Insecurity and the Internet

The federation of networks that became the Internet consisted of a relatively small community of users by the 1980s, primarily in the research and academic communities. Because it was rather difficult to get access to these systems and the user communities were rather closely knit, security was not much of a concern in this environment. The main objective of connecting these various networks together was to share information, not keep it locked away. Technologies such as the UNIX operating system and the Transmission Control Protocol/Internet Protocol (TCP/IP) networking protocols that were designed for this environment reflected this lack of security concern. Security was simply viewed as unnecessary.

By the early 1990s, however, commercial interest in the Internet grew. These commercial interests had very different perspectives on security, ones often in opposition to those of academia. Commercial information had value, and access to it had to be limited to specifically authorized people. UNIX, TCP/IP, and connections to the Internet became avenues of attack and did not have much capability to implement and enforce confidentiality, integrity, and availability. As the Internet grew in commercial importance, with numerous companies connecting to it and even building entire business models around it, the need for increased security became quite acute. Connected organizations now faced threats that they had never had to consider before.

When the corporate computing environment was a closed and limited-access system, threats mostly came from inside the organizations. These internal threats came from disgruntled employees with privileged access who could cause a lot of damage. Attacks from the outside were not much of an issue since there were typically only a few, if any, private connections to trusted entities. Potential attackers were few in number, since the combination of necessary skills and malicious intent were not at all widespread.

With the growth of the Internet, external threats grew as well. There are now millions of hosts on the Internet as potential attack targets, which entice the now large numbers of attackers. This group has grown in size and skill over the years as its members share information on how to break into systems for both fun and profit. Geography no longer serves as an obstacle, either. You can be attacked from another continent thousands of miles away just as easily as from your own town.

Threats can be classified as structured or unstructured. Unstructured threats are from people with low skill and perseverance. These usually come from people called script kiddies—attackers who have little to no programming skill and very little system knowledge. Script kiddies tend to conduct attacks just for bragging rights among their groups, which are often linked only by an Internet Relay Chat (IRC) channel. They obtain attack tools that have been built by others with more skill and use them, often indiscriminately, to attempt to exploit a vulnerability in their target. If their attack fails, they will likely go elsewhere and keep trying. Additional risk comes from the fact that they often use these tools with little to no knowledge of the target environment, so attacks can wind up causing unintended results. Unstructured threats can cause significant damage or disruption, despite the attacker's lack of sophistication. These attacks are usually detectable with current security tools.

Structured attacks are more worrisome because they are conducted by hackers with significant skill. If the existing tools do not work for them, they are likely to modify them or write their own. They are able to discover new vulnerabilities in systems by executing complex actions that the system designers did not protect against. Structured attackers often use so-called zero-day exploits, which are exploits that target vulnerabilities that the system vendor has not yet issued a patch for or does not even know about. Structured attacks often have stronger motivations behind them than simple mischief. These motivations or goals can include theft of source code, theft of credit card numbers for resale or fraud, retribution, or destruction or disruption of a competitor. A structured attack might not be blocked by traditional methods such as firewall rules or detected by an Intrusion Detection System (IDS). It could even use non-computer methods such as social engineering.

Another key task in securing your systems is closing vulnerabilities by turning off unneeded services and bringing them up to date on patches. Services that have no defined business need present an additional possible avenue of attack and are just another component that needs patch attention. Keeping patches current is actually one of the most important activities you can perform to protect yourself, yet it is one that many organizations neglect.

The Code Red and Nimda worms of 2001 were successful primarily because so many systems had not been patched for the vulnerabilities they exploited, including multiple Microsoft Internet Information Server (IIS) and Microsoft Outlook vulnerabilities. Patching, especially when you have hundreds or even thousands of systems, can be a monumental task. However, by defining and documenting processes, using tools to assist in configuration management, subscribing to multiple vulnerability alert mailing lists, and prioritizing patches according to criticality, you can get a better handle on the job.

One useful document to assist in this process has been published by the U.S. National Institute of Standards and Technology (NIST), which can be found at http://csrc.nist.gov/publications/nistpubs/800-40/sp800-40.pdf (800-40 is the document number).

Also important is having a complete understanding of your network topology and some of the key information flows within it as well as in and out of it. This understanding helps you define different zones of trust and highlights where re-architecting the network in places might improve security—for example, by deploying additional firewalls internally or on your network perimeter.

Defining Information Security

Over the last couple of decades, many companies began to realize that their most valuable assets were not only their buildings or factories but also the intellectual property and other information that flowed internally as well as outwardly to suppliers and customers. Company managers, used to dealing with risk in their business activities, started to think about what might happen if their key business information fell into the wrong hands, perhaps a competitor's.

For a while, this risk was not too large, due to how and where that information was stored. Closed systems was the operative phrase. Key business information, for the most part, was stored on servers accessed via terminals or terminal emulators and had few interconnections with other systems. Any interconnections tended to be over private leased lines to a select few locations, either internal to the company or to a trusted business partner.

However, over the last five to seven years, the Internet has changed how businesses operate, and there has been a huge acceleration in the interconnectedness of organizations, systems, and networks. Entire corporate networks have access to the Internet, often at multiple points. This proliferation has created risks to sensitive information and business-critical systems where they had barely existed before. The importance of information security in the business environment has now been underscored, as has the need for skilled, dedicated practitioners of this specialty.

We have traditionally thought of security as consisting of people, sometimes with guns, watching over and guarding tangible assets such as a stack of money or a research lab. Maybe they sat at a desk and watched via closed-circuit cameras installed around the property. These people usually had minimal training and sometimes did not understand much about what they were guarding or why it was important. However, they did their jobs (and continue to do so) according to established processes, such as walking around the facility on a regular basis and looking for suspicious activity or people who do not appear to belong there.

Information security moves that model into the intangible realm. Fundamentally, information security involves making sure that only authorized people (and systems) have access to information. Information security professionals sometimes have different views on the role and definition of information security

The three primary areas of concern in information security have traditionally been defined as follows:

• Confidentiality Ensuring that only authorized parties have access to information. Encryption is a commonly used tool to achieve confidentiality. Authentication and authorization, treated separately in the following discussion, also help with confidentiality.

• Integrity Ensuring that information is not modified by unauthorized parties (or even improperly modified by authorized ones!) and that it can be relied on. Checksums and hashes are used to validate data integrity, as are transaction-logging systems.

• Availability Ensuring that information is accessible when it is needed. In addition to simple backups of data, availability includes ensuring that systems remain accessible in the event of a denial of service (DoS) attack. Availability also means that critical data should be protected from erasure—for example, preventing the wipeout of data on your company's external Web site.

Often referred to simply by the acronym CIA, these three areas serve well as a security foundation. To fully scope the role of information security, however, we also need to add a few more areas of concern to the list. Some security practitioners include the following within the three areas described above, but by getting more granular, we can get a better sense of the challenges that must be addressed:

• Authentication Ensuring that users are, in fact, who they say they are. Passwords, of course, are the longstanding way to authenticate users, but other methods such as cryptographic tokens and biometrics are also used.

• Authorization/access control Ensuring that a user, once authenticated, is only able to access information to which he or she has been granted permission by the owner of the information. This can be accomplished at the operating system level using file system access controls or at the network level using access controls on routers or firewalls.

• Auditability Ensuring that activity and transactions on a system or network can be monitored and logged in order to maintain system availability and detect unauthorized use. This process can take various forms: logging by the operating system, logging by a network device such as a router or firewall, or logging by an intrusion detection system (IDS) or packet-capture device.

• Nonrepudiation Ensuring that a person initiating a transaction is authenticated sufficiently such that he or she cannot reasonably deny that they were the initiating party. Public key cryptography is often used to support this effort.

You can say that your information is secure when all seven of these areas have been adequately addressed. The definition of adequately depends, however, on how much risk exists in each area. Some areas may present greater risk in a particular environment than in others.

Common Information Security Concepts

A generic dictionary definition of security (taken from the American Heritage Dictionary) is "freedom from risk or danger; safety." This definition is perhaps a little misleading when it comes to computer and networking security, because it implies a degree of protection that is inherently impossible to achieve in the modern connectivity-oriented computing environment.

For this reason, the same dictionary provides another definition specific to computer science: "The level to which a program or device is safe from unauthorized use" (emphasis added). Implicit in this definition is the caveat that the objectives of security and accessibility—the two top priorities on the minds of many network administrators—are, by their very nature, diametrically opposed. The more accessible your data, the less secure it is. Likewise, the more tightly you secure your data, the more you impede accessibility. Any security plan is an attempt to strike the proper balance between the two.

Knowledge Is Power

The preceding heading is a famous hacker's motto (along with such other gems as "Information wants to be free" and the simplistic but optimistic "Hack the world!"). "Knowledge is power" is a truism that applies not only to people attempting to gain access to data they aren't supposed to see, but also to those who are trying to protect themselves from such intruders. The first step in winning any battle—and network security is a battle, a battle for the ownership and control of your computer files—is the same as it's always been: "Know thine enemy."

To protect your network resources from theft, damage, or unwanted exposure, you must understand who initiates these events, why they do it, and how they do it. This knowledge will make you powerful, too—and better able to prevent unauthorized intrusions into your network. The section "Preventing Unauthorized External Intrusions and Attacks" discusses the various motivations that drive network intruders and the types of people who make a practice of "breaking and entering" networks.

The very best place to learn is from hackers themselves. Even so, many network administrators and even some security specialists eschew the books and Web sites that are written to a hacker audience or from the hacker's point of view. This might be because they fear "guilt by association" or believe that they would be somehow lowering themselves to "hang out" with hackers. Although possibly based on high moral ground, this attitude is, strategically, a mistake. Whether you take a more formal route, such as the SANS GIAC or CISSP certification courses, or opt to learn on your own, you'll need to understand who the hackers are, what they do, and how and why they do it if you want to effectively protect your network from unwanted intrusions.

Think Like a Thief

It is well known in law enforcement circles that the best criminal investigators are those who are best able to "get inside the mind" of the lawbreaker. Network intrusion detectives will find that the same is true: to prevent your network from falling prey to hackers or to catch data thieves when they do get in requires you to be able to adopt a mindset emulating theirs.

This means learning to anticipate the intruder's actions. First, you must determine what needs to be protected, and to what degree. A wealthy person not only establishes a general security perimeter by building fences around his or her house and locking doors and windows, but the wise person also places the most valuable items in a wall or floor safe. This action provides multiple layers of protection.

Removing Intrusion Opportunities

The term computer security encompasses many related but separate topics. These topics can be stated as security objectives:

• Control of physical accessibility to the computer(s) and/or network

• Prevention of accidental erasure, modification, or compromise of data

• Detection and prevention of intentional internal security breaches

• Detection and prevention of unauthorized external intrusions (hacking)

Network security solutions can be loosely divided into three categories:

• Hardware

• Software

• Human

This chapter provides an overview of basic security concepts, then examines all four security objectives and takes a look at each of the three categories of security solution. A good network security system will help you easily remove the temptations (open ports, exploitable applications) and will be as transparent to your users as possible.

Crime prevention officers tell members of the community that they probably can't keep a potential burglar from wanting to steal, and they certainly can't keep the potential burglar from obtaining burglary tools or learning the "tricks of the trade." What community members can do is take away, as much as possible, the opportunity for the burglar to target their own homes.

This means putting dead-bolt locks on the doors (and using them); getting a big, loud, unfriendly dog; installing an alarm system, and the like. In other words, the homeowner's goal is not to prevent the burglar from burglarizing (that's the job of the police) but to make his or her home a less desirable target. Similarly, as a network "owner," your objective is to "harden" your own network so that all those hackers out there who already have the motive and the means will look for a more likely victim.

If you don't use them, the best and most expensive locks in the world won't keep intruders out of your house. And if those locks are difficult to use and cause you inconvenience in your everyday comings and goings, you probably won't use them—at least, not all the time. A poorly implemented network security system that is difficult to administer or that unduly inconveniences network users could end up similarly; eventually you will throw your hands up in frustration and just turn the darn thing off. And that will leave your network wide open to intruders.

For example, a network administrator would add Intrusion Detection Systems, router access lists, Tripwire to the local systems to check for changed system binaries, and public key or digital certificate authentication to allow him or herself a substitute for a password. However, if you've implemented this and not used it, you're wasting your resources.

It is not the job of the homeowners to prevent burglars from burglarizing—only to protect themselves from being victimized. Likewise, it is not the job of a network administrator or network security manager to keep hackers from hacking. You can only take steps to protect your network and its resources from those who "break and enter" networks for fun or profit.