Base One - Network security and building secure applications

.NET database and distributed computing tools

Network Security and Building Secure Applications

Introduction
Why security systems fail
The elements of security
Security resources on the web

Security is about protecting your assets

Any computer application may pose a risk to a company's information assets and its good name, as well as its tangible property. Important data could be lost or falsified, essential services rendered unavailable, or confidential information revealed, with potentially disastrous consequences. The problem of security is not new, but it has gotten worse, and there is reason to expect this trend to continue.

Inattention to security also carries legal risks, with a growing body of regulations mandating compliance to accepted standards of accountability, safeguarding the integrity of important information, protecting privacy, and making information available to authorized agencies. These regulations impose an additional burden, on top of the considerable technical challenges of creating secure applications, but they also encourage companies to do something in their own interest: understand security and plan for it from the outset.

Why security systems fail

Computer systems are complex, invariably having some bugs.
Information is vulnerable, especially in transit across the Internet.
People are involved, adding unpredictable human factors.
Security is inherently difficult to engineer and test (because it pertains to negative functionality).
Determined attackers really are out to get you!

With ever-increasing reliance on pervasive information technology and no immediate prospect of a less hostile world, the prognosis doesn't look good. Nevertheless, countermeasures can be cost-effective in a well designed system. The key to successful security is taking the whole system into account, because a single weakness can break the entire chain.

The elements of security

Consider the requirements of a secure system and how those requirements might be threatened, whether by deliberate attack or otherwise. The following table briefly summarizes each basic aspect of security, its vulnerabilities, and the kinds of security practices that help to mitigate those risks.

Element / Threat	Vulnerabilities	Countermeasures
Availability maintaining timely access to information and services Threat: Customers are deprived of service - you might as well be out of business.	application crash due to software error (i.e., a bug) system hangs instead of degrading gracefully under heavy usage distributed denial of service (DDOS) attack power outage diverse types of hardware failure natural disaster riot or terrorist attack inability to restore data promptly after a system failure	robust application design with comprehensive exception handling provision for ample peak capacity and built-in overload protection limits on request execution times firewall and router configuration with network traffic monitoring and adaptive filtering segmented network topology hardening the TCP/IP stack UPS and redundant hardware, ready to swap into service automated transaction logging and recovery mechanisms
Authentication ensuring legitimate identification of users and their agents Threat: An anonymous or bogus identity enters a restricted area, opening the door to further mischief.	Passwords and keys can be misappropriated in any of these ways: phishing and other email-based social engineering scams spyware infection acquired from any of a variety of web browsing exploits, such as cross-site scripting and pharming breaking weak passwords by brute force packet sniffing on insecure network traffic physical eavesdropping theft of keys and computers discarded computers and media Or authentication could be bypassed altogether, through: holes in application design or system configuration that provide an avenue for circumventing normal perimeter defenses Trojan "back door" planted by a virus or worm man-in-the-middle attacks and other variations of session hijacking	education on common security threats and safe practices policies encouraging use of strong passwords with periodic expiration operating system lockdown, updates, and patch management malware scanning, blocking, and removal tools biometrics, smart cards, and two factor authentication technologies cryptographically secure storage and transmission of passwords, keys, and session state information strongly encrypted communications protocols, such as SSL and IPSec cryptographic hashing for secure password storage, session control, and proxy authentication multiple authentication, session timeouts, and logout functionality automatic lockout after repeated failed login attempts independent penetration testing preparing for rapid incident response
Authorization restricting the actions a user is permitted to take Threat: An attacker gains access to restricted resources without proper approval, setting the stage for breach of confidentiality or data tampering.	exposed system files and resources for which access has not been sufficiently restricted buffer overruns, SQL injection, cross-site scripting, and other forms of parameter manipulation, gaining access to more capabilities than intended escalation of privileges by exploiting known operating system vulnerabilities abuse of administrative privileges insider knowledge about details of application design, network configuration, file names, or database structure	configuration of network components, databases, workstations, and servers according to best practice guidelines employing all available access control mechanisms, including those at the application level thorough input validation and other defensive coding practices principles of least privilege and constrained I/O compartmentalized architecture to limit damage activity monitoring and intrusion detection systems deterrence through secure audit trails
Accountability preserving a record of what was done and by whom Threat: A transaction becomes untraceable and refutable, because of failure to capture and retain data proving its source.	inadequate logging due to design oversight or insufficient security requirements planning log files lost, damaged, or simply not adequately secured to comply with legal evidentiary standards	Facilities for automated, secure logging, which provide the basis for a number of essential functions: audit trails that guarantee non-repudiation automatic database recovery following interrupted operations diagnosing unexplained failures intrusion detection and forensic analysis tracking down and prosecuting cyber-criminals
Confidentiality hiding sensitive information from unauthorized viewers Threat: News of a breach of confidential information causes embarrassment and legal liability.	Sensitive information may be exposed because of failure to adequately restrict access, due to: hastily constructed applications ignorance of regulatory requirements	Application designers must be educated and adhere to policies regarding the use of encryption and access controls for compliance with applicable privacy laws and regulations, such as: Health Insurance Portability and Accountability Act (HIPAA) Gramm-Leach-Bliley Act (GLBA) Cardholder Information Security Program (CISP) Data Protection Act (in the UK)
Integrity guaranteeing that information remains accurate and complete Threat: Data is missing or falsified, casting a shadow over the entire system's credibility.	physical loss or damage due to failure of hardware or storage medium malicious tampering by an attacker who has penetrated defenses error in application program logic (bug), e.g. due to improper synchronization of multi-user access, race conditions, etc.	backup storage physical security effective access controls checksums and hashed message authentication codes safe coding practices: defense in depth, peer design review, diligent testing and quality assurance rigorous transaction processing techniques compliance with legislation safeguarding the accuracy of financial data, e.g. Sarbanes-Oxley Act (SOX).

Security resources on the web

CACI International
CACI is a prime contractor to the U.S. Government, providing enterprise-level IT and network services to the defense industry. Their table of Computer Security Threats presents a concise overview of various categories of threats, vulnerabilities, techniques of prevention and detection, and countermeasures.
CCCure.Org
Devoted to helping people achieve CISSP, SSCP, CISM, and GCFW security certifications, this site has study guides, links, and a library of security-related documents. In particular, the Handbook of Information Security Management is an open study guide whose organization corresponds to the 10 domains of the CISSP (Certified Information Systems Security Professional) certification examination. This online book is composed of a series of short, informative articles by a number of experts on a range of security topics.
CERT Coordination Center (CERT/CC)
A part of Carnegie Mellon University's federally funded Software Engineering Institute (SEI), CERT/CC was instigated by the Defense Advanced Research Projects Agency (DARPA) in response to the Morris worm incident of 1988, which brought 10 percent of Internet systems to a halt. Since its inception, CERT/CC has become a major reporting center for security incidents and vulnerabilities. CERT/CC performs research and provides guidance on evaluating and improving security, including courses, certification programs, and numerous articles and reports. In late 2003 CERT/CC and the Department of Homeland Security (DHS) announced a partnership to create US-CERT, which now oversees the primary database of vulnerability notes and alerts about current threats. While there is some overlap between CERT/CC and US-CERT, CERT/CC contains archival content not found elsewhere, such as its Advisories and Tech Tips, many of which are still relevant. For example CERT's Tip on Denial of Service and its Advisory on TCP SYN Flooding and IP Spoofing Attacks are representative.
Cisco - Security
As one of the world's largest manufacturers of networking equipment, Cisco is a source of in-depth information about secure networking products and technologies. Cisco's SAFE Blueprint white papers include VPN IPSec Virtual Private Networks in Depth, Wireless LAN Security in Depth, and IDS Deployment, Tuning, and Logging in Depth, which provide detailed best-practice information on VPNs, WLANs, and intrusion detection systems, along with a primer on each of these general topics as an appendix. (Cisco also participated in creating a popular introductory article on How Virtual Private Networks Work.) Another informative white paper, DDOS Threats - Risks, Mitigation and Best Practices, describes Cisco's multilayered strategy for defending against distributed denial-of-service attacks.
Google Directory - Computer Security
The Google Directory is an extensive (but far from exhaustive), categorized compilation of links to notable sites, ranked within each category by Google's proprietary measure of importance (PageRank). The categories, sites, and descriptions originate from volunteer human editors of the Open Directory Project, whose corresponding computer security heading covers more than 3500 references, listed under about 30 major security topics, with further sub-topics beneath them.
IBM - Security
IBM provides both hardware and software security products, with an emphasis on high-end solutions built around its Tivoli line of enterprise management software. The Security Resource Center includes a substantial collection of "Redbooks" in downloadable PDF format (some also available as Java-assisted web pages), for example Enterprise Security Architecture Using IBM Tivoli Security Solutions, which presents a comprehensive overview of IBM's vision of end-to-end security. WebSphere Security Fundamentals contains a basic general introduction to IT security, followed by specific details about J2SE, J2EE, and the Java-oriented WebSphere application infrastructure. Multilevel Security and DB2 Row-Level Security Revealed provides a glimpse of advanced features for building highly secure data repositories using DB2 and RACF in a z/OS environment.
Microsoft - Security
Security has become a central consideration in Microsoft's latest major offerings, notably the new security features in Windows XP SP2, the .NET Framework, SQL Server 2005, and the forthcoming Windows Vista operating system. In addition to providing extensive information geared toward Microsoft's own products, the MSDN Security Developer Center contains in-depth articles of general interest, for example Improving Web Application Security: Threats and Countermeasures.
Oracle - Security
Not surprisingly, Oracle Corporation's perspective revolves around security features of the Oracle DBMS, the company's flagship product. Oracle also sells an extensive line of integrated middleware, Java (J2EE) development tools, and consolidated Identity Management facilities for enterprise applications. Oracle's Advanced Security option adds strong cryptography for transparent database encryption, encrypting network traffic (via RC4, DES, 3DES, or AES) and assuring its data integrity (with MD5 or SHA-1), and supporting strong authentication technologies (Kerberos, RADIUS, SSL, and PKI). A downloadable PDF, Oracle Database 10g R2 Security, provides a comprehensive overview that also covers Virtual Private Databases, data sensitivity labels, secure application roles, fine-grained auditing, proxy authorization, and secure JDBC.
SANS Institute
The SANS Institute is a preeminent resource for information security training and certification, with an extensive collection of publicly accessible security research documents (downloadable PDFs) in their Information Security Reading Room. SANS operates the Internet Storm Center, which monitors potential Internet threats in real time, coordinates expert analysis, and disseminates alerts and postings to the public. SANS also maintains a Top Twenty List of the most well-known, often-exploited vulnerabilities, including step-by-step instructions and pointers to additional information useful for correcting the flaws. Among many other useful SANS Resources, there are sample security policies, and the SCORE project to develop a consensus among security professionals as to minimum standards and best practices.
Schneier
Bruce Schneier is one of the foremost authors on security technology, and an original researcher in the field of cryptography. In addition to several best-selling books, he has published numerous very readable computer security articles, including a number on common misconceptions, such as Two-Factor Authentication: Too Little, Too Late, The Fallacy of Trusted Client Software, Risks of Relying on Cryptography, and Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure.
SecurityFocus
A highly regarded source of security information, SecurityFocus was acquired by Symantec in 2002 under an agreement to keep the site independent and vendor-neutral. One of the site's major resources is its vulnerabilities database, which you can search by vendor, title, and version for known product vulnerabilities. They also maintain a catalog of security tools, with provision for user comments. Having a staff of columnists, news writers, and feature authors, SecurityFocus is both a security news portal and a source of in-depth reference material. For example, IP Spoofing: An Introduction and Penetration Testing IPsec VPNs are representative of their library of Infocus articles. SecurityFocus operates BugTraq and several other active public mailing lists (mostly moderated), and they publish free weekly newsletters.
Symantec
Having concluded its merger with VERITAS in 2005, Symantec Corporation has grown to become a dominant vendor of security, systems management, and storage management products, covering the spectrum from anti-virus software for home users to a full line of enterprise security products and services. Through its Security Response Center, Symantec provides information about the latest virus threats and security advisories, virus removal tools, and a searchable online database describing over 60,000 Internet security-related threats.
University of Edinburgh - School of Informatics
Edinburgh's School of Informatics is a world-class institution of higher education in computer science. Their course in computer security is accompanied by a series of David Aspinall's lecture slides (downloadable PDFs), which offer a quick overview of security topics.
US-CERT - United States Computer Emergency Reading team
Established in 2003 in collaboration with CERT/CC, US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS). US-CERT maintains a regularly updated summary of current activity, i.e. the most frequent and highest impact security incidents, exploits, and threats, with references to detailed vulnerability notes and applicable tech alerts. In addition to highly technical content, US-CERT maintains a collection of resources for non-technical users, including its library of Cyber Security Tips and basic Cyber Security Alerts. In October 2005, US-CERT (in collaboration with SEI) launched the Build Security In portal, aimed at helping software developers, architects, and security practitioners create more secure and reliable software.

Base One develops tools and provides consulting services for building secure distributed applications.

Visual Studio | Database Technology | Distributed Computing | BFC


Home	Products	Consulting	Case Studies	Order	Contents	Contact	About Us

Copyright © 2012, Base One International Corporation