Securing complex networks
One has only to watch a movie like Mission Impossible to recognise that there is no such thing as absolute security. New technologies capable of breaching secure systems are emerging all the time, if one has the resources needed to acquire them.
In the commercial world, security is relative. It is relative to perceived security threats. The quality of security that can be delivered not only depends on the technology but also on the time, money and resources an organisation is willing to invest.
A key determinant is the customer expectation and the level of residual risk with which they are willing to live.
Since commercial realities dictate that businesses will spend only what they must on security, this risk must be carefully weighed and understood within the context of the potential threats, the cost of addressing it, and the environment in which the company operates.
An IT manager faced with the challenge of securing corporate systems must understand the potential threats to the assets of the organisation and how security breaches will affect the organisation's reputation and standing and hence its share value. It is necessary to identify the threats and determine the technologies that will provide a level of security adequate to meet the expectations of the organisation and its customers.
There are three key issues that must be considered when developing security solutions:
Adequate security. Provide appropriate technologies to address the business' security requirements as specified by the parameters laid down in its security policy. This policy document is key to determining what resources need to be protected and what security services, such as authentication, authorisation, confidentiality, integrity and non-repudiation, need to be adopted.
Simple security management. In many cases, weaknesses in security occur in security management. Sometimes security management is complex, which in turn means that it is not implemented properly. For instance, a common situation is that the security information of staff leaving an organisation is not managed properly, so that they still have access to the organisation's resources (e.g. using passwords which remain in operation). This is particularly significant in the case of disenfranchised and disgruntled staff. Traditionally, attacks from insiders have been the dominant form of threat. Complex security management schemes also discourage administrators from enforcing security functions.
Detection of violations. Detecting violations and responding to them quickly is a critical need in the fast-moving commercial world. In fact, given that security is a constant race between the designers and the penetrators, the need to detect violations and provide an appropriate response is a high-priority customer requirement. There must be support mechanisms to achieve this.
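An added example, not part of the original article: one way to detect the leaver situation described above is to reconcile the account directory against HR records on a schedule. The record layout, the finding labels and all sample data are constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR records and the account directory.
HR_LEAVERS = {"jsmith": date(2024, 3, 1), "mlee": date(2024, 6, 30)}
HR_ACTIVE = {"akhan", "bwong"}
ACCOUNTS = [
    {"user": "JSmith", "enabled": True, "last_login": date(2024, 4, 12)},
    {"user": "mlee", "enabled": True, "last_login": date(2024, 5, 2)},
    {"user": "akhan", "enabled": True, "last_login": date(2024, 5, 30)},
    {"user": "bwong", "enabled": False, "last_login": date(2023, 11, 9)},
    {"user": "svc-old", "enabled": True, "last_login": None},
]

def audit_accounts(accounts, leavers, active, today):
    """Return sorted (user, finding) pairs for accounts that need attention."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # disabled accounts grant no access
        user = acct["user"].lower()       # directories often differ in case
        left = leavers.get(user)
        if left is not None and left < today:
            # Still enabled after departure; a login after the leave date
            # means the access was actually used and needs investigation.
            last = acct["last_login"]
            used = last is not None and last > left
            findings.append(
                (user, "USED_AFTER_DEPARTURE" if used else "ENABLED_AFTER_DEPARTURE"))
        elif left is None and user not in active:
            # No HR record at all: nobody is accountable for this account.
            findings.append((user, "NO_HR_OWNER"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, HR_LEAVERS, HR_ACTIVE,
                                        date(2024, 7, 15)):
        print(user, finding)
```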
Depending on the needs and expectations of the organisation and the complexity of its network, there are several core security technologies to be considered when planning a solution.
Authentication. This is the process whereby the identity of the person requesting a service is verified. For instance, if some staff access the network remotely using their notebooks, it is important to ensure that the person accessing the server is who s/he claims to be. An authentication protocol can use a password, key or challenge-response mechanism to confirm the identity of the user for that online session. These passwords and keys are secured when they are transferred over the network. In the case of challenge-response, the question being posed will change each time, making it difficult for hackers to meet the requirements. Some companies use SecurID-type calculators/tokens to create a unique number for each session that can be verified by the server during login.
For staff within the organisation, the policy might be simpler depending on the trust assumptions. Simpler processes involving secure passwords and personal secrets such as PINs can be used to authenticate users. Conversely, in the case of mobile users moving from cell to cell while online, a re-authentication procedure can be necessary, verifying their identity to ensure no change of user has occurred.
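An added example, not part of the original article: a minimal challenge-response exchange in which the server's challenge changes for every login and a captured response cannot be reused. The HMAC-SHA256 construction, the class and function names and the 30-second challenge lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

class ChallengeServer:
    """Issues one-time challenges and checks HMAC responses (illustrative)."""

    def __init__(self, user_keys, ttl_seconds=30):
        self.user_keys = user_keys   # username -> shared secret (bytes)
        self.ttl = ttl_seconds       # assumed challenge lifetime
        self.pending = {}            # username -> (nonce, issued_at)

    def issue_challenge(self, user, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)  # fresh and unpredictable each time
        self.pending[user] = (nonce, now)
        return nonce

    def verify(self, user, response, now=None):
        now = time.time() if now is None else now
        # pop() makes every challenge single-use: a captured response
        # cannot be replayed, even within the lifetime window.
        nonce, issued = self.pending.pop(user, (None, 0.0))
        key = self.user_keys.get(user)
        if nonce is None or key is None or now - issued > self.ttl:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time

def client_response(key, nonce):
    """The client proves it holds the key without sending the key itself."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    key = secrets.token_bytes(32)  # constructed sample secret
    server = ChallengeServer({"alice": key})
    r1 = client_response(key, server.issue_challenge("alice", now=0))
    fresh = server.verify("alice", r1, now=5)     # correct, in time
    replay = server.verify("alice", r1, now=6)    # challenge already used
    server.issue_challenge("alice", now=10)
    stale = server.verify("alice", r1, now=11)    # answer to an old challenge
    c3 = server.issue_challenge("alice", now=20)
    late = server.verify("alice", client_response(key, c3), now=100)  # expired
    return fresh, replay, stale, late

if __name__ == "__main__":
    print(demo())
```

The same single-use rule applies to re-authentication during a session: each re-check needs a newly issued challenge.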
Authorisation. Also known as access control, this technology is used to manage the level of access individual users are allowed on the network. For example, if a user is talking to a bank server and wants to transfer $5000, the authorisation server will determine whether that user is allowed to perform that function, whether sufficient funds are available within their account, and whether the request contravenes any existing policies or limits.
Authentication is often a prerequisite for authorisation. While in the past, individual servers had their own access control lists, this service is increasingly being centralised, with authorisation servers providing services for an entire department or domain, supporting multiple applications. Not only is this more efficient, but it has eliminated many inconsistencies that occurred when control was fragmented across multiple servers and locations. It helps to simplify access control management.
Confidentiality and integrity. These services ensure the confidentiality and integrity of data moving over the network. Confidentiality is often achieved using encryption devices that encrypt information at the sender side and decrypt information at the receiver. The most important component of this service is the management of keys that are used to encrypt and decrypt the data.
There are currently two types of key services available. The Symmetric Key System (SKS) uses a single key at both ends of the communication, but requires both the sender and receiver to have access to the same key for the message to be decrypted properly at the receiver. This can lead to management issues in a large networked system, where a large number of users wish to communicate with each other over the network, as this will require the establishment and management of a different key for each pair of users.
The other type of system is a public key system where each user has two keys, a public key and a private key. The public key, as the name implies, is "public" and can be stored in some form of a directory. The private key is known only to a single user and can be used to create the user's digital signature. When user A wishes to send secure information to user B, he looks up the public key of user B in the directory and encrypts the information using B's public key. Only B can decrypt the information as B is the only one who has the corresponding private key. The Public Key Infrastructure (PKI) provides a framework for storing and managing the public keys. In fact, the public keys are stored in the form of a Certificate, which is signed by a trusted authority which provides a guarantee that a "public key belongs to a certain user". Different countries are at present defining such trusted authorities who can act as the guardians of public key certificates. The public key system is particularly useful for facilitating communications between people or organisations who don't know each other personally, and is proving increasingly popular for electronic commerce.
Non-repudiation. This service comes into play in the event of a dispute over the contents of a message or the actions arising as a result of a message. While these types of discussions are currently handled offline, either by telephone, written communications or even face-to-face, it is important for the future of e-commerce to have a reliable mechanism for dealing with them on the network.
If a dispute arises, both parties need to be able to refer to a trusted arbiter that can confirm what has happened, confirming both the contents of the communication and the identity of the sender and recipient. The use of a Trusted Third Party (TTP) server ensures that accurate records are maintained of all transactions to aid in the resolution of any disagreements.
A recent Computer Crime and Security Survey from the Computer Security Institute in the US has predicted continuing enormous growth in the market for security products. For instance, the survey forecasts that PKI related technology sales would reach $US1.3 billion in 2003, while the market for security devices, platforms and secure networks would grow to some $5 billion the same year.
The prevalence of the Internet has dramatically increased the incidence of network attacks, with a new survey published in Information Security magazine finding eight out of 10 US corporations have been attacked this year. This is despite the increase in spending on security products.
According to this survey, nearly twice as many companies experienced insider attacks, such as theft, sabotage or intentional destruction of computer property, compared to last year, while 41 per cent more companies had to deal with employees who intentionally disclosed or destroyed proprietary corporate information.
The study also showed that a layered defence, using a range of the above-mentioned technologies, provided more effective protection against security breaches. Companies that deployed multiple security measures detected a far greater number of attacks than those using fewer controls, enabling them to fight cybercrime more effectively.