
Friday, August 26, 2011

INFORMATION ASSURANCE & SECURITY CONCEPTS ( Part 03 )

Let us take the example of someone trying to rob a bank.

Take a look at a bank. When was the last time you entered a bank and saw a bank teller sitting on the floor in a huge room next to a massive pile of money? Never! Getting to the big money in a bank requires that you get to the bank vault, which requires that you go through multiple layers of defense. Here are some examples of the defensive layers:

  • Numerous closed-circuit cameras monitor the movements of everyone in every corner of the bank.
  • If that person does not care about the cameras, there is often a guard at the bank's entrance. (The security guard is there to physically defend the bank with a gun.) Two security guards provide even more protection.
  • Some banks have time-release doors. As you enter the bank, you walk into a bulletproof glass capsule. The door you entered closes, and after a few seconds the glass door to the bank opens. This means you cannot rush in and rush out. In fact, a teller can lock the doors remotely, trapping a thief as he attempts to exit. (But what if both security guards get shot by masked bandits?)
  • Tellers do not have access to the vault. (This is an example of least privilege, which is covered next.) Hopefully, the vault is protected by several locks, and cannot be opened without two individuals who are rarely at the bank at the same time.
  • The vault itself has multiple layers of defense, such as:
      o  It opens only at certain controlled times.
      o  It's made of very thick metal.
      o  Multiple compartments in the vault require other access means.

Therefore robbers cannot easily get what they want, because the bank combines the many security measures discussed above.

Of course, having all these security measures does not ensure that our bank will never be successfully robbed. Bank robberies do happen, even at banks with this much security. Nonetheless, it's pretty obvious that the sum total of all these defenses results in a far more effective security system than any one defense alone would.

We are essentially saying that defenses taken as a whole can be stronger than the weakest link. The weakest link still decides the outcome where security functionality does not overlap. But when it comes to redundant security measures, it is indeed possible that the sum protection offered is far greater than the protection offered by any single component.

Firewalls For Networked Banking & Online Banking


A good real-world example where defense-in-depth can be useful, but is rarely applied, is in the protection of data that travel between various server components in enterprise systems. Most financial companies will throw up a corporate-wide firewall to keep intruders out. Then they'll assume that the firewall is good enough, and let their application server talk to their database in the clear. If the data are also encrypted, then the attacker won't be able to get at them without breaking the encryption or breaking into one of the servers that stores the data in an unencrypted form. If they throw up another firewall, just around the application this time, then they can protect themselves from people who can get inside the corporate firewall.

Now attackers would have to find a flaw in some service that the application's sub-network explicitly exposes, something we're in a good position to control. Even where the bank expects a firewall to protect its information system, the system should be built as though the firewall has been compromised.

Proxy-Based Firewalls


Problem: complex policy (Example: web server of bank) 

Solution: proxy


Design: transparent vs. classical
Limitations: attacks from within premises

Unfortunately, a great deal of software is designed and written in a way that leads to total compromise when a firewall is breached. This is not good enough today. Just because some defensive mechanism has been compromised does not give you the right to concede defeat. This is the essence of defense in depth: at some stage the bank has to defend itself. Don't rely on other systems to protect the bank. Put up a fight, because software fails, hardware fails, and people fail. People build software, people are flawed, and therefore software is flawed. The bank must assume that errors will occur that will lead to security vulnerabilities. That means the single layer of defense in front of the bank will probably be compromised, so what are the plans if it is defeated? Defense in depth helps reduce the likelihood of a single point of failure in the system.

Implement layered security (ensure no single point of vulnerability). Security designs should consider a layered approach to address or protect against a specific threat or to reduce vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combines to increase the work-factor an attacker must expend to successfully attack the system. Adding good password controls and adequate user training improves the system's security posture even more.

The need for layered protections is especially important when commercial-off-the-shelf (COTS) products are used. Practical experience has shown that the current state-of-the-art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in series, requiring additional work by attackers to accomplish their goals.

Security architecture is a new concept to many computer users. Users are aware of security threats such as viruses, worms, spyware, and other malware. They have heard of, and most use, anti-virus programs and firewalls. Many use intrusion detection. Architectural security, though, remains a mystery to most computer users. 

The truth is, anti-virus software, firewalls, and intrusion detection are only the surface of security. They are all reactive measures that attempt to respond to active threats, rather than proactive measures that anticipate threats and try to make them harmless. These applications have a major role to play, but are not enough in themselves. Therefore HNB has its own Information System Department to deal with such problems itself.

Auditing the system: keep (and review) system logs

System logs of changes or errors are traditionally saved by system applications. This arrangement is not ideal, since altering logs to hide an intrusion is one of the first steps that an expert cracker takes.

However, since many attacks are by script-kiddies with little understanding of the system, a change in logs is often the first sign that a system has been compromised. Some intrusion detection programs, such as Tripwire, can automate the checking of logs and other key files.
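As an added example (not from the original post, and not Tripwire's own code), the Python below shows the kind of check such a tool automates: key files must match a trusted baseline exactly, while a log may grow as long as the bytes recorded at baseline time are untouched. The function names, the `auth.log` file and its entries are constructed for illustration.

```python
import hashlib
import os
import tempfile

def digest(path, length=None):
    """SHA-256 of the whole file, or of its first `length` bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read() if length is None else f.read(length))
    return h.hexdigest()

def take_baseline(path):
    """Record what the file looks like while the system is still trusted."""
    return {"size": os.path.getsize(path), "sha256": digest(path)}

def check(path, baseline, append_only=False):
    """Classify a file as missing, unchanged, appended, truncated or modified."""
    if not os.path.exists(path):
        return "missing"
    size = os.path.getsize(path)
    if size == baseline["size"] and digest(path) == baseline["sha256"]:
        return "unchanged"
    # A log may grow, but the bytes present at baseline time must not change.
    grew = append_only and size > baseline["size"]
    if grew and digest(path, baseline["size"]) == baseline["sha256"]:
        return "appended"
    return "truncated" if size < baseline["size"] else "modified"

def demo():
    """Run the check over a constructed sample log in a temporary directory."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")  # constructed sample, not real data
        with open(log, "wb") as f:
            f.write(b"09:00 login ok user=teller1\n09:05 login FAILED user=admin\n")
        base = take_baseline(log)
        results.append(check(log, base, append_only=True))
        with open(log, "ab") as f:  # normal activity: a new entry is appended
            f.write(b"09:10 login ok user=teller2\n")
        results.append(check(log, base, append_only=True))
        with open(log, "rb+") as f:  # tampering: an old entry is rewritten
            f.seek(f.read().index(b"FAILED"))
            f.write(b"ok    ")
        results.append(check(log, base, append_only=True))
        os.remove(log)  # the log is deleted outright
        results.append(check(log, base, append_only=True))
    return results
```

The baseline is only worth something if an intruder cannot rewrite it along with the log, so it belongs off the monitored host or on read-only media.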
 

     
It is safe to use eBanking. The bank provides self-service solutions with a very high level of security.




Compliance with the three general security principles provides a level of security that meets the highest standards.

The eBanking security system is based on three general security principles.
  • No unauthorized person can gain access to the customer’s personal data through eBanking. This is because of the way the bank identifies customers and transmits data.
  • No unauthorized person can read data transmitted between the customer’s browser and the bank. The bank protects customer data using SSL encryption.
  • Data cannot be altered during transmission between the customer’s browser and the bank. Only the customer can carry out account transfers and similar transactions. The bank's system is based on the principle that financially binding transactions are verified electronically.

Access ID, e-Safekey and ActivCard


Hatton National Bank eBanking offers three security systems: Access ID, e-Safekey and ActivCard. The systems protect communications by SSL encryption and a control device. This ensures that:
    • You can see that you are communicating with the bank
    • The bank can identify you before transmitting confidential information
    • Unauthorized persons cannot access your communications

Access ID

Access ID is a security solution that consists of an eight-digit User ID, a password (this is a 4-digit PIN) and a security card.

ActivCard

The ActivCard solution is based on a physical ActivCard that can generate codes according to your PIN.

e-Safekey

e-Safekey is security software used to manage IDs, keys and passwords. It is installed on your computer.

Other features

  • Timeout Feature

Farmers National Bank’s web sites have a timeout feature in those areas of the web sites requiring account login to access your financial information. This feature automatically logs you out of your financial services session after an extended period of inactivity on our site. Because someone else might obtain physical access to your system, it is better for privacy reasons for you to explicitly log off the financial services session after you finish accessing your personal financial information, rather than waiting for the timeout feature to occur. 


  • Cryptography

The way the encryption process works is that first you send us a secure message from your browser. We respond by sending you a certificate that contains our "key" to lock and unlock the coded messages between us. Your browser uses this key so that the "conversations" between your browser and our server are coded in such a way that we both can encrypt and decode the conversations, preventing others from understanding them. Whenever possible, Farmers National Bank uses the strongest browser encryption technology available. Because this encryption technology is so strong, the U.S. government will generally not permit the export of browsers supporting this technology. Therefore, some of Farmers National Bank’s online financial services may not be available outside of the United States and Canada. 
 
  • Access Codes

To obtain any financial services from the Farmers National Bank web sites, you must use your personal access codes, specifically, a User ID and a Password. No one can access the web site to find out about your personal financial dealings with Farmers National Bank unless they have both your User ID and Password. Treat both your User ID and Password with the same degree of care and secrecy as you treat your ATM personal identification number (PIN) and your other sensitive financial data. 

INFORMATION ASSURANCE & SECURITY CONCEPTS ( Part 02 )


Layering security defenses in an application can reduce the chance of a successful attack. Incorporating redundant security mechanisms requires an attacker to circumvent each mechanism to gain access to a digital asset. For example, a software system with authentication checks may stop an attacker who has subverted a firewall. Defending an application with multiple layers can prevent a single point of failure that compromises the security of the application.

Not only that: they also implement many physical security principles to protect the information system and the physical equipment from theft and forgery.

Why is the typical bank more secure than the typical convenience store? Because there are many redundant security measures protecting the bank, and the more measures there are, the more secure the place is.

Physical security of the bank database

  • Use CCTV cameras to watch customer behavior.
  • Security Guards and guns.
  • Bulletproof walls and glasses.
  • Keeping server rooms locked.
  • Keeping computers locked to a wall or table.
  • Keeping a combination of locks and alarms for emergencies.
  • Computer hardware is protected from fire damage by smoke detectors and sprinkler systems just like any other equipment.
  • Prevent the loss of data by storing backup tapes in remote locations.
  • Uninterruptible power supplies are a low-cost investment that can prevent very costly equipment damage; for that, use a generator and a UPS.

Data integrity
  • Periodically backing up data is the most important step in preventing data loss. Backups can be on removable disks, tapes, paper printouts or other computer systems.
  • Virus protection is a necessity for the bank database. Therefore install virus guards and Internet security guards. All the computers run on legitimate operating systems with virus guards.
  • RAID systems are also being used to ensure the integrity of data.

“RAID, acronym for Redundant Array of Independent Disks (originally Redundant Array of Inexpensive Disks), is a technology that provides increased storage functions and reliability through redundancy. This is achieved by combining multiple disk drive components into a logical unit, where data are distributed across the drives in one of several ways called "RAID levels"”. - Wikipedia

Data security

  • Accounts on both multi-user machines and personal computers are protected by passwords.
  • Systems holding data belonging to multiple users set an owner for each file and permissions defining who is allowed to read or write to it; therefore, implement authorization levels.
  • Since most security attacks are now initiated from a remote location via the network, many organizations now separate their internal networks from the internet with a firewall. Data encryption provides a second layer of security.

“In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text)”. - Wikipedia 

  • There must always be someone able to fix a computer system by using a second password-protected account called "system", "administrator", "root" or "super user", which bypasses the file permission system.
  • Email is particularly insecure; use some sort of email encryption system, such as PGP.

“Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security of e-mail communications”


  • Periodic audit trails are a means for the system administrators to find out if security has been breached and how much damage was done.

INFORMATION ASSURANCE & SECURITY CONCEPTS ( Part 01 )


Information security

This means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Information assurance 

This is the protection of data against unauthorized access. It covers the technical measures designed to ensure the confidentiality, possession or control, integrity, authenticity, availability and utility of information and information systems.

The terms information security, computer security and information assurance have similar meanings. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some small differences between them. Information security is concerned with the above goals and data regardless of the form the data may take: electronic, print, or other forms.

 

Two other main terms discussed under information assurance and security are threat and vulnerability.

Threat 

The capabilities, intentions, and attack methods of adversaries to exploit; in other words, any circumstance or event with the potential to cause harm to information.

Vulnerability 

A condition or weakness that can be exploited by one or more threats. A flaw that would allow unauthorized access to an information system by someone or something that should not be there.

Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business's customers or finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.

 

METHODS OF PROTECTING DATA OF THE INFORMATION SYSTEM

  •  Physical security
  •  Data integrity
  •  Data security
  •  Key Distribution
  •  Firewalls
  •  Security services in networks
  •  Encryption Algorithms
  •  Authentication Protocols
  •  Message Integrity Protocols