Computer security technologies

Transcription

1 4 Computer security technologies 4.1 Introduction Determining the risk that a vulnerability poses to a computer system and also its vulnerability risk status forms part of the information security field of study and research. When searching for an aid for resolving the issue of VRS, the information security technologies currently on the information security market should be examined and assessed. There are two security technologies currently dominating the information security market. Vulnerability assessment (VA) and intrusion detection systems (IDS) are seen as essential elements in creating a secure environment for computer use in an organization. The object of this chapter is to discuss these security technologies. Through the discussions, it should become apparent which security technology, if either, will be of help in determining a computer s VRS. 4.2 Vulnerability assessment and intrusion detection security technologies The revolution of VA and IDS came about as a result of the inadequacy of computer security tools such as basic firewalls. A computer security tool can be seen as a practical instrument or apparatus that enhances computer security [MERR 02]. In other words, the security tool helps protect information assets. In the case of a firewall, a computer system is loaded with certain configured software that regulates network traffic in and between different computer systems and networks of computer systems [RANU 94]. It is therefore a tool that enhances computer security.

2 Computer vulnerability risk analysis Firewalls, while being far from obsolete in their implementation, are not enough to secure modern networks from all intrusions. They are susceptible to attack themselves and modern security threats do not always come from the outside world, but may also come from within the organization itself [RANU 94]. Fig. 4.1 is a graphical representation of the security tools and technologies in the information security market. IDS and VA are placed in the assessment section [GART 97]. Management & administration Firewalls Anti-virus Enhanced user authentication Access control and user authentication Cryptography Assessment (IDS/VA) Logging, reporting, alerting Secure, consolidating user authentication Certification Physical security Consulting Fig. 4.1 Information security market The discussion of VA and IDS in the following sections will be structured according to the areas of importance listed below. A definition of each technology will be given. A discussion of the nature of each technology will be supplied. A discussion of each technology, in connection with anti-intrusion techniques they employ, will be supplied. A conclusion as to the applicability of the technology to the VRS problem will be discussed. 40

3 Computer security technologies The comparison of the security technologies should reveal their potential application to the VRS problem. In the list mentioned above, anti-intrusion techniques are mentioned. This concept should be addressed before continuing. Since the reason for implementing security measures on a computer system is to deter unauthorized access or intrusions, through time, anti-intrusion techniques have been formulated to discourage intrusions. Anti-intrusion techniques are accepted good practices for securing the computing environment within an organization. Some accepted anti-intrusion techniques are pre-emption, prevention, deterrence, deflection, detection and countermeasures [HALM 00]. In the discussion of IDS and VA, the antiintrusion techniques they employ will be discussed further Intrusion detection systems (IDS) Some definitions of IDS include the following: An IDS is the real-time monitoring of network/system activity and the analyzing of data for attacks in progress. [OGUT 00] An IDS is a security technology attempting to identify and isolate computer system intrusions. [BIER 01] Intrusion-detection systems aim at detecting attacks against computer systems to monitor the usage of such systems and to detect the apparition of insecure states. [DEBA 99] According to the definitions of IDS listed above, it would appear that IDS monitor system and network activity to detect and identify any misuses of a computer system and system resources that may constitute an attack or intrusion. 41

4 Computer vulnerability risk analysis Nature of intrusion detection systems There are different approaches to which IDS monitoring may be applied. These approaches range from the network-based level, host-based, targetbased to application-based implementations [ICSA 98]. The basic monitoring and analysis characteristics of the IDS do not change in the different approaches to implementation, but rather focus on different aspects of importance. For example, an IDS in a network-based approach monitors the traffic on a network in promiscuous mode for any suspicious activity, while a host-based IDS monitors any attempted intrusions on a single host on which it has been installed. An additional way of implementing an IDS is the examination of the scene of the crime after an intrusion has taken place to determine the intrusion methods used and examine the possibility of tracing the origin of the intruder [LUNN 01]. In this instance the IDS is not monitoring for attempted intrusions, but rather searches for clues that relate to the intrusion. Elements, such as the points of entry into the compromised system and base of attack, are examined. Identifying these points may stop the intrusion from happening in the future and the origin of the attacker could be traced from there. This examination requires the total involvement of the IDS administrator in the process Anti-intrusion technique utilized by IDS a) Detection The anti-intrusion technique of detection forms the backbone of IDS. As shown in the definition of IDS, detection is a process of identification and in this case, intrusions are identified. Within this anti-intrusion technique different detection approaches can be identified. They are the anomaly, misuse and continuous system health monitoring approaches. Anomaly detection: This detection approach monitors system activities and compares these to activities that may be considered normal. These normal activities are established through the information gathered from 42

5 Computer security technologies the audit trails of users, groups of users, application and system resource usage and are used as a basis for expected activities. If certain user activities fall outside the normal range of activities, this approach will identify them as a possible intrusion taking place [GHOS 99]. Misuse detection: Misuse detection determines whether activity that is taking place on a system or network of systems is considered to be wrong enough to warrant an alarm. In contrast to the anomaly detection approach, misuse detection does not try to compare activities to normal activities, but rather to known wrongful behaviour. The rules of wrongful behaviour are created from earlier incident scenarios and knowledge of exploitable vulnerabilities. The validity and comprehensiveness of the rules depend upon the administrator s knowledge and experience of computer misuse and intrusions [VERW 02]. Continuous system health monitoring: Lastly, the continuous monitoring of key system factors to determine whether they are functioning properly is another detection approach. The key system factors may include general performance, registry settings and a user account s utilization of a system resource. This detection method would usually run in the background with other system processes and continually monitor the key areas mentioned for any abnormalities [PAGU 00]. Abnormalities in key system factors, such as the registry settings in the Microsoft Windows operating system [MICR 03], could suggest attempted intrusions. b) Countermeasures Countermeasure anti-intrusion techniques can be seen as the steps taken to react to intrusions that have been identified. When discussing countermeasure techniques, the reaction time and the degree of involvement of the IDS administrator in the reaction process are of interest. An administrator, within this scope, is the term used to describe the user 43

6 Computer vulnerability risk analysis responsible for the implementation of the IDS. The reaction time refers to the time it takes the IDS to retaliate against a detected intrusion attempt. There are two time frames for reacting to identified intrusions, namely: Real time The IDS system detects intrusions and reacts to them automatically while they are occurring. No involvement of the administrator is necessary to apply the countermeasures to the intrusion [GHOS 00]. Near-real time The administrator manually reacts to an intrusion after the IDS warns of an intrusion in progress [NETW 97]. The IDS detects the intrusion attempts, but it is the responsibility of the administrator to react to the threat and implement the necessary countermeasures. It would be ideal if all IDS functioned in real time, since the computer s reaction time to an intrusion is much quicker than that of any administrator. The problem is that IDS record many false alarms during the monitoring process and the reaction to false alarms on the part of the IDS could have a detrimental effect on the performance of the system it is supposed to protect. Also, the development of technology for the automatic identification of intrusions has not advanced far enough Applicability of IDS technology to VRS The discussion concerning IDS revealed some important points of interest. IDS are defined as systems actively attempting to detect intrusions. Ideally the monitoring for intrusions and reactions to intrusions should occur in real time, but this is not always possible. IDS, per definition do not identify the degree of risk a computer system faces through the vulnerabilities it possesses at a certain point in time. IDS focus more on the intrusion, which is usually a vulnerability that has already been exploited, rather than on the vulnerability before exploitation occurs. It would be ideal for the resolution of the VRS problem if the IDS s focus were on the vulnerability itself. If IDS technology could be altered slightly to examine a target system for vulnerabilities in real time it might be more applicable to the VRS problem. As is, it seems that IDS will not be able to help 44

7 Computer security technologies determine the VRS of a computer system as it is utilized at the moment. The possibility of using vulnerability assessment security technology to solve the VRS problem will now be examined Vulnerability assessment (VA) The following are possible definitions of VA: Vulnerability Assessment (VA) is the ability to determine the security status of the information technology (IT) infrastructure. [SYMA 01] To protect an organization completely, it is necessary to audit the network on a regular basis, and in order to achieve this, a whole new category of software has emerged in the last few years: Vulnerability Assessment (VA). [FARM 01] The technology concerned with scanning computer systems and networks in order to find security vulnerabilities. [BACE 99] It is possible to formulate a definition by combining the literature referred to above. VA may be seen as the regular auditing and diagnostics of company computers and networks and the overall company security implementations for vulnerabilities. From the definition it seems that VA is divided into two parts: 1) The VA tools, which scan the company computer systems and networks for vulnerabilities and 2) the analytic approach to assessing the overall security flaws within a company [MIKS 01]. The VA tools referred to in this instance are the software applications or products that search for vulnerabilities on a computer system Nature of vulnerability assessment As in the case of IDS, VA can be applied to different computing approaches. These approaches range from the network-based VA, host-based VA and target-based VA to application-based VA, much the same as IDS [ICSA 98]. 45

8 Computer vulnerability risk analysis For example, VA tools scan for vulnerabilities at network level in the networkbased vulnerability assessment, and at application-based level vulnerabilities are detected in specific software applications. The time frame of the implementation of VA is of interest. VA tools are implemented on a scheduled basis, which means that VA tools, which scan for vulnerabilities, reveal vulnerabilities found at the time of the scan. In other words, VA tools give a snapshot of the vulnerabilities on a computer system at a certain point in time. This means that vulnerability assessment of the company computer systems or the company s overall security occurs only when an administrator or company policy deems it necessary. This is different from an IDS, because as defined earlier, an IDS monitors intrusions continuously after activation Anti-intrusion techniques utilized by VA a) Prevention Prevention anti-intrusion techniques are the preventative steps taken within a company to minimize the likelihood of the success of an intrusion, through the correct design, implementation, configuration and operation of a computer system. The prevention anti-intrusion technique seeks to avert intrusion before any unauthorized access to the computer system has been achieved. If prevention were implemented flawlessly, then in a perfect world, the other techniques such as detection and countermeasures would be unnecessary. In reality, total intrusion prevention is virtually impossible. An example of a VA tool that implements the prevention anti-intrusion technique is a vulnerability scanning tool. Vulnerability scanning tools are security tools that examine systems and networks to determine whether they are vulnerable to attack because of vulnerabilities that are resident in their configuration, settings or implementation [CONR 01]. b) Countermeasures The countermeasure techniques implemented by VA tools rely totally on the involvement of the administrator. VA tools only identify vulnerabilities, but do 46

9 Computer security technologies not automatically take steps to eliminate the vulnerabilities that have been detected. Vulnerabilities are not automatically eliminated for good reason. The VA tool s settings determine the specific areas of the vulnerability detection that will be applied; therefore, some of the vulnerabilities that the VA tool detects may be non-critical and acceptable to the administrator and the average user. The automatic elimination of the vulnerabilities may cause problems in the performance of the computer system and it is also very problematic to create software tools that will eliminate all computer vulnerabilities automatically. In addition, new vulnerabilities are discovered annually, which increases the complexity of automatic vulnerability elimination. In the past it was the responsibility of the administrator to address the vulnerabilities detected by the VA tools and implement countermeasure techniques. For example, if the VA tool detects an account with security settings that allow too much access, it was the administrator s responsibility to decide if the account s privileges should be decreased or if they may stay as they are. Currently the decision of which vulnerabilities to eliminate involves different entities, including the person(s) who own or are responsible for the threatened computer system as well as the relevant business unit the system resides in. Through consultation with these different entities, the identified vulnerabilities may be resolved in a responsible manner Applicability of VA technology to VRS VA technology may be quite useful to the VRS problem. As discussed, VA products detect vulnerabilities in computer systems and suggest ways of rectifying the problems they find. They do this in a scheduled manner, giving a kind of snapshot of the vulnerabilities resident on a computer system at a certain moment in time. The problem with the VA tools or products, however, is that they do not relay VRS, as preferred by the researcher. They only give a list of the vulnerabilities found and this reveals nothing of the areas within the computer system that 47

10 Computer vulnerability risk analysis the vulnerabilities influence. Also, the risk the vulnerabilities pose to the computer system is not quite obvious. 4.3 Conclusion This chapter has dealt with the evaluation of existing computer security technologies, which show potential in assisting in the creation of a computer s VRS at certain point in time. From the discussions of VA and IDS, some differences between the two computer security technologies have become apparent. These differences are the reasons for the choice of VA technology over IDS to determine a computer s vulnerability risk status. The reasons are as follows: VA tools detect and report vulnerabilities in the computer system, while IDS detect intrusions taking place. This means that IDS do not focus on the vulnerability, but rather on the intrusion that may have resulted from the exploitation of the vulnerability. The security technology that aids VRS creation should focus on vulnerability identification rather than exploited vulnerabilities. The different time bases of VA and IDS implementation reveal that the scheduled approach adopted by VA is of greater value in solving the computer VRS problem than the ongoing monitoring employed by IDS. The VA tools give a snapshot of the vulnerabilities that are resident at the time of the scan and this will simplify the determination of VRS. IDS monitor continually and this makes VRS creation problematic, because time intervals will have to be used to determine VRS. Deciding on an appropriate interval to use could become overly complex. It would be ideal if the monitoring and resolution of vulnerabilities occurred in real time or near-real time in the same way that IDS technology monitors for intrusions. A combination of the two technologies might be a step in the right direction, but it seems that continuously monitoring for vulnerabilities on target systems may create huge overhead. Even though new 48

11 Computer security technologies vulnerabilities are found almost every day, this may not warrant the constant monitoring of systems for vulnerabilities to resolve. Also, the latest updates of the newest vulnerabilities identified must be immediately available for download and incorporation otherwise the monitoring process would become obsolete. Lastly, the decision as to whether a vulnerability is considered dangerous enough to eliminate has to be discussed among a number of individuals, including the owner/user of the system, the administrator as well as the business unit the system forms a part of. The productivity of the department may be lower and time and money may be wasted through endless meetings and discussions. It has been established that VA is the pre-eminent security technology to employ for determining a computer s VRS. A study of an applicable VA tool in this security technology and its implementation will be the next step. The next chapter will discuss VA tools that may be useful in resolving the computer VRS problem. 49