impact of cyber war on information security development final

8/3/2019 Impact of Cyber War on Information Security Development Final

1/12

IMPACT OF CYBER WAR ON INFORMATION SECURITY DEVELOPMENT

Abdolmajid Shahgholi M.Tech student of Computer Networks and Information Security,Jawaharlal Nehru Technological University, [email protected]

Hamid Reza Barzegar M.Tech student of Computer Networks and Information Security

Jawaharlal Nehru Technological University, [email protected]

ABSTRACTNowadays, Network Security deals with some policies and technologies, defending against Cyber Attacks occurred

due to different Internet-oriented Computer Networks as well as exchanging Information Technologies. This paper

Presents both specific vulnerabilities of different Network-based Technologies such as Wireless LAN, Cellphone,

Non-cryptography Protocols, Web Services and several Security Techniques including Access Control, IDS, IPS,

Firewall, DNSSEC and Web Service Security. Finally, the specific result of availabilitys impact on NIDS versus

NIPS is explained.

KEY WORDS: FRAME SPOOFING, PHARMING ATTACKS, PHISHING, SAML, 2G, UMTS

Introduction

Computer security is unlike other forms of security.

Products such as locks, safes, and steel doors give

clear rating on what types of attacks they can

withstand and how long they can withstand them.

Security can be achieved in many ways, but its

pretty well universally agreed that confidentiality,

integrity, and availability (CIA) form the basic

building blocks of any good security initiative.

Attacks on an IT infrastructure and assets can disrupt

availability of service resulting in the following: loss

of productivity, violation of service level agreement,

financial loss, loss of life, attacks against the integrity

of a system, and information or data can be modified

altered or destroyed. Who, from the perspective of an

IT infrastructure, are internal attackers and external

attackers? Internal attackers are commonly linked to

disgruntled employees, contractors, or third-party

users who, for whatever reason, have lost respect andintegrity for the organization, including IT

infrastructure and its assets. External attackers are

commonly linked to one of numerous attacker

profiles or types.

Cyber-Terrorists /Cyber-Criminal describe an

individual or groups of individuals who are funded to

conduct clandestine or espionage activities on

governments, corporations, and individuals in an

unlawful manner. These individuals typically

engaged in sponsored acts of defacements,

DoS/DDoS attacks, identity theft, financial theft, or

worse compromising critical infrastructures in

countries, such as nuclear power plants, electric

plants, water plants, and so on.

Wireless networks present formidable challenges inthe area of security. The open nature of such

networks makes it relatively easy to sniff packets or

even modify and inject malicious packets into the

network.

One of the most widely deployed cellular networks is

the Global System for Mobile Communications

(GSM). The designers of GSM or 2G (second-

generation cellular networks) had several goals in

mind. From a security viewpoint, it was also

designed to protect against charge fraud and

eavesdropping. The successor to GSM is UniversalMobile Telecommunications System (UMTS) or

simply 3g. it promised advanced services such as

mobile Internet, multimedia messaging,

videoconferencing.

Specific features in Internet protocols such as TCP,

UDP, and ICMP are exploited to launch DoS attacks.

While vulnerabilities lurk in specific features of the


2/12

protocol, they may also be due to the way a certain

protocol is implemented.

There are many known vulnerabilities that make

software in secure. Of these, buffer overflow

vulnerability is the most common. In addition, web

applications may be vulnerable to cross-site scriptingattacks, and database applications may be vulnerable

to SQL injection attacks.

Access control can be into the application or it can be

implemented at the system level l. Access control

may be enforced at different levels of granularity. At

the first level of granularity, illegal access to memory

needs to be prevented.

An intrusion is the act of gaining unauthorized access

to a system so as to cause loss or harm. Two ways of

handling attempted intrusions are built intrusionpreventionand intrusion detection.

A firewall acts as a security guard controlling access

between an internal, protected network and an

external, entrusted network based on a given security

policy. A firewall may be implemented in hardware

as stand-alone firewall appliance or in software on

a PC. The promoters of Web services needed to

figure out some way of securing Web services that

can be potentially accessed by a complete stranger

over the network. Without the proper security

infrastructure in place, the adoption of web services

would not have been possible.

IEEE 802.11 Wireless LAN

Securities

A wireless LAN (or WLAN, for wireless local area

network, sometimes referred to as LAWN, for local

area wireless network) is one in which a mobile user

can connect to a local area network(LAN) through

a wireless (radio) connection.The IEEE 802.11 group of standards specifies the

technologies for wireless LANs. 802.11 standards use

Ethernet Mobile Basics

protocol and CSMA/CA (carrier sense multiple

access with collision avoidance) for path sharing and

include an encryption method, the Wired Equivalent

Privacy algorithm.

Background

There are two principal of types of WLANsad-hoc

networks, where stations communicate directly with

each other, and infrastructure WLAN, which use an

access point (AP). A station first sends a frame to anAP and then AP deliver s it to its final destination.

The station may be another wireless station or a

station on the other wired network. The union of the

basic service sets comprises an extended service set

(ESS). As in wired LANs, each station and AP in the

ESS is uniquely identified by a MAC addressa 48-

bit quantity. In addition each AP is also identified by

an SSID (service set id), which is a character string of

length at most 32 characters. Special kind of frame

called a beacon is periodically broadcast by the AP.

A station, on power up, can discover an AP within its

range by monitoring the wireless medium for a

beacon. The bacon usually contains the SSID of the

broadcasting AP. A station sends a Probe Request

which probes for APs within its range. An AP , on

hearing such a request , responds with a Probe

Response frame contains the SSID of the AP and also

information about its capabilities , supported data

rates, etc. to become part of the WLAN, station will

have to associate with an AP. A station that wishes

to associate with an AP sends it an Associate Request

frame. The AP replies with an Associate Response

frame if it accepts the request for associating with it.

Before association, 802.11 requires the station to

authenticate Itself to the AP.

WLAN vulnerabilities

Wireless LANs (WLAN) are susceptible to the same

protocol-based attacks that plague wired LAN, and

also have their own set of unique vulnerabilities.

Since wireless access points may proliferate in theorganization, unsecured wireless access points can be

a danger to organizations because they offer the

attacker a route around the company's firewall and

into the network.

SSID issues
http://searchnetworking.techtarget.com/definition/local-area-network-LANhttp://searchnetworking.techtarget.com/definition/local-area-network-LAN


3/12

The service set identifier (SSID) is an identification

value programmed in the access point or group of

access points to identify the local wireless subnet.

This segmentation of the wireless network into

multiple networks is a form of an authentication

check. If a wireless station does not know the valueof the SSID, access is denied to the associated access

point. When a client computer is connected to the

access point, the SSID acts as a simple password,

providing a measure of security.

Authentication

The wired network is often an Ethernet LAN with an

existing security infrastructure that includes an

Authentication Server (AS). In many organization,

AAA ( authentication /Authorization/Accounting)

functionality is provided by a RADIUS (Remote

Authentication Dial In User Service) server, the

challenge then is to develop protocols that seamlessly

integrate the WLAN with the security infrastructure

of wired network. 802.11i uses IEEE 82.1xa

protocol that supports authentication at the link layer.

Three entities are involved (i) supplicant (the wireless

station). (ii) Authenticator (the AP in our case). (iii)

Authentication server. Different authentication

mechanism an message types are defined by IETFs

extensible authentication protocol (EAP). EAP is not

really an authentication protocol but rather a

framework upon which various authentication

protocols may be supported. EAP exchanges are

mostly comprised of requests and responses. The AP

broadcast its security capabilities in the bacon or

Probe Response frame. The station uses the associate

request frame to communicate its security

capabilities. 802.11i authentication takes place after

the station associates with an AP. This differs from

earlier version of 802.11where authenticationprecedes association. The protocol used between

the station and the AP is EAP. The main

authentication methods supported by EAP include the

following: EAP-MD5, EAP-TLS, EAP-TTLS, EAP-

PEAP. EAP-MD5 lets a RADIUS server

authenticate LAN stations by verifying an MD5 hash

of each user's password. This is a simple and

reasonable choice for trusted Ethernets where there is

low risk of outsider sniffing or active attack.

However, EAP-MD5 is not suitable for public

Ethernets or wireless LANs because outsiders can

easily sniff station identities and password hashes, or

masquerade as access points to trick stations intoauthenticating with them instead of the real deal.

EAP with Transport Layer Security (EAP-TLS) is

the only standard secure option for wireless LANs at

this time. EAP-TLS requires the station and RADIUS

server to both prove their identities via public key

cryptography (i.e., digital certificates or smart cards).

This exchange is secured by an encrypted TLS

tunnel, making EAP-TLS very resistant to dictionary

or other MitM attacks. However, the station's identity

-- the name bound to the certificate -- can still be

sniffed by outsiders. EAP-TLS is most attractive to

large enterprises that use only Windows

XP/2000/2003 with deployed certificates. EAP with

Tunneled TLS (EAP-TTLS) and Protected EAP

(PEAP) are Internet Drafts that have been proposed

to simplify 802.1X deployment. Both require

certificate-based RADIUS server authentication, but

support an extensible set of user authentication

methods. Organizations that have not yet issued

certificates to every station and don't want to just for

802.1X can use Windows logins and passwords

instead. RADIUS servers that support EAP-TTLS

and PEAP can check LAN access requests with

WindowsDomainControllers, Active Directories,

and other existing user databases. From a sniffing

perspective, these options are just as strong as EAP-

TLS. However, user passwords are still more likely

to be guessed, shared, or disclosed through social

engineering than client-side certificates.

Replacement of WEP

802.11i supersedes the previous security

specification, Wired Equivalent Privacy(WEP),

which was shown to have severe security

weaknesses. Wi-Fi Protected Access (WPA) had

previously been introduced by the Wi-Fi Alliance as

an intermediate solution to WEP insecurities. WPA

implemented a subset of a draft of 802.11i. The Wi-
http://www.wi-fiplanet.com/tutorials/article.php/3075481http://www.wi-fiplanet.com/tutorials/article.php/3075481http://www.wi-fiplanet.com/tutorials/article.php/3075481http://www.wi-fiplanet.com/tutorials/article.php/3075481


4/12

Fi Alliance refers to their approved, interoperable

implementation of the full 802.11i as WPA2, also

called RSN (Robust Security Network). 802.11i

makes use of the Advanced Encryption

Standard (AES) block cipher, whereas WEP and

WPA use the RC4 stream cipher. [1][2]

Cellphone Security

Secondgeneration cellular networks (2G):

2g technology introduced the idea of subscriber

Identity Module (SIM) card. this is basically a smart

card that can be removed from one cellphone and

placed in another. it stores three secrets and performs

cryptographic operations involving some of the

secrets. the secrets are : a unique 15-digit subscriber

identification number called the International Mobile

Subscriber Identity(IMSI); A 128-bit subscriber

Authentication key denoted ki known only to the

SIM and the HLR of the subscribers home network;

a PIN known to the phones owner and used to

unlock the SIM. This is intended to prevent stolen

phones being used.[11]

Threats: In order to understand the GSM security

mechanism, you first must understand the threats that

the GSM system is attempting to protect against.Two main motivations for attackers of mobile phone

systems are theft of service and interception of data.

Theft of service can come in many forms, but the

most technically interesting is the cloning of a phone.

When cloning a phone, an attacker steals the

identifying information from a legitimate phone and

loads it to another phone. This allows the attacker to

masquerade as the legitimate phone causing charges

to be assessed against the account holder of the

legitimate phone. Data interception of mobile phone

networks, another major concern, is a similar threat

to other wireless networks. An attacker, using

relatively unsophisticated tools can listen to the

transmissions of the phone and the base station in an

effort to eavesdrop on the voice and data

transmissions occurring. The largest defense to this

type of attack is encryption of the data in the air.

Authentication:

Authentication is dependent on SIM which hold the

individual authentication key ki, the user

identification IMSIA and the algorithm is utilized for

authentication. Authentication make use ofchallenges-response method .access control (AC)

produces a random number RAND as challenge and

SIM inside the MS answer with SRES as replay.

AUC carriers out the fundamental production of

random values RAND, signed responses SRES and

cipher keys for every IMSI and then forwards the

information to HLR. The present VLR request the

suitable values for RAND, SREs and kc from HLR,

VLR transmits the random value RAND to SIM.

Mobile station transmits back the SRES produced by

the SIM. Both data values are compared by VLR, if

the data values are similar VLR receives the

subscriber otherwise subscriber is refused. System

security is maintained by the algorithm such as A3

for authentication, A5 for encryption and A8 for

production of cipher key.

Encryption: after authentication, MS and BSS can

start encryption by using the cipher key (Kc). Kc is

produce by individual key (Ki) and random value ,

by algorithm A8 based on random value RAND, SIM

in the MS and network calculates the similar Kc. By

the algorithm A5 and cipher key Kc, MS and BTS

encrypt and decrypt data. Kc should be a 64 bit key.

Security enhancements in UMTS

The security functions of UMTS are based on what

was implemented in GSM. Some of the security

functions have been added and some existing have

been improved. Encryption algorithm is stronger and

included in base station (NODE-B) to radio networkcontroller (RNC) interface, the application of

authentication algorithms is stricter and subscriber

confidentially is tighter.

The main security elements that are from GSM:

Authentication of subscribers, Subscriber identity

confidentially, Subscriber Identity Module (SIM) to

be removable from terminal hardware, Radio


5/12

interface encryption.

Additional UMTS security features: Security against

using false base stations with mutual authentication,

Encryption extended from air interface only to

include Node-B to RNC connection, Security data in

the network will be protected in data storages andwhile transmitting ciphering keys and authentication

data in the system, Mechanism for upgrading security

features.

Core network traffic between RNCs, MSCs and other

networks is not ciphered and operators can to

implement protections for their core network

transmission links, but that is unlike to happen.

MSCs will have by design a lawful interception

capabilities and access to Call Data Records (SDR),

so all switches will have to have security measures

against unlawful access.

UMTS specification has five security feature groups:

Network access security: the set of security features

that provide users with secure access to 3G services,

and which in particular protect against attacks on the

(radio) access link; Network domain security: the

set of security features that enable nodes in the

provider domain to securely exchange signaling data,

and protect against attacks on the wire line network;

User domain security: the set of security features

that secure access to mobile stations. Application

domain security: the set of security features that

enable applications in the user and in the provider

domain to securely exchange messages. Visibility

and configurability of security: the set of features

that enables the user to inform himself whether a

security feature is in operation or not and whether the

use and provision of services should depend on the

security feature.

UMTS specification has the following user identity

confidentiality security features:

User identity confidentiality: the property that thepermanent user identity (IMSI) of a user to whom a

services is delivered cannot be eavesdropped on the

radio access link; User location confidentiality: the

property that the presence or the arrival of a user in a

certain area cannot be determined by eavesdropping

on the radio access link; User intractability: the

property that an intruder cannot deduce whether

different services are delivered to the same user by

eavesdropping on the radio access link. Air interface

ciphering/deciphering in performed in RNC in the

network side and in mobile terminals. Ciphering in

function of air interface protocol Radio Link Control

(RLC) layer or Medium Access control (MAC) layer.

NoneCryptographic Protocol

Vulnerabilities

DoS AND DDoS

Typically a victim is flooded with packets that elicit

some kind of response by DoS attack scenarios. An

attacker sends thousands of TCP packets to its victim

with the SYN flag set. The victim thinks that these

are legitimate requests for TCP connection

establishment. In response to each request, the victim

reserves buffer space

(approximately 300 bytes). Eventually, the victims

communication link and/or memory are exhausted.

There are some other scenarios such as sending large

number of UDP packets to nonlistening ports on

victim via attacker , or sending a very large number

of ICMP Echo Request message to the victims

network. A distributed DoS (DDoS) is also harder todetect compared to DoS emanating from a single

source. In a DDoS attack, the brain behind the attack

scans the Internet to find multiple vulnerable hosts

called handlers and compromises them. Each handler,

in Turn, recruits many agents or zombies to lunch the

attack.[4]

ARP spoofing

ARP poison routing (APR)or ARP cache poisoning,

a method of attacking an EthernetLAN by updating

the target computers ARPcache with both a forged

ARP request and reply packets in an effort to change

the Layer 2 Ethernet MAC address (i.e., the address

of the network card) to one that the attacker can

monitor. Because the ARP replies have been forged,

the target computer sends frames that were meant for

the original destination to the attackers computer


6/12

first so the frames can be read. A successful APR

attempt is invisible to the user.

Remedies: Avoid using insecure protocols like Basic

HTTP Authentication and Telnet. You should make

it a practice to sniff your own network to see whatinformation is being passed and ensure youre not

already sending sensitive information across the

network. If you do have to use an insecure protocol,

tunnel it through a secure channel (SSH, SSL,

etc.)Look into using Static ARP tables between

critical workstations and servers. Although a pain to

maintain, they do limit the chances of ARP spoofing.

You can run software like ARP Watchto detect

changes in MAC addresses on the network. Try

running tools that can detect if a NIC is running in

promiscuous mode, this could be a sign of sniffing.

(Sniffedand Sentinelare common tools)All mobile

or guest access points should use a VPN to connect to

the network. Better yet, keep public terminals on a

separate LAN from workstations and servers.

Lockdown workstations so that users cant install

sniffing software or boot from live CDs (Backtrack).

Attacks on DNS

Consider a bank called A that has an internet

presence. A allow its customers to perform banking

transaction over the internet by visiting and logging

on to its web site WWW.A.COM, on his browser.

The web page that is downloaded has the look and

feel the authentic one but is site owned by an

attacker. The customer is unaware that the web site

belongs to an attacker. He proceeds to enter his login

name an password which are then captured by the

attacker

DNS security extension

DNSSEC is a suite of extensions that add security to

the DNS protocol. The core DNSSEC extensions are

specified in RFCs 4033, 4034, and 4035 and add

origin authority, data integrity, and authenticated

denial of existence to DNS. In addition to several

new concepts and operations for both the DNS server

and the DNS client, DNSSEC introduces four new

resource records (DNSKEY, RRSIG, NSEC, and DS)

to DNS. In short, DNSSEC allows for a DNS zone

and all the records in the zone to be cryptographically

signed. When a DNS server hosting a signed zone

receives a query, it returns the digital signatures in

addition to the records queried for. A resolver or

another server can obtain the public key of the

public/private key pair and validate that the responses

are authentic and have not been tampered with. In

order to do so, the resolver or server must be

configured with a trust anchor for the signed zone, or

for a parent of the signed zone.

Frame spoofing

Two main types of this spoofing are both spoofed

deauthentication frame and spoofing power

management control frames. In first one, middle of

delivering data between AP and station an attacker

who has spoofed MAC address of the related station

sends deauthentcation frame to AP. AP think this

frame came from genuine station and it closes

connection. Then remained packets will fail.

Software Vulnerabilities

Phishing

Phishing, in its common form, is the process of luring

a victim to a fake website by clicking on a link. The

victim usually encounters the link in an e-mail

message sent to him or on a webpage being browsed

by him. Phishers can get user information target,

PayPal, eBay site or online bank.

CROSS-SITE SCRIPTING (XSS)

In this, attack is wanted from user to login to his

bank. It seems every things (website address, security

certification ) are normal but link to that website is

changed. It occurs because of some disadvantages or

challenges in website script, programmer used it.

Overcoming XSS: Using suitable web browsers;

using no script tools; not clicking on unknown links.

SQL INJECTION

One type of hackers attacks is on websites that

allows to hacker access to database with use of SQL

language. SQL injection is a code injection technique


7/12

that exploits security vulnerability in a website's

software. The vulnerability happens when user input

is either incorrectly filtered for string literal escape

characters embedded in SQL statements or user input

is not strongly typed and unexpectedly executed.

SQL INJECTION REMEDIES: selecting object

oriented structure of ASP.NET; avoiding +, &

characters ; using custom error detection that hackers

cannot use formal error to attack to site; instead of

single quote using OlebbCommand in SQL codes;

at the end of codes using CmndCheck.

Access Control in the Operating

System

Access control is authority to control access to

resources. User, group of user and a machine has a

valid account on the system (UID, GID) are three key

entities involved in access control. there are three

access control policy as well as discretionary,

mandatory and role base access control.

Discretionary access control (DAC) is an access

policy determined by the owner of an object (objects

are resources that subject need to access to) that who

allowed to access the object and what privileges they

have. Two important example of DAC are UNIX andWINDOWS access control . UNIX based on a user

who has an account on the system. Windows control

operations, are on file system in objects, threads,

sockets, semaphores, register key. Mandatory access

control (MAC) is an access policy determined by the

system not the owner.MAC is used in multilevel

system that process highly sensitive data such as

classified government and military information. Role

base access control is an access policy determined by

the system not the owner. Role base access control is

used in commercial application and also military

system. It is controlled at the system level outside of

users control.[6]

IPS AND IDS

IPS forestalls various kinds of attacks and IDS is a

device or software appliances that monitor system

activities for malicious activities and make a report to

a management station. For example in password

strategy : (i) we should have eight character hard to

guess, (ii) changing password at least once in twomounts , (iii) try to store password securely and

dont inform it to others. Moreover; (iv) after three

unsuccessful attempt to an account, account should

be disable in twenty minutes. The first and second

can be either user base or force by system. The third

issue just involves user alone and the forth one

involves system alone. These mentioned levels are

belonged to IPS. IDS should monitor loggings such

as a person for five years has never logged in outside

of office hours when in 4 am logged in, IDS should

alert.[9]

Firewalls

A firewall is a hardware device or software

application that sits between your computer and the

Internet and blocks all Internet traffic from reaching

your computer that you have not specifically

requested. What this means is that if you browse to a

web site, the firewall will allow the traffic from that

web site to reach your computer and thereforeyourself. On the other hand, if you did not request

information from that web site, and the web site sent

traffic to you, it would be denied from reaching your

computer because you did not specifically ask for it.

This behavior can be changed if you wish, and we

will discuss that further in the document.[7]

WS-SECURITY (web Service

Security)

As the use cases for our customer's application werebeing developed, a set of security-related, non-

functional requirements were identified: The

communication between our customer and his

business partner should not be able to be viewed by a

third party as it travels on the Internet. Our customer

needed to be able to determine from whom the

message was coming and be able to verify that the

sender was who the sender claimed to be. Our


8/12

customer needed to be able to ensure that the data

being transmitted was not tampered with.

SAML: Perhaps the biggest roadblocks to the long-

term success of Web services are security issues. And

one of the most important of those security issues is

user authentication - specifically, allowing a user to

sign on or use multiple Web services from separatebut affiliated sites, without having to authenticate

himself at every step of the process. That's the job of

SAML (Security Assertion Markup Language), an

XML-based standard for authentication and

authorization that provides a "single sign-on" so that

people can be authenticated once and then be able to

access multiple Web services. SAML allows each

individual site to have its own mechanism for sign-on

and authentication, but will allow sites to accept

authenticated users from other sites.[15]

Conclusion

Computer security is all about studying Cyber

Attacks with a view to defending against them.

Understanding what makes systems vulnerable to

these attacks is an important first step in avoiding or

preventing them. Most hackers were young adults,

often teens, who had dropped out of school but were

otherwise intelligent and focused. Many of the

traditional hackers seem to be obsessive

programmers. They seem to be adept at

circumventing limitation to achieve a challenging butoften forbidden objective.

Remember that security is a process. You have to be

vigilant, but the price of vigilance is secure data and

no net loss of competitive advantage. Although no

amount of negligence provides legitimate reasons for

a third party to steal data, neither does that absolve

system administrators of responsibilities to secure

their networks. Working with open standards and

setting organizational hardware and software

standards are at the core of the network-growth

process. Remember, too, that network management

becomes increasingly important as the network grows

larger; otherwise, the system administrators are

overrun doing work that can easily be automated.

The Internet is growing and changing at a rate

beyond one persons comprehension. Its easy to

figuring out why the network in and get physically

connected. The difficult part of networking is

figuring out why the network works (or alternatively,

doesnt n work) and cause of various problems.

Organizations must conduct a periodic risk and

vulnerability assessment in an attempt to close the

vulnerability window on the organizations ITinfrastructure and its assets. The gap in time from

when an organization realizes it has a threat from a

known vulnerability to when the organization

actually implements the proper security controls and

security countermeasures is known as the

vulnerability window. Behind every attack is a

vulnerability of some type or other. But what exactly

is vulnerability? Vulnerability is a weakness or

lacuna in a procedure, protocol, hardware, or

software within an organization that has the potential

to cause damage. The understanding of security

vulnerabilities is the key in helping us understanding

attacks better and, more importantly, in defending

against them.

This is important to remember that NIDS (Network-

based Intrusion Detection System) is just a tool in

your collection, not be-all and end-all security

mechanism, despite what NIDS vendors tell to you.

Deploying an IDS/IPS and tuning it to a point where

the alerts generated are relevant is not an easy or

quick project. False positives may plague an analyst

for days or weeks to come but the only thing worsethan a false positive is a false negative. Knowledge

of the environment is absolutely critical to save the

analyst time in the long run and being comfortable

with how the detection engines are set up. The

proper time and resources must be allocated to

maximize any return on investment an IDS/IPS

provides. Web services involve a fundamental shift in

how justice agencies will manage, access, and share

information. Within the Web services architecture,

security is key in justice implementations involving

sensitive but unclassified information.

However, with the sophistication of attacking

methods and advancement of information

technology, it is necessary for countermeasures to

constantly evolve as well, and so as our recurrence

prevention measures against new threats.


9/12

Case study: Result for availabilitys

impact on NIDS versus NIPS

(Network-base Intrusion Prevention

System) decision.

Networked computers with exposed vulnerabilities

may be disrupted or taken over by a hacker, or by

automated malicious code. Should a terrorist group

attempt to launch a coordinated cyber attack against

computers that manage the critical infrastructure,

they may find it useful to copy some of the tactics

now commonly used by todays computer hacker

groups to locate Internet-connected computers with

vulnerabilities, and then systematically exploit those

vulnerabilities.

Availability is a time value calculated in terms ofMTBF (Mean Time Between Failures) and MTTR

(Main time to Repair). The MTBF number is

provided by the manufacturer and is expressed in

hours. The MTTR number, variable and dependent

upon the specific network, is also expressed in hours.

Availability = MTBF/ (MTBF+MTTR). The most

common way to express this availability calculation

is by percentage. It is commonly referenced by

network professionals using the term 9s, illustrated

in following table to calculate annual availability,

you can multiply your targeted 9s value by 525,600

minutes per year.

* Availability *Annual downtime

* 90% (one 9) *36.5 days

*99 % (two 9s) *3.65 days

A device with a MTBF of 175,000 hours and an

MTTR of 30 minutes has a calculated annual

availability of 525,598 minutes, which equals 1.52

minutes of downtime. Appendix C provides more

detail and complex examples regarding thesecalculations. The real challenge in computing the

availability of any system or network is in

understanding the MTTR. This value is unique to

your environment, affected by variables such as

routing protocol convergence time and/or spanning

tree convergence time, depending on your topology.

You need to understand exactly what happens when

an inline device fails to forward traffic properly. This

can be due to power, hardware, or other

environmental failure. Ideally you would build a full

test environment with your intended NIPS design and

then test the different scenarios. You should be able

to estimate the impact of failure by analyzing a few

key variables:

Interface fail-open how long does it take for a set

of inline interfaces to begin passing traffic after a

failure? Will traffic be queued or dropped?

Layer 3 (L3) environment failures when your

NIPS is deployed on a routed network segment, how

long does your routing protocol take to converge?

Layer 2 (L2) environment failures when your

NIPS is deployed on a physically redundant L2network segment, how quickly will the spanning tree

converge?

Non-hardware sources of downtime. Were doing

these calculations based purely on hardware failure

calculations, so you must also consider software

failure, environmental considerations, and human

error. Compared to other network devices, A NIPS

has a much higher number of software updates

(signatures, typically). Application of these software

updates always introduces the possibility of software

failure or human error that could result in an

unexpected outage.

Critical data center

Data center

Desktop LAN NIDS

Remote access

Extranet NIPS

Lab

Availability requirements


10/12

References

[1]. Schiller, j. mobile communications, 2nd

Ed., Addison Wesley, 2003, Indian reprint Pearson educations, 2003

[2]. Adelstein, F.,S.K.S. Gupa, G. G. Richard III, and L. Schwiebert, Fundamentals of Mobile and Pervasive

Computing, McCGraw-Hill, 2005, Reprint, Tata McGraw-Hill 2005.

[3]. B. Forouzan , Cryptography and Network Security, McGraw Hill, 2007.

[4]. A. Hussain, j. Heidemann, and C. Papadopoulos, A framework for classifying denial of service attacks,

proceedings of the ACM SIGCOMM Conference (KARLSRUHE, Germany), pp. 99-110, 2003.

[5]. T. Gallagher, B. Jeffries, and L. Landauer, Hunting SecurityBugs, Microsoft Press, 2006.

[6]. S. Govindavajhala and A. Apple, Windows access control demystified , Tech.report, Princeton University,

2006.

[7]. John Wack, Ken Cutler, and Jamie Pole, Guidelines on firewalls and firewall Policy, NIST Special

Publication, pp. 800-841,January 2002.

[8].www.sans.org

[9].www.cert.org

[10].www.mitre.org/work/cybersecurity.html

[11].www.gsmworld.com

[12].www.emvco.com

[13].www.chpandspin.co.uk

[14].www.w3,org/TR/xmlnec-core/

[15].www.oasis-open.org/specs/#salmv2.0
http://www.sans.org/http://www.sans.org/http://www.sans.org/http://www.cert.org/http://www.cert.org/http://www.cert.org/http://www.mitre.org/work/cybersecurity.htmlhttp://www.mitre.org/work/cybersecurity.htmlhttp://www.mitre.org/work/cybersecurity.htmlhttp://www.gsmworld.com/http://www.gsmworld.com/http://www.gsmworld.com/http://www.emvco.com/http://www.emvco.com/http://www.emvco.com/http://www.chpandspin.co.uk/http://www.chpandspin.co.uk/http://www.chpandspin.co.uk/http://www.w3%2Corg/TR/xmlnec-core/http://www.w3%2Corg/TR/xmlnec-core/http://www.w3%2Corg/TR/xmlnec-core/http://www.oasis-open.org/specs/#salmv2.0http://www.oasis-open.org/specs/#salmv2.0http://www.oasis-open.org/specs/#salmv2.0http://www.oasis-open.org/specs/#salmv2.0http://www.w3%2Corg/TR/xmlnec-core/http://www.chpandspin.co.uk/http://www.emvco.com/http://www.gsmworld.com/http://www.mitre.org/work/cybersecurity.htmlhttp://www.cert.org/http://www.sans.org/


11/12


12/12

impact of cyber war on information security development final

Documents