Security & Professional Standards in IT
Any discussion of Software these days needs to start with the admonitions that security should be
_designed_ into systems, that it's not always feasible to _add_ security to a system without it,
and that a system's first security breach may result in the failure
of the system's owners' enterprise or organization.
IT Professionals have developed a legacy of standards and recommendations for
securing and operating information systems -- ignorance of them is no defence against
blame or liability claims when a system is robbed of 'sensitive' data or
it is otherwise lost or corrupted.
Most security breaches are the fault of application software, not operating systems.
For example: WordPress, the heart of more than 300,000 of the blogosphere's engines, has had a recent spate of
vulnerabilities in the add-on applications available for WordPress which made inappropriate disclosure
of personal information or allowed destruction or defacement of the stuff of blogs.
Windoze and the *ixes (Linux & proprietary unix) all
provide super-adequate capabilities for securing an application environment's OS, DBMS, EMail and Web servers.
But much of a typical application environment's security is provided by the application software.
Most of the 'vulnerability' in systems today
comes from poorly designed or detailed application software that
fails to provide 'access control', 'non-repudiation', 'version control', 'authentication & authorization' or
other key components of system security.
Recent & Current Issues in IT Security
This section, originally posted a few years back, introduces issues that continue to be hot today. We're waiting
on word from the Supreme Court about legality of tracking cell-phone movements using records from cell-towers...
Prism and Upstream are two continuing NSA projects to collect every shred of data
stored or transmitted on-line and phone calls overseas + what's 'tapped' onshore.
Massive Data Center in Utah is coming up in phases to keep it all indefinitely.
The NSA provides an excellent pdf, Defense In Depth, a practical guide to IT security.
The NSA's not the only outfit snooping your Web traffic.
What an Eavesdropper Sees when you use an unsecured WiFi.
Anybody with access to the Internet's routers or application servers is able to see and soak up
your packets as they fly by. I set up my elderly sister's email on earthlink, using an entirely
new and unique address and within a week she had so much spam in her inbox that it was hard to
see the few emails from me and my nephews and nieces and somebody hijacked her account.
Insecure pop3 was the culprit here, easy for crackers to filter out packets carrying userids and passwords.
Way before email, texting, and Web 2's social networking
Microwave Spying was soaking
up trans-oceanic traffic, sometimes with satellites, others by sticking an antenna into the signal between the transceivers
on the roof or in the window of a building that just happens to be in the stream. It's more difficult to tap into fiber-optic
cables mid-ocean than the copper-wired, but it's possible. Spying on digital circuits may be legal through court orders, but
contractors and employees of long-line and local communications carriers can do it without any such order...
Here are some links about security issues in application code:
Top 25 Most Dangerous Software Errors;
SANS provides 20 Critical Security Controls.
CyberCiti suggests 20 Linux Server Hardening Tips.
Study guides for Security+, Certified Ethical Hacker, and other IT Security related certificates provide more detail and
are heartily recommended for any student wanting a career in IT, along with setting up your own web and mail server,
securing it, studying its logs...
- The Pillars of Information Security: The old triad of
'CIA', Confidentiality, Integrity, and Availability was sufficient to secure
enterprise information way back before the _customers_ and _suppliers_ had
access to the system's domain, employees were the only persons to
touch a system, and most transactions originated on paper documents.
Nowadays, with on-line
systems handling all aspects of business transactions for customers and suppliers, and
most transactions originating in the system,
pillars for 'Authenticity' and 'Non-repudiation'
have been added to the information security framework.
- Confidentiality - Information is disclosed only to those with authority to use it
- Integrity - Data cannot be modified undetectably
- Availability - Information is accessible to those with authority to see it when it is needed
- Authentication - The person logged into the system is who they claim to be, key to Confidentiality and Non-repudiation.
- Non-repudiation - All parties to a transaction are confident of the identities of the others involved,
the transaction is final, and none can subsequently deny the transaction
Access Control involving strong schemes for authenticating users' identities
and encryption of data is an essential element of information security.
Access control with a robust, hidden userid and password
known only to the user, 'something you know',
is the most often used and is enough for many situations.
This can be 'tightened' by having the authentication process generate and
send another code to another device, maybe a pager or a text to a phone.
'Something you have' might be a smartcard, a mag stripe, or
some other 'token'.
'Something you are' could be a fingerprint, palmprint, iris
scan, or face to recognize -- and is expensive to get right. A really robust
scheme can use all the above. Google 'cencon lock' for another twist on this.
Here's a CIO article where
PayPal Says it's Time to Ditch Passwords.
- AAA - Triple A - Authentication, Authorization, & Accounting is another
way of describing access control. It is one
of the seven, or thereabouts, basic functions of a modern multi-user operating system.
Most of our operating systems these days are multi-user, even if they're mostly
used by one user. Apps for our personal devices running on Windows, OS-X, Unices, Android, iOS can all
take advantage of their environment's AAA features to support the Confidentiality piece of the
Five Pointed Star: CIAAN.
Authentication may be simple with a user id and password or more complex involving multi-factors.
Authorization is usually associated with users' accounts or the location of an access point,
it's what the user is authorized to do on the system. Microsoft's Active Directory handles
Authorization with a system of Memberships and Roles, UNIX handles it with Groups, starting
directory, and startup script. Accounting may be a complete audit trail of every keystroke
in some application environments. Most operating systems log every command and app that's
accessed by the logged in user.
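The two passages above, the three authentication factors and the AAA trio, can be seen working together in one small program. The following is an added example written for this page, not code from the course or from any operating system's AAA implementation. It assumes a constructed user store (the user 'alice', her groups, her permissions and her TOTP seed are all made up for the demonstration): authentication combines 'something you know' (a salted password hash) with 'something you have' (an RFC 6238 TOTP code of the kind an authenticator app displays), authorization is UNIX-style group membership, and accounting is an append-only audit trail of every decision.

```python
"""
Added example (not from the course page): a toy AAA service in Python that
shows the three pieces the text describes together. Authentication uses two
factors, 'something you know' (a salted password hash) and 'something you
have' (an RFC 6238 TOTP code like an authenticator app shows); authorization
is UNIX-style group membership; accounting is an append-only audit trail.
Users, groups, secrets and permission names are constructed sample data.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); the cleartext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the 'something you have' code."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed user store: password hashes (never cleartext), TOTP seeds, groups.
_salt, _digest = hash_password("correct horse battery staple")
USERS: Dict[str, dict] = {
    "alice": {"salt": _salt, "digest": _digest,
              "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
              "groups": {"staff", "payroll"}},
}

# Authorization: rights attach to groups, never to individual users (constructed).
PERMISSIONS: Dict[str, set] = {
    "staff": {"read:directory"},
    "payroll": {"read:salaries", "write:salaries"},
}

# Accounting: every authentication and authorization decision is appended here.
AUDIT_LOG: List[dict] = []


def _audit(user: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": user, "action": action, "outcome": outcome})


def authenticate(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must verify; constant-time compares avoid timing leaks."""
    rec = USERS.get(user)
    if rec is None:
        _audit(user, "login", "unknown-user")
        return False
    _, digest = hash_password(password, rec["salt"])
    password_ok = hmac.compare_digest(digest, rec["digest"])
    now = int(time.time()) if now is None else now
    code_ok = hmac.compare_digest(totp(rec["totp_secret"], now), code)
    ok = password_ok and code_ok
    _audit(user, "login", "success" if ok else "failure")
    return ok


def authorize(user: str, permission: str) -> bool:
    """Granted only if some group the user belongs to carries the permission."""
    groups = USERS.get(user, {}).get("groups", set())
    allowed = any(permission in PERMISSIONS.get(g, set()) for g in groups)
    _audit(user, permission, "allowed" if allowed else "denied")
    return allowed


if __name__ == "__main__":
    t = 59  # fixed clock so the run is reproducible
    code = totp(USERS["alice"]["totp_secret"], t)
    print("login:", authenticate("alice", "correct horse battery staple", code, now=t))
    print("write:salaries:", authorize("alice", "write:salaries"))
    print("reboot:server:", authorize("alice", "reboot:server"))
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points worth noticing: a wrong password and a wrong code both produce the same "failure" audit entry, so the log does not tell a guesser which factor was wrong, and the audit list is written on every path, including denied authorizations, which is what makes it an audit trail rather than a success log.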
Protection is essential and must be pro-active and on-going to provide security for networked
resources. A common formula for protection is: Protection = Prevention + (Detection + Response).
- Prevention: Security Culture, Access Controls, Firewalls, Encryption, Transaction Logs, Backup
- Detection: Auditing Logs, Intrusion Detection Systems, Honeypots
- Responses: Incident Response Teams, Recovery, and Forensic Exams
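The 'Detection' term of the formula is easiest to see as code that audits a log. Below is an added example for this page, not the course's own code or any IDS product's logic: a small Python auditor that reads sshd-style authentication lines, flags a source address that fails many logins inside a short window, and records whether a successful login followed the burst, which is the finding the Response side wants escalated first. The log lines are constructed sample data, not a real capture, and the year is assumed because syslog timestamps omit it.

```python
"""
Added example (not from the course page): the 'Detection' term of
Protection = Prevention + (Detection + Response) as a small log auditor. It
reads sshd-style authentication lines and flags a source address that fails
many logins in a short window, then records whether a successful login
followed, which is what the incident-response side wants to see first.
The log lines are constructed sample data, not a real capture, and the
year is assumed because syslog timestamps omit it.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar 10 02:14:03 web1 sshd[4021]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar 10 02:14:04 web1 sshd[4021]: Failed password for root from 203.0.113.9 port 51125 ssh2
Mar 10 02:14:06 web1 sshd[4021]: Failed password for invalid user test from 203.0.113.9 port 51127 ssh2
Mar 10 02:14:07 web1 sshd[4021]: Failed password for invalid user oracle from 203.0.113.9 port 51130 ssh2
Mar 10 02:14:09 web1 sshd[4021]: Accepted password for root from 203.0.113.9 port 51131 ssh2
Mar 10 02:20:44 web1 sshd[4099]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar 10 02:20:51 web1 sshd[4099]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
Mar 10 02:21:00 web1 cron[4100]: (root) CMD (run-parts /etc/cron.hourly)
"""

ASSUMED_YEAR = 2024  # syslog lines carry no year; assumed for the sample

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str) -> Optional[Dict]:
    """Turn one sshd auth line into an event; unrelated lines give None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[Dict]:
    """Alert on any source IP with >= threshold failures inside window_seconds.
    Each alert records whether an Accepted login followed the burst."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        # Slide a window of `threshold` failures; the first one that fits raises the alert.
        for i in range(len(failures) - threshold + 1):
            burst_end = failures[i + threshold - 1]
            if (burst_end - failures[i]).total_seconds() <= window_seconds:
                success_after = any(e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs)
                alerts.append({"ip": ip, "failures": len(failures),
                               "burst_end": burst_end, "success_after_burst": success_after})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, the five failures from 203.0.113.9 inside six seconds trip the threshold and the accepted root login two seconds later is flagged, while alice's single typo from 198.51.100.7 is ignored. The threshold and window are the knobs that trade false positives for detection speed; the cron line shows the parser discarding log noise instead of crashing on it.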
B2B networking uses the EDI-Electronic Data Interchange protocols
ANSI X12 and United Nations EDIFact to exchange all kinds of business documents
for supply chain management,
shipping by ocean, air, or motor, service delivery, and almost any facet of business or enterprise.
Purchase orders, acknowledgements, shipping notices, manifests, bills of lading, insurances, claims,
health, medical and
every other kind of business document have all been built into the ANSI X12 standards.
EDI continues to increase in use and importance since it emerged in the late 1970s.
For EDI the Non-Repudiation part of CIAAN is key: If you transmit an EDI document you own it,
so it's incumbent on a company or an individual to protect their security keys
to maintain the security of their orders, invoices, and other EDI documents.
(Tale about two multi-million $$ loads of steel goes here...)
Originally EDI documents were transmitted on costly private networks, well into the '90s,
adding a dollar or two to the cost of every transaction.
These days, most X12 EDI documents are transmitted directly 'server-to-server' over The Internet,
at a negligible cost.
The Internet's HTTP with PKI-Public Key Infrastructure and SSL-Secure Socket Layer
is used to
verify the identity of the parties involved in the transactions and to encrypt them.
On private networks, transferring EDI documents added about a dollar to the cost per transaction.
Over The Internet, these critical transactions are practically free!
At the outset of
an EDI relationship the trading partners exchange their PKI/SSL key files, and
have procedures in place to keep them updated and secure.
Since the keys are tied to each domain it is very difficult to
'spoof' the system. If anything is out of place, the SSL will not allow the data to flow, similar to
the way your browser warns you when a site's SSL Certificate has expired.
For decades since the '70s 'trade associations' picked documents from
ANSI's ASC X12 Standards
for their members to use. More recently, X12 has been adopted
for more 'open' use as
OBI-Open Buying on the Internet, which is helping to reduce the expense of a
'Tower of Babel effect' as sellers and buyers were making up their own transactions.
HIPAA also uses X12 EDI for exchange of health and medical records.
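Besides the transport-level protection the SSL keys give, an X12 document carries its own integrity checks in its envelope segments: the ST/SE pair counts the segments of each transaction set, GE counts the transaction sets in a functional group, IEA counts the groups in the interchange, and each closing segment repeats the control number of its opener. The following is an added example written for this page, not the course's code or any EDI translator's: a minimal Python parser that reads those separators from the fixed-width ISA segment and verifies the counts and control numbers. The interchange is a constructed one-line 850 purchase order with made-up sender, receiver and control numbers, not a real trading partner's file.

```python
"""
Added example (not from the course page): a minimal ANSI X12 interchange
parser that checks the counts and control numbers the standard's envelope
segments carry (ST/SE, GS/GE, ISA/IEA). Those fields are X12's built-in
integrity check: a document that lost or gained a segment in transit, or
had its envelope tampered with, fails the check before anything is posted.
The interchange is a constructed one-line 850 purchase order with made-up
sender, receiver and control numbers, not a real trading partner's file.
"""
from typing import List


def build_sample_interchange() -> str:
    """Constructed sample: one ISA/IEA envelope, one GS/GE group, one 850."""
    # ISA is the only fixed-width segment; its layout tells the receiver which
    # separators the sender chose: element separator at index 3, sub-element
    # separator at index 104, segment terminator at index 105.
    isa = "ISA*" + "*".join([
        "00", " " * 10, "00", " " * 10,                           # ISA01-04: no auth/security info
        "ZZ", "SENDERID".ljust(15), "ZZ", "RECEIVERID".ljust(15),  # ISA05-08: sender/receiver ids
        "240101", "1200", "^", "00501",                           # ISA09-12: date, time, rep. sep, version
        "000000001", "0", "T", ":",                               # ISA13-16: control #, ack, Test, sub-elem sep
    ]) + "~"
    body = [
        "GS*PO*SENDERID*RECEIVERID*20240101*1200*1*X*005010",
        "ST*850*0001",
        "BEG*00*SA*PO12345**20240101",
        "PO1*1*10*EA*9.99**VP*WIDGET-1",
        "CTT*1",
        "SE*5*0001",        # SE01: segments from ST through SE; SE02 must equal ST02
        "GE*1*1",           # GE01: transaction sets in the group; GE02 must equal GS06
        "IEA*1*000000001",  # IEA01: groups in the interchange; IEA02 must equal ISA13
    ]
    return isa + "~".join(body) + "~"


def parse_segments(raw: str) -> List[List[str]]:
    """Split an interchange into segments and elements using the ISA-declared separators."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("not an X12 interchange")
    element_sep, segment_term = raw[3], raw[105]
    return [seg.split(element_sep) for seg in raw.split(segment_term) if seg]


def check_envelope(raw: str) -> List[str]:
    """Return the list of envelope integrity problems; an empty list means consistent."""
    problems: List[str] = []
    segs = parse_segments(raw)
    isa, iea = segs[0], segs[-1]
    if iea[0] != "IEA":
        problems.append("interchange does not end with IEA")
    else:
        if isa[13].strip() != iea[2].strip():
            problems.append("ISA13/IEA02 control number mismatch")
        if int(iea[1]) != sum(1 for s in segs if s[0] == "GS"):
            problems.append("IEA01 does not match the number of GS groups")
    st_at = gs_at = None
    for i, seg in enumerate(segs):
        tag = seg[0]
        if tag == "GS":
            gs_at = i
        elif tag == "GE" and gs_at is not None:
            st_count = sum(1 for s in segs[gs_at:i] if s[0] == "ST")
            if int(seg[1]) != st_count:
                problems.append(f"GE01={seg[1]} but group holds {st_count} transaction sets")
            if seg[2] != segs[gs_at][6]:
                problems.append("GS06/GE02 control number mismatch")
            gs_at = None
        elif tag == "ST":
            st_at = i
        elif tag == "SE" and st_at is not None:
            expected = i - st_at + 1
            if int(seg[1]) != expected:
                problems.append(f"SE01={seg[1]} but {expected} segments from ST through SE")
            if seg[2] != segs[st_at][2]:
                problems.append("ST02/SE02 control number mismatch")
            st_at = None
    return problems


if __name__ == "__main__":
    good = build_sample_interchange()
    print("intact:", check_envelope(good) or "ok")
    # Drop the PO1 line item, as truncation or tampering might: SE01 no longer matches.
    tampered = good.replace("PO1*1*10*EA*9.99**VP*WIDGET-1~", "")
    print("tampered:", check_envelope(tampered))
```

These counts catch accidents and crude edits, not a deliberate forger who rewrites the counts too; that is why the text pairs them with PKI, which ties the document to a key only the trading partner holds. A receiver that rejects on any problem in this list, before posting the order, is the cheap first line of the Integrity pillar.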
Visual Survey of Information Security:
This Trilogy of Trilogies has appeared in textbooks and lectures
about security for decades. It can be used to guide a thorough
survey of information security:
Physical security, procedures, and personnel surround computing hardware, software, and
networks to ensure confidentiality, integrity, and authenticity of information.
It's also a good visual tool for organizing these 9 components of Information Security,
in case somebody handing out an IT job or points on a quiz asks about it...
- Threat Vectors to be considered in a security survey:
4 Types of Network Attacks is a good tute about what the blackhats are always trying: RADD -
Reconnaissance, Access, DoS, Data Manipulation...
- Remote - Network attacks over The Internet, may penetrate & compromise a firewall, or use vulnerabilities
in the application environment to gain unauthorized access to or destroy data
- Proximate - A cracker using Wifi at close range can quickly defeat encryption protocol.
Or they may install a device on a wired ethernet to probe and crack into systems,
or gain physical access to the system console and compromise it.
- Insider - Employee or contractor with credentials to access the network takes
what they can copy off the system to a competitor, or plants trojan, worm, bot or other malware
- Supply Chain - Compromise of hardware or software that is installed into the network,
the stuff of spy novels reflects reality, a disk drive that has spyware in addition
to SMART, or maybe a firewall with a 'back door' that can be opened at will.
'Firmware' is relatively easy to 'flash', may be corrupted in the supply chain, and it's incumbent on network
managers to audit their firmware for signs of corruption.
- Expect the un-expected:
Modern M2M-Machine to Machine connections in the IoT-Internet of Things open up more and more
potential vectors into our networks.
Unmanaged IT Assets
are a big issue as devices like vending machines, coffee makers, digital photo frames,
and refrigerators have networking capabilities, or when an office adds
its own SharePoint server -- these devices can be 'Trojaned' with malware
or otherwise exploited to gain access to a network.
Network managers must be aware of and protect against these devices and there
are more and more of them everywhere these days as the IoT - Internet of Things adds
IP to more and more devices. Anything with an IP address may be vulnerable to crackers...
A Pwn Plug
looks like the 'power monitor' some cracker in an electrician's suit claims it to be.
The advent of cheap, powerful, 'single board' computers like
Raspberry Pi makes the production and deployment of these devices very affordable.
FXI Cotton Candy , an entire computer on a USB, is even less obtrusive.
Somebody a mile away might have a clear line-of-sight to an office window and a
Long Range WiFi
- ICS-Industrial Control Systems, PLCs-Programmable Logic Controllers, SCADA-Supervisory Control
& Data Acquisition:
Security gets the spotlight in
New Era of Warfare.
Do you reckon we have any vulnerabilities in
SCADA protocols are used by ICS-Industrial Control Systems to control dams, HVAC, electrical plants,
industrial processes and other potentially lethal higher- and lower-level technologies.
are standardized components of these systems, which is great for reducing the costs involved in ICS,
but they also make it easier for crackers to gain control.
Recent developments in 'smart power grids' depend on SCADA to apply their intelligence,
and have beefed up standards for securing nodes on these networks. All this raises fears about
the vulnerability of our power grids to Crackers, whether they're script kiddies or government agents...
In the early '90s (I know this for a fact) anybody with an Atari and the phone # for the modem controlling the
Lake Merriweather Dam spillway in Rockbridge County, VA
could dial in and turn the Maury River into a class 6 rapid at an unscheduled time.
We can all hope this got secured before the end of the '90s. There are hundreds of
dams and barrages in the USA controlled using SCADA and PLCs.
The compromise of one in New York, the Bowman Avenue Dam, in 2013 was a wake-up call.
Our 'smart grid' used to distribute electricity over large areas also uses SCADA
standards, and it requires extreme vigilance and security.
A compromise could damage huge components that cost hundreds of thousands of dollars
and may take months to replace.
In 2011, the malware Stuxnet did surveillance of Iran's nuke plants and
destroyed a lot of centrifuges operated with SCADA & PLCs.
- Information Security,
has evolved as access to enterprise systems has moved from punched cards
loaded into a hopper & greenbar reports to input at the point-of-transaction via WiFi and The Internet, and
real-time reports via web-browsers or smartphones.
Of course, there is lots of value in knowing how to wield malware and hack into systems and tap the dark web.
But there is more value in knowing how to apply best practices against threats as it is learning to
The wiki on Network Security
is a good place to start learning about diligence in surveying and securing networks from home through enterprise.
Carnegie Mellon's CERT-Computer Emergency Response Team
has this article on Internet Security
that discusses types of security incidents, vulnerabilities of The Internet, and the policy and
technology to mitigate the risks.
The tech behind all these best practices is best practiced on your own equipment if you're wanting a career in network
security. Graduating without any hands-on experience in securing a server is just lame if you're interested
in a career in network security...
- If you're not going to secure it, don't collect it or keep it on a computer, write it down!
Security can't be an add-on, it must be integral in an organization's culture from the
top down, and pervasive in the organization's assets from locks on the doors thru its networks' firewalls,
computing hardware, operating systems, and application software.
Security needs to be considered
very early in the selection or development of application software and every day that it operates.
Richard Clarke, presidential security advisor several years back, said: "If a company pays more for coffee
than network security they _deserve_ to be hacked!".
- IT Professionals
are guided by several standards for security and service delivery:
- CERT's GES - Governing for Enterprise Security
states clearly that today's Board Members and C-level executives might not know about the details of
their Information Systems' security,
but their diligence includes ensuring all aspects of the enterprise are secure.
Every attorney involved in a lawsuit or criminal action against an enterprise accused of
losing customer data or other valuable business data will be citing the following standards
as they sue for damages and punishment.
- COBIT - Control Objectives for IT
(.ppt) COBIT is not a detailed set of instructions or a 'how to',
it is an application of Quality Management to control of IT. Organizations that practice COBIT
mature quickly and have very secure systems and accurate accounting.
The ITIL - IT Infrastructure Library
is Quality Management applied to IT Management -- these UK-developed recommendations are freely available and represent
today's best practices for IT management. ITIL is another application of
Quality Management to IT, is not a detailed set of instructions about ensuring security or availability.
It might be helpful to consider COBIT as strategic stuff and ITIL tactical.
- For detailed 'how tos', look to the study guides for
technical certificates like CompTIA's
'general' Network+ or Security+, or 'technology specific' certs like Linux+ or
and other product-specific certificates. The
RedHat series of certificates was the top requested in 2012, followed by Cisco's
CCNA and other product-specific certs.
- SOX - Sarbanes - Oxley
is different from other IT standards in that it
carries the Force of Law. It was passed to prevent and to prosecute corporate malfeasance.
It involves standards of practice for IT
and Accounting professionals.
Similar laws have been written by dozens of other governments in the past few years following an exodus
of crooks from the USA to other countries who didn't enforce such standards.
Among other things for C-level executives, SOX says to the CIO:
Secure your systems and manage them according to standards like COBIT or ITIL;
Ensure all facets of security and non-repudiation; Use the systems to capture
_every_ transaction of value as close to real-time as practical;
Practice transaction logging, regularly verify the logs,
and always provide a clear audit trail from any reported figure back to the point of transaction;
Reconcile the system regularly with every external account: cash, brokerage, and other accounts or holdings;
Use the system to report financial data to stockholders and the IRS; Don't cook the books.
PCI - Payment Card Industry Data Security Standards
are important where customers' payment card data are transmitted or kept (more below)
The HIPAA - Health Insurance Portability and Accountability Act
applies to anything health related (more below)
EDI - Electronic Data Interchange Standards
for B2B exchange -- standard ANSI X12 and UN EDIFact documents facilitate
and greatly reduce the cost of supply chain management and exchange of all
kinds of documents for business, shipping, and health care today.
- Start now on a career as an IT Security Professional.
An IS degree can lead along a career path as an
IT Security Professional.
All IT Pros must be security-conscious, need to be able to recognize and call out this or that
vulnerability and get it out of their employers' or customers' systems.
Here is CA's Survival Guide for IT Pros, which
outlines issues of business continuity and disaster avoidance & recovery when disaster strikes.
Dry stuff like the policy and procedures for Change Management,
aka configuration management, is good to consider as you set to the other courses of our technical core.
Diligence of the Configuration Manager mitigates the risk of making that change,
even a 'small change', that destroys enterprise data.
- PCI Compliance is required of any organization that processes their customers'
credit card data.
Banks manage the connection between a merchant's bank account and
one of the few credit card ACH-Automated Clearing Houses that instantly authorize or
decline a customer's card. An organization that has this type of credit card service
is subject to audits for compliance and severe penalties for breaches.
Here's a very practical
Check List put
up by the Better Business Bureau for compliance with PCI-Payment Card Industry standards for security.
The Winter of 2012 has some legislators campaigning to put the force of Law behind IT Security
where organizations are custodians of Credit Card #s and other personal data. A complete survey
of an application environment needs to explain how each of the checklisted items is met.
has good references about the many issues of compliance -- they list lots of
analysts and services for securing networks and servers handling and storing
CC and other private data. The cost of complying with PCI standards
must be considered in any application environment that handles credit card data -- makes PayPal rates look
- HIPAA-Health Insurance Portability and Accountability Act
drove down the costs of submitting insurance claims and other medical documents and
drives up fears our privacy may be vulnerable.
Through the '80s a physician's computer systems might have to produce a dozen or more forms via EDI
since each insurance company had their own set of EDI forms. It could cost thousands of dollars
of time to adapt a medical practice's systems to submit claims to a new insurance plan.
It was a Tower of Babel, expensive and ran on 'real private networks' that charged a fee
for every record. For every minute of
patient contact there was typically another minute or two of an insurance specialist to prepare the claim(s) for
the patient's insurance carrier(s).
replaced this mess of different protocols with ANSI X12 documents for all aspects of health
and medical care. The instructor and a business partner worked on 'medical accounting' for years,
but the last work we did in the field was to convert systems to HIPAA/X12.
HIPAA applied EDI standards for modern times, where X12 health, medical, and insurance documents are
routinely exchanged via The Internet.
HIPAA includes guidelines for Administrative, Physical, and Technical Safeguards on systems that
contain health data. The wiki also lists and describes the key documents exchanged among
healthcare providers and insurance companies. HIPAA adopted ANSI X12 documents which have been
used in B2B EDI since the 1970s. X12 was developed through the '90s to handle all aspects of eCommerce
from cataloging, bidding, and purchasing thru shipping by ocean, air, train, or truck and distribution
within large enterprises.
In the late '90s HIPAA adopted ANSI X12 EDI technology, working with DISA-Data Interchange Standards Association
to forge standards HIPAA adopted in 2003. This has resulted in _huge_ savings in
medical accounting, insurance claims submissions, and warehousing of all kinds of patient and medical data.
It's difficult to get security culture into a whole industry or bureaucracy and HIPAA
has had some spectacular breaches of security. Here's an article describing
Healthcare's Lax Security at the first decade of the new millennium...