PC Technoids LLC

Security measures


A state of computer "security" is the conceptual ideal, attained by the use of the
three processes:

Prevention
Detection
Response


User account access controls and cryptography can protect systems files and data,
respectively.


Firewalls are by far the most common prevention systems from a network security
perspective as they can (if properly configured) shield access to internal network
services, and block certain kinds of attacks through packet filtering.


Intrusion Detection Systems (IDS's) are designed to detect network attacks in
progress and assist in post-attack forensics, while audit trails and logs serve a similar
function for individual systems.

Today, computer security comprises mainly "preventive" measures, like firewalls or
an Exit Procedure.

Firewalls

A firewall can be defined as a way of filtering network data between a host or a
network and another network, such as the Internet, and is normally implemented as
software running on the machine, hooking into the network stack (or, in the case of
most UNIX-based operating systems such as Linux, built into the operating system
kernel) to provide real-time filtering and blocking. Software firewalls offer basic
defense from outside and inside attacks. In addition, they let you move from
network to network

Another implementation is a so-called physical firewall, which consists of a separate
machine filtering network traffic. Firewalls are common amongst machines that are
permanently connected to the Internet (though not universal, as demonstrated by
the large numbers of machines "cracked" by worms like the Code Red worm which
would have been protected by a properly-configured firewall). However, relatively
few organizations maintain computer systems with effective detection systems, and
fewer still have organized response mechanisms in place.

Authentication and authorization


Authentication and authorization are the cornerstones of any well-implemented
security policy. Simple passwords are rarely sufficient, and as organizations grow,
control is quickly lost and administration and maintenance become a nightmare.
Developing a comprehensive strategy that includes biometric, token, and public key
infrastructure (PKI) technologies is imperative for assuring authentication and data
integrity.

The four principal forms of Authentication are:

"What you know" - password and pass phrases
"What you have" - tokens including physical keys and smart cards
"What you are" - static biometrics such as fingerprint, iris, and face recognition
"What you do" - dynamic biometrics such as voice and signature recognition
Whether it is through authentication technologies involving hardware such as tokens
or software-based certificates and biometric identification, I/O Software provides
clients with the appropriate authentication mechanism and technologies to meet their
needs.

Password

Passwords are the most common form of authenticating today. Conservative
estimates show that there are close to a billion password-based authentications per
day.

Today, users must remember too many identities and password combinations at an
ever-increasing rate.

Some problems with passwords include:

Access to user passwords by system administrators - System administrators
who keep assigned passwords written down for quick access when a user forgets
their own passwords. This destroys the whole element of nonrepudiation.

Risk of undetected theft - Passwords can be stolen without the knowledge of the
user. Similarly, a user can unknowingly disclose a password through eavesdropping,
persuasion, posing as a system administrator, etc. Loss of a password can only be
discovered by detecting its misuse or finding it in the possession of an unauthorized
user.

Risk of undetected sharing - Passwords can be easily shared. Current systems can
create situations where a secretary will use their boss's passwords to read e-mails.
However, reading the boss's e-mail should be possible without allowing the secretary
to send e-mail under the boss's identity. A proxy implementation would allow
secretaries to answer their boss's e-mail while signing the replies with their own
names.

Risk of weakest link - Users tend to repeat selecting the same password at
multiple sites. Exposure of a user password at a weak site can lead to the users
accounts being compromised at other sites. Unfortunately, there is also no technical
way to prevent users from selecting the same passwords at multiple sites.

Risk of guessing - If a password can be guessed via personal knowledge,
tendencies and other easily obtainable information will be compromised.

Risk of dictionary/brute force attack - Passwords can be exhaustively searched
by utilizing a dictionary or brute force attack to try every possible combination of
typeable letters.

Risk of password play - If a password is transmitted from client to server or even
keyboard to terminal, it is possible to intercept and record this information.

Risk of server spoofing - Web sites and applications can copy the look and feel for
use as a decoy to establish confidence and obtain passwords from a user.

Risk of password reuse - The requirement to change passwords with some
frequency is understood but the frequency to do so is not. Forcing users to change
passwords more frequently could actually lead to less security.

Biometrics Authentication

Biometric software and hardware allows users to access all of their software
applications with a single biometric logon or individual application logon. Marco
provides a suite of software programs that allows a person's fingerprint to be used to
authenticate their identity when accessing their workstation, network, applications,
or corporate data. Unlike passwords, a person's fingerprint is totally unique and will
never be changed, borrowed, lost or forgotten. The business benefit is faster, easier,
more secure access with auditable network logon and much lower administration
costs.

Data Encryption

In response to regulatory pressure and the dramatic rise in risks associated with
collecting, analyzing and sharing sensitive information, organizations have grown
concerned about securing the data they exchange with customers, partners, and
government agencies as well as data at rest within their networks.


Wireless (WEP) - It has been widely reported that the WEP (Wireless Equivalent
Privacy) protocol - the standard that outlines how data will be encrypted on the
802.11 wireless LAN - was implemented in a way that makes it vulnerable to attack.
This poses serious risks for businesses that have deployed wireless LANs because
any confidential data - financial transactions, credit card number, and a companys
proprietary information - that is flowing over these networks can be compromised or
exposed.

VPN (Virtual Private Network) - One should use data encryption to protect the data
that is sent between the VPN client and VPN server or the shared or public network,
where there is always a risk of unauthorized interception. Configure the VPN server
to force encrypted communications with Point-to-Point Tunneling Protocol (PPTP) and
Internet Protocol security (IPSec) encryption with the Layer Two Tunneling Protocol
(L2TP). Instead of using a dedicated, real-world connection, a VPN uses "virtual
connections routed through the Internet from the companys private network to the
remote site or employee.

Key Fobs

Key Fobs are lightweight and water-resistant tokens that allow users to access their
network from virtually any remote location imaginable, whether it be from home, a
hotel room, an airport terminal, or even outdoor locations. Key fobs work in
conjunction with an RSA Security server to authenticate a users identity, allowing
network access to authorized users and locking out hackers and would-be
trespassers. The key fob displays a randomly generated access code which changes
every 60 seconds. It provides two-factor authentication: the user logs in by entering
a secret personal identification number (PIN) followed by the current code displayed
on the token. The logon process is one simple and quick step, and processing of user
credentials is transparent to the user.


Telecommuters may also use an electronic device known as a key fob that provides
one part of a three way match to log in over an unsecured network connection to a
secure network. This kind of key fob may have a keypad on which the user must
enter a PIN into to retrieve an access code, or it could be a display-only device such
as a VPN token that algorithmically generates security codes as part of a
challenge/response authentication system. The most well known example of the
latter type is RSA's SecurID token.

Smart Card

Smart Card Readers examples of innovative smart card readers
Smart Card Readers also known as Smart Card Programmers, card terminals, card
acceptance device (CAD) or interface device (IFD), become more popular every day.

Smart card solutions have enjoyed a recent rise in popularity with administrators
who face the task of improving systems and network security

They are used to read data from and write data to the smartcard. Card readers can
easily be integrated into a PC running Windows 98/Me, 2000, XP. However, some
computer systems already come equipped with a built-in Smart Card Reader.

Some card readers already come with advanced security features such as secure PIN
entry, secure display or even integrated fingerprint scanners for the next-generation
of multi-layer security and three-factor authentication.


A smart card usually is credit card-sized, but rather than having a magnetic strip on
the back, the smart card has a microchip attached to the card face. The microchip
features some memory (usually between 4KB and 16KB) and an onboard OS that,
when placed into a compatible reader, loads and waits for input/output. Host
computers talk to the OS rather than access the card's memory directly, and the OS
controls what the host computer can read from and write to in memory. To further
protect stored data and to secure data that passes between the smart card OS and
the host OS, the smart card OS supports cryptography. Smart cards are PIN-
protected and support a user PIN and an administrator PIN. When a user supplies
the OS with the correct PIN, the OS unlocks the card for user or administrator
access. Depending on the application, users typically can read from the card and
administrators can write to it.

Perhaps the most common smart card use in Windows environments is to secure the
authentication or logon process. Rather than pressing Ctrl+Alt+Del and entering a
username and password, users place their smart card into a smart card reader and
enter their PIN-a process known as two-factor authentication. You can also use
smart cards to store email-signing certificates, client-authentication certificates for
Web sites, and certificates you use to establish VPN connections.

To support smart cards in Windows environments, you must have access to a public
key infrastructure (PKI). You can use Certificate Services, which is included with
Win2K Server, or a supported third-party product such as Baltimore Technologies'
Baltimore UniCERT. You can use smart cards with certain applications on earlier
platforms, but in those cases, you usually have to rely extensively on supporting
drivers and third-party software.

Contactless Cards

Contactless cards contain a small antenna so that the card reader detects the card
from a distance. The distance can vary from a fraction of an inch to several feet,
depending on the technology and hardware used. Contactless card are currently used
mostly to control physical access, such as access to a building or room. However, in
a multifactor PC authentication environment and in combination with a biometric
technology, these devices can provide a very convenient and secure method of
authentication.


USB Token

USB token devices are used for authenticating user identification, usually in
coordination with a personal identification number (PIN) or single password. USB
tokens contain a tiny computer chip for securely storing information. They are
technologically identical to smart cards, with the exception of their form factor and
interface. USB smart tokens are typically smaller than a house key and are designed
to interface with the universal standard bus (USB) ports found on millions of
computers and peripheral devices.

Advantages of USB tokens include that readers are not required-the token simply
plugs into a USB port; token device drivers are easily installed, unlike smart card
readers, which can be difficult to install and configure; the tokens are small and
designed to fit on a key chain. Furthermore, users are required only to remember a
single PIN (if required) as opposed to multiple passwords.

Disadvantages include that tokens can be lost as easily as a house key; tokens need
to be replaced every few years; and compared to other methods, it takes longer for
a user to authenticate using a token device since there are usually multiple steps in
the verification process.

Soft Token

Soft tokens refer to intangible software-based "tokens", which are theoretically
similar to single sign-on passwords, but offer the deployment advantages of a
software application. This technology solves the problem of providing a common
installation and user interface across a wide range of platforms, operating systems
and application environments. Token initialization binds the token to the user,
generating correct one-time passwords unique to the user for each logon. Soft
tokens are revocable at any time without recovery, making them ideal for large user
populations and external consultants requiring temporary network access. Once
revoked, they can be completely re-initialized and deployed to new users as
required.

Bio-Token

Bio-tokens, also known as pseudo-tokens, combine the functionality of a fingerprint
reader and a token authentication device, and are enhanced by the ability to store
data directly on the device. That is, a bio-token will store the authentication
credentials (i.e., fingerprint template used for comparison during the verification and
identification processes) on the card itself. This allows users to carry a bio-token card
to another machine and authenticate their identity without their template data being
stored on the machine or network. Hence, a user must not only provide their
fingerprint, but also have the appropriate bio-token in their possession. A single bio-
token has the ability to store multiple user data, so users can share the device. Users
can also store other data (such as documents) on their bio-token. If multiple users
are sharing one device and have stored data/documents on the device, the currently
logged on individual will only have access to their own data. Hence, data stored on a
bio-token is secure, accessible only to the person who is currently authenticated.



Hardening a System

Hardening is the process of protecting a system against unknown threats.

An intruder attack is only one aspect of security with which you should be concerned.
Viruses are another big security threat; the fact that they spread easily only
increases their infestations.


To protect the well-being or integrity of something, to ensure the safety of property
or interests in an object from intrusion, or to keep a concept or object private, youll
need to secure a system. In the hostile environment of the Internet, system
administrators need to restrict access to assets. To grant access to a selected group
of users, you need to know who to trust and how to verify the credentials of-
authenticate-those you allow to use your systems.


The cornerstones of any security policy include the following:

Privacy, or the ability to keep things private and confidential
Trust, or the question of whether you should take data or objects at face value


Authenticity, or verifying that contacts are made with people who are accurately
representing their identity


Integrity, or the process of ensuring a system hasnt yet been compromised and will
remain secure


Keep all machines on the network updated and check with the operating system and
application vendors on a regular basis for service releases and hotfix patches.

Any software downloaded from the Internet should be stored and installed on test
systems before any production deployment, and the system should be scanned for
viruses after the software has been tested.

Dont download software from unknown sources; a prominent violation of this policy
is the retrieval of programs from peer-to-peer file transfer services. This not only
endangers the host computer, but the entire network. Lately, viruses are beginning
spread after initial execution onto network shares and, depending on the strain of
virus, it can cause many hours of downtime, which results in a significant financial
liability.

One should configure your virus software to the most restrictive level, thereby
ensuring that any virus activity is contained to one computer without infecting the
network.

Block all potentially malicious file types, such as VBS, EXE, COM, and SCR, from your
mail server. These file types are rarely used for legitimate business purposes and can
accidentally be executed by unsuspecting users. This can compromise your entire
network.

Firewall suggestions:


Block TCP ports 135, 139, and 445, and UDP ports 135, 137, and 445. These are
Microsoft Windowss networking ports that have been traditionally vulnerable to a
great many distributed service attacks, and theres little use for them over the
Internet.

Block all other unused ports. Each time you open a port you create a hole in the wall
that youve built around your network, and you replace it with a window. The more
ports you open-the more windows you install in your wall-the more transparent
your network becomes to the outside.



Copyright2006 PC Technoids LLC All rights reserved.