COMPUTER AND NETWORK SECURITY PRINCIPLES

What You’ll Learn in This Chapter

▲Why networks need security

▲Types of attacks

▲Key aspects of security

▲Threat analysis

▲Social engineering

▲Security policies, procedures, and standards

After Studying This Chapter, You’ll Be Able To

▲Identify the key aspects of security and explain why they are important to a business

▲Describe how social engineering presents a security risk

▲Compare quantitative risk analysis and qualitative risk analysis

▲Identify assets and assess their value

▲Identify vulnerabilities and assess their criticality

▲Identify threats and assess their likelihood

▲List the elements of the ISO 17799 standard and describe how they relate to network security

INTRODUCTION

When you begin to learn about computer and network security, you need to understand why
you’re doing so. The main purpose of this chapter is to get you thinking about the things that can
happen when security is not implemented on a computer or network—to increase your paranoia a
little—and to give you a foundation in some key security concepts. Therefore, the first section of
this chapter describes some potential threats to computer security at a general level.

Next the chapter looks at the key aspects you need to consider when implementing security on a
computer or network. Then the chapter introduces threat modeling and risk mitigation. The
chapter concludes with an introduction to security policies and procedures.

1.1 Importance of Computer and Network Security


Computer security involves implementing measures to secure a single computer. When
securing a single computer, you are concerned with protecting the resources stored on that
computer and protecting that computer from threats.

Network security involves protecting all the resources on a network from threats. You must
consider not only the computers on the network, but other network devices, network
transmission media, and the data being transmitted across the network. In this section, you will
learn to appreciate the importance of computer and network security by looking at a few
examples of attacks that could occur. These examples should get you thinking about what could
happen if computer and network security is not implemented. We’ll also define security as it will
be used in the context of this book.

1.1.1 Exposing Secrets

The more wired our society becomes, the more our confidential data is subject to being
discovered by those who will use it maliciously or for their own benefit. For example, in the
spring of 2005, hackers obtained the password to Paris Hilton’s T-Mobile Sidekick and
published her address book and other personal information on the Internet. Think about the
vulnerability of the data you store on your cell phone or on your personal digital assistant (PDA).
Do you use passwords that are hard to guess to protect it?

Similar confidentiality concerns are raised by the use of credit cards to make purchases
over the Internet. Figure 1-1 illustrates two potential attacks on your private financial data. The
basic Internet protocols provide no confidentiality protection, so parties located between
customer and merchant could capture credit card numbers and use them later for fraudulent
purchases. Secure Sockets Layer (SSL) was developed by Netscape to deal with this very
problem. Hypertext Transfer Protocol over SSL (HTTPS) carries Hypertext Transfer Protocol
(HTTP), the protocol used on the World Wide Web, inside an encrypted SSL connection.
Transport Layer Security (TLS), the standardized successor to SSL, offers stronger protection
and has replaced it.

Although SSL and TLS can protect data while it is being sent across the Internet (or
another unsecured network), their use does not mean your credit card number is safe. Scanning
Internet traffic for packets containing credit card numbers is an attack strategy with a low yield.
Badly protected servers at a merchant site that hold a database of customer credit card numbers
are a much more rewarding target. There is documented evidence that such attacks have
occurred, either to obtain credit card numbers or to blackmail the merchant.

Another potential risk is identity theft. Identity theft, that is, using somebody else’s
“identity” (name, social security number, bank account number, etc.) to gain access to a resource
or service, exploits an inherent weakness in services that use non-secret identifying information
to authenticate requests.

1.1.2 Causing System Failures


Some attackers are not after confidential data. Instead, they want to disrupt business. These
attackers use a variety of techniques to cause damage.

Vulnerabilities in software that accepts user input, such as Internet browsers or email
software, can allow external parties to take control of a device. Attackers might corrupt data on
the device itself or use the device as a stepping stone for attacks against third parties.

Worms and viruses make use of overgenerous features or vulnerabilities to spread widely
and overload networks and end systems with the traffic they generate. The Internet worm of
November 1988 is an early, well-documented example of this species. Denial-of-service attacks
against specific targets have started to occur in the last decade. A denial-of-service attack is one
that prevents a server from performing its normal job. Resilience against denial-of-service
attacks has become a new criterion in the design of security protocols.

1.1.3 Profile of an Attacker

In the scenarios described above, the attacks come from the outside. Keeping the enemy outside
the castle walls is a traditional paradigm in computer security. However, typical statistics for the
sources of attacks show that attacks from insiders account for a majority of incidents and the
largest proportion of damages. Although there have been some very high profile attacks via the
Internet, insider fraud remains a considerable concern in organizations and in electronic
commerce transactions.

Understanding your enemy is a good first step in learning how to defeat him or her.
When designing security, it helps to understand something about why hackers attack and their
different levels of expertise.

Attacker Motivation

It has been said that the goal of security engineering is to raise the effort involved in an attack to
a level where the costs exceed the attacker’s gains. Such advice might be short-sighted. Not
every attacker is motivated by a wish for money. Employees who have been fired might want
revenge on their former employers. Hackers might want to demonstrate their technical expertise
and might draw particular satisfaction from defeating security mechanisms that have been put in
their way. Cyber vandals might launch attacks without much interest in their consequences.
Political activists might deface the websites of organizations they dislike or launch attacks on a
politician’s site so that visitors are redirected to a different site.

Attacker Expertise

There is similar variance in the expertise required to break into a system. In some cases insider
knowledge will be required to put together a successful attack plan. In this respect, social
engineering could be more important than technical wizardry. Hassling computer operators on
the phone to give the caller the password to a user account is a favorite ploy. Some attacks
require deep technical understanding. Other attacks have been automated and can be downloaded
from websites so that they can be executed by script kiddies, attackers who have little insight
into the vulnerabilities or features of a system, but use scripts to launch attacks.

1.1.4 Social Engineering

One of the common ways attackers gain information is through social engineering. A social
engineering attack is one that involves people, not computers. This makes it especially difficult
for the network administrator to thwart. The following are some examples of social engineering
attacks:

▲An attacker calls an employee on the phone claiming to be an administrator. The caller asks
for the user’s name and password in order to “verify the user’s network settings.”

▲An attacker who does not work for the company claims to be a temporary employee or
contractor. The attacker is allowed access to a computer or worse, to the server room.

▲An attacker sifts through documents in the trash bin to discover employee names,
organizational hierarchy, or even network configuration data.

These are just a few examples of social engineering attacks. The best way to prevent a
social engineering attack is by educating employees about unsafe practices.

1.1.5 Security Defined

Software might crash, communication networks might go down, hardware components might
fail, and human operators might make mistakes. As long as these failures cannot be directly
attributed to some deliberate human action, they are not classified as security issues.
Accidental failures are reliability issues. Operating mistakes are usability issues. Security is
concerned, in contrast, with intentional failures. There might not always be a clear intent to
achieve a particular goal, but there is at some stage a decision by a person to do something he
or she is not supposed to do. As outlined previously, there can be different reasons for such
actions. The root cause of security problems is human nature.

Security practitioners know that security is a “people problem” that cannot be solved by
technology alone. The legal system has to define the boundaries of acceptable behavior through
data protection and computer misuse laws. However, responsibility for security within
organizations resides ultimately with management and with the users on the network. Managers
must enforce the company’s security policies. Users have to cooperate and comply with the
security rules laid down in their organization. Of course, correct deployment and operation of
technical measures is also part of the overall solution.

FOR EXAMPLE

A Network Without Security

You have been hired at a small company as a network administrator. The company has been
using peer-to-peer networking to allow users to share files. The company does not have a
security policy and users frequently share their passwords with other users so that they can
share files.

When you raise concerns to the owner of the company, he shrugs his shoulders. “Nothing has
happened so far. Besides, we’re not even connected to the Internet,” he says.

You explain that a password should be a secret that only a single person knows because that
password gives them access to confidential files. You ask the owner to think about the kinds of
data that are stored on each person’s computer and what would happen if the data fell into the
wrong hands. You give the example of a disgruntled employee who leaves with the customer
list.

The owner thinks for a moment and turns pale. “You know, I hadn’t thought about that before.
Your first job is to figure out how I can protect my company from an attack that compromises
its confidential data.”

1.2 Underlying Computer and Network Security Concepts


In this section, we examine some key concepts underlying computer and network security. These
concepts include the following:

▲Confidentiality: prevention of unauthorized disclosure of information.

▲Integrity: prevention of unauthorized modification of information.

▲Availability: prevention of unauthorized withholding of information or resources.

▲Accountability: holding users accountable for their actions.

▲Non-repudiation: the ability to ensure that someone cannot deny (i.e., repudiate) his or her
actions.

1.2.1 Confidentiality

Historically, security and secrecy were closely related. Even today, many people still feel that
the main objective of computer security is to stop unauthorized users from learning sensitive
information. Confidentiality (privacy, secrecy) captures this aspect of computer security.

The terms privacy and secrecy are sometimes used to distinguish between the protection of
personal data (privacy) and the protection of data belonging to an organization (secrecy). As
you examine confidentiality issues, you will also face the question of whether you only want to
hide the content of a document from unauthorized view, or also its existence. To see why one
might take this extra step, consider traffic analysis in a communications system. Even if the
contents of messages are hidden, an unauthorized observer can still see who is talking to whom,
and how often, without reading the messages themselves. From that alone, an observer could
derive useful information about the relationship between the corresponding parties. This very
issue has been debated recently in the United States Senate with regard to whether phone
companies should be required to provide records of telephone calls to the government and what
restrictions apply.

You need to consider the confidentiality of data both when it is stored on a computer and when
it is being transmitted across the network. Another consideration is ensuring the confidentiality
of data stored on laptop computers or removable devices, such as a USB drive. There have been
several recent incidents involving missing laptops that store confidential data. Whenever data
leaves a company’s site, it becomes vulnerable.

1.2.2 Integrity

It is quite difficult to give a concise definition of integrity. In general, integrity is about making
sure that everything is as it is supposed to be, and in the context of computer security, the
prevention of unauthorized modification of information. However, additional qualifications like
“being authorized to do what one does” or “following the correct procedures” have also been
included under the term integrity, so that users of a system, even if authorized, are not permitted
to modify data items in such a way that assets or accounting records of the company are lost or
corrupted.

So far we have defined security by specifying the user actions that have to be controlled. From a
systematic point of view, integrity is better defined in terms of the state of the system. The
Orange Book (or Trusted Computer System Evaluation Criteria, developed by the United States
Department of Defense) defines integrity in just this way: as the state that exists when
computerized data is the same as that in the source documents and has not been exposed to
accidental or malicious alteration or destruction.

In this definition, data integrity is a synonym for external consistency. The data stored in a
computer system should correctly reflect some reality outside the computer system. However,
while this state is highly desirable, it is impossible to guarantee this property merely by
mechanisms internal to the computer system.

Integrity is often a prerequisite for other security properties. For example, an attacker could try
to circumvent confidentiality controls by modifying the operating system or an access control
table referenced by the operating system. Hence, we have to protect the integrity of the
operating system and the integrity of access control data structures to achieve confidentiality.

Integrity is also an issue when data is transmitted across a network. An attacker could intercept
and modify packets of data on the network if that data’s integrity is not protected (see Figure
1-2). This type of attack is known as a man-in-the-middle attack.

1.2.3 Availability

Availability is very much a concern beyond the traditional boundaries of computer security.
Engineering techniques used to improve availability often come from other areas like fault-
tolerant computing (a computer system or systems that can tolerate the failure of a component).
In the context of security, we want to ensure that a malicious attacker cannot prevent legitimate
users from having reasonable access to their systems. That is, we want to prevent denial of
service.

There have now been a number of incidents of flooding attacks on the Internet where an
attacker effectively disabled a server by overwhelming it with connection requests. Figure 1-3
shows one of the first denial-of-service attacks, a smurf attack. A smurf attack requires the
attacker to spoof (pretend to be someone you are not) the identity of the victim. In a smurf
attack, the attacker sends an Internet Control Message Protocol (ICMP) echo request to the
broadcast address of some network with a spoofed sender address (the victim’s address). The
echo request is delivered to every node on that network, and each node replies to the spoofed
sender address, flooding the victim with reply packets. The amplification provided by the
broadcast address works to the attacker’s advantage: a single request from the attacker yields
one reply per host on the intermediate network.
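
As an added example that is not from the original chapter, the following Python script shows
what a smurf flood looks like from the victim’s side and how a simple detector can flag it:
many ICMP echo replies from distinct hosts arriving at one address that never sent an echo
request. The record format, the addresses and the threshold are constructed for this illustration.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed sample records, not a real capture. One record per ICMP packet:
# "<time> <src> <dst> <icmp_type>", where type 8 = echo request, type 0 = echo reply.
# The capture is taken at the victim's network edge, so the attacker's spoofed
# request (sent from elsewhere to 192.0.2.255) never appears here.
def build_sample_log() -> list[str]:
    lines = [
        "100.00 10.0.0.7 10.0.0.1 8",   # an ordinary ping ...
        "100.01 10.0.0.1 10.0.0.7 0",   # ... and its single reply
    ]
    # Fifty hosts on 192.0.2.0/24 answer the broadcast request; every reply goes to
    # the spoofed source 203.0.113.5, which sent no request of its own.
    for host in range(10, 60):
        lines.append(f"101.{host:02d} 192.0.2.{host} 203.0.113.5 0")
    return lines


def detect_smurf(lines: list[str], min_sources: int = 20) -> list[tuple[str, int, int]]:
    """Flag hosts that receive echo replies from at least `min_sources` distinct
    senders within a one-second window without having sent an echo request in
    that window or the one before. Returns (victim, window, distinct_sources)."""
    requests_sent: dict[str, set[int]] = defaultdict(set)      # host -> windows it pinged in
    replies: dict[tuple[str, int], set[str]] = defaultdict(set)  # (dst, window) -> reply sources
    for line in lines:
        time_s, src, dst, icmp_type = line.split()
        window = int(float(time_s))
        if icmp_type == "8":
            requests_sent[src].add(window)
        elif icmp_type == "0":
            replies[(dst, window)].add(src)

    alerts = []
    for (victim, window), sources in sorted(replies.items()):
        solicited = requests_sent[victim] & {window, window - 1}
        if len(sources) >= min_sources and not solicited:
            alerts.append((victim, window, len(sources)))
    return alerts


if __name__ == "__main__":
    for victim, window, count in detect_smurf(build_sample_log()):
        print(f"possible smurf flood: {count} hosts replied to {victim} at t={window}s")
```

The same logic applied on the intermediate network would instead look for echo requests
addressed to its own broadcast address. The classic countermeasure on the amplifying network
is to stop routers forwarding directed broadcasts (on Cisco IOS, `no ip directed-broadcast`,
which has been the default since IOS 12.0), which removes the amplification entirely.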

In many situations, availability might be the most important aspect of computer and
network security, but there is a distinct lack of security mechanisms for handling this problem.
As a matter of fact, security mechanisms that are too restrictive or too expensive can themselves
lead to denial of service. Designers of security protocols now often try to avoid imbalances in
workload that would allow a malicious party to overload its victim at little cost to itself.
A denial-of-service attack can also be launched against network resources. For example,
in February 2007, a denial-of-service attack was launched against the domain name system root
servers on the Internet. Fortunately, the attack did not disrupt Internet traffic.

1.2.4 Accountability

Confidentiality, integrity, and availability all deal with different aspects of access control and put
their emphasis on the prevention of unwelcome events. You have to accept the fact that you will
never be able to prevent all improper actions. First, you might find that even authorized actions
can lead to a security violation.

Second, you might find a flaw in your security system that allows an attacker to find a way past
your controls. Therefore, you might add a new security requirement to your list: users should be
held responsible for their actions (accountability).

To provide accountability, the system has to identify and authenticate users. It has to keep
an audit trail of security-relevant events. If a security violation has occurred, information from
the audit trail could help to identify the perpetrator and the steps that were taken to compromise
the system.

1.2.5 Non-repudiation

Non-repudiation provides undeniable evidence that a specific action occurred. This definition is
meaningful when analyzing the security services that cryptographic mechanisms can provide.
Typical non-repudiation services in communications security are non-repudiation of origin,
providing evidence about the sender of a document, and non-repudiation of delivery, providing
evidence about the fact that a message was delivered to a specific recipient.

A physical example of non-repudiation is sending a letter with a return receipt requested.
When you do so, a person must sign for the letter. This is an example of non-repudiation of
delivery because you can prove that the letter was delivered. Of course, the person who signs for
the letter might not be the person to whom the letter was addressed. This raises a potential
weakness in non-repudiation. Suppose the person who signs for the letter forges the name of the
addressee. The delivery can then be repudiated (denied) by the actual addressee.

An example of non-repudiation on a network is a digital signature. A digital signature
allows a recipient to verify that a message was actually sent by the claimed sender, and because
only the sender holds the signing key, the sender cannot later deny having sent it. This is an
example of non-repudiation of origin.
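
The following Python block is an added example, not code from the chapter. It contrasts the
two mechanisms just discussed: a message authentication code (HMAC), which lets the receiver
detect the man-in-the-middle modification described in Section 1.2.2 but does not prove who
sent the message, because the receiver holds the same key; and a digital signature, which only
the holder of the private key can produce. The RSA parameters are deliberately small textbook
values, and the messages are constructed for the illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# --- Integrity: message authentication code with a shared key ----------------
# A man-in-the-middle who alters the message cannot recompute the tag without
# the key, so the receiver notices the modification.

def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time so timing does not leak the tag
    return hmac.compare_digest(mac_tag(key, message), tag)


# --- Non-repudiation of origin: textbook RSA signature ----------------------
# Toy parameters, kept small so the arithmetic stays visible. Real deployments
# use 2048-bit or larger moduli with a padding scheme such as RSA-PSS, or an
# elliptic-curve signature; never use this as-is.
P, Q = 1_000_003, 999_983            # two primes
N = P * Q                            # public modulus
PHI = (P - 1) * (Q - 1)
E = 65_537                           # public exponent
D = pow(E, -1, PHI)                  # private exponent (needs Python 3.8+)


def _digest_as_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_exponent: int, message: bytes) -> int:
    return pow(_digest_as_int(message), private_exponent, N)


def verify(public_exponent: int, message: bytes, signature: int) -> bool:
    return pow(signature, public_exponent, N) == _digest_as_int(message)


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(32)                     # shared by sender and receiver
    order = b"transfer 100 EUR to account 42"         # constructed sample message
    tampered = b"transfer 900 EUR to account 42"      # what a man-in-the-middle forwards
    tag = mac_tag(key, order)
    signature = sign(D, order)
    return {
        "mac_accepts_original": mac_verify(key, order, tag),
        "mac_rejects_tampered": not mac_verify(key, tampered, tag),
        # The receiver holds the same key, so it can mint a valid tag for any
        # message: a MAC proves integrity, not who produced the message.
        "receiver_can_forge_mac": mac_verify(key, tampered, mac_tag(key, tampered)),
        "signature_accepts_original": verify(E, order, signature),
        "signature_rejects_tampered": not verify(E, tampered, signature),
        # The receiver knows only E; "signing" with it instead of D yields a
        # value the public key rejects, so a signature that does verify can
        # only have come from the holder of D.
        "receiver_cannot_forge_signature": not verify(E, order, sign(E, order)),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

Every entry of the dictionary returned by `demo()` is expected to be true; the two
`receiver_*` entries are the ones that separate integrity from non-repudiation.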

1.3 Threats and Countermeasures

Risk is the possibility that some incident or attack will cause damage to an organization’s
network. An attack consists of a sequence of actions that attempts to exploit weak points in an
organization’s practices or its network configuration. To assess the risk posed by the attack you
have to evaluate the amount of potential damage and the likelihood that the attack will occur.
This likelihood will depend on the attacker’s motivation and on how easy it is to mount the
attack. In turn, this will further depend on the security configuration of the system under attack.
The process of identifying a risk and assessing its likelihood and impact is known as risk
analysis.

Many areas of engineering and business have developed their own disciplines and
terminology for risk analysis. This section gives a brief overview of risk analysis for Information
Technology (IT) security. Within IT security, risk analysis is applied

▲Comprehensively for all information assets of an enterprise.

▲Specifically for the IT infrastructure of an enterprise.

▲During the development of new products or systems—for example, in the area of software
security.

1.3.1 Assessing Assets, Vulnerabilities, and Threats to Calculate Risk

The first step in risk analysis is to identify assets, vulnerabilities, and threats, and to rank them
according to their value (assets), impact on the business if they are exploited (vulnerabilities),
and likelihood of occurrence (threats). Let’s take a look at each of these elements.

Assets

First, assets have to be identified and valued. In an IT system, assets include the following:

▲Hardware: laptops, desktops, servers, routers, PDAs, mobile phones, smart cards, and so on.

▲Software: applications, operating systems, database management systems, source code,
object code, and so on.

▲Data and information: essential data for running and planning your business, design
documents, digital content, data about your customers, data belonging to your customers (like
credit card numbers), and so forth.

▲Reputation: the opinion held by your customers and the general public about your
organization. Reputation can affect how likely a person is to place an order with you or provide
you with information.

Identification of assets should be a relatively straightforward, systematic exercise.

Valuation of assets is more of a challenge. Some assets, such as hardware, can be valued
according to their monetary replacement costs. For other assets, such as data and information,
valuation is more difficult. If your business plans are leaked to the competition or private
information about your customers is leaked to the public you have to account for indirect losses
due to lost business opportunities and damage to reputation. The competition might underbid
you and your customers might desert you. Even when equipment is lost or stolen you have to
consider the value of the data stored on it, and the value of the services that were running on it.
In such situations, assets can be valued according to their importance. As a good metric for
value, ask yourself how long your business could survive when a given asset has been damaged:
a day, a week, a month?

Vulnerabilities

Vulnerabilities are weaknesses of a system that could be accidentally or intentionally exploited
to damage assets. In an IT system, the following are typical vulnerabilities:

▲Accounts with system privileges where the default password, such as ‘MANAGER’, has not
been changed.

▲Programs with unnecessary privileges.

▲Programs with known flaws.

▲Weak access control settings on resources, for example, granting everyone full control to a
shared folder.

▲Weak firewall configurations that allow access to vulnerable services.

Vulnerability scanners (also called risk analysis tools) provide a systematic and automated way
of identifying vulnerabilities. However, their knowledge base of known vulnerabilities has to be
kept up to date. Organizations like the SANS Institute or the Computer Emergency Response
Team (CERT) provide this information, as do security advisories of software companies. One
vulnerability scanner provided by Microsoft is the Microsoft Baseline Security Analyzer
(MBSA).

Vulnerabilities can be rated according to their impact (level of criticality). A vulnerability that
allows an attacker to take over an administrator account is more critical than a vulnerability that
gives access to an unprivileged user account. A vulnerability that allows an attacker to
completely impersonate a user is more critical than a vulnerability that allows a user to be
impersonated only in the context of a single specific service. Some vulnerability scanners give a
rating for the vulnerabilities they detect.

Threats

Threats are actions by adversaries who try to exploit vulnerabilities in order to damage assets.
There are various ways to identify threats. You can categorize threats by the damage done to
assets. For example, Microsoft’s STRIDE threat model for software security lists the following
categories.

▲Spoofing identities: The attacker pretends to be somebody else.

▲Tampering with data: Data is modified without authorization; for example, security settings
are changed to give the attacker more privileges.

▲Repudiation: A user denies having performed an action like mounting an attack or making a
purchase.

▲Information disclosure: Information might lose its value if it is disclosed to the wrong parties
(e.g., trade secrets); your organization might face penalties if it does not properly protect
information (e.g., personal information about individuals).

▲Denial of service (DoS): DoS attacks can make websites temporarily unavailable; there have
been stories in the press that businesses use such attacks to harm competitors.

▲Elevation of privilege: The term elevation of privilege refers to a user who gains more
privileges on a computer system than he or she is entitled to.

You can also categorize threats by the source of the attacks. Is the adversary a member of your
organization or an outsider, a contractor or a former member? Does the adversary have direct
access to your systems or is the attack launched remotely?

You can also analyze in detail how an attack is executed. One way to do this is to draw an
attack tree (a hierarchical diagram that illustrates how an attack might occur), like the sample in
Figure 1-4.

An attack might start with innocuous steps, such as gathering information needed to move on to
gain privileges on one computer, and then might progress with more alarming steps such as
jumping to another computer, and so on until the final target is reached. To get a more complete
picture of potential threats, a forest of attack trees can be constructed. The root of an attack tree
is a generic attack. The nodes in the tree are subgoals that must be achieved for the attack to
succeed. Subgoals can be broken into further subgoals.

There are AND nodes and OR nodes. To reach an AND node, all subgoals have to be achieved.
To reach an OR node, it is enough if one subgoal is achieved. Figure 1-4 gives a basic attack
tree for the attack “get password.”

A password can be obtained by guessing, by tricking an operator into revealing it, or by spying
on the user. Guessing can occur online or offline. For offline guessing, the attacker needs the
stored (hashed or encrypted) password and has to perform a dictionary attack or a brute force
attack. A dictionary attack is one in which candidate passwords from a wordlist are tried until a
match is found. A brute force attack is one in which software tries different combinations of
letters, numbers, and symbols until a match is found. The attacker can also spy on the victim in
person (so-called shoulder surfing), direct a camera at the keyboard to see the keys typed, or
direct a microphone at the keyboard to distinguish the keys pressed by sound.

It is possible to assign values to the various strategies represented in an attack tree (e.g.,
dictionary attack, ask operator). These values can indicate the estimated cost of an attack, the
likelihood that it will occur, the likelihood that it will succeed or some other aspect of interest.
From these values, the cheapest attack, the most likely attack, or the attack most likely to
succeed can be computed. Attack trees are thus a formalized and structured method for
analyzing threats.

Threat assessments become reproducible as the overall assessment of a threat can be traced to
the individual assessments of subgoals. If the final result appears implausible, the tree can be
consulted to see which subgoals were most critical for the final result, and those individual
valuations can be adjusted to more plausible values. Note that the construction of attack trees is
more an art than a science. You need experience to know when to readjust your ratings for
subgoals, and when to adjust your preconceived opinion of the severity of a threat. You also
need experience to know when to stop breaking up subgoals into ever more subgoals, a
phenomenon known in the trade as analysis paralysis.

Threats can be rated according to their likelihood. The likelihood depends on the difficulty of
the attack, on the motivation of the attacker, and on the number of potential attackers. Attack
scripts automate attacks, making it easy to launch the attack. They are also likely to be available
to a larger set of attackers. As a result, such attacks would be rated more likely than an
individual handcrafted attack.
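
The following Python block is an added example, not part of the chapter. It encodes the
“get password” tree of Figure 1-4 with AND/OR nodes and computes, from values attached to
the leaves, the cheapest attack and the attack most likely to succeed, plus a per-alternative
breakdown so an implausible total can be traced back to the subgoal that produced it. The tree
shape follows the text; the costs and probabilities assigned to the leaves are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" or "OR"
    cost: float = 0.0             # estimated attacker cost of a leaf step (hypothetical units)
    p_success: float = 1.0        # estimated probability a leaf step succeeds (hypothetical)
    children: list[Node] = field(default_factory=list)


def cheapest(node: Node) -> tuple[float, list[str]]:
    """Least expensive way to reach the goal: AND sums its subgoals, OR picks the cheapest."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    options = [cheapest(child) for child in node.children]
    if node.kind == "AND":
        return sum(c for c, _ in options), [step for _, path in options for step in path]
    return min(options, key=lambda option: option[0])


def most_likely(node: Node) -> tuple[float, list[str]]:
    """Attack most likely to succeed: AND multiplies its subgoals (treated as
    independent), OR picks the most probable alternative."""
    if node.kind == "LEAF":
        return node.p_success, [node.name]
    options = [most_likely(child) for child in node.children]
    if node.kind == "AND":
        prob, path = 1.0, []
        for p, steps in options:
            prob *= p
            path.extend(steps)
        return prob, path
    return max(options, key=lambda option: option[0])


def explain(node: Node) -> list[tuple[str, float]]:
    """Cheapest cost of each top-level alternative, ordered from cheapest to dearest."""
    return sorted(((child.name, cheapest(child)[0]) for child in node.children),
                  key=lambda item: item[1])


# Figure 1-4's "get password" tree; leaf values are hypothetical.
GET_PASSWORD = Node("get password", "OR", children=[
    Node("guess", "OR", children=[
        Node("online guessing", cost=5, p_success=0.1),
        Node("offline guessing", "AND", children=[
            Node("obtain password hash", cost=40, p_success=0.3),
            Node("crack hash", "OR", children=[
                Node("dictionary attack", cost=2, p_success=0.5),
                Node("brute force attack", cost=60, p_success=0.9),
            ]),
        ]),
    ]),
    Node("ask operator", cost=1, p_success=0.2),
    Node("spy", "OR", children=[
        Node("shoulder surfing", cost=10, p_success=0.4),
        Node("camera on keyboard", cost=50, p_success=0.6),
        Node("microphone on keyboard", cost=80, p_success=0.3),
    ]),
])

if __name__ == "__main__":
    print("cheapest attack:", cheapest(GET_PASSWORD))
    print("most likely to succeed:", most_likely(GET_PASSWORD))
    print("per alternative:", explain(GET_PASSWORD))
```

With these values the cheapest route is simply asking the operator, which is the social
engineering point made earlier in the chapter, while the route most likely to succeed is the
camera; the offline branch is an AND node, so its cost is the hash-theft step plus the cheaper
of the two cracking methods, and its probability is the product of the two.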

1.3.2 Calculating Risk

Having rated the value of assets, the critical nature of possible vulnerabilities, and the likelihood
of threats, you now face the task of actually calculating risk. You can calculate risk as follows:

Risk = Assets × Vulnerabilities × Threats

In the process of risk analysis, values are assigned to assets, vulnerabilities, and threats. In
quantitative risk analysis, mathematical values are used—for example, by assigning monetary
values to assets and probabilities to threats, the expected loss can be calculated. In qualitative
risk analysis, risk is calculated based on rules that capture the consolidated advice of security
experts and that do not necessarily have a mathematical underpinning.

In quantitative risk analysis, expected losses are computed based on monetary values for the
assets and probabilities for the likelihood of threats. This method has the benefit of being based
on a well-established mathematical theory, but also has the considerable drawback that the
ratings obtained are often based on educated guesses. The quality of the results obtained cannot
be better than the quality of the inputs provided. There are areas of risk analysis where
quantitative methods work, but more often the lack of precision in the inputs does not justify a
mathematical treatment.

In qualitative risk analysis, the following principles are used:

▲Assets can be rated on a scale of critical–very important–important–not important.

▲Criticality of vulnerabilities can be rated on a scale of has to be fixed immediately–has to be
fixed soon–should be fixed–fix if convenient.

▲Threats can be rated on a scale of very likely–likely–unlikely–very unlikely.

A finer method of scaling could be provided for each variable, that is, numerical values from 1 to
10.

Whatever scheme is used, guidance has to be given on how to assign ratings. The mapping of the ratings for assets, vulnerabilities, and threats to risks is often given by a table drawn up to reflect the judgment of security experts.

The DREAD methodology that complements STRIDE serves as an example of a scheme for qualitative risk analysis, as discussed below:

▲Damage potential: relates to the values of the assets being affected.

▲Reproducibility: one aspect of how difficult it is to launch an attack; attacks that are easy to reproduce are a greater risk than attacks that only work in specific circumstances.

▲Exploitability: relates to the effort, expertise, and resources required to launch an attack.

▲Affected users: for software vendors, another important contributing factor to damage potential.

▲Discoverability: When will the attack be detected? In the most damaging case, you will never know that your system has been compromised. If you don’t know you’ve been attacked, then you don’t know to take steps to recover.
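As an added worked example (not the chapter's own code), the following Python script puts the two approaches side by side: a quantitative expected-loss figure computed from the Risk = Assets × Vulnerabilities × Threats idea, and a qualitative DREAD-style rating mapped onto the chapter's "has to be fixed immediately ... fix if convenient" scale, ending in the prioritized threat list that countermeasure planning starts from. The 1-to-10 factor scale, the arithmetic mean as the combining rule, the band thresholds, the `expected_loss`, `DreadRating` and `prioritise` names, and the sample threats are all assumptions constructed for illustration.

```python
"""Risk rating helpers built on Risk = Assets x Vulnerabilities x Threats.

Added example, not code from the chapter.  Assumptions: each DREAD factor is
rated on the 1-to-10 scale the chapter mentions, the overall score is the mean
of the five factors, and the thresholds that map a score onto the chapter's
"has to be fixed immediately ... fix if convenient" scale are illustrative.
"""
from dataclasses import dataclass
from typing import Iterable, List

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


def expected_loss(asset_value: float, loss_fraction: float,
                  threat_probability: float) -> float:
    """Quantitative risk: asset value in money, times the fraction of that
    value lost when the vulnerability is exploited, times the probability that
    the threat occurs within the assessment period.  The arithmetic is exact;
    the result is only as trustworthy as these three (often guessed) inputs."""
    if asset_value < 0:
        raise ValueError("asset_value must be non-negative")
    for name, value in (("loss_fraction", loss_fraction),
                        ("threat_probability", threat_probability)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {value}")
    return asset_value * loss_fraction * threat_probability


@dataclass(frozen=True)
class DreadRating:
    """One threat rated on the five DREAD factors, each 1 (low) to 10 (high).

    As the chapter frames it, discoverability rates how long an attack would
    go unnoticed: 10 means you would never learn the system was compromised,
    so a high value raises the risk rather than lowering it."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed 1..10 scale before they are scored.
        for factor in DREAD_FACTORS:
            value = getattr(self, factor)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(
                    f"{self.name}: {factor} must be an int in 1..10, got {value!r}")

    def score(self) -> float:
        """Mean of the five factors, from 1.0 to 10.0 (combining rule assumed)."""
        return sum(getattr(self, f) for f in DREAD_FACTORS) / len(DREAD_FACTORS)

    def priority(self) -> str:
        """Map the score onto the chapter's qualitative criticality scale.
        Thresholds are an assumption chosen for this example."""
        s = self.score()
        if s >= 8.0:
            return "has to be fixed immediately"
        if s >= 6.0:
            return "has to be fixed soon"
        if s >= 4.0:
            return "should be fixed"
        return "fix if convenient"


def prioritise(ratings: Iterable[DreadRating]) -> List[DreadRating]:
    """The deliverable of a risk analysis: threats ordered highest score first."""
    return sorted(ratings, key=lambda r: r.score(), reverse=True)


# Constructed sample ratings for illustration; they describe no real system.
# The scripted attack scores high on reproducibility and exploitability,
# matching the chapter's point that attack scripts make a threat more likely.
SAMPLE_THREATS = [
    DreadRating("scripted password guessing against remote login", 6, 9, 8, 7, 4),
    DreadRating("handcrafted attack needing physical access", 8, 2, 2, 3, 5),
    DreadRating("misconfigured share exposing finance documents", 9, 8, 9, 7, 9),
]


if __name__ == "__main__":
    # Quantitative: an asset worth 250,000 losing 40% of its value with a 5%
    # chance per period gives an expected loss of 5,000 (constructed figures).
    print(f"expected loss: {expected_loss(250_000, 0.4, 0.05):.2f}")
    # Qualitative: the prioritised list that countermeasure planning starts from.
    for rating in prioritise(SAMPLE_THREATS):
        print(f"{rating.score():4.1f}  {rating.priority():28}  {rating.name}")
```

The validation in `expected_loss` and `__post_init__` is where the chapter's "garbage in, garbage out" caveat bites: the code can refuse impossible inputs (a probability above 1, a factor outside the scale), but it cannot tell a well-founded estimate from an educated guess, which is exactly why the chapter says quantitative results are no better than their inputs.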

1.3.3 Countermeasures—Risk Mitigation

The result of a risk analysis is a prioritized list of threats, together with recommended countermeasures to mitigate (reduce the likelihood or impact of) risk. Risk analysis tools usually come with a knowledge base of countermeasures for the threats they can identify.

It might seem as if one should first go through a risk analysis before deciding on which security measures to implement. However, there are two reasons why this ideal approach might not work. Conducting a risk analysis for a larger organization will take time, but the IT system in the organization and the world around it will keep changing. So, by the time the results of the analysis are presented, they are already somewhat out-of-date. Moreover, the costs of a full risk analysis might be difficult to justify to management.

For these reasons, organizations might opt for baseline protection as an alternative. This approach analyzes the security requirements for typical cases and recommends security measures deemed adequate. One of the best-known IT security baseline documents is maintained by the German Information Security Agency.

Another trend embraced by operating system manufacturers, including Microsoft, is to make their software secure by default. This doesn’t mean that the operating system does not have vulnerabilities. Instead, it means that known vulnerabilities are closed when the software is installed with default settings. An example of this is the requirement to provide a password for the Administrator account when you install Windows Server 2003. Another example is the browser security settings configured by default in Windows Server 2003. Although you will most likely need to relax those settings at some point, a default installation will ensure that cookies, ActiveX controls, or other dynamic content cannot be downloaded through a web browser. Another example is that Windows Vista™ includes Windows Defender, an application that protects against spyware, adware, and popups. It also installs with Windows Firewall and is enabled by default.

1.4 Policies and Standards

Protecting the assets of an organization is the responsibility of management. Assets include sensitive information like product plans, customer records or financial data, and the IT infrastructure of the organization. At the same time, security measures often restrict people in their working habits and make some activities less convenient. This results in a temptation to flout security rules. It is up to a network administrator to enforce the company’s security policy without impacting, any more than necessary, usability or the ability of the users to perform their jobs.

The first step in enforcing policies is to define the policies that will be enforced. In this section, we’ll discuss security policies, both organizational and those that can be enforced through a computer configuration. Next we’ll take a brief look at the recommendations suggested by the ISO 17799 security standard.

1.4.1 Security Policy

A security policy is a document that defines the security goals of the business. It should identify assets that need to be secured, how they will be secured, and a plan that should be followed if an asset is compromised. The policy should also include documentation of server configuration and a process for managing changes to that configuration.

Depending on the industry and where the business is located, you may need to comply with legal regulations. These factors should also be included in your security policy. Some legal regulations your security policy may need to comply with include the following:

▲Health Insurance Portability and Accountability Act of 1996 (HIPAA)

▲Federal Information Security Management Act of 2002 (FISMA)

▲National Industrial Security Program Operating Manual (NISPOM)

▲Gramm-Leach-Bliley Act (GLBA)

A security policy should also outline an appropriate use policy, which is a set of rules employees will be expected to follow. For example, you might restrict users from sharing documents on the network, from visiting websites that host games, or from installing software on their computers.

Keep in mind that the more stringent a security policy, the more likely it is that users will attempt to circumvent it. You need to balance ease of use and user productivity requirements with the need for security.

1.4.2 Standards

Security management standards that specify certain security measures required to be taken by an organization exist for a number of different types of industries. Typical examples are regulations for the financial sector or rules for dealing with classified material in government departments.

Other management standards are best described as codes of best practice for security management. The most prominent of these standards is ISO 17799 (ISO stands for International Organization for Standardization). ISO 17799 is not a technical standard for security products or a set of evaluation criteria for products or systems. Instead, the major topics in ISO 17799 are as follows:

▲Establishment of organizational security policy: An enterprise must provide management direction and support on security matters.

▲Organizational security infrastructure: Responsibilities for security within an enterprise have to be properly organized. Management has to be able to get an accurate view of the state of security within an enterprise. Reporting structures should facilitate efficient communication and implementation of security decisions. Security has to be maintained when information services are being outsourced to third parties.

▲Asset classification and control: To know what is worth protecting, and how much to spend on protection, an enterprise has to have a clear picture of its assets and of their value.

▲Physical and environmental security: Physical security measures (fences, locked doors, etc.) protect access to business premises or to sensitive areas (rooms) within a building—for example, only authorized personnel should have access to server rooms. These measures can prevent unauthorized access to sensitive information and theft of equipment. The likelihood of natural disasters can depend on environmental factors—for example, is the area subject to flooding?

▲Personnel security: An organization’s employees can be a source of insecurity. There should be procedures for new employees joining and for employees leaving (such as collecting keys and entry badges and deleting user accounts of employees that leave the company). Enforced holiday periods can prevent staff from hiding the traces of fraud they are committing. Background checks on new hires are a good idea. In some sectors those checks may be required by law, but there might also be privacy laws that restrict which information an employer may seek about its employees.

▲Communications and operations management: The day-to-day management of IT systems and of business processes has to ensure that security is maintained.

▲Access control: Access control can apply to data, services, and computers. Particular attention should be applied to remote access, such as through the Internet or dial-in connections. Automated security policies define how access control is being enforced.

▲Systems development and maintenance: Security issues should be considered when an IT system is being developed. Operational security depends on proper maintenance (for example, patching vulnerable code and updating virus scanners). IT support has to be conducted securely (for instance, how does the organization deal with users who have forgotten their passwords?) and IT projects have to be managed with security in mind (who is writing sensitive applications? Who gets access to sensitive data?).

▲Business continuity planning: An organization must put measures in place so that it can cope with major failures or disasters. For example, backups of important data should be kept in a different building. Larger organizations might want to develop reserve computing facilities in a remote location. Organizations must also develop a plan to deal with the unavailability of key staff members.

▲Compliance: Organizations have to comply with legal, regulatory, and contractual obligations, as well as with standards and their own organizational security policy. The auditing process to determine compliance should be efficient while trying to minimize its interference with business processes.

Achieving compliance with ISO 17799 can be quite an onerous task. The current state of your organization vis-à-vis the standard has to be established and any shortcomings identified have to be addressed. There are software tools that partially automate this process, again applying best practices, only this time ensuring compliance with the standard.

1.4.3 Informing Users of the Importance of Security

It is strongly recommended that you organize and publish security responsibilities in an organization in a way that makes it clear that security measures have the full support of senior management. A brief policy document signed by the chief executive that lays down the ground rules can serve as a starting point. This document should be part of everyone’s employment handbook. Then, security awareness programs should be organized. Not every member has to become a security expert, but all members should know the following:

▲Why security is important for themselves and for the organization.

▲What is expected of each member.

▲Best practices they should follow.

Trying to force users to follow rules they regard as arbitrary is not an efficient approach. Studies have shown that involving users as stakeholders in the security of their organizations encourages users to voluntarily comply with rules rather than look for work-arounds.

Organizations developing IT services or products have the additional task of providing security training for their developers. There is rarely a clear dividing line between the security-relevant components and the rest of a system. It thus helps if developers in general are aware of the environment that a service will be deployed in and of the expected dangers, so that they can highlight the need for protection even if they do not implement the protection mechanisms themselves. Developers should also be alert to the fact that certain categories of sensitive data (e.g., personal data) have to be processed according to specific rules and regulations. Finally, developers should keep up-to-date with known coding vulnerabilities.

SUMMARY

In this chapter you were introduced to a number of concepts and terms related to computer and network security. You learned why network security is important. You were introduced to the three key aspects of security: confidentiality, integrity, and availability. Next you learned about risk analysis. You learned that risk analysis involves identifying the assets, vulnerabilities, and threats, and assessing their importance, criticality, and likelihood. Finally, you learned the importance of security policies. You also learned what is required for ISO 17799 compliance.

FOR EXAMPLE

Defining a Security Policy

You meet with the owner of the company to plan how you will implement the security requirements you identified. You stress to him the importance of his support when presenting security guidelines to the other employees. You recommend that he create a written security policy and that each employee read and sign it.

You explain that some policies, such as requiring that users change their passwords periodically, can be enforced through software policies. But others, such as users not sharing passwords with other employees or with people outside the company, are more difficult to enforce. It is these policies that require user training. You suggest that the company sponsor a security awareness day in which employees receive training about the importance of security and the best practices for protecting company assets.

KEY TERMS

Accountability

Analysis paralysis

Appropriate use policy

Attack script

Attack tree

Availability

Brute force attack

Computer security

Confidentiality

Data integrity

Denial-of-service attack

Dictionary attack

DREAD methodology

Elevation of privilege

External consistency

Fault-tolerant computing

Hypertext Transfer Protocol (HTTP)

Hypertext Transfer Protocol over SSL (HTTPS)

Identity theft

Integrity

ISO 17799

Man-in-the-middle attack

Mitigate

Network security

Nonrepudiation

Nonrepudiation of delivery

Nonrepudiation of origin

Privacy

Qualitative risk analysis

Quantitative risk analysis

Repudiated

Risk

Risk analysis

Risk analysis tool

Script kiddies

Secrecy

Secure by default

Security policy

Shoulder surfing

Smurf attack

Social engineering

Spoof

STRIDE threat model

Threat

TLS

Vulnerability

Vulnerability scanner

Written security policy
