CIW: Security Professional Study Guide
By James Stanger
John Wiley & Sons, ISBN: 0-7821-4084-X
Chapter One: What Is Security?
THE CIW EXAM OBJECTIVE GROUPS COVERED IN THIS CHAPTER:
So much has been written about network security and network intrusions, yet one question never seems to get answered: What is it about the Internet that allows so many attacks to take place? Several technical explanations exist. However, the creators of the CIW Security Professional exam have found that the chief reason is that the Internet, which includes the World Wide Web and many other networks and services, was originally designed as an open network. An open network is a group of clients and servers that can freely access each other using protocols such as the Transmission Control Protocol/Internet Protocol (TCP/IP).
In the beginning, it was something of a challenge for military and academic engineers to get the Internet up and running. They met this challenge head on, creating hardware and protocols that are scalable and reliable and have remained fundamentally the same for 20 years. For example, the parameters for TCP, as found in Request for Comment (RFC) 793, have remained largely unchanged since 1981. When this protocol was created, the developers were happy that it worked so well. Little or no effort was given to ensuring privacy or identity verification.
With the advent of corporate acceptance of the Internet, its open nature has introduced several challenges. Because TCP/IP has little or no built-in capacity for securing information, users of the Internet can send messages to each other without first verifying their identity. Servers can participate on the network even though they have not been configured for optimal security. These examples of easy access have made it possible for abuses to take place. Relatively simple programs, written by individuals with little or no formal training, have been used to attack e-mail and web servers. These programs, often called viruses or worms, have been unleashed on the Internet and have caused serious damage. Malicious users, often called "hackers," have written and disseminated code specially designed to exploit vulnerable servers, including those shipped by Microsoft, Sun, and the various Linux vendors.
Notable achievements have been made in securing systems. Today, it is much easier to scramble network transmissions through encryption. It's much easier to verify a user's identity. It's also easier to isolate networks and control what comes in and out of them. Nevertheless, changing the fundamentally open nature of the Internet remains somewhat of a struggle.
In spite of the difficulty, businesses and individuals still want to use the Internet. They want to use it to transmit sensitive information and communicate quickly. This has introduced a new challenge: Protect sensitive data and allow only authorized personnel to use Internet-enabled systems, but make such use as easy as possible. In this chapter, we will discuss security on the Internet, as well as security standards and mechanisms that can help you secure network transactions.
Security in an open networking environment is the ability to do two things:
* Differentiate your LAN or WAN from other networks.
* Identify and then eliminate threats and vulnerabilities.
It is a security professional's job to ensure the above two duties are properly carried out. Remember these two duties as you safeguard organizational assets.
Complete Security Is a Myth
There is no such thing as a system that is completely secure. Connectivity always implies risk. If you allow legitimate users to access your computers or networks, whether from a local or remote location, the opportunity exists for abuse. One popular saying is that the only secure computer is one that has been disconnected from the network, shut off, and locked in a safe. Although this solution secures the computer from intrusions, it also defeats the purpose for having a networked computer in the first place.
Although you can never reach a point of complete security, you can achieve a level that prevents all but the most determined and skilled hackers from accessing your system. Proper security techniques can minimize the negative effects of hacker activity on your organization. They can deter even the most determined hacker. Regarding Internet security, you can usually restrict legitimate user accounts just enough so users can accomplish their tasks but have no more access than necessary. The result of this simple measure is that even if a hacker can steal a legitimate user's identity and enter the system, the hacker will be able to gain only the level of access authorized for that user. Such a restriction will confine any possible damage that the hacker might cause using the stolen username and password.
Security as Balance
A key security principle is to use solutions that are effective but that do not burden legitimate users who want access to needed information. It is quite easy to employ security techniques that become so onerous that legitimate users disregard, or even circumvent, your security protocols. For example, a security policy that requires users to change their password each week might cause them to write down their passwords and leave them in accessible places (such as under their keyboards or on the traditional sticky note on a monitor). Hackers are always ready to capitalize on such seemingly innocent activity. Thus, an overzealous security policy could result in less effective security than if you had no security policy at all. Always consider the effect that your security policy will have on legitimate users. In most cases, if the effort required of your users is greater than the resulting increase in security, your policy will actually reduce your company's effective level of security.
"White Hat" and "Black Hat" Hackers
The term hacker originated from a term given to a gifted programmer who was able to put, or "hack," together an application to solve a problem. These days, a hacker is most often defined as someone who illegally scans and penetrates a computer network to access and manipulate data. Some security professionals make the distinction between a "hacker," who is supposed to be a skilled user, and a "cracker," who is a malicious user. With one exception, the CIW exam generally uses the term hacker to refer to a malicious user. The exception is as follows: The CIW exam makes the distinction between white hat hackers (i.e., "good guys") and black hat hackers (sometimes called "crackers"). A white hat hacker is a person who is specifically employed to test a computer network's security. A black hat hacker is a person who breaks into a system without warning to take advantage of your systems and gain information. In either case, a hacker's ultimate goal is to discover and take advantage of information stored on a network.
Understanding Black Hat Hackers
Two types of black hat hackers exist. The casual hacker is a person who is simply curious, or is a cyberspace "thrill seeker" who enters a system "because it's there." The casual hacker category can be further broken down into two subcategories. Skilled casual hackers are able to create their own custom applications to take advantage of a vulnerability they discover. Other casual attackers are less experienced. These types of users are often called "script kiddies," because they rely on the work of others to exploit a vulnerability. This type of hacker will often leave behind traces of his or her activity.
It is important to understand that all modern network operating systems keep log files that track user logins. Experienced attackers will modify the log files, if possible, to eliminate any trace of activity. However, some attackers intentionally leave behind evidence of an attack. Examples of this type of activity include web graffiti, which is where the legitimate contents of a web site are replaced with images and other files of the hacker's own choosing. Hackers often leave behind web graffiti as an attempt to demonstrate their supposed skill.
The second type of black hat hacker is the determined hacker. This type of hacker is bent on attacking your network, often due to financial or ideological motivation, and often employs sophisticated techniques so that the attack cannot be traced. Such stealth makes the determined attacker quite difficult to catch. A determined attacker usually has enough skill and resources to penetrate unless you take extreme measures that can greatly inconvenience you and your employees. One example of a determined hacker is the corporate spy, who can devote enough time and money so that eventually, your system will likely be compromised unless you take extremely expensive countermeasures. Determined hackers are capable of taking advantage of improperly configured systems, as well as flaws in the services run by these systems. They can also take advantage of careless employees who can unwittingly provide sensitive information. Determined hackers can also apply for a job with that company and obtain inside access.
Now that you understand the nature of open networks, as well as the types of hackers, it is important to know how the CIW Security Professional exam categorizes resources:
End-user resources Includes client workstations and their associated peripherals. Employees remain largely unaware of the hazards involved in double-clicking attachments from e-mails apparently sent from friends, for example. Still others have not enabled password-protected screensavers to prevent people from mapping the contents of a system's hard drive while the employee is out of the office for even short periods of time. This hacker activity is often known as system snooping. If left unsecured, this type of resource can become a platform where an illicit user can stage an attack on other systems.
Network resources Routers, switches, hubs, wiring closets, and the wiring in the walls all count as network resources. If a hacker obtains control of these resources, then your network is no longer under your control. A hacker can obtain control of these resources either by logging into them remotely or by physically tampering with them. Once a hacker is able to compromise an unlocked wiring closet, he or she can begin taking control of your network.
Server resources Your World Wide Web, e-mail, and File Transfer Protocol (FTP) servers are vulnerable to attacks designed to crash the server so that its services are unavailable. As with end-user resources, server resources become a target because compromising one of these resources often allows hackers to move on and control other resources.
Information storage resources A database server often stores the most important information in a network-information that hackers prize highly. A database can contain credit card numbers, human resources information, and sensitive invoice information.
You have now identified what security means on the CIW Security Professional exam, and you have identified the resources that commonly need to be secured. The CIW Security Professional exam also requires that you understand the terminology, or nomenclature, used in two standards documents discussed next: ISO 7498-2 and BS 7799.
The International Organization for Standardization (ISO) 7498-2 Security Architecture document defines security as minimizing the vulnerabilities of assets and resources. An asset is defined as anything of value. A vulnerability is any exploitable weakness that allows entry. A threat is a potential security violation.
ISO further classifies threats as either accidental or intentional, and either active or passive. Accidental threats are those that exist with no premeditated intent. Such threats as natural disasters, as well as system malfunctions, fall within this group. Intentional threats range from the casual examination of computer or network data to sophisticated attacks using special system knowledge. Passive threats do not modify information contained in the systems; neither the operation nor the state of the system is changed. Alteration of information or changes to the system's state or operation is considered an active threat to the system. The ISO 7498-2 document defines several security services, as summarized in Table 1.1.
Security mechanisms are the means used to implement security services. Two forms of mechanism exist, which this chapter calls specific and wide (ISO 7498-2 itself calls the second group pervasive). A specific mechanism is built into a particular layer of the Open Systems Interconnection Reference Model (OSI/RM) or into a particular protocol used on the Internet. A wide mechanism is not tied to any one layer and applies to entire applications and operating systems.
Specific Security Mechanisms
During network communication, certain techniques can be implemented to provide security. Security mechanisms include:
Encipherment Encrypts the data moving among systems on a network (or between two processes on a local host) so that an eavesdropper who captures it cannot read it.
Digital signature mechanisms The sender computes a signature over the contents using a private key; anyone holding the matching public key can verify that the contents came from that sender and were not altered in transit. Unlike encryption alone, a signature can be checked by a third party, which is what gives it evidential (non-repudiation) value.
Access control Simple checks to ensure that the sender or receiver is authorized to carry out a task or procedure. For example, network access may be allowed for prequalified users when logging on remotely.
Data integrity Techniques to ensure that each data piece (such as several parts of a transaction being sent over a network) is sequenced, numbered, and time-stamped, and carries a check value, so that a modified, replayed, or missing piece is detected.
Authentication Can include simple or complex operating system and network password schemes. Authentication can be used for individual applications, too, requiring each access to be authenticated and reducing the chances for global access if unauthorized entry is gained.
Traffic padding Additions to the network packets flowing in and out, to prevent network watchers from exploiting their knowledge about packet sizes and timing (traffic analysis). To illustrate, when a new login session is established, certain known packet sizes are transmitted and received at the beginning of the session. Analysis of the headers can alert these network watchers to capture the next few packets (due to their small size and the presence of certain fields in the headers). Padding can make all packets look the same size, so no packet can be singled out for analysis.
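Two of the mechanisms above, data integrity (sequencing, numbering and time-stamping with a check value) and traffic padding, are demonstrated together in the following added Python example. It is not code from the study guide: the frame layout, the shared key, the sample messages and the function names are constructed for illustration, and HMAC-SHA256 stands in for the check value.

```python
"""Added example (not from the study guide): data integrity and traffic
padding on a toy message stream. Frame layout, key and messages are
constructed for illustration; HMAC-SHA256 is the check value."""
import hashlib
import hmac
import struct
import time
from typing import Optional

FRAME_SIZE = 96                  # every frame on the wire has this length
MAC_LEN = 32                     # HMAC-SHA256 tag
HEADER = struct.Struct("!IQH")   # sequence number, time-stamp, payload length
ROOM = FRAME_SIZE - HEADER.size - MAC_LEN   # bytes left for the padded payload
KEY = b"constructed-shared-key-for-demo"    # assumption: both ends share this


class IntegrityError(Exception):
    """Raised when a frame fails an integrity check."""


def build_frame(seq: int, payload: bytes, key: bytes = KEY,
                now: Optional[int] = None) -> bytes:
    """Sequence, time-stamp and pad the payload, then append a MAC over the
    header and padded payload so modification or replay can be detected."""
    if now is None:
        now = int(time.time())
    if len(payload) > ROOM:
        raise ValueError(f"payload larger than {ROOM} bytes")
    header = HEADER.pack(seq, now, len(payload))
    padded = payload + b"\x00" * (ROOM - len(payload))   # traffic padding
    body = header + padded
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Checks the MAC first, then rejects replayed or reordered sequence
    numbers and stale time-stamps, and finally strips the padding."""

    def __init__(self, key: bytes = KEY, max_age: int = 30):
        self.key = key
        self.max_age = max_age
        self.last_seq = -1

    def accept(self, frame: bytes, now: Optional[int] = None) -> bytes:
        if now is None:
            now = int(time.time())
        if len(frame) != FRAME_SIZE:
            raise IntegrityError("bad frame size")
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise IntegrityError("MAC mismatch: frame modified or forged")
        seq, stamp, length = HEADER.unpack(body[:HEADER.size])
        if seq <= self.last_seq:
            raise IntegrityError(f"replayed or reordered frame: seq {seq}")
        if abs(now - stamp) > self.max_age:
            raise IntegrityError("stale time-stamp")
        self.last_seq = seq
        return body[HEADER.size:HEADER.size + length]


def demo(now: int = 1_700_000_000) -> dict:
    """Deliver two frames, then a tampered frame and a replayed one."""
    rx = Receiver()
    f1 = build_frame(1, b"GET /index.html", now=now)
    f2 = build_frame(2, b"GET /a", now=now)
    results = {"sizes_equal": len(f1) == len(f2) == FRAME_SIZE}
    results["m1"] = rx.accept(f1, now=now)
    results["m2"] = rx.accept(f2, now=now)
    tampered = bytearray(build_frame(3, b"DELETE /x", now=now))
    tampered[HEADER.size] ^= 0x01          # flip one payload bit
    try:
        rx.accept(bytes(tampered), now=now)
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True
    try:
        rx.accept(f2, now=now)             # replay of an accepted frame
        results["replay_detected"] = False
    except IntegrityError:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Checking the MAC before parsing the header means a forged frame is rejected without the receiver trusting any of its fields; the sequence check rejects replays and reordering, the time-stamp check bounds how long a captured frame stays usable, and the fixed frame size hides the length of the real payload from a network watcher.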
Wide Security Mechanisms
Other mechanisms are not limited to any specific layers or levels. These mechanisms are as follows:
Trusted functionality A procedure that establishes that certain services or hosts are secure in all aspects and can be trusted. This can be a piece of software or other operating system add-on that strengthens an existing mechanism.
Security labels Can be applied to indicate the data's level of sensitivity. Security labels are used in addition to other measures. For example, a file may get an additional label, besides the read/write privilege, that allows access only to those who log on with account levels matching or exceeding those of that label.
Audit trails Usually employed at various levels and monitored for exceptions in order to detect intrusions and security violations. For example, daily examination of the Linux system log files for patterns of text may reveal repeated attempts to access certain accounts.
Security recovery A set of rules to apply when dealing with a security event.
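As an added example of the audit-trail mechanism (not code from the study guide), the following Python scans a constructed sample of Linux sshd authentication log lines for the pattern described above: repeated failed logins against an account, and a success from the same source after those failures. The log lines, the threshold and the function names are constructed for illustration.

```python
"""Added example (not from the study guide): scanning a constructed Linux
sshd authentication log for repeated failed logins. Log lines, threshold
and function names are constructed for illustration."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in syslog/OpenSSH format. On a real host these lines
# live in /var/log/auth.log or /var/log/secure, depending on the distribution.
SAMPLE_LOG = """\
Mar  3 09:12:01 web1 sshd[4121]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 09:12:03 web1 sshd[4121]: Failed password for root from 203.0.113.9 port 51023 ssh2
Mar  3 09:12:05 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Mar  3 09:12:06 web1 sshd[4121]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar  3 09:15:44 web1 sshd[4188]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Mar  3 09:20:10 web1 sshd[4201]: Failed password for alice from 198.51.100.7 port 40120 ssh2
Mar  3 09:20:31 web1 sshd[4201]: Accepted password for alice from 198.51.100.7 port 40121 ssh2
Mar  3 09:41:02 web1 sshd[4377]: Failed password for root from 203.0.113.9 port 51101 ssh2
Mar  3 09:41:09 web1 sshd[4377]: Accepted password for root from 203.0.113.9 port 51102 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def scan_auth_log(text: str, threshold: int = 3) -> Dict[str, object]:
    """Count failed logins per (account, source) and flag any account that
    logs in successfully from a source that already failed `threshold` times."""
    failures: Counter = Counter()
    success_after_failures: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            _method, user, src = m.groups()
            prior = failures[(user, src)]   # Counter returns 0 for unseen keys
            if prior >= threshold:
                success_after_failures.append((user, src, prior))
    brute_force = {k: n for k, n in failures.items() if n >= threshold}
    return {"brute_force": brute_force,
            "success_after_failures": success_after_failures}


def report(text: str, threshold: int = 3) -> List[str]:
    """Human-readable lines for the daily review."""
    r = scan_auth_log(text, threshold)
    lines = [f"{n} failed logins for {user} from {src}"
             for (user, src), n in sorted(r["brute_force"].items())]
    lines += [f"ALERT: {user} logged in from {src} after {n} failures"
              for user, src, n in r["success_after_failures"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Because experienced attackers modify log files to erase their traces, as noted earlier in this chapter, a scan like this is only trustworthy when run against copies of the logs shipped to a separate host that the attacker cannot reach.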
ITSEC and BS 7799
In Europe, two documents are relevant here. The Information Technology Security Evaluation Criteria (ITSEC) is a set of criteria for evaluating the security of IT products and systems. British Standard (BS) 7799 is a code of practice for information security management that outlines network threats and the controls you can implement to reduce the likelihood of a crippling attack. BS 7799 treats a vulnerability as something for which the systems administrator is responsible, and a threat as something over which you have little control. The BS 7799 document was rewritten in 1999 and details the following procedures that you can implement:
* Auditing processes
* Auditing file systems
* Assessing risks
* Maintaining virus controls
* Properly managing IT information in regard to daily business and security issues
Additional concerns include e-commerce, legal issues, and reporting methods.
For more information on ITSEC, visit cesg.gov.uk/assurance/iacs/itsec/index.htm.
Excerpted from CIW: Security Professional Study Guide by James Stanger Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.