By John M. Kennedy
Introduction
Different people code different types of software. Therefore, software security issues stem from much of the same humans traits that code them in the first place. We can state that software is like people, you can find all kinds of them, in everywhere at anytime. In this era of hacktivism and cyberterrorism, it seems that crackers, cyberpunks or black-hat and grey-hat hackers have been able to translate the mightiest worst from humanity into computing. They use “deadly” routines or sets of attacking instructions to cause havoc or commit crimes for fun and profit and not necessarily done in that order. Therefore, I am telling you, the “Scarface’s tale” is nothing when comparing it to the nightmarish realities of the software security threats, risks and vulnerabilities, that I am presenting in the following pages. Notwithstanding, and for the last time, I am warning the reader, á la Jack Nicholson, especially when he characterized the Coronel Jessep, in the film, “A Few Good Men” (1992), perhaps “You can’t handle the truth!” Incidentally, for those who study software security, there should be a banner to warn them about it too, something like the inscription that Dante, in his “Divine Comedy”, told us that he found, when he was invited to enter the his mere self into hell, at the top of its doors: “Abandon hope all ye who enter here”. No wonder anymore why programmers have used, all along, names like Daemons (not precisely the Terminate and State Residents or TSRs or MS DOS environment.) and SATAN, to label their programs. Whatever, the danger might be or seem to be, as the “Man of Mancha” would have sang while crossing the borders of devilish domains, I shall encourage you to enter and while singing with me: “ …. to fight for the right without question or pause, to be willing to march into hell for a heavenly cause! … And this is exactly our jobs and the whole reason why the information systems security teams have been created. To do the right thing, to protect the most valuable asset therein in Plow of the Sea, Inc, i.e., its information. (Fitzgerald, M. 2001)
Network Security the level or Risk of Software
As a whole the level of risk that software represents is extremely high for GCI’s eCommerce venture. Azaris (2003) explains that network security software is vital for network users, information Technology [IT] professionals, and network security specialists (p. 1), hence the researcher implies its importance and ubiquity in our lives. Software is what makes hardware to process data in useful information; embeds the rules of communication or protocols; likely, it is used to commit all kind of malicious attacks, and software is what has made many people richer than the Sultans of Brunei. Therefore, let us immerse in the subject …
Bruce Scheneier (2007), the creator of Blowfish, an algorithm used for encryption, stated that information security is costing millions of dollars mainly because the software is insecure, due to bad design, poor feature implementation, security vulnerabilities and/or lack of adequate testing (p. 1). Well, as we know software permeates almost everything nowadays, what is software; it is so intangible and only is measurable perhaps by the amount of lines of code put together to do something. How exactly we put these lines of code logically together so the machine [CPU –Central Processor Unit and then the system] can work by following these commands determines the speed, utility and the versatility of the programs. Yes by all means, software are programs; as a program, software can be as small as one routine with a “laconic” set of instructions whose only purpose could be only to print one or more times the sentence “hello World” at the standard output stream device or screen or monitor. For instance, in C language the screen was called stdout and by default the stream was outputted to the terminal (you can redirect the output as well by the Shell’s Command Line Interface CLI ), and software can be very complex as an Operating Systems Like UNIX or Linux, whose kernels consists of several millions of lines of code or instructions. These lines of code are what programmers called the source code. For instance, the total number of the Source Lines of Code [SLOC], for the Linux kernel version 2.6, has been calculated as more than four million (exactly 4,287,449) (Wheeler, 2004) very complex software. It is a matter of fact, software can be so “effluvious” and “ethereal” that can be “loaded” in the most subtle and thinnest of devices, like the RFID, which in spite of many experts written about they have found flaws and vulnerabilities, people are using more and more to track almost everything, for instance, some of these transponders, are specified by the standards ISO-11785 and ISO-11784 for Radio-frequency identification, aka FDX-B. The code by itself is software “running” or “saving and responding” data in 128 bits devices, 64 bits of which it is utilized only for the Identification or ID information tracking system purpose.
Another subject is the firmware, its security poised other considerations of the sorts, for example, Booting, I personally, I don’t like to boot my systems at all (if you would click on “Booting” then you would understand why, and one more thing, remember the melody and reading it by following its rhythm, would you?). The Basic Input Output System [BIOS] is the software that is loaded before the OS does. It main purpose is to locate the bootstrap loader in the defaulted booting device of the system. This small program resides in the CMOS-Complementary Metal-Oxide Semiconductors, a Non-volatile Random Access memory chip that uses very little amount of energy from a battery and that is connecting to a quartz that oscillates evenly, called the RTC just to save some information like the date and time and the booting devices and the defaulted partitions when the computer is off. Well, the fact is that without or if the CMOS-BIOS hybrid device malfunctions, then the computer would be worthless.
Nowadays Firmware or BIOS vulnerabilities are also a new cause of preoccupation amount information security practitioners, BIOS chips have been the normal components of Motherboards, Network Interface Cards [NIC], video cards, but at the beginning, users were not able to updated these chips, that is why they were called Read Only Memory [ROM]; however, for some time now, users and operators can updated the BIOS or their machines, as to improve the system’s interoperability and compatibility with new and larger hard disk drives or other input/output [I/0] devices that offer more functionality. This process is called, “to flash the BIOS or CMOS”, the problem is that there is software, virus that could install itself and reside in these EPROMs (electrical programmable ROMs). Lately, as expected, the scenario seems to have been worsened by the apparition of the iWarp Ethernet NIC Cards, which can facilitate the detection of packet processing right out from the CPU, creating backchannels for bypassing completely the OS as serious threat for the security of the information (Jackson , 2007).
Mitigation against Malware
It is practically impossible to be fully protected and this means that what realistically networking security engineers and practitioners should be hopping for is for outreaching an acceptable level of security. Software security entitles the protection against malware from all its known and unknown forms, by perusing different tools, methods, network appliances and specialized combination of software, like: Firewalls, cryptography, network security administration and security programming development tools. However, all these software, controls and countermeasures to reduce the risks, will not work effectively without the addition of a well thought out security education, training and awareness program addressing the participation of all GCI’s stock holders (Pflegeer & Pfleeger, 2003).
Malware
Göran, Kaj & Peik, (2003) indicated that malware exploits vulnerabilities, and pointed to the 1992 Bowels and Pelaez’s simple taxonomy, which classified all malware in just two types: Programs Needing a Host, and self-reproducing malware (p.1 ). Let us see the following table below:
Bowels & Pelaez’s Malware Taxonomy
| |
Programs Needing a Host
|
Self-reproducing
|
Trap Doors: Secret point of entrance to the system. This represents a serious threat.
|
Bacteria: self-replicating harmless program for only one detail that replicates so much that in the end could take all the capacity of the victim computer.
|
Logic Bomb: Waits for a date or and event to do their deeds. One of the earliest forms of Virus, very damaging in deed.
| |
Trojan Horse: A “Goodie” with maladies.
Very serious threat.
|
Worm: Infects computers through network connections, can behave like virus and bacteria or could install Trojans too. Its effects are devastating.
|
Virus or Retrovirus: Infect other programs by copying its code to them and continuously infecting others. Serious Threat. Retrovirus behaves like a virus with the detriment-added attribute of being able to attack anti-virus; Even more serious.
|
Table 1. – The Malware Taxonomy (Göran, Kaj & Peik, 2003).
The rest of software can be a combination of all of the above mentioned like the infamous rootkits, which are very difficult to detect. Thus we have collection, prevention, detection and response mechanisms to deal with these malware maladies; a series of “anti-thesis” have been created for the purpose of responding to the imminence of viruses and retroviruses exploits: Therefore, we have antivirus in their many flavors and varieties, e.g. we are in the four generation of antivirus, being the latest mechanisms used by them Generic Decryption [GD], Digital Immune System technology [DIS] (Propose by IBM), GD is employed to protect polymorphic Viruses (Pflegeer & Pflegeer, 2003, Göran, Kaj & Peik, 2003, Panko, 2004). Recently antivirus programs are classified accordingly to what they are geared to protect, there are antivirus to protect gateways and firewalls, and files and database servers, and as always end users programs, operating systems and files. Figure 1 below show the classification according to the level of security that antivirus offer:
Figure 1 - Defense lines in antivirus protection (Göran, Kaj & Peik, 2003)
Firewalls protect the enterprise network at the perimeter, i.e. at the border, thus is a mechanism of defense that separates the network from the rest of the world, there are three common types of Firewalls: Packet-filtering router, application-level gateway or proxy server and circuit-level gateway external network-based security threats (Basta, 2007, Panko, 2004).
There are main two implementation of cryptography for networking security at the network layer level the IPSec and the Transport layer the TLS/SSL, proposed by the Internet Engineering Task Force, [IETF]. At the moment, IPSec is used mainly for Virtual Private Networks [VPN] but this could change as Secure Domain Name System or DNSSEC is earning acceptance (Göran, Kaj & Peik, 2003). The IETF standard Transport Layer Security [TLS] and Secure Socket layer [SSL] is used primarily for securing data communication carried on Hypertext Transfer Protocol [HTTP]. This Lead us to Web security and eCommerce security, were there are two main types of services to ponder transaction and access level security: thus we have the following mechanisms: HTTPS, the SSL Secured HTTP Protocol, the S-HTTP, Secure Hypertext Transfer Protocol, and the PCT, Private Communication Technology. Security administration counts with many programs for alerting, collecting, preventing and responding to incidents or events, like the so-called Intrusion Detection Systems [IDS] and the Intrusion Prevention Systems [IPS] (Panko, 2004).
Conclusion
Software, in their many manifestations, whereas in RFID, as Operating Systems or Network Protocols or like applications, is the means to produce information and for such to increase our knowledge and skills to solve our problems. As information is centric for our survival, so it is software as well.
References
Azari, R. (2003). Current Security Management & Ethical Issues of Information Technology. Hershey , PA , USA : Idea Group Inc., 2003. Retrieved January 20, 2008, from, http://wf2dnvr5.webfeat.org:80/8i3HJ1828/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10032091&ppg=18.
Basta, A. & Halton, W. (2007 August). Computer Security and Penetration Testing. Boston , Massachusetts : Course Technology, Thomson Learning, Inc.
Bellovin, S.M. (1989). Security Problems in the TCP/IP Protocol Suite. Murray Hill , New Jersey : AT&T Bell Laboratories. Retrieved January 20, 2008, from http://www.cs.columbia.edu/~smb/papers/ipext.pdf.
Birkholz, E. P. (2003). Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Rockland , MA , USA : Syngress Publishing Retrieved January 20, 2008, from http://wf2dnvr3.webfeat.org:80/nDEHJ1268/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10023441&ppg=27.
Cisco IOS Security Configuration Guide Release 12.4. (2006 July 29). Corporate Headquarters. San Jose , CA : Cisco System, Inc. Retrieved January 20, 2008, from http://www.cisco.com/application/pdf/en/us/guest/products/ps6350/c2001/ccmigration_09186a00804f229a.pdf.
Coakes, E. (Editor). (2003). Knowledge Management: Current Issues and Challenges. Hershey , PA , USA : Idea Group Inc. Retrieved on January 13, 2008 from, http://http://wf2dnvr3.webfeat.org:80/nDEHJ1151/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10032062&ppg=22.
Ciampa, M. (2005). Security + Guide to Network Security: Fundamentals, 2nd Edition. Boston , Massachusetts : Course Technology, Thomson Learning, Inc.
Course Materials. (2008). Network Security. Course: CS653-0801A-01. Colorado Technical University . Retrieved January 19, 2008, from https://campus.ctuonline.edu/classroom/MultimediaCourseMaterials.aspx?Class=92946&tid=44.
Current Malware Threats and Mitigation Strategies. (2005 May 16). Informational Whitepaper. Multi-State Information Sharing and Analysis Center & US-CERT - United States Computer Emergency Readiness Team. Retrieved January 20, 2008, from http://wf2dnvr3.webfeat.org:80/R2LHJ138/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10158249&ppg=27.
Fitzgerald, M. (2001). Building B2B Applications with XML: A Resource Guide. New York, NY, USA: John Wiley & Sons. Retrieved January 21, 2008, from http://wf2dnvr3.webfeat.org:80/nDEHJ1195/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10001744&ppg=32.
Göran P., Kaj J. G. , Peik Å, (2003). Network security software, Current security management & Ethical issues of information technology, Hershey, PA: Idea Group Publishing.
Hassing, K., Kent , A. K., & Johnson, G. (2003). CCNA 1 & 2 Companion Guide, 3rd Edition. Cisco Networking Academy Program Indianapolis , IN : 2003.
Jackson, J. (2007 March 3). Assessing firmware vulnerability. Tech Blog, Government Computers News [GCN]. Retrieved January 21, 2008, from http://www.gcn.com/blogs/tech/43212.html.
Khosrow-Pour, M. (Editor). (2004). Annals of Cases in Information Technology, Volume 6. Hershey , PA , USA : Idea Group Inc. Retrieved January 19, from, http://wf2dnvr3.webfeat.org:80/nDEHJ1158/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10051156&ppg=113.
Maiwald, E. (2002). Security Planning and Disaster Recovery. Blacklick , OH , USA : McGraw-Hill Professional, 2002. Retrieve January 21, 2008, from http://http://wf2dnvr3.webfeat.org:80/R2LHJ12/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10043872&ppg=30.
Nelson, B., Phillips, F. E., & Steuart, C. (2004). Guide to Computer Forensics and Investigations. Boston , Massachusetts : Course Technology, Thomson Learning, Inc.
Panko R. R. (2005). Business Data Networks and Telecommunications, 5th Edition. Upper Saddle River , NJ : Prentice Hall- Pearson Education, Inc.
Panko R. R. (2004). Corporate Computers and Network Security. Upper Saddle River , NJ : Prentice Hall- Pearson Education, Inc.
Pflegeer C. P., & Pflegeer, S. L. (2003). Security in Computing, 3rd Edition. Upper Saddle River, NJ: Prentice Hall Professional Technical Reference, Prentice Hall- Pearson Education, Inc.
Ratnasingam, P. (2003). Inter-Organizational Trust for Business To Business E-Commerce. Hershey, PA, USA: Idea Group Inc. Retrieved January 12, 2008, from http://wf2dnvr3.webfeat.org:80/nDEHJ1167/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10032067&ppg=13.
Reuvid, J. (2006). Secure Online Business Handbook: A Practical Guide to Risk Management and Business Continuity (4th Edition). London , GBR: Kogan Page, Limited. Retrieved January 19, 2008, from http://wf2dnvr3.webfeat.org:80/R2LHJ138/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10158249&ppg=27.
Russell, T. (2000). Telecommunications Pocket Reference. New York, NY: McGraw- Hill Companies.
SANS Top-20 2007 Security Risks (2007 November 28). Annual Update. SANS Institute. Retrieved January 20, 2008, from http://www.sans.org/top20/.
Scheneier, B. (January 18, 2007). Information Security and Externalities. Retrieved January21, 2008, from http://www.schneier.com/blog/archives/2007/01/information_sec_1.html.
No comments:
Post a Comment