TOOLS FOR INFORMATION SECURITY
Firewalls
Remember the good days when a firewall was something you found in the front of your Chevy. Well, in today’s high-tech world, a firewall serves the same purpose, but for a network. Much the same as a firewall is put in a car to provide a point of resistance to a burning or hot engine, a firewall on a network performs the same type of function for a computer system.
There are three main types of firewalls:
1) A packet filter,
2) A proxy, or
3) A hybrid of the two.
A packet filter firewall examines each IP packet crossing the network and, based upon a set of rules, either lets the packet through or denies access.
A proxy firewall acts as a secure gateway between networks. The proxy authenticates data and allows only specific information to enter or leave the secure side of the proxy. Proxy servers are often referred to as application-level firewalls, protecting the network (inbound or outbound) depending on the specific application in use. Proxy firewalls are among the most secure; for that reason, administering a proxy firewall can take special skills and discipline to keep it accurate. The third type of firewall is a hybrid of the two, providing the functionality of the packet filter with the increased security level found in a proxy.
A proxy firewall works much the same as a packet filter, except that a host is placed between each of the stations desiring access to the Internet or outside services. This is often referred to as a dual-homed host architecture. The proxy server doesn’t always forward users’ requests to Internet services; it controls what users do, because it makes decisions about the requests it processes based on the company’s security policy. Additionally, the proxy server can control what access comes in to the network. A proxy service is sometimes more of a software solution and not necessarily a firewall architecture per se. Below is a diagram showing a proxy service in place with a dual-homed host.
According to Visa’s Cardholder Information Security Program, a firewall mechanism is to be put into place so that all electronic cardholder data is protected from unauthorized access during all phases of its life, from generation to destruction, and to ensure that it cannot be compromised, released to any unauthorized entity or otherwise have its confidentiality or integrity placed at risk. The firewall mechanism must be built and maintained using the model of least privilege. All access is to be on a need-to-know basis, and more importantly, all access to cardholder data will be restricted to personnel who need to access said data to perform their stated job function only.
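As an added example that is not part of these notes, the packet-filter rule evaluation described above in Go: rules are checked in order, the first match decides, and a packet that matches no rule is denied, which is the least-privilege default the Visa program calls for. The subnet, ports and rule set are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields the filter inspects (constructed for this example).
type Packet struct {
	Src     net.IP
	DstPort int
}

// Rule is one entry of the rule set; a nil SrcNet or a zero DstPort matches anything.
type Rule struct {
	Allow   bool
	SrcNet  *net.IPNet
	DstPort int
}

func (r Rule) matches(p Packet) bool {
	if r.SrcNet != nil && !r.SrcNet.Contains(p.Src) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// Filter applies the rules in order and lets the first match decide. Under the
// least-privilege model, a packet that matches no rule is denied by default.
func Filter(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow
		}
	}
	return false
}

// CardholderRules is a constructed policy: only the payments subnet 10.20.0.0/16
// may reach the database port, anyone may reach HTTPS, everything else is dropped.
var CardholderRules = []Rule{
	{Allow: true, SrcNet: &net.IPNet{IP: net.IPv4(10, 20, 0, 0), Mask: net.CIDRMask(16, 32)}, DstPort: 5432},
	{Allow: true, DstPort: 443},
}

func main() {
	p := Packet{Src: net.ParseIP("10.20.3.7"), DstPort: 5432}
	fmt.Println("payments host to database allowed:", Filter(CardholderRules, p))
}
```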
Management of system passwords
Going back a few years, employees used secret handshakes and code words to identify their right to use facilities or enter a building. Alpha bravo five, left shake right shake four finger dribble provided access to every trade secret in the organization. This age-old tradition actually is still in place today, just in a different format. Now, systems and applications can assign, log and track an employee’s access to the network or facility by use of passwords and system identification numbers.
Each employee, contractor, or vendor accessing an organization’s system should have a unique user ID and a private password. In addition, personnel needing access to systems, building infrastructure, networks and applications that access data in the organization should have prior written approval from an appropriate manager or supervisor. Requests for changes to account access also should follow established written procedures. Some common guidelines for password management include:
1. Avoid dictionary words.
2. Use both numbers and letters.
3. Avoid passwords so difficult that they cannot be remembered.
4. Avoid easily guessed names, such as a street address or product name.
5. Change passwords every few weeks, and don’t allow users to re-select previous passwords.
6. If a user makes multiple attempts to sign on with an incorrect password, block all access after a certain number of tries.
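An added Go example, not from the notes, that turns guidelines 1, 2, 5 and 6 above into code: a policy check for dictionary words, letters plus digits and reuse of a previous password (compared by SHA-256 digest rather than stored plaintext), plus a counter that blocks access after a set number of failed sign-ons. The word list and the three-attempt limit are constructed.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Policy encodes the guidelines above: no dictionary words, letters plus digits,
// no reuse of an earlier password, and lockout after MaxAttempts bad sign-ons.
type Policy struct {
	Dictionary  []string // constructed word list; a real system loads a full one
	MaxAttempts int
}

// Fingerprint hashes a password so reuse is checked against digests, not plaintext.
func Fingerprint(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// Check validates a candidate password against the policy and the user's history.
func (pl Policy) Check(pw string, history [][32]byte) error {
	lower := strings.ToLower(pw)
	for _, w := range pl.Dictionary {
		if strings.Contains(lower, w) {
			return errors.New("contains a dictionary word")
		}
	}
	if strings.IndexFunc(pw, unicode.IsLetter) < 0 || strings.IndexFunc(pw, unicode.IsDigit) < 0 {
		return errors.New("must use both letters and numbers")
	}
	for _, old := range history {
		if old == Fingerprint(pw) {
			return errors.New("a previous password may not be reselected")
		}
	}
	return nil
}

type Account struct{ Failures int } // failed sign-ons for one user
// FailedAttempt records one wrong password and reports whether access is now blocked.
func (a *Account) FailedAttempt(pl Policy) bool {
	a.Failures++
	return a.Failures >= pl.MaxAttempts
}

func main() {
	pl := Policy{Dictionary: []string{"password", "visa", "summer"}, MaxAttempts: 3}
	fmt.Println(pl.Check("Summer2024", nil), pl.Check("k7Rq2vZp91", nil))
}
```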
One of the simplest tools to implement with passwords is a shutdown of the application after a certain period of inactivity, say five minutes. This is critical for applications containing cardholder data. This way if a user unexpectedly steps away from the workstation, the system is not left vulnerable for a lengthy period of time. Additional measures should include training personnel to log off of the system when leaving the workstation.
Another method of authenticating users that is catching on rapidly is the use of a token or a physical device to validate the user’s identity. The most popular are smart cards. When users sign into a system, they are asked for a password; in addition they are prompted to insert a smart card. The system then validates both the smart card and the password prior to allowing the user to continue the session.
Other authentication methods use the human body as a token. This is most often referred to as biometrics. Biometrics serves as a gatekeeper of confidential information where authentication and the personal security of remote users are essential. Biometrics is the ultimate password replacement. The question a password seeks to answer is, “Does this user possess the right information?” With biometrics, the fundamental question that is answered is, “Is this the right person?” Biometric authentication methods include fingerprint validation, iris scans, voice recognition and other non-invasive methods to validate unique aspects of the user. Again, as with smart cards, the user can (at the discretion of the security policy) be required to supply a password that works in conjunction with the biometric scan.
To gain the most out of passwords and token systems, establish multiple controls and levels for the passwords. With a password or smart card, it becomes easy to limit where an employee can go on the network. While many persons in the organization need cardholder information, many do not. Passwords protect applications that provide this data, or require secure authentication from users before allowing access to them.
Encryption
1. Encryption is an important tool in that even if other controls such as passwords or firewalls are compromised, the data is still unusable. Data Encryption Standard (DES) is perhaps the most widely used data encryption mechanism. In a nutshell, DES uses an algorithm and a key value to take plain text and encrypt the data. Another encryption method is Secure Sockets Layer (SSL), which is often used to transmit data securely over the Internet.
Several types of encryption packages are available on the market today. They range from complex software solutions to external hardware encryption devices (such as Attalla or Racal encryption devices). While both serve similar purposes, hardware encryption devices typically are much faster than a software solution. Many common software packages provide encryption tools for use by the operator or author when storing data or saving files.
Perhaps one of the main advantages to encryption is that only machines or operators in possession of the key can restore the encrypted text to a readable format. When providing access to keys, the user should be instructed not to write the key down or keep it in a physical place close to the secured data.
When using cryptographic keys to store cardholder information, or to access cardholder information, it is vital that the integrity of the keys not be compromised. For this reason, whether it is Personal Identification Number (PIN) encryption or PIN pad encryption processes, key management controls should be implemented. The key management controls should be clearly defined, written and audited on a regular basis.
2. Encryption is the process of transforming plaintext into unreadable form (called ciphertext) using a mathematical process (RSA Data Security, 1998). An encryption system includes four elements: (1) the plaintext, the raw data or message to be encrypted; (2) the cryptographic algorithm, a mathematical method that determines how plaintext is to be combined with a key; (3) the key, a string of digits; and (4) the ciphertext, the encrypted message. The longer the key string of digits, the more difficult the encrypted data is to break. In theory, trying all possible keys in sequence can break any cryptographic method with a key. If brute force is used to attack the cryptographic algorithms, the required computing power increases exponentially with the length of the key. There are two classes of key-based mechanisms, symmetric (private-key or secret-key) and asymmetric (public-key) algorithms (SSH Communications Security, 1999). The difference between the two is that private-key algorithms use the same key for encryption and decryption, whereas public-key algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key. In general, symmetric algorithms are much faster to execute on a computer than asymmetric ones. In practice, however, they are frequently used together: an asymmetric algorithm is used to encrypt a randomly generated encryption key, and that random key is used to encrypt the actual message using a symmetric algorithm. Cryptographic algorithms, both asymmetric and symmetric, are widely used in network security. The following are some of the popular algorithms:
Public-Key Algorithms
• RSA (Rivest-Shamir-Adleman) encryption is the most commonly used public-key algorithm. The security of RSA relies on the difficulty of factoring large integers. With the advancement of computing power, 512-bit keys are currently considered weak against brute force attacks, 1024-bit keys are secure enough for most purposes, and 2048-bit keys are likely to remain secure for decades (SSH Communications Security, 1999).
• The Diffie-Hellman algorithm involves two-way communications across the Internet without exchanging keys. Each party obtains the public key for the other from a certificate authority and performs a special calculation using a discrete logarithm with its own private key. The result of the algorithm will be the same for both parties.
• Pretty Good Privacy (PGP) is an emerging encryption mechanism for protecting the privacy of network files and e-mail. It provides the means for encrypting files and e-mails, creating public and private keys, maintaining a database of public keys, adding digital signatures to documents, certifying keys and obtaining keys from key servers (Sun Microsystems, 1999). PGP runs on virtually every operating system, such as UNIX, Windows, DOS, OS/2, and Mac OS.
• Elliptic Curve Cryptography (ECC) is an emerging network security technology that allows longer key sizes while decreasing overhead and latency. ECC uses an algebraic system defined on the points of an elliptic curve to provide public-key algorithms. These algorithms can be used to create digital signatures and provide a secure means to transmit confidential information. More applications of ECC algorithms have been identified, such as financial transfers and wireless data transmissions that require intensive use of signing during authentication; they are performed at high speed and with limited bandwidth (Sun Microsystems, 1999).
Private-Key Algorithms
• Data Encryption Standard (DES) is a symmetric cipher which encrypts a message by breaking it down into blocks and encrypting each block (RSA Data Security, 1998). The DES algorithm uses 56-bit keys and a 64-bit block size. It was developed in the 1970s and has been adopted by the U.S. government. With today’s computing power, DES is easily breakable. A variant of DES, triple DES or 3DES, uses the DES algorithm three times, following an encrypt-decrypt-encrypt sequence with three different, unrelated keys. With three iterations of the DES algorithm, the effective key length is 112 bits, which is much more secure than plain DES.
• RC4 is a cipher algorithm designed by RSA Data Security. RC4 is essentially a pseudo-random number generator, and the output of the generator is exclusive-ORed with the data stream (SSH Communications Security, 1999). It is essential that the same RC4 key never be used to encrypt two different data streams. The U.S. government approves this type of algorithm with 40-bit keys only for export. The security is very weak for that key length even though the algorithm is very fast.
• International Data Encryption Algorithm (IDEA) is a fairly new algorithm developed at ETH Zurich, Switzerland. It uses a 128-bit key and is considered very secure.
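An added Go example, not from the notes, for the RC4 caveat above: it checks that two streams encrypted under one key XOR to the XOR of their plaintexts (the leak the notes warn about) and derives a distinct per-stream key as the mitigation. The long-term key, the stream identifiers and the SHA-256 derivation are constructed assumptions.

```go
package main

import (
	"crypto/rc4"
	"crypto/sha256"
)

// Encrypt runs RC4 (deprecated in Go, used here only to illustrate the notes) with
// key over msg: the keystream generated from the key is XORed with the data, so
// the same call also decrypts.
func Encrypt(key, msg []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(msg))
	c.XORKeyStream(out, msg)
	return out, nil
}

// StreamKey derives a distinct RC4 key per data stream from a long-term key and a
// never-repeating stream identifier, so no two streams ever share a keystream.
// (A constructed derivation for this example; a real system would use a proper KDF.)
func StreamKey(longTerm []byte, streamID string) []byte {
	h := sha256.New()
	h.Write(longTerm)
	h.Write([]byte(streamID))
	return h.Sum(nil)
}

// xor combines two byte slices over their common length.
func xor(a, b []byte) []byte {
	if len(b) < len(a) {
		a = a[:len(b)]
	}
	out := make([]byte, len(a))
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamShared reports whether two ciphertexts came from the same keystream:
// XORing them then cancels the keystream and leaves only p1 XOR p2, which is
// why the notes insist that one key never encrypt two different streams.
func KeystreamShared(c1, c2, p1, p2 []byte) bool {
	return string(xor(c1, c2)) == string(xor(p1, p2))
}
```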
Security Protocols
Currently, public-key and private-key algorithms are being implemented in the network security protocols. These protocols are necessary because more and more companies are doing business on the Internet, and the issue of secure payments over the Web has become a greater network security problem. Merchant servers are developed to provide secure measures for electronic commerce applications. The following are some of the widely used protocols for performing secure transactions on the web.
• The Secure Socket Layer (SSL) protocol employs private-key encryption nested within public-key encryption, authenticated through the use of digital certificates (Netscape Communications, 1999). Netscape Communications developed SSL based on RSA public-key cryptography. It allows private information, such as credit cards and purchase orders, to remain private while traveling across intranets and the public Internet. SSL is currently the most widely used method and is particularly suitable for use in e-commerce applications due to the following features: (1) privacy is ensured through encryption, (2) integrity is ensured through decryption, and (3) authentication is provided through the use of digital certificates (Netscape Communications, 1999).
• The Secure Electronic Transaction (SET) protocol was developed by Visa and MasterCard for enabling secure credit card transactions on the Internet. It employs RSA public-key encryption technology and DES single-key technology (Stallings & Van Slyke, 1998). SET uses digital certificates to ensure the identities of all parties involved in a transaction and encrypts credit card information before sending it across the Internet.
System Audits
Nearly all businesses undergo a financial audit on a regular basis. An audit of the security policy in place is just as important. During the security audit, the organization should review any policies that concern system security, as well as the processes and procedures put in place to enforce them. While it is not always necessary to have “fire” drills, it is recommended that, as part of the ongoing security policy, organizations perform random testing of mission-critical components.
Physical Security
Many organizations processing card information have physical security controls in place for entry into the operations building where information is kept. The typical scenario involves issuing badges that must be swiped or presented to enter the building. Additionally, once inside the main building, administrators can determine where in the building the person may go by requiring badges at doors to different areas of the building. For instance, an employee answering calls at a help desk probably doesn’t need access to the computer operations data center. However, this employee might need access to the file room containing original merchant setup information. This access should be administered and monitored on a daily basis. Changes to access should require written approval from the employee’s immediate supervisor and possibly require approval from other entities (such as security or information technology).
While many organizations are good at implementing security at the head office, many neglect to implement the same types of controls at the remote sales offices or facilities beyond the main operations center. Remote sales offices tend to be a little lax in their implementation of security procedures. While it may not be necessary to require a badge system at a small office, consider other physical controls in the office. Require that items such as CDs, diskettes and laptops be secured when not in use. When sending reports to remote locations, don’t include cardholder information on the reports or allow copying and printing of sensitive material at these sites.
A common mistake made with cardholder information is the improper destruction of cardholder data. Printed reports, microfiche or other media containing cardholder information should be destroyed in a secure manner prior to disposal. This could include shredding, incineration or other commercially accepted methods for secure data destruction.