Design of a computer security system in Cuba

Anonim

Introduction.

Every technological change brings advantages, but we must also be aware of its disadvantages. The use of Information Technology (IT) has meant an unquestionable advance, but its improper use has also introduced new manifestations that are inappropriate for society.

Cuba, a country blockaded by the richest imperialist power in the world, which dominates the large transnational technology corporations, has known how to articulate its social goals intelligently and rationally in the Guidelines for the Informatization of Cuban Society. In Cuba, information technologies (IT) are educational means, intended not only for schools but for society as a whole.

Their prospective development must be coherently aligned with the social goals outlined in the Guidelines for the Informatization of Cuban Society, and with the strategies and goals set out at international events such as the World Forum on Education in Dakar, Senegal (April 2000), the World Summits on the Information Society held in Geneva, Switzerland (December 2003) and in Tunis (December 2005), and the Ibero-American Conferences of Ministers of Education (Chile, July 2007, and San Salvador, May 2008), where the mission of education in these purposes is highlighted.

They are used, for educational purposes, for the formation and consolidation of revolutionary values and principles, built on solid foundations in accordance with our Martí-inspired, Marxist and Fidelista ideology, for the sake of forming a fully educated person with moral, spiritual and revolutionary values in keeping with our socialist model.

For this it is important to know that computer security, according to Pfleeger, is the area of computing that focuses on the protection of the computing infrastructure and everything related to it (including the information it contains). To that end there is a series of standards, protocols, methods, rules, tools and laws designed to minimize possible risks to the infrastructure or the information. Computer security is a process that covers software, databases, metadata, files and everything that the organization values (its assets) and that represents a risk if it falls into other people's hands. This type of information is known as privileged or confidential information.

The concept of information security should not be confused with that of computer security, since the latter is only responsible for security in the computer environment, whereas information can be found in different media or forms.

The Computer Security Plan is the basic document that establishes the organizational and functional principles of the Computer Security activity in an entity. It clearly sets out the security policies and the responsibilities of each participant in the computing process, as well as the measures and procedures that make it possible to prevent, detect and respond to the threats that hang over it.

During the design process of a Computer Security System, three stages are distinguished:

  1. Determine the protection needs of the computer system under analysis, which includes:
     • Characterization of the computer system.
     • Identification of threats and estimation of risks.
     • Assessment of the current state of security.
  2. Define and implement the security system that minimizes the risks identified in the first stage.
     • Define security policies.
     • Define the measures and procedures to implement.
  3. Evaluate the designed security system.

For these reasons, it is essential to develop a long-term strategy for determining the elements most sensitive to interruption in the computerization process that is under way. This strategy must be able to face and respond to the different types of incidents that may arise, both those that originate outside and those that are internal.

In addition, it should consider creating a cooperation mechanism between the different networks that supports and coordinates the efforts between them, while identifying and generalizing the best experiences in this regard.

The following must be determined as study objectives:

  1. The critical management systems, particularly those supported by data networks, the threats that act on them, the levels of risk and the possible impact.
  2. Determine the current and prospective degree of dependency in relation to these systems.
  3. Establish the policies required to minimize the risks to critical IT assets, and implement the actions and mechanisms needed for their prevention, detection and recovery.
  4. Determine the parameters that allow establishing minimum levels of permissible availability.
  5. Establish a system that guarantees the continuity of this study on the basis of changes that arise and incidents that occur.

Information is the most important asset for computer security, which seeks to maintain the confidentiality, integrity and availability of information. These concepts are defined below:

  1. Confidentiality is given when only authorized persons have access to the information.
  2. Availability is given when authorized persons, and only they, can access the information whenever they wish.
  3. Integrity consists in guaranteeing that the information does not undergo any modification or alteration, except by persons authorized to do so.

When one of these three objectives is not met, the information is exposed to vulnerabilities, which can be identified in security systems, and to threats; the latter, when they materialize, become attacks.

A vulnerability in a system is a weakness that, once located, is used to cause damage to the system, while a threat arises from a number of situations that can cause damage and/or loss of information.

As mentioned above, when a threat materializes it becomes an attack, and attacks can be classified into two types: active and passive.

In a passive attack the information normally undergoes no modification; the communication is only accessed, without altering its flow, with the aim of intercepting it and analyzing the traffic. Examples include:

  • Social engineering
  • Monitoring

An active attack, by contrast, implies that the information is not only obtained but also modified, since the flow of data is altered. This is the case with identity theft, reactivation (replay) and fraudulent degradation of service.

Social engineering, including Reverse Social Engineering attacks and Trashing or Cartoneo, rests on the fact that the human factor is the weakest link in security. It consists of manipulating people to convince them to carry out actions that reveal the information necessary to overcome security barriers (Pfleeger, 2006).

Monitoring is carried out to observe the victim and their system in order to establish their vulnerabilities and possible forms of future access. These attacks include Shoulder Surfing, Decoys or Lures, Phishing, and Scanning or Search, which in turn has several classifications (Pfleeger, 2006).

Phishing is where the intruder masquerades as a different entity. It normally includes some of the other forms of active attack. For example, authentication sequences can be captured and repeated, allowing an unauthorized entity to access a series of privileged resources by impersonating the entity that holds those privileges, for instance by stealing the password to an account. These attacks include Spoofing and all its classifications, and IP Splicing-Hijacking (Pfleeger, 2006).

Reactivation (replay) occurs when one or more legitimate messages are captured and repeated to produce an unwanted effect, such as repeatedly depositing money into a given account (Pfleeger, 2006).

Fraudulent degradation of service: since the existing protocols were designed for use in an open community with a relationship of mutual trust, it is easier to disrupt the operation of a system than to gain access to it. This type of attack aims to prevent or inhibit the normal use or management of computing and communication resources. These attacks include DoS (Denial of Service): Jamming or Flooding and their various classifications, Smurf or Broadcast Storm, and e-mail bombing and spamming (Pfleeger, 2006).
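A receiver-side defence against the reactivation (replay) case above, as an added example that is not part of the original article: each deposit order carries a MAC, a timestamp and a nonce, and is applied at most once. The key, field names, account identifier and 30-second window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed values for this example only (not taken from the article).
SHARED_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 30


def sign(message: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the message."""
    body = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class DepositReceiver:
    """Applies each authenticated deposit order once, within a time window."""

    def __init__(self, key: bytes = SHARED_KEY, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen_nonces = {}  # nonce -> timestamp of the accepted message
        self.balances = {}     # account -> balance

    def handle(self, message: dict, tag: str, now: int) -> str:
        # 1. Authenticity and integrity: the MAC covers every field,
        #    including the nonce and timestamp, so none can be altered.
        if not hmac.compare_digest(sign(message, self.key), tag):
            return "rejected: bad MAC"
        # 2. Freshness: a captured message is useless once the window closes.
        if abs(now - message["ts"]) > self.max_age:
            return "rejected: stale"
        # 3. Uniqueness: inside the window, a nonce is honoured only once.
        #    Older nonces can be dropped because step 2 already rejects them.
        self.seen_nonces = {n: ts for n, ts in self.seen_nonces.items()
                            if now - ts <= self.max_age}
        if message["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces[message["nonce"]] = message["ts"]
        account = message["account"]
        self.balances[account] = self.balances.get(account, 0) + message["amount"]
        return "accepted"


def run_demo():
    """Deliver one constructed order, then repeat and alter the captured copy."""
    receiver = DepositReceiver()
    order = {"account": "ACC-001", "amount": 100, "nonce": "n-0001", "ts": 1000}
    tag = sign(order)
    altered = dict(order, amount=9999, nonce="n-0002")  # new nonce, old tag
    results = [
        receiver.handle(order, tag, now=1005),    # legitimate delivery
        receiver.handle(order, tag, now=1010),    # same message repeated at once
        receiver.handle(altered, tag, now=1012),  # repeated with edited fields
        receiver.handle(order, tag, now=1100),    # repeated after the window
    ]
    return results, receiver.balances


if __name__ == "__main__":
    outcomes, balances = run_demo()
    for outcome in outcomes:
        print(outcome)
    print(balances)
```

The account is credited once even though the same valid message arrives three times; the MAC alone would not achieve this, since a repeated message still verifies.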

Definitions.

Threat: situation or event that may cause damage to computer assets.

Risk: probability of damage occurring.

Impact: damages produced by the materialization of a threat.

Vulnerability: a rating of the risk level of a system.

Critical systems: those whose impairment can paralyze or severely affect the management of an organization.

Among the most common deficiencies of Computer Security we have:

  1. Management of computer security in most organizations is practically nil. Security is seen as a product and not a process. The Computer Security Plan is drawn up and security controls are implemented, and nothing else is done until an incident occurs.
  2. [...] scarcely limit themselves to approving it. IT staff have a free hand for almost everything, from the introduction or replacement of equipment and the creation of new users to the implementation of a new service.
  3. Poor control and demand (or absence of both). The work of staff, in particular that of network administrators, is not supervised. There is no adequate control of the services provided by data networks, nor of the allocation of access accounts to these services and their use.
  4. Underestimation of the human factor. Due attention is not paid to the selection, preparation and awareness of personnel, nor to the control of their actions and the enforcement of their obligations. A firewall and a good antivirus are installed and it is thought that the problem is solved, when in reality most of the problems derive from human action.
  5. All the responsibilities in the same person. A person is appointed to attend to security, on whom all the obligations and responsibilities in this matter fall, including those that correspond to other members of the organization.
  6. Overvaluation of outsourcing. A consulting company is hired to do everything, thinking that there will be less work and more security. Security is not a matter of one occasion, but of every day.
  7. Poor password management. The rules established for the use of access passwords are not complied with: passwords do not have the required structure and strength, are not changed frequently, and their privacy is not guaranteed.
  8. Shared resources. Files, folders and even entire disks are shared indiscriminately with users who do not require them for their work, and with full access privileges.
  9. Audit trail management. Traces of the operating system, events and the use of services are not analyzed to detect signs of abnormal behavior; their use is limited to the moment of a security incident. They are not preserved, or only some are kept, or they are kept for a shorter time than established by the regulations, frequently due to poorly configured mechanisms, indifference or intent.
  10. Backup information. Backup copies of the entity's critical information (on servers and stations) are not made to allow effective recovery after an incident. Frequently, copies of system and network configurations are not saved.
  11. Malicious programs. Poor application of the established procedures to prevent the introduction and spread of malicious programs.
  12. Removable media. Indiscriminate use of removable media (external disks, USB devices, memory cards, CDs, DVDs), without authorization or control.
  13. Access to global networks. Servers are not configured correctly for Internet access, and neither well-configured firewalls suited to the organization's work, nor intrusion detectors with the appropriate rules, nor event alarms are installed.

The scope expresses the radius of action covered by the Plan, according to the computer system to be protected, for which the risks were determined and the Security System was designed. The importance of clearly defining the scope of the Plan (and hence its inclusion at the beginning of it) lies in the fact that it gives, from the outset, a precise idea of the extent and limits within which the Plan is in force.

The Computer Security policies set out the aspects that make up the strategy to be followed by the Entity, based on its own characteristics and in accordance with the current policy in the country in this matter and with the designed security system, by establishing the general rules to be complied with by the personnel who participate in the computer system. These rules are derived from the results obtained in the risk analysis and from those defined by the highest instances in the laws, regulations, resolutions and other governing documents. When defining the Computer Security policies, the following aspects, among others, will be considered:

  • The convenient and safe use of the installed technologies and of each of the services that they can offer.
  • The treatment required by official information that is processed, exchanged, reproduced or preserved through information technologies, according to its category.
  • The privileges and rights of access to information assets, to guarantee their protection against unauthorized modification, loss or disclosure.
  • The principles that guarantee effective control of access to technologies, including remote access, and to the premises where they are located.
  • The saving and conservation of information.
  • The connection to networks external to the Entity, especially those of global reach, and the use of their services.
  • The Computer Security requirements to be taken into account during the design or acquisition of new technologies or software projects.
  • The definition of the principles related to the monitoring of e-mail, the management of audit trails and access to user files.
  • The maintenance, repair and transfer of technologies, and the technical personnel who require access to them for these reasons.
  • The regulations regarding the certification, installation and use of Electromagnetic Protection Systems.
  • The regulations regarding the certification, installation and use of Cryptographic Systems, where required.
  • The general principles for the treatment of incidents and security breaches.

Therefore, it is necessary to highlight legal instruments that have been in force since 1990 in our country related to computer security:

  • INSAC Resolution 3 of 1992, Data Protection Regulation.
  • MININT Resolution 6 of 1996, Information Security Regulation.
  • SIME Resolution 204 of 1996, Regulation on the Protection and Technical Security of Information Systems (repealed).
  • Decree Law 199 of 1999, On the Security and Protection of Official Information.
  • Methodology of the Computer Security Plan of 2000.
  • Methodology of Design of the Computer Security System of 2001.
  • Act MINFAR - MININT - MIC of 2004.
  • Agreement 6058 of 2007 of the CECM, Guidelines for the Improvement of the Security of Information and Communication Technologies.
  • MIC Resolution 2007 of 2007, Regulation of Security for Information Technologies.

In order to protect the general policies that have been defined for the entire entity, in correspondence with the protection needs in each of them, taking into account their forms of execution, frequency, participating personnel and means.

It is based on the available resources and, depending on the levels of security achieved, a Computer Security Program will be prepared, which includes the actions to be carried out in stages to achieve higher levels.

The security controls implemented will be described separately in accordance with their nature, according to the use made of human resources, technical means or the measures and procedures that personnel must comply with.

  1. Human Resources: Reference will be made here to the role of personnel within the security system implemented, defining their responsibilities and functions with respect to its design, establishment, control, execution and updating.

The structure conceived in the Entity for the management of Computer Security will be described, specifying the powers and functions of the different categories of personnel, which include: leaders at the different levels (head of the entity, heads of departments, areas and work groups or equivalent structures); IT managers and specialists; network, system and application administrators; Security and Protection specialists; those responsible for Computer Security; and ordinary users of information technologies.

  2. Technical Security Means: The technical means used to guarantee adequate security levels, at both the software and the hardware level, as well as their configuration, will be described. For this, the following will be taken into account:
     • Operating systems and installed security level.
     • Type of networks used and their topology.
     • Connections to networks external to the entity.
     • Servers for internal and external use.
     • Configuration of services.
     • Protection barriers and their architecture.
     • Bastion hosts, proxy systems, etc.
     • Packet filtering.
     • Management and monitoring tools.
     • Enabling of trace and auditing subsystems.
     • Setting of system alarms.
     • Cryptographic protection systems.
     • User identification and authentication devices.
     • Protection against unwanted programs.
     • Special security software.
     • Technical means of intrusion detection.
     • Floppy disk locks.
     • Protection devices against theft of equipment and components.
     • Grounding systems.
     • Electromagnetic protection.
     • Backup electric power sources.
     • Fire-fighting means.
     • Air-conditioning means.
     • Others.
  3. Computer Security Measures and Procedures.

In this part of the Plan the actions that must be carried out in each specific area by the personnel referred to in section 5.1 will be listed, in correspondence with the general policies for the entire entity established in section 4 and with the help, in the cases that require it, of the technical means described in 5.2, adapting them to the protection needs of each one of them according to the weight of the estimated risk for each computer asset protected.

The Computer Security measures and procedures specifically required in the different areas (not to be confused with general policies) will be defined clearly and precisely enough to avoid ambiguous interpretation by those who have to execute them, and they are mandatory for the parties involved.

Their wording should be as clear and simple as possible, specifying unequivocally the steps to be followed in each case to avoid possible incorrect interpretations, so that they can be faithfully carried out by the people responsible, without the need for any additional help. If all are grouped as an annex, the format to be used will be as follows:

  • Name of the procedure (title).
  • Sequence of the actions to be carried out.

Specifying in each case: what is done, how it is done and who does it, as well as the resources that are necessary for its fulfillment.

Some procedures to consider are the following:

  • Grant (withdraw) people's access to information technologies, and how it is controlled.
  • Assign (withdraw) rights and permissions on files and data to users.
  • Authorize (deny) services to users (example: e-mail, Internet).
  • Define work profiles.
  • Authorization and control of the entry and exit of information technologies.
  • Manage access codes, considering for each level the type of key according to its length and composition, the frequency of updating, who should change it, its custody, etc.
  • Carrying out backups, according to the work regime of the areas, so that the backups are kept up to date, and the actions taken to safeguard them, in such a way that the compartmentalization of the information is guaranteed according to its level of confidentiality.
  • Ensure that the maintenance of equipment, media and data is carried out in the presence and under the supervision of responsible personnel, and that, when equipment is moved outside the entity, classified or limited information is physically erased or protected against disclosure.
  • Saving and analysis of records or audit trails, specifying who performs it and how often.
  • Based on the definitions established in the Computer Security Regulation, the areas considered vital and reserved will be specified, in correspondence with the type of information that is processed, exchanged, reproduced or kept in them, or with the impact that damage to the assets or resources located in them could have on the Entity, listing the specific measures and procedures applied in each one (example: restrictions to limit access to premises, procedures for the use of security locks and technical devices for intrusion detection, etc.).
  • The measures and procedures for the use of technical means of physical protection applied directly to information technologies that require them because of the functions for which they are intended or the working conditions of the areas in which they are located (example: use of floppy disk locks, chassis anchors, processor ignition locks, etc.).
  • Positioning of information technologies intended for processing information with a high degree of confidentiality or sensitivity within the premises so as to avoid visibility of the information at a distance, minimize the possibility of capturing electromagnetic emissions, and ensure their better care and conservation.
  • Measures and procedures to guarantee the control of existing information technologies during their exploitation, conservation, maintenance and transfer.

The information system will describe the control regime established for the magnetic information media, referring among other things to:

  • The identification of the removable media authorized for use within the entity, including their physical and logical identification.
  • The conditions of conservation of the media, specifying the measures that guarantee the integrity and confidentiality of the information collected.
  • The measures and procedures established to guarantee the deletion or physical destruction of the classified or limited information contained in a medium once its purpose has been fulfilled.
  • The measures and procedures established to guarantee the integrity and confidentiality of the classified or limited information during the transfer of the media.

Technical or logical measures: the security measures and procedures that are established, and whose implementation is carried out through software, hardware or both, will be specified.

User identification: the method used to identify users to existing systems, services and applications will be explained, specifying:

  • How user identifiers are assigned.
  • Whether there is a standard structure for forming user identifiers.
  • Who assigns user identifiers.
  • How user identifiers are removed once the need for their use has ended, and how it is ensured that they are not used again.
  • The process for reviewing the use and validity of the assigned user identifiers.

User authentication: the authentication method used to verify the identification of users to existing systems, services and applications will be explained.

When a specific authentication device is used, its use will be described. In the case of using simple authentication through passwords, the following will be specified:

  • How passwords are assigned.
  • Types of passwords used (Setup, screen saver, applications, etc.).
  • Structure and periodicity of change established to guarantee the strength of the passwords used in systems, services and applications, in correspondence with the estimated risk weight for them.
  • Causes that motivate changing passwords before the end of the established term.

Access control to assets and resources: the measures and procedures that ensure authorized access to information assets and computer resources that require restrictions on their use will be described, specifying:

  • To which assets and resources access control measures are applied.
  • Access control methods used.
  • Who grants access rights and privileges.
  • To whom access rights and privileges are granted.
  • How access rights and privileges are granted and suspended.

Access control to assets and resources must be based on a “minimum privilege” policy, in the sense of granting each user only the rights and privileges that are required for the fulfillment of the functions assigned to them.

File and data integrity: the measures and procedures established to avoid unauthorized modification, destruction and loss of files and data, as well as to prevent them from being accessed publicly, will be described, specifying:

  • Security measures implemented at the operating system level, the application level or both to restrict and control access to databases.
  • Measures to guarantee the integrity of the software and of the configuration of technical means.
  • Use of cryptographic means for the protection of files and data.
  • Measures and procedures established for protection against viruses and other harmful programs that may affect operating systems, as well as to prevent their spread, specifying the antivirus programs used and their installation and update regime.

Audit and alarms: the measures and procedures implemented for the recording and analysis of audit trails in the networks and installed systems will be described, in order to monitor the actions carried out (access to files, devices, use of services, etc.) and detect indications of events relevant to security that may affect the stability or operation of the computer system.

Where specialized software is used to detect possible configuration errors or other vulnerabilities, the required procedures will be described. In addition, the measures that guarantee the integrity of the audit mechanisms and records, limiting access to them to those authorized to do so, will be described.

Security of operations will include the measures and procedures related to the identification and control of technologies in operation, particularly those where classified information is processed, and to control over the entry into and exit from the entity of information technologies (portable machines, peripherals, media, etc.).

  • Established methodology for backing up the information, specifying its periodicity, responsibilities, number of versions, etc.

Recovery from contingencies: the measures and procedures for neutralization and recovery in the face of any event that may paralyze all or part of the computer activity or degrade its operation will be described, minimizing the negative impact of such events on the entity.

Based on the results obtained in the risk analysis, the actions to be taken to neutralize those threats that are most likely to occur if they materialize, as well as for the recovery of the affected processes, services or systems, will be determined.

Conclusions.

Computer security must integrate components aimed at achieving solid preparation, from the political and ideological point of view, for computer security. These include: the issues and dilemmas of moral values that are affected by improper conduct in our society in the use of technologies; the foundations of computer security and knowledge of its fundamental concepts, policies, rules and regulations; computer security in daily tasks or activities, such as the knowledge of computer technologies essential for their performance, computer security violations, computer viruses, the need for access codes, prevention measures against the use of external devices, the need for information backups, and configurations in computer tools and applications; and the necessary knowledge of some tools and applications essential for working with e-mail, instant messaging, office applications, operating system updates and antivirus, together with the need to detect and report incidents. The elements of computer security are intended to provide pedagogical tools and procedures for work with users of computer technologies and networks, for illustration, motivation and awareness of this topic, as a way to educate.

Bibliography.

  • Computer Security Training, DISAIC Consulting Company, Ministry of the Sidero-Mechanical Industry (SIME), April 2010.
  • García García, Armando. Computer Security, Legal Base. SCDI Workshop, Ciego de Ávila, November 2012.
  • Arencibia González, Mario. Selection of readings on Computer Ethics. Havana: s.n., 2006.
  • Arteaga, Chacón and others. Ethical dimension of Cuban education. Editorial Pueblo y Educación, 2006.
  • Mieres, Jorge. Computer attacks: commonly exploited security weaknesses. 2009.
  • Pfleeger, Charles P. Security in Computing (4th Edition). ISBN: 978-0-13-239077-4. 2006.