Security issues and concerns regarding one’s current security status or lack thereof have been with us since day one. Let’s have a quick look at them.

Upside/Downside

The Internet is built on open, standards-based technologies documented by the IAB and IETF, which gives all software developers a common set of basic reference specifications to serve as the foundation on which they build their applications.

Unfortunately, the downside is that those wishing to perpetrate malicious activities have access to these very same standards and specifications. It is this open access to the details of how the Internet and Internet technologies are implemented that lets an attacker subvert systems, networks and the Internet itself for their own ends.

Today this tends to mean cybercrime: identity theft, fraud, theft, deliberate damage to the detriment of others, the various forms of Denial-of-Service (DoS) attacks, phishing, malware in general and the one we all hate with a passion, spam.

Civilizations, Societies, and Protocols

In order for a civilization to develop and prosper, social beings and the societies they belong to create various protocols (rules concerning acceptable or “normal” roles, behaviors, customs, etiquette and so on) which allow them to communicate with other members of that society. Language is but one of these protocols.

In these regards humans, bees, ants and so on all have much in common. The important difference is that humans have a capacity for conceptualization and virtualization of thought and self.

Knowledge and Information Technologies

Over time it has proven most beneficial for one generation to pass on to succeeding generations the knowledge that it inherited, developed and further progressed. The label we humans have given to these processes is Information Technology (IT), and its most obvious manifestation today is the Internet.

The benefits and freedoms delivered by these Information Technologies are susceptible to damage, degradation, subversion and destruction from a host of very diverse threats. Securing information technologies against these threats therefore becomes a necessity, and it is achieved by way of a wide variety of technologies, processes and training.

Before we can design and implement security procedures it is important that we first define the ultimate goals which we hope that our initiatives will achieve once implemented. Here are some of the more important security related concepts.

Security and Privacy

Because of the significant degree of entanglement of privacy and security it is practically impossible to deal with the one without involving the other. In order to deal with security and privacy related issues we must first clarify what we mean by security and being in a secure state.

In short, security is the state of being safe, protected and free from worry about possible loss, by the assurance that something of value will not be taken away, degraded or threatened in any manner by attack from without or subversion from within.

Security measures and initiatives, on the other hand, are the precautions taken to defend, maintain or improve the safety and sanctity of an entity (somebody or something) against attack, danger or crime, whether potential, perceived or real.

Security Goals

Security goals are the predefined targeted levels of protection, precautions, and/or defensive strategies deemed to be adequate and/or appropriate for specific “real world” scenarios. Thus security goals can and do vary considerably from one entity to the next.

However, from the “big picture” perspective, we find that the security goals developed by different organizations all share the commonality of providing an acceptable, predefined level of security assurance in conjunction with varying degrees of acceptable exposure, usually weighted by economic factors such as cost effectiveness.

Security Auditing and Accounting

Security auditing is the process of recording, usually to a log file, information about network and resource access and access requests, including which computers and/or users issued those requests. Typically audited criteria include use of system/network resources, security events, unauthorized access attempts, logon attempts and their outcomes, and communications-related events.
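To make the auditing idea concrete, here is an added example (not code from the original page) that parses a small set of audit records and applies two of the checks the paragraph lists: failed logon attempts and refused resource access. The log format, host names, user names and addresses are all constructed for the example; real sources such as syslog auth logs or Windows Security events carry the same fields in a different layout.

```python
"""Audit-log analysis: parse logon/access events and flag repeated failures.

Added example; not from the original page. The line format below
(timestamp, host, event, key=value fields) is a constructed, hypothetical
one chosen so the example runs offline.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample audit records (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z srv1 LOGON user=alice src=10.0.0.5 outcome=success
2024-03-01T08:00:15Z srv1 LOGON user=bob src=10.0.0.9 outcome=failure
2024-03-01T08:00:20Z srv1 LOGON user=bob src=10.0.0.9 outcome=failure
2024-03-01T08:00:25Z srv1 LOGON user=bob src=10.0.0.9 outcome=failure
2024-03-01T08:00:31Z srv1 LOGON user=bob src=10.0.0.9 outcome=failure
2024-03-01T08:00:40Z srv1 LOGON user=bob src=10.0.0.9 outcome=success
2024-03-01T08:05:00Z srv1 ACCESS user=alice src=10.0.0.5 resource=/finance/ledger.xlsx outcome=denied
2024-03-01T09:30:00Z srv2 LOGON user=carol src=10.0.0.7 outcome=failure
2024-03-01T11:30:00Z srv2 LOGON user=carol src=10.0.0.7 outcome=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>[A-Z]+)\s+(?P<kv>.*)$")


@dataclass
class AuditRecord:
    ts: datetime
    host: str
    event: str
    fields: Dict[str, str]


def parse_line(line: str) -> AuditRecord:
    """Turn one audit line into a structured record; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return AuditRecord(ts, m["host"], m["event"], fields)


def parse_log(text: str) -> List[AuditRecord]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def failed_logon_bursts(records: List[AuditRecord], threshold: int = 3,
                        window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Users with >= threshold LOGON failures inside any sliding window of the
    given length (a password-guessing indicator). Returns {user: burst size}."""
    by_user = defaultdict(list)
    for r in records:
        if r.event == "LOGON" and r.fields.get("outcome") == "failure":
            by_user[r.fields["user"]].append(r.ts)
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits


def denied_access(records: List[AuditRecord]) -> List[Tuple[str, str]]:
    """Access requests that were refused: who asked for what."""
    return [(r.fields["user"], r.fields["resource"]) for r in records
            if r.event == "ACCESS" and r.fields.get("outcome") == "denied"]


def outcome_summary(records: List[AuditRecord]) -> Counter:
    """Count of (event, outcome) pairs, the kind of roll-up an audit report starts from."""
    return Counter((r.event, r.fields.get("outcome")) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(outcome_summary(recs))
    print(failed_logon_bursts(recs))
    print(denied_access(recs))
```

Note the two failures for carol two hours apart are not flagged while bob's four failures in sixteen seconds are: the window, not the raw count, is what separates a mistyped password from a guessing attempt.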

Security-in-Depth

Security-in-depth (more commonly called defense-in-depth) is a strategic security concept based around hierarchies, multiple layers of defenses and the removal of single points of failure. The basic philosophy is to use multiple layers of defenses, each employing several different types of defense, at every stage and station of a security infrastructure.

One consequence of this at the access-control layer is step-up authentication: any time a user requires access to assets or resources whose prescribed access and privilege levels exceed those of the user’s current logon session, the user is required to supply additional authentication credentials in order to proceed.

For instance, an example of security/defense-in-depth would use varying combinations of password authentication in conjunction with, and supplemental to, smart cards, keypads, biometrics, digital signatures/certificates and so on.
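The following is an added example (not from the original page) of the step-up rule described above. It assumes a hypothetical policy in which a session's assurance level is the number of distinct factor categories (something you know, have or are) that have been verified, and each resource carries a required level; the resource names, factor names and credential values are all invented for the example.

```python
"""Step-up authentication as a defense-in-depth control (added example).

Assumptions (hypothetical): assurance level = number of distinct factor
categories verified in the session; each resource has a required level;
a request below that level is refused with the missing categories named,
so the caller can prompt for an additional credential and retry.
"""
import hmac
from dataclasses import dataclass, field
from typing import List, Set

# Factor name -> category. Two knowledge factors (password + PIN) are still
# one category; combining categories is what raises assurance.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "smartcard": "possession",
    "totp": "possession",
    "fingerprint": "inherence",
}

# Hypothetical resource classification -> required assurance level.
RESOURCE_LEVEL = {
    "/intranet/news": 1,
    "/hr/payroll": 2,
    "/ca/signing-key": 3,
}


@dataclass
class Session:
    user: str
    verified: Set[str] = field(default_factory=set)  # factor names proven so far

    @property
    def assurance_level(self) -> int:
        return len({FACTOR_CATEGORY[f] for f in self.verified})


class StepUpRequired(Exception):
    """Raised when the session must present another factor before access."""

    def __init__(self, resource: str, have: int, need: int, missing: List[str]):
        super().__init__(f"{resource} needs level {need}, session has {have}")
        self.missing_categories = missing


def verify_factor(session: Session, factor: str, presented: str, expected: str) -> bool:
    """Toy verifier: a constant-time compare stands in for real password
    hashing, smartcard challenge-response, TOTP validation and so on."""
    if factor not in FACTOR_CATEGORY:
        raise ValueError(f"unknown factor {factor}")
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False
    session.verified.add(factor)
    return True


def authorize(session: Session, resource: str) -> bool:
    """Allow access only if the session's assurance meets the resource's level."""
    need = RESOURCE_LEVEL.get(resource)
    if need is None:
        return False  # unclassified resources are denied by default
    have = session.assurance_level
    if have >= need:
        return True
    held = {FACTOR_CATEGORY[f] for f in session.verified}
    missing = sorted(set(FACTOR_CATEGORY.values()) - held)
    raise StepUpRequired(resource, have, need, missing)


if __name__ == "__main__":
    s = Session("alice")
    verify_factor(s, "password", "correct horse", "correct horse")
    print(authorize(s, "/intranet/news"))          # True at level 1
    try:
        authorize(s, "/hr/payroll")                # level 2 needed
    except StepUpRequired as e:
        print(e, "-> present one of:", e.missing_categories)
    verify_factor(s, "totp", "482913", "482913")   # second category
    print(authorize(s, "/hr/payroll"))             # True at level 2
```

The design point is that a second factor of the same category (a PIN after a password) does not raise the level; only a different category does, which is exactly why the paragraph pairs passwords with smart cards, biometrics or certificates rather than with more passwords.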

Additional Networking and Security Infrastructure

Additional factors worthy of consideration when designing and building a security infrastructure include: physical accessibility, system/network availability, firewalls, Demilitarized Zones (DMZs), surveillance systems (video cameras), traffic control mechanisms, check-points, email security initiatives, multi-factor authentication, intrusion detection systems and intrusion prevention systems.

Security Policies

A security policy is a document containing a set of organization/enterprise-level rules governing acceptable usage of enterprise assets and resources as well as user behaviors. Response measures (what to do when things go wrong) are usually included in security policy documentation as well.

Other criteria commonly found in security policies include: information technology resources, acceptable security practices, acceptable operational procedures, best-practice guidelines, recommended procedures and practices, and a glossary of the terms and terminology used.

There are quite a number of different types of policies that organizations, enterprises, businesses and institutions must develop and implement. Many of these policies are created primarily in response to legislation and regulatory requirements.

Generally speaking, this group of essential and mandatory policies includes: authentication policies, password policies, privacy policies, environmental policies, auditing and accounting policies, physical security policy, emergency events and response policies, general resources and assets usage policies.

Under Attack

An attack is the direct or indirect, real or perceived, consequence of actions perpetrated by one or more entities with the intent to intrude upon, compromise, degrade, control or otherwise adversely affect the assets, prerogatives, freedoms and rights of one or more other entities, generally with deliberate malicious intent, manner or purpose.

A threat is any entity possessed of the potential, and usually the deliberate intent, to cause hazard, harm, degradation or unsolicited action to the disadvantage, peril or jeopardy of another entity or asset. A vulnerability is a weakness or flaw that a threat can take advantage of in an unsolicited, unfair or selfish manner; an exploit is the technique, code or sequence of actions that actually takes advantage of such a vulnerability, to the benefit of the threat and the disadvantage or detriment of the one being exploited (the target or victim).

Security analysts have identified a special category of vulnerability, known as a zero-day vulnerability, which is generally considered to be of the highest order of risk because there is no known patch or countermeasure available at the time the vulnerability, flaw or exploit is first publicly disclosed.

Napoleonic Tactics – Divide and Conquer

In order to manage the vast array of attack types, with an eye to producing the most appropriate response with the shortest possible delay between identification/notification and the development and roll-out of countermeasures, it is helpful to break attacks into classes delineated by the relative location of the attack’s source as well as the relative location of its target, as follows:

Outside

Resources and assets external to an organization come under attack, and the effects and consequences are felt by the organization and other parties. This type of attack can result in damage arising directly from the attacker’s malicious intent, targeting you specifically.

Damage from outside sources can also be collateral in nature. This type of damage arises directly or indirectly out of malicious intent and/or actions by the attacker directed at another party but adversely affecting you in the process.

Outside-In

A more classical form of attack, whereby an external attacker intrudes into the targeted system/network by penetrating its defenses in order to execute ill intent or perpetrate malicious and vindictive activities.

Data theft, particularly of Personally Identifiable Information (PII) and financial information in general, tends to be the main motive here. Other vindictive actions, such as data corruption, also occur as the result of outside-in attacks.

A more recent twist on this theme, now known as ransomware, sees the villains gaining access to inside resources including databases and account information. Once in, they encrypt your data, thereby denying you rightful access to it. For a sum of money the perpetrators promise to hand over the decryption key. In short, this form of outside-in attack is nothing other than extortion.

Inside

The attacker is internal to the target system or network. A very common example is when legitimate users of a system/network attempt inappropriate access to resources, services or data to which they are not explicitly entitled.

Examples of insider attacks include the unauthorized downloading of material of a non-work-related nature or the use of an organization’s resources in the pursuit of personal activities. Using the company printer to print family photos, using network resources to play online games, or downloading movies and MP3s are all examples of this class of insider attack.

There is another, more serious, type of insider attack in which a legitimate user attempts to gain access to resources which they are not, and may never be, entitled to access. Company financial records, upper management documents and employee history records are typical targets of this type of insider attack.

Inside-Out

The attacker is inside the target and either triggers a remote malware download that then does its damage, or seeks to propagate from the current host system to other external systems. The unauthorized export of company data to the attacker’s external offsite storage is a classic example of the inside-out attack; most consider this to be industrial espionage.

Proxy

The attacker focuses on surreptitiously enslaving, usually in very large numbers, unprotected and innocent third-party machines and then, when ready, launches an attack from all enslaved machines simultaneously. The intended result is to overwhelm the target by sheer volume. Malicious “botnets” are the example of this attack-source category that has gained the most notoriety of late.

Diffuse Perimeter

A relatively new category arising from the morphing of the “security perimeter” as a result of the recent massive expansion of ad hoc, publicly accessible wireless networks.

Secure resources now travel out into an ever more insecure environment, where they encounter wireless networks in places where once there were no freely and publicly accessible networks. Now there are many. Airports and transit centers, along with the hospitality industry, are primary locations from which nefarious activities are launched upon the unsuspecting.

Mobile

Many attacks today are launched from mobile (in-transit) devices such as laptops and notebooks, which makes it very hard to identify the attacker. Another much-publicized form of mobile attack is the practice of “war driving”.

Generally, war driving entails an attacker cruising around in a vehicle with a wireless-enabled laptop or notebook on the seat next to them. When a wireless network is detected, the attacker uses packet-sniffing software, among other tools, to determine whether or not the victim network is transmitting in the clear (unencrypted).

Cloud

Considering the current rate of uptake, by businesses and individuals alike, of cloud computing technologies such as Software-as-a-Service (SaaS), it comes as no surprise that the security world now recognizes attackers and attack mechanisms that exploit various aspects of cloud computing technologies as a new attack source.