- Introduction to Security
Security refers to any measures taken to protect something. Examples of security in the real world include locks on doors, alarms in our cars, police officers.
Computer security is a field of computer science concerned with the control of risksrelated to computer use.It describe the methods of protecting the integrity of data stored on a computer.In computer security the measures taken are focused on securing individual computer hosts.
Network security consists of the provisions made in an underlying computer network infrastructure, policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access and the effectiveness (or lack) of these measures combined together. It starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are allowed to be accessed by the network users. Even though it prevents unauthorized access, it prevents harmful contents such as computer worms being transmitted over the network. An intrusion prevention system (IPS) helps detect and prevent such malware.
1.1 Threats in Network Security
The following describe the general threats to the security of the distributed systems
Disclosure of information
Organizations maintain valuable information on their computer systems. This information may be used by other parties in such a way as to damage the interest of the organization owning the information. Therefore information stored on or processed by computer systems must be protected against disclosure both internal and external to the user organization.
Contamination of information
Valuable information may become worthless if unauthorized information is mixed with it. The damage may be as great as the damage through information disclosure.
Unauthorized use of resources
Unauthorized use of resources may lead to destruction, modification, loss of integrity etc. of resources and thus the authorization of individual users will be limited.
Misuse of resources
Authorized use of resources may give authorized individuals the opportunity to perform activities that are harmful to the organization. Misuse of resources, intentional or accidental, may be harmful to the organization through corruption, destruction, disclosure, loss or removal of resources. Such misuse may affect the liability of an organization for information entrusted to it or for transactions and information exchanged with other organizations.
Unauthorized information flow
In adistributed system, information flow must be controlled not only between users of end-systems but also between end-systems. Depending on the prevailing security policy information flow restrictions may be applied to the basis of classification of data objects and end-systems, user clearances, etc.
Repudiation of information flow
Repudiation of information flow involves denial of transmission or receipt of messages. Since such messages may carry purchasing agreement, instructions for payment etc., the scope for criminal repudiation of such messages is considerable.
Denial of service
Because of the wide range of services performed with the aid of computer systems, denial of service may significantly affect the capability of a user organisation to perform its functions and to fulfill its obligations. Detection and prevention of denial of service must be considered as part of any security policy.
1.2 Security Services
In order to protect against perceived threats, various security services need to be provided, the main security services are:
Authentication
Authentication is the process of proving the identity of a user of a system by means of a set of credentials. Credentials are the required proof needed by the system to validate the identity of the user. The user can be the actual customer, a process, or even another system. A person is a validated through a credential. The identity is who the person is. If a person has been validated through a credential, such as attaching a name to a face, the name becomes a principal.
An authentication service is concerned with assuring that the communication is authentic. In the case of a single message, such as warning or alarm signal, the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from. In the case of an ongoing interaction, such as the connection of a terminal to a host, two aspects are involved. First, at the time of connection initiation, the service assures that the two entities are authentic, that is, that each is the entity that it claims to be. Second, the service must assure that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties for the purpose of unauthorized transmission or reception.
Authorization
The process by which a user is given access to a system resource is known as authorization.The authorization process is the check by the organization’s system to see whether the user should be granted access to the user’s record. The user has logged in to the system, but he still may not have the permission necessary from the system to access the records.
When deploying a system, access to system resources should also be mapped out. Security documents that detail the rights of individuals to specific resources must be developed. These documents must distinguish between the owners and the users of resources as well as read, write, delete, and execute privileges.
Confidentiality
Confidentiality is the protection of transmitted data from passive attack. With respect to the release of message contents, several levels of protection can be identified.The broadest service protects all user data transmitted between two users over a period of time. Narrower forms of this service can also be defined, including the protection of single message or even a specific fields within a message. The other aspect of confidentiality is the protection of traffic flow from analysis. This requires the prevention of the attacker from observing destination, frequency, length, or other characteristics of the traffic on a communications facility.
When the information is in a protected form, it is called a cipher text. Cipher text uses a cipher, which changes the plaintext into cipher text. The cipher requires keys to change the information from one form to the other.
Integrity
During the transmission or storage of data, information can be corrupted or changed, maliciously or otherwise, by a user. Validation is the process of ensuring data integrity. When data has integrity, it means that the data has not been modified or corrupted. One technique for ensuring data integrity is called data hashing.
Integrity can apply to a stream of messages, a single message, or selected fields within a message. Again the most useful and straightforward approach is total stream protection.A connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent, with no duplication, insertion, modification, reordering or replay. The destruction of data is also covered under this service. Thus, the connection-oriented integrity service addresses both message stream modification and denial of service. On the other hand, a connection-less integrity service, one that deals with individual messages only without regard to any larger context, generally provides protection against message modification only.
Non-repudiation
Non repudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the message was in fact sent by the alleged sender. Similarly, when a message is received, the sender can prove that the message was in fact received by the alleged receiver.In other words, non-repudiation of origin proves that data has been sent, and non-repudiation of delivery proves it has been received.
Access Control
Access control is the ability to limit and control the access to host systems and applications links. To achieve this control, each entity trying to gain access must first be identified, or authenticated. The goal of access control is to be able to specify and restrict access to subjects and resources to those users and processes which have the appropriate permission. Access control is implemented according to a policy that defines methods for both authentication and authorization, and applies to a security domain.
Availability
A variety of attacks can result in a form of reduction in availability. Some of these attacks are amenable to automated countermeasures, such as authentication and encryption, whereas others require some sort of physical action to prevent or recover from loss of availability of elements of a distributed system.
1.3 Security Mechanism
A mechanism that is designed to detect, prevent, or recover from a security attack.No single mechanism will support all required functions. Cryptography is one of the security mechanisms. Some of the common security mechanisms are:
- Encryption
- Digital padding
- Traffic padding
- Routing control
- Trusted functionality
- Security labels
- Access controls
- Event detection
- Audit trials
1.4 Security Attacks
Any action that compromises security of information is called a security attack. Some of the common security attacks are given below.
Ref: Attacks
Attacks can be active or passive
Passive Attacks
- Learn or make use of information from system, but does not affect system resources.
- Intercept or read data without changing it.
- Goal of opponent is to obtain information that is being transmitted.
- This type of attack has been perpetrated against communication systems ever since the invention of the electric telegraph.
- Two types of passive attacks are release of message contents and traffic analysis (masking the content of message. e.g. Encryption).
- Difficult to detect, because no alteration of data. Normally done using encryption.
Active Attacks
- Involve modification of data stream or creation of a false stream.
- The active threat is potentially far more serious.
- Use of encryption can protect against alteration of the data by arranging that the encrypted data is structured in such a way that meaningful alteration cannot take place without cryptanalysis.
- Subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
Masquerade: One entity pretends to be a different entity. e.g., Authentication sequences can be captured and replayed after a valid authentication sequence takes place.
Replay: Passive capture of data unit and its subsequence retransmission to produce an unauthorized effect.
Modification of message: Some portion of message altered, or delayed or reordered.
Denial of Service: Prevents normal use or management of communication facilities.
e.g., suppressing all messages directed to a particular destination.
Other active attacks include:
- Flooding
- Jamming
- Routing attacks: False routes, Configuration changes
- Trap doors, Logic bombs etc,
- Remote arbitrary code execution via., worms and viruses.
1.5 Hackers and Crackers
Ahacker(also called a White Hat)is often someone who creates and modifies computer software and computer hardware, including computer programming, administration, and security-related items. A hacker is also someone who modifies electronics, for example, ham radio transceivers, printers or even home sprinkler systems to get extra functionality or performance.A hacker obtains advanced knowledge of operating systems and programming languages. They may know the holes within systems and the reasons for such holes. Hackers constantly seek further knowledge, freely share what they have discovered, and never, ever intentionally damage data.
For further reading:
A cracker(also called a Black Hat)is a person who uses their skills with computers and other technological items in a malicious or criminal manner. He breaks into or otherwise violates the system integrity of remote machines, with malicious intent. Crackers, having gained unauthorized access, destroy vital data, deny legitimate users service, or basically cause problems for their targets. Usually a Black Hat is a person who uses their knowledge of vulnerabilities and exploits for private gain, rather than revealing them either to the general public or the manufacturer for correction.
For further reading:
1.6 Common Intrusion Techniques
Virus
In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A virus is a program that can copy itself and infect various parts of your computer, such as documents, programs, and parts of your operating system. Most viruses attach themselves to a file or part of your hard disk and then copy themselves to other places within the operating system. Some viruses contain code that inflicts extra damage by deleting files or lowering your security settings, inviting further attacks. Usually to avoid detection, a virus disguises itself as a legitimate program that a user would not normally suspect to be a virus. Viruses are designed to corrupt or delete date on the hard disk, i.e. on the FAT (File Allocation Table).
A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of the virus into a program is termed infection, and the infected file (or executable code that is not part of a file) is called a host. Viruses are one of the several types of malware or malicious software. Computer viruses cannot directly damage hardware, only software is damaged directly. The software in the hardware however may be damaged.
Types of Viruses
System or Boot Sector Virus
System sectors are special areas on thedisk containing programs that are executed when we boot (start) the PC. Every disk (even if it only contains data) has a system sector of some sort. System sector viruses infect executable code found in certain system areas on a disk. There are boot-sector viruses, which infect only the DOS boot sector, this kind of virus can prevent us from being able to boot the hard disk. All common boot sector and MBR viruses are memory resident. System sector viruses spread easily via floppy disk infections and, in some cases, by cross infecting files which then drop system sector viruses when run on clean computers.
File or Program Virus
These viruses infect applications. These viruses usually infect COM and/or EXE programs, though some can infect any program for which execution or interpretation is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files. The simplest file virus work by locating a type of file they know how to infect (usually a file name ending in .COM or .EXE) and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. The more sophisticated file viruses save (rather than overwrite) the original instructions when they insert their code into the program. This allows them to execute the original program after the virus finishes so that everything appears normal.
File viruses have a wide variety of infection techniques and infect a large number of file types, but are not the most widely found in the wild.
Macro Virus
These are the most common viruses striking computers today. While some can be destructive, most just do annoying things, such as changing your word processing documents into templates or randomly placing a word such as "Wazoo" throughout a document. While these actions may not permanently damage data, they can hurt productivity. The reasons these viruses have become so widespread, and the reasons they are so troublesome, are twofold: They are easy to write, and they exist in programs created for sharing.
It is a program or code segment written in the internal macro language of an application and attached to a document file (such as Word or Excel). It infects files you might think of as data files. But, because they contain macro programs they can be infected.
When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continual use of the program results in the spread of the virus. Some macros replicate, while others infect documents.
Stealth Viruses
These viruses are stealthy in nature and use various methods to hide themselves to avoid detection. They sometimes remove themselves from the memory temporarily to avoid detection and hide from virus scanners. Some can also redirect the disk head to read another sector instead of the sector in which they reside. Some stealth viruses conceal the increase in the length of the infected file and display the original length by reducing the size by the same amount as that of that of the increase, so as to avoid detection from scanners, making them difficult to detect.
Polymorphic Viruses
They are the most difficult viruses to detect. They have the ability to mutate implying that they change the viral code known as the signature (A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses) each time they spread or infect. Thus, anti-viruses which look for specific virus codes are not able to detect such viruses. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses however, this decryption module is also modified on eachinfection. A well-written polymorphic virus therefore has no parts that stay the same on each infection, making it impossible to detect directly using signatures.