Understanding Basic IT Security Principles


Before diving into the inner workings of cybersecurity, you need to have an understanding of basic IT security principles. In this article, Secur provides aspiring security geeks with:

  • A big picture view of security and risk concepts
  • An introduction to different security control categories and how they reduce risks
  • An overview of virtualization

One continuous theme you will find no matter where you work is that organizations need to balance resource availability with security constraints. As an example, using encryption to maintain the confidentiality of data increases data size by about 40 percent, so if a company encrypts all of its data, it will need approximately 40 percent more disk space to store the data and will consume more memory, processing time, and processing power. While security professionals can justify the additional resources, corporate executives have to minimize costs without sacrificing security by balancing resource costs and security needs.

Understanding Core Security Goals

Security starts with several principles that organizations include as core security goals and that drive many security-related decisions at multiple levels. These principles are brought together in the easy-to-remember “CIA” triad, which stands for:

  • Confidentiality
  • Integrity
  • Availability

Each listed element is important to address in any security program.

Ensure Confidentiality

A common use case in any organization is supporting confidentiality, which means preventing the unauthorized disclosure of data. It can be achieved through a number of methods.

Encryption

Encryption uses various techniques to render data unreadable by unauthorized personnel. Authorized personnel have the tools to decrypt the data, but encryption makes it extremely difficult for people to access the data without these tools. You would use encryption in situations where you want to transmit personally identifiable information (otherwise known as PII – get used to that acronym) across public networks.

Access Controls

Identification, authentication, and authorization combined provide access controls, ensuring only authorized personnel can access data. Imagine that you want to grant Maggie access to some data, but you don’t want Homer to be able to access the same data. You use access controls to grant and restrict access. The key elements of access controls include:

  • Identification: Users claim an identity with a unique username.
  • Authentication: Users prove their identity with authentication, such as with a password; a user claims the identity of her account and proves her identity with the password.
  • Authorization: Granting or restricting access to resources using an authorization method, such as permissions.

Steganography and Obfuscation

Another method of maintaining confidentiality is steganography: obscuring data by hiding it within other data in order to make it unclear or difficult to understand. This approach is often referred to as security by obscurity, and security experts reject it as unreliable. Having given that warning, steganography can be done a few ways:

  • Embed a hidden message in an image by modifying certain bits within the file; if people know what to look for, they will be able to retrieve the message.
  • Add a text file to an image file without the use of any special tools other than WinRAR and the Windows command line.

Integrity of Data

Integrity provides assurances that data has not changed in any way (modified, tampered with, or corrupted). Only authorized users should be modifying data; however, unauthorized or unintended changes can come from:

  • Unauthorized users
  • Malicious software
  • System/human errors.

When any of these changes occur, the data has lost integrity. The main way to maintain integrity, or at least to tell when it no longer exists, is with hashing.

Hashing

You can use hashing techniques to enforce integrity. A hash is simply a number created by executing a hashing algorithm against data, such as a file or message. If the data never changes, the hash remains the same, so by comparing hashes created at two different times, you can determine if the original data is still the same. If the hashes differ, something modified the data.

When you want to confirm the integrity of a file to a recipient, you send them the file and a hash of the file. The recipient runs the file through the same hashing algorithm, and if the output matches the hash sent to them, the file has maintained integrity. If the hash output is different, integrity has been lost.

Hashing techniques can verify the integrity of downloaded files as well. While you can do this manually with something like GPG, some programs automatically check hashes by comparing the source hash with the destination hash to determine whether they match. Sometimes an application developer calculates and posts the hash of a file on a web site; users then manually calculate the hash of the file after downloading it and compare the calculated hash with the posted hash.

  • If a virus infects a file on the web server, the hash of the infected file would be different from the hash of the original file.
  • Data integrity can be lost through human error; if a database administrator writes a faulty script to perform a bulk update, it can corrupt the database, resulting in a loss of integrity.
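The posted-hash check described above, as an added example (not code from the original article). It assumes the developer publishes a SHA-256 line in the common `<digest>  <filename>` layout; the file name `installer.bin` and its contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=64 * 1024):
    """Hash a file in chunks so a large download never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_line(line):
    """Parse one '<hex digest>  <filename>' line as posted next to a download."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<digest>  <filename>'")
    digest, name = parts[0].lower(), parts[1]
    if name.startswith("*"):          # '*' marks binary mode in this layout
        name = name[1:]
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest")
    return digest, name


def verify_download(path, checksum_line):
    """Return (ok, actual_digest); ok is True only if name and digest both match."""
    expected, name = parse_checksum_line(checksum_line)
    if os.path.basename(path) != name:
        return False, None            # the posted hash is for a different file
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected), actual


def demo():
    """Constructed scenario: a hash is posted, then the file changes by one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.bin")      # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"original release contents\n" * 1000)
        posted = f"{sha256_file(path)}  installer.bin"  # what the developer posts
        before, _ = verify_download(path, posted)
        with open(path, "ab") as fh:                    # unintended modification
            fh.write(b"\x00")
        after, _ = verify_download(path, posted)
        return before, after


if __name__ == "__main__":
    print(demo())
```

A match only shows that the file equals what the hash publisher hashed; it says nothing about who posted the hash, which is the gap digital signatures fill.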

Digital Signatures, Certificates, and Non-Repudiation

Another tool that aids in verifying integrity is the digital signature. In theory, a digital signature is similar to a handwritten signature; after you sign a document, no one can modify the words in the contract unless they can reproduce the signature, which isn’t easy to do. This tool provides:

  • Authentication: A digital signature prevents attackers from impersonating others and sending malicious emails.
  • Non-repudiation: Digital signatures prevent a person from denying sending an email. Similarly, when you buy something with a credit card and sign the receipt, you can’t later deny making the purchase. Properly configured and secured audit logs that record details such as who, what, when, and where also provide non-repudiation.

Another important item to know is that digital signatures require the use of certificates and a Public Key Infrastructure (PKI).

  • Certificates include keys used for encryption and the PKI provides the means to create, manage, and distribute certificates.  

Availability

Availability means that data and services can be accessed as needed. Availability is maintained through the implementation of redundancy and fault-tolerant technology as well as keeping up with patches to deal with bugs.

Fault Tolerance and Redundancy

The fault tolerance of a system is improved via redundancy, the duplication of critical systems, so that if a critical component has a fault, the service continues to operate without interruption.
Redundancy achieves fault tolerance by removing single points of failure (SPOFs); if an SPOF fails, the entire system can fail. Fault tolerance is achieved through a number of techniques listed below:

  • Disk redundancies. Fault-tolerant disks, like RAIDs, allow a system to continue to operate even if a disk fails.
  • Server redundancies: Using failover clusters ensures a service continues to operate if a server fails.
    • In a failover cluster, the service switches from the failed server in a cluster to an operational server in the same cluster.
  • Load balancing: Uses multiple servers to support a single service, such as a high-volume web site. It can increase the availability of web sites and web-based applications.
  • Site redundancies. If a site can no longer function due to a disaster, such as a fire, flood, hurricane, or earthquake, the organization can move critical systems to an alternate site.
    • Hot sites are ready and available 24/7
    • Cold sites are locations where equipment, data, and personnel can be moved to when needed
    • Warm sites 
  • Backups: Used to restore data if the original data is lost. Data can be lost due to corruption, deletion, application errors, human error, and even hungry gremlins that just randomly decide to eat your data.
  • Alternate power. Uninterruptible power supplies (UPSs) and power generators can provide power to key systems even if commercial power fails.
  • Cooling systems. Heating, ventilation, and air conditioning (HVAC) systems improve the availability of systems by reducing outages from overheating.

Patching Software

Software bugs cause a wide range of problems, including security issues and even random crashes. When software vendors discover the bugs, they develop and release code that patches or resolves these problems.

Basic Risk Concepts

The fundamental purpose of IT security is to reduce risk, so it is worth understanding what we mean when discussing the term risk and related concepts that define and impact risk. These include:

  • Risk: the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss.
  • Threat: any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.  Threats can come from inside an organization, such as from a disgruntled employee or a malicious insider. They can come from outside the organization, such as from an attacker anywhere in the world with access to the Internet. Threats can be natural, such as hurricanes, tsunamis, or tornadoes, or manmade, such as malware written by a criminal. Threats can be intentional, such as from attackers, or accidental, such as from employee mistakes or system errors.
  • Vulnerability: A weakness in the hardware, the software, the configuration, or even the users operating the system.
    If a threat (such as an attacker) exploits a vulnerability, it can result in a security incident.
  • Security incident: An event that can affect the confidentiality, integrity, or availability of an organization’s information technology (IT) systems and data. This includes intentional attacks, malicious software (malware) infections, accidental data loss, and much more.
  • Risk Mitigation: Reduces the chances a threat exploits a vulnerability. You reduce risks by implementing controls (also called countermeasures and safeguards). While you can’t prevent most threats, you can reduce risk by reducing vulnerabilities to the threat, or by reducing the impact of the threat with proper access controls and antivirus software.

Understanding Security Control Types

When it comes to understanding security controls, it is important to separate the implementation method from the objectives of the control. Security controls can be implemented in three main ways:

  • Technical controls use technology.
  • Administrative controls use administrative or management methods.
  • Physical controls refer to controls you can physically touch.

The goals of security controls can be:

  • Preventive controls attempt to prevent an incident from occurring.
  • Detective controls attempt to detect incidents after they have occurred.
  • Corrective controls attempt to reverse the impact of an incident.
  • Deterrent controls attempt to discourage individuals from causing an incident.
  • Compensating controls are alternative controls used when a primary control is not feasible.

It’s important to realize that the control types (technical, administrative, and physical) and control goals (preventive, detective, corrective, deterrent, and compensating) are not mutually exclusive. In other words, you can describe most controls using more than one category.
As an example, encryption is a preventive technical control. It helps prevent the loss of data confidentiality, so it is a preventive control. You implement it with technology, so it is a technical control.

Technical Controls

Technical controls are technology-based measures used to reduce vulnerabilities. These include:

  • Encryption. Used to protect the confidentiality of data. This includes data transferred over a network and data stored on devices, such as servers, desktop computers, and mobile devices.
  • Antivirus software. Once installed, the antivirus software provides protection against malware infection.
  • Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs): Monitor a network or host for intrusions and provide ongoing protection against various threats.
  • Firewalls. Network firewalls restrict network traffic going in and out of a network.
  • Least privilege. Individuals or processes are granted only the privileges, a combination of rights and permissions, they need to perform their assigned tasks or functions, but no more.
  • Technical physical security and environmental controls:  Motion detectors and fire suppression systems

Administrative Controls

Organizational policies typically dictate the specific administrative controls management must use to reduce and manage risk. These controls provide an ongoing review of an organization’s risk management capabilities and include:

  • Risk assessments: Quantify or qualify risks within an organization, using probabilities and costs, so that the risks can be prioritized.
  • Vulnerability assessments: Discover current vulnerabilities or weaknesses.
  • Penetration tests: Attempt to exploit vulnerabilities to test defence mechanisms.

Most administrative controls are implemented in day-to-day procedures as operational controls, ensuring that a company complies with the organization’s overall security plan. Operational controls include:

  • Awareness and training: Training involves explaining to employees the importance of password security and a clean desk policy, helping them understand threats such as phishing and malware, and much more.
  • Configuration and change management: Configuration management often uses baselines to ensure that systems start in a secure, hardened state. Change management helps ensure that changes don’t result in unintended configuration errors.
  • Contingency planning: Organizational planning and preparation for potential system outages to reduce the overall impact on the organization if an outage occurs.
  • Media protection. Media includes physical media such as USB flash drives, external and internal drives, and backup tapes.
  • Physical and environmental protection: This includes physical controls, such as cameras and door locks, and environmental controls, such as heating and ventilation systems.

Physical Controls

Physical controls are any controls that you can physically touch, including lighting, signs, fences, security guards, and more; many of these are also technical controls.

Control Goals

Another way of classifying security controls is based on their goals in relationship to security incidents. Some common classifications are preventive, detective, corrective, deterrent, and compensating.

  • A detective control can’t predict when an incident will occur and it can’t prevent it. In contrast, prevention controls stop the incident from occurring at all.

Preventative Controls

As the name suggests, preventive controls attempt to prevent security incidents before they happen and include:

  • Hardening: Involves making a system more secure than its default configuration and is a defence in depth strategy which includes:
    • Disabling unnecessary ports and services
    • Implementing secure protocols,
    • Using strong passwords along with a robust password policy, and
    • Disabling default and unnecessary accounts.
  • Security awareness and training. Ensuring users are aware of social engineering vulnerabilities and threats helps prevent incidents. When users understand how social engineers operate, they are less likely to be tricked.
  • Security guards: Prevent and deter many attacks. 
  • Change management: Ensures that changes don’t result in unintended consequences and is both an operational control and a preventive control.
  • Account disablement policy: Ensures that user accounts are disabled when an employee leaves to prevent ex-employees from continuing to use these accounts.

Detective Controls

Detective controls detect when a vulnerability has been exploited, resulting in a security incident, and include:

  • Log monitoring: Logs record details of activity on systems and networks. Firewall logs record details of all traffic that the firewall blocked. Automated methods of log monitoring automatically detect potential incidents and report them right after they’ve occurred.
  • Trend analysis: You should monitor logs to detect trends. An intrusion detection system (IDS) attempts to detect attacks and raise alerts or alarms, often by analyzing past alerts to identify trends, such as an increase of attacks on a specific system.
  • Security audits:  Can examine the security posture of an organization.
    • Password audits determine if the password policy is ensuring the use of strong passwords.
    • Reviews of user rights detect if users have more permissions than they should.
  • Video surveillance: Also a deterrent control, a closed-circuit television (CCTV) system can record activity and detect what occurred.
    • A simple camera without recording capabilities can prevent incidents because it acts as a deterrent.
    • A CCTV system with recording abilities prevents and detects incidents.
  • Motion detection: Many alarm systems can detect motion from potential intruders and raise alarms.
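The log monitoring and trend analysis items above, as an added example (not code from the original article): it counts blocked connections per destination per hour and flags a destination whose latest hour is well above its earlier average. The log line format, the addresses, and the `factor` and `min_events` thresholds are constructed assumptions, not any real firewall's output or defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed (made-up) line format: "<UTC timestamp> <BLOCK|ALLOW> src=.. dst=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>BLOCK|ALLOW) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (hour_bucket, action, dst) or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.replace(minute=0, second=0), m["action"], m["dst"]


def blocked_per_hour(lines):
    """Count BLOCK events per destination per hour; also count unparsable lines."""
    counts = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # unparsable lines are themselves worth reviewing
            continue
        hour, action, dst = rec
        if action == "BLOCK":
            counts[dst][hour] += 1
    return counts, skipped


def rising_targets(counts, factor=3.0, min_events=5):
    """Flag destinations whose latest hour exceeds factor x their earlier hourly mean."""
    hours = [h for buckets in counts.values() for h in buckets]
    if not hours:
        return []
    first, last = min(hours), max(hours)
    n_earlier = int((last - first).total_seconds() // 3600)
    if n_earlier == 0:
        return []                 # no baseline to compare against yet
    alerts = []
    for dst, buckets in counts.items():
        latest = buckets.get(last, 0)
        # Hours with no blocked traffic count as zero in the baseline.
        baseline = sum(n for h, n in buckets.items() if h < last) / n_earlier
        if latest >= min_events and latest > factor * baseline:
            alerts.append((dst, baseline, latest))
    return sorted(alerts)


def sample_log():
    """Constructed log lines using documentation and private address ranges."""
    def blk(hour, n, dst):
        return [f"2024-05-01T{hour:02d}:{i:02d}:00Z BLOCK "
                f"src=203.0.113.{i + 1} dst={dst} dport=22" for i in range(n)]
    lines = blk(8, 1, "10.0.0.5") + blk(9, 2, "10.0.0.5") + blk(10, 9, "10.0.0.5")
    lines += blk(8, 2, "10.0.0.9") + blk(9, 2, "10.0.0.9") + blk(10, 2, "10.0.0.9")
    lines += ["2024-05-01T10:30:00Z ALLOW src=198.51.100.4 dst=10.0.0.5 dport=443",
              "garbled line without fields"]
    return lines


if __name__ == "__main__":
    counts, skipped = blocked_per_hour(sample_log())
    print(rising_targets(counts), "skipped:", skipped)
```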

Corrective Controls

Corrective controls attempt to reverse the impact of an incident or problem after it has occurred and include:

  • IPS: An intrusion prevention system (IPS) attempts to detect attacks and then modify the environment to block the attack from continuing.
  • Backups and system recovery: Backups ensure that personnel can recover data if it is lost or corrupted. Similarly, system recovery procedures ensure administrators can recover a system after a failure.

Deterrent Controls

Deterrent controls attempt to discourage attacks and violations of security policies; you can also describe many deterrent controls as preventive controls. For example, a security guard will deter most people from trying to sneak in simply by discouraging them from even trying, which prevents security incidents related to unauthorized access. Some physical security controls used to deter threats:

  • Cable locks. Securing laptops to furniture with a cable lock deters thieves from stealing the laptops. 
  • Hardware locks: Other locks such as locked doors securing a wiring closet or a server room also deter attacks. Many server bay cabinets also include locking cabinet doors.

Compensating Controls

Compensating controls are alternative controls used instead of a primary control.

  • Smart Cards: An organization might require employees to use smart cards when authenticating on a system.
  • Time-based One-Time Password (TOTP): To allow new employees to access the network and still maintain a high level of security, the organization might choose to implement TOTP as a compensating control. The compensating control still provides a strong authentication solution.

Implementing Virtualization

Virtualization, while popular within large data centers, can also be used on a regular personal computer. It allows you to host one or more virtual systems, or virtual machines (VMs), on a single physical system, as well as an entire virtual network within a single physical system, with the end result being a reduction in operating costs. Virtualization provides the best return on investment (ROI) when an organization has many highly under-utilized servers because, in addition to a reduction in hardware costs, fewer physical servers consume less electricity and require less heating and ventilation to maintain.

When getting started with virtual machines you need to understand some basic terminology:

  • Hypervisor: Software that creates, runs, and manages the VMs. Virtual machine packages usually have their own hypervisor software.
  • Host: The physical system hosting the VMs; requires more resources than a typical system, such as multiple processors, massive amounts of RAM, fast and abundant hard drive space, and one or more fast network cards.
    • While the additional resources increase the cost of the host, it is still less expensive than paying for multiple host systems and will require less electricity, cooling, and physical space on an ongoing basis.
  • Guest: The operating systems running on the host system; most hypervisors support several different operating systems, including both 32-bit and 64-bit operating systems.
  • Elasticity/scalability: The ability to resize computing capacity based on the load.

Remember that virtual machines are simply files, albeit files with some complexity. Because a VM is just a group of files, it is relatively easy to:

  • Move VMs from one physical server to another.
  • Restore a failed virtual server. If you create a backup of the virtual server files and the original server fails, you simply restore the files. You can measure the amount of time it takes to restore a virtual server in minutes versus a physical server, which can take hours.
  • Manage multiple virtual systems on a single server, even when the virtual servers are running on separate physical hosts; you can manage all of them through a single management interface including taking snapshots, reverting snapshots, and moving the virtual servers from one physical host to another.

Risks Associated with Virtualization

As with every IT alternative, there are some weaknesses. These include:

  • VM Escape: The most serious threat to virtual system security is an attack that allows an attacker to access the host system from within the virtual system. The host system runs an application or process called a hypervisor to manage the virtual systems. In some situations, an attacker can run code on the virtual system and get access to the hypervisor. As most virtual systems run on a physical server with elevated privileges, if not administrator privileges, a VM escape attack often gives the attacker unlimited control over the host system and each virtual system within the host.
  • VM Sprawl: Occurs when an organization has many VMs that aren’t managed properly. Most organizations have specific policies in place to ensure physical servers are kept up to date and personnel only make changes to these servers after going through a change management process. These same policies should also apply to virtual servers.
    Sprawl occurs when VMs created to test a software application get left running but are unknown to the change management system responsible for installing patches. The IT department tests these patches and applies them to all of the known servers that need them. Additionally, with VM sprawl, each VM adds additional load onto a server.
  • Loss of Confidentiality: As a reminder, each virtual system or virtual machine is just one or more files. Although this makes it easy to manage and move virtual machines, it also makes them easy to steal.  Anyone with access to the systems can copy the virtual machine, launch it on another physical server and have access to the system and the data.

Comparing Hypervisor Technology

When implementing virtualization on a local machine, you will use Type II hypervisor-based virtualization; virtualization in large-scale data centers typically uses Type I virtualization.

  • Type I Hypervisors: Often called bare-metal hypervisors, they run directly on the system hardware.
  • Type II Hypervisors: As seen in the diagram below, Type II hypervisors run as software within a host operating system. For example, the Microsoft Hyper-V hypervisor runs within a Microsoft operating system.

Figure (Type II hypervisor): A single computer hosting three guest operating systems using Type II hypervisor-based virtualization. Each guest has a full operating system.

Container Application Virtualization

As seen in the diagram below, application cell/container virtualization involves running applications in isolated application cells; as they are running in separate containers, none of the services or apps can interfere with services and apps in other containers.

Figure (application containers): Example of container virtualization; the containers don’t host an entire operating system. The host’s operating system and kernel run the service or app within each of the containers.

The benefit of container virtualization is that it uses fewer resources and is more efficient than a system using traditional Type II hypervisor virtualization. It is often used by ISPs for customers who need specific applications.

Secure Network Architecture

Virtualization can form the basis of an overall secure network architecture, as VMs segregate, segment, and isolate individual systems. An example of this is disabling the network interface card (NIC) in the VM to prevent it from transmitting any data in or out of the VM.

Virtual Machine Snapshots

A snapshot is a copy of the VM at a moment in time, which you can use as a backup. You are still able to use the VM just as you normally would. The hypervisor keeps a record of all changes to the VM after taking a snapshot, so if the VM develops a problem, you can revert the VM to the state it was in when you took the snapshot. Standard practice is to take snapshots of systems prior to performing any risky operation like applying patches or updates, testing security controls, and installing new applications. The snapshots allow for easy reversion of a system to a known good state with a known good configuration.

VDI/VDE and Non-Persistence

In a virtual desktop infrastructure (VDI) or virtual desktop environment (VDE), a user’s desktop operating system runs as a VM on a server, with the benefit being that user PCs can have limited hardware resources. As long as the machine can connect to a server over a network, it can run a full-featured desktop operating system from the server. The main consideration when running virtual desktops is whether to support persistence or non-persistence.

  • Persistent virtual desktop: Users have individual desktop images, which they can customize and in which they can save their data.
    • A drawback is the amount of disk space required on the server to support unique desktop images for all users.
  • Non-persistent virtual desktops: All users get served the same desktop; users can make changes to the desktop as they’re using it, but it reverts to the original snapshot when they log off.
