Logical IT Security By Prashant Mali
Business Objectives To retain competitive advantage and to meet basic business requirements organizations must: • Ensure the integrity of information stored on their computer systems • Preserve the confidentiality of sensitive data • Ensure the continued availability of their information systems • Ensure conformity to laws, regulations, and standards.
Session Agenda 1. Components of a Security Policy 2. Paths of Logical Access 3. Logical Access Issues and Exposures 4. Access Control Software 5. Logical Security Features, Tools, and Procedures 6. Auditing Logical Access
Security Policy requirement • Security losses can be costly to business. • Losses suffered as a result of the failure itself or costs incurred while recovering from the incident, followed by more costs to secure the systems and prevent further failure. • A well-defined set of security policies and procedures can prevent losses and save money.
Security Policy - Components • Management Support and Commitment • Access Philosophy • Compliance with Relevant Regulations • Access Authorization • Reviews of Access Authorization • Security Awareness • Role of Security Administrator • Security Committee
Paths of Logical Access Logical Access into the computer can be gained through several avenues. Each avenue is subject to appropriate levels of security. Methods of access include the following: • Operator Console • Online Terminals • Batch Job Processing • Dial-up Ports • Telecommunications Network
Logical Access Exposures Inadequate logical access controls increase the potential for losses. These exposures can result in minor inconveniences or total shutdown of the computer system. • Technical Exposures • Virus Exposures • Computer Crime Exposures • Agents of Exposures
Access Control Software Access Control Software is designed to prevent unauthorized access to data, use of system function and programs, unauthorized changes to data and to detect and prevent unauthorized attempts to access computer resources. • Access Control Software tasks • Access Control Software functions • Access Control Software authorization components • Decentralized / Remote Processing issues
Logical Security Features • Two-phase User Identification / Authentication process • Logging Computer Access • Computer features that bypass security • Data Classification • Safeguarding Confidential Data on a PC • Naming conventions for Access Controls
Auditing Logical Access • Evaluating Logical Access Controls • Review Reports from Access Control Software • Data Ownership Issues • Bypass Security Controls
Management Support Management Support and Commitment • Management must demonstrate a concern for security • Management must clearly approve and support formal security awareness and training. • This may require special management security training since security is not necessarily a part of management expertise.
Access Philosophy Access Philosophy • Access to computerized resources and information must be based on a documented “need-to-know, need-to-do” basis only. • “need-not-know” basis?
Compliance Compliance with Relevant Legislation and Regulations • The policy should state that compliance is required with all relevant legislation, such as that requiring confidentiality of personal information, or specific regulations relating to particular industries; e.g. banking or financial institutions.
Access Authorization Access Authorization • The data owner or manager who is responsible for the accurate use and reporting of the information should provide written authorization for users to gain access to computerized information. • The manager should give this documentation directly to the security administrator so mishandling or alteration of the authorization does not occur.
Reviews of Access Authorization Reviews of Access Authorization • Like any other control, access controls should be evaluated regularly to ensure that they are still effective. • Personnel and departmental changes, malicious efforts and just plain carelessness can impact the effectiveness of access controls. • The security manager, with the assistance of the managers who provide access authorization, should review the access controls. • Any access exceeding the “need-to-know, need-to-do” philosophy should be changed accordingly.
Raising Security Awareness • Distribution of a written security policy. • Training on a regular basis for new employees, users, and support staff. • Non-disclosure statements signed by the employees • Use of newsletter, web page, videos to promulgate security awareness • Visible enforcement of security rules. • Simulate security incidents for improving security procedures. • Reward employees who report suspicious events • Periodic audits
Employee Responsibilities • Reading the security policy • Keeping logon-IDs and passwords secret • Reporting suspected violations of security to the security administrator. • Maintaining good physical security by keeping doors locked, safeguarding access keys, not disclosing access door lock combinations and questioning unfamiliar people. • Conforming to local laws and regulations • Adhering to privacy regulations with regard to confidential information (health, legal, etc.)
Employee Responsibilities • Non-employees with access to company systems should also be held accountable for security policies and responsibilities. • These include contract employees, vendors, programmers/analysts, maintenance personnel and clients.
Role of Security Administrator • The security administrator, typically a member of the IS department, is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. • In large organizations, the security administrator is usually a full-time function; in small organizations someone may perform this function along with other non-conflicting responsibilities.
Role of Security Administrator • For proper segregation of duties, the security administrator should NOT be • responsible for updating application data • an end user • an application programmer • a computer operator • a data entry clerk.
Security Committee • Security guidelines, policies, and procedures affect the entire organization and as such should have the support and suggestions of end users, executive management, security administration, IS personnel, and legal counsel. • Individuals representing various management levels should meet as a committee to discuss these issues and establish security practices. • The committee should be formally established with appropriate terms of reference and regular minuted meetings with action items, which are followed up on at each meeting.
Operator Console • These privileged computer terminals control most computer operations and functions. • Most operator consoles do not have strong logical access controls and provide a high level of computer system access - a high risk combination. • These terminals should be placed in a suitably controlled facility so that physical access can only be gained by authorized personnel.
Online Terminal • Online access to computer systems through terminals typically requires entry of at least a logon-ID and password. • May also require further entry of authentication or identification data for access to specific application systems. • Personal Computers (PCs) are often used as online access terminals through terminal emulation software. • This poses a particular risk as the PCs can be programmed to store and recall user access codes and passwords.
Batch Job Processing • This mode of access is indirect since access is achieved via processing of transactions. • It involves accumulating input transactions and processing them as a batch after a given interval of time or after a certain number of transactions. • Security is achieved by restricting who can accumulate transactions (data entry clerks) and who can initiate batch processing (computer operators or the automatic job scheduling system) • Additionally, procedures and authorization to manipulate accumulated transactions prior to processing the batch should be carefully controlled.
Dial-up Ports • Involves hooking a remote terminal or PC to a telephone line and gaining access to the computer by dialing a telephone number that is connected to the computer. • Security is achieved by providing a means of identifying the remote user to determine authorization to access. • This may be done by means of a call-back feature, use of logon-ID and password, use of access control software, or by requiring a computer operator to verify the identity of the caller and then provide the connection to the computer.
Telecommunications Network • Involves linking a number of computer terminals or PCs to the host computer through a network of telecommunication lines. • The telecommunication lines may be private (dedicated to one user) or public, such as the public switched network. • Security should be provided in the same manner as applied to online terminals.
Technical Exposures Technical Exposures involve unauthorized or unintentional implementation or modification of data and software. • Data Diddling - Involves changing data before or as it is entered into the computer. This is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect data.
Technical Exposures Trojan Horses • Involves hiding malicious, fraudulent code in an authorized computer program • This hidden code will be executed whenever the authorized program is executed. • A classic case is the Trojan horse in a payroll calculating program that shaves a barely noticeable amount off each paycheck and credits it to the perpetrator’s payroll account.
Technical Exposures Logic Bombs • The creation of logic bombs requires some specialized knowledge, as it involves programming the destruction or modification of data at a specific time in the future. • They are very difficult to detect before they blow up; thus of all the computer crime schemes they have the greatest potential for damage. • Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator. • Could also be used in extortion schemes.
Technical Exposures Rounding Down • Involves drawing off small fractions of money from a computerized transaction or account and rerouting this amount to the perpetrator’s account. • Since the amounts are so small, they are rarely noticed. • For example, if a transaction amount were Rs.12,30,456.39, the rounding down technique may round the transaction to Rs. 12,30,456.35
Technical Exposures Salami Techniques • Involves slicing small amounts of money from a computerized transaction or account and is similar to rounding down technique. • For example, if a transaction amount were Rs.12,30,456.39, the Salami technique truncates the last few digits from the transaction amount so that it becomes Rs. 12,30,456.30 or Rs. 12,30,456.00 depending on the calculation built into the program.
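The rounding-down and salami slides above describe what the perpetrator's code does; the control against both is reconciliation. The following is an added example (not from the original slides) that recomputes each amount with the organization's intended rounding rule, compares it with what was actually posted, and flags a systematic one-directional shortfall. The half-up rounding rule, the 5% threshold and the ledger rows are assumptions constructed for illustration, using the slide's amounts.

```python
# Added example: reconciling posted amounts against recomputed amounts to
# surface rounding-down and salami patterns. Constructed data, not real.
from decimal import Decimal, ROUND_HALF_UP

PAISE = Decimal("0.01")

def expected_amount(raw: str) -> Decimal:
    """Amount that should have been posted: the raw value rounded to the
    nearest paisa with ordinary half-up rounding (this posting rule is an
    assumption of the example)."""
    return Decimal(raw).quantize(PAISE, rounding=ROUND_HALF_UP)

def reconcile(transactions):
    """transactions: iterable of (txn_id, raw_amount, posted_amount) strings.
    Returns (flagged, total_shortfall, mismatch_rate); flagged holds
    (txn_id, expected, posted, shortfall) for every mismatch."""
    flagged = []
    total_shortfall = Decimal("0")
    count = 0
    for txn_id, raw, posted in transactions:
        count += 1
        exp = expected_amount(raw)
        post = Decimal(posted)
        if post != exp:
            shortfall = exp - post
            flagged.append((txn_id, exp, post, shortfall))
            total_shortfall += shortfall
    rate = len(flagged) / count if count else 0.0
    return flagged, total_shortfall, rate

# Constructed sample ledger. Amounts are written in plain decimal notation:
# "1230456.39" is Rs. 12,30,456.39 in Indian digit grouping.
SAMPLE_LEDGER = [
    ("T1", "1230456.39", "1230456.39"),  # posted correctly
    ("T2", "1230456.39", "1230456.35"),  # rounding down, as on the slide
    ("T3", "1230456.39", "1230456.30"),  # salami: last paise digit truncated
    ("T4", "1230456.39", "1230456.00"),  # salami: paise truncated entirely
    ("T5", "500.004", "500.00"),         # legitimate rounding, no shortfall
]

def suspicious(transactions, max_rate=0.05):
    """A few paise on one transaction looks like noise; many transactions
    short in the same direction is the signature of a salami scheme.
    The 5% threshold is an illustrative assumption."""
    flagged, _total, rate = reconcile(transactions)
    return rate > max_rate and all(f[3] > 0 for f in flagged)

if __name__ == "__main__":
    flagged, total, rate = reconcile(SAMPLE_LEDGER)
    for row in flagged:
        print(row)
    print("total shortfall:", total, "mismatch rate:", rate)
    print("suspicious:", suspicious(SAMPLE_LEDGER))
```

The point for the auditor is that the recomputation must be done outside the program that posts the amounts, since a Trojan horse or logic bomb inside it could falsify both figures.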
Technical Exposures Worms • These are destructive programs that may destroy data or utilize tremendous communication resources but do not replicate by attaching themselves to other programs the way viruses do. • These do not change other programs, but can run independently and travel from machine to machine across network connections. • Worms may also have portions of themselves, called segments, running on different machines.
On 2 November 1988, Robert Tappan Morris, a graduate student at Cornell University, unleashed a program which spawned copies of itself and spread throughout the network. Within hours, the worm had invaded 2,000 to 6,000 computers, about 10% of the Internet at the time. The program also clogged all the systems it hit, dialing virtually every computer it invaded. When Morris saw the damage that was taking place, he posted a message on the Net with instructions for disabling the worm. However by then the damage was done. On 16 May 1990, Morris was convicted and fined $10,000 and sentenced to 3 years probation.
Technical Exposures Trap Doors • Are exits out of an authorized program that allow for insertion of specific logic, such as program interrupts, to permit a review of data during processing. • These holes also permit insertion of unauthorized logic.
Technical Exposures Asynchronous Attacks • These occur in multiprocessing environments where data moves asynchronously (one character at a time with start and stop bits). • As a result, numerous data transmissions must wait for the line to be free. • Data that are waiting are susceptible to unauthorized access called asynchronous attacks. • These attacks, usually small pin-like insertions into cable, may be committed via hardware and are extremely hard to detect.
Technical Exposures Data Leakage • Involves siphoning or leaking information out of the computer. This can involve dumping files to paper or can be as simple as stealing computer reports and tapes.
Technical Exposures • Wire-tapping - involves eavesdropping on information transmitted over transmission lines. Also known as sniffing. • Piggybacking - is an act of following an authorized person through a secured door or electronically attaching to an authorized telecommunication link.
Technical Exposures Shut down of the Computer • Can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up lines) to the computer. • Only individuals having high-level systems logon-ID can usually initiate the shut down process. • Some systems have proven to be vulnerable to shutting themselves down under certain conditions of overload.
Technical Exposures Denial of Service Attack • This is an attack that disrupts or completely denies service to legitimate users, networks, systems, or other resources. • The intent of any such attack is usually malicious in nature and often takes little skill because the requisite tools are readily available.
Viruses Viruses are the colds and flus of computer security: ubiquitous, at times impossible to avoid despite the best efforts, and often very costly to an organization's productivity.
Viruses Viruses are a significant and a very real logical access issue. • The term “virus” is a generic term applied to a variety of malicious computer program code inserted into other executable code that can self-replicate and spread from computer to computer. • Traditional viruses attach themselves to other executable code, infect the user’s computer, replicate themselves on the user’s hard disk and then damage data, hard disk or files.
How many viruses are there? • By early 2002, there were more than 15,000 computer viruses! • The huge number is explained in part by the ease with which potential virus writers can get the tools and actual viral code to work with, either from the Internet or other channels. • In May 1997, the Digital Hackers’ Alliance announced the availability of a CD-ROM with over 10,000 viruses. They also offered to give the first 100 customers a collection of 50 virus creation tools free of charge.
Viruses Viruses usually attack the following parts of the computer • Executable program files (.exe or .com files) - 85% of all viruses are program viruses. • File-directory system that tracks the location of all the computer’s files (the FAT). • Boot and system areas that are needed to start the computer - e.g. the Michelangelo virus • Macro Viruses (Microsoft Word viruses - Concept, Wazzu)
Viruses Can a virus infect data files? • Some viruses (e.g., Frodo, Cinderella) modify non-executable files. • However, in order to spread, the virus code must be executed. • Therefore "infected" non-executable files cannot be sources of further infection. • Such "infections" are usually mistakes, due to bugs in the virus. However, there is an increasing possibility of viruses spreading through the sharing of data files.
Viruses Viruses can spread rapidly via • Removable Drives - 62% • Email - 20% • Downloads - 11% • Web Browsing - 5% • Shrink wrapped software - 2%
Anti-Virus Policies • Build any system from original, clean master copies. Boot only from original diskettes whose write-protection has always been in place. • Allow no disk to be used until it has been scanned on a stand-alone machine that is used for no other purpose and is not connected to the network. • Update virus software scanning definitions regularly. • Write-protect all diskettes with .exe and .com extensions • Have vendors run demonstrations on their machines not yours.
Anti-Virus Policies • Enforce a rule of not using shareware without first scanning the shareware thoroughly for a virus. • Insist that field technicians scan their disks on a test machine before they use any of their disks on the system. • Ensure that the network administrator uses workstation and server anti-virus software. • Ensure that all servers are equipped with an activated current release of the anti-virus software. • Educate users so they will heed these policies.
Anti-Virus - Hardware Tactics • Use workstations without floppy drives. • Use boot virus protection (i.e. built-in firmware-based virus protection) • Use remote booting. • Use a hardware-based password. • Use write-protect tabs on floppy disks.
What is the best Anti-virus program? None! Different products are more or less appropriate in different situations, but in general you should build a cost-effective strategy based on multiple layers of defence. There are three main kinds of anti-virus software: • Scanners • Activity Monitoring Programs • Integrity Checkers
Anti-Virus Software Scanners • These look for sequences of bits called signatures that are typical of virus programs. • Scanners examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus. • Scanners therefore need to be updated frequently to be effective. • Examples: FindViru in Dr Solomon's AntiVirus ToolKit, Frisk Software's F-PROT, McAfee's VirusScan
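To make the scanner description concrete, here is an added example (not from the original slides or from any of the products named) of the core of a signature scanner: a small database of byte patterns, with wildcard bytes of the kind real scanners use for bytes that vary between samples, matched against file images. The signature names, byte patterns and sample files are all constructed for illustration and are not real virus signatures.

```python
# Added example: minimal signature scanner. Signatures and "files" below are
# constructed for illustration only.
from typing import Dict, List, Optional, Tuple

# A signature is a sequence of byte values; None is a wildcard matching any
# single byte (real scanners use wildcards for bytes that vary per sample).
Signature = List[Optional[int]]

def parse_signature(text: str) -> Signature:
    """Parse 'E8 ?? ?? 00 5D' style hex notation into a Signature."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_signature(data: bytes, sig: Signature) -> int:
    """Return the offset of the first match of sig in data, or -1."""
    n, m = len(data), len(sig)
    for i in range(n - m + 1):
        if all(s is None or data[i + j] == s for j, s in enumerate(sig)):
            return i
    return -1

def scan(data: bytes, db: Dict[str, Signature]) -> List[Tuple[str, int]]:
    """Scan one buffer (a file image, boot sector or memory dump) against
    every signature in db; returns [(name, offset)] for each hit."""
    hits = []
    for name, sig in db.items():
        off = find_signature(data, sig)
        if off >= 0:
            hits.append((name, off))
    return hits

def scan_all(files: Dict[str, bytes], db: Dict[str, Signature]):
    """Scan every file; clean files are reported with an empty hit list."""
    return {name: scan(data, db) for name, data in files.items()}

# Constructed signature database: hypothetical names and byte patterns,
# not signatures of any real virus.
SIGNATURE_DB = {
    "Demo.A": parse_signature("DE AD BE EF"),
    "Demo.B": parse_signature("E8 ?? ?? 00 00 5D C3"),
}

# Constructed sample files: one clean image and two carrying the patterns.
SAMPLE_FILES = {
    "clean.com": bytes(range(64)),
    "bad1.exe": b"MZ" + b"\x00" * 10 + b"\xde\xad\xbe\xef" + b"\x90" * 4,
    "bad2.exe": b"MZ" + b"\xe8\x12\x34\x00\x00\x5d\xc3" + b"\x00" * 8,
}

if __name__ == "__main__":
    for fname, hits in scan_all(SAMPLE_FILES, SIGNATURE_DB).items():
        print(fname, "->", hits or "clean")
```

Anything whose pattern is not in SIGNATURE_DB scans as clean, which is exactly why the slide says scanners must be updated frequently.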