CSM660 Information Security Management Assignment 2

MICT Management AeU
Semester 06/09 Assignment 2

Part A: Short Questions [20 Marks]

1. In the software environment, it includes the stage of design, development and operation. Please kindly determine and elaborate the threats to the software environment.

Answer:

Stage : Design

Threat 1: Error in Assumptions - Incorrect assumptions by the engineer, including assumptions about the capabilities, outputs, and behavioral states of the software's execution environment or about expected inputs from external entities (users, software processes). Such assumptions took the consideration of need of flexibility to end user in realistic day-to-day operation, and thus giving an option of 'bypassing' the system during critical time. This assumptions, though remain useful, post a threat to the integrity of the system. Also, sometimes the engineers designed authorized system overrides, kind of exception handling in their systems, and they didn't think about the fact that they were giving end users a way to get around the rules.

Threat 2: Flawed Design - The software's interfaces with external entities. Development mistakes of this type include inadequate (or nonexistent) input validation, error handling, and exception handling. In this multi-application system, software are designed to work with other softwares – especially in the current market of multi-operating systems. Threat of allowing other softwares to modify or add on to its source code can be used as a way to launch an attack by others.

Threat 3: Insider Threat – Software engineers who designed the software may intentionally leave 'hole' for shortcuts and future exploitations. Threat like this is usually from insiders who inserted 'backdoors' into the source code that they could then use later. So once past the design phases the vulnerabilities will be there, unless uncovered by someone else. Once the software is launch into market, the insider or people who have grievances against the firm which uses the software, could make use of this vulnerabilities to get back into the organization's network. Then, the attacker could send very malicious email to the organization's customers, alter files, alter applications, initiate a denial of service attack, and the organization could end up with massive problem.

Stage : Development

Threat 1: Insider Threat – A software engineer can sabotage the software at any point in its development life cycle through intentional exclusions from, inclusions in, or modifications of the requirements specification, the threat models, the design documents, the source code, the assembly and integration framework, the test cases and test results, or the installation and configuration instructions and tools.

Threat 2: Flawed Source Code – The software's interfaces with external entities. Development mistakes of this type include inadequate (or nonexistent) input validation, error handling, and exception handling. Unintended interactions between software components, including those provided by a third party could post threat to the software when it is deployed in actual use.

Stage : Operation

Threat 1: Insider and External threats – Any software system that runs on a network-connected platform is likely to have its vulnerabilities exposed to attackers during its operation. Attacks may take advantage of publicly known but unpatched vulnerabilities, leading to memory corruption, execution of arbitrary exploit scripts, remote code execution, and buffer overflows. For example, one insider was able to deliberately plant a virus on all of the organization's customers' systems, because he was responsible for deploying any new releases to those customer systems.

Threat 2: Flawed Software & Implementation – Software flaws, either left by software engineers during the development phase or discovered by user, can be exploited to install spyware, adware, and other malware on users' systems, on site or remote through the Internet. This software flaws or 'holes' could be made like a 'time bomb' to lie dormant until it is triggered to execute. Like in the case of Threat 1 under Design, error under assumptions, it may be discovered by accident when it is used by end customer. Such 'overwrite' is exploited for personal benefit of the system user and if there was no two-person rule or anything like audit involved, he could do whatever he wants when he accesses the system. In fact, he could manipulate and execute any application or data without anyone's knowing.

Threat 3: Proper Backup – It is like when an article is been written and modified through time, and suddenly, it is infected by a deadly virus and not retrievable. This kind of threat occurs when there is no proper backup for the software before it is deployed to the operational phase for implementation. The separation of software development and deployment, although able to mitigate the risk of software being corrupted at later stage, need to have proper access control in place. The software engineers in the operational phase of software should be restricted to access certain part of the source code only, and monitored for any modifications to the source code. In the same context, the developers should not be involved anymore with the deployment of the software during this phase. Next, a proper backup procedures should be stringently enforced, so that the insider risk for corrupting the software can be mitigated.

REF:

1. Software Security Engineering A Guide for Project Managers, Julia H. Allen; Sean Barnum; Robert J. Ellison; Gary McGraw; Nancy R. Mead. Addison Wesley Professional.
2. How to Start a Secure Software Development Program, CERT's Podcast Series: Security for Business Leaders. Carnegie Mellon University, in Pittsburgh, Pennsylvania. Interview with Gary McGraw.
3. Insider Threat and the Software Development Life Cycle, CERT's Podcast Series: Security for Business Leaders. Carnegie Mellon University, in Pittsburgh, Pennsylvania. Interview with Dawn Cappelli.

2. In an organization, there should be the operation security policies whereby it controls over the hardware, media, and the operators and administrators with access privileges to the resources. Meanwhile, according to Patricia AP Fisher, she has defined three (3) critical requirements for operation controls. Please kindly find and explain the three (3) critical requirements.

Answer:

Resource protection, privileged-entity control, and hardware control are the three critical requirements of operation control.

1. Resource Protection

This is the control of the how resources of an organisation, mainly the hard wares and the peripherals, are being used by their users within the organisation. Its aim is to safeguard all of the organisation's computing resources from loss or being compromised due to malicious attacks. In the networking environment, this is usually done by access control switches and specific domain or IP allocations and firewalls so that only those with such access (by authenticated entry) are allowed to use the resources. By enforcing such access control of resources, accessibility to data is monitored and thus, ensures accountability of data retrievable by the any authorized personnel. Hence, resource protection reduces the possibility of damage due to unauthorized access which could put Confidentiality and Integrity to a detriment. Of course, certain data should be guard due to certain legal requirement, for example, MEDICAL RECORDS PRIVACY and PRIVACY DATA PROTECTION ACT and hence, by having resource protection in place, such data leakage and litigation risk can be mitigated or prevented.

2. Privileged-entity control

Privilege-individuals are those who deal with systems programming, operations, and systems monitoring who are accessible to systems that general users are restricted. Such privilege can be for the entire system or certain function centered. When privileged individual makes alteration, or in case of insider who make use of certain backdoor, the total system is compromised. This means the lower-level controls and all resources are exposed regardless of any lower-level controls that may have been in place for security control. For example, if the system administrator switches on the wireless router which connects the broadband cable to allow his/her own personal use of laptop mobile browsing despite the normal accessibility solely by network cables, everyone who has the wireless connection may then access the network irrespective of authentication unless such authentication process is put in place.

Extended access can be divided into various segments, called classes, with each succeeding class more powerful than those preceding it. The class into which general system users are grouped is the lowest, most restrictive class; a class that permits someone to change the computing operating system is the least restrictive, or most powerful. Users must be specifically assigned to a class; users within one class should not be able to complete functions assigned to users in other classes. This can be accomplished by specifically defining class designations according to job functions and not permitting access ability to any lower classes except those specifically needed (e.g., all users need general user access to log on to the system). All other system support functions fall somewhere between these two.

3. Hardware Control

Hardwares themselves can have security vulnerabilities and exposures that need to be controlled. The hardware access control mechanism is supported by operating system software. However, hardware capabilities can be used to obtain access to system resources. Software-based control mechanisms, including audit trail maintenance, are ineffective against hardware-related access. Manual control procedures should be implemented to ensure that any hardware vulnerability is adequately protected. Such scenario can be illustrated below.

In the operating system of WINDOWS, all storage hard-disks are accessible as long as they are connected to the main processor. However, in the Linux system - Ubuntu, accessibility of any hard-disk within the same machine still requires authentication. Thus, when a Ubuntu operated computer falls into the hand of a data thief, by changing the OS to WINDOWS, all the hard-disks are accessible by a few simple clicks. The safeguard would be manually implement a locking system, or storage of hardware in secured place to prevent theft.

Some equipment provides hardware maintenance functions that allow main storage display and modification in addition to the ability to trace all program instructions while the system is running. Although it is possible to access business information directly from main storage, the information may be encrypted. It is simpler to obtain privileges and run programs that can turn encrypted data into understandable information. Another hardware-related exposure is the unauthorized connection of a device or communications line to a processor that can access information without interfacing with the required controls. The example of switching on the wireless function of a multi-purpose router as illustrated in 'Privileged-entity Control' section is a common pitfall.

REF:

1. Patricia AP Fisher, Information Security Management Handbook 6th Ed, Chapter 199: page 2629 - 2639

3. Give five (5) types of operational environment controls with short description.

Answer:

They are ways to achieve operation control which include methods to achieve resources protection, privileged-entity control and hardware control.

I. Preventive and Administrative Control - Policies and procedures that describe what actions privileged entities can do, and audit logs and monitoring processes (detective/technical) to check their actions. Segregation of duties also serves as preventive control to deter the privileged to have absolute control of the operational environment.

II. Preventive and Physical Control - Hardware security controls keep unauthorized hardware out of the environment and control access and modification to authorized hardware. Examples are server rack locks (preventive/physical), configuration management (preventive/administrative), and rouge wireless access point monitoring (detective/technical).

III. Software security controls - Software includes the system operating system, applications programs, database management system, and network software. Software security controls are implemented to keep unauthorized software out and to control the installation and modification of authorized software. Antivirus systems are an example of a preventive technical control to prevent the installation of malicious code on to a system. A policy requiring a software change control process is a preventive administrative control. File integrity checking systems are detective technical controls that detect unauthorized changes to system files. Backup and Restore software and processes are recovery controls. (Backup process is administrative; backup system hardware and software is technical).

IV. Input, Processing, Output Controls - All information systems take some input and process it to produce output. Security controls are put into place to ensure that as data moves through the system it is processed correctly according to the rules of the system. An example of input security controls is to have a policy to allow only authorized users to input data. Another input security control is to have the system validate all input. For example, if a name is put into the system, it should not contain special characters, or if a month number is entered, it should be between 1 and 12 (bounds checking). Processing controls ensure that transactions are completed correctly. If processing is interrupted, processing controls ensure the system recovers and transactions are not left hanging. Output security controls guard who has access to the output and also guards the integrity of the output. An example output control is to allow printing only to certain printers in secure locations. Marking and numbering output copies is another control used to track and control distribution of sensitive output.

V. Media Controls - Media controls are concerned with protecting sensitive information while it is stored outside the information system. Media is generally considered to be tapes. Other types of media are floppy, CD, DVD, USB device, or any other removable media. Examples of media security controls are to log (or catalog) all media, control access to media by locking it up and logging use, and to control reuse and destruction of media. Media protection is the job of the Media Librarian (or Tape Librarian).

REF:

1. James E. Purcell, Security Control Types and Operational Security

4. Define the meaning of Cryptology and it relation to the Confidentiality, Integrity and Availability?

Answer:

Cryptology refers to the mathematical science and field of study that comprises both cryptography and cryptanalysis.

• Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.
• Cryptanalysis is the study of mathematical techniques for attempting to defeat cryptographic techniques, and, more generally, information security services.

Hence, cryptology is both coding and decoding of information to enable such information be hidden from third party. The relation to Confidentiality, Integrity and Availability is explained below.

• Confidentiality – the focus of cryptology has been on the use of symmetric encryption to provide confidentiality. In fact, this is the core existence of cryptography in the ancient days so that only few are able know the real information for power maneuver.
• Integrity – meaning that the recipient of a message must be able to verify its authenticity and origin. In this case, one can add an authentication tag like digital signature to a message and have the recipient verify the tag before he or she accepts the message as being genuine.
• Availability – availability of information as required by the users at any time and through relative ease. In such case, cryptography allows availability of secured information to be transacted through the Internet or other electronic means, to wide geographical area and almost instantly, provided that the receiver has the key to open the message.

REF:

1. Cryptography and Network Security Principles and Practices, Fourth Edition by William Stallings.
2. Contemporary cryptography by Rolf Oppliger.
3. Handbook of Applied Cryptography by Menezes, Van Oorschot & Vanstone,, page 1-15.

5. What is the difference between a block cipher and a stream cipher?

Answer:

A block cipher is an encryption scheme which breaks up the plain text messages to be transmitted into strings (called blocks) of a fixed length t over an alphabet A, and encrypts one block at a time.

A stream cipher applies simple encryption transformations according to the keystream being used. The keystream could be generated at random, or by an algorithm which generates the keystream from an initial small keystream (called a seed), or from a seed and previous ciphertext symbols. It processes the message bit by bit (as a stream) and simply add bits of message to random key bits. The drawback is that it requires as many key bits as message, and hence double the amount of information to be transmitted. It is difficult in practice however, more secure than block cipher, provided that the key is truly random.

Generally speaking, a stream cipher is more secured and faster than block cipher. However, block cipher is more practical and more commonly be used.

REF:

1. Menezes, Van Oorschot & Vanstone, Handbook of Applied Cryptography, page 15.

6. List the types of cryptanalytic attacks.

Answer:

Types of cryptanalytic attacks are listed below.

1. Reverse Engineering
2. Guessing
3. Frequency Analysis
4. Brute Force
5. Ciphertext-Only Attack
6. Known Plaintext Attack
7. Attack Random Number Generators
8. Chosen Plaintext Attack
9. Birthday Attack
10. Factoring Attack
11. Replay Attack
12. Man-in-the-middle Attack
13. Dictionary Attacks
14. Inference

REF:

1. Information Security Management Handbook 6th Ed. Page 1260 – 1265.

Part B: Case Study [10 Marks]

Read and understand the attached article. From your understanding, write an essay to describe how the story could illustrates the benefits of using PKI into that organization in managing information and security requirements.

Attachment Title: Deploying and Using Public Key Technology: Lessons Learned in Real Life

Answer:

The Johnson & Johnson (J&J) deployment of a Public Key Infrastructure (PKI) in its IT security system is in fact a state of the art in its implementation. In such circumstances, J&J benefited greatly the advantages of the PKI in its IT communication within its internal management, its immediate business partners and the government authorities, and to a greater community of the public, who rely on its information for decision making. The effect of such communication can be confined to internal organization, inter-organisation or even global in its effect, for example, in a pandemic of the H1N1 flu or a bio-terrorism.

A PKI is especially important for a diversified company like J&J. People from different divisions and regions or among sister companies do not usually know each other, and yet may share the same information source from the top management. This is especially the case when they share the scientific discoveries from a few research centres around the world in the same platform to speedup the process of drug discovery. Amidst, it is already a daunting task to communicate high level scientific findings to ensure flawless information transfer, and yet the concern of a secured telephone line or who’s really who at the other end of the Internet. Furthermore, certain decisions from the top management are to be executed at the regional or even local level, where co-operation and coordination from the ground level are crucial for its ultimate success. Such activities entail communications at personal level and may then, require verification of who's who for assurance of disclosure of information which may have detrimental economic effect to the entire division of the organisation or the whole J&J in the eyes of the public.

This is the core area of how PKI could benefit the organization. PKI in a nutshell, is an identity reference point, which is able to reference the who's who for the users to ensure the rightful person an email or communication is directed at. The reference point is the Certificate Authority (CA) which issues Digital Certificate to everyone in the community and keeps a record of who's who. Therefore, anyone in the J&J community or outsiders who require ascertaining who's who in the J&J organisation refers to this authority for identity verification. If MrNazri is really the MrNazri of J&J Malaysia as verified by CA J&J, it is taken as nonrepundiable that MrNazri is the MrNazri that is.

The process of such verification is the job of the CA, and much of its work is certifying who's who by referencing to a third party, by both electronic and non-electronic means for example, viewing of original copies of certificates or identity cards, passport or driving license, membership qualifications by government authorities or academic organisations. Such activities is called establishing the Root CA, in which case, is independently carried out by a department inside J&J. This segregation of duty by the CA to Root CA benefits the CA in ensuring the authenticity of the identity.

Here-in-after, the identity certificate (Digital Certificate) issued by the CA is thus authenticating the origins of all the users of the PKI, making sure that he who receive the information is the correct identity rather than a hacker or a passerby. This benefit of PKI takes away the worries of error in sending classified information to the wrong person or visiting a webpage of J&J which is in actual face, a bogus website to cheat ignorant employee or public for LoginID and Passwords as part of the tactic of social engineering.

The mechanism of PKI in closer detail is that the staff can encrypt and/or digitally sign documents. Much of the job is done by the server and the desktop which the employee uses in the organisation. In this manner, it keeps the documents safe, limits who can change them, and gives nonrepundiation to its users. Nonrepudiation is a way to guarantee that the creator of a document cannot later deny having created it. It also means that user can prove who sent and received messages.

For the good of communication via the Internet, by using a PKI system, users can encrypt and/or digitally sign e-mails. PKI can also be used for access control and authentication as well. The Digital Certificates are linked to specific individuals (or computers), and users can tell CA to configure Digital Certificates so that the individual can only use them for certain tasks. All in all, PKI is a quite sophisticated system.

PKI is an infrastructure. Therefore, it is not an easy system to maintain and operate. For small businesses which run on limited geographical area, it is advisable to outsource PKI to a professional third party because it doesn’t serve the purpose and cost is high. For the scale of Johnson & Johnson, this is definitely not the case. Conversely, it would be in fact a master piece of PKI execution to its fullest potential when given such a scale of geographical presence and the magnitude of J&J business nature. Being a major player in the medical industry, it has the most highly technical business in the world and findings in research and development are vulnerable to sabotage. All this posts tremendous financial risk not just to the company in terms of share prices but also general concerns of the public who are customers to their medical equipments and drug.

The deployment of the PKI in Johnson & Johnson chose to go with Certificate Authority (CA) fully internal, rather than some third party professional CA outside. This being the case, was explained in the case study for 3 reasons, one being which the failure of outside vendor. For the size of Johnson & Johnson which is gigantic, fully internal CA is may be more acceptable than if it is smaller. Some how, this may be compromised if the CA is given too much autonomy, in which case, it was not. The separation of the CA from the Enterprise Directory, and the involvement of separate departments of HR and IT- Microsoft Exchange Directory for Email, and the procedures of WWID and supervisor inspection of application of Digital Certificate, may provide watchdog role in the architecture integrity of CA.

From the integrity point of view, at first glance, the segregation of identity verification mentioned above almost has the CA in an irrefutable position. However, for the regulatory body who engage public trust like FDA, indeed it needs to put the whole trust in Johnson’s internal CA management. Inevitably, FDA is taking everything that is fed by Johnson & Johnson to be the truth of all truth. FDA being an independent third party may need to audit Johnson & Johnson for such an infrastructure, or else how can a theft call the police to trust his judgment? If an outside CA is engaged in this situation, such a concern may be reduced.

The biggest challenge in such a huge scale of deployment of PKI is no doubt the human inadequacy of knowledge and willingness to change. As machines are in higher level of efficiency than human, there is a difficulty of matching the two together. Therefore, the illustrated challenges of failed keys and certificate-revocation list, immense stress on the help desks, language issues and others, making such a deployment something not really meaningful for a small business, or where information is no such critical matter in sustaining the business.

It is however, interesting to mention that although Johnson & Johnson is such a diversified organization, the deployment of PKI in this organization is excitingly straight forward, both politically and financially. Imagine the polarized view of top managements and the rivalry among different IT managers from different countries and regions; the different stages of IT infrastructures across different continent, and the different types of operating system that may be running for years. It is unimaginable that a PKI of such magnitude could be implemented even.

Think of the cost of replacing the old computers, changing the hardware and upgrades, the incompatibility of operating systems, the different language used, and the different IT stage of the different geographical area and people. It is indeed a nightmare!

REF:

1. Cryptography for Dummies by Chey Cobb. Part II – Public Key Infrastructure, Chapters 5-7.