Services Winn Schwartau InfosecGate Home Site Map Contact
Interpact Security Awareness For Today's Business
   

Check out our FREE security awareness promotional art.  Download your copies today!

Security Awareness Promotional Art

 

 

Integrity:
The Forgotten Leg of Security
The Basics Remain The Basics

by Winn Schwartau, President and CEO Interpact Inc.

The more I live and breathe in the security world, the more I realize that people forget the basics either because they are so wrapped up in day to day operations or they never knew them in the first place. With the incredible spate of web-graffiti occurring globally, it totally escapes me why more people haven't returned to the basics to solve a fairly elementary information security problem: web graffiti and illicit data modification.

The basics of Information security have long been represented by a simple triad:

Confidentiality: Keeping secrets a secret; making sure prying eyes cannot read information in storage or transmission.

Availability: Systems must be 'up and running' at all times, especially Mission Critical applications.

Integrity: Insuring that data is not accidentally or intentionally modified or corrupted.

From that security triad other important security issues emerge such as Access Control, Usability, Non-Repudiation and Accountability.

The security community has paid vast attention to confidentiality issues, which are solved through encryption of data transmissions such as email or encrypting files in storage. While encryption has been possible for decades, until key management problems were solved with the advent of public key encryption in 1976, this security technique lagged in implementation due to complex management. The issue of denial of service attacks began to be solved through better intrusion detection, high-speed reaction mechanisms, redundancy, fault tolerance, better disaster planning and system reconstitution.

But what about hacking web sites - graffiti - the most prevalent form of annoying and meddlesome hacking we see today?

Hacking a web page generally entails replacing the words or pictures on the home page with a political, pornographic or merely juvenile message of some sort. The common hacker message "U R Owned" seemingly refers to the complete takeover of your network, when in fact it more often refers to poor web server configuration or unpatched vulnerabilities. A web page hack is simply an integrity attack against the site's contents.

Integrity attacks modify content without the knowledge or permission of the owner as in the case of the New York Times hack or the countless NATO, FBI, CIA and Chinese web-hacks we read about. For an entertaining evening, head on over to your favorite hacker site and look at the thousands of archived hacked web pages. (Definitely R-rated, though.)

For the life of me I couldn't figure out why all of these hacks continued when since the late 1970s, we security folks have had many integrity protection methods to protect the contents of files from illicit modification. Integrity mechanisms have been part of the computer security professional's arsenal in many forms.

The simplest method is called CRC or a Cyclic Redundancy Check. The contents of the file are X-or'd with another set of (random) data and the results create an integrity key. When the reverse CRC process is run, and if the integrity key doesn't match the original, the file has been corrupted in some form and cannot be trusted.

A stronger integrity method is called MAC, or Message Authentication Code, a cryptographic technique that is based on the Data Encryption Standard. Again, a key is generated when the file is 'sealed'. Upon decoding, the key must match if the files are to be trusted. MAC was designed for use in electronic financial transactions (EFT) to make sure that a $1,000 wire transfer doesn't become $1,000,000 to my account.

Fast forward to the web. When we go to eBay, we want our bids and product descriptions to be accurate. Airlines and service industries want the correct hotel rooms or flights, billed at the right price to the right customer. News outlets want to make sure that an item is not subtly changed to completely alter its meaning. ("Bill Clinton said 'I DO know that woman'", or "Bill Clinton 'said I DO NOT know that woman'".) Subtle, but important, and how many people will pick up an error in the vast resources of millions of web sites? Embarrassment is least of their worries in an e-commerce world where integrity means everything.

Why hasn't the industry picked up on the importance of data integrity not only in Internet applications but for Intranet usage as well? Part of the reason is that vendors have not created decent tools and made them readily available to customers.

However, in 1992, Professor Gene Spafford and Gene Kim of Coast at Purdue University re-opened the integrity issue with the first comprehensive file integrity checker, Tripwire. Originally it was focused on Unix systems, but now, Tripwire Security, Inc. offers a complete range of platform support for integrity checking systems. Systems such as Tripwire can be configured to check for integrity violations (unauthorized file modifications) on a periodic basis (hourly, daily, etc.) and will check only those files chosen by the administrator. Perhaps only system files are deemed of importance, or perhaps entire file contents are so important that any alteration could cause severe damage to the company. Your choice.

Integrity checkers address many security needs: integrity based virus protection looks at file and system modifications (behavior), not signatures, which is an improvement for many new-breed attacks including Trojan Horses. Accidental system and file corruption can be detected early with integrity checkers, preventing additional damage as errors compound themselves. System upgrades, revision control, file and program management are all applications for the more sophisticated integrity mechanisms.

But don't forget that Web sites still are the most visible and vulnerable targets of integrity attacks - and also, incredibly easy to solve. Please don't make me repeat this article next year: take a look at the currently available integrity solutions that can certainly make your life a whole lot easier.

Let me know what you think!

Resources:

Tripwire www.tripwiresecurity.com
AVAST32 www.anet.cz/alwil/avast32.htm
CRC www.mindworkshop.com/alchemy/crc.html
Integrity Master www.stiller.com

Winn Schwartau's Writing and Publications
Interpact's Security Services and Solutions
Interpact's Security Awareness Brochure
Online Information Security Library
Learn more about Interpact, Inc. Learn More About Interpact:
E-mail
Phone
Fax
727.393.6600
727.393.6361
727.796.8484
727.393.6361

CORPORATE OVERVIEWSERVICES & SOLUTIONSWINN SCHWARTAU
INFOSEC GATEWAYCONTACTHOME

Copyright © 2000-2001 Interpact, Inc. All Rights Reserved
For comments about this page, contact: Kelley Walker, Interpact, Inc.
Copyright PolicyPrivacy Policy

Interpact Inc Security Awareness

eRibbons are courtesy of Alon Cohen and are available at http://people.bu.edu/xrpnt/ribbons/ribbon.html/ CURRENT EVENTS READING: Asymmetrical Adversarialism by Winn Schwartau NEW: Internet and Computer Ethics for Kids by Winn Schwartau Free! Download the 1st edition of Schwartau's classic: Information Warfare Cybershock: Schwartau's guide to protecting yourself on the Internet