ubiccform 240


Adnan G. Abuarafah, Faculty of Computer and Information Systems, Umm Al-Qura University, Makkah, Saudi Arabia, abuarafa@uqu.edu.sa
Mohamed Osama Khozium, Faculty of Computer and Information Systems, Umm Al-Qura University, Makkah, Saudi Arabia, Osama@khozium.com


Increasing technology trends have exposed every infrastructure to new hazards. Present information policies are not readily equipped with up-to-date analysis of the problems suffered throughout networks. This paper addresses not only technical security issues but also provides managerial solutions. It practically targets resource allocation, keeping new management issues in view together with their technical adoption to the available parameters. The technical solution provided is strategic in nature but comes with self-assessment criteria, so that system reliability issues with security complexities can now be targeted effectively.

Keywords: Security Risks, Security Process Management, Security Assessment, Security Plans, Security Model, Security Audit

1 INTRODUCTION

Every movement that comes to us brings new challenges, and the rising slogan of IT has brought new horizons to our attention. Today continuous progress and service delivery have changed business imperatives, as IT security has become an integral part of any infrastructure. Continuous advances in information technology have opened up the number of possible security threats; vulnerabilities and security incidents are rising at an ever faster pace despite efforts at national and international levels. The problems currently faced by organizations are not only the rising trends in information technology but an unrealistic approach to coping with an evolving environment, which has cost the world billions of US dollars.

Here is some data from the real world [2],[3]:
1.1 Computer fraud in the U.S. alone exceeds $3 billion each year.
1.2 Less than 1% of all computer fraud cases are detected.
1.3 Over 90% of all computer crime goes unreported.
1.4 "Although no one is sure how much is lost to EFT (Electronic Funds Transfer) crime annually, the consensus is that the losses run in the billions of dollars. Yet few in the financial community are paying any heed."
1.5 Average computer bank theft amounts to $1.5 million each year.

Actually, the probability of loss is not based upon mathematical certainty; it is a consideration of the likelihood that a loss risk event may occur in the future, based upon historical data, the history of like events at similar enterprises, the nature of the neighborhood, the immediate vicinity, the overall geographical location, political and social conditions, and changes in the economy, as well as other factors that may affect probability.

Solutions are still necessary to manage the risk; the options include the security measures available to reduce the risk of the event. Equipment or hardware, policies and procedures, management practices, and staffing are the general categories of security-related options.

Service providers claiming to protect with the help of a collection of tools are providing unreliable results, and that has been caused by security programs that do not extend their boundaries to the combined approach of people, process and technologies [1].

Even inter-departmental collaboration to manage effective processes is not up to the mark for achieving a high level of IT security across an organization.

The rest of the paper is organized as follows. The next section provides an overview of general threats. Section three highlights the sources of threats and possible impacts. In section four the projected risk assessment problem is discussed. In section five we describe the proposed structure for security assessment. Section six introduces the risk assessment procedure, while section seven concludes the paper.

2 OVERVIEW ON GENERAL THREATS

A threat is a person, place, or thing that has the potential to access resources and cause harm. Threats can originate from two primary sources: humans and catastrophic events. Human threats can subsequently be broken down into two categories: malicious and non-malicious. Non-malicious "attacks" usually come from users and employees who are not properly trained on computers and who are not aware of the various computer security threats. Malicious attacks usually come from external people or disgruntled current or ex-employees who have a specific goal or objective to achieve [3],[7].

In fact there are literally hundreds of ways to categorize threats; in general, threats can be listed as follows:

2.1 Human Error:
• Accidental destruction, modification, disclosure, or incorrect classification of information.
• Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge (e.g. system administrators).
• Workload: too many or too few system administrators; highly pressurized users.
• Users may inadvertently give information on security weaknesses to attackers.
• Incorrect system configuration.
• The security policy is not adequate.
• The security policy is not enforced.
• The security analysis may have omitted something important, or be simply wrong!

2.2 Dishonesty: fraud, theft, embezzlement, selling of confidential corporate information.

2.3 Attacks by Social Engineering:
• Attackers may use the telephone to impersonate employees in order to persuade users or administrators to give out usernames, passwords, modem numbers, etc.
• Attackers may persuade users to execute Trojan horse programs.

2.4 Abuse of privileges / trust.
2.5 Unauthorized use of "open" terminals/PCs.
2.6 Mixing of test and production data or environments.
2.7 Introduction of unauthorized software or hardware.
2.8 Time bombs: software programmed to damage a system on a certain date.
2.9 Operating system design errors: certain systems were not designed to be highly secure (e.g. PCs, many UNIX versions).
2.10 Protocol design errors: certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in:
• Source routing, DNS spoofing, TCP sequence guessing and unauthorized access being achievable.
• Hijacked sessions and authentication session / transaction replay being possible, so that data is changed or copied during transmission.
• Denial of service, due to ICMP bombing, TCP SYN flooding, large PING packets, etc.
2.11 Logic bomb: software programmed to damage a system under certain conditions.
2.12 Viruses (in programs, documents and email attachments).

3 SOURCES OF THREATS AND POSSIBLE IMPACTS

3.1 Sources of threats [2]
a. Political espionage.
b. Commercial espionage. Since the end of the cold war, the entire intelligence community has undergone a significant shift from classical east-against-west spying to each-country-must-protect-its-economy. Former KGB and CIA employees are now working as freelance commercial intelligence services. Sources of such espionage are competitors (domestic and international).
c. Employees:
• Disgruntled employees and (former) employees.
• Bribed employees.
• Dishonest employees (possible at all levels: from top management down). System and security administrators are "high-risk" users because of the confidence required in them. Choose with care.
d. Hackers:
• Beginners: know very little, use old, known attack methods.
• Braggers: are learning a lot, especially from other hackers. They seek gratification by bragging about their achievements.
• Experts: highly knowledgeable, self-reliant, inventive, try to be invisible. They may provide tools/information to the braggers to launch attacks, which hide their own, more subtle attacks.
e. Contractors / vendors who have access (physical or network) to the systems.
f. Organized crime (with goals such as blackmail, extortion etc.).
g. Private investigators, "mercenaries", "free
h. Law enforcement and government agencies (local, national and international), who may or may not be correctly following legal procedures.
i. Journalists looking for a good story.

3.2 Possible Impacts
Impacts are very business specific, depending on the assets, the type of business and the current countermeasures (IT infrastructure). Impacts describe the effect of a threat. The impact may also depend on the length of time that business functions are disrupted. The following is a list of some basic impacts that a company may be subjected to:
• Disclosure of company secrets, disclosure of customer data, disclosure of accounting data.
• Modification of accounting data or customer data.
• Attackers impersonating the company or its customers.
• Bad company publicity: hacker security breaches publicized.
• Bad company publicity: customer information modified/deleted/publicized.
• Bad division publicity: external attackers used a particular division as an entry point to the corporate network.
• Major disruption of business functions.
• Major disruption of the network.
• Fraud.
• Loss of customer confidence (if the disruption lasts for a longer period of time, or occurs frequently, customers would probably be lost).
• The company may be legally prosecuted (negligence, breaking the law or regulatory requirements).
• Reduction of quality of service.
• Possible gains for competitors and thus loss of revenue.
• The corporate network may be used as a base by attackers for attacking other sites.
• The corporate network may distribute software containing attacker software.
• Electronic fraud.

4 PROJECTED RISK ASSESSMENT PROBLEM

For effective risk management, sound business decisions with continuous monitoring over assets and all issues related to their sensitivity and criticality are needed. Along with their associated assets, proper decisions are needed to work up risk management plans that can have an impact on departments and on the organization's environment as well [12].

Today several standards adopted at national and international level are needed with all their classifications, and they must be managed with up-to-date, continuously coordinated directions for service providers. Here not only technical but also operational issues are to be targeted in a well established way [4].

Information management can provide continuity of plans and collaborative IT security where the availability of critical services is always ensured to its maximum level. For that, the organization has to apply self-assessment criteria for continuous planning, so that measured results can be inferred from resources, with evolving security plans that can recognize problems and provide remedial actions for the organization [14].

Information management plans can lead us towards effective planning that enables us to audit the administrative and functional areas of IT in terms of the resources and finance concerned, along with a positive reporting process [8].

5 PROPOSED STRUCTURE FOR SECURITY ASSESSMENT

Traditional approaches like intrusion detection systems generally detect unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers. In our proposed approach, however, we focus on the behavior of the employees of the organization.

The following figures are included as examples, to give an idea of what is going on in the real world [2],[3]:
• Common causes of damage: Human Error 52%, Dishonest people 10%, Technical Sabotage 10%, Fire 15%, Water 10% and Terrorism 3% (Figure 1).
• Who causes damage? Current employees 81%, Outsiders 13%, Former employees 6% (Figure 2).

• Types of computer crime: Money theft 44%, Damage of software 16%, Theft of information 16%, Alteration of data 12%, Theft of services 10%, Trespass 2%.

[Figure 1: The common causes of damage in security area. Chart over Human Error, Dishonest People, Technical Sabotage, Fire, Water and Terrorism, with the percentages listed above.]

From sections 3 and 4, once the threats, impacts and corresponding risks have been listed and the constraints have been analyzed, the significant business risks (or weaknesses) will be more evident, allowing a counter-strategy to be developed.

The formulation of the following steps can enhance the information security structure of any organization:
1. Identify security deficiencies
2. Continuous IT planning for technical and operational tasks
3. Self-assessment mechanism
4. Audit process planning
5. Incident handling procedures
6. Information recovery methodology
7. Backup of data and configuration
8. Incident impacts
9. Future security visions
10. Quality measures for security

[Figure 2: Types of employees who cause damage in security area. Chart over Current employees, Outsiders and Former employees, with the percentages listed above.]

For any effective plan, senior management should always be involved in the implementation process; that boundness can bring a true strategy of

Current infrastructure providing physical security measures has not proved adequate, because potentially large-scale undefined problems cannot be limited to a few workstations. Security safeguards need to be improved via identification and authentication where a low-risk environment prevails. While considering security procedures, access privileges need to be monitored and controlled for every level of access [5].

Organizations have to apply departmental zones with reference to security control and access mechanisms. One key mechanism that is often neglected by many organizations is continuous monitoring of network traffic with all its available resources. As shown in Figure 3, along with proper security standards, controlling is also ensured in order to identify security breaches and suspected or known security threats. An organizational security plan can be adopted with proper control mechanisms, which are:
1. Physical access controls
2. Device and media controls
3. Procedural controls

With all their departments, organizations should evaluate their risk assessment plans often, after a certain period of time, as the tools associated with security are not at a halt. Organizations also have to share their experiences for better control, as the tools provided by vendors are sometimes not focused on regional issues [11].

All technical and operational environments should log the event in case any incident occurs. The management plan should be qualified to assess the potential impact and to properly identify the system, so that, to tackle this issue, the system control should be configured with best

[Figure 3: Information hierarchy for Security Implementation. The Management Security Plan sits above four elements: Standards & Policies, Creating Awareness, Monitoring & Controlling, and Risk Assessment.]

All operational records associated with human operations and service delivery should always include the risk related to the IT system, with reference to their priority as mentioned or described by security advisors, as described in Figure 4.

[Figure 4: Securing User's Privacy. Departments, IT Division and End Users are mapped onto Security and Privacy.]

6 RISK ASSESSMENT PROCEDURE

Risk assessment should take into account the potential adverse impact on the organization's reputation, operations and assets. Risk assessment should be conducted by teams composed of appropriate managers, administrators and all other personnel associated with those activities [11].

Organizations need to adopt local notification procedures which include a reporting mechanism, whereas the disaster recovery plan should also specify an emergency procedures plan, including the system documentation required for performing recovery.

Many organizations where proper systems have not been deployed are still missing corrective measures, or have never considered them in their security planning; they need to apply recovery plans along with all possible strategic planning, and that should not be limited to management decisions: communications and actions should be properly recorded.

7 CONCLUSION

Information security issues can be better targeted if effective risk management plans come into existence as proposed in this paper, where continuous planning along with standards can bring an IT infrastructure in which processes are not only managed but effective control along with audit can create awareness among people, who can readily initiate action plans for the best security configuration [6],[10].

We strongly hold that, besides physical security measures, the following steps are needed for security advancement in both the management and the technical areas:
1. Promote a culture of security
2. Raise awareness about the risks of information systems
3. Enhance the confidence level among all participants in the information system
4. Adopt a culture of cooperation and information sharing
5. Conduct a full risk assessment in accordance with internationally accredited standards
6. Coordinate with departments for regular monitoring of all servers
7. Develop action plans and milestones for information security

REFERENCES

[1] Bishop Matt, "Introduction to Computer Security", Prentice Hall PTR, 2004.
[2] Boran Sean, "IT Security Cookbook", linuxsecurity, 2003.
[3] Devoney Chris, "Security in Review: Yesterday and Tomorrow", Enterprise Strategies Newsletters, esj.com, Dec. 18, 2007.
[4] Glaessner Thomas, "Electronic Security: Risk Mitigation in Financial IT Transactions", The World Bank, June 2002.
[5] Higgins John C., "National Training Standard for Information Systems Security (INFOSEC) Professionals", Proceedings of the 12th National Computer Security Conference, June 1994.
[6] ISO/IEC 27002, "Code of Practice for Information Security Management", BSI Management Systems, 2005.
[7] MSSC, "Securing Windows 2000 Server", Microsoft TechNet, 2006.
[8] Pfleeger Charles P., Security in Computing, Prentice Hall, 1989.
[9] Risk Management Group, "Sound Practices for Management & Supervision of Operational Risk", Bank for International Settlements (BIS), 2003.
[10] Schwartz Mathew, "How to Lower Security Compliance Costs", IT Compliance Institute, June 15, 2005.
[11] Stoneburner G., Goguen A. and Feringa A., "Risk Management Guide for Information Technology Systems", NIST Special Publication 800-30, July
[12] Swindle Orson, "Cybersecurity and Consumer Data: What's at Risk for the Consumer?", Federal Trade Commission, 2003.
[13] US President's Information Technology Advisory Committee, "Cyber Security Report", Feb. 2005.
[14] Zamorski Michael, "Audit IT Examination Handbook" and "FFIEC Audit Examination Procedures", US Federal Financial Institutions Examination Council, HB 49, Proc. 27, 2003.


UbiCC Journal (Ubiquitous Computing and Communication Journal, ISSN 1992-8424), www.ubicc.org