Networks Distributed by justEtc
The information is taken from: ACM Communications, Vol. 52, No. 2. Author: F. Gerlach, Baden-Württemberg, Germany
Some security fundamentals are discussed in this short note. As always, we did not spend too much time and effort on researching and writing this short note.
We are just providing an overview of where you can start (or how you can think). Security needs to be well planned and well implemented. It is not a one-hour job or a one-time task. It requires understanding your security requirements; understanding the vulnerabilities in your systems, networks, infrastructure, and the software that you use and develop; researching possible ways of implementing security; planning security; designing your security architecture; maybe creating security policy documents; and only then comes the implementation. It also has to be monitored, reviewed, and improved periodically. Security applies to both infrastructure and software development. You can secure your infrastructure by configuring the operating systems and networks securely. You can also develop your software with no or minimal security holes.
Building blocks of security: CIA Principle: Confidentiality, Integrity, and Availability. You need to maintain the confidentiality/privacy of your information/data/communications (Confidentiality), ensure that data are not modified without authorization (Integrity), and keep the data available to authorized users (Availability).
Threats: What are the potential security threats: Unauthorized access or changes, interruption of services, damage to the hardware
Vulnerabilities that expose security threats: Improperly/poorly designed/configured networks, bugs in software/operating systems, insecure passwords, misuse of software or protocols, unchecked user input
Security System Principles: Security system implementation usually involves: Authentication (verify the user), Authorization (user rights and privileges), Access Control (resource rights and privileges), Auditing (track activities and access)
Four types of Access Control: Mandatory Access Control (MAC) (objects' security levels are compared with users' clearance levels), Discretionary Access Control (DAC) (objects are assigned ACLs, and users/groups are added to those ACLs for access), Role-Based Access Control (users are assigned to roles, permissions are assigned to the roles), Rule-Based Access Control (permissions are based on rules, for example firewall-based security rules)
Some forms of security implementation
What is the implicit deny principle? If permission is not explicitly given, the resource is assumed to be inaccessible.
What is the least privilege principle? Give users the minimal permissions they need to perform their tasks.
Distribution/separation of Tasks and Powers: Tasks such as backup, auditing, and system administration can be distributed among multiple professionals instead of one. That way, no one person has too much power/control with which to exploit the system.
Job Rotation: No one person is kept in a major job role (firewall administration, ACL administration) for a long time. Rotation prevents abuse of power and creates multiple experts in one area.
Mandatory Vacation: Employees are required to take vacations for a while, and the systems can then be checked for malicious activities. The employees may be informed about the policy beforehand; the company may also have written policies on what constitutes malicious activity (any misunderstanding should be cleared up front).
Privilege Administration: Involves authentication and authorization including auditing of privilege usage.
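The four access control types listed earlier, each written so that a missing grant means deny (implicit deny) and a role carries only the permissions its task needs (least privilege). This is an added example, not part of the original note; every user, role, label, and firewall rule in it is constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# All names and data below are constructed for illustration.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
ACL = {"alice": {"read", "write"}, "group:auditors": {"read"}}  # one object's ACL
USER_ROLES = {"bob": {"backup_operator"}, "carol": {"auditor"}}
ROLE_PERMS = {"backup_operator": {"backup:run"}, "auditor": {"logs:read"}}
RULES = [("deny", "10.0.5.0/24", 22), ("allow", "10.0.0.0/16", 22)]  # ordered

def mac_allows(clearance, object_level):
    """MAC (read side): the user's clearance must reach the object's level."""
    if clearance not in LEVELS or object_level not in LEVELS:
        return False  # unknown label: fail closed
    return LEVELS[clearance] >= LEVELS[object_level]

def dac_allows(acl, user, groups, action):
    """DAC: the object's ACL names the users/groups and what each may do."""
    principals = [user] + [f"group:{g}" for g in groups]
    return any(action in acl.get(p, ()) for p in principals)

def rbac_allows(user, permission):
    """RBAC: users hold roles; only roles hold permissions."""
    roles = USER_ROLES.get(user, ())
    return any(permission in ROLE_PERMS.get(r, ()) for r in roles)

def rule_allows(src_ip, dst_port):
    """Rule-based: the first matching rule decides; no match means deny."""
    for action, network, port in RULES:
        if dst_port == port and ip_address(src_ip) in ip_network(network):
            return action == "allow"
    return False  # implicit deny: nothing granted this traffic

if __name__ == "__main__":
    print("MAC  internal user reads confidential:", mac_allows("internal", "confidential"))
    print("DAC  auditor group member writes:", dac_allows(ACL, "dave", ["auditors"], "write"))
    print("RBAC backup operator reads logs:", rbac_allows("bob", "logs:read"))
    print("RULE ssh from 10.0.5.7:", rule_allows("10.0.5.7", 22))
    print("RULE rdp from 10.0.1.7:", rule_allows("10.0.1.7", 3389))
```

Every check above prints False: none of the four functions has an "allow by default" branch, so a request succeeds only when an explicit grant matches it.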
Authentication Methods
Commonly used Authentication Factors: Password, key/ID, Fingerprints
Knowledge Based Authentication: Example: what is the name of your first pet?
Out of Band: If authentication fails multiple times, lock the system
Other Authentication Methods: Kerberos (Single Sign-On), Tokens/Chips/Cards, Biometrics (fingerprint, retina scan, face recognition), Multi-factor authentication (use more than one way of authenticating, e.g. password + fingerprint), Mutual Authentication (both parties verify each other)
Security Policy
A security policy is a formal document that states all the security rules in the organization. The security rules may include policies to ensure the CIA principle, and network design rules. For each rule, the policy document may contain a policy statement (plan for the individual security component), standards (how to measure the level of adherence), guidelines (how to meet the standards), and procedures (how to implement the policy).
Commonly used security policies: Acceptable use, Privacy, Separation of duties, Job Rotation, Mandatory Vacation, Need to know (who should have access and how), least privilege, implicit deny, audit policy, password policy, wireless standard policy, extranet policy
Other security documents that you may need to maintain, and that also need to be secured themselves (with some policies): System Architecture, documents that log the changes in the system, data, and architecture, Logs (system logs, security audit logs), Inventories (equipment and asset inventory)
Create Document Handling measures for Security Implementation: Classify the documents (public, internal, and confidential), retention and storage (how long the documents need to be retained or stored), disposal and destruction (create a plan for disposal and destruction of documents)