Data Leakage And Protection Technologies For Organizations Information Technology Essay

Published: November 30, 2015 Words: 3900

Nowadays most companies provide IT systems for businesses all around the world. Organizations use IT systems to provide better services and information, so most security issues today concern computer systems. This assignment discusses the state of information security (current challenges and potential solutions), access control (multi-factor authentication) and firewalls.

2. Question 1 - State of information security: current challenges and potential solutions

- What are the key information security risks identified in the survey?

2.1 Key information security risks

1) Spread the risk: Companies should spread out the critical application instances across physical machines as much as possible. This can be accomplished by combining them with different types of applications while maintaining an appropriate ratio between physical and virtual machines. This helps achieve higher application availability and reduce security risks.

2) Limit access: Inappropriate access to server administrative interfaces can expose numerous production applications at once in virtualized environments. Develop a checklist in accordance with leading practices for securing administrative interfaces, including strict password policies and file permissions.

3) Use secure networks: Secure networks should be utilized for data migrations involving virtualization software, since data is not typically encrypted in these migrations.

4) Monitor threats: Properly functioning applications on virtual machines can hide latent security vulnerabilities. Thus, it is critical to continuously monitor both the virtual machines and the underlying virtual machine monitor for potential threats.

2.2 According to Ernst & Young's 12th Annual Global Information Security Survey, today's increasingly mobile and global workforce, coupled with the rapid adoption of broadband and over-the-air technologies, has changed the way many organizations use technology and information. Organizations must now adjust their information security risk management approach from "keeping the bad guys out" to protecting information no matter where it resides. They consider this to be a more "information-centric" view of security and a more effective approach. The key information security risks identified in the survey relate to information security risk management, defined as the ongoing process of (1) identifying and understanding the potential threats and risks; (2) assessing to determine the extent of the risk; (3) remediating the risks; and (4) continuing these activities over time. It also includes the necessary communication and risk reporting within the organization. The survey found that 41% of respondents noted an increase in external attacks, but there are also threats and information security risks inside the organization. In addition to the technology shift, the current economic environment is fueling an increase in the number of threats organizations are facing. More interesting than the rise in internal and external attacks is the fact that a full 75% of respondents revealed that they are concerned (33% are very concerned) with the possible reprisal from employees recently separated from their organizations. This means that most problems are within the organization.

2.3 How should these be managed?

A structured and repeatable risk management approach is the core element of an information security management system (ISMS). It is also the approach chosen by a majority of companies to address their information security risks. The survey shows that the levels of internal and external risk continue to increase. There are therefore four areas of management.

1) Managing risks

- Develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination.

- Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.

- Take an information-centric view of security, better aligned with the organization's information flows.

- Continue to integrate information security with the business, becoming a flexible, responsible corporate citizen, rather than an "obstacle" to achieving business objectives.

2) Addressing challenges

- Adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize the benefits from those investments which have already been committed.

- Investigate potential co-sourced security alternatives, which may help provide much-needed access to skilled resources, without turning over control to others.

3) Complying with regulations

- Formally detail the regulations an organization is required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise.

- Build an understanding of how compliance efforts can be integrated into wider change programs, delivering greater business benefit.

- Implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.

- Gain an understanding of the scope of privacy within operations and identify effective business champions to help ensure that normal business processes and practices do not contribute to potential privacy violations.

4) Leveraging new technology

- Assess the potential impact of any new technology that is being considered, looking beyond any promised benefits to the evaluation of the potential impact upon the organization's ability to protect its assets.

- Investigate the deployment of new security technologies to ensure that they are fit for purpose and will deliver the benefits required.

- Define a position on new IT delivery models, such as virtualization and cloud computing, to ensure alignment with the overall business strategy and information technology strategy. (Outpacing change Ernst & Young's 12th Annual Global Information Security Survey 2010)

2.4 Data leakage and protection technologies for organizations

While the loss or leakage of data has become a major problem that needs to be solved in all kinds of organizations, the routes along which data can be lost have become complicated and numerous, making data loss countermeasures all the more difficult.

Organizations therefore need technologies for a secure work space; these and future developments are described below.

2.4.1) Secure information environment

A secure information environment is based on making it safe to carry data, and there are several ways to do this.

There have been many incidents of USB memory devices containing company data being lost outside the company or of data copied from a USB memory to a PC subsequently being leaked by some means. In response, some companies have prohibited the use of USB memories, but this provides only a superficial solution to the problem. It is natural for employees to want to use USB memories, which today are the simplest and most convenient way to carry files to a customer's office that may lack network access. For this reason, a countermeasure that takes into account actual business conditions is needed. To make it safe to carry data outside the company on USB memories we have developed a USB memory device with an automatic data erase function and file redirect technology. One implementation of a "safe PC environment", a natural next step from the "safe data movement" described above, is called "Your PC Anywhere". The idea here is to safely reproduce the user's personal work environment anywhere and to prevent that environment from being maliciously altered.

Another channel that must be secured is e-mail. It has been reported that 66.2% of business users have sent e-mails erroneously. Most incidents of this type are caused by human error or negligence, which makes countermeasures somewhat difficult to develop. We have analyzed such incidents both inside and outside Fujitsu and have come up with eight original countermeasure levels. These cover an increasingly broader range as more levels are implemented from the top down, but the implementation burden on the user also increases. Sensitive information can be disclosed in text in the message body of an e-mail. A confidentiality check on text can detect general information like people's names and addresses by a pattern-matching process, but preparing individual pattern-match rules for company-confidential information is impractical. In addition, document hash functions and fingerprint technology that establish the identity of certain text suffer from a drop in detection performance if there are many locations where text has been changed.

Another area is secure document management with protection across the entire document lifecycle: an internal document must be protected across its entire lifecycle, from its creation through its distribution and modification to its eventual disposal. Many document protection technologies based on the encryption of information achieve that protection in the distribution of read-only documents. To achieve document management and protection in a company, we have developed technology that can protect documents while they are being edited and that can be used in a variety of applications.
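The limits of the e-mail text checks described above can be reproduced with a short script. This is an added example, not code from the essay or from the cited paper; the patterns, sample sentences and function names are constructed for illustration, and the fingerprint is a simple word-shingle scheme chosen as an assumption.

```python
import hashlib
import re

# Generic personal-data patterns (constructed and deliberately simple).
PATTERNS = {
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone_number": re.compile(r"\b\d{2,4}-\d{3,4}-\d{4}\b"),
}

# Constructed sample of a company-confidential sentence registered for protection.
PROTECTED = ("Project Falcon pricing for the third quarter will drop by twelve "
             "percent for all enterprise customers in the northern region "
             "starting in October")
# The same sentence with one word changed.
LIGHT_EDIT = PROTECTED.replace("twelve", "fifteen")
# The same sentence with every fourth word changed (many edit locations).
HEAVY_EDIT = ("Project Falcon rates for the third period will drop by fifteen "
              "percent for all corporate customers in the southern region "
              "starting in November")
# Constructed outgoing message body containing general personal data.
MAIL_BODY = "Please send the quote to taro.yamada@example.com or call 03-1234-5678."


def pattern_hits(body):
    """Pattern-matching check: finds general data, knows nothing of company secrets."""
    return {name: rx.findall(body) for name, rx in PATTERNS.items() if rx.search(body)}


def exact_hash_match(protected, body):
    """Whole-document hash: any single change defeats it."""
    def digest(text):
        return hashlib.sha256(text.encode()).hexdigest()
    return digest(protected) == digest(body)


def shingles(text, k=4):
    """Hashes of every run of k consecutive words (the document fingerprint)."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


def fingerprint_score(protected, body, k=4):
    """Fraction of the protected text's shingles that reappear in the body."""
    ref = shingles(protected, k)
    return len(ref & shingles(body, k)) / len(ref) if ref else 0.0


if __name__ == "__main__":
    print("pattern hits in mail body:", pattern_hits(MAIL_BODY))
    print("pattern hits in protected text:", pattern_hits(PROTECTED))
    for label, body in [("verbatim", PROTECTED), ("one word changed", LIGHT_EDIT),
                        ("every 4th word changed", HEAVY_EDIT)]:
        print(f"{label:24} hash={exact_hash_match(PROTECTED, body)} "
              f"fingerprint={fingerprint_score(PROTECTED, body):.2f}")
```

The generic patterns find nothing in the confidential sentence, the whole-document hash fails after a single changed word, and the fingerprint score falls to zero once the changes are spread across the text, even though the edited sentence still carries the same information.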

2.4.2) Future developments

From here on, the mechanism for procuring information technology resources will undergo dramatic changes as the era of Cloud computing arrives. For the corporate world, however, a major obstacle to adopting Cloud computing is security. Countermeasures against data loss in the Cloud are the next big security issue. (Data loss prevention technologies 2010)

Reference list

Outpacing change Ernst & Young's 12th Annual Global Information Security Survey http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf retrieved on 1 September 2010

Data loss prevention technologies http://www.fujitsu.com/downloads/MAG/vol46-1/paper13.pdf retrieved on 2 September 2010

3. Question 2 - Access control: multi-factor authentication

3.1 Two-factor authentication, which is used by HSBC and CBA to secure Internet banking transactions, is a term used to describe any authentication mechanism where more than one thing is required to authenticate a user. The two components of two-factor authentication are something you know and something you have.

HSBC's "out of band" system relies on the customer's phone to keep their account secure. When making a payment, a pop-up appears asking which phone number they want to be contacted on and containing a PIN number generated by the computer. HSBC will then ring them and ask them for this number. The standard two-factor system, backed by industry body Apacs, requires customers to carry a card reader, which they insert their debit card into when making a payment. The reader then comes up with an eight-digit password, which they use to confirm the transaction on-screen when prompted. HSBC is in the preliminary stages of testing the system, but it is not yet being trialled with customers. It hopes to roll it out within a year. "The two-factor system works for our business customers," said personal internet banking manager Nick Staib, "because more than one employee often needs access to the business accounts. They can keep a card-reading device in a drawer. But retail banking customers do not want to carry this device around, and are likely to make transactions in various different places." The out of band system also offers better security, said Staib. "With the card reader system, a hacker can still take control of the computer no matter how the password is generated. We are working on the basis that there is no way for them to take control of your phone. Plus, someone in another country cannot pretend to be you, because they are not on the end of your home phone." Online banking fraud jumped 44% in 2006, and banks are attempting to keep up with hackers, who are constantly finding new ways around security systems. Most other high street banks are rolling out the two-factor system. (HSBC develops new security authentication system 2007)

3.2 Two key advantages and disadvantages

<Advantage>

1) Enhanced Security

It enhances security by introducing an independent type of ID, one only the original person should be able to provide, such as a thumb print or a swipe card. No longer can a hacker hide behind an anonymous password. They must also provide physical proof to verify identity or they are denied access.

2) Reduced Risk

Single-factor authentication uses only one form of ID. With the technology available today, almost any single form of authentication can be falsified. In many cases, such as with brute force attacks where passwords are guessed, hacking attempts are overlooked because a valid user might legitimately forget his password and might need several attempts to enter it correctly. When a company incorporates a second level of authentication through two-factor authentication, the complexity of authentication increases. The greater the complexity, the higher the chance of the hacker getting caught. The bigger the chance of getting caught, the less likely it is that an attempt will be made to break in to a computer or network. This translates into a reduced risk of loss for the company.

3) Minimize Training and Help Desk Time

Passwords might seem like a simple concept, but when restricted and confidential resources are at risk, there is much more to a password than making a thief guess your pet's name. There must be complexity. The password complexity requirements outlined in your company's security policy might be common knowledge for your network administrators who manage the network, but few users are typically aware of these policies and requirements. This leads to weak passwords (those that can be easily guessed or cracked) and security risks. To prevent this, administrators will run classes and send out emails and post notices in an attempt to educate users. The sheer number of help desk calls of users who have forgotten their password is a testament to the futility of these endeavors. Having a strong, two factor authentication allows for a simple, automated, and intuitive process that users can get behind without getting bent out of shape from complex passwords. Instead of passwords, swipe cards can be used for the first authentication factor, and a thumb print for the second authentication factor. The help desk is then freed to do more than reset passwords and the network administrators can get back to working on the network. (The Advantages of Two Factor Authentication 2010)

<Disadvantage>

1) The mobile phone is not as good a second factor as a dedicated token

2) If you're caught in an area without a phone signal or a period of high network traffic then the token might not arrive

3) A one-time password is going to be more vulnerable to compromise through phishing attacks where the captured data is sought for immediate use

- A USB token with both chip-based authentication and flash memory for storage of files, documents etc. would be more effective. The chip contains a small operating system and some memory for storing certificates, which are used for authentication. The OS on the chip differs from vendor to vendor, and therefore you have to ensure that you use a CSP (Cryptographic Service Provider) in Windows which supports the OS on the chip. A chip-based solution has some advantages compared to other multifactor authentication solutions, since it can be used to store certificates for authentication, identification and signing. As we mentioned before, everything is protected by a PIN, which enables the user to access the data stored on the chip. Because an organization often maintains and issues its own smart cards or USB tokens, it can also define what policy is associated with the solution, for example whether the card is locked or erased after x number of attempts. Because you can combine these policies with the PIN, the length of the PIN can be much shorter and thus easier to remember, without compromising security. All of these parameters are stored on the smart card when it is issued. A chip-based solution is also tamper resistant, so without the correct PIN, the data (certificates and personal information) stored on the chip is not accessible and thus not usable. (Authentication, Access Control & Encryption 2008)

Reference list

HSBC develops new security authentication system http://www.computerweekly.com/Articles/2007/09/06/226622/hsbc-develops-new-security-authentication-system.htm retrieved on 3 September 2010

The Advantages of Two Factor Authentication http://www.ehow.com/list_6682961_advantages-two-factor-authentication.html retrieved on 3 September 2010

Authentication, Access Control & Encryption http://www.windowsecurity.com/articles/Multifactor-authentication-Windows-Part1.html retrieved on 3 September 2010

4. Question 3 - Firewalls

4.1 Static packet filter firewall operation: "Firewall filtering mechanism that looks at packets one at a time in isolation and that only looks at some fields in the internet and transport headers." (Panko 2010, p.488)

4.2 Stateful firewall operation: a stateful firewall is any firewall that performs stateful packet inspection (SPI) or stateful inspection: "Firewall filtering based on the state of the connection (connection opening, ongoing communication)" (Panko 2010, p.488)

4.3 Comparing two types of operations

1) Static

The packet filter is the traditional approach: when a packet comes in, the firewall checks the following fields: source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination port. Rules such as 'if the source IP is xxx then pass', 'if the destination IP is xxx then pass' or 'if the source port is xxx then deny' are entered into the firewall, and the firewall passes or blocks packets based on this information.

Static packet filtering was the earliest firewall filtering mechanism. It has two limitations. First, it inspects packets one at a time, in isolation. Second, it only looks at some fields in the internet and transport layer headers. However, static packet filtering can stop certain attacks very efficiently. (Static and stateful comparing 2004)

2) Stateful

The static method is based on predefined rules: if a packet matches a rule it passes, and if not it is blocked. It is a simple method. The stateful approach applies much more detailed and complex tests. It looks not only at the packet's source and destination IP addresses and port numbers but also checks the contents of the packet.

To take parcel delivery as an example, the static method looks only at the sender and recipient addresses written on the outside of the parcel to decide whether to let it pass, whereas the stateful method opens the parcel and checks its contents.

Therefore, the stateful approach allows much more thorough tests than the static one. However, because it opens and checks the contents of every packet, processing is slower and it puts a load on the router, which might be a disadvantage. (Static and stateful comparing 2004)

Reference list

Panko, R 2010, p.256 & 488, Corporate computer and network security, second edition, Pearson Education, Upper Saddle River, New Jersey.

Static and stateful comparing http://blog.naver.com/03s?Redirect=Log&logNo=60003079886 retrieved on 3 September 2010.

4.4 Protection of stateful packet filtering

- Strong Security: "Stateful" Information Protects Network

Cisco's PIX Firewall series ensures high security through its adaptive security algorithm (ASA) and the use of stateful information. Each time a TCP connection is established for inbound or outbound connections through the PIX Firewall, the information about the connection is logged in a stateful session flow table. The table contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP connection associated with that particular connection. This information creates a connection object in the PIX Firewall series. Thereafter, inbound and outbound packets are compared against session flows in the connection table and are permitted through the Cisco PIX Firewall only if an appropriate connection exists to validate their passage.

This connection object is temporarily set up until the connection is terminated. For security, the ASA takes the source and destination addresses and ports, TCP sequence numbers, and additional TCP flags and hashes the IP header information. The hashing acts like a fingerprint: it creates a code that uniquely identifies the client initiating the inbound or outbound connection. In order for hackers to penetrate the firewall to an end client, they would have to obtain not only the IP address, but also the port number and the TCP sequence numbers and additional IP flags. This scenario is very unlikely because Cisco's PIX Firewall series randomizes the TCP sequencing numbers for each session. Lastly, the connection object is terminated when the session is over. In fact, only two accesses can be made through Cisco's PIX Firewall series: 1) Cut-through proxy authentication. 2) Specific servers designated as static conduits through the PIX Firewall, allowing access to a specific server on the inside private network, and that server alone. Cisco's PIX Firewall series logs all these connections, as well as other authorized and unauthorized attempts. It also provides detailed audit trails using the standard Berkeley UNIX logging mechanism (syslog).

1) VDONet VideoLive

VideoLive sends the client's originating request to the server's TCP port 7000. The server sends the response data from source port UDP 7001 to a solicited destination port on the client. Stateful filtering firewalls: for this approach, the system administrator must configure the firewall to expect port 7001 for VideoLive to any destination port.

The PIX Firewall series differs from other stateful and proxy firewalls by transparently supporting VideoLive. When a client requests a connection to TCP port 7000, the PIX Firewall series expects an incoming connection from UDP 7001 to a solicited port specified in the control connection stream. The PIX Firewall series allows only that host to send on UDP 7001 to only the solicited destination port during the time that the security connection is maintained on TCP port 7000. If either end disconnects, the PIX Firewall series closes both UDP port 7001 and TCP port 7000.

2) CU-SeeMe

A CU-SeeMe client sends the originating request from TCP port 7649 to TCP port 7648 at the video server (the "reflector"). The CU-SeeMe datagram is unique in that it includes the legitimate IP address provided by the firewall in the header as well as a binary copy of the internal IP source address in the data portion of the datagram. Stateful filtering firewalls: this approach requires a legitimate, registered (Internet-routable) IP address on the inside. This represents a security breach. The PIX Firewall series provides transparent support for CU-SeeMe. The PIX Firewall series changes the IP address in the data section of the CU-SeeMe datagram to match the legitimate IP address that it assigned to this connection.

The reflector compares the addresses, finds that they match, and opens the UDP data connection to allow data to stream. Security is maintained by the security connection on UDP ports 1234 and 1558. This allows CU-SeeMe to be used with both registered and nonregistered IP addresses.

3) Progressive Network's Real Audio

Real Audio sends the originating request to TCP port 7070. The Real Audio server replies with multiple UDP streams anywhere from UDP 6970 through UDP 7170 to solicited destination ports on the client. Stateful Filtering Firewalls for Proxies require the user to throttle down to TCP, decreasing sound quality. The PIX Firewall series monitors the TCP control connection to destination port 7070 and allows only the destination host to communicate to the global pool via UDP ports 6970 through 7070 while the TCP control connection is active. Because multiple UDP ports are available to handle high data rates, the PIX Firewall series connection maintains higher sound quality than the other firewall approaches. (Cisco's PIX Firewall Series and Stateful Firewall Security 2010)
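The difference between the static rule from section 4.3 and the connection-table behaviour described for VideoLive above can be shown with a small model. This is an added example, not code from the essay or from Cisco; the class and function names and all addresses are hypothetical, sessions are keyed by host pair only, and learning the solicited port from the control stream is reduced to a method call.

```python
from dataclasses import dataclass

CONTROL_PORT = 7000   # VideoLive TCP control port (from the text)
MEDIA_SPORT = 7001    # VideoLive UDP source port (from the text)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags: "S" SYN, "A" ACK, "F" FIN, "R" RST


def static_filter(pkt: Packet) -> bool:
    """Static rule: judge each inbound packet alone, by header fields only."""
    return pkt.proto == "udp" and pkt.sport == MEDIA_SPORT


class StatefulFilter:
    """Tracks control connections; media is allowed only while one is open."""

    def __init__(self):
        # (client, server) -> solicited UDP port, or None until it is learned
        self.sessions = {}

    def outbound(self, pkt: Packet) -> bool:
        """Inside-to-outside packets are permitted and update the table."""
        if pkt.proto == "tcp" and pkt.dport == CONTROL_PORT:
            key = (pkt.src, pkt.dst)
            if "S" in pkt.flags:
                self.sessions.setdefault(key, None)
            elif "F" in pkt.flags or "R" in pkt.flags:
                self.sessions.pop(key, None)     # closes TCP 7000 and UDP 7001
        return True

    def learn_solicited_port(self, client, server, port):
        """Stand-in for reading the solicited port from the control stream."""
        if (client, server) in self.sessions:
            self.sessions[(client, server)] = port

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.src)                 # (client, server)
        if key not in self.sessions:
            return False                         # no matching connection
        if pkt.proto == "tcp" and pkt.sport == CONTROL_PORT:
            if "F" in pkt.flags or "R" in pkt.flags:
                del self.sessions[key]           # server side disconnected
            return True
        return (pkt.proto == "udp" and pkt.sport == MEDIA_SPORT
                and pkt.dport == self.sessions[key])


def demo():
    # Constructed addresses from the documentation ranges.
    client, server, stranger = "10.0.0.5", "198.51.100.10", "203.0.113.66"
    fw = StatefulFilter()
    fw.outbound(Packet("tcp", client, 40000, server, CONTROL_PORT, "S"))
    fw.learn_solicited_port(client, server, 5004)
    media = Packet("udp", server, MEDIA_SPORT, client, 5004)
    unsolicited = Packet("udp", stranger, MEDIA_SPORT, client, 5004)
    wrong_port = Packet("udp", server, MEDIA_SPORT, client, 5005)
    results = {
        "static_media": static_filter(media),
        "static_unsolicited": static_filter(unsolicited),
        "stateful_media": fw.inbound(media),
        "stateful_unsolicited": fw.inbound(unsolicited),
        "stateful_wrong_port": fw.inbound(wrong_port),
    }
    fw.outbound(Packet("tcp", client, 40000, server, CONTROL_PORT, "F"))
    results["stateful_after_close"] = fw.inbound(media)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} {'PASS' if allowed else 'DROP'}")
```

The static rule passes any UDP packet with source port 7001, including one from a host the client never contacted, while the table-based filter accepts only the server of an open control connection, only on the solicited port, and only until that connection closes.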

4.5 Application firewall protections

We have noted that application proxy firewalls filter the content of application messages. The specifics of this filtering vary by application. We will only mention a few filtering actions that HTTP application proxies can take. There are other filtering actions for HTTP, SMTP, and other types of applications.

1) Client protections: As noted earlier, many firms use application proxy firewalls to protect internal clients from malicious external servers. The HTTP proxy can also examine outgoing packets from the internal client to the external web server to detect client misbehavior.

2) Server protections: For servers, the HTTP proxy program attempts to protect the server from malicious clients.

3) Other protections: While filtering the content of the application layer message is important, there are three other protections that application proxy firewalls offer automatically by the very way in which they work. These are internal IP address hiding, header destruction, and protocol fidelity. (Panko 2010, p.273&274)

Reference list

Panko, R 2010, p.273 & 274, Corporate computer and network security, second edition, Pearson Education, Upper Saddle River, New Jersey.

Cisco's PIX Firewall Series and Stateful Firewall Security http://www.onsiteaustin.com/whitepapers/Cisco%20FW%20and%20security%20nat_wp.pdf retrieved on 3 September 2010.