Information Systems Security: Past, Present, and Future
Megabyte Concepts
ISM 4320
Stanley L. Fidge
November 16, 2006
Executive Summary
Information Systems Security: Past, Present, & Future
Today’s global economy thrives on accurate, timely, and secure electronic data and voice communications. Since the mid-1980s, the trend toward networking, and in turn the need to secure computer workstations and networks, became evident as organizations sought to share information securely while the demand to process larger amounts and more types of information, together with the need to ensure its integrity, became paramount. Currently, wireless networks are still more common in residential households than in business organizations. However, business organizations are beginning to implement numerous types of wireless technologies to augment and extend their more secure wired networks in order to make sharing information easier. “Wireless networks extend the range of traditional wired networks by using radio waves to transmit data to wireless-enabled devices such as laptops, personal digital assistants, and many other wireless enabled devices.”(3) Compared with wired local area networks (LANs), wireless LANs are very appealing in both cost and ease of installation. However, there is always a trade-off for gaining mobility and ease of access. The counterweight is the accuracy and security of the voice and data communications carried over wireless networks, which makes organizations reluctant to implement wireless networks because of the many security concerns and vulnerabilities that we discovered during the research for this project.
We have taken an interest in these information security issues because of the scope and ramifications of combining wireless computer technologies with existing voice and data networks and/or replacing entire legacy voice and data networks with wireless technology. These modern wireless voice and data network solutions integrate past, present, and future computer technologies in ways that affect all methods of conducting business and revolutionize the way the global economy, nations, societies, businesses, governments, and consumers conduct their business and personal affairs. The knowledge worker and the mobile information society, with voice and data communications and information available at our fingertips through wireless technology throughout our daily lives, represent a permanent change to the paradigm of how we conduct our business and personal lives. We need to ensure that we conduct our business and personal lives in the information economy through safe and secure technological channels. Understanding current and future wireless computer technologies is paramount to safely integrating and utilizing the potential of these technologies within the confines of e-commerce and our global economy.
Our goal as a research group is to show you, the reader, that before you can protect any information system or voice and data network, you must understand the whole technological information infrastructure. Training of users and information technology professionals is critical. In tandem, updating existing security policies and implementing new ones are integral to planning for and overcoming the new threats that come with integrating current and future computer technologies, including highly secure wireless computer information technologies, into existing voice and data networks.
TABLE OF CONTENTS
Information System Security: Past, Present, & Future
Executive Summary
Table of Contents
Project Report
References
Examples of Management Information System Policies and Procedures (Packet)
Copies of Internet and Paper Based Sources (Packet)
Information Systems Security: Past, Present, & Future
Past
Today’s global economy thrives
on accurate and timely secure electronic data, information, and voice
communications. Since the mid 1980’s,
the trend to network computer workstations became evident in order to share
information as the demand to process higher amounts of data and different types
of information, in combination with ensuring the integrity of the information
became paramount. Decentralized local
area networks (LANs) consisted of servers, hubs, and category 3 Ethernet cable
plants to connect computer workstations to the servers at speeds of up to 10
megabits per second. Servers at that
time consisted of Novell or Windows NT network operating systems as well as
DOS, Windows, and Windows NT workstations.
The prevalent threats at the time were viruses contracted by infected
boot sectors on hard drives or floppy disks.
Starting at the local area
network level from the mid 1980’s forward, LAN’s consisted of file servers,
print servers, and database servers that computer users would utilize by
mapping permanent drives. Other
computer platforms and technologies consisted of connecting midrange and
mainframe computer systems, dumb terminals, and computer workstations with
emulation software via cable plants, such as Twin Ax or Shielded Twisted Pair
cables (STP) with ohm resistance based loop wire concentrators and other types
of cable plants. These centralized
computer platforms could also be connected into LAN’s at speeds of 1 megabit up
to 10 megabits per second in order to share information and data across
different networked hardware and software technologies. Users could also share directories, files,
and printers via the network that were made shareable through the network
operating system. Users
authenticated to the server from their computer workstation with a user name and
password. Based upon each user’s access
rights, login scripts, and group membership, various applications and network
resources were made available to the logged in user throughout the
network. Unfortunately, the code that
was written for network operating systems and workstations, provided by Novell,
Microsoft, and other vendors, contained numerous coding flaws that required
constant software patches and upgrades.(9) In comparison, the centralized mainframe
computer systems and networks did not contain the same high amount of security
flaws and problems inherent within the decentralized computer networks software
code. Concurrently, the administrators
who were responsible for sharing the decentralized LAN’s resources were either
not properly trained and/or did not properly implement the security settings in
sharing the networked resources securely which led to additional security
flaws, instability, and other paths for viruses and security threats to spread.
Bulletin Board Services (BBS)
and Internet Service Providers (ISPs) allowed computer users at home, on a
corporate network, or on a government network to remotely dial in via a modem
with a dedicated telephone line to upload and download data and transfer e-mail,
files, or messages. However, viruses and
other threats were easily transmitted via Internet Service Providers (ISP’s)
such as America Online, Prodigy, and various BBS providers.
The aforementioned remote
access services allowed computer users to browse or search for information and
connect in ways never before possible for the purpose of sharing data on a
government or commercial level down to a personal level at home. The desktop and command line based antivirus
applications such as McAfee and Norton Antivirus mitigated these threats with
reasonable success. Depending on how
well code was written for midrange and mainframe computers, viruses were not
readily designed to attack or impair these types of centralized computer system
networks, such as the IBM AS/400 and IBM RS/6000.
Wide Area Networks (WAN’s)
connected multiple LAN sites within an organization. Decentralized and
centralized networks were connected to form a WAN via T-1’s, T-3’s, analog or
digital modems, and Channel Service Units/Data Service Units (CSU/DSUs). AT&T, BellSouth, Sprint, and other data
communication vendors provided various dedicated bandwidths over a
frame-relay cloud or other WAN technology to provide remote network access for
a monthly fee. The bandwidth providers
vertically integrated and became BBS and ISP providers since they already were
providing the commercial hardware and software necessary to form the backbone
of the internet, which was originally developed by the government sponsored
ARPANET project. The voice and data
communication providers were the sole providers of bandwidth regulated by the
Federal Communications Commission (FCC) and other governmental regulatory
bodies for use by end users, private and public organizations, and other
government entities. All of the
commercial WAN and LAN networks interconnected and converged through these BBS
and ISP providers over time to form the largest global network available for
government, education, commercial, and personal use today – the Internet.
As all of the
commercial, governmental, educational, and home based computerized growth was
transpiring to give life to the Internet, the realization of the necessity of
information systems security emerged.
Due to the huge increase in the number of households with access to the
now public Internet, the need to secure computers beyond an antivirus program,
or authentication with a user name and password, became very apparent in the
time between the mid 1980’s and mid 1990’s.
From the mid 1990’s forward,
the introduction of wireless technologies, internet service providers (ISPs),
Bulletin Board Services (BBS), and new LAN/WAN/internet based remote access
options brought a host of new services and vulnerabilities. A few of these new
network services are listed as follows:
• Hypertext Transport Protocol (HTTP): internet servers
or web servers that host almost unlimited information over the Internet
• Simple Mail Transfer Protocol (SMTP): servers that
send and receive e-mail
• File Transfer Protocol (FTP): servers with which users
can upload and download data and/or information
• Database servers such as Microsoft SQL Server:
servers that store data and query it to generate reports, along
with a host of other decentralized services
The more recent network
operating systems, workstation operating systems, and hardware appliances also
changed the physical and logical designs of our wide area networks and local area
networks, not to mention how each organization connects to and utilizes the
Internet. These changes again brought
about a shift in how we think about and implement security on our
computer networks, carrying forward the security issues of prior
network designs while creating new ones.
In the early to mid 1990’s,
there was a huge shift away from centralized networks towards decentralized
networks. The processing of data was
required to be shared between the workstation and server (decentralized) versus
all of the data being processed within one large, powerful computer with the
results displayed on the dumb terminal (centralized). Data processing and Management Information
System departments assisted in making this possible by introducing new LAN
technologies into our computerized work environments such as the
following: wired 100 megabit networks
with switches replacing hubs, category 5 Ethernet cable plants replacing
slower, outdated category 3 Ethernet cable plants, and the introduction of 1 to
2 megabit wireless LAN’s.
Present
During this time from the mid
1990’s until now, we secured the perimeter of our local and wide area networks
with hardware and software appliances such as switches, routers, and firewalls. Network Administrators began implementing
layered security by applying the same security options at most layers of the
network such as anti-virus, anti-spyware, e-mail filtration, and firewalls from
the gateway (ISP router) down through the demilitarized zone (DMZ). From there, additional security was applied
at the firewall(s), down through the ACL’s of the internal router(s) performing
Internet Protocol (IP) filtering and Network and Port address translation (NAT
& PAT), into the Switches performing Media Access Control (MAC) filtering
and Virtual Local Area Network (VLAN) services, and finally to the server and
desktop level of centralized services.
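As an added illustration of the perimeter filtering described above (this is example code written for this edit, not from the paper or any router vendor), the following Python script models an ordered, first-match router ACL with an explicit default deny and evaluates constructed packets against it. The address ranges, the rule set and the sample traffic are assumptions chosen for the example; the `shadowed_rules` check flags rules that an earlier, broader rule prevents from ever matching, a common error when ACLs grow over time.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan for the example (not taken from the paper):
# the DMZ is a public /24 and the internal LAN is RFC 1918 space.
ANY = "0.0.0.0/0"
DMZ = "203.0.113.0/24"
LAN = "10.0.0.0/8"


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # destination port; None matches every port


# Ordered, first-match ACL for the router between the ISP gateway and the
# DMZ/LAN, ending in an explicit default deny (a hypothetical policy).
EDGE_ACL: List[Rule] = [
    Rule("permit", ANY, DMZ, "tcp", 80),    # public web server in the DMZ
    Rule("permit", ANY, DMZ, "tcp", 443),
    Rule("permit", ANY, DMZ, "tcp", 25),    # mail gateway in the DMZ
    Rule("permit", LAN, ANY, "tcp", None),  # internal hosts may go outbound
    Rule("permit", LAN, ANY, "udp", 53),    # and resolve DNS
    Rule("deny", ANY, ANY, "any", None),    # everything else is dropped
]


def rule_matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """True if the packet (src, dst, proto, dport) falls inside the rule."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, int]:
    """Return (action, index of the matching rule); index -1 means the implicit deny."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action, index
    return "deny", -1


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers them.

    A rule is shadowed when some earlier rule has source and destination
    networks that contain its own and a protocol and port at least as broad.
    """
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            src_covered = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            dst_covered = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            proto_covered = earlier.proto == "any" or earlier.proto == later.proto
            port_covered = earlier.dport is None or earlier.dport == later.dport
            if src_covered and dst_covered and proto_covered and port_covered:
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample traffic: (src, dst, proto, dport)
    samples = [
        ("198.51.100.7", "203.0.113.10", "tcp", 80),   # Internet -> DMZ web
        ("198.51.100.7", "203.0.113.10", "tcp", 22),   # Internet -> DMZ ssh
        ("198.51.100.7", "10.0.0.5", "tcp", 445),      # Internet -> LAN file sharing
        ("10.0.0.5", "198.51.100.7", "tcp", 443),      # LAN -> Internet https
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(EDGE_ACL, *pkt))
    print("shadowed rules:", shadowed_rules(EDGE_ACL))
```

Run as a script it prints one decision per sample packet and reports that the example ACL contains no shadowed rules; appending a narrower rule after the final `deny any any` makes `shadowed_rules` report its index, which is the check worth running before any ACL change goes live.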
Some of these centralized services were McAfee
ePolicy Orchestrator (ePO) servers that install a desktop firewall, antivirus
clients and agents, and anti-spyware, and Windows Server Update Services (WSUS) at the
desktop level. These application
services monitor and update the clients and allow the desktop services to
protect each computer and server within the internal local area or wide area
network from the Internet or extranet networks.(1,
9) Today and into the future, new
network perimeter security options such as Intrusion Detection Systems (IDS)
will continue to secure our networks.
Wireless LAN’s are now becoming
more common since networking became a normal computing paradigm from the early
to mid 1990’s. This paradigm shift in
how we communicate and process data via wireless computers and devices from
wired computers and devices is mostly attributable to the lesser amount of
hardware required to implement and maintain a wireless network. Another reason is the ease of access that
wireless LAN’s provide as the newest data communication medium for computer users
to share information. A prominent reason
wireless LANs became popular is the constant drop in the price of
wireless hardware over time, together with the fact that the cost of cabling is eliminated
and that less hardware is necessary to create a local area network.
In comparison to the cost of
wired LANs, the lower cost of establishing wireless LANs and/or WANs is very
appealing, as are their ease of installation and the reduced amount of hardware needed to
achieve the same network capability.
However, there is always a balance to be addressed concerning the ease
of access and flexibility that wireless LAN’s provide. The counter weight is the instability and
weak security regarding voice and data communications sent over the wireless
LAN and WAN connections that make organizations reluctant to implement wireless
networks.
Today, wireless networks are
more common in residential households than in business organizations. But business organizations are now
implementing numerous types of wireless technologies to augment and extend
their more secured wired networks in order to facilitate the ease of sharing
information at the expense of the security and accuracy of that same
information. “Wireless networks extend the range of traditional wired networks
by using radio waves to transmit data to wireless-enabled devices such as
laptops, personal digital assistants, and many other wireless enabled
devices.”(3) “IEEE 802.11 is a wireless
network standard developed in 1990 by the Institute of Electrical and
Electronics Engineers, Inc. In September
of 1999, a new 802.11b high rate was amended to the 802.11 standard. At the same time 802.11b was released, the
802.11a standard was released and by late 2001, 802.11g standard was
released.”(2)
The speed of these wireless
networks increased from 1 and 2 megabits, up to 54 megabits and will continue
to increase. However, the security of
these wireless technologies has not been improved until recent times. Included in these wireless standards are
security features designed to provide wireless communications with a level of
privacy equivalent to wired networks.
These privacy features are known as Wired Equivalent Privacy (WEP), WiFi Protected Access (WPA), and WPA version 2. “Shortly
after the 802.11 standard was released, WEP was released, but doubts began to
rise over the security of WEP.”(2) WPA
was developed to address the shortcomings of WEP. (7, 14, 18, 19, 20) However, we have found through our research
that WEP and WPA are not enough to securely protect any critical information
being transmitted over a wireless network.
Securing wireless networks
beyond common wireless attacks is essential even if the data traversing the
network is not mission critical or highly confidential. Wireless signals tend to reach beyond an
organization’s physical walls. An unauthorized
user may be able to authenticate to a wireless network and perform a Denial of
Service (DOS) attack on the network resources to use up all available
bandwidth. (4) An attacker can also
channel thousands of unsolicited e-mails through an organization’s e-mail
server, an open e-mail relay server attack, making the spam appear as though
the spam was coming from the organization. (14, 15, 18) “Physical security vulnerabilities allow an
attacker to tap into an access point, bridge, switch, or antenna on the outside
of a building if these components are not properly secured.”(18) Also, there is not a standard network
authentication that prevents a wireless client from authenticating to a rogue
access point. There are serious flaws in
relying on WEP encryption. The
encryption mechanisms in WEP were not implemented properly. WEP uses a shared key or symmetric encryption
that requires the administrator to manually generate and configure encryption
keys in all devices on the wireless segment. (7)
Shared key encryption uses the
same key to encrypt and decrypt data communications. Because the encryption keys are static,
they must be rotated manually. This static key environment introduces
vulnerability in that every device has the same key, increasing the chances of
the key’s exposure within a matter of hours.
Once the key is discovered the encryption can be broken since the
mathematical algorithm is published and therefore, the data communications can
be compromised. (14, 15, 18)
A new Wi-Fi Protected Access
(WPA) encryption was introduced to harden the wireless network. The new WPA standard uses Temporal Key
Integrity Protocol (TKIP). TKIP
addresses the known vulnerabilities of WEP as follows: WPA offers encryption key mixing for each
packet sent (asymmetric encryption that uses a different key to encrypt and
decrypt data communications (7)), extended initialization vector (IV) with
sequencing rules, message integrity check (MIC) a function called Michael, and
a re-keying mechanism for periodic changing of encryption keys. WPA also involves deploying the Extensible
Authentication Protocol (EAP) with the IEEE 802.1x standard to offer the
following security features: mandatory
128 bit encryption keys, strong user authentication, data confidentiality, data
integrity, and all network activity is blocked until the user authentication is
successful.(18)
The Advanced Encryption Standard (AES) will be reinforced in the future
IEEE 802.11i standard, which will not be backward compatible with today’s
wireless networks. The new AES
encryption standards will employ centralized login management, secure
de-authentication, and disassociation. (18)
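To make concrete what per-packet key mixing, the sequenced IV, the MIC and re-keying add over a static shared key (the WEP weaknesses described above and the TKIP features just listed), here is an added toy model written for this edit. It is not TKIP, WEP or any vendor's code: the cipher is a SHA-256 counter keystream standing in for RC4, the MIC is an HMAC rather than Michael, and the key and message values are constructed. One caveat worth keeping in mind: TKIP's per-packet keys are still symmetric, since both stations derive the same packet key from the shared temporal key and the sequence counter; what changes relative to WEP is that no two frames share a keystream, not that encryption and decryption use different keys. The model shows the static-key link accepting a replayed frame and producing identical ciphertext for identical payloads, while the sequenced link rejects replays and modified frames and keeps working after both sides re-key.

```python
import hashlib
import hmac


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stands in for RC4; not a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StaticKeyLink:
    """WEP-like model: one shared key for every frame, no per-frame key mixing,
    no keyed integrity check and no sequence counter."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key

    def send(self, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, keystream(self.key, len(plaintext)))

    def receive(self, frame: bytes) -> bytes:
        # Any frame that decrypts is accepted, including one seen before.
        return xor_bytes(frame, keystream(self.key, len(frame)))


class PerPacketKeyLink:
    """TKIP-like model: a per-frame key mixed from the temporal key and a sequence
    counter, a keyed MIC over the frame, sequencing rules that reject replays,
    and a re-keying step that installs a fresh temporal key on both sides."""

    SEQ_LEN = 6   # sequence counter sent in the clear, like the extended IV
    MIC_LEN = 8

    def __init__(self, master_key: bytes):
        self.master = master_key
        self.rekey(0)

    def rekey(self, epoch: int) -> None:
        # Both stations call rekey() with the same epoch to rotate the temporal key.
        self.tk = hmac.new(self.master, b"temporal" + epoch.to_bytes(4, "big"), hashlib.sha256).digest()
        self.tx_seq = 0
        self.last_rx_seq = -1

    def _packet_key(self, seq: int) -> bytes:
        # Per-packet key mixing: each frame gets its own key (still symmetric).
        return hmac.new(self.tk, b"mix" + seq.to_bytes(self.SEQ_LEN, "big"), hashlib.sha256).digest()

    def _mic(self, seq_bytes: bytes, body: bytes) -> bytes:
        return hmac.new(self.tk, seq_bytes + body, hashlib.sha256).digest()[: self.MIC_LEN]

    def send(self, plaintext: bytes) -> bytes:
        seq, self.tx_seq = self.tx_seq, self.tx_seq + 1
        seq_bytes = seq.to_bytes(self.SEQ_LEN, "big")
        body = xor_bytes(plaintext, keystream(self._packet_key(seq), len(plaintext)))
        return seq_bytes + body + self._mic(seq_bytes, body)

    def receive(self, frame: bytes) -> bytes:
        seq_bytes, body, mic = frame[: self.SEQ_LEN], frame[self.SEQ_LEN:-self.MIC_LEN], frame[-self.MIC_LEN:]
        seq = int.from_bytes(seq_bytes, "big")
        if seq <= self.last_rx_seq:
            raise ValueError("replayed frame: sequence counter did not advance")
        if not hmac.compare_digest(mic, self._mic(seq_bytes, body)):
            raise ValueError("MIC failure: frame was modified in transit")
        self.last_rx_seq = seq
        return xor_bytes(body, keystream(self._packet_key(seq), len(body)))


def demo() -> dict:
    """Exercise both models on constructed frames and report what each accepts."""
    r, key, msg = {}, b"constructed-shared-key", b"meter reading 42"
    static_tx, static_rx = StaticKeyLink(key), StaticKeyLink(key)
    f1, f2 = static_tx.send(msg), static_tx.send(msg)
    r["static_same_ciphertext"] = f1 == f2          # repeats are visible on the air
    r["static_replay_accepted"] = static_rx.receive(f1) == msg and static_rx.receive(f1) == msg

    tx, rx = PerPacketKeyLink(key), PerPacketKeyLink(key)
    g1, g2 = tx.send(msg), tx.send(msg)
    r["mixed_ciphertexts_differ"] = g1[tx.SEQ_LEN:-tx.MIC_LEN] != g2[tx.SEQ_LEN:-tx.MIC_LEN]
    r["mixed_first_accepted"] = rx.receive(g1) == msg
    try:
        rx.receive(g1)
        r["mixed_replay_rejected"] = False
    except ValueError:
        r["mixed_replay_rejected"] = True
    tampered = bytearray(g2)
    tampered[8] ^= 0x01                             # flip one ciphertext bit
    try:
        rx.receive(bytes(tampered))
        r["mixed_tamper_rejected"] = False
    except ValueError:
        r["mixed_tamper_rejected"] = True
    r["mixed_valid_after_tamper"] = rx.receive(g2) == msg   # the genuine frame still passes
    tx.rekey(1)
    rx.rekey(1)
    r["works_after_rekey"] = rx.receive(tx.send(msg)) == msg
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

Every entry `demo()` returns is `True`, which is the point of the comparison: the properties the text attributes to TKIP (distinct keystreams, replay rejection, integrity failure on modification, continued operation after a key change) come from the counter, the mixing step and the keyed MIC, none of which the static-key link has.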
WPA and WPA2 are based on the
802.11i standard. WPA uses the 128 bit
(TKIP) encryption key. WPA2 uses AES
encryption, which supports 128, 192, and 256 bit keys. (20) Regardless of the wireless encryption
standard employed within an organization, if the recommendations that follow are
not implemented, attackers can launch passive and active attacks against an
organization’s wireless network and thereby gain access to the “secured” intranet
by listening to or sniffing IP traffic and then capturing this data to footprint or
map the configuration of an organization’s entire network. (14)
These attacks include MAC address spoofing, access point spoofing, DOS and distributed DOS
(DDOS) attacks, generation of static or noisy signals to disrupt wireless
communications, and spoofing numerous associations by creating more connections
than the maximum number allowed by the wireless access
point. (14)
The following recommendations
are “best practices” to harden wireless systems:
• Change default access point passwords and service set
identifiers (SSID)
• Do not broadcast SSIDs
• Terminate access points within your LAN segment and
place them on a separate IP network segment or in the DMZ
• Use virtual private networks (VPNs) to eliminate
encryption spoofing vulnerabilities
• Use an encrypted link to administer the wireless
access point
• Apply the latest vendor specified patches for the
access point
• Disable remote updates of the access point
• Enable MAC address filtration
• Physically secure access points
• Require firewall and antivirus use on all wireless
equipment, and enforce strong passwords
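The checklist above can be turned into a repeatable audit rather than a one-time review. The script below is an added example (not from the paper or any product): it holds a constructed inventory of access point settings and reports each item of the list that an access point violates, together with the encryption caveat the text raises for WEP. All field names, the factory SSID list and the two inventory entries are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed list of factory SSIDs to compare against (illustrative only).
FACTORY_SSIDS = {"default", "linksys", "netgear", "wireless", "dlink"}
ENCRYPTED_MGMT = {"https", "ssh"}
ISOLATED_SEGMENTS = {"dmz", "wireless-vlan"}


@dataclass
class AccessPoint:
    """Configuration snapshot of one access point; each field is a hypothetical
    attribute an inventory tool might collect, not a vendor setting by name."""
    name: str
    ssid: str
    ssid_broadcast: bool
    admin_password_changed: bool
    encryption: str          # "none", "WEP", "WPA" or "WPA2"
    mgmt_protocol: str       # protocol used to administer the AP
    firmware: str
    latest_firmware: str     # current vendor release for this model
    remote_update: bool
    mac_filtering: bool
    segment: str             # where the AP terminates: "dmz", "wireless-vlan" or "lan"
    physically_secured: bool


def audit(ap: AccessPoint) -> List[str]:
    """Return one finding per best-practice item the access point violates."""
    findings = []
    if not ap.admin_password_changed:
        findings.append("default admin password still set")
    if ap.ssid.lower() in FACTORY_SSIDS:
        findings.append("default SSID still set")
    if ap.ssid_broadcast:
        findings.append("SSID broadcast enabled")
    if ap.segment not in ISOLATED_SEGMENTS:
        findings.append("AP terminates on the internal LAN segment")
    if ap.mgmt_protocol not in ENCRYPTED_MGMT:
        findings.append(f"administration over unencrypted {ap.mgmt_protocol}")
    if ap.firmware != ap.latest_firmware:
        findings.append(f"firmware {ap.firmware} behind vendor release {ap.latest_firmware}")
    if ap.remote_update:
        findings.append("remote update enabled")
    if not ap.mac_filtering:
        findings.append("MAC address filtering disabled")
    if not ap.physically_secured:
        findings.append("AP not physically secured")
    if ap.encryption in ("none", "WEP"):
        findings.append(f"link encryption is {ap.encryption}")
    return findings


def audit_fleet(aps: List[AccessPoint]) -> Dict[str, List[str]]:
    """Map each access point name to its list of findings."""
    return {ap.name: audit(ap) for ap in aps}


# Constructed inventory: one factory-default AP and one hardened AP.
FLEET = [
    AccessPoint("ap-lobby", "linksys", True, False, "WEP", "http",
                "1.0", "1.4", True, False, "lan", False),
    AccessPoint("ap-floor2", "corp-7f3a", False, True, "WPA2", "https",
                "1.4", "1.4", False, True, "dmz", True),
]


if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Each finding maps to one bullet of the list, so a clean run means the list has been applied in full; the firmware comparison depends on the inventory carrying the vendor's current release, which in practice has to be refreshed on every audit run.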
Education of wireless users,
information technology (IT) staff, and the implementation of security policies
with support for enforcement sanctioned by the entire organization are vital to
the stability and security of the entire organization. (4, 18, 22)
To conclude these recommendations: wireless networks are here to
stay. Secure utilization of wireless technology
requires a multilayer approach that integrates vulnerability assessment,
policies and procedures, user and IT support education, and an overall security
management strategy. (20)
The past, present, and possibly
future security paradigm problems still exist; we continue to implement new
technologies into our networks such as wireless capabilities without considering
the new incoming security issues related to augmenting or totally replacing
our existing networks with new technologies.
The advent of these new servers, application services, software,
hardware, and wireless technologies present new vulnerabilities and security
issues that must be addressed from the standpoint of modifying existing or
implementing new policies and procedures, from a LAN/WAN/Internet operational
continuity and security perspective,
from consideration of physical and logical network security issues, down to training the end
users and Management Information Systems staff, and from ensuring that the
general security recommendations and baselines are met or exceeded for the
benefit of the entire organization.
Before you can protect any
information system or network, you must understand the whole information
infrastructure. The training of users
and Information Technology professionals is critical. In tandem, updating and implementing existing
and new security policies respectively are integral to planning and overcoming
the new threats associated with integrating current and future computer
technologies into existing data networks with highly secure wireless computer
information technologies. There are many
other past and present computer security concerns that we found worthy of
discussing during the research of this project which have been propagated to
the present to add to the insecurity of our modern computer systems.
Because of operational
challenges and staff expectations, operational continuity is more difficult
than ever to ensure. “At a time when
organizations, staff, and the public have high expectations for operational
continuity, departments are faced with mounting threats to that continuity,
making the entire concept of operations continuity more complex and more
difficult to achieve.” (16) The primary
components to consider in operations continuity are planning, technologies,
redundancy, software, hardware, and services.
Planning involves determining what sorts of failures might occur. Be sure to factor in natural disasters,
security breaches, and utility power failures.
Then, figure out how much that will cost per hour, day, week, or any
other necessary measurement over time.
Finally, you use those statistics to develop a business case with which
you can generate a return on investment.
Planning also involves building
a complete business case, working with staff, and outsourcing. (16)
Operations continuity in regards to technology involves document
management, data recovery, monitoring and alerting, computer imaging, and patch
management. (16) Redundancy involves duplication of services
at many levels such as agreements with utility providers to provide backup
power, maintaining redundant servers, applications with load balanced
redundancy, and redundant application storage.
Other factors of redundancy are data replication, cross training
personnel, branch facility for backup space, and duplicate copies of important
materials: manuals, software, and backup
media. (16) Software, hardware, and services continuity
involves license management, vendor support, and assistance technology. Data security is an obvious concern. A layered network designed for data security
includes firewalls between major network segments and scanning software
implemented at multiple levels: firewalls, servers, client computers, e-mail,
and e-mail gateways. Other operations
contingencies are as follows: storage
strategies such as RAID 1 (mirroring) and RAID 5 (disk striping with
parity), and power protection strategies such as uninterruptible power supplies
(UPSs) and power filtering. (16) We have deduced through our research that
planning for the worst in advance is a good contingency plan, and that ensuring
there is no single point of failure through redundancy throughout the network
infrastructure, requiring multiple backups and approaches to access agency data,
and having a strategy to keep track of all management information system
assets are prudent guidelines to follow.
All of the above options are essential in being on guard with a disaster
recovery plan. (17)
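Striping with parity is easiest to understand by working through the parity arithmetic that makes the "no single point of failure" goal concrete. This added example (not from the paper or its cited source) lays constructed data out as a RAID 5 set of simulated disks, fails one of them, rebuilds it from the surviving blocks with XOR, and shows why a second simultaneous failure is not recoverable with single parity; disk count and block size are parameters chosen for the illustration.

```python
from typing import List, Optional

Block = Optional[bytes]   # None stands for a block on a failed (unreadable) disk


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is the parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_raid5(data: bytes, ndisks: int, block_size: int) -> List[List[Block]]:
    """Lay data out as RAID 5: each stripe holds ndisks-1 data blocks plus one
    parity block, and the parity position rotates from stripe to stripe."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_per_stripe = (ndisks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % data_per_stripe)
    disks: List[List[Block]] = [[] for _ in range(ndisks)]
    for s in range(len(padded) // data_per_stripe):
        chunk = padded[s * data_per_stripe:(s + 1) * data_per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(ndisks - 1)]
        parity_disk = s % ndisks
        pending = iter(data_blocks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(data_blocks) if d == parity_disk else next(pending))
    return disks


def fail_disk(disks: List[List[Block]], index: int) -> List[List[Block]]:
    """Simulate losing one disk: every block on it becomes unreadable."""
    disks[index] = [None] * len(disks[index])
    return disks


def rebuild(disks: List[List[Block]]) -> List[List[Block]]:
    """Recover a single failed disk by XORing the surviving blocks of each stripe
    (data XOR parity gives the missing block, whichever role it played)."""
    failed = [d for d, disk in enumerate(disks) if any(b is None for b in disk)]
    if len(failed) > 1:
        raise RuntimeError(f"{len(failed)} disks failed; single parity can rebuild only one")
    for f in failed:
        for s in range(len(disks[0])):
            disks[f][s] = xor_blocks([disks[d][s] for d in range(len(disks)) if d != f])
    return disks


def read_raid5(disks: List[List[Block]], length: int) -> bytes:
    """Reassemble the original bytes, skipping each stripe's parity block."""
    ndisks, out = len(disks), b""
    for s in range(len(disks[0])):
        for d in range(ndisks):
            if d != s % ndisks:
                out += disks[d][s]
    return out[:length]


def recover_after_failures(data: bytes, ndisks: int, block_size: int, failed: List[int]) -> Optional[bytes]:
    """Write data, fail the given disks, attempt a rebuild; None if not recoverable."""
    disks = write_raid5(data, ndisks, block_size)
    for index in failed:
        fail_disk(disks, index)
    try:
        return read_raid5(rebuild(disks), len(data))
    except RuntimeError:
        return None


if __name__ == "__main__":
    sample = bytes(range(100)) * 3    # constructed 300-byte payload
    print("one disk lost :", recover_after_failures(sample, 4, 8, [2]) == sample)
    print("two disks lost:", recover_after_failures(sample, 4, 8, [1, 3]))
```

The same XOR that produced the parity recovers any one missing block, which is why a four-disk RAID 5 survives one failure but not two; mirroring (RAID 1) trades that arithmetic for a full second copy and survives the loss of either copy at twice the storage cost.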
According to the 2006 CSI/FBI
Computer Crime and Security Survey, “virus attacks continue to be the source of
the greatest financial losses.
Unauthorized access continues to be the second greatest source of
financial loss.” (13) The survey reports that the outsourcing of
computer security functions has not changed from the past few years and 61
percent of respondents do not outsource any security activities related to
their computer or networks. The use of
cyber crime insurance remains low. Over
80 percent of the organizations conduct security audits. Security awareness
training is viewed as important and 25 percent of all respondents reported
computer intrusions to law enforcement.
(13) The table below according to
the Computer Security Institute reveals a slow decline in the frequency of
attacks on computer systems. (13)

[Chart not reproduced in this copy: CSI/FBI 2006 Computer Crime and Security Survey, 341 respondents, frequency of attacks on computer systems by year. Source: Computer Security Institute]
This chart reveals that the
total number of incidents reported by respondents regardless of their rate of
frequency has been relatively unchanged for 8 years. The Computer Security Institute’s claim of
a slow decline in the frequency of attacks on computer systems does
not seem to be supported by graphical analysis of their raw statistics. We believe the number of computer security
breaches has remained constant over the 8 year period. Furthermore, the unexpected threat that is
usually overlooked derives from the inside of an organization, not from outside
sources, such as extranets and the internet.
The end user is the source of attacks that is the most difficult to
defend against. These intranet computer
users exist within the soft core of any network. Security is generally not as strong or
layered in comparison to a secured network perimeter utilized to thwart
external attacks. The end users within
an organization should be monitored by IT staff and in fact, IT staff should
also be monitored. Employees with
various levels of network access and computer skills are susceptible to social
engineering, and if they become disgruntled, these employees
are even more dangerous. “Social
engineering is one of the most successful attacks because; these attacks
exploit the weakest link in any organizations security infrastructure – the human
element.” (23) Social engineering is an attack that takes
less time and knowledge compared to a brute force attack such as password
guessing or breaking an encryption algorithm with a fast computer. This basic
attack from the inside includes network intrusion, unauthorized access to systems
and information, identity theft, and espionage.
Social engineering attacks are
active attacks that occur on the physical and psychological level. Dumpster diving, the telephone, e-mail, the
Internet (Phishing), and the work place are all possible places of attack. The methods of psychological attack are
persuasion, impersonation, ingratiation, conformity, and friendliness. Again, end user and IT staff education and
training are the most effective preventative strategies against a social
engineering attack. (23)
Other top security concerns
identified by IT professionals are as follows:
policy and regulatory compliance, identity theft and leakage of private
information, viruses, worms, Trojan horses, resources
for security funding and training, and access control.
“Phishing is a form of online identity
theft that employs both social engineering and technical subterfuge to steal
consumer’s personal identity data and financial account credentials.” (11)
Social engineering uses a spoofed e-mail message to lead computer users
to counterfeit websites designed to trick users into divulging personal and
financial data, usernames, and passwords.
Technical subterfuge involves installing “crimeware”
onto the unsuspecting user’s computer to steal online usernames, passwords, and
digitally stored personal and financial information. (11)
Every planned, implemented, and
secured network is worthless if a proper disaster recovery plan is not
documented and in operation. Information
systems security should also include disaster recovery planning and preparedness. A disaster recovery plan can be daunting, but
the following best practices can mitigate the overwhelming effects of
developing a strong disaster recovery policy.
Back up mission critical systems offsite or have a plan to do so in an
emergency. Back up data daily, in
addition to sending system tape backups offsite each week or month.
Create an information systems
roadmap that is stored offsite. Identify
the potential points of failure in the recovery plan and have contingency plans
and redundancy options offsite. Place an
enormous priority on maintaining and reestablishing communications. Prioritize systems and operations in order of
importance and functionality. Test and
refine the disaster recovery system and plan every month. When disaster strikes, the recommendation is
to be concerned about employees and people first. The organization should develop strong
relationships with its vendors. Keep
redundant and extra equipment on hand.
On an annual basis, the organization should calculate and adequately
insure the organization’s equipment and resources. Hire the best chief technology officer and
network administrator the organization can afford. Finally, make sure the organization’s ISP has
diverse routing or consider purchasing internet access and bandwidth from
multiple ISP’s. (15)
There is not a single
technology, written policy and procedure, consultant, or security professional
that can solely provide adequate network security. Information systems security is built layer
upon layer using multiple approaches in an attempt to limit vulnerabilities
while balancing the realities of time and budgetary resources. (24)
Today and into the distant
future, there will be a need to identify various security levels required for
various organizational assets in order to know how to secure each
identified asset accordingly. The recommended
levels to classify organizational assets are public, private, proprietary, and
sensitive.
Future
Please keep in mind that there is an information systems security life cycle, and that procedures need to be implemented to manage that life cycle. An organization should also consider how much data and how many physical information systems assets it is acceptable to lose and still be able to recover from in the event of a security breach or natural disaster. Can the organization, financially and by other standards, survive the loss of a day or more of data, or being totally offline? Are hours, days, or weeks acceptable?
The answer will dictate the level of upfront investment and preparedness necessary to help guarantee that those losses are minimized to the level acceptable for maintaining operations continuity for the entire organization. Other policies and procedures recommended for implementation within an organization are an acceptable usage policy, remote access policy, continuity policy, system configuration baseline policy, password policy, mobile device usage policy, firewall and DMZ policy, encryption policy, VPN policy, antivirus policy, and patch management policy. (24) The defense life cycle, or information systems security life cycle, consists of assessing the value of IT assets and the security controls in place in order to develop policies and implement procedures that protect data and network assets, and then managing those policies and the network by continually attempting to detect weaknesses within any part of the information security life cycle as it applies to an organizational network.
Then, the organization needs to respond to those issues and incorporate the resulting changes throughout the defense life cycle in order to update the life cycle, improve its effectiveness, and therefore improve the overall security of an organization’s computer and network resources. (25)
The ultimate responsibility for securing the information systems infrastructure rests with IT professionals. Internet access, e-mail, and web servers are the greatest external threats facing any organization’s information systems security. Securing e-mail and securing instant messaging (IM) are critical. Organizations can protect e-mail messages by implementing Secure Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP) to encrypt e-mail messages. (2) E-mail messages can also be secured by using filtering software, such as the Group Technologies, Inc. software, to filter e-mails for spyware, spam, malware, crimeware, ad-ware, malicious and inappropriate content, and malicious attachments, by leveraging antivirus software to scan e-mails for threats such as viruses, worms, and Trojan horses. An added benefit is the ability to archive all incoming and outgoing e-mail messages for permanent storage and record. Other security recommendations regarding e-mail are to educate end users never to respond to spam, not to post organizational e-mail addresses on a public web site, to use a second e-mail address for newsgroup correspondence, not to provide an e-mail address without knowing how it will be utilized, never to buy anything advertised in spam, and finally to avoid hoaxes and not forward them. Domain Name Service (DNS) reverse lookups can be implemented and used to determine whether senders of e-mail messages are who they say they are, that is, to detect spoofed e-mails. DNS blacklists and white lists can be utilized within the e-mail server to filter on the Fully Qualified Domain Names (FQDN) associated with e-mail addresses that those lists identify as spammers, and effectively block those e-mails from being received.
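As an added illustration of the reverse lookup and DNS blacklist checks described above (this code is not from the paper or from any product it cites), the following Python uses a constructed DNS table in place of a live resolver; the zone, host names and addresses are hypothetical values.

```python
import ipaddress

# Constructed, hypothetical DNS answers standing in for a live resolver
# (none of these names, addresses or zones come from the paper).
FAKE_PTR = {                       # reverse (PTR) records: IP -> host name
    "203.0.113.10": "mail.example.net",
    "198.51.100.7": "mx.example.org",
    "192.0.2.9": "spoof.example.com",
}
FAKE_A = {                         # forward (A) records: host name -> IPs
    "mail.example.net": ["203.0.113.10"],
    "mx.example.org": ["198.51.100.7"],
    "spoof.example.com": ["192.0.2.200"],   # does not point back to 192.0.2.9
}
DNSBL_ZONE = "dnsbl.example"       # hypothetical blacklist zone
FAKE_DNSBL = {"7.100.51.198.dnsbl.example"}   # listed senders, reversed-octet form
FAKE_WHITELIST = {"mail.example.net"}         # trusted sender FQDNs


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the name a mail server queries in a DNS blacklist: the sender's
    IPv4 octets in reverse order, followed by the blacklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_blacklisted(ip, listed=FAKE_DNSBL):
    """True when the blacklist zone has an entry for this sender's IP."""
    return dnsbl_query_name(ip) in listed


def forward_confirmed_rdns(ip, ptr=FAKE_PTR, a=FAKE_A):
    """Reverse-lookup the IP to a host name, then require that the host name
    resolves back to the same IP; a mismatch or missing PTR suggests spoofing."""
    name = ptr.get(ip)
    return bool(name) and ip in a.get(name, [])


def classify_sender(ip):
    """Decision a receiving mail server could make from the lookups above:
    whitelist (only with confirmed rDNS), then blacklist, then the rDNS check."""
    name = FAKE_PTR.get(ip)
    if name in FAKE_WHITELIST and forward_confirmed_rdns(ip):
        return "accept"
    if is_blacklisted(ip):
        return "reject"
    if not forward_confirmed_rdns(ip):
        return "suspect"   # flag or quarantine; the sender may be forged
    return "accept"
```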
The success rate of these various e-mail filtering measures is normally about 70% and at optimal efficiency about 80%. Therefore, 2 to 3 unwanted e-mails out of 10 will still pass through to the end user’s mailbox. Installing and properly setting up the e-mail server will ensure that it is not utilized as an SMTP mail relay agent, will prevent network bandwidth saturation, will prevent the organization’s FQDN from becoming listed on DNS black and white lists so that outgoing e-mails are received by the intended recipients, and will protect the organization’s network from being compromised by relayed e-mails or spam. (21)
There is nowhere else in the modern world of computers and networking where the balance between convenience and security is more difficult to achieve than within the realm of Instant Messaging (IM) communications. Basically, convenience always has its price. IM is a communications tool that brings a new class of IT security challenges. Using current IM software could expose the organization to eavesdropping, breached internal security, and malicious code. While IT departments spend time and budgetary resources securing e-mail and the organization’s network perimeter, the back door is left open to a host of new threats once IM is implemented within an otherwise secure information systems infrastructure.
Without the right IM security solution in place, external and internal network threats have a direct channel into the organization’s network. External threats include IM viruses, worms, Trojan horses, and spam. Internal threats due to insufficient IM security expose the organization’s information systems resources to data and network corruption, loss of intellectual property, and exposure of proprietary information. (19) The recommendation to date is to avoid implementing IM within an organization that is sensitive to security issues. If IM is sanctioned for use within the organization, then the organization should use a consumer-grade IM solution, communication data must be logged and archived like e-mail, and it is recommended to link IM accounts to Active Directory services. (19) There are a number of IM security products available to assist with securing IM.
Web security involves locking down all computer based web browsers by enabling the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) options throughout the organization. (7) When possible, utilizing the Secure Hypertext Transport Protocol (HTTPS) between a computer’s web browser and a web server, locking down the Java Applet and ActiveX browser settings, and limiting the use of cookies via the web browser settings will help ensure a secure web browsing environment within the organization’s network. (2, 21) Pressure needs to be applied to the developers of web servers, browsers, and web content to adopt secure coding practices as a defense against buffer overflows. (21) Since web servers are one of the greatest external threats to network security, outsourcing web server services is the best solution to eliminate that threat. This solution ensures that any web server based vulnerability will not affect the organization’s information systems infrastructure. The next best solution is to locate any web server within the organization’s DMZ, placing the web server(s) outside of the organization’s intranet for relatively secure public access and to protect the organization’s intranet.
Information systems security involves the internet, web servers, e-mail, LAN (intranet), WAN (extranet), wireless technologies, applications, physical and logical design, hardware, software, operating systems, and access control. Encryption and VPNs also apply to all of the security areas of concern mentioned throughout this document. The Microsoft Windows server operating systems since Windows NT have been evaluated by the National Computer Security Center (NCSC) within the National Security Agency (NSA). The grading levels range from the highest (A) to the lowest (D).
The Microsoft Windows server operating system has been graded by the NCSC at the C2 level. (6) Network appliances, networked computers, and the operating systems within computers have been utilizing the TCP/IP protocol stack as their primary network communications protocol since 1969. A secure network is non-existent if the network administrators of the organization’s network do not know how to secure TCP/IP functions. The current TCP/IP protocol stack used by today’s computers and networks is IPv4. Due to the growth of Ethernet networks, wireless devices, and the internet, the limited address space of IPv4 will eventually be exhausted, even with the advent of subnetting to use IP addresses efficiently, Network Address Translation (NAT) to mask many private IP addresses behind a few public addresses, and Port Address Translation (PAT) to allow one public IP address with various port numbers to translate inbound and outbound IP communications.
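An added example, not from the paper, of the PAT behaviour described above: many private hosts share one public address and are told apart by the port the translator assigns to each outbound flow; the addresses and port range are constructed values.

```python
import ipaddress
from itertools import count

# RFC 1918 private ranges that NAT hides behind public addresses.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


class PortAddressTranslator:
    """One public IPv4 address shared by many private hosts; each outbound
    flow is distinguished by the public port the translator assigns to it."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.flows = {}      # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.by_port = {}    # public port -> that same flow tuple

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network; returns the new
        (src_ip, src_port, dst_ip, dst_port) as seen on the internet."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        flow = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.flows.get(flow)
        if pub_port is None:                  # first packet of this flow
            pub_port = next(self._next_port)
            self.flows[flow] = pub_port
            self.by_port[pub_port] = flow
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite a packet arriving at the public address. Returns the
        translated tuple, or None when no matching outbound flow exists:
        unsolicited inbound traffic is dropped, which masks the private
        hosts but is not a substitute for a firewall policy."""
        flow = self.by_port.get(dst_port)
        if flow is None or (flow[2], flow[3]) != (src_ip, src_port):
            return None
        priv_ip, priv_port, _, _ = flow
        return (src_ip, src_port, priv_ip, priv_port)
```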
The network security protocol IP Security (IPSEC) was designed to protect data by digitally signing and encrypting it before transmission. IPSEC protects IPv4 based networks against many network threats and attacks. (7) IPSEC operates at the network layer of the TCP/IP stack as an extension to the IP protocol, and it provides end to end encryption. (5, 8) IPv4 uses 32 bit addresses; the newer IPv6 architecture uses 128 bit addresses. IPv6 contains many new features that enhance IP security beyond IPv4 with IPSEC. IPv6 provides more than enough globally unique IP addresses for every IP enabled network device in existence and well into the future. The future of information systems technology and security will be closely related to the new security capabilities that IPv6 will provide, such as new generations of more secure wireless technology (3G, WiFi, and WiMax) with native end to end security and quality of service (QOS). The security of IPv6 will be enhanced by the mandatory implementation of IPSEC for all IPv6 devices. IPv6 is backwards compatible with IPv4, and the two TCP/IP protocol versions can coexist during the migration from IPv4 to IPv6. (10, 12)
Conclusion
In conclusion, it is necessary for IT professionals to become more security conscious, acquire security oriented computer knowledge, gain security implementation and maintenance experience, acquire security based computer certifications, apply that knowledge and maintain the security standards set forth by policy and law, train users on computer use related to security issues, and continually keep current with computer and network technology related to security, in order to be effective against information systems security issues within an organization. We believe the information contained within this document will help solve organizational information systems security issues. We believe our research will help to enable a paradigm shift from haphazardly implementing new network technologies for functionality purposes alone to implementing new network technologies with a security focus in tandem with functionality, in order to thwart the threats posed against information systems from the past, to the present, and into the future.
References
(1) Albanese, Jason and Sonnenreich, Wes, Network Security Illustrated, McGraw-Hill 2004.
(2) Ciampa, Mark, Security+ Guide to Network Security Fundamentals, 2nd Edition, Thomson Course Technology 2005.
(3) Report to the Honorable Wm. Lacy Clay, House of Representatives, “Information Security”, May 2005.
(4) Held, Gilbert, Securing Wireless LANs, Wiley 2003.
(5) Holme, Dan and Thomas, Orin, Windows Server 2003: Training Kit, Microsoft Press 2004.
(6) Rutstein, Charles B., National Computer Security Association: Guide to Windows NT Security, McGraw-Hill 1997.
(7) Schäfer, Günter, Security in Fixed and Wireless Networks, Wiley 2003.
(8) Smith, Ben and Komar, Brian, Microsoft Windows Security: Resource Kit for Windows 2003 Server, Microsoft Press 2005.
(9) Strebe, Matthew, “Network Security Foundations”, Sybex, Inc. 2004.
(10) Warfield, Michael H., “Security Implications of IPv6”, Internet Security Systems, 2003.
(11) Anti-Phishing Working Group, “Phishing Activity Trends Report”, URL: www.antiphishing.org, retrieved October 2006.
(12) Cisco Systems, “Cisco IPv6 Solutions”, Cisco Systems, Inc., 2006.
(13) Computer Security Institute Publications, “2006 CSI/FBI Computer Crime and Security Survey”, URL: www.gocsi.com, retrieved October 2006.
(14) CDW-G, “Wireless Security Reference Guide”, CDW-G Corporation, Ch. 1-4, 2006.
(15) CDW-G, “Security Risk – Mobile Security & Disaster Preparedness”, CDW-G Corporation, 2006.
(16) CDW-G, “Operations Continuity”, CDW-G Corporation, 2006.
(17) CDW-G, “Focus On Federal, On Guard”, CDW-G Corporation, 2006.
(18) CDW-G, “Wireless Networking”, CDW-G Corporation, 2006.
(19) CDW-G, “Make your Department’s Security a Priority”, CDW-G Corporation, 2006.
(20) Internet Security Systems, “Active Wireless Protection”, X-Force White Paper, September 2002.
(21) Microsoft Corporation, Ruth, Andy, and Hudson, Kurt, Microsoft Security+ Certification: CompTIA Exam SY0-101, Microsoft 2003.
(22) National Infrastructure Protection Center, “Best Practices for Wireless Fidelity (802.11b) Network Vulnerabilities”, URL: www.Wi-Fi.com/pdf/20011015_WEP_Security.pdf, 2002.
(23) Skillport Corporation, “Social Engineering”, Security+ Curriculum, URL: www.ircc.skillport.com, retrieved September 12, 2006.
(24) CDW-G, “Security, Reference Guide”, CDW-G Corporation, 2006.
(25) CDW-G, “Network Security, Reference Guide”, CDW-G Corporation, 2006.