BASICS:
FUNDAMENTAL READING FOR INFOSEC
INCLUDING THE CISSP, CISM, CCNA-SECURITY CERTIFICATION EXAMS
RON MCFARLAND, PH.D.
http://www.wrinkledbrain.net
TABLE OF CONTENTS
Why I Wrote This Book ............................................................................2
Why You Should Read This Book .........................................................4
Table of Contents ........................................................................................6
Introduction ..................................................................................................7
Chapter 1. Introduction to Encryption ..............................................9
Chapter 2. Introduction to Symmetric Key Algorithms .......... 40
Chapter 3. Malware ................................................................................. 53
Chapter 4. Firewalls ................................................................................ 73
Chapter 5. Denial of Service Attacks................................................ 86
Chapter 6. Cryptographic Tools...................................................... 103
Chapter 7. Wireless Security ............................................................ 116
Chapter 8. Operating System Security ......................................... 151
Chapter 9. Database Security ........................................................... 166
Chapter 10. Computer Auditing ..................................................... 183
Summary .................................................................................................. 199
References ............................................................................................... 201
About The Author ................................................................................. 211
Other Books By Ron McFarland ..................................................... 213
INTRODUCTION
Information Security is a hot topic and, for the professional information technologist, is an important set of skills to be proficient in. Further and more importantly, since we are in the ever-expanding and ever-growing field of information technology and information systems, having a certification or two in the information security area can be a boost to our career.
On a very recent Internet search from a reputable source (Global Knowledge: http://www.globalknowledge.com/training/generic.asp?pageid=3430 ), the CISSP (Certified Information Systems Security Professional) offered by ISC2 was the second top-paying industry certification (followed by the Project Management Professional, PMP), which further emphasizes the importance of the information security field in the technology industry. Likewise, other security-related certifications are just as important in other aspects of the information technology and information security fields.
CHAPTER 1. INTRODUCTION TO
ENCRYPTION
I know that talking about encryption isn't a sexy topic. Try talking about encryption at your next social event and count the number of people who roll their eyes or who immediately change the topic! However, if you're reading this eBook, I'm going to assume that you're one of three types of people: you're a geek (like me), you're a wanna-be geek (as I once was), or a student/learner interested in information security (I suppose I fit this category earlier on as well). We'll start our discussion with encryption since it is the basis of much of the work done in information security.
In general, encryption (of a few flavors) of digitally
stored (also known as static data) and transmitted data
(also known as data in motion) has been important
since computers and networks were first used. Recently
the subject of information security and encryption has
become a topic of high public interest following the
release of documents by Edward Snowden which
WHAT IS ENCRYPTION
Before we discuss encryption and what it is in terms of information technology, let's chat a bit (pun intended, I suppose) about where encryption comes from. Encryption comes from the field of cryptography. That's another one of those terms that you can share at your next party! Cryptography is the field of "secret writing" and has its origins with the ancient Greeks. Caesar, for example, would scramble the messages sent to his generals in case the messages were inadvertently intercepted. With scrambled writing, messages could not be interpreted by the enemy. There's an entire history of cryptography that you can, optionally, read up on. While there are textbooks galore about the history of cryptography, you can find a bit of brief (and interesting) reading about cryptography on one of the premier technology websites, Wikipedia!
Encryption is one aspect of cryptography that is relevant to our discussion in this book. Encryption is the
THE MESSAGE
To emphasize a bit more the message portion of our discussion on encryption, think of the message that a typical web page will form. If you're on Amazon ordering a new book (or an eBook), the screen may have quite a few fields on it. The screen that you're working with may have fields like your name, address, city, state, zip code, and all the fields for the book information. When you press Enter, you send this information bundled in a large message (for our example, it could be as large as 5000 bytes). This message will ultimately be sent to various networking components, sliced up into smaller packets to be delivered from the sending end (your side of the transaction) to the receiving side (Amazon, in our example). During this process, the
THE KEY
Whenever I think about keys, I think about the lock on my storage shed and all of the stuff that I want to keep secure behind the locked door. I know that I keep a lot of both needed and useless items in my storage shed, but that's for another discussion. Anyway, to secure and protect your data, like you would if you're securing your old furniture and miscellaneous items in a storage shed, you'd typically use a key and a lock to secure the storage shed door. The analogy that we use for the encryption of data is the same. When we encrypt data (again, scramble data), the algorithm (program, process) that scrambles the data requires, of course, the
THE CIPHER
The result of your message and unique key being sent to the encryption algorithm is the cipher. The cipher is literally a disguised way of writing. I don't know if you remember Cracker Box candy (maybe I'm dating myself). Anyway, Cracker Box came with a small toy, and when I was young, I would buy Cracker Box mostly for
DECRYPTION
Decryption, as you probably already know by now, is converting the cipher text into readable form. My description of my brother and me using a ring to encrypt and decrypt messages that we hid from our sister holds with this definition of decryption. But there's a twist here. Both my brother and I had identical rings (other than the fact that I decided to paint my ring). The ring that he used and the ring that I had were used to both encrypt and decrypt messages. If we're using the same key to both encrypt and decrypt a message, this is known as a symmetric key. Later, we'll discuss what an asymmetric key is, but first, let's
ENCRYPTION STRENGTH
One of the primary issues around the strength of encryption centers on the key length (remember private and public keys from the prior section?). The strength of the encryption (and the ease of decryption) rests in significant part on the key length. Let's say I have a combination lock on my bicycle, and let's say that I park my bike and tie it up to a pole right outside the Starbucks where I sometimes get a morning cup of coffee. If my combination lock only had 2 cylinders that each tumbled from 0 through 9, it would take someone seconds to figure out the combination. My key space is defined by the number of tumblers (2) and the number of numbers on each tumbler (10: 0 through 9). From this small key space, I can mathematically calculate that I'd have 10 (total possible numbers on the first tumbler) times 10 (total possible numbers on the second tumbler) for a maximum of 100 possible combinations. That would take someone a minute or two to break into. And off goes my bike.
Now if I had 5 tumblers, each with 10 possible numbers, the total
ONE-TIME PAD
The one-time pad symmetric key encryption can be viewed as a disposable key, thus the "one-time" name. A one-time pad encryption method uses a generated key that matches the length of the information to be encrypted. Each character of the message is shifted by the value at the matching position in the key. This method (assuming the key can be successfully randomly generated) has been proven to be theoretically unbreakable, but there are a few important difficulties associated with the use of a one-time pad.
The first difficulty with a one-time pad is in generating the key itself. Since there is no fixed key length, because the length varies depending on the length of the data being encrypted, there is a problem with the true randomness of the key. For secure encryption, security relies not only on the length of the key, as noted earlier, but on the uniqueness of the key. For example, if we had
STREAM
Whenever I think of a stream cipher, I think of a stream of water flowing in the mountains where I hike in the summer time. The analogy of a mountain stream with a stream of continuously flowing data holds. A stream cipher operates similarly to how a one-time pad functions. A stream cipher, however, uses a smaller key, called a seed, rather than a unique key built off of the entire file. The seed is used to generate pseudo-random
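To make the one-time pad and the stream cipher above concrete, here is an added Python example (not code from the book): each letter is shifted by the key value at the matching position, a fresh pad is drawn from the operating system's random source for every message, a stream cipher expands a short seed into a keystream instead, and a helper shows why the pad must be unique: when two messages share a pad, the difference between the ciphertexts no longer depends on the pad at all. Python's random.Random stands in for a real keystream generator purely to show the structure; it is not a secure generator, an assumption made to keep the example short.

```python
import random
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def generate_pad(length):
    """Return a one-time pad: one uniformly random shift (0-25) per character.

    secrets.randbelow draws from the OS CSPRNG, i.e. the "successfully
    randomly generated" key that the unbreakability proof depends on.
    """
    return [secrets.randbelow(len(ALPHABET)) for _ in range(length)]


def _shift(text, key, direction):
    """Shift every letter of `text` by the matching key value (mod 26)."""
    if len(key) != len(text):
        # A pad must match the message length exactly: a short pad would leave
        # characters unprotected, a long one wastes key material.
        raise ValueError("key length %d != message length %d" % (len(key), len(text)))
    out = []
    for ch, k in zip(text, key):
        idx = ALPHABET.index(ch)  # raises ValueError for non-letters
        out.append(ALPHABET[(idx + direction * k) % len(ALPHABET)])
    return "".join(out)


def otp_encrypt(plaintext, pad):
    return _shift(plaintext.upper(), pad, +1)


def otp_decrypt(ciphertext, pad):
    return _shift(ciphertext, pad, -1)


def keystream_from_seed(seed, length):
    """Stream-cipher view: a short seed is expanded into a long keystream.

    random.Random is a Mersenne Twister, NOT a cryptographic generator; it is
    used only to illustrate the shape of the construction (seed in, keystream out).
    """
    rng = random.Random(seed)
    return [rng.randrange(len(ALPHABET)) for _ in range(length)]


def stream_encrypt(plaintext, seed):
    return otp_encrypt(plaintext, keystream_from_seed(seed, len(plaintext)))


def stream_decrypt(ciphertext, seed):
    return otp_decrypt(ciphertext, keystream_from_seed(seed, len(ciphertext)))


def ciphertext_difference(c1, c2):
    """Letter-wise (c1 - c2) mod 26 for two ciphertexts of equal length.

    If both were produced with the same pad k, then (p1+k) - (p2+k) == p1 - p2:
    the pad cancels out and the result depends only on the two plaintexts,
    which is why "one-time" is not optional.
    """
    return [(ALPHABET.index(a) - ALPHABET.index(b)) % len(ALPHABET) for a, b in zip(c1, c2)]


if __name__ == "__main__":
    message = "MEETATNOON"          # constructed sample message
    pad = generate_pad(len(message))
    cipher = otp_encrypt(message, pad)
    print(cipher, otp_decrypt(cipher, pad))
```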
BLOCK
A block cipher takes in a chunk (block) of plaintext data and encrypts that block using a key. Algorithms such as DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), and AES (Advanced Encryption Standard), to name a few, fall into this category. Each of these algorithms takes in a block of the plain text, and encrypts that block
CHAPTER 2. INTRODUCTION TO
SYMMETRIC KEY ALGORITHMS
As we noted in the prior chapter, there are several encryption algorithms that have been or are currently in use for symmetric encryption. The earliest recommended encryption algorithm was the Data Encryption Standard (DES), which is a block encryption algorithm designed to use a 40 or 56 bit key length plus an additional 8 bits for error checking. The DES encryption standard was originally adopted as a FIPS (Federal Information Processing Standards) standard in 1977 and is in use for some limited applications even today. The key length received criticism as being too short, as it is susceptible to hacking. There are also continued questions about the NSA's involvement in its development, since there are reported back-door methods to readily hack into DES-encrypted files.
DES remained the suggested encryption method through the 1990s and even as late as 2003 (and can be found in some limited use today). FIPS, in 1999, stated
KEY SHARING
Recall that keys will unlock encrypted files. So we'll need to distribute the keys in symmetric encryption. Also recall that symmetric encryption uses the same key on both sides, by the sender and the recipient of the encrypted data. With both sides needing the same key, there is an implied trust that the key was not shared, either intentionally or unintentionally, with a third party by either the sender or the receiver. Because of this key-sharing trust issue, information security experts note that key sharing is the most difficult item to handle.
Diffie-Hellman key exchange. In summary, Diffie-Hellman is a way of exchanging cryptographic keys and, while it was developed in 1976, this method for key exchange is still readily used. For example, if you're studying for the CCNA-Security exam or the CISSP, this is a vital part of the VPN setup that you'll need to understand and know. While this is an introductory book on information security, I'll continue to note a few items that you will run into later in your studies.
The third solution for key distribution, which will be examined a bit more in the next section, is the Kerberos system that was designed by the Massachusetts Institute of Technology (MIT) in the 1980s and 1990s and which is still in use in many production-level products (like Microsoft Server products, for example). We'll look at Kerberos next.
KERBEROS
Kerberos is a name derived from Greek mythology. Kerberos is the three-headed dog that guards the entry to Hades. I suppose that the MIT researchers had a bit of a sense of humor. But, we'll see how the three aspects of
CONCLUSION
As we've seen so far, organizations wanting to protect their data have several choices among symmetric encryption algorithms that will help to keep their data safe. But while the many symmetric encryption algorithms available today are assumed to be fairly robust and secure, the primary factor that makes an encryption key stronger is basically the key length.
In summary, the key length required to keep data secured will depend at least partially on how long a user wants that data to be secure. The general rule of thumb with key lengths is that the longer the time
CHAPTER 3. MALWARE
The world of malware is teeming with various breeds of software, each with its own behavioral presentation. It is imperative that users develop an understanding of the major categories of malware, and their signature behaviors, in order to devise appropriate strategies of prevention and defense. The following pages endeavor to present the reader with a general survey of malware, describing its presentations as well as current techniques for handling instances of the malware. These categories of malware are used to describe how the software behaves within a system, or how it propagates amongst users.
Information technology has become an increasingly used tool with developed applications in nearly every field of society. As the world of information systems has developed to its current level of sophistication, so have the methods of malicious attackers and users who compromise security. Let's look at several categories of malware that are used to
ROOTKITS
Generally, there are two primary forms of rootkits that use different methodologies to compromise a computer system. These are the binary-level rootkits and kernel-level rootkits.
Binary-level rootkits operate in ways that modify data at finer levels of system processing. Essentially, binary-level rootkits tamper with user-level processes. In contrast, kernel-level rootkits work at a more atomic level of the system. Kernel-level rootkits work within the kernel of the operating system and tamper with system-level processes and system-level calls.
Both rootkit types are a type of Trojan file that lives at the essential levels of a system and is installed in order to grant a malicious user access control, or otherwise tamper with a system at some time in the
TROJANS
The intrusion architecture that makes up Trojan
infections generally comes in several forms. The main
forms are:
VIRAL MALWARE
This category of malware is often the most misused label for instances of malware. It is oftentimes used to identify an existing instance of malware that does not fit the constraints of its definition. Amongst the earlier forms of malware, viral malware infections can be the most troublesome to purge from a system, as they are defined by their ability to reproduce themselves rapidly within a local machine. As viral malware has had much time to evolve, these infectious pieces of software see various levels of sophistication and employ a great many methodologies in their propagation. Oftentimes, modern viruses do not simply multiply upon a system, but evolve themselves periodically with further generations as a method of defense against detection or eradication; meaning that most viruses increase their effects upon a system at something of an exponential rate. Like many of their malware cousins, viral infections have a great many architectures that determine their function, method of evolution, propagation, and their many other traits. However, viruses generally share a handful of common
BOTS
While bots are software systems that can be constructed to serve benign purposes upon a system, this type of software has also been utilized as the core architecture of many forms of malware. Distinguished by their behavior, bots are instances of software that are placed upon a machine to perform automated tasks in the stead of their malicious user. Normally, modern bots infect collections of computers that become part of a network of computers with a similar instance of the bot; this web of infected computers becomes part of the botnet. Normally, bots that take over systems give the distributor of the
SPYWARE
Within this class, there are a number of formats of
malware that are responsible for directly or indirectly
enabling a malicious user to monitor and direct the
activity of a system that has been compromised by
Spyware. The general forms that Spyware may take
are:
1. Cookies/Web Bugs: Cookies offer small spaces
to save state information to individual clients,
enabling websites to store user-specific
CONCLUSION
The pages above have presented the broad forms of
malware that exist in the world of information
CHAPTER 4. FIREWALLS
The internet, like any untrusted network, can be a scary place. Every day, new vulnerabilities are being discovered and also exploited. When a flaw is discovered, it needs to be patched. While this is easy to do for one system, it becomes complicated when many systems are involved, and only gets worse when those systems employ different software and setups. Patching every host is recommended but difficult; it can be done with host-based security, but this becomes impractical at large scale. An alternative to this is the firewall.
TYPES
There are three types of firewalls. The first type of firewall is the packet filter, which has a fairly basic security method. After packet filters came stateful filters. Stateful filters are more aware of the network data and provide a higher level of security than packet filters. The final type of firewall is the gateway firewall, also known as a proxy.
PACKET FILTER
Packet filters are aware of the packets that data is transferred in and the basic parts of each packet. The parts a packet filter knows about are the source and destination IP addresses, the port numbers, and the IP protocol field. Packet filters work by allowing or blocking packets based on a set of rules related to the packet information they understand. If a packet does not match a rule, then there are two possible default actions they may take.
The default discard policy blocks any packet that is not allowed by a rule, while the default forward policy allows any packet not blocked by a rule to pass. The default discard policy is more secure, but it may hinder users more until rules to allow specific traffic are added. Packet filters are simple, which makes them fast, but they can be difficult to configure correctly and they provide no authentication for use of the connection.
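The packet filter just described, as an added Python example (not code from the book): rules match only the fields a packet filter knows (source and destination address, protocol, port), the first matching rule wins, and the same rule set is run under a default discard policy and a default forward policy so the difference is visible on the unmatched packet. The rules, hosts and addresses are constructed for the example from the documentation ranges and represent no real network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter understands (nothing above layer 4)."""
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", ...
    dport: int = 0  # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "block"
    src: str = "0.0.0.0/0"    # source prefix, any address by default
    dst: str = "0.0.0.0/0"    # destination prefix, any address by default
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class PacketFilter:
    """First matching rule wins; the default policy decides everything else."""

    def __init__(self, rules, default="block"):
        if default not in ("allow", "block"):
            raise ValueError("default policy must be 'allow' (forward) or 'block' (discard)")
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed rule set. Order matters: the block rule for the misbehaving /24
# comes first, otherwise the HTTPS allow rule below would let its packets in.
RULES = [
    Rule("block", src="198.51.100.0/24"),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
]

# Constructed sample packets (documentation addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # HTTPS to the web server
    Packet("203.0.113.5", "192.0.2.10", "tcp", 22),    # SSH: no rule covers it
    Packet("198.51.100.7", "192.0.2.10", "tcp", 443),  # HTTPS from the blocked /24
]


def decisions(default):
    """Run the sample packets through a filter with the given default policy."""
    fw = PacketFilter(RULES, default)
    return [fw.decide(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    print("default discard:", decisions("block"))   # SSH packet is dropped
    print("default forward:", decisions("allow"))   # SSH packet slips through
```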
STATEFUL FILTER
The solution to the problems of a packet filter is the next
type of firewall, a stateful filter. A stateful filter knows
GATEWAY
CONFIGURATIONS
Firewalls are a central point in the network through which all network traffic passes. Because of this they are a convenient point for network management, and an integral point in network security. This allows firewalls to be configured to perform some advanced network management, allowing additional features to be easily added into the firewall.
DISTRIBUTED FIREWALLS
CONCLUSION
Firewalls are an integral part of network security. Firewalls keep out attackers and unwanted traffic. As a central point in the network, they can easily have additional features added to enhance the network, including advanced monitoring and VPN. Without firewalls, larger networks like the internet could not function. They are the first and often best defense available.
Attack Source Trace-back and Identification during and after the attack
INGRESS FILTERING
Ingress filtering drops traffic arriving on a network if the packet's source IP address does not match the domain prefix that the network expects on that link. An ISP that has implemented ingress filtering is able to reduce spoofing and can locate the source of an attack. Ingress filtering is not able to prevent all illegitimate uses, though. A user can forge their host's source address with another that has a permitted domain prefix.
EGRESS FILTERING
Egress filtering filters outbound traffic. It makes sure that only hosts that have been assigned an address within the network's own IP address space are allowed to create outbound traffic. This type of filtering is able to protect other Internet domains from an attack originating from an unknown user of a system. However, the
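Both filters above, as an added Python example (not code from the book): the ingress check on the ISP side accepts only source addresses from the prefix assigned to the customer link, the egress check on the site side lets out only packets sourced from the site's own address space, and the sample addresses include the limitation the text notes, a forged source that still falls inside the permitted prefix and therefore passes. The prefixes and addresses are constructed from the documentation ranges.

```python
import ipaddress

# Constructed example prefixes (documentation ranges), not real networks.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # assigned to one customer link
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]       # the site's own address space


def ingress_filter(src_ip, expected_prefix=CUSTOMER_PREFIX):
    """ISP side: a packet arriving on a customer link must carry a source
    address from the prefix assigned to that link, otherwise it is dropped."""
    return "forward" if ipaddress.ip_address(src_ip) in expected_prefix else "drop"


def egress_filter(src_ip, own_prefixes=OWN_PREFIXES):
    """Site side: only packets whose source is inside our own address space
    may leave, so a compromised host cannot spoof some other domain's address."""
    addr = ipaddress.ip_address(src_ip)
    return "forward" if any(addr in prefix for prefix in own_prefixes) else "drop"


# Constructed packets seen on the customer link; the genuine/spoofed status is
# known only to us for the demonstration, the filter only sees the address.
SAMPLE_SOURCES = [
    ("203.0.113.25", "genuine address on the customer prefix"),
    ("10.9.8.7",     "spoofed address outside the prefix"),
    ("203.0.113.77", "spoofed, but forged inside the permitted prefix"),
]


def ingress_report():
    """Decision per sample source; the third one passes, which is the
    limitation of ingress filtering the chapter points out."""
    return [(ip, ingress_filter(ip)) for ip, _ in SAMPLE_SOURCES]


if __name__ == "__main__":
    for (ip, note), (_, verdict) in zip(SAMPLE_SOURCES, ingress_report()):
        print(f"{ip:15} {verdict:8} ({note})")
```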
LOAD BALANCING
ISPs can increase the bandwidth provided to critical
connections in order to prevent them from being
affected by an increase in traffic (legitimate or not).
Implementation can be costly and complex. However
normal performance can improve in multiple server
architecture because of this load balancing.
HONEYPOT
An attacker is led to attack a honeypot instead of the actual system. Because of the way honeypots are implemented, an attacker believes they are attacking the actual system. If the signature of an attack is detectable, records of the attacker can be traced and stored, including the software and type of attack used.
CONCLUSION
DDoS attacks come in many forms with varying levels of
complexity, which are always evolving. The current
solutions for detection and prevention that we have
discussed have proved inadequate in protecting
systems from the ever-growing threat of DDoS attacks.
There is more research needed in this area, which will
have to be ongoing to keep up with evolution of DDoS
attack types. Currently the best way to protect a system
from DDoS attacks is to use a comprehensive solution,
which includes detection, prevention, and DDoS trace
back.
CONCLUSION
Through this examination of security over the ages, it is
apparent that cryptography has only become a field of
ever expanding research, whether in the pursuit of
strengthening it or that of breaking it. With technology
and connected devices doing nothing but proliferating
through our everyday lives, keeping all of our data and
communications secure becomes more and more of a
pressing issue. Throughout the world, new ideas and
inventions are being created and implemented for
people to use for entertainment (communicating with
loved ones or sharing pictures), making our day to day
lives more convenient (sending money, electronic locks
on our houses), or even making them safer (connected
smoke alarms, collision detection systems). In all of
these areas, there will always be someone who wants to
get their hands on this information for one reason or
OVERVIEW
Computer security today represents a very important part of computer science, especially network security. Almost everything today is linked to one computer network or another, whether the internet or a private network, and computers are used for almost every kind of modern work. Ensuring the security of such practice became the priority for users and companies, as the data exchanged through networks became more and more confidential, and the possible threats against networks were growing.
A large amount of effort has been put into research on network security, in order to prevent data loss, identity theft, and every problem caused by a lack of security. In this section, we will focus on wireless networks,
SYMMETRIC ENCRYPTION
As a recap from a prior section where we discussed
symmetric encryption, symmetric encryption uses a
single key, for both encrypting and decrypting data. The
schema is very simple: the text is enciphered using an
ASYMMETRIC ENCRYPTION
As we described in a prior section, asymmetric encryption and public key encryption are the same thing. Recall that the sender and the receiver have different keys to encrypt or decrypt messages; the emphasis with the term (and the term only) is that the public key is one of the 2 keys in asymmetric encryption that can actually be publicized. I can place my public key on any public forum, send it with each email, post it anywhere. It will still keep an encrypted message secure even if everyone had the public key available. Again, to either scramble or encrypt a message that uses an
BLOCK CIPHER
The block cipher, as shown by its name, will take as
input a block of data / plaintext, to produce a block of
cipher data. Thus, all the data to be enciphered will be
cut down into blocks, in order to produce multiple
blocks of enciphered data.
They usually are more susceptible to noise during
transmission resulting in a loss of all the data contained
in the block. However, they can provide integrity and
authentication protection.
STREAM CIPHER
A stream cipher differs from a block cipher in that it takes our plaintext as input bit by bit. It has two main components: a
SURVEILLANCE - EAVESDROPPING
On unencrypted networks, the attacker could read the data stream that is sent from and to the network. On encrypted networks, such as those using WEP, the attacker could use cracking software in order to break the key.
DOS ATTACK
A DoS attack can be performed at network layers 1 and 2. The layer 1 attack consists of emitting a strong signal, stronger than the one being attacked, in order to increase the noise on the channel used and prevent any user from accessing the legitimate network. The layer 2 attack consists of flooding the network and attached clients with malicious packets.
IMPERSONATION
After the surveillance, one is able to identify the MAC addresses of the users of the network. Even if the network is
DETECTING AN ATTACK
There are several ways to detect an attack on a wireless network. They are presented below.
1. Monitor the access point: Monitor every packet sent by every known AP on the network. If a new AP appears, one goes down, or any change occurs which is not supposed to happen in the network, an attack could be occurring.
2. Monitor the clients: It can be possible to monitor the clients, with mechanisms such as black-listing, detecting potentially harmful
Global architecture
The 802.11 standard is structured as follows:
Standard   Data Rate (Mbps)   Frequency (MHz)
802.11     1-2                2.4
802.11a    6-54
802.11b    1-11               2.4
802.11g    20+                2.4
AUTHENTICATION
WLAN authentication consists of:
1.
2.
3.
Authentication attacks
MITIGATION MECHANISMS
It is recommended to use WEP encryption wherever
possible to circumvent the lack of security offered by
SSIDs and open authentication.
GLOBAL ARCHITECTURE
WPAN can be divided into two global architectures: low-rate and high-rate architecture. Low-rate will use low radio frequency, where high-rate will use high radio frequency.
BLUETOOTH
ZIGBEE
ZigBee is a low-rate WPAN, low cost and with very low power consumption, using two-way communication. ZigBee is vulnerable to several attacks:
1. Jamming, a sort of DoS attack. As ZigBee systems often use only one channel, it is easy to send a lot of information on this channel in order to disable the device.
2. Collision attack, especially using acknowledgment frames, which is very effective
WMAN - 802.16
Specification 802.16 consists of wireless broadband
communication standards for Metropolitan Area
Networks (MAN). It is designed to cover a larger area
than WLAN networks and use a tall antenna to make
this possible.
GLOBAL ARCHITECTURE
The security architecture is laid out as follows:
MITIGATION MECHANISMS
In order to prevent the interception or writing of messages by unauthorized parties, confidentiality mechanisms and data authenticity mechanisms need to be in place. To prevent an attacker from communicating with two parties, replayed frames need to be detected.
GLOBAL ARCHITECTURE
The 3G protocol is based on its predecessor, GSM, but is nonetheless very different.
The user's phone will first communicate with the Node-B, which is the base station equipment. The Node-Bs will then communicate with their RNC. The RNC manages multiple Node-Bs, allocating resources and capacity for data calls.
DATA INTEGRITY
Data integrity is ensured using some main features:
integrity algorithm agreement and integrity key
agreement, allowing checking the data integrity
between the receiving and sending entity.
WEAKNESSES
When reallocating the Temporary Mobile Subscriber Identity (TMSI), it may happen that the SN or VLR fails to associate the TMSI with the International Mobile Subscriber Identity (IMSI). In such a case, the IMSI is requested directly from the user. This may allow an attacker to pose as an SN in order to request the permanent user identity. Also, the IMSI requested this way is transmitted unencrypted on the radio path, allowing eavesdropping.
PROPOSED PROTECTIONS
To avoid the use of the IMSI directly on the network, it is possible to use 2 TMSIs instead of one. Thus, if the first TMSI is compromised or fails to give an IMSI, the second one is used. If both fail, the user is not attached to the network.
It is also possible to enable the use of an end-to-end VPN for data transmission. Thus, the data will go encrypted directly from the user end to the server end, without the need to be decrypted and eventually re-encrypted on the network.
NETWORK MONITORING
BACKUP DATA
Regardless of how many safety measures are in place, it
is always important to have data backed up.
ATTACK ENVIRONMENT
Our attack was very simple. Our Victim (V) was surfing on the Internet using an unencrypted public Wi-Fi, and wanted to create a discussion forum to discuss network security matters.
Our Attacker (A) was monitoring all the Wi-Fi traffic in the area using Wireshark, and was able to see the traffic of V. As the Wi-Fi was unencrypted, and the website unsecured, A was able to see all the internet traffic of V.
ATTACK RESULT
The attack allowed us to discover the password and e-mail used to create the forum. As both the Wi-Fi and website connection were unencrypted, we were able to
CONCLUSION
In this section, we have looked at various wireless
technologies from smaller wireless local area networks
to extensive wireless wide area network. Each
technology has its own weaknesses and administrators
need to know the ins and outs of the technology used in
order to thwart attackers and ensure network security.
Laxness in security can lead to devastating
consequences for individuals and business entities
since almost all tasks performed today are over the
internet.
its image and store it. Clients can boot over the network and download these images. When the system boots for the first time, it will be fully patched and secured. Using Sysprep, these images can even be made hardware-agnostic, allowing for large-scale rollouts across organizations. Centralized configuration such as group policy enables administrators to change the settings of every endpoint at once by requiring them to check with the Active Directory server at boot or login. Similarly, roaming profiles can centralize user accounts themselves, allowing end users to have all their documents and personalization settings on any machine they log into, while simultaneously ensuring user permissions are in sync throughout the organization.
In general, it is important to remember that the security of an organization's end-user computer systems is an ongoing process that should itself be kept up to date. Ensuring that all systems are protected according to the most recent practices minimizes the likelihood of users compromising data security from the inside, or of outside attackers doing the same.
CONCLUSION
This chapter covers only an infinitesimal fraction of the greater field of operating system security. Securing an operating system is a difficult process; it requires the cooperation of several parties and a constant routine of maintenance. While operating system vendors are responsible for many aspects of the security of their products, they cannot guarantee security on their own. Systems administrators must play an equally large part in securing end-user systems, by establishing policies that are both technical and organizational in nature. Even the end users themselves must take care not to breach security, even inadvertently. Once an attacker
DATABASE VIEWS
In addition to granting and revoking user privileges, there is another layer of security for database users: views. A view is simply a stored query that is assigned to specific users or groups of users. When a user in one of these restricted groups queries the database, the view dynamically creates a virtual table. The view represents a subset of the data contained in the base table, restricting access and limiting how much of the data the user is exposed to according to their level of access. Rather than creating
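The following is an added example, not code from the book: it builds a small in-memory SQLite database with a base table holding sensitive columns, defines a view that exposes only a subset of the columns and rows, and then restricts a connection so that the base table can be read only through the view. The table, its rows and the view name are constructed for the example. SQLite has no GRANT statement, so the restriction is emulated with the connection's authorizer callback, which is the mechanism SQLite itself offers for this; on a server DBMS the same effect comes from granting SELECT on the view and nothing on the base table.

```python
import sqlite3

BASE = "employees"           # base table holding the sensitive columns
VIEW = "employee_directory"  # the restricted view a low-privilege user is given


def build_db():
    """In-memory database with a base table and a view over a subset of it.
    Rows and columns are constructed for this example."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {BASE} (
            id INTEGER PRIMARY KEY, name TEXT, department TEXT,
            salary INTEGER, ssn TEXT, active INTEGER);
        INSERT INTO {BASE} VALUES
            (1, 'Alice', 'Engineering', 150000, '123-45-6789', 1),
            (2, 'Bob',   'Finance',     120000, '987-65-4321', 1),
            (3, 'Carol', 'Engineering',  90000, '555-55-5555', 0);
        -- The view hides salary and ssn (column restriction) and
        -- inactive staff (row restriction).
        CREATE VIEW {VIEW} AS
            SELECT id, name, department FROM {BASE} WHERE active = 1;
    """)
    return con


def restrict_to_view(con):
    """Emulate 'GRANT SELECT ON the view only': SQLite has no GRANT, so an
    authorizer callback denies reads of the base table unless the read is
    being performed on behalf of the view."""
    def authorizer(action, arg1, arg2, dbname, source):
        # For SQLITE_READ, arg1 is the table being read and source is the
        # name of the view (or trigger) doing the read, or None when the
        # read comes directly from the user's SQL.
        if action == sqlite3.SQLITE_READ and arg1 == BASE and source != VIEW:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    con.set_authorizer(authorizer)


def query(con, sql):
    """Run a query and return its rows, or a 'denied: ...' string when the
    DBMS refuses it (authorization failure or a column the view hides)."""
    try:
        return con.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    con = build_db()
    restrict_to_view(con)
    print(query(con, f"SELECT * FROM {VIEW}"))       # two active rows, three columns
    print(query(con, f"SELECT salary FROM {VIEW}"))  # denied: no such column
    print(query(con, f"SELECT ssn FROM {BASE}"))     # denied: not authorized
```

The point to notice is that the restricted connection can still answer every query the view was designed for, while a direct read of the base table, or a request for a column the view does not expose, is refused by the DBMS itself rather than by application code.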
DATABASE ENCRYPTION
No matter what size a database may be, there is a strong possibility that important information is being stored in it, such as credit card numbers, user credentials for a sensitive system (online banking), or mass listings of personal contact information. Placing data into a database does not make the data safe; it only gives the data a place to be stored.
Database encryption is a necessity to shield stored data from prying eyes, whether they reach it by intercepting database transactions or by intruding on the server that holds the files. The encryption is applied at the Database Management System (DBMS), and can vary between the different
SQL INJECTION
The topic of SQL injection is familiar to many who specialize in either web programming or security. SQL injection is an attack that can read sensitive data from the database, modify database data (insert/update/delete), and execute administrative operations on the database, up to and including shutting down the Database Management System (DBMS). The attacks are
    String custname = request.getParameter("customerName");
    // This should REALLY be validated too
    // perform input validation to detect attacks
    String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, custname);
    ResultSet results = pstmt.executeQuery();
(Source: OWASP)
As seen above, the customer name is bound as a parameter instead of being concatenated into the query text. The statement is compiled with a placeholder and the value is supplied afterwards, so the DBMS treats whatever custname contains strictly as data, never as SQL, and this statement cannot be subverted by an injection attempt. Input validation, as the comment notes, is still worth doing as a second layer of defence.
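The same defence in Python's sqlite3 module, as an added example that is not code from the book or from OWASP. The table is modelled on the user_data table in the OWASP snippet; its rows, the two attack strings and the allow-list pattern are constructed for illustration. The vulnerable function concatenates the customer name into the statement, the hardened one binds it with a placeholder (the sqlite3 equivalent of the JDBC PreparedStatement), and a third function adds the validation the OWASP comment asks for.

```python
import re
import sqlite3


def setup():
    """In-memory user_data table; the rows are constructed for this example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user_data (user_name TEXT PRIMARY KEY, account_balance INTEGER);
        INSERT INTO user_data VALUES ('alice', 1200), ('bob', 75), ('carol', 5000);
    """)
    return con


def balance_vulnerable(con, custname):
    """Untrusted input pasted into the statement text: the SQL parser sees the
    quote characters the attacker supplies as syntax, not as data."""
    query = ("SELECT user_name, account_balance FROM user_data "
             "WHERE user_name = '" + custname + "'")
    return con.execute(query).fetchall()


def balance_parameterized(con, custname):
    """The ? placeholder plays the role of the JDBC PreparedStatement: the
    statement is compiled first and the value bound afterwards, so quote
    characters inside custname can never change the statement's meaning."""
    query = "SELECT user_name, account_balance FROM user_data WHERE user_name = ?"
    return con.execute(query, (custname,)).fetchall()


# Defence in depth, as the OWASP comment suggests: an allow-list describing
# the field's legitimate shape rejects the payloads before they reach the DBMS.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def balance_validated(con, custname):
    """Validate against the allow-list, then query with a bound parameter."""
    if not USERNAME_RE.fullmatch(custname):
        raise ValueError("invalid customer name")
    return balance_parameterized(con, custname)


# Classic payloads (constructed): a tautology that widens the WHERE clause,
# and a comment marker that truncates whatever followed the injected value.
TAUTOLOGY = "x' OR '1'='1"
COMMENT_OUT = "alice' --"


if __name__ == "__main__":
    con = setup()
    print(balance_vulnerable(con, TAUTOLOGY))      # every account in the table
    print(balance_parameterized(con, TAUTOLOGY))   # [] : no such user name
```

Run against the tautology payload, the concatenated query returns every row in the table, while the parameterized query looks for a user literally named `x' OR '1'='1` and finds nothing.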
to house data so that if one disk fails, the data can still be recovered. Five RAID levels are commonly distinguished, and each offers its own trade-off between performance and fault tolerance:
1. RAID 0: RAID 0 provides data striping (spreading the blocks of each file across multiple disks) with no redundancy. This improves performance but offers no fault tolerance: losing any one disk loses the data.
2. RAID 1: RAID 1 provides disk mirroring. Every write goes to both disks, so the array survives the loss of either one, at the cost of halving the usable capacity.
3. RAID 3: RAID 3 stripes data at the byte level like RAID 0, but reserves one dedicated disk for parity (error correction) data, providing good performance and a moderate level of fault tolerance; the single parity disk takes part in every write.
4. RAID 5: RAID 5 stripes data at the block level and distributes the parity information across all of the disks rather than a dedicated one, giving excellent performance and good fault tolerance: any single disk can fail and be rebuilt from the others.
5. RAID 10: RAID 10 is a combination of RAID 0 and RAID 1: mirrored pairs of disks that are then striped together.
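RAID 5's parity is the XOR of the data blocks in a stripe, which is exactly why one lost disk can be rebuilt from the survivors. The simulation below is an added example, not code from the book: it stripes a byte string across a configurable number of disks with the parity block rotating from stripe to stripe, drops one disk, and reconstructs it. The block size and the sample payload are constructed for readability; a real controller works in sectors and handles metadata this toy ignores.

```python
BLOCK = 4  # bytes per block; tiny so that a stripe fits on one line


def xor_blocks(blocks):
    """XOR a list of equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, ndisks):
    """Stripe data across ndisks disks. Each stripe holds ndisks-1 data blocks
    plus one parity block, and the parity block's position rotates from
    stripe to stripe (the RAID 5 layout). Returns one list of blocks per disk."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    ndata = ndisks - 1
    stripe_len = BLOCK * ndata
    data += b"\0" * ((-len(data)) % stripe_len)   # pad to whole stripes
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // stripe_len):
        chunk = data[s * stripe_len:(s + 1) * stripe_len]
        blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(ndata)]
        parity = xor_blocks(blocks)
        pdisk = s % ndisks                          # rotating parity disk
        it = iter(blocks)
        for d in range(ndisks):
            disks[d].append(parity if d == pdisk else next(it))
    return disks


def raid5_rebuild(disks, lost):
    """Reconstruct disk `lost` (whose entry may be None) from the survivors.
    Every block, data or parity alike, is the XOR of the other blocks in
    its stripe, so the same loop rebuilds both kinds."""
    survivors = [d for i, d in enumerate(disks) if i != lost]
    nstripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(nstripes)]


def raid5_read(disks, length):
    """Reassemble the original data, skipping each stripe's parity block."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        pdisk = s % ndisks
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"RAID 5 spreads blocks and parity across every disk"  # constructed
    array = raid5_write(payload, 4)
    array[2] = None                       # disk 2 fails
    array[2] = raid5_rebuild(array, 2)    # rebuild it from the other three
    assert raid5_read(array, len(payload)) == payload
```

Two disks lost at once leave every stripe with an unsolvable XOR, which is the practical reason RAID 5 tolerates exactly one failure and why a rebuild should start before a second disk ages out.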
The RAID system is a good way to protect information
in the event of electrical damage to one or more disk
DATABASE USERS
Even with all of these security mechanisms and recovery mechanisms in place, it is important that the
THREATS
A threat is the possibility that an unauthorized user could access a system's information and/or change it. If an unauthorized user tries to access a system, an attack has occurred; if the attempt succeeds, the system has been penetrated. Risk is the likelihood that a threat will exploit a weakness in the system, weighed against the damage that would result; a vulnerability is a specific, known weakness in the system that an attacker could exploit.
There is always the threat that a computer system may be attacked. Computer auditing helps counter this by detecting suspicious or unwanted behavior, which can come from two types of users: external and internal. An external user is either a person who is not affiliated with the organization or an employee without computer privileges who tries to access computer resources. An internal user is someone
COMPUTER USE
Monitoring computer use is the foundation of a security audit. Anderson establishes the basic unit of computer use as a session or job, defined by four parameters: the user identifier, the program and data files accessed, the time the job or session was initiated, and its duration. In some cases it is more useful to monitor files, devices, or programs; the parameters then are the user identifiers and programs that access a particular resource, the records read and written, and whether a program is being executed or merely read. These audit logs allow a statistical analysis of which user accounts accessed which system resources, when, and for how long. Once a baseline for normal use is established, the audit trail enables the detection of anomalies that could indicate an intrusion.
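An added example, not code from the book, of the baseline-then-anomaly idea in this passage and of the analysis step Anderson calls surveillance in the section that follows. The audit records, their line format and the thresholds are constructed for illustration: each line carries the four session parameters (user, program and files, start time, duration). A profile is built per user from a history of sessions, and each new session is tagged with the ways it departs from that profile.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit trail (not data from the page): one record per session,
# carrying the four parameters Anderson describes: user, program and files
# accessed, start time, and duration in minutes.
BASELINE_LOG = """\
2013-11-04T09:02 user=alice prog=payroll files=ledger.db dur=30
2013-11-04T13:10 user=alice prog=mail files=inbox dur=35
2013-11-05T09:15 user=alice prog=payroll files=ledger.db dur=40
2013-11-05T14:00 user=alice prog=payroll files=ledger.db,rates.csv dur=32
2013-11-06T10:30 user=alice prog=mail files=inbox dur=38
2013-11-07T11:05 user=alice prog=payroll files=ledger.db dur=36
2013-11-04T09:30 user=bob prog=mail files=inbox dur=20
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) prog=(?P<prog>\S+) "
    r"files=(?P<files>\S+) dur=(?P<dur>\d+)$")

MIN_SESSIONS = 5   # fewer than this and we refuse to call anything "normal"


def parse(log):
    """Turn audit lines into session dicts; malformed lines are skipped."""
    sessions = []
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if m:
            sessions.append({
                "when": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M"),
                "user": m["user"],
                "prog": m["prog"],
                "files": set(m["files"].split(",")),
                "dur": int(m["dur"]),
            })
    return sessions


def build_baseline(sessions):
    """Per-user profile of normal use: programs and files touched, the range
    of hours sessions start in, and a duration ceiling of mean + 3 std devs."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    baseline = {}
    for user, ss in by_user.items():
        if len(ss) < MIN_SESSIONS:
            continue                      # not enough history for a profile
        durs = [s["dur"] for s in ss]
        hours = [s["when"].hour for s in ss]
        baseline[user] = {
            "progs": {s["prog"] for s in ss},
            "files": set().union(*(s["files"] for s in ss)),
            "hours": (min(hours), max(hours)),
            "dur_limit": statistics.mean(durs) + 3 * statistics.pstdev(durs),
        }
    return baseline


def check(session, baseline):
    """Return the anomaly tags for one session; an empty list means the
    session fits the user's profile."""
    prof = baseline.get(session["user"])
    if prof is None:
        return ["no-baseline"]
    flags = []
    if session["prog"] not in prof["progs"]:
        flags.append("new-program")
    new_files = session["files"] - prof["files"]
    if new_files:
        flags.append("new-files:" + ",".join(sorted(new_files)))
    if session["dur"] > prof["dur_limit"]:
        flags.append("long-session")
    lo, hi = prof["hours"]
    if not lo <= session["when"].hour <= hi:
        flags.append("off-hours")
    return flags


if __name__ == "__main__":
    profile = build_baseline(parse(BASELINE_LOG))
    for s in parse("2013-11-09T03:12 user=alice prog=sqldump "
                   "files=ledger.db,customers.db dur=300"):
        print(s["user"], check(s, profile))
```

A 3 a.m. session in a program the user has never run, touching a file she has never opened, for ten times her usual duration, collects four tags at once; a routine daytime payroll session collects none. The no-baseline tag matters too: a user with too little history is not "normal" by default, and in practice such sessions go to a human or a stricter rule set.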
SURVEILLANCE
Collecting audit data to monitor computer use is merely the first step in Anderson's proposed form of surveillance. Analysis is what makes the audit data useful. A pattern of normal behavior can be
SYSTEM DESIGN
Essentially, there are two main parts to a computer auditing system: a security surveillance subsystem and a trace subsystem. The surveillance subsystem looks for unwanted or abnormal behavior and returns reports on what it finds. The trace subsystem allows one to search a user's activity within a given timeframe. Both functions are still present in intrusion detection systems today.
Computer auditing techniques generally fall into two categories: intrusion detection systems (IDS) and intrusion prevention systems (IPS). An intrusion
INITIAL DEVELOPMENT
Implementation of the idea of using audit trails as a security tool began in the early 1980s. In 1983, Dr. Denning and SRI International started a project that analyzed audit data from government computers to create user activity profiles. That work led both to SRI's development of one of the first functional IDSs, called IDES, and to the publication of Dr. Denning's "An Intrusion Detection Model", which became a basis for the field of intrusion detection.
IDES (Intrusion-Detection Expert System) was designed to provide real-time monitoring and analysis so that potential problems are detected immediately, using pre-established rules for behavior that is automatically suspicious as well as detection of abnormal behavior. The IDES model is composed of the following components:
1. Types of information and their positions in the audit record must be known in advance so that
COMMERCIAL EXPANSION
MODERN TECHNIQUES
Intrusion detection systems are now a staple of computer security, with a wide variety of classifications and detection techniques. There are two general ways of classifying an IDS: by location (host-based vs. network-based) or by detection philosophy (signature-based vs. anomaly-based). Within these categories are subspecies of IDS distinguished by their detection paradigms.
One of the broadest ways of categorizing modern intrusion detection systems is by location: an IDS is either host-based, in which the system monitors a single computer (the host), network-based, in which the system monitors traffic within a network, or a
CONCLUSION
As we have seen, there are many different ways that a system can be compromised by unauthorized users. There are also many techniques that have been developed to prevent this, as well as regulations that set a minimum standard for organizations to adhere to. Progress in the field continues to propose new solutions to known weaknesses in current approaches and to develop new tools to implement those solutions.
SUMMARY
As noted in the introduction, this book was written in a broad manner as a primer. This brief guide is meant to help introduce InfoSec topics and (hopefully) will be the doorway to future studies for the CISSP, CISM or CCNA-Security realms. As a primer to InfoSec, this eBook does cover many (not all) of the CISSP, CISM and CCNA-Security aspects and also discusses many Information Security (InfoSec) topics in general. Following this, you should be well versed and prepared to dive into more detailed InfoSec work.
If you are considering certification, my recommendation is to get the certification vendor's suggested book (for example, if you plan on taking the CCNA-Security test, get the Cisco book). Also, consider purchasing a test engine with frequent downloads. While you can get copies of tests for various certs online for free, many have errors or some tests were completed with errors. You don't need to study errors.
REFERENCES
Anderson, J. P. (1980). Computer security threat monitoring and surveillance.
Andress, J. (2011). Operating System Security. In The Basics of Information Security (pp. 131-145). Waltham: Syngress.
Ayushi. (2010). A Symmetric Key Cryptographic Algorithm. International Journal of Computer Applications, 1(15). Retrieved November 10, 2013, from http://www.ijcaonline.org/journal/number15/pxc387502.pdf
Bhuyan, M. H., Bhattacharyya, D. K., & Kalita, J. K. (2013). Detecting distributed denial of service attacks: Methods, tools and future directions. The Computer Journal, 56(12), 31-52.
Biermann, E., Cloete, E., & Venter, L. M. (2001). A comparison of intrusion detection systems. Computers & Security, 20(8), 676-683.
http://docs.oracle.com/cd/B19306_01/network.102/b14268/asotrans.htm
Poston III, H. E. (2012). A Brief Taxonomy of Intrusion Detection Strategies. In Aerospace and Electronics Conference (NAECON), 2012 IEEE National (pp. 255-263). IEEE.
Provos, N. (2003). Improving Host Security with System Call Policies. USENIX Security Symposium, 12, 130. Retrieved December 2, 2013, from the USENIX database.
Saroiu, S. (2004). Measurement and analysis of spyware in a university environment. (Master's thesis, University of Washington). Retrieved from http://static.usenix.org/events/nsdi0/tech/full_papers/saroiu/saroiu_html/
Shulman, A. (2006). Top Ten Database Security Threats. Imperva, Inc.
Smaha, S. E. (1988, December). Haystack: An intrusion detection system. In Aerospace Computer Security Applications Conference, 1988, Fourth (pp. 37-44). IEEE.
http://csrc.nist.gov/publications/fips/fips463/fips46-3.pdf
Vaccaro, H. S., & Liepins, G. E. (1989). Detection of anomalous computer session activity. IEEE Symposium on Security and Privacy, 280-289.
Wong, W. (2004). Analysis and detection of metamorphic computer viruses. (Master's thesis, San Jose State University). Retrieved from http://www.cs.sjsu.edu/faculty/stamp/students/Report.pdf
Wood, C. (2011, July). Chaos-Based Symmetric Key Cryptosystems. Paper presented at Rochester Institute of Technology Symposium, Rochester, New York.
Yang, J., & Goodman, J. (2007, December). Symmetric Key Cryptography on Modern Graphics Hardware. AsiaCrypt 2007. Lecture conducted at International Association for Cryptologic Research, Kuching, Sarawak, Malaysia.
Yuan, J., & Mills, K. (2005). Monitoring the macroscopic effect of DDoS flooding attacks. IEEE Transactions on Dependable and Secure Computing, 2(4).