
Chapter 5

Protecting Information Resources

1. Computer and Network Security: Basic Safeguards


Computer and network security has become critical for most organizations, especially in recent years, as hackers, or computer criminals, have become more numerous and more adept at stealing and altering private information. Hackers use a variety of tools to break into computers and networks, such as sniffers, password crackers, rootkits, and many others, which can be found free on the web. A comprehensive security system protects an organization's resources, including information and computer and network equipment. The type of information an organization needs to protect can take many forms: e-mails, invoices transferred via electronic data interchange (EDI), new product designs, marketing campaigns, and financial statements.

A comprehensive security system includes hardware, software, procedures, and personnel that collectively protect information resources and keep intruders and hackers at bay. There are three important aspects of computer and network security: confidentiality, integrity, and availability, collectively referred to as the CIA TRIANGLE.

Confidentiality means a system must not allow disclosing information to anyone who isn't authorized to access it.

Integrity- ensures the accuracy of information resources in an organization.

Availability- ensures that computers and networks are operating, and that authorized users can access the information they need. It should also ensure quick recovery in case of system failure or disaster.

TYPES OF HACKERS

SCRIPT KIDDIE- an inexperienced, usually young hacker who uses programs others have developed to attack computer and network systems and deface Web sites.

BLACK HAT- hackers who specialize in unauthorized penetration of information systems. They attack systems for profit, fun, or political motivations, or as part of a social cause. These penetration attacks often involve modifying and destroying data.

WHITE HAT (also known as ethical hacker)- computer security experts who specialize in penetration testing and other testing methods to ensure that a company's information systems are secure.

When planning a comprehensive security system, the first step is designing a fault-tolerant system, which has a combination of hardware and software for improving reliability- a way of ensuring availability in case of a system failure. Some commonly used methods include the following:

a. Uninterruptible power supply (UPS)
b. Redundant array of independent disks (RAID)
c. Mirror disk

2. SECURITY THREATS: AN OVERVIEW


Threats can also be categorized by whether they're unintentional (such as natural disasters, a user's accidental deletion of data, and structural failures) or intentional. Intentional threats include hacker attacks and attacks by disgruntled employees- spreading a virus on the company network, for instance.

2.1 INTENTIONAL THREATS

VIRUS- consists of self-propagating program code that's triggered by a specified time or event.

WORM- also travels from computer to computer in a network, but it doesn't usually erase data. Unlike viruses, worms are independent programs that can spread themselves without having to be attached to a host program.

TROJAN PROGRAM- contains code intended to disrupt a computer, network, or Web site and is usually hidden inside a popular program. Users run the popular program, unaware that the malicious program is also running in the background.

LOGIC BOMB- is a type of Trojan program used to release a virus, worm, or other destructive code. Logic bombs are triggered at a certain time or by an event, such as a user pressing Enter or running a specific program.

BACKDOOR- (trapdoor) is a programming routine built into a system by its designer or programmer. This routine enables the designer or programmer to bypass system security and sneak back into the system later to access programs or files.

BLENDED THREAT- is a security threat that combines the characteristics of computer viruses, worms, and other malicious code with vulnerabilities found on public and private networks.

DENIAL-OF-SERVICE (DoS) ATTACK- floods a network or server with service requests to prevent legitimate users from accessing the system.

SOCIAL ENGINEERING- means using people skills- such as being a good listener and assuming a friendly, unthreatening air- to trick others into revealing private information. This attack takes advantage of the human element of security systems.

3. Security Measures and Enforcement: An Overview

3.1 BIOMETRIC SECURITY MEASURES

BIOMETRIC SECURITY MEASURES- use a physiological element to enhance security measures. These elements are unique to a person and can't be stolen, lost, copied, or passed on to others. The following list describes some biometric devices and measures:

* facial recognition
* fingerprints
* hand geometry
* iris analysis
* palm prints
* retinal scanning
* signature analysis
* vein analysis
* voice recognition

3.2 NONBIOMETRIC SECURITY MEASURES


CALLBACK MODEM- is used to verify whether a user's access is valid by logging the user off (after he attempts to connect to the network) and then calling the user back at a predetermined number.

FIREWALL- is a combination of hardware and software that acts as a filter or barrier between a private network and external computers or networks, including the internet. A network administrator defines rules for access, and all other data transmissions are blocked.

INTRUSION DETECTION SYSTEM (IDS)- can protect against both external and internal access. They're usually placed in front of a firewall and can identify attack signatures, trace patterns, generate alarms for the network administrator, and cause routers to terminate connections with suspicious sources.
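The firewall rule described above (administrator-defined rules for access, everything else blocked) as an added worked example, not code from the original chapter; the rule set, addresses and sample packets are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network     # source addresses the rule applies to
    dst_port: Optional[int]        # None matches any destination port

    def matches(self, proto: str, src_ip: ipaddress.IPv4Address, dst_port: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and src_ip in self.src
                and (self.dst_port is None or self.dst_port == dst_port))


# Administrator-defined rules (constructed for this example). Rules are checked in
# order and the first match decides, so the quarantined subnet is listed before the
# broader allow rule that would otherwise admit it.
RULES = [
    Rule("deny",  "any", ipaddress.ip_network("10.0.99.0/24"), None),  # quarantined subnet
    Rule("allow", "tcp", ipaddress.ip_network("0.0.0.0/0"), 443),      # public HTTPS
    Rule("allow", "tcp", ipaddress.ip_network("10.0.0.0/8"), 22),      # SSH from inside only
]


def filter_packet(proto: str, src: str, dst_port: int, rules=RULES) -> str:
    """Return "allow" or "deny" for one packet; anything no rule allows is blocked."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.matches(proto, src_ip, dst_port):
            return rule.action
    return "deny"  # default deny: with no explicit rule, the transmission is blocked


if __name__ == "__main__":
    # Constructed sample packets: (protocol, source address, destination port)
    samples = [("tcp", "203.0.113.7", 443), ("tcp", "203.0.113.7", 22),
               ("tcp", "10.1.2.3", 22), ("tcp", "10.0.99.5", 22), ("udp", "10.1.2.3", 53)]
    for proto, src, port in samples:
        print(f"{proto} {src} -> :{port}  {filter_packet(proto, src, port)}")
```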

5.1 IDS VENDORS


VENDOR                                    URL
Enterasys Networks, Inc.                  www.enterasys.com
Cisco Systems, Inc.                       www.cisco.com
IBM Internet Security Systems             www.iss.net
Juniper Networks, Inc.                    www.juniper.net/us/en
Check Point Software Technologies, Ltd.   www.checkpoint.com

3.3 PHYSICAL SECURITY MEASURES

PHYSICAL SECURITY MEASURES- primarily control access to computers and networks and include devices for securing computers and peripherals from theft.

3.4 ACCESS CONTROLS

ACCESS CONTROLS- are designed to protect systems from unauthorized access to preserve data integrity. The following sections describe two commonly used access controls: terminal resource security and passwords.

TERMINAL RESOURCE SECURITY- is a software feature that erases the screen and signs the user off automatically after a specified length of inactivity.

PASSWORD- is a combination of numbers, characters, and symbols that's entered to allow access to a system. A password's length and complexity determine its vulnerability to discovery by unauthorized users.
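To put numbers on the claim that length and complexity determine a password's vulnerability to discovery, here is an added example (not from the chapter) that sizes the search space an exhaustive guesser faces; the character classes follow the definition above, the sample passwords are constructed, and the guess rate of 1e10 per second is an assumption:

```python
import string

# Character classes named in the page's definition of a password: numbers,
# characters (upper- and lower-case letters) and symbols.
CLASSES = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "symbols": string.punctuation,
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet a guesser must cover: the union of every class the password uses."""
    if not password:
        raise ValueError("empty password")
    unknown = [c for c in password if not any(c in chars for chars in CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet and length covers."""
    return alphabet_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: short lower+digits, short all-four-classes, long lower-only
    for pw in ["hunter2", "P@ssw0rd", "correcthorsebatterystaple"]:
        print(f"{pw:28} alphabet={alphabet_size(pw):3} length={len(pw):2} "
              f"keyspace={keyspace(pw):.3e} years={years_to_exhaust(pw):.3e}")
```

The long lower-case passphrase has a far larger search space than the eight-character password that mixes all four classes, which is why length carries more weight than symbol count.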

3.5 VIRTUAL PRIVATE NETWORKS

VIRTUAL PRIVATE NETWORK- provides a secure tunnel through the internet for transmitting messages and data via a private network.

3.6 DATA ENCRYPTION

DATA ENCRYPTION- transforms data, called plaintext or cleartext, into a scrambled form called ciphertext that can't be read by others.

SECURE SOCKETS LAYER- is a commonly used encryption protocol that manages transmission security on the internet.

TRANSPORT LAYER SECURITY- is a cryptographic protocol that ensures data security and integrity over public networks, such as the internet.

ASYMMETRIC ENCRYPTION- uses two keys: a public key known to everyone and a private or secret key known only to the recipient.

SYMMETRIC ENCRYPTION- also called secret key encryption; the same key is used to encrypt and decrypt the message. The sender and receiver must agree on the key and keep it secret.

3.7 E-COMMERCE TRANSACTION SECURITY MEASURES

In e-commerce transactions, three factors are critical for security: authentication, confirmation, and nonrepudiation. Authentication is important because using a credit card number in an online transaction doesn't mean the person using it is the card's legitimate owner. Confirmation- must also be incorporated into e-commerce transactions to verify orders and receipt of shipments. Nonrepudiation- is essential in case a dispute over a transaction is raised. Digital signatures are used for this factor and serve to bind the partners in a transaction.

E-commerce transaction security is concerned with the following issues:

CONFIDENTIALITY
AUTHENTICATION
INTEGRITY
NONREPUDIATION OF ORIGIN
NONREPUDIATION OF RECEIPT
