Security in Computing - Assignment Example

Heading: Security in computing Your name: Course name: Professors’ name: Date Questions 1 Selection of article This evaluation intends to evaluate the criterion from the security article ITSEC (Information Technology Security Evaluation Criteria) from IWS, TCS (Trusted Computer Systems) and NATO information security IA. The evaluation of security threat is meant to create the assurance to the company that issues related to security breach are handled conclusively and effectively (NATO IA, 2011). This creates confidence to the assets owners but also forms baseline for designing countermeasures to check, identify and recover information in case there is a breach or attack both internally or externally. The evaluation minimizes the effect and impacts of security risk and its consequence and thus asset protection is quarantined (Information Warfare Site, 2011). The ITSEC identifies the computer system security as a trusted organization resource which must be protected at all cost. According to the ITSEC, the key aspects evaluated in security are functionality and assurances of the software product. Functionality refers to the aspects of the system which guarantees and enforces the systems security such as logins. While assurances on the other hand deals with the effectiveness and correctness of the design to be implemented with the security features in mind such as environmental configuration to deal with security and computer resources (William, 2004). ITSEC also observed that systems must be evaluated as per the evaluation standards such as the concept that guarantees the best environment, validation of all avenues of security breach, creating a tamper proof environment and finally mediation of all the subject and objects. Overall perspective Information Technology (IT) has currently taken over vital roles in the organization that were previously conducted manually. As the IT is growing to take up these roles, concern of security is also taking shape in the same field causing drawbacks and challenges to the ever growing IT resources. IT stakeholders have found it necessary to culminate measures to counteract these threats posing a stampede to the vital roles taken by IT. Several IT specialists have come up with models that curb these vices with the aim of minimizing attacks and its impacts (Marcel, 2006).Several important contexts have been devised with the zeal of implementing security policies which includes confidentiality, data integrity and availability of the resources which can compromise IT operations. The overall perspective of the security evaluation must be based on the functionality of the products and how these functionality are configured to protect against security compromise which guarantee security to the entire systems(William, 2004). The other perspectives considered in the evaluation are the QA that guarantees the assurance of security protection to the systems environment. The assurance relates to the environmental awareness and security related values which must be configured to the system during system development life cycle. The following are analysis of the perspective of each functionality and assurance as used to enforce security of the information (Information Warfare Site, 2011). Functionality In case of security analysis, functionality of the systems plays an important role in creating avenues and gaps that are utilized by attackers and hackers to gain access for purposes of compromising the security information. It is also worth to note that security occurs as results of intentional and accidental operation by both the internal and external attacks (Bluetooth SIG, Inc, 2007). Therefore a good security plan must focus on various functionality elements that may create loopholes. To begin with, identification and authentication is very important functionality that must be implemented in the system to discourage anonymous access. This involves the creation and enforcement trusted path that must be traced by all valid user to eliminate hackers. It is also wise to implement some integration and customization that conform to specific security requirements. The software product must operate in an environment that does not support threat incubation by providing secure and free threat zone (Bluetooth SIG, Inc, 2007). The company should also perform periodic security audits to ascertain any uncaught threat existing since there is no mechanism to eliminate all threats. According to Schneier (2000), the most important functionality is the data entry prevention and user protection which guarantees that the data captured by the user is validated. These include SQL injection, invalid data, cross language scripts and other threats related to the user and others emanating from the user interface. The other aspect that relates to the functionality is availability, physical protections, privacy and communication which can compromise security if poorly handled. For example the means of communication can make a user reveal his credential to a potential hacker (Schneier, 2000). Assurance Levels The evaluation of security from the perspective of assurances relates to the quality assurance that is designed from the initial stage of the development life cycle all the way to deployment of the product. The aspects that are of concern to the assurances are testing of the product while still it is still being developed. During the life cycle of the product development, security assurance must be tested in all phases of the development to ascertain the strength of the software in relation to security threat. Assurance guarantee that gaps and loophole that can be utilized by the attackers are sealed off completely so that an attacker will find limited avenues to use in the process of hacking (Gallagher, Bryan and Lawrence, 2006). The other aspect of assurance relates to verification and validation of the design against the security threats. The validation and verification of the security normally takes place at the design phase before the process of coding begins. A semiformal design which is a design that awaits the verification against security threats in design so that once approved, it becomes formal design. The assurance is meant to ensure that the system is security compliant before the process of implementing the design so that the final product is secured (Gallagher, Bryan & Lawrence, 2006). Question 2: Mobile phones have grown sophistications to become the most indispensable tool in today’s day to day activities. Lourdhu and Alagan (2007) found that, both small and large inexpensive PDA is available in the market which can be used interchangeably with a basic computer to perform minor tasks. These tasks include storing data, capturing events, documentation of meetings, receiving electronic mails and remote accessing contents among others. Given its capabilities, attackers have identified potential loopholes and gaps in these hand held devices and are now using them effectively to breach information security of an organization (George, 2008). Ben (2006) observed that the limitation and challenges to the implementation of security policy with regard to the hand held device is very demanding and sometimes not applicable. For example, PDA devices is a personal garget and all the users within the organization posses and it would be impossible to ban all the users from using their PDA freely within the organization bearing in mind its essential communication functionality. Another issue is that PDAs and Smartphones are very small and with complex functionality and thus difficult to monitor using normal security policy. In case these devices get lost, they also increase vulnerability of the information that they contain since they can get into the hands of hackers (Jonathan, 2005). Attack tree The basic ideas behind the attack tree are the avenues used by the attacker to compromise the security of the companies’ information system. The attack tree is structured such that it has some root nodes, nodes and leave nodes each representing a form of attack achieved not only in hand held devices but also in general computing devices. The attack tree of a PDA generally is focused on the users’ negligence (Seth, 2004). Most of PDAs and Smartphones have no standard password strength. An attack tree is made up of OR and AND nodes each symbolizing each specific requirements to accomplish the task. That is, OR can be completed without inclusive of all requirements (leave nodes) but for the case of AND node all requirements (leave nodes) must be completed to its entirety (Seth, 2004). According to Seth (2004) for an attacker to achieve his/her mission in attacking Smartphones, he/she implements several strategies that are unchecked by the owner of PDA or Smartphones. Since PDA and Smartphones are now sophisticated, attackers know very well that employees of their target companies store the information in their phones. To begin with, the attacker will utilize all the available avenues to get access to the employee with an aim of getting this data. There are many avenues of exposing contents of a Smartphone (Seth, 2004). According to Bluetooth SIG Inc (2007) one can access the phone with the permission of owner and later steel the information directly or use other means such as Bluetooth link, MMS and internet download to access the information. The other strategy that an attacker can utilize is the relationship with the owner of the Smartphone. In this mechanism, the attacker tries to convince the owner to allow him access to the information through blackmail or social engineering the unsuspecting individual (Matthew, 2007). As stated by Patrick and Stephen (2009) the attacker can use the employee’s basic information to get vital information relevant for spamming. While spamming, the attacker can use the information to perform dictionary attacks into the owner’s Smartphone with an aim of revealing SIM pin, password that are normally weak in most Smartphone’s because they are not encrypted (Schneier, 2000). Finally, Patrick and Stephen (2009) said the attacker can obtain the basic and private information about a company from a negligent staff who is not keen of the confidentiality by using and accessing the information in public without being aware of the attackers with bad motives around him. An attacker can listen and record the information being disseminated by this employee or tap into an active port that streams information. Attack tree annotations (table) Concluding discussion: In conclusion, it is evident that the sophisticated growth of Smartphone technology has come up both with benefits and demerits which compromise information security. In essence most hacking occurs as a result of employee negligence in using their handheld devices. This demands that a good security policy must address the issue of training employee on the vulnerability introduced by the use of these devices. In addition, users must be advised to protect their PDAs and all their handheld devices apart from demonstrating to them ways through which hackers and attackers can take advantage of their negligence. The transfer of basic employee information between devices such as Smartphone’s and PDAs should be discouraged because of the loopholes present when these devices are connected and communicating with each other. References: Ben, G. (2006). How I stalked my Girlfriend, Retrieved September 28, 2011, from The Guardian: http://www.guardian.co.uk/technology/2006/feb/01/news.g2. Bluetooth SIG, Inc. (2007). Bluetooth Core Specifications, Version 2.1 + EDR, Volumes 0 to 4, Retrieved 28, September2011, from:http://www.bluetooth.com/NR/rdonlyres/F8E8276A- 3898- 4EC6-B7DA-E5535258B056/6545/Core_V21__EDR.zip. Gallagher, T., Bryan, J., & Lawrence, L. (2006). Hunting Security Bugs. Redmond, Microsoft. George, L. (2008). U.S. Cell Phone Industry Faces an Open Future, Industry Trends, Computer Magazine. IEEE Computer Society, 41(2), 1-5. Information Warfare Site. (2011). Information Technology Security Evaluation Criteria( ITSEC). Retrieved September 28, 2011, from: http://www.iwar.org.uk/comsec/resources/ standards/itsec.htm#top Jonathan, P. (2005). How to Track Any UK GSM Mobile Phone’, 2600 Magazine, 22(4), 34-39. Lourdhu, H., & Alagan, A. (2007). Trends and Challenges in Handheld Wireless Application Development. IEEE Canadian Review, 1(55), 23-34. Marcel, B. (2006). Forensic Imaging of Embedded Systems Using JTAG (Boundary-Scan). Digital Investigation, 3(1), 32-42. Matthew, B. (2007). Smartphone Trojans Discover Profit Motive. Retrieved September 28, 2011, from: http://www.techworld.com/security/news/index.cfm?newsid=8889 NATO IA. (2011). Best Practice & Common Criteria, Retrieved September 28, 2011, from http://www.ia.nato.int/guidance-more Patrick, M., & Stephen, M. (2009). Security and Privacy Challenges in the Smart Grid. IEEE Security & Privacy Magazine. Gladstone: Queensland Education press. Schneier, B. (2000). Secrets & Lies: Digital Security in a Networked World. New York, NY: John Wiley & Sons. Seth, F. (2004). Security Reference Guide: Windows Mobile Autorun. informIT, Retrieved September 28, 2011, from: http://www.informit.com/guides/content.aspx? g=security&seqNum=91. William, S. (2004). Trusted Computer Systems. Retrieved September 28, 2011, from: http://williamstallings.com/Extras/Security-Notes/lectures/trusted.html Read More

The overall perspective of the security evaluation must be based on the functionality of the products and how these functionality are configured to protect against security compromise which guarantee security to the entire systems(William, 2004). The other perspectives considered in the evaluation are the QA that guarantees the assurance of security protection to the systems environment. The assurance relates to the environmental awareness and security related values which must be configured to the system during system development life cycle.

The following are analysis of the perspective of each functionality and assurance as used to enforce security of the information (Information Warfare Site, 2011). Functionality In case of security analysis, functionality of the systems plays an important role in creating avenues and gaps that are utilized by attackers and hackers to gain access for purposes of compromising the security information. It is also worth to note that security occurs as results of intentional and accidental operation by both the internal and external attacks (Bluetooth SIG, Inc, 2007).

Therefore a good security plan must focus on various functionality elements that may create loopholes. To begin with, identification and authentication is very important functionality that must be implemented in the system to discourage anonymous access. This involves the creation and enforcement trusted path that must be traced by all valid user to eliminate hackers. It is also wise to implement some integration and customization that conform to specific security requirements. The software product must operate in an environment that does not support threat incubation by providing secure and free threat zone (Bluetooth SIG, Inc, 2007).

The company should also perform periodic security audits to ascertain any uncaught threat existing since there is no mechanism to eliminate all threats. According to Schneier (2000), the most important functionality is the data entry prevention and user protection which guarantees that the data captured by the user is validated. These include SQL injection, invalid data, cross language scripts and other threats related to the user and others emanating from the user interface. The other aspect that relates to the functionality is availability, physical protections, privacy and communication which can compromise security if poorly handled.

For example the means of communication can make a user reveal his credential to a potential hacker (Schneier, 2000). Assurance Levels The evaluation of security from the perspective of assurances relates to the quality assurance that is designed from the initial stage of the development life cycle all the way to deployment of the product. The aspects that are of concern to the assurances are testing of the product while still it is still being developed. During the life cycle of the product development, security assurance must be tested in all phases of the development to ascertain the strength of the software in relation to security threat.

Assurance guarantee that gaps and loophole that can be utilized by the attackers are sealed off completely so that an attacker will find limited avenues to use in the process of hacking (Gallagher, Bryan and Lawrence, 2006). The other aspect of assurance relates to verification and validation of the design against the security threats. The validation and verification of the security normally takes place at the design phase before the process of coding begins. A semiformal design which is a design that awaits the verification against security threats in design so that once approved, it becomes formal design.

The assurance is meant to ensure that the system is security compliant before the process of implementing the design so that the final product is secured (Gallagher, Bryan & Lawrence, 2006). Question 2: Mobile phones have grown sophistications to become the most indispensable tool in today’s day to day activities. Lourdhu and Alagan (2007) found that, both small and large inexpensive PDA is available in the market which can be used interchangeably with a basic computer to perform minor tasks.

Read More