Network Security - Information Assurance - Coursework Example

Network Security – Information Assurance Institute Network Security – Information Assurance Introduction The growth of information systems and associated systems has been unprecedented in the last decade of the 20th century and the first decade of the new millennium. Personal computers run by powerful processors, high-bandwidth for data transmission and multiple channels for networking technologies, and the widespread use of the Internet have transformed stand-alone computing systems and predominantly closed networks into the virtually seamless fabric of today’s information technology (IT) infrastructure. Perhaps, the biggest shift in lifestyle that mankind has seen since the industrial revolution of the 1600s and 1700s. This infrastructure provides for the processing, transmission, and storage of vast amounts of vital information used in virtually every facet of society. The fields that information technology has not treaded to are unknown today. As the IT infrastructure has broadened to global scale, the volume of electronic information exchanged through the cyberspace has grown dramatically and new applications and services proliferate. Information Assurance The explosive growth of Information Technology and the resultant growth in the amount of information handled have fundamentally made information assurance of prime importance. Information Security could be defined as the protection of information and the associated systems against unauthorized access to or modification of information, whether in storage, processing or transit and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. With the multi-dimensional growth of information, information systems and the states of existence of information, the environment has grown to be highly information intensive and the availability of information in an assured manner is of paramount importance. It is essential to understand what information is and how is it different from data. “Information is data endowed with relevance and purpose. Converting data into information thus requires knowledge. Knowledge by definition is specialized.” (Blyth and Kovacich, p. 17) To further understand the differences, raw fact with an unknown coding system is called Noise. When these raw facts are sequenced in a known coding system, then it is called Data. The data is processed depending upon the requirement to obtain information. Finally, Knowledge, which is a collection of accepted facts, principles and rules of thumb in specific domains, is developed over a period of time from the result of inferences and implications produced from information (Raggad (pp. 14ff). It can be then seen that processed data using which knowledge can be enhanced and conclusions deduced is termed Information. The characteristics of information include accuracy, timeliness, completeness, verifiability, consistency, and availability. Apart from protecting information to maintain the aforesaid characteristics, it is also vital to ensure the information systems that are used to store, process and transmit this information is also secured. Information Assurance is the study of how to protect the information and the relevant information assets from destruction, degradation, manipulation and exploitation (Herrmann, 2007). It also includes the ability to recover from any of these incidents should any happen. The scope of information assurance has expanded well beyond the ambit of information technology and today covers signal processing and communication for the wide range of technologies used for information transfer, and mathematics for information encryption both during storage and transfer of data. Actions involved in information assurance are both proactive and reactive. Timely detection of attack on information or associate systems and necessary countermeasures are equally important. Information assurance therefore implies that information is freely available to the authorized personnel and at the same time is protected from unauthorized entities. The available information must be assured to be correct and from the right source. The five aspects of information needing protection (Department of Defense, 2007) are as follows: - (a) Availability: timely, reliable access to data and information services for authorized users; (b) Integrity: protection against unauthorized modification or destruction of information; (c) Confidentiality: assurance that information is not disclosed to unauthorized persons; (d) Authentication: security measures to establish the validity of a transmission, message, or originator. (e) Non-repudiation: assurance that the sender is provided with proof of a data delivery and recipient is provided with proof of the sender’s identity, so that neither can later deny having processed the data. Dimensions of Information Assurance As seen previously, Information Assurance is today viewed as both multidisciplinary and multidimensional. Complete coverage of all aspects of the subject will involve four dimensions which include information states, information security, system security measures and time. At any given point of time, information is in one or more of the three states which are stored, processed, or transmitted. It is important to recognize that information can coexist in two states. The fundamentals of Information Assurance necessitates the provisioning of five information security services which are Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation as seen earlier. The system security measures include technology, operations and personnel. Technology includes hardware, software and firmware that comprise a system or network. Technology, from a security perspective today comprises of devices such are firewalls, routers, intrusion detection monitors, and other security components. Operations include the procedures employed by system users, the configurations implemented by system administrators, and the rules invoked by software during specified system operations. People are the heart and soul of secure systems. Awareness, literacy, training and education in sound security practices is key to information security and assurance. And finally, time the fourth dimension of information assurance. Time plays a significant role depending on the duration that the information or associated system is available either online or offline for access, the duration for which the available information is worthy of it and the amount of time that an attack can be detected and risk mitigation measures be taken. Influx of Information Technology The widespread use of information technology has hiked the risks associated information systems and has correspondingly increased vulnerabilities of, threats to, and attacks against IT infrastructure. Rapidly changing trends in both technologies and threats make it likely that the security issues of the IT infrastructure will only intensify over the next few years. Major areas of concern include the ever increasing complexity of IT systems and networks resulting in mounting security challenges for both developers and consumers, the developing nature of the telecommunications infrastructure now including multitudes of wired and wireless systems along with a merger of communication infrastructure with the IT networks of the world forming a unified architecture, the loss of perimeter due to increased use of wireless systems thereby negating the advantage of physical security of networks and finally, the increasing interconnectivity and accessibility of processor-based systems across the arena including supply chain management systems, financial organizations, and distributed control systems for factories and utilities (Landoll, 2006). Technology Involved for Information Assurance Access Control Access control technologies ensure that only right entities, authorized users or systems can access and use computers, networks, and the information stored on these systems, and these technologies help to protect sensitive data and systems. Access control simplifies network security by reducing the number of paths that attackers might use to penetrate system or network defenses. Access control includes three different control types which are boundary protection, authentication, and authorization (Herrmann, 2007). Boundary protection provides for an overall “defense-in-depth” strategy for providing Information Assurance (Whitman and Mattord, 2009) for enterprise systems with a range of functional responsibilities like command and control, administrative and logistics. The technology systems providing boundary include firewalls and guards, as well as authenticators, encryptors, and virus and intrusion detectors. The technology involved includes Packet Filter firewalls, Stateful Inspection firewalls, Application Proxy Gateway firewalls, Proxy Servers, Network Address Translation technology, and Distributed firewalls (NSTISSC, 1998). Authentication is fundamental to all information security as it connects the actions performed on a computer to an identified user that can be held accountable for those actions. The expanding means available for accessing networks make security breaches and uncontrolled user access a growing concern. Authentication of a user is based on one or more of the three factors which are physical attributes like fingerprint or biometric data, an artifact like an Automatic Teller Machine card or cryptographic token, and/or a data key like a password. System Integrity System integrity technologies are used to ensure that a system and its data are not illegitimately modified or corrupted by malicious code. Malicious code includes viruses, Trojan horses, and worms (Landoll, 2006). A virus is a program that infects computer files, usually executable programs, by inserting a copy of itself into the file. These copies are usually executed when a user takes some action, such as opening an infected e-mail attachment or executing a downloaded file that includes the virus. When executed, the virus can infect other files. Unlike a computer worm, a virus requires human involvement to propagate. A Trojan horse is a computer program that conceals harmful code. A Trojan horse usually masquerades as a useful program that a user would wish to execute. A worm is an independent computer program that reproduces by copying itself from one system to another. Unlike a computer virus, a worm does not require human involvement to propagate. Antivirus software provides protection against viruses and malicious code, such as worms and Trojan horses, by detecting and removing the malicious code and by preventing unwanted effects and repairing damage that may have resulted. Antivirus software uses a wide range of techniques including signature scanners, activity blockers, and heuristic scanners to protect computer systems against potentially harmful viruses, worms, and Trojan horses. Signature scanners can identify known malicious code. Scanners search for “signature strings” or use algorithmic detection methods to identify known code. They rely on a significant amount of prior knowledge about the malicious code. File integrity checkers are software programs that scrutinize changes to files that are considered critical either to the organization or the operation of the computer including changes to the data in the file, permissions, last use, and deletion. Because both authorized and unauthorized activities alter files, file integrity checkers are designed for use with critical files that are not expected to change under normal operating conditions. File integrity checkers enable intrusion detection, administration, policy enforcement, hardware or software failure detection, and analysis of systemic failures. Cryptography Cryptography is used to secure transactions by providing ways to ensure data confidentiality (assurance that the information will be protected from unauthorized access), data integrity (assurance that data have not been accidentally or deliberately altered), authentication of the message’s originator, electronic certification of data, and non-repudiation (proof of the integrity and origin of data that can be verified by a third party). Accordingly, cryptography has an important role in protecting information both within a computer system and when information is sent over the Internet and other unprotected communications channels. Encryption is the process of transforming ordinary data into code form (cipher-text) using a special value known as a key and a mathematical process called an algorithm. Cryptographic algorithms are designed to produce cipher-text that is unintelligible to unauthorized users. Decryption of cipher-text is possible only by using the proper key. Technologies that use cryptographic algorithms (Whitman and Mattord, 2009) can be used to encrypt message transmissions so that eavesdroppers cannot determine the contents of a message. Hash technologies use cryptography to provide assurance to a message recipient that the contents of the message have not been altered. For example, operating systems use cryptography to protect passwords. Protocols such as IP Security protocol (IPSec) and Secure Sockets Layer (SSL) use cryptographic technologies for confidential communications. SHA and MD5 are examples of hash technology implementations. Digital signature technologies use cryptography to authenticate the sender of a message. Virtual private networks (VPN) use cryptography to establish a secure communications link across unprotected networks. Audit and Monitoring Audit and monitoring technologies enable security administrators to regularly evaluate computer security, carry out investigations during and after an attack, and even identify an ongoing attack. Audit and monitoring technologies include intrusion detection systems, intrusion prevention systems, security event correlation tools, and computer forensics. Intrusion detection and intrusion prevention systems monitor and analyze events occurring on a system or network and either alert appropriate personnel or prevent an attack from proceeding (Whitman and Mattord, 2009). Audit logs are produced by many operating systems and software applications. Depending on the configuration of the logging functions, critical activities such as access to administrator functions are logged and can be monitored for anomalous activity. Security event correlation tools can help to detect security events and examine logs to determine the method of entry that was used by an attacker and to ascertain the extent of damage that was caused by the attack. Because of the volume of data collected on some systems and networks, these tools can help to consolidate the logs and to identify key information using correlation analysis. Computer forensics involves the identification, preservation, extraction, and documentation of computer-based evidence. Configuration Management Configuration management and assurance technologies help security administrators to view and change the security settings on their hosts and networks, verify the correctness of the security settings, and maintain operations in a secure fashion under duress. Technologies that assist configuration management and assurance include policy enforcement tools, network management tools, continuity of operations tools, scanners for testing and auditing security, and patch management tools. Future Trends in Information Assurance With the involvement of private industry in information technology and security related product development, a large number of Commercially Off The Shelf (COTS) solutions are available for Information Assurance. Intel processors and chipsets, together with validated third-party hardware ingredients and software solutions, enable information assurance computing systems based on COTS solutions. These systems promise to be far more cost effective to develop, validate and support than legacy systems, while preventing the compromise of data security (Intel Corporation, 2007). Intel Virtualization Technology and Intel Trusted Execution Technology are the key technologies which enable Multi-Level Security (MLS) while improving system performance, robustness, security and trust. Companies Developing IT Security Products A large number of firms are today involved in developing technologies related to Information Assurance. While major firms like CISCO Systems, Intel, Symantec Corporation and Sourcefire are involved in multiple fields of technology, a large number of smaller firms are forcing their way upwards with cutting edge technology and new ideas (Garretson and Messmer, 2006). BitArmor Security Suite, software from BitArmor lets IT protect and manage the life cycle of stored data. The product eliminates the need for public key infrastructure-based key management through a proprietary, automated approach. In addition to encrypting data, BitArmor lets administrators create policies for data storage and retention. Policy management is a growing issue with encrypted data. Cognetos impetus on cognitive psychology research to develop a risk-management product for government and industry to authenticate users online is noteworthy. The Mobio handheld device supports multiple strong authentication methods, including encryption-generated one-time passwords, VPN methods, a fingerprint scanner that can convert this biometric into a biocode number, plus a wireless-based door reader for physical access. The Cryptolex Universal ID System has a back-end software library for building an authentication server on Unix-, Linux- or Windows-based computers. Specialized applications bundled with the product allow for Cryptolex-based authentication on PDAs and laptops, network access, and physical-access control. Regulatory Issues on Information Assurance The proliferation of high profile business scandals in the US, including Enron and WorldCom, the Sarbanes-Oxley Act of 2002 (SOX) (Ribstein, 2003) was passed as legislation in 2002. The purpose is to “protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes”. This regulation affects all companies listed on stock exchanges in the US. Although information security requirements have not been specified directly in the Act, there would be no way a financial system could continue to provide reliable financial information, whether due to possible unauthorized transactions or manipulation of numbers, without appropriate security measures and controls in place. SOX requirements indirectly compel management to consider information security controls on systems across the organization in order to comply with SOX. The Gramm Leach Bliley Act (GLBA) of 1999 ensures the security, integrity and confidentiality of Nonpublic Personal Information (as defined in GLBA), protect against any anticipated threats or hazards to the security or integrity of such information; and, protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to the person that is the subject of such information (Gramm–Leach–Bliley Act, 1999). Global implications As seen in the preceding paragraphs, the explosive growth of Information Technology and the amalgamation of IT with telecommunication have brought together the world much closer than any time before in history. Additionally, the technology has grown leaps and bounds to provide multiple channels of access to various systems blurring the line between physical and logical systems. The use of hardware from across the world for developing systems has mandated the need to trust the suppliers of these products. Put together, all these changes are making ‘Information Assurance’ all the more difficult to be assured. The large number of court cases being fought by various IT firms around the world is testimony to the fact trust is probably at an all time low and competition at an all time high amongst the developers of products. The users of these products have to equally be wary of the security being provided by these products especially in mission critical areas like Defense and Space. Financial organizations are fulfilling their security needs mostly through COTS products as they are the most viable options available unlike in Defense where government sponsored projects would provide alternatives. The legal requirements for Information Assurance have been strengthened and are more stringent today than a couple of decades ago. To conclude, it must be said that Information is key and assured availability of information is vital in all walks of life. The users of the data and the information systems to access this data would prefer to be assured that the data they are using has been well protected and would be available to them as and when required. The providers of such services have a significant responsibility in leading the way to guarantee ‘information assurance’. The opportunity for developers of products for ‘information assurance’ lies in the unlimited possibilities that the fast paced technology presents to them today. References Blyth, Andrew and Kovacich, Gerald. L. (2001). Information Assurance: Surviving in the Information Environment. Springer. Department of Defense (2007). Directive on Information Assurance. Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/850001p.pdf Garretson, Cara and Messmer, Ellen. (2006). Network World Top 10 Security Companies to Watch, Network World. Retrieved from http://www.networkworld.com/news/2006/102306-security-companies-to- watch.html?page=4 Gramm–Leach–Bliley Act (1999). Gramm–Leach–Bliley Act, Public Law 106–102 106th Congress. Retrieved from http://www.gpo.gov/fdsys/pkg/PLAW- 106publ102/pdf/PLAW-106publ102.pdf Herrmann, Debra. S. (2007). Complete Guide to Security and Privacy Metrics. Auerbach. Intel Corporation. (2007). Intel® Technologies for Information Assurance. Intel Corporation, United States. Landoll, Douglas. J. (2006). The Security Risk Assessment Handbook. Auerbach. National Security Telecommunications & Information Systems Security Committee (NSTISSC). (1998). The Role of Firewalls and Guards in Enclave Boundary Protection. Retrieved from http://www.cnss.gov/Assets/pdf/nstissam_compusec_1-98.pdf Raggad, Bel. G. (2010). Information Security Management: Concepts and Practice. CRC Press. Ribstein, Larry. E. (2003). International Implications of Sarbanes-Oxley: Raising The Rent On US Law. Illinois Law and Economics Working Papers Series Working Paper No. LE03- 005. Retrieved from http://papers.ssrn.com/pape.tar?abstract_id=401660 Whitman, Michael E. and Mattord, Herbert. J. (2009). Principles of Information Security. Thomson. Read More