A Taxonomy of Loss
Beyond the Wall
The fixed defence mechanisms and procedures described above are an essential starting point for any computer systems security implementation.
This section describes additional approaches which can enhance the overall security of a computer system. Each of these approaches warrants a more detailed explanation than can be given here.
Defence in depth
Most security systems rely on a perimeter defences such as firewalls to protect the core computing systems from external attack. If the attacker is an employee or can gain access to part of the internal network, they are largely free to launch additional attacks at leisure.
A layered approach to security, including internal systems layers, extends the protection of systems to within the organizational structure without substantially impeding normal systems use. This can seem overly paranoid, but a large proportion of security breaches are committed by or with the assistance of people within the target organization.
The dynamic nature of modern business, and in particular the computing environment, means that the comprehensive security policy of today may not longer be adequate tomorrow.
Regular reviews of the security status are essential to ensure that any additions or modifications to the computer systems are supported.
Changes in the business environment may shift the balance of risk and reward for some operations. A computer systems security policy must always be driven by the requirements of the organization rather than attempt to constrain the organization within the comfort zone of the systems staff.
Most server applications can generate log files of all the requests to which they respond. These log files can be examined for traffic patterns which may indicate either attempted or actual breaches of the security policy.
The log file monitoring processes are a form of intrusion detection system, although the analysis of log archives can only reveal an attack after it has occurred.
- Internet proxy server logs can show all the web sites which users are accessing. These can be checked for possible ‘inappropriate’ content in breach of acceptable use guidelines.
- Web server logs can show attempts to access known server vulnerabilities. These logs will also show those portions of your web site that are most in use (which pages are requested).
- Firewall logs can show attempted access to restricted ports. A pattern of such attempts may indicate a concerted effort to attack a computer system.
Publishing selected information from such log analyses can promote self-censorship amongst the user population; if they know someone is watching, they are less likely to misbehave.
There are significant privacy issues which you should consider before undertaking any traffic analysis. Even if you choose not to publish any results of a log analysis, you should ensure that all users are aware that such logs are collected.
Information is log files is not always accurate. A sophisticated attacker can conceal their actions behind a false address or identity. Server logs can reveal an attack but are not sufficient to completely identify the attacker.
Testing and Auditing
Keys features of the security system can be tested to ensure that security policies are being observed and that defence systems are functioning correctly.
- In many cases passwords can be checked for easily guessed values.
- Expired and unused accounts can be suspended or removed.
- Firewall systems can be checked for correct operation.
- Server operating systems and application software can be checked for required upgrades.
A program of regular audits can reveal potential security problems before the attackers have the opportunity to exploit them.
Intrusion Detection Systems
Intrusion detection systems (IDS’s) monitor traffic in real-time and generate alarms if they detect a pattern which indicates that an attack is occurring.
- Log File Monitors (LFM) examine log files generated by network services for patterns which indicate an attack. LFMs require detailed knowledge about the format of the log files being examined.
A live monitor may depend on specific features in the application being monitored.
- Network Intrusion Detection Systems (NIDS) monitor network traffic to detect attacks.
NIDS are usually installed on an internet firewall and can only monitor the traffic passing through that device. NIDS can be open to subversion by avoidance and concealment techniques and are subject to the integrity of the system on which they execute.
- System Integrity Verifiers (SIV) detect changes to system files which may indicate that a successful attacker has left a backdoor entry mechanism for later exploitation.
An effective SIV will monitor several different attributes of system files, including the file size and timestamp and multiple checksum values. These values are compared to a reference database which must be stored securely and updated whenever a legitimate change is made to the system.
- Deception Systems (decoys, lures, fly-traps, honeypots) present fake interfaces which emulate weaknesses in order to entrap attackers.
The value of a deception hosts to a normal organization is debatable. Although legal sanctions are available, there is little return for the time and effort required to prove the identity of any attacker.
IDS’s are highly complex systems requiring detailed configuration and maintenance. IDS’s can have problems with false positives and slow or stealth attacks.