Disseminating Organizational IT Security & Trouble Shooting

When we talk about the increase security with proper authentication policies; infrastructure security is more than just firewalls and security patches. Most IT environments have some type of remote access. VPN, e-mail, and many other services expose your user accounts to the world. This article will focus on how to deal with user accounts of your current and former employees.
Proper password aging policies will naturally take care of old or unused accounts. The idea behind password aging is that after a certain amount of time, a password expires. A password is less prone to compromise if it is changed frequently. Likewise, if an account is compromised, its usefulness will be limited to the amount of time left before the expiry timer concludes. Aging account passwords can reduce exposure if brute-force, social engineering, or sniffing attempts are successful. The strength of the password itself is also extremely important. It is imperative that the systems requiring users to change their passwords also enforce some level of strictness with regards to what passwords are accepted. An un-guessable password makes brute-force attacks the premiere method by which accounts are compromised mostly ineffective. An exhaustive brute-force attack will eventually discover all passwords, given enough time, but the idea is to use a password of sufficient length, so that it can’t be guessed in a reasonable amount of attempts. The successful guessing attempts normally find extremely inconsequential passwords, such as ones that are the same as the username. In next week’s article we’ll explore the password strength issue in more detail, when we dispel many myths about password security. For now, just know that password strength is quite important.
Account aging, that is the disabling of unused accounts, is just as important as having a decent password policy. Unused accounts are probably the second most commonly compromised. If you don’t have a password aging policy, at least be certain to disable old or unused accounts. Ideally, though, password aging should be your priority. There’s a few different ways to implement password aging. The aging of a password will naturally disable unused accounts. A since a user must login to be given notice that their password has expired, and if they fail to do so within a certain amount of time, the account itself can be disabled. The question is then, “how do we implement this enterprise-wide?” In practical terms, Windows Active Directory and various Unix-based LDAP servers support the setting of password policies. Unfortunately, simply enabling password expiry will be problematic. Services that use LDAP may not implement the necessary “goo” to talk about expired accounts. They simply get an authentication failure, and the user won’t know why. This also happens with Active Directory, for example a VPN user will not be able to authenticate with an expired password until they first login to an actual Windows machine and set a new password.
There are two viable solutions. Well, one that “works,” and one that is truly practicable. It would work to require that all systems that authenticate users implement password aging. Each system would have to keep track of these policies, possibly previously used passwords, and of course they would have to implement the mechanism by which a user can be notified and subsequently change their password. Not likely. The only viable solution, then, is to use a central authentication system. CAS, a central authentication system for Web-based applications, is the ideal solution. CAS is extremely popular, and it provides an extremely effective and secure method by which users can be centrally authenticated, complete with a method to support changing passwords on expired accounts. Kerberos-based services like AD in Windows or a Kerberos-enabled LDAP server in Unix provide authentication for workstations and other site-local applications, but with the drawbacks previously mentioned.

Fascinatingly enough, it should be noted that improving security through account aging requires central authentication, which provides the added benefit of single sign-on. Now, don’t forget that single sign-on can mean two things: having the same password everywhere, or using a ticket (or cookie, when talking about Web applications) to only need to sign on to one service, but gain access to many. Synchronizing passwords between services isn’t usually done for security reasons; instead it’s for user convenience. In the rare instances where a password change on one system, not a central system, propagates to all others, it is possible to implement a password aging policy. Commonly, these types of setups are geographically grown because a diverse set of applications don’t support a coherent set of protocols, and password aging is impossible.
As contrary as it may sound, central authentication is the only way to ensure proper security. Administrators can instantly disable access to all services at the same time with central authentication, and they can also ensure that password policies are enforced. The fact that a user is supplying the same password for all services isn’t as much of a concern as one might think. Indeed, there will always be multiple levels of security requirements. The most critical and secure financial systems, for example, can still be kept separate to alleviate concerns about a password compromise, but only if it also implements appropriate password strictness and aging policies. One should be sure to pay close attention to how your chosen systems will handle passwords set before your change in policy. Some systems may continue to allow old users with weak password to continue using them after you’ve turned on password involvedness necessities. Likewise, be sure to verify that new aging policies apply to all existing user accounts, not just new ones. Properly managed accounts, that is, accounts that are automatically disabled after too much idle time, will shut down the main vehicle of attack used today. Of course, disabling ex-employee accounts is just as important. Leaving an account open so that people can have access to an ex-employee’s e-mail is hazardous, and should be carefully considered. It’s generally best to make a copy of all existing e-mail, and then configure an e-mail forward to their supervisor. Merge constant user education about social engineering tactics, sysadmin education about security best practices, and observation in account policies; now your venture can be much more secure and easier to manage.
Security is concerned with the ability of a system to prevent unauthorized access to information or services. Traditionally, security issues have been associated with large databases. Over the past few years, security issues have also become important in embedded real-time systems, e.g. a cryptographic theft-avoidance system that locks the ignition of a car if the user cannot present the specific access code. Especially, the expansion of internet has also led to Web-Based control (Rodney98) of devices and embedded systems. This poses severe security concern for these devices. Figure 1 shows the growth of the Internet and the corresponding growth of reported security incidents (CERT97).

Three basic security concepts important to computer systems are confidentiality, integrity, and availability: Confidentiality: When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. For some types of information, confidentiality is a very important attribute. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors' offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes. Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized changes are made to information, whether by human error or intentional tampering. Authentication and access control techniques are used to achieve Confidentiality and are mentioned in the section security practices. Integrity: Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting. Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need. Availability: Availability is often the most important attribute in service-oriented businesses that depend on information (e.g., airline schedules and online inventory systems). Availability of the network itself is important to anyone whose business or education relies on a network connection. When a user cannot get access to the network or specific services provided on the network, they experience a denial of service.
In the face of the vulnerabilities and incident trends discussed above, a robust defense requires a flexible strategy that allows variation to the changing environment, well-defined policies and procedures, the use of robust tools, and constant vigilance. It is helpful to begin a security improvement program by determining the current state of security at the site. Methods for making this determination in a consistent way are becoming available. Integral to a security program are documented policies and procedures, and technology that support their accomplishment. This section gives some techniques and procedures to build security into systems.
One may ask, what is the purpose of cryptography? The purpose of cryptography is to secure the confidentiality, integrity, and authenticity of data resources. One of the primary reasons that intruders can be successful is that most of the information they acquire from a system is in a form that they can read and comprehend. When you consider the millions of electronic messages that traverse the Internet each day, it is easy to see how a well-placed network sniffer might capture a wealth of information that users would not like to have disclosed to unintended readers. Intruders may reveal the information to others, modify it to misrepresent an individual or organization, or use it to launch an attack. One solution to this problem is, through the use of cryptography, to prevent intruders from being able to use the information that they capture.
Encryption is the process of translating information from its original form (called plaintext) into an encoded, incomprehensible form (called cipher text). Decryption refers to the process of taking cipher text and translating it back into plaintext. Any type of data may be encrypted, including digitized images and sounds. Cryptography secures information by protecting its confidentiality. Cryptography can also be used to protect information about the integrity and authenticity of data. For example, checksums are often used to verify the integrity of a block of information. A checksum, which is a number calculated from the contents of a file, can be used to determine if the contents are correct. An intruder, however, may be able to forget the checksum after modifying the block of information. Unless the checksum is protected, such modification might not be detected. Cryptographic checksums (also called message digests) help prevent undetected modification of information by encrypting the checksum in a way that makes the checksum unique.
The genuineness of data can be protected in a similar way. For example, to transmit information to a coworker by E-mail, the sender first encrypts the information to protect its confidentiality and then attaches an encrypted digital signature to the message. When the coworker receives the message, he or she checks the origin of the message by using a key to verify the sender's digital signature and decrypts the information using the corresponding decryption key. To protect against the chance of intruders modifying or forging the information in transit, digital signatures are formed by encrypting a amalgamation of a checksum of the information and the author's unique private key. A side effect of such authentication is the concept of no repudiation. A person who places their cryptographic digital signature on an electronic document cannot later claim that they did not sign it, since in theory they are the only one who could have created the correct signature.
The Data Encryption Standard (DES) has been in use worldwide as a standard for more than a decade. DES uses an algorithm to encrypt and decrypt blocks Of data consisting of 64 bits using a 64-bit key. The same key used for both The encryption and decryption processes. One benefit of this algorithm is that The same process can be used for both encryption and decryption (with the exception of the key, which must be used in reverse order for decryption). The algorithm also has the advantage that it only uses logical operations Resulting in a fast process whether implemented in hardware or software. An ongoing debate has been exactly how secure is DES? There has been much Suspicion that when NSA got involved, a "trap door" was inserted so they Could decrypt any DES encrypted messages. An unclassified report cleared the suspicion of any improper manipulation of the algorithm. Debate also surrounds the issue of the DES key length. Also one known weakness in DES surrounds the selection of the initial key. Now let’s talk a little about Security Policy, Procedures, and Practices. A security policy is concerned with the following Issues: High-level description of the technical environment of the site, the legal environment (governing laws), the authority of the policy, and the basic philosophy to be used when interpreting the policy Risk analysis that identifies the site's assets, the threats that exist against those assets, and the costs of asset loss Guidelines for system administrators on how to manage systems Definition of acceptable use for users Guidelines for reacting to a site compromise (e.g., how to deal with the media and law enforcement, and whether to trace the intruder or shutdown and rebuild the system)
Security-Related Procedures: Procedures are specific steps to follow that are based on the computer security policy. Procedures address such topics as retrieving programs from the network, connecting to the site's system from home or while traveling, using encryption, authentication for issuing accounts, configuration, and monitoring.
Security Practices: Checklists and general advice on good security practices are readily available. Below are examples of commonly recommended practices: Ensure all accounts have a password and that the passwords are difficult to guess. A one-time password system is preferable. Use tools such as MD5 checksums (8), a strong cryptographic technique, to ensure the integrity of system software on a regular basis. Use secure programming techniques when writing software. These can be found at security-related sites on the World Wide Web. Be observant in network use and configuration, making changes as vulnerabilities become known. Regularly check with vendors for the latest available fixes and keep systems current with upgrades and patches. Regularly check on-line security archives, such as those maintained by incident response teams, for security alerts and technical advice. Audit systems and networks, and regularly check logs. Many sites that suffer computer security incidents report that unsatisfactory audit data is collected, so detecting and tracing an intrusion is difficult.
Intrusion Detection Research is underway to improve the ability of networked systems and their managers to determine that they are, or have been, under attack. Intrusion detection is recognized as a problematic area of research that is still in its infancy. There are two major areas of research in intrusion detection: anomaly detection and pattern recognition. Research in anomaly detection is based on determining patterns of "normal" behavior for networks, hosts, and users and then detecting behavior that is appreciably different (anomalous). Patterns of normal behavior are frequently determined through data collection over a period of time sufficient to obtain a good sample of the typical behavior of authorized users and processes. The basic difficulty facing researchers is that normal behavior is highly variable based on a wide variety of harmless factors. Many of the activities of intruders are impossible to differentiate from the benign actions of an authorized user.
The second major area of intrusion detection research is pattern recognition. The goal here is to detect patterns of network, host, and user activity that match known intruder attack scenarios. One problem with this approach is the variability that is possible within a single overall attack strategy. A second problem is that new attacks, with new attack patterns, cannot be detected by this approach. Finally, to support the needs of the future Internet, intrusion detection tools and techniques that can identify coordinated distributed attacks are critically needed.
Continuous monitoring of network activity is required if a site is to maintain confidence in the security of its network and data resources. Network monitors may be installed at strategic locations to collect and examine information continuously that may indicate suspicious activity. It is possible to have automatic notifications alert system administrators when the monitor detects anomalous readings, such as a burst of activity that may indicate a denial-of-service attempt. Such notifications may use a variety of channels, including electronic mail and mobile paging. Sophisticated systems capable of reacting to questionable network activity may be implemented to disconnect and block suspect connections, limit or disable affected services, isolate affected systems, and collect evidence for subsequent analysis.
Tools to scan, monitor, and eradicate viruses can identify and destroy malicious programs that may have inadvertently been transmitted onto host systems. The damage potential of viruses ranges from mere annoyance (e.g., an unexpected "Happy Holidays" jingle without further effect) to the obliteration of critical data resources. To ensure continued protection, the virus identification data on which such tools depend must be kept up to date. Most virus tool vendors provide subscription services or other distribution facilities to help customers keep up to date with the latest viral strains.
Because of the increasing sophistication of intruder methods and the vulnerabilities present in commonly used applications, it is essential to assess periodically network susceptibility to compromise. A variety of vulnerability identification tools are available, which have garnered both praise and criticism. System administrators find these tools useful in identifying weaknesses in their systems. Critics argue that such tools, especially those freely available to the Internet community, pose a threat if acquired and misused by intruders.
With the rapid expansion of the Internet and the proliferation of distributed computing, new interest is now focused on the security aspects of both personal and enterprise computing systems, and with good reason. Millions of computer users are downloading files and applications of unknown origin every day-directly onto their PCs and workstations. This poses serious concern for security of the computer systems. The security concerns expand to embedded systems as we have more and more embedded devices on the Internet. I believe all the above mentioned techniques can be applied for embedded system security.

References
Fritzinger, Steven, Marianne Mueller, Java Security, Whitepaper, Sun Microsystems, Inc., 1996.
OmniTraining Real Information for Real IT http://omnitraining.net/security/198-increase-security-with-proper-authentication-policies Snell, Rodney. Web-Based Device Monitoring and Control, Embedded Systems Conference, Spring98
Thomas A. Longstaff, James T. Ellis Shawn V. Hernan, Howard F. Lipson, Robert D. Mcmillan, Linda Hutz Pesante and Derek Simmelj. Security of the Internet, Published in The Froehlich/Kent Encyclopedia of Telecommunications vol. 15, Marcel Dekker, New York, 1997, pp. 231-255.