Advances in Enterprise Information Technology Security

In fact, today’s information systems are widely spread and connected over the networks, but also heterogeneous, which involves more complexity. This situation has a dramatic drawback regarding threats, which are now occurring on such networks. Indeed, the drawback of being open and interconnected is that they are more and more vulnerable as a wide range of threats and attacks. These attacks have appeared during the last few years and are growing continuously with IP emergence and with all new technologies exploiting it (SIP vulnerabilities, phishing attacks, etc.) and also due to the threats exposing operators (DDOS) and end user (phishing attacks, worms, etc.). The Slammer and SoBig attacks are some of the examples that were widely covered in the media and broadcast into the average citizen home.

From the enterprise perspective, information about customers, competitors, products and processes is a key issue for its success. The increasing importance of information technology for production, providing and maintaining consistent security of this information on servers and across networks becomes one of the major enterprise business activities. This means that it requires a high flexibility of the organizational infrastructure and on the introduction of new ways of information usage.

In such a complex world, there is a strong need of security to ensure system protection in order to maintain the enterprise activities operational. However, this book gathers some essays that will stimulate a greater awareness of the whole range of security issues facing the modern enterprise. It mainly shows how important to have a strong interaction that is required between enterprise goals and security solutions.

Objectives

It is the purpose of this book to provide a practical survey of the principals and practice of IT security with respect to enterprise business systems. It also offers a broad working knowledge of all the major security issues affecting today’s enterprise IT activities, giving readers the tools to address opportunities in the field. This is mainly because the security factors provide to the enterprise a high potential in order to provide trusted services to their customers. This book shows also to readers how to apply a number of security techniques to the enterprise environment with its complex and various applications. It covers the many domains related to the enterprise security, including: communication networks and multimedia, applications and operating system software, social engineering and styles of attacks, privacy and authorisation and enterprise security risk management.

This book gathers a best collection of papers written by many authors instead of a book that focuses on a specific approach or methodology.

Intended Audience

Aimed at the information technology practitioner, the book is valuable to CIO’s, operations managers, network managers, database managers, software architects, application integrators, programmers, and analysts. The book is also suitable for graduate, master and postgraduate course in computer science as well as for computers in business courses.

Structure of the Book

The book chapters are organized in logical groupings that are akin to appropriate levels in an enterprise IT security. Each section of the actual book is devoted to carefully chosen papers, some of which reflect individual authors’ experience. The strength of this approach is that it gives a benefit from a rich diversity of viewpoints and deep subject matter knowledge.

The book is organized into eighteen chapters. A brief description of each of the chapters follows:

Chapter I proposes three different realistic security-level network architectures that may be currently deployed within companies. For more realistic analysis and illustration, two examples of companies with different size and profile are given. A number of advices, explanations and guidelines are provided in this chapter so readers are able to adapt those architectures to their own companies and both security and network needs.

Chapter II is dedicated to the security requirements detailing various secured middleware systems, such as GRID computing, which implies sharing heterogeneous resources, located in different places belonging to different administrative domains over a heterogeneous network. It shows that there is a great similarity between GRID security and classical network security. Moreover, additional requirements specific to grid environments exist. At the end, the chapter gives some examples of companies using such systems.

Chapter III describes in detail the fundamental security requirements of a Symbian based mobile device such as physical protection, device access control, storage protection, network access control, network service access control, and network connection security. Symbian security is also evaluated by discussing its weaknesses and by comparing it to other mobile operating systems.

Chapter IV describes in its first part the security features of IEEE 802.11 wireless local area networks, and shows their weaknesses. A practical guideline for choosing the preferred WLAN configuration is given. The second part of this chapter is dedicated to the wireless radio network by presenting the associated threats with some practical defence strategies.

Chapter V presents first a classification and a brief description of intrusion detection systems, taking into account several issues such as information sources, analysis of intrusion detection systems, response options for intrusion detection systems, analysis timing, control strategy, and architecture of intrusion detection systems. It is then discussed the problem of information exchange among intrusion detection systems, being addressed the intrusion detection exchange protocol and a format for the exchange of information among intrusion detection systems. The lack of a format of the answers or countermeasures interchanged between the components of intrusion detection systems is also discussed as well as some future trends in this area.

Chapter VI presents security solutions in integrated patient-centric Web based healthcare information systems, also known as electronic healthcare record (EHCR). Security solutions in several projects have been presented and in particular a solution for EHCR integration from scratch. Implementations of , privilege management infrastructure, role based access control and rule based access control in EHCR have been presented. Regarding EHCR integration from scratch architecture and security have been proposed and discussed.

Chapter VII proposes a novel interactive access control model: servers should be able to interact with clients asking for missing or excessing credentials whereas clients my decided to comply or not with the requested credentials. The process iterates until a final agreement is reached or denied. Further the chapter shows how to model a trust negotiation protocol that allows two entities in a network to automatically negotiate requirements needed to access a service. A practical implementation of the access control model is given using X.509 and SAML standards.

Chapter VIII aims to put into perspective the delegation implications, issues and concepts that are derived from a selected group of authorization schemes which have been proposed during recent years as solutions to the distributed authorization problem. It is also the analysis of some of the most interesting federation solutions that have been developed by different consortiums or companies, representing both educational and enterprise points of view. The final part of this chapter focuses on different formalisms specifically developed to support delegation services and which can be integrated into a multiplicity of applications.

Chapter IX introduces digital rights management (DRM) in the perspective of digital policy management (DPM) focusing on the enterprise and corporate sector. DRM has become a domain in full expansion with many stakes, which are by far not only technological. They also touch legal aspects as well as business and economic. Information is a strategic resource and as such requires a responsible approach of its management almost to the extent of being patrimonial. This chapter mainly focuses on the latter introducing DRM concepts, standards and the underlying technologies from its origins to its most recent developments in order to assess the challenges and opportunities of enterprise digital policy management.

Chapter X describes common attacks on antivirus tools and a few obfuscation techniques applied to recent viruses that were used to thwart commercial grade antivirus tools. Similarities among different malware and their variants are also presented in this chapter. The signature used in this method is the percentage of APIs (application programming interface) appearing in the malware type.

Chapter XI describes the various ways in which phishing can take place. This is followed by a description of key strategies that can be adopted for protection of end users and organizations. The end user protection strategies include desktop protection agents, password management tools, secure email, simple and trusted browser setting, and digital signature. Some of the commercially available and popular antiphishing products are also described in this chapter.

Chapter XII describes the threat of phishing in which attackers generally sent a fraudulent email to their victims in an attempt to trick them into revealing private information. This chapter starts defining the phishing threat and its impact on the financial industry. Next, it reviews different types of hardware and software attacks and their countermeasures. Finally, it discusses policies that can protect an organization against phishing attacks. An understanding of how phishers elicit confidential information along with technology and policy-based countermeasures will empower managers and end-users to better protect their information systems.

Chapter XIII provides a wide spectrum of end users with a complete reference on malicious code or malware. End users include researchers, students, as well as information technology and security professionals in their daily activities. First, the author provides an overview of malicious code, its past, present, and future. Second, he presents methodologies, guidelines and recommendation on how an organization can enhance its prevention of malicious code, how it should respond to the occurrence of a malware incident, and how it should learn from such an incident to be better prepared in the future. Finally, the author addresses the issue of the current research as well as future trends of malicious code and the new and future means of malware prevention.

Chapter XIV provides a wide spectrum of existing security risk management methodologies. The chapter starts presenting the concept and the objectives of enterprise risk management. Some exiting security risk management methods are then presented by sowing the way to enhance their applications to enterprise needs.

Chapter XV presents a system life cycle and suggests which aspects of security should be covered at which life cycle stage of the system. Based on this it is presented a process framework that due to its iteratively and detailed ness accommodates the needs for life cycle oriented security management.

Chapter XVI presents a study on the classification of software specification languages discussing the current state of the art regarding attack languages. Specification languages are categorized based on their features and their main purposes. A detailed comparison among attack languages is provided. We show the example extensions of the two software specification languages to include some features of the attack languages. We believe that extending certain types of software specification languages to express security aspects like attack descriptions is a major step towards unifying software and security engineering.

Chapter XVII qualifies and treats the security associated with the transfer of the content, as a quality of service parameter. The user is free to select the parameter depending up on the content being transferred. As dictated by the demanding situations, a minimum agreed security would be assured for the data at the expense of the appropriate resources over the network.

Chapter XVIII gives an introduction to the CORAS approach for model-based security risk analysis. It presents a guided walkthrough of the CORAS risk analysis process based on examples from risk analysis of security, trust and legal issues in a collaborative engineering virtual organisation. CORAS makes use of structured brainstorming to identify risks and treatments. To get a good picture of the risks, it is important to involve people with different insight into the target being analysed, such as end users, developers and managers. One challenge in this setting is to bridge the communication gap between the participants, who typically have widely different backgrounds and expertise. The use of graphical models supports communication and understanding between these participants. The CORAS graphical language for threat modelling has been developed especially with this goal in mind.