NETWORK SECURITY ARCHITECTURE
"Nothing happens unless first a dream" (Carl Sandburg)

COMPUTER SECURITY is the prevention and protection of computer assets from unauthorized access, use, alteration, degradation, destruction, and other threats. There are two main subtypes: physical and logical. PHYSICAL computer security involves tangible protection devices, such as locks, cables, fences, safes, or vaults. LOGICAL computer security involves non-physical protection, such as that provided by authentication or encryption schemes. Make a point of noting that the distinction between physical versus non-physical phenomena runs through a number of areas in computer science, despite minor differences in definition.

    There are a variety of job titles in computer security, and all of them require a broad view of security - understanding the organization from a 30,000-foot view, an understanding of regulations and law, a skill set involving project management - being able to plan, develop, implement, and oversee a security program, and increasingly, an awareness of global or international matters.  The typical computer security professional starts off as a SECURITY SYSADMIN (an entry level position that pays about $79K), then moves to the position of SENIOR SECURITY ANALYST ($91K), then WEB SECURITY MANAGER ($99K), then MANAGER ($112K), and finally to the top of the field as SECURITY VP/DIRECTOR ($132K).  One can enhance their potential for moving up by getting certified, the CISSP certification probably being the best, followed by GIAC certifications.

Computer security, in many ways, is about SECRECY, not in the sense of being mysterious or clandestine, but because you are always dealing with AUTHORIZATION and AUTHENTICITY.  Authorization refers to the power you have to distinguish authorized users from unauthorized users, and the levels of access in between.  Authenticity refers to the constant checks you have to run on the system to make sure sensitive areas are protected and working properly.  Some experts say this second duty involves both INTEGRITY and NECESSITY.  Integrity can be likened to making sure what gets sent through the system remains true to the original.  Necessity can be likened to making sure the mail gets through.  One of the basic rules to follow when you get the power to give out passwords is the principle of least privilege, which means that, no matter what, users start out with the most restrictive access and work their way up.  Conversely, you usually start off by giving users control over changing their initial passwords, but if you ever have to administer a classified or compromised network, you'll have to manage an encryption and dynamic password scheme.

    The skills of a COMPUTER SECURITY expert are in high demand, and those skills are not just technical -- they require an interdisciplinary background -- someone trained in police science, law and legal analysis, organizational behavior, press relations, business management and computer information systems.  Also, because we live in a globally connected society, experts need to know world geography, comparative politics, and current events. The idea of "forensics" (as in computer forensics) additionally requires that the expert be good at English and communication, since they often have to testify in court. Cyberforensic experts make an average of $2,500 a day. It takes a special kind of person to haul in that kind of cash - someone quick, thoughtful, responsive, and sure of themselves.

    Managing a computer system is a unique responsibility, full of surprises. ANYONE or ANYTHING can be the target or instigator, although 85% of your security violations will be accounted for by insiders.  It makes a difference if you're working for a government entity, a large, mid-size, or small corporation, a social service agency, or an educational institution.  There are times in business when you don't want to call the police, because news of the break-in might devalue your company stock or advantage your competitors. Most breaches of computer security are handled administratively, no matter what type of organization.  Only rarely do we hear of cases going to civil or criminal court.

    Digital evidence is the MOST EASILY altered, damaged, and hidden crime scene evidence. The perpetrators are some of the smartest, cleverest, and wiliest people in the world. They don't leave calling cards or signatures, and they always cover their tracks. They always seem two steps ahead of security, and the best that can often be done is to profile the attack and count the damage done.  The perps also tend to leave instigators, or fall guys, behind.  These are people you know who are unwittingly or unknowingly involved in helping, facilitating, or collaborating.  It's not that your users are stupid; it's just that they are at a serious disadvantage when it comes to computer security. Computer security has always been a tradeoff between usability and safety. Safety is an engineering concern that has to do with what harm computers can do or users can do with computers. The safest system wouldn't allow much usability, and the most usable system wouldn't afford much safety. In addition, nobody's really been a vocal advocate for computer safety, or security for that matter. The software companies know this, so their products and upgrades hit the shelves with the latest usability features consumers want, NOT the latest security features they need. Bugs, holes, flaws, and glitches are common in newly released software, and the fixes, patches, builds, and workarounds are slow in coming.

    There's no such thing as perfect, 100% computer security. Computer systems are required to be open and closed at the same time. Straddling the fine line of this paradox is called creating a security INFRASTRUCTURE, and it's part of creating a security-conscious culture of users in your organization, which you should do. Users come and go, all with various degrees of trust relationships. Administrators come and go, each possessing secrets about your computer system. When you first go to work in this field, you'll quickly discover that about 60% of organization networks were thrown together without any thought to security at all.  Knowledge bases and manuals are almost always incomplete, and probably most significant of all is that computer systems are a MAINTENANCE NIGHTMARE. It's not uncommon for an IT department to devote 50% or more of its resources to maintenance.  About 99% of the time, computer maintenance has to be done while the system is running and available for use.

PROBLEMS OF COMPUTER INFORMATION MANAGEMENT

    The most common source of a system problem is poor data quality.  This can include data that are inaccurate, untimely, or inconsistent with other data.  Let's take the first two, and use some criminal justice examples.  It has been found that over half (54%) of the computerized criminal record files (county, state, and federal) contain errors, inaccuracies, ambiguities, or other problems with data quality (Laudon 1986; Mizell 1998).  At the time, these databases contained records on about a third of the workforce (36 million people), and with the skyrocketing rate of employee screenings since then, you can imagine what a backlog there is.  Even if each state assigned 100 employees working 365 days a year to clean up the problem, it would take 20 years. Untimely data are so prevalent in computerized law enforcement warrant systems today that it has become standard police procedure to manually double check the validity of every warrant in the system before serving it. Data that are inconsistent with other data are a problem stemming from the release of faulty software. We see this in action most often in military applications, as when software problems led to failure of the Patriot Missile Defense system during the 1992 Gulf War, or when computer-guided Air-to-Ground missiles accidentally hit Red Cross buildings during the 2001 Afghan War.  Data quality problems have some disturbing implications. What can be done about it?

    Expanding the traditional CONTROL approach, as the Laudons (2000) suggest, might work. This is a model of how security should be designed into the system environment early on by squarely facing the control issues.  The basic principle is that computer systems are controlled by a combination of general and application controls.  These are explained in the following table:

Control of Computer Systems

General Controls
1. Systems development -- before implementing or converting a system, the security manager should have input, along with users, as to feasibility, cost/benefit, testing, and quality assurance procedures
2. System software -- all system software should come with security software that ensures unauthorized changes cannot be made to system software
3. Hardware -- besides physical security, parity, validity, and echo checks should be run to detect equipment malfunctions
4. Operations -- storage and processing equipment should be consistent and work properly; IT employees as well as users should know their roles; follow backup and recovery instructions in the manual
5. Data security -- check terminal entry points, on-line access, inputs and outputs; set user privileges via password assignment
6. Administration -- segregate IT job functions so there is no overlap; supervise employees; write policies and procedures

Application Controls
1. Input -- check data for accuracy before entering it into the system
2. Edit -- check data for reasonableness (20,000 years in a form field only designed to go up to 2,000) before entering it into the system
3. Format -- check data for alphanumeric consistency (a nine-digit social security field should contain no alphabetic characters) and all (letter/digit) fields before entering it into the system
4. Dependency -- check for logical relationships of session data (a login session to access a public area should not bump or jump into a private area)
5. Processing -- session runtimes for accessing data are convenient and short
6. Updating -- newly entered data refreshes conveniently and totals match what would be obtained manually
7. Matching -- computer files match what is recorded on master or suspense files, or are consistent with the previous month's files
8. Output -- sensitive printout is shredded
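The first four application controls (input, edit, format, dependency) are the ones most easily automated. The following is an added example, not from the original page or from the Laudons' text: each control returns a list of findings for a record or session, and the field names, the 0..2,000 limit for the "years" field, the public/private area map and the sample records are constructed assumptions.

```python
import re

SSN_RE = re.compile(r"\d{9}")                   # nine digits, no alphabetic characters
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]*")  # letters only (assumed name format)
YEARS_MAX = 2000                   # the page's example: a field designed to go up to 2,000
REQUIRED = ("name", "ssn", "years")
# Dependency control: areas a session may reach, keyed by the area it logged in to (assumed).
ALLOWED_AREAS = {"public": {"public"}, "private": {"public", "private"}}

def input_control(record):
    """1. Input: every required field is present and non-empty before entry."""
    return [f"input: missing field {f}" for f in REQUIRED
            if not str(record.get(f, "")).strip()]

def edit_control(record):
    """2. Edit: reasonableness, e.g. 20,000 years in a field designed for at most 2,000."""
    try:
        years = int(record["years"])
    except (KeyError, TypeError, ValueError):
        return ["edit: years is not a whole number"]
    return [] if 0 <= years <= YEARS_MAX else [f"edit: years={years} outside 0..{YEARS_MAX}"]

def format_control(record):
    """3. Format: SSN is exactly nine digits; the name field holds only letters."""
    findings = []
    if not SSN_RE.fullmatch(str(record.get("ssn", ""))):
        findings.append("format: ssn must be nine digits, no alphabetic characters")
    if not NAME_RE.fullmatch(str(record.get("name", ""))):
        findings.append("format: name contains non-alphabetic characters")
    return findings

def dependency_control(session):
    """4. Dependency: a public-area login session must not bump into a private area."""
    login = session.get("login_area")
    extra = set(session.get("areas_accessed", [])) - ALLOWED_AREAS.get(login, set())
    return [f"dependency: {login} session reached {area}" for area in sorted(extra)]

def audit_record(record, session):
    """Run controls 1-4 in table order and return every finding (empty list = passes)."""
    return (input_control(record) + edit_control(record)
            + format_control(record) + dependency_control(session))

# Constructed samples: the MIS audit's first weakness (letters in the SSN field), an
# out-of-range years value, and a public session that jumped into a private area.
BAD_RECORD = {"name": "Jane Doe", "ssn": "12A45678B", "years": "20000"}
BAD_SESSION = {"login_area": "public", "areas_accessed": ["public", "private"]}
GOOD_RECORD = {"name": "Jane Doe", "ssn": "123456789", "years": "15"}
GOOD_SESSION = {"login_area": "public", "areas_accessed": ["public"]}

if __name__ == "__main__":
    print("\n".join(audit_record(BAD_RECORD, BAD_SESSION)))
```

Each finding names the control that caught it, which is exactly the "Audit Procedure" column an MIS audit like the one below needs.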

    Many of the procedures in the Application Controls list (above) can be automated using special auditing software, but a lot of it must be done by hand, and can be exhaustive.  The factor that determines how exhaustive you want to be is the importance of the data. If you are in charge of a nuclear weapons system, you will definitely be exhaustive.  I would think criminal justice ought to be up there in importance somewhere.  In business, you'll find that the accounts receivable system gets the most attention. Upper management will typically express its priorities as well as perceptions of risk in qualitative terms, and about the only leverage you have are risk assessments and the MIS AUDIT to increase security awareness.  MIS stands for Management Information Systems, which, broadly defined, is the use of computer information to assist managers in making decisions. An example of an MIS audit appears below:

Example of MIS Audit for Control of Computer Systems

Weakness | Impact | Audit Procedure | Date | Response
Form field for social security number accepts alphabetic characters | Errors in data system may remain undetected | Format application control | 12/26/01 | Programmers assigned to look into it
Bug in system software allows remote control of USB devices | Hackers can access USB storage devices | System software general control | 12/28/01 | All USB devices disconnected until patch available

    As future computer security professionals, you should familiarize yourself with a number of other terms that relate to the traditional control model.  These are terms you'll frequently encounter at some point when you are in a position to recommend the purchase of off-the-shelf software, or be involved in ordering customized packages from the software development industry.  I'll list these in no particular order, and give some brief definitions.

SURVIVABILITY AND THE CONCEPT OF MISSION-CRITICAL

    Survivability is the capability of a system to fulfill its mission in the presence of attacks, failures, or accidents.  A mission, for any organization, is a formal statement of a vision for its objectives.  Computer systems are deemed mission-critical by how important timeliness (in recovering from an attack, failure, or accident) and reasonableness (depending upon the amount of environmental stress) are to the mission.  For example, an Internet e-business that makes $500,000 an hour would regard a 12-hour system crash as more mission-critical than a 6-hour crash, and any length of crash wouldn't be mission-critical at all for someone selling homemade jewelry over the Internet.  An educational institution providing 15-week online courses could probably withstand a week's worth of their web server being down, but a crash during finals week of an 8-week online course might be mission-critical. There are three kinds of threats in the survivability model:

   An attack is defined as any damaging or potentially damaging event orchestrated by an intelligent adversary.  The threat of an attack can have just as much impact as an actual occurrence.  This is because of overreaction on the part of system administrators, who reduce functionality and divert resources to protection. An attacker and user can also be peers in the same network.

   A failure is any damaging or potentially damaging event caused by deficiencies in the system or deficiencies in an external element on which the system depends.  Failures may be due to software design errors, hardware degradation, human errors, or corrupted data.

   An accident is a randomly occurring event which is damaging or potentially damaging.  Frequently the word accident is reserved for something completely beyond the control of the system administrator.  The impact may be the same as other events, however.

    Most of today's computer systems have a need to react and recover from events long before the cause is ever identified. Success matters, not excuses, and protection of at least some assets when other assets have been compromised is a hallmark of the SURVIVABILITY approach.  From this perspective, computer security managers should concentrate on maintaining as many essential services as possible when one or more other services go down.  Non-essential services can be recovered after intrusions have been handled. For example, web services may be lost, but internal e-mail services are kept up and running.  Someone may have hacked the passwords file, but confidential data in the employee records database is maintained.  There are different indicators (metrics) of quality information assurance -- integrity, confidentiality, performance, reliability, affordability.  Even if one type of service is lost, the emphasis ought to be on protecting what remains in good operational order.  Admittedly, the concept of survivability is a military one, based on the idea of maintaining technical superiority in the face of traditional defeat.  It's also an excellent strategy because it focuses upon system strengthening (robustness) rather than system hardening (vulnerability repair).  In the long run, it makes the system more adaptive. There's a lot to be said for the survivability model.    

INTERNET RESOURCES
American Society for Industrial Security

Auerbach Publications

Computer Security Institute

Computer Security Resource Center (CSRC)

Computer Security Technology Center

Federal Computer Weekly

High-Tech Crime Network

Information Security Magazine

InfoWorld's Security Audit Resource Guide

Links at the Centre for Software Reliability
Links on Software Reliability, Safety, and Metrics
Network Security Library

Security Management Magazine

PRINTED REFERENCES
Davenport, Tom. (2000). Mission Critical. Cambridge: Harvard Univ. Press.
Ellison, R. J. et al. (1997). Survivable Network Systems. Pittsburgh: CERT.
Frisch, Aeleen. (1995). Essential System Administration. NY: O'Reilly.
Gangemi, G. T. & D. Russell. (1991). Computer Security Basics. NY: O'Reilly.
Laudon, Ken. (1986). Dossier Society. NY: Columbia Univ. Press.
Laudon, Ken & Jane. (2000). Management Information Systems. NJ: Prentice Hall.
Leveson, N. G. (1995). Safeware: System Safety and Computers. NY: Addison-Wesley.
Mizell, Louis. (1998). Invasion of Privacy. NY: Berkley Books.
Musa, J. et al. (1987). Software Reliability. NY: McGraw Hill.
Schneider, Gary & J. Perry. (2000). Electronic Commerce. Cambridge: Thomson Learning.

Last updated: Dec. 21, 2008
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice