Challenges of Internet Security

The primary challenges of Internet security have everything to do with balancing accessibility and functionality with the three pillars of information security: confidentiality, integrity and availability.

The Internet has become an in disposable tool for research, commerce, art, education and virtually every part of modern life. It was the inquisitive, intelligent, intuitive and creative nature of humanity that created the Internet and its those same qualities that put individual systems linked directly to the Internet in peril. The three pillars of information security are at stake for all systems with connectivity to the Internet. The challenge is in the implementation of the necessary security controls to achieve those three pillars.

Confidentiality:

Confidentiality pertains to protecting sensitive information. Sensitive information can be anything from private user information to classified defense data. Many organization live and die by the protection of proprietary information from competitors. During wartime, the armed services literally LIVE or DIE based on how well certain sensitive information is guarded. In the US Department of Defense is called Operational Security. Since the Internet is a critical part of the DoD (and defense organizations around the world) the confidentiality is a HUGE challenge for their Information systems exposed to the Internet. Some of the threats to there systems include: social engineering, leaks of information and accidental release of sensitive data. All of these threats can be enabled via the Internet.

Organizations must educate their user who have access to sensitive information. I’ve heard some security professionals say that educating users is bad.

But if your users have access to sensitive information (and need to have that access to do their jobs) it is imperative that they not only know WHAT is sensitive, but WHO it can be give to, WHEN it can be shared, HOW it can be share and WHY it can be shared.

Integrity:

Data integrity is very important to all systems passing data on the Internet. Integrity has to do with whether or not the message on the other end of your connection is the same one you actually sent. Whether its your passwords being passed to your bank or the DoD passing data over the Internet, the integrity of the data is imperative. Its often taken for granted until, we are sending an email and the receiver says they got the email but the message can’t be read. Sometimes if the messages integrity is garbled or malformed it simply won’t reach its destination. If the integrity of a message can not be protected in some way or verified and checked, it is possible for someone to intercept your message, alter it, and send it on its way. Integrity is especially critical in banking and financial transactions which is why encryption and authentication take on such an important role for sensitive transactions such as ATM withdrawals, and online banking.

The challenge to maintaining Internet integrity is to ensure that link is encrypted when necessary.

Availability:

If there is no availability there is no mission, no business, no functionality. One of the major challenges of Internet security has been Denial of Services attacks. A Denial of Service attack is when your system on the Internet (or within a network) is flooded with useless traffic such that no one else (not even you) can use it. With a misconfiguration, a denial of service can happen by accident. Its important to test the availability of an online system. Its also a good practice to see what kind of availability and access you are giving. After all, too much availability can compromise the security of your system.

Most challenges of Internet security can tie into one or more of the big three: confidentiality, confidentiality or availability. With those in mind most challenges can be overcome. But the double edged sword of security.. the very nature of it on the Internet is to constantly change and evolve with the Internet. The constant change of threats to those three aspects of security is perhaps the biggest over arching challenge.

Popularity: 3% [?]

Dangers on the Internet

This is a follow up to my post Why is Internet Safety Important

Dangers of the Internet are relative to the perspective of those accessing it. That is to say, on the Internet “dangers” are completely dependent on who is accessing what data from where and what their intentions are for accessing it. For example, researching a list of poisons could be a considered “dangers to the Internet” if a seriously disturbed person intends to kill his or her spouse. On the other hand, if a parent is just wondering what house hold products are poisonous with the intention of protecting her children, can that be considered a danger?

So protection from dangers on the Internet should be proactive and involve human judgment at some level. Policies must be written, planned and implemented in advanced or ad hoc to suit the environment and the users accessing the Internet. Children at a school with access from the classroom will more than likely be different from employees at a skating rink.

Even the items commonly considered dangers on the Internet relate directly to how much access individuals and organizations allow to and from the web. Common “dangers” may include (but should not be limited to) the following:

Accessibility to personal - applies to educating users on the dangers of putting personal information on the Internet and protecting organizational data bases

Sensitive data - For a school sensitive data is likely linked to the grades and personal information of staff and student, but for a business sensitive information could include proprietary information that would hurt the bottom line if it were leaked to competition.

Financial fraud & criminal hackers/scammers- This applies to educating users about criminal hacker techniques such as malware, social engineering, email and website phishing

The access of impressionable and/or psychologically disturbed individuals to potentially harmful and destructive information - This is rather subjective however it should be a concern to schools from elementary - colleges, rehabilitation facilities and mental institutions. There are ways to block certain obvious material with web-blocker type applications, but no one can stop them all. Monitoring is a must if this danger is to be handled seriously.

The risks and damage of these dangers are dependent on the environment & the users involved. It is up to the system owners to ensure that the policies are properly planned, implemented and maintained as exposure to any Internet danger can disrupt the safety, mission and/or values of an organization or individual.

Popularity: 3% [?]

Certification & Accreditation Change

Standard-issue security
Certification and accreditation process for national security systems to extend to the rest of government. A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network- centric systems and information sharing, but it lacked enterprise visibility.

That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

Popularity: 3% [?]

Standard Desktop Configuration (SDC) everywhere

For the last year I’ve been working on the DoD’s SDC implementation.  Standardizing ALL common use desktops is a very good idea for security.  But the problem I have with it, is that they are forcing SDC on mission systems as well.  They allow extension for some systems. 

This is a problem because mission systems are NOT standard.  Each mission system is different with different requirements.  Also, common desktops are in giant homogenous networks that can keep up with the changes in SDC with relative ease with applications like SMS.  Mission system are often controlled by a different entity than host so they must be updated manually.

So bottom line: SDC - great for desktops, VERY bad for many mission systems. 

Now SDC will be pushed to ALL government systems.

Popularity: 5% [?]