Security Administration and Supporting Controls

If no security officer role currently exists, one should be established by management. The security officer role is directly responsible for monitoring a majority of the facets of a security program. Depending on the organization, security needs, and size of the environment, the security administration may consist of one person or a group of individuals who work in a central or decentralized manner. Whatever its size, the security administration requires a clear reporting structure, an understanding of responsibilities, and testing and monitoring capabilities to make sure compromises do not slip in because of a lack of communication or comprehension.

Information owners should dictate which users can access their resources and what those users can do with those resources after they access them. The security administration’s job is to make sure these objectives are implemented. The following controls should be utilized to achieve management’s security directives:

  • Administrative controls: These include the developing and publishing of policies, standards, procedures, and guidelines; risk management; the screening of personnel; conducting security-awareness training; and implementing change control procedures.

  • Technical controls (also called logical controls): These consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and the configuration of the infrastructure.

  • Physical controls: These entail controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls.

Figure 3-1 illustrates how the administrative, technical, and physical controls work together to provide the necessary level of protection.

Figure 3-1. Administrative, technical, and physical controls should work in a synergistic manner to protect a company’s assets.


The information owner (also called the data owner) is usually a senior executive within the management group of the company, or the head of a specific department. The information owner has the corporate responsibility for data protection and would be the one held liable for any negligence when it comes to protecting the company’s information assets. The person who holds this role is responsible for assigning classifications to information and dictating how the data should be protected. If the information owner does not lay out the foundation of data protection and ensure the directives are being enforced, she would be violating the due care concept.

Note

Due care is a legal term and concept used to help determine liability in a court of law. If someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if something bad takes place.


By having a security administration group, a company ensures it does not lose focus on security and that it has a hierarchical structure of responsibility in place. The security officer’s job is to ensure that management’s security directives are fulfilled, not to construct those directives in the first place. There should be a clear communication path between the security administration group and senior management to make certain the security program receives the proper support and ensure management makes the decisions. Too often, senior management is extremely disconnected from security issues, despite the fact that when a serious security breach takes place, senior management must explain the reasons to business partners, shareholders, and the public. After this humbling experience, the opposite problem tends to arise—senior management becomes too involved. A healthy relationship between the security administration group and senior management should be developed from the beginning, and communication should easily flow in both directions.

An Example of Security Management

Anyone who has been involved with a security initiative understands it involves a balancing act between securing an environment and still allowing the necessary level of functionality so that productivity is not affected. A common scenario that occurs at the start of many security projects is that the individuals in charge of the project know the end result they want to achieve and have lofty ideas of how quick and efficient their security rollout will be, but they fail to consult the users regarding what restrictions will be placed upon them. The users, upon hearing of the restrictions, then inform the project managers they will not be able to fulfill certain parts of their job if the security rollout actually takes place as planned. This usually causes the project to screech to a halt. The project managers then must initialize the proper assessments, evaluations, and planning to see how the environment can be slowly secured and how to ease users and tasks delicately into new restrictions or ways of doing business. Failing to consult users or fully understand business processes during the planning phase causes many headaches and wastes time and money. Individuals who are responsible for security management activities must realize they need to understand the environment and plan properly before kicking off the implementation phase of a security program.


Inadequate management can undermine the entire security effort in a company. Among the possible reasons for inadequate management are that management does not fully understand the necessity of security; security is in competition with other management goals; management views security as expensive and unnecessary; or management applies lip service instead of real support to security. Powerful and useful technologies, devices, software packages, procedures, and methodologies are available to provide the exact level of security required, but without proper security management and management support, none of this really matters.

Fundamental Principles of Security

Now, what are we trying to accomplish again?

Security programs have several small and large objectives, but the three main principles in all programs are availability, integrity, and confidentiality. These are referred to as the AIC triad. The level of security required to accomplish these principles differs per company, because each has its own unique combination of business and security goals and requirements. All security controls, mechanisms, and safeguards are implemented to provide one or more of these principles, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles. Figure 3-2 illustrates the AIC triad. Some documentation on this topic may reverse the acronym order, calling it the CIA triad, but it still refers to the concepts shown in Figure 3-2.

Figure 3-2. The AIC triad


Availability

Emergency! I can’t get to my data!

Response: Turn the computer on!

The systems and networks should provide adequate capacity in order to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick manner so productivity is not negatively affected. Single points of failure should be avoided, backup measures should be taken, redundancy mechanisms should be in place when necessary, and the negative effects from environmental components should be prevented. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of the network, systems, and information. Availability ensures reliability and timely access to data and resources to authorized individuals.

System availability can be affected by device or software failure. Backup devices should be used and be available to quickly replace critical systems, and employees should be skilled and on hand to make the necessary adjustments to bring the system back online. Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability. These issues are addressed in detail in Chapter 6. Systems should be protected from these elements, properly grounded electrically, and closely monitored.

Integrity

Integrity is upheld when the assurance of the accuracy and reliability of the information and systems is provided, and any unauthorized modification is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and process data correctly and move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination.

Environments that enforce and provide this attribute of security ensure that attackers, or mistakes by users, do not compromise the integrity of systems or data. When an attacker inserts a virus, logic bomb, or back door into a system, the system’s integrity is compromised. This can, in turn, negatively affect the integrity of information held on the system by way of corruption, malicious modification, or the replacement of data with incorrect data. Strict access controls, intrusion detection, and hashing can combat these threats.

Users usually affect a system or its data’s integrity by mistake (although internal users may also commit malicious deeds). For example, a user with a full hard drive may unwittingly delete configuration files under the mistaken assumption that deleting a boot.ini file must be okay because they don’t remember ever using it. Or, for example, a user may insert incorrect values into a data processing application that ends up charging a customer $3,000,000 instead of $300. Incorrectly modifying data kept in databases is another common way users may accidentally corrupt data—a mistake that can have lasting effects.

Security should streamline users’ capabilities and give them only certain choices and functionality so errors become less common and less devastating. System-critical files should be restricted from viewing and access by users. Applications should provide mechanisms that check for valid and reasonable input values. Databases should let only authorized individuals modify data, and data in transit should be protected by encryption or other mechanisms.

Confidentiality

Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.

Attackers can thwart confidentiality mechanisms by network monitoring, shoulder surfing, stealing password files, and social engineering. These topics will be addressed in more depth in later chapters, but briefly, shoulder surfing is when a person looks over another person’s shoulder and watches their keystrokes or views data as it appears on a computer screen. Social engineering is when one person tricks another person into sharing confidential information such as by posing as someone authorized to have access to that information. Social engineering can take many other forms. Indeed, any one-to-one communication medium can be used to perform social engineering attacks.

Users can intentionally or accidentally disclose sensitive information by not encrypting it before sending it to another person, by falling prey to a social engineering attack, by sharing a company’s trade secrets, or by not using extra care to protect confidential information when processing it.

Confidentiality can be provided by encrypting data as it is stored and transmitted, by using network traffic padding, strict access control, and data classification, and by training personnel on the proper procedures.

Availability, integrity, and confidentiality are critical principles of security. You should understand their meaning, how they are provided by different mechanisms, and how their absence can negatively affect an environment, all of which help you best identify problems and provide proper solutions.

Every solution, whether it be a firewall, consultant, or security program, must be evaluated by its functional requirements and its assurance requirements. Functional requirements evaluation means, “Does this solution carry out the required tasks?” Assurance requirements evaluation means, “How sure are we of the level of protection this solution provides?” Assurance requirements encompass the integrity, availability, and confidentiality aspects of the solution.


Security Definitions

I am vulnerable and see you as a threat.

Response: Good.

The words “vulnerability,” “threat,” “risk,” and “exposure” often are used to represent the same thing even though they have different meanings and relationships to each other. It is important to understand each word’s definition, but more important to understand its relationship to the other concepts.

A vulnerability is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. This vulnerability may be a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lax physical security that allows anyone to enter a server room, or nonenforced password management on servers and workstations.

A threat is any potential danger to information or systems. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file’s integrity.

A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an intentional or unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

An exposure is an instance of being exposed to losses from a threat agent. A vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users’ passwords captured and used in an unauthorized manner. If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.

A countermeasure, or safeguard, is put into place to mitigate the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or reduces the likelihood a threat agent will be able to exploit a vulnerability. Examples of countermeasures include strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.

If a company has antivirus software but does not keep the virus signatures up-to-date, this is a vulnerability. The company is vulnerable to virus attacks. The threat is that a virus will show up in the environment and disrupt productivity. The likelihood of a virus showing up in the environment and causing damage is the risk. If a virus infiltrates the company’s environment, then a vulnerability has been exploited and the company is exposed to loss. The countermeasures in this situation are to update the signatures and install the antivirus software on all computers. The relationships among risks, vulnerabilities, threats, and countermeasures are shown in Figure 3-3.

Figure 3-3. The relationships among the different security components


Applying the right countermeasure can eliminate the vulnerability and exposure, and thus reduce the risk. The company cannot eliminate the threat agent, but it can protect itself and prevent this threat agent from exploiting vulnerabilities within the environment.


Order of Concepts

The proper order in which to evaluate these concepts as they apply to your own network is threat, exposure, vulnerability, countermeasures, and, lastly, risk. This is because there can be a threat (a new SQL attack), but unless your company has the corresponding vulnerability (a SQL server with the necessary configuration), the company is not exposed and there is nothing to treat as a vulnerability. If the vulnerability does reside in the environment, then a countermeasure is applied to reduce the risk.


Security Through Obscurity

We write all of the sensitive data backwards and upside down to fool the bad guys.

An improper understanding about the risks and requirements can lead to all kinds of problems for an organization. Typically, this results in bad security practices. Things such as security through obscurity become common practices that usually have damaging results. The root of the issue here is the lack of understanding about what the Information Age is really like, what kinds of tools malevolent forces have at their disposal, and the resourcefulness of attackers. This lack of understanding typically leads a defender to the most devastating mistake they can make: believing their opponent is less intelligent than they are. This leads to simple and sloppy mistakes and the proliferation of a false sense of security. Included are ideas such as: flaws cannot be exploited if they are not common knowledge; compiled code is more secure than open-source code because people can’t see the code; moving HTTP traffic to port 8088 will provide enough protection; developing personal encryption algorithms will stop the crackers; and if we all wear Elvis costumes, no one can pick us out to conduct social engineering attacks. These are just a few of the kinds of potentially damaging ideas that can result from taking a security-by-obscurity approach.

This is a controversial approach, yet it is a prominent one in the areas of computer security and cryptography. Reliance on confusion to provide security can be dangerous. Though everyone wants to believe in the innate goodness of their fellow man, no security professional would have a job if this were actually true. In security, a good practice is illustrated by the old saying, “There are only two people in the world I trust: you and me... and I’m not so sure about you.” This is a better attitude to take, because security really can be compromised by anyone, at any time.

A layman’s example of security through obscurity is the old practice of putting a spare key under a doormat in case you are locked out of the house. You assume that no one knows about the spare key, and as long as they don’t it can be considered secure. The vulnerability here is that anyone could gain easy access to the house if they have access to that hidden spare key, and the experienced attacker (in this example, a burglar) knows that these kinds of vulnerabilities exist and takes the appropriate steps to seek them out. This is the same thing with other security systems and practices. Setting up confusing or “tricky” countermeasures does not provide the assurance level that a solid, defense-in-depth, security program can.

In the world of cryptography, Kerckhoffs’ principle embodies the argument against security through obscurity. Back in the 1880s, Mr. Kerckhoffs stated that no algorithm should be kept secret; only the key should be the secret component. His message is to assume that the attacker can figure out your algorithm and its logic, so ensure that the key is properly protected—it is the one thing the attacker would still need to make the algorithm decode sensitive data.
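As an added illustration of Kerckhoffs’ principle (example code, not from the book), the chapter’s joke “backwards and upside down” transform is placed beside a one-time pad built only from Python’s standard library: once an attacker knows the transform, the obscurity scheme has nothing left to protect, while for the keyed scheme a public algorithm reveals nothing without the key. The plaintext and the decoy text are constructed sample values.

```python
import secrets

# Constructed sample secret (not a value from the book).
SAMPLE = b"payroll export Q3: total=4,250,000"


def obscurity_encode(data: bytes) -> bytes:
    """The chapter's joke scheme: write it backwards and shift every byte.
    This is a fixed transform with no key, so the algorithm itself is the secret."""
    return bytes((b + 13) % 256 for b in reversed(data))


def obscurity_decode(data: bytes) -> bytes:
    """Inverse of obscurity_encode. It needs no key, only knowledge of the method."""
    return bytes((b - 13) % 256 for b in reversed(data))


def attacker_recovers(obscured: bytes) -> bytes:
    """Kerckhoffs' assumption: the attacker knows the algorithm.
    For the obscurity scheme that assumption alone yields the plaintext."""
    return obscurity_decode(obscured)


def otp_xor(key: bytes, data: bytes) -> bytes:
    """One-time pad: a public algorithm whose only secret component is the key.
    XOR is its own inverse, so the same function encrypts and decrypts."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the data")
    return bytes(k ^ d for k, d in zip(key, data))


def key_that_explains(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the key under which `ciphertext` would decrypt to `candidate`.
    Every same-length plaintext is consistent with the ciphertext under some
    key, so knowing the algorithm tells the attacker nothing about which one
    was sent: the protection lives entirely in keeping the key secret."""
    return otp_xor(candidate, ciphertext)


def demo() -> dict:
    """Run both schemes against SAMPLE and report what an algorithm-aware
    attacker learns from each."""
    obscured = obscurity_encode(SAMPLE)
    key = secrets.token_bytes(len(SAMPLE))  # fresh random key, kept secret
    sealed = otp_xor(key, SAMPLE)
    decoy = b"lunch order: 12 sandwiches".ljust(len(SAMPLE))  # constructed
    return {
        "obscurity_broken_without_key": attacker_recovers(obscured) == SAMPLE,
        "otp_roundtrip_ok": otp_xor(key, sealed) == SAMPLE,
        # the same ciphertext is equally consistent with a harmless decoy
        "otp_ciphertext_fits_decoy":
            otp_xor(key_that_explains(sealed, decoy), sealed) == decoy,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```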

If Not Obscurity, Then What?

Throughout the chapters of this book, best practices, open standards, and implementing and maintaining security controls in an effective manner will be discussed. The development of a security program with layers of protection may take more time in the beginning, but in the long run it provides a better chance of keeping your organization out of both the frying pan and the fire.

