How to Improve Information Security using Simple Methods
Information security is a great concern for all organizations and the security risks involved with information technology are rising. “The total number of security incidents reported to the CERT (Computer Emergency Response Team) rose from 2,412 in 1995 to 82,094 in 2002” (Purser, 2004, pg. 1). Viruses, worms, SPAM, denial-of-service attacks, and other security incidents plague many organizations today. There are five easy measures that should be taken to help mitigate information security risks. Two of these measures are non-technical and three are technology-based. The non-technical steps to improve information security are the successful implementation of a sound information security policy and an effective employee education and training program. Technical measures to improve information security include an anomaly-based intrusion prevention system, the use of thin clients, and a properly configured application-layer firewall. When combined, these measures provide defense-in-depth. A defense-in-depth information security strategy incorporates many layers of information security protection. If an attacker makes it through one layer of defense, hopefully another layer will stop the attack. Each of these easy security measures is described in this article in terms of policy, procedure, and implementation.
Information Security Policy
An information security policy (ISP) lays the foundation for an organization’s stance on information security. The ISP is designed to formally document an organization’s information processing roles, responsibilities, and procedures. The ISP must have top-level management support and must be articulated to all employees. ISO (International Standards Organization) standard 17799 defines a formal process of creating an ISP and is a recognized international standard (ITRG, 2003).
Some of the main items an ISP should include are procedures to add users to the network, procedures to handle compromised computers, procedures for backing up data, procedures for employee termination, and computer use and abuse policies. The procedures to add users to the network include items such as validation of user employment, determining which data the user needs access to and what type of access the user needs, initial user training, and user remote access requirements. Procedures to handle compromised computers include a delineation of who is responsible for various steps in the process, what steps to take with the compromised computer, and how forensics should be performed. Data backup procedures should be outlined in an ISP to include how often the data is backed up, where the backed up data is stored, how the data is stored and transported off-site, and how often recovery procedures should be practiced. The ISP must include procedures for employee termination, such as access removal, identification card turn-in, notification of termination, procedures for employee escort off corporate facilities, and employee record updates. Computer use and abuse policies should cover employee computer and internet use and abuse such as authorized and unauthorized computer activities and authorized and unauthorized websites.
Employees and management must understand the ISP and agree to follow its guidance. ISP compliance must be enforced and the ISP must remain a dynamic document. The ISP should be comprehensive and tailored for each organization. Technological changes and procedural changes require the ISP to be continually revised and new procedures developed. A properly written and implemented ISP greatly increases information security for an organization and removes the typical guesswork associated with procedures.
Employee Education and Training
Employee education and training are vital for information security. “Properly trained and diligent people can become the strongest link in an organization’s security infrastructure” (Tipton, 2004, pg. 663). Many computer outages and compromises are caused unintentionally by employees. Employees educated on information security issues are less likely to fall for social engineering ploys or phishing scams, or to violate security policies (Tipton, 2004). Social engineering is “simply the use of non-technical means to gain authorized access – for example, making phone calls or walking into a facility and pretending to be an employee. Social engineering attacks may be the most devastating” (Maiwald, 2002, pg. 16).
Employee education helps mitigate information security threats such as social engineering and phishing scams by teaching employees to recognize these commonly used tactics. Social engineering scams can be as simple as an attacker posing as a helpdesk administrator and calling an employee to ask for the employee’s password. Adequate training teaches the employee standard organizational procedures, such as the rule that there is no circumstance in which the helpdesk would call and ask for a password. Phishing emails are commonly used by attackers to gain access to a system:
The tone and content of phishing emails are always the same. First, they warn that users must update their account by typing in some valuable information, often a credit card number. To lend a sense of urgency, the email also threatens that the account could be suspended if action isn’t taken. Finally, the email provides a convenient link that leads to a seemingly legitimate web page where the victim can type his credit card number. Victims enter their credit card numbers and unknowingly give that information to a con artist. (Wang, 2006, pg. 181)
Employee education should teach employees not to open emails from persons they do not know and to ask the helpdesk about any emails that seem suspicious.
Employee training not only educates employees on information security benefits, but the training also helps improve employee efficiency. Employee efficiency is improved due to the employee’s better understanding of the computer network and processes. Educated and trained employees are one of the best lines of defense against information security threats.
Anomaly-based Intrusion Prevention Systems (IPS)
An anomaly-based Intrusion Prevention System (IPS) is one of the most effective technologies for information security (Rash, 2005). Older IPS systems were signature-based. A signature-based IPS was only as good as its signatures. A signature-based IPS relied on attack signatures in order to block traffic or alert. The problem with signature-based intrusion detection systems is effectiveness. A signature-based IPS cannot block traffic that does not match a signature. This means all new or innovative attacks make it through a signature-based IPS. An IPS that is anomaly-based is utilized to block network traffic based on its level of irregularity. These IPS devices are typically implemented at the organization’s network boundary between the organization’s network and the Internet provider service delivery point.
Anomaly-based IPS devices are difficult to configure initially because they require an organization’s legitimate network traffic to be defined. Defining legitimate network traffic is often a daunting task due to poor network documentation. One of the first steps of ensuring information security is to “know thyself” (Rash, 2005). It is difficult to defend what you are unaware of, or to distinguish attacks from legitimate traffic, without first knowing what traffic is legitimate for an organization. Once the legitimate traffic for an organization is defined, the IPS can be configured to alert on or block traffic that does not fall within that definition. For example, suppose a company has only one email server that communicates with the Internet on TCP Port 25. Only TCP Port 25 traffic from the email server to the Internet is legitimate. If an attacker compromises the company DNS server and attempts to use it as a SPAM relay, the IPS would block this traffic. A SPAM relay communicates on TCP Port 25. The IPS blocks the traffic because the only device authorized to communicate on TCP Port 25 is the email server.
Traffic identification and definition on an IPS also includes defining legitimate traffic volume. For example, if the DNS queries leaving a DNS server within an organization average 500 kilobytes of data per day and the average suddenly surges to seven megabytes of data per day, an anomaly has occurred. The IPS should block DNS queries to the servers that are taking up the largest amount of bandwidth. A DNS exfiltration attack typically involves tunneling data off a corporate network via a legitimate DNS query to a bogus internet DNS server. An anomaly-based IPS is one of the only devices capable of detecting and preventing this sort of attack.
An anomaly-based IPS forces an organization to define legitimate traffic and develop a greater understanding of its network. This increased insight into network traffic, combined with the active blocking and alerting functions of the IPS, greatly increases information security.
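The two checks described in this section (an allowlist of which host may use which port, and a learned volume baseline) can be sketched as follows. This is an added example, not code from the article or from any IPS product; the addresses, the flow-record layout and the 5x threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed policy (addresses are constructed): who may talk to the Internet on which port.
ALLOWED = {
    ("tcp", 25): {"10.0.0.25"},  # only the email server may send SMTP
    ("udp", 53): {"10.0.0.53"},  # only the DNS server may send queries
}
# Assumed learned baseline, bytes per day, matching the article's 500 KB figure.
BASELINE = {("10.0.0.53", "udp", 53): 500_000}
VOLUME_FACTOR = 5  # assumed tuning value: act when a day exceeds 5x baseline

# Constructed one-day flow summary: (src, dst, proto, dport, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.25", "198.51.100.7", "tcp", 25, 120_000),   # normal mail
    ("10.0.0.53", "198.51.100.53", "udp", 53, 450_000),  # normal DNS
    ("10.0.0.53", "203.0.113.9", "udp", 53, 6_550_000),  # DNS surge to one server
    ("10.0.0.53", "198.51.100.7", "tcp", 25, 80_000),    # DNS server sending SMTP
]


def evaluate(flows, allowed=ALLOWED, baseline=BASELINE, factor=VOLUME_FACTOR):
    """Return (reason, src, proto, dport, dst) tuples for traffic to block."""
    blocks = []
    per_dst = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, dport, nbytes in flows:
        # Check 1: the source must be on the allowlist for this protocol and port.
        if src not in allowed.get((proto, dport), set()):
            blocks.append(("unauthorised-source", src, proto, dport, dst))
            continue
        per_dst[(src, proto, dport)][dst] += nbytes
    for key, dsts in per_dst.items():
        # Check 2: compare the day's total against the learned baseline.
        base = baseline.get(key)
        if base is None or sum(dsts.values()) <= factor * base:
            continue
        # Block the destination consuming the most bandwidth, as the text suggests.
        top = max(dsts, key=dsts.get)
        blocks.append(("volume-anomaly", *key, top))
    return blocks


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_FLOWS):
        print(finding)
```
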
Thin Clients
Many information security compromises today are caused by infected client machines. Client computers are typically compromised when a user installs unauthorized software, either by downloading it from the Internet or by bringing it from home. A thin client does not contain a hard drive and has no storage capacity. It is a diskless computer with a network interface card, memory, a keyboard, mouse, and monitor. The thin client is used to run a session from a server. These sessions emulate a standard desktop computer environment for the user.
The thin client architecture improves management and security by enabling systems administrators to control an entire network from the server. This eliminates the need for end users to install software or make changes to existing software, creating an endless array of software bugs, glitches, freezes, and crashes. (Muller, 1999, pg. 595)
Thin clients can be configured without floppy drives or even USB drives. This removes the opportunity for a user to bring unauthorized software or data into an organization. Thin clients also provide more extensive logging capability since all the session data is stored on a central server. Another benefit of a thin client is portability. With thin clients a user can use any client available and have the same desktop and tools available from any client.
Thin clients make it easy to standardize the user environment and centrally manage every user session, and they allow floppy drives and USB drives to be eliminated. These capabilities make thin clients a smart choice for improving information security.
Application-layer Firewalls
Application-layer firewalls enhance information security by providing intelligent monitoring and filtering of traffic in and out of an organization. Application-layer firewalls are intelligent enough to understand applications, such as HTTP, SMTP, and DNS. This intelligence allows application-layer firewalls to inspect packets entering and leaving an organization for content as well as header information.
Many firewalls or infrastructure devices only inspect packets based on the source and destination IP address and the destination port number. This is analogous to the postal service inspecting envelopes and packages for valid addressing and mailbox destination only – the contents remain un-inspected. This lack of content inspection allows malicious items, such as a bomb or Anthrax virus, to be routed through legitimate transport mechanisms. The postal system has been abused to route malicious content in the past, but now the postal service performs content inspection, like an application-layer firewall.
Many attackers today use tunnels to extract information or to communicate with remotely controlled bots. A bot is used by the attacker to carry out duties and the attacker typically communicates with the bot via a tunnel (Nazario, 2003). These tunnels typically use a legitimate IP address and destination port number. For example, an attacker may have knowledge that company employees are allowed to surf the Internet to almost any website via the HTTPS protocol. The attacker may compromise a host on the company network using social engineering or phishing techniques. This compromise may include the installation of a bot. In this case the attacker chooses to use HTTPS as the tunneling protocol. The content within the HTTPS packet, however, is not legitimate HTTPS traffic. The content consists of attacker commands to the bot and the bot’s response. An application-layer firewall can deny this traffic because the application-layer firewall is smart enough to understand what type of content is valid within HTTPS communications.
Application-layer firewalls stop attackers from using tunnels and can prevent users from accessing malicious websites. Application-layer firewalls are an effective component of a defense-in-depth strategy for obtaining a secure information environment.
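One narrow form of the protocol validation described above is to confirm that the first client bytes on a port-443 flow are a well-formed TLS handshake record carrying a ClientHello. This is an added example, not code from the article or any firewall product; the function name, reason strings and sample bytes are constructed for illustration. It inspects only the unencrypted handshake framing; examining content inside an established TLS session requires the firewall to terminate or intercept TLS.

```python
import struct

HANDSHAKE = 22           # TLS record content type for handshake messages
CLIENT_HELLO = 1         # handshake message type a client must send first
MAX_PLAINTEXT = 2 ** 14  # largest plaintext record the TLS RFCs allow


def check_first_record(data: bytes) -> str:
    """Classify the first client bytes on a port-443 flow.

    Returns "tls-client-hello" when the framing is valid, otherwise a short
    reason the firewall could log before denying the flow.
    Assumes the ClientHello is not fragmented across records.
    """
    if len(data) < 9:
        return "too-short"
    # Record header: content type, version major/minor, 16-bit length.
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE:
        return "not-a-handshake-record"
    if major != 3 or minor not in (1, 2, 3):
        return "bad-record-version"
    if not 4 <= rec_len <= MAX_PLAINTEXT:
        return "bad-record-length"
    # Handshake header: message type, 24-bit length.
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != CLIENT_HELLO:
        return "not-a-client-hello"
    if hs_len + 4 > rec_len:
        return "length-mismatch"
    return "tls-client-hello"


# Constructed samples (not captured traffic).
SAMPLE_TLS = bytes.fromhex("160301002f" "0100002b" "0303") + bytes(32) + bytes.fromhex(
    "00" "0002" "1301" "0100" "0000")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # plaintext HTTP on 443
SAMPLE_OTHER = bytes.fromhex("1603010005" "0200000100")  # handshake record, wrong message

if __name__ == "__main__":
    for name, blob in [("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP), ("other", SAMPLE_OTHER)]:
        print(name, check_first_record(blob))
```
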
Conclusion
A defense-in-depth strategy is vital for information security. Five easy information security measures should be implemented to maximize a defense-in-depth information security architecture. A well-developed, implemented, and enforced information security policy lays the foundation for a secure network. Employee education and training on the information security policy, computer and internet use, and information security procedures adds another line of defense in information security protection. An anomaly-based intrusion prevention system not only stops attacks and data exfiltration, but also improves network documentation, knowledge, and understanding. Thin clients facilitate network administration, provide centralized management, and improve overall information security. Application-layer firewalls provide content-level inspection and can prevent unauthorized traffic from entering or leaving an organization’s security perimeter. Successful implementation of these five security measures will send network intruders elsewhere.
References
ITRG. (2003). ISO 17799: a standard for information security management. London: ITRG.
Maiwald, E. (2002). Network security: a beginner’s guide. Blacklick, OH: McGraw-Hill Professional.
Muller, N. (1999). Desktop encyclopedia networking. Blacklick, OH: McGraw-Hill Companies.
Nazario, J. (2003). Defense and detection strategies against internet worms. Norwood, MA: Artech House, Incorporated.
Purser, S. (2004). A practical guide to managing information security. Norwood, MA: Artech House, Incorporated.
Rash, M. (2005). Intrusion prevention and active response: deploying network and host IPS. Rockland, MA: Syngress Publishing.
Tipton, H. (Ed.) (2003). Information Security Management Handbook. Boca Raton, FL: Auerbach Publishers, Inc.
Wang, W. (2006). Steal this computer book 4.0: what they won’t tell you about the internet. San Francisco, CA: No Starch Press, Incorporated.