Title: IPICS2004 Information Systems Security (Security of Distributed and Internet Based Information Systems) G. Pangalos Informatics Laboratory Aristotelean University of Thessaloniki
Slide 1: IPICS2004 Information Systems Security (Security of Distributed and Internet Based Information Systems)
G. Pangalos, Informatics Laboratory, Aristotelean University of Thessaloniki
Slide 2: Topics for discussion
- The security problem - basic security concepts
- The security of internet based IS
- Acceptable approaches to internet security
- A methodology tool for selecting the appropriate security measures / guidelines
Slide 3: 1. Basic Security Issues

Slide 4: The need for security
- Many I.S. handle sensitive information that should be protected.
- Without an appropriate level of security in place, no such system can be operational.
- A secure operational environment is thus required.
- Security is therefore an important issue for most I.S.s.
Slide 5: What is Security?
- Basic concepts
  - Confidentiality: the protection of information from unauthorized access or unintended disclosure.
  - Integrity: the protection of information from unauthorized modification.
  - Availability: resources are in place, without unreasonable delay, when the user needs them.
Slide 6: Need for security
- As organizations increase their reliance on information systems and the Internet for daily business, they become more vulnerable to security breaches.
Slide 7: Several major questions arise, for example
- How to safeguard the confidentiality of the information (i.e. who should be allowed to see what, and under what conditions),
- How to safeguard the integrity of the information,
- How to improve its availability to legitimate users, etc.
Slide 8: In order to answer those questions it is necessary to
- 1. Identify the security requirements / threats / vulnerabilities associated with the various categories of users and data types
- 2. Study the related security technology available
- 3. Study the impact of adding security on the availability / performance / cost of the system
- 4. Propose specific measures required to improve the security of the system
- 5. Define an appropriate security policy for accessing the information
Slide 9: Some problems to think on...
- Confidentiality vs Availability vs Integrity (vs Accountability)
- The ease of attack (e.g. through the internet)
- The emergence of new, internet based, applications (electronic commerce, e-payments, ...)
- The holistic approach necessary
Slide 10: Why is this still a problem?
- We
  - Have been working on it for 30 years
  - Have a good theoretical foundation
  - Understand the problem
  - Have products
  - Continue to make progress
- We have ethics classes
Slide 11: ... But!
- Security controls have operational impact
- Security costs (security should not cost, it should pay)
- Products do not match problems
- Not enough flexibility
- Rapidly evolving technology
- No security culture
Slide 12: Computer Security Topics
- Operating Systems Security
- Database Security
- Network Security
- Internet Security
- Electronic Commerce security
- Office Automation Security
- Formal Models of Secure Systems
- Risk Analysis/Threat Analysis
- Encryption (symmetric and asymmetric)
Slide 13: So, why aren't systems secure?
- Security is usually an afterthought
- Security can be expensive
- Security is fundamentally hard to address
- False solutions
- Belief that computers are the problem, not people (teach ethics)
- Technology is oversold
Slide 14: Possible Information States ...
- Processing
- Storage
- Transmission
Slide 15: What we are trying to do ...
- The Information Security Objective then becomes
  - To preserve security characteristics across all three possible states of processing.
  - To maintain the appropriate level of security.
Slide 16: Security Threats - Risks

Slide 17
- A threat is any circumstance or event with the potential to cause harm to an organisation (through the disclosure, modification or destruction of information, or by the denial of critical services).
- The presence of a threat does not mean that it will necessarily cause actual harm.
- To become a risk, a threat must take advantage of a vulnerability in the system security controls.
Slide 18: Why not just Encrypt?
- Encryption is likely the most powerful tool available, but it does not solve all problems.
- Steganography, encryption, ...
Slide 19: What Tends to Work ...
- User Education
- Strong holistic approach
- Good Risk Analysis
- Plans and Procedures Enforcement
- Strong Identification and Authentication
- Firewalls on networks
- Law and Regulation
Slide 20: Basic Concepts
- Access control. There is a need to protect resources against unauthorised access. The access control components decide whether a subject can access a particular resource (object). This functionality is related to both secrecy and integrity.
- Authentication. Verification of the identity of users. This is of crucial importance in distributed systems, due to the inherent ability of these systems to allow access to remote resources via physically untrusted communication environments.
- Auditing. Users that access resources should be accountable. The audit components should record their identities and actions.
Slide 21: Basic Concepts
- Non-repudiation. For some applications it is important to provide evidence of actions. Typical examples of this are proof of receipt of a message or proof of sending a message.
- Security management. This is the management of information related to the security of a system. Typically this determines the security characteristics of a system.
- Cryptography. The provision of the above mentioned functionality is usually based on cryptography, which is essential in distributed systems where communication is based on insecure links.
Slide 22: 2. The Internet Security Problem

Slide 23: Facts
- The Internet is the fastest growing telecommunications medium in history.
- It provides unprecedented opportunities for interaction and data sharing.
Slide 24: Advantages of using Internet/Web browsers to provide access to information
- Ease of deployment of information
  - No specific network infrastructure is required.
  - Everybody has a navigation program for the WWW (Netscape Navigator, Internet Explorer etc.)
- User-friendly environment
  - Users need no specific knowledge to access data.
  - Everybody knows how to use a Web browser.
- Ease of administration
  - The Web server handles all of the communications and simply passes the data back to the client.
Slide 25: The Internet Security problem

Slide 26
- Vulnerable TCP/IP services: a number of the TCP/IP services are not designed to be secure and can be compromised by knowledgeable intruders
- Ease of eavesdropping and spoofing: the majority of Internet traffic is not encrypted
- Lack of policy: many sites are configured unintentionally for wide-open Internet access without regard for the potential for abuse from the Internet
- Complexity of configuration: host security access controls are often complex to configure and monitor
Slide 27: Threats in Internet
- Information Browsing: unauthorised viewing of sensitive information by intruders or legitimate users may occur through a variety of mechanisms.
- Misuse: the use of information assets for other than authorised purposes can result in denial of service, increased cost, or damage to reputations.
- Component Failure: failure due to design flaws or hardware/software faults can lead to denial of service or security compromises through the malfunction of a system component.

Slide 28: Threats in Internet
- Unauthorised deletion, modification or disclosure: intentional damage to information assets that results in the loss of integrity or confidentiality of business functions and information.
- Penetration: attacks by unauthorised persons or systems that may result in denial of service or significant increases in incident handling costs.
- Misrepresentation: attempts to masquerade as a legitimate user to steal services or information, or to initiate transactions that result in financial loss or embarrassment to the organisation.
Slide 29: Internet Security Risks
- The advantages provided by the Internet come with a significantly greater element of risk to the confidentiality and integrity of information (open environment, uncontrolled platforms, etc.).
- The very nature of the Internet means that security risks cannot be totally eliminated.
Slide 30: !!!
- Because of these security risks and the need to research security requirements vis-a-vis the Internet, some organizations (e.g. HCFA) had until recently even prohibited the use of the Internet for the transmission of sensitive data.
Slide 31: On the other hand
- There is a growing demand for using the Internet for fast and inexpensive transmission of information.

Slide 32
- It is therefore necessary to accommodate this need, provided that it can be assured that proper steps are being taken to maintain an acceptable level of security for the information involved.

Slide 33: Solving the problem requires
- A. To activate the necessary security tools
- B. To have an adequate Internet Security Policy in place
Slide 34: A. Activate the necessary security tools

Slide 35: Levels of Internet security
- 1. Security at the Application Layer
- 2. Security at the Transport Layer
- 3. Security at the Physical Layer

Slide 36: Hierarchical Layers of Internet Security (Application Layer)

Slide 37: Security at level 1 (Application Layer)
- Tools available
  - a. Use of a Secure Transfer Protocol (e.g. S-HTTP)
  - b. Use of end-to-end Encryption
  - c. Use of Digital Signatures and user Certificates
  - ...

Slide 38: Security at level 2 (Transport Layer)
- Method: activate an SSL connection
  - Set up a PKI / TTP infrastructure
  - Provide SERVER / CLIENT / USER certificates
  - Use them to activate an SSL / https connection between client and server
Slide 39: B. Have an adequate Internet Security Policy in place

Slide 40: That is ...
- To establish the basic security requirements that must be satisfied in order to use the Internet to safely transmit sensitive information.

Slide 41: What is needed
- To define a suitable Internet Security Policy, and
- To describe the set of technical measures that are needed for its implementation.

Slide 42: A. Development of an Internet Security Policy - Acceptable Security Approaches
Slide 43: Basic Security Principles for the transmission of sensitive data over the Internet

Slide 44: 1. Access and modification of information
- Sensitive information sent over the Internet must be accessed and modified only by authorized parties.

Slide 45: 2. Use of Acceptable technologies
- Appropriate technologies must be used to ensure that data travels safely over the Internet and is only disclosed to authorised parties.
- These technologies should
  - allow users to prove they are who they say they are (identification and authentication), and
  - allow the organized scrambling of data (encryption) to avoid inappropriate disclosure or modification.
Slide 46: As seen later
- The Internet can be used for the safe transmission of sensitive data, provided that
  - a suitable Internet Security Policy is in place,
  - an acceptable method of encryption is utilized to provide for confidentiality and integrity of the data, and
  - suitable identification and authentication procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt such information.

Slide 47: II. Acceptable Security Methods

Slide 48: Acceptable Security Methods
- In order to safely use the internet for the transmission of sensitive data, the method(s) employed by all users must come under one of the acceptable approaches to security described below.
Slide 49: These approaches ...
- Are as generic as possible and as open to specific implementations as possible, to provide maximum user flexibility within the allowable limits of security and manageability
- Have been based on a detailed study of the existing security framework and guidelines in the EU countries, USA and Canada.
Slide 50: Major sources
- Development of a H.L. Security Policy for the processing and transmission of data through the INTERNET, Medical Informatics and Internet Applications Journal, 1999.
- The Intranet Health Clinic project, WP6 report: security, The IHC project, EU, 2000.
- European prestandard CEN/TC 251/SEC-COM, Security for Healthcare Communication, 1999.
- Recommendation No. R (99)5 for the protection of privacy on the Internet, 1999.
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Slide 51
- Recommendation No. R (95)4 on the protection of personal data in the area of telecommunication services.
- Recommendation No. R (97)5 on the protection of medical data, February 1997.
- CEN/TC 251 technical report N98-110, Framework for security protection of healthcare communication, 1998.
- CSA standard CAN/CSA Q830, Model Code for the Protection of Personal Information, 1995.
- Canadian Organisation for the Advancement of Computers in Health (COACH), Security and Privacy Guidelines for Health Information Systems, Canada's Health Informatics Association, 1995.

Slide 52
- TrustHealth1, Examination of the Implications of the EU Data Protection Directive to a TrustHealth Information System, Deliverable D6.2, INFOSEC/TrustHealth Project, 1996.
- Department of Health and Human Services, Security and Electronic Signature Standards, Federal Register Vol. 63, No. 155, 1998.
- HCFA, Internet Communications Security and Appropriate Use Policy and Guidelines, 1998.
- Report and Recommendations from the Provincial Steering Committee on the Health Information Protection Act, 1998.
- FOIP Policy and Practices, USA, 1998.
Slide 53: 0. Acceptable Approaches to Internet Usage

Slide 54: I. General statement
- It is permissible to use the Internet for the transmission of sensitive information, as long as
  - an acceptable method of encryption is utilised to provide for confidentiality and integrity of this data, and
  - adequate identification and authentication procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorised to receive and decrypt such information.

Slide 55: II. Acceptable Technical Measures (to achieve those objectives)

Slide 56: Acceptable Technical Measures
- 1. Acceptable Identification and Authentication approaches
- 2. Acceptable WEB server usage
- 3. Acceptable mail usage
- 4. Acceptable protection from virus and Interactive software
- 5. Acceptable Intrusion Detection methods
- 6. Acceptable Encryption approaches
Slide 57: 1. Acceptable Identification and Authentication approaches

Slide 58: The problem
- Authentication over the Internet presents several problems.
- e.g. It is relatively easy to capture identification and authentication data (or any data) and replay it in order to impersonate a user.

Slide 59: Acceptable Identification and Authentication approaches

Slide 60: 1. Use of digital certificates
- Any site must use digital certificates to validate the identity of both the user and the server.
- Certificates at the user end must be used in conjunction with standard technologies such as Secure Sockets Layer (SSL).

Slide 61
- Only the use of formal Certificate Authority based digital certificates is acceptable.
- Certificates can be issued only by the organization or by a Trusted Third Party.
- Access to digital certificates stored on PCs should be protected by passwords.
Slide 62: 2. Use of passwords
- Passwords may be sent over the Internet only when encrypted.
- Passwords and user logon IDs must be unique to each authorized user.
- Passwords must be changed at a suitable period (e.g. 90 days).

Slide 63: 3. Logon procedures
- User accounts will be frozen after 3 failed logon attempts.
- All erroneous password entries will be recorded in an audit log for later inspection and action, as necessary.
- Sessions will be suspended after 15 minutes (or other specified period) of inactivity and require the password to be re-entered.

Slide 64
- Successful logons should display the date and time of the last logon and logoff.
- Logon IDs and passwords should be suspended after a specified period of disuse.
- Each site would be required to be able to prove that data in its possession has not been altered or destroyed in an unauthorised manner.
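As an added example (not from the slides), the Python sketch below enforces the logon rules of slides 62 to 64 with the figures they state: an account freezes after 3 failed attempts, every erroneous entry is written to an audit log, a session is dropped after 15 minutes of inactivity so the password must be re-entered, and a successful logon returns the previous logon and logoff times. Clock values are passed in explicitly so the scenario runs offline; the user names, plaintext sample passwords and event names are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_LOGONS = 3                       # "frozen after 3 failed logon attempts"
SESSION_IDLE_LIMIT = timedelta(minutes=15)  # "suspended after 15 minutes of inactivity"


@dataclass
class Account:
    user_id: str
    password: str                 # constructed sample; a real system stores a hash
    failed_attempts: int = 0
    frozen: bool = False
    last_logon: "datetime | None" = None
    last_logoff: "datetime | None" = None


class LogonPolicy:
    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.sessions = {}            # user_id -> time of last activity
        self.audit_log = []           # (time, user_id, event) for later inspection

    def logon(self, user_id, password, now):
        """Returns the last-logon/logoff banner on success, None when refused."""
        acct = self.accounts.get(user_id)
        if acct is None or acct.frozen:
            self.audit_log.append((now, user_id, "refused"))
            return None
        if password != acct.password:
            acct.failed_attempts += 1         # every erroneous entry is recorded
            self.audit_log.append((now, user_id, "bad_password"))
            if acct.failed_attempts >= MAX_FAILED_LOGONS:
                acct.frozen = True            # administrator action needed to unfreeze
                self.audit_log.append((now, user_id, "frozen"))
            return None
        banner = f"last logon {acct.last_logon}, last logoff {acct.last_logoff}"
        acct.failed_attempts = 0
        acct.last_logon = now
        self.sessions[user_id] = now
        return banner

    def activity(self, user_id, now):
        """True if the request may proceed; False once the idle limit has passed
        (the session is dropped and the password must be re-entered)."""
        last = self.sessions.get(user_id)
        if last is None:
            return False
        if now - last > SESSION_IDLE_LIMIT:
            del self.sessions[user_id]
            return False
        self.sessions[user_id] = now
        return True

    def logoff(self, user_id, now):
        self.sessions.pop(user_id, None)
        self.accounts[user_id].last_logoff = now


def demo():
    """Constructed scenario: three wrong passwords freeze alice; bob idles too long."""
    t0 = datetime(2004, 6, 1, 9, 0)
    policy = LogonPolicy([Account("alice", "s3cret"), Account("bob", "pass")])
    for i in range(3):
        policy.logon("alice", "wrong", t0 + timedelta(seconds=i))
    refused = policy.logon("alice", "s3cret", t0 + timedelta(minutes=1))
    policy.logon("bob", "pass", t0)
    ok_14 = policy.activity("bob", t0 + timedelta(minutes=14))
    ok_30 = policy.activity("bob", t0 + timedelta(minutes=30))   # 16 min since last
    policy.logoff("bob", t0 + timedelta(minutes=31))
    banner = policy.logon("bob", "pass", t0 + timedelta(minutes=32))
    return {"alice_frozen": policy.accounts["alice"].frozen,
            "alice_refused_with_right_password": refused is None,
            "bob_ok_at_14min": ok_14, "bob_ok_at_30min": ok_30, "bob_banner": banner,
            "alice_audit": [e for _, u, e in policy.audit_log if u == "alice"]}
```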
Slide 65: Acceptable approaches for WEB server usage

Slide 66
- There shall be no remote control of the Web server.
- All administrator operations (e.g., security changes) shall be done from the console.
- Supervisor-level logon shall not be done at any device other than the console.
- The Web server software, and the software of the underlying operating system, shall contain all manufacturer recommended patches for the version in use.

Slide 67
- The Web server must be located internal to the firewall.
- The Web servers shall be configured so that users cannot install CGI scripts.
- All network applications other than HTTP should be disabled on the WEB server (e.g., SMTP, ftp, etc.).

Slide 68: Acceptable usage of UNIX WEB servers
- Unix Web servers shall not be run as root.
- The implementation and use of CGI scripts shall be monitored and controlled.
- CGI scripts shall not accept unchecked input.

Slide 69
- Any programs that run externally with arguments should not contain metacharacters.
- The developer is responsible for devising the proper regular expression to scan for shell metacharacters and shall strip out special characters before passing external input to the server software or the underlying operating system.
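As an added example (not from the slides), this Python code implements the CGI input check of slides 68 and 69: a regular expression that scans for shell metacharacters, the "strip out special characters" rule, and the stricter allowlist form of the same check, followed by starting the external program with an argument list rather than a shell string. The metacharacter set, the allowlist and the sample parameters are assumptions; the external program is simulated with the Python interpreter so the block runs offline.

```python
import re
import subprocess
import sys

# Shell metacharacters to scan for before input reaches an external program.
# The set is an assumption covering the usual Bourne-shell specials.
SHELL_META = re.compile(r"""[;&|`$<>(){}\[\]\\*?!~'"\s]""")
# Allowlist: the stricter form of the same check, accept only what a host name
# or record identifier can contain (assumed format for this demonstration).
ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def has_shell_metacharacters(value):
    """True when the value contains anything a shell would interpret."""
    return SHELL_META.search(value) is not None


def strip_metacharacters(value):
    """The slide's 'strip out special characters' rule (keeps the rest of the input)."""
    return SHELL_META.sub("", value)


def validate_identifier(value):
    """Allowlist check: the whole value must match, otherwise it is rejected."""
    if not ALLOWED.fullmatch(value):
        raise ValueError(f"rejected CGI parameter: {value!r}")
    return value


def run_lookup(value):
    """Start the external program with an argument list, never via a shell string,
    so the parameter arrives as one argv element whatever it contains.
    The external program is a constructed stand-in: the interpreter printing argv[1]."""
    arg = validate_identifier(value)
    # The pattern the policy forbids is os.system("lookup " + value): a shell parses value.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()


def demo():
    """Constructed sample CGI parameters as a browser might submit them."""
    samples = ["patient-0042", "report_2004.txt", "a;b|c", "x`y`", "a b"]
    checked = {s: has_shell_metacharacters(s) for s in samples}
    accepted = []
    for s in samples:
        try:
            accepted.append(run_lookup(s))
        except ValueError:
            pass                      # rejected by the allowlist, never executed
    return checked, accepted, strip_metacharacters("a;b|c")
```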
Slide 70: Acceptable approaches to mail usage

Slide 71: Objective
- Implement suitable policies for e-mail usage to help users
  - use electronic mail properly,
  - reduce the risk of intentional or unintentional misuse, and
  - assure that sensitive records transferred via electronic mail are properly handled.

Slide 72: Acceptable approaches for e-mail usage

Slide 73
- If confidential or proprietary information must be sent via email, it must be encrypted so that it is only readable by the intended recipient, using digital signatures.

Slide 74
- All incoming messages will be scanned for viruses and other malign content.
- The mail server, or other mail server which is servicing users, will be configured to accept only encrypted passwords from local machines using SSL 3.0 or another encrypted channel.

Slide 75
- E-mail servers shall be configured to refuse e-mail addressed to non-organizational systems.
- E-mail clients will be configured so that every message is signed using the digital signature of the sender.
Slide 76: 4. Acceptable approaches for protection from virus and interactive software

Slide 77: The problem
- The Internet provides another channel for virus infections, one that can often bypass traditional virus controls.

Slide 78
- The security service policy for viruses
  - has to prevent the introduction of viruses into a computing environment, and
  - must be able to determine that an executable, boot record, or data file is contaminated with a virus.

Slide 79: i. Acceptable approaches for virus protection

Slide 80
- Anti-virus software should be installed on the servers to limit the spread of viruses within the network.
- Scanning of all files and executables will occur daily (or weekly) on the servers.
- Workstations will have memory resident anti-virus software installed and configured to scan data as it enters the computer.
- Programs will not be executed, nor files opened by applications prone to macro viruses, without prior scanning.

Slide 81
- All incoming mail and files received from the Internet must be scanned for viruses as they are received.
- Virus checking will be performed, if applicable, at firewalls that control access to networks.
  - This will allow centralised virus scanning for the entire organisation.
  - It also allows for centralised administration of the virus scanning software.

Slide 82
- All data imported on a computer (e-mail, or file transfer) will be scanned before being used.
- Off-the-shelf scanning software should be enhanced by state of the art virtual machine emulation for polymorphic virus detection.
- All other new virus detection methods will be incorporated into the detection test bed.
- To keep abreast of the latest viruses which have been identified, scanning software will be updated monthly or as updates arrive.

Slide 83
- Users will inform the system administrator of any virus that is detected, configuration change, or different behaviour of a computer or application.
- When informed that a virus has been detected, the system administrator will inform all users that a virus may have also infected their system.
- The users will be informed of the steps necessary to determine if their system is infected and the steps to take to remove the virus.
Slide 84: ii. Acceptable approaches for using Interactive Software

Slide 85: Use of Interactive Software
- In an Interactive Software environment a user accesses a server across a network. The server downloads an application (applet) onto the user's computer, which is then executed.
- There are significant risks involved in this strategy.
- Fundamentally, one must trust that what is downloaded will do what has been promised.

Slide 86
- Users should configure their browsers to accept applets only from the servers.
- If this is not possible, then browsers should be configured not to accept applets.
Slide 87: 5. Acceptable Intrusion Detection methods

Slide 88
- Intrusion detection plays an important role in implementing the Internet Security Policy.

Slide 89: Acceptable approaches for Intrusion detection

Slide 90: i. Normal logging processes
- Normal logging processes shall be enabled on all systems.
- Alarm and alert functions, as well as logging, of any firewalls and other network perimeter access control systems shall be enabled.

Slide 91: ii. Additional monitoring tools
- In addition to the activity logging process provided by the operating system, all servers shall have additional monitoring tools (e.g. tripwire or appropriate software wrappers) installed.

Slide 92: iii. Perimeter access control
- System integrity checks of the firewalls and other network perimeter access control systems must be performed on a routine basis.
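As an added example (not from the slides, and not tripwire itself), the following Python code shows the kind of routine integrity check slides 91 and 92 call for: a baseline of SHA-256 digests is taken over a configuration tree, and a later run reports which files were modified, removed or added. The file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def take_baseline(root):
    """Digest of every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report drift since the baseline; an all-empty report means the check passed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed sample: a firewall's config tree is baselined, then changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "fw.rules").write_text("allow tcp 443\ndeny all\n")
        (root / "etc" / "hosts.allow").write_text("ALL: LOCAL\n")
        # The baseline must be kept where an intruder on this host cannot rewrite it
        # (read-only media or another machine); here it is only serialised to JSON.
        saved = json.dumps(take_baseline(root))
        # Drift that a routine check should surface:
        (root / "etc" / "fw.rules").write_text("allow tcp 443\nallow tcp 8080\ndeny all\n")
        (root / "etc" / "hosts.allow").unlink()
        (root / "etc" / "extra.conf").write_text("unexpected\n")
        return compare(json.loads(saved), take_baseline(root))
```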
Slide 93: iv. Review
- Audit logs from the perimeter access control systems shall be reviewed daily.
- Audit logs for servers shall be reviewed on a daily basis.
- User education shall be provided in order to train users to report any anomalies in system performance to their system administration staff.
Slide 94: 6. Acceptable encryption approaches

Slide 95: i. Level of Encryption
- A level of encryption protection equivalent to that provided by an algorithm as follows is recognised as minimally acceptable:
  - Triple 56 bit DES (defined as 112 bit equivalent) for symmetric encryption,
  - 1024 bit algorithms for asymmetric systems, and
  - 160 bits for the emerging Elliptic Curve systems.

Slide 96
- The organization will however have to increase these minimum levels when deemed necessary by advances in techniques and capabilities associated with the processes used by attackers to break encryption.
Slide 97: ii. Hardware-Based Encryption
- Hardware encryptors are acceptable (while likely to be reserved for the largest traffic volumes to a very limited number of Internet sites).
- Symmetric password "private" key devices (such as link encryptors)

Slide 98: iii. Acceptable Software-Based Encryption
- Secure Sockets Layer (SSL) implementations at a minimum SSL level of Version 3.0,
- Standard commercial implementations of PKI, or some variation of it, implemented in the SSL.
- S-MIME - standard commercial implementations of encryption in the e-mail layer

Slide 99: Acceptable Software-Based Encryption (2)
- In-stream - encryption implementations in the transport layer, such as pre-agreed passwords
- Offline - encryption/decryption of files at the user sites before entering the data communications process
Slide 100: III. Basic Security Principles for the transmission of sensitive (database) data over the Internet

Slide 101: Basic Security Principle
- Sensitive information sent over the Internet must be accessed and modified only by authorized parties.

Slide 102: Basic Security Guidelines for the transmission of sensitive data over the Internet
- The Internet can be used for the transmission of sensitive data, provided that
  - a suitable Internet Security Policy is in place,
  - an acceptable method of encryption is utilized to provide for confidentiality and integrity of the data, and
  - suitable authentication or identification procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt such information.
Slide 103: Related Security Guidelines

Slide 104: G7.1 Acceptable technologies
- Appropriate technologies must be used to ensure that data travels safely over the Internet and is only disclosed to authorised parties.
- These technologies should
  - allow users to prove they are who they say they are (identification and authentication), and
  - allow the organized scrambling of data (encryption) to avoid inappropriate disclosure or modification.

Slide 105: G7.2 Encryption
- In order to make the Internet adequately safe, a complete Internet communications implementation must include adequate encryption.
- Encryption must be at a sufficient level of security to protect against the cipher being readily broken and the data compromised.
- The length of the key and the quality of the encryption framework and algorithm must be increased over time as new weaknesses are discovered and processing power increases.

Slide 106: G7.4 Authentication and Identification
- In order to make the Internet adequately safe, a complete Internet communications implementation must include employment of sufficient authentication or identification of communications partners.

Slide 107: G7.5 Password/key management systems
- In order to make the Internet adequately safe, a complete Internet communications implementation must include a management scheme which incorporates effective password/key management systems.