impact of cyber war on information security development final

Upload: majid-shahgholi

Post on 06-Apr-2018


8/3/2019 Impact of Cyber War on Information Security Development Final

IMPACT OF CYBER WAR ON INFORMATION SECURITY DEVELOPMENT

Abdolmajid Shahgholi, M.Tech student of Computer Networks and Information Security, Jawaharlal Nehru Technological University, [email protected]

Hamid Reza Barzegar, M.Tech student of Computer Networks and Information Security, Jawaharlal Nehru Technological University, [email protected]

ABSTRACT

Nowadays, network security deals with the policies and technologies that defend against cyber attacks arising from Internet-oriented computer networks and information-exchange technologies. This paper presents specific vulnerabilities of network-based technologies such as wireless LANs, cellphones, non-cryptographic protocols and Web services, together with several security techniques including access control, IDS, IPS, firewalls, DNSSEC and Web service security. Finally, the specific result of availability's impact on NIDS versus NIPS is explained.

KEY WORDS: frame spoofing, pharming attacks, phishing, SAML, 2G, UMTS

Introduction

Computer security is unlike other forms of security. Products such as locks, safes, and steel doors give clear ratings on what types of attacks they can withstand and for how long they can withstand them. Security can be achieved in many ways, but it is pretty well universally agreed that confidentiality, integrity, and availability (CIA) form the basic building blocks of any good security initiative.

Attacks on an IT infrastructure and its assets can disrupt the availability of service, resulting in loss of productivity, violation of service level agreements, financial loss or loss of life; attacks against the integrity of a system mean that information or data can be modified, altered or destroyed. Who, from the perspective of an IT infrastructure, are internal attackers and external attackers? Internal attackers are commonly linked to disgruntled employees, contractors, or third-party users who, for whatever reason, have lost respect and integrity for the organization, including its IT infrastructure and assets. External attackers are commonly linked to one of numerous attacker profiles or types.

Cyber-terrorists and cyber-criminals are individuals or groups of individuals who are funded to conduct clandestine or espionage activities against governments, corporations, and individuals in an unlawful manner. These individuals typically engage in sponsored acts of defacement, DoS/DDoS attacks, identity theft, financial theft or, worse, the compromise of critical infrastructure in countries, such as nuclear power plants, electric plants, water plants, and so on.

Wireless networks present formidable challenges in the area of security. The open nature of such networks makes it relatively easy to sniff packets or even to modify and inject malicious packets into the network.

One of the most widely deployed cellular networks is the Global System for Mobile Communications (GSM). The designers of GSM, or 2G (second-generation cellular networks), had several goals in mind. From a security viewpoint, it was also designed to protect against charge fraud and eavesdropping. The successor to GSM is the Universal Mobile Telecommunications System (UMTS), or simply 3G. It promised advanced services such as mobile Internet, multimedia messaging and videoconferencing.

Specific features in Internet protocols such as TCP, UDP, and ICMP are exploited to launch DoS attacks. While vulnerabilities lurk in specific features of a protocol, they may also be due to the way a certain protocol is implemented.

There are many known vulnerabilities that make software insecure. Of these, the buffer overflow vulnerability is the most common. In addition, web applications may be vulnerable to cross-site scripting attacks, and database applications may be vulnerable to SQL injection attacks.

Access control can be built into the application or implemented at the system level. Access control may be enforced at different levels of granularity. At the first level of granularity, illegal access to memory needs to be prevented.

An intrusion is the act of gaining unauthorized access to a system so as to cause loss or harm. Two ways of handling attempted intrusions are intrusion prevention and intrusion detection.

A firewall acts as a security guard controlling access between an internal, protected network and an external, untrusted network, based on a given security policy. A firewall may be implemented in hardware as a stand-alone firewall appliance or in software on a PC. The promoters of Web services needed to figure out some way of securing Web services that can potentially be accessed by a complete stranger over the network. Without the proper security infrastructure in place, the adoption of Web services would not have been possible.

IEEE 802.11 Wireless LAN Security

A wireless LAN (or WLAN, for wireless local area network, sometimes referred to as LAWN, for local area wireless network) is one in which a mobile user can connect to a local area network (LAN) through a wireless (radio) connection. The IEEE 802.11 group of standards specifies the technologies for wireless LANs. The 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing and include an encryption method, the Wired Equivalent Privacy algorithm.

Background

There are two principal types of WLANs: ad-hoc networks, where stations communicate directly with each other, and infrastructure WLANs, which use an access point (AP). A station first sends a frame to an AP, and the AP then delivers it to its final destination. The destination may be another wireless station or a station on the wired network. The union of the basic service sets comprises an extended service set (ESS). As in wired LANs, each station and AP in the ESS is uniquely identified by a MAC address, a 48-bit quantity. In addition, each AP is also identified by an SSID (service set identifier), which is a character string of at most 32 characters. A special kind of frame called a beacon is periodically broadcast by the AP. A station, on power-up, can discover an AP within its range by monitoring the wireless medium for a beacon. The beacon usually contains the SSID of the broadcasting AP. Alternatively, a station sends a Probe Request, which probes for APs within its range. An AP, on hearing such a request, responds with a Probe Response frame containing the SSID of the AP and also information about its capabilities, supported data rates, etc. To become part of the WLAN, a station has to associate with an AP. A station that wishes to associate with an AP sends it an Associate Request frame. The AP replies with an Associate Response frame if it accepts the request. Before association, 802.11 requires the station to authenticate itself to the AP.

WLAN vulnerabilities

Wireless LANs (WLANs) are susceptible to the same protocol-based attacks that plague wired LANs, and also have their own set of unique vulnerabilities. Since wireless access points may proliferate in an organization, unsecured wireless access points can be a danger to organizations because they offer the attacker a route around the company's firewall and into the network.

SSID issues

The service set identifier (SSID) is an identification value programmed into the access point or group of access points to identify the local wireless subnet. This segmentation of the wireless network into multiple networks is a form of authentication check. If a wireless station does not know the value of the SSID, access is denied to the associated access point. When a client computer is connected to the access point, the SSID acts as a simple password, providing a measure of security.

Authentication

The wired network is often an Ethernet LAN with an existing security infrastructure that includes an Authentication Server (AS). In many organizations, AAA (authentication/authorization/accounting) functionality is provided by a RADIUS (Remote Authentication Dial In User Service) server; the challenge then is to develop protocols that seamlessly integrate the WLAN with the security infrastructure of the wired network. 802.11i uses IEEE 802.1X, a protocol that supports authentication at the link layer. Three entities are involved: (i) the supplicant (the wireless station), (ii) the authenticator (the AP in our case), and (iii) the authentication server. Different authentication mechanisms and message types are defined by the IETF's Extensible Authentication Protocol (EAP). EAP is not really an authentication protocol but rather a framework upon which various authentication protocols may be supported. EAP exchanges are mostly comprised of requests and responses. The AP broadcasts its security capabilities in the beacon or Probe Response frame. The station uses the Associate Request frame to communicate its security capabilities. 802.11i authentication takes place after the station associates with an AP. This differs from earlier versions of 802.11, where authentication precedes association. The protocol used between the station and the AP is EAP.

The main authentication methods supported by EAP include EAP-MD5, EAP-TLS, EAP-TTLS and EAP-PEAP. EAP-MD5 lets a RADIUS server authenticate LAN stations by verifying an MD5 hash of each user's password. This is a simple and reasonable choice for trusted Ethernets where there is low risk of outsider sniffing or active attack. However, EAP-MD5 is not suitable for public Ethernets or wireless LANs because outsiders can easily sniff station identities and password hashes, or masquerade as access points to trick stations into authenticating with them instead of the real ones. EAP with Transport Layer Security (EAP-TLS) is the only standard secure option for wireless LANs at this time. EAP-TLS requires the station and the RADIUS server to both prove their identities via public key cryptography (i.e., digital certificates or smart cards). This exchange is secured by an encrypted TLS tunnel, making EAP-TLS very resistant to dictionary or other MitM attacks. However, the station's identity (the name bound to the certificate) can still be sniffed by outsiders. EAP-TLS is most attractive to large enterprises that use only Windows XP/2000/2003 with deployed certificates. EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP) are Internet Drafts that have been proposed to simplify 802.1X deployment. Both require certificate-based RADIUS server authentication, but support an extensible set of user authentication methods. Organizations that have not yet issued certificates to every station, and don't want to do so just for 802.1X, can use Windows logins and passwords instead. RADIUS servers that support EAP-TTLS and PEAP can check LAN access requests against Windows Domain Controllers, Active Directory, and other existing user databases. From a sniffing perspective, these options are just as strong as EAP-TLS. However, user passwords are still more likely to be guessed, shared, or disclosed through social engineering than client-side certificates.

Replacement of WEP

802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP's insecurities. WPA implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to its approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher. [1][2]

Cellphone Security

Second-generation cellular networks (2G):

2G technology introduced the idea of the Subscriber Identity Module (SIM) card. This is basically a smart card that can be removed from one cellphone and placed in another. It stores three secrets and performs cryptographic operations involving some of the secrets. The secrets are: a unique 15-digit subscriber identification number called the International Mobile Subscriber Identity (IMSI); a 128-bit subscriber authentication key, denoted Ki, known only to the SIM and the HLR of the subscriber's home network; and a PIN known to the phone's owner and used to unlock the SIM. The PIN is intended to prevent stolen phones from being used.[11]

Threats: In order to understand the GSM security mechanism, you first must understand the threats that the GSM system is attempting to protect against. Two main motivations for attackers of mobile phone systems are theft of service and interception of data. Theft of service can come in many forms, but the most technically interesting is the cloning of a phone. When cloning a phone, an attacker steals the identifying information from a legitimate phone and loads it onto another phone. This allows the attacker to masquerade as the legitimate phone, causing charges to be assessed against the account holder of the legitimate phone. Data interception on mobile phone networks, another major concern, is a threat similar to that on other wireless networks. An attacker, using relatively unsophisticated tools, can listen to the transmissions between the phone and the base station in an effort to eavesdrop on the voice and data transmissions occurring. The largest defense against this type of attack is encryption of the data in the air.

Authentication: Authentication depends on the SIM, which holds the individual authentication key Ki, the user identification IMSI and the algorithm used for authentication. Authentication makes use of a challenge-response method. The authentication centre (AuC) produces a random number RAND as the challenge, and the SIM inside the MS answers with SRES as the reply. The AuC carries out the fundamental production of random values RAND, signed responses SRES and cipher keys for every IMSI, and then forwards this information to the HLR. The current VLR requests the appropriate values of RAND, SRES and Kc from the HLR, and the VLR transmits the random value RAND to the SIM. The mobile station transmits back the SRES produced by the SIM. Both values are compared by the VLR; if they match, the VLR accepts the subscriber, otherwise the subscriber is refused. System security is maintained by algorithms such as A3 for authentication, A5 for encryption and A8 for production of the cipher key.

Encryption: After authentication, the MS and BSS can start encryption using the cipher key Kc. Kc is produced from the individual key Ki and the random value RAND by algorithm A8; because both sides hold Ki and RAND, the SIM in the MS and the network calculate the same Kc. With algorithm A5 and the cipher key Kc, the MS and BTS encrypt and decrypt data. Kc should be a 64-bit key.
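The AuC/HLR, VLR and SIM exchange described above, as an added simulation that is not part of the paper. A3 and A8 are operator-specific algorithms, so HMAC-SHA256 stands in for both (an assumption of this example, not GSM's real A3/A8); the IMSI and Ki values are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# A3/A8 stand-ins: HMAC-SHA256 truncated to the GSM sizes (assumption, see lead-in).


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: 32-bit signed response SRES computed from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: 64-bit cipher key Kc derived from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class Sim:
    """The SIM: holds IMSI and Ki, and only ever answers challenges."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki  # never leaves the card

    def answer(self, rand: bytes) -> Tuple[bytes, bytes]:
        """Given RAND, return (SRES, Kc). Ki itself is never transmitted."""
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class AuC:
    """Authentication centre: knows Ki for every IMSI and mints triplets."""

    def __init__(self, subscribers: Dict[str, bytes],
                 rng: Callable[[int], bytes] = secrets.token_bytes) -> None:
        self._subscribers = subscribers
        self._rng = rng  # injectable so a test can use a fixed RAND

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        """(RAND, SRES, Kc) for one authentication of this IMSI."""
        ki = self._subscribers[imsi]
        rand = self._rng(16)  # 128-bit challenge
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


class Vlr:
    """Visitor location register: runs the challenge against the MS."""

    def __init__(self, auc: AuC) -> None:
        self._auc = auc
        self.air_log: List[Tuple[str, bytes]] = []  # what the radio link carries

    def authenticate(self, sim: Sim) -> Optional[bytes]:
        """Return Kc for A5 ciphering if SRES matches, else None (refused)."""
        rand, expected_sres, kc = self._auc.triplet(sim.imsi)
        self.air_log.append(("RAND", rand))
        sres, _ = sim.answer(rand)
        self.air_log.append(("SRES", sres))
        if hmac.compare_digest(sres, expected_sres):
            return kc  # MS and network now share Kc without ever sending it
        return None


# Constructed sample subscriber; the IMSI and Ki are made-up values.
SAMPLE_IMSI = "404100123456789"
SAMPLE_KI = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def demo() -> Dict[str, bool]:
    auc = AuC({SAMPLE_IMSI: SAMPLE_KI})
    vlr = Vlr(auc)
    kc = vlr.authenticate(Sim(SAMPLE_IMSI, SAMPLE_KI))
    # A phone that knows the IMSI but not Ki cannot produce the right SRES.
    wrong_ki = Sim(SAMPLE_IMSI, bytes(16))
    # A cloned SIM (IMSI and Ki copied) is indistinguishable from the original:
    # this is the theft-of-service threat described in the text.
    clone = Sim(SAMPLE_IMSI, SAMPLE_KI)
    return {
        "genuine_accepted": kc is not None and len(kc) == 8,
        "wrong_ki_refused": vlr.authenticate(wrong_ki) is None,
        "clone_accepted": vlr.authenticate(clone) is not None,
        "ki_never_on_air": all(v != SAMPLE_KI for _, v in vlr.air_log),
    }


if __name__ == "__main__":
    print(demo())
```

Only RAND and SRES cross the air interface; an eavesdropper who records them still lacks Ki, which is why protecting Ki on the card is the whole game.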

Security enhancements in UMTS

The security functions of UMTS are based on what was implemented in GSM. Some security functions have been added and some existing ones have been improved. The encryption algorithm is stronger and is included on the base station (Node-B) to radio network controller (RNC) interface, the application of authentication algorithms is stricter and subscriber confidentiality is tighter.

The main security elements inherited from GSM are: authentication of subscribers; subscriber identity confidentiality; a Subscriber Identity Module (SIM) that is removable from the terminal hardware; and radio interface encryption.

Additional UMTS security features are: security against the use of false base stations, through mutual authentication; encryption extended from the air interface only to include the Node-B to RNC connection; protection of security data in the network, both in data storage and while ciphering keys and authentication data are transmitted within the system; and a mechanism for upgrading security features.

Core network traffic between RNCs, MSCs and other networks is not ciphered. Operators can implement protection for their core network transmission links, but that is unlikely to happen. MSCs will by design have lawful interception capabilities and access to Call Data Records (CDR), so all switches will have to have security measures against unlawful access.

The UMTS specification has five security feature groups. Network access security: the set of security features that provide users with secure access to 3G services, and which in particular protect against attacks on the (radio) access link. Network domain security: the set of security features that enable nodes in the provider domain to securely exchange signaling data, and that protect against attacks on the wireline network. User domain security: the set of security features that secure access to mobile stations. Application domain security: the set of security features that enable applications in the user and provider domains to securely exchange messages. Visibility and configurability of security: the set of features that enable the user to inform himself whether a security feature is in operation or not, and whether the use and provision of services should depend on that security feature.

The UMTS specification has the following user identity confidentiality security features. User identity confidentiality: the property that the permanent user identity (IMSI) of a user to whom a service is delivered cannot be eavesdropped on the radio access link. User location confidentiality: the property that the presence or arrival of a user in a certain area cannot be determined by eavesdropping on the radio access link. User untraceability: the property that an intruder cannot deduce whether different services are delivered to the same user by eavesdropping on the radio access link. Air interface ciphering/deciphering is performed in the RNC on the network side and in the mobile terminal. Ciphering is a function of the air interface protocol's Radio Link Control (RLC) layer or Medium Access Control (MAC) layer.

Non-Cryptographic Protocol Vulnerabilities

DoS and DDoS

In typical DoS attack scenarios, a victim is flooded with packets that elicit some kind of response. An attacker sends thousands of TCP packets to its victim with the SYN flag set. The victim thinks that these are legitimate requests for TCP connection establishment. In response to each request, the victim reserves buffer space (approximately 300 bytes). Eventually, the victim's communication link and/or memory are exhausted. There are other scenarios, such as the attacker sending a large number of UDP packets to non-listening ports on the victim, or sending a very large number of ICMP Echo Request messages to the victim's network. A distributed DoS (DDoS) is also harder to detect than a DoS emanating from a single source. In a DDoS attack, the brain behind the attack scans the Internet to find multiple vulnerable hosts called handlers and compromises them. Each handler, in turn, recruits many agents or zombies to launch the attack.[4]
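Detection logic for the SYN-flood scenario above, as an added example that is not part of the paper: it counts half-open connections per source and in total over a constructed packet log, and shows why the distributed case slips past per-source counting. The 300-byte figure is the reservation quoted in the text; the thresholds and the RFC 5737 documentation addresses are assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

# Per-request buffer reservation quoted in the text; thresholds below are assumptions.
BYTES_PER_HALF_OPEN = 300


class Packet(NamedTuple):
    src: str
    dst: str
    flags: str  # "S" = client SYN, "A" = the ACK that completes the handshake


def half_open_connections(packets: Iterable[Packet], victim: str) -> Counter:
    """Per-source count of SYNs sent to `victim` whose handshake never completed.

    A SYN adds one outstanding request for its source; the client's final ACK
    retires one. The victim's own SYN-ACKs play no part in this bookkeeping,
    so the constructed log omits them.
    """
    outstanding: Counter = Counter()
    for p in packets:
        if p.dst != victim:
            continue
        if p.flags == "S":
            outstanding[p.src] += 1
        elif p.flags == "A" and outstanding[p.src] > 0:
            outstanding[p.src] -= 1
    return +outstanding  # unary plus drops sources that went back to zero


def assess(packets: Iterable[Packet], victim: str,
           per_source_limit: int = 20, backlog_limit: int = 100) -> Dict[str, object]:
    """Two detectors side by side: per-source counting and total backlog size."""
    outstanding = half_open_connections(packets, victim)
    total = sum(outstanding.values())
    return {
        "flooding_sources": sorted(s for s, n in outstanding.items() if n > per_source_limit),
        "half_open_total": total,
        "reserved_bytes": total * BYTES_PER_HALF_OPEN,
        "backlog_alert": total > backlog_limit,
    }


VICTIM = "192.0.2.10"  # constructed documentation address


def legitimate_client() -> List[Packet]:
    """One normal handshake: SYN followed by the completing ACK."""
    return [Packet("198.51.100.7", VICTIM, "S"), Packet("198.51.100.7", VICTIM, "A")]


def single_source_flood(syns: int = 50) -> List[Packet]:
    """DoS from one host: many SYNs, no ACKs."""
    return [Packet("203.0.113.5", VICTIM, "S") for _ in range(syns)]


def distributed_flood(zombies: int = 40, syns_each: int = 3) -> List[Packet]:
    """DDoS: every zombie stays under the per-source limit, yet the backlog fills."""
    return [Packet(f"203.0.113.{100 + z}", VICTIM, "S")
            for z in range(zombies) for _ in range(syns_each)]


def demo() -> Dict[str, Dict[str, object]]:
    return {
        "dos": assess(legitimate_client() + single_source_flood(), VICTIM),
        "ddos": assess(legitimate_client() + distributed_flood(), VICTIM),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The single-source flood is caught by the per-source rule alone, while the distributed flood only trips the backlog rule, which is the reason the text gives for DDoS being harder to detect.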

ARP spoofing

ARP poison routing (APR), or ARP cache poisoning, is a method of attacking an Ethernet LAN by updating the target computer's ARP cache with forged ARP request and reply packets, in an effort to change the Layer 2 Ethernet MAC address (i.e., the address of the network card) to one that the attacker can monitor. Because the ARP replies have been forged, the target computer sends frames that were meant for the original destination to the attacker's computer first, so that the frames can be read. A successful APR attempt is invisible to the user.

Remedies: Avoid using insecure protocols like Basic HTTP Authentication and Telnet. Make it a practice to sniff your own network to see what information is being passed, and ensure you are not already sending sensitive information across the network. If you do have to use an insecure protocol, tunnel it through a secure channel (SSH, SSL, etc.). Look into using static ARP tables between critical workstations and servers; although a pain to maintain, they do limit the chances of ARP spoofing. You can run software like arpwatch to detect changes in MAC addresses on the network. Try running tools that can detect whether a NIC is running in promiscuous mode, as this could be a sign of sniffing (Sniffdet and Sentinel are common tools). All mobile or guest access points should use a VPN to connect to the network. Better yet, keep public terminals on a separate LAN from workstations and servers. Lock down workstations so that users cannot install sniffing software or boot from live CDs (BackTrack).
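An arpwatch-style monitor of the kind the remedies above recommend, as an added example that is not part of the paper: it tracks IP-to-MAC bindings over constructed ARP reply records and alerts when a binding moves or contradicts a static entry. The addresses are documentation values and the static table stands for an operator-maintained list of critical hosts (an assumption).

```python
from typing import Dict, List, NamedTuple, Tuple

Alert = Tuple[int, str, str, str]  # (time, kind, ip, mac that triggered it)


class ArpReply(NamedTuple):
    ts: int          # seconds since capture start
    sender_ip: str
    sender_mac: str


def watch_arp(replies: List[ArpReply], static_table: Dict[str, str]) -> List[Alert]:
    """Track IP -> MAC bindings the way a station's cache would (last reply wins)
    and report when a binding moves, which is the symptom cache poisoning
    produces, or when a reply contradicts a pinned static entry."""
    cache: Dict[str, str] = {}
    history: Dict[str, List[str]] = {}
    alerts: List[Alert] = []
    for r in replies:
        pinned = static_table.get(r.sender_ip)
        if pinned is not None and pinned != r.sender_mac:
            alerts.append((r.ts, "static entry violated", r.sender_ip, r.sender_mac))
        prev = cache.get(r.sender_ip)
        if prev is None:
            alerts.append((r.ts, "new station", r.sender_ip, r.sender_mac))
        elif prev != r.sender_mac:
            seen_before = r.sender_mac in history.get(r.sender_ip, [])
            kind = "flip flop" if seen_before else "changed ethernet address"
            alerts.append((r.ts, kind, r.sender_ip, r.sender_mac))
        cache[r.sender_ip] = r.sender_mac
        history.setdefault(r.sender_ip, []).append(r.sender_mac)
    return alerts


# Constructed addresses (documentation ranges); the static table is assumed.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:53:01"
STATION_IP, STATION_MAC = "192.0.2.20", "00:00:5e:00:53:20"
STATIC_TABLE = {GATEWAY_IP: GATEWAY_MAC}  # critical host pinned by the operator

# Constructed capture: normal replies, then the gateway's IP is suddenly
# answered for with the station's MAC, then the real gateway answers again.
SAMPLE_REPLIES = [
    ArpReply(0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(1, STATION_IP, STATION_MAC),
    ArpReply(30, GATEWAY_IP, STATION_MAC),
    ArpReply(31, GATEWAY_IP, GATEWAY_MAC),
]


def demo() -> List[Alert]:
    return watch_arp(SAMPLE_REPLIES, STATIC_TABLE)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The "flip flop" alert is the signature of a gateway and an impostor answering in turn, which a user at the poisoned station would never notice.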

Attacks on DNS

Consider a bank called A that has an Internet presence. A allows its customers to perform banking transactions over the Internet by visiting and logging on to its web site, WWW.A.COM, in their browser. Now suppose the web page that is downloaded has the look and feel of the authentic one but is a site owned by an attacker. The customer is unaware that the web site belongs to the attacker. He proceeds to enter his login name and password, which are then captured by the attacker.

DNS security extensions

DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. In short, DNSSEC allows a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.

Frame spoofing

The two main types of this spoofing are spoofed deauthentication frames and spoofed power management control frames. In the first, in the middle of data delivery between the AP and a station, an attacker who has spoofed the MAC address of that station sends a deauthentication frame to the AP. The AP thinks this frame came from the genuine station and closes the connection. The remaining packets then fail.

Software Vulnerabilities

Phishing

Phishing, in its common form, is the process of luring a victim to a fake website by clicking on a link. The victim usually encounters the link in an e-mail message sent to him or on a webpage he is browsing. Phishers target user information for sites such as PayPal, eBay or online banks.

CROSS-SITE SCRIPTING (XSS)

In this attack, the user is asked to log in to his bank. Everything (the website address, the security certificate) seems normal, but the link to that website has been altered. It occurs because of weaknesses in the website's scripts that the programmer used. Overcoming XSS: using suitable web browsers; using NoScript tools; not clicking on unknown links.

SQL INJECTION

One type of hacker attack on websites gives the hacker access to the database through the SQL language. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and is unexpectedly executed.

SQL INJECTION REMEDIES: selecting the object-oriented structure of ASP.NET; avoiding the + and & characters; using custom error handling so that hackers cannot use formal error messages to attack the site; instead of single quotes, using OleDbCommand in SQL code; and at the end of the code, using CmndCheck.
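The same login lookup written the vulnerable way and the way the remedies above call for (parameters instead of string building, strong typing of input, generic error messages), as an added example that is not part of the paper; it uses an in-memory SQLite table with constructed rows rather than the ASP.NET classes the text names.

```python
import sqlite3
from typing import Dict, Optional


def make_db() -> sqlite3.Connection:
    """Constructed table; passwords are plaintext only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "correct horse"), (2, "bob", "hunter2")])
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, pw: str) -> Optional[str]:
    """String concatenation: the user's text becomes part of the statement."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND pw = '" + pw + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> Optional[str]:
    """Parameterised: the driver passes the text as values, never as SQL."""
    row = conn.execute("SELECT name FROM users WHERE name = ? AND pw = ?",
                       (name, pw)).fetchone()
    return row[0] if row else None


def user_by_id(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Strong typing: anything that is not an integer never reaches SQL."""
    try:
        uid = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


def login_with_generic_errors(conn: sqlite3.Connection, name: str, pw: str) -> str:
    """Custom error handling: the database's own error text never reaches the user."""
    try:
        who = login_safe(conn, name, pw)
    except sqlite3.Error:
        return "login failed"      # log the real error server-side instead
    return f"welcome {who}" if who else "login failed"


def demo() -> Dict[str, Optional[str]]:
    """One malformed password against both versions: only the concatenated
    statement changes its meaning, the parameterised one simply fails to match."""
    conn = make_db()
    crafted = "' OR '1'='1"
    return {
        "unsafe_with_crafted_pw": login_unsafe(conn, "alice", crafted),
        "safe_with_crafted_pw": login_safe(conn, "alice", crafted),
        "safe_with_real_pw": login_safe(conn, "alice", "correct horse"),
        "typed_lookup_bad_input": user_by_id(conn, "2 OR 1=1"),
    }


if __name__ == "__main__":
    print(demo())
```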

Access Control in the Operating System

Access control is the authority to control access to resources. A user, a group of users and a machine that has a valid account on the system (UID, GID) are the three key entities involved in access control. There are three access control policies: discretionary, mandatory and role-based access control. Discretionary access control (DAC) is an access policy, determined by the owner of an object (objects are the resources that subjects need to access), of who is allowed to access the object and what privileges they have. Two important examples of DAC are UNIX and Windows access control. UNIX bases it on a user who has an account on the system. Windows controls operations on objects in the file system, threads, sockets, semaphores and registry keys. Mandatory access control (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data such as classified government and military information. Role-based access control is likewise an access policy determined by the system, not the owner. Role-based access control is used in commercial applications and also in military systems. It is controlled at the system level, outside the user's control.[6]

IPS AND IDS

IPS forestalls various kinds of attacks, while IDS is a device or software appliance that monitors system activity for malicious activity and reports to a management station. For example, in a password strategy: (i) passwords should be eight characters and hard to guess; (ii) passwords should be changed at least once every two months; (iii) passwords should be stored securely and not disclosed to others; moreover, (iv) after three unsuccessful attempts on an account, the account should be disabled for twenty minutes. The first and second can be either user-based or enforced by the system. The third involves the user alone and the fourth involves the system alone. These levels belong to IPS. IDS should monitor logins; for example, if a person who for five years has never logged in outside office hours logs in at 4 am, the IDS should alert.[9]
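The fourth password rule above (three failures disable the account for twenty minutes) as an IPS-style gate, and the off-hours login rule as an IDS-style alert, both run over constructed login events; this is an added example, not part of the paper. Office hours of 08:00 to 18:00 on weekdays are an assumption.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

LOCKOUT_ATTEMPTS = 3                     # rule (iv) in the text
LOCKOUT_PERIOD = timedelta(minutes=20)   # rule (iv) in the text
OFFICE_HOURS = range(8, 18)              # assumption


class LoginEvent(NamedTuple):
    when: datetime
    user: str
    success: bool


class LockoutGate:
    """IPS side: refuses attempts while an account is disabled."""

    def __init__(self) -> None:
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, datetime] = {}

    def attempt(self, ev: LoginEvent) -> str:
        until = self._locked_until.get(ev.user)
        if until is not None and ev.when < until:
            return "blocked"                    # still inside the 20-minute window
        if ev.success:
            self._failures[ev.user] = 0
            return "allowed"
        n = self._failures.get(ev.user, 0) + 1
        if n >= LOCKOUT_ATTEMPTS:
            self._locked_until[ev.user] = ev.when + LOCKOUT_PERIOD
            self._failures[ev.user] = 0
            return "locked"
        self._failures[ev.user] = n
        return "failed"


def in_office_hours(when: datetime) -> bool:
    return when.weekday() < 5 and when.hour in OFFICE_HOURS


def off_hours_alerts(events: List[LoginEvent]) -> List[str]:
    """IDS side: alert on the first off-hours login of a user whose entire
    recorded history is in-hours, as with the 4 am login in the text."""
    in_hours: Dict[str, int] = {}
    off_hours: Dict[str, int] = {}
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.success:
            continue
        if in_office_hours(ev.when):
            in_hours[ev.user] = in_hours.get(ev.user, 0) + 1
            continue
        if in_hours.get(ev.user, 0) > 0 and off_hours.get(ev.user, 0) == 0:
            alerts.append(f"{ev.when.isoformat()} {ev.user}: first off-hours login "
                          f"after {in_hours[ev.user]} in-hours logins")
        off_hours[ev.user] = off_hours.get(ev.user, 0) + 1
    return alerts


# Constructed history: carol works office hours; dave is a night-shift user.
SAMPLE_EVENTS = [
    LoginEvent(datetime(2023, 3, 6, 9, 5), "carol", True),
    LoginEvent(datetime(2023, 3, 7, 8, 55), "carol", True),
    LoginEvent(datetime(2023, 3, 8, 9, 10), "carol", True),
    LoginEvent(datetime(2023, 3, 6, 23, 0), "dave", True),
    LoginEvent(datetime(2023, 3, 7, 23, 5), "dave", True),
    LoginEvent(datetime(2023, 3, 9, 4, 0), "carol", True),   # the 4 am login
    LoginEvent(datetime(2023, 3, 9, 4, 30), "dave", True),   # normal for dave
]


def demo() -> Dict[str, object]:
    gate = LockoutGate()
    base = datetime(2023, 3, 9, 9, 0)
    attempts = [(0, False), (1, False), (2, False), (10, True), (25, True)]
    verdicts = [gate.attempt(LoginEvent(base + timedelta(minutes=m), "erin", ok))
                for m, ok in attempts]
    return {"lockout": verdicts, "alerts": off_hours_alerts(SAMPLE_EVENTS)}


if __name__ == "__main__":
    print(demo())
```

Note that the correct password at minute 10 is still refused because the lockout is a property of the account, not of the credential offered.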

Firewalls

A firewall is a hardware device or software application that sits between your computer and the Internet and blocks all Internet traffic from reaching your computer that you have not specifically requested. What this means is that if you browse to a web site, the firewall will allow the traffic from that web site to reach your computer, and therefore you. On the other hand, if you did not request information from that web site and the web site sent traffic to you, it would be denied from reaching your computer because you did not specifically ask for it. This behavior can be changed if you wish, and we will discuss that further in the document.[7]
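A minimal stateful packet filter that behaves as the paragraph above describes, as an added example that is not part of the paper: unsolicited inbound traffic is dropped unless it answers a flow the protected host opened, or unless the administrator has explicitly opened the port (the "behavior can be changed" case). The idle timeout and the documentation addresses are assumptions.

```python
from typing import Dict, NamedTuple, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]  # proto, local ip, local port, remote ip, remote port


class Pkt(NamedTuple):
    ts: int          # seconds
    direction: str   # "out" from the protected host, "in" from the Internet
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


class StatefulFirewall:
    def __init__(self, idle_timeout: int = 300) -> None:
        self._idle_timeout = idle_timeout                 # assumption
        self._flows: Dict[FlowKey, int] = {}              # flow -> last activity
        self._open_ports: Set[Tuple[str, int]] = set()    # (proto, local port)

    def open_port(self, proto: str, port: int) -> None:
        """Administrator override: accept unsolicited traffic to this service."""
        self._open_ports.add((proto, port))

    def filter(self, p: Pkt) -> str:
        key: FlowKey = (p.proto, p.local_ip, p.local_port, p.remote_ip, p.remote_port)
        if p.direction == "out":
            self._flows[key] = p.ts          # remember that we asked for this
            return "allow"
        last = self._flows.get(key)
        if last is not None and p.ts - last <= self._idle_timeout:
            self._flows[key] = p.ts          # a reply to something we requested
            return "allow"
        if (p.proto, p.local_port) in self._open_ports:
            return "allow"                   # service deliberately exposed
        return "deny"                        # nobody on the inside asked for it


LOCAL = "192.0.2.50"  # constructed documentation address


def demo() -> Dict[str, str]:
    fw = StatefulFirewall(idle_timeout=300)
    web = ("tcp", LOCAL, 51000, "203.0.113.80", 443)
    verdicts = {
        "browse_out": fw.filter(Pkt(0, "out", *web)),
        "web_reply_in": fw.filter(Pkt(1, "in", *web)),
        "unsolicited_ssh_in": fw.filter(Pkt(2, "in", "tcp", LOCAL, 22, "198.51.100.9", 40000)),
    }
    fw.open_port("tcp", 22)  # the "behavior can be changed" case
    verdicts["ssh_in_after_opening"] = fw.filter(
        Pkt(3, "in", "tcp", LOCAL, 22, "198.51.100.9", 40000))
    verdicts["stale_web_reply_in"] = fw.filter(Pkt(1000, "in", *web))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

A reply that arrives long after the flow went idle is treated as unsolicited again, which is why real stateful firewalls expire their connection tables.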

WS-SECURITY (Web Service Security)

As the use cases for our customer's application were being developed, a set of security-related, non-functional requirements were identified: the communication between our customer and his business partner should not be viewable by a third party as it travels over the Internet; our customer needed to be able to determine from whom a message was coming and to verify that the sender was who the sender claimed to be; and our customer needed to be able to ensure that the data being transmitted had not been tampered with.

SAML: Perhaps the biggest roadblocks to the long-term success of Web services are security issues, and one of the most important of those security issues is user authentication: specifically, allowing a user to sign on to or use multiple Web services from separate but affiliated sites without having to authenticate himself at every step of the process. That is the job of SAML (Security Assertion Markup Language), an XML-based standard for authentication and authorization that provides a "single sign-on" so that people can be authenticated once and then be able to access multiple Web services. SAML allows each individual site to have its own mechanism for sign-on and authentication, but also allows sites to accept authenticated users from other sites.[15]

Conclusion

Computer security is all about studying cyber attacks with a view to defending against them. Understanding what makes systems vulnerable to these attacks is an important first step in avoiding or preventing them. Most hackers were young adults, often teens, who had dropped out of school but were otherwise intelligent and focused. Many of the traditional hackers seem to be obsessive programmers. They seem to be adept at circumventing limitations to achieve a challenging but often forbidden objective.

Remember that security is a process. You have to be vigilant, but the price of vigilance is secure data and no net loss of competitive advantage. Although no amount of negligence provides legitimate reasons for a third party to steal data, neither does that absolve system administrators of their responsibility to secure their networks. Working with open standards and setting organizational hardware and software standards are at the core of the network-growth process. Remember, too, that network management becomes increasingly important as the network grows larger; otherwise, the system administrators are overrun doing work that can easily be automated.

The Internet is growing and changing at a rate beyond one person's comprehension. It is easy to get physically connected to the network. The difficult part of networking is figuring out why the network works (or, alternatively, does not work) and the cause of the various problems.

Organizations must conduct periodic risk and vulnerability assessments in an attempt to close the vulnerability window on the organization's IT infrastructure and its assets. The gap in time from when an organization realizes it has a threat from a known vulnerability to when the organization actually implements the proper security controls and countermeasures is known as the vulnerability window. Behind every attack is a vulnerability of some type or other. But what exactly is a vulnerability? A vulnerability is a weakness or lacuna in a procedure, protocol, hardware, or software within an organization that has the potential to cause damage. Understanding security vulnerabilities is the key to understanding attacks better and, more importantly, to defending against them.

It is important to remember that a NIDS (Network-based Intrusion Detection System) is just one tool in your collection, not the be-all and end-all security mechanism, despite what NIDS vendors tell you. Deploying an IDS/IPS and tuning it to the point where the alerts generated are relevant is not an easy or quick project. False positives may plague an analyst for days or weeks to come, but the only thing worse than a false positive is a false negative. Knowledge of the environment is absolutely critical to saving the analyst time in the long run and to being comfortable with how the detection engines are set up. The proper time and resources must be allocated to maximize any return on the investment an IDS/IPS provides. Web services involve a fundamental shift in how justice agencies will manage, access, and share information. Within the Web services architecture, security is key in justice implementations involving sensitive but unclassified information.

However, with the growing sophistication of attack methods and the advancement of information technology, countermeasures must constantly evolve as well, and so must our measures for preventing the recurrence of new threats.


Case study: Result for availability's impact on the NIDS versus NIPS (Network-based Intrusion Prevention System) decision.

Networked computers with exposed vulnerabilities may be disrupted or taken over by a hacker, or by automated malicious code. Should a terrorist group attempt to launch a coordinated cyber attack against computers that manage the critical infrastructure, they may find it useful to copy some of the tactics now commonly used by today's computer hacker groups to locate Internet-connected computers with vulnerabilities, and then systematically exploit those vulnerabilities.

Availability is a time value calculated in terms of MTBF (Mean Time Between Failures) and MTTR (Mean Time To Repair). The MTBF number is provided by the manufacturer and is expressed in hours. The MTTR number, which is variable and dependent upon the specific network, is also expressed in hours. Availability = MTBF / (MTBF + MTTR). The most common way to express this availability calculation is as a percentage. Network professionals commonly refer to it using the term "9s", illustrated in the following table. To calculate annual downtime, multiply the unavailability implied by your targeted 9s value by the 525,600 minutes in a year.

    Availability        Annual downtime
    90% (one 9)         36.5 days
    99% (two 9s)        3.65 days

A device with an MTBF of 175,000 hours and an MTTR of 30 minutes has a calculated annual availability of 525,598 minutes, which equals 1.52 minutes of downtime. Appendix C provides more detail and more complex examples regarding these calculations. The real challenge in computing the availability of any system or network is in understanding the MTTR. This value is unique to your environment and is affected by variables such as routing protocol convergence time and/or spanning tree convergence time, depending on your topology.

You need to understand exactly what happens when an inline device fails to forward traffic properly. This can be due to power, hardware, or other environmental failure. Ideally you would build a full test environment with your intended NIPS design and then test the different scenarios. You should be able to estimate the impact of failure by analyzing a few key variables:

- Interface fail-open: how long does it take for a set of inline interfaces to begin passing traffic after a failure? Will traffic be queued or dropped?

- Layer 3 (L3) environment failures: when your NIPS is deployed on a routed network segment, how long does your routing protocol take to converge?

- Layer 2 (L2) environment failures: when your NIPS is deployed on a physically redundant L2 network segment, how quickly will the spanning tree converge?

- Non-hardware sources of downtime: we are doing these calculations based purely on hardware failure, so you must also consider software failure, environmental considerations, and human error. Compared to other network devices, a NIPS receives a much higher number of software updates (signatures, typically). Applying these updates always introduces the possibility of a software failure or human error that could result in an unexpected outage.
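The availability arithmetic above, worked through as an added example that is not part of the paper: it computes Availability = MTBF / (MTBF + MTTR), builds the "9s" table, and models what an inline NIPS costs a path when its MTTR is the fail-open delay plus the L2/L3 convergence time. The in-series composition (path availability is the product of the component availabilities) and all input figures other than the paper's 175,000 h / 30 min device are assumptions of this example.

```python
# Added example (not from the paper): availability arithmetic for the
# NIDS-versus-NIPS decision. A passive NIDS on a SPAN port or tap does not
# sit in the forwarding path; an inline NIPS does, so its own downtime is
# added to the path's. Series composition (A_path = A_network * A_nips) is
# a standard reliability model assumed here, not something the paper states.
MINUTES_PER_YEAR = 525_600


def availability(mtbf_hours: float, mttr_minutes: float) -> float:
    """Availability = MTBF / (MTBF + MTTR), both converted to minutes."""
    mtbf_minutes = mtbf_hours * 60.0
    return mtbf_minutes / (mtbf_minutes + mttr_minutes)


def annual_downtime_minutes(avail: float) -> float:
    """Annual downtime in minutes for a given availability (the 9s conversion)."""
    return (1.0 - avail) * MINUTES_PER_YEAR


def nines_table(max_nines: int = 5) -> list:
    """Rows of (label, availability, annual downtime in minutes) for 1..N nines."""
    rows = []
    for n in range(1, max_nines + 1):
        avail = 1.0 - 10.0 ** (-n)          # one 9 = 0.9, two 9s = 0.99, ...
        rows.append((f"{n} nine(s)", avail, annual_downtime_minutes(avail)))
    return rows


def inline_path_downtime(network_avail: float, nips_mtbf_hours: float,
                         fail_open_minutes: float, convergence_minutes: float) -> float:
    """Extra annual downtime (minutes) an inline NIPS adds to a path.

    The NIPS's effective MTTR is its interface fail-open delay plus the
    routing / spanning-tree convergence time of the surrounding topology.
    """
    nips_avail = availability(nips_mtbf_hours, fail_open_minutes + convergence_minutes)
    before = annual_downtime_minutes(network_avail)
    after = annual_downtime_minutes(network_avail * nips_avail)   # series model
    return after - before


if __name__ == "__main__":
    a = availability(175_000, 30)                # the paper's device
    print(f"device: {a:.6%} available, {annual_downtime_minutes(a):.2f} min/yr down")
    for label, avail, down in nines_table():
        print(f"{label:10s} {avail:.5f}  {down:10.2f} min/yr")
    # Constructed figures: 99.99% path, 1.0 min fail-open, 0.5 min convergence
    extra = inline_path_downtime(0.9999, 175_000, 1.0, 0.5)
    print(f"inline NIPS adds {extra:.3f} min/yr of downtime to the path")
```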

[Figure: availability requirements by network zone (critical data center, data center, desktop LAN, remote access, extranet, lab) with NIDS and NIPS placement; only the labels survived extraction.]


References

[1]. J. Schiller, Mobile Communications, 2nd Ed., Addison Wesley, 2003; Indian reprint, Pearson Education, 2003.

[2]. F. Adelstein, S. K. S. Gupta, G. G. Richard III, and L. Schwiebert, Fundamentals of Mobile and Pervasive Computing, McGraw-Hill, 2005; reprint, Tata McGraw-Hill, 2005.

[3]. B. Forouzan, Cryptography and Network Security, McGraw-Hill, 2007.

[4]. A. Hussain, J. Heidemann, and C. Papadopoulos, A framework for classifying denial of service attacks, Proceedings of the ACM SIGCOMM Conference (Karlsruhe, Germany), pp. 99-110, 2003.

[5]. T. Gallagher, B. Jeffries, and L. Landauer, Hunting Security Bugs, Microsoft Press, 2006.

[6]. S. Govindavajhala and A. Appel, Windows access control demystified, Tech. report, Princeton University, 2006.

[7]. J. Wack, K. Cutler, and J. Pole, Guidelines on firewalls and firewall policy, NIST Special Publication 800-41, January 2002.

[8]. www.sans.org

[9]. www.cert.org

[10]. www.mitre.org/work/cybersecurity.html

[11]. www.gsmworld.com

[12]. www.emvco.com

[13]. www.chpandspin.co.uk

[14]. www.w3.org/TR/xmlenc-core/

[15]. www.oasis-open.org/specs/#samlv2.0
