
CHAPTER 11

Security Administration and Problem Solving

Computer Security: Protecting Digital Resources
By Robert C. Newman

Presented by Khalid Al-

Chapter Content

Understand the need for and content of a baseline.
Identify the documentation required for network management.
Look at the numerous administration, troubleshooting, and problem-solving issues.
Review the requirements of a security audit.
Become familiar with computer forensic issues.
Look at the various types of situations that can affect the security and integrity of a network.
Identify the various hardware and software tools used in network management.
Understand the issues and options for network management and control.

INTRODUCTION

Network problems can typically be resolved in one of two ways: proactive prevention or reactive response.

"Pay me now or pay me later."

Network management and planning should combine to form an overall security plan. A baseline should be developed. Tools are a must, particularly for large networks. Network management and security are not add-ons. Troubleshooting is an art that can only be gained from experience along with some documented methodology.

THE NEED FOR PROBLEM SOLVING

The trend is toward increasingly complex network environments. More complex network environments mean that the potential for availability and performance issues in these internetworks is high, and the source of problems is often difficult to pinpoint. The keys to maintaining a secure, problem-free network environment, as well as the ability to isolate and fix a network fault or security breach quickly, are documentation, planning, and communication. This requires a framework of procedures and personnel in place before the need for problem solving and recovery arises. Policies and procedures must be established during the network's planning stages and maintained throughout its life. Such policies should include security, hardware and software standards, upgrade guidelines, backup methods, network intrusions, and documentation requirements (contingency and disaster recovery plan). Through careful planning, it is possible to minimize the damage that results from most predictable events and to control and manage their impact on the organization.

THE SECURITY AUDIT

The tasks involved in maintaining a secure network and computer system can be both time-consuming and difficult. A security audit should be part of the ongoing operating processes in the organization. There are a number of questions that must be formulated and answered as to what resources need protection.

COMPUTER SECURITY AUDIT

A security audit is a manual or systematic, measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments include system-generated audit reports or using software to monitor and report changes to files and settings on a system. Categories that should be addressed are included in the following list:

Physical security.
Network security.
Protocols/services.
Passwords.
User security.
Data storage security.
System administration.

BASELINE

A well-documented network includes everything necessary to review history, understand the current status, plan for growth, and provide comparisons when problems occur. This is called a baseline. The following list outlines a set of documents and information that should be included in a network plan:

Address list.
Cable map.
Capacity information.
Contact list.
Equipment list.
Important files and their layouts.
Network history.
Network map.
Server configuration.
Software configuration.
Software licenses.
Protocols and network standards.
User administration.

It is essential to take the time during installation to ensure that all hardware and software components of the network are correctly installed and accurately recorded in the master network record. This documentation also applies to the hardware and software configuration for each of the network components. A considerable amount of personnel effort and time can be saved by being able to quickly find a faulty network component and having documentation on its configuration. Documentation should be kept in both hard-copy and electronic form so it is readily available to anyone who needs it. This includes information on systems that are accessed by the telecommunications network. Complete, accurate, and up-to-date documentation will aid in troubleshooting the network, planning for growth, and training new employees.

Network Management and Monitoring

Network management is a collection of activities that are required to plan, design, organize, control, maintain, and expand the communications network. Activities that pertain to the operation, administration, maintenance, and provisioning of networked systems include the following:

Operation deals with keeping the network, and the services that the network provides, up and running smoothly (e.g., monitoring).
Administration deals with keeping track of resources in the network and how they are assigned. It includes all the housekeeping necessary to keep the network under control.
Maintenance is concerned with performing repairs and upgrades. This includes equipment replacement, router patches for an operating system image, and addition of switches to a network. Maintenance also involves corrective and preventive measures to make the managed network run better, such as adjusting device configuration parameters.
Provisioning is concerned with configuring resources to support a given service. For example, setting up the network so that a new customer can receive voice service.

An initial step is to develop a baseline of the current state of the network and computer resources. After a baseline for the network has been developed, it will be possible to monitor the network for changes that could indicate potential problems. It is essential to establish what is normal in the network so abnormal situations can be readily identified. Network monitoring software can gather information on events, system usage statistics, and system performance statistics. Information gathered from these monitors can assist the network administration in the following ways:

Monitoring trends in network traffic and utilization.
Developing plans to improve network performance.
Providing forecasting information for growth.
Identifying those network devices that create bottlenecks.
Monitoring events that result from upgrades.

Management must also consider the implications of any IPS and IDS that might be active in the network.
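The "establish what is normal, then flag the abnormal" idea above, as an added example that is not part of the original chapter or slides: a baseline is computed from constructed per-device utilisation polls, current readings are compared against it, and a least-squares trend is derived for growth forecasting. Device names, values and the 3-sigma threshold are all assumptions.

```python
"""Baseline-and-deviation check over constructed monitoring samples (added example)."""
from statistics import mean, pstdev

# Constructed sample: per-device link utilisation (%) from seven "known good" polls.
BASELINE_SAMPLES = {
    "core-rtr-1": [41, 44, 39, 46, 42, 40, 45],
    "edge-fw-1": [12, 15, 11, 14, 13, 12, 16],
}

# Constructed current readings: the firewall is far above its recorded norm.
CURRENT = {"core-rtr-1": 47, "edge-fw-1": 58}


def build_baseline(samples):
    """Return {device: (mean, population stdev)} describing what is normal."""
    return {dev: (mean(vals), pstdev(vals)) for dev, vals in samples.items()}


def deviations(baseline, current, threshold=3.0):
    """Flag devices whose reading is more than `threshold` standard deviations
    from the baseline mean, and devices that have no baseline at all."""
    alerts = []
    for dev, value in current.items():
        if dev not in baseline:
            alerts.append((dev, value, None, "no baseline recorded"))
            continue
        mu, sigma = baseline[dev]
        if sigma == 0:
            # Flat baseline: any change at all is a deviation.
            z = 0.0 if value == mu else float("inf")
        else:
            z = (value - mu) / sigma
        if abs(z) > threshold:
            alerts.append((dev, value, round(z, 2), "outside normal range"))
    return alerts


def growth_per_poll(values):
    """Least-squares slope of a utilisation series: the trend used for forecasting."""
    n = len(values)
    xbar = (n - 1) / 2
    ybar = mean(values)
    sxy = sum((i - xbar) * (v - ybar) for i, v in enumerate(values))
    sxx = sum((i - xbar) ** 2 for i in range(n))
    return sxy / sxx if sxx else 0.0


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    for dev, value, z, reason in deviations(base, CURRENT):
        print(f"{dev}: {value}% (z={z}) {reason}")
    for dev, vals in BASELINE_SAMPLES.items():
        print(f"{dev}: trend {growth_per_poll(vals):+.2f} points per poll")
```

Only the firewall is reported; the core router's 47% sits inside its normal spread, which is the distinction a baseline buys you over a fixed threshold.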

SECURITY INVESTIGATIONS

Forensic analysis consists of a cycle of data gathering and processing of evidence that has been gathered from some incident. Data collected can be used to analyze and evaluate the extent to which a network has been compromised by an attack or intrusion. Logs are an essential source of information for this type of forensic examination. Incident response processes and tactics must be developed for a successful reaction to some computer incident. The plan must be well documented and formally practiced. Law enforcement agencies have first responders whose job is to secure computer evidence. A number of computer forensic tools are available to forensic investigators and law enforcement first responders. A note is important here: if an incident is reported to law enforcement, the organization loses control of the situation, and it may become public knowledge.

Computer Investigations

A computer crime investigation begins as soon as an incident report is provided to the authorities. Six steps are required to determine whether a crime has occurred and to protect evidence:

Detection and containment: review audit trails and preserve the evidence.
Notification of management: report to a limited number of supervisors.
Preliminary investigation: determine whether a crime has actually occurred.
Crime disclosure determination: notify authorities if required or desired.
Investigation process: identify potential suspects and witnesses.
Report generation: provide documentation to management and law enforcement.

Evidence is defined as information that would be presented in a court of law to substantiate the charges. There are four general categories of evidence that might be presented in court:

Direct evidence: oral testimony or written statements.
Real or physical evidence: tangible objects such as tools and property.
Documentary evidence: printouts and manuals.
Demonstrative evidence: expert and non-expert witnesses.

Computer Investigations

Two other categories of evidence might be relevant to a computer crime or incident: corroborative and circumstantial evidence. Corroborative evidence supports other case evidence, whereas circumstantial evidence is used for reasonable inferences to fact. An important concept is termed the hearsay rule. Hearsay evidence is not based on firsthand knowledge of the witness. This information is usually obtained through some other source and is usually not admissible in court. For evidence to be admissible in a court of law, it must pass several proofs or validations. Two important processes that must be addressed when prosecuting criminal activities are the chain of custody and the evidence life cycle. These also apply to computer crimes. The chain of custody provides accountability and protection of evidence throughout its life cycle. Evidence must be secured in locked areas, and documentation must follow the entire trail, including information about who handled it and when. An evidence log would include the following:

Individuals involved.
Evidence description.
Evidence location.
Evidence movement.
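The evidence log and chain of custody described above, as an added example that is not from the chapter or the presenter: each custody event records who, what, where and when, an acquisition-time SHA-256 lets a later examiner prove the item is unchanged, and a pass over the entries finds hand-offs with no matching receipt. The evidence id, names, timestamps and image bytes are constructed.

```python
"""Chain-of-custody evidence log with an integrity hash (added example)."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image.
SAMPLE_IMAGE = b"constructed sample disk image bytes"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """One log per item of evidence. Each entry records the elements the
    chapter lists: individuals involved, description, location, and movement."""

    def __init__(self, evidence_id, description, data):
        self.evidence_id = evidence_id
        self.description = description
        self.acquisition_hash = sha256_of(data)  # fixed at acquisition time
        self.entries = []

    def record(self, person, action, location, timestamp=None):
        """action is one of: acquired, released, received, analyzed, stored."""
        when = timestamp or datetime.now(timezone.utc).isoformat()
        self.entries.append({"who": person, "action": action,
                             "where": location, "when": when})

    def verify(self, data):
        """True only if the evidence is byte-identical to what was acquired."""
        return sha256_of(data) == self.acquisition_hash

    def custody_gaps(self):
        """Every 'released' must be immediately followed by a 'received';
        anything else is an unaccounted-for hand-off in the chain."""
        gaps = []
        for prev, cur in zip(self.entries, self.entries[1:]):
            if prev["action"] == "released" and cur["action"] != "received":
                gaps.append((prev["who"], cur["who"]))
        return gaps


def build_sample_log():
    """Constructed custody history for SAMPLE_IMAGE with a clean hand-off."""
    log = EvidenceLog("EV-0001", "constructed workstation image", SAMPLE_IMAGE)
    log.record("first responder", "acquired", "site A", "2024-01-01T09:00:00+00:00")
    log.record("first responder", "released", "site A", "2024-01-01T11:00:00+00:00")
    log.record("lab analyst", "received", "evidence locker", "2024-01-01T13:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(SAMPLE_IMAGE), "gaps:", log.custody_gaps())
```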

Intrusion Detection

Intrusion detection techniques and equipment are utilized to detect and respond to computer and networking misuse. Different intrusion detection techniques provide different benefits for different situations and environments; therefore, it is essential that the security administrator deploy the security system that best matches the need. Unnecessary cost can be incurred for nonessential detection devices. The key to selecting the right security detection system is to define the specific security requirements first and then implement a system based on those requirements. In addition to detection, new products are being offered that provide intrusion prevention capabilities.

Monitoring

Internal staff can conduct network and physical monitoring; however, there are vendors that specialize in security monitoring and surveillance. Some providers deploy intrusion detection sensors at customer locations and provide security experts to monitor corporate resources such as routers and firewalls. Others place probes on the customer's networks to collect audit data from network devices. The data are transmitted in encrypted form back to the central facility, where they are monitored continuously. Investigation and prosecution can be aided with sufficient video evidence. Some network-based intrusion detection systems consist of sensors deployed throughout a network that provide a data stream to a central console. Sensors may contain logic that collects network packets, searches for patterns of misuse, and then reports an alarm situation back to the console. Two types of sensor-based architectures are the traditional sensor design and the network node design. Sensor-based systems monitor whole network segments. They are not widely distributed, because there are relatively few segments to monitor, as opposed to network-node systems, which are widely distributed onto every mission-critical target. Network-node systems place an agent on each managed computer device in the network to monitor traffic bound only for that individual target.

Preemptive Activities

Network management and administration must be proactive in the fight against cybercrime threats and attacks. A considerable amount of information has been presented in this book that can be used as effective approaches to countering these situations. Incorporating the numerous suggestions will take time and resources, but not addressing the issues can cost a lot more.

Preemptive Activities

The following list of initiatives summarizes programs and activities that might be undertaken to counter the negative impacts of computer and network incidents. While this is a formidable list, not taking action is unacceptable. The categories include access controls, hardware, software, and management.

Access controls:
User authentication.
Properly defined user rights.
Prompt removal of employee accounts upon separation.
Require approval by management of user authorization.
Proper registry permissions.

Hardware:
Workstation screen locks.
Computer keyboard locks.
Firewalls.
Screening routers.
Properly configured routers.
Properly configured modems.

Software:
Anti-virus software.
Anti-spyware software.
Encryption.
Prompt application of patches and updates.
VPN tunneling.
Checksums.

Management:
Change control policy.
Separation of duties.
Audit logs and log reviews.
Review of open ports and services.
Social engineering prevention.
Employee training and awareness.

Computer Security Organizations

Established in 1988, the Computer Emergency Readiness Team (CERT) Coordination Center (CERT/CC) is a center of Internet security expertise. The High Technology Crime Investigation Association (HTCIA) is designed to encourage, promote, aid, and effect the voluntary interchange of data, information, experience, ideas, and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership. The International Association for Computer Information Systems (IACIS) is an international volunteer nonprofit corporation comprised of law enforcement professionals dedicated to education in the field of forensic computer science. The IEEE Computer Society is the world's leading organization of computer professionals. Founded in 1946, it is the largest of the 37 societies of the Institute of Electrical and Electronics Engineers (IEEE). The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).

NETWORK PROBLEM SOLVING

Many network problems can be solved by first verifying the status of the affected computers or networking components. Taking several initial steps can help the administrator in resolving network problems:

Identify possible cockpit problems and user errors.
Ensure that all physical connections are in place.
Verify that the network interface card (NIC) is working.
Warm-start the device (reload the software).
Cold-start the device (power cycle off and on).

It is essential that a structured approach be taken when troubleshooting. These simple steps include the following:

Prioritize the problem in relation to all other problems in the network.
Develop information about the problem.
Identify possible causes.
Eliminate the possibilities, one at a time.
Ensure that the fix does not cause other problems.
Document the solution.

Collecting Information Methodology

The first step in solving a problem is to collect and document as much information as possible in order to have an accurate description of the situation. If the problem involves user interaction, it will be necessary to check the sequence of steps the user took. Before troubleshooting the physical devices and system software, attempt to recreate or confirm the problem to ensure the problem is not user (cockpit) error. From the information gathered for the trouble report, a structured approach can begin to list, prioritize, and examine possible causes of the reported incident. It is essential that the problem be logically evaluated, starting with the most basic causes.

Standard Process Flow for Troubleshooting

Define the situation (look at the baseline) -> Gather details -> Consider alternatives -> Follow the troubleshooting methodology -> Observe results -> Problem corrected?
If NO: return to gathering details and repeat the cycle.
If YES: problem solved; document the results.

Details of Process Flow Steps

Definition of the problem: the problem should be defined in terms of a set of symptoms and potential causes. By using the baseline, it is possible to identify the location of the problem or at least know where to start the troubleshooting effort.
Details of the problem: information can be collected from sources such as network management systems, protocol analyzer traces, network monitors, and network surveillance personnel.
Alternatives assessment: now is the time to consider the possible problems based on the facts that have been gathered. The obvious non-issues can be eliminated at this time.
Problem-solving methodology: an action plan can be developed and the most likely cause of the problem can be identified. The plan will allow for one variable to be changed at a time until all options are exhausted.
Results observation: tests must be made at this step to ensure that the modifications are correcting the problem and not creating other problems. The process is repeated for each test and may require additional details for each cycle.
Problem resolution: when the problem has been solved, the next and last step of the process flow is to document the situation. If the problem has not been solved, the process is repeated.
Documentation: the final step is important because the problem may well occur again, and it is essential that the troubleshooting efforts not be duplicated.

Troubleshooting Documentation

Some type of electronic tracking or journal can be maintained to accumulate troubleshooting and problem-solving information, which will ensure that time is not wasted repeating work that has already been completed and that an audit trail is developed for each trouble report. The information developed can also be utilized in requests for additional equipment, personnel, and training. It can also be a useful tool for training future network support personnel. A typical method for administering such a database is to assign some unique identifier to each problem or trouble report. A trouble report would be generated for each incident and cross-referenced to earlier incidents on the same network element. The trouble report documents issues and requests for service from network users and can be used to ensure that a consistent troubleshooting methodology is being followed.

A typical trouble report might include the following elements:

A trouble report identifier.
A preliminary description of the situation.
Investigation and analysis of the situation.
The service actions taken to resolve the issue.
A summarization of the incident.

Another source of information that can be useful in troubleshooting the network is the data, usually in the form of traps or alerts, that are collected from the managed network devices. It is essential that data collected from the managed devices be stored so that problems can be tracked and trends can be analyzed. There are a number of trouble-tracking products for both voice and data communication systems available in the market today.
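The trouble-report database described above, as an added example that is not from the chapter or the presenter: each report gets a unique identifier, carries the five elements listed, is cross-referenced to earlier reports on the same network element, and exposes the actions already tried so work is not repeated. The id format, element names and incident text are constructed.

```python
"""Trouble-report tracker: unique identifiers, cross-references to earlier
reports on the same network element, and reuse of prior work (added example)."""
import itertools
from dataclasses import dataclass, field


@dataclass
class TroubleReport:
    """Elements of a trouble report as listed in the chapter."""
    report_id: str
    element: str                 # network element the report concerns
    description: str             # preliminary description of the situation
    analysis: str = ""           # investigation and analysis
    actions: list = field(default_factory=list)  # service actions taken
    summary: str = ""            # summarization of the incident
    related: list = field(default_factory=list)  # earlier reports, same element


class TroubleTracker:
    def __init__(self):
        self._seq = itertools.count(1)
        self.reports = {}
        self.by_element = {}

    def open(self, element, description):
        """Assign a unique id and cross-reference earlier reports on the element."""
        rid = f"TR-{next(self._seq):05d}"
        prior = self.by_element.get(element, [])
        report = TroubleReport(rid, element, description, related=list(prior))
        self.reports[rid] = report
        self.by_element.setdefault(element, []).append(rid)
        return report

    def resolve(self, rid, analysis, actions, summary):
        report = self.reports[rid]
        report.analysis = analysis
        report.actions = list(actions)
        report.summary = summary
        return report

    def prior_actions(self, rid):
        """Actions already tried on related reports, so they are not repeated blindly."""
        return [(r, a) for r in self.reports[rid].related
                for a in self.reports[r].actions]

    def recurring(self, min_count=2):
        """Elements with repeated trouble reports: candidates for root-cause work."""
        return {e: ids for e, ids in self.by_element.items() if len(ids) >= min_count}


def build_sample_tracker():
    """Constructed history: one switch reported twice, one router once."""
    t = TroubleTracker()
    first = t.open("sw-floor3", "users on floor 3 lose connectivity at 09:00")
    t.resolve(first.report_id, "uplink flapping", ["replaced patch cable"], "cleared")
    t.open("rtr-core", "high latency to branch office")
    t.open("sw-floor3", "floor 3 outage again")
    return t


if __name__ == "__main__":
    tracker = build_sample_tracker()
    print("recurring:", tracker.recurring())
    print("already tried on TR-00003:", tracker.prior_actions("TR-00003"))
```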

NETWORK TESTING SUPPORT AND RESOURCES

Network Utilities and Software Routines

A number of aids are available for the network user to perform simple tests:

TRACEROUTE (tracert): works by sending packets with low time-to-live (TTL) fields. The TTL value specifies how many hops the packet is allowed before it is returned. When a packet cannot reach its destination because the TTL value is too low, the last host returns the packet.
PING: uses ICMP messages to check the physical connectivity of the machines on a network. Note that PING can be used in a network attack.
WHOIS: searches across multiple registrar databases to provide registration information on millions of domain names with many different extensions, regardless of where they are registered.
IPCONFIG: a command line tool used to control the network connections on Windows.
PORT SCAN: a series of messages sent by someone attempting to break into a computer to learn which network services the computer provides. These scans are associated with well-known port numbers.

Port scanning is a favorite approach of computer crackers and gives the assailant an idea of where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time.

Security Probes and Network Penetration Testing Tools

Instead of passively gathering network statistics like auditing tools, security probes actively test various aspects of enterprise network security, report results, and suggest improvements. There are a number of security probes that perform vulnerability scanning. Three such products are SAINT, Retina, and SATAN.

SECURITY TOOLS

Network monitors, network analyzers, and cable testers each provide the network manager and technician with a different suite of tools. Security tools such as sniffers are also available as hardware instruments. A network-connected device operating in promiscuous mode can capture all frames on a network, not just frames addressed directly to it.

MANAGING THE NETWORK

Network management is a collection of activities that are required when managing the communications network. Functions that are performed as part of network management include:

Controlling.
Planning.
Allocating.
Deploying.
Coordinating.
Network planning.
Bandwidth management.
Monitoring the resources of a network.
Predetermined traffic routing to support load balancing.
Cryptographic key distribution authorization.

Additional major management functions:

Accounting management.
Configuration management.
Fault management.
Security management.
Performance management.

Network Management Tools

Network management tools allow for the performance of management functions such as monitoring network traffic levels, monitoring software usage, finding efficiencies, and finding bottlenecks. Network managers need a comprehensive set of tools to help them perform the various network tasks. Most tools can be classified as primarily hardware or software, and most hardware test instruments are supported by software. Network management software is categorized into three different types: device management, system management, and application management.

These management tools typically have three components:

Agent: the client software part of the management tool. The agent resides on each managed network device.
Manager: a centralized software component that manages the network. The management software stores the information collected from the managed devices in a standardized database.
Administration system: the centralized management component that collects and analyzes the information from the managers. Most administration systems provide information, alerts, traps, and the ability to make programmable modifications to the network components.

The two main management protocols used with network management systems are the simple network management protocol (SNMP) and the common management information protocol (CMIP).

Network Management System

Any network, whether it is a LAN, MAN, or WAN, is really a collection of individual components working together. Network management helps maintain this harmony, ensuring consistent reliability and availability of the network, as well as timely transmission and routing of data. A network management system (NMS) is defined as the systems or actions that help maintain, characterize, or troubleshoot a network. The three primary objectives of network management are to support system users, to keep the network operating efficiently, and to provide cost-effective solutions to an organization's telecommunications requirements. A large network cannot be engineered and managed by human effort alone. The complexity of such a system dictates the use of automated network management tools. No matter how network management is performed, it usually includes the following key functions:

Network control.
Network monitoring.
Network troubleshooting.
Network statistical reporting.

NETWORK MANAGEMENT AND CONTROL

Network management is a collection of activities that are required to plan, design, organize, maintain, and expand the network. A network management and control system consists of a collection of techniques, policies, procedures, and systems that are integrated to ensure that the network delivers its intended functions. At the heart of the system is a database of information, either on paper or computerized. The database consists of several related files that allow the network managers to have the information they need to exercise control over its functions. A network control system has five major functions:

Managing network information.
Managing network performance.
Monitoring circuits and equipment on the network.
Isolating trouble when it occurs.
Restoring service to end users.

Network management is generally concerned with monitoring the operation of components in the network, reporting on the events that occur during network operation, and controlling the operational characteristics of the network and its components. Taking preemptive precautions may be costly in the short term, but they save time and resources when problems arise, prevent equipment problems, and ensure data security. A preemptive approach can prevent additional expense and frustration when trying to identify the causes of failures. Functions include monitoring, reporting, and controlling. Additionally, three areas of protection should be addressed: intruders, theft, and natural disasters.

Monitoring

Monitoring involves determining the status and processing characteristics currently associated with the different physical and logical components of the network. Depending on the type of component in question, monitoring can be done either by continuously checking the operation of the component or by detecting the occurrence of extraordinary events during network operations.

Reporting

The results of monitoring activities must be reported, or made available, either to a network administrator or to network management software operating on some machine in the network.

Controlling

Based on the results of the monitoring and reporting functions, the network administrator or network management software should be able to modify the operational characteristics of the network and its components. These modifications should make it possible to resolve problems, improve network performance, and continue normal operation of the network.

COMMON MANAGEMENT INFORMATION PROTOCOL

The International Organization for Standardization's (ISO's) approach to network management is CMIP. This protocol defines the notion of objects, which are the elements to be managed. The key areas of network management as proposed by the ISO are divided into five specific management functional areas (SMFAs):

Accounting management: records and reports usage of network resources.
Configuration management: defines and controls network component configuration and parameters.
Fault management: detects and isolates network problems.
Performance management: monitors, analyzes, and controls network data production.
Security management: monitors and controls access to network resources.

NETWORK MANAGEMENT STANDARDS ORGANIZATIONS

Many organizations today deal with network management standardization. The roles played by these organizations range from setting the network management standards to promoting acceptance of the standards. The organizations that play a role in network management include:

American National Standards Institute (ANSI).
International Organization for Standardization (ISO).
Institute of Electrical and Electronic Engineers 802 Committee (IEEE 802).
Internet Activities Board (IAB).
International Telecommunications Union Telecommunications Sector (ITU-T).
National Institute of Standards and Technology (NIST).
Open Systems Foundation (OSF).

CHAPTER SUMMARY

The network administrator has a broad range of responsibilities that include network planning, monitoring, and maintenance. Typical activities revolve around network configurations, user connectivity, security, data and asset protection, problem solving, and troubleshooting. Network problems and security issues can be resolved in one of two ways: preventing the situation before it happens through network planning and management, or fixing the problem after it happens through troubleshooting techniques. Troubleshooting techniques that are effective in solving problems in the enterprise network include the following:

Implement a program for system upgrades and change control.
Develop a baseline for the enterprise network.
Use a systematic approach to isolate and correct network problems.
Look at various alternatives and develop a hypothesis rather than getting tunnel vision.
Change only one attribute at a time when troubleshooting, and test each change thoroughly.
Document the entire troubleshooting incident with the discoveries and conclusions.

Hardware and software solutions that can be utilized in the troubleshooting and problem-solving environment include protocol analyzers, monitors, sniffers, cable testers, specialty tools, and network management systems. Computer and network incidents could involve the use of forensic techniques to recover and protect evidence in the event criminal activities have occurred or are suspected. Specialized data collection forms are used in this endeavor.
