IPICS2004 Information Systems Security (Security of Distributed and Internet Based Information Systems) - G. Pangalos, Informatics Laboratory, Aristotelean University of Thessaloniki

1
IPICS2004 Information Systems Security
(Security of Distributed and Internet Based
Information Systems)
G. Pangalos, Informatics Laboratory,
Aristotelean University of Thessaloniki
2
Topics for discussion
  • The security problem - Basic security concepts
  • The security of internet based IS
  • Acceptable approaches to internet security
  • A methodology tool for selecting the
    appropriate security measures / guidelines

3
1. Basic Security Issues
4
the need for security
  • Many I.S. handle sensitive information that
    should be protected.
  • Without an appropriate level of security in
    place, no such system can be operational.
  • A secure operational environment is thus
    required.
  • Security is therefore an important issue for most
    I.S.s

5
What is Security?
  • Basic concepts
  • Confidentiality: the protection of information
    from unauthorized access or unintended disclosure.
  • Integrity: the protection of information from
    unauthorized modification.
  • Availability: resources are in place, without
    unreasonable delay, when the user needs them.

6
need for security
  • As organizations increase their reliance on
    information systems and the Internet for daily
    business, they become more vulnerable to security
    breaches.

7
Several major questions arise, for example
  • How to safeguard the confidentiality of the
    information (i.e. who should be allowed to see
    what and under what conditions),
  • How to safeguard the integrity of the
    information,
  • How to improve its availability to legitimate
    users, etc.

8
In order to answer those questions it is
necessary to
  • 1. Identify the security requirements / threats /
    vulnerabilities associated with the various
    categories of users and data types
  • 2. Study the related security technology
    available
  • 3. Study the impact of adding security on the
    availability / performance / cost of the system
  • 4. Propose specific measures required to improve
    the security of the system.
  • 5. Define an appropriate security policy for
    accessing the information

9
Some problems to think on...
  • Confidentiality vs Availability vs Integrity (vs
    Accountability)
  • The ease of Attack (e.g. through internet)
  • The emergence of new, internet based,
    applications (electronic commerce, e-payments,
    ...)
  • The Holistic Approach necessary

10
Why is this still a problem?
  • We have been working on it for 30 years
  • We have a good theoretical foundation
  • We understand the problem
  • We have products
  • We continue to make progress
  • We have ethics classes

11
. . . But!
  • Security Controls Have Operational Impact
  • Security costs (security should not cost. It
    should pay)
  • Products Do Not Match Problems
  • Not enough Flexibility
  • Rapidly Evolving Technology
  • No security culture

12
Computer Security Topics
  • Operating Systems Security
  • Database Security
  • Network Security
  • Internet Security
  • Electronic Commerce security
  • Office Automation Security
  • Formal Models of Secure Systems
  • Risk Analysis/Threat Analysis
  • Encryption (symmetric and asymmetric)

13
So, Why Aren't Systems Secure?
  • Security is usually an afterthought
  • Security can be expensive
  • Security is fundamentally hard to address
  • False solutions
  • Belief that computers are the problem - not
    people (teach ethics)
  • Technology is oversold

14
Possible Information States ...
  • Processing
  • Storage
  • Transmission

15
What we are trying to do ...
  • The Information Security Objective then becomes
  • To preserve Security Characteristics across all
    three possible states of processing.
  • Maintain the appropriate level of security

16
Security Threats - Risks
17
  • A threat is any circumstance or event with the
    potential to cause harm to an organisation
    (through the disclosure, modification or
    destruction of information, or by the denial of
    critical services).
  • The presence of a threat does not mean that it
    will necessarily cause actual harm.
  • To become a risk, a threat must take advantage of
    a vulnerability in the system security controls.

18
Why not just Encrypt ?
  • Encryption is likely the most powerful tool
    available - but does not solve all problems.
  • Steganography Encryption ..

19
What Tends to Work ...
  • User Education
  • Strong holistic approach
  • Good Risk Analysis
  • Plans and Procedures Enforcement
  • Strong Identification and Authentication
  • Firewalls on networks
  • Law and Regulation

20
Basic Concepts
  • Access control. There is a need to protect
    resources against unauthorised access. The
    access control components decide whether a
    subject can access a particular resource
    (object). This functionality is related to both
    secrecy and integrity.
  • Authentication. Verification of the identity of
    users. This is of crucial importance in
    distributed systems due to the inherent ability
    of these systems to allow access to remote
    resources via physically untrusted communication
    environments.
  • Auditing. Users that access resources should be
    accountable; the audit components should record
    their identities and actions.

21
Basic Concepts
  • Non-repudiation. For some applications it is
    important to provide evidence of actions. Typical
    examples of this are proof of receipt of a
    message or proof of sending a message.
  • Security management . This is the management of
    information related to the security of a system.
    Typically this determines the security
    characteristics of a system.
  • Cryptography. The provision of the above
    mentioned functionality is usualy based on
    cryptography which is essential in distributed
    systems where communication is based on insecure
    links.

22
2. The Internet Security Problem
23
Facts
  • The Internet is the fastest growing
    telecommunications medium in history
  • It provides unprecedented opportunities for
    interaction and data sharing.

24
Advantages of using Internet/Web browsers to
provide access to information
  • Ease of deployment of information
  • No specific network infrastructure is required.
  • Everybody has a navigation program for the WWW
    (Netscape Navigator, Internet Explorer etc.)
  • User-friendly environment
  • Users need no specific knowledge to access data.
  • Everybody knows how to use a Web browser.
  • Ease of administration
  • The Web server handles all of the communications
    and simply passes the data back to the client.

25
The Internet Security problem
26
  • Vulnerable TCP/IP services: a number of the
    TCP/IP services are not designed to be secure and
    can be compromised by knowledgeable intruders.
  • Ease of eavesdropping and spoofing: the majority
    of Internet traffic is not encrypted.
  • Lack of policy: many sites are configured
    unintentionally for wide-open Internet access
    without regard for the potential for abuse from
    the Internet.
  • Complexity of configuration: host security access
    controls are often complex to configure and
    monitor.

27
Threats in Internet
  • Information Browsing: unauthorised viewing of
    sensitive information by intruders or legitimate
    users may occur through a variety of mechanisms.
  • Misuse: the use of information assets for other
    than authorised purposes can result in denial of
    service, increased cost, or damage to
    reputations.
  • Component Failure: failure due to design flaws or
    hardware/software faults can lead to denial of
    service or security compromises through the
    malfunction of a system component.

28
Threats in Internet
  • Unauthorised deletion, modification or disclosure:
    intentional damage to information assets that
    results in the loss of integrity or
    confidentiality of business functions and
    information.
  • Penetration: attacks by unauthorised persons or
    systems that may result in denial of service or
    significant increases in incident handling costs.
  • Misrepresentation: attempts to masquerade as a
    legitimate user to steal services or information,
    or to initiate transactions that result in
    financial loss or embarrassment to the
    organisation.

29
Internet Security Risks
  • The advantages provided by the Internet come with
    a significantly greater element of risk to the
    confidentiality and integrity of information
    (open environment, uncontrolled
    platforms, etc.).
  • The very nature of the Internet means that
    security risks cannot be totally eliminated.

30
!!!
  • Because of these security risks and the need to
    research security requirements vis-a-vis the
    Internet, in the past some organizations (e.g.
    HCFA) had even prohibited until recently the use
    of the Internet for the transmission of sensitive
    data.

31
On the other hand
  • There is a growing demand for using the Internet
    for fast and inexpensive transmission of
    information.

32
  • It is therefore necessary to accommodate this
    need, provided that it can be assured that proper
    steps are being taken to maintain an acceptable
    level of security for the information involved.

33
Solving the problem requires
  • A. To activate the necessary security tools
  • B. To have an adequate Internet Security Policy
    in place
34
A. Activate the necessary security tools
35
Levels of Internet security
  • 1. Security at the Application Layer
  • 2. Security at the Transport Layer
  • 3. Security at the Physical Layer

36
Hierarchical Layers of Internet Security
(Application Layer)
37
Security at level 1 (Application Layer)
  • Tools available
  • a. Use of a Secure Transfer Protocol (e.g.
    S-HTTP)
  • b. Use of end-to-end Encryption
  • c. Use of Digital Signatures and user
    Certificates

38
Security at level 2 (Transport Layer)
  • Method: Activate an SSL connection
  • Set up a PKI / TTP infrastructure
  • Provide SERVER / CLIENT / USER certificates
  • Use them to activate an SSL / https connection
    between client / server

39
B. Have an adequate Internet Security Policy in
place
40
That is ...
  • To establish the basic security requirements that
    must be satisfied in order to use the Internet to
    safely transmit sensitive information.

41
What is needed
  • To define a suitable Internet Security Policy,
  • and
  • To describe the set of technical measures that
    are needed for its implementation.

42
  • A. Development of an Internet Security Policy:
    Acceptable Security Approaches

43
Basic Security Principles for the transmission
of sensitive data over the Internet
44
1. Access and modification of information
  • Sensitive information sent over the Internet
    must be accessed and modified
    only by authorized parties

45
2. Use of Acceptable technologies
  • Appropriate technologies must be used to ensure
    that data travels safely over the Internet and is
    only disclosed to authorised parties.
  • These technologies should
  • allow users to prove they are who they say they
    are (identification and authentication), and
  • allow the organized scrambling of data
    (encryption) to avoid inappropriate disclosure or
    modification.

46
As seen later
  • The Internet can be used for the safe
    transmission of sensitive data, provided that
  • a suitable Internet Security Policy is in place,
  • an acceptable method of encryption is utilized to
    provide for confidentiality and integrity of the
    data, and
  • Suitable identification and authentication
    procedures are employed to assure that both the
    sender and recipient of the data are known to
    each other and are authorized to receive and
    decrypt such information.

47
II. Acceptable Security Methods
48
Acceptable Security Methods
  • In order to safely use the internet for the
    transmission of sensitive data,
    the method(s) employed by all users must come
    under one of the acceptable approaches to
    security described below.

49
These approaches ...
  • Are as generic as possible and as open to
    specific implementations as possible, to provide
    maximum user flexibility within the allowable
    limits of security and manageability
  • Have been based on a detailed study of the
    existing security framework and guidelines in the
    EU countries, USA and Canada.

50
Major sources
  • Development of a H.L. Security Policy for the
    processing and transmission of data through the
    INTERNET, Medical informatics and internet
    applications Journal, 1999.
  • The Intranet Health Clinic project, WP6 report
    security, The IHC project, EU, 2000.
  • European prestandard CEN/TC 251/SEC-COM
    Security for Healthcare Communication, 1999
  • Recommendation No. R (99)5 for the protection of
    privacy on the Internet,1999.
  • Directive 95/46/EC on the protection of
    individuals with regard to the processing of
    personal data and on the free movement of such
    data.

51
  • Recommendation No. R (95) 4 on the protection of
    personal data in the area of telecommunication
    services.
  • Recommendation No. R (97) 5 on the protection of
    medical data, February 1997.
  • CEN/TC 251 technical report N98-110, framework
    for security protection of healthcare
    communication, 1998
  • CSA standard CAN/CSA Q830, Model Code for the
    Protection of Personal Information, 1995
  • Canadian Organisation for the Advancement of
    Computers in Health (COACH), Security and Privacy
    Guidelines for Health Information Systems,
    Canada's Health Informatics Association, 1995.

52
  • TrustHealth1, Examination of the Implications of
    the EU Data Protection Directive to a TrustHealth
    Information System, Deliverable D6.2,
    INFOSEC/TrustHealth Project, 1996.
  • Department of Health and Human Services,
    Security and electronic Signature standards,
    Federal Register/Vol. 63, No. 155, 1998
  • HCFA, Internet Communications Security and
    Appropriate Use Policy and Guidelines, 1998.
  • Report and Recommendations from the Provincial
    Steering Committee on the Health Information
    protection Act, 1998.
  • FOIP Policy and Practices, USA, 1998.

53
0. Acceptable Approaches to Internet Usage
54
I. General statement
  • It is permissible to use the Internet for the
    transmission of sensitive information, as long
    as
  • an acceptable method of encryption is utilised to
    provide for confidentiality and integrity of this
    data, and
  • adequate identification and authentication
    procedures are employed to assure that both the
    sender and recipient of the data are known to
    each other and are authorised to receive and
    decrypt such information.

55
II. Acceptable Technical Measures (to achieve
those objectives)
56
ACCEPTABLE TECHNICAL MEASURES
  • 1. Acceptable Identification and Authentication
    approaches
  • 2. Acceptable WEB server usage
  • 3. Acceptable mail usage
  • 4. Acceptable protection from virus and
    Interactive software
  • 5. Acceptable Intrusion Detection methods
  • 6. Acceptable Encryption approaches

57
1. Acceptable Identification and Authentication
approaches
58
The problem
  • Authentication over the Internet presents several
    problems.
  • e.g. It is relatively easy to capture
    identification and authentication data
    (or any data) and replay it in order to
    impersonate a user.

59
Acceptable Identification and Authentication
approaches
60
1. use of digital certificates
  • Any site must use digital certificates to
    validate the identity of both the user and the
    server.
  • Certificates at the user end must be used in
    conjunction with standard technologies such as
    Secure Sockets Layer (SSL).

61
  • Only the use of Formal Certificate Authority -
    based digital certificates is acceptable.
  • Certificates can be issued only by the
    organization or by a Trusted Third Party.
  • Access to digital Certificates stored on PCs
    should be protected by passwords.
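The certificate policy of slides 38 and 60-61 (server, client and user certificates issued by the organisation's CA or a TTP, used through SSL, with PC-stored certificates protected by a password) expressed as TLS contexts. This is an added example, not code from the presentation; the file paths are placeholders, and the slides' SSL 3.0 minimum dates from 2004, so TLS 1.2 is set as the floor, which modern stacks require anyway.

```python
"""Mutual-authentication TLS contexts for the slides' certificate policy."""
import ssl

ORG_CA_FILE = "/etc/pki/org-ca.pem"        # placeholder: the organisation's CA
SERVER_CERT = "/etc/pki/server.pem"        # placeholder
SERVER_KEY = "/etc/pki/server.key"         # placeholder
USER_CERT = "/home/user/.pki/user.pem"     # placeholder
USER_KEY = "/home/user/.pki/user.key"      # placeholder, encrypted with a password


def server_policy() -> ssl.SSLContext:
    """Server side: the client must present a certificate the org CA issued."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # floor raised from the slides' SSL 3.0
    ctx.verify_mode = ssl.CERT_REQUIRED           # no client certificate, no connection
    return ctx


def make_server_context(certfile=SERVER_CERT, keyfile=SERVER_KEY, cafile=ORG_CA_FILE):
    ctx = server_policy()
    ctx.load_verify_locations(cafile=cafile)      # only the org CA / TTP is trusted
    ctx.load_cert_chain(certfile, keyfile)        # the server's own certificate
    return ctx


def client_policy() -> ssl.SSLContext:
    """Client side: verify the server certificate and hostname against the org CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_client_context(password: str, certfile=USER_CERT, keyfile=USER_KEY,
                        cafile=ORG_CA_FILE):
    ctx = client_policy()
    ctx.load_verify_locations(cafile=cafile)
    # The user's private key is stored encrypted; the password unlocks it at use time.
    ctx.load_cert_chain(certfile, keyfile, password=password)
    return ctx


def server_only_auth() -> ssl.SSLContext:
    """Server-side TLS that never asks who the client is: validates the server,
    not the user, so it does not satisfy slide 60."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```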

62
2. Use of passwords
  • Passwords may be sent over the Internet only when
    encrypted
  • Passwords and user logon IDs must be unique to
    each authorized user.
  • Passwords must be changed at a suitable period
    (e.g. 90 days).

63
3. Logon procedures
  • User accounts will be frozen after 3 failed logon
    attempts.
  • All erroneous password entries will be recorded
    in an audit log for later inspection and action,
    as necessary.
  • Sessions will be suspended after 15 minutes (or
    other specified period) of inactivity and require
    the password to be re-entered.

64
  • Successful logons should display the date and
    time of the last logon and logoff.
  • Logon IDs and passwords should be suspended after
    a specified period of disuse.
  • Each site would be required to be able to prove
    that data in its possession has not been altered
    or destroyed in an unauthorised manner.
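The logon rules of slides 63 and 64 (freeze after 3 failed attempts, audit every erroneous password entry, suspend a session after 15 minutes of inactivity, show the last logon and logoff on success) as a small reference monitor. This is an added example, not the presentation's code; the injectable clock, the account store and the salted PBKDF2 password hashing are assumptions, and suspension after a period of disuse is left out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3                     # slide 63: frozen after 3 failed logons
SESSION_IDLE_LIMIT = timedelta(minutes=15)  # slide 63: suspend after 15 min idle


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored credential is not the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    frozen: bool = False
    last_logon: Optional[datetime] = None
    last_logoff: Optional[datetime] = None


@dataclass
class Session:
    user: str
    last_activity: datetime
    suspended: bool = False


class LogonMonitor:
    """Enforces the slides' logon rules; `now` is an injectable clock (assumed)."""

    def __init__(self, now):
        self.now = now
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[str] = []   # every erroneous entry is recorded here

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def logon(self, user: str, password: str) -> Tuple[Optional[Session], str]:
        """Return (session or None, message); 3 failures freeze the account."""
        acct = self.accounts.get(user)
        stamp = self.now().isoformat()
        if acct is None or acct.frozen:
            # Same outward message as a bad password: no user enumeration.
            self.audit_log.append(f"{stamp} FAILED {user}: unknown or frozen account")
            return None, "logon failed"
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed_attempts += 1
            self.audit_log.append(f"{stamp} FAILED {user}: bad password "
                                  f"({acct.failed_attempts}/{MAX_FAILED_ATTEMPTS})")
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.frozen = True          # stays frozen until an administrator acts
                self.audit_log.append(f"{stamp} FROZEN {user}")
            return None, "logon failed"
        # Success: report last logon/logoff, reset the counter, open a session.
        msg = f"last logon {acct.last_logon}, last logoff {acct.last_logoff}"
        acct.failed_attempts = 0
        acct.last_logon = self.now()
        return Session(user, self.now()), msg

    def touch(self, session: Session) -> bool:
        """Record activity; suspend the session if it was idle beyond the limit."""
        now = self.now()
        if session.suspended or now - session.last_activity > SESSION_IDLE_LIMIT:
            session.suspended = True        # the password must be re-entered
            return False
        session.last_activity = now
        return True

    def logoff(self, session: Session) -> None:
        self.accounts[session.user].last_logoff = self.now()
        session.suspended = True
```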

65
Acceptable approaches for WEB server usage
66
  • There shall be no remote control of the Web
    server.
  • All administrator operations (e.g., security
    changes) shall be done from the console.
  • Supervisor-level logon shall not be done at any
    device other than the console.
  • The Web server software, and the software of the
    underlying operating system, shall contain all
    manufacturer recommended patches for the version
    in use.

67
  • The Web server must be located internal to the
    firewall.
  • The Web servers shall be configured so that users
    cannot install CGI scripts.
  • All network applications other than HTTP should
    be disabled from the WEB server (e.g., SMTP, ftp,
    etc.)

68
Acceptable usage of UNIX WEB servers
  • Unix Web servers shall not be run as root.
  • The implementation and use of CGI scripts shall
    be monitored and controlled.
  • CGI scripts shall not accept unchecked input.

69
  • Any programs that run externally with arguments
    should not contain metacharacters.
  • The developer is responsible for devising the
    proper regular expression to scan for shell
    metacharacters and shall strip out special
    characters before passing external input to the
    server software or the underlying operating
    system.
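The checks slides 68 and 69 require before CGI input reaches an external program, as an added example that is not the presentation's code: the shell-metacharacter regex and strip-out the slide asks for, a stricter per-field allowlist that rejects rather than strips, and the external call made with an argument vector and no shell. The field names and the `/usr/local/bin/lookup` program are assumptions.

```python
import re
import subprocess
from typing import List

# Denylist the slide calls for: characters a Bourne-style shell interprets.
SHELL_METACHARS = re.compile(r"""[;&|`$<>()\[\]{}*?~!#\\'"\s]""")

# Allowlist per field: what the value is supposed to look like (assumed fields).
FIELD_PATTERNS = {
    "record_id": re.compile(r"[A-Z0-9]{4,12}"),
    "year": re.compile(r"(19|20)\d{2}"),
}

LOOKUP_PROGRAM = "/usr/local/bin/lookup"   # hypothetical external program


class InvalidInput(ValueError):
    pass


def contains_metachars(value: str) -> bool:
    return SHELL_METACHARS.search(value) is not None


def strip_metachars(value: str) -> str:
    """The slide's remedy: strip shell metacharacters before passing input on."""
    return SHELL_METACHARS.sub("", value)


def validate_field(name: str, value: str) -> str:
    """Allowlist check: reject anything the field should not contain.

    Rejecting beats stripping: stripping can quietly turn one value into
    another valid-looking one, while a rejected request leaves a clear
    audit entry for the daily log review.
    """
    pattern = FIELD_PATTERNS.get(name)
    if pattern is None or not pattern.fullmatch(value):
        raise InvalidInput(f"field {name!r} rejected")
    if contains_metachars(value):      # defence in depth; the allowlist excludes these
        raise InvalidInput(f"field {name!r} contains shell metacharacters")
    return value


def build_command(record_id: str, year: str) -> List[str]:
    """Argument vector for the external program: each value is its own argv entry."""
    return [LOOKUP_PROGRAM, "--id", validate_field("record_id", record_id),
            "--year", validate_field("year", year)]


def run_lookup(record_id: str, year: str) -> str:
    # shell=False: argv goes straight to the program; no shell ever parses the values.
    result = subprocess.run(build_command(record_id, year), shell=False,
                            capture_output=True, text=True, timeout=10, check=True)
    return result.stdout
```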

70
Acceptable approaches to mail usage
71
Objective
  • Implement suitable policies for e-mail usage to
    help users
  • use electronic mail properly,
  • reduce the risk of intentional or unintentional
    misuse, and
  • assure that sensitive records transferred via
    electronic mail are properly handled.

72
acceptable approaches for e-mail usage
73
  • If confidential or proprietary information must
    be sent via email, it must be encrypted so that
    it is only readable by the intended recipient,
    using digital signatures.

74
  • All incoming messages will be scanned for viruses
    and other malign content.
  • The mail server, or other mail server which is
    servicing users, will be configured to accept
    only encrypted passwords from local machines
    using SSL 3.0 or other encrypted channel.

75
  • e-mail servers shall be configured to refuse
    e-mail addressed to non-organizational systems.
  • E-mail clients will be configured so that every
    message is signed using the digital signature of
    the sender.

76
4. Acceptable approaches for protection from
virus and interactive software
77
The problem
  • The Internet provides another channel for virus
    infections, one that can often bypass traditional
    virus controls.

78
  • The security service policy for viruses
  • has to prevent the introduction of viruses into
    a computing environment, and
  • must be able to determine that an executable,
    boot record, or data file is contaminated with a
    virus.

79
i. acceptable approaches for virus protection
80
  • Anti-virus software should be installed in the
    servers to limit the spread of viruses within the
    network.
  • Scanning of all files and executables will occur
    daily (or weekly) on the servers.
  • Workstations will have memory resident anti-virus
    software installed and configured to scan data as
    it enters the computer.
  • Programs will not be executed, nor files opened
    by applications prone to macro viruses without
    prior scanning.

81
  • All incoming mail and files received from the
    Internet must be scanned for viruses as they are
    received.
  • Virus checking will be performed if applicable at
    firewalls that control access to networks.
  • This will allow centralised virus scanning for
    the entire organisation.
  • It also allows for centralised administration of
    the virus scanning software.

82
  • All data imported on a computer (e-mail, or file
    transfer) will be scanned before being used.
  • Off-the-shelf scanning software should be
    enhanced by state of the art virtual machine
    emulation for polymorphic virus detection.
  • All other new virus detection methods will be
    incorporated into the detection test bed.
  • To keep abreast of the latest viruses which have
    been identified, scanning software will be
    updated monthly or as updates arrive.

83
  • Users will inform the system administrator of any
    virus that is detected, configuration change, or
    different behaviour of a computer or application.
  • When informed that a virus has been detected, the
    system administrator will inform all users that a
    virus may have also infected their system.
  • The users will be informed of the steps necessary
    to determine if their system is infected and the
    steps to take to remove the virus.

84
ii. acceptable approaches for using Interactive
Software
85
Use of Interactive Software
  • In an Interactive Software environment a user
    accesses a server across a network. The server
    downloads an application (applet) onto the user's
    computer, which is then executed.
  • There are significant risks involved in this
    strategy.
  • Fundamentally, one must trust that what is
    downloaded will do what has been promised.

86
  • Users should configure their browsers to accept
    applets only from the servers.
  • If this is not possible, then browsers should be
    configured not to accept applets.

87
5. Acceptable Intrusion Detection methods
88
  • Intrusion detection plays an important role in
    implementing the Internet Security Policy.

89
acceptable approaches for Intrusion detection
90
i. Normal logging processes
  • Normal logging processes shall be enabled on all
    systems.
  • Alarm and alert functions, as well as logging, of
    any firewalls and other network perimeter access
    control systems shall be enabled.

91
ii. additional monitoring tools
  • In addition to the activity logging process
    provided by the operating system,
  • all servers shall have additional monitoring
    tools (e.g. Tripwire or appropriate software
    wrappers) installed.

92
iii. perimeter access control
  • System integrity checks of the firewalls and
    other network perimeter access control systems
    must be performed on a routine basis.
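A Tripwire-style integrity check for slides 91 and 92, added here as an example that is not the presentation's code: it records a baseline of SHA-256 digests and permission bits for a directory tree and, on a later routine run, reports files that were modified, added or removed. It assumes the baseline is kept where the monitored host cannot quietly rewrite it (read-only media or another host).

```python
import hashlib
import os
from pathlib import Path
from typing import Dict, List, Tuple

# relative path -> (sha256 hex digest, permission bits)
Baseline = Dict[str, Tuple[str, int]]


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Walk the tree and record digest and mode for every regular file."""
    baseline: Baseline = {}
    rootp = Path(root)
    for dirpath, _dirs, files in os.walk(rootp):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_symlink():
                continue            # a full tool records link targets separately
            rel = str(p.relative_to(rootp))
            baseline[rel] = (file_digest(p), p.stat().st_mode & 0o7777)
    return baseline


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Diff two baselines: a changed digest or changed mode counts as modified."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for rel, entry in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif entry != baseline[rel]:
            report["modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def check_tree(root: str, baseline: Baseline) -> Dict[str, List[str]]:
    """The routine check: rescan the tree and report deviations from the baseline."""
    return compare(baseline, build_baseline(root))


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())
```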

93
iv. Review
  • Audit logs from the perimeter access control
    systems shall be reviewed daily.
  • Audit logs for servers shall be reviewed on a
    daily basis.
  • User education shall be provided in order to
    train users to report any anomalies in system
    performance to their system administration staff.

94
6. Acceptable encryption approaches
95
i. Level of Encryption
  • A level of encryption protection equivalent to
    that provided by an algorithm as follows is
    recognised as minimally acceptable:
  • Triple 56 bit DES (defined as 112 bit
    equivalent) for symmetric encryption,
  • 1024 bit algorithms for asymmetric systems, and
  • 160 bits for the emerging Elliptic Curve systems

96
  • The organization will have however to increase
    these minimum levels when deemed necessary by
    advances in techniques and capabilities
    associated with the processes used by attackers
    to break encryption.

97
ii. Hardware-Based Encryption
  • Hardware encryptors are acceptable (while likely
    to be reserved for the largest traffic volumes to
    a very limited number of Internet sites).
  • Symmetric password "private" key devices (such as
    link encryptors)

98
iii. Acceptable Software-Based Encryption
  • Secure Sockets Layer (SSL) implementations at a
    minimum SSL level of Version 3.0,
  • standard commercial implementations of PKI, or
    some variation of, implemented in the SSL.
  • S/MIME - Standard commercial implementations of
    encryption in the e-mail layer

99
Acceptable Software-Based Encryption-2
  • In-stream - Encryption implementations in the
    transport layer, such as pre-agreed passwords
  • Offline - Encryption/decryption of files at the
    user sites before entering the data
    communications process

100
III. Basic Security Principles for the
transmission of sensitive (database) data over
the Internet
101
Basic Security Principle
  • Sensitive information sent over the Internet
    must be accessed and modified
    only by authorized parties

102
Basic Security Guidelines for the transmission
of sensitive data over the Internet
  • The Internet can be used for the transmission of
    sensitive data, provided that
  • a suitable Internet Security Policy is in place,
  • an acceptable method of encryption is utilized to
    provide for confidentiality and integrity of the
    data, and
  • suitable authentication or identification
    procedures are employed to assure that both the
    sender and recipient of the data are known to
    each other and are authorized to receive and
    decrypt such information.

103
Related Security Guidelines
104
G7.1 Acceptable technologies
  • Appropriate technologies must be used to ensure
    that data travels safely over the Internet and is
    only disclosed to authorised parties.
  • These technologies should
  • allow users to prove they are who they say they
    are (identification and authentication), and
  • allow the organized scrambling of data
    (encryption) to avoid inappropriate disclosure or
    modification.

105
G7.2 Encryption
  • In order to make the Internet adequately safe, a
    complete Internet communications implementation
    must include adequate encryption
  • Encryption must be at a sufficient level of
    security to protect against the cipher being
    readily broken and the data compromised.
  • The length of the key and the quality of the
    encryption framework and algorithm must be
    increased over time as new weaknesses are
    discovered and processing power increases.

106
G7.4 Authentication and Identification
  • In order to make the Internet adequately safe, a
    complete Internet communications implementation
    must include employment of sufficient
    authentication or identification of
    communications partners.

107
G7.5 Password/key management systems
  • In order to make the Internet adequately safe, a
    complete Internet communications implementation
    must include a management scheme which
    incorporates effective password/key management
    systems