, denial of service is not binary: Yes, you do either have service or not, but a critical question is how much? Service capacity can be reduced. Is a service degradation of 0.1 percent or 1 percent or 10 percent catastrophic? The answer depends on the particular network in question, its traffic load, and the criticality of its data. Thus, we have to consider not only whether service is or is not present, but also whether the amount present is adequate.
5.4 NETWORK SECURITY CONTROLS

Network security controls are used to ensure the confidentiality, integrity, and availability of network services. These security mechanisms are technological or administrative protections put in place to reduce the risk of a security breach. Adequate network security requires implementing an appropriate set of controls to limit the danger of a network being compromised. The main controls are:

• Access Control
• Identification
• Authentication
• Authorization
• Accounting
• Cryptography
• Security Policy

These controls help organizations implement strategies for addressing network security concerns. To reduce the danger of an attack or compromise, several layers of network security measures should be implemented across the network; the overlapping use of these controls gives defense in depth.

Access Control

Access control protects general objects, such as files, tables, hardware devices, network connections, and other resources. In general, we want a flexible structure, so that certain users can use a resource in one way (for example, read-only), others in a different way (for example, allowing modification), and still others not at all. We want techniques that are robust, easy to use, and efficient. A subject is permitted to access an object in a particular mode, and only such authorized accesses are allowed.

• Subjects are human users, often represented by surrogate programs running on their behalf.
• Objects are things on which an action can be performed, such as files, tables, programs, memory objects, hardware devices, strings, data fields, network connections, and processors. Users, or rather the programs or processes representing users, can also be objects, because the operating system (a program acting for the system administrator) can act on a user, for example by permitting a user to execute a program, halting a user, or granting rights to a user.
• Access modes are any controllable actions of subjects on objects, such as read, write, modify, delete, execute, create, destroy, copy, export, import, and so on.

Effective separation will keep unauthorized subjects from unauthorized access to objects, but the separation gap must be crossed for authorized subjects and modes. In this section we consider ways to allow all and only authorized accesses.

Identification and Authentication

Your neighbor recognizes you, sees you frequently, and knows you are someone who should be going into your home. Your neighbor can also notice someone different, especially if that person is doing something suspicious, such as snooping around your doorway, peering up and down the walk, or picking up a heavy stone. Coupling these suspicious events with hearing the sound of breaking glass, your neighbor might even call the police.

Computers have replaced many face-to-face interactions with electronic ones. With no vigilant neighbor to recognize that something is awry, people need other mechanisms to separate authorized from unauthorized parties. For this reason, the basis of computer security is controlled access: someone is authorized to take some action on something. But for access control to work, we need to be sure who the "someone" is. In this section we introduce authentication, the process of ascertaining or confirming an identity. A computer system does not have the cues we do with face-to-face communication that let us recognize our friends. Instead, computers depend on data to recognize others. Determining who a person really is consists of two separate steps:

• Identification is the act of asserting who a person is.
• Authentication is the act of proving that asserted identity: that the person is who they say they are.

Identification vs. Authentication

Identities are often well known, predictable, or guessable. When you send someone an email, you implicitly send your email address as an ID so that they can respond to you. You may publish comments under a screen name that links your various entries in an online debate.
Your bank account number appears on checks you write, and your debit card bank account appears on your card, among other things. In each of these situations you reveal a piece of your identity. It is important to remember that your identity is more than just your name: people and processes can identify you by your bank account information, debit card number, email account, and other information.

Some account IDs are not hard to guess. Some places assign user IDs as the user's last name followed by first initial. Others use three initials or some other scheme that outsiders can easily predict. Often for online transactions your account ID is your email address, to make it easy for you to remember. Other accounts identify you by telephone, social security, or some other identity number. With too many accounts to remember, you may welcome places that identify you by something you know well because you use it often. But using it often also means other people can know or guess it as well. For these reasons, many people could easily, although falsely, claim to be you by presenting one of your known identifiers.

Authorization

• Authorization is the granting of access to specific services and/or resources based on the authentication.
• Authorization is the process by which a server determines whether the client has permission to use a resource or access a file.
• Authorization is usually coupled with authentication so that the server has some concept of who the client is that is requesting access.
• The type of authentication required for authorization may vary; passwords may be required in some cases but not in others.
• In some cases there is no authorization; any user may use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.

Accounting

• Accounting is the process of logging access and authorization.
• Accounting keeps track of user activity while users are logged in to a network by recording information such as how long they were logged in, the data they sent or received, their Internet Protocol (IP) address, the Uniform Resource Identifier (URI) they used, and the different services they accessed.
• Accounting data may be used to analyse user trends, audit user activity, and provide more accurate billing.
For example, if the system charges users by the hour, the time logs generated by the accounting system can report how long the user was logged in to the router and inside the system, and then charge them accordingly.

Cryptography

• Encryption or cryptography (the name means secret writing) is probably the strongest defence in the arsenal of computer security protection.
• Well-disguised data cannot easily be read, modified, or fabricated. Simply put, encryption is like a machine: you put data in one end, gears spin and lights flash, and you receive modified data out the other end.
• In fact, some encryption devices used during World War II operated with actual gears and rotors, and these devices were effective at deterring (although not always preventing) the opposing side from reading the protected messages.
• Now the machinery has been replaced by computer algorithms, but the principle is the same: a transformation makes data difficult for an outsider to interpret.

Security Policy

• A security plan states the organization's security needs and priorities.
• A security policy is a high-level statement of purpose and intent.
• Initially, you might think that all policies would be the same: to prevent security breaches.
• But in fact, the policy is one of the most difficult sections of a security plan to write well.

5.5 FIREWALL

Firewalls are one of the most important security devices for networks. Firewalls were officially invented in the early 1990s, but the concept really reflects the reference monitor from two decades earlier. A firewall is a device that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network. Usually a firewall runs on a dedicated device; because it is a single point through which traffic is channeled, performance is important, which means that only firewall functions should run on the firewall machine.

In practice, a firewall is a computer with memory, storage devices, interface cards for network access, and other devices. It runs an operating system and executes application programs. Often the hardware, operating system, and applications are sold as a package, so the firewall application (a program) is sometimes also called a firewall.

Information systems in corporations, government agencies, and other organizations have undergone a steady evolution. The following are notable developments:

• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals.
• Local area networks (LANs) interconnecting PCs and terminals to each other and to the mainframe.
• Premises network, consisting of a number of LANs interconnecting PCs, servers, and perhaps a mainframe or two.
• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN).
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN.

Organizations can no longer afford to be without Internet access. The organization depends on the data and services it offers. Furthermore, users within the company desire and demand Internet connectivity, and if it is not provided through their LAN, they will use their PC's dial-up capability to connect to an Internet service provider (ISP). While having connectivity to the Internet benefits the organization, it also enables the outside world to reach and interact with local network assets. This creates a threat to the organization.

While strong security mechanisms such as intrusion prevention can be installed on each workstation and server on the premises network, this may not be sufficient and, in some cases, is not cost-effective. Consider a network with hundreds or even thousands of systems, running a variety of operating systems, such as different versions of UNIX and Windows.
When a security flaw is discovered, each potentially affected system must be upgraded to fix that flaw. This requires scalable configuration management and aggressive patching to function effectively. While difficult, this is possible and is required if only host-based security is used. A widely accepted alternative, or at least complement, to host-based security services is the firewall. The firewall is inserted between the premises network

and the Internet to establish a controlled link and to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed. The firewall may be a single host computer or a set of two or more systems that cooperate to perform the firewall function. The firewall, then, provides an additional layer of defense, insulating the internal systems from external networks. This follows the classic military doctrine of "defense in depth," which is just as applicable to IT security.

Design of Firewalls

As we have described them, firewalls are simple devices that rigorously and effectively control the flow of data to and from a network. Two qualities lead to that effectiveness: a well-understood traffic flow policy and a trustworthy design and implementation. An example of a simple firewall configuration is shown in Fig. 5.25. The table is processed from the top down, and the first matching rule determines the firewall's action. The * character matches any value in that field. This policy says any inbound traffic to port 25 (mail transfer) or port 69 (so-called trivial file transfer) is allowed to or from any host on the 192.168.1 subnetwork. By rule 3 any inside host is allowed outbound traffic anywhere on port 80 (web page fetches). Furthermore, by rule 4 outside traffic to the internal host at destination address 192.168.1.18 (presumably a web server) is allowed. All other traffic to the 192.168.1 network is denied.

Fig. 5.25 Example Firewall Configuration

Types of Firewalls

Types of firewalls include:

• Packet filtering gateways or screening routers
• Stateful inspection firewalls
• Application-level gateways, also known as proxies
• Circuit-level gateways
• Guards
• Personal firewalls

Packet Filtering

A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet (see Fig. 5.26). The firewall is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet:

• Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)
• Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
• Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET
• IP protocol field: Defines the transport protocol
• Interface: For a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for

The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken. Two default policies are possible:

• Default = discard: That which is not expressly permitted is prohibited.
• Default = forward: That which is not expressly prohibited is permitted.

The default discard policy is more conservative. Initially, everything is blocked, and services must be added on a case-by-case basis. This policy is more visible to users, who are more likely to see the firewall as a hindrance. However, this is the policy likely to be preferred by businesses and government organizations. Further, visibility to users diminishes as rules are added. The default forward policy increases ease of use for end users but provides reduced security; the security administrator must, in effect, react to each new security threat as it becomes known. This policy may be used by generally more open organizations, such as universities.

a) General Model

Fig. 5.26 Types of firewall (a)

Fig. 5.26 Types of firewall (b)

The table below (Fig. 5.27) shows several examples of packet filtering rule sets. In each set, the rules are applied top to bottom. The "*" in a field is a wildcard designator that matches everything. We assume that the default = discard policy is in force.

A. Inbound mail is allowed (port 25 is for SMTP incoming), but only to a gateway host. However, packets from a particular external host, SPIGOT, are blocked because that host has a history of sending massive files in e-mail messages.
B. This is an explicit statement of the default policy. All rule sets include this rule implicitly as the last rule.
C. This rule set is intended to specify that any inside host can send mail to the outside. A TCP packet with a destination port of 25 is routed to the SMTP server on the destination machine. The problem with this rule is that the use of port 25 for SMTP receipt is only a default; an outside machine could be configured to have some other application linked to port 25. As the rule is written, an attacker could gain access to internal machines by sending packets with a TCP source port number of 25.
D. This rule set achieves the intended result that was not achieved in C. The rules take advantage of a feature of TCP connections. Once a connection is set up, the ACK flag of a TCP segment is set to acknowledge segments sent from the other side. Thus, this rule set states that it allows IP packets where the source IP address is one of a list of designated internal hosts and the destination TCP port number is 25.

It also allows incoming packets with a source port number of 25 that include the ACK flag in the TCP segment. Note that we explicitly designate source and destination systems to define these rules explicitly.

Fig. 5.27 Packet Filtering example

E. This rule set is one approach to handling FTP connections. With FTP, two TCP connections are used: a control connection to set up the file transfer and a data connection for the actual file transfer. The data connection uses a different port number that is dynamically assigned for the transfer. Most servers, and hence most attack targets, use low-numbered ports; most outgoing calls tend to use a higher-numbered port, typically above 1023. Thus, this rule set allows:

• Packets that originate internally
• Reply packets to a connection initiated by an internal machine
• Packets destined for a high-numbered port on an internal machine
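The first-match evaluation described for the example configuration in Fig. 5.25 and for rule sets A to D can be exercised in a few lines. The Python below is an example added here; it is not code from the original text or from any firewall product. The addresses (taken from the RFC 5737 documentation ranges), the gateway host, SPIGOT's address and the rule sets are constructed for the demonstration. It shows why rule set C lets an outsider open a connection into the inside network from source port 25, and why the ACK condition in rule set D closes that hole while still admitting replies to the inside mail client.

```python
"""Stateless packet filter: first-match rule table, '*' wildcards and a
default-discard policy. Addresses and rule sets are constructed for this
example (RFC 5737 documentation ranges); they are not the book's tables."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "*"


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False     # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = ANY
    src: str = ANY               # exact address or CIDR prefix
    dst: str = ANY
    proto: str = ANY
    sport: object = ANY          # exact port or ">N" for high-numbered ports
    dport: object = ANY
    ack: Optional[bool] = None   # None = don't care about the ACK flag


def _match(pattern, value) -> bool:
    """Field match: wildcard, CIDR prefix for addresses, '>N' for ports, else equality."""
    if pattern == ANY:
        return True
    if isinstance(value, int):
        if isinstance(pattern, str) and pattern.startswith(">"):
            return value > int(pattern[1:])
        return value == pattern
    if isinstance(pattern, str) and "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return pattern == value


def decide(rules, pkt: Packet, default: str = "deny") -> str:
    """Walk the table top-down; the first matching rule decides. No match = default policy."""
    for r in rules:
        if (_match(r.direction, pkt.direction) and _match(r.src, pkt.src)
                and _match(r.dst, pkt.dst) and _match(r.proto, pkt.proto)
                and _match(r.sport, pkt.sport) and _match(r.dport, pkt.dport)
                and (r.ack is None or r.ack == pkt.ack)):
            return r.action
    return default


INSIDE = "192.168.1.0/24"     # the protected subnetwork used in the text
GATEWAY = "192.168.1.10"      # assumed address of the inside mail gateway
SPIGOT = "203.0.113.5"        # assumed address of the troublesome external host

# Rule set A: inbound SMTP only to the gateway; everything from SPIGOT refused.
RULESET_A = [
    Rule("deny", direction="in", src=SPIGOT),
    Rule("allow", direction="in", dst=GATEWAY, proto="tcp", dport=25),
]

# Rule set C: the flawed attempt at "inside hosts may send mail anywhere".
RULESET_C = [
    Rule("allow", direction="out", src=INSIDE, proto="tcp", dport=25),
    Rule("allow", direction="in", dst=INSIDE, proto="tcp", sport=25),
]

# Rule set D: same intent, but inbound port-25 traffic must carry ACK, so an
# outsider cannot open a new connection (its SYN has the ACK flag clear).
RULESET_D = [
    Rule("allow", direction="out", src=INSIDE, proto="tcp", dport=25),
    Rule("allow", direction="in", dst=INSIDE, proto="tcp", sport=25, ack=True),
]


def demo() -> dict:
    outsider, victim = "198.51.100.7", "192.168.1.20"
    attacker_syn = Packet("in", outsider, victim, "tcp", 25, 22)             # SYN to SSH, source port 25
    mail_reply = Packet("in", outsider, victim, "tcp", 25, 40000, ack=True)  # reply to our SMTP client
    return {
        "C_attacker_syn": decide(RULESET_C, attacker_syn),   # "allow": the hole in C
        "D_attacker_syn": decide(RULESET_D, attacker_syn),   # "deny":  closed by the ACK check
        "D_mail_reply": decide(RULESET_D, mail_reply),       # "allow"
        "A_spigot": decide(RULESET_A, Packet("in", SPIGOT, GATEWAY, "tcp", 4321, 25)),            # "deny"
        "A_mail_to_gateway": decide(RULESET_A, Packet("in", outsider, GATEWAY, "tcp", 4321, 25)), # "allow"
        "A_mail_elsewhere": decide(RULESET_A, Packet("in", outsider, victim, "tcp", 4321, 25)),   # "deny"
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Note that rule set D still passes an outsider's ACK-flagged packets to any inside port; it only prevents the three-way handshake from being started from outside, which is exactly the limitation that motivates stateful inspection later in this section.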

This approach requires that the systems be configured so that only the appropriate port numbers are used. Rule set E points out the difficulty in dealing with applications at the packet filtering level. Another way to deal with FTP and similar applications is either stateful packet filtering or an application-level gateway, both described later in this section.

One advantage of a packet filtering firewall is its simplicity. Also, packet filters typically are transparent to users and are very fast. Weaknesses of packet filter firewalls include the following:

• Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions. For example, a packet filter firewall cannot block specific application commands; if a packet filter firewall allows a given application, all functions available within that application will be permitted.
• Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions (source address, destination address, and traffic type).
• Most packet filter firewalls do not support advanced user authentication schemes. Once again, this limitation is mostly due to the lack of upper-layer functionality in the firewall.
• Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing. Many packet filter firewalls cannot detect a network packet in which the OSI Layer 3 addressing information has been altered.
• Finally, due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations. In other words, it is easy to accidentally configure a packet filter firewall to allow traffic types, sources, and destinations that should be denied based on an organization's information security policy.

Some of the attacks that can be made on packet filtering firewalls and the appropriate countermeasures are the following:

• IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. The attacker hopes that the use of a spoofed address will allow penetration of systems that employ simple source address security, in which packets from specific trusted internal hosts are accepted. The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface. In fact, this countermeasure is often implemented at the router external to the firewall.
• Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hope that this will bypass security measures that do not analyze the source routing information. The countermeasure is to discard all packets that use this option.
• Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter makes a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected. The attacker hopes that the filtering firewall examines only the first fragment and that the remaining fragments are passed through. A tiny fragment attack can be defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.

Stateful Inspection Firewalls

Filtering firewalls work on packets one at a time, accepting or rejecting each packet and moving on to the next. They have no concept of "state" or "context" from one packet to the next.
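Before turning to stateful inspection, the two countermeasures just listed (the anti-spoofing rule and the tiny-fragment rule) can be shown as purely per-packet checks on raw IPv4 headers. The Python below is an added example, not code from the original text; the inside prefix, the 20-byte minimum for the transport header, the "rejected first fragment" memory keyed on (source, destination, identification), and the packets it checks are all constructed here.

```python
"""Stateless per-packet checks on raw IPv4 headers: the anti-spoofing rule
and the tiny-fragment rule. Packets are built by a small helper; nothing is
captured from a real network."""
import ipaddress
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header, no options
MF_FLAG = 0x2000                          # "more fragments" bit in flags/fragment-offset
OFFSET_MASK = 0x1FFF
PROTO_TCP = 6
TCP_MIN_HDR = 20                          # transport header bytes the first fragment must carry
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed inside prefix


def build_ipv4(src, dst, proto, ident, mf, offset, payload):
    """Construct a raw IPv4 packet (header checksum left at zero for the example)."""
    flags_frag = (MF_FLAG if mf else 0) | (offset & OFFSET_MASK)
    hdr = IP_HDR.pack(0x45, 0, IP_HDR.size + len(payload), ident, flags_frag, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def parse_ipv4(raw):
    """Pull out the header fields the filter needs."""
    v_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = IP_HDR.unpack_from(raw)
    ihl = (v_ihl & 0x0F) * 4
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "ident": ident,
        "mf": bool(flags_frag & MF_FLAG),
        "offset": flags_frag & OFFSET_MASK,      # in 8-byte units
        "payload": raw[ihl:total_len],
    }


def check(raw, iface, rejected):
    """Verdict for one packet arriving on `iface` ("external" or "internal").
    `rejected` is the filter's memory of first fragments already dropped,
    keyed by (src, dst, ident), so the rest of that packet is discarded too."""
    p = parse_ipv4(raw)
    key = (p["src"], p["dst"], p["ident"])
    # Anti-spoofing: an inside source address must never arrive from the outside.
    if iface == "external" and p["src"] in INTERNAL_NET:
        return "drop", "inside source address on external interface"
    # Tiny fragment: the first fragment of a TCP packet must hold the whole TCP header.
    if p["proto"] == PROTO_TCP and p["offset"] == 0 and len(p["payload"]) < TCP_MIN_HDR:
        rejected.add(key)
        return "drop", "first fragment too small to hold the TCP header"
    # Later pieces of a packet whose first fragment was rejected go the same way.
    if p["offset"] > 0 and key in rejected:
        return "drop", "fragment of a rejected packet"
    return "accept", "ok"


def demo():
    """Run four constructed packets through the checks; returns the verdicts."""
    rejected = set()
    outsider, inside_a, inside_b = "198.51.100.7", "192.168.1.20", "192.168.1.30"
    spoofed = build_ipv4(inside_a, inside_b, PROTO_TCP, 1, False, 0, b"\x00" * 24)
    # First fragment carrying only the two ports and half a sequence number.
    tiny_first = build_ipv4(outsider, inside_b, PROTO_TCP, 2, True, 0, b"\x04\xd2\x00\x16\x00\x00")
    tiny_rest = build_ipv4(outsider, inside_b, PROTO_TCP, 2, False, 1, b"\x00" * 16)
    normal = build_ipv4(outsider, inside_b, PROTO_TCP, 3, True, 0, b"\x00" * 24)
    return [check(spoofed, "external", rejected)[0],
            check(tiny_first, "external", rejected)[0],
            check(tiny_rest, "external", rejected)[0],
            check(normal, "external", rejected)[0]]


if __name__ == "__main__":
    print(demo())   # ['drop', 'drop', 'drop', 'accept']
```

The second fragment of the tiny packet would look harmless on its own (no ports, no flags); it is dropped only because the filter remembered that the first fragment with the same (src, dst, ident) was rejected, which is the "remember the packet" step the text calls for.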
A stateful inspection firewall maintains state information from one packet to another in the input stream. Stateful inspection firewalls judge according to information from multiple packets.

A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher-layer context. To understand what is meant by context and why a traditional packet filter is limited with regard to context, a little background is needed. Most standardized applications that run on top of TCP follow a client/server model. For example, for the Simple Mail Transfer Protocol (SMTP), e-mail is transmitted from a client system to a server system. The client system generates new e-mail messages, typically from user input. The server system accepts incoming e-mail messages and places them in the appropriate user mailboxes. SMTP operates by setting up a TCP connection between client and server, in which the TCP server port number, which identifies the SMTP server application, is 25. The TCP port number for the SMTP client is a number between 1024 and 65535 that is generated by the SMTP client.

In general, when an application that uses TCP creates a session with a remote host, it creates a TCP connection in which the TCP port number for the remote (server) application is a number less than 1024 and the TCP port number for the local (client) application is a number between 1024 and 65535. The numbers less than 1024 are the "well-known" port numbers and are assigned permanently to particular applications (e.g., 25 for server SMTP). The numbers between 1024 and 65535 are generated dynamically and have temporary significance only for the lifetime of a TCP connection.

A simple packet filtering firewall must permit inbound network traffic on all these high-numbered ports for TCP-based traffic to occur. This creates a vulnerability that can be exploited by unauthorized users. A stateful inspection packet firewall tightens up the rules for TCP traffic by creating a directory of outbound TCP connections. There is an entry for each currently established connection.
The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall, but also records information about TCP connections. Some stateful firewalls also keep track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking. Some even inspect limited amounts of application data for well-known protocols such as FTP, IM and SIPS commands, in order to identify and track related connections.
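The connection directory described above can be shown as a small connection-tracking filter. The Python below is an added example, not the book's code or any product's; the hosts, ports and the two states it keeps (SYN_SENT and ESTABLISHED) are chosen for the demonstration, and it tracks only the SYN, SYN/ACK, FIN and RST flags, not sequence numbers or application data. The point it makes is the one in the text: an inbound packet to a high-numbered port is admitted only if the inside host opened that connection first, so an outsider's SYN or ACK-flagged probe to a high port is refused even though a stateless rule set would have to allow it.

```python
"""Connection-table (stateful) filtering: inbound traffic to a high-numbered
port is admitted only when it matches an outbound connection the filter has
already recorded. Hosts and segments are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    direction: str   # "out" = from the inside network, "in" = from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


# Directory key: (inside host, inside port, outside host, outside port)
ConnKey = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}   # key -> "SYN_SENT" | "ESTABLISHED"

    @staticmethod
    def _key(seg: Segment) -> ConnKey:
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)   # same key seen from the other side

    def filter(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.table.get(key)
        if seg.direction == "out":
            if seg.syn and not seg.ack:           # inside host opens a connection: record it
                self.table[key] = "SYN_SENT"
                return "allow"
            if state is None:                     # outbound, but no connection on file
                return "deny"
        else:
            if state is None:                     # unsolicited inbound, even to a high port
                return "deny"
            if state == "SYN_SENT":
                if not (seg.syn and seg.ack):     # only a SYN/ACK may answer our SYN
                    return "deny"
                self.table[key] = "ESTABLISHED"
            elif seg.syn and not seg.ack:         # fresh SYN on an established flow
                return "deny"
        if seg.fin or seg.rst:                    # connection torn down: forget it
            self.table.pop(key, None)
        return "allow"


def demo() -> Dict[str, str]:
    fw = StatefulFilter()
    client, server, attacker = "192.168.1.20", "198.51.100.7", "203.0.113.9"
    return {
        "syn_out":     fw.filter(Segment("out", client, 40000, server, 25, syn=True)),
        "synack_in":   fw.filter(Segment("in", server, 25, client, 40000, syn=True, ack=True)),
        "ack_out":     fw.filter(Segment("out", client, 40000, server, 25, ack=True)),
        "data_in":     fw.filter(Segment("in", server, 25, client, 40000, ack=True)),
        "probe_in":    fw.filter(Segment("in", attacker, 25, client, 40001, ack=True)),
        "attack_syn":  fw.filter(Segment("in", attacker, 25, client, 40000, syn=True)),
        "fin_in":      fw.filter(Segment("in", server, 25, client, 40000, fin=True, ack=True)),
        "after_close": fw.filter(Segment("in", server, 25, client, 40000, ack=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

A production implementation would also age out entries that never complete the handshake, track sequence numbers as the text mentions, and handle UDP by treating the first outbound datagram as the "connection".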

Application-Level Gateways

An application-level gateway, also known as an application proxy and usually deployed on a bastion host, is a firewall that simulates the (proper) effects of an application at level 7, so that the application receives only requests to act properly. A proxy gateway is a two-headed device: from the inside, it looks like the outside (destination) connection, while to the outside it responds just as an insider would. In effect, it acts as a man in the middle. An application proxy runs pseudo-applications that mimic the proper behavior of a protected application on the inside network, admitting only safe data.

An application-level gateway thus acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Furthermore, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable, while denying all other features.

Application-level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level.

A prime disadvantage of this type of gateway is the additional processing overhead on each connection. In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.
Circuit-Level Gateway

A circuit-level gateway is a firewall that essentially allows one network to be an extension of another. It operates at OSI level 5, the session level, and it functions as a virtual gateway between two networks.

A circuit is a logical connection that is maintained for a period of time, then torn down or disconnected. The firewall verifies the circuit when it is first created. After the circuit has been verified, subsequent data transferred over the circuit is not checked. Circuit-level gateways can limit which connections can be made through the gateway.

This can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications. As with an application gateway, a circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.

A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users. The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections. In this configuration, the gateway can incur the processing overhead of examining incoming application data for forbidden functions but does not incur that overhead on outgoing data.

5.6 INTRUSION DETECTION SYSTEM

An intrusion detection system (IDS) is a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner. The two main types of IDS are:

• Host-based IDS: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
• Network-based IDS: Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
An IDS comprises three logical components:

• Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion.

Types of input to a sensor include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.
• Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining whether an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may also provide guidance about what actions to take as a result of the intrusion.
• User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.

Host-Based Intrusion Detection

Host-based IDSs add a specialized layer of security software to vulnerable or sensitive systems; examples include database servers and administrative systems. The host-based IDS monitors activity on the system in a variety of ways to detect suspicious behavior. In some cases, an IDS can halt an attack before any damage is done, but its primary purpose is to detect intrusions, log suspicious events, and send alerts. The primary benefit of a host-based IDS is that it can detect both external and internal intrusions, something that is not possible either with network-based IDSs or firewalls. Host-based IDSs follow one of two general approaches to intrusion detection:

• Anomaly detection
• Signature detection

Network-Based Intrusion Detection

A network-based intrusion detection system (NIDS) examines traffic at specific locations on a network or a group of interconnected networks. In order to detect intrusion patterns, the NIDS examines traffic packet by packet in real time or near real time. The NIDS may examine network-, transport-, and/or application-level protocol activity.

In contrast to a host-based IDS, a network intrusion detection system (NIDS) monitors packet traffic directed at potentially vulnerable computer systems on a network. A host-based system examines user and software activity on a host. A typical NIDS installation consists of a number of sensors that monitor packet traffic, one or more servers that perform NIDS management functions, and one or more management consoles that serve as the human interface. Analysis of traffic patterns to detect intrusions may be done at the sensor, at the management server, or a combination of the two.

[Figure: Agent architecture for a host-based IDS. Components shown: OS audit function, filter for security interest, reformat function, analysis module (templates, logic module), central manager. Data shown: OS audit information, host audit record (HAR), notable activity, signatures, noteworthy sessions, alerts, modifications, query/response.]

Sensors

Sensors can be deployed in one of two modes: inline and passive. An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. One way to achieve an inline sensor is to combine NIDS sensor logic with another network device, such as a firewall or a LAN switch. This approach has the advantage that no additional separate hardware devices are needed; all that is required is NIDS sensor software. An alternative is a stand-alone inline NIDS sensor. The primary motivation for the use of inline sensors is to enable them to block an attack when one is detected. In this case the device is performing both intrusion detection and intrusion prevention functions.

More commonly, passive sensors are used. A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device. From the point of view of traffic flow, the passive sensor is more efficient than the inline sensor, because it does not add an extra handling step that contributes to packet delay.
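The sensor/analyzer split and the two detection approaches named above (signature detection and anomaly detection) can be illustrated with an analyzer run over a batch of sensor records. The Python below is an added example, not code from the original text or from any IDS product; the packet records, the two byte-pattern signatures and the port-scan threshold (five distinct destination ports on one target within two seconds) are made up for the demonstration, with addresses taken from the RFC 5737 documentation ranges.

```python
"""A toy IDS analyzer over constructed sensor records: signature detection
(known-bad byte patterns in payloads) and anomaly detection (a port-scan
threshold). Records, signatures and thresholds are made up for the example."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sensor output: one record per packet (time in seconds, addresses
# from the RFC 5737 documentation ranges, payload as bytes).
SAMPLE_PACKETS: List[Dict] = [
    {"t": 0.0, "src": "203.0.113.9", "dst": "192.168.1.30", "dport": 21, "payload": b""},
    {"t": 0.1, "src": "203.0.113.9", "dst": "192.168.1.30", "dport": 22, "payload": b""},
    {"t": 0.2, "src": "203.0.113.9", "dst": "192.168.1.30", "dport": 23, "payload": b""},
    {"t": 0.3, "src": "203.0.113.9", "dst": "192.168.1.30", "dport": 25, "payload": b""},
    {"t": 0.4, "src": "203.0.113.9", "dst": "192.168.1.30", "dport": 80, "payload": b""},
    {"t": 0.5, "src": "203.0.113.9", "dst": "192.168.1.30", "dport": 443, "payload": b""},
    {"t": 0.6, "src": "203.0.113.9", "dst": "192.168.1.30", "dport": 3389, "payload": b""},
    {"t": 5.0, "src": "198.51.100.7", "dst": "192.168.1.30", "dport": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"},
    {"t": 6.0, "src": "198.51.100.8", "dst": "192.168.1.30", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
]

# Signature detection: a tiny, made-up set of known-bad byte patterns.
SIGNATURES = [
    ("directory traversal", re.compile(rb"\.\./")),
    ("passwd file request", re.compile(rb"/etc/passwd")),
]

# Anomaly detection: the profile of "normal" says one source does not touch
# this many distinct ports on one target in this little time.
SCAN_PORTS = 5
SCAN_WINDOW = 2.0   # seconds

Alert = Tuple[float, str, str]   # (time, source, description)


def signature_alerts(packets: List[Dict]) -> List[Alert]:
    """Signature detection: one alert per (packet, matching pattern)."""
    alerts = []
    for p in packets:
        for name, pattern in SIGNATURES:
            if pattern.search(p["payload"]):
                alerts.append((p["t"], p["src"], f"signature: {name}"))
    return alerts


def portscan_alerts(packets: List[Dict]) -> List[Alert]:
    """Anomaly detection: flag a (source, target) pair once it exceeds the threshold."""
    history = defaultdict(list)   # (src, dst) -> [(t, dport), ...]
    flagged = set()
    alerts = []
    for p in sorted(packets, key=lambda r: r["t"]):
        key = (p["src"], p["dst"])
        history[key].append((p["t"], p["dport"]))
        recent_ports = {port for t, port in history[key] if p["t"] - t <= SCAN_WINDOW}
        if len(recent_ports) >= SCAN_PORTS and key not in flagged:
            flagged.add(key)
            alerts.append((p["t"], p["src"],
                           f"anomaly: {len(recent_ports)} ports on {p['dst']} in {SCAN_WINDOW}s"))
    return alerts


def analyze(packets: List[Dict]) -> List[Alert]:
    """The analyzer: merge both detectors' output, ordered by time."""
    return sorted(signature_alerts(packets) + portscan_alerts(packets))


if __name__ == "__main__":
    for t, src, what in analyze(SAMPLE_PACKETS):
        print(f"{t:5.1f}  {src:14s}  {what}")
```

Running it produces one anomaly alert for the scanner at the moment its fifth distinct port is seen and two signature alerts for the traversal request, and nothing for the ordinary GET; the scanner's packets carry no payload, so only the anomaly detector can see it, which is the complementary relationship between the two approaches.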
5.7 SECURE EMAIL

S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security.

MIME

MIME is an extension to the old RFC 822 specification of an Internet mail format. RFC 822 defines a simple header with To, From, Subject, and other fields that can be used to route an e-mail message through the Internet and that provides basic information about the e-mail content. RFC 822 assumes a simple ASCII text format for the content. MIME introduces a number of additional header fields that describe information about the message's content, such as its format and any encoding used to speed up transmission. Most importantly, MIME establishes a set of content formats that standardize representations for multimedia e-mail support.

S/MIME

S/MIME is defined as a set of additional MIME content types (Table 22.2) and provides the ability to sign and/or encrypt e-mail messages. In essence, these content types support four new functions:

• Enveloped data: This function consists of encrypted content of any type, together with the encryption keys for that content for one or more recipients.
• Signed data: A digital signature is created by encrypting the message digest of the content to be signed using the signer's private key. The content and signature are then encoded using base64 encoding. Only a recipient with S/MIME capability can view a signed data message.
• Clear-signed data: A digital signature of the content is created, just as with signed data. In this case, however, only the digital signature is encoded with base64. As a result, recipients who do not have S/MIME capability can see the message content but cannot verify the signature.
• Encrypted and signed data: Signed-only and encrypted-only entities can be nested, allowing encrypted data to be signed and signed data to be encrypted, or clear-signed data to be encrypted.

Types of Email Attacks

Cyber criminals use many different tactics to attack email, and some methods can cause considerable damage to an organization's data and/or reputation. Malware, which is malicious software used to harm or manipulate a device or its data, can be placed on a computer using each of the following attacks.
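The signed data and clear-signed data layouts described in the S/MIME list above, as an added example built with Python's email package (not code from this textbook). The assumptions are: an HMAC over the SHA-256 digest stands in for the RSA signature with the signer's private key, the canonicalisation is simplified, and the opaque blob is laid out as signature followed by content rather than as real CMS/PKCS#7 structure.

```python
"""Clear-signed (multipart/signed) versus opaque signed (application/pkcs7-mime)
S/MIME layouts, modelled with the email package. Added example with constructed data;
the signature primitive is a stand-in (HMAC over SHA-256), not a real S/MIME signature."""
import hashlib
import hmac
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SIGNER_KEY = b"constructed-demo-signing-key"   # stands in for the signer's private key
SIG_LEN = 32                                    # HMAC-SHA256 output length


def canonical(body: bytes) -> bytes:
    # Simplified canonicalisation: CRLF line ends, no trailing whitespace.
    return body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n").rstrip()


def sign(body: bytes) -> bytes:
    """'Sign' the message digest (stand-in for encrypting it with the private key)."""
    digest = hashlib.sha256(canonical(body)).digest()
    return hmac.new(SIGNER_KEY, digest, hashlib.sha256).digest()


def clear_signed(body: str) -> str:
    """multipart/signed: cleartext body plus a base64 detached signature part."""
    text = MIMEText(body, "plain")
    sig = MIMEApplication(sign(body.encode()), "pkcs7-signature", name="smime.p7s")
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature", micalg="sha-256")
    outer.attach(text)
    outer.attach(sig)
    return outer.as_string()


def opaque_signed(body: str) -> str:
    """application/pkcs7-mime; smime-type=signed-data: content and signature base64 together."""
    content = body.encode()
    blob = sign(content) + content      # fixed-length signature followed by the content
    part = MIMEApplication(blob, "pkcs7-mime", name="smime.p7m", **{"smime-type": "signed-data"})
    return part.as_string()


def read_without_smime(raw: str):
    """What a mail client with no S/MIME support can show the user, if anything."""
    msg = message_from_string(raw)
    if msg.get_content_type() == "multipart/signed":
        return msg.get_payload()[0].get_payload(decode=True).decode()
    return None     # opaque signed-data is just a base64 blob to such a client


def verify(raw: str) -> bool:
    """S/MIME-capable side: recover content and signature from either layout and check them."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        text_part, sig_part = msg.get_payload()
        content = text_part.get_payload(decode=True)
        sig = sig_part.get_payload(decode=True)
    elif ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "signed-data":
        blob = msg.get_payload(decode=True)
        sig, content = blob[:SIG_LEN], blob[SIG_LEN:]
    else:
        return False
    return hmac.compare_digest(sig, sign(content))


if __name__ == "__main__":
    body = "Quarterly report attached."
    for name, raw in (("clear-signed", clear_signed(body)), ("opaque signed", opaque_signed(body))):
        print(f"{name}: readable without S/MIME = {read_without_smime(raw)!r}, verifies = {verify(raw)}")
```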

Phishing

A phishing attack targets users by sending them a text, direct message, or email. The attacker poses as a trusted person or institution, and then takes advantage of the target's trust to steal sensitive information such as account numbers, credit card numbers, or login information. Spear phishing, ordinary phishing, and whaling are all examples of phishing. A whaler attacks someone high up in the corporation by claiming to be someone they trust, whereas spear phishing targets a specific person.

Spam

Spoofing

Spoofing is a serious email threat because it deceives the recipient into believing the message came from somebody other than the actual sender. As a result, spoofing is a powerful business email compromise (BEC) tactic. Because the email platform sees only the metadata, the same data that the attacker has changed, it is unable to distinguish a forged email from a legitimate one. This makes it quite straightforward for an attacker to impersonate someone the target knows or respects.

5.8 LEGAL AND ETHICAL ISSUES

The legal system has done a good job of adapting to computer technology by repurposing certain older kinds of legal protection (copyrights and patents) and enacting new laws where none existed (malicious access). For two reasons, however, the courts are not an ideal mechanism of security for computer resources. First, rather than being proactive, the courts tend to be reactive. That is, rather than attempting to prevent a transgression from occurring in the first place, we must wait for it to happen and then adjudicate it. Second, resolving a problem through the courts may be time-consuming (often years) and costly; the latter trait inhibits all but the wealthiest from dealing with most security issues. On the other hand, because ethics is more contextual and subjective than the law, it has not had to change. Personal information privacy, for example, is becoming increasingly crucial in computer security. Even though this is technically merely a matter of confidentiality, it has a lengthy history in both law and ethics. This chapter rounds out our study of protection for computing systems by considering the context in which security is assessed and applied.

Law and computer security are related in several ways. To begin with, international, national, state, and local regulations can all have an impact on privacy and secrecy. These laws frequently pertain to people's right to privacy in their personal lives. Second, rules govern how data and programs are used, developed, and owned. Patents, copyrights, and trade secrets are legal tools used to protect the rights of programmers and data owners. Controlling access to programs and data is another part of computer security, and these legal methods assist that control. Third, laws have an impact on the activities that can be taken to safeguard the confidentiality, integrity, and availability of computer data and services. The laws that govern computer security strengthen and constrain these fundamental concerns. As a result, legal mechanisms work in tandem with other safeguards to ensure computer security.

Protection of data and information: laws

Programmers, architects, users, and maintenance personnel of computing systems and computerized data banks are all affected by computer security regulations.
These rules protect people who use computers, but they also control their activity. Furthermore, computer specialists are among the best-qualified proponents for amending and enacting new computer legislation. Before recommending change, however, professionals must understand the current state of computers and the law. Therefore, we have three motivations for studying the legal section of this chapter:

• To know what protection the law provides for computers and data
• To appreciate laws that protect the rights of others with respect to computers, programs, and data
• To understand existing laws as a basis for recommending new laws to protect computers, data, and people

Source code, object code, and even the "look and feel" of a computer screen are recognizable, if not tangible, objects. The law deals reasonably well, although somewhat belatedly, with these things. But computing is in transition to a new class of object, with new legal protection requirements. Electronic commerce, publishing, voting, banking: these are the new challenges to the legal system. In this section we consider some of these new security requirements.

Employee rights

Employers hire employees to generate ideas and make products. Copyrights, patents, and trade secrets provide companies with valuable protection for their ideas and goods. The question of who owns the ideas and products, on the other hand, is complicated. Because it relates to an employer's right to preserve the secrecy and integrity of works generated by employees, ownership is a computer security issue. In this section, we look at the rights of workers and employers when it comes to computer products. An employment contract clarifies for both parties an employee's rights to computer products.

Software failure

Program development is a human process of design, creation, and testing, involving a great deal of communication and interaction. For these reasons, there will always be errors in the software we produce. At times we expect flawless consumer goods, such as vehicles or lawn mowers. At other times, we expect items to be "good enough" to be used in the majority of cases. We usually don't mind if the amount of cheese on our pizza varies or if the colour of a ceramic tile varies slightly. We expect the seller to provide an appropriate remedy, such as repair or replacement, if an instance of a product is not usable. But the situation with software is very different. To be fair, an operating system is a great deal more complex than a pizza or a ceramic tile, and more opportunities for failure exist.

For this reason, this section addresses three questions:

• What are the legal issues in selling correct and usable software?
• What are the moral or ethical issues in producing correct and usable software?
• What are the moral or ethical issues in finding, reporting, publicizing, and fixing flaws?

The legal problems are changing in certain ways. Everyone agrees that all suppliers should develop high-quality software, yet this does not always occur. The more challenging problems, concerning what to do when flaws are detected, arise in the design and support communities.

Computer crime

Computer crime, often known as cybercrime, is a broad term that refers to criminal activity involving computers or computer networks as a tool, a target, or a location. These categories are not mutually exclusive, and many activities can be classified into one or more of them. The term "cybercrime" connotes the use of networks in particular, whereas "computer crime" may or may not involve networks. The United States Department of Justice [DOJ00] divides computer crime into four categories based on the computer's role in the criminal activity:

• Computers as targets: This type of crime targets a computer system in order to obtain information stored on it, to control the target system without consent or payment (theft of service), to modify the integrity of data, or to disrupt the computer's or server's availability. An attack on data integrity, system integrity, data confidentiality, privacy, or availability falls under this category.
• Computers as storage devices: By employing a computer or a computer device as a passive storage medium, computers can be used to facilitate illegal behaviour. Stolen password lists, credit card or calling card details, sensitive company data, pornographic image files, or "warez" (pirated commercial software) can all be stored on the computer.
• Computers as communications tools: Many of the crimes falling within this category are simply traditional crimes that are committed online. Examples include the illegal sale of prescription drugs, controlled substances, alcohol, and guns; fraud; gambling; and child pornography.

Privacy

Information privacy has three aspects: sensitive data, affected parties, and controlled disclosure.

Controlled disclosure

What is privacy? A good working definition is that privacy is the right to control who knows certain aspects about you, your communications, and your activities. In other words, you voluntarily choose who can know which things about you. People may ask you for your telephone number: your auto mechanic, a shop clerk, your tax authority, a new business contact, or a new friend. In each case, you consider why the person wants the number and then decide whether to give it out. But the key point is that you decide. So privacy is something over which you can have considerable influence. Privacy is the right to control who knows certain things about you.

Sensitive data

Here are examples (in no particular order) of types of data many people consider private.

• Identity: name, identifying information, the ownership of private data and the ability to control its disclosure
• Finances: credit rating and status, bank details, outstanding loans, payment records, tax information
• Legal: criminal records, marriage history, civil suits
• Health: medical conditions, drug use, DNA, genetic predisposition to illnesses
• Opinions, preferences, and membership: voting records, expressed opinions, membership in advocacy organizations, religion, political party, sexual preference, reading habits, web browsing, favourite pastimes, close friends
• Biometrics: physical characteristics, polygraph results, fingerprints
• Documentary evidence: surface mail, diaries, poems, correspondence, recorded thoughts

• Privileged communications: with professionals such as lawyers, accountants, doctors, counselors, and clergy
• Academic and employment information: school records, employment ratings
• Location data: general travel plans, current location, travel patterns
• Digital footprint: email, telephone calls, spam, instant messages, tweets, and other forms of electronic interaction, social networking history

Affected subject

Individuals, groups, companies, organizations, and governments all have data they consider sensitive. We use terms such as "subject" and "owner" to distinguish between the person or entity being described by data and the person or entity that holds the data. So far we have described privacy from a personal standpoint, where the subject is a person. But public and private organizations are interested in privacy, too. Most governments consider military and diplomatic matters sensitive, but they also recognize their responsibility to provide information that informs national discourse. At the same time, governments have a responsibility to protect and keep confidential the data they collect from citizens, such as tax information.

Privacy is an aspect of confidentiality. As we have learned throughout this book, the three security goals of confidentiality, integrity, and availability can conflict, and confidentiality sometimes conflicts with availability. For example, if you choose not to have your telephone number published in a directory, then some people may not be able to reach you by telephone. Or refusing to reveal personal data to a shop may prevent you from receiving a frequent-shopper discount. So, it is important to consider privacy not only as a way to protect information but also as a possible obstacle to other important, positive goals.

Ethics

The study of ethics is not easy because the issues are complex. Sometimes people confuse ethics with religion because many religions supply a framework in which to make ethical choices. However, ethics can be studied apart from any religious connection. Difficult choices would be easier to make if there were a set of universal ethical principles to which everyone agreed. But the variety of social, cultural, and religious beliefs makes the identification of such a set of universal principles impossible. Ethics are personal choices about right and wrong actions in a given situation.

Ethics and religion

Ethics is a set of concepts or norms that can be used to justify what is right or wrong in a particular situation. To grasp what ethics is, we can begin by figuring out what it isn't. Religious views are not the same as ethical ideals. Religion is founded on personal beliefs about the origins of the universe and the existence of guiding forces or beings. Many moral concepts are embodied in the main faiths, and the basis of human morality, like religion, is a matter of belief and conviction. Two people from different religious backgrounds, on the other hand, may adopt the same ethical ideology, whereas two adherents of the same religion may reach conflicting ethical judgements in a given situation. Finally, we can examine a scenario from an ethical standpoint and draw ethical conclusions without relying on a specific religion or theological framework. As a result, it is essential to differentiate ethics from religion.

5.9 SUMMARY

• One of the most serious dangers to computer security is unauthorized access to a computer system or network.
• Intrusion detection systems were created to provide early warning of an intrusion, allowing defensive action to be taken to prevent or reduce damage.
• Intrusion detection involves detecting unusual patterns of activity, or patterns of activity that are known to correlate with intrusions.
• Password management is a crucial part of intrusion prevention, as it prevents unauthorized individuals from accessing other people's passwords.

• A firewall creates a barrier through which traffic must pass in both directions. The security policy of a firewall determines which traffic is allowed to travel in each direction.
• A firewall can be built to act as a filter at the IP packet level, or it can act at a higher protocol layer.
• Each incoming and outgoing IP packet is subjected to a set of rules before being forwarded or discarded by a packet filtering firewall.
• An application-level gateway, also known as an application proxy, is a device that functions as a conduit for application-level traffic. The user connects to the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway requests the identity of the remote host to be accessed.
• Database security is generally planned, implemented and maintained by a database administrator and/or other information security professional.
• A security policy documents an organization's security needs and priorities.
• The legal system has adapted quite well to computer technology by reusing some old forms of legal protection and creating laws where no adequate ones existed.
• The laws dealing with computer security affect programmers, designers, users, and maintainers of computing systems and computerized data banks. These laws protect, but they also regulate the behavior of people who use computers.
• Copyright law protects the tangible or fixed expression of an idea, not the idea itself. A creator can claim copyright, and file for the copyright at a national government copyright office.

5.10 KEYWORDS

• IP address spoofing- creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system
• IP security- a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network

• Personal firewall- an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy
• Tiny fragment attack- occurs when a tiny packet fragment gets into the server. This happens when one of the fragments is so small that it can't even fit its own header
• Virtual private network- an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted
• Digital Millennium Copyright Act- meant to protect copyright holders from illegal piracy, but its often broad application can stifle research and free speech
• Infringement- a violation, a breach, or an unauthorized act. ... In intellectual property areas, an infringement refers to an unauthorized use of a copyrighted work or patented invention
• Patent- an exclusive right granted for an invention, which is a product or a process that provides, in general, a new way of doing something, or offers a new technical solution to a problem
• Trademark- a sign capable of distinguishing the goods or services of one enterprise from those of other enterprises. Trademarks are protected by intellectual property rights.

5.11 LEARNING ACTIVITY

1. Review the results of a recent computer crime survey such as the CSI/FBI or AusCERT surveys. What changes do they note in the types of crime reported?

2. Assume you are a midlevel systems administrator for one section of a larger organization. You try to encourage your users to have good password policies and you regularly run password-cracking tools to check that those in use are not guessable. You have become aware of a burst of hacker password-cracking activity recently. In a burst of enthusiasm, you transfer the password files from a number of other sections of the organization and attempt to crack them. To your horror, you find that in one section for which you used to work (but now have rather strained relationships with), something like 40% of the passwords are guessable (including that of the vice-president of the section, whose password is "pre$ident"!). You quietly sound out a few former colleagues and drop hints in the hope things might improve. A couple of weeks later you again transfer the password file over to analyse in the hope things have improved. They haven't. Unfortunately, this time one of your colleagues notices what you are doing. Being a rather "by the book" person, he notifies senior management, and that evening you find yourself being arrested on a charge of hacking and thrown out of a job. Did you do anything wrong? Which of the potential ethical dilemmas does this case illustrate? Briefly indicate what arguments you might use to defend your actions.

3. In an IPv4 packet, the size of the payload in the first fragment, in octets, is equal to Total Length – (4 × IHL). If this value is less than the required minimum (8 octets for TCP), then this fragment and the entire packet are rejected. Suggest an alternative method of achieving the same result using only the Fragment Offset field.

4. Write a scenario where an email has been tampered with. Explain the ways to secure it.

5. Write an example of a cyber-crime that happens very often. How can we handle or avoid the above-mentioned situation carefully?

5.12 UNIT END QUESTIONS

A. Descriptive Questions

1. List the benefits that can be provided by an intrusion detection system.
2. What is a honeypot?
3. List three design goals for a firewall.
4. What is an application-level gateway?
5. What are the basic conditions that must be fulfilled to claim a copyright?
6. Describe database security schemes.
7. Illustrate network security protocols.
8. Describe the role of firewalls.
9. Explain intrusion detection systems.
10. Describe copyrights, patents and trademarks.
11. What are the requirements for database security?
12. Explain inference.

13. What is interception? What are the ways it is done?
14. What are the different types of intrusion detection systems?
15. Explain the terms phishing, spam and spoofing.
16. What is cyber-crime? Explain its different categories.

B. Multiple Choice Questions

1. Which of the following is/are the types of firewall?
a. Packet Filtering Firewall
b. Dual Homed Gateway Firewall
c. Screened Host Firewall
d. Dual Host Firewall

2. A firewall is installed at the point where the secure internal network and untrusted external network meet, which is also known as a
a. Meeting point
b. Firewall point
c. Secure point
d. Choke point

3. A stateful firewall maintains a ______, which is a list of active connections.
a. Connection table
b. Routing table
c. Bridging table
d. State table

4. What are the different ways to classify an IDS?
a. Network & Zone based
b. Zone based
c. Host & Network based
d. Level based

5. What are the characteristics of signature-based IDS?
a. Most are based on simple pattern matching algorithms
b. It is programmed to interpret a certain series of packets
c. It models the normal usage of the network as a noise characterization
d. Anything distinct from the noise is assumed to be intrusion activity

Answers

1-a, 2-d, 3-b, 4-c, 5-a

5.13 REFERENCES

Reference Books

• William Stallings, Lawrie Brown, "Computer Security: Principles and Practice", Pearson, 2nd Edition
• Charles P. Pfleeger, Shari Lawrence Pfleeger & Jonathan Margulies, "Security in Computing", PHI, 5th Edition
• C K Shyamala, N Harini and Dr. T R Padmanabhan, "Cryptography and Network Security", Wiley India Pvt. Ltd
• Charlie Kaufman, Radia Perlman, and Mike Speciner, "Network Security: Private Communication in a Public World", Prentice Hall, ISBN 0-13-046019-2

Textbooks

• B. A. Forouzan & D. Mukhopadhyay, "Cryptography and Network Security", McGraw Hill, 2nd ed., 2010
• Stallings, "Cryptography and Network Security", PHI, 4th ed., 2010
• Kahate, "Cryptography and Network Security", TMH

Websites

• https://www.brainkart.com/article/Security-Requirements_9640/
• https://www.javatpoint.com/firewall
• https://www.barracuda.com/glossary/intrusion-detection-system

