Security administration is the set of functions and activities related to the security of
the system or enterprise; they are typically performed by the security administrators.
In practice the specific security activities are carried out by the system and network
administrators, while the responsibility for planning and design lies with the security
administrator. Not all of the functions are always accomplished, e.g. auditing of the
systems. The system administrator ensures that system security is maintained and that
all efforts to repair security flaws are taken.
A security administrator cannot administer something that does not exist. For
administration, planning is the most important element, whether it is the security of a
system, a network, a corporation or any other type of asset. Lack of planning can result
in expenditure of funds which may lead to disastrous consequences.
SECURITY EQUATION:
Definition (of risk): Risk is a function of the likelihood or possibility of a given threat
source exploiting a particular vulnerability and the resulting impact of that adverse
event on the organization.
So, risk management is all about identifying, measuring and controlling risk.
Definition: "System life cycle is the process of developmental changes through which a
system passes from its conception to the termination of its usefulness and its disposal."
For large and complex systems, considerable time, effort and funds are allocated.
Generally, system development is cheaper than the maintenance phase. To reduce the
cost of maintenance, pre-planning for each of the phases is required. Systems are
always developed in phases, and the outcome of each phase is checked against the
requirements to identify whether they are met or not.
The Security Development Life Cycle uses the same traditional development cycle, with
added activities performed by the security in charge to meet the security
requirements in parallel with the SDLC. A security mechanism may be implemented
anywhere from a simple application to the entire network infrastructure. The security
mechanisms provide protection using components like encryption, public key
infrastructure, etc. Whenever new security mechanisms are added to the existing
operational capabilities, changes must be made throughout the network infrastructure.
The steps listed below may not apply to all organizations, and a few other steps may
also be performed as per organizational requirements.
1. Conceptual analysis:
It is performed together with the system analysis phase to identify the security
mechanisms which could meet the security requirements. A security policy is
developed as a result of this phase. This phase includes activities like:
User's and Owner's analysis
Data analysis
Threat analysis
Vulnerability analysis
Risk analysis and assessment
Definition: Access control permits management to specify what users can do, which
resources they can access, and what operations they can perform on a system.
Access control provides system managers with the ability to limit and monitor
who has access to a system and to restrain or influence the user's behavior on
that system.
Each resource has several assets that require protection; these assets include
confidentiality, integrity, authenticity and availability.
2. Assurance Of Accountability:
Accountability is the sub-element of the integrity objective that gives system
security practitioners the ability to know who has been on the system and
what they did. When systems are set up with unique identification and
authentication for users, the users can be held accountable for their actions
while logged on to the systems. Accountability also provides a way to detect
whether an attack has taken place.
When authorized users gain access to a system, they might pass through
several types of access controls. But for an unauthorized user, access controls
can minimize and even prevent most attacks like:
Denial of Service / DoS attacks
Spamming
Brute force attacks
AUTHENTICATION:
All authentication processes follow the same basic principle: we need to prove who
we are, or who an individual, service or process is, before we allow them to use our
resources. Authentication allows the sender and receiver of information to validate each
other as the appropriate entities with which they want to work. The simplest form of
authentication is the transmission of a shared password between entities wishing to
authenticate each other.
A few commonly used authentication methods are given below.
4. Multi-Factor Authentication:
Multi-factor authentication is the process in which we expand on the traditional
requirement that exists in single-factor authentication, such as a password. Two-
factor authentication occurs when 2 different factors are required to provide
authentication. To accomplish this, another item is used for authentication in
addition to or in place of the traditional password. There are 4 possible types of
factors that can be used for multi-factor authentication.
A password or PIN can be defined as the something-you-know factor.
A token or a smart card can be defined as the something-you-have factor.
A thumbprint, retina, hand or any other biometrically identifiable item can be
defined as the something-you-are factor.
Voice/handwriting analysis can be defined as the something-you-do factor.
Multi-factor authentication is more secure than the other methods because it
adds steps that add layers of security. When 2 or more different factors are
employed, 2 or more different types/methods of attack must be successful to
collect all relevant authentication elements. The disadvantage is that if the
number of steps required to achieve authentication becomes tedious to the
users, they may no longer use the process or may attempt to bypass the
necessary steps for authentication.
5. Tokens:
Tokens are password-generating devices that subjects must carry with them.
They are physical devices used to randomize a code that can be used to assure
the identity of the subject holding the token. This is more secure than most
forms of biometric authentication because impersonation and falsification of
the token value is extremely difficult.
Token authentication can be provided by way of either hardware- or software-
based tokens. You must have a process to create and track random token
access values, for which 2 components are used:
1. A hardware device that generates token values at specific intervals.
2. A software- or server-based component that tracks and verifies that these
codes are valid.
To use this process, the token code is entered into the server system during
setup of the system. A user wishing to be authenticated must enter a PIN in
place of the usual user logon password. They are then asked for the randomly
generated number currently shown on their token. When entered, this value is
checked against the server system's own calculation of the token value.
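The PIN-plus-token logon described above, and the two-factor idea from the multi-factor section, as an added Python example that is not part of the original notes: the "hardware device" side computes a time-stepped code from a seed shared at setup, and the server side recomputes that code and compares it (with a small clock-drift window) after checking the PIN. The seed, PIN and 30-second step are constructed demo values; the code derivation follows the HMAC-based truncation used by time-based one-time password tokens.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values (assumptions, not real credentials): the token seed registered
# with the server at setup, the user's PIN, and the interval at which the token rolls over.
TOKEN_SEED = b"demo-seed-registered-at-setup"
USER_PIN = "4821"
STEP_SECONDS = 30
DIGITS = 6

def token_code(seed: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """Code the token displays at a given time: HMAC-SHA1 over the time-step counter,
    dynamically truncated to DIGITS decimal digits."""
    counter = int(at_time // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def server_verify(pin: str, code: str, at_time: float, window: int = 1) -> bool:
    """Server side: the PIN is something you know, the token value something you have.
    The server recomputes the expected code and tolerates +/- `window` steps of drift."""
    if not hmac.compare_digest(pin, USER_PIN):
        return False
    for drift in range(-window, window + 1):
        expected = token_code(TOKEN_SEED, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False

if __name__ == "__main__":
    now = time.time()
    shown = token_code(TOKEN_SEED, now)
    print("token shows:", shown, "| login accepted:", server_verify(USER_PIN, shown, now))
```

A code from one step earlier is still accepted; one from three steps earlier, or any code with the wrong PIN, is rejected.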
8. Kerberos:
It is used as a network authentication protocol in many medium and large
enterprises to authenticate users and services requesting access to resources. It
is designed to centralize the authentication information for the user or service
requesting the resource. It allows authentication of the entities requesting
access by the host of the resource being accessed, through the use of secure
and encrypted keys and tickets from the authenticating KDC (Key Distribution
Center). It allows for cross-platform authentication. Kerberos uses time-
stamping of its tickets to help ensure they are not compromised by other
entities and to provide for the non-repudiation objective. It also limits the
possibility of replay or spoofing of credentials. The initial time-stamp refers to
any communication between the entity requesting authentication and the KDC
and is normally not allowed to exceed 5 minutes, otherwise the ST will be discarded.
Two events occur as credentials are presented to the KDC for
authentication:
1. The authentication credentials are presented to the KDC.
2. The KDC issues a TGT (ticket granting ticket) that is associated with the
access token while you are actively logged in and authenticated. The TGT
expires when you or the service disconnects or logs off the network. The
TGT is stored locally during the active session.
When a connection is requested by a user, it presents the previously granted TGT
to the authenticating KDC. The authenticating KDC returns an ST (session ticket)
to the entity wishing to access the resource. This ST is then presented to the
remote resource server, which authenticates the user, allows the session to be
established with the resource server and allows the communication to start.
Once the data communication is over, the session ticket is destroyed and
becomes invalid. So when communication is required again, the TGT must be
sent to the KDC to fetch a new session ticket.
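The TGT-then-ST exchange and the 5-minute timestamp rule described above, as an added Python simulation that is not part of the original notes. It is a simplified model: tickets are authenticated with an HMAC tag under the issuer's key rather than encrypted as real Kerberos does, and the KDC key, the service key and the user names are constructed demo values.

```python
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 5 * 60  # seconds: the 5-minute limit on client-to-KDC timestamps from the notes

# Constructed long-term keys (demo assumptions): the KDC's key and one resource server's key.
KDC_KEY = b"kdc-master-key-demo"
SERVICE_KEYS = {"fileserver": b"fileserver-key-demo"}

def seal(claims: dict, key: bytes) -> dict:
    """Build a ticket as claims plus an HMAC tag under the issuer's key.
    Real Kerberos encrypts tickets; this demo only authenticates them to keep the flow readable."""
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def open_ticket(ticket: dict, key: bytes) -> dict:
    """Verify the tag before trusting any claim inside the ticket."""
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise ValueError("ticket forged or altered")
    return json.loads(ticket["body"])

def kdc_logon(user: str, password_ok: bool, now: float) -> dict:
    """Steps 1-2: credentials are presented and the KDC issues a TGT for the active session."""
    if not password_ok:
        raise PermissionError("authentication failed")
    return seal({"user": user, "issued": now, "session": secrets.token_hex(4)}, KDC_KEY)

def kdc_service_ticket(tgt: dict, client_time: float, service: str, now: float) -> dict:
    """The client presents its TGT with a timestamp; the KDC checks skew and returns an ST."""
    claims = open_ticket(tgt, KDC_KEY)
    if abs(now - client_time) > MAX_SKEW:
        raise PermissionError("timestamp outside the 5-minute window: request discarded")
    return seal({"user": claims["user"], "service": service, "issued": now}, SERVICE_KEYS[service])

def service_accept(st: dict, service: str, now: float) -> str:
    """The resource server validates the ST under its own key and opens the session."""
    claims = open_ticket(st, SERVICE_KEYS[service])
    if claims["service"] != service or abs(now - claims["issued"]) > MAX_SKEW:
        raise PermissionError("session ticket not valid for this service now")
    return claims["user"]  # authenticated user; the ST is discarded when the session ends

if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tgt = kdc_logon("alice", True, t0)
    st = kdc_service_ticket(tgt, t0 + 10, "fileserver", t0 + 12)
    print("fileserver session opened for", service_accept(st, "fileserver", t0 + 15))
```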
Audit Characteristics:
The term audit carries 2 meanings in the information system security field:
1. To collect, store and review system logs in order to gain an understanding of
what has happened through audit logs or audit trails.
2. To conduct a review of security (Auditing) of your system.
A commonly accepted practice to ensure that the amount of data collected is
adequate is to log all activities that could be an indication that something is wrong.
Auditing can include the capture of all network traffic, login failures, last login and
so on. Organizations must define auditing standards which specify the most critical
audit requirements and those that are less critical. Automated tools greatly assist
with the reduction of audit data into comprehensible information. Some security-
related reasons for which we do auditing are as follows:
1. To identify a potential breach in security.
2. To reconstruct the events which led to the security breach.
3. To reconstruct the activities performed during the breach.
4. To prove that something has happened.
Auditing can be performed at the gateway, at servers such as mail, DBMS, file and
application servers, at firewalls, routers and so on, within the applications, at the
user workstations or wherever possible.
Components to Audit:
Basically the accepted practice is to audit everything that has the capability to log
events.
There are 4 components within the protection layers that can be audited:
1. External/Internal Network Boundary Auditing:
Regardless of whether you have established a DMZ (De-Militarized Zone),
you need to audit the components at the outer edge of your network. At
3. Server Audit:
The majority of major functions in a system are distributed across several
hosts that provide dedicated support for that major application, often
referred to as servers. The server logs must be capable of collecting and
storing adequate data about the range of activities being performed on the
server. There can be mail, file, web, database, print and other servers, each
of which requires a different kind of auditing mechanism. Auditing depends
on the specific operating system being used and on the capabilities of the
application itself. Server logs must be capable of collecting and storing
adequate data to assist you in any number of activities.
4. User Workstations:
Auditing functions exist on workstations at differing levels according to the
operating system being used. Generally, workstation auditing is correlated
with server auditing to get a complete picture of security failure events
that may have occurred on a workstation, or on a server through a
workstation. The log contains the following information about every event:
- Date and time, source of event, type of event, user ID, account,
computer name, logins and logouts, success or failure of the event,
privileged activities performed.
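The audit reasons above (identify a potential breach, reconstruct the events) applied to workstation and server log lines carrying the fields just listed, as an added Python example that is not part of the original notes. The log format, the sample lines and the user and host names are constructed for the demo; the detection rule flags a successful logon that follows several failures for the same user within a short window, which is what a brute-force attempt leaves in the audit trail.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not from any real system). Fields per line, as in the notes:
# date/time, source of event, type of event, user ID, computer name, success or failure.
SAMPLE_LOG = """\
2024-03-01T09:00:02 workstation LOGON alice WS-17 SUCCESS
2024-03-01T09:05:10 workstation LOGON bob WS-22 FAILURE
2024-03-01T09:05:14 workstation LOGON bob WS-22 FAILURE
2024-03-01T09:05:19 workstation LOGON bob WS-22 FAILURE
2024-03-01T09:05:23 workstation LOGON bob WS-22 FAILURE
2024-03-01T09:05:31 workstation LOGON bob WS-22 SUCCESS
2024-03-01T09:06:00 fileserver PRIV_USE bob FS-01 SUCCESS
2024-03-01T09:30:00 workstation LOGOFF alice WS-17 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")

def parse_log(text: str) -> list:
    """Turn raw audit lines into event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, kind, user, host, outcome = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "source": source, "type": kind,
                       "user": user, "host": host, "outcome": outcome})
    return events

def find_suspect_logons(events: list, threshold: int = 3, window=timedelta(minutes=2)) -> list:
    """Reason 1: flag a successful logon preceded by >= threshold failures inside `window`."""
    failures = defaultdict(list)
    suspects = []
    for e in events:
        if e["type"] != "LOGON":
            continue
        recent = [t for t in failures[e["user"]] if e["time"] - t <= window]
        failures[e["user"]] = recent
        if e["outcome"] == "FAILURE":
            failures[e["user"]].append(e["time"])
        elif len(recent) >= threshold:
            suspects.append((e["user"], e["host"], len(recent)))
    return suspects

def reconstruct(events: list, user: str) -> list:
    """Reasons 2 and 3: rebuild, in time order, what one user did across all audited sources."""
    return [f"{e['time'].isoformat()} {e['source']} {e['type']} {e['outcome']}"
            for e in sorted(events, key=lambda e: e["time"]) if e["user"] == user]
```

Correlating the workstation logon events with the file server's privileged-use event is what gives the complete picture the notes ask for.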