
Network Security Overview

Secure computing and communications using a Layered Defense Strategy
An IT Engineering Resource

Version 1.2

D. E. Jennings, April 2012

CONTENTS:
INTRODUCTION ........ 3
HOW WE GOT TO THIS POINT ........ 3
PROTECTING THE COMPANY FROM CYBER CRIME ........ 4
SECURITY PLANS AND POLICIES ........ 5
SECURITY OPERATIONS ........ 6
RISK MANAGEMENT ........ 8
CATEGORIES OF RISK ........ 10
PERSONNEL SECURITY ........ 15
BUILDING SECURITY ........ 16
ACCESS CONTROL ........ 16
TELECOMMUNICATIONS ........ 20
NETWORK SECURITY ........ 21
ARCHITECTURE ........ 25
INTRUSION DETECTION SYSTEM (IDS) ........ 26
ELECTRONIC MAIL SECURITY ........ 29
DISASTER RECOVERY ........ 31
APPENDIX I: Security Policy ........ 35
APPENDIX II: Vulnerability Assessment ........ 37
APPENDIX III: Roles Matrix & Organization Chart ........ 38
APPENDIX IV: Typical Network Design ........ 39

Copyright: April 2012, D. E. Jennings


Introduction:

This document presents a discussion of the concepts, plans and processes used to protect the assets and maintain business continuity for a typical small to medium sized company. Although most of the measures discussed here are also applicable to large and extremely large companies, those organizations usually have international locations and require additional measures not discussed in this document.

The approach taken here differs from the traditional approach, and to understand why it is useful to look very briefly at the history of corporate security. Before computer networks, security was a physical lockdown kind of thing. It was handled by the same people who managed the other physical requirements of the company. Because the primary threat has changed, we believe that security should now be managed by the Information Technology Security department. In many companies today there are two departments: Physical Security, where security guards man the doors, and the IT Security department, where computer technicians keep the network safe. When there is a split responsibility there is room for a gap. With two departments managing different access lists and different access procedures, there is the possibility of too much or too little security. Most companies are suffering from this problem. The approach suggested in this paper is to administer a unified policy for all security under one department, i.e. the IT Security department, which would therefore include physical security in its mandate. At the center of security is an automated Identity Management System.

How we got to this point:

When corporate computer networks came into existence, security did not seem to be an issue. They were very big and very expensive, run only by large institutions or the largest corporations. In the 1980s, using a dumb terminal over dial-up phone lines from home, an employee could access the corporate computing center across the country. It was possible to input data that would be run as a batch job overnight and printed at the office in the morning, with no passwords involved. The probability of anyone getting in and doing damage was extremely small, and they really couldn't do any damage. Computers were managed by a small group of very highly trained professionals, and the knowledge of what they were doing was not known to the general public.

Then Atari and others invented computer game machines. Around that time the personal computer was invented, and then came dial-up bulletin boards. Security was not built into programs and hacking them was easy. Lots of cracked[1] commercial software (mostly games) appeared on bulletin boards. This went on for many years, with cracked software and games passing from one dial-up bulletin board to another. The international community got it, and computer users all over the world paid literally $0.0 for quality software and games (and continue to do so).

Then the internet arrived. The number of hackers multiplied, and the amount of commercial products (software, games, audio files, video, etc.) being cracked is still increasing. Hacking into high profile institutions was and is considered a badge of honor and garners great admiration from fellow hackers. The monetary gain incentive is at least as enticing as the "just see if you can do it" incentive.[2] A report from the anti-virus company Norton said most of us are not secure and that the cost of all this in the US alone is over $139 billion a year.[3]

In spite of this background, companies have embraced the use of the internet to conduct business in a big way. The same highway, known well and used by hackers to infiltrate, is used by companies to conduct billions of dollars worth of business daily. Although the benefits outweigh the risks, the risks are still there and must be mitigated. And although the threats from outside are enormous, the fact of life is that the greatest threat for small businesses is from their own employees.[4]

Protecting the company from Cyber Crime:

As we see in the preceding, the type and severity of cyber crime is still evolving. Protecting the company is always a challenge, and IT security departments must keep pace with the changing threats. The size of the company, the location and nature of the facilities, the number of locations and the Information Technology (IT) requirements of each affect the level and type of security required. For example, a company that utilizes a mobile sales force will need encrypted laptops and robust secure communications channels to enable sales teams to keep in touch with the office. A company with two geographically separated locations can use the other location as a data backup facility for disaster recovery.

A centralized security policy and access control model is one where all company locations are governed by the same security policy. A decentralized model allows each domain (or location) to control its own security. This may be advisable when there is a wide difference in requirements from one location or domain to another; for example, one location must meet Top Secret security requirements and others may not. For most small to medium companies a centralized policy is more efficient to administer and maintain.

This document is not the Security Policy, the Operational Security Plan, or the Business Continuity Plan, but an overview of what goes into these and other documents.

Security Plans and Policies:

1. This document: A description of Security Plans and Operations.

2. Security Policy: Senior management's directives to create an information security program to protect the corporation's assets, establish security related goals and security measures, and target and assign responsibilities.[5] The Security Policy contains sections on Purpose, Scope, Responsibilities and Compliance. It is a high-level statement of management's intentions about how security should be practiced within the organization. It identifies what actions are acceptable and what level of risk the company is willing to accept. It is reviewed by the Security department and Corporate Management for updating every year and approved by Corporate Management.

3. Operational Security Plan:[6] This document is the detailed plan that contains instructions for putting the policy into action. It is basically a manual on how to get it done. It contains a breakdown of each security measure implemented. Audience: Program Management, IT Management, Program Operations Staff, IT Staff, Auditors. It is reviewed by the Security department for updating every 6 months. The Operational Security Plan is developed and revised by the Security department and approved by Corporate Management.

4. Business Continuity Plan (BCP): This is a plan to preserve business activities when faced with disruptions or disasters. The plan includes the identification of real risks, risk assessment, and countermeasure implementation plans. Although many organizations use the phrases Business Continuity Planning and Disaster Recovery Planning interchangeably, they are two distinct disciplines.
Though both plans are essential to the effective management of disasters and other disruptive events, their goals are different. The goal of a BCP is to ensure that the business will continue to operate before, throughout, and after a disaster event. The focus of a BCP is on the business as a whole, ensuring that the critical services the business provides or the critical functions it regularly performs can still be carried out both during and after a disruption. To ensure that the critical business functions are still operable, the plan takes into account the common threats to those critical functions as well as any associated vulnerabilities that might make a disruption more likely.

5. Disaster Recovery Plan (DRP): Disaster Recovery Planning is considered tactical rather than strategic and provides a means for immediate response to disasters. The DRP can be, but is not necessarily, within the BCP. The DRP is developed by the Security Department, reviewed yearly with representatives of each department, and approved by Corporate Management. The DRP is exercised at least once a year: a simulated disaster is staged and the response team must respond according to the plan, enabling continuity of operations. For example, the plan to locate two manufacturing facilities in different geographic areas in case one is disabled by a disaster is BCP, and the plan to allow workers to work from home via a secure Virtual Private Network (VPN) using virtual facilities on secure databases is DRP. The exercise (a simulated disaster event) is planned on a weekend or at a time when normal business is low, e.g. over Christmas or Super Bowl weekend. For the exercise the normal facilities are disabled and the backup plan to operate, possibly on a limited basis, goes into effect.

Security Operations:

The role of Security Operations is to:

1) Protect the assets, both physical and information, of the organization.
2) Protect the employees from harm both inside the building and on the premises.
3) Enable company operations after a loss of functionality.
4) Accomplish this in a cost effective way that does not unduly hinder operations.

These goals are accomplished through the implementation of a Defense in Depth layered plan of physical, administrative, managerial, technical and operational controls.[7] The methods of layering defensive technologies included in Defense in Depth (DiD) are physical, logical and virtual security solutions. The information assets are secured to reduce the risk of loss of confidentiality, integrity or availability.

Confidentiality provides a degree of assurance that data has not been made available or disclosed to unauthorized individuals, processes, or other entities. In essence, it assures that data can only be read or understood between trusted parties. Confidentiality can be breached or bypassed by someone shoulder surfing, sniffing or network monitoring, stealing passwords, or social engineering (an attacker posing as a trusted individual). In the network, confidentiality is accomplished through encryption. Threats to confidentiality include:

- Hackers/crackers
- Masqueraders/spoofing
- Unauthorized user activity
- Unprotected downloaded files
- Network sniffing
- Trojan horses
- Social engineering

Integrity includes protecting against unauthorized modification or destruction of information. It includes the assurance that data leaving point A and arriving at point B arrives without modification, and that point A and point B are who they claim to be. Three basic principles are used to establish integrity in the enterprise:

- Need-to-Know Access: Users should be granted access only to those files and programs they absolutely need to fulfill their duties (role based security).
- Separation of Duties: No single person has control of a critical transaction from beginning to end. Two or more people should be responsible for an entire critical transaction.
- Rotation of Duties: Job responsibilities should be periodically changed so that users will find it more difficult to collaborate to exercise complete control of a transaction or to subvert one for fraudulent purposes. This also has many other beneficial effects, including redundancy and continuity of operations in the event of loss of key personnel.

Availability is the attribute that ensures reliable and timely access to resources by authorized individuals. This means the corporation expects IT resources to:

- Perform or function properly.
- Be available / accessible.
- Be available when needed.

Availability can be compromised by Denial-of-Service (DoS) attacks: actions by users or attackers that tie up computing resources in such a way that the system is rendered unusable. Availability is lost when natural disasters (fire, flood, earthquake) or human action (bombs, strikes, malicious code) cause loss of IT or network capabilities. Availability is also lost due to normal equipment failure. The IT security department works with the IT Architect to ensure a high availability design of the network. In some cases the IT Architecture function is within the Security Department, as security and availability are paramount in the network design.

The security department utilizes the Protect, Detect and React paradigm. To accomplish this the department incorporates protection mechanisms and utilizes detection tools, procedures and logs that allow the discovery of, and the ability to react to and recover from, attacks or disasters. The security department's focus is on People, Technology and Operations. The company Security Policy (see overview, Appendix I) is the foundation of the security operations of the company. The Security Policy, Operational Security Plan and Disaster Recovery Plan are evaluated, and updated if required, on an annual basis. The updates are based on data provided by the network information controls, re-evaluation of risks, and stakeholder input as to usability and effectiveness. The Operational Security Plan includes the detailed processes for physical security, access control, telecommunications and network security, and operations security.

Risk Management:

In order to determine what level of security an asset requires, we first identify and rank the assets to be protected, and then determine what level of protection is required. This is accomplished by a risk analysis, a risk assessment and a business impact analysis. These are completed by the security team together with the business unit management that has custody of the asset, with oversight by corporate management. Risk is a function of the likelihood of a given threat source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. It is interesting that the Federal Government has revised its Risk Analysis approach to more closely follow industry standards.[8]

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. A Risk Analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats. A Risk Assessment involves evaluating existing physical and environmental security and controls, and assessing their adequacy relative to the potential threats to the organization. See the example table in Appendix II. A Business Impact Analysis involves identifying the critical business functions within the organization and determining the impact of not performing the business function beyond the maximum acceptable outage. Types of criteria that can be used to evaluate the impact include customer service, internal operations, legal/statutory and financial.

The Risk Analysis is the first step in the risk management methodology:[9]

1. Identify and prioritize assets;
2. Identify vulnerabilities;
3. Identify threats and their probabilities;
4. Identify countermeasures;
5. Develop a cost benefit analysis;
6. Develop security policies and procedures.

Using the formula Risk = Threat * Vulnerability, a risk analysis is completed for each corporate asset.

Vulnerability assessment has many things in common with risk assessment. Assessments are typically performed according to the following steps:

1. Cataloging assets and capabilities (resources) in a system.
2. Assigning quantifiable value (or at least rank order) and importance to those resources.
3. Identifying the vulnerabilities or potential threats to each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.

Categories of Risk:

1. Damage - Results in physical loss of an asset or the inability to access the asset, as in the case of a cut network cable.
2. Disclosure - Disclosing critical information, regardless of where or how it was disclosed.
3. Losses - Can be permanent or temporary, including the altering of data or the inability to access data.
4. Physical damage - Can result from natural disasters or other factors, as in the case of a power loss or vandalism.
5. Malfunctions - The failure of systems, networks, or peripherals.
6. Attacks - Purposeful acts, whether from the inside or outside. Misuse of data, as in unauthorized disclosure, is an attack on that information asset.
7. Human errors - Usually considered accidental incidents, as compared to attacks, which are purposeful incidents.
8. Application errors - Failures of the application, including the operating system. Application errors are usually accidental, while exploits of buffer overflows or viruses are considered attacks.

A Risk Assessment chart is used to rank the effect of threats and vulnerabilities that are determined to be risks. Cost benefit analysis is used to determine when a risk is worth mitigating. An earthquake, although very unlikely, would have a catastrophic effect. Therefore a plan for continuing operations in the event of an earthquake is advisable; however, the cost of maintaining completely redundant facilities may not be warranted unless the business is located in a heavy earthquake zone.

The tables in the following pages are intended to show examples of how the risk analysis and mitigation are documented. There is no one correct table. The analysis should drill down to the level of detail that you will be able to manage. The team that conducts and reviews the assets and risks will include the department managers that have ownership of the assets. For personnel, we suggest that a professional from the Human Resources (HR) department take the lead in the personnel risk analysis by role.

The table below is an example of a Risk Assessment Chart for loss of personnel, in this case the Chief Information Officer. The chart has likelihood columns (A. Very Likely, B. Somewhat Likely, C. Unlikely) plus a Mitigation column, and consequence rows (Catastrophic, Very Disruptive, Inconvenient); only the cells with entries are shown.

Risk: Loss of personnel: Chief Information Officer
  Consequence: Catastrophic
    A. Very Likely: The market is in short supply; many recruiters are contacting our CIO with offers.
    C. Unlikely: Although the CIO is being recruited, he/she is content and does not seem to want to leave.
    Mitigation: Two or more people trained in this position within the company at all times to mitigate the risk of loss, since it is a critical position and difficult to replace. Retention policy (bonus, vacation, etc.).

Note: The difference between Very Likely and Unlikely above is that Corporate Management is aware of the first scenario and makes an effort to retain the CIO, making the likelihood of him/her leaving unlikely. Nevertheless, in either case the result would be catastrophic, so planning for his/her leaving is done by identifying a backup person and making sure that person is able to assume the duties, using the policy of rotation of duties.[10] In this economy there is less likelihood of people changing jobs; however, key positions should be looked at in terms of duplication of capability and personnel retention. This is not necessarily a function of the security department; however, when risks such as these are identified they should be brought to corporate management for inclusion in the overall company risk management process.

Example of a Risk Assessment Chart for less critical roles:

Risk: Loss of personnel: Assistant Staff
  Consequence: Inconvenient
    A. Very Likely: Personnel for this position are available in the marketplace.
    Mitigation: This position, although very useful and important to the company, is not considered a high risk. Except for normal role documentation and training materials, other mitigation is not necessary.

For less critical roles, turnover is always inconvenient and may be very disruptive even though the positions are quickly replaced. Therefore each role / position is looked at in detail and effort is made to ensure continuity of operations and minimize the effects of loss of personnel.

Risk Assessment Chart for Information Technology / Computing and Network hardware:

Hardware failure (general). The chart has likelihood columns Very Likely, Somewhat Likely and Unlikely, each subdivided by consequence (1), (2), (3), plus a Mitigation column; in the original chart each row is marked with an X under one likelihood/consequence column.
  Router - Core: We can reduce the consequence to inconvenient by deploying redundant routers or diverse paths. The failure rate is a function of the equipment design and environment.
  Router - Distribution: As this router controls less critical branches of the network, we might economize and only utilize diverse routing to ensure high availability.
  Switch (non redundant): Diverse paths may be able to move the consequence to inconvenient.
  Server (non redundant): Servers are usually deployed in redundant modes, as the cost of servers has dropped in relation to their critical use in the network.

Consequence: 1) Catastrophic, 2) Very Disruptive, 3) Inconvenient

Hardware fails depending on age, vendor, maintenance, environment (heat / cold), etc. A constant temperature is usually preferred, as heating and cooling expand and contract metal and substrates that have different expansion coefficients and can separate and crack. The life of equipment is variable. Redundancy for key equipment is almost always cost effective. A much more detailed / extensive analysis should be completed for an actual risk analysis.

The consequence can be rated as: 1 = Catastrophic: major damage to the equipment and/or facilities, interruption in operations for more than 48 hours; 2 = Very Disruptive: interruption in operations for up to 8 hours; 3 = Inconvenient: little impact or interruption in operations.

The table below lists common cyber attacks and mitigation strategies. This table is pretty much at the top of the list for evaluation and re-evaluation by the IT Security Department; this is what they deal with on a day to day basis. New attacks are coming out daily. Operating system patches are automatically reviewed daily and updates made as required. Software version numbers are important and tracked by date. All software used by the company must be maintained and kept up to date with the latest release. There is a function in the IT Security department devoted to this process.

Common Network Cyber Attacks (in the original chart each row is marked with an X under a likelihood column, Very Likely / Somewhat Likely / Unlikely, subdivided by consequence (1), (2), (3)):
  Denial of service: Malformed bits / false IP addresses can be mitigated by keeping the OS up to date and logging frequent connection attempts against one service.
  SYN Flood: An overload of packets that have the SYN flag set can be blocked by a firewall, by keeping the OS up to date, and by review of log files.
  Malware: Up to date antivirus signatures are essential in combating viruses, Trojans, worms, spyware, etc. Also restrict access to nonessential web surfing, especially in critical branches of the network. Segment the network's critical assets. Restrict access to administrator privileges on user computers to keep unauthorized software off machines and prevent changes to security settings.
  Social Engineering: Servers are usually deployed in redundant modes, as the cost of servers has dropped in relation to their critical use in the network.
  Port Scanning: A firewall will protect from port scanning with the intention to infiltrate the network.
  ICMP abuse: Packet filtering via a firewall will block abusive ICMP echo requests.
  Host Attack: A proxy server will keep attackers from accessing IP addresses, hostnames and passwords which can be used to find other hosts to attack.
  Man in the middle attack: Virtual Private Network (VPN) encryption can keep an attacker from operating between computers, impersonating one to intercept communications.
  New files on network: Use system auditing software to control this as a behavioral monitor / block.
  Remote Procedure Calls: An Intrusion Detection System will defeat this threat, as will keeping OS patches up to date.

Consequence: 1) Catastrophic, 2) Very Disruptive, 3) Inconvenient
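The two log-based mitigations in the table above (logging frequent connection attempts against one service, and review of log files for SYN floods) can be automated. The following is an added example and not part of the original document: it reviews netfilter-style firewall LOG lines with a sliding window per destination service. The log lines, the host name fw1, and the thresholds are constructed for the example.

```python
"""Log review for SYN floods and frequent connection attempts against one service.

Added example; not part of the original document. It parses iptables-style
kernel LOG lines (SRC=, DST=, PROTO=, SPT=, DPT= and the flag words such as
SYN and ACK are the standard netfilter LOG format), keeps a sliding window of
SYN packets per destination service, and reports a service when the count in
the window exceeds a limit. A burst made up almost entirely of distinct
source addresses is flagged as likely spoofed ("false IP addresses").
The log lines and the thresholds below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW_SECONDS = 10   # assumed window length for "frequent connection attempts"
SYN_LIMIT = 20        # assumed: more SYNs than this to one service per window is a flood
SPOOF_RATIO = 0.8     # assumed: distinct sources / SYNs at or above this suggests spoofing

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?\bPROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?(?P<tail>.*)$"
)


@dataclass
class SynEvent:
    ts: datetime
    src: str
    service: str   # "destination:port"


@dataclass
class Alert:
    service: str
    syn_count: int          # peak SYNs seen in one window
    distinct_sources: int   # distinct SRC addresses in that window
    likely_spoofed: bool


def parse_syn(line: str):
    """Return a SynEvent for a TCP packet with SYN set and ACK clear, else None.

    SYN-only packets are new connection attempts; SYN/ACK replies and data
    packets are ignored so that legitimate handshakes are not double counted.
    """
    m = LINE_RE.match(line)
    if not m or m.group("proto") != "TCP" or m.group("dpt") is None:
        return None
    flags = set(re.findall(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b", m.group("tail")))
    if "SYN" not in flags or "ACK" in flags:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog stamps carry no year
    return SynEvent(ts, m.group("src"), f"{m.group('dst')}:{m.group('dpt')}")


def review_log(lines):
    """Sliding-window review; returns one Alert per service that exceeded SYN_LIMIT."""
    window = defaultdict(deque)   # service -> deque of (ts, src), oldest first
    alerts = {}
    for line in lines:
        ev = parse_syn(line)
        if ev is None:
            continue
        q = window[ev.service]
        q.append((ev.ts, ev.src))
        cutoff = ev.ts - timedelta(seconds=WINDOW_SECONDS)
        while q and q[0][0] < cutoff:      # drop attempts older than the window
            q.popleft()
        if len(q) > SYN_LIMIT:
            sources = {src for _, src in q}
            current = alerts.get(ev.service)
            if current is None or len(q) > current.syn_count:   # keep the peak
                alerts[ev.service] = Alert(ev.service, len(q), len(sources),
                                           len(sources) / len(q) >= SPOOF_RATIO)
    return list(alerts.values())


def _log_line(ts: datetime, src: str, dst: str, dpt: int, flags: str) -> str:
    """Build one constructed LOG line in netfilter's format (sample data, not a capture)."""
    return (f"{ts:%b %d %H:%M:%S} fw1 kernel: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=1 DF PROTO=TCP SPT=40001 DPT={dpt} "
            f"WINDOW=29200 RES=0x00 {flags} URGP=0")


def sample_log():
    """Constructed sample: one normal handshake and a second client on :443, then a
    burst of 30 SYNs from 30 different source addresses to :80 within four seconds."""
    t0 = datetime(1900, 1, 15, 10, 0, 0)   # year is a placeholder; the stamp omits it
    lines = [_log_line(t0, "198.51.100.7", "192.0.2.10", 443, "SYN"),
             _log_line(t0 + timedelta(seconds=1), "198.51.100.7", "192.0.2.10", 443, "ACK"),
             _log_line(t0 + timedelta(seconds=2), "198.51.100.8", "192.0.2.10", 443, "SYN")]
    for i in range(30):
        lines.append(_log_line(t0 + timedelta(milliseconds=130 * i),
                               f"203.0.113.{i + 1}", "192.0.2.10", 80, "SYN"))
    return lines


if __name__ == "__main__":
    for alert in review_log(sample_log()):
        print(alert)
```

Only the :80 service is reported: two SYNs to :443 stay under the limit, while the burst of 30 SYNs from 30 addresses exceeds it and is marked as likely spoofed.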

The following table takes the credible threats from the individual analysis charts and presents them in summary form on one chart. These charts are not meant to be exhaustive but rather illustrative of the process.

Example: Threat / Vulnerability and Mitigation Summary Table (columns: Asset, Vulnerability, Threat, Risk Assessment as Probability / Consequence, Mitigation):

Personnel - Injury while entering / leaving building
  Vulnerability: Employees may be vulnerable between the time they leave their vehicles and when they enter the building.
  Threat: Mugging, theft, panhandling or other personal attacks while walking alone to the car.
  Risk Assessment: Unlikely / Catastrophic. At most locations the risk is unlikely; the consequence can be catastrophic.
  Mitigation: Cost benefit analysis makes lighting and cameras feasible for this threat.

Personnel - Resignations
  Vulnerability: Key operations may be at risk.
  Threat: Loss of functionality; leaving the company; illness at a critical time.
  Risk Assessment: Likely / Catastrophic. Key employees are more likely to be recruited by other companies.
  Mitigation: Make sure each role / duty has a backup. Capture and document key information.

Personnel - Disgruntled inside
  Vulnerability: Employees with access to assets.
  Threat: Sabotage, theft, disruption of teamwork.
  Risk Assessment: Unlikely / Disruptive. Most lost assets are non-critical; critical assets must be protected.
  Mitigation: Critical assets identified and protected: locked / RFID tags similar to those used in retail.

Personnel - Disgruntled outside
  Vulnerability: A former employee with passwords still enabled logs onto the network via a borrowed laptop or dial-in access.
  Threat: Sabotage, theft, disruption of teamwork.
  Risk Assessment: Unlikely / Disruptive. Although most assets can be lost with only disruptive consequences, critical assets must be protected.
  Mitigation: Identity Management System and log file review.

Social Engineering
  Vulnerability: Sensitive information is vulnerable; inadvertent release of information (PII, passwords, etc.).
  Threat: PII theft can lead to identity theft. Password release can lead to actual infiltration of the network.
  Risk Assessment: Unlikely / Disruptive. This has to be evaluated periodically; in most cases this threat is unlikely.
  Mitigation: Education and periodic tests / probing to keep employees alert and aware.

Hardware failure
  Vulnerability: Loss of servers, routers, etc. through equipment failure caused by heat or lack of maintenance.
  Threat: Functionality / availability of the network.
  Risk Assessment: Unlikely / Catastrophic. This can be determined on an equipment by equipment basis.
  Mitigation: Utilize redundant equipment where feasible.

Hardware theft / tamper
  Vulnerability: Located in an unlocked room; accessible to employees.
  Threat: Sabotage or inadvertent damage due to error.
  Risk Assessment: Unlikely / Catastrophic. After the initial installation, equipment is often ignored.
  Mitigation: Keep in a locked, secure environment.

Software - Category A: necessary to company operations
  Threat: Loss / tamper / out of date.
  Risk Assessment: Unlikely / Very Disruptive.
  Mitigation: Backups must be maintained; software versions kept up to date with patches; antivirus protection.

Software - Category B: used to support / promote business
  Threat: Loss / tamper / out of date.
  Risk Assessment: Unlikely / Disruptive.
  Mitigation: Keep non-critical software up to date with patches; antivirus protection.

Information - Key inventions, intellectual property
  Threat: Theft / duplication if in the hands of a competitor.
  Risk Assessment: Unlikely / Catastrophic.

Information - Customer lists, PII
  Threat: Illicit use if in the hands of a competitor / thief.
  Risk Assessment: Unlikely / Catastrophic.

  Mitigation (both Information rows): Knowledge is most valuable.


Personnel Security:

Although not generally thought of as part of an IT Security Plan, personnel security is always a part of the overall security considerations, and with IT Security responsible for the entire company's security it becomes part of their responsibility. The main thrust here is to make sure employees are safe; they are most vulnerable while moving between the parking lot and the building. The other aspect of security involving personnel is the risk to the company when personnel end their employment with the company (voluntarily or otherwise). Several security issues are involved with employees who move on, and these are mostly handled with the help of the automated Identity Management System.

Security starting at the parking lot is designed to accomplish two things. First: the physical security or safety of employees. The plan is designed to protect employees from the threat of personal harm when they are between their cars and the building. This is accomplished by the use of 8 ft. high fencing integrated into the landscaping and color coordinated to be less visible, intrusion detection sensors, cameras and lighting. The parking lots will have cameras installed at locations that enable viewing of activity anywhere in the lots. The entire area, building and parking lot, will be fenced, and lighting and cameras will be deployed in strategic areas. The landscaping will be designed to enhance security, leaving areas near the windows and building entrances free of large shrubs so as to enable greater visibility.

Physical security is closely connected with Identity Management and starts with vehicle identification. The parking lots will be for employee use only; there will be a separate lot for visitors and clients. The employee lots will have Radio-Frequency Identification (RFID) transceivers installed and each employee will be issued tags (also called transponders) that will enable identification of their vehicles as they enter the lots.11

There is one entrance at each location, and the receptionist in the building, who also functions as a security officer, will have the picture and name of the employee (captured by the RFID system) on screen before they enter the front entrance. If the receptionist sees a different person enter, that will be dealt with in a different way. Visitors may not be in the system until they have visited the first time and been identified and put in the database. First-time visitors are treated slightly differently from returning visitors and employees. In each case the goal is to have flawless security while having the person feel good about the security measures and tolerate, if not enjoy, their participation in the process. We also do not want

Copyright: April 2012, D. E. Jennings

Page

15 of 41

to delay a legitimate entry. Trained and motivated security personnel are essential to this process. One option is to institute a rotation of duties between the security point person and all other roles in the company, which would enable all employees to appreciate the role of security. Front desk security would be a duty everyone would be able to enjoy. This would increase security awareness and allow everyone in the company eventually to meet everyone else.

Building Security:

Windows and doors to the outside will be alarmed to a central alarm system. During business hours there will be one entrance for employees to enter the building. At that location they will use their RFID badge to open a door. Once inside there is a lobby where they will be allowed into the building after showing their ID badge to the receptionist. This process is two-factor security: the RFID badge and personal recognition by a human. After hours the building will be locked and secured by 24-hour security monitoring. The security monitoring will include the grounds, the parking lot and cameras at strategic locations within and outside the building. The cameras will be on a 24/7 recording schedule and archived on a regular schedule. Those who require after-hours work must have prior approval and will be admitted by the security guard on duty.

Sensitive rooms within each building will be secured from general employee access. Each employee's RFID badge will give them access to specific areas divided by department. The Human Resources department will have a lobby area with soundproof rooms where employee interviews will be conducted. The Finance department will likewise have an area where non-finance employees can be received without having to enter the restricted Finance area, which is open to finance employees only. Conference rooms, cafeteria, restrooms, etc., will be open to the general employee population.
Access Control:

Access control is enabled by an efficient Identity Management system.12 Identity Management is the management of user credentials and the means by which users log on to corporate network resources. With the emergence of phishing attacks, good identity management became essential to maintaining the CIA triad, since phishing exploits the difficulty of properly identifying and authenticating identities. The evolution of identity management closely follows the progression of Internet technology. Typical identity management functionality includes the following:

1. User information self-service
2. Password resetting
3. Management of lost passwords
4. Workflow
5. Provisioning and de-provisioning of identities from resources

Identity management also addresses the age-old 'N+1' problem, where every new application may entail setting up a new data store of users. The ability to centrally manage the provisioning and de-provisioning of identities, and to consolidate the proliferation of identity stores, all form part of the identity management process.

Identity management starts with the risk assessment to determine the need for particular controls to properly protect information, applications, and infrastructure as required. These controls set the lifecycle security objectives for creating and maintaining an identity, verifying and authenticating an identity, granting permissions and authorities, monitoring and accountability, and auditing and appraisal of the identity management processes.

The identity management system defines the control objectives required to enforce the security policy:

1. Identification: The process that creates an entity and verifies the credentials of the individual, which together form a unique identity for authentication and authorization purposes.

2. Authentication: Verifies credentials to support an interaction, transaction, message, or transmission.

3. Authorization: Grants permissions by verifying the authenticity of an individual's identity and their permission to access specific categories of information or to carry out defined role-based tasks.

4. Accountability: The process that records the linkage between an action and the identity of the individual or role who invoked the action, thus providing an evidence trail for audit or non-repudiation purposes.

5. Audit: The process that examines data records, actions taken, changes made, and the identities/roles invoking actions, which together provide a reconstruction of events for evidential purposes.

The control objectives above serve the requirement to provide an auditable chain of evidence.

Using the Identity Management system, each employee is given access to physical locations, network locations, information databases, etc. based on their role and classification. Each role and title implies certain tasks and levels of authorization to perform particular tasks. An example of a role table is in Appendix III. Access to the required resources will be based on those roles. The identity management system enables efficient deployment of employees and removal of their access when they no longer require it or they leave the company. Maintaining access control in the enterprise requires several components for each category of access control. There are three main categories of access control:13
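As an added illustration (not code from the document or from its Identity Management System), the Python model below carries the five control objectives and the role-based provisioning described above through one employee's lifecycle, from provisioning to de-provisioning, with every step recorded for audit. The role table, resource names and the user are constructed stand-ins for the document's Appendix III.

```python
"""Minimal identity-management lifecycle: identification, authentication,
authorization (role-based), accountability and audit in one place."""
import hashlib
import hmac
import os
import time

# Hypothetical role table (the document's own table is in its Appendix III;
# these roles and permissions are constructed for the example).
ROLE_PERMISSIONS = {
    "finance": {"finance_area", "finance_db", "cafeteria"},
    "hr": {"hr_lobby", "hr_db", "cafeteria"},
    "engineer": {"server_room", "wiring_closet", "cafeteria"},
    "general": {"cafeteria"},
}


class IdentityStore:
    def __init__(self):
        self._users = {}   # login -> record
        self._audit = []   # accountability trail: who did what, to whom, when

    def _log(self, actor, action, **details):
        self._audit.append({"ts": time.time(), "actor": actor, "action": action, **details})

    # 1. Identification: create the entity and bind its credential to it.
    def provision(self, admin, login, password, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[login] = {"salt": salt, "digest": digest, "role": role, "active": True}
        self._log(admin, "provision", subject=login, role=role)

    # De-provisioning: one action revokes every access when employment ends.
    def deprovision(self, admin, login):
        self._users[login]["active"] = False
        self._log(admin, "deprovision", subject=login)

    # 2. Authentication: verify the credential with a constant-time comparison.
    def authenticate(self, login, password):
        rec = self._users.get(login)
        ok = False
        if rec and rec["active"]:
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
            ok = hmac.compare_digest(digest, rec["digest"])
        self._log(login, "authenticate", success=ok)
        return ok

    # 3. Authorization: permission derives from the role, never from the user directly.
    def authorize(self, login, resource):
        rec = self._users.get(login)
        allowed = bool(rec and rec["active"] and resource in ROLE_PERMISSIONS[rec["role"]])
        self._log(login, "authorize", resource=resource, allowed=allowed)
        return allowed

    # 4./5. Accountability and audit: reconstruct everything tied to one identity.
    def audit(self, login):
        return [e for e in self._audit if e["actor"] == login or e.get("subject") == login]


def demo():
    """Constructed scenario: a finance employee is hired, works, and leaves."""
    idm = IdentityStore()
    idm.provision("admin", "alice", "correct horse battery", "finance")
    results = {
        "auth_ok": idm.authenticate("alice", "correct horse battery"),
        "auth_bad": idm.authenticate("alice", "wrong"),
        "finance_db": idm.authorize("alice", "finance_db"),
        "server_room": idm.authorize("alice", "server_room"),
    }
    idm.deprovision("admin", "alice")
    results["after_leaving"] = idm.authorize("alice", "finance_db")
    results["auth_after_leaving"] = idm.authenticate("alice", "correct horse battery")
    results["audit_entries"] = len(idm.audit("alice"))
    return results
```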

Administrative:

1. Policies and procedures - A high-level plan that lays out management's plan for how security should be practiced in the company. It defines what actions are not acceptable and what level of risk the company is willing to accept.

2. Personnel controls - Indicate how employees are expected to interact with corporate security, and how non-compliance will be enforced.

3. Supervisor structure - Defines the overall company hierarchy. Each employee has a supervisor they report to, and that supervisor has a superior they report to. This chain of command dictates who is responsible for each employee's actions.

4. Security awareness training - Users are usually the weakest link in the security chain. Proper training on security issues can instill proper access control usage on the network.

5. Testing - Test access controls on the network to determine their effectiveness (or ineffectiveness).

Physical:

1. Network segregation - Defining segregation points can help enforce access controls on ingress to or egress from the segment.

2. Perimeter security - Defines how the perimeter of the company will be enforced, such as guards, security badges, fences and gates.

3. Computer controls - Defines the physical controls on computer systems, such as locks on systems to deter theft of internal parts and removal of floppy drives to deter copying.

4. Work area separation - Separation of work areas based on type of use, such as server room, wiring closets and experimental room.

5. Data backups - This physical control is used to ensure access to information in case of system failure or natural disaster.

6. Cabling - Protecting the cabling from electrical interference, crimping, and sniffing.

Technical:

1. System access - Controls that determine how resources on a system are accessed, such as MAC architecture, DAC architecture, username/password, RADIUS, TACACS+ and Kerberos.

2. Network architecture - Defines logical network segmentation to control how different network segments communicate.

3. Network access - Defines access controls on routers, switches, bridges and network interface cards. Access control lists, filters, AAA, and firewalls would be used here.

4. Encryption and protocols - A technical control that encrypts traffic as it courses through untrusted network segments. Protocols could include IPSec, L2TP, PPTP, SSH and SSL/TLS.

5. Control zone - A specific area in the enterprise that surrounds and protects network devices that emit electrical signals. Electrical signals emanate from all computer systems and travel a certain distance before being drowned out by interference from other electrical fields. Control zones are both a technical and a physical control.

6. Auditing - Tracks activity as resources are being used in the enterprise.

Telecommunications:

Along with access to the network from the company intranet, employees may gain remote access via a remote log-on through a secure Virtual Private Network (VPN). Virtual Private Networks (VPNs) are secure private connections created using a public network. They are virtual in the sense that the public network is seen as a single hop between networks, allowing the two networks to be virtually connected. They are private in the sense that data sent over the public network cannot be viewed by untrusted personnel; encryption techniques create the privacy. Four main VPN protocols are in use today:

Layer Two Forwarding (L2F) is a protocol developed by Cisco that supports the creation of secure virtual private dial-up networks (VPDNs) over the Internet.

Point-to-Point Tunneling Protocol (PPTP) is a network protocol developed by Microsoft that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet.

Layer 2 Tunneling Protocol (L2TP) is an Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).

IPSec, the Security Architecture for the Internet Protocol, is designed to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, detection and rejection of replays (a form of partial sequence integrity), confidentiality through encryption, and limited traffic flow confidentiality. The IP layer provides these services, offering protection in a standard fashion for all protocols that may be carried over IP, including IP itself.

When the Identity Management System is used, VPN access is seamlessly integrated with it.

Network Security

Attackers are continuously attempting to gain access to corporate resources for profit or fun. Once the security world obtains an understanding of the exploit used, the application, algorithm, or protocol is updated to mitigate the threat. Attackers then try different avenues of attack, which leads to an endless exploit/mitigation loop.

Examples of Network Attacks:

Smurf: This is an attack with three entities: the attacker, the victim, and the amplifying network. The attacker spoofs, or changes, the source Internet Protocol (IP) address in a packet header to make an Internet Control Message Protocol (ICMP) ECHO packet seem as though it originated at the victim's system. This ICMP ECHO message is broadcast to the amplifying network, where all active nodes send replies to the source (the victim). The victim's system and network become overwhelmed by the large number of ECHO replies.

Fraggle: This is the same type of attack as the Smurf attack, except here the attacker broadcasts a spoofed UDP packet to the amplifying network, which in turn replies to the victim's system.

Denial of Service (DoS): This attack consumes the victim's bandwidth or resources, causing the system to crash or stop processing other packets. DoS attacks are carried out by attackers with the intent to stop legitimate users from accessing certain resources. Their intent is malicious and not designed to obtain information.
DoS attacks are usually the most formidable attacks to deal with, as they usually involve very large amounts of traffic that may or may not look like valid transmissions on the wire. Knowing how these attacks are sculpted and executed will allow network administrators to better deter them on their networks. Mitigation of DoS attacks can be performed at the ISP egress router into the company via rate limiting, via NIDS and HIDS, and by having up-to-date security patches and hot fixes installed on all critical servers and systems. Input checking included in the login subsystem can also easily stop this type of DoS attack.

Distributed Denial of Service (DDoS): This is a logical extension of the DoS attack. The attacker creates master controllers that can in turn control slave/zombie machines, all of which can be configured to attack a single node.

DNS DoS Attacks: In this attack a record at a Domain Name System (DNS) server is replaced with a new record pointing at a fake/false IP address.

Cache Poisoning: Here the attacker inserts data into the cache of the server instead of replacing the actual records.

Buffer Overflow: A buffer overflow is a software-based attack created when a program does not check the length of data that is input into it, which will then be processed by the CPU. A buffer overflow exists when a particular program attempts to store more information in a buffer (memory storage) than it was intended to hold. Since the buffer was only intended to hold a certain amount of data, the additional data overflows into a different area of memory, and it is this different area of memory where overflows cause the problem.

Brute Force: Brute force attacks occur when a cracker attempts to obtain the correct password for an account by trying every conceivable value, hoping to stumble across the correct one. Administrators have known about brute force attacks for many, many years and have come up with ways to mitigate these types of attacks. One of the easiest methods is to rename the administrator account to something else; in this way the cracker must know two things, the account name and the password. Administrators will also create passwords of at least eight characters in length. This technique helps because it takes time to brute force a password that is at least eight characters long. Hopefully, the administrator will notice the attack and take precautionary steps to block the cracker.
The length of the password and the number of possible values a password may have will delay the success of this attack but not stop it. Also, imposing a delay of, say, 20 seconds between failed attempts, or locking the account after 10 failed attempts, deters this type of attack.

Dictionary Attacks: Dictionary attacks are another form of brute force attack and take advantage of a well-known flaw in the password authentication scheme: the fact that many people use common words as the password for an account. Attackers exploit this fact by using a source for common words (the dictionary) to try to obtain a password for an account. They simply try every possible word in the dictionary until a match is found. Proper password usage is key to the mitigation of this attack. Dictionary attacks are usually mitigated by systems that use pass phrases instead of passwords.

Spoofing: Attackers can use many different types of spoofing attacks, but they all use spoofing for one reason, which is to impersonate another host. Sometimes the attacker does not care who he or she is impersonating; the attacker only cares that the packet he or she is transmitting does not identify him or her. Other times the attacker knows exactly what host he or she wants to impersonate and wants the return traffic to reach this host.

A spoofing attack on a password system is one in which one person or process pretends to be another person or process that has more privileges. An example would be a fake login screen, also called a Trojan horse login. In this attack, the attacker obtains low-level access to the system and installs malicious code that mimics the user login screen. On the next attempt to log in, the user enters his or her username and password into the fake login screen. The malicious code then stores the username and password in a certain location, or may even email the information to an email account. The Trojan horse then calls the correct login process to execute. To the user, the entry appears to be an incorrect or mistyped username or password and he or she will try again. When they do, of course, they are let into the system.

DNS spoofing attacks work by convincing the target machine that the machine it wants to contact (for example, www.makebigchecks.com) is the machine of the attacker. When the target issues a DNS query, it could be intercepted and answered with the spoofed IP address, or the query could reach the DNS server, which has been tampered with in order to give the IP address of the cracker's host rather than the real server's IP address.
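An added example (not from the document) of the two deterrents named above, a 20-second delay after each failed attempt and lockout after 10 failures, together with the minimum-length and common-word checks from the brute force and dictionary attack discussion. The account, the guesses and the tiny word list are constructed, and the clock is injectable so the whole scenario runs without actually sleeping.

```python
"""Login throttling and password screening as described in the text:
a delay after every failed attempt, lockout after a fixed number of
failures, a minimum length, and rejection of dictionary words."""
import time
from dataclasses import dataclass

FAIL_DELAY_SECONDS = 20   # delay imposed after a failed attempt (from the text)
LOCKOUT_THRESHOLD = 10    # failures before the account is locked (from the text)
MIN_PASSWORD_LENGTH = 8   # "at least eight characters" (from the text)

# Constructed, tiny "dictionary" standing in for the word lists attackers use.
COMMON_WORDS = {"password", "welcome", "letmein", "sunshine", "dragon"}


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    not_before: float = 0.0   # earliest time another attempt is even considered


class ThrottledLogin:
    def __init__(self, credentials, clock=time.monotonic):
        self._creds = credentials   # login -> password; plaintext only for this demo
        self._state = {}
        self._clock = clock         # injectable so tests need not sleep

    def attempt(self, login, password):
        """Return one of 'ok', 'bad', 'delayed', 'locked'."""
        st = self._state.setdefault(login, AccountState())
        now = self._clock()
        if st.locked:
            return "locked"
        if now < st.not_before:
            return "delayed"    # rejected without checking the password at all
        if self._creds.get(login) == password:
            st.failures = 0
            return "ok"
        st.failures += 1
        st.not_before = now + FAIL_DELAY_SECONDS
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked = True
            return "locked"
        return "bad"


def password_acceptable(password):
    """Reject passwords a dictionary attack would recover immediately."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return password.lower() not in COMMON_WORDS


class FakeClock:
    """Deterministic stand-in for time.monotonic()."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate_attack(seconds=300):
    """Constructed scenario: one wrong guess per second against 'alice'.
    Returns how many guesses were actually checked, how many were refused
    by the delay, and the second at which the account locked."""
    clock = FakeClock()
    login = ThrottledLogin({"alice": "correct horse battery"}, clock=clock)
    outcomes = []
    for second in range(seconds):
        clock.t = float(second)
        outcomes.append(login.attempt("alice", f"guess{second}"))
    return {
        "checked": outcomes.count("bad"),
        "delayed": outcomes.count("delayed"),
        "locked_from": outcomes.index("locked"),
    }
```

With one guess per second the delay lets only one guess through every 20 seconds, so the tenth failure, and the lockout, arrives at second 180 after just nine checked guesses.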
Either way the target receives a false IP address for the host it wanted to contact and will attempt to contact it.

Sniffing: The act of sniffing is the use of a program or device that monitors data traveling over a network. Sniffing is hard to detect because, as a passive attack, it only receives information and never sends out information. The goal of sniffing is to capture sensitive information such as a password in order to perform a replay attack at a later time. Mitigation against sniffing attacks can include using a switched infrastructure, using one-time passwords, or enabling encryption.

TCP Takeover: In a Transmission Control Protocol (TCP) takeover attack, the cracker will attempt to insert malicious data into an already existing TCP session between two hosts. In this type of attack, the attacker is either attempting to inject false data into the conversation or to take over the session completely. This type of attack is usually used in conjunction with a DoS attack to stop the host it is impersonating from sending any further packets. The DoS attack against the impersonated host will itself be using spoofed packets. In this way, the attacker hides his or her identity from the host whose TCP session was taken over, while the opposite end still believes its ongoing session is with the original host.

Pseudo Flaws: A pseudo flaw is an apparent loophole deliberately implanted in an operating system or program as a trap for intruders. Pseudo flaws are inserted into programs to get attackers to spend time and energy attempting to uncover weaknesses that they hope will allow them to gain access to other parts of the system. Because these are deliberate flaws, the attacker can spend weeks attempting to exploit the flaw before he or she becomes discouraged and moves on to different parts of the program.

Alteration of Authorized Code: Attackers often write small programs that create a patch in authorized code. Take a program that will not execute until the user enters a valid serial number or authorization code. The attacker does not have this information, yet still wants to execute the program. Using his or her knowledge of programming and off-the-shelf software, the attacker can identify where in the program the subroutine that performs authorization is called from. The attacker then writes a program that modifies that very same area of the program, so that instead of calling the authorization subroutine, the instructions are now a series of NOPs (no operations). This alteration of authorized code simply bypasses the authorization subroutine and begins executing the program.

Flooding: Flooding is the process of overwhelming some portion of the information system. This could be bandwidth on a serial link or memory in a router or server. There are many uses of flooding for attackers.
Attackers could hide their attacks in a flood of random attack packets, they could attempt to overwhelm a switch's Address Resolution Protocol (ARP) table, or they could perform DoS attacks. SYN floods are an example of flooding used in a DoS attack. SYN floods take advantage of TCP's three-way handshake. In this DoS attack, the attacker sends many thousands of half-formed or embryonic TCP connection requests (SYN packets), usually with a spoofed source address, to the target server. The server that receives these connection requests sets aside a small amount of memory for each connection and replies with a SYN-ACK to the spoofed address. The spoofed host (if it exists) receives the SYN-ACK packet and discards it. This leaves the server with an open or half-formed connection, which will remain so for three minutes as it waits for the connection to complete. A few open connections will not cause harm to a server, but thousands upon thousands of open connections, each using a small amount of memory, will quickly consume all available resources on the server. When all resources are consumed, the server will no longer respond to the SYN requests of the attacker. Unfortunately, the server will also not respond to any SYN request from a valid user, which is the DoS the attacker is trying to accomplish. These attacks are always changing, and methods of mitigating them are also changing.

Architecture

An example network architecture for a single location is located in Appendix IV. The network is segregated into 7 sub-networks which include the 10 functional areas.

Fundamental Firewall Designs

Firewall design has evolved from flat designs, such as the dual-homed host and the screened host, to layered designs such as the screened subnet. The evolution has incorporated network defense in depth, including the use of DMZs and more secure networks.

A Bastion host is any host placed on the Internet which is not protected by another device (such as a firewall). Bastion hosts must protect themselves and be hardened to withstand attack. Bastion hosts usually provide a specific service, and all other services should be disabled.

A Dual-homed host has two network interfaces: one connected to a trusted network, and the other connected to an untrusted network, such as the Internet. This design was more common before the advent of modern firewalls in the 1990s, and is still sometimes used to access legacy networks.

Screened Host Architecture is an older flat network design using one router to filter external traffic to and from a bastion host via an access control list (ACL). The bastion host can reach other internal resources, but the router ACL forbids direct internal/external connectivity.
The difference between the dual-homed host and screened host designs is that the screened host uses a screening router, which filters Internet traffic to other internal systems. Screened host network design does not employ network defense in depth: a failure of the bastion host puts the entire trusted network at risk. Screened subnet architecture evolved as a result, using network defense in depth via the use of DMZ networks.


DMZ Networks and Screened Subnet Architecture

A DMZ is a dangerous no-man's land; this is true for both military and network DMZs. Any server that receives traffic from an untrusted source such as the Internet is at risk of being compromised. We use defense-in-depth mitigation strategies to lower this risk, including patching, server hardening, NIDS, etc., but some risk always remains. Network servers that receive traffic from untrusted networks such as the Internet should be placed on DMZ networks for this reason. A DMZ is designed with the assumption that any DMZ host may be compromised: the DMZ is designed to contain the compromise and prevent it from extending into internal trusted networks. Any host on a DMZ should be hardened, and hardening should consider attacks from untrusted networks as well as attacks from compromised DMZ hosts.

A classic DMZ uses two firewalls, also called a screened subnet dual-firewall design; in this design two firewalls screen the DMZ subnet. A single-firewall DMZ uses one firewall and is sometimes called a three-legged DMZ. The single-firewall design requires a firewall that can filter traffic on all interfaces: untrusted, trusted, and DMZ. Dual-firewall designs are more complex, but more secure: in the event of compromise due to firewall failure, a dual-firewall DMZ requires two firewall failures before the trusted network is exposed, whereas the single-firewall design requires only one.

Intrusion Detection System (IDS)

An important tool in network defense is the Intrusion Detection System (IDS). An IDS utilizes audit records of all activities on a system. An IDS has three basic components: a sensor (agent), an analyzer, and a security interface (also called the director). The sensor collects information and forwards it to the analyzer. The analyzer receives this data and attempts to ascertain whether the data constitutes an attack or intrusion. The security interface, which is usually a separate device, displays the output to the security administrator and configures the sensors in the network. There are two basic types of intrusion detection mechanisms: Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS). Intrusion detection devices attempt to identify any of the following types of intrusions:

Input Validation Errors
Buffer Overflow
Boundary Conditions
Access Validation Errors
Exceptional Condition Handling Errors
Environmental Errors
Configuration Errors
Race Conditions

NIDS: Protects an entire network segment and is usually a passive device on the network. Users are unaware of the NIDS's existence unless they learn about it through the general security training sessions. NIDS cannot detect malicious code in encrypted packets, but is cost effective for mass protection. It requires its own sensor for each network segment.

HIDS: Protects a single system. It uses system resources (CPU and memory) from the system and provides application-level security. An advantage of HIDS is that it provides day-one security. Intrusion detection is performed after decryption, so it is used on servers and sensitive workstations, but is costly for mass protection.

The two forms of Intrusion Detection:

Profile-based Intrusion Detection (also known as anomaly detection): In profile-based detection, an alarm is generated when activity on the network goes outside of the profile. A profile is a baseline of what should be considered normal traffic for each system running on the network. A problem exists because most systems do not follow a consistent profile: what is normal today might not be normal tomorrow.

Signature-based Intrusion Detection: In signature-based detection, a signature or set of rules is used to determine intrusion activity. An alarm is generated when a specific pattern of traffic is matched or a signature is triggered.

Typical responses to an attack include the following:

Terminating the session (TCP resets)
Blocking offending traffic (usually implemented with Access Control Lists - ACLs)
Creating session log files
Dropping the packet
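To make the difference between the two forms concrete, this added Python example (not from the document) runs a signature analyzer and a profile analyzer over the same constructed packet records: the signature rule matches the Smurf and Fraggle broadcast pattern described earlier in the Network Attacks section, and the profile rule flags a SYN flood as half-open connections far above the learned baseline. Addresses, the server and all traffic are constructed for the example.

```python
"""Two IDS analyzers side by side: signature-based (fixed pattern) and
profile-based (deviation from a learned baseline), over constructed records."""
from collections import Counter
from dataclasses import dataclass

BROADCAST = "192.0.2.255"   # broadcast address of a hypothetical amplifying network
SERVER = "192.0.2.10"       # hypothetical protected server


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str    # "icmp", "udp" or "tcp"
    detail: str   # icmp type, or tcp flags such as "S" (SYN), "SA", "A" (ACK)


def signature_alerts(packets):
    """Signature-based detection: a fixed pattern, alarm on every match.
    Smurf = ICMP echo request to a broadcast address; Fraggle = UDP to it."""
    alerts = []
    for p in packets:
        if p.dst == BROADCAST and p.proto == "icmp" and p.detail == "echo-request":
            alerts.append(("smurf", p.src, p.ts))
        elif p.dst == BROADCAST and p.proto == "udp":
            alerts.append(("fraggle", p.src, p.ts))
    return alerts


def half_open_per_second(packets, server):
    """Count SYNs to `server` from clients that never sent the final ACK,
    grouped into one-second windows. These are the embryonic connections
    a SYN flood leaves behind."""
    syns = {}        # (client, window) -> number of SYNs
    acked = set()    # clients that completed a handshake
    for p in packets:
        if p.proto != "tcp" or p.dst != server:
            continue
        window = int(p.ts)
        if p.detail == "S":
            syns[(p.src, window)] = syns.get((p.src, window), 0) + 1
        elif p.detail == "A":
            acked.add(p.src)
    per_window = Counter()
    for (client, window), n in syns.items():
        if client not in acked:
            per_window[window] += n
    return per_window


def profile_alerts(baseline, live, server, factor=10):
    """Profile-based detection: learn the normal half-open rate from
    `baseline`, then alarm on any live window exceeding it by `factor`.
    A baseline with no half-open connections is treated as a rate of 1."""
    normal = max(half_open_per_second(baseline, server).values(), default=0) or 1
    live_rate = half_open_per_second(live, server)
    return sorted(w for w, n in live_rate.items() if n > factor * normal)


def build_baseline():
    """Constructed normal traffic: one client per second, handshake completed."""
    pk = []
    for s in range(5):
        pk.append(Packet(s + 0.1, f"198.51.100.{s}", SERVER, "tcp", "S"))
        pk.append(Packet(s + 0.2, f"198.51.100.{s}", SERVER, "tcp", "A"))
    return pk


def build_live():
    """Constructed attack traffic layered on the normal traffic: a Smurf probe
    at t=2.5 and 60 spoofed, never-completed SYNs during second 3."""
    pk = build_baseline()
    pk.append(Packet(2.5, "203.0.113.7", BROADCAST, "icmp", "echo-request"))
    for i in range(60):
        pk.append(Packet(3.0 + i / 100, f"203.0.113.{100 + i}", SERVER, "tcp", "S"))
    return pk


def run():
    live = build_live()
    return {
        "signature": signature_alerts(live),
        "profile": profile_alerts(build_baseline(), live, SERVER),
    }
```

Note that the profile analyzer only knows that second 3 is abnormal, not why, while the signature analyzer names the Smurf probe exactly but would miss the SYN flood entirely, which is the trade-off the text describes.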

IDS Examples:14

Tripwire scans files and directories on Unix systems to create a snapshot record of their size, date, and signature hash. If you suspect an intrusion in the future, Tripwire will rescan your server and report any changed files by comparing the file signatures to the stored records. Tripwire was an open-source project of Purdue University, but it continues development as a licensed package of Tripwire Security Systems (www.tripwiresecurity.com).

Snort (www.snort.org) is an open-source intrusion detection system that relies upon raw packet capture (sniffing) and attack signature scanning to detect an extremely wide array of attacks. Snort is widely considered to be the best available intrusion detection system because of the enormous body of attack signatures that the open source community has created for it. The fact that it's free and cross-platform pretty much ensures that the commercial IDSs won't develop much beyond where they are now. Snort was originally developed for Unix and has been ported to Windows.

Demarc PureSecure (www.demarc.com) is a best-of-breed network monitoring and intrusion detection system descended from Snort. PureSecure is a commercial product that uses Snort as its intrusion detector, but it adds typical network monitoring functions like CPU, network, memory, disk load, ping testing, and service monitoring to the sensors that run on every host. Demarc creates a web-based client/server architecture where the sensor clients report back to the central Demarc server, which runs the reporting website. By pointing your web browser at the Demarc server, you get an overview of the health of your network in one shot. Demarc can be configured to alert on all types of events, so keeping track of your network becomes quite easy. Demarc's price is $1,500 for the monitoring software, plus $100 per sensor.

Network Flight Recorder (NFR, www.nfr.com) was one of the first inspector-based intrusion detection systems on the market and was originally offered as a network appliance. Now available as both software and network appliances, NFR has evolved into a commercial product very similar to Snort in its capabilities. However, since it is a commercial product, NFR can consult with you directly to analyze intrusion attempts, to train your staff, and to provide product support for its products.
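As an added illustration of what the Tripwire description above amounts to (this is example code, not Tripwire's own), the script below snapshots size, modification time and a SHA-256 hash for every file under a directory, stores the snapshot outside the scanned tree, then rescans and reports added, removed and changed files. The scanned tree and the tampering done to it are constructed in a temporary directory.

```python
"""Tripwire-style file integrity check: snapshot, store, rescan, compare."""
import hashlib
import json
import os
import tempfile


def file_record(path):
    """Size, mtime and content hash for one file, hashed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": h.hexdigest()}


def snapshot(root):
    """Walk `root` and record every regular file, keyed by its relative path."""
    records = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            records[os.path.relpath(full, root)] = file_record(full)
    return records


def compare(baseline, current):
    """Classify each path. A new mtime with an identical hash is reported
    separately as 'touched' so that it can be reviewed rather than ignored."""
    report = {"added": [], "removed": [], "changed": [], "touched": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            report["changed"].append(rel)
        elif baseline[rel]["mtime"] != current[rel]["mtime"]:
            report["touched"].append(rel)
    return report


def save(records, path):
    # The stored baseline must not live inside the tree it describes, and in a
    # real deployment it belongs on read-only media so an intruder cannot update it.
    with open(path, "w") as f:
        json.dump(records, f, sort_keys=True)


def load(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, rescan."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        db = os.path.join(dbdir, "integrity.json")
        save(snapshot(root), db)

        # Tampering: a same-size edit (size alone would miss it, the hash does not),
        # a new file dropped into the tree, and a deleted file.
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/zz\n")
        with open(os.path.join(root, "backdoor"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare(load(db), snapshot(root))
```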

Electronic Mail Security:

E-mail access was one of the first protocols defined under the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. The two main mail protocols are Post Office Protocol 3 and Simple Mail Transfer Protocol.

Post Office Protocol 3 (POP3) is a lightweight e-mail client protocol using TCP port 110, used to receive e-mail from a server.

Simple Mail Transfer Protocol (SMTP) is an effective mail transfer protocol, but not very secure. SMTP uses port 25 and is used to send e-mail from client to server and for server-to-server forwarding.

The SMTP protocol defines the mechanism a sender uses to connect to, request, and send e-mail to the server. SMTP was an effective protocol, but it is riddled with security holes. SMTP can be identified on the network as using TCP port 25. SMTP takes up a lot of overhead. POP3 was created as a means of reducing the required overhead for a single workstation; it is intended to permit a workstation to dynamically access a mail-drop on a server host. SMTP is used to send e-mail from an e-mail client to an e-mail server, and POP3 is used to receive e-mail from the e-mail server at the e-mail client. POP3 can be identified on the network as using TCP port 110.

When e-mail first came into existence, e-mail messages were meant to be pure text-only messages. As the Internet started to grow, graphic files, audio files and Hypertext Transport Protocol (HTTP) content became a part of mail. The Multipurpose Internet Mail Extensions (MIME) protocol was developed to handle these. MIME allows a one-time modification to e-mail reading programs that enables the program to display a wide variety of message types. This e-mail extension allows you to view dynamic multi-type e-mail messages that include color, sound, animations, and moving graphics. The drawback of MIME is that it also lacks adequate security: e-mail was still subject to the same old hacks, such as sniffing and replay. Secure MIME (S/MIME) was created to enable a more secure MIME.

S/MIME provides cryptographic security services for electronic messaging applications by providing authentication, message integrity, non-repudiation of origin (using digital signatures), and privacy and data security (using encryption). Using S/MIME is the preferred way of securing e-mail as it traverses the Internet.

Public Encryption of E-Mail messages - PGP: PGP uses a public key cryptosystem. In this method, each party creates an RSA public/private key pair. One of these keys is kept private (the private key), and one is given out to anyone on the public Internet (the public key). What one key encrypts, only its partner private key can decrypt. This means that if user X obtains user Y's public key and encrypts a message destined for user Y using that public key, the only person in the universe who can decrypt the message is user Y, who holds the corresponding private key. PGP is a hybrid cryptosystem in that before encryption is performed the e-mail data is first compressed. Compression not only makes an e-mail message smaller, it also removes patterns found in plain text, which mitigates many cryptanalysis techniques that look for such patterns. PGP provides the following security measures: confidentiality, data integrity, and sender authenticity.
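The flow described above, as an added example that is not the paper's or PGP's own code: it carries the message through compress, encrypt and key-wrap, and it also makes explicit the one-time session key that PGP wraps with the recipient's RSA public key (the step the word "hybrid" refers to). Stand-ins are labelled in the code: textbook RSA over two fixed, well-known Mersenne primes instead of a generated key pair, and a SHA-256 keystream instead of PGP's symmetric cipher; the sample message is constructed.

```python
"""PGP-style hybrid encryption: compress, encrypt under a session key, wrap the key.

Added example, not from the paper or from PGP. Stand-ins, labelled as such:
textbook RSA over two fixed Mersenne primes instead of a generated key pair,
and a SHA-256 keystream instead of PGP's symmetric cipher.
"""
import hashlib
import os
import zlib

_P, _Q, _E = 2**89 - 1, 2**107 - 1, 65537     # toy RSA parameters (known primes)


def toy_rsa_keypair():
    """Return ((n, e), (n, d)): the public key and its partner private key."""
    n, phi = _P * _Q, (_P - 1) * (_Q - 1)
    return (n, _E), (n, pow(_E, -1, phi))       # modular inverse, Python 3.8+


def _keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR data with SHA-256(key || counter) blocks."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def hybrid_encrypt(plaintext, recipient_public):
    """Sender side: anyone holding user Y's public key can do this."""
    compressed = zlib.compress(plaintext)           # 1. squeeze out plaintext patterns
    session_key = os.urandom(16)                    # 2. fresh one-time key
    body = _keystream_xor(session_key, compressed)  # 3. bulk encryption
    n, e = recipient_public
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)  # 4. RSA wrap
    return wrapped_key, body


def hybrid_decrypt(wrapped_key, body, recipient_private):
    """Recipient side: only the partner private key recovers the session key."""
    n, d = recipient_private
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return zlib.decompress(_keystream_xor(session_key, body))


def repeated_windows(data, width=16):
    """Count width-byte windows seen more than once: a crude pattern measure."""
    seen, repeats = set(), 0
    for i in range(len(data) - width + 1):
        window = data[i:i + width]
        if window in seen:
            repeats += 1
        seen.add(window)
    return repeats


def compression_effect(plaintext, width=16):
    """(repeated windows in plaintext, repeated windows after zlib compression)."""
    return repeated_windows(plaintext, width), repeated_windows(zlib.compress(plaintext), width)


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    msg = b"Quarterly numbers attached. Do not forward.\n" * 20   # constructed
    wrapped, body = hybrid_encrypt(msg, pub)
    print("repeated windows before/after compression:", compression_effect(msg))
    print("round trip ok:", hybrid_decrypt(wrapped, body, priv) == msg)
```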

Secure Web-based mail: For a small business, utilizing a free, openly available mail service has some advantages. Yahoo, for example, has teamed with Zixit Corporation, a company that enables secure, certified e-mail to any recipient. [15]


Disaster Recovery: Sometimes called Business Continuity Planning (BCP), the Disaster Recovery Plan (DRP) is the tactical actualization of BCP. The DRP is the operational plan and is a requirement for a corporation that has the goal of remaining in business after a natural or man-made disaster. In this section we discuss the backup and restore plan and strategies for business continuity. First, a listing of the types of events that might occur:

Sabotage
Arson
Security incidents (major)
Strike (labor unrest)
Bombings
Earthquakes
Fire
Flood
Loss of electrical power
Storm
Communication system outage
Unavailability of key employees

The planning committee (DRP team) is made up of management and technical experts from each area of the company and meets at regular intervals. This team will hold a yearly disaster recovery exercise and participate in periodic probes and assessments of the company's security practices and technologies.

The general process of disaster recovery involves responding to the disruption; activation of the recovery team; ongoing tactical communication of the status of the disaster and its associated recovery; further assessment of the damage caused by the disruptive event; and recovery of critical assets and processes in a manner consistent with the extent of the disaster.

Respond: First there must be an initial response that begins the process of assessing the damage. Speed is essential during this initial assessment; there will be time later to more thoroughly assess the full scope of the disaster. The initial assessment will determine whether the event in question constitutes a disaster. An alternate data center may be required. If there is doubt that an alternate facility will be necessary, then the sooner this fact can be communicated, the better for the recoverability of the systems. The initial response team should also be mindful of assessing the facility's safety for continued personnel use, or seek the counsel of those suitably trained for safety assessments of this nature.

Activate Team: If during the initial response to a disruptive event a disaster is declared, then the team that will be responsible for recovery needs to be activated.

Communicate: One of the most difficult aspects of disaster recovery is ensuring that consistent, timely status updates are communicated back to the central team managing the response and recovery process. In addition to communication of internal status regarding the recovery activities, the organization must be prepared to provide external communications, which involves disseminating details regarding the organization's recovery status to the public.

Assess: Though an initial assessment was carried out during the initial response portion of the disaster recovery process, a more detailed and thorough assessment will be done by the disaster recovery team. The team determines the proper steps necessary to ensure the organization's ability to meet its mission and its Maximum Tolerable Downtime (MTD).

Reconstitution: The goal of the reconstitution phase is to recover critical business operations either at the primary or at a secondary (recovery) site. If an alternate site is used, adequate safety and security controls must be in place in order to maintain security continuity. In addition to the recovery team's efforts at reconstitution of critical business functions at an alternate location, a salvage team will be employed to begin the recovery process at the primary facility that experienced the disaster.

One key to data recovery and business continuity is the data backup process. Holding data backups at safe locations is a major requirement. Another aspect of DRP that is becoming more prevalent is an arrangement in which two companies agree to be the backup facility for each other. This can work where the industries are similar and each company sets aside an area for the business continuity of the other. It may not work for direct competitors; however, the cost benefit of these plans is such that cooperation among rivals is actually becoming cost effective (see reciprocal agreements, below).

The Alternate or Secondary (recovery) site: A redundant site is an exact production duplicate of a system that has the capability to seamlessly operate all necessary IT operations without loss of services to the end user of the system. A redundant site receives data backups in real time so that in the event of a disaster, the users of the system have no loss of data. It is a building configured exactly like the primary site and is the most expensive recovery option because it effectively more than doubles the cost of IT operations. To be fully redundant, a site must have real-time data backups of the production system, and the end user should not notice any difference in IT services or operations in the event of a disruptive event.

A hot site is a location that an organization may take time to relocate to following a major disruption or disaster. It could be a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. The hot site will have all necessary hardware and critical application data mirrored in real time. A hot site will have the capability to allow the organization to resume critical operations within a very short period of time (hours). Hot sites can quickly recover critical IT functionality; however, only a redundant site will appear to be operating normally to the end user no matter what the state of operations is for the IT program. A hot site has all the same physical, technical, and administrative controls implemented as the production site.

A warm site has readily accessible hardware and connectivity, but it will have to rely upon backup data in order to reconstitute a system after a disruption. It may have a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. Because of the extensive costs involved with maintaining a hot or redundant site, many organizations will elect to use a warm site recovery solution. These organizations will have to be able to withstand a Maximum Tolerable Downtime (MTD) of at least 1-3 days in order to consider a warm site solution. The longer the MTD is, the less expensive the recovery solution will be.

A cold site is the least expensive recovery solution to implement. It does not include backup copies of data, nor does it contain any immediately available hardware. After a disruptive event, a cold site will take the longest amount of time of all recovery solutions to implement and restore critical IT services for the organization. It could take weeks to get vendor hardware shipments in place, so organizations using a cold site recovery solution will have to be able to withstand a significantly long MTD. A cold site is typically a datacenter with a raised floor, power, utilities, and physical security, but not much beyond that.

Reciprocal agreements are bi-directional agreements between two organizations in which one organization promises the other that it can move in and share space if it experiences a disaster. They are documented in the form of a contract written to gain support from outside organizations in the event of a disaster. They are also referred to as Mutual Aid Agreements (MAAs), and they are structured so that each organization will assist the other in the event of an emergency. For each of these scenarios, frequent testing against a simulated disaster and the associated recovery is absolutely essential.

In this paper we have given a brief overview of some of the aspects of corporate security. We touched on physical security, network security, identity management, and disaster recovery. There is no one correct way to maintain a secure operation. The emphasis should be on cost-appropriate measures rather than the latest technological gimmick, and on plenty of training to keep employees aware of the threats and risks. There should be a minimum of disruption to employees and their normal operations.


APPENDIX I

Security Policy (Overview)

1.1 Goal: Secure and maintain company integrity, assets and personnel with minimum disruption to core operations.

Updates: The security department will facilitate semi-annual meetings to update this policy. Feedback will be solicited from each department.

Manufacturing Facilities:
2.0 Network assets (Listed)
2.1 Human Resources
2.2 Research and Development
2.3 Engineering
2.4 Corporate Management

3.0 Roles: Each role is defined by task definitions and detail, education and training requirements, certification requirements, particular compliance requirements (Fire Safety, OSHA, HIPAA, Sarbanes-Oxley, etc.), and pay and benefits scale, all maintained by the HR department.

Security Levels: Each role will imply at least two security levels, (Role - A) and (Role - B). The A level will be used for an employee who has completed the six-month evaluation period required for each role. The role definitions for each department will specify which functions a B-level employee can complete alone and which would need to be completed with the oversight of an A-level employee in the same role; for example, creating or deleting corporate folders for data storage, or creating, moving or modifying corporate data. The actual role detail is developed by the management of the particular department and maintained by the Human Resources department. Corporate management develops the Management Level I and Management Level II roles. See Appendix III for a matrix of roles.

4.0 Security Breach:

The list of information assets that require protection, and the level of protection, is negotiated between the department heads and the Security department after the Risk Analysis has been completed by the management team with the facilitation of the Security Department. A security breach may or may not involve the actual release of information. Logs for each security measure are one of several sources of discovery used to identify a security breach. In the event of a security breach, specific actions are to be taken, and they are different for each type of breach. Details are enumerated in the Security Policy. For example, if a breach of Personally Identifiable Information (PII) occurs, the response team completes a specific process. PII refers to information that can be used to distinguish or trace an individual's identity, e.g. name, social security number, date and place of birth, etc. The process, in brief, is:

1) Notify Security and your department manager.
2) Complete a report containing:
   a. Date of incident
   b. Number of individuals impacted
   c. Their status: Government / Military / Civilian
   d. Description of the incident, including the circumstances of the breach, the type of information lost or compromised, and whether the PII was encrypted or password protected.
3) The Security department completes the process with the corporate Legal team, depending on the actual incident. State laws differ on notifications; therefore the actual response may be different depending on where the incident occurred.

The process for a HIPAA information breach is somewhat different and is spelled out in the policy as well.


APPENDIX II

Vulnerability Assessment: The table below shows the results of an assessment that may be completed by an outside consulting firm. It should be repeated periodically as improvements are made. This type of security audit or assessment is often required by Government contracts. It is presented for illustration only; of course, an actual list would depend on the particular network / implementation being assessed.

Risk Assessment Finding | Vulnerability | Business Impact Analysis | Mitigation
---|---|---|---
Server located in unlocked room. | Physical access by unauthorized persons. | Potentially cause loss of CIA for email system through physical attack on the system. | Install hardware locks with PIN alarm system (risk is reduced to acceptable level).
Software is out of date. | This version is insecure and has reached end of life from vendor. | Loss of CIA for email system through cyber attack. | Update system software (risk is eliminated).
Firewall weak or not properly implemented. | Exposure to Internet without Firewall increases cyber threat. | Loss of critical data possible. | Move email server into a managed hosting site (risk is transferred to hosting organization).
Need DMZ protection due to network architecture and risk of intrusion. | | Potential catastrophic impact. | Conduct Penetration testing and resolve network breaches through improved network / firewall design and implementation.

CIA = Confidentiality, Integrity, or Availability


Appendix III

Roles matrix and Organization Chart

ROLES (Used for Security Authorization Purposes), each with A and B security levels:
Management Level I, Management Level II, Supervisor, Project Manager, Compliance, Subject Matter Expert, Operator Class I, Operator Class II

DEPARTMENTS:
Human Resources, Research and Development, Engineering & Technology, Corporate Management, Marketing, Sales, Finance & Accounting, Manufacturing & Operations, IT Security & Architecture, Information Technology, Documentation & Training

[Matrix body: an X marks each role that may be allocated within a department; the cell layout did not survive in this copy.]

The matrix (above) outlines potential allocations of roles within departments for security level authorizations and does not indicate actual assignments. The Organization chart (below) represents the philosophy of utilizing the IT Security department to manage the IT department, whereas in traditional organizations it may be reversed, or often there are two competing organizations sometimes performing similar operations.

[Organization chart (figure): Corporate Management; Marketing & Sales; Engineering & Technology / Research & Development; Manufacturing & Operations; IT Security & Architecture / Information Technology; Finance & Accounting; Human Resources; Documentation & Training]


Appendix IV

Typical network design, single location: Screened Subnet, dual firewall DMZ Design (figure)

[Figure: screened-subnet layout with the DMZ between an outer and an inner firewall, each firewall redundant. Components shown: DNS Server, WEB Server, Mail Server, File Server w/IDS Agent, Hot Standby Backup, four Firewalls, DMZ Switch (DMZ: all w/IDS Agent running), and seven internal switches (SW) serving Corp, HR, Finance, Eng R&D, IT & Security, Mfg, and Marketing/Sales.]

Features: Redundant firewalls, redundant paths, Sales isolated on separate router.


END NOTES

1. Crack: from www.Webopedia.com: (1) To break into a computer system. The term was coined in the mid-80s by hackers who wanted to differentiate themselves from individuals whose sole purpose is to sneak through security systems. Whereas crackers' sole aim is to break into secure systems, hackers are more interested in gaining knowledge about computer systems and possibly using this knowledge for playful pranks. Although hackers still argue that there's a big difference between what they do and what crackers do, the mass media has failed to understand the distinction, so the two terms -- hack and crack -- are often used interchangeably. (2) To copy commercial software illegally by breaking (cracking) the various copy-protection and registration techniques being used. Hacker: A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s). Among professional programmers, depending on how it is used, the term can be either complimentary or derogatory, although it is developing an increasingly derogatory connotation. The pejorative sense of hacker is becoming more prominent largely because the popular press has co-opted the term to refer to individuals who gain unauthorized access to computer systems for the purpose of stealing and corrupting data. Hackers, themselves, maintain that the proper term for such individuals is cracker.

2. The Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center. IC3 received 303,809 complaints from 1/1/10 to 12/31/10, and of these 121,710 complaints were referred to law enforcement.

3. According to a recent Norton cybercrime report, 431 million adults in 24 countries experienced some type of cybercrime over the past year, which is up 3 percent from the 2010 study. (The top three cybercrimes, according to the study, are viruses or malware, online credit card fraud, and phishing - or e-mail scams.) In the United States, that comes to 141 victims per minute. "Our study found over 41 percent of us don't have software security," said Helen Malani, Norton's consumer cybercrime expert. "There's a general apathy about it - a disconnect. Three times as many people have been the victim of online crimes, but yet they are more afraid that they will be robbed on the street." According to the study, over the past year the United States' total bill for cybercrime topped $139 billion.

4. From www.answers.com/topic/computer-crime: As criminologist and computer-insurance executive Ron Hale indicated to Tim McCollum of Nation's Business, one of the most unsettling facts about computer crime is that the greatest threat to information security for small businesses is their employees. As McCollum noted, "a company's employees typically have access to its personal computers and computer networks, and often they know precisely what business information is valuable and where to find it." The reasons for these betrayals are many, ranging from workplace dissatisfaction to financial or family difficulties.

5. NIST Special Publication 800-12, Chapter 5, discusses three policy types: program policy, issue-specific policy, and system-specific policy. Program policy establishes an organization's information security program.

6. NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, February 2006. Also ISO 17799, Information Technology - Code of Practice for Information Security Management.

7. NIST SP 800-27 Rev A, June 2004: Engineering Principles for Information Technology Security. Securing information and systems against the full spectrum of threats requires the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems. This is due to the highly interactive nature of the various systems and networks, and the fact that any single system cannot be adequately secured unless all interconnecting systems are also secured. By using multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach will not leave the system unprotected. Through user training and awareness, well-crafted policies and procedures, and redundancy of protection mechanisms, layered protections enable effective protection of information technology for the purpose of achieving mission objectives.

8. OMB's 1996 revision of Circular A-130, Appendix III, recognizes that federal agencies have had difficulty in performing effective risk assessments -- expending resources on complex assessments of specific risks with limited tangible benefits in terms of improved security. For this reason, the revised circular eliminates a long-standing federal requirement for formal risk assessments. Instead, it promotes a risk-based approach and suggests that, rather than trying to precisely measure risk, agencies focus on generally assessing and managing risks. This approach is similar to that used by the organizations we studied.

9. NIST SP 800-30: Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

10. Rotation of Duties: that is, moving employees from one job to another at set or random intervals, helps deter fraud. As a result of rotating duties, employees are also cross-trained to perform each other's functions in case of illness, vacation, or termination. Enabling job rotation allows the company to have more than one person who understands the tasks and responsibilities of a specific job title, which provides personnel redundancy if a person leaves the company or is absent. Job rotation also helps when attempting to identify internal fraudulent activity.

11. Layered Defense: This is part of the Defense-in-depth strategy. In a layered defense, the perimeter is the first line of defense that intruders must overcome.

12. Providers of Identity Management Systems are: Sun IM (supported until 2014), Oracle IM, IBM Tivoli IM, Microsoft Active Directory, Microsoft Identity Lifecycle Manager, CA Technologies, Courion IM, Novell IM.

13. Adapted from Certified Information Systems Security Professional, Thompson NETg, 2005.

14. Sybex: Network Security Fundamentals.

15. WindowsITPro, Jonathan Hassell: Why should a SOHO user trust Zixit? The company has a well-planned security schedule with a data center it has secured by three manned controls: video monitoring, zone-based security, and smart authentication (e.g., proximity cards and biometric reading). Zixit uses Triple Data Encryption Standard (3DES) to secure messages coming into the data center, and duplicates the messages for storage on an online, redundant array of disks. To guard against media theft, Zixit doesn't make any removable media backups of the email messages it stores. The company also enforces a sender-configured expiration date, after which Zixit permanently erases all copies and records of the email. Zixit strictly schedules and adheres to third-party audits of its security procedures. In addition, the company reviews access logs for any unauthorized entry attempts and forwards the information to law enforcement authorities.
