Electronic Bulletin / Number 15 - September, 2005


What is cyber security?

Cyber security may be defined as:

A series of processes, procedures, tasks, and activities implemented together with information technology (IT) and telecommunication elements with a view to controlling and protecting from threat, as regards their integrity, availability, confidentiality, and authenticity, IT resources (data, equipment, etc.) located at specific sites, during the storage or transmission thereof. [1]

Note the following elements of the above definition:

  • A series of processes, procedures, tasks, and activities: This indicates that security is a complex system involving many interrelated elements.

  • Implemented together with information technology (IT) and telecommunication elements: Technological support is very important but is not the only element. Many organizations or individuals within organizations believe that merely purchasing a technological tool to support security is sufficient for security to be obtained. For example, they buy firewalls or anti-virus software and think that their networks will now be secure. However, if they do not configure the firewall or anti-virus software and no procedures to check such elements or security policies are in place, or if regular efforts are not made to update these, neither the firewall nor the anti-virus software will support the security of IT resources.

  • Protecting from threat ... IT resources: Information is today of the highest importance to organizations, which is why information security has taken on such importance. However, it is not the only thing to be protected: physical IT resources, such as servers, computers, printers, etc. and, of course, human resources, also need to be protected. Cyber security must concern itself with all such “resources.”

  • Clear definitions of integrity, availability, confidentiality, and authenticity are provided below.

Why is cyber security so important today?

With that explanation of cyber security, it is relevant to underscore its importance today. Therefore, we will briefly discuss its history and evolution.

When information technology was first developed, companies that made extensive use of computers always had a mainframe computer, housed in a computer center and administered by experts, who were the only ones with access to it. Here, security essentially involved ensuring that the experts were trustworthy and that the site of the computer had proper environmental conditions and conditions of physical access.

After this first stage, "dumb" terminals appeared. These were merely extensions of the server’s screen (initially, very close to the mainframe and later, up to several kilometers away, through the use of communications lines) that could be used by more than one person. In this situation, in addition to the environment of and access to the mainframe, security had to address the individuals able to use the terminals, generally a small and select group, and to ensure that the mainframe had multi-user capacity. However, it did not yet address complex problems of user authentication and permission to use resources.

The next stage arrived with the appearance of personal computers and the ability to store data in client computers. Now security began to be a more complicated affair, as IT resources (information, computers, etc.) were not located at an enclosed site that was easy to guard and control, but instead were distributed throughout the office, with many more users.

Next was the emergence of local area networks (LANs), in which computers are interconnected and each is also connected to the server, thereby permitting information to move readily and simply from one place to another. The topic of security then became highly relevant, as anyone with access to a network computer potentially could obtain information from other computers or the server or send viruses or software over the network, thereby compromising the availability of services and data stored in computers or servers.

Lastly, with the emergence of WAN networks, particularly the Internet, and of today’s interconnection philosophy, wherein one’s location and/or the type of system no longer matters, other computers and servers may be accessed. This new philosophy has many well-known advantages, but it also creates major problems, or rather challenges, in connection with IT resource security. It is now possible to be attacked (illegal access attempts, denial of service, viruses, etc.) not only from inside organizations, but also from anywhere in the world.

It is also important to take account of the evolution of the use of computers as, over time, changes have occurred. Formerly, computers were only used for very particular and specific applications, while today they are used for nearly every activity and, owing to interconnection, a wide array of data may be transmitted and accessed from anywhere. One particular and perhaps very clear example is the evolution of banks and the handling of money. Originally, everything had to be done in the branch where the account was held or, subsequently, via the bank’s offices. But today, all banks are only a click away and any type of transaction may be carried out via computers and networks.

Lastly, people have also changed. Initially, only a small number understood and could handle computers. However, this is no longer the case. We now also have another problem, which is that although a small number know how to violate the security of a particular system, they are publishing step-by-step manuals on how to violate it and you no longer need to be an expert – you only need to be good at following another’s instructions.

Such developments may justify today’s ever-growing concern with cyber security, as protection of information and IT resources is generally a more complex issue and more careful and formal treatment is required. So much so that it is generating complete IT projects, specialties in particular security areas, companies devoted to these types of activities, and jobs within companies in this area.

Three times when security measures may be implemented

Cyber security measures may be implemented at three different times. These are not mutually exclusive, but rather complementary, and sometimes depend on the resources allocated by the organization to the protection and availability of information and IT resources in general. These are:

Prevention

This involves preventing a successful attack. This category includes all actions carried out within an organization to prevent a security incident. Examples are mechanisms to authenticate a system’s users. Such mechanisms seek to prevent unauthorized users from accessing the system and employ user/password techniques, biometrics, smart cards, etc.

Detection

When an attack “cannot be prevented or one does not wish to prevent one,” the objective may be to realize at the moment it occurs that an attack is under way. In this case, the objective is to detect the attack so that the corresponding actions may be taken. One example is blocking user accounts when illegal access attempts have been made, for example, three erroneous attempts. In excess of this number, the account is blocked because it is assumed that an attacker is seeking to access the system.

By way of clarification of the first sentence of the preceding paragraph, it is not always possible to prevent an attack, but instead one must wait until it happens to take the corresponding actions. Or it may be the case that the tools to detect an attack or particular type of attack are extremely expensive and the organization decides that, when the attack occurs, action will be taken and that it will not seek to prevent the attack.
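The prevention and detection measures just described (a user/password check, and blocking an account after three erroneous attempts) can be shown together in a few lines of code. The following Python example is added here for illustration and is not part of the original bulletin or its course materials; the user name, passwords, event labels and the PBKDF2 parameters are constructed assumptions, and the three-attempt threshold is the one given in the article.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Threshold taken from the article's detection example: three erroneous attempts.
MAX_FAILED_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-SHA256 digest; a fresh random salt is used when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    """Prevention (password check) plus detection (lockout after repeated failures)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # (user, event) pairs: the article's 'recording' requirement, kept so an
        # administrator can later see what was attempted and against whom.
        self.audit_log: List[Tuple[str, str]] = []

    def register(self, user: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, password: str) -> str:
        account = self.accounts.get(user)
        if account is None:
            # Do the same amount of work for unknown users so that response time
            # does not reveal which account names exist.
            hash_password(password, b"\x00" * 16)
            self.audit_log.append((user, "unknown-user"))
            return "denied"
        if account.locked:
            self.audit_log.append((user, "attempt-on-locked-account"))
            return "locked"
        _, candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):
            account.failed_attempts = 0
            self.audit_log.append((user, "success"))
            return "ok"
        account.failed_attempts += 1
        self.audit_log.append((user, "failure"))
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Detection: the threshold is exceeded, so an attacker is assumed and the account is blocked.
            account.locked = True
            self.audit_log.append((user, "locked"))
            return "locked"
        return "denied"


def simulate_guessing() -> List[str]:
    """Constructed scenario: three wrong passwords, then the right one against the now-locked account."""
    service = AuthService()
    service.register("alice", "correct horse battery staple")  # constructed credentials
    attempts = ["guess1", "guess2", "guess3", "correct horse battery staple"]
    return [service.login("alice", pw) for pw in attempts]


if __name__ == "__main__":
    print(simulate_guessing())  # ['denied', 'denied', 'locked', 'locked']
```

The fourth attempt is refused even though the password is correct: once the detection rule has fired, the account stays blocked until an administrator reviews the audit log and releases it, which is exactly the "corresponding action" the article leaves to the organization's procedures.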

Recovery

The third and final alternative is recovery. In this case, the attack has already occurred and possibly ended. What must now be done is to find out what happened and to seek to restore the operations of all affected systems. Two options are available for this:

  • Stopping the attack (prevent it from continuing) and beginning to repair any damage caused by it;

  • Continuing normal operations and “defending yourself” from the attack.

Security requirements

The basic security requirements are availability, integrity, confidentiality or privacy, and authenticity. Short definitions of these are provided below.

  • Availability: The guarantee that information may be accessed at the time required by users of network services, in accordance with their “profile” and without “degradations.” (The profile depends on what is needed for job performance within the company.)

  • Integrity: The protection given to IT assets so that they may be modified only by authorized persons, covering every kind of modification: data written, data changed, status changed, data erased, and data created. The exact rules differ for each company.

  • Confidentiality or privacy: “An ownership or security requirement that means that information may be accessed by each user based on what he/she should see depending on his/her area of the business.” [2]

  • Authenticity: A basic property of information, allowing it to be compared at any time in its life cycle against its true origin (true/false). Especially important in financial systems (banking, e-business, stock market, gambling, etc.). [3]

Other security requirements are:

  • Non-deniability: Clear knowledge of the players participating in a transaction or communication, and their inability to deny such participation at any time. Example: an individual making a withdrawal from a savings account via the Internet or an ATM machine and later denying that he/she did so.

  • Consistency: A requirement typically made of applications (although not of them alone), that there be equal treatment in all cases, that is, that, in a given situation, an application always behaves the same way and not sometimes in one way and sometimes another.

  • Recording: The ability to track all actions taking place within an IT system (applications, networks, computers, etc.), i.e., the ability to know what is done in the system and who does it.
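The integrity and recording requirements above can be made concrete with a tamper-evident audit log: each entry's hash covers its own record and the hash of the previous entry, so changing or deleting any entry breaks every hash after it. The Python below is an added illustration, not code from the bulletin or its course; the users, actions and targets in the sample log are constructed, and the hash-chain design is a common technique chosen here, not one the article prescribes.

```python
import hashlib
import json
from typing import Any, Dict, List

GENESIS_HASH = "0" * 64  # fixed anchor that the first entry chains to


def entry_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    """Hash an entry's record together with the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


class AuditLog:
    """Append-only record of who did what to which asset (the article's 'recording' requirement)."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, actor: str, action: str, target: str) -> None:
        record = {"seq": len(self.entries), "actor": actor, "action": action, "target": target}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        self.entries.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})

    def verify(self) -> int:
        """Return -1 if the chain is intact, otherwise the index of the first entry that fails."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def build_sample_log() -> AuditLog:
    """Constructed sample: three actions by two hypothetical users."""
    log = AuditLog()
    log.append("alice", "login", "payroll-app")
    log.append("alice", "update", "salary:emp-1042")
    log.append("bob", "export", "payroll-report")
    return log


def check_after_rewrite() -> int:
    """Integrity violation: the actor of the salary change is rewritten in place."""
    log = build_sample_log()
    log.entries[1]["record"]["actor"] = "bob"
    return log.verify()


def check_after_deletion() -> int:
    """Integrity violation: the salary change is removed from the log altogether."""
    log = build_sample_log()
    del log.entries[1]
    return log.verify()


if __name__ == "__main__":
    print(build_sample_log().verify(), check_after_rewrite(), check_after_deletion())  # -1 1 1
```

The chain only detects tampering; it does not by itself stop it. Someone with write access to the log file could recompute every hash after an edit, so the latest hash must be copied somewhere the writer cannot reach (a separate log server, or periodically published). Nor does it give non-deniability: for that, each entry would have to be signed with a key held only by the actor, which this example does not do.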

Security roles

There are essentially five parts to be played in IT security:

  • Security administrator: the person within an organization with responsibility for analyzing, designing, developing, implementing, testing, and improving the security mechanisms required to protect the organization’s IT assets. Has responsibility for ensuring that security is effective and for reviewing it on an ongoing basis with a view to its continuous enhancement. Sometimes does this work with the support of consultants or advisors and with a group of security experts subordinate to him within the organization.

  • Auditor, advisor, consultant: In general, persons from outside the organization who check the security implemented and make recommendations for its improvement. These are individuals who provide support to security administrators, as they are able to provide advice on security elements to be introduced, bring security lapses to the administrator’s attention, and provide him/her with support for the corresponding new designs and changes.

  • Forensic scientist: An expert with responsibility for analyzing breaches of security that have occurred within the organization in order to establish what happened and who did it and, in the event, to contribute to criminal proceedings brought against attackers.

  • Attackers: Individuals seeking illegal access to an organization’s IT assets. There are three types:

    • Hackers: Systems experts with knowledge of security who seek to access IT resources, generally in order to demonstrate to themselves and others that they could do it and to gain prestige as security experts.

    • Crackers: Also systems experts with knowledge of security who seek to access IT resources in order to harm organizations and obtain some type of compensation. Example: stealing data from a company in order to sell it to the competition, damage the organization’s reputation, steal money, etc.

    • Lamers: A new category. Individuals who do not know much about security systems and devote themselves to utilizing tools or applications developed by others (hackers or crackers) to harm organizations. Lamers do not know the technique behind the attack or mechanism used to violate a system. They merely follow instructions regarding the use of tools and use them to make mischief. These types of attackers may act out of the mere pleasure of doing so or in order to obtain some type of compensation for their actions.


Engineer Claudia Santiago C.
Center of Telecommunication and Information Studies
Colombian Engineering School
Julio Garavito

[1] Adapted from class materials, Jaime Rubio: Seguridad en redes de computadores. Diplomate in Telematics and E-Business, Colombian School of Engineering, 1999.

[2] Idem

[3] Idem

Additional Information: This document is part of the material of the distance course "Network Security" that will be held from November 7 to December 9, 2005, through the Regional Training Center and Node of the Center of Excellence of the ITU: Colombian Engineering School. CITEL/OAS offers 30 fellowships covering the full registration fee of US$ 160. The deadline to submit applications in Washington, DC, United States of America is October 21, 2005. These fellowships are subject to the availability of funds corresponding to the 2005 OAS Regular Budget.



© Copyright 2005. Inter-American Telecommunication Commission
Organization of American States.
1889 F St., N.W., Washington, D.C. 20006 - United States
Tel. (202)458-3004 | Fax. (202) 458-6854 | [email protected] | http://citel.oas.org
