Network Security


Assessing Needs.  The need for security in computer networks is as fundamental as the need for the networks themselves.  But how much and what kind of security is needed?  There needs to be some sort of cohesive effort that spans many different areas and expertise's.

In general, it is reasonable to start dealing with security issues by considering the three following aspects.

  • What is the type of activity engaged in by the organization developing the network?
    • is it the nature of the business/information to require security?
      • legal profession
      • health profession
      • financial institutions
      • law enforcement
      • personnel records
      • defense related developments
      • highly competitive industries
      • organizations connected to the Internet
  • What is the nature of the data stored on the network?
    • the data itself almost always needs to be alterable by a very few
    • even if data is accessible for viewing, how is this accomplished
      • payroll records
      • personal information
      • accounting information
      • tax data
      • trade secrets
  • What is the overall management philosophy of the organization?
    • degrees of openness and/or closedness
    • extent of interaction between organization members
    • who gets to know what

Assessing Security Threats.  After developing an understanding of certain basic issues related to the functioning of the organization, it is important to assess what are the likeliest threats to the network.  Unfortunately, it is fairly easy to lack appropriate awareness and/or lose one's sense of proportion when doing these assessments.  But regardless, security threats can be reasonably classified into the two following categories.

  • external threats
    • unauthorized use of passwords and keys
    • DoS - denial of service attacks
    • IP spoofing
    • viruses and worms
    • trojan horses
  • internal threats
    • corporate espionage
    • internal politics
    • disgruntled employees
    • accidental breaches
    • rebellious users

We will now work through the above list and discuss each.

External Threats.  First we will survey several of the more common external threats.

Unauthorized Use of Passwords and Keys.  First, some definitions and distinctions.

  • password - a sequence of characters used by a user to verify they really have particular authorizations
  • key - a number or cipher used to verify the integrity of a communication

Passwords and keys are security measures designed to help keep unauthorized persons from accessing particular resources or information.  But they are effective only if they are kept secret.

Hackers aren't usually as sophisticated as they are portrayed in the popular media.  They are more likely to gain access through someone else's error.  For example, if they know someone working for an organization and get their password, or know someone that knows someone and the same sort of thing happens. 

It can also be the case that many users create passwords that are easy to guess because they wanted to have a password that is easy to remember.  They might end up writing their password down in someplace that isn't as protected as they should want it to be.

Hackers also sometimes pose as technical support personnel or law enforcement personnel in order to gain access to a few salient pieces of information.  This sort of effort is often called a social engineering approach.  It is important for all users to be able to verify who they are interacting with before disclosing any information.

Hackers may also obtain passwords by brute force, exhaustive efforts.  They may find a way to go through a huge number of possible passwords undetected by the security system.

Truly technical hackers can find out passwords by intercepting packets of information on the network.  This isn't as hard a one might hope in far too many settings.

DoS - Denial of Service.  Denial of Service attacks are currently getting a fair amount of publicity.  This is in part due to the fact that if a popular website goes down, others are going to notice.  DoS attacks are usually orchestrated to overwhelm the resources of a particular network in order to cause it to fail.  This failure can be aimed at a network or at particular servers.

Some of the most common forms of DoS are the following.

  • Ping/ICMP - Internet Control Message Protocol Flood
    • this involves a flood of packets that overwhelm the system
  • Smurf Attack
    • this is an ICMP flood that is so widespread it affects the entire network for a service provider
  • Ping of Death
    • this is a more sophisticated variant of the earlier that sends packets that are also large enough to require the systems to break them apart in addition to other handling efforts
  • SYN Attacks
    • the attackers make use of TCP synchronization messages involved in the three way handshake to disrupt communications

In order to attain a volume that is sufficient to be adequately disruptive these attacks can be quite large and orchestrated.  Another way that hackers sometimes work is to take control of a powerful server someplace on the network and use it's processing capabilities to attack other sites.

IP Spoofing.  IP spoofing involves modifying the packet headers of messages being sent.  This makes it seem that the messages are coming from a different source.  This can end up being the basis of gaining not truly traceable access to resources on a network or Internet.

Computer Viruses and Worms.  Computer viruses are programs that can replicate themselves and spread from one computer to another without each user's consent.  Unfortunately, these programs are usually malicious to the operation of host computers when present.

Several of the most recent viruses have taken advantage of certain types of automatic processing on Microsoft clients and servers to cause themselves to be sent to every user in particular address books.  Then these receivers send the virus on and so on.  This sort of effort can bring networks and e-mail servers to a screeching halt.

Worms usually propagate in somewhat similar fashions, but they are usually more oriented towards damaging source files on host computers.

Trojan Horse Programs.  A trojan horse is a program that misrepresents itself in order to obtain particular information or access.  For example, there are trojan horse programs that emulate login screens in order to obtain user's login information.

Internal Threats.  Many security measures focus purely on external threats.  This sort of self protection through denial of some of the most real threats is not particularly intelligent or effective.  For example, it is usually much more likely for a retail firm's own employees to engage in theft than it is for external customers to be capable of stealing from a store floor.

There are many motives for such internal efforts.

Corporate Espionage.  Corporate espionage is usually the most sophisticated of efforts to intrude where one shouldn't be.

Employees can be approached by competitors or other firms and be offered considerable rewards for disclosing particular information.

There are also freelance corporate spies who engage in such efforts for personal financial gain.

These spies are usually intelligent and quite aware of what they are doing.  They can also be some of the most difficult to find.

Computer networks can be particularly vulnerable to such expertise.

I think of the recent hirings by the Homeland Security agencies in their efforts to thwart future 9-11 sorts of efforts.  I considered the mass hirings to have been some of the silliest attempts.  These agencies were demonstrating almost no capability to gain inside information on appropriate organizations in the past.  Their own infrastructures should be highly suspect in many ways for these and other reasons.  They clearly have had very little at least recent history of working very well within other cultures or employing people they trusted to gain such information.  Then they see themselves as being able to mass hire to solve these kinds of issues!  Who are they hiring?  What are their selection processes?  It seemed to me to also be an opportunity for mass infiltration by outside groups.

Well, I can go on about internal security efforts in a large number of organizations ...

Internal Politics.  Another difficult source of internal security breaches can come from internal politics.  Sometimes these breaches can be traced back to an employee willing to do just about anything to advance themselves.  They may try to gain access to particularly important information or to sabotage another's efforts.  Some can use computing to unfairly scrutinize or setup other people.  They might even go so far as to plant incriminating evidence if they have sufficient expertise.

Fortunately in most instances, because these perpetrators aren't likely to be all that computer network savvy, they can be thwarted and/or diminished through fairly standard network security.

Disgruntled Employees.  Employees or ex-employees with grudges against the company can also be a source of problems for computer security.  They might work to destroy data sources or disrupt basic communication processes.  This can be particularly troublesome if a technically capable employee has become disgruntled.

In particular, for terminated employees, it is important for their access rights to be quickly terminated.  It may also be the case that their physical access needs to be curtailed.

Accidental Breaches.  It is often the case that internal security problems are caused by inadvertent errors or lack of training.  Sometimes operating systems software can be destroyed by someone doing things in inappropriate places.  Some users may actually be trying to help when their efforts end in a mess up.

Rebellious Users.  This can develop in a variety of ways.  For example , it may be that a particular user wants to implement particular software.  They may do this after purchasing appropriate software or not.

Company policy needs to be intelligent and appropriate.  Some policies can actually be overly restrictive and truly diminish the capability of employees to do their assigned tasks.  On the other hand, some policies can be too lax.  There are far too many possibilities to discuss in such a brief survey.