Computing [Home Page]
---------------------------------------------------------------------------

Computer Security Framework and Principles

25 March 1998 Version 0.3

Overview  
Resources
,
   ThreatsRisk AnalysisSecurity Policy  
Security Services   
Security Mechanisms  
Security Management   
Security Objects  
References   

Introduction

Despite the spectacular cases of external break-ins, most damage to computer systems and data comes not from malicious outside attacks, but rather from simple mistakes, or the unauthorized or unintended actions of legitimate users of a system. Enhancing the culture of information security awareness through improved training and education is the key to ensuring that security plans are taken seriously and that everyone complies with security policies in a consistent way.

In addition to technical measures that can be applied to protect information systems, perhaps the most practical way to provide security is through a clearly defined, consistent set of policies and procedures. Indeed, one of the most important benefits of defining a security policy is helping to ensure that available technical methods are actually consistently used: if ignored, even the best security mechanisms are worthless.

Finally, often security comes down to a matter of cost: The loss of research data, of critical information, and of other computing or communications resources, can all be quantified in terms of the loss caused to the basic business of the University. Security measures have direct costs in terms of equipment and administrative expenses. Beyond these costs, are the expenses related to the inconvenience of a given security measure. While it is critical that the campus allocates resources toward developing and maintaining security measures, the costs of such measures implemented should be in a proper relation to the value of the assets protected by them.

Overview of security

Resources and assets

A basic goal of information security is to protect resources and assets from loss. Resources may include:

  • information: including information in transmission such as e-mail, research data, configuration data, etc.
  • services: systems, applications
  • equipment: computers, networking components

Each resource has several assets that require protection:

  • confidentiality (secrecy or privacy): preventing disclosure of information to unauthorized persons
  • integrity: preventing corruption, impairment, or modification of information, services, or equipment
  • authenticity: proof that a person or other agent has been correctly identified, or that a message is received as transmitted
  • availability: assurance that information, services, and equipment are working and available for use

Threats

The classes of threats include the following:

  • accidental threats: losses due to malfunction and error
  • intentional threats: intentional damage or corruption of assets, sabotage
  • passive threats: those that do not change the state of the system; they may include loss of confidentiality, but not of integrity or availability
  • active threats: those that change the state of the system; this includes changes to data and to software

Examples of specific types of threats include:

  • masquerade: impersonation of one entity by another
  • replay: repetition of a valid message in order to gain unauthorized access
  • modification of messages
  • denial of service: loss of availability of a service; examples of this include e-mail spamming and network packet attacks aimed at host vulnerabilities
  • insider attack: unauthorized or unintended actions of legitimate users of a system; the source of most known cases of computer crime
  • outsider attack: intentional violations of security by unauthorized users; this might include site invasion: an unauthorized entry into a workplace that often uses elements of "social engineering" to gain trust and access to information
  • trapdoor: alteration of a part of the system to allow unauthorized access or effects
  • trojan horse: a form of masquerade in which an authorized part of a system also contains an unauthorized part
  • viruses: small, potentially damaging programs that are often propagated by unsuspecting users
  • traffic analysis: a form of eavesdropping in which analysis of traffic patterns is used to infer information that is not explicit
  • exhaustion attacks and dictionary attacks on password files and other encrypted information
  • electronic eavesdropping and cable sniffing to gather information from network transmissions
  • natural threats: power failures, hardware failures, fire, flood, earthquake

Risk Analysis

Planning for security and developing a security policy involves performing the following general steps:

  1. Identify resources and assets to be protected; also determine who needs to access what.
  2. Analyze possible threats, and their likelihood and consequences.
  3. Estimate the cost or importance of each loss; also consider legal liabilities.
  4. Analyze potential countermeasures and their costs and other disadvantages.
  5. Select appropriate mechanisms and include them in the security policy.

Security Policy

A security policy is an organization's statement defining the rules and practices that regulate how it will provide security, handle intrusions, and recover from damage caused by security breaches. Based on the results of a risk analysis and cost considerations, it sets policies for employees and for how security is managed. Such policies are most effective when users read, understand, and agree to abide by them at the time they receive their computer accounts. Specific items to develop in a security policy and plan include:

  • site physical security measures:
    • locks and safes to prevent theft
    • measures to guard against natural disasters
    • security measures for desktop systems to prevent theft of equipment or data
    • security for LAN and WAN communications equipment to prevent line monitoring or transmissions by unauthorized areas
  • technical security measures:
    • e-mail safeguards, including the use of digital signatures to validate messages
    • encryption techniques to protect stored data, backups, e-mail, and data transmissions across networks
    • encryption techniques to protect information on laptops and other portable systems
    • virus and trojan horse controls for the entire network
    • security for access to services based on Internet standards such as ftp, Web, etc.
    • active monitoring to detect break-ins, unauthorized activities, or unauthorized access to resources by employees
    • methods for securely distributing programs and information throughout the organization
  • definition of security levels of software, for example C2 security level as defined in "The Orange Book"
  • definition of organizational security measures, such as regulations concerning employees' behavior, how access rights to sensitive data are to be determined, etc. Some examples include:
    • who is allowed to use an account
    • proper and improper use of local computers and those remotely accessed
    • conditions under which the user can lose an account
    • rules and guidelines about what kinds of use are allowed on which computers
    • consent to monitoring of all aspects of account activity by system administration staff as needed for system or network security, performance optimization, general configuration, and accounting purposes
    • guidelines on disposal or removal from the premises of printed output, diskettes, and other media
    • data protection plans that define backup procedures, off-site storage, and data recovery methods
    • password policies that encourage long, hard-to-guess (but easy to remember) passwords or a coding scheme that creates hard-to-guess passwords from phrases and other information
    • intrusion detection and reporting and lockout policies that protect the University and its officers from accusations of cover-ups, misappropriations, and theft
    • management structures that define administrators, local managers, users, information security officers, and information security auditors
  • definition of audit measures, such as what records to keep and for how long
  • guidelines for actions to be taken when security requirements are violated
  • employee training and education programs designed to reduce security exposures and to define security policies for legal purposes

Security Services

Security services are the services provided by a system for implementing the security policy of an organization. A standard set of such services includes:

  • identification and authentication: unique identification and verification of users through various means, for example:
    • what you know, such as a logon password
    • what you have, such as a key or card
    • what you are; this includes various biometrics such as fingerprints, retina patterns, voice and face characteristics

    This also includes identification and authentication of the remote service or data source via such services as certification servers and global authentication services (single sign-on services).

  • access control and authorization: rights and permissions that control how user can access resources, services, and files
  • accountability and auditing: services for tracking and logging activites on network systems and linking them to specific user accounts or sources of attacks; an alerting service may also be provided
  • data confidentiality: services to prevent unauthorized disclosure of data
  • data integrity and recovery: methods for protecting resources against error, corruption, and unauthorized modification; this usually involves mechanisms using checksums and encryption technologies
  • data exchange: services which secure data transmissions over internal or external communication channels
  • object reuse: services which allow multiple users secure access to individual resources; concepts of transactional security may apply here
  • non-repudiation (origin and delivery): services to protect against any attempt by the sender to falsely deny sending the data, or subsequent attempts by the recipient to falsely deny receiving the data
  • reliability: methods for ensuring that systems and resources are available and protected against failure or loss

Security Mechanisms: Prevention

Security mechanisms are the means for implementing security services. They can be divided into three broad categories:

  • prevention
  • detection
  • recovery

Detection and recovery mechanisms generally involve long-term activities and are necessary because prevention alone can never be adequate. They are described under the Security Management topic later.

Commonly used prevention mechanisms include the following:

  • physical security: lockup of physical assets such as networking infrastructure, computing systems, and data storage to provide protection from unauthorized monitoring, theft, corruption, and natural disasters
  • personnel security: precedures for ensuring that personnel in the organization can be trusted to comply with security policies
  • trusted computing base: establishing the components of a computing system that are trustworthy; included are such items as the access-control mechanism used to protect such components
  • access control lists and security labels: mechanisms to define the rights of a principal to access a particular object; these may also be based on capabilities, which are tokens or tickets granted by a security service on the basis of defined access rights
  • authentication exchange: used to provide authentication of users, data origin, and communications partners; most are based on cryptographic techniques
  • fault tolerance and redundant systems: systems that are designed to withstand hardware failures and software errors using technologies such as RAID, data replication, server clustering, and UPS services
  • backups: an essential mechanism to recover lost or corrupted data
  • encryption: cryptographic methods for protecting files on disks and backups, data transmissions, and e-mail
  • digital signatures: these implement non-repudiation and are usually based on encryption technologies such as a pubic key infrastructure (PKI)
  • notarization: a trusted third party that can be used to provide services to the other entities of a system; these services include proof of integrity, origin, destination, and time of transmission
  • virus protection: usually implemented via automatic programs that monitor systems (including e-mail services) for the telltale signs of virus presence or activity
  • data integrity mechanisms: checksums and several related techniques provide protection against accidental threats and errors for communications protocols and for storage media
  • traffic padding: inserting meaningless data into a message to protect against loss of confidentiality through intentional attacks using traffic analysis; this is most effective when the process is protected by cryptographic measures
  • firewalls: a mechanism for restricting network traffic through well-defined and easily monitored channels using techniques such as packet filtering and proxy services; a related concept takes isolation to the extreme in the form of a physical barrier, or airwall
  • routing control: methods for ensuring that specific types of sensitive data are transmitted only via secure links

Security Management

Security management deals with the definition of security policies, users and access rights, activation and deactivation of security services, and the monitoring of the proper operation of the system. The following broad categories of functions are included:

  • event detection: normal events and security violations are logged, reported and monitored
  • recovery: access denial, changing [??], updating vunerabilities

Security Objects

Security management, like network and systems management, can define Managed Objects (MOs) in a Security Management Information Base (SMIB). These objects can include the following:

  • users: the basis for identification and authentication services and a primary generator of activities that can be audited
  • groups: primarily used for simplification in applying security managment for large numbers of users
  • passwords: used in the logon event and thus a primary target of attack
  • access control lists, priviledges, policies: the basis for ensuring authorized use of system resources; when applied to directories and files, this provides another level of post-logon access control
  • encryption keys: keys must be changed periodically and private keys must be securely distributed
  • event filters: how are events handled and management of changes to reporting and theshhold levels for generating alerts
  • audit logs: mechanisms for tracing of security relevant activities to allow analysis after the fact are essential; management functions may also include services for analysis and preparing reports

References

Chapter 25: Security; in Client/Server Communications Services; Thomas S. Ligon; McGraw-Hill, 1997.

Part 1: Security Boot Camp; in Windows NT Security Handbook; Tom Sheldon; Osborne McGraw-Hill, 1997.

Chapter 10: Security; in Essential Windows NT System Administration; ´┐Żleen Frisch; O'Reilly, 1998.

Page modified: 13 Apr 2016 12:25:02 -0700

--------------------------------------------------
[Back to Top   [Home Page]