8/3/2019 Impact of Cyber War on Information Security Development Final
IMPACT OF CYBER WAR ON INFORMATION SECURITY DEVELOPMENT
Abdolmajid Shahgholi, M.Tech student of Computer Networks and Information Security, Jawaharlal Nehru Technological University, [email protected]
Hamid Reza Barzegar, M.Tech student of Computer Networks and Information Security, Jawaharlal Nehru Technological University, [email protected]
ABSTRACT
Nowadays, network security comprises the policies and technologies that defend Internet-connected computer networks, and the information exchanged over them, against cyber attacks. This paper presents the specific vulnerabilities of several network-based technologies (wireless LAN, cellphone networks, non-cryptographic protocols and web services) together with a number of security techniques, including access control, IDS, IPS, firewalls, DNSSEC and web service security. Finally, the impact of availability on the choice between NIDS and NIPS is explained.
KEY WORDS: FRAME SPOOFING, PHARMING ATTACKS, PHISHING, SAML, 2G, UMTS
Introduction
Computer security is unlike other forms of security. Products such as locks, safes, and steel doors carry a clear rating of what types of attacks they can withstand and for how long; computer security products rarely do. Security can be achieved in many ways, but it is almost universally agreed that confidentiality, integrity, and availability (CIA) form the basic building blocks of any good security initiative. Attacks on an IT infrastructure and its assets can disrupt the availability of a service, resulting in loss of productivity, violation of service level agreements, financial loss, or even loss of life; attacks against the integrity of a system mean that information or data can be modified, altered or destroyed. Who, from the perspective of an IT infrastructure, are internal attackers and external attackers? Internal attackers are commonly disgruntled employees, contractors, or third-party users who, for whatever reason, have lost respect for the organization, including its IT infrastructure and assets. External attackers are commonly linked to one of numerous attacker profiles or types.
Cyber-terrorists and cyber-criminals are individuals or groups who are funded to conduct clandestine or espionage activities against governments, corporations, and individuals in an unlawful manner. They are typically engaged in sponsored acts of defacement, DoS/DDoS attacks, identity theft, financial theft, or worse: compromising critical infrastructure in a country, such as nuclear power plants, electric plants, water plants, and so on.
Wireless networks present formidable challenges in the area of security. The open nature of such networks makes it relatively easy to sniff packets or even to modify and inject malicious packets into the network.
One of the most widely deployed cellular networks is the Global System for Mobile Communications (GSM). The designers of GSM, or 2G (second-generation cellular networks), had several goals in mind; from a security viewpoint, it was designed to protect against charge fraud and eavesdropping. The successor to GSM is the Universal Mobile Telecommunications System (UMTS), or simply 3G, which promised advanced services such as mobile Internet, multimedia messaging, and videoconferencing.
Specific features of Internet protocols such as TCP, UDP, and ICMP are exploited to launch DoS attacks. While vulnerabilities lurk in specific features of a protocol, they may also be due to the way a certain protocol is implemented.
There are many known vulnerabilities that make software insecure. Of these, the buffer overflow vulnerability is the most common. In addition, web applications may be vulnerable to cross-site scripting attacks, and database applications may be vulnerable to SQL injection attacks.
Access control can be built into the application or it can be implemented at the system level. Access control may be enforced at different levels of granularity; at the first level of granularity, illegal access to memory needs to be prevented.
An intrusion is the act of gaining unauthorized access to a system so as to cause loss or harm. Two ways of handling attempted intrusions are intrusion prevention and intrusion detection.
A firewall acts as a security guard controlling access between an internal, protected network and an external, untrusted network based on a given security policy. A firewall may be implemented in hardware as a stand-alone firewall appliance or in software on a PC. The promoters of Web services needed to figure out some way of securing Web services that can potentially be accessed by a complete stranger over the network. Without the proper security infrastructure in place, the adoption of web services would not have been possible.
IEEE 802.11 Wireless LAN Security
A wireless LAN (or WLAN, for wireless local area network, sometimes referred to as LAWN, for local area wireless network) is one in which a mobile user can connect to a local area network (LAN) through a wireless (radio) connection. The IEEE 802.11 group of standards specifies the technologies for wireless LANs. 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing and include an encryption method, the Wired Equivalent Privacy (WEP) algorithm.
Background
There are two principal types of WLANs: ad-hoc networks, where stations communicate directly with each other, and infrastructure WLANs, which use an access point (AP). A station first sends a frame to an AP and the AP then delivers it to its final destination, which may be another wireless station or a station on the wired network. An AP together with the stations associated with it forms a basic service set (BSS); the union of several basic service sets comprises an extended service set (ESS). As in wired LANs, each station and AP in the ESS is uniquely identified by a MAC address, a 48-bit quantity. In addition, each AP is also identified by an SSID (service set identifier), a character string of at most 32 characters. A special kind of frame called a beacon is periodically broadcast by the AP. A station, on power-up, can discover an AP within its range by monitoring the wireless medium for a beacon; the beacon usually contains the SSID of the broadcasting AP. Alternatively, a station sends a Probe Request, which probes for APs within its range; an AP, on hearing such a request, responds with a Probe Response frame containing its SSID and also information about its capabilities, supported data rates, etc. To become part of the WLAN, a station has to associate with an AP. A station that wishes to associate with an AP sends it an Associate Request frame, and the AP replies with an Associate Response frame if it accepts the request. Before association, 802.11 requires the station to authenticate itself to the AP.
WLAN vulnerabilities
Wireless LANs (WLAN) are susceptible to the same
protocol-based attacks that plague wired LAN, and
also have their own set of unique vulnerabilities.
Since wireless access points may proliferate in theorganization, unsecured wireless access points can be
a danger to organizations because they offer the
attacker a route around the company's firewall and
into the network.
SSID issues
The service set identifier (SSID) is an identification value programmed into an access point, or a group of access points, to identify the local wireless subnet. This segmentation of the wireless network into multiple networks is a form of authentication check: if a wireless station does not know the value of the SSID, access to the associated access point is denied, so when a client connects the SSID acts as a simple password, providing a measure of security. That measure is a weak one, however: the SSID is transmitted in the clear in beacon and Probe Response frames, so anyone sniffing the medium recovers it, and suppressing it from beacons only makes clients reveal it in their own Probe Requests. The SSID should never be relied on as a secret.
Authentication
The wired network is often an Ethernet LAN with an existing security infrastructure that includes an Authentication Server (AS). In many organizations, AAA (authentication/authorization/accounting) functionality is provided by a RADIUS (Remote Authentication Dial In User Service) server; the challenge then is to develop protocols that seamlessly integrate the WLAN with the security infrastructure of the wired network. 802.11i uses IEEE 802.1X, a protocol that supports authentication at the link layer. Three entities are involved: (i) the supplicant (the wireless station), (ii) the authenticator (the AP in our case), and (iii) the authentication server. The different authentication mechanisms and message types are defined by the IETF's Extensible Authentication Protocol (EAP). EAP is not really an authentication protocol but rather a framework upon which various authentication protocols may be supported; EAP exchanges are mostly comprised of requests and responses. The AP broadcasts its security capabilities in the beacon or Probe Response frame, and the station uses the Associate Request frame to communicate its own security capabilities. 802.11i authentication takes place after the station associates with an AP; this differs from earlier versions of 802.11, where authentication precedes association. The protocol used between the station and the AP is EAP.
The main authentication methods supported by EAP include EAP-MD5, EAP-TLS, EAP-TTLS and PEAP. EAP-MD5 lets a RADIUS server authenticate LAN stations by verifying an MD5 hash of each user's password. This is a simple and reasonable choice for trusted Ethernets where there is low risk of outsider sniffing or active attack. However, EAP-MD5 is not suitable for public Ethernets or wireless LANs, because outsiders can easily sniff station identities and password hashes, or masquerade as access points to trick stations into authenticating with them instead of the real AP; it also derives no key material with which the link could be encrypted. EAP with Transport Layer Security (EAP-TLS) is the only standard secure option for wireless LANs at this time. EAP-TLS requires both the station and the RADIUS server to prove their identities via public key cryptography (i.e., digital certificates or smart cards). This exchange is secured by an encrypted TLS tunnel, making EAP-TLS very resistant to dictionary or other MitM attacks. However, the station's identity (the name bound to the certificate) can still be sniffed by outsiders. EAP-TLS is most attractive to large enterprises that use only Windows XP/2000/2003 with deployed certificates. EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP) are Internet Drafts that have been proposed to simplify 802.1X deployment. Both require certificate-based RADIUS server authentication, but support an extensible set of user authentication methods. Organizations that have not yet issued certificates to every station, and do not want to do so just for 802.1X, can use Windows logins and passwords instead. RADIUS servers that support EAP-TTLS and PEAP can check LAN access requests against Windows Domain Controllers, Active Directory, and other existing user databases. From a sniffing perspective, these options are just as strong as EAP-TLS. However, user passwords are still more likely to be guessed, shared, or disclosed through social engineering than client-side certificates, and the tunnel only protects them if the station actually validates the server's certificate; a station configured to skip that check will send its credentials to a rogue AP that presents any certificate at all.
Replacement of WEP
802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP's insecurities; WPA implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to its approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher. [1][2]
Cellphone Security
Second-generation cellular networks (2G): 2G technology introduced the idea of the Subscriber Identity Module (SIM) card. This is basically a smart card that can be removed from one cellphone and placed in another. It stores three values and performs cryptographic operations involving some of them: a unique 15-digit subscriber identification number called the International Mobile Subscriber Identity (IMSI); a 128-bit subscriber authentication key, denoted Ki, known only to the SIM and to the HLR of the subscriber's home network; and a PIN known to the phone's owner and used to unlock the SIM, which is intended to prevent stolen phones from being used. [11]
Threats: In order to understand the GSM security mechanism, one must first understand the threats the GSM system is attempting to protect against. The two main motivations for attackers of mobile phone systems are theft of service and interception of data. Theft of service can come in many forms, but the most technically interesting is the cloning of a phone. When cloning a phone, an attacker steals the identifying information from a legitimate phone and loads it into another phone. This allows the attacker to masquerade as the legitimate phone, causing charges to be assessed against the account holder of the legitimate phone. Data interception on mobile phone networks, another major concern, is a threat similar to that on other wireless networks: an attacker using relatively unsophisticated tools can listen to the transmissions between the phone and the base station in an effort to eavesdrop on the voice and data traffic. The main defense against this type of attack is encryption of the data in the air.
Authentication: Authentication depends on the SIM, which holds the individual authentication key Ki, the user identity IMSI and the algorithm used for authentication. Authentication uses a challenge-response method: the Authentication Centre (AuC) produces a random number RAND as the challenge, and the SIM inside the mobile station (MS) answers with the signed response SRES as the reply. The AuC carries out the underlying generation of random values RAND, signed responses SRES and cipher keys Kc for every IMSI, and forwards these triplets to the HLR. The current VLR requests the appropriate values of RAND, SRES and Kc from the HLR and transmits the random value RAND to the SIM. The mobile station sends back the SRES produced by the SIM. The VLR compares the two values: if they match, the VLR accepts the subscriber, otherwise the subscriber is refused. Note that only the subscriber is authenticated; the network never proves its identity to the phone, which is what makes false base stations possible. System security is maintained by the algorithms A3 for authentication, A5 for encryption and A8 for production of the cipher key.
Encryption: After authentication, the MS and BSS can start encryption using the cipher key Kc. Kc is produced from the individual key Ki and the random value RAND by algorithm A8; because they share Ki and RAND, the SIM in the MS and the network calculate the same Kc. Using algorithm A5 and the cipher key Kc, the MS and BTS encrypt and decrypt the data. Kc is a 64-bit key.
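The challenge-response exchange described above, written out as an added illustration that is not part of the original paper. The SIM and the AuC share Ki; the VLR only relays RAND and compares SRES, and Kc is released for ciphering only after a match. The operator-specific A3 and A8 algorithms are not public, so HMAC-SHA256 truncated to GSM's output sizes (32-bit SRES, 64-bit Kc) stands in for them; that substitution, the class names and the IMSI/Ki values are assumptions of this example.

```python
import hashlib
import hmac
import secrets


# Stand-ins for the operator-specific A3 (SRES) and A8 (Kc) algorithms.
# Real SIMs use operator-chosen functions; here HMAC-SHA256 is truncated to
# GSM's output sizes so that the exchange runs end to end (an assumption).
def a3(ki, rand):
    """A3: 128-bit Ki + 128-bit RAND -> 32-bit signed response SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki, rand):
    """A8: 128-bit Ki + 128-bit RAND -> 64-bit cipher key Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class SIM:
    """Holds IMSI and Ki. Ki never leaves the card; the card only answers challenges."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)


class AuC:
    """Authentication Centre: knows Ki for every IMSI and mints (RAND, SRES, Kc) triplets."""

    def __init__(self, subscribers):
        self._ki_by_imsi = subscribers          # imsi -> Ki

    def triplet(self, imsi):
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(16)          # fresh 128-bit challenge per authentication
        return rand, a3(ki, rand), a8(ki, rand)


class VLR:
    """Visited network: obtains a triplet (via the HLR), challenges the MS, compares SRES."""

    def __init__(self, auc):
        self._auc = auc

    def authenticate(self, sim, claimed_imsi):
        """Return (accepted, Kc). Kc is handed to the BSS only if SRES matched."""
        rand, expected_sres, kc = self._auc.triplet(claimed_imsi)
        sres, _kc_on_sim = sim.respond(rand)    # the MS sends back SRES only, never Kc or Ki
        if not hmac.compare_digest(sres, expected_sres):
            return False, None
        return True, kc


def demo():
    """Genuine SIM passes; a clone that copied the IMSI but not Ki is refused."""
    ki = bytes(range(16))                       # constructed example key
    genuine = SIM("404011234567890", ki)        # constructed example IMSI
    vlr = VLR(AuC({genuine.imsi: ki}))
    accepted, kc = vlr.authenticate(genuine, genuine.imsi)
    clone = SIM(genuine.imsi, bytes(16))        # knows the IMSI (sniffable) but guesses Ki
    cloned_ok, _ = vlr.authenticate(clone, genuine.imsi)
    return accepted, kc, cloned_ok


if __name__ == "__main__":
    print(demo())
```

The demo makes the cloning threat concrete: an IMSI captured off the air is useless without Ki, so cloning a GSM phone means extracting Ki from the SIM (or from the operator). It also shows the weakness UMTS fixes with mutual authentication: nothing in this exchange lets the SIM check that RAND came from its home network, so a false base station can run the protocol too.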
Security enhancements in UMTS
The security functions of UMTS are based on what was implemented in GSM. Some security functions have been added and some existing ones have been improved: the encryption algorithm is stronger and encryption is extended to the base station (Node-B) to radio network controller (RNC) interface, the application of authentication algorithms is stricter, and subscriber confidentiality is tighter.
The main security elements inherited from GSM are: authentication of subscribers, subscriber identity confidentiality, a Subscriber Identity Module (SIM) that is removable from the terminal hardware, and radio interface encryption.
Additional UMTS security features: security against false base stations through mutual authentication; encryption extended from the air interface only to include the Node-B to RNC connection; security data in the network protected both in storage and while ciphering keys and authentication data are transmitted within the system; and a mechanism for upgrading security features.
Core network traffic between RNCs, MSCs and other networks is not ciphered. Operators can implement protection for their core network transmission links, but that is unlikely to happen. MSCs will by design have lawful interception capabilities and access to Call Detail Records (CDRs), so all switches will have to have security measures against unlawful access.
The UMTS specification has five security feature groups. Network access security: the set of security features that provide users with secure access to 3G services, and which in particular protect against attacks on the (radio) access link. Network domain security: the set of security features that enable nodes in the provider domain to securely exchange signaling data, and protect against attacks on the wireline network. User domain security: the set of security features that secure access to mobile stations. Application domain security: the set of security features that enable applications in the user and in the provider domain to securely exchange messages. Visibility and configurability of security: the set of features that enables the user to inform himself whether a security feature is in operation or not, and whether the use and provision of services should depend on the security feature.
The UMTS specification has the following user identity confidentiality features. User identity confidentiality: the property that the permanent user identity (IMSI) of a user to whom a service is delivered cannot be eavesdropped on the radio access link. User location confidentiality: the property that the presence or arrival of a user in a certain area cannot be determined by eavesdropping on the radio access link. User untraceability: the property that an intruder cannot deduce whether different services are delivered to the same user by eavesdropping on the radio access link. Air interface ciphering and deciphering is performed in the RNC on the network side and in the mobile terminal; ciphering is a function of the Radio Link Control (RLC) layer or the Medium Access Control (MAC) layer of the air interface protocol.
Non-Cryptographic Protocol Vulnerabilities
DoS AND DDoS
Typically, in a DoS attack scenario, a victim is flooded with packets that elicit some kind of response. For example, an attacker sends thousands of TCP packets to its victim with the SYN flag set. The victim thinks these are legitimate requests for TCP connection establishment and, in response to each request, reserves buffer space (approximately 300 bytes) for the half-open connection. Eventually the victim's communication link and/or memory are exhausted. Other scenarios include sending a large number of UDP packets to non-listening ports on the victim, or sending a very large number of ICMP Echo Request messages to the victim's network. A distributed DoS (DDoS) is harder to detect and to filter than a DoS emanating from a single source. In a DDoS attack, the brain behind the attack scans the Internet to find multiple vulnerable hosts called handlers and compromises them. Each handler, in turn, recruits many agents or zombies to launch the attack. [4]
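The SYN-flood mechanism above, seen from the victim's side, as an added example that is not from the original paper: a monitor replays tcpdump-style packet lines and tracks the half-open connections (SYN received, final ACK never seen) that the victim would be holding backlog entries for. The line format, the addresses and the threshold are constructed for this example.

```python
import re
from collections import defaultdict

# tcpdump-style lines, constructed for this example (not a real capture):
# "<time> <src>.<sport> > <dst>.<dport>: Flags [<flags>]"
LEGIT_HANDSHAKE = [
    "10:00:00.000100 192.0.2.7.40001 > 203.0.113.5.80: Flags [S]",
    "10:00:00.000300 203.0.113.5.80 > 192.0.2.7.40001: Flags [S.]",
    "10:00:00.000500 192.0.2.7.40001 > 203.0.113.5.80: Flags [.]",
    "10:00:00.000900 192.0.2.7.40001 > 203.0.113.5.80: Flags [P.]",
]
# Eight SYNs from different (spoofed) sources that never complete the handshake.
SYN_FLOOD = [
    "10:00:01.%06d 198.51.100.%d.%d > 203.0.113.5.80: Flags [S]" % (i, i, 50000 + i)
    for i in range(1, 9)
]

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def track_half_open(lines, threshold=5):
    """Return (half_open, alerts).

    half_open maps a listening endpoint (ip, port) to the client endpoints whose
    handshake is still incomplete, i.e. the backlog slots the victim is holding.
    One alert is raised per listener once that backlog exceeds `threshold`.
    """
    half_open = defaultdict(dict)      # (dst, dport) -> {(src, sport): time of SYN}
    alerts, alerted = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, flags = m.groups()
        listener, client = (dst, dport), (src, sport)
        if flags == "S":               # client SYN: the victim allocates a backlog slot
            half_open[listener][client] = ts
        elif flags == ".":             # client's final ACK: handshake done, slot freed
            half_open[listener].pop(client, None)
        else:                          # SYN-ACK, data, etc. do not change the backlog
            continue
        backlog = half_open[listener]
        if len(backlog) > threshold and listener not in alerted:
            alerted.add(listener)
            sources = {c[0] for c in backlog}
            alerts.append(
                f"{ts} possible SYN flood against {dst}:{dport}: "
                f"{len(backlog)} half-open connections from {len(sources)} distinct sources"
            )
    return half_open, alerts


if __name__ == "__main__":
    _, found = track_half_open(LEGIT_HANDSHAKE + SYN_FLOOD)
    print("\n".join(found))
```

The legitimate client's entry disappears when its ACK arrives; the flood entries never do, which is exactly what exhausts the victim's backlog. Counting distinct sources is what separates a flood from one busy client, and it is also why a distributed attack is harder to filter: there is no single address to block. Detection only tells you the flood is happening; the host-side mitigation is SYN cookies or a shorter backlog timeout.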
ARP spoofing
ARP poison routing (APR), or ARP cache poisoning, is a method of attacking an Ethernet LAN by updating the target computer's ARP cache with forged ARP request and reply packets, in an effort to change the Layer 2 Ethernet MAC address (i.e., the address of the network card) associated with an IP address to one that the attacker can monitor. Because the ARP replies have been forged, the target computer sends frames that were meant for the original destination to the attacker's computer first, so the frames can be read (and forwarded on, so that the connection appears to work). A successful APR attempt is invisible to the user.
Remedies: Avoid using insecure protocols like Basic HTTP Authentication and Telnet. Make it a practice to sniff your own network to see what information is being passed and ensure you are not already sending sensitive information across the network in the clear. If you do have to use an insecure protocol, tunnel it through a secure channel (SSH, SSL, etc.). Look into using static ARP tables between critical workstations and servers; although a pain to maintain, they do limit the chances of ARP spoofing. You can run software like ARPwatch to detect changes in the MAC addresses on the network. Try running tools that can detect whether a NIC is running in promiscuous mode, which could be a sign of sniffing (Sniffdet and Sentinel are common tools). All mobile or guest access points should use a VPN to connect to the network; better yet, keep public terminals on a separate LAN from workstations and servers. Lock down workstations so that users cannot install sniffing software or boot from live CDs (e.g. BackTrack).
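What an ARPwatch-style monitor actually looks for, as an added example that is not from the original paper: it parses ARP replies, remembers the first MAC seen for each IP, and raises alerts on the two signatures of cache poisoning (an IP whose MAC changes, and one MAC claiming several IPs), optionally checking replies against a static ARP table as the remedies above recommend. The tcpdump-style lines and addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines (not a real capture). The attacker at
# de:ad:be:ef:00:01 poisons both the gateway (192.168.1.1) and a victim (192.168.1.10).
SAMPLE_LINES = [
    "10:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55",
    "10:00:02 ARP, Request who-has 192.168.1.1 tell 192.168.1.10",
    "10:00:05 ARP, Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:01",
    "10:00:09 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55",
    "10:01:00 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01",   # gateway IP claimed by a new MAC
    "10:01:02 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:01",  # same MAC now claims the victim too
    "10:01:30 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55",   # the real gateway answers again
]

ARP_REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def watch_arp(lines, static_table=None):
    """Return the alerts an ARPwatch-style monitor would raise for `lines`.

    Flags three conditions:
      - an IP's MAC differs from the one first seen (classic cache-poisoning signature);
      - one MAC claiming more than one IP (the attacker sitting between both ends);
      - a reply contradicting a static ARP entry, when `static_table` is supplied.
    """
    static_table = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if not m:
            continue                      # requests and non-ARP traffic carry no binding
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        if ip in static_table and static_table[ip] != mac:
            alerts.append(f"{ts} {ip} is-at {mac} contradicts static entry {static_table[ip]}")
        previous = ip_to_mac.get(ip)
        if previous is None:
            ip_to_mac[ip] = mac
        elif previous != mac:
            alerts.append(f"{ts} changed ethernet address {ip} {previous} -> {mac}")
            ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{ts} {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in watch_arp(SAMPLE_LINES, {"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```

The flip-flop at 10:01:30, where the genuine gateway's reply overwrites the attacker's binding again, is the characteristic pattern of a poisoning attack that has to keep re-sending forged replies to stay in the path. A static entry for the gateway turns the first forged reply into an immediate, unambiguous alert rather than a "changed address" that could also be a legitimate hardware swap.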
Attacks on DNS
Consider a bank called A that has an Internet presence. A allows its customers to perform banking transactions over the Internet by visiting and logging on to its web site, www.a.com, in their browser. If an attacker can poison the DNS cache that the customer's resolver uses (a pharming attack), the name www.a.com resolves to an address the attacker controls. The web page that is downloaded has the look and feel of the authentic one but is a site owned by the attacker. The customer is unaware that the web site belongs to an attacker; he proceeds to enter his login name and password, which are then captured by the attacker.
DNS security extension
DNSSEC is a suite of extensions that add security to
the DNS protocol. The core DNSSEC extensions are
specified in RFCs 4033, 4034, and 4035 and add
origin authority, data integrity, and authenticated
denial of existence to DNS. In addition to several
new concepts and operations for both the DNS server
and the DNS client, DNSSEC introduces four new
resource records (DNSKEY, RRSIG, NSEC, and DS)
to DNS. In short, DNSSEC allows for a DNS zone
and all the records in the zone to be cryptographically
signed. When a DNS server hosting a signed zone
receives a query, it returns the digital signatures in
addition to the records queried for. A resolver or
another server can obtain the public key of the
public/private key pair and validate that the responses
are authentic and have not been tampered with. In
order to do so, the resolver or server must be
configured with a trust anchor for the signed zone, or
for a parent of the signed zone.
Frame spoofing
The two main types of this attack are spoofed deauthentication frames and spoofed power-management control frames. In the first, while data is being delivered between the AP and a station, an attacker who has spoofed the MAC address of that station sends a deauthentication frame to the AP. The AP believes the frame came from the genuine station and closes the connection, so the remaining in-flight frames are lost. The attack works because, unless management frame protection (802.11w) is in use, 802.11 management frames are neither authenticated nor encrypted, so nothing stops an attacker from forging them.
Software Vulnerabilities
Phishing
Phishing, in its common form, is the process of luring a victim to a fake website by clicking on a link. The victim usually encounters the link in an e-mail message sent to him or on a web page he is browsing. Phishers typically target users of PayPal, eBay or online banks in order to harvest their credentials.
CROSS-SITE SCRIPTING (XSS)
In this attack the user is, for example, asked to log in to his bank. Everything (the website address, the security certificate) looks normal, because the page really is served by the genuine site; what has been changed is the link the user followed, which carries attacker-supplied script in a parameter that the site echoes back into the page without encoding it. The browser then runs that script with the privileges of the genuine site. The attack is possible because of weaknesses in the website's scripts introduced by the programmer.
Overcoming XSS: on the client side, using a suitable web browser, using NoScript-type tools, and not clicking on unknown links; on the server side, which is the only real fix, encoding every piece of untrusted input for the context in which it is placed in the page.
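The server-side weakness and its fix side by side, as an added example that is not from the original paper: a page fragment that reflects a request parameter into three different contexts (HTML text, an attribute value, a JavaScript string) first verbatim, then encoded for each context. The template, parameter name and attacker payloads are constructed for this example.

```python
import html
import json

# Constructed attacker inputs, as they would arrive in a URL parameter the page echoes.
BODY_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
JS_PAYLOAD = "';</script><script>alert(1)//"


def render_vulnerable(name):
    """Reflects the parameter verbatim into HTML text, an attribute and a JS string."""
    return (
        f"<p>Hello, {name}</p>\n"
        f'<input name="user" value="{name}">\n'
        f"<script>var user = '{name}';</script>"
    )


def js_string_literal(value):
    """Encode `value` as a JavaScript string literal that is safe inside <script>.

    json.dumps takes care of quotes, backslashes and newlines; '<' and '>' are
    additionally written as \\u00XX escapes so the literal can never contain
    '</script>' and close the element early.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(name):
    """Same template, but each interpolation is encoded for the context it lands in."""
    return (
        f"<p>Hello, {html.escape(name)}</p>\n"
        f'<input name="user" value="{html.escape(name, quote=True)}">\n'
        f"<script>var user = {js_string_literal(name)};</script>"
    )


if __name__ == "__main__":
    for payload in (BODY_PAYLOAD, ATTR_PAYLOAD, JS_PAYLOAD):
        print(render_vulnerable(payload), end="\n---\n")
        print(render_safe(payload), end="\n===\n")
```

The point of the three payloads is that one encoding does not fit all contexts: HTML entity escaping neutralises the first two, but a value inside a `<script>` block needs a JavaScript string encoding that also prevents the `</script>` breakout. Client-side tools such as NoScript only mitigate the symptom; the encoding belongs in the application.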
SQL INJECTION
One type of hacker attack on websites allows the hacker to access the database using the SQL language. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability occurs when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed, and is thereby unexpectedly executed as part of the query.
SQL INJECTION REMEDIES: using the object-oriented data access classes of ASP.NET; avoiding building queries with the + and & string concatenation operators; using custom error handling so that hackers cannot use the framework's error messages to attack the site; using parameterized OleDbCommand objects instead of quoting values with single quotes in the SQL text; at the end of the code using CmndCheck.
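The concatenation flaw and the parameterized remedy side by side, as an added example that is not from the original paper. It uses Python's built-in sqlite3 driver and an in-memory table so that it runs offline; the table, rows and payloads are constructed for this example, and the parameter style is the same idea as a parameterized OleDbCommand in ASP.NET.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: the user's text becomes SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Parameterized statement: the driver sends values separately, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Constructed payloads: a tautology that bypasses the password check, and a
# UNION that pulls another column out through the same query.
TAUTOLOGY = "' OR '1'='1' --"
UNION_DUMP = "' UNION SELECT password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", login_vulnerable(db, TAUTOLOGY, "anything"))
    print("vulnerable, union:    ", login_vulnerable(db, UNION_DUMP, "x"))
    print("safe, tautology:      ", login_safe(db, TAUTOLOGY, "anything"))
```

With the tautology the concatenated statement becomes `... WHERE username = '' OR '1'='1' --' AND password = 'anything'`, which matches every row, and the UNION variant returns the password column in place of usernames. The parameterized version treats the same text as an opaque value, so the only way to log in is to know a real username and password; there is no escaping to get wrong.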
Access Control in the Operating System
Access control is the authority to control access to resources. The three key entities involved in access control are a user, a group of users, and a machine, each with a valid account on the system (UID, GID). There are three access control policies: discretionary, mandatory and role-based access control. Discretionary access control (DAC) is an access policy determined by the owner of an object (objects are the resources that subjects need to access), who decides who is allowed to access the object and what privileges they have. Two important examples of DAC are UNIX and Windows access control. UNIX bases its decisions on the user account (UID/GID) on whose behalf a process runs; Windows controls operations on objects such as files, threads, sockets, semaphores and registry keys. Mandatory access control (MAC) is an access policy determined by the system, not the owner; MAC is used in multilevel systems that process highly sensitive data such as classified government and military information. Role-based access control (RBAC) is likewise an access policy determined by the system rather than the owner: permissions are attached to roles, and users obtain them by being assigned to roles. RBAC is used in commercial applications and also in military systems; it is controlled at the system level, outside the user's control. [6]
IPS AND IDS
An IPS forestalls various kinds of attacks, whereas an IDS is a device or software appliance that monitors system activity for malicious actions and reports to a management station. Take a password strategy as an example: (i) passwords should have at least eight characters and be hard to guess, (ii) they should be changed at least once every two months, (iii) they should be stored securely and not disclosed to others, and (iv) after three unsuccessful attempts on an account, the account should be disabled for twenty minutes. The first and second can be either user-based or forced by the system; the third involves the user alone and the fourth the system alone. These measures are preventive, and so belong to the IPS. An IDS, by contrast, should monitor logins: if a person who for five years has never logged in outside office hours suddenly logs in at 4 am, the IDS should raise an alert. [9]
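The preventive and detective rules above turned into code, as an added example that is not from the original paper: rule (i) as a password check, rule (iv) as an IPS-style lockout that rejects attempts for twenty minutes after three failures, and the off-hours login as an IDS-style alert. The log format, the office-hours definition and the sample log are constructed for this example (2019-08-05 is a Monday).

```python
import re
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                    # failures before the account is disabled
LOCKOUT_DURATION = timedelta(minutes=20)
OFFICE_HOURS = (8, 18)                   # 08:00 <= hour < 18:00, Monday to Friday
LOG_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGIN user=(\S+) result=(success|failure)$"
)

# Constructed authentication log; not from a real system.
SAMPLE_LOG = [
    "2019-08-05 09:12:03 LOGIN user=alice result=success",
    "2019-08-05 09:13:00 CRON run-parts /etc/cron.hourly",
    "2019-08-05 09:15:10 LOGIN user=bob result=failure",
    "2019-08-05 09:15:14 LOGIN user=bob result=failure",
    "2019-08-05 09:15:20 LOGIN user=bob result=failure",     # third failure: lock bob
    "2019-08-05 09:16:00 LOGIN user=bob result=success",     # correct password, still locked
    "2019-08-05 09:40:00 LOGIN user=bob result=success",     # lockout expired
    "2019-08-06 04:02:41 LOGIN user=alice result=success",   # 4 am on a Tuesday
    "2019-08-10 11:00:00 LOGIN user=carol result=success",   # Saturday
]


def password_meets_policy(password, min_length=8):
    """Rule (i): at least eight characters, not a common word, three character classes."""
    common = {"password", "12345678", "qwertyui", "letmein1"}
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(password) >= min_length and password.lower() not in common and classes >= 3


def analyse_logins(lines):
    """Replay `lines` through the IPS lockout rule and the IDS off-hours rule.

    Returns (blocked, alerts): what the IPS refused, and what the IDS reported.
    """
    failures = {}        # user -> consecutive failures since the last success or lockout
    locked_until = {}    # user -> time at which the lockout expires
    blocked, alerts = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        user, result = m.group(2), m.group(3)
        # IPS rule (iv): reject every attempt, right or wrong, while the account is disabled.
        if user in locked_until and ts < locked_until[user]:
            blocked.append(f"{ts} {user}: attempt rejected, locked until {locked_until[user]}")
            continue
        if result == "failure":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] >= LOCKOUT_THRESHOLD:
                locked_until[user] = ts + LOCKOUT_DURATION
                failures[user] = 0
                blocked.append(f"{ts} {user}: locked for {LOCKOUT_DURATION} after "
                               f"{LOCKOUT_THRESHOLD} failures")
            continue
        failures[user] = 0
        # IDS rule: a successful login outside office hours is reported, not blocked.
        off_hours = ts.weekday() >= 5 or not (OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1])
        if off_hours:
            alerts.append(f"{ts} {user}: successful login outside office hours")
    return blocked, alerts


if __name__ == "__main__":
    for section in analyse_logins(SAMPLE_LOG):
        print("\n".join(section))
```

The split between the two lists is the IPS/IDS distinction in miniature: the lockout changes what the system does (bob's correct password at 09:16 is refused), while the off-hours rule only produces something for an analyst to look at. The lockout also illustrates the availability trade-off of prevention: an attacker who knows the usernames can deliberately lock accounts, which is why the paper's twenty-minute window, rather than a permanent disable, is the sensible choice.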
Firewalls
A firewall is a hardware device or software application that sits between your computer and the Internet and blocks all Internet traffic from reaching your computer that you have not specifically requested. This means that if you browse to a web site, the firewall will allow the traffic from that web site to reach your computer and therefore you. On the other hand, if you did not request information from that web site and the web site sent traffic to you, it would be denied from reaching your computer because you did not specifically ask for it. This behavior can be changed if you wish, as discussed further in the document. [7]
WS-SECURITY (Web Service Security)
As the use cases for our customer's application were being developed, a set of security-related, non-functional requirements were identified: the communication between our customer and his business partner should not be viewable by a third party as it travels over the Internet; our customer needed to be able to determine from whom a message was coming and to verify that the sender was who the sender claimed to be; and our customer needed to be able to ensure that the data being transmitted had not been tampered with.
SAML: Perhaps the biggest roadblocks to the long-term success of Web services are security issues, and one of the most important of those is user authentication; specifically, allowing a user to sign on to or use multiple Web services from separate but affiliated sites without having to authenticate himself at every step of the process. That is the job of SAML (Security Assertion Markup Language), an XML-based standard for authentication and authorization that provides "single sign-on", so that people can be authenticated once and then access multiple Web services. SAML allows each individual site to have its own mechanism for sign-on and authentication, but allows sites to accept authenticated users from other sites. [15]
Conclusion
Computer security is all about studying cyber attacks with a view to defending against them. Understanding what makes systems vulnerable to these attacks is an important first step in avoiding or preventing them. Most hackers were young adults, often teens, who had dropped out of school but were otherwise intelligent and focused. Many of the traditional hackers seem to be obsessive programmers; they seem adept at circumventing limitations to achieve a challenging but often forbidden objective.
Remember that security is a process. You have to be vigilant, but the reward for vigilance is secure data and no net loss of competitive advantage. Although no amount of negligence gives a third party a legitimate reason to steal data, neither does that absolve system administrators of their responsibility to secure their networks. Working with open standards and setting organizational hardware and software standards are at the core of the network-growth process. Remember, too, that network management becomes increasingly important as the network grows larger; otherwise, the system administrators are overrun doing work that could easily be automated. The Internet is growing and changing at a rate beyond one person's comprehension. It is easy to get physically connected to the network; the difficult part of networking is figuring out why the network works (or, alternatively, does not work) and the causes of various problems.
Organizations must conduct periodic risk and vulnerability assessments in an attempt to close the vulnerability window on the organization's IT infrastructure and its assets. The gap in time from when an organization realizes it has a threat from a known vulnerability to when the organization actually implements the proper security controls and countermeasures is known as the vulnerability window. Behind every attack is a vulnerability of some type or other. But what exactly is a vulnerability? A vulnerability is a weakness or lacuna in a procedure, protocol, hardware, or software within an organization that has the potential to cause damage. Understanding security vulnerabilities is the key to understanding attacks better and, more importantly, to defending against them.
It is important to remember that a NIDS (Network-based Intrusion Detection System) is just one tool in your collection, not a be-all and end-all security mechanism, despite what NIDS vendors tell you. Deploying an IDS/IPS and tuning it to the point where the alerts generated are relevant is not an easy or quick project. False positives may plague an analyst for days or weeks, but the only thing worse than a false positive is a false negative. Knowledge of the environment is absolutely critical to save the analyst time in the long run, as is being comfortable with how the detection engines are set up. The proper time and resources must be allocated to maximize any return on investment an IDS/IPS provides. Web services involve a fundamental shift in how justice agencies will manage, access, and share information; within the Web services architecture, security is key in justice implementations involving sensitive but unclassified information.
However, with the sophistication of attack methods and the advancement of information technology, it is necessary for countermeasures to evolve constantly as well, and so must our measures to prevent the recurrence of new threats.
Case study: Result for availability's impact on the NIDS versus NIPS (Network-based Intrusion Prevention System) decision.
Networked computers with exposed vulnerabilities
may be disrupted or taken over by a hacker, or by
automated malicious code. Should a terrorist group
attempt to launch a coordinated cyber attack against
computers that manage the critical infrastructure,
they may find it useful to copy some of the tactics
now commonly used by today's computer hacker
groups to locate Internet-connected computers with
vulnerabilities, and then systematically exploit those
vulnerabilities.
Availability is a time value calculated in terms of MTBF (Mean Time Between Failures) and MTTR (Mean Time To Repair). The MTBF number is provided by the manufacturer and is expressed in hours. The MTTR number, variable and dependent upon the specific network, is also expressed in hours. Availability = MTBF / (MTBF + MTTR). The most common way to express this availability calculation is by percentage. It is commonly referenced by network professionals using the term "9s", illustrated in the following table. To calculate annual availability, multiply your targeted 9s value by 525,600 minutes per year.
Availability        Annual downtime
90%  (one 9)        36.5 days
99%  (two 9s)       3.65 days
A device with an MTBF of 175,000 hours and an MTTR of 30 minutes has a calculated annual availability of 525,598 minutes, which equals 1.52 minutes of downtime. Appendix C provides more detail and complex examples regarding these calculations. The real challenge in computing the availability of any system or network is in understanding the MTTR. This value is unique to your environment, affected by variables such as routing protocol convergence time and/or spanning tree convergence time, depending on your topology.
You need to understand exactly what happens when
an inline device fails to forward traffic properly. This
can be due to power, hardware, or other
environmental failure. Ideally you would build a full
test environment with your intended NIPS design and
then test the different scenarios. You should be able
to estimate the impact of failure by analyzing a few
key variables:
Interface fail-open: how long does it take for a set of inline interfaces to begin passing traffic after a failure? Will traffic be queued or dropped?
Layer 3 (L3) environment failures: when your NIPS is deployed on a routed network segment, how long does your routing protocol take to converge?
Layer 2 (L2) environment failures: when your NIPS is deployed on a physically redundant L2 network segment, how quickly will the spanning tree converge?
Non-hardware sources of downtime: we are doing these calculations based purely on hardware failure, so you must also consider software failure, environmental considerations, and human error. Compared to other network devices, a NIPS has a much higher number of software updates (signatures, typically). Application of these software updates always introduces the possibility of software failure or human error that could result in an unexpected outage.
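The availability arithmetic above and the list of inline-failure variables can be put together in a small model, so that the NIDS-versus-NIPS decision for a segment can be checked against a 9s target rather than argued by hand. The following Python is an added example written for this page, not code from the paper; it implements the paper's formula Availability = MTBF / (MTBF + MTTR) and its 9s table, and then, as a modelling assumption of this example, treats fail-open delay, L2/L3 convergence time and hardware repair time as the components of an inline NIPS's effective MTTR on the forwarding path. A passive NIDS on a tap or SPAN port is assumed to be off the forwarding path, so its failure costs detection coverage but no traffic downtime. The device figures (175,000 h MTBF from the paper; the repair, fail-open and convergence times) are constructed sample values, not measurements of any product.

```python
"""Availability model for the NIDS-versus-NIPS decision (added example, not from the paper)."""
from __future__ import annotations

from dataclasses import dataclass

MINUTES_PER_YEAR = 525_600  # 365 days * 24 h * 60 min, the figure the paper uses


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Fraction of time the device is up: MTBF / (MTBF + MTTR), as in the paper."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def annual_downtime_minutes(avail: float) -> float:
    """Expected minutes of downtime per year for an availability fraction."""
    return (1.0 - avail) * MINUTES_PER_YEAR


def nines_target(nines: int) -> float:
    """Availability fraction for a number of 9s: 1 -> 0.9, 2 -> 0.99, 3 -> 0.999, ..."""
    return 1.0 - 10.0 ** (-nines)


def nines_table(max_nines: int = 5) -> list[tuple[int, float, float]]:
    """Rows of (nines, availability, annual downtime in minutes); extends the paper's table."""
    return [(n, nines_target(n), annual_downtime_minutes(nines_target(n)))
            for n in range(1, max_nines + 1)]


@dataclass
class InlineNipsModel:
    """Failure variables for an inline NIPS. Times in minutes; all values are constructed.

    Modelling assumption of this example: while the unit is down, traffic is
    blackholed until the interfaces fail open and the topology converges, or,
    without fail-open, until the hardware is repaired and the topology converges.
    """
    mtbf_hours: float
    hardware_repair_min: float   # time to restore or replace the unit itself
    fail_open_min: float         # delay before inline interfaces start passing traffic
    convergence_min: float       # L3 routing or L2 spanning-tree convergence time
    fail_open: bool              # do the interfaces pass traffic when the unit dies?

    def effective_mttr_hours(self) -> float:
        if self.fail_open:
            outage_min = max(self.fail_open_min, self.convergence_min)
        else:
            outage_min = self.hardware_repair_min + self.convergence_min
        return outage_min / 60.0

    def forwarding_availability(self) -> float:
        return availability(self.mtbf_hours, self.effective_mttr_hours())

    def forwarding_downtime_minutes(self) -> float:
        return annual_downtime_minutes(self.forwarding_availability())


def inline_meets_target(model: InlineNipsModel, nines: int) -> bool:
    """True if the NIPS forwarding path satisfies an availability target of N nines.

    A passive NIDS trivially meets any target on this metric: its failure
    interrupts detection, not forwarding, which is why high-availability
    segments tend to get a NIDS and lower ones can tolerate an inline NIPS.
    """
    return model.forwarding_availability() >= nines_target(nines)


if __name__ == "__main__":
    # The paper's worked figure: 175,000 h MTBF and 30 min MTTR give about 1.5 min/year.
    print(f"{annual_downtime_minutes(availability(175_000, 0.5)):.2f} min/year")
    for n, avail, down in nines_table(5):
        print(f"{n} nine(s): {avail:.5f} -> {down / 1440:.2f} days ({down:.1f} min)")
    # Two constructed NIPS designs on the same hardware, differing only in fail-open.
    with_fail_open = InlineNipsModel(175_000, 240.0, 0.1, 0.5, fail_open=True)
    no_fail_open = InlineNipsModel(175_000, 240.0, 0.1, 0.5, fail_open=False)
    for label, m in (("fail-open", with_fail_open), ("no fail-open", no_fail_open)):
        print(f"{label}: {m.forwarding_downtime_minutes():.2f} min/year, "
              f"meets 5 nines: {inline_meets_target(m, 5)}")
```

Running it shows the point the paper makes about MTTR being the real variable: on identical hardware, the design without fail-open spends roughly twelve minutes a year blackholing the segment and misses a five-9s target, while the fail-open design stays well under a minute. The effective-MTTR inputs are the ones you would measure in the test environment the paper recommends building.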
[Figure: availability requirements by environment. The figure lists critical data center, data center, desktop LAN, remote access, extranet and lab along an availability-requirements scale, with the labels NIDS and NIPS placed against it.]