Security – 4264 words – College Essay Example
  • Pages: 1 (216 words)
  • Published: November 1, 2018
  • Type: Case Study

Security, in its simplest form, is the act of safeguarding valuable assets from misuse by implementing effective measures. It entails protecting valuable things through the use of mechanisms such as locks and doors, as well as making appropriate choices and utilizing these mechanisms properly. When employed correctly, information security encompasses various aspects that ultimately revolve around managing risks. This concept shares similarities with risk management in other fields like finance and insurance.

When discussing risk management, it is customary to utilize the following vocabulary:

  • Asset: something important that requires protection
  • Risk: the probability of a threat resulting in actual harm
  • Cost 1: decrease in the value of a harmed asset
  • Cost 2: amount of resources needed to implement security measures for safeguarding an asset
  • Benefit: the value of a security measure
...

The aforementioned terms are commonly employed when addressing risk management, even though they may lack precision. Nevertheless, making informed assumptions can still be highly advantageous. By consistently estimating relative value and likelihood, one can typically determine which potential enhancements in information security should take precedence. The allocation of funds then becomes a matter of cost. Equipped with accurate information, those responsible for security funding can make well-informed decisions regarding budget distribution. It is often possible to evaluate whether significantly increasing the budget would enhance its overall value.

It is essential to have a thorough grasp of information security technology in order to make well-informed decisions. Fortunately, the basic technical aspects are not excessively complicated. There are different security concerns, including data security, computer security, system security, communication security, and network security. The term "information security" is commonly used to encompass all of these concerns and distinguish them from other important issues such as physical security, operational security, and personnel security. These latter concerns do not mainly rely on computing technology.

Computing poses a level of risk comparable to that of other aspects of contemporary life, if not greater due to the complexity of computing systems. Weaknesses can be discovered at various levels, including network, operating system, middleware, and application: all software contains bugs, the administration process is susceptible to errors, and users may be unreliable. Creating a flawless system is nearly unattainable. Nevertheless, we have acquired the ability to construct bridges in a manner that allows us to handle these imperfections.

It is possible to construct crash-free bridges by following proper engineering practices. However, the same level of assurance does not apply to developing crash-free computing systems and applications. In computing, a bug is a flaw that causes the system to operate in a way that was not intended. If a bug can be used to compromise security, it becomes a security vulnerability. This allows authorized users to exceed their privileges or unauthorized users to gain access. Furthermore, effectively managing the complexities of modern computing systems presents challenges.

Configuration errors and administrative errors can lead to security vulnerabilities, making it challenging to verify the correct configuration of the system. To enhance the security of Windows NT for internet usage, Microsoft suggests implementing over a hundred configuration modifications that deactivate various features that were initially appealing to NT users. Furthermore, security experts propose additional recommendations apart from those provided by Microsoft. Similar to life, computing is susceptible to numerous threats.

If information security is not addressed in a systematic way, incidents are likely to happen, given the many threats, vulnerabilities, and attackers. There are different ways attacks can occur: a lack of data security that lets unauthorized users access sensitive information; inadequate computer security, where weak passwords can be exploited; and applications with bugs that enable unauthorized transactions.

Insufficient system security, like a misconfigured operating system, can result in unintended network access, leading to various consequences. These include eavesdropping and password reuse for impersonation purposes. Furthermore, inadequate network security can lead to unintentional Internet access to private systems. These security vulnerabilities have numerous impacts, particularly affecting online consumers.

Companies store customer information on their corporate servers and networks, including sensitive details like credit card and social security numbers. These are typically stored in file servers. However, individuals with knowledge of networking protocols can intercept unsecured data flowing over the internet, putting the information that corporations are responsible for at risk due to IT organizations' lack of knowledge.

The problem is influenced by the convenience of the Internet and client-server systems, as the unprotected transmission of important and sensitive data between computers makes it vulnerable to theft and alteration. Dedicated attackers can exploit this vulnerability for illegal or malicious purposes, highlighting the fact that security for Internet-connected systems was not originally designed with such threats in mind.

At first, numerous Internet-connected systems were Unix-based, an operating system with its origins in academia. In the beginning, attacks sought unauthorized privileges for malevolent purposes like espionage or sabotage of sensitive data. However, over time, individuals honed their skills in automated attacks. Consequently, programs emerged that could inflict more damage than a solitary person could accomplish alone—examples include viruses and Trojan horses.

Despite potential changes in the methods used to exploit vulnerabilities, the fundamental vulnerabilities themselves often remain unchanged. As a result, both companies and individuals who are connected to the Internet face a risk of being targeted by attacks. Below are some outlined risks:

One example is the finger program in Unix, which serves as a basic networking tool that provides information about a user's account, including their latest login time. The finger daemon, also known as the server program, remains active and listens for requests from any location on the network. This program, called fingerd, is executed with root privilege due to its integration with networking and the operating system.

The software contains a known issue where messages that are unexpectedly long can overflow the message buffers in the code, leading to errors during execution. This particular execution error allows a skilled attacker to execute any command with complete administrative privilege. These types of bugs, including this one, are still exploited today to attack various network applications. Buffer overflow attacks are still prevalent, and the amount of server software that may be vulnerable to these attacks continues to grow. An example of such server software is Sendmail, which is both invaluable and risky to have connected to the Internet.

The Morris worm was a unique case as it unintentionally caused the Internet to crash by taking advantage of a feature in the Sendmail program, rather than exploiting a bug. This feature, known as debug mode, granted anyone the ability to perform various actions on the host machine. Although this ability was necessary for troubleshooting complex issues with Sendmail, it also allowed the Sendmail server program to run with administrative privileges. Despite being considered a risky practice, few had disabled debug mode, resulting in numerous systems being affected by the Morris worm. By utilizing debug mode, the worm was able to replicate itself onto other computers and continue spreading until it had infected a large number of machines on the Internet.

The Morris worm had a positive impact by forcing people to address a dangerous vulnerability before it could be exploited by malicious individuals. Enterprise client/server applications, which extend beyond the traditional enterprise network with extranet and Internet features, are susceptible to security issues, including protocol implementation bugs that leave them vulnerable. The significance of applications on the Internet can be understood by Microsoft's emphasis on the OS and Internet as platforms. This has led to attempts to embed applications into the OS, resulting in unnecessary complexity and increased vulnerabilities.

Application security encompasses various features in an application that offer security measures to authenticate users, manage their access, and keep a record of their actions (audit). Each aspect has its own advantages and obstacles. The issue with authentication is the management of numerous user/password databases and users maintaining multiple passwords. Concerning access control, there are simply too many elements to control with an access rule or list (ACL) for each. Additionally, when it comes to auditing, different applications generate diverse log data that is highly challenging to analyze and correlate. In simpler terms, the main hurdles lie in security management, where complexity gives rise to practical complications that pose a distinct risk: misconfigured applications can lead to security vulnerabilities.

News coverage of credit card number theft from e-commerce sites has increased due to inadequate management of the SQL server responsible for storing payment information. This vulnerability occurs when the administrator account is left unsecured. The term "Trojan horse" comes from Homer's Iliad, where the Trojans were deceived by the Achaeans into bringing a large wooden horse inside their walls, unaware that Achaean warriors were hidden inside it.

Sending an email attachment containing an executable file is a frequently utilized method for Trojans. This file installs and/or executes malicious software. Despite warning efforts by mail programs, users still encounter incidents. Recent reports indicate that netbus, a Trojan, has infected up to 25% of workstations in certain organizations. Hackers can be found on the internet.

When a user logged onto the Internet and entered some IRC chat rooms frequented by hackers, they realized that their workstation was being probed for netbus. This incident serves as an example that there are dangerous areas on the internet, just like in the real world. One well-known alternative to netbus is back-orifice, also referred to as BO2K, developed by the Cult of the Dead Cow. Similar to netbus, BO2K allows remote control of the host system through the network. With enough knowledge, anyone can manipulate a trojaned workstation to perform any desired actions. BO2K gained some infamy when presented by the Cult of the Dead Cow as a remote management and debugging tool.

In fact, BO2K is considered to be quite useful and is not fundamentally different in techniques compared to legitimate products like PC Anywhere. A particularly clever Trojan horse was a free-ware e-mail tool that served as a fully functional and widely used program. It had some hidden features, alongside well-implemented ones, that enabled others to obtain the user's e-mail without their knowledge. The key takeaway from Trojan horses is that software should be distrusted by default and only used if obtained through legitimate channels.

Typically, the inclusion of environments is addressed through security policies that give systems support staff the privilege of installing programs. These policies are backed by security mechanisms designed to prevent users from accidentally installing software and forgetting their security training. In pre-NT Windows systems, viruses take advantage of a crucial vulnerability: the lack of an operating system. As a result, application programs have unlimited access to the entire system and are expected to follow ethical guidelines, avoiding any tampering with the file system or operating system software. However, viruses ignore these guidelines and engage in such activities.

When a program that is infected is executed, it will make copies of itself throughout the system. This enables the virus to remain present even if the original program is deleted. Moreover, it has the ability to reproduce so that whenever the infected PC interacts with external sources (like copying files using floppy disks), the virus spreads. Initially, viruses would only impact software and distribute through shared programs.

Virus writers quickly developed new tactics in the ongoing battle against anti-virus software. They created various sophisticated methods of self-replicating software and continuously devised ways to conceal their code. The task of virus writers became considerably simpler when macros, a form of executable code, began to be integrated into data files. This allowed viruses to easily spread through file-sharing within workgroups.

Viruses not only propagate themselves but also engage in malicious activities, such as data deletion. The measures encompass all aspects of information security. At the network level, it is crucial to segregate networks from one another. An excellent illustration of this is separating an enterprise network from the Internet through router filtering or firewalls. When transmitting sensitive information via public networks (such as the Internet), it is often essential to utilize communication security services that rely on encryption techniques. Robust system security is imperative for systems communicating over open networks to prevent vulnerabilities to attacks originating from the network.

Proper configuration of both operating system and application security features is necessary to safeguard critical data. End-users must also utilize these features correctly, such as managing passwords and performing virus checks. Data security measures involve encrypting data and managing encryption keys. Computer security encompasses authentication and access control lists. Application security includes distributed authentication, directories, and authorizations.

Security measures for different systems include application-specific lockdown of dedicated servers, anti-virus protection, intrusion detection, cryptographic protocols, key management, usage of public key infrastructure, network segmentation, firewalls, packet filters, and intrusion detection. However, it is important to note that each of these measures has its limitations. Therefore, it is crucial to not only understand and implement effective security techniques but also be aware of their limitations.

In order to effectively use security measures, it is important to consider budget and risk management. A security program is a business function that encompasses technology management, risk management, technology operation, and budgeting. In reality, organizations have limited budgets for security and must allocate funds in a cost-effective manner for both ongoing operations and new acquisitions. The ultimate measure of effectiveness is the reduction of risk. Building a strong security program is challenging and requires clearly defined security requirements and goals, a rational approach to assessing risk, and an objective analysis of costs and benefits.

Running a strong security program is challenging because it relies on top-level management support, budget allocation, and incentive for compliance from the entire range of individuals involved - from end-users to technology management and support staff. It is a social process that hinges on people's participation. However, people often differ in their opinions about specific details and may not always agree on the best course of action. Additionally, even the most well-thought-out plans can veer off track, as human nature often interferes. There are no quick technological solutions or miraculous wizards to execute them flawlessly; real-world implementations require compromises.

Many organizations can choose to take a structured approach instead of seat-of-pants when dealing with these realities. To ensure effective security, a security policy, an implementation plan to control acquisition, and the use of security technology are necessary. It is important to control and coordinate the acquisition and use of security technology. Every change should be driven by policy, deliberate, and justified by the quantifiable improvement in security posture. Alternatively, organizations can choose to fly by seat-of-pants and hope that someone occasionally considers worst cases, costs, and the likelihood of a security issue.

The precision of technology contrasts with the unpredictability of people. Risk management is crucial for any security program. If a company fails to evaluate risks and make decisions based on the findings, it is unlikely to have a successful security program, except for haphazard approaches that only account for worst-case scenarios. Risk management allows a company to gather information about priorities, values, costs, and benefits – all necessary for making well-informed choices regarding security tools and techniques.

An alternative approach is to adopt a best practices method: purchasing and utilizing the products and services that others do, while relying on intuitive judgment to spend the budget reasonably well. Although this is better than trying to operate a genuine security program in the absence of requirements, it is still not as ideal as acquiring those requirements. A security policy encompasses both guidance on how to consider costs and benefits, and enforcement measures for the resulting priorities determined through cost/benefit analysis. In addition to stating fundamental objectives, the security policy further specifies them in three ways: delineating roles and responsibilities for management, IT, IT security, end-users, etc.; providing issue-specific guidelines on various topics; and establishing practices and procedures for operational staff tasked with IT and IT security. The security policy also upholds the value of the security program. A sound policy remains dynamic and undergoes a well-defined and managed review process.

The review process is necessary to ensure that all aspects of security, which have been consciously chosen, are sufficiently covered. Compliance audits also play a role in checking that the required security measures are implemented and used effectively. All these elements are essential for the functioning of a security program. Without a policy, a security program may or may not be achieving any meaningful results. This concept can be summarized by the old "Garbage In, Garbage Out" rule - having individuals responsible for security is insufficient unless there are clearly defined objectives and processes in place to achieve them.

In other words, a company may derive some benefit from its security measures without being aware of it. Establishing a network security perimeter can be challenging, while formulating a policy is typically not straightforward. Executing a policy is difficult. However, if a policy is properly executed, only permitted network communications will traverse the perimeter.

Changes can occur that affect the implementation of the policy, such as adding new hosts, altering the network topology, or installing new applications. These changes can lead to an incorrect implementation of the policy. Additionally, the policies themselves may also change. If an organization is functioning well, audits are conducted to ensure the correct implementation, and there is a rigorous change management process in place. However, even with proper implementation, there can still be security vulnerabilities. For example, a bug in the application software or a system administration issue could allow systems to be exploited. When constructing a policy, it is important to assume that anything not explicitly permitted should be denied. This concept is straightforward.

The default setting is to decline requests. However, many systems (including network components, operating systems, and recent applications) are designed differently. They prioritize providing service over restricting how it is provided. Packet filtering is a basic example of this principle. Each incoming data packet is inspected as it passes through the filter.

Unless a rule dictates its transmission, the packet is discarded. However, this basic function is influenced by system configuration elements that humans can mistakenly adjust when updating rules to accommodate network changes. In essence, implementing security is never straightforward. Without established policies, even if you believe your implementation is accurate, there is no method of verification.

Defining policy and making decisions about using security measures is crucial for ensuring the value of employing security measures in various areas such as network perimeter security, extranets, Intranets, system security measures, and communication security measures. Without clear blueprints or requirements, it is impossible to determine when the task is complete. Although defining policy can be a challenging task, it is necessary work that needs to be done. When implementing a security program, one must consider the tradeoffs involved and be careful not to take on more than can be handled.

The effectiveness of any security measure depends on how it is utilized. For instance, intrusion detection products are often put into operation but not utilized effectively as logs are rarely examined to identify potential serious incidents. Likewise, a misconfigured firewall provides a false sense of security and is therefore more harmful than beneficial. Conversely, if a firewall is configured correctly and used properly, it offers a valuable compromise.

Many firewalls will prevent certain remote login functions of operating systems, such as telnet implementations. While they may not offer a more secure alternative for remote access, they unquestionably obstruct outside attempts to telnet into internal computers. Instead of disabling and constantly auditing telnet on numerous internal computers, a straightforward firewall rule against telnet greatly diminishes the need for such precautions.

The same is applicable to network file systems (NFS) and other services that are beneficial within enterprises but too risky to be shared over the Internet due to protocol-level vulnerabilities. By prohibiting NFS traffic from the Internet, internal systems can freely utilize NFS without the need to ensure that each system rejects NFS communication from external sources. However, even these advantageous compromises that save effort in rejecting NFS communication carry risks in complex systems where any alteration may yield unforeseen consequences. For instance, blocking all UDP-based Internet traffic can easily block NFS.

Because of the security issues common to all UDP-based protocols, this scenario used to be typical. However, some UDP-based protocols, especially those with relatively well-defined or tunable port usage, are allowed. This means that it might be acceptable to allow UDP packets on the port used by RealAudio. However, imagine a situation where a system has the NFS service enabled with non-standard port usage. If the ports typical to RealAudio are included in this usage, then NFS may accidentally be exposed to the Internet, making it vulnerable to attacks on files shared over the corporate network. This may seem unlikely, but remember buffer overflow attacks.

Recently, a buffer overflow bug in RealAudio software was found, showcasing the potential for attackers to take control of a system and manipulate network services. This vulnerability exposes the risk in allowing new forms of application communication, such as RealAudio, which can then be exploited for unauthorized access to services like NFS over the Internet. Balancing the usefulness and security of technologies is a critical consideration for corporations.
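The NFS scenario above can be checked mechanically. The following is an added example, not part of the original essay: a default-deny filter that matches only on protocol and destination port, plus an audit that compares its permit rules with an inventory of internal listeners. The rule set, host names, and the UDP range used for streaming audio are constructed values.

```python
"""Default-deny packet filter with an exposure audit (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """A permit rule: protocol plus an inclusive destination-port range."""
    proto: str
    port_lo: int
    port_hi: int
    intent: str  # the service the rule author meant to permit

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class Listener:
    """A service found listening on an internal host."""
    host: str
    proto: str
    port: int
    service: str


def decide(rules: Iterable[Rule], proto: str, port: int) -> Optional[Rule]:
    """Return the first permit rule that matches, or None (default deny)."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule
    return None


def audit_exposure(rules: Iterable[Rule],
                   listeners: Iterable[Listener]) -> List[Tuple[Listener, Rule]]:
    """Find listeners reachable through a rule written for another service."""
    rules = list(rules)
    findings = []
    for listener in listeners:
        rule = decide(rules, listener.proto, listener.port)
        if rule is not None and rule.intent != listener.service:
            findings.append((listener, rule))
    return findings


# Constructed perimeter policy: anything not listed here is dropped.
PERIMETER_RULES = [
    Rule("tcp", 25, 25, "smtp"),
    Rule("tcp", 80, 80, "http"),
    # Assumed port range for a streaming-audio application such as RealAudio.
    Rule("udp", 6970, 7170, "streaming-audio"),
]

# Constructed inventory of internal services.
INTERNAL_LISTENERS = [
    Listener("mail01", "tcp", 25, "smtp"),
    Listener("web01", "tcp", 80, "http"),
    Listener("files01", "udp", 2049, "nfs"),   # standard port: denied
    Listener("files02", "udp", 7000, "nfs"),   # non-standard port: exposed
    Listener("desk17", "tcp", 23, "telnet"),   # no rule: denied
]

if __name__ == "__main__":
    for listener, rule in audit_exposure(PERIMETER_RULES, INTERNAL_LISTENERS):
        print(f"{listener.host}: {listener.service} on "
              f"{listener.proto}/{listener.port} is reachable via the "
              f"'{rule.intent}' rule ({rule.port_lo}-{rule.port_hi})")
```

The filter itself behaves correctly in every case; only the comparison against what is actually listening reveals that the permit rule covers more than its author intended.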

To accomplish this, an organization must assess the acceptable risk and establish a default policy that denies everything unless explicitly allowed. Implementing this straightforward yet crucial concept can be challenging. It is evident that a security program comprises both individuals and activities that merge knowledge of needs and solutions. The organization has the autonomy to determine its actions, evaluate their worth, and monitor for successful outcomes. The crucial factor is whether individuals within the organization will commit to effecting positive change and possess the determination to see it through. Security concerns encompass technical, business, cost/benefit, and budget matters.

Companies need to ensure that their policies and processes are aligned with their goals and enable the assessment of expected outcomes. While it is possible for companies to operate without a security program, eventually the potential risks will necessitate the implementation of a structured approach to security. This is typically already underway in most large organizations. The challenge lies in finding effective ways to address these concerns and determining the appropriate timing for committing resources within the company.

Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has. Margaret Mead
