1

Security Considerations

Security Considerations

Robert Robbins

CMTG/400

April 19, 2014

Dave Fedorchak

Security Considerations

Introduction Security authentication in an information system is critical. It involves the process of identifying a user, normally based on a specific username and password. Authentication ensures that the user is the user that they claim to be. This is very different from authorization, which involves enabling users to have access to a system given their status, and identity. Authentication of authorized personnel is a key component in establishing a secure information system for a business. This paper will go over this and other security considerations that will create that security, and what to avoid.

Authentication Security Considerations There are five security main security concerns that can affect the design and development processes of information systems. The first is weak passwords. Most often people normally create passwords that are easily remembered. If a password is extremely easy to remember, the odds are that an unauthorized person could be able to guess what it is. Brute force attacks are a common practice against easily remembered passwords. There are tools available on the Internet to help with this. The term brute force means to make as many attempts as possible. A way of protecting against this is to set an account lock after a set number of failed attempts. An unfortunate occurrence is that many users set the same easy to remember password on many websites. This just adds to the possibility that a malicious user will figure it out.

Security Considerations A second security concern would also involve passwords. It is the failure to change from a default password. Most new information systems will come with a default password, and failure to change that leaves the system vulnerable. If the system is one that is used by many then the possibility of an unauthorized user being able to gain access is increased, especially if they are familiar with the software. The thirds security concern is the use of unencrypted communication. It is not uncommon today for a business to fail to use a secure communication channel such as SSL for business related communications. This leaves network communications at risk from eavesdropping. Encrypted channels takes out the possibility of this risk. The fourth security concern involves communication as well. If a business is not using a secure SSL for communications, that leaves the LDAP connections vulnerable. Various information systems use LDAP or lightweight directory access protocol server for communications. Without SSL security the server is vulnerable. The last security concern involves non-secured single sign on solutions. This solution enables sharing of authentication credentials across business systems. Most SSO solutions use internet cookies or HTTP headers for this sharing process. These transmissions are normally encrypted, but are still vulnerable to attack. It is a necessity to make sure that SSO solution is in compliance with all the most up to date security policies.

Securing Data While normally security is something that businesses integrate into an information system after it has been coded developed, tested, and then deployed, it is a good idea to if possible to

Security Considerations integrate security into the process of software development. Building it into each facet of the information system as you develop it is the way to achieve this goal. There are two separate and required elements needed to achieve this objective. First, the inclusion of security requirements and measures in the specific process model being used. Second, the use of secure coding methods to prevent opportunities to introduce security failures into the softwares design (Conklin, A., White, G., Williams, D., Davis, R., Cothren, C., 2012). For many years secure coding was not high priority in software development no matter which of many development methods were being used to build the software. This much overlooked technique was an issue in most software engineering methods, until recent years with the uprising of malware and malicious attacker it came forefront. Many software developers, with Microsoft being one of the biggest supporters of using secure coding in software development have begun using this technique in the development of their software. With this renewed interest in secure coding. The technique has become a standard, no matter what process model is being implemented. Requirements Phase In the requirements phase of software development the security needs should be defined. This way if secure coding is going to be implemented the groundwork will be laid out for it. That way no matter what method is used the coding process will be done with security requirements in mind as it is being completed. Some common security requirements should include password management, authentication and authorization management, data validation and security, and network security. During this phase of development, the project manager and administration are

Security Considerations in communication about what requirements need to be put into place in the software so that it performs as it is intended and only that way.

Design Phase Before coding ensues, there has to be a designing phase. If the project was small this would not be as big of an issue. For larger projects it is a necessity. Designing a software program is a complex procedure. There are many ways to construct a program. The designing process is a procedure that involves concessions and choices. The criteria decided upon during this process will affect the program throughout the entire construction of the program. There are two techniques in writing secure code. One involves minimizing the attack surface area. This reduces the places a hacker could attack a program, keeping it safer. The other involves a term called threat modeling. Threat modeling involves identifying risks and their possible effects on the program. The output of this technique is a gathering of threats and how they might interact with the software itself. This information is then relayed to the respective parties involved in the construction of the program.

Coding Phase The next phase in constructing a program is the coding phase. In this phase the ideas and requirements are turned into code for building the program. During this phase of development, encryption of data is also important. This can provide a vast amount of functionality for the

Security Considerations software program. This entails using only approved cryptographic functions so that the possibility of errors is kept to a minimum. At this point the ideas that have been turned into code is the place that errors can access the process. These errors fall into two main categories. The first is the inability to give desired functionality. The other is the including of unwanted behavior in the program code. With this event comes the next phase, which is the testing phase.

Testing Phase The testing phase of program development is of the upmost importance as this is the final procedure before a program is released. This is where designers find errors in code before the software is released, and the possibility of the end user encountering them becomes a real possibility. There are many techniques to do this. One common one is to employ use case testing for the program to analyze common inputs against expected outputs for the intended use of the software. Applying security use case scenarios helps test the security facets of the program. Testing for security by itself, involves a larger spectrum of testing. This involves white-box and black-box testing, fuzz testing, and penetration tests. Fuzz testing being fairly new, but is becoming an important tool in security testing of software.

Securing Data Securing data in an information system is crucial. There are many procedures to do this. First there is the normal basic security measures. The first is secure password protection. Next is Software updates. The last two basic security measures are firewall and malware protection. As

Security Considerations the amount of sensitive data increases, so must the security measures. At this point access controls must be put into place to ensure that people accessing sensitive data are properly authorized, and authenticated. This can be accomplished through making sure that passwords are unique for users needing to access this data. Another idea is to limit unsuccessful login attempts so that brute force guessing is taken out of the equation. A very important way to secure data against intrusions and the possibility of natural disasters is a regularly scheduled regimen of backups. This would be even more effective if a remote server was used to store these so that if an intrusion or natural disaster occurred, the system could be restored from this server, while keeping data integrity intact. Included with this would be a continuous risk analysis to make sure that these procedures are current.

Systems and Devices Systems and devices that can help with securing data in an information system are important. These would include servers. Databases, network configuration, VPNs, and workstations are all part of this. All of these entities will be helpful in keeping data secure as long as they are properly configured for the system in question. With all of these, the proper configurations are all essential for performance. The proper protocols would need to be in place for storing, transmitting, communicating this data. SSL protocols being the most important with transmitting data. These entities would also need to be kept up to date on all security patches and updates.

Security Considerations Conclusion In conclusion, if these preceding steps are taken into account and used accordingly the program has a good chance of being functional, secure, and relatively error free for the end user it is intended for. This paper discusses how to use secure coding when developing software. Lists the major errors that are common for software development. Gives a good description of proper software development practices, and how they can affect the end product. Gives a description of how using these processes promote security in a software project.

Security Considerations References Latest Security Brief. (2014). Retrieved from http://www.emc.com/domains/rsa/index.htm Authentication. (2014). Retrieved from http://www.webopedia.com/TERM/A/authentication.html authentication Keen, M. (2014). Top 5 authentication security considerations for Business Process Management. Retrieved from https://www.ibm.com/developerworks/community/blogs/WebSphere_Process_Server/entry/top_ 5_auth_security_holes_in_bpm?lang=en Data and system security measures. (2010). Retrieved from http://www.nyu.edu/its/policies/sec_datasys.html 2010 Secure computing. (2014). Retrieved from http://its.yale.edu/secure-computing/minimumsecurity-controls-devices-systems-and-servers Conklin, A., White, G., Williams, D., Davis, R., Cothren, C. (2012). Principles of Computer Security: CompTIA Security+ and Beyond (Exam SY0-301), (3rd ed.). Retrieved from The University of Phoenix eBook Collection database..

10

Security Considerations