
III INTERNATIONAL CONFERENCE

TRANSPORT SYSTEMS TELEMATICS TST'03

POLITECHNIKI ŚLĄSKIEJ 2003 TRANSPORT z.51, nr kol. 1608

IT security, IT security management, normalization standards

Stanisław KRAWIEC¹, Jerzy MIKULSKI²

DATA SECURITY MANAGEMENT

The article presents methodological aspects of security policy in teleinformation systems, normalization standards for security classes, protection tools and the shape of the data security market.

DATA SECURITY MANAGEMENT (Polish abstract, translated)

The article presents methodological aspects of security policy in teleinformatic systems, normalization standards for security classes, protection tools and the shaping of the data protection services market.

1. INTRODUCTION

Economic units operating within the object structure of the transport system are forced to establish contacts between their own information networks and those of other contractors through wide area networks. This may constitute a hazard to their operation. An important element of counteracting such hazards is the management of data security and a widely understood data management policy.

2. METHODOLOGICAL SECURITY POLICY ASPECTS IN TELEMATIC SYSTEMS

In a time of dynamic development of computer networks and systems, the issue of system security and protection against unauthorized access by persons to computers and their resources takes on special meaning. Information systems in transport should contain elements ensuring protection of the data sent and kept in them against illegal modification or viewing by unauthorized persons.

¹ Faculty of Transport, Silesian University of Technology, Krasińskiego 8, 40-019 Katowice, Poland

² Chair of Automatic Control in Transport, Faculty of Transport, Silesian University of Technology, Krasińskiego 8, 40-019 Katowice, Poland, jmik@polsl.katowice.pl

Special hazards are related to the development of the global computer network, which has not been followed quickly enough by the implementation of information protection procedures and techniques in these networks. Awareness of the existence of such hazards imposes systematic counteractions, which entails a necessity for precise definitions of such terms as security, security policy or security management in the area of information protection and protection of IT systems. Most often, IT security is treated as a collection of all aspects related to the definition, achievement and maintenance of the following security attributes (defined in PN-13335-1):

- confidentiality - a feature ensuring that information is not revealed or made available to unauthorized persons, subjects or processes,

- authenticity - a feature ensuring that the identity of a subject or resource is as declared; it applies to users, processes, systems or even institutions; authenticity is related to verifying whether someone/something is the one/thing he/it claims to be,

- system integrity - a property consisting in the fact that the system performs its intended function in an unaffected way, free of unauthorized manipulation, either purposeful or accidental; application integrity means that the application is supplied by a reliable supplier, is complete and correct, in accordance with specifications, identical to the original one that was built, tested and accredited, is cared for by authorized persons and is not exposed to accidental or purposeful destruction,

- integrity - data and system integrity; a feature ensuring that information comes from a reliable source, is correct and internally consistent, that its modifications are performed by authorized persons, and that it is not exposed to accidental or purposeful destruction,

- accountability - a feature ensuring that the actions of a subject (such as a user) may be attributed solely to this user,

- reliability - a property meaning consistent and intended behavior and results.

An institution's security policy concerning IT systems - its IT security policy - includes the rules, ordinances and procedures that determine how resources, together with vital information, are managed, protected and distributed within the institution and its IT system. Information security management covers the entirety of processes aimed at reaching and maintaining a constant level of security, i.e. a high level of all the attributes presented in the definition of security itself (PN-13335-1).

Security policy is a key issue, but at the same time it is also very subjective. Every company has different requirements concerning security. Every company pictures the protection of its resources differently, motivated by different reasons. The fact that different companies use different software and hardware, as well as different security procedures, is also not without meaning. For precisely these reasons the security policy of every company has to be different, and no universal "device" exists for protecting the computer network and data transmission.

The policy of broadly understood IT system security has to contain such an element as information security management. It is a discipline bordering on the information, legal, organizational and management domains, dealing with the definition of security aspects, their achievement and maintenance. Security management is a continuous process occurring in an environment that changes continuously, with ever new hazards appearing and quick technological progress. Although security technologies develop together with IT systems, the protection measures alone are insufficient: they have to be properly selected, applied and managed in an optimal way.

IT security management should cover the following actions:

- determination of objectives (what should be protected), strategies and security policy regulations in the institution,

- identification and analysis of hazards to resources,

- identification and analysis of risk,

- determination of adequate protection,

- monitoring of implementation and operation (efficiency of protection),

- development and implementation of a training and awareness program,

- detection of incidents and reaction,

- configuration management, i.e. following up system configuration changes for their effect on the already reached security level,

- change management, i.e. identification of new security requirements when changes in the IT system occur (hardware, software updates, new procedures, new functions, new users including external and anonymous user groups, additional network and inter-network connections),

- preparation of contingency plans and restoration plans.

Information security management will include the following areas:

- filtering (selection) of packets (counteracting spoofing and SYN flood),

- assurance of proxy application operation (identification, ID confirmation, and checking of user authorizations),

- anti-virus diagnostics,

- supervision of FTP, WWW and SMTP services, control of Java applets,

- load balancing for network servers,

- translation of network addresses (hiding the private network structure),

- router control,

- monitoring of user and administrator operations and recording of events important for security.

Information security management carried out in a situation of real threats cannot ignore cost and risk analysis. The basic index should always be an estimate of the potential damage likely to occur as a result of a lack of protection. Each action of the company is related to a risk of information loss. It is necessary to restrict such risk to an acceptable level, if only for economic reasons, but one still has to reckon with the risk accompanying the processes occurring in the company. It is not profitable to establish complicated and expensive protections where revealing the data is not likely to bring comparable profit to anyone. Estimation of possible hazards should be preceded by a detailed specification of which resources should be subject to particular protection.

Not all resources have to be protected to a similar degree. Password protection of resources critical to system operation and protection of data of particular importance are of course priorities. We have to determine what is under hazard, to what extent, and how it has to be protected. In particular, it is necessary to assure strong protection of servers, physical protection of active network equipment, and protection against disloyal employees. However, in order to avoid excessive care, we also have to estimate the cost of protection and what the real losses may be: what losses is the company likely to incur lacking adequate protection - material, image and trust, legal or financial consequences? Protection costs can be estimated with sufficient precision. Then it is sufficient to compare the real losses with the costs. How to protect oneself at large, moderate or really low expense?

Safe use of such wide area network resources as information requires validation of persons, companies, transactions and documents. The variety of information techniques, their openness, dispersion and the anonymity of users result in a range of hitherto unknown hazards to information, and the matter of its protection has become a must for the correct operation of a company. A matter of utmost importance for a company willing to operate correctly is then establishing appropriate IT security. It involves principles and procedures describing how to protect resources, including information that is vital and strategic, and how to ensure the transmission security of these information resources.

The strategic issue of security policy is the selection of one of four basic security models:

Model 1: lack of protection - this model is observed in organizations whose authorities have recognized the risk level as incomparably low in relation to the costs of security policy implementation, and in institutions whose authorities have neglected the security aspect for one reason or another.

Model 2: security due to lack of interest from people - this model is based on the assumption that the information system is so unimportant to the competition and so uninteresting to intruders breaking in for sport or to hackers that security may be based on a high probability of no attack attempts.

Model 3: protection at the level of single computers - this model is probably the most widespread method of protection, although in relation to the entire information system of the organization its basic drawback is that it is not easily scalable and probably will not be efficient for large systems; however, it can work quite well for smaller systems.

Model 4: protection at the scale of the entire system (entire networks of the corporate organization) - such a model focuses on controlling access to all computers or services through the network rather than on protecting single computers; the tools used to operate such a model are strong authentication procedures (such as Kerberos or smart card procedures), separating architectures (firewall systems) or encryption (software for encrypting mail or communication sessions in the network).

Maintaining a high level of security in heterogeneous wide area computer networks becomes a more and more complicated task because of the technical complexity and dynamic development of this environment. A large part of contemporary corporate networks operates on the basis of local private networks connected with each other using a public network. In the awareness of most people, fed constantly by sensation-seeking information about the daredevil actions of hackers, the focus of the highest hazard is the public network (the Internet). In practice, however, it becomes clear that the highest hazard is constituted by local users having legal access to the assigned system resources, who for various reasons access or make changes to strategic information. While building corporate IT network security we have to take into account all dangers, including those that result directly from illegal actions by the organization's own employees.

The complete security policy contains sections determining all aspects of processing and preservation of computer data. For instance, they may include:

- user authentication policy,

- network resource access rights policy,

- personal data protection and correspondence confidentiality policy,

- system operation reporting policy,

- anti-virus policy,

- backup copy making policy,

- policy of reaction to dangerous situations,

- policy of physical access to computer systems and data carriers,

- purchasing policy,

- personnel training policy,

- policy of cooperation with the maintenance team.

The security policy has to fulfill four basic assumptions:

- it has to be feasible for the existing hardware platform or assume acceptable changes to the presently applied solutions,

- it has to be enforceable on system users: it cannot contain recommendations or orders that may be avoided in order to make work easier,

- it has to describe in a clear and unambiguous way the scope of responsibility of each person working within the protected system,

- it has to be flexible enough and open to future solutions so that IT system development is not blocked by its implementation.

Security policy in respect to the data maintained in computers and the information sent through the network determines the scope of protection, but not the methods of achieving security in the network. We have to remember that we may get to the selection of software for the task of implementing the assumed security policy only once the organization's management has approved the protection system design.

Having in mind the large number of available solutions, the selection of an appropriate product is not easy. As deciding criteria we may use: the degree of technical complexity, the scope of realized tasks, the transparency of the user interface and, of course, the price. When establishing the security rules we have to keep in mind that if important facts are disregarded or the assumed protection concept proves incomplete, this may significantly affect further system operation. Introduction of any modifications should be preceded by a detailed analysis of the resulting consequences, not only in terms of security, but also in respect to the entire system operation. It is unacceptable that the implementation of the protective layer of an IT system disturbs its correct operation.

3. NORMATIVE STANDARDS OF SECURITY CLASSES

Because of the existence of a variety of hardware and software coming from various manufacturers, there have to be international standards in place enabling evaluation of an IT system in terms of its security. In order to determine levels (classes) of security in a unified manner, IT system security criteria have been developed. These standards should be observed by users and manufacturers, especially when creating systems for which confidentiality, integrity of information and reliability have special meaning.

In practice, two methods of assessing IT system security levels may be applicable. The first of them consists in assigning the system a "security class" as defined within the widely used standard "The Orange Book". This document was developed by the US Department of Defense and contains a description of the criteria for assigning the systems under analysis to the appropriate security classes, information concerning the method of performing such a security analysis, as well as recommendations concerning the assurance of IT system security. The second method of assessing the security level consists in the performance of expert analyses called risk analysis. The characteristic feature of risk analysis is that the assessment performed takes strongly into account the probability of occurrence of the risk, in line with the principle that it is unreasonable to deal with a risk that is only slightly probable while potentially more costly risks remain undealt with.

The most widely known organizations dealing with standardization in IT security are:

- ANSI - American National Standards Institute,

- ISO - International Organization for Standardization,

- NBS - National Bureau of Standards, Department of Commerce,

- NCSC - National Computer Security Center, Department of Defense.

The most popular of these documents is the one named "The Orange Book". Its first part defines basic concepts and terms discussed in the further part of the document, such as the reference monitor and the reference correctness control mechanism (the Orange Book's reference validation mechanism). The reference monitor is a mechanism for enforcing authorized access of system subjects to objects, while the reference correctness control mechanism is the implementation of the reference monitor concept.

This mechanism is used for checking each data or program reference made by a user (or software) for compliance with the list of authorized access types for the user in question. In relation to this, the reference correctness control mechanism has to be:

- resistant to attempts at incorrect use (tamper-proof),

- always invoked,

- sufficiently small to be subject to analysis and tests in order to verify the reliability of the protection.

Earlier implementations of the reference correctness control mechanism are known as protection (security) kernels; a protection kernel is a combination of hardware and software. The Orange Book standard uses a formal model of security policy that defines the notions of security state and elementary access modes to objects, and determines the principles of assigning the predefined types of object access to subjects. It also contains a Basic Security Theorem saying that applying any sequence of the aforesaid rules to a system that is in a secure state will result in the system's transition to another state that is also secure.

In order to expand the security assessment criteria also to systems not containing a protection kernel, the idea of the Trusted Computing Base (TCB) was introduced. The TCB is the "heart" of a secure IT system, containing all elements responsible for realization of the security policy and supporting isolation of the system objects covered by the security. Thus the TCB contains hardware and software critical to system protection and has to be designed and implemented in such a way as to ensure the assumed protection level. The TCB should have a structure simple enough to make it possible to perform tests and analyses answering the question of whether the system is reliable.

"The Orange Book" also contains a description of requirements concerning IT system security assurance. These requirements are as follows:

- security policy - there has to be a clear and well-defined security policy and mechanisms enforcing its realization,

- description of objects - for each object of the system, such information as the protection level the object belongs to and the access rights of subjects that may potentially require access to the object shall be determined,

- identification - subjects have to be named in such a way as to enable their identification,

- audit - audit information has to be collected, recorded and maintained in a safe way, so as to render possible the analysis of possible hazards,

- reliability - software and/or hardware protection mechanisms that may be independently assessed from the point of view of fulfilling the previous requirements,

- continuity of protection against unauthorized access.

The document "The Orange Book" of the US Department of Defense defines four security levels D, C, B, A, additionally divided into classes. The various levels determine various methods of hardware, software and data protection. The classification is inclusive in character, which means that the higher levels have all the features of the lower levels.

Level D - the lowest security level, designed for systems that have been assessed but did not comply with the requirements for higher classes (this level does not require certification, as it is a system without any protection whatsoever).

Class D1 - a system of this class is a system without protection (lack of user and file protection), which means an entire lack of reliability in the system.

Level C - the classes of this level mean that the system ensures as-needed (i.e. discretionary) protection, consisting in giving rights to data only to those persons that need to have access; the protections enable following up of operations performed by users.

Class C1 - a system of this class complies with the requirements concerning as-needed security assurance, isolating users and data; such a system enables imposing limitations on single users, enabling them to protect their private data and information concerning tasks performed by them against accidental reading or destruction by other users. Minimum requirements for a C1 class system are:

- determined and controlled access of named users to named objects,

- a system that identifies users and checks passwords, deciding about giving a user access to information in the computer network.

Class C1 is deprived of event recording mechanisms (auditing, logging).

Class C2 - such systems enforce the responsibility of users for the network operations performed by them, by application of logging procedures, detection of events related to security and isolation of specific network resources; class C2 requirements are:

- it is possible to decide about group and individual user accesses,

- the access control mechanism restricts replication (propagation) of access rights,

- the as-needed access control mechanism disables unauthorized access to the network by default or based on a specific user's request,

- access control mechanisms may enable or restrict access of users to certain objects,

- the identification system may recognize each user that is logged in to the network,

- the system performs all operations ordered by specific users in accordance with the granted rights,

- the network may follow up access to network objects.

Such a system guarantees automatic recording of all data important from the security point of view.

Level B - a B level system has to ensure mandatory protection: each object has an assigned security level assessment, and the system will not allow a user to write to an object in violation of such an assessment.

Class B1 - a system of this class requires an informal assurance of the existence of a security principles model in the system as well as a mandatory access control model covering all users and objects; besides this, the system has to fulfill the following requirements:

- it has to enable the use of "labels" indicating the sensitivity of all controlled objects (such as "low importance", "important", "very important"),

- it controls data access based on the labels assigned,

- before imported and not yet marked objects are placed in the system they will be assigned labels; the system will not allow the use of unmarked objects,

- the labels must correspond exactly to the importance of the objects they are assigned to,

- during creation of the system, and on addition of new communication channels or new I/O equipment, the administrator has to mark them as single- or multi-level; this assignment cannot be revised automatically, it has to be made manually,

- multi-level devices do not modify the importance labeling of data sets in the network,

- single-level devices do not preserve such labeling,

- the operation of sending output data to the user, in non-durable form (for example on screen) or durable form (printout), has to create a label establishing the sensitivity of these data,

- the system has to use passwords and identify the user in order to determine their access rights and, moreover, on the basis of the user's rights, the system has to decide about granting them access to objects,

- the system has to record attempts at unauthorized access.
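The reference monitor and Basic Security Theorem described in the Orange Book discussion above, together with the label-based mandatory access control and unauthorized-access recording required of a Class B1 system, as an added example that is not part of the paper. It uses the three labels the paper quotes; the read/write rules ("no read up, no write down") are the Bell-LaPadula rules, assumed here as the formal model behind the Basic Security Theorem. The subject, object and scenario names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Added example (not from the paper): a toy reference monitor that enforces the
# label-based (mandatory) access control described for Level B / Class B1 and keeps
# the audit trail required from Class C2 onward. The three labels come from the
# paper; the read/write rules are the Bell-LaPadula "no read up / no write down"
# rules, assumed here as the formal model behind the Orange Book's theorem.

LEVELS = {"low importance": 0, "important": 1, "very important": 2}


@dataclass
class Subject:
    name: str
    clearance: str  # highest label the subject is cleared for


@dataclass
class SecObject:
    name: str
    label: str      # sensitivity label assigned to the object


@dataclass
class ReferenceMonitor:
    subjects: dict
    objects: dict
    accesses: set = field(default_factory=set)  # current (subject, object, mode) set = security state
    audit: list = field(default_factory=list)   # every decision is recorded, granted or denied

    def _authorized(self, subject: Subject, obj: SecObject, mode: str) -> bool:
        """Elementary access rules of the model."""
        s, o = LEVELS[subject.clearance], LEVELS[obj.label]
        if mode == "read":
            return s >= o      # no read up: cannot read more sensitive data
        if mode == "write":
            return s <= o      # no write down: cannot copy data to a less sensitive object
        return False           # an unknown access mode is never authorized

    def request(self, subject_name: str, object_name: str, mode: str) -> bool:
        """Mediate one access request; this is the 'always invoked' check."""
        subject = self.subjects.get(subject_name)
        obj = self.objects.get(object_name)
        if subject is None or obj is None:
            self.audit.append((subject_name, object_name, mode, "denied: unknown subject or object"))
            return False
        granted = self._authorized(subject, obj, mode)
        self.audit.append((subject_name, object_name, mode, "granted" if granted else "denied"))
        if granted:
            self.accesses.add((subject_name, object_name, mode))
        return granted

    def import_object(self, name: str, label=None) -> bool:
        """B1 rule: an imported object must receive a valid label before it can be used."""
        if label not in LEVELS:
            self.audit.append((name, "import", label, "refused: unlabeled object"))
            return False
        self.objects[name] = SecObject(name, label)
        return True

    def is_secure(self) -> bool:
        """State check behind the Basic Security Theorem: every current access obeys the rules."""
        return all(self._authorized(self.subjects[s], self.objects[o], m) for s, o, m in self.accesses)

    def denied_attempts(self):
        """Audit entries for refused requests, as required for detecting unauthorized access."""
        return [entry for entry in self.audit if entry[-1].startswith(("denied", "refused"))]


def demo() -> ReferenceMonitor:
    """Constructed scenario: an analyst cleared 'important' touches three objects."""
    rm = ReferenceMonitor(
        subjects={"analyst": Subject("analyst", "important")},
        objects={
            "timetable": SecObject("timetable", "low importance"),
            "incident report": SecObject("incident report", "important"),
            "contract terms": SecObject("contract terms", "very important"),
        },
    )
    rm.request("analyst", "timetable", "read")        # granted: reading down is allowed
    rm.request("analyst", "contract terms", "read")   # denied: reading up
    rm.request("analyst", "contract terms", "write")  # granted: writing up is allowed
    rm.request("analyst", "timetable", "write")       # denied: writing down
    rm.import_object("usb dump")                      # refused: no label
    rm.import_object("usb dump", "very important")    # accepted once labeled
    return rm


if __name__ == "__main__":
    m = demo()
    print("state secure:", m.is_secure())
    for entry in m.audit:
        print(entry)
```

Every request passes through `request`, so the monitor is always invoked, the decision logic is small enough to read in full, and `is_secure` can be re-run after any sequence of requests to confirm that the state stays secure; the denied entries in the audit list are exactly the recorded unauthorized attempts the B1 requirements call for.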

Class B2 - a system of this class has to base its proven system installation on a clearly defined and documented model of security principles; it has to develop the mechanisms of as-needed and mandatory access control present in a B1 class system in such a way that they encompass all users and objects; a B2 class system addresses covert ("hidden") channel problems and is divided into elements that are of key significance for security and those that are not.

Such a system is relatively resistant to attacks and should fulfill the following requirements:

- the system immediately notifies each user about changes introduced in the security system that apply to this user,

- during initial login and during system validation the system uses a specific communication channel connecting it with the user; only the user may initiate information exchange through this channel,

- the system creator will perform a detailed search for covert channels and will determine the maximum capacity of each of them,

- the verified system installation enables the use of separate operator and administrator functions,

- the design of the system has to be assisted by a person whose obligation is to inform the appropriate authorities about all changes introduced to the system design and to obtain approval.

Class B3 - a system of this class enables access only by those persons that have appropriate authorization and is immune to all intrusion attempts; the system has to be sufficiently compact to be submitted to analyses and tests; all code that is not of key meaning in terms of security has to be removed from the verified system installation; the designers have to ensure low complexity of the system, which will enable its analysis; a protection administrator also has to be assigned, provided with control mechanisms and procedures for "raising" the system after a failure; a B3 class system is very resistant to attacks and has the following requirements:

- all objects use lists of users who do not have access to the specific object,

- the system confirms the identity of the user before performing any operation,

- the system identifies the user not only internally, but also using external security protocols; the system will not grant access to users who do not fulfill the requirements of these protocols, even if they fulfill all other requirements of the system; moreover, such an attempt to access the system will be recorded,

- the system designers have to isolate certain communication channels from other channels,

- the verified system installation records all operations performed by users on named (labeled) objects,

- the system will "raise" from a failure without reduction of the security level.

Class B3 systems extend the security policy to the hardware.

Level A - the highest security level; the class belonging to this level has to use verification methods guaranteeing that both the mandatory and the as-needed control mechanisms efficiently protect the data collected and maintained in the system.

Class A1 - functionally, a system of this class does not differ much from a class B3 system, thus no additional functions or security principles are required, but procedures have to be carried out to verify whether the system complies with the security specification assumptions; such a system has to fulfill the following conditions:

- the administrator of system protections has to receive from the authors a formal model of security principles that describes in detail all the security principles and that contains a mathematical proof of compliance with the security assumptions and principles,

- all parts of the class A1 system have to have a protection administrator,

- the protection administrator installs the A1 class system, documents each operation performed and shows that the system is in accordance with the security principles and the formal model.

It is worth adding that at present there are only a few systems in the world whose security protections are rated as category B3 or A1.

A similar protection system was developed for the European Community: the Information Technology Security Evaluation Criteria (ITSEC). In the document of June 1991 the following protection mechanisms are recommended:

- user identification and authentication,

- resource access control,

- possibility to account for operations (accountability),

- following up of events related to security (audit),

- no possibility of object reuse (object reuse),

- integrity of data (accuracy),

- reliability of service,

- secure data exchange.

The ITSEC criteria constitute an expansion of "The Orange Book". In the evaluation of systems two scopes are taken into account:

- effectiveness of security functions - answering the question of whether the data creating the security base give a basis for reaching the objectives determined by the security policy of the evaluated subject,

- correctness of security functions - seeking an answer to the question of whether the security functions are really implemented by the hardware and software of the evaluated subject.

ITSEC defines 10 classes of system functionality, of which 5 have their counterparts in "The Orange Book" and the additional classes determine increased requirements. It also defines 7 reliability (assurance) classes. System functionality (when compared to "The Orange Book") is additionally described by the following features:

- truth - an expanded integrity function, covering detection and prevention,

- operating reliability - guarantees access to system resources,

- data exchange - services related to the protection of transmission systems.

The Canadian criteria CTCPEC (Canadian Trusted Computer Product Evaluation Criteria) were issued in 1993 by the Canadian System Security Centre and are equivalent to "The Orange Book".

(10)

266 Stanisław KRAW IEC, Jerzy MIKULSKI A key docum ent covering the standards and recom m endations for IT security m anagem ent is technical report ISO/IEC/TR 13335, consisting o f the following five parts :

- ISO/IEC TR 13335-1 / PN-I-13335-1: guidelines for IT system security management: terminology, relations between terms, basic models,

- ISO/IEC TR 13335-2: planning and management of IT system security; various approaches to risk analysis, protection plans, the role of training and awareness-raising actions, security-related positions in the institution,

- ISO/IEC TR 13335-3: IT system security management techniques: formulation of a three-level security policy, development of risk analysis issues, development of protection plan implementation, reaction to incidents,

- ISO/IEC TR 13335-4: selection of protections: classification and characteristics of various forms of protection, selection of protections for the type of hazard and type of system,

- ISO/IEC WD 13335-5: protection of connections with external networks; selection of protections used to protect the system interface with the external network.

Criteria for IT system security assessment are contained in the standard ISO/IEC 15408. The normalization standards presented enable classification of IT systems and assessment of the security conditions of these systems.

4. ADVANCED TECHNIQUES FOR DETECTION OF UNAUTHORIZED NETWORK ATTEMPTS AND THE DATA PROTECTION SERVICE MARKET

Presently there are many tools available on the market designed for the protection of computer systems. In a certain sense we are dealing with a very fashionable market trend for system protection. This fashion is, of course, a response to the pressure of the moment rather than a pointless invention, but both the most advanced program applications and the hardware products dedicated to the protection of our network have to conform to the assumed security policy.

In the last twenty years we may observe a strong evolution of protection tools; a similar period of time was spent on attempts at breaking into computer systems and on designing protection tools. Protection tools may affect various levels of our network and may use a variety of protection systems.

The widespread application of IT technology introduces previously unknown hazards to the security of IT systems: breaking into systems, viruses, spamming, blocking of operation etc. Thus the significance of data protection and of validation of objects circulating through the network is growing. Breaking into IT systems brings about significant financial losses and frequently a loss of trust in institutions earlier entrusted with confidential information. Protection measures reducing the risk of unauthorized access to data may be generally divided into two categories:

- restriction of access to system resources in accordance with the predefined protection policy of the organization,

- encryption of information using cryptographic methods.

The basic terms concerning data protection are: attack on data security, protection mechanism and data protection service.

Attacks may be performed in an active or passive manner. A passive attack includes eavesdropping (broadly understood) and monitoring of the information sent. The objective of a passive attack may be an attempt to reveal the contents of a message or to obtain information about the information flow itself. An active attack aims at modification of the information stream or creation of false information. These actions include: masquerading as an authorized person and denial of service.

The protection mechanisms include such actions as: encryption of information, authentication of information (digital signature), anti-virus protection, identification and validation of authorized persons.

The data protection services ensure certain guarantees as far as the reliability of computer systems is concerned and may take the following forms:

- confidentiality - protection against passive attack (prevention of unauthorized disclosure of information),

- authorization (authentication) - assurance of the authenticity of information and persons; guaranteeing that the information comes from the source named beside it and that the person is the one he or she claims to be (verification of identity confirmation),

- infrangibility - assurance of communication integrity, i.e. that the information was received in the same form as it was sent,

- undeniability - impossibility of denying the fact of sending or receiving the information,

- access control - the possibility of controlling access to information (systems) by way of verification and identification,

- availability - restriction of the effects of an attack in the area of information availability,

- integrity - prevention of unauthorized information modification,

- accessibility - prevention of unauthorized hiding of information and refusal of resources,

- non-refusal - no unit may refuse engagement in a certain event, for example refusing acceptance of the message.

Institutions and companies deciding to use wide area networks in their business operations have to be prepared to fight the threats brought about by connecting a website to the company network. For protection, the usual commonly accessible measures are used, such as firewalls and intrusion detection systems (IDS). They constitute the first line of protection and are the basic tools for a website or web server. However, such solutions are not sufficient against the new techniques used by today's criminals and network terrorists.

The corporate network protection system includes four basic, closely linked elements:

- computer network protection layer (firewall - network access control),

- network server protection layer (IDS - server access control),

- layer of protection of data sent through public networks (VPN - encryption of data transmission),

- data and application protection layer (control of access to specific data and applications and encryption of information being sent or stored).

Firewalls operate based on rules describing which ports have to be closed and which are open in the corporate network. Firewalls are not a sufficient protection system for web servers, as a necessary condition for the operation of e-business type systems is leaving some ports open in the firewall, thus giving hackers a possibility of intrusion. These ports ensure a passage channel through the firewall and a possibility of breaking into the system.

Conventional firewalls are located between the protected internal networks and unprotected ones (the Internet). In order to ensure safe access to and from the Internet, the inbound and outbound traffic is monitored.

Access to the company network frequently requires an additional type of firewall: a host-resident firewall. Firewalls of this type include personal firewalls of remote users, firewall agents for workstations and distributed firewalls located on application servers.

Similarly to conventional firewalls, host-resident firewalls are based on limiting traffic by implementing access control rules. These rules are used to determine the type of traffic, location and time of transfer. In the case of firewalls located on the server and firewall agents on workstations, access is usually much more tightly controlled than in the case of personal firewalls.

Conventional firewalls depend on the network topology in which they operate. By restricting traffic at certain points they ensure control and inspection of inbound and outbound traffic, which may cause congestion in busy e-business environments. Firewalls located on the servers distribute the protection functions over a range of processors, thus ensuring theoretically unlimited virtual scalability. Host-resident firewalls protect against actions of users who have so-called insider (well-informed person) access, and they allow protections to be configured taking into account the specific protection needs of the host. Most firewalls located on hosts serve the purpose of protecting Internet servers. Servers protected in this way may be located either in front of or behind the perimeter firewall.

Conventional firewalls apply only to traffic on the network perimeter. The main advantage of host-resident firewalls is that they may filter inter-network traffic regardless of its origin.

Intrusion Detection Systems (IDS) are deemed to be the next line of defense after firewalls, supplementing their operation, but in practice they are able only to detect attacks. The main drawbacks of network IDS are:

- Lack of broader possibilities to prevent attacks in real time. These programs "inspect" the packets circulating in the network, but do not stop their transmission. Very often the packet reaches its target and is processed before the IDS interprets it; as a result, successful attacks identified post factum by the IDS are a frequent phenomenon.

- Intrusion detection systems generally are not able to recognize attacks that are not yet known. Similarly to any system based on signatures (in this case attack signatures), it may handle only known attacks whose patterns exist in the IDS database.

Reaction to an intrusion generally takes place after its identification, although there are systems where predictive analysis is used, serving the purpose of foreseeing events and preventing the effects of their occurrence. In the reaction process it is possible to block the service, identify the aggressor exactly and possibly counterattack, eliminating the possibility of further actions by the aggressor.

Intrusion detection systems may be divided in the following way:

- systems operating in the host model (HIDS - Host Intrusion Detection System), protecting directly the operating systems, web servers or databases,

- systems monitoring the web traffic for suspect activities in the network model (NIDS - Network Intrusion Detection System),

- hybrid solutions, so-called NNIDS (Network Node Intrusion Detection System).

Solutions of the Host IDS (HIDS) type are based on sensor agent modules residing on all monitored hosts. These modules analyze event logs, critical system files and other verifiable resources, looking for unauthorized changes and suspect activities.

Most host-based systems are reactive, waiting for the appearance of certain events before raising an alarm. There are also, however, systems of a proactive character, acting in advance, monitoring and intercepting system kernel calls or API calls in order to prevent attacks and recording these facts in the event log. The proactive actions may also consist in monitoring data streams and environments specific to certain applications (for example file locations and registry settings for web servers) in order to protect these applications against new attacks for which no signatures exist in the IDS databases. Such solutions are frequently called IPS (Intrusion Prevention Systems), as they are directed at preventing attacks and not only informing about them.

Solutions of the Network IDS (NIDS) type monitor the network traffic in real time, inspecting the packets in detail in order to pinpoint DoS-type attacks or dangerous contents transported by them before they reach their destination. In their operation they rely on comparison of packets with attack patterns (signatures) kept in the IDS database, or on protocol analysis aimed at detecting anomalies in protocol operation. The signature databases are regularly updated by the IDS package suppliers as new forms of attack appear.

Solutions of the Network Node IDS (NNIDS) type are a relatively new hybrid IDS agent free from certain network IDS limitations. The packets intercepted in the network are compared with the attack signatures from the database; however, the agent is interested only in the packets addressed to the unit on which it resides.

Host-based systems have the edge in encrypted connections, such as SSL (Secure Socket Layer) web sessions or VPN (Virtual Private Network) connections, as they have access to the unencrypted data. Network intrusion detection systems cannot decrypt the data, thus they have to let encrypted packets pass, and certain attack types make use of this fact. Network node IDS located at critical network points or at its input may ensure an additional protection level within a hybrid approach to intrusion detection combining various types of products.

Layered intrusion detection solutions in the network model are still evolving. At the same time, the host-type model deployed on network servers serves the key business resources.

Protection of information sent via the public network may take place through the establishment of so-called virtual private networks. A VPN (Virtual Private Network) is a network of bi-directional channels established on the basis of a public network, most often opened for the time of transfer between the gateway stations (routers) of private networks, carrying the information transmission in encrypted form. Certain solutions also allow the establishment of a VPN between gateway stations and remote users' computers (PC, laptop).

Basically two methods of VPN creation exist:

- secure sleeve,

- secure tunnel.

The secure tunnel technique consists in encrypting the packet data field without the header. In this case, routing of packets is not changed, because the destination address located in the header field of the packet remains unencrypted and unchanged.

The secure sleeve technique consists in encrypting the entire contents of the packet, together with the source (packet origin location) and destination address fields. The encrypted packet is compressed and placed in the data field of a new packet whose destination address takes the value of the IP address of the router belonging to the network containing the proper packet destination. After the router receives the packet, decompression and decryption of the data field take place. Based on the information received, a new packet is created (identical to the one previously encrypted) and sent to the appropriate addressee. The secure sleeve technique enables the hiding of the internal private network structure.
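The two encapsulation modes described above, as an added example that is not part of the original paper: constructed packets are wrapped in secure tunnel mode (data field only) and in secure sleeve mode (whole packet hidden inside a gateway-to-gateway packet), and the example shows what an observer on the public network learns from the header in each case. The cipher is a toy HMAC-SHA256 keystream used only to keep the example self-contained, the gateway addresses and key are assumptions, and compression is applied before encryption because ciphertext does not compress.

```python
# Added example (not from the paper): secure tunnel vs secure sleeve VPN encapsulation.
# Toy cipher for illustration only: no integrity protection, never use for real traffic.
import hashlib
import hmac
import zlib
from dataclasses import dataclass
from typing import Tuple

# Constructed sample values: public addresses of the two sites' routers and a shared key.
GATEWAY_A = "203.0.113.1"
GATEWAY_B = "198.51.100.1"
SHARED_KEY = b"example-pre-shared-key"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    data: bytes

    def to_bytes(self) -> bytes:
        # Header fields and data field joined; ":" cannot occur inside an IPv4 address.
        return f"{self.src}:{self.dst}:".encode() + self.data

    @staticmethod
    def from_bytes(raw: bytes) -> "Packet":
        src, dst, data = raw.split(b":", 2)
        return Packet(src.decode(), dst.decode(), data)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


# Secure tunnel: only the data field is encrypted, the header stays in clear and routing is unchanged.
def tunnel_encapsulate(pkt: Packet, key: bytes, nonce: bytes) -> Packet:
    return Packet(pkt.src, pkt.dst, _xor(key, nonce, pkt.data))


def tunnel_decapsulate(pkt: Packet, key: bytes, nonce: bytes) -> Packet:
    return Packet(pkt.src, pkt.dst, _xor(key, nonce, pkt.data))


# Secure sleeve: the whole packet (header + data) is compressed, encrypted and carried in the
# data field of a new packet addressed to the router of the destination network.
def sleeve_encapsulate(pkt: Packet, key: bytes, nonce: bytes, from_gw: str, to_gw: str) -> Packet:
    inner = zlib.compress(pkt.to_bytes())
    return Packet(from_gw, to_gw, _xor(key, nonce, inner))


def sleeve_decapsulate(wire: Packet, key: bytes, nonce: bytes) -> Packet:
    # The receiving router decrypts, decompresses and rebuilds the original packet to forward it.
    inner = zlib.decompress(_xor(key, nonce, wire.data))
    return Packet.from_bytes(inner)


def observable_addresses(wire: Packet) -> Tuple[str, str]:
    """What an on-path observer on the public network learns from the header fields."""
    return (wire.src, wire.dst)


def demo() -> dict:
    original = Packet("10.1.0.5", "10.2.0.7", b"order 4711: 20 rail wagons")  # constructed
    nonce = b"pkt-0001"  # a real protocol would make this unique per packet
    t = tunnel_encapsulate(original, SHARED_KEY, nonce)
    s = sleeve_encapsulate(original, SHARED_KEY, nonce, GATEWAY_A, GATEWAY_B)
    return {
        "tunnel_header": observable_addresses(t),  # internal host addresses remain visible
        "sleeve_header": observable_addresses(s),  # only the two gateways are visible
        "tunnel_restored": tunnel_decapsulate(t, SHARED_KEY, nonce) == original,
        "sleeve_restored": sleeve_decapsulate(s, SHARED_KEY, nonce) == original,
        "payload_hidden": original.data not in t.data and original.data not in s.data,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```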

For several years, advanced techniques for detecting unauthorized network penetration attempts have been in use. The first software of this type was used in military applications in the mid-nineties. Since then, commercial products able to detect hacker actions have been available on the market.

The basis for intrusion detection is monitoring. Intrusion detection systems rely on information concerning the activity of the protected system. Monitoring is related to many technical and operational issues. The most important are, among others, sufficiently early detection and performance of the system sufficient both for monitoring activity and for carrying out normal tasks. The degree of fulfilment of these criteria is decisive for successful detection of real intrusions.

Intrusion detection systems generate reports directed to the system protection and security infrastructure. This infrastructure may be built into the intrusion monitoring unit or be a standalone appliance. In both cases, the method of processing the information, its storage, availability and use for the purpose of risk reduction is one of the most difficult aspects of practical intrusion detection system implementation.

The basis for system activity analysis are abnormal behavior signatures. The use of abnormal behavior signatures, also called attack patterns or signatures, is most frequent in immediate intrusion detection systems. The signatures appear mainly in one of two versions:

- descriptions of known attacks: dynamic descriptions of known activity patterns that are likely to constitute a threat to security, like the virus databases used in anti-virus software,

- patterns of suspect text sequences: certain text sequences, such as "top secret" or "confidential", discovered in the contents of packets being sent and that may be deemed suspect; such patterns are often determined locally by the system administrators.

When monitoring the flow of packets there is a possibility of selecting one of three options:

- Inbound: packets coming from the Internet side are checked;

- Outbound: packets leaving the protected network are checked;

- Eitherbound: all packets are checked.

Of course the most cautious approach is to use the latter option, which enables control of all packets flowing through the gateway, and it is set as the default value. In certain circumstances, in order to increase system efficiency (especially under high gateway load), it is possible to give up the control of packets leaving the private network (i.e. to limit checking to inbound packets). Reduction of the efficiency of the protected computer network operation is one of the most important drawbacks of "firewall" software: control of all packets significantly reduces the data transmission rate.
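A minimal signature monitor in the spirit of the two preceding passages, added here as an example that is not part of the original paper: it applies the two signature kinds (known attack descriptions and locally defined suspect text sequences) to constructed packet records under the Inbound, Outbound and Eitherbound options, and counts how many packets each option had to inspect. The protected address prefix, the signatures and the traffic sample are all constructed for the example.

```python
# Added example (not from the paper): signature-based packet monitoring with the three
# direction options. Signatures and traffic are constructed and deliberately simple.
import re
from dataclasses import dataclass

PROTECTED_PREFIX = "10.0.0."  # constructed address prefix of the protected private network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def direction(pkt: Packet) -> str:
    """Classify a packet relative to the protected network, as seen at its gateway."""
    src_in = pkt.src.startswith(PROTECTED_PREFIX)
    dst_in = pkt.dst.startswith(PROTECTED_PREFIX)
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "internal" if src_in else "transit"


# Signature kind 1: descriptions of known attack patterns (constructed examples).
KNOWN_ATTACKS = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "overlong-field": re.compile(rb"(.)\1{199,}", re.S),  # 200+ repeats of one byte
}
# Signature kind 2: suspect text sequences, set locally by the administrators.
SUSPECT_TEXT = [b"top secret", b"confidential"]

# Which directions each option inspects; None means every packet passing the gateway.
MODES = {"inbound": {"inbound"}, "outbound": {"outbound"}, "eitherbound": None}


def monitor(packets, mode: str = "eitherbound") -> dict:
    """Return the alerts raised and the number of packets that had to be inspected."""
    wanted = MODES[mode]
    alerts, inspected = [], 0
    for pkt in packets:
        d = direction(pkt)
        if wanted is not None and d not in wanted:
            continue  # skipped to save gateway capacity, at the price of a blind spot
        inspected += 1
        for name, pattern in KNOWN_ATTACKS.items():
            if pattern.search(pkt.payload):
                alerts.append((d, pkt.src, pkt.dst, "attack:" + name))
        lowered = pkt.payload.lower()
        for phrase in SUSPECT_TEXT:
            if phrase in lowered:
                alerts.append((d, pkt.src, pkt.dst, "text:" + phrase.decode()))
    return {"mode": mode, "inspected": inspected, "alerts": alerts}


# Constructed traffic sample: a probe from outside, an outgoing message carrying a
# suspect phrase, and two benign requests (one in each direction).
SAMPLE = [
    Packet("198.51.100.9", "10.0.0.5", b"GET /cgi-bin/../../private/ HTTP/1.0"),
    Packet("10.0.0.7", "203.0.113.4", b"Subject: Q3 figures\r\n\r\nThis file is CONFIDENTIAL."),
    Packet("198.51.100.9", "10.0.0.5", b"GET /index.html HTTP/1.0"),
    Packet("10.0.0.7", "203.0.113.4", b"GET /timetable HTTP/1.0"),
]

if __name__ == "__main__":
    for option in MODES:
        report = monitor(SAMPLE, option)
        print(f"{option:>11}: inspected {report['inspected']}, alerts {len(report['alerts'])}")
```

Only the Eitherbound option catches both the inbound probe and the outgoing suspect text, at the cost of inspecting every packet.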

In order to monitor the network environment, two basic anti-virus protection techniques are additionally used: the anti-virus gateway and scanning of files at the moment of access. The gateway usually serves the purpose of filtering electronic mail for dangerous attachments. On-access anti-virus scanning ensures protection at workstations and consists in taking over the operations of opening and closing files and checking files before making them available or running them. Access or run operations are blocked in the case of a detected virus infection. The efficiency of this method depends only on the capability of the virus scanner, i.e. whether the available virus patterns are up to date.

As cyber security becomes highly in demand, there exists a network security service market worth several billion dollars yearly (the annual value growth of the market is 400%). There exist several specialized companies monitoring the computer systems of other organizations 24 hours per day (Symantec SOC, F-Secure, Network Associates). For instance, the Symantec Operation Center (SOC) employs 40 persons in 3 shifts for monitoring 600 companies worldwide; the team of this company analyzes monthly 9.5 million lines of code retrieved from clients' servers, of which 1,300 are qualified for further analysis and 340 on average are virus attacks, including 3 very dangerous ones. Information specialists of the above-mentioned protection companies analyze only the events occurring in firewalls (1000 pounds monthly per device), inform the client about measures to be taken in order to avoid the danger and inform the company about published errors in the user software.

The Symantec company specializes in the production of vaccines (from 43 seconds to several hours) using elements of artificial intelligence (90% of threats are eliminated using an automatically generated vaccine created by intelligent software based on attack history).

Because of the appearance of a law (USA) ordering the assurance of data security, companies not directly exposed to attack also use the security services of the above-mentioned companies, which may result in further dynamic development of data protection services.


Reviewer: Prof. Zbigniew Ginalski
