Corporate Network Security

Abstract
The headline is in fact misleading as no such thing as network security
exists! We can aim at security but we are only able to try to protect ourselves
and our IT resources against the threats we know are around. And an urgent
message of this presentation shall be: What you don’t know CAN hurt you!
Therefore, for the non-military sector the conclusion is that corporate
management has to apply a close monitoring programme on possible security
weaknesses and flaws in all the new hardware and software that are pouring
into their organisations. To this end a recognition gradually is emerging on the
need for an IT Security Management System of the kind we know as “Quality
Management Systems” and “Environmental Management Systems”.
But be aware that involvement of management at all levels is very important
and an ongoing process to keep pace with the development of technology as
well as the threats. Management won’t get away with the delegation of
responsibility to others, e.g. to some security officers who are doomed to fail if
not receiving strong support from top management.

The basic security issues
Information Warfare is not a term normally used in the non-military sector.
Though, there is quite an awareness of many of its constituents such as hackers,
intruders, trojan horses, spamming, masquerading etc. At the same time several
types of counter measures are recognised, such as: Firewalls, encryption
methods, authentication mechanisms, and intrusion detection techniques.
All of these terms are related to the use of communication networks,
especially the Internet. And it might be discussed whether they are most related
to “Warfare” or to “Guerilla Tactics”. In fact most of the threats stem from
bright individuals who find a challenge to their expert IT knowledge penetrating
corporate networks.
First the companies had their huge mainframe computers and the staff had
finally after many years learned how to control these machines security wise. But
as this did not provide a user-friendly work environment many companies tried
to decentralise their computer operations to departments, divisions or production
plants, using interconnected local area networks.
When the PC appeared in its most basic form without easy communication
facilities the local managers as well as the individual users claimed their rights.
This way people obtained their independence from the IT department and
enjoyed doing their own programmes and spreadsheets. In fact they went
completely on their own performing as IT managers and IT security managers
themselves.
This solution may look nice to most users but they were not really aware that
they incurred some fundamental obligations at the same time, such as doing
backups, protecting the systems and data against manipulation and errors, and
keeping certain information confidential according to company requirements. In
other words this kind of restart to the computer era had to be followed by a
restart concerning security procedures and counter measures as well, which was
not that easy nor accepted.
 

New risks introduced through external networking
Concerning IT security new risks were introduced at different points in time. First
a more widespread use of dial-up connections made the corporate network more
vulnerable to hacking from outsiders.
Secondly Internet made itself a part of the corporate networks because of
bright and pro-active employees’ needs to keep themselves up-to-date on the
newest developments. These activities were often not known to management and
neither allowed nor disallowed, and this fact must be considered a serious threat
to corporate security because nobody really has responsibility or is prepared to
cope with what is seen to be outside management control.
Hacking in itself is a real threat only when no precautions are taken beforehand,
e.g. when no password is required for access or when a systematic search
for the right password is not prohibited. But when techniques for tapping the
communication lines developed and therefore a password no longer was a
guarantee for an authorised communication partner, new protection mechanisms
were needed.
Why is this then so important? Because intruders may be able to

- destroy systems, programmes, and data (even entire databases!)
- manipulate any of the above entities, tampering the integrity without
anyone knowing it
- steal the entities through copying
- disclose information which is considered “company confidential”
- disrupt the services by improperly prohibiting users to obtain legitimate
access, or by causing malfunction

So the threats are multifaceted, and have to be dealt with individually by
type. Furthermore, we have to remember that most of the threats can be caused
accidentally or as acts of omission as well!
Internet does not really add new threats to this list, but expands the range of
methods and techniques used for unauthorised purposes. Furthermore, the
number of people that potentially might try to obtain access is heavily increased.
Apart from hacking the most threatening event would be a virus attack
which as the term tells is a kind of induced systems disease that is able to
replicate and spread to all PCs in a network. Fortunately we have now learned
how to protect ourselves against (known) viruses by means of anti-viral software
supplemented by systematic backup procedures.
But the threat is still there that the systems will “go out of order” or the data
will be erased. And you can imagine the business consequences for a large
company being unable to operate for one or two days because of missing IT
power, or for a much longer period because of missing data!
The most recent development in this area is the appearance of a virus
including a trojan horse! This combination called “Back Orifice” makes it
possible to obtain complete control over another PC in the network. In fact it
opens the doors for industrial espionage, disclosure of passwords and PIN codes,
and successive offences against company property. Only our imagination sets the
limits to which criminal activities could be completed this way.
And because a part of the game is to trick people to “install” the trojan horse
themselves you can’t protect yourself through some fancy software product
alone. You must at the same time inform and train the employees and make them
conscious of their company being at risk if anyone is careless when receiving
programmes from unknown sources.
This kind of “trick attack” is in more general terms labelled “social
engineering” denoting the key point that someone pretending to be another
person, e.g. a technician, often will be able to persuade other users to lend out
their password for some more or less convincing reason. The only way to protect
against these attacks is to educate, train and motivate all employees and this is
certainly a managerial task at all levels. It may look out of proportion, but why
install an effective set of technical protection mechanisms when we know that
the weak point turns out to be based on human misbehaviour? Or on
programming bugs?
 

Network security services
Having recognised some of the threats to the corporate network it is obvious that
a coherent set of security services is needed. In principle they were specified
years ago (1989) in an ISO standard (ISO 7498-2). This document is based on
the fact that not only can the network be attacked but also its management. So
the most needed network security services are:

- Authentication of the communication parties
- Access control, i.e. prevention of unauthorised use of the network
- Confidentiality of the message
- Integrity of the message
- Non-repudiation with proof of origin and delivery
- Security audit trail

whereas “Traffic flow confidentiality” is seen as less important in the non-military
sector.
As previously mentioned these security services have been known and taken
into consideration since 1988, when our firm made a study for the Danish
Ministry of Finance on how to establish network security in the central
government area. But the need for this kind of thorough security turned out to be
very limited or non-existent at that time.
Recently, however we have seen the Danish Ministry of Research launching
a series of pilot projects with clear intentions of utilizing up-to-date information
technology including the associated IT security hardware and software. And this
time standard hardware and software are actually on the market at a reasonable
cost!
 

Available security measures
The above mentioned security services require a series of security mechanisms
installed as well as a security management system which will be able to keep the
mechanisms functioning over time. The mechanisms are for example the
following

- Encryption
- Hash totalling / message digesting
- Digital envelope
- Digital signature
- Certificates
- Firewalls
- Virus protection
- Monitoring tools (event logging, intrusion detection)

These mechanisms enable you to design a secure network solution, even if the
Internet is planned to be the transmission medium. At least in theory! What is not
covered yet is the human part of the supporting measures. In other words we
miss an IT security management system that supports correct human behaviour.
No errors or omissions should occur in connection with all the security related
work.
All our experience shows that the human element is the weakest link in the
total chain of security measures. If people find the rules, procedures, and
instructions too difficult to follow then they will find other ways! Perhaps
resulting in disastrous security breaches. But this is only part of the truth.
Usually it is the managers that cause the most severe harm to their own firm
because of lack of interest in spending time and resources on the establishment
and running of a seriously meant IT security management system.
Here it has to be remembered that a firewall in the physical world must be
solid to be efficient! You may choose to let a pipe go through the wall, but then
you have to recognize that the wall is weakened to a certain extent. Likewise a
“logic firewall” is only effective when no traffic is passing through! Whenever
an exception to this rule is specified, the wall is weakened a bit and it will be
necessary to evaluate whether the risk has reached an unacceptable level.
At this point it has to be emphasized that dispersed initiatives to strengthen
the security may be fine but that they have to be multilayered and strongly
coordinated. Partly because the weakest link determines the total strength, partly
because human mistakes or technical flaws will lead to security breaches
eventually. A simple example will shed light on this viewpoint:
If a hacker succeeds in passing through or circumventing a firewall and
installs a trojan horse in a computer behind the wall he may prefer to withdraw
from immediate action because he has now established a sleeping partner to be
activated at a later point in time. A trigger is now going to decide when an attack
will be launched. You might find this situation easy to be prevented and it should
be so if a perfect access control system is installed at the perimeter of the
network. But nevertheless it could fail for several reasons.
The hacker is able to succeed because we often find software with default
settings that allow an easy backdoor entry for the technicians when on repair or
maintenance. Furthermore, the continuous flow of new releases from the firewall
supplier may introduce flaws at installation time because of unqualified or
inexperienced support programmers or because of a sloppy change management
procedure. Additionally, every single user located behind the firewall constitutes
a danger to the network in question as he unknowingly or deliberately breaks the
corporate rules by locally connecting to the Internet at the same time as he is
logged on to the corporate network and thereby lets a back entrance wide open.
Finally, the issue of correct authentication should be mentioned. To be sure
of the user identity at logon it is not satisfactory just to have a password presented
to the access control system as this password might have been “sniffed” by
another person. More sophisticated mechanisms are required such as one-time
passwords, challenge-response authentication, fingerprint recognition, or cryptographic
techniques.
The choice has to be made by management and should depend on a risk
assessment, i.e. an evaluation of the potential business risks versus the cost of
necessary protection measures.
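
The difference between a static password and the challenge-response mechanism named above, as an added example that is not part of the original article. It assumes HMAC-SHA256 as the response function; the class and function names and the sample key are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class ChallengeResponseServer:
    """Verifier side: issues single-use challenges and checks HMAC responses."""

    def __init__(self, user_keys):
        self._keys = dict(user_keys)      # user -> shared secret key (bytes)
        self._pending = {}                # user -> outstanding challenge

    def issue_challenge(self, user):
        # A fresh random nonce per logon attempt; it is never reused.
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        # pop() makes the challenge single-use, whether or not the check passes.
        nonce = self._pending.pop(user, None)
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key, challenge):
    """Claimant side: proves knowledge of the key without sending it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def static_password_logon(stored, presented):
    """The weak baseline: the same secret crosses the line at every logon."""
    return hmac.compare_digest(stored, presented)


def demo():
    key = b"constructed-demo-key"         # constructed sample secret
    server = ChallengeResponseServer({"alice": key})
    # Legitimate logon; assume everything on the wire is recorded.
    c1 = server.issue_challenge("alice")
    sniffed = client_response(key, c1)
    legit_ok = server.verify("alice", sniffed)
    # Replay 1: the recorded response is resent with no new challenge.
    replay_without_challenge = server.verify("alice", sniffed)
    # Replay 2: a new challenge is issued but answered with the old response.
    server.issue_challenge("alice")
    replay_new_challenge = server.verify("alice", sniffed)
    # With a static password, the recorded value is accepted again.
    static_replay = static_password_logon(key, key)
    return legit_ok, replay_without_challenge, replay_new_challenge, static_replay
```

demo() returns (True, False, False, True): the recorded response is rejected on both replays, while the recorded static password is accepted.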

Getting IT-security at the right level
There is little doubt that we now have the necessary technical security
mechanisms available. At the same time though, we are aware that compromises
are essential (for example “holes” through the firewall) and that employees /
users make mistakes, forget instructions, or even circumvent troublesome
security mechanisms. This situation is aggravated by the difficulties observed in
doing the necessary protection engineering to the constantly changing computing
environment.
How then do we obtain the right security level? First and foremost we have
to establish the above mentioned “Security Management System” which might
be the basis for effective handling of all security activities, whether proactive or
reactive. This basis includes a series of well known management disciplines in a
recurrent flow:

and repeat from 1 again in a recurring cycle of ½ to 1 year. For further details see
appendix A. In this way management see to it that the right issues are handled,
the problems are observed, and the required investments are made.
But what is in fact “the right security level”? Nobody knows, neither the
technicians nor the managers. We have no international standards in place,
although a British standard (BS 7799) has been widely accepted and a
certification scheme for compliance to BS 7799 is planned.
Recently a technical report (ISO/IEC TR 13335, 1 - 5) emerged covering
“Information technology - Guidelines for the management of IT security”. The
first three parts look like a good supplement to BS 7799 but we still have no
specifics about security levels within the entire IT environment including the
users.
What we do have is the different initiatives to provide secure building
blocks, i.e. software products, which hopefully in a few years time will lead to
certifiable systems based on an ISO standard called the “Common Criteria”
originally based on the “Orange book” from the US.
Neither of these proposals, standards nor reports considered individually
provide the ideal evaluation scheme, but considered as a whole they might lead
us a bold step in the right direction.
 

Conclusion
Until now we have primarily been focused on a traditional mix of preventive,
detective and responsive measures, based on human intervention. In the future
we will see automated defensive tools that detect attempted intrusions and act to
mitigate their effect in real-time. In military terms it could be phrased this way:
“The fortresses of old are not completely unimpregnable any more. Rather they
are designed for a running battle in which the attackers have their successes and
defenders have theirs as well” (ref. Fred Cohen, Network Security, October
1998)
But to cope with this new situation we have to assume that the underlying
security measures - both the technical and managerial - are in place and
systematically maintained. And for this purpose a “Security management
system” is an absolutely essential prerequisite, because this is the only way to
keep up with the technological developments and the “bright” ideas of the
hackers - as well as to train and motivate the employees / users to protect the
corporate assets.
As it may have appeared from the above the approach to the topic of
“Corporate Network Security” has gradually been developed into a more general
approach of “Corporate Security”. This is primarily because of the human
element in the protection efforts which demands a high level of security
consciousness throughout the whole organization. Only this way will we be able
to create an IT environment including the network appropriately protected -
remembering that it will never be “secure”.
 

APPENDIX: The elements of a Security Management System
DIRECTING
Direction and commitment are necessary conditions for obtaining IT security.
Direction is given through IT security policies, objectives and strategies - and
committed to through the setting up of an IT security programme
ORGANISING
A management structure is required to control the complete cycle of IT security
activities
ASSESSING RISKS
The business risks are to be analysed and managed to obtain a consistent and
acceptable security level
PLANNING
Security measures are to be planned according to the business needs defined
during the risk assessment
IMPLEMENTING
Security measures are implemented in the form of technical mechanisms and
administrative procedures
TRAINING
Awareness-raising and training programmes are offered to spread out
commitment for IT security throughout the organisation
OPERATING
Procedures are followed, incidents are handled, and data files are backed up
during operations. Especially the change management procedure is important
MONITORING
As a part of the IT security cycle monitoring gives management a clear view of
what has been achieved compared to the original targets
EVALUATING
The results of the monitoring process, especially the deviations, are reported to
management on a regular basis - and it is evaluated whether achievements have
been satisfactory or the IT security policy needs tuning
CORRECTION
If corrections are deemed necessary, initiatives are decided and prioritised by
management - to be included in a revised policy or strategy
and the sequence is repeated all over again in a recurring cycle of 6 months to 1
year.

 

PDF of the original edition of Militært Tidskrift in which this article appeared:
militaert_tidskrift_128_aargang_mar.pdf

 

 
