Security is the set of preventative and reactive measures taken to minimize harm, whether intentional or not. Depending on your need for security, there are different measures that can be taken. See also my section on Passwords.
Confidentiality, Integrity, Availability (CIA). Some folks think it should be Confidentiality, Integrity, Availability, Accountability (CIAA). CIAA is the foundation of information security.
Physical security means to control the physical and electrical means by which access is gained to a system.
Physical security includes the following:
- Locking doors to sensitive systems.
- Strict policies on who has access to sensitive areas.
- Not allowing sensitive computers to be connected to outside systems.
Fault tolerance is the ability to recover from hardware failure or mistakes with little or no interruption. A fault tolerant system is said to be robust and often has redundant or backup components.
- Eliminate single points of failure. That is, if something fails, a replacement should take over automatically.
- The need for fault tolerance of a point is determined by the number of users that would be hampered if that point failed.
- Points include the following:
  - Electrical disaster prevention equipment (surge protectors, UPSs, etc.)
  - Data protection and recovery (backup data, RAID, roll back transactions, etc.)
  - Software and hardware components that are redundant, parallel, and replaceable, including the following:
    - operating system software, application software, storage (disks), power supply (usu. a transformer in a machine), network connectors, network card, processor chip, RAM, etc.
Secure transmission ensures that communications are only between the appropriate parties.
Secure transmission includes the following:
- Data encryption. Public keys (like PGP), symmetric keys (like DES), SSL, etc.
- Data compression. WinZip for PCs, StuffIt for Macs, gzip for UNIX, etc.
- Digital certificates. Clients and servers can acquire certificates of identification by registering with a certificate authority (like www.VeriSign.com). This is usually used for data encryption when accessing pages via https://, i.e. via SSL. See also my article on Encryption.
A Man-in-the-middle attack (aka MITM attack; bucket-brigade attack; Janus attack) happens when an attacker eavesdrops between two communicating parties. Secured transmissions prevent MITM attacks.
Audits involve logging activity for the purposes of determining what occurred, when, and who did it.
Audits include the following:
- Network operating system logs.
- Operating system logs. Like Event Viewer for Windows NT.
- Database logs.
- Specialty server logs. EG: MS IIS, MS VSS.
- Logs kept by applications and business objects.
Databases in particular can be set up so that every insert, update, and delete is logged: When, who did it, where in the app they did it, and what they changed the data from and to.
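The kind of database audit trail just described, as an added example that is not from the original page: SQLite triggers record when each insert, update and delete happened, who did it, where in the app they did it, and the old and new values. SQLite has no idea of the application user, so this example assumes the app writes the current user and screen into a one-row `session` table before touching data; the table and column names, and the sample activity, are constructed for the example.

```python
import sqlite3

# Watched table, the app-maintained session row (who/where), and the audit
# table the triggers append to. Triggers log nothing if session is empty.
SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
CREATE TABLE session (id INTEGER PRIMARY KEY CHECK (id = 1), who TEXT, location TEXT);
CREATE TABLE audit (
    at TEXT DEFAULT (datetime('now')), who TEXT, location TEXT,
    action TEXT, row_id INTEGER, old_value TEXT, new_value TEXT);
CREATE TRIGGER emp_ins AFTER INSERT ON employees BEGIN
    INSERT INTO audit (who, location, action, row_id, old_value, new_value)
    SELECT who, location, 'INSERT', NEW.id, NULL, NEW.name || ':' || NEW.salary FROM session;
END;
CREATE TRIGGER emp_upd AFTER UPDATE ON employees BEGIN
    INSERT INTO audit (who, location, action, row_id, old_value, new_value)
    SELECT who, location, 'UPDATE', NEW.id, OLD.name || ':' || OLD.salary, NEW.name || ':' || NEW.salary FROM session;
END;
CREATE TRIGGER emp_del AFTER DELETE ON employees BEGIN
    INSERT INTO audit (who, location, action, row_id, old_value, new_value)
    SELECT who, location, 'DELETE', OLD.id, OLD.name || ':' || OLD.salary, NULL FROM session;
END;
-- An audit trail is only evidence if it cannot be rewritten: refuse edits to it.
CREATE TRIGGER audit_no_upd BEFORE UPDATE ON audit BEGIN SELECT RAISE(ABORT, 'audit is append-only'); END;
CREATE TRIGGER audit_no_del BEFORE DELETE ON audit BEGIN SELECT RAISE(ABORT, 'audit is append-only'); END;
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def set_actor(conn: sqlite3.Connection, who: str, location: str) -> None:
    """Record who is acting and where in the app, for the triggers to copy."""
    conn.execute("INSERT OR REPLACE INTO session (id, who, location) VALUES (1, ?, ?)",
                 (who, location))

def audit_rows(conn: sqlite3.Connection) -> list:
    return conn.execute("SELECT who, location, action, row_id, old_value, new_value "
                        "FROM audit ORDER BY rowid").fetchall()

def demo() -> list:
    """Constructed activity: alice adds and edits a row, carol deletes it."""
    conn = open_db()
    set_actor(conn, "alice", "payroll/edit")
    conn.execute("INSERT INTO employees (id, name, salary) VALUES (1, 'Bob', 50000)")
    conn.execute("UPDATE employees SET salary = 55000 WHERE id = 1")
    set_actor(conn, "carol", "hr/offboard")
    conn.execute("DELETE FROM employees WHERE id = 1")
    return audit_rows(conn)
```

Each audit row answers the page's four questions (when, who, where, from/to); in a real deployment the audit table also lives under a database account the application cannot delete from.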
Access control deals with enabling an authority to control which entities access which resources with what permissions.
Before proceeding, we must define entities, resources, and permission:
- Entities include computers, processes, individual users, and groups of users. Some entities may have the authority to manage access control.
- Resources include other entities, domains, directories, files, portions of applications, and specialty resources (EG: Web sites on a web server).
- Permissions (aka rights) are what an entity can do with resources.
- Permissions can vary with different systems, but these are the most common permissions:
  - Read, aka r.
  - Write, aka w.
  - Execute. One of the following:
    - Scripts, aka s.
    - Executables & scripts, aka x.
    - Neither.
  - Delete, aka d.
  - Control permissions, aka p.
  - Take ownership, aka o.
  - List contents, aka l.
- It is common to use rwx characters as shorthand for permissions. EG:
  - r-x permissions to read and execute but not write.
  - r-- permissions to read but not write or execute.
  - rwx permissions to read, write, and run executables.
- Other sets of permissions may be represented with shorthand. EG:
  - rwxd-- permissions to read, write, delete, run scripts, run executables, but not to manage access control or take ownership. This entity is said to have "Modify" permissions.
  - rwxdpo permissions to read, write, delete, run scripts, run executables, manage access control, and take ownership. This entity is said to have "Full Control" permissions.
An Access Control List (ACL) is a list of permissions attached to a resource. This means which entities have what permissions for that resource. A user is usually a member of multiple groups. When a user is trying to access a resource and is a member of multiple groups that have permissions to that resource, then the permissions of the least restrictive group takes precedence unless the user is a member of a group that is specifically denied access or given "No Access" to that resource.
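The rwxdpo shorthand and the ACL rule above (least restrictive group wins, explicit "No Access" overrides), worked as an added example that is not from the original page. The parser and the sample payroll ACL, group names and users are constructed for the example; `principals` is assumed to be the user's own account plus every group it belongs to.

```python
from typing import Dict, Iterable, Set

FLAGS = "rwxdpo"                                            # the page's shorthand, in order
LEVELS = {"rwxd--": "Modify", "rwxdpo": "Full Control"}     # named levels from the page
DENY = "No Access"                                          # explicit deny entry in an ACL

def parse_shorthand(shorthand: str) -> Set[str]:
    """'rwxd--' -> {'r','w','x','d'}; a short form like 'r-x' is padded with '-'."""
    padded = shorthand.ljust(len(FLAGS), "-")
    if len(padded) != len(FLAGS):
        raise ValueError(f"bad shorthand: {shorthand!r}")
    flags: Set[str] = set()
    for want, got in zip(FLAGS, padded):
        if got == want:
            flags.add(got)
        elif got != "-":
            raise ValueError(f"unexpected {got!r} in {shorthand!r}")
    return flags

def to_shorthand(flags: Set[str]) -> str:
    return "".join(f if f in flags else "-" for f in FLAGS)

def effective_permissions(principals: Iterable[str], acl: Dict[str, str]) -> Set[str]:
    """principals: the user's account plus all of its groups.
    acl: entity -> shorthand (or DENY) for one resource.
    The union of every matching entry is granted (least restrictive group wins)
    unless any matching entry is an explicit deny, which overrides the rest."""
    matched = [acl[p] for p in principals if p in acl]
    if DENY in matched:
        return set()
    granted: Set[str] = set()
    for entry in matched:
        granted |= parse_shorthand(entry)
    return granted

def level_name(flags: Set[str]) -> str:
    """The page's named level when one applies, otherwise the raw shorthand."""
    if not flags:
        return DENY
    short = to_shorthand(flags)
    return LEVELS.get(short, short)

# Constructed ACL for one resource, say a payroll spreadsheet.
PAYROLL_ACL = {
    "Everyone": "r-----",
    "HR": "rwxd--",
    "Admins": "rwxdpo",
    "Contractors": DENY,
}
```

A user in both HR and Contractors ends up with nothing, even though HR alone would have given Modify: that is the deny override the text describes.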
Access to network resources is ultimately controlled on a per user basis. However there are at least two ways to do this:
- Share-Level Security. In this case each resource must be designated as shared and will ask for a password from each entity that tries to use it.
- User-Level Security. In this case each resource must be designated as shared and must assign which entities have what permissions to the resource. Access can be granted to individual user accounts but it is usually easier to control access of groups and just change group membership as needed.
Once the entities, resources, and permissions are in place, a system must be provisioned to provide access. Provisioning is initializing, preparing, and equipping a system so it can provide services and resources to users. When an entity wants to access a resource they must first be authenticated then authorized.
- Authentication (aka A1; AuthN; An) is the act of establishing or confirming that an entity is what or who they say they are. They are usually checked by one (the most common) or more means (aka two-factor authentication; T-FA; 2FA; multi-factor authentication; MFA):
- Knowledge. The entity knows something like user name, password, PIN, pass phrase.
- Ownership. The entity has something like a wrist band, security token, cell phone.
- Inherence. The entity is or does something like signature, fingerprints, retina, voice, DNA.
- Location. The entity is at the specified location.
- Time. The entity is at the specified date and time.
- Referral. The entity is checked by a social contact, a friend, a 3rd party. Social sites do this. When one party does authentication for another party, then they have federated the identity. A party that provides Single Sign-On (SSO) for other parties does identity federation.
- Authorization (aka A2; AuthR; AuthZ; Az) is the act of parsing the user against the ACL and providing the appropriate resources with the appropriate permissions. EG: Users in human resources can access things that the typical worker can't.
Access control includes the following:
- Network security. Portal devices can protect networks by identifying entities and controlling who has access to portions of the network. This includes repeaters, hubs, bridges, routers, brouters, gateways, dial back modems, firewalls, and proxy servers.
- Network operating system security. This includes identifying domains, users, groups, and computers, and using domain controllers. This is where user-level security is typically applied.
- Operating system security. This is where share-level security is typically applied.
- Database security, eg SQL Server Security.
- Specialty server security, eg MS IIS, MS VSS.
- Application security. Custom security can be placed in apps and web apps. Usually these authenticate a user's input against a database.
- Lightweight Directory Access Protocol (LDAP), a cross-platform application protocol for reading and editing directories over an IP network. The "directories" correspond to resources.
- Kerberos, a cross-platform authentication protocol that uses symmetric key cryptography.
- Network. LAN/WAN (Local Area Network and Wide Area Network) access is usually done via the network operating system's control over access authentication.
- Intranet. An intranet is a portion of a LAN/WAN that is connected via TCP/IP and is protected from the Internet.
- Extranet. Two intranets connected together. This may also cover an intranet accessed via VPN (Virtual Private Network) through PPTP (Point-to-Point Tunneling Protocol).
- Internet. LANs/WANs, intranets, and extranets must be protected from the Internet and yet, if possible, have access to the Internet.
A firewall is usually hardware (eg a screening router), software (eg a proxy server), or both. Most firewall systems use one or more of the following methods:
- Packet filtering: A hardware method that utilizes a SR (screening router) to check incoming and outgoing packets and then either allows or rejects the packet based on security parameters such as whether the IP address is preauthorized, or based upon the TCP and UDP port numbers, thus enabling certain types of connections such as telnet or FTP. This method is effective, but is difficult to configure and may still be surpassed by IP spoofing. Packet filtering operates at the Network layer of the OSI Reference Model.
- Proxy server: A software version of a router. It also intercepts messages to and from the network. It hides the true network address (thus making it spoof proof) and can perform functions beyond just security. A proxy server may be an application-specific proxy. EG: A server may proxy HTTP for Web pages, FTP, RealAudio/Video, SMTP/POP for e-mail, NNTP for newsgroups, nearly any MIME type, etc. Proxy servers work at the Application layer of the OSI Reference Model.
- Application gateway: A software method that only allows applications like FTP or telnet servers to connect. This method is effective but has connection limitations.
- Circuit level gateway: A hardware method that only allows certain circuits to connect.
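A screening-router packet filter of the kind described under "Packet filtering", as an added example that is not from the original page: rules keyed on whether the source address is preauthorized and on TCP/UDP destination ports (telnet 23, FTP 21), first match wins, anything unmatched is dropped. It goes one step beyond the text by adding the ingress check a defender uses against the IP spoofing weakness the page notes: a packet arriving on the outside interface that claims an inside source address is dropped before any port rule is consulted. The address ranges, interface names and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")              # constructed LAN prefix
PREAUTHORIZED = [ip_network("203.0.113.0/24")]     # constructed partner range

@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int     # destination port

# Ordered rules: (iface, proto, dport or None for any, source must be
# preauthorized?, verdict). First match wins; no match means drop.
RULES = [
    ("outside", "tcp", 21, True, "allow"),     # FTP, only from partner ranges
    ("outside", "tcp", 23, True, "allow"),     # telnet, only from partner ranges
    ("outside", "tcp", 80, False, "allow"),    # public web server
    ("inside", "tcp", None, False, "allow"),   # any outbound TCP from the LAN
]

def filter_packet(pkt: Packet) -> str:
    src = ip_address(pkt.src)
    # Ingress anti-spoofing: an inside address can never legitimately arrive
    # on the outside interface, whatever the port rules would otherwise say.
    if pkt.iface == "outside" and src in INSIDE:
        return "drop:spoofed"
    for iface, proto, dport, need_preauth, verdict in RULES:
        if iface != pkt.iface or proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if need_preauth and not any(src in net for net in PREAUTHORIZED):
            continue
        return verdict
    return "drop:default"
```

The spoofing check only catches packets that forge an inside address; a forged address inside the partner range still passes, which is why the page pairs the screening router with a proxy that hides the real addresses.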
Here is a belt & suspenders firewall, a typical enterprise level setup for network access security:

The SRs are screening routers, ie packet filters. The BHs (Bastion Hosts) are servers such as IIS, RAS, and Exchange. The DMZ (De-Militarized Zone) demarcates machines that have more exposure to the Internet than the LAN does.
Here are links that lead to off-site pages about security.
Antivirus (AV)
- [icsalabs.com]. "For over a decade, ICSA Labs, an independent division of Verizon Business, has been the security industry's central authority for research, intelligence, and certification testing of products. ICSA Labs sets standards for information security products and certifies over 95% of the installed base of anti-virus, firewall, IPSec VPN, cryptography, SSL VPN, network IPS, anti-spyware and PC firewall products commonly deployed in the world today."
- Virus Bulletin [virusbtn.com]. Compares AV software. " Virus Bulletin started in 1989 as a magazine dedicated to providing PC users with a regular source of intelligence about computer viruses, their prevention, detection and removal, and how to recover programs and data following an attack. Virus Bulletin quickly became the leading specialist publication in the field of viruses and related malware."
- Virus Information [http://csrc.nist.gov/archive/virus/]
- Antivirus software [W].
Wikipedia
Wikipedia has many articles related to security. Here are just a few.
Miscellany
Page Modified: (Hand noted: 2007-08-31 10:33:15Z) (Auto noted: 2011-06-22 14:46:44Z)