NETWORK SECURITY
From risk analysis to protection strategies

Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione
Ministero delle Comunicazioni

The present document was written by:
Fabio Battelli (Innovia Tech S.p.A.)
Danilo Bruschi (Università degli Studi di Milano)
Roberta Bruzzone (Innovia Tech S.p.A.)
Giuseppe Carducci Artenisio (Securteam S.r.l. - Elsag [Gruppo Finmeccanica])
Sebastiano D'Amore (PricewaterhouseCoopers Advisory S.r.l.)
Luisa Franchina (Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione)
Salvatore Leotta (Electronic Data Systems Italia S.p.A.)
Paolino Madotto (Proge-Software S.r.l.)
Antonio Menghini (Electronic Data Systems Italia S.p.A.)
Simona Napoli (KPMG S.p.A.)
Gian Luca Petrillo (Consigliere del Ministro delle Comunicazioni)
Daniele Perucchini (Fondazione "Ugo Bordoni")
Massimo Piccirilli (Ministero delle Comunicazioni)
Francesco Pirro (CNIPA)
Gianfranco Pontevolpe (CNIPA)
Andrea Rigoni (Symantec S.r.l.)
Marco Strano (Polizia di Stato)
Andrea Valboni (Microsoft S.r.l.)

Cover and graphic project: Roberto Piraino (Graphics Lab - Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione)
Editing: Fonema S.p.A.
The present document has been reviewed by Alessandro Di Nepi, PhD.

The opinions and considerations expressed in the present volume, as well as the proposals set forth, are to be considered personal views of the individual participants and do not necessarily reflect the positions of the Bodies and Companies they belong to. The contents of the present volume are to be considered merely as a technical and scientific study providing orientation on the problems inherent to network security and communication protection.
Therefore, no responsibility may be attributed to the authors, or to the Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione that has published the volume, arising from any form of use of the contents of the present text. Specific brands or product names mentioned in the document are quoted purely as examples; they do not exhaust the range of possible commercial products and in no case represent evaluations of, or recommendations for, the use of those products. The present volume is distributed free of charge, and the authors have freely and without time limit granted the copyright to the Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione.

Index

Introduction
Reading guide
1 Networks and Society
1.1 The network concept
1.2 ICT as a tool for social and economic development
1.3 The various types of network as the premise for the Internet
1.4 The main subjects involved in network management
1.5 Security and privacy: two key aspects
1.6 The importance of the human factor for security
2 Network infrastructures and security issues
2.1 The network concept: physical and virtual components
2.2 The network and its subjects
2.3 Network security
2.3.1 General overview of threats to security
2.4 An example of a secure network: the PA Unified Network
2.4.1 Technological infrastructure: network design
2.4.2 Security management
2.4.3 Network evolutions
3 The relevant legislation
3.1 The reference general legal framework
3.1.1 Generalities
3.1.2 OECD and United Nations documents
3.1.3 EU Directives and other documents
3.1.4 Italian laws and related rules
3.1.5 Ministerial documents, AIPA, CNIPA
3.2 Individuals and rule compliance
3.2.1 Generalities
3.2.2 Major liabilities for individuals: rights, duties and accomplishments
3.2.3 The relationship with the judiciary and inquiring authority
3.3 Cases of rule violation
3.3.1 Information crimes
3.3.2 Non-compliance
3.4 Main requirements of outsourcing contracts
3.5 Areas of possible normative integration
3.6 Conclusions
3.6.1 Users' awareness and initiative
3.6.2 Legislative framework
4 Risk analysis and management: principles and methods
4.1 Security Management System
4.2 Risk analysis
4.2.1 The importance of risk analysis
4.2.2 General notes about the different risk analysis methodologies
4.2.3 Common elements among the main methodologies
4.2.4 Risk management
4.2.5 Risk analysis support to the Privacy Management System
5 Network protection measures
5.1 Technological measures
5.1.1 Firewall and VPN
5.1.2 Network/Host IDS
5.1.3 Access Server (RADIUS/TACACS)
5.1.4 Wireless security
5.1.5 Antivirus
5.1.6 URL filtering
5.1.7 Patch management
5.1.8 Cryptography and Public Key Infrastructure
5.1.9 Single Sign-On (SSO)
5.1.10 Strong authentication
5.1.11 User provisioning
5.2 Organisational and process measures
5.2.1 Disaster Recovery and Business Continuity
5.2.2 Identity management
5.2.3 Operational security management
6 Security governance in the Public Administration and private companies
6.1 Security governance as a factor of social guarantee for the use of networks
6.2 Implementation of security governance in organisations
6.3 Network security, a national and European asset to be promoted
Appendix 1
Appendix 2
Appendix 3

Index of Figures

Figure 2-1 Diagram of the ISO/OSI stack model
Figure 2-2 Servers equipped with protection measures
Figure 2-3 Use of security products within the EU
Figure 2-4 Virus occurrences in the EU between October 2000 and February 2001
Figure 2-5 RUPA general architecture
Figure 2-6 CG-I and service categories: CG-I connects all the Central Administrations and gives them Internet access through a high-speed, secure link
Figure 2-7 SPC: infrastructure, rules and organisational model
Figure 4-1 The most common vulnerability categories
Figure 4-2 Risk management life cycle
Figure 5-1 ISO/OSI levels and protection technologies
Figure 5-2 Firewall and networks
Figure 5-3 Remote Access Server
Figure 5-4 Wireless network equipped with a RADIUS authentication server
Figure 5-5 Architecture of a URL filtering solution
Figure 5-6 Typical patch management architecture
Figure 5-7 Typical Single Sign-On architecture
Figure 5-8 Authentication techniques
Figure 5-9 OTP devices
Figure 5-10 Digital certificates
Figure 5-11 Smart card and USB token
Figure 5-12 Biometric technologies
Figure 5-13 Provisioning architecture for an Identity Management system
Figure 5-14 Alternative solutions diagram, costs vs. implementation time

Index of Tables

Table 3-1 A comparison between the OECD document and the UN Resolution
Table 4-1 Relation among threats, attacks and vulnerabilities
Table 5-1 Predominant firewall technologies
Table 5-2 Synoptic table of strong authentication technologies

Introduction

The present volume arises from an initiative of the Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione and of the Observatory for the Security and Protection of Networks and Communications, with the collaboration of authors belonging to various public and private bodies. The Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione (referred to as the Institute in the remainder of the document), constituted in 1907, operates within the Ministry of Communications as a technical and scientific body.
Its activities, aimed specifically at companies operating in the ICT sector, at public administrations and at users, mainly concern regulation, experimentation, basic and applied research, and specialist training and instruction in the field of telecommunications. National and international technical regulation plays an important role in ensuring greater transparency and access to services for users, producers and network providers, and the Institute is active and proactive within it. In this field the Institute has a double role: through CONCIT (a coordinating committee with European recognition, made up of CEI (the Italian Electrotechnical Committee), UNI (the Italian National Unification Body) and the Institute itself) it conducts the transposition of European norms into national regulations and, at the same time, represents the Administration in addressing and supporting national groups within the various technical commissions and study groups of the ITU (International Telecommunication Union), of CEPT (Conférence Européenne des Postes et des Télécommunications) and of ETSI (European Telecommunications Standards Institute).

The Institute manages the Scuola Superiore di Specializzazione in Telecomunicazioni (active since 1923), which runs post-graduate specialisation in electronic communication and information technologies and issues the related diploma. In agreement with the Faculty of Engineering of the Sapienza University of Rome, the School organises yearly courses whose curricula include laboratory work, seminars and internships. The Institute also provides refresher training for Ministry and other public administration personnel in electronic communication and information technologies, security, multimedia and Quality of Service, by planning and delivering training aimed at acquiring specialist know-how. To this end the Institute has set up a Test Centre, accredited by AICA for issuing the European Computer Driving Licence (ECDL). Moreover, a Centre for the training of PA personnel in ICT security is currently being constituted. The training Centre will implement large-scale training and awareness activities for PA employees on ICT security matters, through the centralised and coordinated preparation of a Training and Awareness Plan that will spread the principles and methods of security throughout the Public Administration. The Institute also promotes dissemination through external communication events and publicises the activities and research it conducts.

The Institute's research activities are oriented to the development and improvement of telecommunication services and of those connected to information technologies. In pursuing these aims, its activities cover all areas of the sector, from telephony to television, from signal processing to network architecture and service implementation. In view of the know-how and instrumental resources available to it, the Institute plays a relevant role in European technological development projects, allowing a wider use of European funding. These activities are conducted both directly and through agreements with other research bodies, universities and international study centres. Within the Information Society context, actions are being conducted in collaboration with the Fondazione Ugo Bordoni (FUB) in the fields of telework, information security, distance learning and access to communication services for the elderly and the disabled. Thanks to the Institute's support, in recent years the Ministry has also been able to support a series of initiatives for the introduction of new technologies and new systems on communication networks. Among these are the feasibility studies for the application of new television and multimedia techniques and services, the feasibility study for the macro-regional provision of digital satellite television services, the study for a European satellite system for the provision of broadband multimedia and interactive services, and participation in the European Community IST (Information Society Technologies) research and technological development project called ATLAS.

Given its role as an impartial public body, the added value of the Institute, in terms of guarantee and competence, is what distinguishes the technical support and consultancy services it provides to companies and other subjects in the telecommunications sector. These services consist not only of traditional certification activities, carried out thanks to the competence and instruments of the Institute's laboratories, which allow the compliance of telematic systems with the various norms and reference recommendations to be verified, but also of specialist measurement campaigns for verifying Quality of Service (QoS) and network security, and for assessing the specific techniques of service interoperability within the scope of interconnection between the networks of various operators.

The Institute manages the database of number assignment for the national telecommunication network and of number portability in GSM and UMTS technology; it also manages the National Reference Clock (ONR) for the synchronisation of the Italian digital telecommunications network and provides institutional support to those taking part in tender bids for E-TEN (Trans-European Networks for telecommunications). The Institute collaborates with certification bodies on the verification and control of company quality systems in compliance with the UNI EN ISO 9000 standards, is engaged in control activities on accredited laboratories on the basis of the UNI CEI EN ISO/IEC 17025 standard, and is a Notified Body for activities conducted on the basis of Legislative Decree no. 269 of 9 May 2001. The Institute acts as the Certification Body for the security of commercial information systems and products (OCSI) and is an evaluation centre (Ce.Va.) for ICT systems and products that process classified data. Moreover, it is a Notified Body under the Directive on radio equipment and telecommunications terminal equipment, and is Competent Body and Notified Body for electromagnetic compatibility. In 2002 it became an international Certification Body on behalf of the TETRA MoU.

The present text was also produced with the contribution of experts from the Observatory for the Security and Protection of Networks and Communications. The Observatory is chaired by the Secretary General of the Ministry of Communications and is made up of representatives of the Ministries of Communications, Justice, the Interior, Defence and Productive Activities, and of the Presidency of the Council of Ministers (Department of Public Functions and Department for Innovation and Technologies), appointed by a specific inter-ministerial decree.

The present volume falls within the activities conducted by the Ministry of Communications during 2004 for the production of guidelines on:
• Network security: risk analysis and protection strategies
• Network security in critical infrastructures
• Quality of Service in ICT networks

The purpose of the document, as detailed in the reading guide that follows, is to provide an updated overview of the security problems, and of the related solutions, in the use of the Internet and of the connected wide-area and local networks. This volume is aimed at business users: professionals and professional firms, small and medium enterprises, and corporations. In professional firms and small and medium enterprises there is often no position dedicated to security: at best there is an ICT manager, and many chapters of the present volume are addressed to that position. For corporations the volume is aimed at the manager in charge of security. In all cases we hope that some parts will also be read by top management, to make them aware of the problems and to let them clearly perceive that solutions exist and are sustainable. The Reading Guide below contains a map directing readers to the paragraphs that may interest them. The management of security starts from knowledge of one's internal set-up, critical issues and vulnerabilities. Through proper knowledge of one's structures and characteristics, investments in security can be optimised, targeted at the objectives and made to yield the best results in terms of efficiency and effectiveness.
We want to thank all those who, with enthusiasm and professionalism, collaborated in writing the present document: Fabio Battelli (Innovia Tech SpA), Danilo Bruschi (Università degli Studi di Milano), Roberta Bruzzone (Innovia Tech SpA), Giuseppe Carducci Artenisio (Securteam Srl - Elsag [Finmeccanica group]), Sebastiano D'Amore (PricewaterhouseCoopers Advisory Srl), Salvatore Leotta (Electronic Data Systems Italia SpA), Paolino Madotto (Proge Software Srl), Antonio Menghini (Electronic Data Systems Italia SpA), Simona Napoli (KPMG SpA), Gian Luca Petrillo (Counsellor of the Ministry of Communications), Daniele Perucchini (Ugo Bordoni Foundation), Massimo Piccirilli (Ministry of Communications), Francesco Pirro (CNIPA), Gianfranco Pontevolpe (CNIPA), Andrea Rigoni (Symantec Srl), Marco Strano (Polizia di Stato), Andrea Valboni (Microsoft Srl). We also want to thank, for their contributions and suggestions: Michele Boccadoro (Consorzio Thyraeus), Maurizio Bonanni (Ministry of Communications), Stefania Caporalini Ajello (Consorzio Thyraeus), Andrew Christian Dell (Consorzio Thyraeus), Renzo Dell'Agnello (Elea SpA), Andrea Mariotti (KPMG SpA), Dario Nasca (Symantec Srl), Claudio Petricca (Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione), Giampaolo Scafuro (Sicurezza e Sistemi Srl), Mario Terranova (CNIPA).

Rome, March 2005
Luisa Franchina, PhD
General Director of the Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione

Reading Guide

The present document intends to provide readers with a complete framework of the process required for network security. Modern ICT architectures are characterised by being networks themselves, in turn connected to wider networks and to the Internet itself.
These infrastructural features, which have caused a revolution in the information society during the past decade, lead to a high vulnerability that needs to be confronted through appropriate protection systems. This great interconnected system features the participation of heterogeneous subjects: corporations, small and medium companies, organisations, government bodies and private citizens. Each of these, in exploiting network services, has an important role in ensuring the security of the infrastructures, of the information and of the related processing.

The first chapter - "The social structure of networks" - describes current society and its dependency on information. It recalls the birth and development of the Internet, the peculiar management system that characterises it, and the more general security and privacy requirements that the citizen of the information society feels the need of.

The second chapter - "Network infrastructures and security issues" - describes more technically the features of a network and the correlated security criteria, and concludes with an example of a secure network, the Unified Network for the Public Administration.

Such a socially useful technology as ICT, which is also intrinsically critical, has obviously attracted the attention of legislators during the past decade. Justified by the large number of sectors of social, economic, cultural and administrative life involved in the processing of electronic data, and prompted by EU regulations, a number of directives have been issued to regulate and, in many cases, prescribe the use of protection mechanisms based on technological and organisational aspects. An overview of the official documents issued in Italy and at EU level regarding information security is given in the third chapter - "Pertinent legal rules".

The fourth chapter - "Risk analysis" - is dedicated to an aspect that has recently received the attention of experts and also of legislators, both European and Italian. The proliferation and rapid evolution of threats has led to the need to identify the actually critical aspects of the assets to be protected, through a consistent approach, in order to direct resources appropriately, focusing them on the more critical areas from both an economic and an ethical viewpoint. Risk analysis is also the basis of a modern approach to security, based on proactivity and on a periodic review of risk levels and critical assets. It is, in fact, through the analysis and management of risks that countermeasures are identified and monitored over time.

The fifth chapter - "Technologies and tools for the protection of networks" - illustrates the ingredients required to design a protection system, downstream of the risk analysis and risk management described before. It is divided into two parts: the first deals with hardware and software technologies and components, while the second deals with services, which may be in-house or from third parties.

Lastly, the sixth chapter - "Governing security in the PA and the private world" - brings together all the topics dealt with, within the scope of an ethical and political view of network protection, considered as one of the basic components of the more general concept of Corporate Governance, a subject that, as is known, has become of great relevance for all, including legislators, during the past years.

The present document, a picture of the current scenario, includes hypotheses and prompts for future improvements, as a useful resource for those who wish to confront and check their know-how, as well as a source of stimulus and promotion of awareness of network security among the various subjects involved, and a means to identify opportunities for improvement and progress from the technological and organisational viewpoint.
The following table directs the various kinds of readers to the chapters likely to be of greatest interest for their activities.

[Reader map: a table marking, for each reader category (Top management, ICT Manager, Security Manager, S/M Enterprises & Professionals, PA, Legislators, Legal Office), the sections of chapters 1 to 6 of greatest interest to that reader.]

1 - Networks and Society

1.1 THE NETWORK CONCEPT

The term network, given the great increase in interconnections among computers during the past decade, has taken on a rather broad meaning that, in some contexts, has replaced the acronym ICT (Information and Communication Technology). In this meaning (which is extensively adopted in the present document and especially in this chapter) networks are the interconnection structures (built with the various wired and wireless technologies) and also the diverse machines, hardware and software, that are the objects of the interconnection, together with the systems that support the interconnection itself. By extension, and consistently with the title of this chapter, users are also part of the network.
On the other hand, next to this holistic definition of the term, in the singular, there is also a practical and operative definition that indicates a more limited portion of the system, normally characterised by being owned and managed by a specific, identified subject. Looking in further detail, we find local networks and small personal ones which, in some rare cases, are not interconnected to the wide network but constitute closed systems.

Networks, whether large or small, are therefore made up of passive transmission components (copper wire, optical fibre, radio links, etc.) and of a large number of components that we may define as active, both hardware and software. The multiple and complex set-up of these components, to which one must add the human users and operators, is the main reason for the high intrinsic vulnerability of the systems; on the other hand, because of their mission of processing information, they are the elements to which security measures (organisational, physical and logical) are addressed, as will be discussed further on.

1.2 ICT AS A TOOL FOR SOCIAL AND ECONOMIC DEVELOPMENT

"Knowledge is the new basis for wealth. This has never been so before. In the past, when capitalists spoke of their wealth, they referred to their property in terms of machines, equipment and natural resources. In the future, when capitalists speak of their wealth, they will mean their ability to control knowledge." [1]

These are the words Lester Thurow [2] uses to highlight the role taken on by informatics (or ICT, meaning information and communication technologies) in the economy and in our everyday lives. Just a decade ago it was unthinkable to make a bank transfer, a financial investment, or to buy and sell from one's home. In these ten years the acceleration of technology has brought a historic change in the way we work and spend our leisure time. It is now possible to face the challenges of globalisation in an economy increasingly linked to the exchange of data and information, because networks have become the true nervous system around which the advanced economies, western and not only, operate.

[1] Lester C. Thurow, "The building of wealth", 2000, Ed. Sole 24 Ore
[2] Lecturer in Management and Economics at MIT

Many companies nowadays have become global. An increasing number of products, conceived and designed in one location, are manufactured thousands of kilometres away. The thread connecting the creative location to the productive one is often an optical fibre, a copper wire or a satellite link. At the end of the 18th century, production sites were built alongside watercourses, on which boats could carry the goods produced and from which it was possible to draw water and discharge rather polluting waste; at the end of the 19th century production sites were mainly close to electrical sources and railways. Nowadays, modern service centres are located close to wired areas, where large amounts of bandwidth for transferring data are available. Another emerging model is based on the increasing outsourcing of companies' non-core services. It is increasingly common for payroll management, accounting and logistics to be handled by external companies. A growing number of functions are assigned to companies that offer a complete package of services. Once again, networks are the link to these external activities. Moreover, companies are increasingly using ICT applications hosted by service companies, which spares them the daily management of their information systems.
Not to mention e-government services that, even now, allow us to submit our income tax return, view our tax position, request certificates from municipalities and the PA, carry out property checks, and more. Once again, networks are what make this possible. Europe has this scenario quite clearly in mind, and the EU Commission's opinion is that "by favouring the economy, information and communication technologies can create new and better jobs and increase wealth. The European governments want these advantages to be available to all and not only to a minority. A new society based on knowledge must be open to all. The Internet offers enormous opportunities: any person who knows how to use a computer can take part in social life by clicking a mouse. e-Europe and its programmes (eLearning, e-Health, e-Government and e-Business) aim at fully exploiting this potential in favour of social development." [3]

Knowledge, as a peculiar feature of our era, has four distinctive characteristics. The first is the extent of the phenomenon: the knowledge acquired during the past twenty years is greater in quantity than all the knowledge acquired before. Most of the products we use nowadays did not exist just twenty years ago. The second characteristic is a greater integration of the knowledge used in making products, far beyond anything seen before. A modern car is a composite product of knowledge ranging from design to psychology, from marketing to electronics and informatics, to aerodynamics, mechanics, chemistry and so on. The third characteristic is the dematerialisation of products. The weight of raw materials and direct labour has progressively decreased in comparison with the immaterial components. Design, technology, know-how, patents and communication have progressively taken on greater relevance. The role assumed by knowledge modifies the traditional production model, based on a sequence in which theoretical research leads to a discovery, applied research leads to an invention and, lastly, industrial development leads to a prototype and to the engineering of the production process that leads to mass production. Finally, the last characteristic is the contraction of the time between discovery and product realisation. For example, large pharmaceutical or IT companies continue to invest in theoretical research with the aim of identifying scientific discoveries to patent and sell. Patents therefore take on a new role: the exclusive rights to exploit them raise new ethical questions for citizens and for society as a whole.

[3] "Towards a Europe based on knowledge - The European Union and the information society", European Commission, 2002.

In a knowledge economy, networks and information become the lifeblood of the economy. The Internet is the great interconnection system that allows the diffusion of information worldwide. The Internet nowadays carries everybody's data, including sensitive economic information: it is therefore necessary to acknowledge the new problems that the opportunity offered by the network raises. "The Internet is changing our way of life. Europe must enter the digital era and base its economy on knowledge. The way in which the European Union manages this transition will affect the quality of life, working conditions and, in general, the competitiveness of European industry and services." [4] This is how Europe is preparing for the challenge, a challenge that the European Union considers an ambition: "The general objectives set by the leaders of the Union in Lisbon aim at making the EU the most competitive knowledge-based society in the world by 2010." [5]

[4] ibid.
[5] ibid.

The Internet is like the high seas, on which information navigates planet-wide. As at sea, it is necessary to take the appropriate safety measures. Nobody would ship freight by sea without the possibility of tracking its route through the satellite system, constantly monitoring its position by radio and having the protection offered by the naval fleet. During World War II, what worried Great Britain was the continuous attacks by German submarines on the freight convoys between the US and the UK. The solution adopted was to protect them with military escorts that made the crossing safer. This is similar to what is done with data sent from one location to another through a secure protocol that protects their integrity.

In this context network security becomes increasingly important: a term that can be set beside the word insurance, which in its most common sense means taking out a policy covering the possible damage caused by an unexpected event. Data security means adopting the measures that protect the operations and business of a company. Within this framework, the European Union, in the document quoted, continues: "The more networks and computers become a central element in trade and daily life, the more the need to protect data increases. Making networks and information systems secure is therefore the preliminary requisite for promoting e-commerce and protecting privacy. To this purpose the EU has launched a strategy based on its communications on security and cyber-crime and on the directive concerning data protection." In recent months ENISA (European Network and Information Security Agency) has become operational as the European agency whose specific duty is the governance of network security issues; the Ministry of Communications made a major contribution to its creation.
Knowledge, therefore, is the true stimulus of the economy we live in, a knowledge that is increasingly encoded in computers, which have taken over much of the processing work that was done manually up to just a few years ago.

1.3 THE VARIOUS TYPES OF NETWORK AS THE PREMISE FOR INTERNET⁶

Before examining the genesis of the Internet in some detail, and the various subjects that manage its functioning, it is interesting to rapidly consider the characteristics of the various types of network developed so far and currently in vast use: the telephone network, the TV network and the mobile phone network. Built and developed over long decades, telephone and TV networks (or rather, radio-TV networks) hardly resemble one another. The first, founded on connectivity, are networks with no contents, because the contents are provided by the users at the two ends of the line, with no involvement by the provider of the phone service. The second, based on broadcasting, have always been content networks, without which radio and TV would have been empty boxes. Moreover, until recently, there was a sharp distinction, at company level, between the ownership/management of phone networks and of TV networks. As a consequence, phone networks and TV networks have never shared transmission resources. Both TV networks and phone networks have, for years, been managed as monopolies, protected by national boundaries and by national and continental standards. The third large network, the mobile phone network, was born within this context, but since the so-called second generation (mid Nineties) it has avoided the barriers of monopolistic management, while it could not count on global standards, essentially because of competition between the parties involved.

⁶ The paragraph contains contributions from “Telecommunications networks in Italy” by the Ugo Bordoni Foundation (2003).
The mobile phone network is technically an extension of the fixed network, to which it adds a new essential value: that of continuous tracking, of mobility and of the possibility of personal communication at any time and anywhere. Nowadays the development of mobile networks is the only sector of telecommunications in which the rate of penetration in Italy is not less than that of the leading countries. These rates are not only higher than those in the USA but are also in line (in percentage) with those of the Scandinavian countries, pioneers and leaders in this field.

Thanks to the existence of the above networks (especially the first two) and to its intrinsically distributed nature, the Internet has developed over the past three decades with growth rates hitherto unknown in the history of humankind, from the origins of Arpanet, in the USA at the beginning of the Seventies, to the current web. The Internet and its applications are diffusing information and knowledge with an extent never experienced before in the history of humankind. In practice, an irreversible democratisation of the flow of data has been set in motion, featuring an enormous social impact. From a logical viewpoint, the Internet is configured as a network which, through millions of exchange nodes (routers), interconnects hundreds of millions of computers, including not only the servers but also the devices owned by users (workstations, PCs, palm computers, mobile phones with advanced processing and data communication features).
The physical connections required for the transfer of data between routers and computers are ensured locally (buildings, university campuses, industrial sites) by networks appropriately conceived as LANs (Local Area Networks), while coverage over metropolitan or geographical distances is handled by infrastructures that belong to phone companies, mobile phone companies or cable TV companies (in the form of resources that are permanently assigned by contract or allocated on the basis of single use). The fact that the Internet, as regards transmission functions, does not have an independent infrastructure is basic in analysing the current situation. In fact, one might say that it is only thanks to the systematic recourse to transmission resources that pre-existed, or that in any case could be activated by connectivity providers with a long-standing history, that the Internet has developed at the incredible rate mentioned above. In strictly economic terms, it is sufficient to say that investments for the Internet world-wide, at least in terms of transmission resources, have been mainly marginal, and have not implied laying ad hoc cables or the realisation of costly civil structural works.

1.4 THE MAIN SUBJECTS INVOLVED IN NETWORK MANAGEMENT

The birth of the Internet has been dated 1st September 1969, with the advent of ARPANET. This network connected the US State Department and the universities with which it collaborated. It was used both to share research and for personal communication. Soon it became necessary to split the two activities, and in 1983 it was decided to separate the military aspects by creating a specific network called MILNET, and assigning ARPANET (renamed Internet) to the scientific aspects and to collaboration among universities.
Between 1990 and 1995 the increasing diffusion of the Internet led to an explosion of connections between the first nucleus and other networks, both public and private, that progressively formed what we now call the Network of Networks. The Internet developed with no surveillance authority, but through the agreement and collaboration of the various bodies that took part in it. Often the authority of some universities and research centres was acknowledged de facto, and the indications they provided were adopted by the other bodies connected, both private and public. In January 1992, however, the Internet Society⁷ was founded, with the people who had created the basic technology among its founders and animators. The Internet Society was assigned the responsibility for the coordination structures that had been formed in the meantime, such as the Internet Activity Board⁸ and the Internet Engineering Task Force⁹. The Internet Society (ISOC) is a non-governmental international organisation for global cooperation and coordination on the Internet network and its technologies and applications. In 1999, the Internet Corporation for Assigned Names and Numbers (ICANN)¹⁰ was founded as a non-profit organisation for the management of the allocation of the address space on the Internet, the domain name system and the root server system functions. In 1998 the Council of European National Top Level Domain Registries (CENTR) was founded, with the purpose of supporting the exchange of information and guaranteeing the development of best-practice procedures among European registries for the coordination of first-level domain names (e.g. those that end in “.it”).

⁷ www.isoc.org; www.isoc.it in Italy.
⁸ www.iab.org
⁹ www.ietf.org
Among other international bodies that deal with the Internet and the Domain Name System, especially notable are the RIPE Network Coordination Centre, which acts as the European Internet Regional Registry and coordinates the activities of the organisations that are part of it, and the Governmental Advisory Committee¹¹, which gathers together representatives of all governments with the objective of supporting the public-private relationship in managing the Network. Within this web of competence there is also the W3C (World Wide Web Consortium)¹², whose objective is to standardise the technologies used in the Web that are essential for the Internet. These bodies are often constituted through independent initiatives by private parties, universities and institutions, and feature different fields of activity. In many cases an affiliation process is not required: it is sufficient to prove one has the required competence in order to be able to contribute and to propose one’s availability.

¹⁰ www.icann.org
¹¹ www.gac.org
¹² www.w3c.org

In order that all this functions, shared and accepted rules are required. The main basis for civil social relationships in the Network is provided by a self-regulatory code termed netiquette¹³. This code, which has been in existence for decades with periodic updates, states the bases for civil relationships in the Network. Any breaches may be reported either to one’s provider or to the Italian Naming Authority¹⁴. Such breaches may be punished with exclusion from the Network. At a national level, in line with what had already happened in other countries, during the early 90s a group for the Italian Naming Authority¹⁵ was formed. The Naming Authority ITA-PE was established in October 1994 and since then has operated as an open work structure, basing its operative procedures on the de-structured model of the groups of the Internet Engineering Task Force (IETF). Participation in the group was therefore free, and work was conducted both during periodic meetings of the group and via e-mail. Decisions were made on the basis of the widest consensus. Later, the need for a structure that could rapidly make operative decisions, and the difficulty in reaching full consensus at times, led to a revision of the work model and to the formal constitution of the Italian Naming Authority. To this purpose its operative procedures have been modified so as to provide greater organisation.

¹³ The official Italian translation of which is at www.nic.it/NA/netiquette.txt
¹⁴ See below.
¹⁵ www.nic.it

The Registration Authority, the executive structure of the Naming Authority, is in charge of assigning domain names with the .it suffix. The Italian RA therefore has the task of managing the operative registries of the .it Top Level Domain. The general operative methods and rules (Naming Rules) on the basis of which the Italian RA operates are defined by the Italian Naming Authority. In addition to managing .it, the RA is responsible for the assignment of names defined by other standards. The activities of the RA are conducted by the Istituto di Informatica e Telematica of the Consiglio Nazionale delle Ricerche (IIT-CNR). Its role as Registration Authority is assigned to the CNR owing to its position within the national and international scientific community as a public research body. Related activities are managed by technicians of the Istituto di Informatica e Telematica with the agreement of IANA (Internet Assigned Numbers Authority¹⁶), on the basis of the acknowledged competence acquired. The Italian Registration Authority holds a highly relevant role, also at global level, for the development of the Domain Name System and associated policies. Among the bodies of which the RA is an active member are CENTR¹⁷ and ICANN.

¹⁶ www.iana.org
¹⁷ www.centr.org

In conclusion, the Internet has a history that is confused and yet, at the same time, organised, arising from the people who shared competence and responsibilities in giving life to this extraordinary phenomenon. The media and common sense often confuse these aspects with computer piracy, hackers, viruses and whatever else. As a matter of fact, many of the people who made the Internet, such as Vinton Cerf and Joseph Licklider (among the founders of ARPANET and the Internet), Tim Berners-Lee (inventor of the World Wide Web), Ray Tomlinson (inventor of e-mail), Marc Andreessen (inventor of the Web browser and later founder of Netscape), Bill Joy (inventor of Java¹⁸ and of UNIX BSD), just to name a few, are all, in the best sense of the word, hackers¹⁹.

¹⁸ A widespread technology for the distribution of applications on the network.
¹⁹ The term hacker, which later took on a negative sense owing to a misunderstanding by the media, was, in fact, originally a positive one that defined a model for work and knowledge sharing. A hacker, in its initial meaning, is an enthusiast of his job, who is ready to share it in order to increase common competence, receiving a satisfactory compensation. Since their origin, hackers follow a sort of code of honour that implies a challenge of intelligence conducted through technologies. The term derives from the verb to hack, that is, to build the products one needs with one’s own work. It is the term cracker that hackers use to define computer pirate-vandals: people who, possessing technical know-how, use the tools of hackers to destroy the security of a system for theft or vandalism. The word was coined in 1985 by hackers to defend themselves from the mistaken use of the word hacker by journalists.

This partial overview of the subjects that created and manage the Network of Networks should lead to the understanding that out there, that is, outside our personal or company computer, there is a diversified world of companies that provide network connections, users (well- or ill-meaning), bodies, governmental and not, for management and control, etc. This galaxy, from which this extremely powerful tool arose and which requires a delicate balance between rules and freedom, sets us the challenge of security. It is a common belief that one can assign one’s security to the phone company or to a well-known Service Provider in order to feel safe. As a matter of fact, it must be understood that security is a continuous culture and a constant practice, to be assigned to professionals who are able to adequately support companies, and of which, in any case, a considerable portion remains assigned to the sense of responsibility and know-how of the users. Security on the Internet is neither more nor less than security on the roads. It is possible to circulate freely because most citizens are honest and ready to report anyone who has committed a crime, but nobody can ensure that crimes such as a theft or a more serious offence will not take place in everyday life.

1.5 SECURITY AND PRIVACY: TWO KEY ASPECTS

Nowadays any private or public organisation assigns most of its processes, whether business or institutional, to information systems and hence to the information processed. When a damaging event, whether natural or criminal, strikes the systems that manage the information which an organisation requires (including networks), this nearly always turns into a sudden interruption of the production processes that can endanger the continuity of the organisation.
Today, more than before, being secure means confronting any event, whether natural disasters (floods, fires, earthquakes) or computer attacks, ensuring the integrity and continuity of the most intimate and vital processes of an organisation. In order to fully understand the basic principles on which to base the meaning of security, and hence the protection strategies, it is useful to make the following concepts clear. A telecommunications network and, more in general, the information it carries must satisfy at least the following requisites to be considered secure:

- Confidentiality of the information, intended as the assurance that the data are accessed, known and treated exclusively by those who have the right to do so.
- Availability of the information, intended as the possibility of accessing the data when required. The systems should have sufficient capacity to satisfy the requests for access by users.
- Integrity of the information, intended as the assurance that the data are accurate and exempt from tampering, loss or damage.

These three requisites (specifically the first) hold a primary role in the concrete implementation of a juridical principle that has powerfully emerged during the past years: the protection of the personal data of individuals or entities, so as to ensure their privacy. Adequate security measures must be foreseen, also by law, to this purpose. More in general, we must note that the overall vulnerability of networks and information systems throughout the world essentially depends on a new way of intending and managing the processes within organisations. Up to a few decades ago organisations were governed by internal collaboration flows and were scarcely communicative towards the outside. Substantially, networks had not yet entered the world of ICT: connections were mainly dedicated links to centralised systems (mainframes).
Therefore, security at that time was based on isolation and was intended as a prevalently static and passive fact. Moreover, it is also useful to stress that the use of data took place in a rather limited manner and the independence of the employee using the information system was virtually non-existent. Essentially, the information system and the human resources it consisted of were the catalyst of all the information requests arriving from the rest of the company. Although in such scenarios it was frequent, at the time, to encounter procedures that paid scarce attention to security, the threats were relatively low, because the communication infrastructure did not feature the same vulnerability as today.

With respect to these paradigms, today’s organisations have radically changed. They tend to externalise both sub-processes and entire processes; they tend to distribute functions across the territory because they are increasingly part of multinational realities; they dialogue in real time with their suppliers, customers and clients and, above all, at different levels; they allow single users to dialogue directly with most applications so as to rapidly find information. The core of this important change is telecommunication networks. Thanks to the introduction and development of networks, today we can effectively speak of information sharing. This greater openness implies a greater usability of the data, which exposes organisations to considerable risks. Compared to the past, security becomes a dynamic fact to be faced in an active way. The internal users of the organisation acquire an essential role with respect to the information system and networks. The internal user – information system – network relationship is by far more critical than the external user – information system – network relationship. The reason is easily understood.
Most of the operations required in the management of the organisation are conducted with internal applications, which, together with the information and the network, make up the Company Information System (CIS). It is natural to think that, unlike external users, who have access to a limited and controlled number of services, internal users are involved in the exclusive and privileged use of the CIS and therefore represent one of the main risk factors for information and network security. Within this context, a further issue that contributes to the requirement for security is the need to ensure privacy in the treatment of information. Although this topic will be thoroughly dealt with further on, some basic aspects need to be understood. The privacy laws issued by the single governments of the European Union are based on some essential, widely accepted principles for the protection of personal data. Among these are:

- Data must be collected in compliance with the laws.
- The information collected on single individuals may not be diffused to other organisations or other individuals without explicit permission of the law or the approval of the individual concerned.
- The information collected must be accurate and updated.
- The use of the information must be related to the aim for which the data have been gathered, and only for the necessary time frame.
- Individuals have the right to correct and update their personal information.
- The individuals to whom the information refers have the right to receive a report on the personal information collected and/or managed by the organisations.
- The transmission of personal data to locations different from the original ones is prohibited if the existing security measures are not at least equivalent.

During the past years, the need to comply with these principles has strongly contributed to creating a growing interest and sensitivity for the protection of network data.
1.6 THE IMPORTANCE OF THE HUMAN FACTOR FOR SECURITY

In line with the statement by the cyber-philosopher Philippe Queau, “we are faced with a new way of living this world, of thinking of the world and of acting on it”, various international studies have undeniably highlighted that the wide-scale introduction of ICT has affected individuals’ learning schemes, actually inducing perception disturbances that, in various ways, affect the level of awareness of the subjects and the overall learning path that will lead, or not, towards a choice of rules. Having stated this, it has to be observed that behind each security technology there is a person that must use it, and that even the most sophisticated and apparently armoured security system, whether physical or logical, may be made vain by users who are not trained or are scarcely convinced of its necessity. The more advanced psychological research²⁰ concerning computer crimes has in fact highlighted the existence of perceptive changes induced by digital technologies, especially when such a technology mediates the relationship between the author of a crime and its victim: performing an illegal action from one’s familiar and reassuring workstation and, above all, without looking one’s victim in the eyes is a less anxiety-inducing scenario for an individual. Human psychology is therefore a factor that must be considered when designing and managing information security. On the other hand, in the more developed and modern work contexts psychology has already affected security procedures for a number of years. Especially in the USA and the UK the human factor is, for example, specially cared for in the field of the safety of people in their workplace. The function of psychologists in these environments is to convince people, beyond what is prescribed, to behave in a secure way, also leveraging their motivational sphere. The workers of some vanguard work-sites, for example, undergo psychological actions (training courses, focus groups, individual interviews) so as to instil the habit of using individual and collective protection tools in order to reduce casualties, and workers performing dangerous tasks are trained to comply with the security rules under the supervision of a psychologist. In terms of information security and the prevention of crimes within organisations, the experiences of research and psychological intervention seem to be aimed more at assessing the level of perception of the crime (in order to evaluate the risks related to internal users) and the perception of the risks of an attack (for the assessment of the vulnerability of security systems linked to the human factor).

²⁰ Bruzzone R., “The importance of the human factor in information security policies”, ICT Security, February 2004.
Galdieri P., Giustozzi C., Strano M., “Sicurezza e privacy in azienda”, Apogeo Editore, Milano, 2001.
Rogers M., “A social learning theory and moral disengagement analysis of criminal computer behaviour: An explanatory study”, unpublished dissertation, 2001.
Rogers M., “Psychological Theories of Crime and Hacking”, Department of Psychology, University of Manitoba, Telematic Journal of Clinical Criminology, www.criminology.org, 2003.
Strano M., “Computer crime”, Edizioni Apogeo, Milano, 2000.
Strano M., “Computer crimes in companies”, BYTE, January 1999.
Strano M., Bruzzone R., “Computer crimes in companies: insiders”, in M. Strano (ed.), “Manual of Clinical Criminology”, See Edizioni, Firenze, 2003.
Strano M., Battelli F., Bruzzone R., Giustozzi C., Boccardi M., “Inside attack: techniques for intervention and prevention strategies”, in press, 2005.
The main aspects related to the human factor, to be considered in relation to information security, are the following:

- Knowledge of the consequences of possible illegal actions, because people, when they commit an illegal action, assess the pros and cons also in terms of the damage caused; in this perspective, obtaining correct information allows an exact perception of the consequences of one’s action, increasing the level of awareness and diminishing the risk of underestimating the action.
- The knowledge and perception of risk, which is at the base of the superficial/non-functional behaviour of some people, who consider that their work group or organisation does not represent a target for an attack, hence showing a scarce perception of the risks.
- Motivation to comply with security procedures, because they are often tiring/boring to apply and hence it is essential to motivate people to respect these procedures, which would otherwise not be systematically applied, jeopardising the security of the overall organisation.

NETWORK SECURITY From risk analysis to protection strategies

2 - Network infrastructures and security issues

2.1 THE NETWORK CONCEPT: PHYSICAL AND VIRTUAL COMPONENTS

The idea of a network connection is generally that of a wire that connects two points. Along this wire information travels in the form of bits, sent and received according to given rules that allow their interpretation. At the basis of this idea is the telegraph, on which, at the beginning of the 20th century, an expert operator tapped a single key sending Morse-coded signals. In the 70s packet technology was born, which allowed sending a number of simultaneous transmission flows along the same wire. The more recent birth and diffusion of the Internet complicates the basic concepts.
First of all, nowadays a network consists of very different physical media: there are satellite links, radio, GSM, GPRS and UMTS based links, copper, optical fibre, wireless, etc. Each of these physical media features different characteristics in terms of latency, transmission capacity, security, connection reliability, etc. The modern complexity of networks can be managed thanks to the TCP/IP protocol, the protocol used by the Internet. This is a network protocol that allows two systems to share a dictionary, which is able to translate the signals into information and ensure that these are transmitted and received correctly. The protocol continues to transmit for a certain period, also using alternate routes, until it obtains an acknowledgement message. Another important function of modern networks is routing, performed by special devices (routers). These devices read the various packets transmitted in the TCP/IP format and route them along the various connections. There is also NAT/PAT (Network Address Translation/Port Address Translation), which allows using a single IP address for an entire network. This technology allows having a private network, invisible to the Internet. A network node takes care of keeping track of the sender and the receiver so as to establish the communication, from a point within the private network towards an external point, as if they were directly connected. Lastly, tunnelling allows creating virtual connections on conventional TCP/IP connections. Within these virtual connections information is transferred ciphered, preventing possible intruders from intercepting the data exchanged between sender and receiver. The deciphering of the information is performed at special network access points that can consist of firewalls, routers, servers and even clients, according to requirements. Considering the above, it is obvious that it is now difficult to track a physical connection.
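The sender/receiver bookkeeping that NAT/PAT performs, as an added example in Python that is not part of the original report: a gateway node with one public address (constructed: 198.51.100.1) keeps a table of the private sender and the external receiver for each flow, rewrites outbound packets, maps replies back to the right internal host, and drops inbound packets that no internal host solicited, which is what makes the private network invisible from the Internet. The PatGateway class, the hosts and the packets are all constructed for illustration.

```python
"""NAT/PAT translation table, simulated.

Added example, not code from the original report. All addresses, ports and
packets are constructed (RFC 1918 private ranges and documentation ranges).
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal IP/transport header: only the fields NAT/PAT rewrites or matches."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class PatGateway:
    """Border node holding one public IP and a translation table.

    Outbound packets get the public IP and a fresh public port; the table
    remembers which private (ip, port) and which remote endpoint that public
    port belongs to, so the reply can be mapped back to the internal host.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # private flow (src_ip, src_port, dst_ip, dst_port) -> public port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> private (ip, port)
        self._inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a private host's packet so it appears to come from the gateway."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._outbound.get(flow)
        if public_port is None:
            # First packet of this flow: allocate a port and record both directions.
            public_port = self._next_port
            self._next_port += 1
            self._outbound[flow] = public_port
            self._inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the private host, or drop it if no flow matches.

        Returning None models the 'invisible' private network: a packet that no
        internal host solicited has no table entry and never reaches the LAN.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)

    def table_size(self) -> int:
        """Number of active flows the gateway is tracking."""
        return len(self._outbound)


def demo() -> dict:
    """Two private hosts reach the same web server through one public IP."""
    gw = PatGateway("198.51.100.1")
    web = ("203.0.113.5", 80)  # constructed external server

    # Both hosts happen to use the same local source port; PAT keeps them apart.
    out_a = gw.translate_outbound(Packet("192.168.1.10", 5000, *web, "GET / a"))
    out_b = gw.translate_outbound(Packet("192.168.1.11", 5000, *web, "GET / b"))

    # The server answers the gateway's public ports; the table routes each reply home.
    reply_b = gw.translate_inbound(Packet(*web, gw.public_ip, out_b.src_port, "200 OK b"))
    reply_a = gw.translate_inbound(Packet(*web, gw.public_ip, out_a.src_port, "200 OK a"))

    # Unsolicited probe from another Internet host: no entry, dropped at the border.
    probe = gw.translate_inbound(Packet("203.0.113.99", 4444, gw.public_ip, 40000, "probe"))

    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a,
            "reply_b": reply_b, "probe": probe, "flows": gw.table_size()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The table is keyed on both the private endpoint and the remote endpoint, so a packet arriving on an allocated public port from a different source is also dropped.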
The network connections are increasingly virtual: our information travels on segments of networks that we are unable to know, and it is protected only by the level of protection foreseen. In this sense the MPLS (Multi Protocol Label Switching) technology is especially interesting, because it allows senders to put their information into a virtual envelope and, by applying a label, the envelope travels within the network without its contents being seen by intermediate nodes. MPLS represents an important novelty in the field of networks because it allows sharing just about any physical medium.

2.2 THE NETWORK AND ITS SUBJECTS

The paradigm that normally represents a network is the ISO/OSI model. The ISO/OSI stack model consists of seven levels and is shown in figure 2.1.

[Figure 2.1 – Diagram of the ISO/OSI stack model, with the levels labelled by the subject that manages them: Users, Provider]

Each level of the stack is managed by different subjects that offer specific services. Let us go through the stack to describe the different subjects. Levels 1 and 2 (starting from the bottom) are the domain of the telephone carrier that owns the physical connection and installs the various segments, planning its investments on the basis of traffic forecasts. The carrier owns both the backbones, which connect two junction points with a high-capacity link, and the last mile, which represents the final and most costly segment, from the telephone exchange to the final users. The risks connected to this level arise from operators that are unable to offer secure and reliable services. Levels 3 to 5 are managed by the Internet Service Providers (ISPs), which provide the Internet connection by buying access to the carrier infrastructures and then retailing, so to say, the connection. The ISP also supplies a series of accessory services that allow users to concentrate only on the communication content.
Usually, among these there is the management of the email server, registration of Internet domains, web and ftp servers management, video streaming, video conference, and also security services such as the configuration of secure networks through tunnelling techniques. The risks deriving from the service providers arise from the scarce presence of specific competence in this field. They are a type of operator that recently appeared and that often does not offer the professionalism required to support the needs of the client organisations. Another risk is an excessive assignment by companies that in this way tend to free themselves from the technical competence. In fact, the network asset should always be controlled by the customers, if necessary referring to third parties that are able to monitor the providers of the services. Levels 6 and 7 normally develop with the final users. Parts can be assigned to consulting firms, system integrators or outsourcers. The risks in this field are centred on the way in which the applications are designed. Often the system integrators concentrate on the functional aspects of the applications, assigning security issues to the lower operative levels. 40 2. Network infrastructures and security issues 2.3 NETWORK SECURITY 1 Threats to security are all those events that may cause the loss of generic requisites, inter-dependent from one another, for information security (confidentiality, availability and integrity, as defined in the previous paragraph 1.5). All threats to security must be considered, not only those featuring a criminal intent. From the users’ viewpoint risks such as environmental disasters or human error that cause the crash of a network are potentially just as damaging as a criminal attack. 
The security of a network or an information system must therefore be intended as the ability to resist unforeseen events or criminal actions that may endanger the availability, integrity or confidentiality of the data contained or transmitted, as well as of the services provided and accessed by means of that network or system. The purpose of the following paragraphs is to describe the various types of threat.

2.3.1 General overview of threats to security

Interception of communications

Electronic communications may be intercepted, and the data they contain copied or modified. Interception may take different forms, from physical access to network lines (e.g. telephone interception) to radio-transmission surveillance. The points most vulnerable and sensitive to an interception of traffic are the management and concentration points of the network, such as, in the case of Internet communications, routers, gateways, switches and network servers.

(1) The paragraph contains contributions from "Communication of the Commission to the European Parliament, to the Council, to the Economic and Social Committee, and to the Regions Committee – Networks and information security: proposal for a European strategic approach", available at: www.privacy.it/com2001-298.html

Illegal or criminal interceptions must be kept separate from the interception activities allowed by law. All EU member states permit, in special cases, the interception of communications for reasons of public safety or to enforce orders of the judicial authorities. An illicit interception may represent a breach of a person's right to privacy, or could be the premise for an illegal use of the intercepted data, such as a password or credit card data, either for looting or for sabotage. The widespread perception of this kind of risk constitutes one of the main obstacles to a wider diffusion of electronic commerce in Europe.
The defences against interception may be implemented by the providers (network protection), as foreseen by directive 97/66/CE, or by the users themselves (ciphering of the data transmitted via the network). For the providers, protecting the network from possible interceptions is a complex and costly task. In the past, telecommunication network operators protected their networks by setting up physical devices to control access and by giving appropriate security directives to the personnel. Traffic was only occasionally ciphered. Nowadays, for wireless networks, providing an adequate ciphering of radio transmissions is costly. Mobile network operators cipher the communications between the mobile device and the base stations.

Users can decide whether or not to cipher data and voice signals apart from the security measures foreseen by the network. An adequate ciphering makes the data incomprehensible to anybody except the authorised receiver, even in the case of an interception. There is a wide range of ciphering software and hardware available for all kinds of communication. There are specific products aimed at ciphering telephone conversations or fax transmissions. E-mail can also be ciphered by means of dedicated software, or of ciphering modules integrated in word processors or in the e-mail client software.

The problem is that if the user ciphers an e-mail or a voice communication, the receiver must be able to decipher it. It is therefore essential that the software and hardware be inter-operable. In the same way, the receiver must possess the ciphering key, which means that the device must be able to receive and authenticate the key. The cost of ciphering, in terms of time and money, is high, and users, who do not always have the necessary information concerning risks and advantages, have problems in making the best choice.
One of the most widespread security systems on the Internet is the Secure Socket Layer (SSL) protocol, a system that ciphers communications between the web server and the users' browsers. The diffusion of this technology, and especially of its more powerful 128 bit version, has been limited by the restrictive United States regulations concerning export control. The US rules have recently been modified following a liberalisation of the control on exports of ciphering products and technologies. Statistics show that the number of protected web servers in Europe is much lower than in the USA (see figure 2.2).

Figure 2.2 – Servers equipped with protection measures (protected web servers, up to 100.000 users; source: OCSE, "Netcraft" Survey, July 2002)

Operators, users and producers must face the problem of competition and of the non inter-operable standards that exist. For example, concerning e-mail protection there are two standards that compete for market supremacy. Europe's importance in this field is rather limited. The result is a flood of non-European products that apply these standards, and whose use by European users is subordinated to US policies concerning export control. Some member states are evaluating the possibility of employing open source software. However, these activities are still in a pilot stage, with no coordination, and the will of the market may prevail over the isolated efforts of public authorities. In order to confront the problem in the best way it is necessary to conduct a global evaluation of the commercial off-the-shelf products available and of the open source solutions.

Non authorised access to computers and networks

Access to computers and networks is normally authorised only to those subjects who pass a user authentication process, which means that the declared identity is clearly recognised.
For many applications and services adequate authentication procedures are required: for example, this is the case for on-line contracts, for the control of and access to certain data or services (e.g. telework), or for the authentication of web sites (e.g. for home banking services). The authentication modes must contemplate the possibility of anonymity, because many services do not require knowledge of the identity of the user but simply a reliable confirmation of certain criteria (anonymous credentials), such as, for example, the ability to pay.

Non authorised access to a computer or a network of computers generally has criminal intentions aimed at copying, modifying or destroying data. From a technical viewpoint this is an intrusion and can take place in various ways: the use of internal confidential information, deciphering passwords by means of so-called dictionary attacks, front attacks (exploiting the users' tendency to choose predictable passwords), social engineering (exploiting the tendency people have to disclose information to apparently reliable people), or the interception of passwords. Often this type of attack is conducted from within an organisation. Unauthorised access is often motivated by an intellectual challenge rather than by the prospect of an economic gain, although a phenomenon born as a simple disturbance has highlighted the vulnerability of information networks and prompted computer pirates with criminal intentions to exploit these weaknesses.

Protection from unauthorised access to one's personal data, for example financial or health data, is a subjective right. In the public sector or for companies the risk ranges from industrial espionage to the alteration of public or company data, up to the corruption of web sites.

Installing a password and/or a firewall are the most common methods to protect oneself from unauthorised access.
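The password weaknesses listed above (dictionary words, predictable choices, trivial variations) are the ones a password policy should reject before a credential is ever stored. The following example, added for this edition and not part of the original report, shows the defender's side: a policy check against a small constructed list of predictable passwords (standing in for a real breached-password list, which is an assumption) and storage of the accepted password as a salted PBKDF2 hash, verified with a constant-time comparison. The iteration count is a choice made here, not a value from the report.

```python
import hashlib
import hmac
import os

# Constructed sample of predictable passwords; in practice this would be a
# large dictionary or breached-password list (assumption for the example).
PREDICTABLE = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware improves


def password_weaknesses(candidate: str, username: str = "") -> list:
    """Return the policy rules a candidate password violates (empty list = acceptable).

    The checks target exactly the weaknesses named in the text: dictionary
    words, predictable choices and trivially decorated dictionary words.
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if lowered in PREDICTABLE:
        problems.append("found in the dictionary of predictable passwords")
    # Strip a trailing run of digits/symbols so that "Password1!" is still caught.
    stripped = lowered.rstrip("0123456789!@#$%^&*")
    if stripped != lowered and stripped in PREDICTABLE:
        problems.append("dictionary word with a trivial suffix")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def hash_password(candidate: str) -> str:
    """Store the password as salt + PBKDF2-HMAC-SHA256, never in clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(username: str, candidate: str) -> str:
    """Reject weak passwords before storing anything; return the stored record."""
    problems = password_weaknesses(candidate, username)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(candidate)


if __name__ == "__main__":
    print(password_weaknesses("Password1!", "mario"))
    record = register("mario", "correct-horse-battery-staple")
    print(verify_password("correct-horse-battery-staple", record))
    print(verify_password("wrong", record))
```

The salted, iterated hash is what limits the damage of a dictionary attack against a stolen credential store: every guess costs the attacker the full iteration count per user, and identical passwords of two users produce different records.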
Nevertheless, both methods offer limited protection and must be integrated with other security devices, such as devices for attack recognition and application intrusion detection (for instance those using smart cards). The effectiveness of these systems depends on how well their characteristics address the risks of a given environment. It is necessary to reach a balance between network protection and the advantages related to free access. The rapid technological evolution and the consequent new threats to networks make it necessary to perform a continuous revision, independent of the security devices. Until users and providers are fully aware of the vulnerability of their networks, potential solutions will remain unexplored. The following picture shows the use of network protection products in the European Union (the reported statistics are based on a survey carried out in 2001 within the framework of the eEurope 2002 initiative).

Figure 2-3 – Use of security products within the EU (% of EU Internet users; categories: anti-virus software, smart-card or other reader, encrypting software, firewall software, e-signature software; source: Eurobarometro, February 2001)

Network failure

Most networks are by now computerised or computer controlled. In the past, network failures were often due to a malfunction of the control information system, and attacks were often directed at these computers. By contrast, the attacks causing the most serious interruptions today exploit the weaknesses and vulnerabilities of the network components (operating systems, routers, switches, name servers, etc.). Similar aggressions carried out through the telephone network did not result in significant problems in the past, but they are rather frequent on the Internet. This is because telephone control signals are separated from the traffic and may be protected.
On the Internet, on the contrary, users may directly contact the main computers that manage the traffic. In the future, however, telephone networks could become more vulnerable to these attacks, because they will contain Internet-integrated elements and their control planes will be exposed to other providers. Such attacks may take different forms:

• Attacks on domain name servers: Internet operation is based on a domain name system (Domain Name System – DNS) through which network addresses meaningful to the user (i.e. europa.eu.int) are translated into abstract names (i.e. IP: 147.67.36.16) and vice versa. If part of the DNS does not work, some web sites cannot be located and the e-mail delivery system may stop working. The corruption of the root servers of the DNS system, or of other first level name servers, could paralyse the network. Early in 2004 some failures were identified in the software used by most domain name servers.

• Attacks on routers: Internet routing is extremely decentralised, and each router regularly communicates to the neighbouring routers which networks it knows and how to reach them. The vulnerability lies in the fact that this information cannot be verified because, for design reasons, each router has only a minimum knowledge of the network topology. Thus a router may declare itself as the best way to a given destination, so as to intercept, block or modify the traffic to that destination.

• Denial-of-Service attacks (DoS): these attacks paralyse the network by overloading it with artificial messages that reduce or prevent users' legitimate access. These phenomena are similar to the blocking of facsimile devices caused by long and repeated messages. Flooding in particular consists in trying to overload web servers, or the processing capacity of Internet service providers, with automatically produced messages.

• Interruptions have damaged a number of prestigious web sites.
According to some estimates, the damages from the most recent attacks amount to several hundred million euros, not counting the intangible image-related damage. Companies make more and more use of web sites to promote their own activities, and those depending on the Internet for just-in-time deliveries are particularly vulnerable to this kind of attack.

• To defend against attacks on DNS servers one must extend the DNS protocols, for instance by using DNS extensions protected with public key encryption. But this solution requires the installation of new software on client devices, and it has not been widely adopted. Moreover, the effectiveness of the administrative procedures needed to extend trust among DNS domains must still be improved.

• Attacks on the routing system are, on the contrary, much harder to counter. The Internet was conceived in the name of flexible routing, to reduce the possibility of a service interruption should part of the network infrastructure fail. There are no efficient means to protect the routing protocols, especially those of the backbone.

• The volume of the transmitted data hinders accurate traffic filtering, because such a check would result in a network block. For the same reason, the network performs only rather unsophisticated filtering and access control functions. More specific security functions (authentication, integrity and encryption) are implemented at the ends of the network, that is on the terminals and servers working as endpoints. Thus this is where one has to defend against Denial of Service-like attacks.

Execution of malicious software that modifies or destroys data

Computers work with software applications, but such applications may also be used to disable a computer, or to erase or modify the data it contains. As previously said, if the computer belongs to the network management system, an abnormal operation may reflect on many other components of the network itself.

A virus is a kind of malicious software that reproduces its own code by attaching itself to other software, so that the viral code is executed each time the infected software is launched. Nevertheless, malicious software may assume other forms: some damage only the computer on which they are copied, while others propagate to other network computers. There is software (dangerously called logic bombs) that remains dormant until it is triggered by a given event, i.e. a date (very often Friday the 13th). Other software is apparently benign but, once active, starts a destructive attack (this is why it is called a Trojan horse, or Trojan). Others, the so-called worms, do not infect other software but self-duplicate in copies that reproduce again, and end up saturating the system. Viruses may be extremely destructive, as demonstrated by the very serious damage caused by the recent I love you, Melissa and Kournikova viruses. The following picture shows the increase in computer viruses registered by Internet users between October 2000 and February 2001 for each EU member state: almost 11% of European Internet users have suffered a virus infection on their home PC.

The best defence is anti-virus software, available in various forms. Software working as a virus scanner and cleaner may identify and destroy all known viruses. Its main weakness is that it does not easily identify new viruses, even if it is regularly updated. Integrity checker software constitutes another countermeasure: to infect a computer the virus must modify one element of the system, and the integrity check allows identifying any structural change, even if it has been caused by an unknown virus.
Although antivirus products are highly advanced, the problems related to malicious software increase for two major reasons: first of all, the open structure of the Internet allows hackers to inform each other and design strategies to bypass security barriers. Secondly, the Internet expands and reaches new users, many of whom are not aware of the need to protect themselves. The security level depends on the effective and generalised use of anti-virus software.

Figure 2-4 – Virus occurrences in the EU between October 2000 and February 2001 (% of Internet users victims of a virus; source: Eurobarometro, Oct. 2000 – Feb. 2001)

Identity usurpation

When a link to the network is established or data are received, the user infers the interlocutor's identity from the context of the communication. The network presents a number of indicators to assess this, but the main risk of attack comes from the initiated, that is those who are familiar with the communication context. By typing a number or an e-mail address on the computer keyboard, the user must reach that given destination. If this is enough for many applications, it is not so for important commercial transactions or for medical, financial or official communications, which require a higher level of authentication, integrity and confidentiality. Identity usurpation of persons or organisations may cause different accidents. Customers could download malicious software from a web site that claims to be a reliable source, and could also reveal confidential information to the wrong person. Identity usurpation may result in a void contract, etc. As a major damage, failed authentication hinders new economic initiatives. Many studies affirm that the main reason preventing companies from operating on the Internet is precisely the fear about security.
Were the identity of the interlocutor certain, the level of confidence in Internet economic operations would increase. The introduction of an authentication subject to the adoption of the SSL system is a significant step forward in the matter of confidential network data. Virtual Private Networks (VPN) use the SSL system and the IPSec protocol to transmit on non-protected Internet networks and to open links with a pre-defined protection level. Nevertheless these solutions have a limited usage, since they rely on electronic certificates that do not fully guarantee that they have not been modified. It is a third party, often called Certification Authority, or, in the EU directive on e-signature (see Att. 1-B), Certification Service Provider, that grants such guarantees. The problem of the diffusion of this solution is similar to that of encryption: the need for key interoperability and a key management system.

VPN networks do not have this problem, for which it is possible to develop some proprietary solutions, while for public networks it remains a major obstacle. The e-signature directive sets rules aimed at facilitating e-signature recognition within the EU. It offers a framework enabling the market to grow, but it also envisages incentives, for companies with safer signatures, towards legal recognition. The directive is currently being transposed in the Member States, and Italy is in the front row.

Environmental accidents and unexpected events

Many security accidents result from unexpected and involuntary events such as:
• Natural catastrophes (hurricanes, floods, fires, earthquakes)
• Third parties alien to any contract with the operator or the user (i.e. interruption for construction works)
• Third parties having a contract with the operator or the user (i.e. failures of hardware, software components or delivered programs)
• Human error of the operator (including the service provider) or of the user (i.e. problems in the network management, wrong software installation)

Natural catastrophes may interrupt network availability. Unfortunately, during these events the operation of all communication lines is absolutely indispensable. Hardware failures or an incorrect software design may cause vulnerabilities followed by an immediate interruption of the network, or may be exploited by computer pirates. Even an inaccurate management of the network capacity may result in congested traffic and slow down or paralyse communication links. In such a context the sharing of responsibility among the interested parties is of crucial importance. In most cases users will not bear liability for the situation, but their chances of claiming compensation will be very scarce, if not null.

Telecommunication network operators are well aware of the risks of environmental accidents, and have long built redundant networks and security devices for their infrastructures. A stronger competitive pressure could have ambivalent consequences on operators' behaviour. On one side, prices could push operators to reduce such redundancies; on the other side, the greater number of operators on the market due to liberalisation makes it possible for users to move to another operator if the network in use is no longer available. Relevant provisions of Community law require Member States to take all necessary measures to assure available public networks in case of a catastrophic failure or of a natural catastrophe (ref. interconnection directive 97/33/CE and voice telephony directive 98/10/CE, Telecommunication Code). The growing number of interconnected networks makes it hard to be aware of the security level of this sector. Competition should push hardware and software producers to improve the security level of their products.
But competitive pressure does not allow for security-related investments, especially because security is not always the key element in deciding to buy. Security-related failures appear too late, once the damage has already occurred. With fair competitive behaviour on the information technology market there will be better conditions for the development of security. Human and technical error risks could be reduced through training and awareness-raising actions. Carrying out a proper security policy in each single company could contribute to limiting the risks.

The new challenges

Network and information security is bound to become a determining factor of the development of the information society, since networks play an ever more important role in economic and social life. In this context two main factors should be taken into consideration: the increase of the potential damage and the new emerging technologies.

Networks and information systems contain more and more often sensitive data and precious commercial information, making attacks by computer pirates more attractive. Attacks may occur at a low level with minor consequences at national level (corruption of a personal web site, or a hard disk re-formatted by a virus). But the interruption may occur on a much wider scale and interfere with very sensitive communications, cause severe power interruptions and cause serious damage to companies through denial of service-like attacks or breaches of confidence. It is difficult to assess the real or potential damages of a network security violation. There is no systematic reporting system on the matter, also because many companies prefer not to disclose that they have been the victim of computer attacks, to avoid image-related damage.
The evidence collected to date is essentially anecdotal, and the costs include not only direct costs (profit loss, loss of useful information, and restoration of the network) but also intangible costs, in particular in terms of image, which are difficult to assess. Network and information security is an evolving problem. Rapid technological changes continuously present new challenges: yesterday's problems are solved, but today's solutions are already overcome. The market produces new applications, new services and new products every day. Nevertheless there are some developments that will certainly represent important challenges for the security managers of the public and private sector.

• Digital works will be transmitted on the network (multimedia works, downloadable software, mobile agents) with integrated security characteristics. The notion of availability, considered today as the possibility of using the network, will come closer to that of authorised use, just like the right to use a videogame for a given period of time, the right to create a single copy of a software, etc.
• In the future, IP network operators will try to improve the security level by means of a systematic supervision of communications that will allow only authorised traffic. These measures should in any case be compatible with the relevant provisions concerning personal data protection.
• Users will choose permanent connections to the Internet, and this will multiply the possible attacks and the vulnerability of non-protected terminals, allowing computer pirates to hide them from the identification devices.
• Domestic networks with many devices will be very common on a large scale. This will increase users' exposure to piracy and their vulnerability (i.e. alarm systems could be remotely switched off).
• Large scale diffusion of wireless networks (i.e. wireless local networks or wireless local area networks, third generation mobile services) will raise the problem of an effective encryption of radio-transmitted data. Hence, it will be ever more difficult to impose by law a low level of encryption of signals.
• Network and information systems will be everywhere, in a mixed wired and mobile configuration, and they will represent the ambient intelligence, that is a number of independent and automatically activated functions which will take decisions previously set by the users. The challenge will consist in avoiding an unacceptable vulnerability level and in integrating the security element into the system architecture.

2.4 AN EXAMPLE OF A SECURE NETWORK: THE PA UNIFIED NETWORK (2)

Since the early 90s no system in the Public Administration was targeted at a standard telecommunication system, hence there were many data networks stemming from the different needs as they arose. In 1997 this scenario was rationalised into one single network, homogeneous in terms of quality, security and costs. For the Central Administrations this network was the platform on which to develop applications. Today R.U.P.A. (Rete Unitaria della Pubblica Amministrazione, Public Administration Unified Network) connects all central public administration offices with almost 20,000 accesses. All the Regional networks active to date, for a global amount of 90 interconnected institutions between Central Public Administrations and Local Public Administrations, are connected to its backbone.

2.4.1 Technological infrastructure: network design

The RUPA architectural design was conceived, in its design and implementation phases, in respect of some principles that were thought to be the requirements for assuring adequate security standards to the network.
The RUPA design has been based on two fundamental criteria:
• Use of the guidelines drawn from previous experiences of structures with similar characteristics
• Adoption of a risk analysis model that macroscopically highlights the potentially risky areas and the appropriate countermeasures.

(2) The paragraph contains contributions from:
- "CNIPA – Sistema Pubblico di Connettività – Organizzazione della Sicurezza" (issued by gdl Organizzazione e Qualificazione – coordinator Maria Terranova – edition 1.4 of 26/11/2003)
- "CNIPA – Sistema Pubblico di Connettività – Seminario Introduttivo" (issued by gdl SPC – coordinator Francesco Pirro – edition 3.2, 07/04/2004)
- "Autorità per l'Informatica nella Pubblica Amministrazione – La sicurezza dei servizi in rete – requisiti, modelli, metodi e strumenti" – version 1.0, 24/11/2001

Figure 2-5 – RUPA general architecture (the domain networks of Administration 1 and Administration 2, connected through the inter-domain network)

The guidelines used in designing the infrastructure of the Management Centre, the main control and management body, were meant to stress the availability characteristics of the whole system, in particular:
• The redundant installation of all major components, to guarantee proper operation in case of failure
• Components have been selected on the basis of their intrinsic fault resiliency characteristics
• The internal network is based on a matrix-like structure
• For all the components, standard conformity (de jure and de facto) criteria have been adopted to assure interoperability
• The operational status of all the components used has been measured

Apart from the above mentioned characteristics, a Risk Analysis process has been used for the management part. It allowed identifying the actions able to damage the system integrity (threats), the vulnerabilities of the system to those threats, and the impact of any violation on the system.
2.4.2 Security management

It is particularly important to underline the potential of the security infrastructure implemented for monitoring the services component. The Management Centre has a very high level of control over the messages exchanged among the Administrations, and has highly performing security characteristics as regards confidentiality, cryptography and anti-intrusion aspects. The conditions of access to and use of the network (on RUPA 37 gigabytes of data circulate every day, distributed in thousands of e-mail messages, and 5 million WEB pages are visited every day by the network users) are constantly controlled by two concurrent monitoring and verification strategies:
• Monitoring and verification activities include a periodical number of tests of the vulnerability of the network and of its devices. The tests emulate known intrusion techniques and test the adopted configuration according to ad hoc defined attack schemes.
• The vulnerability test is part of the certification procedure for changes to the network infrastructure and of the process for maintaining system performance. Monitoring activities constantly control the use of the infrastructure and signal the onset of abnormal behaviours through sensors installed in various network segments (reaction to events).

The vulnerability test is performed through a set of procedures which automatically analyse the network and the segments connected to the Centre, building a catalogue of components (IP addresses) and available services (ports). Then other procedures apply to the catalogued components a number of actions belonging to a ruled set, which check the behaviour of each component after a service request. The two strategies are complementary to each other: the constant monitoring controls the network status, while the vulnerability tests assess the sensor action threshold and supply the guidelines for configuring each single sensor.

Figure 2-6 – SPC: Infrastructure, Rules and Organizational Model
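The two complementary strategies just described, a catalogue of components and services checked against a ruled set, and sensors that signal abnormal behaviour once a threshold is exceeded, can be sketched in code; the sensor side is also the endpoint defence against the flooding attacks discussed under Denial-of-Service in paragraph 2.3.1. The example below is added for this edition and is not RUPA's or CNIPA's tooling: the scan output, the approved baseline, the access log and the threshold values are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Strategy 1: the vulnerability test builds a catalogue of components -----
# Constructed discovery output, one line per reachable service: "ip port service".
SCAN_OUTPUT = """\
10.0.1.10 25 smtp
10.0.1.10 443 https
10.0.1.11 443 https
10.0.1.11 23 telnet
10.0.1.12 53 dns
"""

# Constructed approved baseline: the services the Centre expects on each host.
APPROVED = {
    "10.0.1.10": {25, 443},
    "10.0.1.11": {443},
    "10.0.1.12": {53},
    "10.0.1.13": {53},   # secondary name server that should answer but was not seen
}


def build_catalogue(scan_text: str) -> dict:
    """Parse scan lines into {ip: {ports}}; malformed lines are skipped."""
    catalogue = defaultdict(set)
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        catalogue[parts[0]].add(int(parts[1]))
    return dict(catalogue)


def check_catalogue(catalogue: dict, approved: dict) -> dict:
    """The ruled set: every exposed service must be approved and every approved
    host must answer; anything else is a finding for the operators."""
    findings = {"unexpected_service": [], "unknown_host": [], "missing_host": []}
    for ip, ports in catalogue.items():
        if ip not in approved:
            findings["unknown_host"].append(ip)
            continue
        for port in sorted(ports - approved[ip]):
            findings["unexpected_service"].append("%s:%d" % (ip, port))
    findings["missing_host"] = sorted(set(approved) - set(catalogue))
    return findings


# --- Strategy 2: a monitoring sensor with a rate threshold --------------------
# Constructed access log: "timestamp source_ip request".
ACCESS_LOG = """\
2024-05-01T10:00:00 198.51.100.7 GET /
2024-05-01T10:00:00 203.0.113.9 GET /
2024-05-01T10:00:01 198.51.100.7 GET /
2024-05-01T10:00:01 198.51.100.7 GET /
2024-05-01T10:00:02 198.51.100.7 GET /
2024-05-01T10:00:02 198.51.100.7 GET /
2024-05-01T10:00:03 203.0.113.9 GET /login
2024-05-01T10:00:20 198.51.100.7 GET /
"""


def sensor_alerts(log_text: str, threshold: int = 4, window_seconds: int = 10) -> list:
    """Alert once per source whose requests within any sliding window exceed the
    threshold. The threshold is the tunable that vulnerability tests calibrate."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    alerted = []
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        stamp, source, _request = line.split(maxsplit=2)
        now = datetime.fromisoformat(stamp)
        q = recent[source]
        q.append(now)
        while q and now - q[0] > window:   # forget requests older than the window
            q.popleft()
        if len(q) > threshold and source not in alerted:
            alerted.append(source)
    return alerted


if __name__ == "__main__":
    print(check_catalogue(build_catalogue(SCAN_OUTPUT), APPROVED))
    print(sensor_alerts(ACCESS_LOG))
```

On the constructed data the catalogue check reports the unexpected telnet service on 10.0.1.11 and the silent 10.0.1.13, while the sensor flags 198.51.100.7 after its fifth request inside ten seconds; raising the threshold silences the sensor, which is exactly the calibration trade-off the text attributes to the vulnerability tests.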
Sensor signals identify the place of the attack and direct specific tests to particular components. Such measures proved really effective and made it possible for the RUPA network, since its creation, to successfully reject virus attacks that, for other organisations, represent a considerable loss both in financial and image terms. In the year 2001 RUPA was subject to over 99 million hostile activities, of which 95 million (rejected) were addressed to Web sites hosted on RUPA; 79 million until September 2002; in 2003, up to March only, over 15 million attacks on Web sites hosted on RUPA were rejected. The Nimda attacks started on the Internet on September 14, 2001. The network recorded the first severe alarm at the end of September 18; the peak occurred on September 19 with 9 million attacks, all of them rejected. The SQL SLAMMER worm attacks, detected in January 2003, caused no impact thanks to the correct and prompt implementation of technological and architectural countermeasures. In April 2003, a blocked Denial of Service attempt against an important Central Administration (mail of over 100,000 packets per minute) was recorded.

2.4.3 Network evolutions

The Unified Network, as it is structured and used today, will soon evolve and be included within the new PA infrastructure: the SPC – Sistema Pubblico di Connettività (Public Connectivity System), created by Legislative Decree n. 42 of February 28, 2005. The SPC system stems from the need to enable the many stakeholders acting in a competitive market, such as that of telematic service supply, to contribute to technological innovation by implementing a trust-based system with common interconnection rules, allowing all PAs to be interconnected with each other with the appropriate quality and security standards, and assuring an integrated and homogeneous development of telematic services in line with the technological evolution.
The SPC architecture is based on a multi-supplier network model in which each operator qualified as an SPC service provider serves a given number of Administrations as customers. The quality and security of each supplier are guaranteed through a qualification process based on pre-established and agreed rules.

The main targets of the SPC implementation are the following:

• To provide interconnection services whose fundamental principles in terms of homogeneity, security and quality are clearly defined and which, thanks to these characteristics, are widely configurable and adaptable to the characteristics and specific needs of each interconnected Institution.
• To guarantee extended interconnection and allow all Internet subjects to interact with Institutions and Public Administrations.
• To provide, while safeguarding the investments made so far, a shared and homogeneous connection infrastructure among all PA networks.
• To provide the interested Administrations with services and infrastructures that also allow interconnection within the Domain of the same Administration.
• To implement a multi-provider service model in line and consistent with current market scenarios.
• To guarantee, also through the qualification of service provider operators, a quality system in terms of both performance and availability, and to implement a data collection and analysis system for constant monitoring of the Quality of Service provided.
• To guarantee security measures able to ensure service continuity and availability among the Administrations and towards citizens, so as to minimise possible malfunctions.

This last target (guarantee of security and of quality of service) is the key element characterising the SPC.
The need to implement a system in which communication among the different Administrations takes place with quality and security characteristics assured end to end, in a multi-provider context, implies an interconnection and control infrastructure and the definition of proper rules that all the players involved must observe. Indeed, given the peculiarities of a distributed network architecture within which organisations and structures that differ in service typology and organisational processes operate, governance bodies at central and local level are required, able to orient, harmonise and coordinate the operating structures so that they implement and operate as one single virtual organisation.

The SPC Security System organisation, which takes its inspiration from International Organization for Standardization (ISO) models, will be articulated on several levels and will distinguish responsibilities and fields of action in two main areas:

• a governance area that identifies policies and directives;
• an operational area that implements and controls the measures and procedures aimed at assuring communication quality and security.

These areas will include the following bodies.

The Coordination Structure has the main responsibility for system security. It is a federal body chaired by the CNIPA chairman, made up of thirteen members, six of whom represent Central Administrations and six local Administrations. It defines, according to the requirements of service users and providers, the security policies and issues the relevant directives and recommendations to safeguard both the security of the interconnection system and that of the other connected networks. The Coordination Structure also runs the service provider qualification procedures.

Figure 2-7 CG-I and service categories (the figure shows the qualified providers service list, local, regional and national ISPs, the Security Management Structure, the Quality Management Structure, and citizens and enterprises). The CG-I connects all the Central Administrations and gives them Internet access through a high-speed, secure link.

The Strategic Committee is a common structure dealing with the overall strategic orientation of security, and it distributes the related funds. The Committee is made up of security and telecommunications experts and of representatives of the Ministry for Innovation and Technologies and of users.

The Security Management Centre is in charge of implementing and applying the directives and recommendations issued by the Coordination Structure for the safeguard of security. It also identifies the guidelines for drawing up the security plan of all SPC subjects.

The Security Local Unit is a local structure, one for each network connected to the system, that manages that network's security aspects. All Security Local Units must be connected with the service providers and with the CERT, to allow the most efficient secure exchange of information when reacting to attacks and/or abnormal events.

The CERT SPC plays a fundamental role in preventing and reacting to security incidents. It makes available to all the other structures warnings, guidelines, checklists and whatever else may prove useful for the correct management and operation of the system.

Within the SPC, digital certificates are widely used for different purposes. The PKI Technical Operator is a Certification Authority in charge of issuing certificates, of managing the repositories in which they are stored, and of whatever is necessary to guarantee the availability and accessibility of the information used to authenticate users and systems.
3 - The relevant legislation

3.1 THE REFERENCE GENERAL LEGAL FRAMEWORK

3.1.1 Generalities

The legislative framework of the ICT system is at once simple and complicated. In fact, the legislative instruments issued by the Italian State for companies and private users are quite few, while those concerning the public sector, together with additional elements such as the European directives, documents issued by prestigious international organisations (e.g. OECD) and, especially, the documents and circular letters issued by the Ministry for Innovation and Technologies, by AIPA and by CNIPA (which replaced AIPA), are rather numerous. Generally speaking, we may observe that while in the public sector the laws aimed at promoting the use of networks and at regulating their security have, particularly in recent years, been quite numerous and, together with technological progress, have been able to promote awareness of security and of its solutions, in the private sector there is still a long way to go. What has been done in the public sector could, however, serve as a stimulus and a guide to companies and, with due proportion, to private users.

In this document the illustration of the legislative framework is divided into two parts. The first highlights the so-called legal value of each document, distinguishing between documents of non-governmental (though reputable) organisations, EU recommendations, State laws, and documents that are meaningful because of their authoritative sources (AIPA, CNIPA, etc.). The second part identifies the addressees of the different documents and rules, distinguishing between Public Administration, private companies and individual citizens.
In the following paragraphs we try to extract from the different legislative sources what could be useful to define a mandatory profile of protection measures for the different subjects acting in the national network scenario. In this context it must be observed that, even with a legislative framework that in the last decade has registered a remarkable increase in the number and consistency of the prescribed countermeasures, at both the organisational and the technical level, subjects should not limit themselves to these prescriptions: they should be considered a compulsory baseline, to be integrated according to an appropriate risk analysis process. The list of sources is reported in Appendix 1 and, for the sake of completeness, includes the field of electronic and digital signatures, which, owing to its peculiar functional purpose, is not to be considered a real structural element of network protection. Given the informative and practical character of the document, rules that have been absorbed into more recent measures (as in the case of the rules preceding Legislative Decree n. 196 of 30 June 2003, the Code of personal data protection, which incorporated them) are not reported.

3.1.2 OECD and United Nations documents

The documents issued by the Organisation for Economic Co-operation and Development (OECD in English, OCDE in French) are a reference source of the highest value, given their standing with the EU legislative bodies. The Recommendation of the Council of 25 July 2002 is important for the purposes of this document. The document, summarised hereunder, is titled "OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security". Under the common denominator of promoting a security culture, the following nine principles are listed:

1. Awareness – The interested parties shall be aware of the need to protect the security of systems and information networks and of the actions they may undertake to strengthen security.
2. Responsibility – The interested parties are responsible for the security of systems and information networks.
3. Response – The interested parties shall act in a timely and cooperative manner to prevent, detect and respond to security incidents.
4. Ethics – The interested parties shall respect the legitimate interests of other parties.
5. Democracy – The security of systems and information networks shall be compatible with the fundamental values of a democratic society.
6. Risk assessment – The interested parties shall carry out risk assessments.
7. Security design and implementation – The interested parties shall integrate security as an essential element of systems and information networks.
8. Security management – The interested parties shall adopt a comprehensive approach to the management of security.
9. Security reassessment – The interested parties shall review and reassess the security of systems and information networks and introduce appropriate changes in their security-related policies, practices, measures and procedures.

It is also worth observing that (we are in 2002) the subtitle of the document reads "Towards a culture of security"!

Along the same lines as the OECD document is UN Resolution A/RES/58/199 of 23 December 2003, titled "Creation of a global culture of cybersecurity and the protection of critical information infrastructures". The resolution invites States to consider 11 security principles, widely based on those adopted at the March 2003 G8 meeting. Table 3-1 shows the principles of the UN resolution with references to those proposed in the OECD document summarised above.
As may be seen, compared with the OECD document, which is widely oriented to society, operators and users (principles 2, 4, 5), the UN resolution is more specifically targeted at governments and security forces (principles 6, 7, 9).

3.1.3 EU Directives and other documents

In recent years the Italian Government has promptly implemented the EU directives on network and information security. Worthy of note is the Council Resolution (Transport/Telecommunications) of 11 December 2001 "Resolution on network and information security". With this document Member States are asked, by the end of 2002, to:

• promote a security culture through educational campaigns to be carried out in administrations, private companies, ISPs, etc.;
• promote security best practices based on international standards, especially in small and medium-sized enterprises;
• promote security within ICT courses;
• enhance the computer emergency response teams;
• promote knowledge and adoption of the Common Criteria security standard (CC), transposed into ISO 15408;
• promote the study and adoption of biometric devices;
• promote information exchange and cooperation among Member States.

Table 3-1 – A comparison between the OECD document and the UN Resolution (principles of UN Resolution 58/199 grouped by topic, each with the OECD principle it refers to)

Warnings and reaction to incidents
  UN 1. Having network facilities to issue warnings about information vulnerabilities, threats and incidents.
  UN 5. Establishing and maintaining communication networks for crisis situations, testing them periodically to ensure their efficiency in times of emergency.
  OECD reference: 3. Response

Awareness-raising and training
  UN 2. Raising awareness so that all interested parties can more easily appreciate the extent and nature of their critical information infrastructures and the role that each party has in their protection.
  UN 8. Organising training initiatives and drills to increase responsiveness and to test continuity and crisis plans in case of attacks against information infrastructures, encouraging peers to carry out similar activities.
  OECD reference: 1. Awareness

Risk analysis
  UN 3. Examining infrastructures to identify their interdependencies in order to improve their protection.
  OECD reference: 6. Risk assessment; 8. Security management; 9. Security reassessment

Security technology
  UN 11. Promoting national and international research and development and favouring the introduction of security technologies that are consistent with international standards.
  OECD reference: 7. Security design and implementation

Information sharing and international cooperation
  UN 10. Embarking upon appropriate international cooperation initiatives to enhance critical information system security, also through the development and coordination of warning and alert systems, the sharing and dissemination of information regarding vulnerabilities, threats and incidents, and the coordination of investigations on attacks against information systems, in accordance with local legislation.
  UN 4. Promoting cooperation between private and public partners to share and analyse information on critical infrastructures in order to prevent, investigate and react to attacks against infrastructures and possible damage.
  OECD reference: 3. Response

Legal and criminal investigation issues
  UN 9. Having adequate laws, from both the formal and the substantive viewpoint, and adequately trained staff to allow States to investigate and prosecute attacks against critical information systems and to coordinate such activities with other States when necessary.
  UN 6. Making sure that laws regarding data availability take into account the need to protect critical information systems.
  UN 7. Facilitating the tracing of attacks against critical information systems and, whenever appropriate, communicating information on such tracing activities to other States.
  OECD reference: 2. Responsibility

Social and political considerations
  OECD reference: 4. Ethics; 5. Democracy

Also noteworthy is the Communication of June 2001 from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, titled "Network and Information Security: Proposal for a European Policy Approach". This document examines the different threats and attacks that may concern networks (those known at the time; today others should be added) as well as the related remedies. It is a useful security planning document, and it was taken into consideration in drawing up the following paragraphs of this section.

On 12 July 2002 "Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector" was issued. This rule, which fully replaces the previous Directive 97/66/EC, reflects the need to update regulation in light of the technological evolution of the last five years and, consequently, of the greater risks of privacy violation borne by users. The rule also introduces the terms "electronic communication network" and "electronic communication service", as a consequence of the convergence of voice and data services. The directive was transposed and became compulsory in Italy with "Legislative Decree n. 196 of 30 June 2003 – Code of personal data protection", discussed in the following paragraph on Italian laws.

3.1.4 Italian Laws and related rules

Let us now consider the national legislative sources. The first act showing the attention of the Italian legislator to the ICT field is Law n. 547 of 23 December 1993, "Amendments and additions to the provisions of the criminal code and the code of criminal procedure on computer crime".
This law introduced the notion of computer crime, which was not previously foreseen in Italian law. It also introduced the principle under which the crime of unauthorised intrusion into a system is considered to have been committed only if the violated system was protected by security measures. Incidentally, the law also introduced, for the first time, the notion of computer document.

In 1996 the first regulation on privacy came into being: Law n. 675/96, "Protection of persons and other subjects with respect to personal data processing". This law introduced for the first time compulsory protection measures for systems and networks involved in personal data processing. The actual specification of this minimum baseline of protection was issued with an ad hoc regulation on 27 July 1999. Both laws have been fully incorporated, enhanced and reworked in the recent Legislative Decree n. 196 of 30 June 2003, commented on later in this document.

Law n. 59 of 15 March 1997 established the Public Administration Unified Network. This result represents an example of excellence for Italian networks as a whole and specifically for security.

In 2001 Legislative Decree n. 231/2001 was issued, "Regulation of the administrative liability of legal persons, companies and associations without legal personality, pursuant to article 11 of Law n. 300 of 29 September 2000"; it is mentioned here for the references it makes to Law 547/93, discussed at the beginning of the paragraph. The decree applies to all legal persons, companies and associations without legal personality, with the exclusion of the State, territorial public bodies, non-economic public bodies and bodies with constitutional functions. The decree introduces into the Italian legal system the notion of corporate liability when natural persons commit a crime in the interest or to the advantage of the company.

As far as this document is concerned, article 24 of the decree explicitly recalls such liability in the case of computer fraud damaging the State or a public body. As to compliance, the decree does not define technical specifications but rather identifies general principles: corporate liability for crimes perpetrated by employees is excluded if, before the crime was committed, the company had adopted an organisational, operational and control model able to prevent crimes of the kind that occurred. The result is an obligation for the company to equip itself with a control system able to prevent computer fraud being perpetrated through its own systems and networks.

Under the pressure of an ever-growing requirement for security certification of information systems, on 11 April 2002 the DPCM "National scheme for the evaluation and certification of the security of information technology, for the protection of classified information concerning internal and external State security" was issued; it updated and enhanced the legislative framework on the certification of information processing security in the context of State secrets. The extension to private subjects would follow, as is known, the next year. In fact, with the DPCM of 30 October 2003 (G.U. n. 98 of 27 April 2004), prepared by the Minister for Innovation and Technologies together with the Ministers for Communications, for Productive Activities, for the Economy and for Finance, the National Scheme for the evaluation and certification of the security of systems and products in the information technology sector was set up.
The National Scheme defines the national procedures and rules necessary for the evaluation and certification of ICT systems and products, in compliance with the European ITSEC criteria and the related ITSEM application methodology and with the international standard ISO/IEC 15408 (Common Criteria). Within the framework of the National Scheme, the Body for the Certification of Information Security (OCSI, Organismo per la Certificazione della Sicurezza Informatica) was created, mainly in charge of operating the National Scheme. The Higher Institute of Communications and Information Technologies (ISCOM, Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione) of the Ministry of Communications is the Body in charge of OCSI in the field of information technology. OCSI has been fully operational since 17 February 2005, the date of the Decree of the Minister for Innovation and Technologies and of the Minister of Communications bearing the "provisional guidelines for the application of the national scheme for security evaluation and certification in the field of information technology".

From a different but complementary viewpoint, that of contents rather than of infrastructures, on 9 April 2003 Legislative Decree n. 68 was issued, "Implementation of Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society". The new decree also extends sanctions to illegal acts not previously covered, such as the circumvention of technological measures for the protection of data and their online distribution (art. 23).
On 29 July 2003 the Official Journal (Gazzetta Ufficiale) published the only source in the legislative scenario presented in this work that prescribes concrete organisational, logical and physical security measures for the protection of networks and systems in the private sector: Legislative Decree n. 196 of 30 June 2003, "Code in the matter of personal data protection", which incorporates, integrates and widens all previous Italian legislation on the matter and implements the European directives issued. Although this rule refers to personal data and specifically to situations involving personal data, it is the only source that obliges institutions and private companies to implement a consistent protection profile, leaving aside what major companies have implemented on their own initiative. The Decree strongly targets networks and integrates, in the two notions of electronic communication network and electronic communication service, both voice and data, in a perspective of technological neutrality that makes it possible to apply its measures to analogue, digital and wireless technologies. It incorporates and implements European Directive 2002/58/EC (the "privacy in electronic communications" directive), which belongs to the fundamental group of five directives (the 2000 package), mentioned in Appendix 1, regulating the different aspects of networks and electronic communication services. The implementation of the rule offers small and medium-sized companies in particular a new opportunity to face ICT protection issues thoroughly, since, except in some particular situations, it is quite impractical to operate separate protection profiles for personal and non-personal data (protection is designed and realised more easily if it targets the entire ICT infrastructure).

The Law provides for the following security functions (art. 34):

• user authentication;
• adoption of procedures for managing authentication credentials;
• use of an authorisation system;
• periodic update of the identification of the scope of processing allowed to the individuals in charge of the operation or maintenance of the electronic tools;
• protection of electronic tools and data against unlawful processing, unauthorised access and certain software programs;
• adoption of procedures for the custody of backup copies and the restoration of data and system availability;
• keeping an up-to-date programmatic security document;
• adoption of encryption techniques or identification codes for the processing of certain data suited to reveal the state of health or sex life, when carried out by health institutions.

The adoption of the above-mentioned security measures concerns personal data in general and, in some cases, only particular types of data or situations (sensitive data, judicial data). In other cases the strength of the adopted mechanism depends on the importance of the processed information. Apart from the above, the rule specifically lays down several provisions referred to as organisational security measures, specific to the electronic communications sector and distributed over various articles, notably under Chapter X, Part II.

With the aim of extending to the private sector the possibility of issuing security certifications of products and systems from an ITSEC and Common Criteria perspective, on 30 October 2003 the DPCM "Definition of a National Scheme for the evaluation and certification of the security of products and systems in the ICT sector" was issued. This rule confers on the Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione the management of the ITSEC and Common Criteria certification scheme for the private sector.
In this way, as soon as the Institute completes the procedures for obtaining mutual recognition with the countries that implemented the above-mentioned schemes long ago, the gap that forces Italian manufacturers to go abroad to obtain such certifications will be filled.

3.1.5 Ministerial documents, AIPA, CNIPA

The following documents constitute authoritative sources of prescription (as in the case of the DPCM below) and of legislative and operational orientation.

On 16 January 2002 the Presidency of the Council of Ministers, Department for Innovation and Technologies, issued the important Directive "Information and Telecommunications Security in State Public Administrations". The directive covers two aspects: a census of the security infrastructure existing within Public Administrations (carried out by means of an attached questionnaire) and the prescription for PAs to conform to a minimum protection profile, remarkably articulate and detailed, set out in an attached document. The directive also announced the creation, as a joint initiative with the Ministry of Communications, of a National Technical Committee on Information and Telecommunications Security within Public Administrations, set up in the following months.

In March 2004 the Committee, in line with its mission, produced a document titled "Proposals in the matter of information and telecommunications security for public administration". After an initial historical framing of the information security laws in force for Public Administrations, Part I of the document proposes a model for a governance system of ICT security within PAs, based on the creation of a National Centre for Information Security (CNSI) for prevention, detection, response and orientation.
It is suggested that a CSIRT (Computer Security Incident Response Team) be created, which is being set up today at CNIPA, and the importance of risk analysis, of training specialised staff and users, and of instituting security certification activities is underlined. Part II examines, in more operational terms, the risk analysis aspect and defines the conformity criteria of a methodology to be standardised across Public Administrations, and concludes by examining Business Continuity and Disaster Recovery processes.

In May 2004 CNIPA published the document "Guidelines for the use of digital signature", with the aim of supporting users and companies in the use of the digital signature. The document is very interesting and really useful to the user (citizen, company and PA): it clarifies the situation (strong and weak signature) and explains how to obtain and operate a digital signature kit.

3.2 INDIVIDUALS AND RULE COMPLIANCE

3.2.1 Generalities

The wide production of legislative and orientation documents on network protection, whose list we have tried to reproduce briefly but thoroughly in the first part of this chapter, fully covers the public sector, while leaving room for reflection and improvement for private users, who could take advantage of the experience acquired by the Public Administration in this matter. In fact, the obligations whose non-observance is sanctioned are substantially those of Legislative Decree 196/2003 (art. 33-36), which in any case targets a specific type of information rather than an infrastructural vision. Law 547/93, for its part, introduced computer crime without envisaging compulsory preventive measures, requiring only those necessary to justify the hypothesis of a crime and the effectively criminal nature of intrusive actions.

3.2.2 Major liabilities for individuals: rights, duties and accomplishments

Electronic communication network operators

Both the Privacy Code (Legislative Decree 196/2003) and the Electronic Communications Code (Legislative Decree 259/2003) give a common definition of electronic communication network: "transmission systems and, where applicable, switching or routing devices and other resources that make it possible to transmit signals by cable, by radio, by optical fibre or by other electromagnetic means, including satellite networks, terrestrial fixed and mobile networks, circuit-switched and packet-switched networks, including the Internet, networks used for broadcasting sound and television programmes, electric power transmission systems insofar as they are used to transmit signals, and cable television networks, irrespective of the kind of information conveyed."

Those operating these networks, who cannot easily be distinguished from electronic communication service operators, in addition to the provisions of articles 33-36 of the Privacy Code, must comply with the following measures provided for by articles 121-133 of the same rule:

(a) prohibition of access to information stored in users' and subscribers' terminals;
(b) drastic time limits for storing transmitted messages in their own memory;
(c) time limits for storing traffic data for billing or judicial purposes;
(d) transparency and clarity obligations towards subscribers as to traffic data;
(e) availability and flexibility of the calling line identification service;
(f) limitations and guarantees on the use of users' location data;
(g) availability of a block on the call forwarding service;
(h) guarantees and limitations on the inclusion of names in provider directories;
(i) limitation of spamming by users (no control is envisaged for the electronic communication network operator);
(j) encouragement to draw up codes of ethics and good conduct.

It is interesting to observe that, among the above points, sanctions are contemplated only for points (a) (by Law 547/1993), (b), (f), (h) and (i). Once again, we may notice that the rule tends to force individuals to keep to given specific behaviours rather than to propose infrastructural security measures independent of the type of data processed and transmitted.

Electronic communication service providers

The Privacy Code, in its art. 4, defines electronic communication as follows: "any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service", with the exception of broadcasting services. As may be understood, the category of operators of these services can hardly be distinguished from the previous one, considering the strong functional and operational integration of networks and services. It is reasonable to think that all the obligations described in the previous paragraph may also be referred to this category.

Company users

Companies are obliged to implement minimum security measures by virtue of articles 33-36 of the Privacy Code, hence exclusively in relation to holding and processing data covered by the rule. On the other hand, Law 547/1993 does not impose obligations but simply envisages the need for appropriate security measures in order to identify and prosecute the crime of unauthorised intrusion. In this case too we may affirm that the structural approach is absent, at least as far as its mandatory character is concerned. In practice, at least the major companies and organisations in the Italian landscape have put in place infrastructural security measures of some importance.
Nevertheless, in recent years resounding cases indicating security-related failures have occurred. The most important weakness we may identify is not related to the purchase of protection hardware and software components, but rather to the human resources dedicated to the operation and optimisation of such components (organisational structure). The awareness that most of the effectiveness of installed hardware and software protection measures depends on correct daily organisational operation by suitably professionalised personnel is not yet rooted in budgets and among company leaders.

Private users

The danger to society represented by the lack of security know-how of private users seems underestimated. The private users’ universe, now massively connected to the net, very often in an always-on fashion since the rapid spreading of high-speed connections, is not even included in the scope of application of the privacy rule, which, as we have seen, is the only one that imposes some obligations, even if within a peculiar data typology. Private users’ liability in the (usually unaware) spreading of worms is the most relevant aspect to consider; nevertheless it is not the only one. Most personal computers contain, apart from the owner’s information, also correspondents’ data and the like. Moreover, an unprotected personal computer on the net constitutes an easy springboard for attacks on third parties.

3.2.3 The relationship with the judiciary and inquiring authority

The relationship with the judiciary authority

For its own investigation needs, the Judicial Authority is assisted by network and service operators. Their effective collaboration is normally fruitful for the purposes of Justice; it is provided for by law, and the companies are compensated for such activity.
With this aim, companies set up a quite complex technical and organisational apparatus, which shows that with the proper motivations even companies become sensitive to organisational security requirements.

The relationship with the investigation authority

Very often company leaders who have suffered a computer crime show a sceptical attitude towards the real possibility of Police action in highly technological crimes. In addition, companies are generally not very willing to report computer crimes committed against them, in order to avoid possible consequent image damage. Italian structures have become significantly effective and reliable, showing a great commitment to technical and professional updating, implemented even by using know-how external to the institution. Investigation actions are now performed in slightly intrusive modes and generally cause no slowing of the normal operational and productive activities of the company. Certainly such investigative qualities may be highlighted and exploited by citizens only when these special corps get involved through a complaint or simply by being asked for advice to try to prevent possible crimes. The Postal and Communication Police provides the following behavioural indications for those individuals who notice real or suspected abuses:

• For each suspected abuse immediately call[1] a specialised police corps. It is necessary to facilitate the action of the information investigators called by the company, by helping them to perform the internal preliminary investigation aimed at assessing the real perpetration of the crime.
• Do not undertake any initiative before the arrival of the investigators, to reduce to the minimum the incidental elimination/contamination of evidence.
• Set up an investigation support team made up of highly trusted persons. Investigators must be helped to identify the elements of the concerned crime in order to identify the applicable criminal case.
• Reduce to the minimum the risk of further losses, but at the same time try to acquire useful elements to find out the offender. These two activities are often logically antagonistic, since the best way to interrupt an attack is to switch off the system and proceed to reload clean copies of the system and application programs. But in most cases this operation reduces the possibility of identifying the intruder.
• Keep the investigation highly confidential. Company structures should cooperate with the investigation bodies, but information on the ongoing investigation should be transmitted to the minimum number of persons to limit information leakage within and outside the organisation. Thus information should be given only to those persons who need to know it.
• All communications (those indispensable) connected with the ongoing investigation should be made outside information systems (e-mail, Internet etc.) to avoid any interception by the insider or the intruder.
• In case of suspicion of possible insider authors, neither the investigator nor the company employees should confront or talk with these suspects, so as not to give them the opportunity to destroy the evidence.

[1] To consult the list of the territorial sections of the Communication Police, look under the same name on the web site www.poliziadistato.it

3.3 CASES OF RULES VIOLATION

3.3.1 Information crimes

Over the years the notion of computer crime has acquired a very, or even too, wide meaning: today by computer crime we mean all kinds of crime perpetrated with the help of ICT means and hence of networks. Certainly with such a wide meaning of the crime it is difficult to identify solutions and draw up rules.
If the definition of information crime seems legitimate in the case of unauthorised intrusion into others’ systems, the same definition is less acceptable for a commercial fraud or a paedophilia crime perpetrated with the help of the network. It would be like classifying a theft perpetrated with the help of a car as a crime under road traffic law. It is worth saying that this so-called wide meaning of the word coincides not with a structural vision of the network system, but with a vision of the contents and behaviours supported by the same network. For our purposes, and more generally in line with the substance of Law 547/1993 that defines this kind of crime, the computer crime is the crime that damages the information system as a whole or one of its components (including the stored data). For physical persons and legal entities, information crimes in the above-mentioned restricted meaning are those envisaged by the above-mentioned Law 547/1993, which also establishes the conditions under which these crimes may be prosecuted.

3.3.2 Non-compliance

To date, possible non-compliance by legal entities (companies), meant as omission of network protection, is limited to violation of the rules of Legislative Decree 196/2003. The related sanctions are included in article 169 of the rule. To date no possible non-compliance may be attributed to physical persons.

3.4 MAIN REQUIREMENTS OF OUTSOURCING CONTRACTS

Nowadays, companies have to adapt rapidly to meet the requirements of the specific competitive environment in which they operate. As a consequence, their products/services have increasingly shorter life cycles. In the past, the same car model, for example a Ford “T”, could remain on the market for as much as 30 years and all it needed was small changes, while today each model has to undergo a comprehensive restyling after 2 or 3 years unless the manufacturer decides to stop its production.
This ongoing adaptation to the changing needs of their customers implies an ongoing adaptation of the business activities involved in the production of a product/service. Companies are faced with continuous changes which they have to address if they want to survive. In such a competitive environment, companies had to redesign the way they operate, disregarding previous analyses of structures and organisation charts and focusing more and more on processes, that is, all the structured and focused activities designed to produce a specific output for a specific market or customer[2]. Activities are re-classified based on the company’s specific Value Chain[3], and the potential for improvement of each identified process, or the technologies and roles needed to ensure their functioning, needs to be properly designed. Now companies plan and make all the appropriate investments to make sure that they achieve their own objectives. In most processes, the main component of a comprehensive business re-definition is represented by Information Technology, which acts as the ‘nervous system’ of the new business models. Flexibility and specialisation become the pillars of a business organisation in which both suppliers and customers are increasingly involved in the Value Chain, which, as a consequence, turns into an inter-company chain. That is made possible by outsourcing those business components which sometimes can affect the correct functioning of the whole company. An example is given by the outsourcing of business services on which ICT management directly depends (ICT Outsourcing). The current tendency to outsource an increasing number of business processes poses significant problems to companies with regard to the security of the information they handle.
Such problems include the definition of adequate strategies to protect the information and the need to comply with the legislation in force, especially the Privacy Code. An ICT Outsourcing contract may be either full or selective. For both types of outsourcing, it is essential to define adequate requirements and criteria for the management of the security and confidentiality issues related to the information and the fixed assets transferred to the outsourcer. Such requirements and criteria have to be characterised by levels of service consistent with the security policies of the company outsourcing the product/service. Each security management service transferred to the outsourcer requires the definition of both parties’ obligations without compromising the flexibility of the contract. The types of security management services will be discussed in detail further on and can be summarised as follows:

• Identity and Access Management (management of the users who are allowed access to the ICT services available on the infrastructure)
• Secure Content Management (operational processes which make it possible to prevent spam in e-mails, examine and filter their contents and protect outgoing messages against viruses)
• Security Monitoring and Management
• Physical Security Management
• Secure Communication Services (identifying the processes and tools necessary to detect false identities, attempts to access confidential messages, unauthorised re-use of transmitted messages, falsification of the sender’s name or address, changes to message contents, and failure to deliver a message)
• Auditing and Reporting
• Compliance Management Services (verification of actual compliance with the established requirements)
• Security Training

[2] Davenport, T.H. “Innovazione dei Processi”, Franco Angeli, Milano, 1994, p. 25
[3] Porter, M.E. “Competitive Advantage”, Free Press, New York, 1985

In the most recent ICT Outsourcing contracts, the levels of
service associated with each one of the above-listed services are measured taking into account not only the single components or the specific nature of each process, but above all the end user’s overall perception in terms of functionality and ergonomics. However, in general, the companies that choose to outsource their products/services seldom lay down, in their outsourcing contracts, the minimum security criteria (including inspections and controls) to be adopted by their partners.

3.5 AREAS OF POSSIBLE NORMATIVE INTEGRATION

In previous paragraphs we saw that, in the last few years, the regulations governing the functioning of the Public Administration have been gradually integrated to address the new security needs, especially after the recent approval of the Legislative Decree on the implementation of the Public Connectivity System. The same is not true in the private sector (businesses and private users), where binding regulations are limited to specific types of handled information (Legislative Decree 196/2003) and specific behaviours (Law 547/2003). Preventive regulatory provisions specifically designed for network infrastructures are lacking. Such provisions should be introduced to affect network developers, network managers and network users alike, according to criteria of competence (role) and economic relevance (users), in line with the fully connected topology which characterises networks. The Legislative Decree on the implementation of the Public Connectivity System requires the Public Administration to use only those providers which comply with specific regulations ensuring the security of IT transactions. Hopefully, these regulations will be adapted to form the basis for an ethical code shared by all providers of data transmission services. That would represent a major guarantee for all users: citizens, businesses and private individuals in general.
3.6 CONCLUSIONS

The systematic and effective implementation of an adequate level of protection for data networks (considered in their different components) depends on a number of factors, not just the legal or normative ones that we want to identify. Further on we will discuss, for some of them, the possible potential for improvement, with special regard to the normative framework. Such factors include first of all users’ initiative and awareness levels; then, any awareness-raising programme developed by government bodies; and finally, the normative framework and any supporting structure, as well as shared and standardised methodologies. All these factors are acknowledged not only at a national level, but also by a European framework which is currently being developed and consolidated.

3.6.1 Users’ awareness and initiative

First, it is important to point out that, at this stage, we have no scientific study of sufficient level, and hence reliability (either at a national or European level), offering a comprehensive picture of the awareness level reached by institutions, businesses, public bodies and private individuals on issues of network security. Indeed, all the work published in the last few years is based on generalisations and extrapolations of data collected from specific sectors, or on indirect evaluations such as the recruitment of staff in charge of business security, reports of virus-related and other attacks, or telephone surveys conducted on insignificant samples. The information provided here has no scientific value either, but at least it is based on the experience of businesses which operate on the market on a daily basis. The EU recently announced its intention to conduct, in the next few months and in all Member States, a fact-finding survey aimed at assessing the awareness level of businesses and organisations with regard to issues of network security, and especially risk management and operational continuity.
However, this survey will focus only on the private sector, thus excluding the Public Administration. The general impression is that, for all the parties concerned, initiative and awareness levels are still low and should be raised in order to guarantee efficient and concrete results. Low awareness levels translate into a general reluctance to comply with existing regulations (whose number, in the private sector, is still limited). Another major obstacle derives from the tendency of most executives in both public and private sectors to consider network security-related costs as unjustified and unlikely to prove profitable in the long run, either functionally or ethically. It might be useful to make a comparison between network security and similar concepts, such as road safety and public health, which, although well established in our society, still pose major problems in terms of strategy and implementation. Today we are deeply aware of the impact that an epidemic might have on a certain community, both from an ethical perspective (protection of human life) and in terms of social costs. That leads to an adequate response in terms of awareness-raising, definition of specific regulations and sanctions, and political and administrative organisation. The situation is completely different in the field of network security. Indeed, professional associations in the private sector should join their efforts to catch up with the achievements reached by government bodies in the public sector.

3.6.2 Legislative framework

In the present chapter we explained that in Italy (see paragraph 3.1.4) the legislative framework concerning network security obligations for the private sector consists of a small number of provisions contained in Legislative Decree 196/2003.
In this regard, it is important to note that:

• Legislative Decree 196/2003 refers only to privacy policies and the protection of personal data;
• this decree affects only businesses and private agencies, but not private individuals;
• the high number and limited skills of private users, due to the growing availability of high-speed always-on Internet connections, represent a highly critical element.

It wouldn’t be strange to come up with a new specific legislative tool which, drawing on the provisions of articles 31-36 of Legislative Decree 196/2003, could be extended and integrated so as to include issues other than personal data, envisaging:

• minimum security measures affecting the whole infrastructure rather than specific critical aspects of the data (which might form the basis for a higher protection level);
• minimum security measures designed for specific users: private individuals, connectivity and application providers, businesses, agencies, Public Administration, etc.

On the other hand, the legislative decree that led to the development of the Public Connectivity System might be a valuable source of network security measures and criteria also in the case of private users (businesses, organisations and private individuals). Indeed, a growing number of companies are either in favour of ICT security certifications or have adopted them in their own working environment. In this regard, the reference provision is standard BS 7799, whose part 1 was converted into ISO/IEC standard 17799:2000.
4 - Risk Analysis and management: principles and methods

4.1 SECURITY MANAGEMENT SYSTEM

Before presenting risk analysis and management and network protection measures, it is advisable to underline how hard it is to adopt an effective protection system without considering the most important elements of the security management system. There are several standards and guidelines about the elements of a proper security management system:

• the OECD’s nine principles (see paragraph 3.1.2)
• the ISO 17799/BS 7799 standards, including the BS 7799:2000 part 2 document
• the “Standard of Good Practice” of the Information Security Forum (see appendix 2.2).

It is important to consider also all the other standards and guidelines about this topic, such as: the COSO Report on “Enterprise Risk Management”; the ISACA methodology for IT Audit, also called CobiT; the ITSEC and “Common Criteria” standards; the guidelines of CNIPA, etc. All these directives present several common parts that we can summarise as follows.

Awareness

All the elements of a company must be aware of the need to protect its resources, from the top management to the whole organisation and its different roles. A proper training level is needed to reach this target.

Rules and organisation

It is necessary to define an organisation model aimed at security by defining tasks and responsibilities. Security rules will be effective only if maintained at a high level, including, among their tasks, the search for the best strategy, particular company targets and their performance assessment systems.
Risk analysis

As described in paragraph 4.2, risk analysis is crucial to know the threats and problems of the organisation as well as the efforts and resources (limited by definition) needed to protect the most threatened areas.

Policy and procedures

Once the risk analysis has been carried out, it is important to define policies and their procedures. They are characterised by three levels: general, describing the organisation, its governance system, its goals and principles; user, i.e. daily user behaviour with respect to technologies; and technical, by which the ICT staff learns how to manage the stages of technology implementation and maintenance.

Continuous monitoring and tuning of the protection system

The security management system must be designed in order to guarantee the best monitoring, both operational and managerial, allowing the organisation to react and adapt the whole system to changes in the risk domain.

4.2 RISK ANALYSIS

4.2.1 The importance of risk analysis

Nowadays, economic and social life cannot be separated from the corresponding information resources and their communication networks. Unlike the physical world, information and networks are vulnerable to risks of a wide nature, often hidden and constantly evolving. Furthermore it can be observed that:

• networks are more and more sophisticated and their changes create new risks;
• complete protection leads to a limited and slowed-down usage of network resources;
• the protection technique strictly depends on the considered risk;
• the costs of a high-security system that goes far beyond the needs, or is extended to the lower-impact elements, are often too high.
Hence it is important to carry out a risk analysis in order to:

• define the information threats against the organisation;
• assess their impact in case of occurrence;
• define and implement countermeasures in order to mitigate the risk, with an effort commensurate to the potential impacts.

Risk analysis is then crucial in order to choose the best countermeasures without guessing them, balancing these countermeasures against their costs and risks. Risk analysis is one of the most important elements of the security management system. It is furthermore required, directly or indirectly, by EU and national laws (see chapter 3) and by the main reference standards such as:

• the ISO 17799 – BS 7799 standard
• ISF Standard of Good Practice
• CobiT (ISACA “Control Objectives of IT Governance”)
• GMITS (“Guidelines for the management of IT Security”; parts of these documents are also known as the ISO 13335 standards).

Risk analysis assumes even more importance in the wider context of corporate risk analysis and management, such as Corporate Governance and the Basilea II document. The latter is targeted at market and credit institutions and provides for a management programme of all risks related to business (from credit risk to market and financial risk) and operational risks, including those related to information systems (information risk). The growing importance of information risk analysis in the more general context of corporate risk management is based on the growing support that Information Technologies provide to the business and the corresponding corporate processes. So the information risk (that is, the risk related to the lack of information system protection) influences and conditions more and more the other risk categories (financial, market, operational risks, etc.).
Risk analysis must be carried out a priori, periodically and in a continuous/dynamic way (see paragraph 4.2.3), in order to update the protection system to the effective and real identified needs, allowing at the same time the best use of available resources.

4.2.2 General notes about the different risk analysis methodologies

There are several risk analysis methodologies, with different targets and features, but most of them share some common concepts, elements and procedures. There is no best methodology: it is important to understand which approach could be the best, considering its features with respect to:

• depth of analysis;
• risk measurement system;
• repeatability and frequency of the analysis process.

Depth of analysis

Considering the breadth of the risk analysis executed, it is possible to classify the implemented approach as a conceptual approach, i.e. related to the management and addressed to the organisation and its processes, or as an operational approach, i.e. related to the persons in charge of the information systems and addressed to technologies and the operative context. The conceptual, high-level risk assessment allows:

• the definition of the risk profile at a strategic and organisational level;
• the definition of the organisation’s threats and of the critical macro-areas or risk contexts to address over time;
• the definition of a plan of immediate enterprise interventions;
• the definition of the general security policy.

Such an evaluation has the value of enhancing the perception and awareness of the corporate top management about the importance of defining and implementing the security management plan. It also achieves the commitment to guarantee the security plan and, above all, allows the effort to be addressed towards the most critical areas (technological sites, simple systems, business networks) in order to create a deeper risk analysis.
The operational risk analysis is targeted at a detailed and in-depth security assessment of the single technologies, systems and specific network environments, and aims at the following macro-targets:

• comprehension of the vulnerabilities, threats and risks to which the single technologies (application platforms, systems, networks, etc.) and the processed information are exposed;
• definition of security architectures and technological standards;
• checking of policies and system management procedures;
• proposal of operational measures for the identified weaknesses, corresponding to the necessary security controls;
• achievement of compliance with security technology best practice.

Value quantification modes

In order to choose the best methodology it is important to consider the metrics system used by the methodology itself for the different model elements with respect to the defined targets. A quantitative measurement system, based on statistical and monetary elements, allows the definition of an investment budget in a more immediate way, but it could be too complex to elaborate and cannot entirely avoid subjective evaluations. In order to use this approach all risk elements must be quantified (resource recovery cost, image damage for the company, etc.). To achieve this it is necessary to have access to high-quality information that is not easily available. There are two variants inside this approach that could be defined (beyond the quantitative approach as such): the real and the apparent. The first includes cases in which numbers representing real quantities are used; this is the case of damage directly estimable in monetary units. The second case, which has been defined as apparent quantitative, i.e. semi-quantitative, has been created to address cases where there is a need (related to computer use) to convert qualitative measures into numerical values.
For example, a criticality value, initially expressed in qualitative terms as high, medium, low and void, can be expressed with a corresponding set of numeric values (i.e. 3, 2, 1 and 0) in order to allow a logical product with another measure (i.e. the risk exposure level). The purely quantitative approach, certainly more precise than the qualitative one, is not easy to apply, mainly for two reasons. The first is that often the values are not available (who can precisely define the value of a material good, for example an investment fund, not managed by a bookkeeping procedure at the necessary analytical level, and how should one behave in case of image damage?). The second is that, considering the lack of objectivity of such values, the risk is to estimate goods wrongly, assigning numeric values to something that expresses a qualitative evaluation. Qualitative methodologies do not require statistical data, expressing values in terms such as low, medium, high, crucial and critical. Such approaches may seem superficial and less precise, but in reality they turn out to be more honest, also because generally the logical model of the risk analysis ends with the identification of countermeasures, which are expressible in discrete terms, undermining the quantitative approach even assuming that it is possible to attribute reliable values to the different entities. The main aspect the designer has to face is the balance of metrics, in terms of the range of possible values for the different concepts and for the different metric systems used, whether qualitative or quantitative. As a matter of fact, it is clear that relations and functions involving concepts measured according to different, non-congruent scales could lead to inconsistent results. The identification of a verification system for assessing the consistency of the different metric systems is still an open issue today.
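The following Python example is added here as an illustration of the semi-quantitative approach just described; it is not code from the original document or from any of the methodologies it cites. It maps the qualitative terms onto the 3/2/1/0 values given in the text, takes the logical product with an exposure level, turns the product back into a discrete band (since countermeasures are chosen in discrete terms), and shows the metric-balance problem: a second exposure scale on a 1-5 range, constructed for the example, would distort the product unless it is first rescaled onto the same range as the criticality scale.

```python
"""Semi-quantitative risk scoring: qualitative levels mapped onto numbers
and combined by a product, plus a check that the two scales are congruent.

Added illustration, not code from the original document. The scale values
follow the text (high/medium/low/void -> 3/2/1/0); the 1-5 exposure scale
and the sample calls are constructed to show the metric-balance problem.
"""


def scale_range(scale):
    """Return (min, max) of the numeric values of an ordinal scale."""
    values = scale.values()
    return (min(values), max(values))


# Criticality of an information resource, as in the text.
CRITICALITY = {"high": 3, "medium": 2, "low": 1, "void": 0}

# Risk exposure (threat occurrence level) on the same 0-3 range.
EXPOSURE = {"high": 3, "medium": 2, "low": 1, "void": 0}

# A constructed 1-5 exposure scale: same concept, different range.
EXPOSURE_1_TO_5 = {"very high": 5, "high": 4, "medium": 3, "low": 2, "very low": 1}


def scales_congruent(a, b):
    """Two ordinal scales can be multiplied meaningfully only if they span
    the same numeric range; otherwise the wider scale dominates the product."""
    return scale_range(a) == scale_range(b)


def normalise(scale, lo=0, hi=3):
    """Linearly rescale an ordinal scale onto [lo, hi] so that it becomes
    congruent with a scale of that range (the simplest balancing step)."""
    mn, mx = scale_range(scale)
    return {term: lo + (v - mn) * (hi - lo) / (mx - mn) for term, v in scale.items()}


def risk_score(criticality, exposure, crit_scale=CRITICALITY, exp_scale=EXPOSURE):
    """Logical product of criticality and exposure, refusing incongruent scales."""
    if not scales_congruent(crit_scale, exp_scale):
        raise ValueError("incongruent scales: normalise before taking the product")
    return crit_scale[criticality] * exp_scale[exposure]


def risk_band(score, max_score=9):
    """Map the numeric product back to a discrete band: countermeasures are
    selected in discrete terms, so the final output is qualitative again."""
    if score == 0:
        return "negligible"
    if score <= max_score / 3:
        return "low"
    if score <= 2 * max_score / 3:
        return "medium"
    return "high"


def assess(criticality, exposure_term, exp_scale=EXPOSURE):
    """Score one resource, balancing the exposure scale first if needed."""
    if not scales_congruent(CRITICALITY, exp_scale):
        exp_scale = normalise(exp_scale)
    score = risk_score(criticality, exposure_term, CRITICALITY, exp_scale)
    return score, risk_band(score)


if __name__ == "__main__":
    print(assess("high", "medium"))                         # (6, 'medium')
    print(assess("high", "very high", EXPOSURE_1_TO_5))     # (9.0, 'high')
    print(assess("medium", "very low", EXPOSURE_1_TO_5))    # (0.0, 'negligible')
```

Without the normalisation step, a "high" criticality (3) multiplied by a "very high" exposure on the 1-5 scale (5) would give 15 against a maximum of 9 on the balanced scale, which is exactly the kind of inconsistent result the text warns about; the linear rescaling is one simple balancing rule, not the verification system the text says is still an open issue.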
The conclusion could be that the quantitative system is more suited to the conceptual business context analysis, while the qualitative one targets the operative analysis, where countermeasure efficiency dominates cost justification.

Repeatability and frequency of the analysis process

With respect to the repeatability/frequency of the risk analysis process, two different existing methodologies can be distinguished: the static approach and the dynamic/continuous approach.

The static approaches:
• provide a picture of the actual security status;
• require periodic revision, with different expiry dates according to the depth of analysis:
  - once a year in the case of conceptual/organisational analyses;
  - every 3-4 months in the case of operative/technological analyses;
• have different targets according to the depth of analysis:
  - definition of security management policies and organisational infrastructure, in the case of conceptual/organisational analyses;
  - definition of security architectures and technological/control standards after the assessment of the vulnerabilities and threats to which technologies are exposed (technological analysis level);
• involve the whole organisation, regardless of its size, and specifically in the case of a first risk assessment analysis;
• are usually managed under the responsibility of specific corporate functions, generally in the ICT area (ICT manager, Security Officer, Security Committee, etc.); thus the other corporate functions are passively involved.

The dynamic/continuous approaches:
• do not evaluate the security situation at a precise moment, but offer the elements to analyse and manage the risk continuously and dynamically;
• make risk evaluation and management crucial parts of the processes of implementation, maintenance and monitoring of information systems;
• are mainly based on quantitative risk measures (using tools such as the Balanced Scorecard and Key Performance Indicators);
• integrate information risk management within that of all business risks and, particularly, within that of ordinary operational activities (implementation, change management and operability);
• lead to the decentralisation of risk management, involving all business functions; furthermore, they require the commitment of all the members of the organisation, including the top management;
• cover any analysis level and carry out both conceptual and operative/technological analyses.

The current trend shows the ever-growing diffusion of dynamic and continuous risk analysis and management approaches and models, addressed to corporate business and integrated with all the other corporate risk analyses (operational, credit and financial risks). For further information about the best national and international methods, see appendix 2.

4.2.3 Common elements among the main methodologies

Apart from the methodology in use, there are many elements and stages of risk analysis common to all methodologies. As a matter of fact, a risk assessment, independently of the methodology used, must allow one to:

• define the agreement for carrying out the analysis, defining what to defend against the risk;
• locate and evaluate hostile agents, threats, attacks and vulnerabilities;
• define which threats are to be faced;
• calculate the final risk, evaluating the acceptable levels, and define the countermeasures to keep the risk within them.

Most of today’s analysis methodologies include all the elements listed above, but they use different concepts and terms, often not well defined and far from the prevailing meaning, which is defined by the reference standards. This is the case for the terms and concepts of protection, danger, threat, attack, damage and, hence, risk.
This paragraph pinpoints the prevailing meaning of the following concepts and their definitions:
• Boundary of intervention
• Information resources (census and classification)
• Protection attributes
• Threat census
• Vulnerability census
• Occurrence probability (threat exposure)
• Impact evaluation
• Countermeasures definition
• Risk reduction after the implementation of the countermeasures

Boundary of intervention and information resources

First of all the boundary of intervention must be defined, and hence the organisation concerned and the information it manages. Afterwards, an analytic census of the information included in the boundary of intervention must be carried out. The level of detail of the census depends on the goals and on the type (conceptual/operative) of the risk analysis to be performed. For a conceptual analysis it is enough to take a census of the process data (billing, payments, staff) or of the application systems, while the operative analysis must also consider the underlying technologies (communication networks and the hardware/software used by the process). In any case, the single elements that make up the information (data, software, technologies) and all the processes that determine how the information is accessed must be identified and compared. All these elements must be classified into homogeneous categories in order to evaluate threats and vulnerabilities.

Information networks form the communication and processing systems (input, output and updating) for all the information; it may therefore be argued that they could be protected regardless of the information they carry. This is true in some circumstances (for instance the backbones of a telecommunication company). In any case, one must be aware of what has to be protected, and of how many resources are needed to protect each element of the information asset according to its criticality.
Goals and protection attributes

Before proceeding it is important to define the goals of the protection system. They influence all the subsequent activities, since the business goals of a for-profit company cannot be compared to the missions of non-profit or government organizations, and neither can their protection goals. Depending on these goals there are further features to be defined and evaluated one by one; they influence the risk assessment process and the choice of the corresponding protection techniques.

As underlined before (see paragraph 1.5), current best practice identifies three security attributes: confidentiality, integrity and availability. It is advisable to evaluate the three attributes one by one, since each presents different risk scenarios.

Threat census

Risk strictly depends on the concept of threat: a threat is the equivalent concept stripped of the two features of probability and consequential damage. In other words, risk can be thought of as a negative event that causes damage to someone or something; the threat is that event. A threat can thus be defined as anything that causes the loss of the security attributes of confidentiality, integrity and availability. A threat is often an undesired event that can be identified a priori, and it can be classified as internal or external. A threat is actualised by attacks that can be carried out in different ways.

There is a tendency to protect the boundary of intervention mainly against external threats, perhaps because they are more visible than internal ones. In reality internal risks are the most frequent, so they cannot be underestimated: for instance, the 2003 CSI/FBI survey underlines the importance of internal threats (reported by 77% of participants).
Internal threats and the corresponding countermeasures strictly depend on the organization and on the nature of the information processes, while external threats are determined by the technologies used, independently of people or processes. Internal threats must therefore be determined by considering the specific organisational environment, while the external ones can be treated with more standardised solutions, tied to the technologies most commonly adopted.

Vulnerability census

Another important concept is the exposure of a subject to a given threat. It must be treated together with another quality of the subject: its vulnerability. A vulnerability is an organizational or technological condition that allows a threat to be actualised. Threats are always present, but ideally they cannot materialise in the absence of vulnerabilities; conversely, a threat has a greater chance of materialising in the presence of numerous and significant vulnerabilities.

A vulnerability can be organizational or procedural (for instance the lack of a vital corporate function such as monitoring) or technological (a technical weakness in the BIOS, the operating system, the database, etc.). Technical vulnerabilities can be located by means of vulnerability scanners, i.e. automated products for the continuous scanning of technical weaknesses, or through attack and penetration activities. Figure 4-1 summarises the most common vulnerability categories as classified by a security survey carried out in 2003 by PricewaterhouseCoopers and CIO Magazine.

The main factors leading to the proliferation of vulnerabilities are:
• Faulty components
• Geographical distribution
• Size and complexity
• Technological evolution
• Limited know-how about security problems.

The level of vulnerability can be reduced through the implementation of proper security countermeasures, listed in chapter 5.
Vulnerability can never be totally eliminated, because the countermeasures themselves have weaknesses.

Figure 4-1 – The most common vulnerability categories (1)

Occurrence probability

As indicated elsewhere in the document, risk can be identified as the product (logical or arithmetical) of the impact (the damage caused) and the occurrence probability of a particular threat. This probability can be expressed by a judgement, or by considering, when available, the statistics of incidents and attacks, or both. All the elements that contribute to the risk (threats, attacks and vulnerabilities) have to be analysed in this phase. Table 4-1 relates some examples of threats with the corresponding attacks and vulnerabilities.

(1) Taken from “Information security: a strategic guide for business”, © PricewaterhouseCoopers 2003.

Impact evaluation

One of the most important aspects of the risk analysis process is the determination of the impact, upon the resources to be protected and upon the enterprise as a whole, when a threat is successfully actualised. The impact, as described above, is the second component of the risk, after the threat occurrence probability. The condition for applying a metric system (i.e. one conceived to measure) to a concept is that the concept can be measured. That is always the case for qualities, while for entities two cases exist: the first is when the entity itself is measurable by its nature (e.g. damage); the second is when the entity is not measurable by itself but becomes so by means of its qualities (this is the case of the subject, of which we measure the criticality).
For further information about quantitative and qualitative approaches see paragraph 4.2.2.

Measurement and risk reduction

In formal terms, risk is defined as the product (logical or mathematical) of the event occurrence probability and the damage (R = Pa * D). If at least one of the two factors goes to zero, the risk is very low. For qualitative measurements it is necessary to identify a measuring system that allows the two components of the risk to be measured homogeneously, through a properly set scale of degrees. In practice it is useful to consider two aspects of the risk: the first, called absolute or intrinsic risk, and the second, called residual risk; the latter, unlike the former, takes into account the effect of the countermeasures identified.

Table 4-1 – Relation among threats, attacks and vulnerabilities (2)

Threat: an outsider accesses the private network of the organization.
• Attack: the outsider enters the system through a backdoor on a Wireless Local Area Network (WLAN). Vulnerabilities:
- the Service Set Identifier (SSID) of the network has not been properly masked;
- an unauthorised access point has been installed by an internal employee;
- Wired Equivalent Privacy (WEP) is weak and its encryption has been broken.
• Attack: the outsider gets in through a password brute-force attack. Vulnerabilities:
- inadequate password length;
- weak passwords subject to dictionary attack.
• Attack: the outsider steals an authorised user's password. Vulnerabilities:
- the identification sequence is not cryptographically protected, so the credentials can be captured;
- low level of monitoring;
- a Trojan horse has been installed on the network.
• Attack: a disgruntled ex-employee accesses the systems in order to obtain classified information. Vulnerabilities:
- accounts and passwords not deleted after the resignation;
- passwords for dial-in servers or WLAN access points not changed after the resignation.

Threat: financial losses due to fraudulent operations.
• Attack: the attacker simulates a genuine web transaction. Vulnerability: inadequate cryptography and identification in the application communication channels.
• Attack: the intruder accesses the clients' credit card records. Vulnerability: access controls compromised on a critical database.

Threat: loss of critical data.
• Attack: a terrorist attack destroys a database. Vulnerability: inadequate backup and redundancy procedures.
• Attack: a Trojan horse program deletes a hard drive. Vulnerabilities:
- employees have not been made aware of the risk of downloading software from unknown sources;
- antivirus software not updated.

Threat: Internet not available, causing loss of revenue due to network inactivity.
• Attack: a Denial of Service attack based on the “ping” technique overloads the servers, paralysing them. Vulnerabilities:
- the router is badly configured and cannot detect malformed packets;
- the server operating system is not updated to the most recent security standards;
- inadequate antivirus defences.
• Attack: an intruder reconfigures the router in order to block legitimate traffic. Vulnerability: the default administrative password of the system has not been changed (or cannot be reset).
• Attack: continuous application requests saturate the server resources. Vulnerabilities:
- inadequate application development;
- inadequate identification controls allow fraudulent calls to be accepted as genuine.

(2) See note 1.

Countermeasures definition

During the risk assessment process an acceptable level of risk must be identified and compared with the available budget.
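The formula R = Pa * D, the distinction between intrinsic and residual risk, and the comparison of the residual risk with the acceptable level and the available budget can be put into working code. The following is an added example, not part of the original text: the three-level ordinal scales, the scenarios (loosely modelled on the rows of Table 4-1), the countermeasures, their costs and their effect in "levels" are all constructed assumptions, as are the acceptable level and the budget.

```python
"""Qualitative risk scoring (R = Pa * D), intrinsic vs. residual risk, and a
budget-bounded choice of countermeasures. Added example: scales, scenarios,
countermeasures, costs and the acceptable level are all constructed."""
from dataclasses import dataclass, field

# Ordinal scales for the two components of the risk (constructed three-level
# scales; the text only requires that both components be measured homogeneously).
PROB = {"low": 1, "medium": 2, "high": 3}      # Pa, occurrence probability
DAMAGE = {"low": 1, "medium": 2, "high": 3}    # D, damage / impact


def risk(pa: str, d: str) -> int:
    """Intrinsic (absolute) risk: product of the two ordinal degrees."""
    return PROB[pa] * DAMAGE[d]


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: int
    covers: tuple              # threats this measure applies to
    prob_reduction: int = 0    # levels by which it lowers Pa
    damage_reduction: int = 0  # levels by which it lowers D


@dataclass
class Scenario:
    threat: str
    pa: str
    d: str
    applied: list = field(default_factory=list)


def lower(level: str, scale: dict, steps: int) -> str:
    """Move a degree down the scale by `steps`, never below the lowest degree."""
    ordered = sorted(scale, key=scale.get)
    return ordered[max(0, ordered.index(level) - steps)]


def residual(s: Scenario) -> int:
    """Residual risk: the intrinsic risk recomputed after the applied countermeasures."""
    pa, d = s.pa, s.d
    for c in s.applied:
        pa = lower(pa, PROB, c.prob_reduction)
        d = lower(d, DAMAGE, c.damage_reduction)
    return risk(pa, d)


def plan(scenarios, candidates, acceptable, budget):
    """Greedy selection: repeatedly apply the affordable countermeasure with the
    best risk reduction per unit of cost, until every scenario is at or below
    the acceptable level or nothing affordable still helps.
    Returns (chosen names, money spent, residual risk per threat)."""
    chosen, spent, remaining = [], 0, list(candidates)
    while True:
        open_ = [s for s in scenarios if residual(s) > acceptable]
        if not open_:
            break
        best, best_ratio = None, 0.0
        for c in remaining:
            if spent + c.cost > budget:
                continue
            gain = 0
            for s in open_:
                if s.threat in c.covers:
                    before = residual(s)
                    s.applied.append(c)
                    gain += before - residual(s)
                    s.applied.pop()
            if gain / c.cost > best_ratio:
                best, best_ratio = c, gain / c.cost
        if best is None:
            break
        for s in scenarios:
            if s.threat in best.covers:
                s.applied.append(best)
        chosen.append(best.name)
        spent += best.cost
        remaining.remove(best)
    return chosen, spent, {s.threat: residual(s) for s in scenarios}


def demo():
    # Constructed scenarios loosely based on the rows of Table 4-1.
    scenarios = [
        Scenario("outsider via unprotected WLAN", "high", "high"),
        Scenario("loss of critical data", "low", "high"),
        Scenario("DoS via malformed packets", "medium", "medium"),
    ]
    candidates = [
        Countermeasure("802.1X/RADIUS on the WLAN", 3, ("outsider via unprotected WLAN",), prob_reduction=2),
        Countermeasure("offsite backup", 2, ("loss of critical data",), damage_reduction=2),
        Countermeasure("router hardening and patching", 2, ("DoS via malformed packets",), prob_reduction=1),
    ]
    intrinsic = {s.threat: risk(s.pa, s.d) for s in scenarios}
    chosen, spent, resid = plan(scenarios, candidates, acceptable=2, budget=5)
    return intrinsic, chosen, spent, resid


if __name__ == "__main__":
    intrinsic, chosen, spent, resid = demo()
    print("intrinsic:", intrinsic)
    print("chosen:", chosen, "spent:", spent)
    print("residual:", resid)
```

Running the demo shows the point of the residual-risk concept: with a budget of 5 the plan buys the WLAN measure and the backup, but the WLAN scenario still ends at residual risk 3, above the acceptable level of 2, and the DoS scenario is not treated at all. That gap is exactly what the risk assessment must make explicit, so that management either accepts the residual risk, raises the budget, or looks for a cheaper countermeasure.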
Countermeasures are the organizational and technological measures able to face the risks and reduce them to a pre-defined acceptable level. Within the risk analysis process the countermeasures can be defined generically, leaving the deeper investigation and the further analysis and definition from a more operative viewpoint to a later stage. It is very important to define the modes of action, the timing and the responsibilities in a proper operative implementation plan.

Final notes

In this section we wanted to identify all the components of a general model of risk analysis. The goal is to provide a clear map of the elements of a generic model, in order to better understand the schemes of the different models available on the market today. Some of them are described in appendix n. 2.

4.2.4 Risk Management

The risk analysis described above makes it possible to define the most adequate countermeasures to implement. The adoption (in other words the implementation) of the countermeasures, as well as the management and long-term monitoring of the actual security status, belong to the domain of risk management. Controllable and effective security measures must be adopted to counter the risks identified and associated with the use of the infrastructures for data management, processing and exchange. Information security must therefore be considered a global characteristic, able to meet the desired level of confidentiality, integrity and availability of information and services, in keeping with the evolution over time of needs and technologies.

An illustration of the activities involved in a complete risk management process is presented in figure 4-2 below. The illustration clearly shows that the risk management process must be continuous and repeatable.

Figure 4-2 – Risk Management Life Cycle (phases: risk awareness, risk analysis, risk mitigation, risk control)
To actually safeguard information security by means of careful risk management, an adequate Security Management System (SMS) must be integrated within the organisation responsible for creating, updating, deleting and maintaining the information, and organised according to the three dimensions of the problem:
• Processes
• Organisation
• Technologies.

Failure to analyse one of the three dimensions above, or a fragmentary and limited approach lacking a homogeneous overall framework for assessing the current state of information security, makes any corrective action potentially ineffective, because of the limited or incomplete assessment of the identified problem.

Generally speaking, the issues to address are the following:
• Identification and definition of the corporate processes and of the associated risk environments
• Compliance with national and international security standards and provisions (e.g. Italian Legislative Decree 196/2003)
• Definition of a security management strategy
• Decision on the guidelines the company intends to adopt for security management
• Preservation of the investments previously made, or about to be made, in the security of IT systems.

Risk management essentially depends on:
• The corporate mission
• Compliance with laws and standards
• The economic resources available.

One of the fundamental purposes of a Security Management System is to reach a reasonable compromise between the cost of security and the cost of insecurity; the main objective is to ensure a long-term, stable and optimum protection level.
According to the considerations made so far, risk analysis cannot be considered the only relevant element of comprehensive risk management; it is also important to:
• Effectively implement adequate countermeasures and establish an iterative cycle for monitoring their efficiency
• Continuously update the risk evaluation, by periodically repeating the process or by implementing dynamic risk management systems
• Consider the entire security management context (see 4.1).

The global perception of the problem has led to the current trend of convergence between risk analysis models and risk management systems, essentially by means of modern analytic methodologies and dynamic evaluations. Such methodologies also take into account the changes that affect the information resources, and the outcome of incident/attack monitoring, which in turn influences the updating of the risk assessment criteria.

4.2.5 Risk Analysis Support to the Privacy Management System

In Italy, Legislative Decree 196/2003 (generally known as the Codice della Privacy, the privacy code) regulates the privacy management system. The law guarantees that personal data are processed in compliance with fundamental rights and freedoms and with respect for the dignity of the data subject, especially with regard to privacy, personal identity and the right to personal data protection. Consequently, companies have had to carry out a series of both regulatory and technical/organisational obligations, including the adoption of specific security measures. One of the required fulfilments is the adoption of the Programmatic Security Document (Documento Programmatico sulla Sicurezza) for the electronic processing of sensitive personal data. To prepare the document (one of the minimum security measures provided for by art. 34 of the Code and by point 19 of the Technical Requirements in appendix B of the Code) it is required, among other activities, to perform a risk analysis on the personal data processing system managed by the company or organisation.

On this basis, and especially with reference to the principles and rationale of the law, it appears that the emphasis of risk analysis within the privacy management system differs from that of the general risk analysis supporting a corporate security management system, which is performed over the entire corporate information asset. It is interesting to pinpoint the differences between the two cases.

One difference lies in the objective to be reached: here risk analysis does not aim so much at identifying (and thereby reducing) the consequences of events that are potentially harmful for the company that processes its own data and business processes, but rather at identifying the consequences of harmful events for the subjects the data pertain to; in other words, the objective is to protect the processing of the personal data of the subjects protected by the privacy law.

The object of the analysis is also different: when performing risk analysis for a company, the objects of protection are the corporate resources and information. In a privacy context, instead, only the data pertaining to the private sphere of the subjects concerned are examined (i.e. the databases or repositories containing such data), correlated with their processing within the company or organisation responsible for it.
Thus, the very modus operandi of the risk analysis process is different:
• Impact evaluation is no longer required;
• It is no longer necessary to classify information according to its criticality level, since the provisions supply a classification and make a two-level distinction of personal data:
- sensitive;
- not sensitive (also referred to as common or ordinary personal data) (3).

Companies and organisations nevertheless still have the far from trivial task of identifying where ordinary and sensitive data exist, both internally and at any outsourcing partner, and correlating them with the pertinent processes and applications.

(3) The provisions indirectly identify a third data category: data that do not fall within the scope of application of the provisions.

5 - Network Protection Measures

5.1 TECHNOLOGICAL MEASURES

Current ICT technology is the direct product of the standardisation activity launched in the eighties, when ISO defined the OSI network reference model, organised in seven layers, each with a specific task: Physical, Data Link, Network, Transport, Session, Presentation and Application. With the exception of the first (Physical) layer, a protocol is usually adopted for each layer of the ISO/OSI stack to enable communication and data transfer among users of the same network, following pre-defined rules. When at least two systems need to communicate, all the layers of the ISO/OSI stack are involved, from the application layer, where the information to be transmitted is usually generated, down to the physical layer, where the information is converted into signals that enable transmission to the final destination.
Information can be compromised as it transits through any of the aforementioned layers, which is why network equipment must be secured with specific countermeasures for each layer of the ISO/OSI stack.

Figure 5-1 – ISO/OSI Levels and Protection Technologies (assets shown, from the outside inwards: Perimeter, Internal Network, Application, Data)

Figure 5-1 represents the main protection technologies and the different assets they are able to protect. Technologies are quite often able to secure several levels (from the network up to the applications), but for an effective security strategy it is important to fully understand the range of intervention of each technology and, above all, the risks it is able to mitigate throughout the information life-cycle.

5.1.1 Firewall and VPN

A firewall is generally the privileged tool for protecting and monitoring communications among the different networks of an organisation. A firewall is a hardware and/or software system able to control the traffic flowing from untrusted networks, whose security level cannot be determined, towards trusted networks, whose security level is known and which are equipped with the necessary protective measures.

The market offers a large variety of firewall technologies designed for the networks they are intended to protect, from WAN (ADSL, ISDN, Frame Relay) to LAN (Ethernet, Token Ring, etc.) links. Modern firewall technologies are able to inspect communication protocols from the lowest (physical) to the highest (application) layer, although most controls are performed on the layers directly concerned with networking.

Figure 5-2 – Firewall and Networks (untrusted network / firewall / trusted network)

For the function to be effective, all traffic requiring protection must pass through the firewall system, which applies the pre-defined security policies to grant or deny access to the requested resources.
In the typical network of a sufficiently computerised organisation, a firewall system is used for boundary protection and for internal protection. The former means securing communications between the external boundary of the network (typically Internet/Extranet) and the rest of the infrastructure; the latter refers to the countermeasures needed to protect communications within the organisation. In this second case a firewall can be adopted to further segment the internal network and to protect particularly critical corporate networks.

The following table summarises the firewall technologies of the main products on the market.

Table 5-1 – Predominant Firewall Technologies

Firewall technology     | OSI layer                    | Characteristics
Packet filtering        | Network (3)                  | Limited security, high performance, Network Address Translation (NAT)
Application-level proxy | Application (7)              | High security, low performance
Circuit-level proxy     | Session (5)                  | Medium security, medium performance
Stateful inspection     | Network to Application (3-7) | Compromise between security and performance

VPNs (Virtual Private Networks) are built with technologies that implement protected, and therefore private, virtual links over public physical connections. These technologies rely on specific secure protocols, for instance IPsec, that use cryptographic algorithms both to authenticate the peers and to guarantee the confidentiality and integrity of the information exchanged. The functions provided include key management, which is performed transparently for the users. For the system to be globally efficient, traffic is usually encrypted only between the branch router and the corporate router, so the local networks inside the company are excluded from the encryption: in other words, the VPN function is implemented on VPN-enabled routers (gateway to gateway), in addition to their ordinary routing function. VPNs can also be implemented between a single client and a gateway, or between two clients.
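The difference between the first and the last row of Table 5-1 is easiest to see on concrete traffic. The following is an added example, not part of the original text and not the code of any firewall product: it runs the same constructed packet sequence through a stateless packet filter (which judges every packet on its own and, like classic packet filters, treats an inbound packet carrying ACK as "established") and through a stateful inspection engine (which remembers the connections opened from the trusted side). The addresses, ports and policy are assumptions.

```python
"""Stateless packet filter vs. stateful inspection on a constructed packet
sequence. Added example: the addresses, ports and policy are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED = ip_network("10.0.0.0/8")   # assumed internal (trusted) network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN", "ACK"}


def inbound(p: Packet) -> bool:
    """True when the packet crosses from the untrusted to the trusted network."""
    return ip_address(p.dst) in TRUSTED and ip_address(p.src) not in TRUSTED


def stateless_filter(p: Packet) -> str:
    """Packet filtering (layers 3/4 only): every packet is judged on its own.
    Outbound traffic is allowed; inbound traffic is allowed only if it looks
    like the continuation of a connection, i.e. it carries ACK. That test is
    the classic 'established' approximation used by stateless filters."""
    if not inbound(p):
        return "ALLOW"
    return "ALLOW" if "ACK" in p.flags else "DENY"


class StatefulFilter:
    """Stateful inspection: remembers connections opened from the trusted side
    and lets inbound packets through only when they belong to one of them."""

    def __init__(self):
        self.table = set()  # (client ip, client port, server ip, server port)

    def decide(self, p: Packet) -> str:
        if not inbound(p):
            if p.flags == frozenset({"SYN"}):          # new outbound connection
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        # inbound: must be the reverse of a tracked outbound connection
        key = (p.dst, p.dport, p.src, p.sport)
        return "ALLOW" if key in self.table else "DENY"


def run(packets):
    """Return the decisions of both filters for the same packet sequence."""
    sf = StatefulFilter()
    return ([stateless_filter(p) for p in packets],
            [sf.decide(p) for p in packets])


# Constructed traffic: a legitimate web connection, then a forged packet that
# carries ACK but belongs to no connection, then a plain connection attempt.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"})),          # out: open
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),   # in: reply
    Packet("198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"ACK"})),          # in: forged
    Packet("198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"SYN"})),          # in: new conn
]

if __name__ == "__main__":
    stateless, stateful = run(SAMPLE)
    for p, a, b in zip(SAMPLE, stateless, stateful):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}  "
              f"stateless={a} stateful={b}")
```

The third packet is the one that matters: the stateless filter lets it reach the internal host because it has no memory of which connections exist and the ACK flag is all it can check, whereas the stateful engine drops it because no connection to 198.51.100.7 was ever opened from the inside. This is the "limited security" of packet filtering and the "compromise" of stateful inspection in Table 5-1, made concrete.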
5.1.2 Network/Host IDS

The Intrusion Detection System (IDS) is another technological protection device for systems and networks. Unlike a firewall, which is considered an active protection system, an IDS is usually perceived as a passive measure, able to monitor and analyse network events without interfering directly to prevent them. An IDS collects information from hosts and network segments (DMZ, Internet backbones, LAN segments, etc.) to identify potential violations (external or internal attacks). The technologies adopted by modern IDS systems can be divided into two main categories:
• Pattern matching. The system analyses the packet flow looking for sequences associated with known attacks; these sequences (signatures) are stored in a regularly updated database. In this sense it is similar to an antivirus, which only identifies known attacks.
• Statistical / traffic-anomaly based. Here violations are identified by analysing the differences between the quantity and type of traffic observed and the pre-established thresholds considered normal for the situation examined. This approach makes it possible to identify unknown attacks, but it is highly sensitive to transitory traffic variations that in most cases are not related to an attack. Such systems are therefore considered less reliable than the previous ones.

Whatever the analysis technology implemented by the IDS, two common setups are distinguished, depending on the nature of the assets monitored: network based (analysis of network segments) and host based (analysis of the single hosts).
• Network IDS. A NIDS performs real-time analysis of the packets passing through the network segment it is attached to, searching for sequences that could derive from violations, attacks on the network, or simply suspicious use of resources.
When a potential attack is identified, the IDS notifies the administrators or security managers, who decide whether further preventive actions are to be taken.
• Host-based IDS. A HIDS performs real-time analysis of the traffic destined for one specific host, to unveil malicious or suspicious activity. These systems are installed directly on the monitored host. The approach also makes it possible to analyse data intrinsic to the host, such as the main system files and logs.

Though the two setups seem similar, the following factors must be considered carefully before deciding upon an IDS system:
• Network architecture (number and type of network segments)
• Complexity level and security requirements
• Number and type of hosts/servers to be protected
• Characteristics of the existing technologies

To achieve maximum benefit from an IDS, the policies/parameters that regulate how the system works must be optimised (tuning), so as to minimise false positives (notification of non-existent attacks) and false negatives (failure to notify real attacks). Lastly, given the huge quantity of data monitored by IDS systems, it is important to carefully assess the hardware/software performance of the IDS solution. Generally speaking, the best performance is achieved by dedicated security appliances, which are able to analyse large traffic volumes per unit of time.

5.1.3 Access Server (RADIUS/TACACS)

Generally speaking, any access from outside the corporate network is a potential threat for the organisation. However, the need for constant access to corporate data, even when accessing the information system from inside the organisation is physically impossible, requires technologies enabling direct access to the internal systems, for instance by means of a telephone connection from anywhere in the world, at any time of day.
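Before continuing with remote access, the two IDS detection approaches of paragraph 5.1.2, and the false positives and false negatives that tuning has to balance, can be contrasted on a small constructed capture. The following is an added example, not part of the original text and not the engine of any IDS product: the two signatures, the addresses, the traffic rates and the anomaly threshold are assumptions.

```python
"""Signature (pattern matching) vs. traffic-anomaly detection over constructed
packets. Added example: signatures, addresses, rates and thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float        # seconds since capture start
    src: str
    payload: bytes


# Two constructed signatures, each a byte pattern of a well-known attack class.
SIGNATURES = {
    "directory traversal in URI": re.compile(rb"\.\./"),
    "SQL injection (UNION SELECT)": re.compile(rb"(?i)union\s+select"),
}


def signature_alerts(packets):
    """Pattern matching: report every packet whose payload matches a known signature."""
    alerts = []
    for p in packets:
        for name, rx in SIGNATURES.items():
            if rx.search(p.payload):
                alerts.append((p.t, p.src, name))
    return alerts


def anomaly_alerts(packets, baseline_secs=5, factor=3.0):
    """Traffic anomaly: per source, learn a packets-per-second baseline during
    the first `baseline_secs`, then flag any later second whose packet count
    exceeds `factor` times that baseline."""
    per_src = defaultdict(lambda: defaultdict(int))  # src -> second -> count
    for p in packets:
        per_src[p.src][int(p.t)] += 1
    alerts = []
    for src, per_sec in per_src.items():
        base = sum(per_sec.get(s, 0) for s in range(baseline_secs)) / baseline_secs
        baseline = max(base, 1.0)  # a nearly silent source still gets a floor
        for sec in sorted(per_sec):
            if sec >= baseline_secs and per_sec[sec] > factor * baseline:
                alerts.append((sec, src, per_sec[sec]))
    return alerts


def build_sample_traffic():
    """Constructed capture: a workstation browsing at 2 packets/s for 5 s, then
    fetching a large update at 20 packets/s (benign burst); plus one attacker
    packet sent at a rate that is perfectly 'normal'."""
    pkts = []
    for s in range(5):
        for frac in (0.1, 0.6):
            pkts.append(Packet(s + frac, "10.0.0.5", b"GET /index.html HTTP/1.1"))
    for i in range(20):
        pkts.append(Packet(5 + i / 20, "10.0.0.5", b"GET /update.bin HTTP/1.1"))
    pkts.append(Packet(3.3, "198.51.100.7", b"GET /../../etc/passwd HTTP/1.1"))
    return sorted(pkts, key=lambda p: p.t)


if __name__ == "__main__":
    capture = build_sample_traffic()
    print("signature alerts:", signature_alerts(capture))
    print("anomaly alerts:  ", anomaly_alerts(capture))
```

The two detectors fail in opposite ways on the same capture: the signature engine finds the single traversal attempt and says nothing about the burst, while the anomaly engine raises an alert on the benign update download (a false positive of exactly the "transitory traffic variation" kind the text warns about) and never notices the attacker, whose one packet is well inside the learned baseline. Tuning `factor` and `baseline_secs` moves the trade-off but cannot remove it, which is why the two approaches are normally combined.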
The infrastructure that allows for the above is commonly known as remote access and is made up of a set of technologies that transparently connect a remote computer to the internal corporate network. Such an infrastructure is especially useful to connect the laptop of a staff member to the organisation's network, allowing him/her to use corporate services (e-mail, file server, intranet, etc.). To prevent such access from becoming a vulnerability factor for the organisation, adequate protection technologies must absolutely be adopted. Two of the most widespread standards for remote access protection are RADIUS (Remote Authentication Dial-In User Service) and TACACS (Terminal Access Controller Access Control System). Integrated in access servers, the two technologies check the credentials of users who log in from the outside, through a user name and password pair or, in the most advanced versions, by means of strong authentication technologies (smart card, token, digital certificate, etc.).

Figure 5-3 – Remote Access Server (user authentication by means of RADIUS/TACACS between the remote user and the access server at the headquarters)

RADIUS technology is used by many ISPs for user authentication. A user establishing a connection on a dial-in line enters his/her username and password; the RADIUS server verifies that they are correct and grants the user access to the system. More recently, RADIUS is also often used within organisations as a centralised authentication system for the management of network appliances or for access via wireless devices. The TACACS protocol (today in its TACACS+ version) is very popular in UNIX networks and for the administration of network equipment. It enables remote access servers to communicate with an authentication server, where the credentials for accessing the network are verified. To prevent credential theft, both technologies protect the authentication information before sending it over the network. Note, however, that RADIUS only hides the password attribute (with an MD5-based scheme keyed on the shared secret between the access server and the RADIUS server) and sends the rest of the packet in clear, whereas TACACS+ encrypts the whole packet body.
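How RADIUS protects the credentials on the wire is specified in RFC 2865: the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the per-request Request Authenticator, and the server's reply carries a Response Authenticator computed over the reply and the secret. The following is an added example, not part of the original text and not the code of any RADIUS implementation; the shared secret, password and packet fields below are constructed, and only the password hiding and the response authentication are implemented, not the full attribute encoding.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2) and Response
Authenticator (section 3), as an added example. The shared secret, the
password and the request authenticator below are constructed."""
import hashlib
import os
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client (access server) side: pad to 16-octet blocks and XOR each block
    with an MD5 keystream chained on the previous ciphertext block."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    blocks = (len(password) + 15) // 16
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, chained on the received
    ciphertext blocks, and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Server side: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The access server recomputes it to check that the reply was produced by a
    party that knows the shared secret and answers its own request."""
    length = 20 + len(attributes)              # 20-octet header + attributes
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def demo():
    secret = b"constructed-shared-secret"
    password = b"correct horse battery staple"   # 28 octets -> two blocks
    req_auth = os.urandom(16)                    # fresh per Access-Request
    hidden = hide_password(password, secret, req_auth)
    revealed = reveal_password(hidden, secret, req_auth)
    wrong = reveal_password(hidden, b"guess", req_auth)
    # Access-Accept (code 2, same identifier as the request) with no attributes
    resp_auth = response_authenticator(2, 17, b"", req_auth, secret)
    return hidden, revealed, wrong, resp_auth


if __name__ == "__main__":
    hidden, revealed, wrong, resp_auth = demo()
    print("hidden password:       ", hidden.hex())
    print("revealed (good secret):", revealed)
    print("revealed (wrong secret):", wrong)
    print("response authenticator:", resp_auth.hex())
```

Two practical consequences follow from the construction. First, the protection of the password is only as good as the shared secret: an attacker who captures an Access-Request and the matching reply can test candidate secrets offline against the Response Authenticator, so the secret must be long and random and the RADIUS exchange should itself travel over a protected link (a dedicated management VLAN, IPsec, or an 802.1X/EAP tunnel as in paragraph 5.1.4). Second, nothing but the User-Password attribute is hidden; the user name and every other attribute are readable on the wire.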
5.1.4 Wireless Security

Wireless networks are networks where connections occur via radio links instead of wires. Basically, in a wireless network the mobile devices (typically workstations, but sometimes printers or other peripherals) communicate by radio signals, while wires connect the fixed elements (network appliances, servers). Compared to a wired network, wireless networks are potentially more vulnerable due to their intrinsically open nature: anyone within radio range can receive the traffic and attempt to connect. Thus, a set of protection mechanisms have been defined with the purpose of ensuring comparable security on wireless and wired networks. The security protocols are listed below, in increasing order of protection level:
• Wired Equivalent Privacy (WEP): this is the first standard protection mechanism for networks based on the IEEE 802.11 protocol; it defines methods both for the encryption of the data exchanged between a mobile client and an Access Point (AP) and for the authentication of mobile devices. The WEP protocol soon revealed weaknesses such as:
- the authentication protocol is not bi-directional (the AP identifies the client, but not the other way round);
- only devices are identified, not users;
- there is no key management: the keys are static and can only be managed through manual configuration operations.
To raise the security level, some APs implement a device authentication control based on the network address of the device through which the connection occurs; this technique is known as MAC Address Authentication and uses a list of addresses configured on the AP. It should be noted that a MAC address can be read off the air and set arbitrarily on the attacker's own interface, so this control keeps out casual connections but not a determined attacker.
• IEEE 802.1X: to overcome the intrinsic limits of the WEP protocol, the IEEE 802.1X standard (port-based network access control) has been adopted on wireless networks. 802.1X enables the authentication of a user on a wireless network through a central authentication system.
The Extensible Authentication Protocol (EAP), also used on point-to-point links, makes it possible to adopt different authentication schemes, negotiated between the mobile client and the authentication server (through the AP) during the connection phase. The most widespread of such schemes is EAP-TLS (EAP-Transport Layer Security), used in environments where certificates, usually stored on smart cards, are employed for remote authentication. Protected EAP (PEAP) was introduced to enhance the security of the EAP exchange: it first establishes a TLS tunnel to the authentication server and then runs the user's credential exchange inside it, so the credentials are encrypted while the user logs on to the network. It is common to associate an authentication server based on RADIUS with networks that use 802.1X and EAP. The advantage of such a solution is that it becomes possible to identify every wireless device (and user) connected to the network. Figure 5-4 illustrates a wireless network equipped with a RADIUS authentication server.

Figure 5-4 – Wireless Network equipped with a RADIUS Authentication Server.

5.1.5 Antivirus

Computer viruses, like biological ones, have evolved considerably over time, especially in terms of the damage they cause (known as the virus payload). Until recently, viruses were commonly considered software that, in the worst case, could alter the normal use of a PC. The extent of the damage ranged from the simple display of messages or more or less ironical pictures to the impossibility of using or even starting the system correctly, with the consequent need for expert assistance. At that time files were principally exchanged on floppy disks, which therefore were the main medium for propagating viruses. The global diffusion of the Internet and of the related communication technologies has made it possible for any Net user to exchange files and software, thus de facto eliminating the physical medium.
Though on the one hand this undeniably represents an advantage, on the other it has led to a huge increase in infection possibilities, both in terms of propagation speed and of the number of users affected at once. The first viruses able to fully exploit such an important innovation were soon to appear, generating new and worrying threats. Remember the damage caused by the Melissa virus, which literally brought the world's e-mail systems to their knees at an incredible speed, also thanks to the possibility of finding new victims in the address books of infected PCs. Melissa was actually just a drop in the ocean; indeed, the same process was used by viruses such as SirCam, Klez and Sobig, which introduced disquieting new methods to increase the global reach and payload destructiveness of viruses, ranging from the deletion to the unauthorised diffusion of confidential documents.

In theory, antivirus products are of several kinds (scanners, integrity checkers, immunisers, etc.). In practice, those used predominantly belong to the scanner type and are based on the software's capacity to identify particular suspicious patterns (signatures), listed in a database of known patterns, within the media that are periodically explored and monitored. Of course, the signature databases of such antivirus products must be updated periodically and promptly. The update distribution procedure is a very important, though often neglected, operational aspect of security equipment.

5.1.6 URL Filtering

Though the widespread use of the Internet in organisations does indeed represent an extraordinary opportunity for improving internal and external processes, thereby increasing individual productivity, it can also entail intrinsic risks for individual users and for organisations as a whole.
Here are some of the most common consequences of the improper use of the Internet:
• Reduction of individual productivity
• Waste of computer resources (connectivity, servers, etc.)
• Increase in the probability of being infected by malicious code
• Increase in the risk of internal/external intrusions
• Risk of being involved in legal disputes, for instance following the unscrupulous use of Internet services (pornography, copyright infringements, etc.)

A solution to the above-mentioned problems lies in the use of URL Filtering technologies. These are hardware/software solutions that make it possible to filter the Internet content requested by users, according to pre-established policies.

Figure 5-5 – Architecture of a URL Filtering Solution

Two methods are most commonly adopted among these tools:
• Black list. The address requested by the user is looked up on a list of previously entered unauthorised addresses. If the outcome is positive, access to the resource is denied.
• URL database. This is the most sophisticated technique; it consists of a periodically updated database of Web addresses that classifies Internet content into special groups. Users are either assigned to one or several groups or configured so as to be excluded from some. It is thus possible to apply restrictions to site categories, avoiding the manual census of each address.

5.1.7 Patch Management

One of the most difficult aspects of guaranteeing information security lies in the constant management of the vulnerabilities that affect most software programs. It is actually extremely unlikely for a system to be devoid of any development flaws that, to different extents, could affect organisations' security. The challenge nowadays for any security expert is to intervene rapidly to solve any new vulnerability.
The battle can be won only with the commitment of software producers, whose task is to issue security updates (patches) in the shortest time possible. Nevertheless, the greater the number of systems, the greater the effort organisations must make to manage such issues. The difficulties are such that the problem is often not even considered, thus opening a privileged channel for the violation of system security. An automated vulnerability solution makes it possible to considerably reduce the effort, by significantly increasing the timeliness of patch application. Such solutions are commonly referred to as patch management applications: they supply advanced functionalities for the analysis, collection and distribution of security updates for applications and operating systems.

Figure 5-6 – Typical Patch Management Architecture

The typical architecture of a patch management system consists of a central server, a repository of patches that are automatically downloaded from the producers of operating systems and applications, and a centralised console for the automatic management of updates throughout the corporate network. The patch management platform distributes the patches to the different systems. The use of a patch management solution improves the security of corporate services, remarkably reducing vulnerability risks and streamlining protection processes.

5.1.8 Cryptography and Public Key Infrastructure

A Public Key Infrastructure (PKI) is a system of digital certificates, certification authorities (CA) and registration authorities (RA) that uses public key cryptography to verify the legitimacy of the parties involved in an electronic transaction. PKI standards are still evolving, though they are widely implemented as a necessary element for the diffusion of electronic commerce.
Several reasons underlie the choice of an organisation to set up a public key infrastructure, even only internally:
• Advanced protection. Smart cards enable an advanced authentication level. The privacy and integrity of data transmitted on public networks is guaranteed by IP protection (IPsec), and the encryption of file systems guarantees the privacy of stored data (for instance, EFS – Encrypting File System for Windows 2000 and other Microsoft operating systems).
• Simplified administration. The organisation can issue certificates instead of passwords. If necessary, certificates can be revoked and their list can be published (CRL, Certificate Revocation List).
• Encryption function. It is possible to safely exchange files and data on public networks such as the Internet. A protected e-mail system can be implemented thanks to S/MIME (Secure Multipurpose Internet Mail Extensions), while Web connections are generally protected by SSL (Secure Sockets Layer) or TLS (Transport Layer Security).

The following are some of the elements that enable an organisation to implement a public key infrastructure:
• Certificates. A certificate is essentially a digital credential issued by an authority that guarantees the identity of the certificate owner. A certificate associates a public key with the identity of the user, computer or service that holds the corresponding private key. Certificates are used by different public key protection services and applications that ensure the authentication and integrity of data and secure communication services in the context of public networks such as the Internet. The standard certificate format is described in the X.509 v3 standard. An X.509 certificate contains information on the person or entity receiving the certificate, information on the certificate itself, as well as optional information on the issuing certification authority.
Information on the subject can include the name of the entity, the public key, the public key algorithm and an optional unique identifier of the subject. Standard extensions for version 3 certificates contain information on key identifiers, key usage, certificate policies, alternative names and attributes, the constraints of the certification process and information on certificate revocation, including the reasons for revocation.
• Certification services. A certification authority must establish and guarantee the identity of certificate holders. The certification authority also revokes certificates if they are no longer considered valid, and publishes Certificate Revocation Lists (CRL) that will be used by certificate verifiers. A PKI is made up of one main CA. However, most companies that manage a public key infrastructure resort to several certification authorities, divided into trusted groups known as certification hierarchies. One distinctive element of certification services is the CA Web registration pages. The pages are displayed when a CA is selected and allow users to send certificate requests by means of a Web browser. Furthermore, CA Web pages can be installed on servers where no certification authority has been installed. In this case, the Web pages are used to forward certificate requests to a CA to which, for some reason, applicants are to be denied direct access.
• Certificates and smart cards. Certificates can be stored on smart cards to facilitate access to a system, for authentication via the Web, the protection of e-mail messages and other security functions using public key cryptography.
• Public key policies. Group policies can be used in some systems for the automatic distribution of certificates to computers, to establish common lists of trusted certificates and trusted certification authorities, as well as to manage recovery policies for encrypted file systems (as for instance EFS – Encrypting File System).
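As an added example, not code from the document or from any product it mentions, the following Go program (standard library only) shows the elements listed above working together: a root CA issues a user certificate that binds an identity to a public key with key usage and alternative-name extensions, the CA publishes a CRL, and a relying party performs the checks described later in this chapter under Digital Certificates (signature chain to the root CA, validity period, intended usage, revocation). The CA name "Demo Internal Root CA" and the user alice@example.invalid are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for the demo; they are not taken from the document.
const caName, userName = "Demo Internal Root CA", "alice@example.invalid"

// newCA creates the self-signed root of the hierarchy: BasicConstraints CA=true plus
// a key usage allowing it to sign certificates and CRLs (Go adds the Subject Key Identifier).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueUserCert binds a new public key to the user's identity (subject name and e-mail
// alternative name) and limits the certificate to client authentication. The private key
// is dropped here; in practice it stays on the user's workstation or smart card.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: userName},
		EmailAddresses: []string{userName},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// publishCRL signs a Certificate Revocation List naming the given serial numbers.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) (*x509.RevocationList, error) {
	now := time.Now()
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// verifyClient is what the relying party does at access time: the certificate must chain to
// the trusted root, be within its validity period and allowed for client authentication; the
// CRL must itself be signed by the CA; and the serial must not be listed on it.
func verifyClient(cert, root *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}
```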
5.1.9 Single Sign-On (SSO)

The proliferation of applications, sometimes also for temporary reasons, often makes it mandatory to follow several authentication procedures. Thus, as shown below in the case of Identity Management, password management can become complicated, not only for administrators but also for users. Ease of use is one of the conditions in designing security. The more complicated the access to data and applications, the greater the risk of losing privacy and integrity. This is the case, for instance, when users who have to remember several passwords to access different applications write them down, which no longer ensures privacy. The solution of adopting a unified process for access to several applications is commonly referred to as Single Sign-On (SSO).

The technology supporting an SSO system consists of a user and credentials database, a variable number of interfaces towards applications and systems (agents) and a series of functionalities enabling the perfect synchronisation of authentication processes (password synchronisation) for each system. In very heterogeneous contexts, with very different operating systems and applications, the setup of an SSO solution can be highly complex. Furthermore, it is not always possible to adopt a single solution, thus making it advisable to customise and integrate different technologies. The combination of SSO and Identity Management (see paragraph 5.2.2 below) ensures perfect effectiveness of the user/application association, thus notably reducing the daily work of ICT staff in addressing such issues. Also, thanks to additional control and precision, the two systems consistently increase the security level, while at the same time reducing the incidence of human error.
Figure 5-7 – Single Sign-On typical architecture (username/password authentication, agents, credentials sent to the users database)

5.1.10 Strong Authentication

The identity of a remote user is generally verified using two main security functions: identification and authentication. The former is the stage at which users declare their identity to the system, while the latter enables that identity to be verified. The security of the asset accessed by a user strictly depends on authentication. Weak systems that are not able to guarantee the identity of remote users expose the target to numerous risks. The most widespread authentication system is the password: the username/password pair authenticates the system user. Nevertheless, several problems mean that the security offered by such technology is very limited. A password can be written down and stolen, lost, inferred, shared and forgotten; it is therefore unsuitable for systems requiring reasonable certainty as to the actual identity of the users requesting access. Such limits can be overcome and the security level can be increased thanks to Strong Authentication, or two-factor authentication, technology. In this case, users have two elements in addition to their ID: one to be remembered (password or PIN) and the other to be possessed (a physical device). Authentication is only successful in the presence of both elements.

Authenticated users can be local or remote. The former connect to the system through a personal or corporate workstation by means of a local network (LAN), or a network managed by the entity hosting the accessed system. Instead, a remote user is any kind of user that logs into the system via a connection from outside the corporate network (Internet, VPN, extranet, dial-up, etc.).
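As an added example, not code from the document or from any vendor's product, the following Go program models the two elements just described: a PIN the user remembers and a device-generated code that changes every 60 seconds, as described under One Time Password (OTP) further on. It assumes a time-synchronised code algorithm (TOTP, RFC 6238) as one concrete instance of the scheme; the seed, PIN and clock values are constructed. The server side shows the checks a practitioner should expect: both factors required, tolerance for one step of clock drift between device and server, and refusal of a replayed code.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// stepSeconds is the code lifetime: 60 seconds, as in the text. Codes have 6 digits.
const stepSeconds = 60

// otpCode derives the code for one time step following RFC 4226/6238 (HOTP/TOTP):
// HMAC-SHA1 over the big-endian step counter, dynamic truncation, modulo 10^6. Device
// and server compute the same value from the same seed and step, which is what lets the
// server "apply the same algorithm" to check what the token shows.
func otpCode(seed []byte, step uint64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", truncated%1000000)
}

// Device is the possessed factor: the token holds only the seed and a clock.
type Device struct {
	Seed []byte
	Now  func() time.Time
}

// Code returns the value the token displays at the moment it is read.
func (d Device) Code() string {
	return otpCode(d.Seed, uint64(d.Now().Unix()/stepSeconds))
}

// account is the server-side record for one enrolled user.
type account struct {
	salt, pinHash, seed []byte
	lastStep            uint64 // newest step already accepted; that step or an older one is a replay
}

// Server is the authentication server synchronised with the devices.
type Server struct {
	accounts map[string]*account
	now      func() time.Time
	skew     int64 // time steps of clock drift tolerated on either side
}

func NewServer(now func() time.Time, skew int64) *Server {
	return &Server{accounts: map[string]*account{}, now: now, skew: skew}
}

func hashPIN(salt []byte, pin string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pin))
	return h.Sum(nil)
}

// Enroll stores the device seed and a salted hash of the PIN (never the PIN itself).
func (s *Server) Enroll(user, pin string, seed []byte) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.accounts[user] = &account{salt: salt, pinHash: hashPIN(salt, pin), seed: seed}
	return nil
}

// Authenticate succeeds only when both factors check out: the PIN matches, and the code
// equals the value for the current step or one within ±skew steps of it, provided that
// step is newer than the last one accepted for this user (a replayed code is refused).
func (s *Server) Authenticate(user, pin, code string) bool {
	acct, ok := s.accounts[user]
	if !ok {
		return false
	}
	pinOK := subtle.ConstantTimeCompare(hashPIN(acct.salt, pin), acct.pinHash) == 1
	now := s.now().Unix() / stepSeconds
	var matched uint64 // 0 means no match; real step numbers are far above 0
	for delta := -s.skew; delta <= s.skew; delta++ {
		step := uint64(now + delta)
		if subtle.ConstantTimeCompare([]byte(otpCode(acct.seed, step)), []byte(code)) == 1 && step > acct.lastStep {
			matched = step
		}
	}
	if !pinOK || matched == 0 {
		return false
	}
	acct.lastStep = matched
	return true
}
```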
The market offers several solutions that implement Strong Authentication technology, characterised by different user ranges and security levels. Various factors must be considered before choosing the most adequate system, such as the following:
• Value of the asset requiring protection
• Required security level
• Type of user requiring authentication (local or remote)
• Technical impact on user systems and on the target infrastructure
• Type of remote access (Internet, VPN, RAS, Extranet, etc.)
• Ease of use of the system.

The type of users accessing the system is a fundamental parameter to consider carefully when choosing a strong authentication solution. Some technologies are in fact more suitable for remote users (especially mobile users), while others are more adequate for internal corporate users (desktop or server). The table below summarises the main strong authentication technologies available on the market. An overview of the different technologies able to ensure a high security level upon authentication is given below.

Method | Examples | Ownership
What you know | User/Password | Can be shared; easy to identify
What you have | Smart Card, Digital ID, Token | Can be shared; can be lost; can be stolen
What you know and what you have | Smart Card + PIN | Can be shared
Biometrics | Individual authentication | Cannot be shared; unlikely repudiation; difficult to duplicate; cannot be lost or stolen

Fig 5-8 – Authentication Techniques

Solution | VPN compatibility | Suggested utilisation range | Security level
One Time Password Hardware (OTP) | Yes | Remote user with access to Web/VPN applications | High
One Time Password Software (OTP) | Yes | Mobile remote user with corporate notebook, PDA, smartphone or palmtop | Medium-High
Digital ID | Yes | Local or remote user with Web/VPN applications access | Medium
Smart Card/Token | Yes | Local user with corporate workstation; remote user with corporate desktop/notebook | Depends on the solution chosen (see text)
Biometrics | Infrequent | Local user at corporate workstation | High

Table 5-2 – Synoptic Table of Strong Authentication Technologies. The table also rates the technical impact on workstations and on users, from none (provided use is limited to Web applications or compatible solutions) to high; these aspects are discussed for each solution below.

One Time Password (OTP)

OTP systems are based upon the generation of a dynamic password, usually every 60 seconds, associated with a PIN known by the user. The algorithm that produces the password is random, which makes it highly unlikely for the same number to be produced more than once. The user generally carries a pocket-size device equipped with password-generating software. An authentication server, synchronised with the user device, verifies the credentials by applying the same algorithm. The authentication process requires connectivity with the server. When such systems are used for access to Web applications, or in combination with a RAS, the client does not need any software, which means they are particularly suitable when it is not possible to control the configuration of the accessing PC (third-party workstations). These systems ensure high security levels, though they can be defeated by sophisticated techniques.

Figure 5-9 – OTP Devices

Digital Certificates

Digital certificates for user authentication are usually associated with VPN clients (IPsec or SSL) or with Web browsers by means of the SSL 3 protocol. A digital certificate must be issued by a private or public CA (Certification Authority) (see paragraph 5.1.8 above). During access, the signature on the certificate is checked against the certificate of the root CA that signed it, to guarantee its validity. In some cases, it is possible to check other parameters contained in the certificate.
For this reason, both certificates must be resident on the client requesting access.

Figure 5-10 – Digital Certificate

The user certificate can alternatively also be resident on a smart card (in compliance with the PKCS #11 standard) and be removed when the card is withdrawn. Security levels are high, though digital certificates must be kept carefully. The technical impact on workstations is quite high, since the certificate must be handed to the user and installed in the client (browser, or any other client requesting access) together with that of the issuing CA. In the presence of a large number of users, a Public Key Infrastructure (PKI) must be implemented and may need to be managed by qualified personnel.

Smart Card/Token

The use of Smart Cards and Tokens usually depends on the use of other technologies, such as dynamic passwords or digital certificates, which they store. Their use requires the presence of specific technical conditions, such as dedicated readers or USB peripherals, which is why they are commonly adopted for corporate workstations (desktop or notebook) whose configuration is fully controllable. They can be used in different environments, from authentication to digital signatures and data encryption. The technological impact is high and the security level depends a lot on the market solution chosen.

Figure 5-11 – Smart Card and USB Token

Biometrics

Biometrics uses biological parameters or specific behaviour for user identification. Whatever technology is selected, from fingerprint reading to face recognition or retina scanning, full collaboration is needed from the user submitted to authentication. Furthermore, in order to complete the initial registration stage (enrolment), all users must be involved at the beginning. Biometrics is generally limited to corporate workstations and is rarely suitable for remote users.
The technical impact is high due to the use of specific appliances and readers, thus making integration with remote access solutions difficult.

Figure 5-12 – Biometric Technologies

5.1.11 User Provisioning

The user management process has been made much more complicated by the constant increase in access to corporate assets by ever more heterogeneous users. In especially vast and complex environments, operations to create, delete or modify users may require a remarkable effort in terms of human and time resources. Furthermore, bearing in mind that the authentication process is fundamental to ensuring information security, often supporting all the other processes, it is essential to manage the electronic identity of users effectively and in a timely manner. Identity Management (IdM) models will be discussed further on, under paragraph 5.2.2. We will now refer to two key support functions that are part of an IdM solution: provisioning and de-provisioning.

Figure 5-13 – Provisioning Architecture for an Identity Management System (internal and external users, auditing service, remote access, operative services, directory, database, applications, mainframe)

The former deals with all aspects linked to the creation and management of user profiles, while the latter has to do with user divestment or suspension. Of course, when we refer to profiles, we mean them as associated with the different systems and applications users need to access, for which manual and punctual management would require unacceptable efforts. Nowadays, the market offers specific software platforms that automate and rationalise both processes.
5.2 ORGANISATIONAL AND PROCESS MEASURES

5.2.1 Disaster Recovery and Business Continuity

Introduction and Terminology

This chapter presents the main aspects pertaining to the network-enabled continuity of ICT services, in relation to benefits, opportunities, costs and applicability range. The definition formulated by the British Standards Institute (BSI) for the Business Continuity Management concept is the following: "Holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders[1], reputation, brand and value-creating activities". Within the context of the Business Continuity Management process, the planning and management of Disaster Recovery is the technological component of the entire process, and is the specific subject of this chapter.

[1] I.e. any natural or legal person (shareholders, but not only) related to the company, and therefore concerned with its performance, as well as with its correct and transparent management.

The Disaster Recovery Plan Stages

A Disaster Recovery plan is usually developed according to the following stages.

Stage 1 – Classification of Critical Processes

The starting point for developing a Disaster Recovery plan must be included in the early stages of the more general Business Continuity Management process.
This is the stage in which the boundary of application of the business continuity management process is defined, and the different processes contained within the boundary are classified in decreasing order of criticality. Processes are classified according to their maximum tolerable suspension time (the R TO, Recovery Time Objective, concept). The principle that it is impossible to guarantee continuity for all processes is normally considered acceptable for economic reasons. The objective is therefore to identify those processes whose operational continuity must be guaranteed.

Stage 2 – Definition of the Plan Criteria and Parameters

At this stage, starting from the study of the classified corporate processes and correlating the processes covered by the plan with the related software applications, a list is made of all the computer applications that are to be included in the Disaster Recovery plan.

Stage 3 – Definition of the Plan Requirements for Disaster Recovery

This is the stage at which the plan feasibility requirements are established in relation to the objectives and the defined intervention boundary. The criteria and structural elements of the plan are supplied; after they have been submitted for discussion and to the approval of management, it is possible to move on to the subsequent implementation stages on a solid basis, both in terms of the technical and organisational context to be considered and of the economic benefit. The following topics must be defined at this stage:
• Mode and extent of use of systems at the Disaster Recovery stage, both in terms of the use and management of processing resources and at user level.
• Alternative system and network architectures
• Sources and solutions for the identification and availability of alternative systems and networks
• Possible insurance policies
• Interfaces, exchanges and/or interconnections among the different procedure systems
• Verification of backup procedures for the applications included in the plan
• Definition of the organisational crisis management structure.

Stage 4 – Preparation of the Plan Details

This stage provides for the detailed definition of the behavioural procedures and rules that must be followed by the personnel involved, both during ordinary management and upon the declaration of a crisis and, consequently, the activation of the plan.

Stage 5 – Plan Implementation

This stage contains the final procedural draft, the organisational consolidation necessary to implement the procedures, and the purchase of the necessary software, hardware and logistic resources.

Stage 6 – Pre-operational Test

At this stage, the entire plan and the related training activity are tested prior to reaching operational level.

Stage 7 – Periodic Operational Tests and Updates

This stage concerns the periodic tests for the partial and/or total activation of the plan, as well as the definition and application of ordinary and extraordinary plan maintenance criteria.

Choosing Alternative Resources

Besides the definition of process criticalities, the most difficult aspect in the definition of a Disaster Recovery plan lies in the choice of the most suitable alternative solutions for the network and for the system as a whole. As far as the network is concerned, the most practical approach is to ask your usual provider for an alternative solution, generally able to handle less traffic compared to the usual flow.
The nodes and routes of the new solution must of course be truly independent from the original ones, so as not to be exposed to the events that could jeopardise the original network. As for the other system components (hosts, servers, workstations, etc.) and their logistics, there are different solutions whose costs generally increase as the necessary implementation time decreases. The figure below (Fig. 5-14) offers an overview of the available systems; an explanation of the most commonly used terminology follows. Cold Sites are areas containing basic equipment, though no network appliances or connections. A Warm Site is a partially equipped context: for example, connections to an external network, though without any server or workstation. Hot Sites are fully equipped areas, with an internal and external network. Mirroring is a hot site where archives are updated in near real time, with a delay of a few minutes at the most compared to the main processing site. The above shows that, in order to find optimal alternative resources, the criticalities of the processes included in the Disaster Recovery plan must be carefully analysed, also bearing in mind the extensive cost range. The definition of disaster recovery solutions should be supported by an adequate strategy, followed by feasibility studies, to identify the best solutions for cost-benefit optimisation.

Figure 5-14 – Alternative Solutions Diagram, Costs vs. Implementation Time (cost on the vertical axis, implementation speed on the horizontal axis; from cold site to warm site, hot site and mirroring)

5.2.2 Identity Management

It is often believed that the main objective of an information security management system is only to exclude unauthorised external access to information systems, thus concentrating efforts on the protection of the network boundaries and the relevant information devices.
Actually, the risk level coming from inside organisations is the same as the one from outside, though it comes through the application environment within the organisation. At the same time, there is an increased demand for new applications that extend access to a greater and more varied number of often unknown users, such as business partners, providers, agents, customers and personnel. A solution for managing information risks can be found in Identity Management (IdM) concepts, a nowadays widely-used expression defined for the first time in a white paper prepared jointly by PricewaterhouseCoopers and Gartner Group[3]. IdM is a convergence of business technologies and processes. There is no single approach, since a strategy must respond to specific requests within the technological and business context of each specific organisation. The overall objective is to supply valid access to the right people at the right time. The function categories entailed in IdM for the classification of all the technological, organisational and process elements are the following: authentication, access control, user management and directory services.

Authentication is a mechanism enabling transactions, at different security levels, with certainty as to the identity of the parties involved. Authentication mechanisms are for instance:
• Username and password
• Personal Identification Number (PIN)
• Digital certificates
• Token
• Biometrics
• Smart card.

From an organisational and process viewpoint, it is necessary to define roles and analyse risks so as to identify who is to be allowed access to what. Access control ensures that users can only access the applications or resources they are entitled to use. This infrastructure is known as Privilege Management Infrastructure (PMI).
[3] "Identity Management: The Business Context of Security." Whitepaper © 2001 PricewaterhouseCoopers LLP; interviews & case studies © 2001 Gartner, Inc.

The main features of the infrastructure are:
• Common structure for authentication and access authorisation to several applications
• A Single Sign-On platform for information access
• Role definition (role-based access control)
• Access monitoring.

User management is the expression that defines the technologies and processes used to manage a large number of users. User Provisioning is another term for this environment (see paragraph 5.1.11). The main functions of user management technologies and processes are:
• Automation of workflow processes to create participants and grant them access to all the applications needed for their work (provisioning)
• Automatic removal of users who no longer exist (de-provisioning)
• A high degree of controlled autonomy granted to users
• Delegation of access administration functions.

Directory Services make it possible to manage access to directories. A directory is a software element that stores information. Access generally occurs by means of the protocol known as Lightweight Directory Access Protocol (LDAP). Technological evolution has extended the concept to Meta Directories and Virtual Directories, which tend to avoid duplication thanks to pointers that find information without creating copies. The main features of directory services are the following:
• Centralised, flexible and secure archive for user profiles
• Scalability to several million users
• Rapid response capability to hundreds of queries per second
• Integration based on the main application standards.
The benefits entailed in the correct and complete implementation of an Identity Management solution include:
• Integration of technologies
• Lower management costs
• Productivity increase
• Process automation
• Greater overall efficiency
• Controlled autonomy granted to clients, personnel, providers and partners
• Higher corporate data protection
• Integration of compliance rules (privacy, etc.)
• Active and conscious security
• Rational and organised definition of access profiles
• Constant auditing.

5.2.3 Operational Security Management

Generalities

The effectiveness of any countermeasure has always been considered limited in time, either because of problems arising within the protection mechanisms or because of the discovery of new vulnerabilities and threats; however, such a concept has only recently become part of security definitions and objectives. Any countermeasure system must therefore be supported by the capacity to become aware of new vulnerabilities and threats. Furthermore, if incidents were unfortunately to occur notwithstanding the existence of an effective protection infrastructure, quick identification and correct management are crucial. The two aspects mentioned above are often known as Real Time Security Monitoring and Incident Handling. In this context, monitoring means incident identification, which is not to be mistaken for the monitoring of systems and networks to check correct operation. Indications of such an approach can be found in many national and international security documents of the past years, though it is only lately, with the increase in the number of attacks and security incidents, that the indispensable nature of such functions has been acknowledged. The concepts of incident management and security control and monitoring already appeared in the Italian Prime Minister's Directive dated 16/1/2002, better known as the Stanca Directive.
The Ministry of Technological Innovation and the Ministry of Communications issued the previously mentioned document “Strategy Proposals on Information and Telecommunications Security for the Administration”, published in March 2004, which addresses the concepts of incident monitoring and management and promotes the oversight of security activities through active monitoring and management of information incidents and early warning of threats. Furthermore, CNIPA is preparing the implementation plan of govcert.it, a body for the coordination and support of the Incident Response Teams that will be created within the Administration. As for international indications, the Information Security Forum adopted the previously described approach, supported by a risk management methodology known as FIRM, which from its very first pages defines security as a set of three areas: incident prevention, incident detection and response4.

4 See Appendix 2.2.

Today real-time security monitoring cannot be achieved simply by purchasing technological devices, though the market does offer a wide range of products to this end. The capability to correctly launch some key processes of the security cycle is also necessary. The components that determine the quality and effectiveness of such processes are the following:
• Time coverage: new threats spread within a few minutes, whatever the time and geographical area. Monitoring must be ensured 24 hours a day, 365 days a year, continuously and in real time. Indicatively, 6 to 10 people are necessary to cover 24 hours.
• Knowledge: the analysis of security events requires a very high level of competence that must be maintained over time. The analysis of new threats, as well as the choice of adequate procedures to manage the incident, requires very specific knowledge of the technologies used in the organisation, as well as consolidated experience in security analysis.
• Knowledge base: access to a security knowledge base is fundamental to enable incident analysis and to determine incident management procedures.
• Identification of and response to incidents: since people manage identification and response activities, it is crucial to have the support of correct management processes and technological platforms. It is advisable that the processes pertaining to the identification of and response to incidents be compliant with recognised standards such as BS 7799.
• Technology: several hardware/software platforms support the monitoring and incident response functions:
  - Log centralisation systems
  - Incident tracking systems
  - Trouble ticketing systems
  - Systems for the creation of security portals
  - Centralised systems for security control and management.

The market offers several services to support the knowledge of new threats and vulnerabilities, as well as the launching and management of the identification and response processes for the incidents described below.

Managed Security Services

Managed Security Services (MSS) include two categories of very different services:
• Security Management
• Real Time Security Monitoring

Security Management

The management services offered by a Managed Security Service Provider (MSSP) have the purpose of supplying ordinary and extraordinary management of security devices in the form of outsourced services. In particular, the security devices are managed according to the three following aspects:
- Fault management
- Configuration management
- Performance management

Fault management manages client security devices to make sure they always operate properly. This is usually, though not always, achieved through a 24-hour extended service.
Some of the typical fault management services include:
- Periodic check-ups of security devices to identify possible problems
- Notification to customers every time that, for any reason, a security device ceases to function, together with assistance and guidelines concerning appropriate measures to solve the problem
- Periodic reports to customers summarising the operational situation of their security devices over a pre-determined period of time.

Configuration management is used by the customer to outsource the configuration of his/her security devices to the MSSP. The expert responsible for configuration management usually deals with the following aspects:
- Modification and upgrading of the applications supporting security devices, and of the operating systems
- Modification of the policies and signatures applied to the security devices
- Daily, weekly or monthly reports listing all the new upgrades and modifications to the clients’ security devices.

Performance management involves the collection and presentation of statistics on the performance recorded on the clients’ security devices. The reports include the following:
- Statistics on the speed and efficiency of the client network
- Identification of internal bottlenecks penalising network performance
- Reports on overall performance, consolidating all the log data generated by the clients’ security devices.

Real Time Security Management

Security monitoring requires a high degree of competence in the security field, as well as a sophisticated architecture to support data analysis on different devices across a global organisation. In the context of the monitoring services offered by the MSSP, the word outsourcing must be taken cautiously: services offered from the outside do not replace internal control, and the security control room remains within the organisation.
External services are to be considered a useful support in identifying incidents. Real Time Security Monitoring services are made up of the following functions:
• Data collection and standardisation
• Data mining
• Automatic correlation of security-related events
• Response to events
• Event reporting

Data collection and standardisation is the process in which data from security devices (firewall logs, IDS alerts, etc.) are collected and transformed into a standard format, regardless of the nature and vendor of the device. Data standardisation is essential for efficient security monitoring, since it enables the MSSP to use a set of standard queries to analyse the security device data and to isolate traces of dangerous activity.

The data mining process consists of an automated system that constantly queries the security device data to identify any sign of dangerous activity, thus separating suspicious from legitimate network traffic. It is probably the central technological element in monitoring processes: a client has to make sure that an MSSP is able to scale its data mining capacity as the number of devices connected to the backend architecture increases. In other words, the MSSP must be capable of developing ever more sophisticated queries as new devices are added to the network. Nevertheless, increasing the number of queries does not necessarily mean improving the data mining process. In this sector, the quality and constant fine-tuning of queries are extremely important, as is the timely creation of new queries able to reveal evolving harmful activity. It is only thanks to highly sophisticated data mining that an MSSP can ensure efficient correlation between data and attacks.
Another essential component for a truly effective monitoring service is the automated correlation of security-related events, in other words the automatic grouping of specific traces of harmful activity using logical criteria such as source, nature and destination of the attack. Thanks to this process, attacks are rapidly reconstructed, and analysts can view the entire attack. Without automatic correlation, security analysts would have to reconstruct attack sequences by manually going through millions of lines of data recorded by the security appliances. Needless to say, such an operation is too expensive in terms of time and too complex at any scale, even on networks with low traffic volumes.

The response to events with security repercussions follows and depends on the security analyst’s examination of the data generated by the correlation process. According to the nature of the event, the range of actions can vary from simple client notification to immediate communication of the event to the competent police authorities. The availability of a service enabling the analysis of security events by experts over the entire time span (24x7) is decisive for the management of any security service.

Event reporting is the process adopted to notify clients about events identified on their network that have an impact on security. According to the nature of the event, reports can be transmitted immediately by voice or e-mail, by real-time notifications published on the Web portal, or by means of periodic reports.

Monitoring services are usually offered for security platforms that supply significant information on events (firewalls, host and network intrusion detection systems, etc.). To enable effective real time security monitoring, an MSSP must have all the above-mentioned features.
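The two functions described above, data standardisation and automatic correlation by source, nature and destination, as an added Python example that is not part of the report and does not represent any MSSP's platform. Both log formats, the sensor names and the IP addresses are constructed for the example; the correlation criteria (several distinct ports touched by one source, or the same source reported by more than one sensor, within a time window) are an assumption chosen to illustrate the grouping the text describes.

```python
"""Data standardisation and automatic correlation of security events.

Added example (not the report's or any MSSP's code): two constructed log
formats, a firewall deny log and an IDS alert log, are normalised into one
record layout so that the same queries work on both; events are then grouped
by source address within a time window so that an attack sequence is
reconstructed automatically instead of by reading raw lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed formats; real appliances differ and each needs its own parser.
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw1 DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(
    r"^(?P<ts>\S+) ids1 ALERT \[(?P<sig>[^\]]+)\] (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<dport>\d+)$")


def normalise(line):
    """Turn one raw line into the common record, or None if unrecognised."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "sensor": "firewall",
                "kind": "deny", "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    m = IDS_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "sensor": "ids",
                "kind": m["sig"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None  # unparsed input is dropped, never aborts the run


def query(events, **criteria):
    """A 'standard query': events whose fields equal every given criterion,
    usable on firewall and IDS records alike once they are normalised."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def correlate(events, window=timedelta(minutes=5), min_ports=3):
    """Group events by source; report a source as one incident when, within
    the window, it touched at least min_ports distinct ports (a probe) or was
    seen by more than one sensor (firewall deny plus IDS signature match)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        start = evs[0]["ts"]
        in_window = [e for e in evs if e["ts"] - start <= window]
        ports = {e["dport"] for e in in_window}
        sensors = {e["sensor"] for e in in_window}
        if len(ports) >= min_ports or len(sensors) > 1:
            incidents.append({"src": src, "first": in_window[0]["ts"],
                              "last": in_window[-1]["ts"], "events": len(in_window),
                              "ports": sorted(ports), "sensors": sorted(sensors)})
    return incidents


SAMPLE_LINES = [  # constructed sample input
    "2004-03-01T10:00:01 fw1 DENY src=198.51.100.7 dst=192.0.2.10 dport=21",
    "2004-03-01T10:00:02 fw1 DENY src=198.51.100.7 dst=192.0.2.10 dport=23",
    "2004-03-01T10:00:03 fw1 DENY src=198.51.100.7 dst=192.0.2.10 dport=135",
    "2004-03-01T10:00:09 ids1 ALERT [NETBIOS DCERPC probe] 198.51.100.7 -> 192.0.2.10:135",
    "2004-03-01T10:01:00 fw1 DENY src=203.0.113.4 dst=192.0.2.25 dport=25",
    "noise line that no parser understands",
]


def run(lines=SAMPLE_LINES):
    """Normalise, then correlate; returns (events, incidents)."""
    events = [e for e in (normalise(l) for l in lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    for incident in run()[1]:
        print(incident)
```

The single deny from 203.0.113.4 stays an isolated event, while the four records from 198.51.100.7 collapse into one incident spanning both sensors; that collapse is what lets an analyst see "the entire attack" rather than four unrelated lines.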
Protection against vulnerabilities and real-time risk identification and management for network security are impossible to achieve in the absence of even one of these services. The difference between security management and simple monitoring lies both in the availability of top-level professional know-how and in a complex technical architecture able to perform global data analysis on several platforms. This aspect was stressed in the article “Top Guns” published in the Information Security review: “Security software has made great progress in the capacity to consolidate, correlate and analyse events and data logs on several appliances such as firewalls, IDS and routers. However, according to experts at the control stations of the SOC (Security Operations Centre) of MSSPs, when analysing events with security impacts, the most reliable, though oldest, tool is intuition”5.

5 R. Thieme, A. Briney, “Top Guns”, in Information Security, August 2002.

Early Warning

The most numerous and frequent security incidents that have affected organisations worldwide derive from external threats such as viruses, worms and other forms of malicious code. Such threats are global, since they indiscriminately affect organisations anywhere in the world, and have not been devised to attack one specific organisation, even though they have lately become a means of perpetrating targeted attacks by exploiting the technical vulnerabilities and weakened defences of organisations during emergencies. In all recent well-known cases (Blaster, MyDoom, Sasser, etc.), only a few hours passed between the first attack and the moment of maximum diffusion. This fact, together with the fact that no environment is nowadays completely protected against every vulnerability, stresses the importance of adopting preventive and proactive strategies.
So-called early warning services, or preventive notification, help organisations learn in advance about emerging vulnerabilities and threats, and adopt the correct countermeasures to prevent the phenomenon before it affects the organisation. Early warning services can be divided into two categories:
• Vulnerability notification: this is the service that warns an organisation every time a new vulnerability is disclosed. However, since a considerable number of vulnerabilities are discovered every day, the most advanced services make it possible to receive notifications only for vulnerabilities concerning the technologies and products installed in the organisation. Free services also exist, in the form of mailing lists; nevertheless, they do not guarantee timely notification, nor do they allow any choice as to the kind of notification one wishes to receive.
• Threat notification: a vulnerability in itself is insufficient to represent a risk for an organisation. It is the existence of technologies and methods that exploit vulnerabilities that makes them possible vectors for attacks and violations. Threat notification services are able to rapidly identify the existence of activities that could exploit a vulnerability and to send a notification to member organisations. There are currently not many threat notification services, since they require the provider to have a large real-time analysis and intelligence network, able to immediately reveal the early signs of vulnerability exploitation. Together with the notification of new threats, early warning service providers supply a detailed description of the phenomenon, a list of vulnerable systems, possible impacts, propagation methods and actions suggested for risk mitigation or elimination.

Incident Handling

Not all security infrastructures, even the best, are able to supply absolute protection guarantees for the IT system.
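The vulnerability notification filtering described above (notifying only for products actually installed in the organisation) as an added example; it is not taken from the report or from any notification service. Advisory identifiers, product names and versions are constructed placeholders, the advisory feed is assumed to carry an affected range as a starting version plus the first fixed version, and the version comparison is deliberately a plain numeric one.

```python
"""Filtering vulnerability notifications against the installed inventory.

Added example (not from the report or any notification service): an advisory
feed lists affected products with version ranges; the organisation's
inventory lists what each host actually runs. Only advisories that touch an
installed product at an affected version become notifications, so the daily
stream of disclosures is reduced to the ones that matter here.
All identifiers and versions below are constructed placeholders.
"""


def parse_version(v):
    """'4.0.1' -> (4, 0, 1); numeric dotted versions only, enough for this example."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed, lo, hi):
    """True when lo <= installed < hi; hi is the first fixed version, or None
    when no fix has been released yet (then everything from lo up is affected)."""
    iv = parse_version(installed)
    if iv < parse_version(lo):
        return False
    return hi is None or iv < parse_version(hi)


def relevant_advisories(advisories, inventory):
    """Return (advisory_id, host, product, installed_version) for every installed
    instance that falls inside an affected range, sorted for stable output."""
    hits = []
    for adv in advisories:
        for aff in adv["affected"]:
            for host in inventory:
                ver = host["products"].get(aff["product"])
                if ver and is_affected(ver, aff["from"], aff.get("fixed")):
                    hits.append((adv["id"], host["host"], aff["product"], ver))
    return sorted(hits)


ADVISORIES = [  # constructed placeholders, not real advisories
    {"id": "ADV-EXAMPLE-001", "severity": "high",
     "affected": [{"product": "webserver", "from": "2.0", "fixed": "2.0.49"}]},
    {"id": "ADV-EXAMPLE-002", "severity": "medium",
     "affected": [{"product": "mailrelay", "from": "8.0", "fixed": "8.12.11"},
                  {"product": "ftpd", "from": "1.0"}]},  # no fixed release yet
    {"id": "ADV-EXAMPLE-003", "severity": "low",
     "affected": [{"product": "dbms", "from": "7.4", "fixed": "7.4.2"}]},
]
INVENTORY = [  # constructed
    {"host": "www1", "products": {"webserver": "2.0.48", "ftpd": "1.3"}},
    {"host": "www2", "products": {"webserver": "2.0.49"}},  # already at fixed version
    {"host": "mx1", "products": {"mailrelay": "8.12.10"}},
    {"host": "db1", "products": {"dbms": "7.3.4"}},         # below the affected range
]

if __name__ == "__main__":
    for hit in relevant_advisories(ADVISORIES, INVENTORY):
        print(hit)
```

Of the three advisories, the dbms one produces no notification at all and the webserver one reaches only the host still below the fixed version; the ftpd entry shows the open-ended case in which no fix exists and every installed instance is reported.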
Notwithstanding the huge progress achieved in recent years by security-enhancing devices, their effectiveness is still limited, and in no case absolute. Adequate structures to manage all the events (incidents, frauds, attacks, malfunctions, etc.) that threaten service and information continuity are therefore necessary. This organisational structure is usually known as a CERT (Computer Emergency Response Team), and is responsible for receiving, analysing and managing incidents pertaining to information security. Furthermore, it also has the task of coordinating and monitoring several activities that are fundamental for ensuring the most adequate security levels for an organisation. In the presence of a CERT, an organisation will be able to manage all incidents centrally. The activation of a CERT will namely enable an organisation to:
• Optimise resources, time, costs and incident management tools thanks to the centralisation and coordination of activities
• Safeguard its information assets, preserving confidentiality, integrity and availability, also in compliance with the privacy protection measures
• Limit the occurrence and probability of incidents through monitoring and prevention activity
• Constantly monitor the security status of its information system.

Since the activation of a CERT is a very complex and time-consuming activity, it is advisable to resort to a specialised company that can offer advice on the following:
• Definition of an organisational model
• Definition of the technological architecture of the security operations centre that will host the CERT
• Launch of the CERT, definition of processes and procedures
• Specialised resources for personnel training and incident management
• Support services (real-time security monitoring, early warning).

Specialised Help Desk

Specialised help desk services are very useful; whenever needed, they supply the support and expertise necessary for problem/incident solving.
The range of specialised help desk and support services is vast. Often, it is the security technology producers themselves that supply support services, though in most cases these are limited to their own platforms. Below is a list of some factors to consider when purchasing a help desk service:
• Hours covered (working hours or 24h)
• Type of support (basic or specialised)
• Required expertise
• Presence of personnel specialised in the products used by the organisation
• Ticket management modality in relation to the seriousness of the call
• Security procedures
• Service levels
• Existence of a portal (informative or interactive).

Periodic Security Assessment

The periodic assessment of the security level supplied by the information system is a good practice recommended by almost all national and international security guidelines. There are currently no consolidated assessment standards and methodologies: each provider has developed its own methodology based on commercial, open source or internally developed tools. This explains the remarkable differences among the products existing on the market, whatever their name may be. Here is a list of the most common activities:
• Vulnerability Assessment: the vulnerabilities existing in the examined systems are assessed with the help of tools, known as scanners, that search for known vulnerabilities through a system-by-system analysis. The outcome of this activity is a list of the vulnerabilities identified in the system, divided according to their level of seriousness.
• Penetration Test: the purpose of the Penetration Test, also referred to as Ethical Hacking, is to analyse the vulnerabilities of a system, trying to use them to assess how far it can be violated. This activity is performed by a group of security experts often known as the Tiger Team, which resorts to hacking techniques to reveal every vulnerable point in the system.
  Penetration Tests can be performed in the following modalities:
  - Blind: the Tiger Team receives no information on the system submitted to its analysis; it will be up to the team to find all the information necessary for performing the analysis
  - Overt: the Tiger Team receives as much information as possible on the system it is to analyse, thus enabling a very detailed analysis.
  Penetration Tests can be performed remotely, though only on servers visible from the Internet; the analysis of internal systems must instead be performed inside the organisation.
• Policy Assessment: this activity has the purpose of verifying organisation policies, checking their correct implementation on systems and applications. Special tools are normally used to read and analyse the policies configured on systems and applications. The policies found on the systems are compared with corporate policies and standard international guidelines, as well as with best practices.
• Security Assessment: has the purpose of assessing an organisation’s security plan, using different references, such as BS 7799 and the best practices produced by international bodies such as the Information Security Forum. The objective of the security assessment is to identify the areas most at risk and to supply guidelines for the application of adequate corrective actions.
• Application Assessment: assesses the security level offered by certain applications, especially Web applications. This activity is extremely useful for any organisation with critical (i.e. trans-national) Web applications that needs to assess their security level. The method is very similar to that of penetration tests, and must be performed by highly qualified personnel with thorough expertise in the field.
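The comparison of the policies found on systems with the corporate policy, as performed in a Policy Assessment, shown as an added example in Python. It is neither the report's tool nor any vendor's: the setting names, the thresholds in the corporate policy and the values "collected" from each system are constructed, and the collection step itself (reading the settings off real systems) is assumed to have already happened.

```python
"""Policy assessment: comparing settings found on systems with corporate policy.

Added example (not the report's or any vendor's tool): the corporate policy is
a list of rules over named settings, each with a comparison and a severity;
the settings collected from each system are checked against the rules and
the deviations are listed by severity, with missing settings reported too
(a setting that cannot be read is a finding, not a pass). All constructed.
"""
import operator

OPS = {
    "==": operator.eq,
    ">=": operator.ge,
    "<=": operator.le,
    # A lockout threshold of 0 usually means "never lock", so an upper bound
    # alone would pass it; a range catches that edge case.
    "between": lambda value, bounds: bounds[0] <= value <= bounds[1],
}

# Constructed corporate policy: (setting, operator, required value, severity)
CORPORATE_POLICY = [
    ("password_min_length", ">=", 8, "high"),
    ("password_max_age_days", "<=", 90, "medium"),
    ("account_lockout_threshold", "between", (1, 5), "high"),
    ("remote_root_login", "==", False, "high"),
    ("audit_logging", "==", True, "medium"),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def assess(system_settings, policy=CORPORATE_POLICY):
    """Deviations for one system as (severity, setting, found, required),
    most severe first; a missing setting is reported with found=None."""
    deviations = []
    for setting, op, required, severity in policy:
        requirement = f"{op} {required}"
        if setting not in system_settings:
            deviations.append((severity, setting, None, requirement))
            continue
        found = system_settings[setting]
        if not OPS[op](found, required):
            deviations.append((severity, setting, found, requirement))
    return sorted(deviations, key=lambda d: (SEVERITY_ORDER[d[0]], d[1]))


def assess_all(collected, policy=CORPORATE_POLICY):
    """collected: host -> settings dict. Returns host -> deviations; compliant
    hosts are omitted so the report lists only what needs corrective action."""
    report = {}
    for host, settings in collected.items():
        deviations = assess(settings, policy)
        if deviations:
            report[host] = deviations
    return report


COLLECTED = {  # constructed, as a collection tool would read them off the systems
    "srv-a": {"password_min_length": 6, "password_max_age_days": 365,
              "account_lockout_threshold": 5, "remote_root_login": True,
              "audit_logging": True},
    "srv-b": {"password_min_length": 12, "password_max_age_days": 60,
              "account_lockout_threshold": 3, "remote_root_login": False,
              "audit_logging": True},
    "srv-c": {"password_min_length": 8, "password_max_age_days": 90,
              "account_lockout_threshold": 0, "remote_root_login": False},
}

if __name__ == "__main__":
    for host, deviations in assess_all(COLLECTED).items():
        print(host)
        for severity, setting, found, required in deviations:
            print(f"  [{severity}] {setting}: found {found!r}, required {required}")
```

srv-b passes every rule and does not appear in the report; srv-c illustrates the two cases an assessment tool must not silently pass over, a value that satisfies a naive upper bound but disables the control, and a setting that could not be collected at all.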
Since such assessment services have no standard models, it is important to consider the following aspects when weighing the different market offers:
• Final results: outcome and presentation of the final results (documents, discussion meetings, etc.)
• Know-how: service quality depends a great deal on the know-how and expertise of the consultants performing the assessment.
• Methodology: since most companies offering assessment services have developed their own methodology, it is important to understand its underlying principles
• Best practice: when evaluating management processes and modalities, it is necessary to identify in advance the indications, guidelines, internal policies or best practices to be used as reference
• Security: security assessment services require that the provider be allowed access to confidential information of the organisation. It is important to check with the provider what procedures and security tools are adopted to ensure the protection of any such information.
• Tools: sometimes tools are used for assessment activities. Ask the provider to explain what tools will be used, and their invasiveness and impact on the infrastructure of the organisation. Furthermore, find out whether the tools can be installed permanently within the infrastructure to facilitate future assessments.

6 – Security Governance in the Public Administration and Private Companies

6.1 SECURITY GOVERNANCE AS A FACTOR OF SOCIAL GUARANTEE FOR THE USE OF NETWORKS

For some years now, the word governance has been used to define any activity aimed at ensuring the correct management of a specific process, or even of the entire corporate process, not only to guarantee corporate efficiency and compliance with the law, but also to protect shareholders and, more generally, stakeholders. The term also has a strong ethical implication, in addition to calling for creativity and common sense.
The requirement of codifying governance probably meets two necessities:
• The need for a formal and shared framework to address the current complexities rooted in business processes
• The need for a rigorous conceptual model making the implementation criteria of the governance process transparent, even for stakeholders1 that are not directly involved in corporate management.

1 See note 1, chapter 5.

Of course, in an abstract descending order, security governance derives from the governance of ICT systems, which in turn is part of the more extensive scope of corporate governance. One of the first initiatives that introduced and developed such concepts was the COSO project, which recently supported and produced a document entitled “Enterprise Risk Management – Integrated Framework”, in collaboration with PricewaterhouseCoopers. The document defines and illustrates the elements that together make up a corporate governance structure, with special emphasis on risk analysis. At the beginning of the nineties, the COSO2 Committee had issued a first document on the same theme, entitled “Internal Control – Integrated Framework”. In recent years, the USA and Europe – and Italy as well – suffered sensational cases of bad and fraudulent business administration, justifying specific law-making initiatives, in addition to private initiatives such as the one mentioned above: the 2002 “Sarbanes-Oxley Act” in the USA, the “Legge Draghi” in Italy (Law by decree 58/1998), and the more recent piece of legislation on the reform of corporate law, in force since January 1st 2004. In some specific sectors, corporate governance objectives have been emphasised by the code of self-discipline drafted by the Committee of Public Companies listed on the Italian stock market (known as the “Preda Code”, amended in 2002); within the banking sector, the “Basel II” protocol has a European scope.
It is now interesting and constructive to analyse the concrete and tangible components underlying the security governance concept, also from a feasibility viewpoint. We now suggest a list, according to a scheme offering a general overview of security governance3:
• Strategic security control
  - Security promotion within an organisation – corporate management must be involved directly in supporting the implementation of a security management system; the commitment must be clear and visible from within and outside the organisation
  - Security strategy – an overall strategic view to support the individual activities pertaining to the implementation, maintenance and upgrading of the security management system
  - ROI/Performance indicators – an indicator system enabling corporate management to assess the success of the activities undertaken and of the system installed.
• Security plan
  - Definition of a management plan for the different activities within the context of a programme of synergic initiatives
  - Evaluation of resource and expertise availability.
• Security guidelines
  - Directives, ranging from those issued by the management to operational ones, guidelines and procedures for security implementation.
• Security management
  - User and infrastructure management – processes and procedures to ensure operational management and security administration
  - Security monitoring – incident monitoring and management to ensure the maintenance of security
  - Privacy – protection of information privacy.
• Coordination with business functions
  - Participation of final users – involvement of final users in the assessment of business aspects
  - User awareness – awareness level of final users concerning existing responsibilities and the guarantees offered by the different systems.
• Security of the information assets
  - Application security
  - Database and repository security
  - Server, workstation, desktop, etc. security
  - Internal/external network security
  - Antivirus
  - System development.
• Technology protection and continuity
  - Physical security and environmental protection
  - Disaster recovery – procedures and plans for availability and system recovery.

2 COSO – Committee of Sponsoring Organisations of the Treadway Commission – is a committee set up in 1985 and still active thanks to the initiative of the five main US professional financial organisations, to support the production of documents and methodologies ensuring ethicality, correctness and transparency in corporate administrative management.
3 The “capability model” © by KPMG for security governance.

Good security governance depends on the presence of all the previously mentioned components: a weakness in just one of the above-mentioned areas can entail the poor efficiency of the other components (for example, the lack of strategic guidance can cause incoherence between guidelines and/or management procedures, and thus an incorrect system configuration). In other words, there is a kind of hierarchical interrelation of cause and effect between each level of the proposed model and the following one. It is also important to stress that the above-mentioned components are only partially technological: good security governance is a management problem that can be solved thanks to a synergic approach of people, processes and technologies.

6.2 IMPLEMENTATION OF SECURITY GOVERNANCE IN ORGANISATIONS

The degree of formalisation and extension of each of the above-mentioned components can of course vary from one situation to another. The so-called maturity model4 can be applied to each situation, in other words a conceptual model largely used in the more general context of the assessment of governance systems. The model makes it possible to assess the degree of maturity of a given process, according to the following scale from 0 to 5:
• Non-existent activity – 0
• Occasional and non-replicable activity – 1
• Regular activity with constant modalities – 2
• Documented activity following a procedure widespread within the organisation, though only sometimes carried out in compliance with that procedure – 3
• Documented activity following a procedure that entails the definition of indicators enabling efficiency monitoring and performance assessment – 4
• Automatically performed and monitored activity, in compliance with the highest standards available on the market – 5

4 The content of this paragraph is explained in depth in the IT Governance Institute publication “CobiT® Management Guidelines”.

The use of such a model, as well as the practical application of security governance concepts, must be based on criteria that could be defined as common sense, finding a balance between the desired degree of maturity and the level of risk or complexity that the organisation wishes to assume. In other words, simple organisations that are not exposed to high risk levels may be advised to opt for quite a low level of maturity (for example, in the above-mentioned scale, level 2 or even 1 for some processes); complex organisations exposed to high risk levels should instead have a maturity level of 4 or 5 on the indicated scale.

Another useful guide for implementing security governance can be found in the often-mentioned BS 7799. This standard has the purpose of supporting the requirement of information protection (information processed with electronic tools, but also kept on non-electronic supports, such as written paper documents) within a given organisation, including its interrelations with the outside. The requirement can be met by implementing what is referred to as an Information Security Management System (ISMS).
An ISMS is made up of the following:
• A security policy, supplying corporate directives on information security
• An organisation enabling correct information security management within the organisation itself
• Asset classification and control, ensuring the identification of corporate assets – whereby assets also include information – and the definition and application of protection measures suited to their value
• Personnel security, to reduce the risks of errors, thefts, frauds, etc.
• Physical and environmental security, to prevent unauthorised access, damage and incidents
• Operational and communications management, ensuring the correct and secure operational management of processes and appliances
• Information access control
• Application development and maintenance, to make sure security is incorporated in the information systems
• Operational continuity management, ensuring a timely reaction to operational interruptions and the protection of critical activities from disasters and relevant incidents
• Compliance with the law, ensuring compliance with pertinent laws and regulations.

6.3 NETWORK SECURITY, A NATIONAL AND EUROPEAN ASSET TO BE PROMOTED

IT security has increasingly taken on the meaning of corporate and individual security of knowledge, which must necessarily be guaranteed in a knowledge economy, in line with the recommendations of the European Commission and the commitments taken on by the E.U. at the Lisbon conference. The security of knowledge concept focuses on persons (individuals or legal entities) and on how they protect information that is crucial for competitiveness, or preserve the right to privacy. In preparing this document, the authors made a useful comparison of experiences and observations within the international and European scenarios, assessing the best practices in use, and re-examining how companies today can address the issue of network and information protection.
The overall impression is that progress has been made in recent years, with greater sensitivity towards the problem, though all in all there is still a long way to go. In this context, the creation of ENISA appears to be a great opportunity, also for Italy, to define and implement shared policies within the European Union and to develop security sensitivity and awareness in society. Nevertheless, to prevent ENISA from appearing as a structure far removed from everyday problems and life, the creation of the agency must go hand in hand with the commitment of all stakeholders. It would certainly be very useful to this end to continue the work undertaken in this document, recording the indications supplied by ENISA and promoting them at national level, and vice versa, submitting specific national requirements to the agency. Institutions, security experts, users and companies can draw great benefit from finding a common place of exchange to share experiences and requirements, and to propose information and training initiatives and recommendations.

The need for security is on an upward trend, opening the way to new entities aimed at meeting this demand. However, the requirement must be met with efficient responses, expertise and know-how, so that security investments do not turn into placebo drugs whose only effect is to reassure investors while risk exposure remains unchanged. In statistical surveys, the problem of security, which always ranks first in the attention of citizens, is seen as a common requirement of society. Public, road and financial security are the most widely debated issues and the most needed. Knowledge security is gaining ground in public attention, though not yet enough, but more so than a few years ago, namely thanks to recent norms such as the Consolidation Act on privacy and the Basel II protocol concerning bank credit.
The authors of this document, together with the Ministry of Communications and the Ministry for Innovation, wish it to be a first concrete step towards an ongoing commitment to the establishment of a security culture, thanks to an active and dialectic connection with the institutions and to acting as a transmission belt towards civil society, the corporate world and citizens. A commitment intended in the sense expressed by de Tocqueville of self-interest rightly understood: the interest of individual citizens coinciding with the common interest of society, when pursued correctly. An important part of such a commitment lies in the willingness to offer the Country shared interpretations of the recommendations of ENISA and of the many international bodies and associations dealing with security, to pursue common policies for the diffusion of a security culture, to adopt approaches and methodologies suited to the specific requirements of the Italian productive system (bearing in mind the specificity of the Italian legal system and culture), and to supply the outcome of such activity also to lawmakers. All the institutions, professionals, users and corporate associations must be involved in pursuing a project that was launched thanks to the sensitivity of institutions, aimed at creating a new, concrete knowledge security tool.

APPENDIX 1
Normative, Regulatory and Best Practice References

A – Documents issued by OECD and the United Nations

Guidelines "Security of Systems and Information Networks: Towards a Security Culture" – July 2002. www.innovazione.gov.it

Guidelines "Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders" – June 2003. www.innovazione.gov.it

UN Resolution A/RES/58/199 dated 23.12.2003, "Creation of a Global Culture of Cyber-Security and the Protection of Critical Information Infrastructures". www.apectel29.gov.hk/download/estg-13.pdf

B – E.U. Directives and other Documents

Directive 1999/93/EC of the European Parliament and the Council dated December 13 1999, concerning a community framework for electronic signatures. www.innovazione.gov.it

"Resolution on Network and Information Security" (December 11 2001). www.innovazione.gov.it

Communication of the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, "Network Security and Information Security: proposal for a European strategic approach" (June 2001). www.innovazione.gov.it

Directive 2002/19/EC – "Access to, and interconnection of, electronic communications networks and associated facilities" (Access Directive).
Directive 2002/20/EC – "Authorisation of electronic communications networks and services" (Authorisation Directive).
Directive 2002/21/EC – "Common regulatory framework for electronic communications networks and services" (Framework Directive).
Directive 2002/22/EC – "Universal service and users' rights relating to electronic communications networks and services" (Universal Service Directive).
Directive 2002/58/EC – "Processing of personal data and the protection of privacy in the electronic communications sector" (Directive on Privacy…). www.innovazione.gov.it

C – Italian Laws and Correlated Normative

Law n°547 dated December 23 1993: "Amendments and integrations to the penal code regulations and the penal procedure code on computer crime".

Law n°59 dated March 15 1997: "Delegation to the government for the conferral of functions and tasks to the regions and local authorities, for the reform of the Public Administration and administrative simplification". Art. 15 of the law instituted the RUPA. www.parlamento.it/parlam/leggi

Law by decree dated May 13 1998, n°171, amended by Law by decree n°467 dated December 28 2001 (Official Gazette June 3rd 1998, n°127): "Disposition on the protection of privacy in the telecommunications sector, implementing directive 97/66/EC of the European Parliament and Council and on journalistic activity". www.interlex.it

Prime Minister's Decree, February 8 1999 (Official Gazette n°87 dated April 15 1999): "Technical rules for the creation, transmission, conservation, duplication, reproduction and validation, even temporarily, of computer documents, in compliance with art. 3, paragraph 1, of the Presidential Decree n°513 dated November 10 1997". www.innovazione.gov.it

"Consolidation Act on the provisions of the law and regulations on administrative documentation", Presidential Decree n°445/2000, December 28 2000: Heading II, Section I, Articles 6–7; Section II, Articles 8–10; Section III, Articles 14–17; Section IV, Article 20; Section V, Articles 22–29; Heading III, Article 38; Section III, Article 43, paragraph 6. www.innovazione.gov.it

"Technical Rules for IT documents in the Public Administration", Resolution n°51/2000 dated November 23 2000. Defines the technical rules for the creation and conservation of IT documents in public administrations, in compliance with art. 18, paragraph 3, of the Presidential Decree n°513, November 10 1997. The Authority for IT in the public administration periodically adapts these rules to institutional, organisational, scientific and technological requirements. www.innovazione.gov.it

Prime Minister's Decree, April 11 2002 – "National scheme for IT security assessment and certification, to protect classified information on national and foreign State security". www.innovazione.gov.it

Law Decree n°10, dated February 15 2002 – "Acknowledgement of the Directive 1999/93/EC on electronic signatures". www.innovazione.gov.it

Presidential Decree, April 7 2003 – "Regulation bearing coordination measures on electronic signatures in compliance with article 13 of law by decree n°10, January 23 2002". Amends the "Consolidation Act of legislative measures and regulations on administrative documentation", Presidential Decree 445/2000 (Text A). www.innovazione.gov.it

Law Decree n°68, April 9 2003 – "Implementation of Directive 2001/29/EC on the standardisation of some aspects of copyright and IT-connected rights". The new regulations, among other things, extend sanctions to offences previously not provided for, such as the circumvention of technological measures for data protection and on-line transmission. www.innovazione.gov.it

"Rules for the correct e-mailing of publicity" – General measure of the Authority for the Protection of Personal Data dated May 29 2003. www.innovazione.gov.it

Law Decree n°196 dated June 30 2003 – "Code on the Personal Data Protection". Published in the Official Gazette dated July 29 2003, General Series n°174, ordinary supplement n°123/L. www.innovazione.gov.it

Prime Minister's Decree dated October 30 2003 – "Definition of a national Scheme for the assessment and certification of the security of IT systems and products". www.innovazione.gov.it

Prime Minister's Decree, January 13 2004 – "Technical Rules on the creation, transmission, conservation, duplication, reproduction and validation, even temporarily, of IT documents". www.innovazione.gov.it

Interdepartmental Decree, February 17 2005 – "Provisional guidelines for the application of the national scheme for the ICT security assessment and certification". www.innovazione.gov.it

Law Decree n°42, February 28 2005 – "Institution of the public system of connectivity and the international network of the public administration, in compliance with article 10, law n°229, dated July 29 2003". www.innovation.gov.it

D – Ministerial Documents and AIPA/CNIPA

AIPA/CR/27 Circular, February 16 2001, "Use of the digital signature in the Public Administrations". In the light of the prescriptive measures on the issue, the AIPA/CR/27 Circular offers a synthesis and guidelines on the operational indications and scope of use of the digital signature in the Public Administrations, in compliance with Art. 17 of Presidential Decree n°513 dated November 10 1997. www.innovazione.gov.it

"Guidelines on PA digitalisation for 2002". Directive of the Minister for Innovation and Technology, December 21 2001. www.innovazione.gov.it

Directive dated January 16 2002 of the Prime Minister – Department for Innovation and Technology, "Information and Telecommunications Security in State Public Administrations". www.innovazione.gov.it
Appendix 1 – Security Level Self-Assessment. The questionnaire has the purpose of guiding the Administration in the self-assessment of its internal security level, in relation to the minimum recommended basis.
Appendix 2 – Minimum Security Basis. Indications to help the Ministries identify the protection measures that must be set up and managed in absolute priority, to support Administrations both in meeting the reference normative requirements (e.g. Legislative Decrees 675 and 318) and in preventing any potential threat.

"Proposals on IT security for the Public Administration" (March 2004). Book drafted by the National Technical Committee on IT security in the Public Administrations. www.innovazione.gov.it

"Guidelines for the use of digital signatures". Document drafted by the CNIPA (May 2004) to guide users and companies on the use of the digital signature. www.innovazione.gov.it

APPENDIX 2
Examples of Risk Analysis Methodologies and Approaches

This appendix contains a summary of some of the risk analysis methodologies used in the ICT sector, offering an overview of the practical application of the different principles indicated in chapter 4. The methodologies and the relative software applications presented in this appendix are only some of the methodologies and products in use; their presence here does not mean there are no other solutions, nor is it our intention to offer any indication or recommendation. The contributions have been supplied by the people and companies indicated in the sections below.

Appendix 2.1 – Defender Manager
Information supplied by Giuseppe Carducci Artenisio from Securteam srl – Elsag (Finmeccanica group)

Definition
Defender Manager® is an appliance created by Securteam (Finmeccanica group) which implements a risk analysis model supporting decision-making in the field of security, in other words a computer system for information security management, supplying assistance at the following stages:
• Description of the intervention range and scope of interest
• Information ranking
• Threat identification and risk analysis
• Choice of protection measures proportionate to the outcome of risk analysis
• Verification of the capability to meet the requirements of corporate security policy in the long term
• Definition of the protection measures that are to be implemented
• Documentation of implemented protection measures.
Defender Manager® is part of the cyclic security management process, recording and documenting every intervention, updating existing risk levels and, generally speaking, giving management and stakeholders visibility of the progress achieved in terms of protection.

To whom is it addressed?
Defender Manager® is suitable for medium/large companies, including complex contexts such as large industrial groups made up of several companies. It can be implemented in different areas/scenarios, belonging to one or several companies, and can also manage several protection interventions, according to different strategies and in compliance with the different criteria chosen by each company. The security management process involves several figures within an organisation, at various levels and with different responsibilities (security expert, auditor, data owners, process owners, application and infrastructure managers, etc.). It is therefore transversal to corporate processes and functions. To encourage the participation of all those involved in the security management process, Defender Manager® has been developed on a web architecture: a detailed authorisation control system enables access to the functions of interest by simply using a browser.

Basic principles
The basic principles underlying Defender Manager® can be summarised as follows:
• Data is the central element in the risk analysis process
• Privacy, integrity and availability are the security parameters used for risk assessment
• Risk is the combination of the probability of a harmful event occurring and the seriousness of its consequences
• The measures defined for achieving the security objectives are proportionate to the risk levels of the three security parameters.
Structure of the Information Database
The information database of Defender Manager® is structured into three areas, containing the intervention boundary models, the risk processing Policy and the security documentation.

"Intervention Boundary Model" Database
For each parameter, a security analysis model is defined within Defender Manager®.

"Risk Processing Policy" Database
Defender Manager® has a database containing threats to information security, the related attacks and the security measures considered suitable for countering those threats and attacks. The basic database version, which can be customised, is supplied with a risk processing Policy compliant with the ISO/IEC 17799 standard, for the risk analysis and assessment required by the BS 7799 certification of the Information Security Management System (ISMS).

"Security Documentation" Database
Defender Manager® provides a public documentation area with general information supporting the security management process (legal and corporate provisions, reference standards and technical norms, guidelines, procedures, operational instructions, etc.).

Risk Analysis and Processing
The risk level of each component is assessed in relation to the pertinent threats. The assessment is made according to the threat exposure level (the frequency of attacks, even unsuccessful ones, performed to realise the threat) and the asset value (the criticality level of the information in terms of privacy, integrity and availability). Depending on the risk levels, countermeasures are selected from the risk processing policy at a level considered suitable for risk mitigation. The process is performed for all components and leads to the definition of an optimal protection profile, in other words the set of protection measures needed for adequate risk mitigation. The residual risk, i.e. the distance from the optimal protection profile, is calculated by comparing the protection measures in place with those defined in the optimal protection profile (gap analysis). The gap analysis leads to the production of a plan indicating, with priorities, which interventions are necessary to bridge the gap and approach the optimal protection profile.

The use of Defender Manager® within the context of structured security management makes it possible to:
• Highlight the compliance of implemented or planned protection measures with the established security objectives
• Assess the suitability of implemented or planned measures in relation to the identified risks
• Assess implemented or planned measures in the light of security best practices
• Indicate which measures must be implemented and/or enhanced, and according to which priorities (intervention plans)
• Ensure the necessary transparency by documenting the rationale underlying the choices made
• Ensure constant monitoring of process efficiency
• Facilitate the formulation of several indicative and operational reports, and automatically supply the documentation foreseen by BS 7799-2:2002, among which the Risk Assessment Report, Risk Treatment Plan and Statement of Applicability.
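The risk analysis and processing cycle described above (intrinsic risk from exposure and asset value per security parameter, an optimal protection profile drawn from the risk processing policy, residual risk by gap analysis, and a prioritised intervention plan) can be followed step by step in the added example below. It is illustrative code written for this appendix, not Securteam's or the product's own: the 1..4 scales, the rule combining exposure with asset value, the mitigation credited to each measure, the policy and the sample "file server" component are all constructed assumptions.

```python
"""Worked example in the style of the Defender Manager(R) process described above:
intrinsic risk per component and security parameter (from threat exposure and asset
value), an optimal protection profile drawn from a risk treatment policy, residual risk
by gap analysis, and a prioritised intervention plan. Scales, the lookup rule, the
policy and the sample component are constructed assumptions, not the product's data."""
from dataclasses import dataclass, field
from math import ceil

PARAMETERS = ("privacy", "integrity", "availability")  # the three security parameters


@dataclass(frozen=True)
class Measure:
    name: str
    from_level: int  # enters the optimal profile at this intrinsic risk level or above
    mitigation: int  # risk levels removed once implemented (assumed effectiveness)


# Constructed risk treatment policy: threat -> parameters it affects and candidate measures.
POLICY = {
    "malware": {
        "parameters": ("integrity", "availability"),
        "measures": (Measure("antivirus", 1, 1),
                     Measure("patch management", 2, 1),
                     Measure("application whitelisting", 3, 2)),
    },
    "eavesdropping": {
        "parameters": ("privacy",),
        "measures": (Measure("link encryption", 2, 2),
                     Measure("network segmentation", 3, 1)),
    },
}


@dataclass
class Component:
    name: str
    asset_value: dict  # parameter -> criticality class 1..4
    exposure: dict     # threat -> exposure level 1..4 (frequency of attempted attacks)
    implemented: set = field(default_factory=set)


def intrinsic_risk(exposure: int, asset_value: int) -> int:
    """Combine exposure and asset value into an intrinsic risk level 1..4 (assumed rule)."""
    if not (1 <= exposure <= 4 and 1 <= asset_value <= 4):
        raise ValueError("exposure and asset value are on the 1..4 scale")
    return ceil(exposure * asset_value / 4)


def optimal_profile(comp: Component) -> set:
    """Measures the policy calls for, given the component's worst intrinsic risk per threat."""
    profile = set()
    for threat, level in comp.exposure.items():
        rule = POLICY[threat]
        worst = max(intrinsic_risk(level, comp.asset_value[p]) for p in rule["parameters"])
        profile |= {m.name for m in rule["measures"] if worst >= m.from_level}
    return profile


def residual_risk(comp: Component) -> dict:
    """Residual risk per parameter: intrinsic risk minus the credit of profile measures in place."""
    profile = optimal_profile(comp)
    residual = {p: 0 for p in PARAMETERS}
    for threat, level in comp.exposure.items():
        rule = POLICY[threat]
        credit = sum(m.mitigation for m in rule["measures"]
                     if m.name in profile and m.name in comp.implemented)
        for p in rule["parameters"]:
            left = max(0, intrinsic_risk(level, comp.asset_value[p]) - credit)
            residual[p] = max(residual[p], left)
    return residual


def intervention_plan(comp: Component) -> list:
    """Gap analysis: profile measures not yet implemented, strongest mitigation first."""
    mitigation = {m.name: m.mitigation for rule in POLICY.values() for m in rule["measures"]}
    gap = optimal_profile(comp) - comp.implemented
    return sorted(gap, key=lambda n: (-mitigation[n], n))


def residual_with_full_profile(comp: Component) -> dict:
    """Residual risk once every measure of the optimal profile is implemented."""
    hardened = Component(comp.name, comp.asset_value, comp.exposure,
                         comp.implemented | optimal_profile(comp))
    return residual_risk(hardened)


# Constructed sample component (not from any real assessment).
FILE_SERVER = Component(
    "file server",
    asset_value={"privacy": 3, "integrity": 4, "availability": 2},
    exposure={"malware": 3, "eavesdropping": 2},
    implemented={"antivirus"},
)

if __name__ == "__main__":
    print("optimal profile:", sorted(optimal_profile(FILE_SERVER)))
    print("residual risk:", residual_risk(FILE_SERVER))
    print("intervention plan:", intervention_plan(FILE_SERVER))
    print("after full profile:", residual_with_full_profile(FILE_SERVER))
```

With the sample data the file server's optimal profile contains four measures, of which only the antivirus is in place; the residual risk therefore stays at level 2 for privacy and integrity, and the plan puts application whitelisting and link encryption (the measures that remove most risk) ahead of patch management. Implementing the whole profile brings every parameter to zero residual risk, which is what "approaching the optimal protection profile" means in the text.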
[Figure: Defender Manager® risk analysis and processing flow. Inputs: intervention boundary (systems, components), level of exposure, asset value (information criticality class), implemented or planned measures. Models: Intervention Boundary Model, Risk Treatment Policy. Steps: vulnerability calculation, intrinsic risk level calculation, protection measures calculation (optimal protection measures), residual risk level calculation (residual risk levels), intervention plan.]

Appendix 2.2 – Information Security Forum Methodologies and Analysis of Risks Specific to Information Networks
Information supplied by Sebastiano d'Amore, from PricewaterhouseCoopers Advisory

The Information Security Forum (ISF) is an international, independent and non-profit organisation working exclusively in the field of Information Security. It is supported by over 250 of the largest companies and organisations worldwide, and performs the following main activities:
• Publishes and updates the "Standard of Good Practice" (SoGP, version 4.0, 2003), created on the basis of the experiences shared by its members and of the principal international standards (BS 7799)
• Regularly organises an Information Security Survey to supply benchmarks for members and update the overview of the state of the art
• Develops projects, studies, guidelines and publications on issues such as Corporate Governance, Internet & Network Security, Communication Security, Technical Architectures, Cryptography, etc.

In the field of risk analysis, the ISF has three methodologies with the following features:
• SPRINT: high-level static method
• SARA: more in-depth static method
• FIRM: complete dynamic risk management system, with a risk measurement system based on scorecards.

SPRINT
The system was developed with the intent of meeting a growing demand for simplification in risk analysis activity, so that business managers can also become an active part of the process. In fact, the methodology is business-oriented and can be used even by people with limited specific experience. It is fast to apply and produces short reports that pinpoint key risks and action plans to scale them down to acceptable levels. In more detail, SPRINT is organised in the following three macro-phases:

1 – Business Impact Assessment (BIA) & Overall Classification: enables the calculation of the consequences for the business of the loss of privacy, integrity and availability of process-related information, using a qualitative scale of values for business impact rating. Depending on the outcome of the specific questionnaires (BIA forms on privacy, integrity and availability respectively), the analysed systems and applications are classified on a scale representing different criticality levels (regular, important though not critical, critical). For a regular, in other words non-critical, system (lowest risk level), the SPRINT process ends here; it is then sufficient to verify the actual presence of the basic controls necessary to maintain an optimal protection level for the system. For a system considered important though not critical (average risk level), the remaining stages of the SPRINT methodology are followed. For a critical system (high risk level), the approach provided by SARA (described below), a methodology complementary to SPRINT, is used; its approach is more analytical and therefore requires specialised personnel.

2 – Threats, Vulnerabilities and Control Assessment: the relative questionnaire makes it possible to:
• Estimate and correlate threats and vulnerabilities against the security parameters (privacy, integrity and availability), according to a vulnerability rating scale
• Calculate risk exposure levels
• Identify the controls (security requisites) necessary for opposing the calculated risks.
3 – Action Plan: enables an intervention plan to be defined for the implementation of the controls identified at the previous stage.

SARA
This methodology is associated with SPRINT and targeted at highly critical systems. In short, it uses the results obtained in SPRINT at the Business Impact Assessment stage to perform the Risk Assessment of critical systems, identifying in greater detail the precise nature of the risk, with a more accurate calculation of the level on which the countermeasures (security controls) are determined.

FIRM (Fundamental of Information Risk Management)
This complete risk analysis and management methodology makes it possible to continuously and dynamically monitor and manage the efficiency of the security management system within complex organisations:
• It supplies a methodology for continuous risk assessment and monitoring, enabling all corporate personnel involved in the security management process to have a clear view of the corporate risk scenario
• It is made up of a series of actions that must be implemented to bring the risk within a level acceptable to management
• It uses both qualitative and quantitative risk calculation metrics, based on a scorecard concept, that offer a general overview at different levels of detail
• It supplies a method for recording incidents, ensuring dynamic risk assessment measures, as well as other dynamic and induced updating measures
• It can be reconciled with standard operational activities (implementation of new systems, maintenance of existing systems, operations).

The basic concept of the methodology is supported by the Information Resource, which highlights the correlation among data, information, applications and information systems (architectures, platforms and devices). The main activity of FIRM is to inventory and rank the information resources that establish the protection context.
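Going back to the SPRINT macro-phases described earlier in this section, the added example below runs the whole flow for three sample systems: the BIA ratings per security parameter give the overall classification, a regular system stops at the basic controls, a critical one is handed over to SARA, and an important-but-not-critical one continues through the threat/vulnerability/control assessment into the action plan. This is illustrative code written for this appendix, not the ISF's questionnaires or tooling: the impact scale, the "worst rating decides" classification rule, the likelihood x vulnerability exposure rule, the control catalogue and the three sample systems are all constructed assumptions.

```python
"""Worked example of the SPRINT flow described above: a Business Impact Assessment per
security parameter classifies a system as regular, important or critical; regular systems
get only the basic controls, important ones go through the threat/vulnerability stage and
the action plan, critical ones are handed to SARA. The rating scale, the exposure rule,
the control catalogue and the sample systems are constructed assumptions, not ISF forms."""

REGULAR, IMPORTANT, CRITICAL = "regular", "important though not critical", "critical"

# Assumed qualitative business impact scale used on the BIA forms.
IMPACT_SCALE = {"negligible": 0, "minor": 1, "significant": 2, "serious": 3, "severe": 4}

# Constructed control catalogue: (control, security parameter, exposure level at which required).
CONTROL_CATALOGUE = (
    ("access control review", "privacy", 4),
    ("encryption in transit", "privacy", 6),
    ("change control", "integrity", 4),
    ("backup and restore testing", "availability", 4),
    ("redundant hosting", "availability", 6),
)


def classify(bia: dict) -> str:
    """Phase 1: overall classification from the worst of the three BIA ratings (assumed rule)."""
    worst = max(IMPACT_SCALE[rating] for rating in bia.values())
    if worst <= 1:
        return REGULAR
    if worst == 2:
        return IMPORTANT
    return CRITICAL


def exposure(threat_likelihood: int, vulnerability: int) -> int:
    """Phase 2: risk exposure as likelihood (1..3) times vulnerability rating (1..3), assumed."""
    if not (1 <= threat_likelihood <= 3 and 1 <= vulnerability <= 3):
        raise ValueError("ratings are on the 1..3 scale")
    return threat_likelihood * vulnerability


def exposure_per_parameter(assessments: list) -> dict:
    """Highest exposure found for each security parameter across the assessed threats."""
    levels = {"privacy": 0, "integrity": 0, "availability": 0}
    for a in assessments:
        param = a["parameter"]
        levels[param] = max(levels[param], exposure(a["likelihood"], a["vulnerability"]))
    return levels


def required_controls(levels: dict) -> list:
    """Controls whose threshold is met by the parameter's exposure, as (control, exposure) pairs."""
    return [(control, levels[param]) for control, param, threshold in CONTROL_CATALOGUE
            if levels[param] >= threshold]


def sprint(system: dict) -> dict:
    """Run the three macro-phases and return where the system was routed and what to do."""
    klass = classify(system["bia"])
    report = {"system": system["name"], "class": klass}
    if klass == REGULAR:
        report["route"] = "basic controls only"
        return report
    if klass == CRITICAL:
        report["route"] = "SARA"  # the analytical complement, handled by specialised staff
        return report
    report["route"] = "SPRINT"
    levels = exposure_per_parameter(system["assessments"])
    report["exposure"] = levels
    needed = required_controls(levels)
    # Phase 3: action plan = required controls not yet in place, highest exposure first.
    report["action_plan"] = sorted(
        [(c, e) for c, e in needed if c not in system["implemented"]],
        key=lambda ce: (-ce[1], ce[0]))
    return report


# Constructed sample systems.
HR_PORTAL = {
    "name": "HR portal",
    "bia": {"privacy": "significant", "integrity": "minor", "availability": "minor"},
    "assessments": [
        {"threat": "unauthorised disclosure", "parameter": "privacy", "likelihood": 3, "vulnerability": 2},
        {"threat": "data corruption", "parameter": "integrity", "likelihood": 1, "vulnerability": 2},
        {"threat": "service outage", "parameter": "availability", "likelihood": 2, "vulnerability": 2},
    ],
    "implemented": {"access control review"},
}
INTRANET_WIKI = {"name": "intranet wiki",
                 "bia": {"privacy": "minor", "integrity": "minor", "availability": "negligible"},
                 "assessments": [], "implemented": set()}
PAYMENT_GATEWAY = {"name": "payment gateway",
                   "bia": {"privacy": "serious", "integrity": "severe", "availability": "serious"},
                   "assessments": [], "implemented": set()}

if __name__ == "__main__":
    for s in (HR_PORTAL, INTRANET_WIKI, PAYMENT_GATEWAY):
        print(sprint(s))
```

The report for the HR portal shows the point of the second phase: the privacy exposure of 6 pulls in both privacy controls, while the low integrity exposure means change control is not required, and the action plan lists only what is missing, ordered by the exposure it addresses.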
A systematic approach is then used to:
• Define the monitoring scope and range: the purpose is namely to keep top management informed on the evolution of the information risk level within the organisation, and to encourage owners to lower risk to a level considered acceptable by top management
• Offer a coherent definition of roles, responsibilities and communication lines within the company; each corporate line (from the owner to top management, passing through the monitoring process coordinators) plays a specific role and has precise responsibilities, with pre-determined standards and communication protocols
• Prepare sound fact-gathering tools for risk analysis and management (balanced scorecard for risk assessment, incident assessment questionnaire, etc.)
• Set up and manage a (constructive and continuous) dynamic evaluation and monitoring process
• Prepare concise reports and presentations for top management.

The FIRM methodology is also supported by specific tools (for example Citicus One) that allow every phase of the process to be managed by means of dedicated computerised dashboards. The fundamental element of the methodology is the precise and continuous measurement cycle aimed at supporting top management and owners to:
• Extend the approach to the entire organisation, regardless of its structure and hierarchic scale
• Support key Corporate Governance requirements, namely the identification, monitoring and detection of fundamental operational risks
• Cut costs, by better targeting specific investments while also assessing their efficiency (value reporting)
• Enhance corporate value by reducing the negative impact of incidents and the interruption of fundamental services.

NORA
The ISF methodologies described so far, like others, measure the risks facing an organisation using generic models that are applicable to any information context.
Specific methodologies must be evaluated when the only focus is a computerised communication network and a high defence level has already been opted for (after a conceptual risk analysis, or because the network represents the main activity of an organisation). For instance, PricewaterhouseCoopers resorts to the methodology it developed, known as NORA (Network Oriented Risk Assessment), which uses the following basic elements in an analytic process:
• Network Access Path (NAP): description of the network access paths in terms of clients, servers and network functions (O&M, Billing, etc.)
• Threat Scenario: created on the basis of scenarios identified within the information systems; NORA has pre-defined "Threat Scenarios" that must be mapped onto the specific situation of the company under analysis and assessed against the NAPs
• NSC matrix: determined by correlating the NAPs and the Threat Scenarios (NAP/Scenario combination)
• Impact Criteria: impact assessment criteria (defined on a scale from 1 to 5)
• Probability Scale: evaluation of the probability of the threat being carried out (on a scale from 1 to 5)
• Gravity Matrix: combination of the Impact Criteria and the Probability Scale to determine seriousness levels.

The methodology includes the following three stages and related activities:

Stage 1: Initialisation
• Identification of all network links
• Identification of the organisational structure (the organisation supporting the network)
• Identification of technological platforms
• Inventory of network documentation
• Collection of other information useful for setting up the analysis process (e.g. known threats and network vulnerabilities, business drivers).

Stage 2: Analysis
• Risk Assessment:
- Mapping of business communication onto Network Access Paths (NAPs)
- Definition of the possible combinations between Threat Scenarios and NAPs, according to an NSC (NAP/Scenario combination) matrix
- Assessment of the possible impacts of the threat scenarios on the RID parameters (privacy, integrity and availability), determined according to the Impact Criteria
- Vulnerability analysis, performed by means of audit programmes, to determine the probability of a given threat scenario happening (according to the probability scale), with the purpose of building the Gravity Matrix (the outcome of combining the impact and the occurrence probability)
• Future developments:
- Evaluation of future technological developments
- Evaluation of the security impacts that such developments could involve.

Stage 3: Action Plan
Definition of an action plan based upon generic solutions and the assessment of what the market has to offer (i.e. the state of the art); it is typically structured on three levels, defined as follows:
• Legacy system/Critical action, to mitigate high-gravity risks
• Legacy system/Complementary action, to mitigate the addressed risks in the medium-long term
• The Way Forward, for the proactive planning of security measures addressing future network developments.

Appendix 2.3 – CRAMM
Information supplied by Giampaolo Scafuro from "Sicurezza e Sistemi" (distributor in Italy of CRAMM)

Definition
CRAMM (CCTA Risk Analysis and Management Method) is a support methodology for risk analysis and management within ICT systems, developed by the CCTA (Central Computer and Telecommunications Agency). The methodology provides analysis guidelines, with support software for entering, storing and processing information. The market offers different pre-defined versions of CRAMM (UK Standard, NATO, NHS, Social Care, etc.) that can be adapted to meet different requirements.
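The NORA elements listed above (NAPs, threat scenarios, the NSC matrix, impact and probability on 1..5 scales, the gravity matrix and the three-tier action plan) fit together as shown in the added example below. This is illustrative code written for this appendix, not PricewaterhouseCoopers' NORA tooling: the two NAPs, the three scenarios and their mapping onto NAPs, the rule taking the worst of the privacy/integrity/availability criteria as the impact, the cut-offs of the gravity banding, the "accept and monitor" tier for low-gravity combinations and all the scores are constructed assumptions.

```python
"""Worked example of the NORA elements described above: Network Access Paths (NAPs)
crossed with threat scenarios give the NSC matrix; each combination gets an impact (1..5,
the worst of the privacy/integrity/availability criteria) and a probability (1..5), and the
gravity matrix bands the two into a seriousness level that drives the action plan tier.
The NAPs, scenarios, banding and scores are constructed assumptions, not PwC's data."""
from itertools import product

# Constructed NAPs: clients, servers and the network function they serve.
NAPS = {
    "customers -> billing portal": {"clients": "internet customers", "servers": ["billing web"],
                                    "function": "Billing"},
    "NOC -> core routers": {"clients": "NOC operators", "servers": ["core routers"],
                            "function": "O&M"},
}

# Constructed threat scenarios and the NAPs each one is mapped onto.
THREAT_SCENARIOS = {
    "credential theft on the access path": {"customers -> billing portal", "NOC -> core routers"},
    "denial of service": {"customers -> billing portal", "NOC -> core routers"},
    "configuration tampering": {"NOC -> core routers"},
}


def nsc_matrix() -> list:
    """NAP/Scenario combinations that apply, in a stable order."""
    return [(nap, sc) for nap, sc in product(NAPS, THREAT_SCENARIOS) if nap in THREAT_SCENARIOS[sc]]


def impact(criteria: dict) -> int:
    """Impact on 1..5: the worst of the privacy, integrity and availability criteria (assumed)."""
    values = tuple(criteria.values())
    if not values or any(not 1 <= v <= 5 for v in values):
        raise ValueError("impact criteria are rated 1..5")
    return max(values)


def gravity(impact_level: int, probability: int) -> str:
    """Gravity matrix: band the impact x probability product (assumed cut-offs)."""
    if not (1 <= impact_level <= 5 and 1 <= probability <= 5):
        raise ValueError("impact and probability are rated 1..5")
    score = impact_level * probability
    if score >= 15:
        return "high"
    if score >= 7:
        return "medium"
    return "low"


ACTION_TIER = {"high": "Legacy system/Critical action",
               "medium": "Legacy system/Complementary action",
               "low": "accept and monitor"}  # the low tier is an assumption


def analyse(assessments: dict) -> list:
    """Score every NSC combination from its assessment; highest gravity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for nap, sc in nsc_matrix():
        a = assessments[(nap, sc)]
        imp = impact(a["impact"])
        g = gravity(imp, a["probability"])
        rows.append({"nap": nap, "scenario": sc, "impact": imp, "probability": a["probability"],
                     "gravity": g, "action": ACTION_TIER[g]})
    return sorted(rows, key=lambda r: (order[r["gravity"]], -r["impact"] * r["probability"]))


def gravity_counts(rows: list) -> dict:
    """How many combinations fall in each gravity band."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in rows:
        counts[r["gravity"]] += 1
    return counts


# Constructed assessments for each NSC combination (impact criteria per RID parameter).
ASSESSMENTS = {
    ("customers -> billing portal", "credential theft on the access path"):
        {"impact": {"privacy": 5, "integrity": 3, "availability": 2}, "probability": 3},
    ("customers -> billing portal", "denial of service"):
        {"impact": {"privacy": 1, "integrity": 1, "availability": 4}, "probability": 3},
    ("NOC -> core routers", "credential theft on the access path"):
        {"impact": {"privacy": 3, "integrity": 4, "availability": 4}, "probability": 2},
    ("NOC -> core routers", "denial of service"):
        {"impact": {"privacy": 1, "integrity": 1, "availability": 2}, "probability": 2},
    ("NOC -> core routers", "configuration tampering"):
        {"impact": {"privacy": 2, "integrity": 5, "availability": 5}, "probability": 2},
}

if __name__ == "__main__":
    for row in analyse(ASSESSMENTS):
        print(f'{row["gravity"]:6} {row["nap"]:28} {row["scenario"]:36} -> {row["action"]}')
```

Of the six NAP/scenario pairs only five are applicable, which is what the NSC matrix records; after scoring, one combination (credential theft on the customer path) lands in the high band and gets the critical action tier, three are medium and one is low.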
CRAMM V offers two different modes of risk analysis: Expert and Express. The Express mode is faster to perform and more suitable where time and resources are limited and the precision level of CRAMM Expert is not necessary. The description below focuses mainly on the potential offered by the Expert mode.

Basic Principle
CRAMM supplies a risk analysis process structured in different stages, each supported by questionnaires and guidelines. Within the analysis application domain, the most significant resources for achieving the corporate mission are identified and resource models are created. The Asset Model is the schematisation used by the CRAMM methodology to organise information pertaining to the identified assets. The different types of assets that can be processed are:
• Data Assets (files, databases, transmission data, documents, etc.)
• Physical Assets (i.e. the technological components of the intervention boundary)
• Software Assets (i.e. the application components)
• Location Assets (the rooms, buildings and physical locations making up the intervention boundary).

A particular physical resource is what CRAMM defines as an End-User Service (representing the transmission and processing modality of the identified Data Assets). To guarantee privacy, integrity and availability for the identified Data Assets, it is necessary to protect the Software Assets, Physical Assets and Location Assets supporting them. To this end, it is important to define the dependencies among the different kinds of assets by creating Asset Models.

Asset evaluation is performed by estimating the criticality of every asset, according to impacts and guidelines. Impacts essentially assess the unavailability, destruction and loss of privacy and integrity of information.
Guidelines, instead, define the scenarios within which impacts apply. Threat and vulnerability assessment makes it possible, by means of a specific questionnaire, to evaluate the probability level of threat occurrence and the degree of vulnerability, in terms of the exposure to threats of every previously identified asset. This information enables the determination of the extent of the risk which, according to the CRAMM methodology, depends on two distinct aspects: the combination of threat and vulnerability on the one hand, and the impact on a specific resource caused by the occurrence of a harmful event on the other. The assessment is performed on a scale of values from 1 to 7, by means of a risk matrix. The identified protection measures (countermeasures) represent the protection profile of each asset, and the starting point of the risk management stage. CRAMM selects the most suitable security measures by comparing the risks associated with each identified threat with the security level ensured by the countermeasure. This is the stage in which the security measures proposed by CRAMM are compared with the existing solutions, so as to pinpoint any weaknesses or areas with redundant security measures. The security measures (hardware, software, communications, procedural, physical, organisational) are grouped together according to their objectives. For each of the above-mentioned stages, CRAMM supplies a report summarising the results achieved.

CRAMM: BS 7799
CRAMM controls comply with the ISO 17799 standard. The product can be used to support companies in evaluating compliance with the 2002 BS 7799 part 2 standard, supplying to this aim a specific section enabling, among other things, a gap analysis according to the plan, do, check, act principles, and the production of all the necessary documentation.

To whom is it addressed?
CRAMM is suitable for all medium/large companies, including complex entities such as large industrial groups. It adapts very well to IT environments, offering support for technical aspects (hardware, software, communication protocols, etc.) and physical security (site, building, room). Some aspects also include specific references to organisational and procedural security. The use of CRAMM in security management processes makes it possible to:
• Support users throughout the structured security management process, by means of templates, application forms and review schemes
• Assess the state of protection of the entire analysis boundary by verifying the suitability of existing or planned protection measures against the identified risks
• Assess the implemented or planned measures in the light of security best practices
• Provide each asset with a protection profile indicating priorities, to easily identify those needing urgent intervention and those for which it can be postponed
• Enable the constant monitoring of process efficiency by means of the review activities supplied by the product
• Support users in documenting security management processes, thanks to the guidelines and operational reports provided.

Appendix 2.4 – RISKWATCH
Information supplied by Renzo Dell'Agnello from Elea S.p.A. (distributor in Italy of RiskWatch)

RiskWatch is a risk management system developed by RiskWatch Inc. and used by large companies and public administrations worldwide. RiskWatch exists in different language versions besides English; among them, the most relevant for Italy is the VPI version, developed by ELEA since the product was first commercialised in Italy. The specific features of the VPI version are its language (Italian) and its compliance with Italian legislation (e.g. Law Decree 196/03 on privacy), in addition to its conformity with the reference standards, namely ISO 17799/BS 7799.
Furthermore, the VPI version has additional characteristics compared to the international version. Assessing the security requirements of companies and public administrations has revealed the need for different methodological definitions of the analysis, according to the type of analysis and organisation and to the budget available for such activities. This is why RiskWatch VPI supports quantitative (SQRM and TLQ), qualitative (TLQ QUAL) and semi-quantitative (TLQ/SQRM) methodological definitions.

SQRM is the standard RiskWatch methodology, also available in the international English version. TLQ QUAL, on the other hand, is a qualitative methodology that allows considerable time and cost reductions while still permitting a thorough assessment of the security level and the identification of the possible risks within the scope of the analysis. It generates indexes that are particularly relevant for risk level assessment, such as the Impact Relative Index. TLQ QUAL is simply the qualitative version of the TLQ methodology: the only difference is that it omits the final stage, in which quantitative data are requested, and, since it produces no quantitative results, it has a different reporting system. The characteristics of TLQ itself make it possible to perform a cost/benefit analysis, as with SQRM.

The semi-quantitative TLQ/SQRM methodologies combine all the advantages of methodological research in risk analysis with the processing capabilities and flexibility of RiskWatch VPI. This methodological setup makes it possible to assess the risk level with minimal dependence on the exact real value of the assets (it accepts both quantitative and qualitative input values, thanks to a specific normalisation process), while still supplying the Impact Relative Index and the Backward Traceability that characterise the TLQ and TLQ QUAL methodologies.
Some of the concepts and terms used in the description above need to be explained for readers who have not had the opportunity to learn about these methodological definitions.

Once a risk value has been determined, Backward Traceability makes it possible to establish the percentage of that risk deriving from each of the vulnerability areas that are relevant to a specific threat; this information allows the fundamental risk-engendering vulnerabilities to be traced.

The Impact Relative Index (IRI) is a relative risk measurement index, expressed in the range 0-100, which represents the ratio between the effective risk level and the maximum risk level for a specific threat (0: no risk, optimal protection; 100: maximum risk, no protection). It therefore also expresses the lack of protection against the threat in question.

The idea underlying the semi-quantitative TLQ/SQRM methodology, besides the ability to manage qualitative and quantitative data, is to identify two substantially independent assessments that make up the risk analysis process. The first estimate concerns the value exposed to risk, in other words the potential risk value in the absence of protection, which is the maximum risk value. The second estimate concerns the protection level, which is determined by comparison with a so-called state-of-the-art protection model, i.e. one that is optimal given current technical expertise and corresponds to the defined protection level. The effective risk level (RLE, Risk Level Estimated), expressed on a scale from 0 to 10, is obtained from these two assessments. Once an acceptability threshold has been defined, the RLE value tells whether intervention is needed, and backward traceability tells where.
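The two estimates, the RLE, the IRI and backward traceability described above can be put together in a small model. The following Python code is an added illustration, not RiskWatch's own algorithm: the way the protection level is folded into the RLE (weighted share of each vulnerability area left open with respect to the state-of-the-art model), the VulnerabilityArea structure and the asset value, weights and protection levels are all assumptions made for the example.

```python
"""Risk Level Estimated (RLE), Impact Relative Index (IRI) and backward
traceability in the style of the RiskWatch VPI semi-quantitative model.

Added illustration, not RiskWatch code: the formulas are an assumed reading
of the description in Appendix 2.4, and the input figures are constructed.
"""
from dataclasses import dataclass

RLE_SCALE = 10.0   # RLE is expressed on a 0-10 scale
IRI_SCALE = 100.0  # IRI is expressed on a 0-100 scale


@dataclass(frozen=True)
class VulnerabilityArea:
    """A vulnerability area relevant to one threat (assumed structure).

    weight:     relevance of the area for this threat, > 0
    protection: protection level measured against the state-of-the-art
                model: 0.0 = no protection, 1.0 = optimal protection
    """
    name: str
    weight: float
    protection: float

    def __post_init__(self):
        if self.weight <= 0:
            raise ValueError(f"{self.name}: weight must be positive")
        if not 0.0 <= self.protection <= 1.0:
            raise ValueError(f"{self.name}: protection must lie in [0, 1]")

    @property
    def unprotected(self) -> float:
        """Weighted part of this area left open by the current protection."""
        return self.weight * (1.0 - self.protection)


def max_risk(asset_value: float) -> float:
    """First estimate: value exposed to the threat with no protection at all
    (the maximum risk), on the 0-10 scale. asset_value is assumed already
    normalised to [0, 1] by the methodology's normalisation step."""
    if not 0.0 <= asset_value <= 1.0:
        raise ValueError("asset_value must be normalised to [0, 1]")
    return RLE_SCALE * asset_value


def lack_of_protection(areas) -> float:
    """Second estimate, seen from the attacker's side: the weighted fraction
    of the threat's vulnerability areas left open (0 = state of the art)."""
    total = sum(a.weight for a in areas)
    return sum(a.unprotected for a in areas) / total if total else 0.0


def rle(asset_value: float, areas) -> float:
    """Risk Level Estimated: maximum risk scaled by the lack of protection."""
    return max_risk(asset_value) * lack_of_protection(areas)


def iri(asset_value: float, areas) -> float:
    """Impact Relative Index: effective risk as a percentage of the maximum
    risk for this threat (0 = optimal protection, 100 = no protection)."""
    worst = max_risk(asset_value)
    if worst == 0.0:  # an asset of no value carries no risk at all
        return 0.0
    return IRI_SCALE * rle(asset_value, areas) / worst


def backward_traceability(areas) -> dict:
    """Percentage of the effective risk attributable to each vulnerability
    area, so the fundamental risk-engendering vulnerabilities can be traced."""
    open_total = sum(a.unprotected for a in areas)
    if open_total == 0.0:
        return {a.name: 0.0 for a in areas}
    return {a.name: 100.0 * a.unprotected / open_total for a in areas}


def intervention_plan(asset_value: float, areas, threshold: float) -> list:
    """Decide whether to intervene (RLE above the acceptability threshold)
    and where: the areas that contribute risk, largest contribution first."""
    if rle(asset_value, areas) <= threshold:
        return []
    shares = backward_traceability(areas)
    ranked = sorted(shares.items(), key=lambda kv: kv[1], reverse=True)
    return [name for name, share in ranked if share > 0.0]


# Constructed example: one threat (unauthorised remote access) against an
# asset of normalised value 0.8, with three relevant vulnerability areas.
ASSET_VALUE = 0.8
AREAS = (
    VulnerabilityArea("access control", weight=3.0, protection=0.25),
    VulnerabilityArea("auditing and logging", weight=1.0, protection=0.50),
    VulnerabilityArea("network perimeter", weight=2.0, protection=1.00),
)

if __name__ == "__main__":
    print(f"max risk {max_risk(ASSET_VALUE):.2f}, RLE {rle(ASSET_VALUE, AREAS):.2f}, "
          f"IRI {iri(ASSET_VALUE, AREAS):.1f}")
    for name, share in backward_traceability(AREAS).items():
        print(f"  {name:22s} {share:5.1f}% of the risk")
    print("intervene on:", intervention_plan(ASSET_VALUE, AREAS, threshold=3.0))
```

With the constructed figures the maximum risk is 8.0, the RLE about 3.67 and the IRI about 45.8: the threat is a little under half as dangerous as it would be with no protection at all. Backward traceability attributes about 82% of the residual risk to access control and the rest to logging, while the perimeter, already at state-of-the-art level, contributes nothing; with an acceptability threshold of 3.0 the plan therefore points at access control first. Note that the IRI is independent of the asset value: it is the lack-of-protection term alone, which is why the text says it also expresses the lack of protection against the threat.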
The answers to the questionnaires that gather information on the analysed environment are compatible across all methodological setups and can therefore be reused. It is thus possible to start with a simpler setup and move to a more complete one in a modular, scalable way, recovering the investment already made. RiskWatch VPI combines flexibility within a methodological environment with complete operational support, including the possibility of collecting information across the Intranet and the wide-area network, either through customised printed questionnaires or through special applications that interact directly with the people supplying the information. RiskWatch VPI offers data import/export features and extensive reporting, with graphs and tables for the significant indexes of the analysis. There is also a complete audit trail of the analytic process and of the data identified, in addition to statistical findings.

Appendix 2.5 – Information Security Assessment (ISA), Enterprise Security Architecture (ESA) and Risk Analysis
Information supplied by Simona Napoli and Andrea Mariotti from KPMG

Risk analysis aims to identify the value of the information managed within corporate processes and the risk level it is exposed to, and hence to outline the most adequate security countermeasures for protecting that information. Risk analysis also enables security policies and standards to be defined in relation to the corporate context. In this sense it is a fundamental step, both in evaluating the actual state of security (Information Security Assessment) and in defining the requirements of the security management system the company wishes to set up (Enterprise Security Architecture).
The correct application of risk analysis must therefore allow for the following:
• Identification of the security controls to be implemented, by applying the most widespread international security standards (BS 7799-2, ISO 17799, etc.), drafted and developed with the active participation of KPMG as a member of the BSI-DISC BDD/2 committee
• Leveraging of internationally consolidated experience and best practices
• Easy adaptation to specific contexts, by modifying the models over time in the wake of technological innovation
• Production of consistent and structured documentation
• Definition of different grades of security measures, thus optimising the cost/benefit ratio and simplifying operation for users
• Identification of the key information needing protection, both in business terms and to comply with the provisions in force; this characteristic is essential for ensuring that security policies are applied consistently with business requirements and in compliance with the law (e.g. the consolidated privacy law, Legislative Decree 196/2003)
• Constitution of interdisciplinary working groups, to facilitate the sharing of project objectives among the different corporate functions and to organise parallel training for the participants of the working groups, increasing their awareness of the problems connected to risks, controls and the related information security requirements.

Lastly, a further advantage lies in the use of tools that exploit Intranet functions to facilitate the identification and management of the information needed for the analysis, allowing for more efficient reassessment and operational management processes.

Reference Model
To identify critical business information and assess the underlying risk levels, it is important first to link the information to the corporate processes that use it, and then to identify how it is managed.
Information mapping is made up of macro-data concerning corporate processes; a macro-data item is a minimum set of information, or a collection of data, that forms a homogeneous group for the application of protection measures. The criticality of macro-data depends on their value in terms of confidentiality, integrity and availability within the process they belong to, regardless of their type, format and storage medium. The risk level is defined according to the value of the macro-data, the level of threat they are subject to and the vulnerability of the support tools and infrastructures (applications, systems, networks, locations) that manage them:

Risk = f (Value, Threats, Vulnerability)

The reference model used for risk analysis can therefore be summarised by the following diagram:

[Figure: reference model for risk analysis. Processes are broken down into sub-processes, which use resources and data flows; resources are mapped to macro-data, to which a Value is assigned; macro-data are handled by support instruments and infrastructures at locations, each with its own Threats and Vulnerabilities; Value, Threats and Vulnerabilities combine into the Risk.]

Risk Analysis Stages
To identify the macro-data that embody the corporate information assets, assess their criticality and relative risk exposure, and define suitable security countermeasures, the following stages must be performed.

Stage 1: Identification of Corporate Macro-Processes and Mapping of Information Systems
The main objective of stage 1 is the detection and classification of the macro-processes and of the information systems supporting corporate processes, thus precisely identifying the environment to which the risk analysis applies. Identifying the macro-processes makes it possible to outline the structure of the information flow generated in the course of the different activities that make up the processes.
The analysis is a starting point that will later support the activities of information classification, threat evaluation, vulnerability analysis and risk level determination.

Stage 2: Classification of Information Value
The classification of information, associated with its value for the organisation, is an essential process that forms the very foundation of risk evaluation, while also enabling the company to gain better knowledge of its information assets. The classification of information by relative value (an activity that can be performed at different levels of aggregation, expressing the absolute value of the entire information assets) therefore reveals the level of sensitivity and criticality the company attributes to its information. The value of the managed information is estimated by means of a dedicated matrix for each security parameter (confidentiality, integrity, availability): for each parameter, the impact of the possible occurrence of each event described in the columns of the matrix is evaluated. The aggregate value of the information is then calculated by adding up the values of the different parameters. Lastly, according to the value obtained, the information is placed in a criticality category.

Stage 3: Threat Assessment and Vulnerability Analysis
Threat Assessment
Threat assessment is the process that leads to the identification of events with a potentially negative impact on the value of the information assets. It consists in attributing a value representing the perceived level of threat against corporate information. The assessment is made for several threat categories, by source (e.g. internal/external), nature (e.g. hostile/non-hostile) and complexity (structured/non-structured).
Vulnerability Analysis
The process of defining the vulnerability of the information system consists in identifying and evaluating the parameters associated with the previously identified threats. Vulnerabilities are defined as the gap between the current state of the information and the level of protection considered adequate to prevent an external agent from compromising it. The vulnerabilities analysed by the methodology concern both technical aspects, connected to the logical or physical security of the supporting tools and infrastructures, and organisational aspects, pertaining for example to work procedures or personnel responsibilities.

Application vulnerabilities can fall into different categories: access control, development and maintenance, outsourcer management, auditing and logging, backup, etc. The vulnerability level of each application also depends on the vulnerability of the network and of the systems that make it operational; these in turn are classified into further categories (for systems: operating system security, antivirus, backup and disaster recovery, auditing and logging, outsourcer management; for the network: infrastructure security, remote access, auditing and logging). Furthermore, since vulnerabilities also depend on the physical location where corporate process activities are performed, or where the supports and infrastructures are situated, location vulnerabilities are also evaluated and grouped into categories: protection boundary, positioning and protection of equipment, behavioural standards, environmental control systems, physical access control, loading and unloading areas, protection of incoming and outgoing equipment, cabling protection. Each vulnerability is given a weight representing the level of risk deriving from its presence.
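The stage 2 classification matrix, the weighted vulnerabilities of stage 3 and the susceptibility and Risk = Value * Susceptibility rule the methodology applies in stage 4 can be exercised on one macro-data item and one application. The Python code below is an added example, not KPMG's own tool: the 0-4 impact scale, the rule that a parameter takes the worst impact in its row, the normalisation of susceptibility to the share of vulnerability weight that some present threat can exploit, the category bands and the sample data are all assumptions made for the illustration.

```python
"""Stages 2 to 4 of the risk analysis described in Appendix 2.5: value
classification of a macro-data item, susceptibility from weighted
vulnerabilities and present threats, and Risk = Value * Susceptibility.

Added illustration, not KPMG's tool: the impact scale, the category bands
and the susceptibility formula are assumptions, and the data are constructed.
"""
from dataclasses import dataclass

SECURITY_PARAMETERS = ("confidentiality", "integrity", "availability")
IMPACT_SCALE = 4  # assumed: each matrix cell scores an impact from 0 to 4

# Assumed bands: aggregate value is 0-12 (three parameters, 0-4 each), and
# risk is 0-12 too, because susceptibility is normalised to [0, 1].
VALUE_CATEGORIES = ((3, "low"), (8, "medium"), (12, "high"))
RISK_CATEGORIES = ((3, "low"), (7, "average"), (12, "high"))


def band(score: float, categories) -> str:
    """Map a score to the first band whose upper bound it does not exceed."""
    for upper, label in categories:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the defined scale")


def parameter_value(impacts: dict) -> int:
    """Value of one security parameter: the worst impact among the events in
    that row of the classification matrix (assumed aggregation rule)."""
    for event, score in impacts.items():
        if not 0 <= score <= IMPACT_SCALE:
            raise ValueError(f"{event}: impact {score} outside 0-{IMPACT_SCALE}")
    return max(impacts.values(), default=0)


def aggregate_value(matrix: dict) -> int:
    """Stage 2: add up the values of the three security parameters."""
    missing = set(SECURITY_PARAMETERS) - set(matrix)
    if missing:
        raise ValueError(f"matrix lacks parameters: {sorted(missing)}")
    return sum(parameter_value(matrix[p]) for p in SECURITY_PARAMETERS)


def value_category(matrix: dict) -> str:
    """Stage 2, last step: place the information in a criticality category."""
    return band(aggregate_value(matrix), VALUE_CATEGORIES)


@dataclass(frozen=True)
class Vulnerability:
    category: str            # e.g. "access control", "backup", "remote access"
    weight: int              # risk weight attached to the vulnerability
    exploited_by: frozenset  # threats that could exploit it


def susceptibility(vulns, present_threats) -> float:
    """Stage 3: share of the total vulnerability weight that at least one
    present threat can exploit (0 = no exposure, 1 = every weakness is
    reachable by a live threat). Normalisation to [0, 1] is assumed."""
    total = sum(v.weight for v in vulns)
    if total == 0:
        return 0.0
    exposed = sum(v.weight for v in vulns if v.exploited_by & present_threats)
    return exposed / total


def risk(matrix, vulns, present_threats) -> float:
    """Stage 4: Risk = Value * Susceptibility, for one application."""
    return aggregate_value(matrix) * susceptibility(vulns, present_threats)


def risk_category(matrix, vulns, present_threats) -> str:
    return band(risk(matrix, vulns, present_threats), RISK_CATEGORIES)


# Constructed example: macro-data "customer payment records" handled by a
# billing application. Matrix rows are security parameters, columns events.
PAYMENT_RECORDS = {
    "confidentiality": {"disclosure to third parties": 4,
                        "disclosure to unauthorised staff": 2},
    "integrity": {"deliberate tampering": 3, "accidental corruption": 2},
    "availability": {"outage under one hour": 1, "outage over one day": 2},
}
BILLING_APP_VULNS = (
    Vulnerability("access control", 3, frozenset({"external intrusion", "insider misuse"})),
    Vulnerability("auditing and logging", 1, frozenset({"insider misuse"})),
    Vulnerability("backup", 2, frozenset({"hardware failure"})),
    Vulnerability("remote access", 2, frozenset({"external intrusion"})),
)
PRESENT_THREATS = frozenset({"external intrusion", "insider misuse"})

if __name__ == "__main__":
    print("value", aggregate_value(PAYMENT_RECORDS), value_category(PAYMENT_RECORDS))
    print("susceptibility", susceptibility(BILLING_APP_VULNS, PRESENT_THREATS))
    print("risk", risk(PAYMENT_RECORDS, BILLING_APP_VULNS, PRESENT_THREATS),
          risk_category(PAYMENT_RECORDS, BILLING_APP_VULNS, PRESENT_THREATS))
```

On the constructed data the payment records score 9 (4 + 3 + 2) and fall in the high criticality category; the backup vulnerability carries weight but no present threat exploits it, so susceptibility is 6/8 = 0.75 and the application's risk is 6.75, an average risk despite the high value of the information. The point worth noticing is the one the text makes: a vulnerability only contributes to susceptibility when a threat that can exploit it is actually present, so the same application with no live threats would score zero risk.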
Susceptibility is an indicator of the exposure of information to risk, and is connected to the presence of vulnerabilities and threats. The contribution of each vulnerability to the susceptibility value depends on its weight and on the presence of threats that could exploit that vulnerability.

Stage 4: Risk Level Definition and Identification of Recommended Security Measures
The methodology's risk model determines risk from the combination of the information value, the nature of the existing threats and the vulnerabilities. The information collected in the previous stages thus makes it possible to determine a risk level for each application, defined as follows:

Risk = Value * Susceptibility

The value obtained leads to the attribution of a risk category (low, average, high). The risk assessment so defined is the starting point for applying the corporate policies, while homogeneous intervention plans are prepared for each area, in compliance with centrally established requirements.

Appendix 2.6 – Symantec Security Risk Analysis Methodology (SSRAM)
Information supplied by Andrea Rigoni from Symantec

Definition
The Symantec Security Risk Analysis Methodology (SSRAM) is a methodology developed by Symantec to help organisations measure their level of exposure to risk and identify a suitable countermeasure plan. SSRAM is also the reference framework adopted by Symantec for creating risk management support services.

To whom is it addressed?
SSRAM is for any organisation that needs not only to measure the risk levels of its information systems, but also to set up correct management and control processes for continuous risk governance.

Basic Principles
SSRAM is based on the ISO/IEC 17799 standard and aims at total risk identification in relation to the identified services and assets.
The approach supplies statistical information revealing which services and components have a high risk exposure and therefore require additional protection. Baseline risks are assessed on the assumption that no active security measures have been implemented, thereby offering an objective overview of the overall risk. The security controls of ISO/IEC 17799:2000 are grouped into filters (sets of countermeasures) and used to calculate the risk reduction that follows the application of the countermeasures. All the values produced are based on the visibility Symantec has of new vulnerabilities, threats and their impact on ICT services.

Tools and Services
The SSRAM methodology provides for both a risk measurement stage and a constant control stage. To support customers in using the methodology, an SSRAM Toolkit is available: a software tool that supports clients during all the measurement, assessment and simulation stages. Vulnerabilities and threats change continuously: on average, eight new vulnerabilities connected to technologies and commercial products are discovered every day. Furthermore, all the latest global threats have affected the most vulnerable systems within a few hours of their appearance. To support continuous assessment of the vulnerability, threat and impact profile of services, SSRAM offers a classification and a series of metrics for vulnerability and threat assessment, which can be used to feed a database with external Security Intelligence services. Furthermore, a methodology connected to SSRAM is available for launching control, monitoring and incident response processes, to reduce or nullify the impacts.
Appendix 3 – Acronyms and abbreviations

Acronym     Description
ADSL        Asymmetric Digital Subscriber Line
AIPA        Autorità per l'Informatica nella Pubblica Amministrazione (Authority for Information Technology in the Public Administration)
AP          Access Point
BSI         British Standards Institution
CA          Certification Authority
CC          Common Criteria
CENTR       Council of European National Top Level Domain Registries
CERT        Computer Emergency Response Team
CERT-AM     CERT dell'Amministrazione Pubblica (CERT of the Public Administration)
CNIPA       Centro nazionale per l'informatica nella pubblica amministrazione (National Centre for IT in the Public Administration)
CNR         Consiglio Nazionale delle Ricerche (National Research Council)
CNSI        Centro Nazionale per la Sicurezza Informatica (National Centre for Information Security)
CObIT       Control Objectives for Information and related Technology
COSO        Committee of Sponsoring Organizations of the Treadway Commission
CRAMM       CCTA Risk Analysis and Management Method
CRL         Certificate Revocation List
CSIRT       Computer Security Incident Response Team
DMZ         Demilitarized Zone
DNS         Domain Name System
EAP         Extensible Authentication Protocol
EFS         Encrypting File System
ENISA       European Network and Information Security Agency
GMITS       Guidelines for the Management of IT Security
GSM         Global System for Mobile Communications
GPRS        General Packet Radio Service
HIDS        Host Intrusion Detection System
IANA        Internet Assigned Numbers Authority
ICANN       Internet Corporation for Assigned Names and Numbers
ICT         Information and Communication Technology
IdM         Identity Management
IDS         Intrusion Detection System
IETF        Internet Engineering Task Force
IPSec       IP Security
ISACA       Information Systems Audit and Control Association
ISDN        Integrated Services Digital Network
ISF         Information Security Forum
ISMS        Information Security Management System
ISO         International Organization for Standardization
ISOC        Internet Society
LAN         Local Area Network
LDAP        Lightweight Directory Access Protocol
MPLS        Multiprotocol Label Switching
MSS         Managed Security Services
MSSP        Managed Security Service Provider
NAT         Network Address Translation
NAT/PAT     Network Address Translation/Port Address Translation
NDA         Non-Disclosure Agreement
NIDS        Network Intrusion Detection System
OCSE        Organizzazione per la Cooperazione e lo Sviluppo Economico (OECD)
OTP         One-Time Password
PA          Pubblica Amministrazione (Public Administration)
PEAP        Protected Extensible Authentication Protocol
PIN         Personal Identification Number
PKI         Public Key Infrastructure
PMI         Privilege Management Infrastructure
PPAA        Pubbliche Amministrazioni (Public Administrations)
RADIUS      Remote Authentication Dial-In User Service
RAS         Remote Access Service
RIPE NCC    Réseaux IP Européens Network Coordination Centre
ROI         Return on Investment
RTO         Recovery Time Objective
RUPA        Rete Unitaria della Pubblica Amministrazione (Unified Network of the Public Administration)
S/MIME      Secure/Multipurpose Internet Mail Extensions
SIA         Sistema Informativo Aziendale (Corporate Information System)
SOC         Security Operations Center
SPC         Sistema Pubblico di Connettività (Public Connectivity System)
SSL         Secure Sockets Layer
SSO         Single Sign-On
TACACS      Terminal Access Controller Access Control System
TCP/IP      Transmission Control Protocol/Internet Protocol
TLS         Transport Layer Security
UE          Unione Europea (European Union)
UMTS        Universal Mobile Telecommunications System
URL         Uniform Resource Locator
VPN         Virtual Private Network
W3C         World Wide Web Consortium
WAN         Wide Area Network
WEP         Wired Equivalent Privacy

Printed by: PrintArt, Via Tiburtina Km 18.700 - 00012 Guidonia (RM)
Ministero delle Comunicazioni