Securing Web-accessible Information Systems within Higher Education Institutions

Janet Lavery and Cornelia Boldyreff
Department of Computer Science, University of Durham
Science Laboratories, South Road, Durham, DH1 3LE, U.K.
[email protected] [email protected]

Abstract

Within Higher Education, concerns are growing with regard to the gap between what university central services traditionally provide and what the academic departments within the institution need. The Institutionally Secure Integrated Data Environment (INSIDE) project is a JCIEL (JISC Committee for Integrated Environments for Learners) funded collaborative project between the Universities of St Andrews and Durham that proposes to address the above concerns by investigating the issues surrounding the development and delivery of “joined up system for institutions”. The INSIDE project intends to utilise both universities’ existing information bases to develop a model of distributed functionality. The intention is to solve the problems at a high enough level of abstraction to provide a generic solution applicable to other Higher Education institutions. The model must address the security implications of “joined up systems for institutions”, balancing an institution’s need for effective data security with universities' culture of open access to information.

1. Background: INSIDE Project Domain

Within Higher Education (HE), concerns are growing with regard to the gap between what university central services traditionally provide and what the academic departments currently need. Members of the administrative staff and academic community (staff and students) of institutions are finding the performance of routine tasks difficult due to the nature of their institution’s current systems. These systems, usually comprised of multiple unconnected data repositories, require a user to expend extensive effort to accomplish what should be simple tasks. Users are often prevented from carrying out work by inappropriate access control mechanisms and the lack of appropriate client software. Additional difficulties occur as a result of the numerous ad hoc record systems developed at the departmental level that replicate processing being done centrally, but that are not co-ordinated with each other or with central services. For example, at the University of Durham, the centralised Admissions department controls student records on a Unix system known as Banner2000 (© Copyright Unisys, 1999). However, some departments keep their own version of student records stored locally and manipulated using local software such as Administration and Running Continuous Assessment with Deadlines and Extensions (Arcade), software that records attendance and awarded marks [CUR00]. While student records from Banner2000 are used initially to populate Arcade, corrections to the student records made in Arcade are not automatically reflected in Banner2000. Instead, discrepancy reports are generated by the academic department and sent to the centralised Admissions department. Central services then use the discrepancy reports to update the student records in Banner2000.

The Institutionally Secure Integrated Data Environment (INSIDE) project is a JISC (Joint Information Systems Committee) Committee for Integrated Environments for Learners (JCIEL) funded collaborative project between the Universities of St Andrews and Durham that is currently addressing the above problems. The project specifically addresses the issues surrounding the development and delivery of “joined up system for institutions”. The Universities of Durham and St Andrews are presently responding to the need for user-centric information systems, accessible campus-wide. The INSIDE project is part of that response. It is intended that the project will not “throw technology” at the problem but instead work with the existing information base to develop a model of distributed functionality to deliver securely the information services users in HE need. The intention is to solve the problems at a high enough level of abstraction to give a sufficiently generic solution applicable to other HE institutions. The model will then be used to provide a basis for access to existing services and to value-added services derived from the existing information base, encompassing both centralised and decentralised information systems. The model must address the broad requirements of an integrated data environment, including the need for effective data security in terms of access, authentication, and privacy.

The pragmatic goal for this project is the development of a pilot implementation of web-based, user-oriented portals [ALL00] for end-users, both university staff and students. User-oriented portals will be built around the identity of the user and will be dynamically maintained using information known about the user’s roles and responsibilities within an institution. User-oriented portals provide a single, initial point of contact to a range of appropriate services. The channels represented by portal links must be secure and preserve identity. This implies authentication of all client-server transactions. Thus, the project has been considering Internet security issues with a particular focus on institutional and human issues. This paper presents our findings and discusses the relevance of these issues to the work of the INSIDE project.
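The portal model just described can be made concrete with a small example. The following Python is an added illustration, not code from the INSIDE project: the links a user is offered are derived from the roles the institution knows about them, and each link carries an HMAC-signed, time-limited token so that the receiving service can authenticate the request and recover the identity of the user who made it. The role-to-service table, the service names and the shared key are all constructed for the example.

```python
"""Role-derived portal links carrying authenticated, identity-preserving tokens.

Added illustration, not code from the INSIDE project. The set of links a user
sees is derived from their institutional roles, and every link carries an
HMAC-signed, time-limited token so the receiving service can authenticate the
request and recover who is making it. The role-to-service table, service names
and the shared key are all constructed for the example.
"""
import base64
import hashlib
import hmac
import time

# Constructed mapping: which services each institutional role may reach.
ROLE_SERVICES = {
    "student": {"timetable", "coursework"},
    "lecturer": {"timetable", "coursework", "marks-entry"},
    "admissions": {"student-records"},
}

# Constructed key shared between the portal and the services it links to.
SHARED_KEY = b"example-portal-key-replace-in-deployment"
TOKEN_LIFETIME = 300  # seconds a portal link stays valid


def services_for(roles):
    """Union of the services permitted to any of the user's roles."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_SERVICES.get(role, set())
    return allowed


def make_token(user, service, now=None, key=SHARED_KEY):
    """Build 'base64url(user|service|expiry).hex(HMAC-SHA256 over payload)'.

    The user's identity travels inside the signed payload, so the service
    learns who the portal authenticated without trusting a bare query string.
    """
    if "|" in user or "|" in service:
        raise ValueError("field separator '|' not allowed in user or service")
    now = int(time.time()) if now is None else now
    payload = f"{user}|{service}|{now + TOKEN_LIFETIME}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token, service, now=None, key=SHARED_KEY):
    """Return the authenticated user, or None if the token is invalid.

    Rejects forged or altered tokens (signature mismatch), tokens issued for
    a different service, and tokens past their expiry.
    """
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        user, token_service, expiry = payload.decode().split("|")
        expiry = int(expiry)
    except (ValueError, TypeError, UnicodeDecodeError):
        return None
    if token_service != service or expiry <= now:
        return None
    return user


def portal_links(user, roles, now=None):
    """The portal page for one user: one signed link per permitted service."""
    return {svc: make_token(user, svc, now) for svc in sorted(services_for(roles))}


if __name__ == "__main__":
    links = portal_links("j.lavery", ["lecturer"], now=1_000_000)
    for svc, tok in links.items():
        print(svc, "->", verify_token(tok, svc, now=1_000_060))
```

The service checks three things before trusting a link: that the signature matches under the shared key, that the token was issued for this service and not another, and that it has not expired. Any of these failing yields None rather than a partial identity, which is the behaviour a portal channel that must "preserve identity" needs.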

2. Internet Security Issues

The Internet can generally be regarded as a client-server system. It encompasses all the technical security issues surrounding any networked system together with some specific to the Internet [STA99]. There are a wide variety of methods for attacks via the Internet and numerous countermeasures that need to be employed to prevent or reduce the severity of an attack. These methods and countermeasures can be organised in a variety of different ways. Stallings classifies attacks as “passive” and “active” [STA99], based on the outcome of the attack. Passive attacks cause no ‘physical’ damage to the data, i.e. the data is read. Active attacks, however, do cause damage to the data, i.e. data is deleted or altered. This classification scheme does not address the damage caused to an institution as a result of a passive attack, i.e. what people will do as a result of reading the data.

Appendix A contains a table comprising a more specific classification of attacks. The table "Security Attacks With Countermeasures" has been taken from Dorothy Denning’s overview article on Internet security [DEN98]. It provides a very useful association between web attack types and appropriate countermeasures. The table shows attacks broken into eight categories set against seven categories of countermeasures that can be used to support the security of a system. It identifies the type of support that a specific category of countermeasure can provide against a particular kind of attack. The countermeasures provide support to prevent, detect, or recover from an attack; some provide more than one kind of support. The attack categories can be combined and used in a single attack. For instance, an attacker can eavesdrop by using a sniffer program to capture an authorised user’s login id and password. Once in possession of the login id and password, the attacker can use them to gain entry to an institution’s environment. Once inside, the attacker can observe, i.e. read data, or actively alter the data [STA99].

Reasons for attacks are as varied as the kinds and combinations of attacks. The reason can be gain through fraud or extortion, or maliciousness where data and programs are deleted or altered. Some attackers simply enjoy the challenge of breaching an Internet system’s security [DEN98]. As an example, last year a teenager successfully copied twenty-six thousand credit card details from several e-commerce sites. The teenager seems to have committed the attack simply because it was easy to do [COR00]. Some students equally enjoy such challenges, so these countermeasures are particularly relevant to any INSIDE pilot developments.
Dorothy Denning [DEN98] asserts that the best defence against security breaches is to make use of the tools and knowledge of good software engineering practice to prevent security attacks by developing and evolving secure systems. This means that the requirements related to security issues must be identified and included early in the development and evolution of systems. Care must be taken to ensure that security requirements are correct and complete [NEU98].

Further difficulties in securing a system arise with the use of third party software. This is especially true of Internet and Intranet systems. The ease with which web browser software can be used disguises the fact that the underlying technology is very complex and therefore vulnerable from a security perspective [STA99]. The ease of use and the high visibility of web browser software make it ideal for use as an interface and communication tool. However, developers of web browser software are reluctant to publish the problems with their very complex software, as they believe the publicity would damage their business reputations and adversely affect their profits [CAR00]. The highly visible nature of the web makes it ideal for communicating information, and this visibility makes any errors, especially security errors, on the web very newsworthy. Highly publicised security breaches, whether software errors or faulty technology, can cause a great deal of harm to individuals and to the reputation of institutions [STA99]. One of the tasks performed by the CERT® Coordination Center (CERT/CC), an independent centre of Internet security expertise, is to publish security alerts [CER01]. Actively monitoring security reports and alerts from a variety of sources is essential for institutional users of third party software. As INSIDE will utilise an existing information base, this issue is unavoidable in our project.

HE institutions can reduce the risk entailed in using third party software by sharing information about the software's problems and usefulness. The INSIDE project participates in the North East Learning Environment (NELE) group. This is a group of U.K. universities located in the North East of England that have chosen to share information about the development of web-based learning environments. They share information concerning the comparison of third party software, as well as the development of the selected software, Blackboard. In addition, NELE disseminates information to the wider HE community via events such as the 'Successful implementation of a Learning Environment' workshop. This one-day event, held on the 12th of December 2000, provided an opportunity for any interested HE institution to learn about the processes employed and problems encountered by NELE in the development of online learning environments for their institutions. Also in attendance was a representative from Blackboard, a supplier of eLearning software. Forging strong communication links with third party software suppliers is another way of reducing the risks associated with using third party software.

3. Institutional and Human Issues

According to Stallings [STA98], the use of the Internet or World Wide Web (web) is now common in government, industry, and education. Within UK HE, the use of the web is ubiquitous, and yet effective and secure access through the web to distributed information services within universities is difficult to achieve without full consideration being given to the needs of the institution and the people (staff and students) working within it. A JTAP (JISC Technology Applications Programme) project intended to discover the security requirements for networks in HE approached the problem by tying the security requirements to the goals of the institution. In this way the security requirements arose from an assessment of the ‘business’ objectives of HE institutions [LEA98]. To demonstrate this approach, take, for example, a summary of one business requirement taken from one of the reports compiled for the project, "Findings from the first stage of the Study in the Requirements for Authentication, Authorisation and Privacy in Higher Education" [LEA98]. The summary is "To demonstrate that the HE institution has a good standard of control over management and administration IT". One of the influences on the identification of this requirement was the desire to "reduce the number of adverse reports from external auditors". One of the security requirements related to this goal was "to have appropriate Risk Management structures and practices in place". As the example above demonstrates, not all security requirements are directly related to technology. Some are derived from, and will impact, the human practices of an institution. The security of a system has an influence on other requirements as well. Requirements such as flexibility, interoperability, and usability [DEN98] are not only influenced by security requirements but also have an impact on them.

In the context of web based or Internet systems, developers must balance the Internet access needs of the community with the security requirements of the institution [SPI00]. Financial considerations are also an issue within most institutions. Effective security has a cost that can place a burden on an institution’s resources [VOW00]. As a result it is best to assess the cost of security measures and compare them with an assessment of the potential financial consequences of an attack [DEN98]. In addition, financial constraints in other areas can have an impact on security issues. For example, a firewall is a common tool used to protect an institution's systems by controlling incoming and outgoing messages. Firewalls can be used by institutions to restrict access to their systems to those users known to the system, thereby preventing unauthorised access to the university's systems in general. Firewalls can also be used to control outgoing messages such as requests for web pages. A firewall can be employed to force outgoing web page fetch commands to search a local national cache before going to fetch a web page from a server in America. The motivating factor in constructing this type of firewall is likely to be that the university is subject to charges for return traffic from America. Though the motivation in this case may not be the need to practise authorisation, the financial reasoning behind the employment of a firewall enables the improvement of the HE institution’s security.

The weakest link in the security chain is people [VOW00]. The use of the Internet brings additional security issues, mostly in the form of human issues [STA98]. Enthusiasm for the web grows as more institutions and individuals develop web sites that can be viewed by anyone with an Internet connection and web browser software. The ease of use of web browsers means that occasional and technologically unsophisticated users can now access an institution’s systems [STA99]. Their lack of experience and failure to understand security implications can cause individuals within an HE institution to make decisions that have a negative impact on the security of the institution’s systems. For example, the use of anonymous FTP might seem like an effective way for a remotely located student to send an essay to a lecturer for marking. The file containing the essay is uploaded onto a server within the HE institution.
A member of staff then retrieves the file at any convenient time and marks it. Later, the student retrieves the marked copy of the file. This seems a practical and paperless way for the student and the lecturer to communicate. However, attackers use sniffer programs on the Internet looking for anonymous ftp sites. Once the sites have been located, attackers can use a server open to anonymous ftp as a storage device for any file they choose. They can communicate the server address to others, who then copy the stored files. This activity can put a strain on an institution's resources, causing a slowdown in productivity. It could also damage an institution's reputation. Depending on the content of the files, the institution can be participating, albeit unwittingly, in a distasteful or even an illegal activity.

A more common example of human fallibility concerns the “sharing” of login ids and passwords needed to gain access to an Intranet. An institution could insist that passwords are seven or more alphanumeric characters long and include at least two numerical characters. It could disseminate the information that pass-phrases are better than passwords. In addition, the institution could make use of non-malignant background processes that attempt to crack passwords and then warn users of their password's vulnerability [DEN98]. But all of these security measures are undermined the moment a user gives their login id and password to a ‘friend’.

Spinello [SPI00] asserts that even the most sophisticated security methods and tools are vulnerable and that the best method of securing a system is to have a coherent security strategy. This strategy needs to include both the technology to secure the system and an institutional security policy. The security strategy must balance the Internet access needs of the community with the security requirements of the institution. In addition, the security policy should be well publicised and enforced. Having a security policy is important, and equally important is making users aware of it. Users need to be made aware not only of the consequences of a security breach for the institution but also of the consequences to themselves, e.g. termination of employment [VOW00]. Security policies usually advise users on matters such as the construction of passwords and the need to keep them private. In addition, most security policies include some reference to relevant legislation such as the Data Protection Act [DAT00] in the U.K. The University of St Andrews' security policy is broken down by legislation, providing subsections entitled "The Computer Misuse Act" etc. The document "Conditions for Use of the Computers within the University" [UNI98] is made available on the institution's web site and in hard copy. The University of Durham policy is broken down into institutionally relevant subsections such as "University Policy", "IT Regulations", and "Code of Conduct". The documents are available on the institution's web site and in hard copy. Reference to relevant legislation is included within the subsections of the document. Both institutions provide guidance on security issues, the reasoning behind the security policy and procedures, and the consequences to the users.
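The three password measures listed above (a length-and-digits policy, the advice that pass-phrases are stronger, and a benign background process that attempts to crack stored passwords so users can be warned) are shown together in the following Python. This is an added example, not code from the paper or either university; the accounts, passwords and word list are constructed sample data, and the PBKDF2 round count is kept low so the demonstration runs quickly.

```python
"""Password policy check, pass-phrase comparison and a benign crack-and-warn audit.

Added example, not code from the paper. It implements the three measures the
paper lists: the policy (seven or more alphanumeric characters including at
least two digits), the advice that pass-phrases beat passwords (shown by a
search-space estimate), and a 'non-malignant' background audit that tries a
word list against the institution's own stored hashes so affected users can
be warned. Users, passwords and the word list are constructed sample data.
"""
import hashlib
import math
import os
import string

MIN_ALNUM = 7   # policy: at least seven alphanumeric characters ...
MIN_DIGITS = 2  # ... of which at least two are digits
PBKDF2_ROUNDS = 10_000  # kept low so the demo runs quickly; use far more in practice


def meets_policy(password):
    """Apply the paper's policy. Non-alphanumeric characters are permitted
    but do not count towards the seven-character minimum."""
    alnum = [c for c in password if c.isalnum()]
    return len(alnum) >= MIN_ALNUM and sum(c.isdigit() for c in alnum) >= MIN_DIGITS


def search_space_bits(secret):
    """log2 of the brute-force search space, inferring the alphabet from the
    character classes actually used. Length dominates, which is why a
    pass-phrase of ordinary words outscores a short mixed-case password."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret):
        size += 26
    if any(c in string.ascii_uppercase for c in secret):
        size += 26
    if any(c in string.digits for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33  # space and ASCII punctuation
    return len(secret) * math.log2(size) if size else 0.0


def hash_password(password, salt):
    """Salted, iterated hash as stored by the system; plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enrol(accounts):
    """Store a fresh random salt and PBKDF2 hash per user."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def candidates(word):
    """Cheap variations of a word-list entry that the audit tries."""
    for base in (word, word.capitalize()):
        for suffix in ("", "1", "123", "2000"):
            yield base + suffix


def audit_against_wordlist(store, wordlist):
    """The benign audit: try every candidate against each stored hash and
    return the users whose passwords were recovered, so they can be warned.
    Because each hash is salted, every user must be checked separately."""
    weak = []
    for user, (salt, digest) in store.items():
        if any(hash_password(c, salt) == digest
               for word in wordlist for c in candidates(word)):
            weak.append(user)
    return sorted(weak)


# Constructed sample accounts and a constructed word list.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2000",               # passes the policy, yet guessable
    "bob": "blue kettle sings at dawn",  # fails the digit rule, yet far stronger
    "carol": "Durham123",                # passes the policy, yet guessable
}
SAMPLE_WORDLIST = ["summer", "password", "durham", "qwerty", "letmein"]


def run_audit(accounts=SAMPLE_ACCOUNTS, wordlist=SAMPLE_WORDLIST):
    """Report per-user policy result, search-space bits, and who to warn."""
    store = enrol(accounts)
    return {
        "policy": {u: meets_policy(p) for u, p in accounts.items()},
        "bits": {u: round(search_space_bits(p), 1) for u, p in accounts.items()},
        "warn": audit_against_wordlist(store, wordlist),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

The sample data is chosen to make the paper's point: two passwords that satisfy the letter of the policy are recovered by the word-list audit, while the pass-phrase that fails the digit rule has a far larger search space and is not recovered. A policy check alone is therefore not a measure of strength; the audit and the user warning it triggers are what close the gap.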

The use of the web has meant that guidelines on web content must now become part of the security policy for an HE institution. The University of Durham's security policy includes a subsection "WWW Code of Practice" in which the institution's current policy on acceptable web site content is outlined. It is, however, not enough to warn users against including offensive and illegal materials in their web site content. Nor is it sufficient to provide content design restrictions such as when to use the University's crest. Spinello contends that those members of an institution allowed to put content on a web site must be educated in the ways in which the publication of an institution's legitimate information can cause security risks [SPI00]. Take, for example, a boast on a web site about the expensive technology available for use by members of the HE institution. Though the motivation is probably to increase student recruitment, the result could be burglary. Thus, within the INSIDE project, special consideration will be given to who needs to access the information services and how their appropriate usage of the information obtained can be assured.

4. Conclusion

Bridging the gap between what university central services traditionally provide and what the academics currently need through the development of an institutionally secure integrated data environment is the goal of the INSIDE project. This project is investigating issues surrounding the development and delivery of “joined up system for institutions”. The INSIDE project is developing a model of distributed functionality. As the model will be realised through user-oriented portals on the web and accessible via the Internet, it must address security issues. No web-based environment can be completely secure. It is important to realise that technical security issues, though important, are overshadowed by the institutional and human issues. Security issues are dependent on the needs of the institution and the people working and studying within that institution. Education of the users of a web-based environment is an important part of an effective security strategy and is therefore a key part of the security requirements for any web-based system, such as INSIDE.

5. Acknowledgements

This research has been funded by the JISC Committee for Integrated Environments for Learners. The authors would like to thank Paul Jones, Head of Systems Group, Information Systems Service, University of Durham, for his time and insight into IT security issues.

6. References

[ALL00] Colin Allison, Malcolm Bain, et al., "An Institutionally Secure Integrated Data Environment". In JCIEL Managed Learning Environments Bid, February 2000.
[CAR00] Damian Carrington, "Are Computer viruses unstoppable?". In BBC News Online, 5th of May 2000. http://news.bbc.co.uk/hi/english/business/newsid_924000/924401.stm
[COR00] Jane Corbin, "Teenage hackers target security flaws". In BBC News Online, 3rd of July 2000. http://news.bbc.co.uk/hi/english/business/newsid_8170100/817762.stm
[CER01] The CERT® Coordination Center (CERT/CC), part of the Carnegie Mellon Software Engineering Institute. http://www.cert.org/
[CUR00] Jennifer Currie, "Stay ahead of the deadline". In The Times Higher, May 12, 2000.
[DAT00] http://www.dataprotection.gov.uk/
[DEN98] Dorothy E. Denning, "Cyberspace Attacks and Countermeasures". In Internet Besieged: Countering Cyberspace Scofflaws, eds. Dorothy E. Denning and Peter J. Denning, ACM Press, New York, N.Y., 1998. Pages 29-51.
[KOT98] Gerald Kotonya and Ian Sommerville, Requirements Engineering: Process and Techniques, John Wiley & Sons Ltd., Chichester, West Sussex, 1998.
[LEA98] John Leach, "Findings from the first stage of the Study into the Requirements for Authentication, Authorisation and Privacy in Higher Education". In Report 015, JISC Technology Application Programme, February 1998.
[NEU98] Peter G. Neumann, "Reviewing the Risks Archives". In Internet Besieged: Countering Cyberspace Scofflaws, eds. Dorothy E. Denning and Peter J. Denning, ACM Press, New York, N.Y., 1998. Pages 67-72.
[SPI00] Richard A. Spinello, "Information Integrity". In Internet Ethics, ed. Duncan Langford, MacMillan Press Ltd, London, 2000.
[STA98] William Stallings, Cryptography and Network Security: Principles and Practice, 2nd edition. Prentice Hall, New Jersey, 1998.
[STA99] William Stallings, Network Security Essentials: Applications and Standards, Prentice Hall, New Jersey, 1999.
[UNI98] University of St Andrews, Conditions for Use of the Computers within the University, September 1998. http://www.stand.ac.uk/ITS/condcodes/CoUcomputers.html
[UNI99] University of Durham, ITS Rules and Regulations, 2 July 1999. http://www.dur.ac.uk/ITS/Regulations/index.htm
[VOW00] Julia Vowler, "Security – it’s not an IT problem, it’s a business risk". In Computer Weekly, page 76, 14 September 2000.

7. Appendix A: Security Attacks With Countermeasures [DEN98]

Key: P = Prevention, D = Detection, R = Recovery.

Attacks (table rows): Eavesdropping; Snooping (Storage, Memory); Tampering; Spoofing; Jamming; Injecting Code; Exploiting Flaws; Cracking.

Countermeasures (table columns): Encryption (Secrecy); Authentication; Access Control, Monitor; Audit, Intrusion Detection; Virus Scan & Disinfect; Backup; Design, Implementation and Operation.

[The P/D/R entries in the body of the original table are not recoverable from the extracted text and are not reproduced here.]