Enterprise Information Security - Essay Example

The paper "Enterprise Information Security" highlights that the system should be able to be used by the user and other clients as well as other services. This means that the system should avoid server limitations. This might reduce the number of clients of the organization…

Running head: Enterprise Info Security

Enterprise Info Security
22 November

Question 4.1 How can the ability to distinguish between programs and data help to construct a defense against buffer overrun/overflow attacks?

A buffer overflow (overrun) is a form of interference in which a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. Buffer overflows can be triggered by inputs that are designed to execute code or to alter the way the program operates. This may result in erratic program behaviour, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited.

Understanding the difference between data and programs is a very important element of avoiding various overflow attacks. Once one understands that data is just computer information while a program is the software itself, he or she can apply new defence systems. It then becomes easy to understand how modern security features like Data Execution Prevention (DEP) are applied in modern operating systems such as Mac OS X, Linux and Microsoft Windows. For example, DEP works in two different ways: it is either hardware-enforced or software-enforced. Software-enforced DEP does not protect data pages from code execution, but protects against another type of attack. Knowledge about these security features and operating systems is very important when one is looking for the best defence against overflow attacks.

Question 4.2 Consider a system that writes event numbers to its audit log and uses a table to translate these numbers into messages. What is the potential advantage of using this level of indirection in log file entries? What are the potential dangers?

This system is the Computer Aided Dispatch System (CAD system).

Potential advantage: the CAD system is a great boost to public communication. It provides instant and reliable communication through alarm connections, mobile data systems, and time and records management systems.

Potential dangers: the design, development, purchase, and installation of CAD systems can be complicated for both medium- and large-size public safety agencies. It involves not only the installation of computers and the CAD software, but usually connection to a wide variety of other systems: alarm inputs, mobile data systems, time synchronization sources, and records management systems. This process is therefore very expensive and complicated to handle (Computer-Aided Dispatch Software Resource, para. 2).

Question 4.3 How spoofing can be performed

A particular machine claims to own a particular IP address, and the first machine then sends all its messages to that machine. Using this attack, a machine can listen to all the traffic that another machine wants to send out. This happens when two machines are on the same network. Normally one machine sends a packet to the other machine's IP address and the network routes it to its destination. This kind of attack is called ARP spoofing. ARP doesn't have any way to check whether a particular responding machine does in fact own a particular IP address. This can be exploited by having other machines claim to be certain IP addresses.

Defenses against spoofing

Some of the defence mechanisms against spoofing include:
> a guarding algorithm for ARP spoofing;
> updating the ARP cache;
> checking the ARP cache each and every time;
> information encryption;
> control by the use of switching equipment;
> configuration of a static ARP cache (Li, B., Dong, K., Dong, L. & Yang, L.).

Question 5.1 Explain the concept of dual signature used in the SET (Secure Electronic Transfer) Protocol and its components.

Secure Electronic Transaction (SET) is a system for protecting electronic transactions made online using credit cards. This process uses the concept of dual signature. The dual signature concept operates by the following procedure:
> The cardholder takes the card's payment information (PI), which includes the card number and probably its expiry date, and digests it to produce the payment information message digest (PIMD).
> The cardholder then digests the order information (OI) to produce the order information message digest (OIMD).
> The cardholder now combines PIMD and OIMD to produce the payment and order message digest (POMD).
> The cardholder encrypts the POMD with his or her private key. The output of this process is the dual signature (DS). It is called dual because it has inputs coming from PI as well as OI.
> The next step is to send DS, OI and PIMD to the merchant, and DS, PI and OIMD to the payment gateway. The merchant cannot access the PI, meaning it cannot identify the holder's credit card number (Kahate, 2008).
This diagram shows how the concept of dual signature operates (the diagram is not reproduced in this extract).

Question 5.2 Firewalls are usually configured to examine incoming traffic. Give one reason why a firewall may be configured to inspect outgoing traffic.

A firewall normally creates checkpoints that restrict the outgoing and incoming packets to and from the private network. These checkpoints are referred to as "choke points". This means that all outgoing traffic must pass through the firewall's choke points, and only authorized traffic will be allowed to pass through (Bessis, Vijay, and Ashwin 169).

Question 6 Please document 20 detailed security requirements for inclusion in an RFP. These requirements should focus specifically on the security of the login process (authentication) of users into a networked application. For each requirement you provide, you must also identify the method that will be used to test application compliance with these requirements.

Security concerns about the authentication process have been raised a number of times. This is because various authentication and identification processes have led to multiple logon processes. Therefore several requirements are needed to cater for the security of these authentication processes. They include the following:

> Cost or expenses: the costs and expenses here include both software and hardware components. Some of the costs associated include implementation, client, user and back-end costs. The whole process requires one to spend money in order to meet the needs of the whole process.
> Authentication details (username and passwords): authentication and login is all about usernames and passwords; however, passwords are the least desirable authentication tokens. The chief weakness of passwords is that they are easily compromised, through user abuse, neglect, or mismanagement, and from deliberate attack through spoofing, sniffing or cracking.
> They should not be difficult for the original users to access. This means that they should be easy to access, use and maintain for the end users and the administrators. The logon details should be known by the immediate users of these accounts, and kept secret, not disclosed to other people.
> The authentication process should be extensible. This means that other security capabilities and functions that meet the specific needs of a given organization must be able to be added to the authentication service without affecting interoperability.
> It should be capable of being accepted and agreed by all platforms. This refers to portability, in the sense that it is accessible no matter the machine type you are using.
> It should be capable of supporting smart tokens, passwords, biometrics, and other authentication mechanisms. In this way the authentication mechanism becomes independent of the particular login details used.
> Any login process must be secure in terms of both storage and communications. After getting and setting up your login details, it is necessary to keep these details secret in a way that unauthorized people cannot easily find them. Any communication concerning how to log in to the account should only be shared among the authorized people or the administrators.
> Any login process should be able to support legacy applications. The process must be legal to the governing body and accepted by the rules and regulations of the government. This means it must be approved, certified and given a go-ahead by the authority in order for the process to go on. The security considerations, however, are still relevant to these legacy systems, and should be applied and documented to ensure security controls are in place and functioning effectively to provide adequate protection for the information and the information system.
> The authentication process should have a distributed client-server architecture. The functions of the authentication process itself should be exposed through a programming interface. The client-server architecture is supposed to be designed in a special way so that people can understand it better through certain computer applications and programming. Usually, the security architecture is supplemented with an integrated schedule of tasks that identifies expected outcomes (indications and triggers for further review/alignment), establishes project timelines, provides estimates of resource requirements, and identifies key project dependencies.
> API: it is recommended that one should publish one's own API for security, messaging and directory. This will improve the quality of the APIs and make a convincing case that they provide all the functionality required to build production applications.
> Infrastructure: as one of the requirements, one should include full life-cycle costs of infrastructure (including security) in RFPs and purchase decisions. That is, do not overlook the long-term costs of selecting proprietary authentication implementations.
> Technical policies: technical policies will be used by technical custodians as they carry out their security responsibilities for the system they work with. They describe what must be done, but not how to do it; this is reserved for procedural documents, which are the next detail level down from governing and technical policy.
> Use of proper login scripts, models, and strategies: one should choose the best login model and scripts that authenticate easily without a large burden on the system. Repeated use of security strategies and tools definitely reduces development cost and improves security posture. Scripts are very important as they reduce the number of logons for end users and thereby reduce security risk. Use of scripts also reduces implementation costs, and they are faster to deploy (Obeid, 2).
> One should make sure there is proper facilitation: authentication facilities are very necessary in the implementation of proper login security features, since they help one to make informed decisions through comprehensive risk management in a timely manner.
> One should also know the challenges that are crucial and potentially relevant to the engineering section of the system. This probably improves the nature of the security controls. Engineering is one sensitive requirement because it is what determines the overall functioning of the whole system of authentication and the login process.
> An authentication service must be scalable to the entire enterprise and considerate of cost, to make management and administration easy. It is very appropriate and easy for an organization to use an authentication system that is very scalable and that fits the financial and management capabilities of the entire organization.
> An authentication system must be capable of implementing and enforcing security policies regarding password parameters (password aging, alphanumeric characters, character length, limitations, non-dictionary passwords, and so on).
> It should also be mechanism-independent and have the ability to authorize the interfacing activities of user and administration logins. This means that it should be able to authorize activities of the user after authentication or interfacing through a managing service provider.
> The system should also be usable by the user and other clients as well as other services. This means that the system should avoid server limitations. These might reduce the number of clients of the organization as well as reducing business scale. This can be extended to re-verifying users in subsequent processes, as in the case of a child-parent spawning process.
> It should be able to manage encryption keys: any authentication process should be able to manage the encryption keys that are utilized in interfacing through the user's authorization service. In this case interface keys and encryption keys link together to give a reliable login process that agrees with administration or user activities and secures their details (Obeid, 28).

Works Cited

Bessis, Thierry, Vijay K. Gurbani, and Ashwin Rana. "Session Initiation Protocol Firewall for the IP Multimedia Subsystem Core." Bell Labs Technical Journal 15.4 (2011): 169-187.
"Computer-Aided Dispatch Software Resource." Dispatch Magazine. N.d. http://www.911dispatch.com/info/cad/index.html. Accessed 19 November 2011.
Kahate, Atul. Security and Threat Models: Secure Electronic Transaction (SET) Protocol. 2008. http://www.indicthreads.com/1496/security-and-threat-models-secure-electronic-transaction-set-protocol/. Accessed 19 November 2011.
Liu, Young, et al. "Research of the ARP Spoofing Principle and a Defensive Algorithm." International Journal of Communications 4.1: 143-147. http://www.naun.org/journals/communications/c-24.pdf. Accessed 19 November 2011.
Obeid, Doug. Enterprise-wide security: authentication and single sign. July 14, 1996. http://alameda-tech-lab.com/portfolio/samples/Old_Papers/NACSEC02.pdf. Accessed 19 November 2011.
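The "checking the ARP cache each and every time" defence listed under Question 4.3, as an added example that is not part of the essay: a small monitor that keeps the last MAC seen for each IP, seeds it with a static (trusted) gateway entry, and raises an alert when a reply changes a binding or one MAC answers for several IPs. The ARP replies and the (ip, mac) record format are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class ArpMonitor:
    """Tracks IP-to-MAC bindings learned from ARP replies and reports conflicts."""
    trusted: dict = field(default_factory=dict)   # static entries, e.g. the gateway
    learned: dict = field(default_factory=dict)   # bindings learned from replies
    ips_per_mac: defaultdict = field(default_factory=lambda: defaultdict(set))

    def observe(self, ip: str, mac: str) -> list:
        """Process one ARP reply; return a list of alert strings (empty if clean)."""
        mac = mac.lower()
        alerts = []
        # A static (trusted) binding must never be overridden by a reply
        if ip in self.trusted and self.trusted[ip] != mac:
            alerts.append(f"static entry violated: {ip} is {self.trusted[ip]}, reply claims {mac}")
        # A previously learned binding that suddenly changes is the classic symptom
        elif ip in self.learned and self.learned[ip] != mac:
            alerts.append(f"binding changed: {ip} moved from {self.learned[ip]} to {mac}")
        self.learned[ip] = mac
        self.ips_per_mac[mac].add(ip)
        # One MAC answering for several IPs is how both sides of a conversation get redirected
        if len(self.ips_per_mac[mac]) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(self.ips_per_mac[mac])}")
        return alerts

# Constructed sample traffic: (sender IP, sender MAC) taken from ARP replies
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway, matches the static entry
    ("10.0.0.5", "00:11:22:33:44:05"),   # ordinary host
    ("10.0.0.1", "00:11:22:33:44:99"),   # a second MAC now claims the gateway's IP
    ("10.0.0.5", "00:11:22:33:44:99"),   # ...and the host's IP as well
]

def run_monitor(replies=SAMPLE_REPLIES) -> list:
    """Feed replies through a monitor seeded with a static gateway entry; return all alerts."""
    mon = ArpMonitor(trusted={"10.0.0.1": "00:11:22:33:44:01"})
    alerts = []
    for ip, mac in replies:
        alerts.extend(mon.observe(ip, mac))
    return alerts

if __name__ == "__main__":
    for line in run_monitor():
        print(line)
```

On a real host the same logic would be fed from the ARP table (arp -a) or a packet capture rather than the constructed list.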
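The dual-signature procedure from Question 5.1, as an added example that is not part of the essay or of Kahate's text: the cardholder digests PI and OI, digests the concatenation into POMD and signs it, and the merchant (holding OI and PIMD) and the payment gateway (holding PI and OIMD) each verify the same DS without seeing the other party's data. SHA-256 is assumed as the digest, and the RSA keypair is a toy built from two Mersenne primes so the script runs offline; real SET used full-size RSA with padding, so toy_sign and toy_verify are stand-ins for that.

```python
import hashlib

# Toy RSA parameters (assumption of this example, not SET's real key sizes)
P = 2147483647             # 2^31 - 1, prime
Q = 2305843009213693951    # 2^61 - 1, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # cardholder's private exponent

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def toy_sign(md: bytes) -> int:
    # Sign only the leading 8 bytes so the integer stays below the toy modulus
    return pow(int.from_bytes(md[:8], "big"), D, N)

def toy_verify(md: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(md[:8], "big")

def dual_sign(pi: bytes, oi: bytes):
    """Cardholder: PIMD = H(PI), OIMD = H(OI), POMD = H(PIMD || OIMD), DS = sign(POMD)."""
    pimd, oimd = digest(pi), digest(oi)
    pomd = digest(pimd + oimd)
    return pimd, oimd, toy_sign(pomd)

def merchant_verify(ds: int, oi: bytes, pimd: bytes) -> bool:
    """Merchant receives DS, OI and PIMD: it recomputes POMD without ever seeing PI."""
    return toy_verify(digest(pimd + digest(oi)), ds)

def gateway_verify(ds: int, pi: bytes, oimd: bytes) -> bool:
    """Payment gateway receives DS, PI and OIMD: it recomputes POMD without seeing OI."""
    return toy_verify(digest(digest(pi) + oimd), ds)

# Constructed sample messages (placeholder card number, not a real one)
SAMPLE_PI = b"card=0000000000000000;exp=12/13"
SAMPLE_OI = b"order=1234;amount=49.99;merchant=shop"

if __name__ == "__main__":
    pimd, oimd, ds = dual_sign(SAMPLE_PI, SAMPLE_OI)
    print("merchant accepts:", merchant_verify(ds, SAMPLE_OI, pimd))
    print("gateway accepts: ", gateway_verify(ds, SAMPLE_PI, oimd))
    # Changing the order after signing breaks the link between OI and PI
    print("tampered order:  ", merchant_verify(ds, SAMPLE_OI + b";amount=1.00", pimd))
```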