
Wednesday, September 18, 2019

Security through Obscurity

Security through obscurity is the idea of not informing a subject that an object exists and hoping that the subject will never discover it. No actual protection measure is implemented: the object itself is not protected; instead, the hope is that something important will not be found because knowledge of it is kept secret (obscured).

Example:
A developer is aware of a known issue or bug in their code but still releases the product, hoping that no one will discover the issue and exploit it.

Tuesday, March 14, 2017

Cryptography: Security through Obscurity

The aphorism "security through obscurity" suggests that hiding information provides some level of security. Give an example of a situation in which hiding information does not add appreciably to the security of a system. Then give an example of a situation in which it does.

Answer

Hiding an algorithm that protects your password might not necessarily add appreciably to the security of the system because the algorithm can be found within the source code of the library.

However, hiding the password field within a form will add appreciably to the system. This way only the rightful user will have access to the account.
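As an added illustration (not part of the original post or the Coursera course it answers), the following Python shows why hiding a password-protecting algorithm adds little: a reversible "secret" shift whose constant is hidden in the code is undone by anyone who reads the source, whereas a salted PBKDF2 hash stays secure even though its algorithm is public. The `SECRET_SHIFT` constant, the round count and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed "secret": a constant the developer hopes nobody will read.
# Anyone with the library source sees it, so the transformation is public.
SECRET_SHIFT = 7
PBKDF2_ROUNDS = 100_000


def obscure(password: str) -> str:
    """Reversible character shift; it only looks protective."""
    return "".join(chr(ord(c) + SECRET_SHIFT) for c in password)


def unobscure(stored: str) -> str:
    """The inverse needs no key at all, only knowledge of the algorithm."""
    return "".join(chr(ord(c) - SECRET_SHIFT) for c in stored)


def store_hashed(password: str) -> Tuple[bytes, bytes]:
    """Public algorithm, private input: a random salt plus PBKDF2-HMAC-SHA256.
    Knowing the algorithm does not let anyone recover the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = obscure("hunter2")          # constructed sample password
    print("obscured:", repr(stored), "-> recovered:", unobscure(stored))
    salt, digest = store_hashed("hunter2")
    print("hashed, correct password accepted:", verify_hashed("hunter2", salt, digest))
    print("hashed, wrong password accepted:", verify_hashed("hunter3", salt, digest))
```

The contrast is the point of the question: with the shift, reading the source is the whole attack; with the hash, reading the source tells you nothing you could not already read in the PBKDF2 specification, and two users with the same password still get different stored values because of the salt.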

Monday, September 26, 2016

CyberSecurity and X-Factor


Security Education: Training and Awareness Quiz
[If you are looking for an answer, comment on the post and we can discuss.]




1. SETA programs are intended to:

  • Identify bad actors in an organization
  • Communicate to employees the consequences of failing to comply with security rules
  • Improve employee behavior, communicate a structure for reporting violations, and hold employees accountable
  • Protect organizations against hackers

2. What does it mean to make employees complicit in security management?

  • Employees are often complicit (knowingly or unknowingly) in successful hacks.
  • Employees must follow the rules in order to keep organizational assets secure.
  • Employees need to master the know-what, know-how, and know-why of security so that they can adapt to new situations.

3. What is the best method for delivering security awareness?

  • Emails
  • Posters
  • Some combination of posters, email, other informal channels
  • Formal meetings

4. Why do different user groups (i.e., novice versus experienced, technical versus managerial) benefit from different training?

  • Because their jobs require them to use different systems
  • Because their system knowledge is different
  • Because they could be differentially targeted by hackers
  • These answers are all so good, I can’t pick just one

5. From a security perspective, what is know-what?

  • Know-what is awareness of security concerns within an organization and your role in them
  • Know-what includes training in security practices
  • Know-what is the contextualized understanding of your organization’s security needs
  • Know-what means knowing what to do in the event of a security breach.


Wednesday, August 24, 2016

Cyber Security: Honeypots

Honeypots
Sometimes network administrators want to study attacks, either so the attackers’ methods can be understood more fully and countermeasures prepared, or as part of an investigation that might lead to civil or criminal prosecutions.


One method of safely studying an attack is to deflect attackers towards an isolated computer or network which appears to be completely legitimate, but is in fact a closely-monitored trap known as a honeypot. There, every action performed by the attacker can be recorded and analysed without risking important data.


Honeypots are also used by researchers to identify new attacks that are circulating in the hacking community, as well as by anti-spam organisations which use them to identify the location and identities of spam email senders.
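As an added example (not from the original post or its course material), here is a minimal TCP honeypot in Python: it accepts connections on an isolated address, sends a decoy banner, records who connected and what they sent, and never provides a real service. The decoy banner, the `127.0.0.1` address and the `probe` helper used to exercise it are all constructed for this example; a real deployment would bind the listener on the isolated, closely monitored network the text describes.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class Honeypot:
    """A TCP listener that looks like a service but only records what arrives.
    Every accepted connection becomes one event: time, source address and the
    first bytes the peer sent after the decoy banner. Constructed example."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 mail.example.test ESMTP ready\r\n"):
        self.banner = banner            # decoy greeting, constructed for the example
        self.events = []
        self._lock = threading.Lock()
        self._running = False
        self._thread = None
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0 = let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)      # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]

    def _serve(self):
        while self._running:
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(1024)   # whatever the peer tries first
                except OSError:
                    data = b""
            event = {
                "time": datetime.now(timezone.utc).isoformat(),
                "src_ip": addr[0],
                "src_port": addr[1],
                "payload": data,
            }
            with self._lock:
                self.events.append(event)

    def start(self):
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._running = False
        if self._thread:
            self._thread.join()
        self._sock.close()

    def records(self):
        with self._lock:
            return list(self.events)

    def wait_for(self, count, timeout=3.0):
        """Block until `count` events have been recorded (or time out)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            if len(self.records()) >= count:
                return True
            time.sleep(0.02)
        return False


def probe(port, payload, host="127.0.0.1"):
    """Stand-in for an outside connection, used only to exercise the honeypot."""
    with socket.create_connection((host, port), timeout=2) as s:
        greeting = s.recv(1024)
        s.sendall(payload)
    return greeting


def summarize(events):
    """Attempts per source address: the first thing an analyst looks at."""
    counts = {}
    for e in events:
        counts[e["src_ip"]] = counts.get(e["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hp = Honeypot()
    hp.start()
    print("honeypot listening on port", hp.port)
    print(probe(hp.port, b"EHLO scanner.test\r\n"))
    hp.wait_for(1)
    hp.stop()
    for ev in hp.records():
        print(ev)
```

Nothing a peer sends is interpreted or acted on; the value is entirely in the recorded events, which is what makes the trap safe to study.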


Cyber Security: VPN - Security Risks of VPN


VPNs might sound like a panacea to a number of problems as they can extend, in our example, a corporate network across a wide geographic area via the internet. However, in doing so, they raise a number of new problems.


Security of remote machines
When a remote machine is part of a VPN it effectively creates a new frontier between the ‘secure’ corporate network and the internet. This remote machine now offers a direct route into the corporate network. Previously, it had been relatively simple to secure machines within a corporate network; now the remote user might be using their own computer, network connection, operating system and software – none of which are controlled by the organisation. Worse still, they might be sharing the machine with a number of other users, some of whom might not be employed by the organisation. Perhaps the same PC is used to manage corporate documents, as well as to download pirated music from the internet and play video games!

The remote machines must themselves be secured from abuse. That may mean enforcing certain minimum standards with regards to operating system, antivirus software, firewalls and so on. Employers may have to stipulate that antivirus software is kept up to date, and that all patches and service packs are installed.

Security of the VPN implementation
As you learned earlier, the security of various VPN implementations has come under scrutiny. Protocols themselves might be well-designed and apparently secure, but the method of implementation, where programmers have taken shortcuts or offered ‘additional convenience’ to the user, may compromise the protection offered.


For instance, there are no major problems with the PPTP protocol itself, but Microsoft’s implementation of PPTP was found to have a number of serious defects. Microsoft’s implementation was introduced in 1996, and hacker software exploiting its weaknesses began circulating the following year. Papers describing the weaknesses appeared in 1998, and it was only after their publication that Microsoft addressed the most serious weaknesses in PPTP by releasing a patch (DUN 1.3); even then, some issues remained unresolved.

In addition to errors in protocol implementations, security vulnerabilities can be introduced if the design or configuration of the overall VPN solution is done incorrectly.

Security of interoperation
VPN is still a relatively immature technology with a number of competing standards, often supported by different vendors. Mixing and matching hardware and software might cause problems. Until technology matures (which is happening at a rapid rate), it might be necessary to use a single technology provider.


Security of network availability
Since VPNs typically rely on the internet for delivering information, there are no guarantees about reliability: the internet cannot guarantee delivery of information from one location to another.

Tuesday, August 23, 2016

Cyber Security: Firewall - VPN


VPN basics
In some ways, our local networks resemble forts sitting in the Wild West of a Hollywood movie. Inside strong walls, life goes on as normal, with data being exchanged freely between trusted machines. Meanwhile, beyond the firewall there is the lawless frontier of the internet; traffic crossing the internet must make a risky journey largely unprotected.

The problem of secure data transmission is especially acute for organisations based in several physical locations, such as those who need to exchange information with sub-contractors or those with a dispersed workforce such as sales teams or home workers.



Traditionally, companies invested in private communications links (usually called leased lines) whose cost might run to thousands of pounds per month. Most organisations cannot justify such an investment and in any case, leased lines cannot serve a mobile or highly dispersed workforce. So the lawless frontier of the internet is our only choice – this is where VPNs come to the rescue!

A VPN, as the name implies, is a means of creating a private network across an untrusted network such as the internet. VPNs can be used for a number of different purposes such as:
  • to securely connect isolated Local Area Networks (LANs) across the internet
  • to allow mobile users remote access to a corporate network using the internet
  • to control access within an intranet environment.
VPN concepts
VPNs are typically implemented using dedicated network devices (sometimes this might be a firewall) and software. There are two parts to the software. The first, called a VPN client, is installed on the computer of anyone who wants to be part of the VPN; the client is responsible for connecting users to the VPN so that they can send and receive information in a secure manner with, in this example, a corporate network. The second part is the VPN server, which is part of a dedicated network device usually located on the perimeter of an organisation’s network. The server software typically performs the authentication of users and routes traffic to the corporate network.

The VPN software creates a path known as a ‘tunnel’ between the VPN client and the VPN server. It can establish this ‘tunnel’ by using any third party or untrusted network such as the internet. Unlike other paths through the internet, information which passes through this ‘tunnel’ can be encrypted to protect it from inspection or modification. So we can use these tunnels to protect our data while it crosses the lawless frontier of the internet back to the safety of our forts!

Securing the tunnels
The VPN path or tunnel between the VPN client and the VPN server relies on encryption to protect the data from interception or modification as it travels across the internet.


Encryption
In a VPN, encryption and decryption are typically performed by the client and server software. Early VPN solutions used proprietary encryption techniques, but shortcomings in many of these methods have forced a switch to public encryption standards.

Authenticity and integrity
It is vital to ensure that information can be trusted – that it is coming from an authenticated user and that it has not been altered in transit. VPNs use a number of methods to ensure authenticity:
  • hashes (see Week 5)
  • digital signatures (see Week 5)
  • message authentication codes (MACs).
MACs are appended to messages and act as an authenticator. They are similar in principle to digital signatures, but the hash is encrypted and decrypted using the same secret key (symmetric encryption).
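The MAC mechanism described above, as an added Python example (not code from the original post or its course): an HMAC-SHA256 tag is computed and checked with the same shared secret key, so a message altered in transit, or one tagged with a different key, fails verification. The key and the message are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte authenticator


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Authenticator over the message, keyed with the shared secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append the tag to the message, as the text describes."""
    return message + mac_tag(key, message)


def verify(key: bytes, packet: bytes):
    """Receiver side: split off the tag, recompute it with the same key and
    compare in constant time. Returns the message if authentic, else None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac_tag(key, message), tag):
        return None
    return message


if __name__ == "__main__":
    key = b"\x01" * 32                               # constructed shared secret
    packet = protect(key, b"transfer 100 to account 42")
    print("intact:", verify(key, packet))
    tampered = packet.replace(b"100", b"999")        # same length, changed content
    print("modified in transit:", verify(key, tampered))
    print("tagged with another key:", verify(b"\x02" * 32, packet))
```

Because both ends hold the same key, the tag proves only that some key holder produced the message; that is the difference from a digital signature, where the verification key cannot be used to create tags.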

VPN protocols

There are three main forms of VPN protocol currently in use:

  • PPTP (Point to Point Tunnelling Protocol)
PPTP was designed in a consortium led by Microsoft, which included an implementation of the protocol as a standard component of Windows NT 4. Microsoft also released PPTP as a free add-on to Windows 95 and Windows 98, allowing users of (at the time) the most popular version of Windows to access corporate networks.


PPTP proved unsuited to large companies (being limited to 255 connections per server), but more seriously, the PPTP standard did not settle on a single form of user authentication or encryption; therefore two companies could offer software supporting PPTP, yet each product would be incompatible with the other! From Windows 2000 onwards, Microsoft replaced PPTP with L2TP (see below).

  • L2TP (Layer 2 Tunnelling Protocol)
This is an adaptation of a VPN protocol known as L2F originally developed by Cisco to compete with PPTP. In an attempt to improve L2F, a successor was devised by a group composed of the PPTP Forum, Cisco and the Internet Engineering Task Force (IETF). L2TP combines features of both PPTP and L2F.

  • IPSec (Internet Protocol Security)
IPSec was designed by the Internet Engineering Task Force (IETF), an international committee, starting in 1992; a first draft standard was published in 1995 and the revised standard in 1998. IPSec is now the most widely supported protocol, with backing from Intel, IBM, HP/Compaq and Microsoft (among others).


IPSec has gained a reputation for security thanks to its use of well-known and trusted technologies. Rather than invent new techniques for encryption, the designers of the protocol built their system on top of existing encryption technologies, which had themselves been subjected to intense scrutiny.

Monday, July 4, 2016

Talking Security: The Basics

In any discussion of security, there are some basic terms that will be used a lot. This step will introduce you to the basic terminology of information security.

 

CIA
The guiding principles behind information security are summed up in the acronym CIA (and we’re pretty sure there’s a joke in there somewhere), standing for confidentiality, integrity and availability.

We want our information to:
  • be read by only the right people (confidentiality)
  • only be changed by authorised people or processes (integrity)
  • be available to read and use whenever we want (availability).
It is important to be able to distinguish between these three aspects of security. So let’s look at an example.

Case study: PlayStation Network
In April 2011, Sony revealed that the PlayStation Network, used by millions of consumers worldwide, had been breached by hackers. The breach went unnoticed by Sony for several days and ultimately resulted in the theft of up to 70 million customer records. The records included customer names, addresses, emails, dates of birth and account password details: information which could have enabled additional attacks or identity theft.

In order to assess the scale of the damage and repair the vulnerabilities that led to the attack, Sony took the PlayStation Network offline, a move which cost the company, and the merchants who offered services via the network, significant amounts of revenue.

In addition to the cost of fixing the breach, Sony was fined £250,000 by the Information Commissioner’s Office as a result of a ‘serious breach’ of the Data Protection Act; the ICO stated that ‘The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.’


The precise financial cost to Sony is unclear but estimates place it at approximately £105 million, excluding the revenue loss by partner companies, damage to its reputation and potential damage to its customers.

Analysis
So how do the principles of CIA apply to the PlayStation case? Quite obviously, confidentiality was violated: there was a chance that unauthorised people could read the data. However, authorised users still had full access to the data, so it remained available; and the data was not changed, so its integrity was preserved.



Information assets
Time for another definition. When talking about valuable data we use the term ‘information assets’. In the PlayStation case, the information assets were the data about Sony’s customers.

When we consider security of online communications and services, we also need two additional concepts: ‘authentication’ and ‘non-repudiation’.

When we receive a message, we want to be confident that it really came from the person we think it came from. Similarly, before an online service allows a user to access their data, it is necessary to verify the identity of the user. This is known as authentication.

Non-repudiation is about ensuring that users cannot deny knowledge of sending a message or performing some online activity at some later point in time. For example, in an online banking system the user cannot be allowed to claim that they didn’t send a payment to a recipient after the bank has transferred the funds to the recipient’s account.

https://www.futurelearn.com/courses/introduction-to-cyber-security/8/steps/83026

Monday, June 1, 2015

Information Security - Evolution

An Introduction to Information Security
  • Information Security in an enterprise is a “well-informed sense of assurance that the information risks and controls are in balance”
  • Aligning information security needs with business objectives must be the top priority.
The History of Information Security
  • The history of information security begins with Computer Security.
  • The need for computer security - that is, the need to secure physical locations, hardware, and software from threats - arose during WWII when the first mainframes, developed to aid computations for communication code breaking, were put to use.
  • Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data.
  • Access to sensitive military locations, for example, was controlled by means of badges, keys, and facial recognition of authorized personnel by security guards.
  • The growing need to maintain national security eventually led to more complex and more technologically sophisticated computer security safeguards.
  • During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes.
  • The primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.
  • One of the first documented security problems that fell outside these categories occurred in the early 1960s, when a system administrator was working on an MOTD (message of the day) file and another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed on every output file.

Sunday, May 24, 2015

Outsourcing/Offshoring and Cyber Threat - Why and How?

Outsourcing and offshoring are solutions to many of the issues that businesses face, for example:
  • cheaper human resources,
  • infrastructure convenience,
  • knowledge and skills, and
  • higher growth potential for the business.
By outsourcing the day-to-day back-office tasks, the business owner has more time to focus on generating income. However, considering today’s cyber threats, if cyber security standards are not uniformly upheld by the third party, outsourcing/offshoring of business processes and supply does not come without risks. These include:
  • identity theft,
  • loss or destruction of sensitive information and intellectual property,
  • unauthorized access to the network service,
  • infection with malicious code, etc.
Moreover, a key risk that many businesses face when outsourcing/offshoring is that they themselves are not aware of what controls and policies the third party should adhere to. The real questions to ponder are:
  • Are financial savings the sole aim of outsourcing, or has cyber security been factored into the third-party considerations?
  • Even if cyber security has been taken into account, is it purely from a technical perspective, or has the effect on the overall business value chain been considered?

Outsourcing/offshoring are the realities of today’s businesses, and it is essential for decision makers to do due diligence in terms of risk assessment. Remember, there is always an answer to a problem, and threats to cyber security from outsourcing/offshoring can also be reduced, if not fully mitigated, by implementing various countermeasures. So what is the answer to the cyber security risk posed by outsourcing/offshoring?
  • Implement cyber security policies, procedures and guidelines for outsourcing/offshoring arrangements in accordance with industry best practices (such as the NIST Cyber Security Framework and the ISO 27K series), including risk assessment and threat profiling with respect to vendors and geographical locations respectively.
  • Contractually embed the necessary information security, business continuity and privacy controls to ensure continued compliance with internal policy and regulatory burdens.
  • Consider outsourcing/offshoring only non-sensitive operational areas. Don’t outsource something just because you don’t want to do it; sometimes there are things you don’t want to do but they are important to your core business.
Even experienced optimists accept that an information security incident is inevitable, as 100% security is unachievable and there is no silver bullet; recognition of a long-term, risk-based approach is necessary. An example of outsourcing might be the IT support for your network: you may not be able to afford or need a full-time IT person, and it is easier to switch to an outsourced provider with the right skill set as your IT needs change.

Sunday, May 10, 2015

Information Security

  • Information Security is an art, not a science, and the mastery of information security requires multi-disciplinary knowledge of a huge quantity of information, experience and skill.
  • Security controls and practices include logging on, using passwords, encrypting vital information, locking doors and drawers, motivating stakeholders to support security, and installing pipes to spray water down on your fragile computers in case of fire.
  • These are means of protection that have no benefits except, rarely, when adversities occur. Good security is when nothing bad happens, and when nothing bad happens, who needs security?
  • So why do we engage in security?
    Now-a-days we do it because the law says that we must do it; especially if we deal with the personal information of others, electronic money, intellectual property, and keeping ahead of the competition.
  • Information security is no job for perfectionists, because you will almost never be fully successful, and there will always be vulnerabilities that you aren't aware of or that you haven't fixed yet.
  • Therefore, the enemy has a great advantage over us: he has to find only one vulnerability and one target to attack in a known place, electronically or physically, while we must defend against potentially millions of enemies’ attacks on all of our assets and vulnerabilities, which are no longer in one computer room but are spread all over the world by wire and now by air.
  • It's like playing a game in which you don't know your opponents and where they are, what they are doing, why they are doing it, and are changing the rules as they play.
  • So, you must be highly ethical, defensive, secretive, and cautious about bragging about the great security that you are employing that might tip off the enemy.
  • When working in security, you are in a virtual army defending your employer and stakeholders from their enemies, and from your point of view they will probably think and act irrationally, but from their perspective they are perfectly rational with serious personal problems to solve and gains to be made by violating your security.
  • Most of your work, now, should be assisting potential victims to protect themselves from information adversities and dealing with your smart but often irrational enemies even though you rarely see or even get close to them.
  • Be trustworthy and develop mutual trust among your peers. Your most important objectives are not risk reduction and increased security; they are diligence to avoid negligence, exceeding compliance with all of the laws and standards and auditors, and enablement when security becomes a competitive or a budget issue.
  • To achieve these objectives, you must develop a trusting exchange of the most sensitive security intelligence among your peers in your and other security people's organizations so that you know where your organization stands in protection relative to them.
  • Your personal and ethical performance must be spotless, and you must protect your reputation at all costs.

Wednesday, April 22, 2015

Information Security - Security Attacks


1.      Security Attacks

X.800 and RFC 2828 classify security attacks as passive or active. A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.

1.1.     Passive Attacks

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents and traffic analysis.


Release of message contents: A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.
Traffic analysis: Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent still might be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
Passive attacks are very difficult to detect, because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion, and neither the sender nor the receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.
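As an added illustration (not from the original post or the Stallings text it follows), the following Python shows what traffic analysis yields even when every payload is encrypted, and the padding countermeasure: from constructed capture records carrying only endpoints, timestamps and ciphertext lengths, an observer can still recover who talks to whom, how often and with what message sizes; padding each message up to a fixed bucket before encryption collapses most of that length information. The addresses and records are constructed sample data.

```python
from collections import defaultdict

# Constructed capture: what a passive observer sees after contents are
# encrypted. Payloads are absent; only endpoints, time and size remain.
CAPTURED = [
    {"t": 0.0, "src": "10.0.0.5", "dst": "10.0.0.9", "len": 52},
    {"t": 0.4, "src": "10.0.0.9", "dst": "10.0.0.5", "len": 1460},
    {"t": 0.5, "src": "10.0.0.5", "dst": "10.0.0.9", "len": 52},
    {"t": 5.0, "src": "10.0.0.5", "dst": "10.0.0.9", "len": 52},
    {"t": 5.4, "src": "10.0.0.9", "dst": "10.0.0.5", "len": 1460},
    {"t": 5.5, "src": "10.0.0.5", "dst": "10.0.0.9", "len": 52},
    {"t": 7.0, "src": "10.0.0.7", "dst": "10.0.0.9", "len": 301},
]


def traffic_profile(records):
    """Per (src, dst) pair: how many messages, how many bytes, which sizes,
    and the average gap between messages. None of this needs the key."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    profile = {}
    for pair, msgs in by_pair.items():
        times = [m["t"] for m in msgs]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        profile[pair] = {
            "count": len(msgs),
            "bytes": sum(m["len"] for m in msgs),
            "sizes": sorted({m["len"] for m in msgs}),
            "mean_gap": sum(gaps) / len(gaps) if gaps else None,
        }
    return profile


def pad_length(length, bucket=512):
    """Countermeasure: pad every message up to the next multiple of `bucket`
    before encryption, so distinct plaintext sizes fall into few classes."""
    return ((length + bucket - 1) // bucket) * bucket


def distinct_sizes(records, bucket=None):
    """How many message sizes the observer can tell apart, with or without padding."""
    sizes = {r["len"] if bucket is None else pad_length(r["len"], bucket) for r in records}
    return len(sizes)


if __name__ == "__main__":
    for pair, stats in traffic_profile(CAPTURED).items():
        print(pair, stats)
    print("distinct sizes, unpadded:", distinct_sizes(CAPTURED))
    print("distinct sizes, padded to 512:", distinct_sizes(CAPTURED, 512))
```

The regular 5-second rhythm and the fixed 52/1460-byte request/response pairing are exactly the kind of pattern the text describes; padding hides the sizes but not the timing or the endpoints, which is why traffic analysis is treated as something to limit rather than eliminate.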

1.2.     Active Attacks

Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
Masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message meaning “Allow John Smith to read confidential file accounts” is modified to mean “Allow Fred Brown to read confidential file accounts."

The denial of service prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network either by disabling the network or by overloading it with messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it also may contribute to prevention.
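As an added example (not from the original post or the Stallings text), the following Python shows how a receiver detects replay and modification rather than trying to prevent them: each message carries a sequence number and an HMAC-SHA256 tag, and the receiver keeps an anti-replay sliding window of the kind IPsec ESP uses, so a retransmitted or too-old sequence number is rejected, a forged or altered message is rejected without advancing the window, and a legitimate message is accepted exactly once. The key, window size and packet layout are assumptions made for this example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 4-byte big-endian sequence number, payload, then a tag
    over both so neither can be altered without the key (layout assumed)."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class AntiReplayWindow:
    """Sliding window over sequence numbers: `highest` is the largest number
    accepted so far; bit i of `bitmap` records whether highest - i was seen."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq: int) -> str:
        if seq == 0:
            return "invalid"    # 0 is never sent, so it is rejected by a fresh window
        if seq > self.highest:
            return "ok"         # newer than anything seen so far
        if seq <= self.highest - self.size:
            return "stale"      # fell off the left edge of the window
        if (self.bitmap >> (self.highest - seq)) & 1:
            return "replay"     # already accepted once
        return "ok"

    def update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class Receiver:
    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = AntiReplayWindow(window)
        self.accepted = []

    def receive(self, packet: bytes) -> str:
        """Returns why a packet was accepted or dropped; each drop is a
        detection event worth logging."""
        if len(packet) < 4 + TAG_LEN:
            return "malformed"
        header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        seq = struct.unpack(">I", header)[0]
        verdict = self.window.check(seq)
        if verdict != "ok":
            return verdict
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad_mac"    # forged traffic must not advance the window
        self.window.update(seq)
        self.accepted.append(payload)
        return "ok"


if __name__ == "__main__":
    key = b"\x07" * 32                              # constructed shared secret
    rx = Receiver(key)
    first = build_packet(key, 1, b"Allow John Smith to read accounts")
    print("first delivery:", rx.receive(first))
    print("same packet again:", rx.receive(first))
    altered = first[:4] + b"Allow Fred Brown to read accounts" + first[-TAG_LEN:]
    print("altered in transit:", rx.receive(altered))
```

The order of the checks matters: the window is consulted before the tag is verified so that replays are cheap to drop, but the window is only advanced after the tag verifies, so an attacker cannot push legitimate packets out of the window by injecting forged high sequence numbers.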



 

Information Security - Threat and Attack


Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit vulnerability.
Attack: An assault on system security that derives from an intelligent threat. That is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violates the security policy of a system.

Tuesday, April 21, 2015

Computer Security - Challenges


The Challenges of Computer Security

Computer and network security is both fascinating and complex. Some of the reasons include:
  • Security is not as simple as it might first appear to the novice. The requirements seem to be straightforward; indeed, most of the major requirements for security services can be given self-explanatory, one-word labels: confidentiality, authentication, nonrepudiation, and integrity. But the mechanisms used to meet those requirements can be quite complex, and understanding them may involve rather subtle reasoning.
  • In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features. In many cases, successful attacks are designed by looking at the problem in a completely different way, thereby exploiting an unexpected weakness in the mechanism.
  • Because of point 2, the procedures used to provide particular services are often counterintuitive. Typically, a security mechanism is complex, and it is not obvious from the statement of a particular requirement that such elaborate measures are needed. It is only when the various aspects of the threat are considered that elaborate security mechanisms make sense.
  • Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement (e.g., at what points in a network are certain security mechanisms needed) and in a logical sense [e.g., at what layer or layers of an architecture such as TCP/IP (Transmission Control Protocol/Internet Protocol) should mechanisms be placed].
  • Security mechanisms typically involve more than a particular algorithm or protocol. They also require that participants be in possession of some secret information (e.g., an encryption key), which raises questions about the creation, distribution, and protection of that secret information. There also may be a reliance on communications protocols whose behavior may complicate the task of developing the security mechanism. For example, if the proper functioning of the security mechanism requires setting time limits on the transit time of a message from sender to receiver, then any protocol or network that introduces variable, unpredictable delays may render such time limits meaningless.
  • Computer and network security is essentially a battle of wits between a perpetrator who tries to find holes and the designer or administrator who tries to close them. The great advantage that the attacker has is that he or she need only find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security.
  • There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs.
  • Security requires regular, even constant, monitoring, and this is difficult in today’s short-term, overloaded environment.
  • Security is still too often an afterthought to be incorporated into a system after the design is complete rather than being an integral part of the design process.
  • Many users (and even security administrators) view strong security as an impediment to efficient and user-friendly operation of an information system or use of information.



Lecture Reference:
W. Stallings, “Network Security Essentials: Applications and Standards, Fourth Edition.”