Defining Basic Security Concepts - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]
Thomas W. Shinder; Debra Littlejohn Shinder
Defining Basic Security Concepts

A generic definition of security is 'freedom from risk or danger; safety.' (The American Heritage Dictionary).

This definition is perhaps a little misleading when it comes to computer and networking security, as it implies a degree of protection that is inherently impossible in the modern connectivity-oriented computing environment.

This is why the same dictionary provides another definition specific to computer science: 'The level to which a program or device is safe from unauthorized use.' Implicit in this definition is the caveat that the objectives of security and accessibility, the two top priorities on the minds of many network administrators, are by their very natures diametrically opposed. The more accessible your data is, the less secure it is. Likewise, the more tightly you secure it, the more you impede accessibility. Any security plan is an attempt to strike the proper balance between the two.

As in any other specialty field, security professionals speak a language all their own and understanding the concepts requires that you learn the jargon. At the end of this section, you will find a list of some common terms that you are likely to encounter in the IT security field.

Knowledge is Power


The above title is a famous hacker's motto (along with such other gems as 'Information wants to be free,' and the simplistic but optimistic, 'Hack the world!'). However, it is a truism that applies not only to those attempting to gain access to data they aren't supposed to see, but also to those who are trying to protect themselves from the intruders. The first step in winning any battle (and network security is a battle over the ownership and control of your computer files) is the same as it's always been: 'know thine enemy.'

To protect your network resources from theft, damage, or unwanted exposure, you must understand who initiates these things, why, and how they do it. Knowledge will make you powerful, too, and better able to prevent unauthorized intrusions into your network. In the section entitled Detecting and Preventing Unauthorized External Intrusions, we will discuss the various motivations that drive different network intruders and the types of people who make a practice of 'breaking and entering' networks.

The very best place to learn is from the hackers themselves. Many network administrators and even some security specialists eschew the books and websites that are written to a hacker audience or from the hacker's point of view. This may be because one fears 'guilt by association' or believes that it would be somehow demeaning to hang out with the hackers. This attitude may be based on high moral ground, but strategically, it's a mistake.

Think Like a Thief


It is well known in law enforcement circles that the best criminal investigators are those who are best able to 'get inside the mind' of the lawbreaker. Network intrusion detectives will find that the same is true: to prevent your network from falling prey to hackers, or to catch data thieves when they do get in, requires that you be able to adopt a mindset emulating theirs.

This means learning to anticipate the intruder's actions. First, you must determine what needs to be protected, and to what degree. A wealthy person not only establishes a general security perimeter by building fences around the house and locking doors and windows, but also places the most valuable items in a wall or floor safe. This provides multiple layers of protection. The practice of implementing multiple layers of protection is known as defense in depth.

ISA Server can be an important layer of protection in your organization's security plan.


The Intrusion Triangle


Borrowing again from the law enforcement community, crime prevention specialists use a model called the 'Crime Triangle' to explain that certain criteria must exist before a crime can occur. We can adapt this same triangle to network security: the same three criteria must exist before a network security breach can take place. The three 'legs' or points of the triangle are shown in Figure A.1.

Figure A.1 All three legs of the triangle must exist for a network intrusion to occur

Let's look at each point individually:



Motive: An intruder must have a reason to want to breach the security of your network (even if the reason is 'just for fun'); otherwise, he/she won't bother.



Means: An intruder must have the ability (either the programming knowledge, or, in the case of 'script kiddies,' the intrusion software written by others), or he/she won't be able to breach your security.



Opportunity: An intruder must have the chance to enter the network, either because of flaws in your security plan, holes in a software program that open an avenue of access, or physical proximity to network components; if there is no opportunity to intrude, the would-be hacker will go elsewhere.



If you think about the three-point intrusion criteria for a moment, you'll see that there is really only one leg of the triangle over which you, as the network administrator or security specialist, have any control. It is unlikely that you can do much to remove the intruder's motive. The motive is likely to be built into the type of data you have on the network or even the personality of the intruder him/herself. It is also not possible for you to prevent the intruder from having or obtaining the means to breach your security. Programming knowledge is freely available, and there are many experienced hackers out there who are more than happy to help out less-sophisticated ones. The one thing that you can affect is the opportunity afforded the hacker.


Removing Intrusion Opportunities


Crime prevention officers tell members of the community that the 'good guys' probably can't keep a potential burglar from wanting to steal, and they certainly can't keep the potential burglar from obtaining burglary tools or learning the 'tricks of the trade.' What citizens can do is take away, as much as possible, the opportunity for the burglar to target their own homes.

This means putting dead-bolt locks on the doors (and using them), getting a big, loud, unfriendly dog, installing an alarm system, and the like. In other words, as a homeowner, your goal is not to prevent the burglar from burglarizing, but to make your own home a less desirable target. As a network 'owner,' your objective is to 'harden' your own network so that all those hackers out there who already have the motive and the means will look for an easier victim.

The best and most expensive locks in the world won't keep intruders out of your house if you don't use them. And if those locks are difficult to use and result in inconvenience to you in your everyday comings and goings, you probably won't use them, at least not all the time. A poorly implemented network security system that is difficult to administer or that unduly inconveniences network users may end up similarly unused; eventually, you will throw your hands up in frustration and just turn the darn thing off. And that will leave your network wide open to intruders.

A good network security system will help you to remove the temptations (open ports, exploitable applications) easily and will be as transparent to your users as possible. ISA Server, when properly configured, meets these requirements, and more. We will discuss the characteristics of a good network security system component further in the section entitled 'Preventing and Detecting Unauthorized External Intrusions.'

Security Terminology


Every industry has its own 'language,' the jargon that describes concepts and procedures peculiar to the field. Computer networking is infamous for the 'technotalk' and the proliferation of acronyms that often mystify outsiders. Specialty areas within an industry often have their own brands of jargon, as well, and the computer security sub-field is no exception.

It is not possible to provide a complete glossary of security-related terms within the scope of this chapter, but in this section, we will define some of the more common words and phrases that you may encounter as you begin to explore the fascinating world of computer security:



Attack In the context of computer/network security, an attack is an attempt to access resources on a computer or a network without authorization, or to bypass security measures that are in place.



Audit To track security-related events, such as logging onto the system or network, accessing objects, or exercising user/group rights or privileges.
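What 'tracking' buys you only becomes clear when someone reads the records. The following is an added example, not code from the book or from ISA Server: it reviews a constructed logon audit trail, flags sources that produced a burst of failed logons inside a short window, and then pulls out any successful logon from those same sources, which is the record an auditor should read first. The log format (ISO timestamp, event name, key=value fields) is an assumption made for the demonstration, not any product's real audit format.

```python
"""Reviewing audit records for logon-failure bursts.

Added example, not part of the book. The log lines are constructed and
their format (ISO timestamp, event name, key=value fields) is an
assumption for the demonstration, not a real product's audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures in 15 seconds from 10.0.0.7, then a
# success for the same account; 10.0.0.9 shows an ordinary mistyped password.
AUDIT_LOG = """\
2004-06-01T09:00:01 LOGON_FAILURE user=alice src=10.0.0.7
2004-06-01T09:00:03 LOGON_FAILURE user=alice src=10.0.0.7
2004-06-01T09:00:05 LOGON_FAILURE user=alice src=10.0.0.7
2004-06-01T09:00:08 LOGON_FAILURE user=alice src=10.0.0.7
2004-06-01T09:00:12 LOGON_FAILURE user=alice src=10.0.0.7
2004-06-01T09:00:15 LOGON_FAILURE user=alice src=10.0.0.7
2004-06-01T09:00:20 LOGON_SUCCESS user=alice src=10.0.0.7
2004-06-01T09:10:00 LOGON_FAILURE user=bob src=10.0.0.9
2004-06-01T09:10:06 LOGON_SUCCESS user=bob src=10.0.0.9
"""


def parse(line: str):
    """Split one audit line into (timestamp, event, fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields


def failure_bursts(log_text: str, threshold: int = 5,
                   window: timedelta = timedelta(minutes=1)) -> dict:
    """Map each source address to the largest number of LOGON_FAILURE events
    it produced inside any `window`, keeping only sources at or above
    `threshold`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse(line)
        if event == "LOGON_FAILURE":
            failures[fields["src"]].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def successes_after_burst(log_text: str, flagged: dict) -> list:
    """Successful logons from flagged sources: the records a reviewer should
    look at first, because the guessing may have worked."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse(line)
        if event == "LOGON_SUCCESS" and fields["src"] in flagged:
            hits.append((fields["user"], fields["src"], ts.isoformat()))
    return hits


if __name__ == "__main__":
    bursts = failure_bursts(AUDIT_LOG)
    print(bursts)                                    # {'10.0.0.7': 6}
    print(successes_after_burst(AUDIT_LOG, bursts))  # [('alice', '10.0.0.7', '2004-06-01T09:00:20')]
```

The threshold and window are tuning knobs; set them from what your own users normally produce, or the review will drown in false alarms and end up ignored, which is the failure mode the burglar-alarm analogy in this chapter warns about.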



Availability of data Reliable and timely access to data.



Breach Successfully defeating security measures to gain access to data or resources without authorization, or to make data or resources available to unauthorized persons, or to delete or alter computer files.



Brute force attack Attempt to 'crack' passwords by sequentially trying all possible combinations of characters until the right combination works to allow access.
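To make the definition concrete, here is an added example (not code from the book or from ISA Server) of an exhaustive search against a stored password hash, together with the arithmetic that decides whether such a search is practical. The victim password, salt and alphabet are constructed so the search completes instantly; the salted SHA-256 storage scheme is an assumption for the demonstration, not any product's format. The second part shows the only lever the defender really controls: the guess rate, which account lockout or throttling pushes from billions per second (offline, against a stolen hash) down to a handful per second.

```python
"""Brute force password search and the arithmetic behind it.

Added example, not part of the book. The stored hash, salt and alphabets
are constructed for the demonstration; the hashing scheme (salted
SHA-256) is an assumption, not any particular product's format.
"""
import hashlib
import itertools
import string

SALT = b"example-salt"  # constructed; a real store uses a random per-user salt


def store(password: str) -> str:
    """Hash a password the way the (assumed) target system stores it."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def brute_force(target_digest: str, alphabet: str, max_len: int):
    """Try every candidate of length 1..max_len, shortest first, in
    lexicographic order. Returns (password, attempts) on success or
    (None, attempts) once the keyspace is exhausted."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if store(candidate) == target_digest:
                return candidate, attempts
    return None, attempts


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Total number of candidates of length 1..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, max_len: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return keyspace(alphabet_size, max_len) / guesses_per_second


if __name__ == "__main__":
    digest = store("dog")  # constructed victim password
    print(brute_force(digest, string.ascii_lowercase, 4))  # ('dog', 3101)

    printable = string.ascii_letters + string.digits + string.punctuation  # 94 chars
    for name, rate in (("online, throttled by lockout (10/s)", 10.0),
                       ("offline, cracking a stolen hash (1e9/s)", 1e9)):
        worst = seconds_to_exhaust(len(printable), 8, rate)
        print(f"{name}: 8-char worst case {worst:.3g} s")
```

Run it and the two printed figures differ by eight orders of magnitude for the same password policy; that gap is why protecting the hash store (removing the offline opportunity) matters more than any lockout setting.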



Buffer A holding area for data.



Buffer overflow Writing more data into a buffer than the buffer is able to hold, so that the excess overwrites adjacent memory. The result ranges from a crash to, when the overwritten memory holds control data such as a return address, execution of code supplied by the attacker.



CIA triad Confidentiality, Integrity, and Availability of data. Ensuring the confidentiality, integrity, and availability of data and services are primary security objectives that are often related to each other. See also availability of data, confidentiality of data, and integrity of data.



Confidentiality of data Ensuring that the contents of messages will be kept secret. See also integrity of data.



Countermeasures Steps taken to prevent or respond to an attack or malicious code.



Cracker A hacker who specializes in 'cracking' or discovering system passwords to gain access to computer systems without authorization. See also hacker.



Crash Sudden failure of a computer system, rendering it unusable.



Defense-in-depth The practice of implementing multiple layers of security. Effective defense-in-depth strategies do not limit themselves to focusing on technology, but also focus on operations and people. For example, a firewall can protect against unauthorized intrusion, but training and the implementation of well-considered security policies help to ensure that the firewall is properly configured.



Denial of Service attack A deliberate action that keeps a computer or network from functioning as intended (for example, preventing users from being able to log onto the network).



Exposure A measure of the extent to which a network or individual computer is open to attack, based on its particular vulnerabilities, how well known it is to hackers, and the time duration during which intruders have the opportunity to attack. For example, a computer using a dialup analog connection has less exposure to attack coming over the Internet, because it is connected for a shorter period of time than those using 'always-on' connections such as cable, DSL or T-carrier.



Hacker A person who spends time learning the details of computer programming and operating systems, how to test the limits of their capabilities, and where their vulnerabilities lie. See also cracker.



Integrity of data Ensuring that data has not been modified or altered, that the data received is identical to the data that was sent.



Least privilege The principle of least privilege requires that users and administrators have only the minimum level of access to perform their job-related duties. In military parlance, the principle of least privilege is referred to as need to know.



Malicious code A computer program or script that performs an action that intentionally damages a system or data, that performs another unauthorized purpose, or that provides unauthorized access to the system.



Penetration testing Evaluating a system by attempting to circumvent the computer's or network's security measures.



Reliability The probability of a computer system or network continuing to perform in a satisfactory manner for a specific time period under normal operating conditions.



Risk The probability that a specific security threat will be able to exploit a system vulnerability, resulting in damage, loss of data, or other undesired results. That is, a risk exists only where a threat and a vulnerability coincide: a threat with nothing to exploit, or a vulnerability no one is positioned to exploit, carries little risk.



Risk management The process of identifying, controlling, and either minimizing or completely eliminating events that pose a threat to system reliability, data integrity, and data confidentiality.



Sniffer A program that captures data as it travels across a network. Also called a packet sniffer.



Social engineering Gaining unauthorized access to a system or network by subverting personnel (for example, posing as a member of the IT department to convince users to reveal their passwords).



TCSEC Trusted Computer System Evaluation Criteria, commonly called the 'Orange Book.' A U.S. Department of Defense standard for evaluating the level of security of a system, since superseded by the Common Criteria.



Technical vulnerability A flaw or bug in the hardware or software components of a system that leaves it vulnerable to security breach.



Threat A potential danger to data or systems. A threat agent can be a virus; a hacker; a natural phenomenon, such as a tornado; a disgruntled employee; a competitor, and other menaces.



Trojan horse A computer program that appears to perform a desirable function but contains hidden code that is intended to allow unauthorized collection, modification or destruction of data.



Virus A program that attaches itself to other programs or files and replicates when they are run, introduced onto a system or network for the purpose of performing an unauthorized action (which can vary from popping up a harmless message to destroying all data on the hard disk). See also worm.



Vulnerability A weakness in the hardware or software or security plan that leaves a system or network open to threat of unauthorized access or damage or destruction of data.



Worm A program that replicates itself, spreading from one machine to another across a network on its own, without needing to attach itself to a host program or rely on a user to run it. See also virus.



Once you are comfortable with the terminology, you can begin to address the individual objectives that will assist you in realizing your goal to create a secure network environment.
