00:00:05 >> Welcome to the security control section of our lectures. We have two sections. One is security controls on platforms, where we are going to discuss what kind of controls we put on the network, servers, web servers, et cetera. And the second section will be what kind of controls we look for in applications, specifically healthcare applications.

Our learning objective in security controls on platforms is to cover three areas: network protection, servers and [inaudible], and databases and web servers. In network protection we want to see, when connections happen to the Internet, or when we do remote access over the Internet into our networks, what kind of protections we should put in. This is also what we do in the wireless world; they're sort of similar. So that's to protect the network. Then we look at the servers and the desktops and what kind of protections we need to put at the operating system layer, or whether we do anything different on the laptops and the mobile devices. And then finally we look in some detail at how we protect the databases and web servers.

Looking at the network, it is instructive to see the boundaries that exist in various parts of the network. The obvious boundary is between the Internet and the entire local network, but you should also consider that within the local network there's a special place where we put our servers, the server farm, so the boundary between the server farm and the local network may be another place where we may want to put some extra protection. Similar boundaries exist between the wireless world, where at some point it connects to the wired world, and finally where our network connects to remote or vendor sites over perhaps virtual private networks or some other technologies. It may or may not be over the Internet.
It may be directly connected to a vendor site or it could be over the Internet, and those boundaries between one institution and another institution could be another place where network protections could be placed. Another example of where network protection could be placed: if you recall, when we discussed networks we had core routers, building routers and then floor routers, and so you could consider that each of those areas, if you wanted more variety, presents itself as a boundary, and we can put different kinds of protection in each of those areas, depending upon what importance each area has.

When we consider such boundaries we basically get various zones of trust, so we can look at the entire network and make it up of multiple zones. And any time we are going from a lower trust zone to a higher trust zone you could expect some sort of network protection control that is permitting transfer of access from the lower to the higher.

The kinds of devices we use in network protection are typically the ones that sit on the network and monitor the network. They could control traffic by injecting packets of their own, or, instead of passively monitoring the network, a device can also be inline. So when there is a connection going on, you insert a device within the connection so that every packet goes through that device, and if that device doesn't like something that is travelling through it, it can stop it. So in that case it not only monitors, it actively acts to stop traffic that it doesn't think is appropriate.

The most common device that's used in network protection is a firewall, and the most common place it's placed is between the Internet and the local network. So in the picture you see that on the right there is the Internet and there's a firewall in the middle that looks at all traffic that goes between the local network and the Internet. Additionally you'll see something called a DMZ, a demilitarized zone of the network.
That is sort of part of the local network, but that's where one would place the organization's Internet web servers that are open to the Internet. So try not to open anything in the local network, but open it into a demilitarized zone where the web servers that have to be public are placed.

So what does a firewall do? A firewall blocks specific types of traffic at the network layer. It can block certain ports: it can say we will not permit any traffic on port 1433, which happens to be Microsoft [inaudible] servers, so there's no direct access to their database from the Internet. It can block certain IP addresses. It basically says no communication can happen to these IP addresses. So in this example, no access to the server farms [inaudible] from the Internet. You could do the reverse as well. You could also make it so that the local network is not allowed to go to IP addresses of a certain range, and you would call those the blacklisted IP addresses, because they've been found to be doing bad things. There are people who are collecting those lists, and you could actually define firewall rules like that. They can also block certain protocols, although the examples of Telnet and FTP are the same as the port examples. But you can also block streaming multicast media, in which case you will not be able to use video conferencing across this firewall.

So usually such firewalls are placed with the routers that connect to the Internet, right in the middle. In fact they're sometimes part of the same chassis; companies like Cisco and Juniper make these firewalls. They can also be placed internally between server farms and the rest of the network, the kind of zones that we were discussing before. And the DMZ network is where the Internet-facing web servers are placed, with restricted communication with the local network. It's an additional protection that the local network has, that anything that is open to the Internet is not part of the local network.
The second control we're going to discuss is called intrusion detection systems, or intrusion detection and prevention systems. You can see the IDPS component, some sort of a spy, is tapping on the network between the firewall and the local network. You can again place this appliance in any part of your network, and what the IDPS is doing is reading all network traffic content and using its knowledge and logic to determine if this traffic is malicious or not. As long as it's detecting, that's the detection part. It can then act to interfere with the malicious traffic to stop it.

In some cases you can put an intrusion detection and prevention system inline. That means it is sitting on the wire; nothing can go from one side of the wire to the other side of the wire without going through the IDPS. Or you can put it in tap mode. That means it's passively listening, and if it finds something bad happening it interjects with additional packets. It cannot stop the existing packets from flowing, but it can interject other packets to perhaps close the session.

Note that the placement of the IDPS in this particular picture is inside the firewall. You could take the IDPS and connect it outside the firewall, before the connection to the Internet. The difference in this case would be that you're not taking advantage of whatever the firewall is blocking. There is really no need to look at what kind of malicious activities are happening on the ports, such as the example we did last time, 1433: if someone is attacking port 1433 from the Internet, we won't be able to see it if our IDPS is inside the firewall. The only reason to put the IDPS outside is to be able to see everything that's being attacked, versus if you put it inside you only see the traffic that the firewall has permitted.

The specific technology used in intrusion detection and prevention systems all started with signature based.
That means they're looking into the packet and looking for a specific sequence of bits and bytes which can then be considered typically as a signature of a [inaudible] of malware, and when it recognizes such a signature it has to raise an alert or try to prevent it. There are also other kinds of intrusion detection and prevention systems, the anomaly-based ones. They are also called zero-day detection mechanisms: they create a behavior pattern of what the normal traffic is, and if they see behavior that is significantly different from the past behavior they could raise an alert. Now it won't be able to tell you what the problem might be, or it might actually be a false positive, but sufficient variation from the previous behavior could be a suspicious thing, and therefore should be checked out.

Another example of anomaly based is a very simple example in which a particular attack from the Internet is going through IP addresses systematically, one by one in sequence, to probe them to see if they are open on some port such as FTP. As such, one packet that goes and asks "is FTP open?" is not by itself a bad thing. But an intrusion prevention mechanism would be smart enough to see that the same source IP address is going to each IP address inside the local network one at a time, because your firewall is permitting that protocol, one at a time in a sequence, and when two happen, three happen, four of them happen and any more happen, the [inaudible] protection has to smartly decide that this is actually an attack.

The simpler [inaudible] protection systems look at reconstituted packets. Complex ones can look at reconstructed sessions.
In other words, there may be a computer on the Internet actually setting up a session, such as a web session, with a web server on the local network or on the DMZ, depending on wherever it's placed, and it looks at all the packets and all the transactions that are happening within that session, and overall, looking at that session, it makes a decision whether this was an appropriate thing to do or if an alert should be generated on that.

Note that intrusion detection systems may use dynamic information on malicious sites. As we mentioned before, there are a lot of Internet sites that are known to be malicious sites because they collect information about other people or they distribute malware, and there's no reason for our computers on the local network to be talking to them. We could be blocking them with a firewall. You could also think that the intrusion detection and prevention system is being dynamically updated from the vendor from whom we have purchased the system, and as they get updated daily they produce a behavior of detecting and preventing such access to malicious sites.

We now come to the proxy server. It's a different kind of control. The purpose of the proxy server is to control what kind of web browsing occurs in the local network, as well as what kind of web traffic we could expect from the Internet coming into our environments. It can actually do both directions, but it's primarily used to control what kind of web browsing occurs within the local network. The reason to control web browsing is that users inadvertently can go to malicious sites and download malware by simply clicking on the links, by falling for it, and bring down malware. A proxy server gives us a place to either block such sites or give controlled access to such sites, as well as to check the content, similar to the intrusion detection and prevention systems, to look at how to manage traffic for the websites.
Proxy servers also work with FTP and other protocols. So all Internet traffic, specifically web, is forced through a proxy server, and the way you force it is to configure in the browsers of the clients that this proxy server has to be used. Now if the user has a choice of changing or reconfiguring the browsers, then they may set it so that it doesn't go through the proxy server. They can bypass the proxy server, and that would depend upon whether the user has the right kind of administrative privilege and whether the administrators of the local network allow users to have that privilege. If the users have that privilege, setting up a proxy server is pretty much useless at some level, unless the IP addressing of the local network is such that you cannot go to the Internet unless you go through the proxy server. The other way is to force proxy servers by configuring the routers of the local network so that all web traffic has to go through the proxy servers, in which case the users do not get any control in their browsers to say whether it should go through the proxy server or not. It happens automatically at the network level.

So what the proxy does is limit the websites that can be visited. It controls where users can spend time, and this is a common complaint in a workspace where management says that people are wasting their time on Facebook; that seems to be the number one item. Meanwhile they can also watch over the content that is being sent or received, and by putting a proxy server structure in you can also hide what our network addresses are and what structures might be derivable by looking at the addresses from the Internet. Proxies can also be used to monitor encrypted traffic, so it's not only that it looks into the content of where it's going, it can actually manage the encryption itself.
In other words, if there's HTTP on a [inaudible] encryption, a proxy server can be a logical endpoint, so that between a client on the local network and the proxy server it is not encrypted, but between the proxy server and the Internet it is encrypted. Those are the kinds of flexibilities proxy servers offer.

Providing remote access to users who stay at home or are working at a conference and need to get access to the local network: after a connection is set up, their connection from their PC at home preferably looks as if it is connected to the network at work. There are variations to what I just said. The access could be complete access to the network, or it could be much more moderated, very controlled access only to specific applications. These kinds of controls are done by devices such as VPN gateways or some sort of Citrix farms, and there are variations on the theme in that they're not always virtual private networks. They can be SSL gateways, based upon web services, but they're essentially providing access to resources on the local network to a user who is remotely located and is coming over the Internet.

So what goes on here is that remote access requires additional checks; something like a virtual private network gateway is one way to provide secure access. Almost always such gateways will require authentication. The user will have to put in their user ID and password so that the system knows that this is a valid user who should be allowed to come into the network. Such authentication could be stricter than just user ID and password; we could also require that they have a token card, which is two-factor authentication, which is safer and better than just user ID and password. Gateways will always implement an encrypted session with the remote PC which the remote user is using. In other words, all traffic from the gateway to the remote PC would be completely encrypted so that nobody would be able to tap on it on the Internet.
The gateway may additionally check the remote PC for its security posture, or how good its security is, before actually providing the access. This falls under the category of protection called network access control, which means that this particular VPN gateway could be smart enough to ask a PC: tell me what your version is, tell me what version of antivirus/antispyware you're running, tell me whether your signatures are up to date. As it checks those things, if it finds something it doesn't like, it may decide not to give this PC access to the local network, and all that falls under the rubric of network access control. And we'll try to leave the gateway as we discussed. [Inaudible] specific and limited access based on the user who signed on. Maybe if a system administrator signs on it provides them with more access compared to a simple user who all they want to do is check their email or have access to their files, so access could be limited based upon what the user actually does, what their role is.

We'll move our discussion to servers and desktops, but as we do so note that all the controls we talked about so far on the network can be placed between the various zones that we have discussed before. An example would be between wireless and wired connections, and typically the wireless is treated just like [inaudible] and remote access, so that everything is encrypted, everything is authenticated, only the connection is [inaudible].

So to continue with servers and desktops: they are basically the same type of computers. They can have the following security controls, and I'm reading ahead that the difference is really that the servers hold a large amount of important data, and that actually presents a risk to many users; it's not a single-user server typically, and therefore they need additional protection.
But in terms of the technology that's in them, the operating system and what databases you can run, et cetera, there's really not much difference between servers and desktops. So we find that there are examples of controls that can be put in; not necessarily all of them are put in, or let's say all of them are turned on, because there's definitely a cost associated with the performance of the server or the desktops if every possible control is turned on. One turns on only the ones that one thinks are appropriate for the high-risk category.

So we would always have an antivirus and an antispyware. Very similar to our intrusion detection systems, these are signature based, could be behavior based, and they protect against the malware that could be added, such as the Trojans and the viruses. There is always a host-based firewall; that is, a server itself can run a firewall on all traffic that's trying to attack or come into the server, and its purpose would be to configure limited communication with the server to a predetermined set of other IP addresses or particular specific ports. It's a very good idea to turn on host-level firewall components on the servers as well.

There are controls called file integrity checks, where specific important files are identified and for those files it generates something called a hash, that means a signature, if you will, on that file, and saves it, perhaps on a different server, so that every day as it is run, if a particular file is found to have a different signature one day, it can highlight the fact that this file actually got changed, and if necessary someone could take an action to confirm that the change was appropriate, and thus it protects the integrity of those files.
The place these things came about is that in the Unix systems there used to be something called root kits, which means a particular set of files has been changed so that the intruder could then exploit those changed files to get elevated privileges. They are not apparent if you just looked at them, but if you ran these file integrity checks every day you would see that a particular file that didn't have any reason to change had suddenly changed today, and that would trigger an investigation and correction.

The next control could be intrusion detection and prevention, similar to the networks. In this particular case, if a particular program is being started and it has not been defined before, has never been seen before, then that could be detected, an intrusion alert could be raised, and the program would never be started. A somewhat different mechanism, white listing, accomplishes the same function: white listing says only these specific programs are allowed to execute, and if any other is started it doesn't have that privilege, and it informs somebody; only when it's permitted formally can the additional programs be executed. The difference is that in the previous case there's malware that I've been drawing, whereas in the white listing area the user himself may have downloaded some programs, such as a game, such as a different kind of browser, such as a [inaudible] to listen to music, and white listing stops that kind of activity.

The next one is encryption or data leakage prevention, and we'll be talking about leakage prevention in section two in much more detail. These are very, very important controls. They encrypt sensitive data, and they're more important on the laptops than any other category, though on the desktops they are appropriate as well. Laptops walk; laptops go outside the institutions. Laptops go on subways, and loss of a laptop with clinical data has a tremendous breach notification cost.
So encryption is a must on the laptops, and therefore we have listed encryption as an important control. Patching and network access control: any system that is not patching its operating system will eventually get in trouble, because there will be malware that's going to exploit that particular part of things. Network access control, as we just discussed before: there might be a client running that the network access server asks, I want to know if your patching is up to date, I want to know if your signatures are up to date, before I allow your connection to the network. And then finally the browser configurations themselves, such as the proxy server definitions, that once added act as an appropriate control over the users and what websites they access.

Looking at the desktops in a little bit more detail, the first thing we say is that the desktops undergo strict image control, and image [inaudible] is not a fashion statement. It is associated with what their operating system looks like. So this includes the operating system and all of the programs, what versions are supposed to be part of that collective image. Arbitrary installation of programs is not allowed, so a user who is not an administrator is not allowed to add programs. And you want these images to be cookie cutter, because the idea here is we have thousands and thousands of desktops, and if some desktop is not working, a computer is not working, you are easily able to replace it by another computer which is a cookie-cutter desktop. Users are typically not given local administration rights; only in rare, justified and documented cases should the users be given local administration access. The primary reason for this is that users can change the configuration of the operating system to make it less secure, whether accidentally or knowingly because they want to get around some control.
Or they go to the web and download programs and try to install them, and they may not understand the security implications of such downloads. Desktops are more likely to be infected because more web access happens on them, as well as users having external CDs or DVDs to put into the DVD player and run programs from there, or using a USB device, connecting it and moving data between the systems. And since more users are doing it, we believe the chances of desktops getting infected are higher because the external input is higher.

Local data storage on the desktops is typically discouraged in large organizations. This is because one usually lacks an automatic backup on these data storages. It's preferable then for important data to be sent over to the server, under the control of the user in their directory, typically called the home directory; if it's put on the server then it actually gets backed up, as opposed to if it's on the desktop, where the users are supposed to back it up, which may or may not actually happen. Therefore there is the risk to availability, as well as the fact that desktops are somewhat less secure because of the location they're in; therefore if you leave data in there it's riskier than data sitting on the server. And finally one thing parenthetically, which has nothing to do with the desktops: similar to the laptops, if there's any USB [inaudible] that's carrying sensitive data, it must be encrypted in this day of breach [inaudible].

Servers, on the other hand, are important computers and keep the crown jewels of data within them. So server farms themselves can have their internal firewalls and intrusion protection systems to provide a higher level of protection for the servers within the local network. Servers are typically managed as a group through a back office team, and for efficiency of management, their management is done through directory services.
So if you have Windows machines and Windows systems you could probably do it through an Active Directory implementation. If you have a [inaudible] world then you may be doing some sort of [inaudible] directory. In either case the important part is that they are managed as a group, so you can appropriately put security policies defined in the directory and they are easily applied to the servers.

Servers by definition have a lot of users coming to them and getting data using database services, using web services, et cetera, so the logs that are associated with the servers that say how things are going are important controls. They are, using tools, collected in real time and sent over to a separate system called a security event/incident management system. They are typically called SIMs. And once you take the logs, which are voluminous logs, not just coming from the server but also coming from the firewalls, the VPNs (and we'll discuss a little bit more on the platform logs), [inaudible] analysis, that acts as a good control to find out what's going on and trigger something if necessary on the servers.

So servers will most typically be monitored for not just security; they'll be monitored for performance, they'll be monitored for any error messages, and they'll be monitored for capacity, if the disks are filling up or the CPUs are so full that the system is not performing properly. Those are the kinds of things that affect the availability component of security, and therefore servers are monitored for such things. Security of the servers is also checked periodically by scanning them from outside, looking at every port that they have open, checking for whether there are any [inaudible] in those ports or the services that are behind the ports. So checking of all the [inaudible] is a very important concept for the server world.
And then finally, servers are typically configured for high availability. That can actually happen by putting two servers up at the same time with a heartbeat between them, so that the second server tries to keep track of whether the primary is alive or not, and if the primary dies for some reason, the secondary automatically takes the mantle of the primary by assuming the IP addresses of the primary for itself, and thus provides high availability. That would be one example of how servers offer availability. Other methods are through load balancers. They are devices that sit in front of multiple banks of servers and distribute the load over many different servers, and therefore even if one or two servers are down for a reason, there are plenty of other servers that can handle the load. This provides sufficient backup across the servers so that even if some are down there's something else available to do that same function.

So we move on next to a little higher level concept, the databases. The databases are servers; they're a set of programs or processes running on a physical server and offering data that has been structured and stored on the disks of the server back to the clients who are asking for services through those ports. We reached the fact that data belongs on servers and does not belong on desktops with the theme that the desktops really shouldn't have data. It turns out that as databases have evolved over time, most big commercial application databases are complex and typically bloated, simply because there's so much feature creep that they have added, so as to be able to charge more for such services, whether one uses 25 percent of the database features as opposed to 75 percent of them. So databases are complex and often bloated software. If we have improperly trained or naive administrators, then because of the complexity and the bloatedness they can leave many doors open to access the database.
And one has to be very careful about how many ports and how many services the database wants to open, and one has to be careful about closing all those ports that are not really necessary. So, as we say here, databases may open several ports and services that you may want to close.

Database programs can be written in ways that can be exploited to reveal more data than intended. So we find that the clients typically are given programs to execute, and those programs are actually using some language, such as SQL, structured [inaudible] language, to make queries into the database. Now if the queries that are made into the database take in some parameters, say, find all the roads in the United States that are greater than 10 miles long, that number, 10 miles, is an input that comes from the user; the user can make it 10, can make it 0, can make it 5 million. The question really is, can the user put, instead of 10, a word like ABCD, and what exactly does the program do when it gets unexpected input? Does it ignore it and keep sending the data in, and thus have a corrupted query going in? Can it actually recognize and stop such a query, or does it just throw up an error message of some kind after it crashes and burns? By using techniques like that, a lot of malicious users can try to figure out how to tweak the queries to get the data that they were not allowed to get before. Such things are called [inaudible] injection problems, and we will talk more about them. But database programs can then be exploited, and there has to be sufficient control of the program development to stop such things. Again, there are database scanners that look for those kinds of errors.

Database user IDs and passwords that are loosely managed: typically the system administrator ID of each of those famous databases, such as DB2 or [inaudible], et cetera, is well known in the world; the default comes with a database user named SA and the password being "password".
And it's amazing how many custodians do not change those user IDs and passwords and leave them as they are, and thus they are easily exploitable. Configuration management of security controls is a key issue in databases, besides obviously patching them regularly, because those configurations reduce the complexity of the bloatedness and give you a simple, straightforward system that one can then guarantee for its protection. There are database scanners that will try to attack the databases through various ports. They are sort of useful, but they turn out to be quite [inaudible], because the kinds of conditions and details that they talk about sometimes don't seem to make any sense, and you need high-level data [inaudible] to understand them. So it's still an open question whether it's sufficient to do vulnerability scanning on the servers, which includes some sort of database query checks, versus having dedicated database scanners that may be useful but you do not know what exactly they're telling you.

That brings us to the final component in this section, the web servers. Everyone has noticed by now that almost all interactions on the Internet, or even the intranet, are on web services, all kinds of fun things that we use. Blogs, Microsoft SharePoint or any of the social sites are all implemented on top of web servers, and they are web-based applications. They have basically revolutionized the way people write programs and use data over the network. Examples of web servers come from the open source system called Apache, as well as for-profit components such as Microsoft [inaudible] Information Server, IIS. All of these web servers, simple as they started, are now enhanced with many application services. They come under names like Java servers, .NET or ActiveX services, new kinds of web services, a whole set of subsystems called WebLogic or WebSphere.
In other words they have become more complex and large, having started from their humble roots of being a simple web server. To these web servers we have added, in some cases, content management systems, which are a way to manage all the documents that are versioned and apply a template or a format that is reflective of the company's presentation style and how they want to represent data and information about themselves. And these [inaudible] management systems by themselves could be sufficiently complex that they have security issues of their own to be looked at, in combination with the web servers; definitely any security of a web server that carries a content management system or [inaudible]. So all applications today, as we said, are developed basically over web-based access and web services, creating a new computing platform essentially for being able to bring data and view data and manipulate data.

So how do we improve the security of web servers? Because of so much access that happens over the web servers, they are the ones that are most attacked. So here are some suggestions and methods. First, reduce complexity by strict configuration control. [Inaudible] all the options that one doesn't need. This is similar to databases, which is to say as it gets bloated you get to shut off services, not leave them open. One needs strict management of authentication, which means signing on, and authorization, which means what they are allowed to do on a web server. Are they only allowed to change specific pages, or are they allowed to change many pages in many places, as well as change some data associated with it? So having who can sign on, whether they are authorized to sign on, what authorization they actually have, whether we pay attention to when the users go away that the authentication goes away, et cetera, all contribute to better security for the web servers.
Monitoring usage logs is always important for the web servers, to see if somebody is trying to attack you, and if so make a firewall adjustment to ignore or block that particular IP address. Use an application-level firewall to protect against web-based attacks. Web-based attacks are specific to the web technology and the fact that there may be a database connected to the back of it, and so they may be a [inaudible] kind of attack, and the application firewalls are experts and specialized in web-based communication and protection. One would typically put such application-level firewalls on their servers if most, if not all, web servers are actually on the servers [inaudible]. Similarly, web vulnerability scanners, just like the other scanners we talked about before, actually test for configuration errors in the web servers and look for common problems such as [inaudible] that we talked about, as well as cross-site scripting, and as these vulnerability scanners give you the results it's very important to [inaudible] so it is fixed. And similar to the simple servers, load balancers and proxy servers help improve availability and confidentiality of data within the web server.

So in summary, we discussed several security controls for various lower-level computing-platform-related things, such as the networks and the servers. Whenever we talk about security in depth, or layered security, we do require that implementations of security controls are placed at various levels throughout the institutional infrastructure. So protecting the lower level at the network is as important, if not more important, than protecting resources at higher levels such as the applications. The controls help achieve a desired level of assurance for the CIA of information and resources, and finally what we will do next is to discuss specific applications and look at some of the controls over there.
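The sequential probe described in the lecture's anomaly-based detection example (one source address walking the local network one host at a time, asking each whether FTP is open) can be written as a rule over connection logs. The following is an added example and is not part of the lecture or any IDS product: the log lines are constructed, the `time src -> dst:port` format is an assumption, and the rule flags any source that touches a threshold number of consecutive destination addresses on the same port.

```python
"""Anomaly-style detection of a sequential host sweep over firewall-permitted traffic."""
from collections import defaultdict
import ipaddress

# Constructed sample log (assumed format: "<time> <src_ip> -> <dst_ip>:<dst_port>").
# 203.0.113.7 probes 192.0.2.10, .11, .12, .13 on FTP (21), one host at a time;
# the other sources are ordinary repeat connections to a single server.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 -> 192.0.2.10:21
10:00:01 198.51.100.4 -> 192.0.2.50:443
10:00:02 203.0.113.7 -> 192.0.2.11:21
10:00:02 198.51.100.4 -> 192.0.2.50:443
10:00:03 203.0.113.7 -> 192.0.2.12:21
10:00:04 203.0.113.7 -> 192.0.2.13:21
10:00:05 198.51.100.9 -> 192.0.2.20:80
"""

SWEEP_THRESHOLD = 4  # "two happens, three happens, four ... decide it is an attack"


def parse_line(line):
    """Split one log line into (time, src_ip_str, dst_ip_obj, dst_port)."""
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src, ipaddress.ip_address(dst_ip), int(dst_port)


def detect_sweeps(log_text, threshold=SWEEP_THRESHOLD):
    """Return {(src, port): [targets]} for every source that contacted at least
    `threshold` distinct destination hosts on one port, each host being the
    previous host's address plus one (the "systematically in sequence" pattern)."""
    targets = defaultdict(list)  # (src, port) -> distinct dst hosts in first-seen order
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst_ip, port = parse_line(line)
        seen = targets[(src, port)]
        if dst_ip not in seen:  # a repeat hit on the same host is not a new probe
            seen.append(dst_ip)

    alerts = {}
    for key, hosts in targets.items():
        if len(hosts) < threshold:
            continue
        # Sequential means every address is exactly one higher than the one before it.
        sequential = all(int(b) - int(a) == 1 for a, b in zip(hosts, hosts[1:]))
        if sequential:
            alerts[key] = [str(h) for h in hosts]
    return alerts


if __name__ == "__main__":
    for (src, port), hosts in detect_sweeps(SAMPLE_LOG).items():
        print(f"ALERT sweep from {src} on port {port}: {' -> '.join(hosts)}")
```

A source that hits the same server many times never trips the rule, because only distinct destinations count; dropping the `sequential` condition turns this into a plain horizontal-scan rule that also catches a randomised probe order, at the cost of more false positives from legitimate hosts that talk to many servers.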
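The file integrity check described for servers (hash the important files, store the hashes elsewhere, re-hash daily and flag anything whose signature changed) fits in a few functions. This is an added example, not code from the lecture or from any integrity-checking product; the file names and contents below are constructed in a temporary directory purely to exercise the check.

```python
"""Hash-baseline file integrity check: build a baseline, store it, compare later."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map path -> hash, taken while the system is known good. The result is
    plain JSON so it can be shipped to a separate server, as the lecture advises."""
    return {p: hash_file(p) for p in paths}


def check_baseline(baseline):
    """Re-hash every baselined file; report 'changed' or 'missing' per path."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif hash_file(path) != expected:
            findings[path] = "changed"
    return findings


def demo():
    """Constructed scenario: two 'important' files, one edited in place and one
    deleted after the baseline was taken. Returns findings keyed by basename."""
    d = tempfile.mkdtemp()
    files = {
        os.path.join(d, "passwd"): b"root:x:0:0:root:/root:/bin/sh\n",
        os.path.join(d, "sshd_config"): b"PermitRootLogin no\n",
    }
    for p, content in files.items():
        with open(p, "wb") as f:
            f.write(content)

    stored = json.dumps(build_baseline(list(files)))  # what leaves the host

    # Simulated tampering: a rootkit-style edit and a removed file.
    with open(os.path.join(d, "sshd_config"), "wb") as f:
        f.write(b"PermitRootLogin yes\n")
    os.remove(os.path.join(d, "passwd"))

    findings = check_baseline(json.loads(stored))
    return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: if it sits on the same host as the files, an intruder with root can update it alongside the files, which is why the lecture has it saved on a different server.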
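The lecture's "what does the program do when the user types ABCD instead of 10" question can be answered concretely. The following is an added example and is not code from the lecture: a constructed SQLite table of roads, the string-concatenated query the lecture warns about placed beside a version that validates the type and binds the value as a parameter, and a helper that runs both on the same input so the difference is visible.

```python
"""Vulnerable versus parameterised query for 'roads longer than N miles'."""
import sqlite3


def make_db():
    """Constructed in-memory table; 'owner' stands in for data the user must not see."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roads (name TEXT, length_miles REAL, owner TEXT)")
    conn.executemany(
        "INSERT INTO roads VALUES (?, ?, ?)",
        [("Route A", 12.0, "public"),
         ("Route B", 3.5, "public"),
         ("Private drive", 0.5, "restricted")],
    )
    return conn


def long_public_roads_vulnerable(conn, user_input):
    """The 'before': the user's text becomes part of the SQL statement itself."""
    sql = ("SELECT name FROM roads WHERE length_miles > " + user_input
           + " AND owner = 'public'")
    return [row[0] for row in conn.execute(sql)]


def long_public_roads_safe(conn, user_input):
    """The 'after': reject anything that is not a number, then bind it as a
    parameter so the database never interprets the value as SQL."""
    try:
        threshold = float(user_input)
    except ValueError:
        raise ValueError("length threshold must be a number, got %r" % user_input)
    sql = "SELECT name FROM roads WHERE length_miles > ? AND owner = 'public'"
    return [row[0] for row in conn.execute(sql, (threshold,))]


def run_both(user_input):
    """Run both versions on the same input. Returns (vulnerable, safe), each either
    a sorted list of road names or the name of the exception that was raised."""
    conn = make_db()
    results = []
    for query in (long_public_roads_vulnerable, long_public_roads_safe):
        try:
            results.append(sorted(query(conn, user_input)))
        except Exception as exc:  # OperationalError from SQLite, ValueError from ours
            results.append(type(exc).__name__)
    return tuple(results)


if __name__ == "__main__":
    for text in ("10", "ABCD", "0 OR 1=1 --"):
        print(repr(text), "->", run_both(text))
```

With `10` both versions agree. With `ABCD` the concatenated query "crashes and burns" inside the database (SQLite reports an unknown column), which tells an attacker the input reaches the SQL text; the safe version refuses the input before any query is built. With `0 OR 1=1 --` the concatenated query's `owner = 'public'` clause is commented out and the restricted row is returned, while the safe version again rejects the input.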