Information Security Strategies And Policies

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

On the question of how logical access controls help protect assets and how their problems provide guidelines for improving the information security policy, the first valuable guideline is that organizations should never assume that internal users are good guys. Instead, the policy should be drafted on the assumption that every user is a potential threat, and access control reviews must be done when drafting the IS security policy.

The process by which access to resources or services is granted or denied is referred to as access control, which is broadly categorized into physical access controls and logical access controls. The question concerns logical access controls, also referred to as technical controls. These are software that restricts a subject's access to an object.

The main objective of logical access controls is to preserve the confidentiality, availability and integrity of resources, as defined in the organization's security policy, by preventing disclosure to unauthorized subjects. The following is a list of some logical access controls:

ACLs

Firewalls

Audit trail

Routers

Encryption

Intrusion Detection System

Alarms and alerts

Dial-up call-back systems

Antivirus software

Smart cards

Logical security controls help an organization to identify the legitimate users and computers that are authorized to access resources. These controls also help the organization to restrict access to specific resources. They generate audit trails of resource usage, which in turn helps with accountability and the tracing of intrusions, while preventing unauthorized users from accessing resources.

The key components of all logical access controls are:

System Access, where access is based on the clearance level of users, the sensitivity of information, and the user’s permissions.

Network Access identifies and controls access to different network resources such as switches, firewalls and routers.

Encryption and protocols protect and hide information as it passes through the network and where it is stored, with the aim of preserving the confidentiality and integrity of data.

Auditing logs every activity within a network, on a network device or on a specific machine. Audit logs are also helpful in security reviews, where they point out weaknesses in other technical controls.

Network Architecture defines the logical and physical outline of the network.

Access control software

These controls limit and control access to resources and make sure that only a registered user with an authorized user ID and password can gain access to the computer system.

Antivirus software

These controls detect and respond to viruses, which corrupt and disrupt the functionality of resources. Worms, which try to replicate throughout the network, also fall under this category. Viruses are one of the major malicious elements that affect organizations and cause a lot of havoc.

Passwords

Passwords are normally encrypted characters that help in the authentication process and work together with the user ID. A password is a secret key that helps in deciding the legitimacy of a user, and passwords are kept complex in order to achieve the goals set in the organization's security policy.

Dial-up access control and callback systems

Dial-up access controls allow only authorized and legitimate remote access to the secured environment, for example by making sure that the link is permitted only if the caller is calling from a valid phone number.

Intrusion detection systems

Intrusion detection systems detect and identify security breaches on a network or computer by gathering data, analyzing it against a set of rules, and raising alarms. Although these security breaches include both insider and outsider attacks, an IDS is more useful against very dangerous insider attacks, because it tracks user policy violations.

Discuss the operation of Intrusion Detection Systems. Also discuss what types of attacks it can stop and the type of attacks it can’t stop.

Intrusion detection systems are considered the second line of defense in countering intrusion, after authentication and access control facilities and the firewall. There are two kinds of IDS, network based and host based, and each of these can further be based on either signature or statistical response types.

There are three main components to the Intrusion detection system.

Sensors: This part of the IDS is responsible for collecting data. Sensors collect data from every part of the system where intrusion is possible, including log files, system call traces and network packets. After collecting the data, the sensor passes the information on to the analyzer.

Analyzers: The analyzer is the most important part of any IDS. It processes the information received from one or more sensors according to policies and determines the possibility of intrusion as its output. The analyzer also suggests how to tackle the intrusion, and its output serves as evidence of intrusion.

User Interface: As the name suggests, the user interface is the point where the user applies policies and monitors the operation of the IDS. Different IDS products come with different user interfaces, with identical features to manage, direct and monitor the IDS operation.
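
The sensor, analyzer and user interface split described above, as an added Python example that is not part of the original essay. It applies one signature rule and one statistical rule to a constructed audit log; the log format, the rule table and the threshold are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample audit log (time user action); not real data.
SAMPLE_LOG = """\
09:00:01 alice login_failed
09:00:02 alice login_failed
09:00:03 alice login_failed
09:00:04 alice login_failed
09:00:05 alice login_failed
09:00:09 bob login_ok
09:01:10 bob audit_disabled
09:02:00 carol login_failed
09:02:30 carol login_ok
malformed line
"""

# Signature-based policy (assumed): actions that are always reported.
SIGNATURES = {"audit_disabled": "audit trail switched off"}
# Statistical policy (assumed): failed logins tolerated per user per log window.
FAILED_LOGIN_BASELINE = 3


def sensor(raw_log):
    """Collect data: parse raw lines into events, skipping malformed ones."""
    events = []
    for line in raw_log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append({"time": parts[0], "user": parts[1], "action": parts[2]})
    return events


def analyzer(events):
    """Apply both policies and return alerts as evidence of possible intrusion."""
    alerts = []
    for ev in events:
        if ev["action"] in SIGNATURES:
            alerts.append(("signature", ev["user"], SIGNATURES[ev["action"]]))
    failures = Counter(ev["user"] for ev in events if ev["action"] == "login_failed")
    for user, count in sorted(failures.items()):
        if count > FAILED_LOGIN_BASELINE:
            alerts.append(("statistical", user, f"{count} failed logins"))
    return alerts


def user_interface(alerts):
    """Render alerts for the operator; the IDS reports, it does not block."""
    return [f"[{kind}] user={user}: {detail}" for kind, user, detail in alerts]
```

Calling `user_interface(analyzer(sensor(SAMPLE_LOG)))` yields one alert per rule type, while carol's single failed login stays below the baseline and raises nothing.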

Types of attacks stopped by IDS:

In answering the question of which types of attacks are stopped by an IDS, it is important to mention that IDS systems have a mandate only to detect intrusion, not to stop attacks. However, the most dangerous attacks, those launched by both unintentional and deliberate insiders or trusted users, are detected by IDS systems, along with the following list of attacks.

Denial-of-service (DoS) attacks, where the adversary disrupts services or resources, e.g. exploits aimed at resource exhaustion such as ping of death and TCP SYN flood attacks.

Buffer overflow attacks, where the adversary's goal is to gain access to the operating system and memory in order to execute intended code.

Privilege escalation attacks: a situation in which the adversary, using various means, gains more access to system resources than was intended.

Back Doors and sweepers attacks

Stealth Diagnostics attacks

Packet Forging / Spoofing

Disabling audits attacks

Exploiting known vulnerabilities attacks

Session hijacking and sniffing attacks

Types of attacks that IDS can’t stop:

The answer to the question of which types of attacks an IDS can’t stop is none, since IDS systems have a mandate only to detect intrusion, not to stop attacks. However, attacks that bypass detection by IDS systems are:

Loose configuration for detecting intruders leads to false positives and enables an intruder to go undetected by the IDS.

Packet level attacks.

Attacks on network protocols due to their weaknesses.

Character mode attacks.

Attacks as a result of weak identification and authentication mechanisms.

Social engineering attacks.

Using tools like Whisker and Fragrouter etc.

Generic DoS attacks, e.g. IP bomb and port bomb

IP Fragmentation attacks

Although RFID holds promise for easing security by not requiring individuals to scan or swipe their ID cards, there are also concerns that unauthorized users could intercept signals.

Research RFID security concerns.

What is the current state of RFID security?

What issues have arisen because of vulnerabilities?

What are the recommendations regarding RFID security?

Solution:-

With the use of tiny radio frequency identification (RFID) tags, RFID superseded barcode and swipe technologies, making swiping and scanning unnecessary. RFID technology enabled the automatic identification of objects, which increased efficiency and convenience. However, like other information systems, this technology came with certain loopholes and vulnerabilities, such that anyone could pick up RFID tags in the form of signals by employing an RFID transceiver. Since the amendment of ISO 18000-6 and the adoption of Gen 2, rigorous research has been conducted to make RFID reliable and more secure.

RFID security concerns:

Most of these loopholes and vulnerabilities came with the initial implementation of RFID technology and are being remedied, or at least improved, with the passage of time, e.g. by using encryption. The security concerns found while investigating RFID technology since its inception are listed below.

RFID systems are considered insecure because they lack authentication. Because of this exposure, it is difficult to distinguish foes from legitimate users.

There is no logical or physical access control mechanism, which can be exploited by a rogue reader that employs a transceiver to read tags or to tamper with the reader's tag database or even the reader itself.

In systems where encryption is missing, tag eavesdropping is likely to be achieved. Besides this, such systems are also susceptible to man-in-the-middle and denial-of-service attacks, which are also termed transmission and power attacks.

With none of the protocols standardized and secret, RFID is vulnerable to reverse engineering.

RFID based worms and viruses

There are also two types of risk pertaining to the privacy of individuals.

Tracking – A privacy issue arises because individuals can be tracked by monitoring signal patterns, and this happens even with encryption in place.

Information Leakage – An RFID tag contains sensitive information that could be read, which is a violation of privacy.

Current state of RFID security:

Due to the automated identification that RFID technology offers, its use has risen steadily over the past several years, especially in asset and supply chain management. RFID technology has evolved along the way, and countermeasures against most of its loopholes have been developed, but attacks have advanced as well, so security issues and privacy concerns are still among the key factors.

The Generation 2 protocol, an improved version, has been adopted and includes key capabilities for ensuring security, for instance the Kill command, which helps in the proper dumping of tags, along with the use of disguised EPC numbers. As for the current state of RFID security, the Generation 2 protocol provides ample security, but it won’t be considered secure in the future. Moreover, Gen 2 has certain shortcomings:

Breakable data encryption

Weaker means of password protection

Weak or no means of authentication for tag and reader

RFID security has remained in the news, and new security flaws and exploits have drawn attention. The recent ExxonMobil SpeedPass hack highlights the need for stronger password protection within any RFID system. Furthermore, the cell phone side-channel attack and RFID viruses and worms are also in the news. All this calls for the development of an EPC Gen 3 protocol with better technology and a higher security level.

Issues that have arisen because of RFID vulnerabilities:-

An RFID system consists of the RFID reader, the tag signal and network servers, all of which are vulnerable and susceptible to certain attacks at various stages. These attacks are categorized as attacks on the availability, confidentiality, authenticity and integrity of the RFID system as well as of the information it transmits. The RFID vulnerabilities are listed below.

RFID Card Skimming. A major RFID system vulnerability is the reality that anyone with an RFID reader can capture the information stored on a tag or ID. Grabbing personal information from a card or RFID ID is also referred to as "electronic pickpocketing". In this way the confidentiality of the system is threatened, since reading tags or IDs conveys precious information and is not just a privacy issue. RFID systems are therefore vulnerable to information leakage.

Tag Killing. RFID systems are also vulnerable to unauthorized tag killing using specially configured readers, and this can be achieved from a distance. Such alteration threatens the integrity of RFID systems by changing tag memory content without the holder’s knowledge.

Denial of Service attack. Thwarting the wireless link of an RFID tag or ID causes unavailability of the RFID service. Moreover, various buffer overflows and viruses also threaten availability, since RFID tags could be compromised by infection. For example, badly programmed readers can crash when the transmission rate changes.

Reverse engineering attack. By discovering how RFID works, attackers can gain access to the chip and memory contents. Although the method is thrice as complex and needs a knowledgeable adversary, most of the time attackers are highly skilled and technically sound.

Power analysis attack. Also referred to as a side-channel attack, it aims to retrieve information by analyzing how a device's power consumption changes, since it is a proven fact that emission patterns differ for a correct and an incorrect PIN. This helps in retrieving encryption keys. Surprisingly, all of this can also be achieved using a cell phone.

Eavesdropping and Man-in-the-Middle Attack. These attacks occur when an RFID tag emits data that is read by an authorized reader; because of cost and memory capacity issues, the information is most of the time in clear text. An attacker positioned in between then intercepts the data using an RFID reader. Information retrieved by these means has serious implications.

Spoofing and Cloning. Spoofing attacks are achieved when a forged RFID tag masquerades as a genuine one, whereas tag cloning is a variant of the spoofing attack in which the adversary captures the information from an original tag and creates an illegitimate copy of it.

Replay attacks. In these attacks, valid RFID signals captured while intercepting the communication between a reader and a tag are maliciously or fraudulently repeated or delayed. The replayed information is accepted by the system because it is legitimate.

Another issue with the use of RFID systems is the possible tracking of individuals, since the transmitted messages can be used to generate a precise movement pattern and determine the location history of an individual.

Corporate Espionage. Last but not least is the corporate espionage issue that arises from the vulnerable use of RFID systems. Organizations have recently moved from static passwords to smart card systems; since the card contains sensitive information, vulnerable RFID use could lead to corporate espionage.

Recommendations regarding RFID security:-

NIST has released guidelines for the secure use of RFID systems. Below is a glimpse of the NIST recommendations:

To prevent information leakage and unauthorized reading of information, there must be an authentication mechanism to approve legitimate use of the RFID system.

Strong input validation and auditing procedures should be in practice.

Despite the cost and space issues of RFID systems, tag information must be encrypted whenever viable.

Logging and monitoring should be in practice in order to detect security violations.

First-line-of-defence tools like firewalls should also be implemented in order to separate RFID database access traffic from other databases and critical systems. Proper filtering rules should also be configured to control access to the middleware and end-user applications.

To prevent physical attacks on RFID tags, which threaten the availability of the RFID system, strong shielding of RFID tag areas with solid metal, such as Faraday cages or meshes, should be ensured.

A proper mechanism for tag dumping should be in practice so that sensitive information cannot be reproduced.

Access should be limited to privileged users only, and scripts should be disabled on the backend system.

To prevent unauthorized eavesdropping, the transmission range of the tag should be reduced.
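
The replay attack described earlier and the authentication recommendation above, as an added Python example that is not part of the original essay or of the NIST guidance. It assumes a tag capable of HMAC-SHA256 and a per-tag key shared with the backend; `Tag`, `Reader`, `demo` and the tag identifier are hypothetical names, and the example is not a description of the Gen 2 protocol.

```python
import hashlib
import hmac
import secrets


class Tag:
    """Tag holding a per-tag secret key (assumed provisioned at issue)."""

    def __init__(self, tag_id, key):
        self.tag_id, self._key = tag_id, key

    def respond(self, challenge):
        """Prove knowledge of the key for this one challenge."""
        return hmac.new(self._key, challenge + self.tag_id, hashlib.sha256).digest()


class Reader:
    def __init__(self, key_db):
        self._keys = key_db   # tag_id -> shared key (backend database)
        self._pending = {}    # tag_id -> outstanding single-use challenge

    def accept_static(self, tag_id):
        """No authentication: a bare identifier is accepted every time it is seen."""
        return tag_id in self._keys

    def challenge(self, tag_id):
        self._pending[tag_id] = secrets.token_bytes(16)
        return self._pending[tag_id]

    def verify(self, tag_id, response):
        """Check the response against the pending challenge, then discard it."""
        nonce = self._pending.pop(tag_id, None)
        key = self._keys.get(tag_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + tag_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Return (static id accepted on replay, genuine response ok, replayed response ok)."""
    key = secrets.token_bytes(16)
    tag, reader = Tag(b"TAG-0001", key), Reader({b"TAG-0001": key})  # constructed id
    recorded = tag.respond(reader.challenge(tag.tag_id))
    genuine = reader.verify(tag.tag_id, recorded)
    reader.challenge(tag.tag_id)                    # later session, fresh nonce
    replayed = reader.verify(tag.tag_id, recorded)  # recorded response sent again
    return reader.accept_static(tag.tag_id), genuine, replayed
```

`demo()` returns `(True, True, False)`: a static identifier is accepted whenever it is presented, while a response recorded in one session fails against the fresh challenge of the next.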


