Security incidents and their prevention
CESNET
technical report number 7/2006
Andrea Kropacova
7. 11. 2006
1 Abstract
Computer security is an important field of computer science concerned with controlling the risks that arise from the use of computers. This technical report sets out basic rules and describes how they can be applied to achieve network and computer security. Most of the report is devoted to end users, their most frequent mistakes and the gaps in their knowledge, because the end user is crucial for computer security.
2 Introduction
Internet security has been compromised repeatedly ever since the network was born. This is partly because security was not a requirement at the beginning: the network was built as a research playground for trying out ideas. No one in the 1970s, when the TCP/IP protocols were created, gave any consideration to security. The requirements of the day were robustness and efficiency, so that the network would keep working even if a war broke out and part of it was destroyed. The first problems appeared the moment the first users got access. In 1980 the whole ARPANET was brought down by a single corrupted status message that every node kept re-propagating; in 1981 Ian Murphy (alias Captain Zap) altered part of AT&T's internal system so that daytime phone calls were billed at night rates and vice versa; and in 1990 Kevin Poulsen took over the telephone lines of the Los Angeles radio station KIIS-FM to make sure that he was the caller who won a Porsche 944 S2. Even earlier, in the early 1970s, John Draper had discovered the 2600 Hz tone that AT&T used to control long-distance calls. Kevin Mitnick and his social engineering ("socio-technique"), based on manipulating people, need no introduction. Since the early 1990s, when the Internet became available to the public, security incidents have been on the agenda daily.
3 Security incidents
End users frequently ask why anybody would want to compromise the security of their computers. The answer is not encouraging: it is above all about money. Most attacks aim at obtaining personal information about the user, e.g. the credentials to his bank account, or at obtaining private company information (client contracts, contacts) that can be converted into cash or otherwise abused. Efforts to hurt somebody, or to damage him in his private or professional life, are not far behind the efforts to make a profit.
Academic networks, which may at first sight seem uninteresting to attackers, offer lures other than money: a fast network, a large number of PCs, powerful network components and a large number of inexperienced users among students and staff. Where money cannot be stolen, powerful networked machines can be misused as a stepping stone for further attacks, e.g. for spamming (unsolicited mail), for violating copyright by publishing copyright-protected data on a compromised server with a large disk capacity, for breaching the integrity of personal data, etc.
In general, a security incident can be defined as a compromise of IS/IT security and a breach of the rules designed to ensure its protection (the security policy). Users may compromise the security of a computer deliberately, through lack of knowledge, or through negligence.
The effects of security incidents differ in kind and in seriousness, ranging from the use of the compromised computer as a stepping stone for further attacks, through obtaining confidential data and misusing them and the deliberate destruction of collected data, up to identity theft.
4 Solutions for prevention of security incidents
Discovered security incidents or deficiencies must be reported to the persons responsible for the security of the given network, documented, and the reports archived. The incidents are examined and remedied, and their root causes are analysed so that they can be eliminated. Both the administrator and the user must be prepared for such a situation and be able to respond quickly and effectively. Solutions to security incidents and basic security rules are discussed in a separate article; this report does not deal with them and focuses solely on the prevention of security incidents.
When it comes to preventing security incidents, the first step is the protection of the network, of the local computers and of the services running in the network. When designing a security strategy, one must realise that most attacks are made by local users. Attacks from outside are less common, and where the network is well designed and its components are of high quality and well configured they are also harder to carry out. Protection against local users rests on the network security policy ("SP"), which defines the relationship between the user and local resources, the rules for access to the network, and the sanctions for violating the SP.
4.1 Local protection of computers
The following points may help inexperienced administrators implement a security strategy for any workstation. They cover only the most important issues and the list is definitely not exhaustive:
- Good choice of operating system ("OS"). The administrator should choose an OS that he knows well; experiments with new distributions should not be carried out on a machine intended for routine operation. Choose an up-to-date distribution so that the system is not open to known flaws for which exploits [1] already exist, exploits that require no deep understanding of IT and can be run by any beginner.
- Regular updating of the OS is a must. Most operating systems contain tools for automatic security maintenance. These should be configured so that updates are applied automatically and regularly, at least once a day.
- Antivirus and antispyware protection should be an integral part of the OS installation. As with the OS, regular updating is essential.
- Correct configuration of services. Permit only the services that users really need and switch off all others. An ordinary workstation needs no service reachable from outside, except perhaps remote access via secure shell.
- Regular checks of system integrity. Most OSes have their own tools for checking system integrity; alternatively an external tool such as Tripwire can be used. Integrity is usually checked by recording the access rights and a checksum of the system files and comparing them against a known-good baseline.
- Regular backups stored outside the workstation. They protect the user against losing data when the system is compromised or when hardware fails (e.g. a disk breakdown).
- Logging of services and regular review of the logs. In a network with many workstations it is advisable to run a central logging server and configure the workstations to log to it in real time. The administrator can then learn how a computer was compromised even when the attacker deletes the logs and other data on the compromised machine, because copies of the logs already exist on the logging server.
- Personal firewalls are strongly advisable on portable PCs. They protect the system when the user connects, e.g. on a business trip, to a network about whose security and users he knows nothing.
- User education. The end user is key to computer security and therefore to network security as well. This topic is discussed in a separate chapter.
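The integrity check and the Tripwire-style baseline mentioned above can be illustrated with a short script. The following Python example is added here and is not part of the original report or of Tripwire; it records the mode, owner and SHA-256 checksum of every regular file under a directory, stores them as a baseline and reports what differs on a later scan. The file names and the simulated tampering in demo() are constructed for the example.

```python
"""File-integrity baseline check in the spirit of Tripwire.

Added example, not part of the CESNET report. Records mode, owner, size and
SHA-256 of every regular file under a directory, then compares a fresh scan
against the stored baseline and reports added, removed and modified files.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

FIELDS = ("mode", "uid", "gid", "size", "sha256")


def _hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root):
    """Return {relative_path: {mode, uid, gid, size, sha256}} for regular files."""
    root = Path(root)
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not hashed here
            entries[str(p.relative_to(root))] = {
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "sha256": _hash_file(p),
            }
    return entries


def save_baseline(root, baseline_file):
    """Scan and write the baseline; keep the file off the host it describes."""
    data = scan(root)
    with open(baseline_file, "w") as f:
        json.dump(data, f, indent=1, sort_keys=True)
    return data


def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> differing fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diff = [k for k in FIELDS if baseline[path][k] != current[path][k]]
        if diff:
            changed[path] = diff
    return added, removed, changed


def check(root, baseline_file):
    with open(baseline_file) as f:
        baseline = json.load(f)
    return compare(baseline, scan(root))


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "etc"
        tree.mkdir()
        (tree / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (tree / "ssh_config").write_text("Port 22\n")
        (tree / "ssh_config").chmod(0o644)
        (tree / "motd").write_text("welcome\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(tree, baseline_file)
        # simulated compromise: extra uid-0 account, world-writable config,
        # a dropped file and a deleted one
        (tree / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")
        (tree / "ssh_config").chmod(0o666)
        (tree / "rootkit").write_text("...")
        (tree / "motd").unlink()
        return check(tree, baseline_file)
```

The baseline is only worth anything if an attacker cannot rewrite it along with the files, so it belongs on read-only media or on the central log server, and the scan itself should be run from a trusted copy of the tool.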
4.2 Network protection
Network protection starts with high-quality network hardware and topology. Network components must be password protected. Firewalls must be used efficiently and effectively. A firewall separates the local network from the public Internet, or one local network from another. Firewalls do not protect against insider attacks, only against external attacks, or rather they make those more difficult.
A firewall is typically used as follows: all user workstations in the local network sit behind the component that performs the firewall function. The workstations are not reachable from outside (from the public Internet), but their traffic outwards (into the public Internet) is not limited. It is also possible to limit the workstations' outbound traffic and allow only certain services, such as mail and WWW. This model protects the network's reputation and reduces the risk that a workstation will cause damage elsewhere, e.g. after it has been infected by a virus. (Commercial companies also use such limits to stop employees attending to private matters during working hours.)
The question is where to place servers (the sources of services and data used by all users at once, e.g. the mail server, IS server, web server) in a firewall-protected network. The decisive factor is whether the servers provide a public service or not. If not, it is advisable to place them behind the firewall. If they serve the public, they can be left in front of the firewall, or they can be placed in a so-called demilitarised zone (DMZ). A DMZ is also protected by a firewall, but it is separated from the local network that contains the workstations. It can be created on another network interface of the same firewall or with a second firewall.
4.3 Protection of provided network services
Placing local computers in a firewall-protected network and servers with running services in the DMZ (behind a firewall) is not a sufficient security measure. The rules described in the section Local protection of computers apply to servers providing network-accessible services as well. Servers, however, are much more specific network components and require stricter security measures, one reason being that most of them must be reachable by users from anywhere and that every network service is a potential hole in the system. I will therefore mention a few more recommendations:
- The cornerstone of server and service security is the protection of credentials. It goes without saying that only authentication mechanisms built on sound cryptography should be used, e.g. public-key authentication with RSA keys (named after its authors Ron Rivest, Adi Shamir and Len Adleman), so that passwords and keys are never exposed in clear text on the network.
- Regular maintenance and monitoring of the operated services, log review, antivirus protection of the OS, and antivirus and anti-spam protection of mail.
- In a network with more than one user it is advisable to introduce a single, organisation-wide user identity. Every user in the organisation should have a unique identifier, a login name or personal certificate, with which he signs into the system and accesses the services.
- Do not support anonymous use of the network or services: access to the network and to the operated services should be granted only after the user authenticates. A login name and password that everyone knows, or that the administrator hands out on request, may backfire. "Lending" user names and passwords to the forgetful can sometimes be seen in student laboratories; this kind of shared access should not be used.
- Logging of user access to services and to the network. This follows from the previous two points. When a security incident occurs, it is good to have a tool that identifies who was working on the relevant computer at the time of the incident.
- Archiving and backing up important data: system and service configuration, user data, logs, etc. Backups of important data must be stored separately from the backed-up system.
- Intrusion Detection System (IDS). An IDS detects intrusions into, or attempts to compromise, a computer system. It may protect only the host it runs on (Tripwire, Medusa, etc.) or it may monitor a whole network segment and its traffic.
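Central logging and logging of user access are only useful if someone actually reads the logs. The following Python example is added here and is not part of the report; it parses sshd authentication lines in the default syslog format, flags any source address with a burst of failures inside a time window, and notes whether a login from that address succeeded afterwards, the pattern of a password-guessing attack that got through. The log lines in SAMPLE_LOG are constructed; the host name, user names and addresses in them are invented.

```python
"""Brute-force triage over sshd log lines (added example, not part of the report)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default syslog line as written by OpenSSH; note that the year is not in the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year):
    """Return a dict for an authentication line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day ("Nov  7")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def triage(lines, year, threshold=5, window=timedelta(minutes=10)):
    """Flag source addresses with at least `threshold` failures inside `window`.

    Returns {ip: {"failures", "users", "success_after"}}; success_after is the
    user name of the first successful login from that address after the first
    failure, or None. A non-None value is the case to investigate first.
    """
    events = [e for e in (parse(line, year) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        # sliding window: any `threshold` consecutive failures within `window`
        burst = any(fails[i + threshold - 1]["ts"] - fails[i]["ts"] <= window
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        first = fails[0]["ts"]
        ok = next((e for e in evs if e["result"] == "Accepted" and e["ts"] > first), None)
        alerts[ip] = {"failures": len(fails),
                      "users": sorted({e["user"] for e in fails}),
                      "success_after": ok["user"] if ok else None}
    return alerts


# Constructed sample: a short guessing run that ends in a successful login,
# plus one innocent typo from another address.
SAMPLE_LOG = """\
Nov  7 09:58:12 srv1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Nov  7 09:58:15 srv1 sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Nov  7 09:58:19 srv1 sshd[2205]: Failed password for root from 192.0.2.10 port 40141 ssh2
Nov  7 09:58:24 srv1 sshd[2207]: Failed password for root from 192.0.2.10 port 40150 ssh2
Nov  7 09:58:31 srv1 sshd[2209]: Failed password for root from 192.0.2.10 port 40162 ssh2
Nov  7 09:58:40 srv1 sshd[2211]: Failed password for root from 192.0.2.10 port 40171 ssh2
Nov  7 10:01:02 srv1 sshd[2230]: Accepted password for pavel from 192.0.2.10 port 40199 ssh2
Nov  7 10:03:45 srv1 sshd[2240]: Failed password for jana from 10.1.2.3 port 51000 ssh2
Nov  7 10:03:51 srv1 sshd[2242]: Accepted password for jana from 10.1.2.3 port 51002 ssh2
"""


def demo():
    return triage(SAMPLE_LOG.splitlines(), year=2006)
```

The year has to be supplied because classic syslog timestamps omit it; on a central log server that receives lines from many hosts it is also worth keying alerts on (host, ip) rather than ip alone, since the same source often walks through every reachable machine.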
Protection of the local computers and servers supplements the protection of the network, and the network protection supplements the protection of every workstation. Neither is sufficient on its own, and one must realise that even together they raise the level of protection but are not bullet-proof. Computer security is not something that can be bought ready-made, installed and then forgotten. It is a complex package that requires an active approach from the administrator and from all users.
4.4 User and computer security
In general, the user has always been the weakest link in computer security. That is why users need to be trained regularly and regularly reminded of the basic rules for the secure use of computers and services. The following paragraphs are not a guideline on how to secure a whole network or a computer, or how to configure them securely. They focus on the basic risks that users should be aware of and the rules they should follow so as not to compromise the security of their own data or of the whole system.
4.4.1 Basic rules
Each user should know that he is an integral part of computer security and that he must actively help secure his own workstation and the network rather than leaving it solely to the administrator. Every compromised end station can be used as a stepping stone for attacks on other computers in the network. Computer security therefore concerns all network components and every workstation, not only the central servers and data storage. Every system is most vulnerable from the inside.
4.4.2 Choice of suitable password and its regular change
Automated tools can try a very large number of candidate passwords in a few minutes; this is the so-called dictionary attack. Ordinary words found in dictionaries, such as cat, car or tree, are therefore unsuitable as passwords. Names of favourite film or book characters, replacing letters with similar-looking digits or symbols (0 for o, 3 for e, @ for a), and data that identify the user (home address, ID numbers, birth number, etc.) are not advisable either. Passwords should contain symbols other than letters and digits (such as ,.:;-=+_) and should be of adequate length, say at least 8 characters. Regular password changes are disputable. Ideally the change should increase security, but many administrators argue that forcing users to change their passwords regularly may be counterproductive, because users with a poor memory will scribble them on a piece of paper or choose simple ones. There is no optimal rule for how often a password should be changed.
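The rules above can be checked mechanically at the moment a password is chosen. The following Python example is added here and is not part of the report; check_password returns the reasons a candidate password fails. The word list DICTIONARY and the digit-for-letter table LEET are small constructed stand-ins: a real check uses word lists of many thousand entries, and the personal data passed in would come from the user's account record.

```python
"""Password quality check (added example, not part of the report)."""
import re
import string

# Constructed stand-in for a real word list of many thousand entries.
DICTIONARY = {"cat", "car", "tree", "gandalf", "password", "praha", "letmein"}
# Common digit/symbol-for-letter substitutions, undone before the dictionary check.
LEET = str.maketrans("0134578@$", "oleastbas")
REASON_DICT = "dictionary word (possibly with digit or symbol substitutions)"


def check_password(pw, personal=(), dictionary=DICTIONARY, min_len=8):
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c in string.punctuation for c in pw):
        problems.append("no non-alphanumeric character")
    lowered = pw.lower()
    deleet = lowered.translate(LEET)        # "g4nd4lf!" -> "gandalf!"
    core = re.sub(r"[^a-z]", "", deleet)    # letters only: "gandalf"
    long_words = [w for w in dictionary if len(w) >= 5]
    if (lowered in dictionary or deleet in dictionary or core in dictionary
            or any(w in core for w in long_words)):
        problems.append(REASON_DICT)
    for item in personal:
        item = str(item).lower()
        # birth year, phone number, street name ... anything an attacker can look up
        if len(item) >= 4 and item in lowered:
            problems.append(f"contains personal data {item!r}")
    return problems


def demo():
    """Constructed candidates: a plain word, a 'leet' name, a city plus birth year,
    and a random-looking string that passes."""
    return {
        "cat": check_password("cat"),
        "G4nd4lf!": check_password("G4nd4lf!"),
        "Praha1985x": check_password("Praha1985x", personal=["1985"]),
        "kv;7Rtu=Xq2": check_password("kv;7Rtu=Xq2"),
    }
```

Undoing the substitutions before the dictionary lookup is the point: to a cracking tool "G4nd4lf!" is one rule applied to one word, not a random eight-character string.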
4.4.3 Password and key protection
It is not advisable to write the password down anywhere in clear text: in a diary, on a piece of paper, on an ID card, on a notice board, on the desk, on the screen... If the user is not sure he will remember the password, it should be protected by another layer of encryption and stored on external media (diskette, CD-ROM, DVD, CF card, Palm) that are adequately protected against theft. The password should not be told to anyone (including colleagues, the boss and the administrator), and conversely, do not let anyone tell you his password. This ensures that when a password is disclosed and misused, you are above suspicion.
If you access several services or computers that are not centrally authenticated, do not use the same password for them. It may be a little harder to remember different passwords for different services, but the lower comfort should definitely pay off. It is particularly advisable to choose different passwords for work and private activities (it is not good to have the same password for the employer's IS and for a mailbox at one of the free-mail providers such as seznam.cz or yahoo.com).
Furthermore, the password must be used correctly. The password for accessing e-mail should not be used for other services, in particular not for those you are not familiar with or those that are unencrypted by design (FTP), where the password crosses the network in clear text. In general, ask the administrator who created the account for which services a particular login name and password may be used.
Many users access remote servers with SSH keys, in particular when they work with several remote servers that are not centrally authenticated and whose passwords are administered individually. In that case one must think carefully about where to store the private SSH key. Ideally the private key exists only on the user's own workstation, protected by a passphrase, even though this may complicate transferring data directly between the remote servers.
4.4.4 Protection of the content of electronic message and own identity
Often the users do not realise how individual services work and in what form their data travel through the network. As a result they form false ideas about who can get at their data and how. The most illustrative example is electronic mail. Most ordinary users are shocked when they learn:
- That anybody with the necessary knowledge and means can read the content of their e-mail messages, e.g. by tapping network traffic or by reading the mail server directly. The only reliable protection of the content of an e-mail message is to encrypt it.
- That anybody anywhere in the world can send an e-mail with the same sender address as their own. Users usually realise that anybody can put whatever they like in the From line when they receive a nonsensical e-mail from their own address which they know they did not send. The solution to this is the electronic signature.
The electronic signature and the protection of the content of transmitted messages are provided by methods based on asymmetric cryptography, such as PGP keys and X.509 certificates. The electronic signature also protects the integrity of the message: it detects whether the message was changed on its way from the sender to the recipient. Secure electronic communication is covered in more detail in a separate article.
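To show what a signature does and does not protect, the following Python example is added here; it is not part of the report and is not how PGP or X.509 software works internally. It uses textbook RSA without padding and a fixed, far-too-small key built from two known primes, purely so that the arithmetic is visible: the From field and the body are hashed and signed, any change to either makes verification fail, and a forged From line without the private key cannot produce a valid signature. Real software uses random keys of at least 2048 bits and a padded, standardised signature format; the messages in demo() are constructed.

```python
"""Toy digital signature over an e-mail (added example, not part of the report).

Textbook RSA without padding, keyed from two fixed primes so the run is
deterministic. Illustration only: real software (PGP, X.509) uses random
keys of 2048 bits or more and a padded signature scheme.
"""
import hashlib

P = (1 << 61) - 1   # both are Mersenne primes; n = P*Q is only about 150 bits
Q = (1 << 89) - 1
E = 65537


def keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key anyone may hold and the private one."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(sender, body):
    """Hash the fields the signature covers.

    SHA-256 output is truncated to 128 bits only so that it fits below this toy
    n; a real scheme pads the full hash up to the key size instead.
    """
    canonical = f"From: {sender}\n\n{body}".encode("utf-8")
    return int.from_bytes(hashlib.sha256(canonical).digest()[:16], "big")


def sign(priv, sender, body):
    """Only the holder of d can compute this value for a given digest."""
    n, d = priv
    return pow(digest(sender, body), d, n)


def verify(pub, sender, body, sig):
    """Anyone with the public key can check that sig matches this exact message."""
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == digest(sender, body)


def demo():
    """Constructed messages: genuine, tampered body, forged From line, damaged signature."""
    pub, priv = keypair()
    sender, body = "andrea@example.cz", "Please pay invoice 17 to account A."
    sig = sign(priv, sender, body)
    return {
        "genuine": verify(pub, sender, body, sig),
        "body_changed": verify(pub, sender, "Please pay invoice 17 to account B.", sig),
        "sender_forged": verify(pub, "boss@example.cz", body, sig),
        "signature_damaged": verify(pub, sender, body, sig ^ 1),
    }
```

Note what the signature does not do: the body is still readable by anyone on the path. Confidentiality needs encryption of the content in addition, as the report says.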
4.4.5 Protection of certificates and revocation keys
The wish to protect our own data, their integrity and our own identity forces us to use the electronic signature and to encrypt the content of messages. It is, however, necessary to protect the private key (PGP key, X.509 certificate) and to be prepared for the possibility that it is stolen or destroyed. If that happens, the PGP key (or X.509 certificate) must be revoked as soon as possible. By revoking (invalidating) the key or certificate the owner declares that his electronic signature is no longer to be trusted. The user should prepare for the loss of his private key in advance, e.g. by generating a revocation certificate together with the public/private key pair; the revocation certificate can then be used to invalidate the PGP key even when the private key itself is gone. If the private key belonging to an X.509 certificate is destroyed or compromised, the certification authority that issued the certificate, which is the only party able to invalidate it, should be informed as soon as possible.
Electronic signatures and encrypted messages also need to be reviewed regularly to find out whether some of the keys (or certificates) stored in our mail client (the public keys of those with whom we exchange e-mail) have been invalidated. Certification authorities publish a list of invalidated certificates (a certificate revocation list, CRL), e.g. on their web sites or by e-mail. These lists should be updated regularly in users' systems (mail clients, WWW browsers, ...).
4.4.6 Vigilance and attention
Users should always lock their computer when they leave their workplace (even for a short while) and close all applications such as the mail client before they go home. The same applies to internet cafés and in general to any computer on which the user signs in as a guest: all applications should be closed when the user finishes his work. One should also be careful when sharing removable media, for example with a colleague. In general, users should be vigilant at all times.
4.4.7 Transfer media
Users should be aware that regular antivirus protection of their workstation is not a complete solution and that transferring data, for example from the home computer to the computer at work, on external media must be done carefully. These media should also be checked for viruses regularly. The same applies to notebooks and laptops: an infected laptop brought from home and connected to the company network can do a lot of damage.
4.4.8 Archiving and encrypting sensitive data
Where the result of our work is data that should not be publicly accessible and whose disclosure may cause problems, it is advisable to encrypt the data before storing them and to archive them only in encrypted form. The PGP keys or X.509 certificates mentioned above can be used for this, as can any other sound encryption method. An encrypted file system is also a good tool for increasing the security of one's own data.
4.4.9 Knowledge of functionality of used tools and OS
This is the biggest weakness of current technology: its growing user-friendliness reduces the user's awareness of how an application works and what it can cause. Users often wonder how it is possible that their private e-mail can be read by someone other than the addressee, that data they themselves erased from the hard disk can still be found on the computer long afterwards, that they have violated copyright, that their mailbox is flooded with spam, that their computer is infected by a virus, etc. It is advisable to know and observe the following:
- Do not use the seemingly handy "remember my password for next login" function offered by browsers and mail clients. The user has to do a little more work, but the security of his data and electronic communication is worth it.
- Delete files using methods that physically overwrite the data rather than merely removing the record of them. Sensitive data should be dealt with before a faulty hard disk or other medium is returned to the vendor: the fact that the medium no longer works does not mean the data on it are unreadable. One solution is an encrypted file system, or at least encrypting selected files.
- Encrypt electronic communication, e.g. using a private X.509 certificate or PGP keys. To protect your own identity, sign your electronic messages.
- Do not open suspicious e-mails and above all their attachments.
- E-mail addresses also end up in spam databases when the following rules are broken:
  - Do not publish your e-mail address on web sites in a form that allows automated harvesting. If you want to publish your address, turn it into a picture or write it in a different form, e.g. somebody at somewhere dot cz instead of somebody@somewhere.cz.
  - Forward messages sensibly. Many e-mail addresses are harvested from jokes and similar messages that users want to share with colleagues and friends. After being forwarded several times such a message usually carries a long list of addresses, and if it gets, even unintentionally, into a web mail archive, those addresses will very likely end up in a spam database.
  - Do not answer offers to unsubscribe from address databases. If you do, you confirm that your address is live.
  - Cooperating with the administrator and the connection provider is an effective tool in fighting spam.
- If file-sharing clients (such as those for the BitTorrent protocol) are used incorrectly or are badly configured, data may be offered for download automatically while the user is still downloading them. The user is not aware of this: he believes that since he is only downloading copyright-protected data for his own use and does not intend to distribute them (which does not constitute copyright infringement), he is doing nothing wrong. He does not realise that his client makes the data available to other users as early as during the download and thereby makes him liable for copyright infringement. Copyright infringement has become a global issue. Many companies are deprived of considerable profits by it and therefore invest large sums in fighting such piracy, with both technical and legal means. On the technical side this means designing and developing systems that discover and monitor sources of illegal data and related activities. The owner of such a source may not even be aware of these activities, or may not be able to recognise them. In the best case the provider, contacted by the injured party, disconnects the user; in the extreme case the user may be sued for damages.
- Most services and tools have secured versions: the IMAPS, POPS and SMTPS protocols for electronic mail, and the SSH and SCP utilities for access to remote servers and data transfer (secured versions of telnet and FTP).
- Install only programs obtained from reliable, well-known and verified sources! Pornographic and similar sites often offer downloads whose real purpose is to gain control of the user's computer. Users can verify the integrity of software packages with their producers: not all software producers do it, but most of them sign their packages and these signatures can be verified. If the user is not confident, he should ask the administrator to install the new software.
4.4.10 Psychological pressure
Every user should be aware that he can become the target of psychological pressure. He should know that nobody, whether a colleague, the administrator or his boss, has any right to ask him for his password. Such a request is illegitimate, should raise suspicion, and should be reported. The administrator does not need the user's password because he has other means of authenticating himself to any computer he needs to access. Bosses normally have formal procedures, set out in internal guidelines, for gaining access. No one has the right to ask a colleague to disclose the password to his account, his key, etc. There is a parallel in ordinary life: we do not teach our neighbour or our boss to reproduce the signature specimen on our bank account. New students and new employees should be told about the possibility and the risks of psychological pressure.
This category also includes hoax e-mails saying "change your password immediately to 'zbcdef' or your account will be misused". The account will indeed be misused, but only if you follow the instruction. Users should remember that when the security of the system they work in has been compromised, the administrator will come and ask them to change their password in person, and will certainly not dictate which password to choose.
4.4.11 Ignorance of basic rights, duties and risks
Users can get into serious trouble even through seemingly innocent activity because they are not familiar with their basic rights and duties. Typically, users breach copyright when they place copyright-protected data (films, music, software) on their WWW pages, for example, or make them available through a file-sharing client so that the data can be freely downloaded. In doing so they distribute copyrighted data illegally. In the extreme case the injured party may sue and demand financial compensation. Some users think that nothing can happen to them over copyright: "What can a US company do to me? It cannot reach the Czech Republic." This is an illusion. Most countries, including the Czech Republic, have laws that punish the illegal distribution of copyrighted data, and anyone, foreigners included, can invoke them to protect their own works.
Another widespread phenomenon is spamming. By sending advertising to a large number of recipients the user not only breaks the rules of proper behaviour and network etiquette but in some cases also breaks the law of the country concerned.
Yet another issue is the misuse of personal data. So-called phishing has gained popularity in recent years. In general, phishing is spam that directs users to a false WWW page and tricks them into giving away their personal data. The false page usually impersonates a bank or an online service. The principle is simple: the users receive a hoax saying that their bank account is in danger of being misused and they may lose their deposits, and that this can be prevented if they immediately change, for example, the access code using the link in the message. The link does not take them to the bank's web page but to the attacker's page, whose design closely resembles the bank's and looks trustworthy. The user is asked to fill in confidential information, and once he does, the fate of his savings is sealed. To avoid being tricked by phishing, one should be aware of the following:
- Phishing e-mails tend to be generic, with no concrete name; the recipient's address is missing from the header or there are many addresses in it, etc. Serious organisations such as banks do not usually send bulk e-mail to their customers but targeted messages including the customer's name, title and other details. Nowadays these messages are frequently electronically signed.
- The e-mail contains a link to a web page whose URL merely "resembles" that of an existing bank, e.g. www.citybank.cz.23cz34.hosting.yahoo.com, where the real host is not under citybank.cz at all but under yahoo.com.
- The e-mail contains suspicious content: it threatens cancellation or misuse of the account, etc.
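The URL check from the second point can be automated at the mail gateway or in a user's client. The following Python example is added here and is not part of the report; it pulls links out of a message body and classifies each by whether its registrable domain is one the organisation actually uses, catching the host name above (whose real domain is yahoo.com) as well as the userinfo and raw-IP tricks. The TRUSTED set, the sample message and the addresses in it are constructed for the example; registrable_domain takes the last two labels, which is adequate for .cz and .com, but a production check should consult the public suffix list.

```python
"""Phishing link triage (added example, not part of the report)."""
import re
from urllib.parse import urlsplit

# Constructed: the domains this organisation's services really live under.
TRUSTED = {"citybank.cz", "cesnet.cz"}

LINK_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+")


def links_in(text):
    """Return every http(s):// or www. link found in a message body."""
    return [m.group(0).rstrip(".,)") for m in LINK_RE.finditer(text)]


def registrable_domain(host):
    """Last two labels: 'www.citybank.cz.x.yahoo.com' -> 'yahoo.com'.
    Adequate for .cz/.com; a production check uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url, trusted=TRUSTED):
    """Return the reasons a link looks like phishing; an empty list means it checks out."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return ["no host name in link"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # https://www.citybank.cz@evil.example/ : the text before @ is a user name, not the host
        reasons.append(f"userinfo before host ({parts.username!r})")
    if all(ch.isdigit() or ch == "." for ch in host):
        reasons.append("raw IP address instead of a name")
        return reasons
    reg = registrable_domain(host)
    if reg not in trusted:
        # the bank's name buried in a host name under someone else's domain
        lookalike = [t for t in trusted if t.split(".")[0] in host]
        if lookalike:
            reasons.append(f"domain {reg!r} only resembles {lookalike[0]!r}")
        else:
            reasons.append(f"unknown domain {reg!r}")
    return reasons


# Constructed phishing message in the style described in the text.
SAMPLE_MAIL = """\
Dear customer,
your account will be blocked. Confirm your access code within 24 hours at
http://www.citybank.cz.23cz34.hosting.yahoo.com/login
Sincerely, City Bank security team
"""


def triage(text):
    """Map each link in the message to its list of reasons."""
    return {link: classify_link(link) for link in links_in(text)}
```

The check deliberately ignores everything to the left of the registrable domain: "www.citybank.cz" at the start of the host name is exactly what the user's eye stops at, and exactly what carries no weight in DNS.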
There are two ways to protect against the exploitation of users' ignorance: educating the users and using common sense. A parallel from everyday life helps: you would not trust a stranger who claims that your bank account will be misused in five minutes and that only he can save it if you give him your ID and show him your signature specimen. You would go to your bank and ask instead.
In technical terms the protection is to verify the authenticity of the other party. This leads us to strengthening authentication mechanisms: private phrases, tokens, certificates and keys.
Figure 1: Example of a phishing e-mail
4.4.12 Cooperation between the administrator and the user
Communication between the administrator and the user is a very important part of security. The user should know that the administrator is there to help him as much as possible, in particular with security issues. Users are frequently ashamed to admit that they did something that may result in a security incident (e.g. a compromised password) and hide it, whether from fear of the administrator or their bosses or for fear of losing face. This is a huge mistake. A timely and adequate intervention by the administrator can often save a great deal; the longer the user delays notifying the administrator, the worse the situation can turn out in the end.
It also helps to realise that the administrator is a human being and not omniscient. So if the user suspects that something is wrong with his computer or with a particular service, he should notify the administrator, even if the suspicion later proves groundless.
4.5 Consequence of compromised network/computer security
Users often think that the security of their data, their computer and the network in general does not concern them, especially those who are only "passive" users, and that the computer they work on is looked after by an administrator. This view is most widespread among new students and new employees and, in general, among young, inexperienced users. They tend to think that the administrator is responsible for the security of "their" workstation and that if it is compromised they suffer no damage and bear no responsibility. This is wrong: even a passive user can actively contribute to the compromise of his own computer, for example by lending his computer or disclosing his password to a colleague, by using infected removable media, or simply through naivety and ignorance (copyright violation, spamming). None of this removes his responsibility. Another illusion some users hold is that once security has been compromised it is impossible to find out how the incident happened and who is responsible. Most experienced administrators can find out why security was compromised. Data recovery tools and central log servers that record key operations such as logins are a major help in finding the weak point of a compromised system. Users should be aware of these technologies (and of the fact that administrators are inquisitive and treat security incidents as an opportunity to learn something new). This raises their sense of responsibility: once they realise that nothing disappears irrevocably in the world of computers, they become more security-conscious.
In addition, it is advisable to inform them of the potential consequences of compromised computers and data, which can be very serious: for example, misuse of the user's identity and personal data to access other confidential data or to deceive others (electronically signed messages sent under a stolen identity), or draining a bank account using captured passwords.
All this can result in loss of privacy, personal standing, reputation or money, trouble in the family or a relationship, trouble at work and ultimately loss of the job or expulsion from school.
5 Conclusion
There is probably no universal recipe for achieving complete security, so what can we say in conclusion? The most appropriate advice is to "watch out", and where prevention fails and security is compromised, to address the problem quickly and effectively and to remove it with the least possible consequences. Moreover, one must remember that the end user is crucial for computer and application security, and time invested in their continuous education will certainly pay off.
Footnotes: