Chapter 1. Introduction to Security

This chapter covers the following subjects:

Security 101: School is in session. This section discusses some of the basic principles of security such as CIA and AAA, some basic threats, and various ways to mitigate those threats.

Think Like a Hacker: To know your enemy, you must think like them. Sometimes the hacker is your enemy, sometimes not. This section describes the various hats worn in the hacker society.

Welcome! Before we launch into heavy-duty security, I’d like to go over some foundation-level security concepts. I recommend that everyone read this chapter, but if you are a seasoned professional, you might opt to scan or skip it. For those of you new to the IT security field, this chapter (and the rest of the book) will act as the basis of your IT sleuthing career.

It is so important in today’s organizations to protect information from unauthorized access and to prevent the modification, disruption, or destruction of data unless it is approved by the organization. That in a nutshell is information security. Companies consider it so important that many IT directors have become full-fledged executives—chief information officers (CIO) or chief technology officers (CTO). But let’s not get ahead of ourselves! This book is for persons wanting to embark on, or continue along, the path as a network security administrator. Many other names are given to that particular position, but we’ll stick with that one for the sake of continuity throughout this book.

This entire book is all about locating risks and vulnerabilities to your information and eliminating those risks, or at least reducing them to a point acceptable to your organization.

This first chapter talks about some basic fundamental security concepts and teaches you to think like a hacker but act like an administrator.

Let’s begin!

Foundation Topics: Security 101

The first thing we need to get out of the way is that nothing is ever completely or truly secure. People might give clever definitions of something that could be completely secure, but it is a utopia—something that can be imagined but never achieved. There is always a way around or through any security precaution that we construct.

Now that it’s understood that there is no perfect scenario, we can move on to some security basics that can help to build a solid foundation upon which proper mitigating of security risks can begin.

The CIA of Computer Security

No, we’re not talking national security, but computers can be the victim of covert operations. To defend against the worst, IT people attempt to adhere to three core principles of information security: confidentiality, integrity, and availability.

Figure 1-1. The CIA of Computer Security


By employing the concepts of confidentiality, integrity, and availability to your data, an organization’s hardware, software, and communications can be secured properly. Let’s discuss each of the three items of the CIA triad in a little more depth.

Confidentiality—Preventing the disclosure of information to unauthorized persons. For the public it signifies Social Security numbers (or other country-specific identification), driver license information, bank accounts and passwords, and so on. For organizations this can include all the preceding information, but it actually denotes the confidentiality of data. To make data confidential, the organization must work hard to make sure that it can be accessed only by authorized individuals. This book spends a good amount of time discussing and showing how to accomplish this. For example, when you use a credit card number at a store or online, the number should be encrypted with a strong cipher so that the card number cannot be compromised. Next time you buy something online, take a look at how the credit card number is being kept confidential. As a security professional, confidentiality should be your number one goal. In keeping data confidential, you remove threats, absorb vulnerabilities, and reduce risk.


Integrity—Authorization is necessary before data can be modified. If a person were to delete a file, either maliciously or inadvertently, the integrity of that file would have been violated. Here’s a tip for you: Smart companies do not delete data!

Availability—Securing computers and networks can be a strain on resources. Availability means that data is obtainable regardless of how information is stored, accessed, or protected. It also means that data should be available regardless of the malicious attack that might be perpetrated on it.

These three principles, known as the CIA triad, should be applied whenever dealing with the security of hardware, software, or communications.

Another acronym to live by is the AAA of computer security: authentication, authorization, and accounting.

Authentication—When a person’s identity is established with proof and confirmed by a system. Typically, this requires a digital identity of some sort, username/password, or other authentication scheme.


Authorization—When a user is given access to certain data or areas of a building. Authorization happens after authentication and can be determined in several ways including permissions, access control lists, time-of-day, and other login restrictions and physical restrictions.

Accounting—The tracking of data, computer usage, and network resources. Often it means logging, auditing, and monitoring of the data and resources. Accountability is quickly becoming more important in today’s secure networks. Part of this concept is the burden of proof. You as the security person must provide proof if you believe that someone committed an unauthorized action. When you have indisputable proof of something users have done and they cannot deny it, it is known as nonrepudiation.

The Basics of Data Security

Data security is the act of protecting data from threats and possible corruption. You need to be aware of several types of threats to be an effective network security administrator:

Malicious software—Known as malware, this includes computer viruses, worms, Trojan horses, spyware, rootkits, adware, and other types of unwanted software. Everyone has heard of a scenario in which a user’s computer was compromised to some extent due to malicious software.

Unauthorized access—Access to computer resources and data without consent of the owner. It might include approaching the system, trespassing, communicating, storing and retrieving data, intercepting data, or any other methods that would interfere with a computer’s normal work. Access to data must be controlled to ensure privacy. Improper administrative access would fall into this category as well.

System failure—Computer crashes or individual application failure. This can happen for three reasons: user error, malicious activity, or hardware failure.

Social engineering—The act of manipulating users into revealing confidential information or performing other actions detrimental to the user. Almost everyone gets e-mails nowadays from unknown entities making false claims or asking for personal information (or money!); this is one example of social engineering.

Many data security technologies and concepts can protect against, or help recover from, the preceding threats. Several common ones are listed here:

User awareness—The wiser the user, the less chance of security breaches. Employee training and education, easily accessible and understandable policies, security-awareness e-mails and online security resources all help to provide user awareness. These methods can help to protect from all the threats mentioned previously. Educating the user is an excellent method when attempting to protect against security attacks.

Authentication—The verification of a person’s identity that helps protect against unauthorized access. It is a preventative measure that can be broken down into three categories:

• Something the user knows, for example a password or PIN

• Something the user has, for example a smart card or other security token

• Something the user is, for example the biometric reading of a fingerprint or retina scan

Antimalware software—Protects a computer from the various forms of malware, and if necessary, detects and removes them. Types include antivirus and antispyware software. Well-known examples include Norton AntiVirus, McAfee VirusScan, Windows Defender, and Spyware Doctor. Nowadays, a lot of the software named “antivirus” can protect against spyware as well.

Data backups—Backups won’t stop damage to data, but they can enable you to recover data after an attack or other compromise, or system failure. From programs such as NTbackup and Bacula to enterprise-level programs such as Tivoli and Veritas, data backup is an important part of security. Note that fault-tolerant methods such as RAID 1 and 5 are good preventative measures against hardware failure but might not offer protection from data corruption or erasure. For more information on RAID, see Chapter 14, “Redundancy and Disaster Recovery.”

Encryption—The act of changing information using an algorithm known as a cipher to make it unreadable to anyone except users who possess the proper “key” to the data. Examples of this include HTTPS, Kerberos, and PGP.

Data removal—Proper data removal goes far beyond file deletion or the formatting of digital media. The problem with file deletion and formatting is data remanence: the residue that is left behind, from which files can be re-created by some less-than-reputable people with smart tools. Companies typically employ one of three options when met with the prospect of data removal: clearing, purging (also known as sanitizing), and destruction. We talk more about these in Chapter 15, “Policies, Procedures, and People.”
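As an added illustration of the data remanence point above (example code, not from the book), here is a constructed in-memory toy disk: ordinary deletion drops only the directory entry, while clearing overwrites the file's blocks before releasing them. The ToyDisk class, its block layout, and the sample record are all hypothetical.

```python
"""Toy disk model: why deleting a file is not the same as clearing it.

Added example, not from the book. A bytearray stands in for the raw
media and a dict for the directory table; both are hypothetical.
"""

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, blocks):
        self.media = bytearray(blocks * BLOCK_SIZE)  # raw platter/flash contents
        self.directory = {}                          # name -> (block list, length)
        self.free = list(range(blocks))              # unallocated block numbers

    def write_file(self, name, data):
        needed = max(1, -(-len(data) // BLOCK_SIZE))  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.media[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read_file(self, name):
        blocks, length = self.directory[name]
        raw = b"".join(bytes(self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                       for b in blocks)
        return raw[:length]

    def delete(self, name):
        """Ordinary deletion: only the directory entry goes; the bytes remain."""
        blocks, _ = self.directory.pop(name)
        self.free.extend(blocks)

    def clear(self, name, passes=1):
        """Clearing: overwrite every block of the file, then release it."""
        blocks, _ = self.directory[name]
        for _ in range(passes):
            for b in blocks:
                self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)


def remanent(disk, fragment):
    """True if the fragment is still present on the raw media (no directory needed)."""
    return fragment in bytes(disk.media)


def demo():
    """Returns (remanent after delete, remanent after clear) for a constructed record."""
    secret = b"SSN=000-00-0000 (constructed sample)"  # constructed, not real data
    deleted, cleared = ToyDisk(8), ToyDisk(8)
    deleted.write_file("hr.txt", secret)
    deleted.delete("hr.txt")
    cleared.write_file("hr.txt", secret)
    cleared.clear("hr.txt")
    return remanent(deleted, b"000-00-0000"), remanent(cleared, b"000-00-0000")
```

The remanent() check stands in for the forensic carving the passage warns about: after delete() the record is still there for anyone who reads the media directly; after clear() it is not.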

Think Like a Hacker

I’m not condoning any malicious activity, but to think like a hacker, you have to understand the hacker. So ask yourself, why do people decide to become hackers? Why take advantage of users? In the minds of some malicious individuals, it may simply be because they are there to be taken advantage of! One common answer is greed—the act of hacking for illegal monetary gain. Other attackers have an agenda, or believe in a cause, or just want to get free access to movies and music. Still others just want to cause mayhem and anarchy. Consider this when you secure your organization’s computers—they just might be a target!

Of course, people use different names to classify these types of individuals: hacker, cracker, cyber-criminal, and so on. It doesn’t matter what you call them, but the accepted term in most network security circles is hacker.

Now consider this: Not all hackers are malicious. That’s right! There are different types of hackers out there. Various names are used by different organizations, but some of the common labels include the following:

White hats—These are nonmalicious; for example, an IT person who attempts to hack into a computer system before it goes live to test it. Generally, the person attempting the hack has a contractual agreement with the owner of the resource to be hacked. White hats will often be involved in something known as ethical hacking. An ethical hacker is an expert at breaking into systems and can attack systems on behalf of the system’s owner and with the owner’s consent. The ethical hacker will use penetration testing and intrusion testing to attempt to gain access to a target network or system.

Black hats—These are malicious and attempt to break into computers and computer networks without authorization. Black hats are the ones who attempt identity theft, piracy, credit card fraud, and so on. Penalties for this type of activity are severe and black hats know it; keep this in mind if and when you come into contact with one of these seedy individuals—they can be brutal, especially when cornered. Of course, many vendors try to make the term “black hat” into something cuter and less dangerous. But for the purposes of this book and your job security, we need to call a spade a spade, or in this case, a black hat a malicious individual.

Gray hats—These are possibly the most inexplicable people on the planet. They are individuals who do not have any affiliation with a company but risk breaking the law by attempting to hack a system and then notify the administrator of the system that they were successful in doing so—just to let them know! Not to do anything malicious (other than breaking in...). Some offer to fix security vulnerabilities at a price, but these types are also known as green hats or mercenaries.

Blue hats—These are individuals who are asked to attempt to hack into a system by an organization, but the organization does not employ them. The organization relies on the fact that the person simply enjoys hacking into systems. Usually, this type of scenario occurs when testing systems.

Elite—Elite hackers are the ones who first find out about vulnerabilities. Only 1 out of an estimated 10,000 hackers wears the Elite hat. The credit for their discoveries is usually appropriated by someone else more interested in fame. Many of these types of individuals don’t usually care about “credit due” and are more interested in anonymity—perhaps a wise choice. You do not want to get on an Elite’s bad side; they could crumple most networks within hours if they so desired.

We mentioned before that no system is truly secure. Hackers know this and count on it. It’s a constant battle in which administrators and attackers are consistently building and breaking down better and better mouse traps. The scales are always tipping back and forth; a hacker develops a way to break into a system, then an administrator finds a way to block that attack, then the hacker looks for an alternative method, and so on. This seems to reek of the chicken and the egg—which came first? Answer: You have to take it on a case-by-case basis. The last few sentences of banter are there for one reason—to convince you that you need to be on your toes; that you need to review logs often; that you need to employ as many security precautions as possible; that you need to keep abreast of the latest attacks and ways to mitigate your risk; and to never underestimate the power and resilience of a hacker.

Exam Preparation Tasks: Review Key Topics

Review the most important topics in the chapter, noted with the Key Topics icon in the outer margin of the page. Table 1-1 lists a reference of these key topics and the page numbers on which each is found.


Table 1-1. Key Topics for Chapter 1


Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary.

confidentiality, integrity, availability, nonrepudiation, authentication, authorization, accounting

Answer Review Questions

Answer the following review questions. You can find the answers at the end of this chapter.

1. In information security, what are the three main goals? (Select the three best answers.)

A. Auditing

B. Integrity

C. Nonrepudiation

D. Confidentiality

E. Risk Assessment

F. Availability

2. To protect against malicious attacks, what should you think like?

A. Hacker

B. Network admin

C. Spoofer

D. Auditor

3. Tom sends out many e-mails containing secure information to other companies. What concept should be implemented to prove that Tom did indeed send the e-mails?

A. Authenticity

B. Nonrepudiation

C. Confidentiality

D. Integrity

4. Which of the following does the A in CIA stand for when it comes to IT security? Select the best answer.

A. Accountability

B. Assessment

C. Availability

D. Auditing

5. Which of the following is the greatest risk when it comes to removable storage?

A. Integrity of data

B. Availability of data

C. Confidentiality of data

D. Accountability of data

6. When it comes to information security, what is the I in CIA?

A. Insurrection

B. Information

C. Indigestion

D. Integrity

7. When is a system completely secure?

A. When it is updated

B. When it is assessed for vulnerabilities

C. When all anomalies have been removed

D. Never

Answers and Explanations

1. B, D, and F. Confidentiality, integrity, and availability (known as CIA or the CIA triad) are the three main goals when it comes to information security. Another goal within information security is accountability.

2. A. To protect against malicious attacks, think like a hacker. Then, protect and secure like a network security administrator.

3. B. You should use nonrepudiation to prevent Tom from denying that he sent the e-mails.

4. C. Availability is what the “A” in “CIA” stands for, as in “the availability of data.” Together the acronym stands for confidentiality, integrity, and availability. Although accountability is important and is often included as a fourth component of the CIA triad, it is not the best answer. Assessment and auditing are both important concepts when checking for vulnerabilities and reviewing and logging, but they are not considered to be part of the CIA triad.

5. C. For removable storage, the confidentiality of data is the greatest risk because removable storage can easily be removed from the building and shared with others. Although the other factors of the CIA triad are important, any theft of removable storage can destroy the confidentiality of data, and that makes it the greatest risk.

6. D. The I in CIA stands for integrity. Together CIA stands for confidentiality, integrity, and availability. Accountability is also a core principle of information security.

7. D. A system can never truly be completely secure. The scales are always tipping back and forth; a hacker develops a way to break into a system, then an administrator finds a way to block that attack, and then the hacker looks for an alternative method. It goes on and on; be ready to wage the eternal battle!
