G. Pangalos, IPICS, Brno, 2004

IPICS2004

Information Systems Security

(Security of Distributed and Internet Based Information Systems)

G. Pangalos

Informatics Laboratory

Aristotelean University of Thessaloniki


Topics for discussion:

• The security problem - Basic security concepts

• The security of internet based IS

• Acceptable approaches to internet security

• A methodology / tool for selecting the appropriate security measures / guidelines


1. Basic Security Issues


The need for security

– Many I.S. handle sensitive information that should be protected.

– Without an appropriate level of security in place, no such system can be operational.

– A secure operational environment is thus required.

– Security is therefore an important issue for most I.S.


What is Security?

Basic concepts:

• Confidentiality: The protection of information from unauthorized access, or unintended disclosure.

• Integrity: The protection of information from unauthorized modification

• Availability: Resources are available, without unreasonable delay, when the user needs them


The need for security

• As organizations increase their reliance on information systems and the Internet for daily business, they become more vulnerable to security breaches


Several major questions arise, for example:

- How to safeguard the confidentiality of the information (i.e. who should be allowed to see what and under what conditions),

- How to safeguard the integrity of the information,

- How to improve its availability to legitimate users, etc.


In order to answer those questions it is necessary to:

1. Identify the security requirements / threats / vulnerabilities associated with the various categories of users and data types

2. Study the related security technology available

3. Study the impact of adding security on the availability / performance / cost of the system

4. Propose specific measures required to improve the security of the system.

5. Define an appropriate security policy for accessing the information


Some problems to think about...

• Confidentiality vs Availability vs Integrity (vs Accountability)

• The ease of Attack (e.g. through internet)

• The emergence of new, internet based, applications (electronic commerce, e – payments, …)

• The Holistic Approach necessary


Why is this still a problem?

We:

Have been working on it for 30 years

Have A Good Theoretical Foundation

Understand the Problem

Have Products

Continue to Make Progress

We have Ethics classes


. . . But!

Security Controls Have Operational Impact

Security costs (security should not cost. It should pay)

Products Do Not Match Problems

Not enough Flexibility

Rapidly Evolving Technology

No security culture


Computer Security Topics

• Operating Systems Security
• Database Security
• Network Security
• Internet Security
• Electronic Commerce security
• Office Automation Security
• Formal Models of Secure Systems
• Risk Analysis / Threat Analysis
• Encryption (symmetric and asymmetric)
• …


So, Why Aren’t Systems Secure?

• Security is usually an afterthought
• Security can be expensive
• Security is fundamentally hard to address
• False solutions
• Belief that computers are the problem - not people (teach ethics)
• Technology is oversold


Possible Information States ...

• Processing

• Storage

• Transmission


What we are trying to do ...

The Information Security Objective then becomes:

• To preserve the security characteristics across all three possible information states (processing, storage, transmission).

• To maintain the appropriate level of security.


Security Threats - Risks


• A threat is any circumstance or event with the potential to cause harm to an organisation (through the disclosure, modification or destruction of information, or by the denial of critical services).

• The presence of a threat does not mean that it will necessarily cause actual harm.

• A threat becomes a risk only when it can take advantage of a vulnerability in the system's security controls.


Why not just Encrypt ?

• Encryption is likely the most powerful tool available - but does not solve all problems.

• Steganography + Encryption + …..


What Tends to Work ...

• User Education

• Strong “holistic” approach

• Good Risk Analysis

• Plans and Procedures Enforcement

• Strong Identification and Authentication

• Firewalls on networks

• Law and Regulation


Basic Concepts:

• Access control. There is a need to protect resources against unauthorised access. The access control components decide whether a subject can access a particular resource (object). This functionality is related to both confidentiality and integrity.

• Authentication. Verification of the identity of users. This is of crucial importance in distributed systems due to the inherent ability of these systems to allow access to remote resources via physically untrusted communication environments.

• Auditing. Users that access resources should be accountable. The audit components should record their identities and actions.


Basic Concepts:

• Non-repudiation. For some applications it is important to provide evidence of actions. Typical examples of this are proof of receipt of a message or proof of sending a message.

• Security management . This is the management of information related to the security of a system. Typically this determines the security characteristics of a system.

• Cryptography. The provision of the above mentioned functionality is usually based on cryptography, which is essential in distributed systems where communication is based on insecure links.


2.The Internet Security Problem:


Facts:

• The Internet is the fastest growing telecommunications medium in history

• It provides unprecedented opportunities for interaction and data sharing.


Advantages of using Internet/Web browsers to provide access to information

Ease of deployment of information:

No specific network infrastructure is required.

Everybody has a WWW browser (Netscape Navigator, Internet Explorer, etc.)

User-friendly environment:

Users need no specific knowledge to access data.

Everybody knows how to use a Web browser.

Ease of administration:

The Web server handles all of the communications and simply passes the data back to the client.


The Internet Security problem


• Vulnerable TCP/IP services: a number of the TCP/IP services are not designed to be secure and can be compromised by knowledgeable intruders

• Ease of eavesdropping and spoofing: the majority of Internet traffic is not encrypted

• Lack of policy: many sites are configured unintentionally for wide-open Internet access without regard for the potential for abuse from the Internet

• Complexity of configuration: host security access controls are often complex to configure and monitor


Threats in Internet

• Information browsing: unauthorised viewing of sensitive information by intruders or legitimate users may occur through a variety of mechanisms

• Misuse: the use of information assets for other than authorised purposes can result in denial of service, increased cost, or damage to reputations.

• Component failure: failure due to design flaws or hardware/software faults can lead to denial of service or security compromises through the malfunction of a system component.


Threats in Internet

• Unauthorised deletion, modification or disclosure: intentional damage to information assets that results in the loss of integrity or confidentiality of business functions and information.

• Penetration: attacks by unauthorised persons or systems that may result in denial of service or significant increases in incident handling costs.

• Misrepresentation: attempts to masquerade as a legitimate user to steal services or information, or to initiate transactions that result in financial loss or embarrassment to the organisation.


Internet Security Risks:

• The advantages provided by the Internet come with a significantly greater element of risk to the confidentiality and integrity of information (open environment, uncontrolled platforms, etc.).

• The very nature of the Internet means that security risks cannot be totally eliminated.


!!!

• Because of these security risks and the need to study security requirements for the Internet, some organizations (e.g. HCFA) had until recently even prohibited the use of the Internet for the transmission of sensitive data.


On the other hand:

• There is a growing demand for using the Internet for fast and inexpensive transmission of information.


• It is therefore necessary to accommodate this need, provided that it can be assured that proper steps are being taken to maintain an acceptable level of security for the information involved.


Solving the problem requires:

A. To activate the necessary security tools

B. To have an adequate Internet Security Policy in place


A.Activate the necessary security tools


Levels of Internet security:

1. Security at the Application Layer

2. Security at the Transport Layer

3. Security at the Network Layer (TCP/IP)


Hierarchical Layers of Internet Security:

The 3 layers of protocols:

S-HTTP / HTTP / SMTP / FTP   (Application Layer)

S.S.L.                       (Transport Layer)

TCP / IP                     (Network Layer)


Security at level 1: (Application Layer)

Tools available:

a. Use of a ‘Secure’ Transfer Protocol (e.g. S-HTTP)

b. Use of end-to-end Encryption

c. Use of Digital Signatures and user Certificates

……….


Security at level 2: (Transport Layer)

Method: Activate an SSL connection

• Set up a PKI / TTP infrastructure

• Provide SERVER / CLIENT / USER certificates

• Use them to activate an SSL / https connection between client and server
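As an added illustration (not part of the original slides), the following Python builds the kind of certificate-authenticated client/server context the method above calls for, with the server demanding a client certificate as well as presenting its own, and audits a context against that policy. The CA and key file names in the docstring are hypothetical, and the protocol floor (TLS 1.2, since SSL 3.0 is no longer usable) is this example's assumption, not a figure from the slides.

```python
import ssl

# Policy value assumed for this example (not taken from the slides):
# SSL 3.0 is obsolete, so the floor here is TLS 1.2.
POLICY_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_context(server_side: bool) -> ssl.SSLContext:
    """Context for one end of the certificate-authenticated client/server connection.

    server_side=False: a client that verifies the server's certificate and host name.
    server_side=True:  a server that, in addition, demands a client certificate.
    In deployment the organization's CA and the host's own key pair are loaded too,
    e.g. (hypothetical file names):
        ctx.load_verify_locations(cafile="org-ca.pem")
        ctx.load_cert_chain(certfile="host.pem", keyfile="host.key")
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = POLICY_MIN_VERSION
    ctx.verify_mode = ssl.CERT_REQUIRED    # the peer MUST present a certificate we can validate
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS-level compression leaks plaintext (CRIME)
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The common anti-pattern: 'https' with verification switched off. The link is
    encrypted, but to whoever answers, so an impersonated server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Policy findings for a context; an empty list means it meets the policy above."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode=%s)" % ctx.verify_mode.name)
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("server name not checked against its certificate")
    if ctx.minimum_version < POLICY_MIN_VERSION:
        findings.append("minimum protocol version below %s" % POLICY_MIN_VERSION.name)
    return findings


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain summary of the settings the policy cares about."""
    return {"verify_mode": ctx.verify_mode.name,
            "minimum_version": ctx.minimum_version.name,
            "check_hostname": ctx.check_hostname}
```

The audit function is the useful part: run it over every context an application creates (or over the settings a deployed server reports) before trusting that "we use SSL" means mutual authentication rather than merely encryption.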


B. Have an adequate Internet Security Policy in place


That is ….

• To establish the basic security requirements that must be satisfied in order to use the Internet to safely transmit sensitive information.


What is needed:

• To define a suitable Internet Security Policy,

and

• To describe the set of technical measures that are needed for its implementation.


A. Development of an Internet Security Policy:

Acceptable Security Approaches


I. Basic Security Principles for the transmission of sensitive data over the Internet


1. Access and modification of information:

Sensitive information sent over the Internet must be accessed and modified only by authorized parties


2. Use of Acceptable technologies

• Appropriate technologies must be used to ensure that data travels safely over the Internet and is only disclosed to authorised parties.

• These technologies should:

– allow users to prove they are who they say they are (identification and authentication), and

– allow the organized scrambling of data (encryption) to avoid inappropriate disclosure or modification  


As seen later:

The Internet can be used for the safe transmission of sensitive data, provided that:

1. a suitable Internet Security Policy is in place,

2. an acceptable method of encryption is utilized to provide for confidentiality and integrity of the data, and

3. Suitable identification and authentication procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt such information.


II. Acceptable Security Methods


Acceptable Security Methods:

• In order to safely use the Internet for the transmission of sensitive data, the method(s) employed by all users must come under one of the acceptable approaches to security described below.


These approaches: …...

• Are as generic as possible and as open to specific implementations as possible, to provide maximum user flexibility within the allowable limits of security and manageability

• Have been based on a detailed study of the existing security framework and guidelines in the EU countries, USA and Canada.


Major sources:

• Development of a H.L. Security Policy for the processing and transmission of data through the INTERNET, Medical informatics and internet applications Journal, 1999.

• The Intranet Health Clinic project, WP6 report: security, The IHC project, EU, 2000.

• European prestandard CEN/TC 251/SEC-COM “Security for Healthcare Communication”, 1999

• Recommendation No. R (99)5 ‘for the protection of privacy on the Internet’,1999.

• Directive 95/46/EC ‘on the protection of individuals with regard to the processing of personal data and on the free movement of such data’.


• Recommendation N° R(95)4 ‘on the protection of personal data in the area of telecommunication services’.

• Recommendation N° R(97)5 ‘protection of medical data’. February 1997.

• CEN/TC 251 technical report N98-110, “framework for security protection of healthcare communication”, 1998

• CSA standard CAN/CSA –Q830, ‘Model Code for the Protection of Personal Information’, 1995

• Canadian Organisation for the Advancement of Computers in Health (COACH), Security and Privacy Guidelines for Health Information Systems, Canada’s Health Informatics Association, 1995.


• TrustHealth1, Examination of the Implications of the EU Data Protection Directive to a TrustHealth Information System, Deliverable D6.2, INFOSEC/TrustHealth Project, 1996.

• Department of Health and Human Services, “Security and electronic Signature standards”, Federal Register/Vol. 63, No. 155, 1998

• HCFA, “Internet Communications Security and Appropriate Use Policy and Guidelines”, 1998.

• Report and Recommendations from the Provincial Steering Committee on the Health Information protection Act, 1998.

• FOIP Policy and Practices, USA, 1998.


0. Acceptable Approaches to Internet Usage


I. General statement

It is permissible to use the Internet for the transmission of sensitive information, as long as:

• an acceptable method of encryption is utilised to provide for confidentiality and integrity of this data, and

• adequate identification and authentication procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorised to receive and decrypt such information.


II. Acceptable Technical Measures (to achieve those objectives)


ACCEPTABLE TECHNICAL MEASURES:

1. Acceptable Identification and Authentication approaches

2. Acceptable WEB server usage

3. Acceptable mail usage

4. Acceptable protection from virus and Interactive software

5. Acceptable Intrusion Detection methods

6. Acceptable Encryption approaches


1. Acceptable Identification and Authentication approaches


The problem:

• Authentication over the Internet presents several problems.

e.g. It is relatively easy to capture identification and authentication data (or any data) and replay it in order to impersonate a user.
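The capture-and-replay problem above, as an added example that is not from the slides: a nonce-based challenge-response in Python in which a recorded (nonce, response) pair is rejected the second time it is presented, contrasted with a static secret that replays successfully. The shared key and user names are constructed for the example. Challenge-response defeats replay of the credential; it does not by itself authenticate the server or protect the session that follows, which is why the next slides require certificates and SSL as well.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"example-shared-secret"   # constructed; provisioned out of band in practice


def _response(key: bytes, user: str, nonce: bytes) -> bytes:
    # The user name is bound into the MAC so a response computed for one
    # account cannot be presented for another.
    return hmac.new(key, user.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class AuthServer:
    """Issues a fresh random nonce per logon and accepts each nonce exactly once."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        # Consume the nonce before checking, so a captured (nonce, response)
        # pair is useless to whoever recorded it, whether it was valid or not.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        return hmac.compare_digest(_response(self._key, user, nonce), response)


def client_response(user: str, nonce: bytes) -> bytes:
    """Client side: prove possession of the key without ever sending it."""
    return _response(SHARED_KEY, user, nonce)


def static_secret_login(stored: bytes, presented: bytes) -> bool:
    """What the slide warns about: a fixed credential accepted every time it is replayed."""
    return hmac.compare_digest(stored, presented)


def demo() -> dict:
    server = AuthServer(SHARED_KEY)

    # 1. Legitimate exchange: server -> nonce, client -> HMAC(key, user || nonce).
    nonce = server.challenge()
    resp = client_response("alice", nonce)
    first = server.verify("alice", nonce, resp)

    # 2. Eavesdropper replays the very same pair: rejected, the nonce is spent.
    replay = server.verify("alice", nonce, resp)

    # 3. Eavesdropper obtains a fresh nonce but lacks the key: wrong MAC.
    fresh = server.challenge()
    forged = server.verify("alice", fresh, _response(b"guessed-key", "alice", fresh))

    # 4. A genuine response for 'alice' presented as 'bob': rejected too.
    fresh2 = server.challenge()
    swapped = server.verify("bob", fresh2, client_response("alice", fresh2))

    # 5. Contrast: a static password captured once replays forever.
    captured = b"hunter2"
    static_replay = static_secret_login(b"hunter2", captured) and static_secret_login(b"hunter2", captured)

    return {"first": first, "replay": replay, "forged": forged,
            "swapped": swapped, "static_replay": static_replay}
```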


Acceptable Identification and Authentication approaches:


1. use of digital certificates:

• Any site must use digital certificates to validate the identity of both the user and the server.

• Certificates at the user end must be used in conjunction with standard technologies such as Secure Sockets Layer (SSL).


• Only digital certificates issued by a formal Certificate Authority are acceptable.

• Certificates can be issued only by the organization or by a Trusted Third Party.

• Access to digital Certificates stored on PCs should be protected by passwords.


2. Use of passwords:

• Passwords may be sent over the Internet only when encrypted

• Passwords and user logon IDs must be unique to each authorized user.

• Passwords must be changed at a suitable period (e.g. 90 days).


3. Logon procedures:

• User accounts will be frozen after 3 failed logon attempts.

• All erroneous password entries will be recorded in an audit log for later inspection and action, as necessary.

• Sessions will be suspended after 15 minutes (or other specified period) of inactivity and require the password to be re-entered.


• Successful logons should display the date and time of the last logon and logoff.

• Logon IDs and passwords should be suspended after a specified period of disuse.

• Each site would be required to be able to prove that data in its possession has not been altered or destroyed in an unauthorised manner.
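An added example (not the slides' own) implementing the logon rules above in Python: the account is frozen after MAX_FAILURES bad attempts, every erroneous entry goes to an audit log, the last logon/logoff times are returned for display on success, and a session is suspended after IDLE_TIMEOUT_S of inactivity. The clock is passed in as a parameter so the timeout can be exercised without waiting; the credentials are constructed, and the clear-text comparison stands in for a salted-hash check.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3          # slide: freeze the account after 3 failed logon attempts
IDLE_TIMEOUT_S = 15 * 60  # slide: suspend the session after 15 minutes of inactivity


@dataclass
class Account:
    failures: int = 0
    frozen: bool = False
    last_logon: Optional[float] = None
    last_logoff: Optional[float] = None


@dataclass
class Session:
    user: str
    last_activity: float


class LogonGuard:
    """Lockout, failed-logon auditing and idle timeout; `now` is injected for testability."""

    def __init__(self, credentials: dict):
        # Constructed sample credentials in clear for the example only;
        # a real system stores salted password hashes and compares those.
        self._credentials = credentials
        self._accounts = {}
        self._sessions = {}
        self.audit = []   # (time, user, event) records of erroneous entries, per the slide

    def _account(self, user: str) -> Account:
        return self._accounts.setdefault(user, Account())

    def logon(self, user: str, password: str, now: float):
        """Return (session token, (last logon, last logoff)) on success, None otherwise."""
        acct = self._account(user)
        if acct.frozen:
            self.audit.append((now, user, "attempt on frozen account"))
            return None
        if not hmac.compare_digest(self._credentials.get(user, ""), password):
            acct.failures += 1
            self.audit.append((now, user, "bad password %d/%d" % (acct.failures, MAX_FAILURES)))
            if acct.failures >= MAX_FAILURES:
                acct.frozen = True
                self.audit.append((now, user, "account frozen"))
            return None
        acct.failures = 0
        banner = (acct.last_logon, acct.last_logoff)   # shown to the user after a successful logon
        acct.last_logon = now
        token = secrets.token_hex(16)                  # unguessable session identifier
        self._sessions[token] = Session(user, now)
        return token, banner

    def touch(self, token: str, now: float) -> bool:
        """Record activity; return False (and end the session) once the idle limit is exceeded."""
        sess = self._sessions.get(token)
        if sess is None:
            return False
        if now - sess.last_activity > IDLE_TIMEOUT_S:
            self.logoff(token, now)          # password must be re-entered from here on
            return False
        sess.last_activity = now
        return True

    def logoff(self, token: str, now: float) -> None:
        sess = self._sessions.pop(token, None)
        if sess is not None:
            self._account(sess.user).last_logoff = now


def demo() -> dict:
    t0 = 1_000_000.0
    g = LogonGuard({"alice": "correct horse"})        # constructed credential
    for i in range(MAX_FAILURES):
        g.logon("alice", "wrong", t0 + i)
    still_refused = g.logon("alice", "correct horse", t0 + 5) is None  # right password, frozen account

    g2 = LogonGuard({"bob": "pw"})
    token, banner = g2.logon("bob", "pw", t0)
    alive = g2.touch(token, t0 + 10 * 60)               # 10 min idle: still live
    expired = g2.touch(token, t0 + 10 * 60 + 16 * 60)   # 16 min idle: suspended
    return {"still_refused": still_refused, "audit_entries": len(g.audit),
            "banner": banner, "alive": alive, "expired": expired}
```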


2. Acceptable approaches for WEB server usage


• There shall be no remote control of the Web server.

• All administrator operations (e.g., security changes) shall be done from the console.

• Supervisor-level logon shall not be done at any device other than the console.

• The Web server software, and the software of the underlying operating system, shall contain all manufacturer recommended patches for the version in use.


• The Web server must be located internal to the firewall.

• The Web servers shall be configured so that users cannot install CGI scripts.

• All network applications other than HTTP should be disabled from the WEB server (e.g., SMTP, ftp, etc.)


Acceptable usage of UNIX WEB servers:

• Unix Web servers shall not be run as root.

• The implementation and use of CGI scripts shall be monitored and controlled.

• CGI scripts shall not accept unchecked input.


• Arguments passed to externally executed programs must not contain shell metacharacters.

• The developer is responsible for devising the proper regular expression to detect shell metacharacters and shall strip out (or, better, reject) special characters before passing external input to the server software or the underlying operating system.
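Added example, not from the slides: the injection the rule above guards against, the strip-metacharacters approach it prescribes, and the stronger alternative of allow-listing the whole value and executing the program without a shell at all. `finger` as the external program and the username pattern are assumptions made for the example.

```python
import re
import shlex
import subprocess

# Allow-list for a 'username' CGI field (an assumption for this example). The first
# character must be alphanumeric so the value can never be taken for an option such as -l.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")
# Shell metacharacters to remove under the slide's 'strip special characters' rule.
SHELL_META = re.compile(r"[;&|`$()<>\\\"'*?\[\]{}\s~!#]")


def vulnerable_command(username: str) -> str:
    """The pattern the slide forbids: unchecked input spliced into a shell command line.
    Returned as text rather than executed so the injection can be inspected."""
    return "finger " + username          # as in os.system(...) or subprocess.run(..., shell=True)


def strip_metacharacters(value: str) -> str:
    """The minimum the slide asks for: remove shell metacharacters before passing input on.
    Weak on its own: it silently mangles the value and only addresses the shell."""
    return SHELL_META.sub("", value)


def safe_argv(username: str) -> list:
    """Stronger: reject anything outside the allow-list, and build an argv list so the
    program runs without a shell (no command line is ever parsed)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected username: %r" % username)
    return ["finger", username]


def run_safely(username: str) -> subprocess.CompletedProcess:
    """Execute the external program with the validated argv and shell=False."""
    return subprocess.run(safe_argv(username), shell=False,
                          capture_output=True, text=True, timeout=5)


def demo() -> dict:
    evil = "alice; cat /etc/passwd"
    out = {
        "vulnerable": vulnerable_command(evil),     # 'finger alice; cat /etc/passwd'
        "stripped": strip_metacharacters(evil),     # metacharacters gone, value mangled
        "quoted": shlex.quote(evil),                # if a shell is unavoidable, quote the value
        "safe": safe_argv("alice"),
    }
    for label, value in (("evil_accepted", evil), ("option_accepted", "-l")):
        try:
            safe_argv(value)
            out[label] = True
        except ValueError:
            out[label] = False
    return out
```

Note that stripping leaves "alicecat/etc/passwd" behind, which is harmless to the shell but is no longer what the user typed, whereas the allow-list rejects the request outright and logs a clear error; and the `-l` case shows that metacharacter filtering says nothing about argument injection into the program itself.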


3. Acceptable approaches to mail usage


Objective:

Implement suitable policies for e-mail usage to help users:

– use electronic mail properly,

– reduce the risk of intentional or unintentional misuse, and

– assure that sensitive records transferred via electronic mail are properly handled.


Acceptable approaches for e-mail usage:


• If confidential or proprietary information must be sent via e-mail, it must be encrypted so that it is readable only by the intended recipient, and digitally signed so that the recipient can verify the sender.


• All incoming messages will be scanned for viruses and other malign content.

• The mail server (or any other mail server servicing users) will be configured to accept passwords from local machines only over an encrypted channel (SSL 3.0 or equivalent).


• e-mail servers shall be configured to refuse e-mail addressed to non-organizational systems.

• E-mail clients will be configured so that every message is signed using the digital signature of the sender.


4. Acceptable approaches for protection from virus and interactive software


The problem:

• Internet provides another channel for virus infections, one that can often bypass traditional virus controls.


• The security service policy for viruses:

– has to prevent the introduction of viruses into a computing environment, and

– must be able to determine that an executable, boot record, or data file is contaminated with a virus.


i. acceptable approaches for virus protection:


• Anti-virus software should be installed in the servers to limit the spread of viruses within the network.

• Scanning of all files and executables will occur daily (or weekly) on the servers.

• Workstations will have memory resident anti-virus software installed and configured to scan data as it enters the computer.

• Programs will not be executed, nor files opened by applications prone to macro viruses without prior scanning.


• All incoming mail and files received from the Internet must be scanned for viruses as they are received.

• Virus checking will be performed if applicable at firewalls that control access to networks.

– This will allow centralised virus scanning for the entire organisation.

– It also allows for centralised administration of the virus scanning software.


• All data imported on a computer (e-mail, or file transfer) will be scanned before being used.

• Off-the-shelf scanning software should be enhanced by state-of-the-art virtual machine emulation for polymorphic virus detection.

• All other new virus detection methods will be incorporated into the detection test bed.

• To keep abreast of the latest viruses which have been identified, scanning software will be updated monthly or as updates arrive.


• Users will inform the system administrator of any virus that is detected, configuration change, or different behaviour of a computer or application.

• When informed that a virus has been detected, the system administrator will inform all users that a virus may have also infected their system.

• The users will be informed of the steps necessary to determine if their system is infected and the steps to take to remove the virus.


ii. Acceptable approaches for using Interactive Software


Use of Interactive Software:

In an Interactive Software environment a user accesses a server across a network. The server downloads an application (applet) onto the user’s computer, which is then executed.

• There are significant risks involved in this strategy.

• Fundamentally, one must trust that what is downloaded will do what has been promised.


• Users should configure their browsers to accept applets only from known, trusted servers.

• If this is not possible, then browsers should be configured not to accept applets.


5. Acceptable Intrusion Detection methods


• Intrusion detection plays an important role in implementing the Internet Security Policy.


acceptable approaches for Intrusion detection :


i. Normal logging processes:

• Normal logging processes shall be enabled on all systems.

• Alarm and alert functions, as well as logging, of any firewalls and other network perimeter access control systems shall be enabled.


ii. Additional monitoring tools:

• In addition to the activity logging provided by the operating system, all servers shall have additional monitoring tools (e.g. Tripwire or appropriate software wrappers) installed.
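An added Python sketch (not the slides' own, and not Tripwire itself) of what a Tripwire-style monitor does: hash every regular file under a root into a baseline, then compare a later snapshot against it and report files that were added, removed or modified. The directory contents in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map every regular file under root (relative path) to its SHA-256 digest and size."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue                      # devices, sockets and links are not hashed
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = str(p.relative_to(root))
            table[rel] = {"sha256": h.hexdigest(), "size": p.stat().st_size}
    return table


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files relative to the stored baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(name for name in baseline.keys() & current.keys()
                      if baseline[name]["sha256"] != current[name]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"original binary")     # constructed content
        (root / "httpd.conf").write_text("ServerRoot /srv\n")

        baseline = snapshot(tmp)
        # The baseline would be written to read-only or off-host storage (or signed);
        # here it is only round-tripped through JSON to show it serialises cleanly.
        baseline = json.loads(json.dumps(baseline))

        (root / "bin" / "httpd").write_bytes(b"trojaned binary")     # intruder replaces the daemon
        (root / "cgi-bin.sh").write_text("#!/bin/sh\n")              # new file appears
        (root / "httpd.conf").unlink()                               # configuration removed

        return compare(baseline, snapshot(tmp))
```

The check is only as trustworthy as the baseline: an intruder with root can rewrite a baseline kept on the same host, so the real tools keep it on read-only media or sign it, and the comparison is scheduled from a system the monitored server cannot alter.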


iii. perimeter access control:

• System integrity checks of the firewalls and other network perimeter access control systems must be performed on a routine basis.


iv. Review:

• Audit logs from the perimeter access control systems shall be reviewed daily.

• Audit logs for servers shall be reviewed on a daily basis.

• User education shall be provided in order to train users to report any anomalies in system performance to their system administration staff.


6. Acceptable encryption approaches


i. Level of Encryption:

A level of encryption protection equivalent to that provided by the following algorithms is recognised as minimally acceptable:

– Triple 56-bit DES (defined as 112-bit equivalent) for symmetric encryption,

– 1024-bit algorithms for asymmetric systems, and

– 160 bits for the emerging Elliptic Curve systems.

(These are the 2004 minima. Current guidance such as NIST SP 800-131A treats Triple DES and 1024-bit RSA/DSA as legacy; today's baseline is AES-128 or stronger, 2048-bit RSA and 256-bit elliptic curves.)


• The organization will have however to increase these minimum levels when deemed necessary by advances in techniques and capabilities associated with the processes used by attackers to break encryption.


ii. Hardware-Based Encryption:

• Hardware encryptors are acceptable (while likely to be reserved for the largest traffic volumes to a very limited number of Internet sites), e.g. symmetric "private" key devices such as link encryptors.


iii. Acceptable Software-Based Encryption:

• Secure Sockets Layer (SSL) implementations at a minimum SSL level of Version 3.0 (SSL 3.0 has since been broken and its use prohibited by RFC 7568; the equivalent requirement today is TLS 1.2 or later),

• standard commercial implementations of PKI, or some variation of, implemented in the SSL.

• S-MIME - Standard commercial implementations of encryption in the e-mail layer


Acceptable Software-Based Encryption-2:

• In-stream - Encryption implementations in the transport layer, such as pre-agreed passwords

• Offline - Encryption/decryption of files at the user sites before entering the data communications process


III. Basic Security Principles for the transmission of sensitive (database) data over the Internet


Basic Security Principle:

Sensitive information sent over the Internet must be accessed and modified only by authorized parties


Basic Security Guidelines for the transmission of sensitive data over the Internet:

The Internet can be used for the transmission of sensitive data, provided that:

1. a suitable Internet Security Policy is in place,

2. an acceptable method of encryption is utilized to provide for confidentiality and integrity of the data, and

3. suitable authentication or identification procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt such information.


Related Security Guidelines:


G7.1 Acceptable technologies

• Appropriate technologies must be used to ensure that data travels safely over the Internet and is only disclosed to authorised parties.

• These technologies should:

– allow users to prove they are who they say they are (identification and authentication), and

– allow the organized scrambling of data (encryption) to avoid inappropriate disclosure or modification  


G7.2 Encryption

• In order to make the Internet adequately safe, a complete Internet communications implementation must include adequate encryption

• Encryption must be at a sufficient level of security to protect against the cipher being readily broken and the data compromised.

• The length of the key and the quality of the encryption framework and algorithm must be increased over time as new weaknesses are discovered and processing power increases.  


G7.4 Authentication and Identification

• In order to make the Internet adequately safe, a complete Internet communications implementation must include employment of sufficient authentication or identification of communications partners. 


G7.5 Password/key management systems

• In order to make the Internet adequately safe, a complete Internet communications implementation must include a management scheme which incorporates effective password/key management systems