System Security Threats and Vulnerabilities - Assignment Example

Question A A1 Ethics are guiding principles that govern the conduct of groups or individuals within a population. Computer ethics have interpretations within the broader definition. In the absence of policy vacuum about the use of computer technology problems arise in the interpretation of computer ethics. As computers offer new capabilities that provide new choices for action, there exists no policies for conduct in such situations or existing policies seem inadequate. Computer ethics seeks to determine what could be done in such cases and formulate policies to guide our actions. Some standards and legal obligations that exist include Rules of Engagement, IEEE/ACM standards, the Belmont Report, and Institutional Review Boards (IRBs). Rules of Engagement include ethical considerations in the use of force while responding to a computer attack. The Code of Ethics and Professional Conduct by ACM include contribution to society and human well-being; avoiding harm to others; and accessing computing and communication resources only under authorization. The IEEE Code of Ethics commits members to high ethical and professional conduct; and includes mandates to understand technology, its application and consequences, and avoid injury to others, their property, or reputation, or false or malicious action. Ethical principles described in the Belmont Report include Respect for Persons; Beneficence; and Justice. Respect for Persons includes treatment of individuals as autonomous agents with the rights to decide about their own interests. Individuals with diminished autonomy were entitles for protection. Beneficence involved doing no harm; maximizing benefits and minimizing harms, and systematically assessing risk and benefit. Each person had equal share in treatments and benefit based on need, contribution, and merit (Dittrich et al., 2009). It is evident that the Lamers group had violated principles of conduct, and were not respectful of computer ethics or ethics in general. The SecureThink Company was based on violation of principles for computer ethics, and it continued after the formation of the Company. There are valid and legal methods of demonstrating vulnerabilities that exist in systems. The decision by MoneyBags Company to hire SecureThink could be considered meek and giving into intimidation, and cannot be justified ethically. A2 Computer security is based on the following elements: Computer security supports the organization’s mission; Computer security is an integral element of management; Computer security is cost effective; Computer security responsibilities and accountability are well defined; Systems have responsibilities outside their own organizations; Computer security is based on comprehensive and integrated approach; Computer security is reassessed periodically; and the understanding that computer security is constrained by societal factors. Understanding these elements enables determine how the security controls support the overall computer security program. Roles and responsibilities of officials within an organization include the following groups: senior management; program/functional managers/application owners; computer security management; technology providers; supporting organizations; and users (Guttman and Roback, 1995). Officers responsible for computer systems operating the elevators at the Washington, DC City Hall and air traffic control systems at Chicago International Airport should be held responsible for the incidents. The management had overall responsibility, and specifically officers responsible for computer security were responsible. Adequate risk assessment had not been carried out and vulnerabilities addressed, and the lack of adequate control measures to deal with the situation effectively and immediately. The Lamers group should be held responsible for violation of computer ethics, causing loss of business, and putting lives of innocent citizens at risk. The network provider should be held responsible for existence of vulnerabilities that could gravely compromise systems. A3 Loss of infrastructure support, malicious code, malicious hackers, and threat to privacy were security threats and vulnerabilities involved during the incidents. Loss of supporting infrastructure includes power failures, loss of communications, lacks of services, etc. Loss of infrastructure results in downtime in unexpected ways. Malicious hackers or crackers break into systems without authorization. Hacker activity has been attributed to increase in connectivity. The US Department of Justice Computer Crime Unit has warned that hacker threat is recent and disciplinary measures are ineffective against outsiders, hacker attacks could have no limitations as their purposes are unknown, and hacker attacks made people feel vulnerable. Malicious code includes viruses, worms, Trojan horses, logic bombs, and other software. Viruses include code segments that replicate by attaching copies to existing executables, and the new copy of the virus is executed when a user executes the new host program. Types of viruses include variants, overwriting, resident, stealth, and polymorphic. Trojan horses are programs that perform desired tasks, but include unexpected and undesirable functions. Worms are self-replicating programs that are self-contained and do not require host programs. The program creates copies of itself causing it to execute without user intervention. Network services are used by worms to propagate to host systems. Threats to individual privacy arise from accumulation of electronic information about individuals Guttman and Roback, 1995). In the Washington, DC City Hall case security patches had not been installed allowing malicious hackers, worms, and viruses to infiltrate the system. In the Chicago International Airport air traffic control system, the encryption system had been compromised exposing the system to hackers. Infrastructure associated with the systems in both cases was compromised including other systems that could be in the network. Loss of property, business, and human life were risks associated with such vulnerabilities. A4 Caballero (2009) has suggested practices for computer and information security. Plans, procedures, personnel, technology and guidelines should be integrated to develop measures to minimize damages and losses. Protection of mission-critical systems include: information assurance; information risk management; defence; and contingency planning including incident response plan and business continuity planning. Security controls that would be most effective to prevent losses in the incidents described above include: 1. Physical security and data security; 2. Systems and network security; 3. Business communications security; 4. Web and application security; and 5. Security monitoring and effectiveness. Physical security includes facility requirements; and administrative, technical, and physical controls. Data security includes data classification; and access control models. Systems and network security include host-based security; and network based security including intrusion detection and intrusion prevention. Business communications security includes rules and guidelines for self-protection, and handling protection resources and business communications. Web and application security includes controls and checks while online. Security monitoring and effectiveness include security monitoring effectiveness; incident response and forensic investigations; validating security effectiveness including vulnerability assessments and penetration tests. These measures provide several layers of control, plans for dealing with incidents, and planning for business continuity. A5 McNurlin et al. (2008) reviewed several case studies and identified critical technology challenges including internet and organizational intranets; security technology; electronic data interchange; data warehousing; distributed computing; client/server computing; workflow; groupware; executive information systems or decision support systems; and relational databases. Often, these challenges are aggravated by the massive changes in technology occurring at an alarming rate. The lack of adequate computer ethics regulations or guidelines made it difficult to deploy adequate policies. Thus, the lack of adequate controls to effectively deal with such incidents could be attributed to human factors, technological challenges, and societal factors. Question B B 1 & B2 Peer-to-peer (P2P) systems allow rich connectivity to a large number of users. The P2P model has been considered an alternative to the traditional client-server model for distributed systems. P2P systems have nodes owned by independent entities, which form self-organizing, and self-maintaining networks without central authority. Performance of P2P systems depend on the voluntary resource contribution from each node. Rational users include users acting to maximize their own utility, including deviation from specification. Rational users could refuse to contribute their fair share of resources. “Free-riders” are users attempting to benefit from resources of others without offering their own resources. Networks such as Gnutella have approximately 70% peers providing no files, while top 1% of peers provided approximately 37% of files provided (Adar and Huberman, 2000). Networks such as Gnutella and Napster have seen an increase in free-riders. High degree of free riding is a serious threat to P2P systems. Memberships that are dynamic, lack of central authority, use of cheap identities and untraceable or hidden actions, or collusive behaviour are challenges posed by such networks. Adverse effects of P2P networks could be reduced by distributed frameworks. This includes location of free riders and taking appropriate action. Each peer could monitor its neighbour to identify free riders for appropriate action, reducing the effects of free riding and increasing performance of the P2P network (Karakaya et al., 2008). Major threats to such systems are active worms, which have the ability to automatically propagate themselves and compromise hosts in the internet. P2P systems could be a vehicle for attackers to achieve rapid worm propagation in the internet. P2P worm attacks could actively enhance worm propagation, and worm spread is affected by system size; topology, host vulnerability, etc. Effective defence strategies include rapid detection and immunization of infected hosts (Yu et al., 2008). P2P applications have been widely adopted in environments requiring fulfilment of several security demands. Existing approaches lack flexibility in the absence of mechanisms to tackle wide range of requirements in an integrated manner. Users or applications are required to manipulate a complex programming interface including a cumbersome configuration process. P2P Security Layer is a software architecture allowing gradual and flexible integration of security functionality into P2P applications (Gaspary et al., 2007). Question C C1 Despite the use of strong encryption algorithm used with single-key encryption, there is a need to transfer the single known key to the recipient of the message, or establish a method for alternating random key selections. Interception of data was a simple matter of determining the single key. Key transfer problem existed with AES, DES or any other single-key encryption algorithm. Methods for exchange of secret key such as courier could be expensive, and such a manner of exchanging keys is not a consideration for smaller businesses or individuals. Single-key encryption is also known as symmetric encryption. The Public-key encryption was developed to overcome this limitation, which made distributing keys mush simpler (Mueller and Ogletree, 2004). C2 Public-key cryptography was developed by Whitfield Diffle and Martin Hellman in 1975. Two keys, known as key pair, are used in Public-key cryptography. The two keys are mathematically related. One key is used to encrypt the data and the other key is used to decrypt the data. The key used to encrypt the data is the public key that could be shared with many people. The public key could be posted at several locations on the internet for making it available for anyone willing to send a message in encrypted format. A common practice is to attach a copy of public key to emails for recipients to encrypt a response to the email. Key ring is a file that is used to store a set of public keys for others. Pretty Good Privacy (PGP) includes products that use such key rings. This type of encryption using more than one key is known as asymmetric encryption. Using the public key anyone could send a message in encrypted format. The public key allows encryption of the message. The difference between asymmetric and symmetric encryption is that the public key encrypting the data cannot be used for the reverse process of decrypting the data that it was used to encode. A pair of keys are used instead; the public key that could be distributed freely, and a secret key. As the keys are mathematically related, only the secret key could be used to decrypt the message that was encrypted using the public key (Mueller and Ogletree, 2004). C3 A business or person’s name or identity and public key are bound by digital certificates. Certificates must come from a trusted authority, and a certificate is determined to be valid by a digital signature (Mueller and Ogletree, 2004). Question D There has been an increase in knowledge based systems, and the trend is expected to continue. I envisage a business in the e-learning environment. The rapid rise in internet connectivity world over, dynamism in technology, and availability of resources has made e-learning business an exciting prospect. The internet makes deployment of such a knowledge based system widely accessible by users synchronously and asynchronously. Web services technology is being adopted by many organizations, or being evaluated for incorporation into their enterprise information architectures. Service-oriented architecture (SOA) for distributed computing is being used by web services. Adoption of strategies requires assessment of needs and capabilities (An et al., 2008). Web, Grid, and CORBA are implementation and support platforms for service-oriented architectures. Development of service oriented solutions requires architecture centric model. Architecture properties of SOA, and development based on model driven architecture (MDA) allows separation of development processes in abstraction levels, making MDA suitable for the development of service-oriented systems (López-Sanz et al., 2008). The architecture would be used in the development of a web based collaborative learning system. E-learning includes collaborative learning allowing for increased interactivity and accessibility to various learning resources, which could be synchronous or asynchronous. The web based service would be achieved through distributed interactivity. SOA, distributed infrastructure, and business process management (BPM) would be integrated for achieving meaningful and collaborative leaning processes. The SOA approach enhances interoperability, flexibility, and reusability of the e-learning content within a collaborative learning environment (Fang and Sing, 2009). References Adar, E. & Huberman, B. (2000). Free Riding on Gnutella. First Monday. 5(10). An, L., Yan, J. & Tong, L. (2008). Methodology for web services adoption based on technology adoption theory and business process analyses. Tsinghua Science & Technology, 13(3), 383-389. Caballero, A. (2009). Chapter 14: Information Security Essentials for IT Managers: Protecting Mission-Critical Systems [Computer and Information Security Handbook]. Retrieved from http://www.sciencedirect.com/ Dittrich, D., Bailey, M. & Dietrich, S. (2009, 04 20). Towards Community Standards for Ethical Behavior in Computer Security Research. Retrieved from http://www.cs.stevens.edu/~spock/pubs/dbd2009tr1.pdf Fang, C. & Sing, L. (2009). Collaborative learning using service-oriented architecture: a framework design. Knowledge-Based Systems, 22(4), 271-274. Gaspary, L., Barcellos, M., Detsch, A. & Antunes, R. (2007). Flexible security in peer-to-peer applications: enabling new opportunities beyond file sharing. Computer Networks, 51(17), 4797-4815. Guttman, B. & Roback, E. (1995). An Introduction to Computer Security: The NIST Handbook [pp. 1-19]. (Computer Security), Retrieved from http://books.google.co.uk/ Caballero, A. (2009). Chapter 14: information security essentials for IT managers: protecting mission-critical systems [Computer and Information Security Handbook]. Retrieved from http://www.sciencedirect.com/ Karakaya, M., Körpeoğlu, I., Ulusoy, O. (2008). Counteracting free riding in peer-to-peer networks. Computer Networks, 52(3), 675-694. López-Sanz, M., Acuña, C., Cuesta, C. & Marcos, E. (2008). Modelling of service-oriented architectures with uml. Electronic Notes in Theoretical Computer Science, 81(4), 23-37. McNurlin, B., Sprague, R. & Bui , T. (2008). Information Systems Management. USA: Prentice Hall; 8 edition. Mueller, S. & Ogletree, T. (2004). Upgrading and repairing networks [Edition: 4 - 1224 pages ]. (Encryption), Retrieved from http://books.google.co.uk Yu, W., Chellappan, S., Wang, X. & Xuan, D.(2008). Peer-to-peer system-based active worm attacks: modeling, analysis and defense. Computer Communications, 31(17), 4005-4017. Read More