Information security threats: Characteristics of the threats, Targeted systems and their complexities: by Kenneth Fung

Major categories of information security threats:

Anderson (1994) stated that the purpose of information security is to protect information systems, assets and environments from security threats. The business impact of these threats is the loss or potential loss of confidentiality of data, integrity of data and availability of process (denial of service). Marchany (2001) listed the ten most critical Internet security threats and the ways to eliminate them. (Anderson, Longley, & Kwok, 1994), (Marchany, 2001)

Characteristics of the threats:

Loss of confidentiality of data is characterized by threats such as eavesdropping on the network and theft of data/information from the server, the client, the network configuration and the data/information being transmitted. Loss of data integrity is characterized by threats such as modification of user data, memory and messages in transit, and Trojan horse intrusion. It also includes authentication threats such as impersonation of legitimate users and data forgery. Loss of availability of service (denial of service) is characterized by threats such as killing user threads, flooding the server with bogus requests, filling up disk or memory, and isolating the machine by a DNS (Domain Name Service) attack (Stallings, 1999).

Types of target systems, and techniques and technologies to protect against these threats:

Loss of confidentiality of data:

Intruders from outside can target the network infrastructure, the server and any database with sensitive information (Davis, 1997). Not all of these thefts come from external attack: contractors and disgruntled employees may take proprietary information for personal gain or to take revenge on the company. Because they threaten the core of the information systems, these threats are complex, and the countermeasures are sophisticated and intensive. They are especially important in e-commerce. The Secure Sockets Layer (SSL) infrastructure is designed to provide privacy and confidentiality across the Internet. The Secure Electronic Transaction protocol (SET) includes protocols for purchasing goods and services electronically, requesting authorization of payment, and requesting "credentials" (certificates) that bind public keys for authentication. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extensions (MIME) messages. To prevent eavesdropping on the network, system administrators implement cryptography for encryption and authentication. Some of the common techniques and technologies are public/private key cryptography, DES, RSA and digital signatures. To protect against the theft of data/information, companies implement access control measures to ensure that only the right people can access the data/information. Some access control techniques are Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC).

Loss of data integrity:

This kind of security threat takes advantage of software vulnerabilities. Marchany (2001) listed the ten most critical Internet security threats and the ways to eliminate them. Once these threats are known, protecting against them is not complicated.

1.      The Berkeley Internet Name Domain (BIND) package is the most widely used implementation of Domain Name Service (DNS). Systems use it to locate other systems on the Internet by name without having to know specific IP addresses. Intruders can erase the system logs and install tools to gain administrative access. The target systems were UNIX and Linux systems. Disabling the BIND name daemon (named) on all systems that are not authorized to be DNS servers is one way to eliminate this threat.

2.      Most web servers use Common Gateway Interface (CGI) programs to provide interactivity in web pages, such as data collection and verification. Intruders can locate vulnerable CGI programs to vandalize web pages, steal credit card information, and set up back doors to enable future intrusions. All web servers are affected. Removing all unsafe CGI programs from production servers and not running web servers as root are two ways to remedy this threat.

3.      Remote procedure calls (RPC) allow programs on one computer to execute programs on a second computer in order to access network services. Flaws in RPC can be exploited. Target systems are UNIX and Linux systems. Installing system patches prevents intruders from exploiting this vulnerability.

4.      Microsoft's Internet Information Server (IIS) is the web server software found on most web sites deployed on Microsoft Windows NT and Windows 2000 servers. Intruders exploited programming flaws in IIS, using the Remote Data Services (RDS) component to run remote commands with administrator privileges. This threat targets Windows NT systems running IIS. Installing the patches or upgrades that fix RDS protects systems from this threat.

5.      Attackers took advantage of an exploitable weakness in Sendmail. An attacker would send a specially crafted mail message which Sendmail read as instructions requiring the victim machine to send its password file to the attacker's machine, where the passwords could be cracked. Upgrading Sendmail to the latest patched version resolves this threat.

6.      Attackers trigger a buffer overflow in sadmind (the remote administration application of Solaris) and mountd (which controls and arbitrates access to NFS mounts on UNIX hosts). They exploited these buffer overflows to gain control with root access. Turning off and/or removing these services on machines directly accessible from the Internet and installing the latest patches protects against this threat.

7.      File sharing over UNIX, Windows and Macintosh networks, when improperly configured, can expose critical system files or give full file system access to intruders connected to the network. Implementing strong security on file sharing remedies this threat.

8.      Attackers try default and easily guessed passwords, and accounts protected by such passwords are compromised. Through these accounts, the attackers get inside the firewall and onto the target machine. Most attackers can then use widely available exploits to gain root or administrator access. Creating and enforcing a strong password policy remedies this threat.

9.      Attackers exploit flaws in IMAP or POP (remote access mail protocols) and gain instant root-level control of UNIX and Linux systems. Implementing strong access control on these services, using wrappers and encrypted channels to protect passwords, remedies this threat.

10.  Attackers take advantage of vulnerabilities in the Simple Network Management Protocol (SNMP) to reconfigure or shut down devices remotely. Intruders use sniffed SNMP traffic to pick targets and plan attacks. All systems and network devices are vulnerable. Applying a strong password policy to SNMP remedies this threat.
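Several of the remedies above are configuration checks (named only on authorized DNS servers, web servers not running as root, sadmind/mountd off on Internet-facing hosts, IMAP/POP only over encrypted channels, no default SNMP community strings). The following audit is an added example, not from the essay or from Marchany's document; the `Host`/`Service` inventory format, the daemon names it matches on and the sample host are constructed assumptions.

```python
"""Audit a host's service inventory against the hardening advice in the
ten-threat list above.  Added example; the inventory format is constructed."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str                # daemon name as it appears in a process list
    user: str                # account the daemon runs as
    encrypted: bool = False  # True when the service only accepts TLS-wrapped logins


@dataclass
class Host:
    name: str
    internet_facing: bool            # reachable directly from the Internet
    authorized_dns: bool             # allowed to act as a DNS server
    snmp_communities: tuple = ()     # configured SNMP community strings
    services: list = field(default_factory=list)


DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults that should never remain


def audit(host):
    """Return a list of (threat number, message) for each exposure found."""
    findings = []
    for svc in host.services:
        if svc.name == "named" and not host.authorized_dns:
            findings.append((1, f"{svc.name} running on a non-DNS host; disable it"))
        if svc.name in ("httpd", "apache") and svc.user == "root":
            findings.append((2, f"{svc.name} runs as root; use an unprivileged account"))
        if svc.name in ("sadmind", "mountd") and host.internet_facing:
            findings.append((6, f"{svc.name} exposed to the Internet; turn it off and patch"))
        if svc.name in ("imapd", "popd", "pop3d") and not svc.encrypted:
            findings.append((9, f"{svc.name} accepts cleartext logins; require an encrypted channel"))
    weak = DEFAULT_COMMUNITIES & set(host.snmp_communities)
    if weak:
        findings.append((10, f"SNMP still uses default community string(s) {sorted(weak)}"))
    return findings


# Constructed sample: an Internet-facing web server with several leftover services
SAMPLE_HOST = Host(
    name="web1", internet_facing=True, authorized_dns=False, snmp_communities=("public",),
    services=[Service("httpd", "root"), Service("named", "named"),
              Service("mountd", "root"), Service("imapd", "root"), Service("sshd", "root")],
)

if __name__ == "__main__":
    for number, message in audit(SAMPLE_HOST):
        print(f"threat {number}: {message}")
```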

Loss of availability of services (Denial of service):

Denial of service (DoS) is a simple and popular method of attacking and removing the availability of corporate information resources. The attacker sends a flood of traffic that overloads Web servers, hosts, routers, and other network devices. The volume is so overwhelming that users, customers, and partners cannot access the network resources. Many commercial web sites have been subject to these attacks and lost consumer confidence. The techniques are not complex. To intensify the impact, attackers use sophisticated tools to recruit systems to be part of a coordinated mass attack (distributed denial of service, or DDoS) (Lau, Robin, Smith, & Trajkovic, 2000). If the machine under attack is a Web server, the denial of service is an annoyance whose costs to the organization could be staggering. Lau (2000) suggested several defenses against these attacks: filtering routers, disabling IP broadcasts, applying security patches, disabling unused services and performing intrusion detection.
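The intrusion detection measure Lau (2000) lists can be illustrated on web-server traffic: a single source sending far more requests than normal in a short window is the DoS pattern, while many sources each sending a little but together exceeding what the server can absorb is the DDoS pattern. The detector below is an added example, not code from the essay or from Lau et al.; the log line format (`timestamp source-ip request`), the thresholds and the sample log are constructed.

```python
"""Sliding-window flood detection over constructed web-server access logs.
Added example; the line format, thresholds and log lines are constructed."""
from collections import defaultdict, deque

PER_SOURCE_LIMIT = 5   # requests per window from one address before it is flagged (DoS)
AGGREGATE_LIMIT = 12   # total requests per window before a mass flood is flagged (DDoS)
WINDOW = 10            # window length in seconds


def parse_line(line):
    """Return (timestamp in seconds, source ip) from a constructed 'ts ip request' line."""
    ts, ip, _request = line.split(" ", 2)
    return int(ts), ip


def detect_floods(lines):
    """Return (set of flagged source ips, whether an aggregate flood was seen).

    Lines are assumed to be in time order, as in a live log feed.
    """
    per_ip = defaultdict(deque)   # recent request times per source
    recent = deque()              # recent request times across all sources
    flagged, ddos = set(), False
    for line in lines:
        ts, ip = parse_line(line)
        per_ip[ip].append(ts)
        recent.append(ts)
        for q in (per_ip[ip], recent):           # evict events outside the window
            while q and ts - q[0] >= WINDOW:
                q.popleft()
        if len(per_ip[ip]) > PER_SOURCE_LIMIT:   # one source alone exceeds the budget
            flagged.add(ip)
        if len(recent) > AGGREGATE_LIMIT:        # many sources together exceed it
            ddos = True
    return flagged, ddos


# Constructed log: one host bursting, then 13 distinct hosts within five seconds
SAMPLE_LOG = (
    [f"{100 + i} 10.0.0.5 GET /" for i in range(8)]
    + [f"{200 + i // 3} 192.0.2.{i + 1} GET /" for i in range(13)]
    + ["300 198.51.100.7 GET /index.html", "305 198.51.100.8 GET /about"]
)

if __name__ == "__main__":
    sources, mass_flood = detect_floods(SAMPLE_LOG)
    print("flagged sources:", sorted(sources), "aggregate flood:", mass_flood)
```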

References:

Anderson, A., Longley, D., & Kwok, L. F. (1994). Security modelling for organizations. Paper presented at the Proceedings of the 2nd ACM Conference on Computer and Communications Security.

Davis, C. E. (1997). An Assessment of Accounting Information Security. The CPA Journal, 67, 28-37.

Lau, F., Robin, S. H., Smith, M. H., & Trajkovic, L. (2000, Oct.). Distributed Denial of Service Attacks. Paper presented at the Proc. 2000 IEEE Int. Conf. on Systems, Man, and Cybernetics, Nashville, TN.

Marchany, R. (2001). How to eliminate the Ten Most Critical Internet Security Threats (Version 1.33). SANS Institute [Online]. Available: http://www.sans.org/topten.htm [2001, August 1].

Stallings, W. (1999). Network Security Essentials: Applications and Standards. Upper Saddle River, NJ: Prentice-Hall.