Read an Excerpt
Stay Safe!
A Basic Guide to Information Technology Security
By Abdul B. Subhani, Christopher Walton Abbott Press
Copyright © 2016 Abdul B. Subhani
All rights reserved.
ISBN: 978-1-4582-2027-1
CHAPTER 1
Introduction to Security
Defining Security
What is security?
Is it a state of well-being for systems, organizations, or people? Can it be achieved through safety from criminal activity, such as terrorism, theft, or espionage? Does it include procedures followed or measures taken to ensure feelings of safety, stability, and freedom from fear or anxiety?
Security is all of these things and more. Specifically, in computer systems, security is expressed as the system's degree of resistance to, or protection from, harm.
Foundations of Security
Security is built on the following foundations:
Authentication
Put simply, authentication is the process of verifying the identity of a person or thing. It might involve confirming the identity of a person by validating identity documents, verifying the validity of a website with a digital certificate, tracing the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim it is. Authentication often involves verifying the validity of at least one form of identification.
Authorization
Authorization is the function of specifying access rights to resources. More formally, to authorize is to define an access policy based on roles and permissions.
It is easy to confuse authentication with authorization. The two are frequently used interchangeably in conversation and are often tightly associated as key pieces of a secure system. But the two are very different concepts. Authentication is the process by which an individual's identity is confirmed. Authorization is the association of that identity with rights and permissions.
Auditing
Auditing is normally used as a finance-related term. However, in the realm of security, auditing is an unbiased examination and evaluation of an organization's security goals. It can be done internally (by employees of the organization) or externally (by an outside firm).
Confidentiality
Confidentiality involves a set of rules or a promise that limits access or places restrictions on certain types of information. In day-to-day life, people do not share all of their personal information with every person around. Information is shared on a need-to-know basis or it is protected, according to the requirements of its holder. All of this falls under the foundation of confidentiality.
Integrity
The commonly understood meaning of integrity is the quality of being honest, having strong moral principles, and sometimes, the state of being whole and undivided. In security, integrity is further defined as the state of a system performing its intended functions without being degraded or impaired by changes or disruptions in its internal or external environments.
Availability
In secure systems, availability is the degree to which a secured system resource, such as a system, a subsystem, or equipment, is in a specified operational and accessible state at the start of a task, when the task is called for at an unknown or random time.
Availability is linked to other security foundations as well. The availability of a resource to those accessing it should be according to their roles, permissions, and authorization.
Accountability
One goal of computer security is that anyone with access to a secured system should be held accountable for his or her actions within the system. For example, if a document has been amended by person X, and if later X denies having amended it, the system should be able to hold X accountable by showing evidence that the document was amended by X.
Security Terminology
When discussing security, it is important to be aware of these frequently used terms:
• Assurance: A guarantee or level of guarantee that a secure system will behave as expected when put to use.
• Risk: A possibility that something may go wrong. While working to make a system secure, one must consider the risks to the security.
• Threat: A method of triggering risk. Any action needed to make a system secure is based on preventing the threats posed to the system.
• Vulnerability: A weakness in a system that can be exploited by a security threat.
• Countermeasures: Ways and means to stop a threat from triggering a risk.
• Exploits: Vulnerabilities that have been triggered by a threat.
Different Kinds of Security
After becoming familiar with basic security terminology, the next stage is to understand the different types of computer security.
Internet security
Internet security is a set of rules and actions meant to protect against online attacks. The Internet has become part of our daily lives — a basic need for individuals, organizations, and systems. Internet security works to ensure confidentiality by protecting access to authorized resources and services. One example is an online system that prevents credit card details from being stolen on a shopping website.
Information security
Information security means defending information from attempts by unauthorized entities to use, disclose, disrupt, modify, peruse, inspect, record, or destroy a system. Information is a generic term for any form of data, whether physical or electronic.
Mobile security
Mobile security, as the name suggests, is the security of mobile devices like smartphones, tablets, laptops, and other portable computing devices. Because this type of security also includes securing the networks that mobile devices use to operate, it is sometimes referred to as wireless security.
Network security
Network security is a specialized field involving securing a computer or mobile network infrastructure against threats. Network security includes the policies and procedures implemented by a network administrator or manager to avoid and keep track of unauthorized access, modification, exploitation, or denial of the network and network resources.
CHAPTER 2
Introduction to Computer Security
What is Computer Security?
Computer security is designed to protect computer systems from theft or damage to the software, the hardware, and the information on them, as well as from disruption or usurpation of the services they provide.
Computer security has the following three major security objectives, based on several of the previously discussed security foundations:
• Confidentiality: Disclosure of information is on a need-to-know basis or per roles and permissions.
• Integrity: Data can be altered in authorized ways by authorized users only.
• Availability: Data should be accessible to those authorized to access it.
Why is Computer Security Important?
Prevention against data theft is essential. So much data, such as personal information, credit card information, bank account numbers, passwords, and work-related documents, is stored in computers used by people on a daily basis. Not securing a computer against breaches can lead to data becoming compromised by unauthorized and malicious parties.
Malicious intent can pose a vital threat to the security of a computer. An intruder can alter program source codes and use personal pictures or email accounts to create derogatory content, such as pornographic images or fake, misleading, and offensive social media accounts. Vengeful people might crash computer systems to cause data loss. Intruders may hack other computers, websites, or networks and then use them in denial-of-service or similar attacks to prevent access to other websites and servers.
It is important to keep data safe, secure, and confidential. This is only possible by understanding the threats to our computer systems, being aware of possible countermeasures, and paying necessary attention to the subject of computer security.
Types of Computer Security Threats
The computer security life cycle begins with ascertaining the threat environment. One can correctly guard systems only against known threats. Therefore, it is important to take note of the different types of threats posed to computer systems.
Malware
Malware is any malicious program or software designed to perform harmful or unwanted actions on a computer system. Some malware attacks computer applications and data, while other malware steal confidential data from systems. It is important to note that malicious intent is a requirement in deeming a code malware. Unintentional flaws, such as bugs or run-time errors, cannot be defined as malware. Typical types of malware include computer viruses, worms, Trojan horses, spyware, rootkits, and backdoors.
Grayware
It is important to talk about grayware while describing computer security threats. Grayware is a term coined for applications that are unwanted, annoying, and troublesome but cannot be termed malware. Grayware may degrade a system, but not as much as malware. It includes adware, fraudulent dialers, hoaxes, software bundlers, browser modifiers, some types of spyware, and more. Typical grayware activities include capturing keystrokes, bombarding a system with ads, stealing data, installing unwanted software, playing pranks or false warnings, modifying system settings, and modifying functionality.
Computer Security Best Practices
With so many different types of malware and grayware, computer systems require specific security measures to combat the dangerous threat environment. Although this book aims to explain all threats, vulnerabilities, and related defensive mechanisms and practices, this section looks at the best practices for computer security.
Use an antivirus program
In today's threat environment, use of an antivirus program is vital for protecting a computer's normal functioning capabilities. A good antivirus is usually bundled with Internet security, anti-spyware, and anti-adware features. Antivirus vendors keep making protection mechanisms for upcoming malware; therefore, antivirus programs must always be updated with new virus definitions.
Keep software updated
In addition to the operating system's core system software, which performs the computer system's primary tasks, computers use a host of application software for routine tasks, such as documentation, programming, watching movies, and web surfing. A system can be compromised through a vulnerability in any of the software, whether it is the system software or the application software.
Many times, software vendors identify a vulnerability in their software and then create and release patches in the form of software updates. These updates are offered through notifications to the clients who are already using the software. This aspect becomes much more important when the software is an antivirus program. Antivirus updates are new virus definitions. If an antivirus program is not updated with the new definitions, it will not be able to guard against the latest known malware.
When a vulnerability has been identified and an update has been released, the vulnerability becomes public. It is not very hard for attackers to exploit such known vulnerabilities, since half of their job — identifying the vulnerability — has already been done. Therefore, all users who do not update their software immediately after release of a patch are highly vulnerable to attacks. In summary, computer users should never delay in installing a security update.
Take care in installing new software
First and foremost, only install software when it is absolutely necessary. When there is a need to install new software, either through external media, like disks, or directly downloaded from Internet, make sure that the software is from a trusted source. If the software is downloaded directly, it should be obtained from the official website of that software.
Avoid pirated and cracked software at all costs. It is not very difficult to get allegedly free software (freeware) from peer-to-peer sites, but money saved in this way will very likely be wasted — along with much more money spent fixing the system later. Never underestimate the cost of hassle and trouble of losing data.
Utilize user account controls
Current operating systems provide elaborate user account controls for better system management. This feature is also useful in securing a system efficiently. There should not be any default accounts without a password. No one should be using the root or superuser account routinely. Routine and normal working users should not have permissions to install/uninstall software or change system settings. That creates less chance of compromising the system accidentally by a naïve user installing harmful software.
Use firewall software
Firewall software protects the system against unauthorized connections and traffic. This keeps the system protected from malware exploits unknowingly installed by harmful sites and software. Basic firewall software is typically bundled with the operating system. It is often easy to configure and works reasonably well in default configuration.
Be extremely cautious in giving out personal information
In the modern-day threat environment, one has to be careful about giving out personal information. Phishing and social engineering attacks are common ways of getting or stealing personal information from people around the world.
Use password protection
The importance of password protection cannot be overemphasized. Weak passwords, reusing passwords, custody/security of passwords, password leakage, etc. are part of the big issue of password protection.
People tend to use simple passwords that they can remember easily. Sometimes, with the same intentions, people reuse passwords with different websites and systems. But a reused password only makes the person more vulnerable. Attackers can use an email or username at one site along with the associated password from another site or system to gain access to both.
Best password practices include:
• Not reusing passwords for multiple websites and systems
• Keeping complex passwords with a variety of alphanumeric characters
• Not sharing passwords
• Not writing passwords down in obvious places
Minimize storage of sensitive data
A good way to remain secure is to not store any passwords. If that is not possible, minimize the location and the amount of sensitive data that is stored to make it easier to store in a safe place. If storing sensitive data electronically, use a removable media or tertiary storage; if writing it down in a journal or other book, make sure the document hidden from plain view while at the computer system.
Remember physical security
Last, but not least, on the list of best practices is physical security. Other security measures are rendered useless if the hardware is stolen. Physical security is less important for desktop computers and large servers, but it is more important for portable hardware like laptops, mobiles, removable media, etc. Keep electronic devices all under lock and key or with you while traveling or moving around.
CHAPTER 3
Access Centre!
What is Access Control?
Access control is the set of legitimate procedures to access a system. A person, a device, or a service, such as an application program or a web service, may want access to a system to use a service, read or write data, or utilize a resource. Simply put, access control can be understood as mechanisms for guarding entry to a system, similar to people implementing security in the form of guards, a photo ID verification system, keys, etc. to grant access to their property.
A good access control system should deny entry to unauthorized and malicious parties while allowing admission to legitimate users. It should have elaborate methods for adding to and excluding members from a list of allowed users. Its administrative procedures should be concise and comprehensive to avoid mistakes and ambiguity.
Subject and object in access control
Understanding the details of access control requires understanding the distinction between subject and object. The subject wants access to some information, resource, service, or application. The object is the information, resource, service, or application being accessed.
For example, if a user tries to open a file, then the user is the subject and file is an object. Whether the user will be allowed to open the file is a question of access rights. The entity or system with the power to grant access has the access control of that particular file.
Classification of Access Control
In the computer security world, access control is classified based on the controlling authority that decides the access permission of an object. There are four basic classifications of access control:
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Originator Controlled Access Control (ORCON or ORGCON)
• Role Based Access Control (RBAC)
Mandatory access control (MAC)
Mandatory access control (MAC) is when access to a system is controlled by the system's own mechanisms/tools. As the emphasis is on the rules and regulations of the system, which are not easily changed by the user, mandatory access control is also called Rule Based Access Control.
The access control mechanisms built into operating systems are examples of MAC; neither the subject accessing the system nor the objects being accessed by that subject have any role in determining grant of access. Usually, the operating system's routines themselves grant access based on the attributes associated with the subject needing access and the object being accessed.
Discretionary access control (DAC)
Discretionary access control (DAC) is when an individual user can set the access control rights and permissions of an object. As this type of access control is linked to the identity of individual users, it is also called Identity Based Access Control (IBAC).
(Continues...)
Excerpted from Stay Safe! by Abdul B. Subhani, Christopher Walton. Copyright © 2016 Abdul B. Subhani. Excerpted by permission of Abbott Press.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
