Cyber security may be defined as:
A series of processes, procedures, tasks, and
activities implemented together with information technology (IT) and
telecommunication elements with a view to controlling and protecting
from threat, as regards their integrity, availability, confidentiality,
and authenticity, IT resources (data, equipment, etc.) located at
specific sites, during the storage or transmission thereof.
[1]
Note the following elements of the above definition:
- A series of processes, procedures, tasks, and activities: This
  indicates that security is a complex system involving many
  interrelated elements.
- Implemented together with information technology (IT) and
  telecommunication elements: Technological support is very important
  but is not the only element. Many organizations, or individuals within
  organizations, believe that merely purchasing a technological tool to
  support security is sufficient for security to be obtained. For
  example, they buy firewalls or anti-virus software and think that
  their networks will now be secure. However, if they do not configure
  the firewall or anti-virus software, if no procedures or security
  policies are in place to check such elements, or if regular efforts
  are not made to update them, neither the firewall nor the anti-virus
  software will support the security of IT resources.
- Protecting from threat ... IT resources: Information is today of the
  highest importance to organizations, which is why information security
  has taken on such importance. However, it is not the only thing to be
  protected: physical IT resources, such as servers, computers, printers,
  etc., and, of course, human resources also need to be protected. Cyber
  security must concern itself with all such “resources.”
- Clear definitions of integrity, availability, confidentiality, and
  authenticity are provided below.
Why is cyber security so important today?
With that explanation of cyber security, it is
relevant to underscore its importance today. Therefore, we will
briefly discuss its history and evolution.
When information technology was first developed, companies that made
extensive use of computers always had a mainframe computer, housed in a
computer center and administered by experts, who were the only ones with
access to it. Here, security essentially involved ensuring that the
experts were trustworthy and that the site of the computer had proper
environmental conditions and conditions of physical access.
After this first stage, "dumb"
terminals appeared. These were merely extensions of the server’s
screen (initially, very close to the mainframe and later, up to
several kilometers away, through the use of communications lines) that
could be used by more than one person. In this situation, in addition
to the environment of and access to the mainframe, security had to
address the individuals able to use the terminals, generally a small
and select group, and to ensure that the mainframe had multi-user
capacity. However, it did not yet address complex problems of user
authentication and permission to use resources.
The next stage arrived with the appearance of
personal computers and the ability to store data in client computers.
Now security began to be a more complicated affair, as IT resources (information,
computers, etc.) were not located at an enclosed site that was easy to
guard and control, but instead were distributed throughout the office,
with many more users.
Next was the emergence of local area networks (LANs),
in which computers are interconnected and each is also connected to
the server, thereby permitting information to move readily and simply
from one place to another. The topic of security then became highly
relevant, as anyone with access to a network computer potentially
could obtain information from other computers or the server or send
viruses or software over the network, thereby compromising the
availability of services and data stored in computers or servers.
Lastly, with the emergence of WAN networks,
particularly the Internet, and of today’s interconnection philosophy,
wherein one’s location and/or the type of system no longer matters,
other computers and servers may be accessed. This new philosophy has
many well-known advantages, but it also creates major problems, or
rather challenges, in connection with IT resource security. Attacks
(unauthorized access attempts, denial of service, viruses, etc.) may now
come not only from inside organizations but from anywhere in the world.
It is also important to take account of the
evolution of the use of computers as, over time, changes have occurred.
Formerly, computers were only used for very particular and specific
applications, while today they are used for nearly every activity and,
owing to interconnection, a wide array of data may be transmitted and
accessed from anywhere. One particular and perhaps very clear example
is the evolution of banks and the handling of money. Originally,
everything had to be done in the branch where the account was held or,
subsequently, via the bank’s offices. But today, all banks are only a
click away and any type of transaction may be carried out via
computers and networks.
Lastly, people have also changed. Initially, only a
small number understood and could handle computers. However, this is
no longer the case. We now also have another problem, which is that
although a small number know how to violate the security of a
particular system, they are publishing step-by-step manuals on how to
violate it and you no longer need to be an expert – you only need to
be good at following another’s instructions.
Such developments justify today’s ever-growing concern with cyber
security: protecting information and IT resources is now a more complex
issue that requires more careful and formal treatment, so much so that
it has given rise to complete IT projects, specialties in particular
security areas, companies devoted to these types of activities, and
dedicated jobs within companies.
Three times when security measures may be implemented
Cyber security measures may be implemented at three
different times. These are not mutually exclusive, but rather
complementary, and sometimes depend on the resources allocated by the
organization to the protection and availability of information and IT
resources in general. These are:
Prevention
This involves preventing a successful attack. This
category includes all actions carried out within an organization to
prevent a security incident. Examples are mechanisms to authenticate a
system’s users. Such mechanisms seek to prevent unauthorized users
from accessing the system and employ user/password techniques,
biometrics, smart cards, etc.
Detection
When an attack “cannot be prevented or one does not
wish to prevent one,” the objective may be to realize at the moment it
occurs that an attack is under way. In this case, the objective is to
detect the attack so that the corresponding actions may be taken. One
example is locking a user account after a number of failed access
attempts, for example three erroneous attempts. Beyond this number, the
account is blocked because it is assumed that an attacker is seeking to
access the system.
By way of clarification of the first sentence of
the preceding paragraph, it is not always possible to prevent an
attack, but instead one must wait until it happens to take the
corresponding actions. Or it may be the case that the tools to detect
an attack or particular type of attack are extremely expensive and the
organization decides that, when the attack occurs, action will be
taken and that it will not seek to prevent the attack.
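The account lockout described above, as an added example that is not part of the original text: a small Python monitor that counts consecutive failed login attempts per user, locks the account at the third failure, and records every event in an audit trail. The user names and event sequence are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

MAX_FAILED_ATTEMPTS = 3  # threshold used in the text: three erroneous attempts


@dataclass
class AccountState:
    failed: int = 0      # consecutive failed attempts so far
    locked: bool = False


class LockoutMonitor:
    """Detects repeated failed logins and locks the account at the threshold."""

    def __init__(self, threshold: int = MAX_FAILED_ATTEMPTS):
        self.threshold = threshold
        self.accounts: Dict[str, AccountState] = {}
        self.audit: List[str] = []  # record of what was done and by whom

    def login_attempt(self, user: str, password_ok: bool) -> str:
        state = self.accounts.setdefault(user, AccountState())
        if state.locked:
            self.audit.append(f"{user}: attempt rejected, account locked")
            return "locked"
        if password_ok:
            state.failed = 0  # a correct password resets the counter
            self.audit.append(f"{user}: login ok")
            return "ok"
        state.failed += 1
        self.audit.append(f"{user}: failed attempt {state.failed}")
        if state.failed >= self.threshold:
            state.locked = True
            self.audit.append(f"{user}: LOCKED after {state.failed} failures")
            return "locked"
        return "failed"


# Constructed sample of login events: (user, password_was_correct)
SAMPLE_EVENTS = [
    ("alice", False), ("alice", True),               # one typo, then success
    ("bob", False), ("bob", False), ("bob", False),  # three failures in a row
    ("bob", True),                                   # correct, but too late
]


def run_sample(events=SAMPLE_EVENTS) -> Dict[str, bool]:
    """Replay the events and report which accounts ended up locked."""
    monitor = LockoutMonitor()
    for user, ok in events:
        monitor.login_attempt(user, ok)
    return {user: state.locked for user, state in monitor.accounts.items()}
```

Once an account is locked, even the correct password is rejected until an administrator unlocks it, which is exactly why the audit trail matters for telling a forgotten password apart from a real attack.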
Recovery
The third and final alternative is recovery. In this case, the attack
has already occurred and possibly ended. What must now be done is to
find out what happened and to seek to restore the operations of all
affected systems. Two options are available for this:
Security requirements
The basic security requirements are availability,
integrity, confidentiality or privacy, and authenticity. Short
definitions of these are provided below.
- Availability: The guarantee that information may be accessed at the
  time required by users of network services, in accordance with their
  “profile” and without “degradations.” (The profile depends on what is
  needed for job performance within the company.)
- Integrity: The protection given to IT assets so that they may only be
  modified by authorized persons: data written, data changed, status
  changed, data erased, and data created. Differs for each company.
- Confidentiality or privacy: “An ownership or security requirement that
  means that information may be accessed by each user based on what
  he/she should see depending on his/her area of the business.” [2]
- Authenticity: A basic property of information, allowing it to be
  checked at any time in its life cycle against its true origin
  (true/false). Especially important in financial systems (banking,
  e-business, stock market, gambling, etc.). [3]
Other security requirements are:
- Non-deniability (non-repudiation): Clear knowledge of the players
  participating in a transaction or communication, and their inability
  to deny such participation at any time. Example: an individual making
  a withdrawal from a savings account via the Internet or an ATM and
  later denying that he/she did so.
- Consistency: A requirement typically made of applications (although
  not of them alone) that there be equal treatment in all cases, that
  is, that in a given situation an application always behaves the same
  way and not sometimes one way and sometimes another.
- Recording: The ability to track all actions taking place within an IT
  system (applications, networks, computers, etc.), i.e., the ability to
  know what is done in the system and who does it.
Security roles
There are essentially five parts to be played in IT
security:
- Security administrator: The person within an organization with
  responsibility for analyzing, designing, developing, implementing,
  testing, and improving the security mechanisms required to protect the
  organization’s IT assets. Has responsibility for ensuring that security
  is effective and for reviewing it on an ongoing basis with a view to
  its continuous enhancement. Sometimes works with the support of
  consultants or advisors and with a group of security experts
  subordinate to him/her within the organization.
- Auditor, advisor, consultant: In general, persons from outside the
  organization who check the security implemented and make
  recommendations for its improvement. They support security
  administrators by advising on security elements to be introduced,
  bringing security lapses to the administrator’s attention, and
  supporting the corresponding new designs and changes.
- Forensic scientist: An expert with responsibility for analyzing
  breaches of security that have occurred within the organization in
  order to establish what happened and who did it and, where
  appropriate, to contribute to criminal proceedings brought against
  attackers.
- Attackers: Individuals seeking illegal access to an organization’s IT
  assets. There are three types:
  - Hackers: Systems experts with knowledge of security who seek to
    access IT resources, generally in order to demonstrate to themselves
    and others that they could do it and to gain prestige as security
    experts.
  - Crackers: Also systems experts with knowledge of security, who seek
    to access IT resources in order to harm organizations and obtain
    some type of compensation. Example: stealing data from a company in
    order to sell it to the competition, damage the organization’s
    reputation, steal money, etc.
  - Lamers: A new category. Individuals who do not know much about
    security systems and devote themselves to using tools or
    applications developed by others (hackers or crackers) to harm
    organizations. Lamers do not know the technique behind the attack or
    the mechanism used to violate a system; they merely follow
    instructions on the use of tools and use them to make mischief. They
    may act for the mere pleasure of doing so or in order to obtain some
    type of compensation for their actions.
Engineer Claudia Santiago C.
Center of Telecommunication and Information Studies
Colombian Engineering School Julio Garavito
[1] Adapted from class materials, Jaime Rubio:
Seguridad en redes de computadores. Diplomate in Telematics and E-Business,
Colombian School of Engineering, 1999.
[2] Idem
[3] Idem
Additional Information:
This document is part of the material of the distance course "Network
Security" to be held from November 7 to December 9, 2005, through the
Regional Training Center and Node of the Center of Excellence of the
ITU: Colombian Engineering School. CITEL/OAS offers 30 full fellowships
covering the registration fee of US$ 160. The deadline to submit
applications in Washington, DC, United States of America is October 21,
2005. These fellowships are subject to the availability of funds
corresponding to the 2005 OAS Regular Budget.