A Taxonomy of Loss

Article Index

Page 4 of 5

 

Beyond the Wall

The fixed defence mechanisms and procedures described above are an essential starting point for any computer systems security implementation.

This section describes additional approaches which can enhance the overall security of a computer system. Each of these approaches warrants a more detailed explanation than can be given here.

Defence in depth

Most security systems rely on a perimeter defences such as firewalls to protect the core computing systems from external attack. If the attacker is an employee or can gain access to part of the internal network, they are largely free to launch additional attacks at leisure.

A layered approach to security, including internal systems layers, extends the protection of systems to within the organizational structure without substantially impeding normal systems use. This can seem overly paranoid, but a large proportion of security breaches are committed by or with the assistance of people within the target organization.

Continuous Improvement

The dynamic nature of modern business, and in particular the computing environment, means that the comprehensive security policy of today may not longer be adequate tomorrow.

Regular reviews of the security status are essential to ensure that any additions or modifications to the computer systems are supported.

Changes in the business environment may shift the balance of risk and reward for some operations. A computer systems security policy must always be driven by the requirements of the organization rather than attempt to constrain the organization within the comfort zone of the systems staff.

Monitoring

Most server applications can generate log files of all the requests to which they respond. These log files can be examined for traffic patterns which may indicate either attempted or actual breaches of the security policy.

The log file monitoring processes are a form of intrusion detection system, although the analysis of log archives can only reveal an attack after it has occurred.

  • Internet proxy server logs can show all the web sites which users are accessing. These can be checked for possible ‘inappropriate’ content in breach of acceptable use guidelines.
  • Web server logs can show attempts to access known server vulnerabilities. These logs will also show those portions of your web site that are most in use (which pages are requested).
  • Firewall logs can show attempted access to restricted ports. A pattern of such attempts may indicate a concerted effort to attack a computer system.

Publishing selected information from such log analyses can promote self-censorship amongst the user population; if they know someone is watching, they are less likely to misbehave.

Warning 1

There are significant privacy issues which you should consider before undertaking any traffic analysis. Even if you choose not to publish any results of a log analysis, you should ensure that all users are aware that such logs are collected.

Warning 2

Information is log files is not always accurate. A sophisticated attacker can conceal their actions behind a false address or identity. Server logs can reveal an attack but are not sufficient to completely identify the attacker.

Testing and Auditing

Keys features of the security system can be tested to ensure that security policies are being observed and that defence systems are functioning correctly.

  • In many cases passwords can be checked for easily guessed values.
  • Expired and unused accounts can be suspended or removed.
  • Firewall systems can be checked for correct operation.
  • Server operating systems and application software can be checked for required upgrades.

A program of regular audits can reveal potential security problems before the attackers have the opportunity to exploit them.

Intrusion Detection Systems

Intrusion detection systems (IDS’s) monitor traffic in real-time and generate alarms if they detect a pattern which indicates that an attack is occurring.

  • Log File Monitors (LFM) examine log files generated by network services for patterns which indicate an attack. LFMs require detailed knowledge about the format of the log files being examined.

A live monitor may depend on specific features in the application being monitored.

  • Network Intrusion Detection Systems (NIDS) monitor network traffic to detect attacks.

NIDS are usually installed on an internet firewall and can only monitor the traffic passing through that device. NIDS can be open to subversion by avoidance and concealment techniques and are subject to the integrity of the system on which they execute.

  • System Integrity Verifiers (SIV) detect changes to system files which may indicate that a successful attacker has left a backdoor entry mechanism for later exploitation.

An effective SIV will monitor several different attributes of system files, including the file size and timestamp and multiple checksum values. These values are compared to a reference database which must be stored securely and updated whenever a legitimate change is made to the system.

  • Deception Systems (decoys, lures, fly-traps, honeypots) present fake interfaces which emulate weaknesses in order to entrap attackers.

The value of a deception hosts to a normal organization is debatable. Although legal sanctions are available, there is little return for the time and effort required to prove the identity of any attacker.

IDS’s are highly complex systems requiring detailed configuration and maintenance. IDS’s can have problems with false positives and slow or stealth attacks.

Search Tags

moodle  audit  joomla  wireless  implementation  testing  analysis  programming  office  email  vba  process  owncloud  browser  website  software  documentation  open source  security  psychology

Features Articles

Beyond the Blackboard

Considerations when designing or specifying an on‑line learning environment.

For many organisations, the provision of training to staff and customer represents a significant cost. As the processing power and network bandwidth available to desktop PCs increases, the performance and features of on‑line learning systems have improved to the point where the delivery of training via a computer has become a viable option.

While on‑line learning is not an appropriate solution for all training needs, it does provide an effective training delivery mechanism in the right circumstances.

This article discusses some of the issues involved in creating an on‑line learning environment, viewed from the perspective of the different interest groups involved. The information and concepts shown here are not definitive; you should carefully consider your own specific requirements before implementing any computer system.

Open Source

You shouldn't be using open source software because it's cheaper (although it is), you should be using it because of its features and flexibility and the fact that it doesn't lock you in to restrictive license agreements.

Documentation

It might be the last thing you want to read, but not having a well documented IT infrastructure (servers and networks) can lead to surprising events like critical systems running on unsupported servers.

Documentation must not only be accurate at the time it was created it should also meet these additional criteria:

  • Available The people who need the information must be able to get at it.
  • Editable Any documentation in the IT industry is quickly out of date, so it is essential that information is able to be correctly updated as soon as a change is required. Ideally the client or end-user should be able to do this, rather than waiting on the 'approved editor'.
  • Current 'Out of date' is just a nice way of saying 'wrong'. The date on which the underlying information was updated should be shown on any reports either printed or viewed online.

A Taxonomy of Loss

The widespread commercial use of the internet has led to an increasing focus on systems security. Media driven hype and a lack of independent information can make the true level of threat to an organization difficult to determine. Adopting a structured approach to the analysis of computer system security risks and allows an organization to more effectively balance their operational requirements against the potential for loss, whether that loss involves physical equipment, information or reputation.

This article discusses the components of a computer system, the types of attack to which they are exposed, some typical defence mechanisms and some weaknesses in the standard defences. The information and concepts shown can form a starting point for the development of suitable security and operational strategies to assist organizations to obtain the maximum value from their investments in computer systems.

Online surveys

How do you know what your customers want? Perhaps you should ask them.

Surveying your internal or external customers gives you hard information on which to base decisions about product development, marketing campaigns, resourcing or any other area where you organisation or department interacts with another group (which means in nearly everything you do).

Network Security

External Network Scanning

One of the core mechanisms for protecting networks is to install a firewall to mediate traffic between systems on the internal network, publicly accessible systems is a DMZ (from the military term demilitarised zone) and the internet.

Latest blog posts

"In theory, there is no difference between theory and practice; in practice, there is."
Chuck Reid

IP:3.140.185.170

FacebookTwitterLinkedinRSS Feed

Hosted at Panthur web hosting.

© Dropbear Consulting Pty Limited
Privacy policy