<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>threat</title>
<link>http://www.computersight.com/tags/threat</link>
<description>New posts about threat</description>
<item>
<title>Security Threats in the Wild One</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Security-Threats-in-the-Wild-One.117256</link>
<description>
<![CDATA[<p>The birds and bees do it. Socialize that is. Here is an overview of the various categories and types of common security threats, risks, exploits and vulnerabilities that we all battle on a daily basis.</p>
 
<h3>Introduction</h3>
 
<p>The birds and the bees do it. From microbes to ants to dogs, to lions and elephants and all the way to the biggest of them all, the blue whale, it is the one thing that all have in common. The need to perpetuate the species can be totally consuming at different points in time but can only be successful with adherence to the social rules of each species.</p>
 
<p>Humans? Well, we are no different, except for the antisocial element, and it is their “raining on the party” activities that we are going to look into here.</p>
 
<h3>Security, Society and Civilizations</h3>
 
<p>Security, security threats, security risks and other security issues and concerns have been with us since day one. They are a basic fact of life inherent to all social beings and to the collective societies and social protocols they forge in establishing their civilizations.</p>
 
<p>In this regard humans, bees, ants etc. all have much in common; where humans differ is in their capacity for conceptualization and virtualisation of thought and self.</p>
 
<h3>Passing the Torch</h3>
 
<p>Among the most powerful and pervasive products of these processes are the concepts of knowledge, information, and the accessibility, transmission, and passing-on of said knowledge and information to contemporaries and succeeding generations alike.</p>
 
<p>The label we humans have given to this is Information Technology (IT) and its most obvious manifestation in our world today is The Internet.</p>
 
<h3>Technological Benefits and Freedoms</h3>
 
<p>The benefits and freedoms delivered by these technologies, and the technologies themselves, are, as with everything else in the universe, susceptible to damage, degradation or destruction from a host of very diverse threats.</p>
 
<p>Securing our information technologies means protecting information assets by way of technology, regulatory compliance, experience, processes and training.</p>
 
<p>It is the security threats, risks, vulnerabilities, impacts and counter measures involved with IT and Internet security in particular that we are going to be investigating.</p>
 
<h3>Speaking the “Lingo”</h3>
 
<p>They say that you must walk the walk and talk the talk before you can get in. Well in our case, we do need to do as the Romans did and come to a consensus regarding the basic technical terms used in information technology and Internet security circles.</p>
 
<p>Here is a brief list of the most basic terms and concepts that we will need to further our understanding of security threats, security risks, security vulnerabilities and the counter measures that we can use to protect ourselves from malicious intent.</p>
 
<p>Entity - That which exists or is perceived to exist</p>
 
<p>Attack - The direct or indirect, real or perceived, consequences and effects of actions perpetrated by one or more entities with the intent to intrude upon, compromise, degrade, control or adversely affect, directly or indirectly, the assets, prerogatives, freedoms, rights, or the sense of “security” or of “being secure”, of one or more other entities; generally with deliberate malicious intent, manner or purpose</p>
 
<p>Security - The state of being safe, protected, and free from worry about possible loss by the assurance that something of value will not be taken away, degraded, or threatened in any manner by attack from without or subversion from within</p>
 
<p>Security Measures - The precautions taken to defend, maintain or improve the safety and sanctity of an entity or entities (somebody or something) from attack, danger or crime, whether these security threats are potential, real or merely perceived to exist</p>
 
<p>Security Goals - The predefined targeted levels of protection, precautions or defensive strategies deemed to be “adequate” and/or “appropriate” for specific “real world” scenarios.</p>
 
<p>It comes as no surprise that security goals will vary considerably from one entity to the next but all will have a commonality of providing an acceptable, predefined level of security assurance in conjunction with elements of acceptable exposure that are usually weighted by economic factors such as cost effectiveness.</p>
 
<p>Security Policy - A set of organisation-level rules governing the acceptable usage of such resources as:</p>
 
<ul>
<li> Information Technology Resources</li>
 
<li> Acceptable Security Practices</li>
 
<li> Acceptable Operational Procedures</li>
 
<li> Best Practices Guidelines </li>
 
</ul>
<p>Security Threats - Any entity possessed with the deliberate intent to cause hazard, harm, degradation or unsolicited action to the disadvantage, peril or jeopardy of another entity or asset</p>
 
<p>Security Vulnerabilities - That which is potentially susceptible to attack by a threat or threats</p>
 
<p>Security Exploit - Something that can be used to the advantage of a threat in an unsolicited, unfair or selfish manner to the advantage or intent of said threat, and/or disadvantage or detriment of the exploited</p>
 
<p>Malicious - Motivated by or resulting from a malevolent desire to cause harm, degradation or pain to others</p>
 
<p>Vindictive - Motivated by the malicious desire or intent to harm or degrade a specific target, often as a result of a desire for revenge for some perceived “wrong” or “unfairness” allegedly perpetrated by the target</p>
 
<p>Security Risks - The chance or statistical probability that a threat will eventuate as well as the jeopardy that such a scenario will impart upon the entity deemed at risk.</p>
 
<p>Security Impact - The amount or type of potential losses that could result should a given threat eventuate</p>
 
<p>Zero-Day Vulnerabilities - Vulnerabilities for which no patch was available at the time of their public disclosure</p>
 
<p>Auditing - The process of recording, usually to a log file, information regarding network and resource access, including which computer(s) and/or user(s) are issuing the access requests. Typically, audited criteria include:</p>
 
<ul>
<li> System/Network Assets and Resources Access Requests - Both successful and unsuccessful requests can be monitored and recorded</li>
 
<li> Security Events - Can be categorized into many predefined classes of attacks and security risks and threats to facilitate easier analysis and so promote quicker response times for the deployment of counter measures</li>
 
<li> Authorised Access - Legitimate users are entitled to different levels of resource access</li>
 
<li> Unauthorised Access - Also includes authorised users attempting to access beyond their access rights and privileges, as well as the category of attack where no access whatsoever is authorised</li>
 
<li> Successful and Unsuccessful Login Events </li>
 
</ul>
<p>Not all attempts by authorised users are successful, and it is an important warning that you may be under attack from some unknown threat when those who should be able to access assets and resources cannot do so.</p>
 
<p>It could also be the result of an authentication problem; an actual security threat or real attack is not always the correct explanation.</p>
 
<p>Files do become corrupted or errors can creep in undetected. It is just too bad if they happen to be in your Active Directory group policy structures for example.</p>
 
<ul>
<li> Communications - Such as attacks that attempt to access external assets and/or resources including other web sites</li>
 
</ul>
<p>Today the monitoring of IP telephony systems such as VoIP and of wireless communications network resources is becoming an ever larger security “blind spot” that can place an organisation at an unacceptable degree of risk.</p>
 
<p>The abuse of these services is also of major concern. The frequency of incidents is escalating as we speak, as the experts and their surveys show.</p>
 
<h3>Security Risk and Attack Source Categories</h3>
<ol>
<li> Outside - Resources and assets external to an organisation come under attack. The effects and consequences are felt by the organisation and other parties. This type of collateral damage can result from the malicious intent of the attacker or from a side-effect unforeseen by the attacker.</li>
 
<li> Outside In - This is the more classic form of attack, whereby an external attacker desires to intrude into the targeted system/network by penetrating that system or network's defenses in order to execute ill intent</li>
 
<li> Inside - The attacker is internal to the target system or network. A very common example of this is authentic users of a system/network attempting to inappropriately access resources, services or data to which they are not explicitly entitled. </li>
 
<li> Inside Out - The attacker is inside the target and either instigates the download of remote malware and then leaves it to do its damage, or wishes to propagate from the current host system to other external systems</li>
 
<li> Proxy - The attacker focuses on surreptitiously enslaving, usually very large numbers of, unprotected innocent third-party machines and then, when ready, launches an attack from all enslaved machines simultaneously. The intended result is simply to overwhelm the target by sheer volume. </li>
</ol>
<h3>Typical Security Risks, Threats and Vulnerabilities</h3>
 
<p>Physical Security Risks - Breaches of physical security are the most basic of all security risks as they have been with us for a long time now. Physical robbery and theft along with kidnapping and extortion are tools the most determined can put to use in forcing an individual to assist them breach security. There are multitudes of other ways of acquiring passwords, key codes, and smart cards for nefarious purposes.</p>
 
<h3>Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks</h3>
 
<p>All means and manner of technology, from the very basic to the most sophisticated, have at one time or other been used to perpetrate these attacks. For example, taking down a few telephone lines can take an organisation and many others off the Internet. No phone line = No Internet.</p>
 
<p>As ever more sophisticated ways to implement these forms of attack develop, so too our detection and counter measures need to be at least as sophisticated, if they are to provide the degree of security and freedom from threat or risk that being more secure gives us, or at least makes us feel.</p>
 
<p>Spoofing - Here is another area in which organisations and individuals face a very real and critical security risk. The falsification of credentials particularly in the electronic form is something that we all need to be on our guard for.</p>
 
<p>Man in the Middle Attacks - A form of message interception/injection attack</p>
 
<p>TCP/IP Session Hijacking - Redirection and false URLs are very common tactics that are very easy to instigate</p>
 
<h3>Social Engineering</h3>
 
<p>People are too trusting of callers claiming to be who they are not. This is combined with a multitude of other tactics that prey on the normal social behaviours of people to extract, or to be able to “deduce”, information that can then be used “against them” in some form of security breach attempt.</p>
 
<p>Vulnerability Scanning, Sniffing and Eavesdropping - Checking for known vulnerabilities and exploits, as well as for lax security measures at the machine level (OSI layers one, two, three and/or four). Backdoors are a favourite target here.</p>
 
<h3>Password Attacks</h3>
 
<p>Passwords that are stolen, overseen or acquired via social engineering, dictionary attacks and other brute force tactics are being joined by new threats in this arena, arising from the massive increase in processing power that has taken place over the years.</p>
 
<p>What was once impractical is now a very real and quick to deploy security risk, such as “rainbow table” cracking.</p>
 
<h3>Malicious Code Attacks</h3>
 
<p>Including the more traditional types of attack such as viruses, worms, Trojan horses, polymorphic viruses, botnets, spyware, adware, script attacks, rootkits, backdoor vulnerabilities and spam to name but a few of the types of security risks and threats that can originate from this quarter.</p>
 
<h3>Hackers</h3>
 
<p>I would be remiss to leave these folk out of the discussion. Yet not all hackers have purely evil or malicious intentions, just as not all programmers make software with more security holes than Swiss cheese.</p>
 
<h3>Common Exploits of Wireless Networks</h3>
 
<p>Many of these originate from poor or obsolete connection procedures and weak encryption technologies.</p>
 
<h3>Identity Theft and Fraud</h3>
 
<p>The security risks posed by impersonation for profit have been around for a long time and can be a very effective means to breach the security of many organisations</p>
 
<h3>New Exploits</h3>
 
<p>It seems that with every new day some new form or variation of an existing attack jumps up out of the woodwork to invade our sense of security. Keeping on top of it all is a daunting prospect indeed. I will show you some ways that you can strike back.</p>
 
<h3>Defensive Strategies</h3>
 
<p>Just as the perpetrators of these malicious activities have a vast array of tools upon which to draw so do their intended targets have an equally impressive array of tools at their disposal to counter these and many more types of security risk and attacks. Some of the more common of these include:</p>
 
<ul>
<li> Antivirus Software - The basic security measure to guard against the most well-known form of security threat, the malicious code attack</li>
 
<li> Antispyware Software - Another area of great concern. Who is watching you? This is something that we will find out </li>
 
<li> Spam Filters - Get rid of spam. Most work by using a database of known spammers, or with the addition of a “learning system”</li>
 
<li> Intrusion Detection Systems (IDS) - Let you know when somebody is trying to do something that they are not authorised to do </li>
 
<li> Intrusion Prevention Systems (IPS) - Unlike IDS, these systems do more than just warn you when somebody or something is attempting to execute activities for which they do not have the appropriate credentials</li>
 
<li> Access Control Systems - From the most basic to the most sophisticated, the majority of access control systems are built specifically to limit access to your resources to various groups with different access rights and permissions. Authentication is one of the main access control security measures commonly found today</li>
 
<li> Firewalls - Both hardware and software based, as well as the free, open source and fully subscribed commercial varieties, will be discussed</li>
 
<li> Honey-Pots - Very much like dangling a carrot in front of a horse's nose, but nonetheless a highly effective way of degrading the severity of an attack or totally nullifying it</li>
 
<li> Encryption - Technologies designed to provide you with confidentiality</li>
 
<li> Verification and Validation - Designed to protect against the threats and risks posed by tampered objects and by persons not being who they claim to be. SSL and extended SSL certificates are very widely used today for validation purposes.</li>
 
<li> Service packs for your operating system, general OS and software updates, security fixes, patches, vulnerability fixes and workarounds, threat-specific counter measures, and on the list goes</li>
 
<li> Security Hardening - This is the technical term for improving your current levels of security preparedness to levels that are better, or perceived to be better, with the overall effect of reducing the risks and threats to which you are exposed to at least tolerable levels</li>
 
<li> Penetration Testing - The object is to use numerous well-known and readily available tools to attempt to breach security, thereby aiding in the identification of areas of security weakness and the vulnerabilities that need immediate attention, as well as providing an indication of your overall security readiness</li>
 
<li> Administrative Practices - NTFS file and folder permissions, along with Share permissions and Group Policy, are all avenues we can take advantage of to harden our systems against security threats and risks from many quarters. These and many other operating system level security tools and counter measures will be discussed</li>
 
<li> Security Policies - A best practices document and a standard organisational policy do help the everyday user to ward off attackers, at least from a preventative point of view. Forewarned is forearmed.</li>
 
<li> Black Hat Hackers - Not many people realise this, but there is a whole bunch of people out there who do nothing but attempt to hack into various systems. I know there are a lot, but what makes this group different is that they are on your side. </li>
 
</ul>
<p>It has been through the diligence and dedication of these folk that many security flaws and vulnerabilities have been exposed and subsequently patched, or the software has been re-written, the potential risks and threats that may have existed being removed before the software hits the store shelves. We will be having a look at what these folk do.</p>
 
<h3>Tools</h3>
 
<p>It is always good to have a well-stocked toolbox whenever you tackle a tricky job. You just never know what you might come across. Like the Boy Scouts' “it pays to be prepared”, that is just what we are going to do. Get prepared.</p>
 
<p>I will be introducing a number of tools that can be of great value in the fight against security threats, and the best part is that many of them are free or free to use. So stay tuned and I will let you know where you can get your hands on these goodies.</p>
 
<h3>Prevention is better than the Cure</h3>
 
<p>Proactive measures are always to be preferred over knee-jerk responses. Over the course of the next few days I will be exploring all of these and many more topics, with a focus on security risks, prevention and counter measures. The many tools at our disposal, many of which are free or open-source, will come under our microscope.</p>
 
<p>So until next time enjoy!</p>]]></description>
<pubDate>Wed, 30 Apr 2008 09:30:45 PST</pubDate></item>
<item>
<title>IT Security Guide Part One</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/IT-Security-Guide-Part-One.108576</link>
<description>
<![CDATA[
<h3>Security Foundations</h3>
 
<p>It matters not whether the system is a single stand-alone PC, a small group of machines or a large organisational conglomerate network; the basic tenets are the same. All security starts at the bottom, or physical, level, with additional layers built upon this.</p>
 
<p>It makes very little difference that your laptop or notebook is password protected when it gets stolen. The thieves will have ample time to spend breaking into your machine once they have relieved you of its company.</p>
 
<h3>Security-In-Depth</h3>
 
<p>So we will investigate IT security and all of the options available to us from the perspective of security-in-depth, meaning that we will not be relying upon one or two measures in the hope that they will be enough to ensure that we get to keep that which is ours. Rather, we will be developing a regime of measures which we will be able to employ in our battle against the bad guys.</p>
 
<h3>Napoleonic Tactics</h3>
 
<p>The security-in-depth approach is by its very nature hierarchical in form, and as with most things we humans do, the understanding of complex systems is best achieved when we are able to deal with them a little bit at a time. As the little General said, “divide and conquer”. It worked well for him and so we will follow suit. This method is referred to as Napoleonic tactics after the little General.</p>
 
<p>Using Napoleonic tactics we will build a system of measures that we can put into place in order to render ourselves and our systems “more” secure than before they were implemented. Each measure will be designed specifically to address one or more risk elements, with the intention of reducing that risk as far as possible. I say “as far as possible” because economics will play a very important part in constraining just how far we are prepared to go and to what degree or level of residual risk we are willing to remain exposed.</p>
 
<h3>Risk/Threat Impact Matrix</h3>
 
<p>We will therefore be identifying, analysing, discussing and planning actions and strategies for the various risk factors that we will have identified. In so doing we will develop a risk/threat impact matrix by which we can quantify the various risks/threats, their impact and the likelihood of the occurrence (frequency).</p>
 
<p>We will then continue to use our risk/threat impact matrix to help us to identify just where we are in the security hardening process and what it is that we have still to do. Part of this will also involve decisions concerning such factors as:</p>
 
<ul>
<li> “I/We are not prepared to spend any more time/money to reduce a given risk element any further” or</li>
 
<li> “I/We are prepared to live with this and spend resources on other areas that I consider to be more urgent, more rewarding, more appropriate or even more cost-effective”</li>
 
</ul>
<h3>Security Policy</h3>
 
<p>All of the above factors and strategies that we have identified, the plans that we have or will implement, along with our reviewing, maintenance and re-assessing regimes, when combined and formally set forth will constitute our security policy. It is important not only that our security policy be produced as a formal statement document, but also that it be enacted upon and, most importantly of all, that it be a “living” document.</p>
 
<p>As we continue to implement our security policy, some of the risk/threat elements that were of the highest priority will have had the impact they would have, should they occur, greatly reduced or mitigated (by insurance, for example), to the extent that other, once secondary, risk/threat factors are now in greater need of immediate attention. So we will readjust our tactics and implementations to reflect this change.</p>
 
<h3>Change</h3>
 
<p>The first step in making this type of adjustment to a security policy is of course identifying that circumstances have changed. This is a fact that will be present no matter what you do. Change is an everyday part of life and security in its many aspects is no different.</p>
 
<p>One important aspect of change that is too often over-looked is that of change yet to happen (impending or unrealised change). It may be the case that you have conducted your review of the situation before the full effects of your implementation have come into force. In some situations this “lag” period may be considerable, as it may be the result of a composite of lesser events: the so-called chain-reaction or “domino effect”.</p>
 
<h3>The Domino Effect</h3>
 
<p>This can be partially viewed as a cause and effect relationship, where specific elements or entities, when implemented to address one issue, will have a secondary or side-effect that may or may not be desirable. Your actions may be shutting the front door on a given risk/threat but, unknown to you, opening the back door for another. For example:</p>
 
<p>Some organisations, for reasons that I will discuss in greater depth in part two, fill their USB ports with superglue and so remove the risk of data theft via USB memory disks.</p>
 
<p>Unfortunately this makes the process of taking backups to an external USB hard drive very difficult, if not impossible. Once done it is very hard to undo, and so the organisation will have to use other methods for the data transfer. I myself had the unpleasant experience of inheriting a network where this had been done.</p>
 
<p>Over the course of this series we will examine many aspects of security, risks, threats, impacts and strategies for dealing with them. We will also be looking into the tools and utilities at our disposal as well as simple but effective measures that can be easily implemented and with minimal fiscal impost.</p>
 
<p>In order to give you an overview of what is to come here are some of the topics and security categories that we will be discussing with regards to the security hardening of our IT systems:</p>
 
<ul>
<li> Physical Security Measures</li>
 
<li> User Security Measures</li>
 
<li> Data Security Measures</li>
 
<li> CIA - Confidentiality, Integrity &amp; Authenticity</li>
 
<li> Authentication</li>
 
<li> Availability</li>
 
<li> Risk/Threat Analysis</li>
 
<li> Impact Analysis</li>
 
<li> Risk/Threat Impact/Occurrence Assessment</li>
 
<li> Security Policies</li>
 
<li> Maintenance - Passive &amp; Proactive</li>
 
<li> Preventative Measures - Network Access Control (NAC) &amp; Intrusion Detection/Prevention Systems (IDS &amp; IPS)</li>
 
<li> Cost/Benefit Analysis</li>
 
<li> Wireless Networking Security Considerations </li>
 
</ul>]]></description>
<pubDate>Sun, 13 Apr 2008 01:47:27 PST</pubDate></item>
</channel>
</rss>
