Chapter 4. Planning Your Security Needs

At a Glance

This chapter covers the policy and procedural issues involved in building an effective defense against the security threats presented in the previous chapter, and goes into greater detail on the planning process.

Effective Security Based on Technical Solutions and Policy Guidance

Fundamentally, computer security is a series of technical solutions to non-technical problems. You can spend an unlimited amount of time, money, and effort on computer security, but you will never quite solve the problem of accidental data loss or intentional disruption of your activities. Given the right set of circumstances—software bugs, accidents, mistakes, bad luck, bad weather, or a sufficiently motivated and well-equipped attacker—any computer can be compromised, rendered useless, or even totally destroyed.

The job of the security professional is to help organizations decide how much time and money need to be spent on security. Another part of that job is to make sure that organizations have policies, guidelines, and procedures in place so that the money spent is spent well. And finally, the professional needs to audit the system to ensure that the appropriate controls are implemented correctly to achieve the policy’s goals. Thus, practical security is really a question of management and administration more than it is one of technical skill. Consequently, security must be a priority of your organization’s management. Even in a very small enterprise without a significant budget for security, the management should understand the core security issues and implement basic (and relatively inexpensive) measures to protect its assets.

Security planning may be divided into five discrete steps:

1) Planning to address your security needs

2) Conducting a risk assessment or adopting best practices

3) Creating policies to reflect your needs

4) Implementing security

5) Performing audit and incident response

There are two critical principles implicit in effective policy and security planning:

Policy and security awareness must be driven from the top down in the organization. Security concerns and awareness by the users are important, but they cannot build or sustain an effective culture of security. Instead, the head(s) of the organization must treat security as important, and abide by all the same rules and regulations as everyone else.

Effective computer security means protecting information. Although protecting resources is also critical, resource losses are more easily identified and remedied than information losses. All plans, policies and procedures should reflect the need to protect information in whatever forms it takes. Proprietary data does not become worthless when it is on a printout or is faxed to another site instead of contained in a disk file. Customer confidential information does not suddenly lose its value because it is recited on the phone between two users instead of contained within an e-mail message. The information should be protected no matter what its form.

There are many different kinds of computer security, and many different definitions. Rather than present a formal definition, this Handbook takes a practical approach and discusses the categories of protection you should consider.

Types of Security Concerns

Within this broad definition, there are many different types of security that both users and administrators of computer systems need to be concerned about[54]:

[54] See also the COBIT approach to security methodology: http://www.isaca.org/cobit.htm

Confidentiality

Protecting information from being read or copied by anyone who has not been explicitly authorized by the owner of that information. This type of security includes not only protecting the information in toto, but also protecting individual pieces of information that may seem harmless by themselves but that can be used to infer other confidential information.

Data integrity

Protecting information (including programs) from being deleted or altered in any way without the permission of the owner of that information. Information to be protected also includes items such as accounting records, backup tapes, file creation times, and documentation.

Availability

Protecting your services so they’re not degraded or made unavailable (crashed) without authorization. If the systems or data are unavailable when an authorized user needs them, the result can be as bad as having the information that resides on the system deleted.

Consistency

Making sure that the system behaves as expected by the authorized users. If software or hardware suddenly starts behaving radically differently from the way it used to behave, especially after an upgrade or a bug fix, a disaster could occur. Imagine if your ls command occasionally deleted files instead of listing them! This type of security can also be considered as ensuring the correctness of the data and software you use.

Control

Regulating access to your system. If unknown and unauthorized individuals (or software) are found on your system, they can create a big problem. You must worry about how they got in, what they might have done, and who or what else has also accessed your system. Recovering from such episodes can require considerable time and expense for rebuilding and reinstalling your system, and verifying that nothing important has been changed or disclosed—even if nothing actually happened.

Audit

As well as worrying about unauthorized users, authorized users sometimes make mistakes, or even commit malicious acts. In such cases, you need to determine what was done, by whom, and what was affected. The only sure way to achieve these results is by having some incorruptible record of activity on your system that positively identifies the actors and actions involved. In some critical applications, the audit trail may be extensive enough to allow “undo” operations to help restore the system to a correct state.

Although all of these aspects of security are important, different organizations will view each with a different amount of importance. This variance is because different organizations have different security concerns, and must set their priorities and policies accordingly. For example:

A Banking Environment

In such an environment, integrity, control, and auditability are usually the most critical concerns, while confidentiality and availability are the next in importance.

A National Defense-Related System That Processes Classified Information

In such an environment, confidentiality may come first, and availability last. In some highly classified environments, officials may prefer to blow up a building rather than allow an attacker to access the information contained within that building’s walls.

A University

In such an environment, integrity and availability may be the most important requirements. It is more important to ensure that students can work on their papers than that administrators can track the precise times at which students accessed their accounts.

If you are a security administrator, you need to thoroughly understand the needs of your operational environment and users. You then need to define your procedures accordingly. Not everything we describe in this book will be appropriate in every environment.

Trust

Security professionals generally don’t refer to a computer system as being “secure” or “unsecure.” Instead, we use the word trust to describe our level of confidence that a computer system will behave as expected. This acknowledges that absolute security can never be present. We can only try to approach it by developing enough trust in the overall configuration to warrant using it for the applications we have in mind. Developing adequate trust in your computer systems requires careful thought and planning. Operational decisions should be based on sound policy and risk analysis and it is important to get professional advice when possible:

If you are at a larger company, university, or government agency, we suggest that you contact your internal audit and/or risk management department for additional help (they may already have some plans and policies in place that you should know about). You can also learn more about this topic by consulting some of the works referenced in the Annexes. You may also wish to enlist a consulting firm. For example, many large accounting and audit firms now have teams of professionals that can evaluate the security of computer installations.

If you are with a smaller institution or are dealing with a personal machine, you may not have specialized departments to call on and you should review Part 2 of this Handbook carefully. You may decide that we cover these issues in greater detail than you actually need. However, the information contained in these chapters should help guide you in setting your priorities.

Cost-Benefit Analysis and Best Practices

Time and money are finite. After you complete your risk assessment, you will have a long list of risks, far more than you can possibly address or defend against. You now need a way of ranking these risks to decide which you need to mitigate through technical means, which you will insure against, and which you will simply accept. Traditionally, the decision of which risks to address and which to accept was made using a cost-benefit analysis: a process of assigning a cost to each possible loss, determining the cost of defending against it, determining the probability that the loss will occur, and then determining whether the cost of defending against the risk outweighs the benefit.

Risk assessment and cost-benefit analyses generate a lot of numbers, making the process seem quite scientific and mathematical. In practice, however, putting together these numbers can be a time-consuming and expensive process, and the results are numbers that are frequently soft or inaccurate. Risk analysis depends on the ability to gauge the expected use of an asset, assess the likelihood of each risk to the asset, identify the factors that enable those risks, and calculate the potential impact of various choices; these figures are devilishly hard to pin down. How do you calculate the risk that an attacker will be able to obtain system administrator privileges on your web server? Does this risk increase over time, as new security vulnerabilities are discovered, or does it decrease over time, as the vulnerabilities are publicized and corrected? Does a well-maintained system become less secure or more secure over time? And how do you calculate the likely damages of a successful penetration? Unfortunately, few statistical, scientific studies have been performed on these questions. Many people think they know the answers to these questions, but research has shown that most people badly estimate risk based on personal experience.
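The ranking step described above (mitigate, insure, or accept each risk by comparing the cost of a control with the expected loss) can be made concrete, and the point about soft numbers can be made visible, by carrying low and high probability estimates through the calculation and flagging any risk whose decision flips between them. This is an added example, not code from the Handbook; the risks, figures, and the assumption that expected annual loss equals probability times loss are constructed for illustration.

```python
"""Cost-benefit risk ranking with uncertain estimates (constructed example)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    loss: float          # cost if the loss occurs (currency units), constructed
    p_low: float         # lower bound on the annual probability of occurrence
    p_high: float        # upper bound on the annual probability of occurrence
    control_cost: float  # annual cost of defending against the risk
    insurable: bool      # whether the loss could be transferred to an insurer


def expected_loss(risk: Risk, probability: float) -> float:
    """Assumed model: expected annual loss = probability x loss."""
    return probability * risk.loss


def decide(risk: Risk) -> str:
    """Mitigate when the control pays for itself even at the low estimate,
    accept or insure when it does not even at the high estimate, and flag
    the rest: there the soft probability number alone decides the outcome."""
    low = expected_loss(risk, risk.p_low)
    high = expected_loss(risk, risk.p_high)
    if low > risk.control_cost:
        return "mitigate"
    if high <= risk.control_cost:
        return "insure" if risk.insurable else "accept"
    return "estimate-sensitive"


def rank(risks):
    """Order risks by worst-case expected loss, largest first, with decisions."""
    rows = ((r.name, expected_loss(r, r.p_high), decide(r)) for r in risks)
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample risks; the numbers are illustrative, not measured.
SAMPLE_RISKS = [
    Risk("web server root compromise", 200_000, 0.05, 0.30, 15_000, False),
    Risk("fire destroys file server", 500_000, 0.005, 0.01, 40_000, True),
    Risk("laptop lost with customer list", 50_000, 0.10, 0.20, 2_000, False),
]

if __name__ == "__main__":
    for name, worst_case, decision in rank(SAMPLE_RISKS):
        print(f"{name:32s} {worst_case:>10,.0f}  {decision}")
```

The "estimate-sensitive" outcome is the one worth acting on first: it marks a risk where spending more effort on the probability estimate changes the spending decision, while the other rows are robust to the uncertainty.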

Because of the difficulty inherent in risk analysis, another approach for securing computers has emerged in recent years called best practices, or due care. This approach consists of a series of recommendations, procedures, and policies that are generally accepted within the community of security practitioners to give organizations a reasonable level of overall security and risk mitigation at a reasonable cost. Best practices can be thought of as “rules of thumb” for implementing sound security measures.

The best practices approach is not without its problems. The biggest problem is that there really is no one set of “best practices” that is applicable to all sites and users. The best practices for a site that manages financial information might have similarities to the best practices for a site that publishes a community newsletter, but the financial site would likely have additional security measures.

Following best practices does not assure that your system will not suffer a security-related incident. Most best practices require that an organization’s security office monitor the Internet for news of new attacks and download patches from vendors when they are made available. But even if you follow this regimen, an attacker might still be able to use a novel, unpublished attack to compromise your computer system. And if your news feed is down, or the person monitoring the mailing lists goes on vacation, then the attackers will have a lead on your process of installing needed patches.

The very idea that tens of thousands of organizations could or even should implement the “best” techniques available to secure their computers is problematic. The “best” techniques available are simply not appropriate or cost-effective for all organizations.

Many organizations that claim to be following best practices are actually adopting the minimum standards commonly used for securing systems. In practice, most best practices really aren’t.

We recommend a combination of risk analysis and best practices. Starting from a body of best practices, an educated designer should evaluate risks and trade-offs, and pick reasonable solutions for a particular configuration and management. For instance, servers should be hosted on isolated machines, and configured with an operating system and software providing the minimally required functionality. The operators should be vigilant for changes, keep up-to-date on patches, and prepare for the unexpected. Doing this well takes a solid understanding of how the system works, and what happens when it doesn’t work. This is the approach that we will explain in the sections that follow.

Copyright © 2003 The International Bank for Reconstruction and Development / The World Bank
