Active vs Passive Security Threats Explained

A threat, as described by Workman, Phelps & Gathegi (2013) in relation to information security, is the potential for a security breach that exploits a vulnerability. A vulnerability, as described by Workman, Phelps & Gathegi (2013), is an artifact of a system through which the security of the system can be breached. During an attack the vulnerability is exploited, and the attack can be passive or active.

An active threat, as described by Traynor, McDaniel & La Porta (2008), is a bad actor or enemy who launches an active attack by directly manipulating the targeted system. Active attacks can send forged messages, modify internal or external data, and/or prevent legitimate activities from occurring. In the case of an active attack, as Traynor, McDaniel & La Porta (2008) point out, the enemy needs to interact with the system, which is beneficial to the defender in a sense because the interaction produces behavior that can be detected. An active security threat or attack, as described by Cole (2008), is the attempt to evade or break protection features, introduce malicious code, or steal or modify information.

A passive attack launched by a bad actor does not interact with the system directly, as Traynor, McDaniel & La Porta (2008) describe. A passive attack or threat results in the disclosure of information or data files to a bad actor or attacker without the user's consent or knowledge that the event occurred, as described by Cole (2008). A passive attack, as discussed by Workman, Phelps & Gathegi (2013), can be designed so that the victim simply has no idea that the information was stolen.

Categories of Active and Passive Security Attacks

Three categories of active security attack, as described by Traynor, McDaniel & La Porta (2008), are sending forged messages, altering internal or external data, and preventing legitimate activities from occurring. An example of a forged message is impersonating a bank email or website and using it for a phishing attack. A phishing attack, as described by Comer (2014), is masquerading as a well-known bank or other organization to obtain a victim's personal information. An example of altering external data, as Comer (2014) points out, is address spoofing: faking the IP source address in a network packet so that the receiver or victim processes the packet as if it came from the spoofed source. A denial of service attack is an example of preventing a legitimate activity from occurring. A denial of service attack, as described by Comer (2014), consists of a bad actor flooding a site with network packets, which prevents the site from performing normal operations for its customers.

Three categories of passive attack are passive listening, traffic monitoring, and information collection. Passive listening, as described by Traynor, McDaniel & La Porta (2008), is overhearing a conversation without the participants being aware that someone is listening. Monitoring traffic on technical infrastructure, or wiretapping, as described by Comer (2014), consists of copying packets as they traverse the network in order to obtain information. The last example is simple information collection, as Peltier (2013) points out. Information gathering is finding the victim's contact information, searching for information on a search engine, collecting information from the organization's website, and gathering any other information that can assist in an attack.

Security Services: Cryptography, Authentication, and PKI

Three security services, as described by Traynor, McDaniel & La Porta (2008), are cryptography, authentication and authorization, and certificates and PKI. The first security service, known as the art of writing secrets, is cryptography, as Traynor, McDaniel & La Porta (2008) point out. Cryptography, as described by Paar & Pelzl (2010), is the science of secret writing, with the objective of hiding the meaning of a message. Cryptography began as a way of hiding military and diplomatic communications. Cryptography can be split into three main branches, which, as Paar & Pelzl (2010) point out, are symmetric algorithms, asymmetric algorithms, and cryptographic protocols.

Another security service category is authentication and authorization. Authentication, as described by Traynor, McDaniel & La Porta (2008), is the process of establishing the identity of an entity, which might be a user or a process under inspection. A userid and password is a good example. The userid is not logged in until the password belonging to that userid has been authenticated, as Traynor, McDaniel & La Porta (2008) point out; the strength or weakness of the password determines how well the userid is protected from being logged in by someone else. Authorization, as Traynor, McDaniel & La Porta (2008) point out, provides the access the userid is granted through a defined set of access controls within the system. The access controls are the permissions or privileges allocated to the userid. Once authentication of the userid is complete, the userid is assigned the privileges and rights it holds on the system it has logged into, as Traynor, McDaniel & La Porta (2008) point out. More secure systems may require more than one authentication method; two-factor authentication is an example. The first factor is a password, and the second could be a card that provides a token to log in with, as Traynor, McDaniel & La Porta (2008) describe. The password and the token presented during authentication are together called a credential.
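The two steps described above, authentication with a password plus a token and then authorization against a set of access controls, as an added Go example that is not from the cited textbooks or the original post. The user record, salt, token secret and permission names are constructed for the illustration; the token code follows RFC 4226 (HOTP), and the password hashing is a deliberately simplified stand-in for a real password KDF such as PBKDF2, bcrypt, scrypt or Argon2.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// User is a constructed directory entry: credential material plus the
// permissions (access controls) allocated to the userid.
type User struct {
	ID          string
	Salt        []byte
	PassHash    []byte          // derived from Salt+password; the password itself is never stored
	TokenSecret []byte          // shared with the user's hardware token card
	Counter     uint64          // HOTP counter, advanced on each successful token use
	Permissions map[string]bool // e.g. "report:read" -> true
}

// hashPassword is a simplified salted, iterated SHA-256. It stands in for a
// real password KDF (PBKDF2/bcrypt/scrypt/Argon2), which production code must use.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 10000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// hotp is the RFC 4226 counter-based one-time code a token card computes from
// the secret it shares with the server.
func hotp(secret []byte, counter uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Session is what successful authentication yields: an established identity
// to which the system's access controls are then applied.
type Session struct {
	UserID string
	Perms  map[string]bool
}

var ErrAuth = errors.New("authentication failed")

// Authenticate checks both factors: something known (the password) and
// something held (the token code). Both failures produce the same error so a
// caller learns nothing about which factor was wrong.
func Authenticate(u *User, password, tokenCode string) (*Session, error) {
	passOK := subtle.ConstantTimeCompare(hashPassword(u.Salt, password), u.PassHash) == 1
	tokenOK := subtle.ConstantTimeCompare([]byte(hotp(u.TokenSecret, u.Counter)), []byte(tokenCode)) == 1
	if !passOK || !tokenOK {
		return nil, ErrAuth
	}
	u.Counter++ // a token code is single-use; replaying it must fail
	return &Session{UserID: u.ID, Perms: u.Permissions}, nil
}

// Authorize is the separate step: given an authenticated identity, is the
// requested action among the privileges allocated to the userid?
func Authorize(s *Session, perm string) bool {
	return s != nil && s.Perms[perm]
}

// NewUser enrolls a constructed user with a password, a token secret and permissions.
func NewUser(id, password string, salt, tokenSecret []byte, perms ...string) *User {
	u := &User{ID: id, Salt: salt, TokenSecret: tokenSecret, Permissions: map[string]bool{}}
	u.PassHash = hashPassword(salt, password)
	for _, p := range perms {
		u.Permissions[p] = true
	}
	return u
}

func main() {
	alice := NewUser("alice", "correct horse battery staple",
		[]byte("constructed-salt"), []byte("constructed-token-secret"), "report:read")
	code := hotp(alice.TokenSecret, alice.Counter) // what Alice's card would display
	sess, err := Authenticate(alice, "correct horse battery staple", code)
	fmt.Println("login ok:", err == nil)
	fmt.Println("may read reports:", Authorize(sess, "report:read"))
	fmt.Println("may manage users:", Authorize(sess, "user:admin"))
	_, err = Authenticate(alice, "wrong password", hotp(alice.TokenSecret, alice.Counter))
	fmt.Println("wrong password rejected:", errors.Is(err, ErrAuth))
}
```

The point of keeping Authenticate and Authorize separate is the one the text makes: establishing who the entity is and deciding what it may do are different controls, and a session that passed the first still gets nothing the access-control table does not grant.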

The third security service is certificates and PKI. A digital certificate, as described by Peltier (2014), is a certificate binding a public key to its subscriber, matching a private key held by the subscriber. A digital certificate is a unique code that is normally used to verify the authenticity and integrity of a communication. A certificate is commonly used for authentication, by demonstrating that the private key is known, and for trust, via the digital signature on the certificate, as Traynor, McDaniel & La Porta (2008) point out. Certain organizations are in the business of issuing certificates. They are called certificate authorities, and they issue a certificate by signing an identity, validity dates, and the public key, as Traynor, McDaniel & La Porta (2008) describe.
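The certificate lifecycle just described, a CA signing an identity, validity dates and a public key, a relying party checking that signature and validity window, and the subscriber proving it knows the matching private key, as an added Go example using the standard library's crypto/x509 package. This is illustration code, not from the cited books; the CA name, host name, validity periods and challenge are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCA creates a self-signed root: the CA's identity, validity dates and
// public key, signed with the CA's own private key.
func issueCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA sign a subscriber certificate: it binds `name` to the
// subscriber's freshly generated public key for the given validity window.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyLeaf is the relying party's check: signed by a CA we trust, valid at
// time `now`, and issued for the name we intend to talk to.
func verifyLeaf(leaf, ca *x509.Certificate, name string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     name,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// proveKey shows the subscriber demonstrating that it knows the private key
// matching the certified public key: it signs a challenge that the peer can
// check using nothing but the certificate.
func proveKey(leaf *x509.Certificate, key *ecdsa.PrivateKey, challenge []byte) error {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return err
	}
	return leaf.CheckSignature(x509.ECDSAWithSHA256, challenge, sig)
}

func main() {
	now := time.Now()
	ca, caKey, err := issueCA("Example Root CA", now)
	if err != nil {
		panic(err)
	}
	leaf, leafKey, err := issueLeaf(ca, caKey, "www.example.test", now.Add(-time.Hour), now.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("valid now:     ", verifyLeaf(leaf, ca, "www.example.test", now))
	fmt.Println("after expiry:  ", verifyLeaf(leaf, ca, "www.example.test", now.Add(100*24*time.Hour)))
	fmt.Println("wrong name:    ", verifyLeaf(leaf, ca, "other.example.test", now))
	fmt.Println("proof of key:  ", proveKey(leaf, leafKey, []byte("constructed challenge")))
}
```

Note that the three failing checks (expired, wrong name, untrusted issuer) are the ones a client must not skip: a certificate whose signature verifies is still worthless if it is outside its validity dates or was issued for a different identity.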

The OSI security architecture, as described by Stallings (2014), focuses on security attacks, mechanisms, and services. A security service, as Stallings (2014) points out, is a processing or communication service that enhances the security of data processing and of the information transferred within an organization. Security services, as Stallings (2014) points out, are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

Security Mechanisms: VPN, Firewall, and Intrusion Detection

Three categories of security mechanism are the IP Security protocol (IPsec) or virtual private networks (VPN), firewalls, and intrusion detection systems (IDS), as Traynor, McDaniel & La Porta (2008) discuss. IPsec is commonly used to implement a VPN.

One VPN protocol, IPsec, supports the transport and tunnel encryption modes, as described by Peltier (2014). IPsec transport mode encrypts the payload, or data portion, of a packet and leaves the header intact. IPsec tunnel mode is more secure, as Peltier (2014) points out, since it encrypts both the payload and the header of the packet. With IPsec, each packet is encrypted on the sending side, and the device on the receiving side decrypts each packet.
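The difference between the two modes, what stays readable to an observer on the path and what the receiving device recovers, as an added Go example that is not part of the original post or of any IPsec implementation. The packet layout is a toy (an 8-byte header holding only source and destination addresses) and the key is a constructed constant; real ESP carries an SPI, sequence number and padding, and its keys come from IKE. AES-GCM is used so that a tampered packet is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Packet is a toy IP packet: a cleartext header and a payload.
type Packet struct {
	Header  []byte // constructed 8-byte header: 4-byte src, 4-byte dst
	Payload []byte
}

func header(src, dst [4]byte) []byte { return append(src[:], dst[:]...) }
func addr(b []byte) string           { return fmt.Sprintf("%d.%d.%d.%d", b[0], b[1], b[2], b[3]) }

// seal encrypts and authenticates pt with AES-GCM; the nonce travels in front.
func seal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal and fails if any byte of the ciphertext was altered.
func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Transport mode: the original IP header stays in the clear; only the payload is protected.
func Transport(key []byte, p Packet) (Packet, error) {
	ct, err := seal(key, p.Payload)
	return Packet{Header: p.Header, Payload: ct}, err
}

func Untransport(key []byte, p Packet) (Packet, error) {
	pt, err := open(key, p.Payload)
	return Packet{Header: p.Header, Payload: pt}, err
}

// Tunnel mode: header and payload are both encrypted, and a new outer header
// naming only the two gateways is placed in front.
func Tunnel(key []byte, p Packet, gwSrc, gwDst [4]byte) (Packet, error) {
	inner := append(append([]byte{}, p.Header...), p.Payload...)
	ct, err := seal(key, inner)
	return Packet{Header: header(gwSrc, gwDst), Payload: ct}, err
}

func Untunnel(key []byte, p Packet) (Packet, error) {
	inner, err := open(key, p.Payload)
	if err != nil {
		return Packet{}, err
	}
	if len(inner) < 8 {
		return Packet{}, errors.New("inner packet too short")
	}
	return Packet{Header: inner[:8], Payload: inner[8:]}, nil
}

// Endpoints is what an observer on the path can read from the cleartext header.
func Endpoints(p Packet) (string, string) { return addr(p.Header[:4]), addr(p.Header[4:8]) }

func main() {
	key := []byte("constructed-16Bk") // constructed 128-bit key
	hostA, hostB := [4]byte{10, 0, 1, 5}, [4]byte{10, 0, 2, 9}
	gwA, gwB := [4]byte{203, 0, 113, 1}, [4]byte{198, 51, 100, 1}
	orig := Packet{Header: header(hostA, hostB), Payload: []byte("hello bob")}

	tr, _ := Transport(key, orig)
	s, d := Endpoints(tr)
	fmt.Println("transport mode, observer sees:", s, "->", d) // inner hosts still visible
	tu, _ := Tunnel(key, orig, gwA, gwB)
	s, d = Endpoints(tu)
	fmt.Println("tunnel mode, observer sees:   ", s, "->", d) // only the gateways
	back, err := Untunnel(key, tu)
	fmt.Printf("gateway B recovers %q (err=%v)\n", back.Payload, err)
}
```

What the observer sees is the whole difference: in transport mode the inner hosts' addresses remain readable (which is why it is used host-to-host), while in tunnel mode traffic analysis on the path can only attribute the packet to the two gateways.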

Another example of a VPN is Transport Layer Security (TLS) and Secure Sockets Layer (SSL), which provide security at the application layer, as described by Traynor, McDaniel & La Porta (2008). SSL is a newer revised version of TLS. SSL and TLS are primarily used, as Traynor, McDaniel & La Porta (2008) point out, to secure Internet communication such as instant messaging, electronic mail, and other user applications. OpenSSL is a widely used open source implementation of SSL, and the acceptance of the protocol is largely due to how easy it is to use, as Traynor, McDaniel & La Porta (2008) point out.

The second security mechanism is the firewall. A firewall is used to isolate one application or network from another. The firewall is placed at the entry and exit points of a network, host, or application, as Traynor, McDaniel & La Porta (2008) describe. Traffic that passes through the interface is processed according to the rules or policies set up for it, which determine whether the traffic may or may not pass through the firewall. The most common firewall policies are to accept, deny, or log traffic. A firewall can be installed anywhere from the physical layer to the application layer in the protocol stack.
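A packet filter with exactly the accept, deny and log policies named above, as an added Go example that is not part of the original post. It also covers the address-spoofing case from the attack categories section: the first rule drops anything arriving on the external interface that claims an internal source address, and because rules are applied first-match, that rule must come before the one that admits web traffic. The interface names, address ranges and packets are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is a firewall decision. Logging is a flag on the rule rather than an
// action of its own, since traffic may be logged whether accepted or denied.
type Action int

const (
	Deny Action = iota
	Accept
)

func (a Action) String() string {
	if a == Accept {
		return "accept"
	}
	return "deny"
}

// Packet is the minimal view a packet filter needs: arrival interface, the
// addresses from the IP header, and the transport protocol and port.
type Packet struct {
	Iface    string
	Src, Dst netip.Addr
	Proto    string
	DstPort  uint16
}

// NewPacket builds a constructed packet from dotted-quad addresses.
func NewPacket(iface, src, dst, proto string, port uint16) Packet {
	return Packet{Iface: iface, Src: netip.MustParseAddr(src), Dst: netip.MustParseAddr(dst), Proto: proto, DstPort: port}
}

// Rule fields left at their zero value match anything.
type Rule struct {
	Name    string
	Iface   string
	Src     netip.Prefix
	Dst     netip.Prefix
	Proto   string
	DstPort uint16
	Action  Action
	Log     bool
}

func (r Rule) matches(p Packet) bool {
	if r.Iface != "" && r.Iface != p.Iface {
		return false
	}
	if r.Src.IsValid() && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst.IsValid() && !r.Dst.Contains(p.Dst) {
		return false
	}
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.DstPort != 0 && r.DstPort != p.DstPort {
		return false
	}
	return true
}

type Firewall struct {
	Rules []Rule
	Logs  []string
}

// Filter applies the rules in order: the first matching rule decides, and
// traffic that matches nothing is denied (default deny).
func (fw *Firewall) Filter(p Packet) (Action, string) {
	for _, r := range fw.Rules {
		if !r.matches(p) {
			continue
		}
		if r.Log {
			fw.Logs = append(fw.Logs, fmt.Sprintf("%s %s: %s %s -> %s:%d on %s",
				r.Name, r.Action, p.Proto, p.Src, p.Dst, p.DstPort, p.Iface))
		}
		return r.Action, r.Name
	}
	return Deny, "default-deny"
}

// NewPerimeterFirewall is a constructed border policy: reject spoofed inside
// addresses arriving from outside, admit HTTPS to one server, log and deny the rest.
func NewPerimeterFirewall() *Firewall {
	inside := netip.MustParsePrefix("10.0.0.0/8")
	server := netip.MustParsePrefix("10.0.1.10/32")
	return &Firewall{Rules: []Rule{
		{Name: "antispoof", Iface: "wan", Src: inside, Action: Deny, Log: true},
		{Name: "allow-https", Iface: "wan", Dst: server, Proto: "tcp", DstPort: 443, Action: Accept},
		{Name: "deny-all", Iface: "wan", Action: Deny, Log: true},
	}}
}

func main() {
	fw := NewPerimeterFirewall()
	for _, p := range []Packet{
		NewPacket("wan", "10.0.0.5", "10.0.1.10", "tcp", 443),     // spoofed inside source
		NewPacket("wan", "203.0.113.7", "10.0.1.10", "tcp", 443),  // legitimate HTTPS
		NewPacket("wan", "203.0.113.7", "10.0.1.10", "tcp", 22),   // not permitted
	} {
		action, rule := fw.Filter(p)
		fmt.Printf("%s -> %s:%d  %s (%s)\n", p.Src, p.Dst, p.DstPort, action, rule)
	}
	for _, l := range fw.Logs {
		fmt.Println("log:", l)
	}
}
```

The spoofed packet is the instructive case: it is otherwise a perfectly ordinary HTTPS request to the allowed server, so only the ordering of the anti-spoofing rule ahead of the allow rule stops it.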

The third category of security mechanism is the IDS. The IDS is designed to monitor the state of a network system by detecting or identifying malicious activity.

The history of intrusion detection started in the 1980s, when James Anderson proposed monitoring security threats from audit trails, as Tsai & Yu (2011) point out. Over the years, audit data containing system, user, application, and network activities have been used to detect intrusions. Separate analysis and detection methods were proposed and established, from statistical analysis, expert systems, and model-based systems to machine learning or data mining-based systems. The detection methods are classified into two broad categories: misuse detection, also known as signature-based detection, and anomaly detection.

The main goal of deploying an Intrusion Detection System (IDS) is to use it as another layer of security to protect the system, as described by Tsai & Yu (2011). They go on to define an "intrusion" as an attempt to compromise the confidentiality, integrity, or availability of a resource, or to bypass the security mechanisms of a computer or network system. The role of the IDS in security is to detect attempts to penetrate a system by monitoring the events that happen in a computer system or network and analyzing them for signs of intrusions. The IDS can generate and report alarms to system operators when it detects intrusive or abnormal activity.
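The two detection categories named above, misuse (signature-based) detection and anomaly detection, run side by side over a few constructed audit lines, as an added Go example that is not from Tsai & Yu or the original post. The log format, the addresses, the two signatures and the anomaly threshold (more than five failed logins from one source within a minute) are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Alert is what the IDS reports to the operator.
type Alert struct {
	Kind   string // "signature" or "anomaly"
	Rule   string
	Source string
	Line   string
}

// Signature (misuse) detection: each rule is a pattern of known-bad activity.
type Signature struct {
	Name string
	Re   *regexp.Regexp
}

var signatures = []Signature{
	{"invalid-user-probe", regexp.MustCompile(`Failed password for invalid user`)},
	{"path-traversal", regexp.MustCompile(`GET \S*\.\./`)},
}

var (
	failedRe = regexp.MustCompile(`^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port`)
	srcRe    = regexp.MustCompile(`\d{1,3}(?:\.\d{1,3}){3}`) // first IPv4 address on the line
)

// Constructed audit lines: an sshd burst and a web request from one source,
// ordinary activity from another.
var sampleLog = strings.Split(strings.TrimSpace(`
2024-01-01T10:00:01Z sshd[101]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
2024-01-01T10:00:03Z sshd[101]: Failed password for invalid user test from 198.51.100.9 port 51001 ssh2
2024-01-01T10:00:05Z sshd[101]: Failed password for root from 198.51.100.9 port 51002 ssh2
2024-01-01T10:00:06Z sshd[102]: Failed password for bob from 203.0.113.4 port 40000 ssh2
2024-01-01T10:00:07Z sshd[101]: Failed password for root from 198.51.100.9 port 51003 ssh2
2024-01-01T10:00:09Z sshd[101]: Failed password for root from 198.51.100.9 port 51004 ssh2
2024-01-01T10:00:11Z sshd[101]: Failed password for root from 198.51.100.9 port 51005 ssh2
2024-01-01T10:00:12Z sshd[103]: Accepted password for bob from 203.0.113.4 port 40001 ssh2
2024-01-01T10:00:20Z httpd: 203.0.113.4 GET /index.html 200
2024-01-01T10:00:21Z httpd: 198.51.100.9 GET /cgi-bin/../../etc/passwd 404
`), "\n")

// detectSignatures flags every line that matches a known pattern. It can only
// find what it has a rule for, but each hit is precise and explains itself.
func detectSignatures(lines []string) []Alert {
	var out []Alert
	for _, l := range lines {
		for _, s := range signatures {
			if s.Re.MatchString(l) {
				out = append(out, Alert{"signature", s.Name, srcRe.FindString(l), l})
			}
		}
	}
	return out
}

// detectAnomalies needs no attack pattern: it models what is normal (at most
// `limit` failed logins per source in any `window`) and alerts on deviation.
// A source is reported once, on the event that pushes it over the limit.
func detectAnomalies(lines []string, window time.Duration, limit int) []Alert {
	recent := map[string][]time.Time{}
	flagged := map[string]bool{}
	var out []Alert
	for _, l := range lines {
		m := failedRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		src := m[2]
		keep := recent[src][:0] // slide the window: drop events older than `window`
		for _, t := range recent[src] {
			if ts.Sub(t) <= window {
				keep = append(keep, t)
			}
		}
		recent[src] = append(keep, ts)
		if len(recent[src]) > limit && !flagged[src] {
			flagged[src] = true
			out = append(out, Alert{"anomaly", "failed-login-burst", src, l})
		}
	}
	return out
}

func main() {
	for _, a := range append(detectSignatures(sampleLog), detectAnomalies(sampleLog, time.Minute, 5)...) {
		fmt.Printf("%-9s %-20s %-14s %s\n", a.Kind, a.Rule, a.Source, a.Line)
	}
}
```

Run together the two methods show their complementary blind spots: the signature rules say nothing about the login burst because none of its lines individually matches a pattern, and the anomaly detector says nothing about the traversal request because a single web request is not abnormal in volume.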

There are many intrusion prevention techniques. Examples are user and application authorization and authentication, avoiding design and programming errors, information protection, and firewalls for network connection protection. Intrusion prevention by itself is not always sufficient to protect a system: as systems become more complex, there is always an exploitable weakness arising from design and programming errors, incorrect system configuration and operation, or penetration techniques.

Symmetric vs Asymmetric Encryption

Symmetric encryption uses a single key shared among the people who need to receive the message, whereas with an asymmetric encryption method a pair of keys, one public and one private, is required to encrypt and decrypt messages, as Paar & Pelzl (2010) point out. Asymmetric algorithms, also called public-key algorithms, were introduced in 1976 by their creators Whitfield Diffie, Martin Hellman, and Ralph Merkle. Public-key cryptography works similarly to a symmetric algorithm, except that a user possesses both a secret key and a public key. The user keeps the secret, or private, key and shares the public key with others. Asymmetric encryption was created to address the main problem of symmetric encryption, which is the requirement to share the key, as Paar & Pelzl (2010) describe. Another difference is that symmetric encryption takes less time than asymmetric encryption, as described by Paar & Pelzl (2010).

Symmetric algorithms are what people commonly think of when someone says cryptography. Symmetric algorithms, or ciphers, give two parties an encryption and decryption method in which they share the same secret key. Cryptography from ancient times until 1976 was based exclusively on symmetric methods. Symmetric ciphers are still used, mainly for integrity checking and data encryption of messages. Symmetric algorithms are best introduced with an easy-to-understand problem, as described by Paar & Pelzl (2010). The example uses two users, Alice and Bob, who want to communicate over an insecure network. The insecure network can be the Internet, mobile phone communications, or a wireless network. Alice encrypts the message using the symmetric algorithm and the secret key shared between them. Bob receives the ciphertext and decrypts the message using the same secret key as Alice. Encrypting the message with the key keeps a third party from learning what Alice and Bob are communicating over the network.

Triple DES, Key Distribution, and AES vs DES

Triple encryption, as described by Traynor, McDaniel & La Porta (2008), is the triple DES algorithm, also known as 3DES. Triple encryption was created to prolong the lifetime of the DES algorithm by using multiple keys, increasing security by effectively extending the key size to 122 bits. Triple encryption takes time and can be slow, and some view the time required to encrypt as unattractive for some applications. Triple encryption, as Peltier (2013) points out, is not secure due to a vulnerability that enables a malicious user to modify the key length, which essentially reduces the time required for cryptanalysis.

Symmetric encryption works, as described by Stallings (2014), when the two parties exchange or share the same key, and the key used needs to be protected from use by others. It is also best practice, as Stallings (2014) points out, to rotate keys frequently, which limits the volume of data compromised if a bad actor learns the key. Key distribution can be achieved in a number of ways. For two parties, Alice and Bob, Stallings (2014) describes the following four options. First, a key could be selected by Alice and physically delivered to Bob. Second, a third party could select the key and physically deliver it to Alice and Bob. Third, if Alice and Bob have previously and recently used a key, one could transmit the new key to the other, using the old key to encrypt the new key. Fourth, as Stallings (2014) points out, if Alice and Bob both have an encrypted connection to a third party, Charlie, then Charlie could deliver a key over the encrypted links to Alice and Bob.
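One Go example, added here and not from Paar & Pelzl, Stallings or the original post, that ties the symmetric-versus-asymmetric section to the key-distribution options just listed: Alice and Bob protect their messages with a shared AES key (the symmetric case), the key-sharing problem is solved by sending that key under Bob's RSA public key (the asymmetric case), and a later key is delivered encrypted under the key they already share (Stallings' third option). The message, the key size and the OAEP label are constructed; AES-GCM and RSA-OAEP are the standard-library primitives chosen for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// gcm builds an AES-GCM AEAD for a 16-byte (AES-128) key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt is the symmetric side: anyone holding `key` can produce a ciphertext
// that only another holder of the same key can open, and tampering is detected.
func encrypt(key, msg []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, msg, nil), nil // nonce travels in front of the ciphertext
}

func decrypt(key, ct []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// freshKey draws a random 128-bit AES key.
func freshKey() ([]byte, error) {
	k := make([]byte, 16)
	_, err := rand.Read(k)
	return k, err
}

// newRecipient generates Bob's RSA key pair; the public half is shared with
// everyone, the private half never leaves Bob.
func newRecipient() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

var oaepLabel = []byte("session-key") // constructed label binding the ciphertext to its purpose

// shareKey is the asymmetric answer to the key-sharing problem: Alice encrypts
// the symmetric key under Bob's public key, so nothing secret needs to be
// delivered out of band, and only Bob's private key can recover it.
func shareKey(bobPub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, key, oaepLabel)
}

func recoverKey(bob *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, bob, wrapped, oaepLabel)
}

// rotateKey is Stallings' third distribution option: a fresh key sent under the
// key the parties already share. acceptRotatedKey is the receiving side.
func rotateKey(oldKey []byte) (next, wrapped []byte, err error) {
	if next, err = freshKey(); err != nil {
		return nil, nil, err
	}
	wrapped, err = encrypt(oldKey, next)
	return next, wrapped, err
}

func acceptRotatedKey(oldKey, wrapped []byte) ([]byte, error) {
	next, err := decrypt(oldKey, wrapped)
	if err != nil {
		return nil, err
	}
	if len(next) != 16 {
		return nil, errors.New("unexpected key length")
	}
	return next, nil
}

func main() {
	bob, err := newRecipient()
	if err != nil {
		panic(err)
	}
	session, _ := freshKey()                        // Alice picks the session key
	wrapped, _ := shareKey(&bob.PublicKey, session) // and sends it under Bob's public key
	bobKey, _ := recoverKey(bob, wrapped)
	ct, _ := encrypt(session, []byte("constructed message from Alice"))
	pt, err := decrypt(bobKey, ct)
	fmt.Printf("bob reads: %q (err=%v)\n", pt, err)
	next, rot, _ := rotateKey(session)
	bobNext, err := acceptRotatedKey(bobKey, rot)
	fmt.Println("rotated key agreed:", err == nil && string(bobNext) == string(next))
}
```

The slow, expensive RSA operation happens once per key, and the fast symmetric cipher handles every message afterwards, which is the practical consequence of the speed difference the text notes. Rotation under the old key only helps while the old key is still secret, which is why the text pairs it with rotating frequently.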

There are differences between the Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES). 3DES has a couple of attractive features, as described by Stallings (2014). One is that, with its 168-bit key length, it overcomes the vulnerability of DES to brute-force attack. The second is that the fundamental encryption algorithm in 3DES is the same as the one used in DES. One disadvantage of 3DES is that the algorithm is relatively slow in software implementations, as Stallings (2014) points out: 3DES requires three times as many rounds as DES and so is slower. Another disadvantage is that both DES and 3DES use a 64-bit block size; for efficiency and security reasons, a larger block size is appropriate, as Stallings (2014) describes. With these disadvantages, 3DES is not a solid candidate for long-term use, as Stallings (2014) discusses. Its replacement, AES, should have security strength equal to or better than 3DES and significantly improved efficiency. AES is a symmetric block cipher with a block length of 128 bits and support for key lengths of 128, 192, and 256 bits. The evaluation criteria included security, computational efficiency, memory requirements, hardware and software suitability, and flexibility.

References

Cole, E. (2009). Network security bible, 2nd edition. John Wiley & Sons.

Comer, D. E. (2014). Computer networks and internets, 6th edition. Pearson.

Paar, C., & Pelzl, J. (2010). Understanding cryptography: A textbook for students and practitioners. Springer. doi:10.1007/978-3-642-04101-3

Peltier, T. R. (2013). Information security fundamentals, 2nd edition. CRC Press.

Stallings, W. (2014). Network security essentials: Applications and standards, 5th edition. Pearson.

Traynor, P., McDaniel, P., & La Porta, T. (2008). Security for telecommunications networks: Advances in information security. Springer.

Tsai, J. J. P., & Yu, Z. (2011). Intrusion detection. World Scientific Publishing Company.

Workman, M. D., Phelps, D. C., & Gathegi, J. N. (2013). Information security for managers. Jones & Bartlett Learning.
