Protecting information and defending a computing infrastructure are not absolute sciences. Security planning
is about balancing the relative value of your assets against the cost of protecting them, and against the
probability that they will be violated. The first step is security impact analysis, where you evaluate the
effects of a security breach on your business, identifying the areas of greatest vulnerability. The next step
is to develop a security implementation driven by your impact analysis, giving you the most bang for the buck.
In this article, we'll look at a simple impact analysis and then at a technical implementation that addresses
the important vulnerabilities.
Focusing Security
Impact analysis is not simply a matter of determining the raw value of
information and then predicting how much money you lose when the information is inaccessible, stolen, or
destroyed. In fact, you need to consider four important exposure parameters:
• The relative value of the information or infrastructure component. For
example, product plans, accounting systems, customer databases, and so on, usually have a high value; a
company phone list has a lower value.
• The possible publicity fallout. A defaced Web site, for example, means
embarrassment for your company, at the very least. This can translate to lost confidence in your
organization's products and services.
• The denial of business (DoB) potential. Will an attack affect your ability
to do business? Being inconvenienced is one thing; having your ability to operate entirely halted is quite
another.
• The ease of attack. The easier a component is to attack, the more often it
will be struck. Components closest to the public Internet are more accessible. These systems also act as
jumping-off points for further attacks.
In a large company, a security team drawn from business and technical areas
would likely perform the impact analysis, which could be very complex, taking dozens of components into
account. We'll look at these factors in the context of an imaginary company that has five key systems.
Figure 1 describes these five systems and
includes a rating of low, medium, or high for each of the exposure parameters based on the current security
mechanisms in place. To make things easier and more flexible, we've used more specific weightings—ranging from
1 to 10; the sum of these for each component appears in the last column. This number represents the security
impact value. A higher impact value means greater effect on the company should the system be compromised.
Thus, a company can assign scarce resources where needed most.
As you can see, although the ease of attack on the company's accounting
system is at a medium level of difficulty (6), the overall impact to the business is the highest (36), because
of high scores on the other parameters. The accounting system therefore should be the focus of this company's
security plan.
Money Is An Object
Organizations have finite resources: finances, staff, and the ability to
accommodate security overhead are limited. The objective should be to reduce vulnerability to the lowest
acceptable level while minimizing cost. After applying security measures, you revise the values of the four
exposure parameters, and recompute the impact value to see whether it is acceptably low.
To provide a simplified framework for analyzing cost scenarios, we'll group
the costs of preventative measures into three categories: low, moderate, and high. Each cost category enables
a different strategy. This, in turn, implies a particular level of security and a corresponding reduction in
impact on the company should the component in question be compromised.
• Low cost. Making maximum use of freeware and implementing good practices
should produce an impact reduction of 35 percent.
• Medium cost. Using commercial security software, implementing safety
measures beyond good practices, and improving vendor support should reduce impact by 50 percent.
• High cost. This enhanced solution provides greater diversity and
redundancy, as well as stronger authentication. Impact reduction should be around 60 percent.
The graph in Figure 2 illustrates how the analysis might proceed. The
horizontal axis shows cost. The vertical axis is the impact value for a given solution. The lines dividing the
graph into four sections represent maximum allowable impact and cost, showing four categories of solutions.
The low-cost solution is too risky, and the high-cost version is a bad value.
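The scoring and cost-tier comparison described above, worked through in code. This is an added example, not part of the article: it sums the four exposure parameters (each weighted 1 to 10) into an impact value, applies the 35/50/60 percent reductions the article assigns to the low-, medium-, and high-cost tiers, and places each resulting solution in one of the four regions of Figure 2. The five sample systems, the per-tier cost figures, and the maximum-allowable impact and cost thresholds are all constructed for illustration; only the accounting system's ease-of-attack score (6) and total (36) come from the article.

```python
"""Added example (not from the article): security impact scoring and
cost-tier comparison using the four exposure parameters described in the text."""
from dataclasses import dataclass

# Expected impact reduction per cost tier, in percent, as stated in the article.
REDUCTION_BY_TIER = {"low": 35, "medium": 50, "high": 60}


@dataclass(frozen=True)
class Component:
    """One key system with its four exposure scores (each 1..10)."""
    name: str
    value: int      # relative value of the information or infrastructure component
    publicity: int  # possible publicity fallout
    dob: int        # denial-of-business potential
    ease: int       # ease of attack (higher = easier)

    def __post_init__(self):
        for name in ("value", "publicity", "dob", "ease"):
            score = getattr(self, name)
            if not 1 <= score <= 10:
                raise ValueError(f"{self.name}: {name} must be 1..10, got {score}")

    def impact_value(self) -> int:
        """The security impact value: the sum of the four weightings."""
        return self.value + self.publicity + self.dob + self.ease


def rank_components(components):
    """Highest impact first: this is where scarce resources should go."""
    return sorted(components, key=lambda c: c.impact_value(), reverse=True)


def residual_impact(component, tier):
    """Impact value remaining after a tier's expected reduction is applied."""
    pct = REDUCTION_BY_TIER[tier]
    return component.impact_value() * (100 - pct) / 100


def classify(residual, cost, max_impact, max_cost):
    """Place a solution in one of the four regions of the cost/impact graph."""
    if residual <= max_impact and cost <= max_cost:
        return "acceptable"
    if residual > max_impact and cost <= max_cost:
        return "too risky"      # cheap, but impact still above the allowable line
    if residual <= max_impact and cost > max_cost:
        return "bad value"      # safe enough, but over budget
    return "reject"             # both too risky and too expensive


# Constructed sample of five key systems. The accounting scores reproduce the
# article's numbers (ease 6, total 36); the other four systems are invented.
SYSTEMS = [
    Component("accounting", value=10, publicity=10, dob=10, ease=6),
    Component("customer database", value=9, publicity=8, dob=7, ease=5),
    Component("public web site", value=4, publicity=9, dob=5, ease=9),
    Component("product plans", value=8, publicity=6, dob=4, ease=3),
    Component("phone list", value=2, publicity=3, dob=2, ease=7),
]

# Constructed cost per tier and the two dividing lines of Figure 2
# (arbitrary budget units; an assumption, not figures from the article).
SOLUTION_COST = {"low": 20, "medium": 50, "high": 120}
MAX_IMPACT = 20
MAX_COST = 80


def evaluate(component, max_impact=MAX_IMPACT, max_cost=MAX_COST):
    """Classify each cost tier's solution for one component."""
    return {
        tier: classify(residual_impact(component, tier), SOLUTION_COST[tier],
                       max_impact, max_cost)
        for tier in REDUCTION_BY_TIER
    }


if __name__ == "__main__":
    for c in rank_components(SYSTEMS):
        print(f"{c.name:18} impact={c.impact_value():3}  {evaluate(c)}")
```

With these constructed thresholds the accounting system's low-cost plan lands in the "too risky" region (impact 23.4 against a ceiling of 20) and the high-cost plan in "bad value" (cost 120 against a ceiling of 80), which is the outcome the article describes for Figure 2; changing `MAX_IMPACT` or `MAX_COST` shows how much the conclusion depends on where the organization draws those two lines.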
Developing a Plan
In deriving low-, medium-, and high-cost plans for securing the accounting
system, we've addressed the vulnerabilities revealed by our impact analysis, keeping in mind the principles of
a sound security implementation.
• Operating system and application lockdown. Our imaginary company's
accounting systems comprise three major elements: a Web-based front-end server, a back-end database, and
business-logic applications. OS-level console access is used for system administration. Accountants access the
system with Web browsers using HTTP only. Accountants are authenticated via the HTTP basic authentication
mechanism.
The Unix operating system is not adequately locked down. Most processes
(including the Web server) are running at full superuser level, potentially allowing a hacker to take control
of the entire system by compromising just one process. Access control and process permissions are not well
thought out. The Web server running the accounting application is vulnerable because of insecure CGI scripts
that the IT department uses to simplify administration. Rewrite the scripts and secure them using the
operating system's resource-access-control and process-permission mechanisms.
• Identity, access, and information protection. The most sensitive accounting
information is sent via HTTP basic authentication, which sends user names and passwords across the network
without encryption. This in itself is insufficient, but in addition, user names and passwords are managed very
poorly across all three systems.
Administrators routinely use telnet to administer the accounting systems.
Because of security problems inherent in telnet, root superuser passwords for the systems are exposed on the
internal corporate network.
Database encryption, although available from the database application, is not
enabled.
Access control, process permissions, administrator permissions, and the
kernel configuration for the accounting server operating system all demand significant improvement. There are
access and authentication problems spread across all three of the accounting system's elements.
• Network addressing, protocol space, routing plan, filtering, and
disablement. The accounting server resides on a subnet of a network that's shared with many other systems. The
accounting system can't be properly isolated from compromises in the other systems. Moreover, this exposure
makes intrusion detection difficult. The subnetwork has heavy traffic, so the intrusion system issues frequent
false alarms. Also, the corporate firewall lets through too many protocols and too much content.
• Network and application infrastructure diversity, redundancy, and
isolation. The Web server, database application, and business logic all run on the same system server. Tape
backups are done once a week by the system administrator. Having so many applications on a single server
raises its vulnerability considerably and makes the server significantly more difficult to secure.
• Physical security. The accounting system's server and tape backups are
abysmally protected. Rooms are unlocked. Tapes are not stored off-site in a secure location. Furthermore,
accountants routinely leave their desktops unattended while logged on to the system. Intrusion detection and
vulnerability analysis are performed in an ad hoc manner by system administrators. Nothing is systematic, and
the tools used are crude. Logs are unreliable at best.
The Solutions
Low-cost. A freeware intrusion detection system (IDS) and a free
vulnerability scanner are important components of a low-cost solution. Another is documentation and
implementation of an access-control matrix for the server. The matrix should address process-, file-,
administrator-, and user-level permissions. Reloading and recompiling the Unix OS off-line will ensure that it
is secure and unmodified. Kernel configuration should include disabling of services not absolutely required by
the accounting system. Killing native administrator telnet access and substituting telnet tunneled through a
secure protocol such as Secure Shell (SSH) increases security.
Placing the accounting server on its own subnetwork lets the IDS and
vulnerability scanner monitor and analyze server activity carefully. Tape backups should occur daily, with the
tapes in a convenient, secure location off-site. The accounting server should reside in a locked room to which
only administrators have access.
Medium-cost. This solution comprises the elements of the low-cost plan with
modifications. Commercially available products with 24/7 support substitute for freeware IDS and vulnerability
scanners. Review, then rewrite or disable insecure CGI scripts on the Web server. The security setup should
include back-to-back firewalls, each from a different vendor.
Accountants will access the system with HTTP in conjunction with the Secure
Sockets Layer (SSL) protocol. This may require a higher-performance server as well as a server-side X.509
certificate to support SSL processing. Installing a strength-testing mechanism (that tests the relative
difficulty of guessing a given string) will weed out weak passwords. All users and administrators must select
new user names and passwords, and system log-ons should time out after 20 minutes of inactivity. An
intrusion-detection alert mechanism should kick in when someone attempts more than seven incorrect log-ons.
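The three controls in this paragraph, as an added example that is not part of the article: a password strength estimate based on the size of the search space a guesser would face, a log-on monitor that raises an alert once a user exceeds seven consecutive incorrect attempts, and a session that expires after 20 minutes of inactivity. The log-on record format (`timestamp user OK|FAIL`) and the sample log lines are constructed; the numeric thresholds are the article's.

```python
"""Added example (not from the article): password strength estimate,
failed log-on alerting, and inactivity timeout for the medium-cost plan."""
import math
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FAILED_LOGON_ALERT_THRESHOLD = 7          # alert when attempts exceed this
INACTIVITY_TIMEOUT = timedelta(minutes=20)


def estimated_guess_bits(password: str) -> float:
    """Relative guessing difficulty: log2 of the brute-force search space
    implied by the character classes present. A production checker would also
    reject dictionary words and known-breached strings; this shows the idea."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


@dataclass
class LogonMonitor:
    """Tracks consecutive failed log-ons per user and raises alerts."""
    failures: dict = field(default_factory=dict)   # user -> consecutive failures
    alerts: list = field(default_factory=list)

    def record(self, user: str, success: bool, when: datetime) -> bool:
        """Record one attempt; return True if this attempt raised an alert."""
        if success:
            self.failures[user] = 0          # a good log-on resets the counter
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] > FAILED_LOGON_ALERT_THRESHOLD:
            self.alerts.append(
                f"{when.isoformat()} {user}: {self.failures[user]} consecutive failed log-ons")
            return True
        return False


@dataclass
class Session:
    """A logged-on session that must be refreshed within the idle limit."""
    user: str
    last_activity: datetime

    def touch(self, now: datetime) -> bool:
        """Refresh on activity; return False if the session has timed out."""
        if now - self.last_activity > INACTIVITY_TIMEOUT:
            return False
        self.last_activity = now
        return True


def replay(log_text: str) -> LogonMonitor:
    """Feed constructed 'timestamp user OK|FAIL' records through the monitor."""
    monitor = LogonMonitor()
    for line in log_text.splitlines():
        ts, user, result = line.split()
        monitor.record(user, result == "OK", datetime.fromisoformat(ts))
    return monitor


# Constructed sample log: eight straight failures for alice, then bob logs on.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:00:{i:02d} alice FAIL" for i in range(8)]
    + ["2024-03-01T09:01:00 bob OK"])


if __name__ == "__main__":
    print("weak  :", round(estimated_guess_bits("password"), 1), "bits")
    print("strong:", round(estimated_guess_bits("Tr0ub4dor&3"), 1), "bits")
    for alert in replay(SAMPLE_LOG).alerts:
        print("ALERT", alert)
```

The monitor counts consecutive failures rather than failures in a fixed window, so a successful log-on clears the counter; whichever rule is chosen, the alert should go to the intrusion-detection system rather than only to a local log, since the low- and medium-cost plans both rely on the IDS to see it.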
Database encryption will boost security but may require a server with more
processing power. Putting in place a scalable privilege/access control mechanism that uses a Lightweight
Directory Access Protocol (LDAP)–compatible directory service reinforces the installation.
The Web server, business logic software, and database should be on separate
servers. Each should implement only operating services and network protocols that are absolutely necessary.
Each server should have its own subnetwork, linked with a simplified routing scheme.
Daily attended tape backups, daily off-site tape storage, and a weekly
disaster recovery drill will help ensure the company can spring back from adversity quickly. A separate
accounting system dedicated to testing can stave off failures.
Placing accounting systems in a room of their own, installing a combination
lock, and restricting room access to certain employees limits the potential for attacks from the inside.
Implementing an audit trail for those entering and exiting the room (date, time, and actions performed)
bolsters this safeguard.
High-cost. The primary difference between this approach and the medium-cost
plan is that we outsource security management to a third-party organization that also hosts the systems at its
own facility. The managed security provider houses the accounting systems in its own highly secured (caged)
area. The system is accessible to the corporation through multiple physically diverse, highly secured
virtual-private-network connections. The security provider monitors all systems and is available by phone
24/7.
The security company performs all system management, including lockdown,
patches, and so on. Physically diverse hot standby systems are deployed. The company must provide daily
security and performance reports. The firewall implementation consists of back-to-back and side-by-side units
in a meshed design, for a total of four firewalls. Biometric authentication and video surveillance restrict
physical access to systems. Administrator authentication is done via encrypted smart cards. User access to
accounting systems is restricted by HTTPS SSL X.509 client-side authentication and smart-card tokens.
Security planning and vulnerability management are exercises in balance and
optimization. Effective security implementations consider the full impact of a security compromise in both
technical and business terms. An understanding of the organization's business and a framework for weighing the
variables are the keys to planning your security and associated budgets.
Eric Greenberg is a security consultant and author of the book Network
Application Frameworks, published by Addison Wesley Longman.
