1.1. Understanding Information Security

Information security narrows down the definition of security. The term information security covers a wide array of activities in an organization. It includes not only the products, but also the processes used to prevent unauthorized access to, modification of, and deletion of information. This area also involves protecting resources by preventing them from being disrupted by situations or attacks that may be largely beyond the control of the person responsible for information security.

From the perspective of a computer professional, you're dealing with issues that are much bigger than protecting computer systems from viruses. You're also protecting an organization's most valuable assets from people who are highly motivated to misuse those assets. Fortunately, most of them are outsiders who are trying to break in, but some of these people may already be inside your organization and discontented in their present situation. Not only do you have to keep outsiders out, but you have to be prepared for the accountant who has legitimate access to files and wants to strike out because he did not get as good a performance review as he thought he should.

Needless to say, this job isn't getting any easier. Weaknesses and vulnerabilities in most commercial systems are well known and documented, and more become known each day. Your adversaries can use search engines to find vulnerabilities in virtually any product or operating system. To learn how to exploit the most likely weaknesses that exist in a system, they can buy books on computer hacking, join newsgroups on the Internet, and access websites that offer explicit details. Some are doing it for profit or pleasure, but many are doing it just for the sheer thrill of it. There have been many glamorized characters on television and in movies who break into computer systems and do things they should not. When was the last time you saw a glamorized security administrator on such a show? If you make things look fun and exciting, there is some part of the audience that will attempt it.

Compounding matters, in many situations you'll find yourself constantly dealing with inherent weaknesses in the products you use and depend on. You can't count on the security within an application to be flawless from the moment it is released until the next version comes out three years later. The following sections discuss in detail the aspects you must consider in order to have a reasonable chance of securing your information, networks, and computers. Make sure you understand that I'm always talking about reasonable.

One of the first things you must develop as a security administrator is a bit of paranoia. It's important to remember that you're dealing with both system vulnerabilities and human vulnerabilities—although they aren't the same, they both affect the organization significantly. You must assume that you're under attack right now, even as you read this book.

Information security includes a number of topics of primary focus, each addressing different parts of computer security. An effective computer security plan and process must evaluate the risks and create strategies and methods to address them. The following sections focus on three such areas:

  • Physical security

  • Operational security

  • Management and policies

Each of these areas is vital to ensure security in an organization. You can think of information security as a three-legged stool: If any one of the legs of your stool breaks, you'll fall down and hurt yourself. You must look at the overall business and address all the issues that business faces concerning computer security. Figure 1.1 shows how these three components of computer security interact to provide a reasonably secure environment.

Figure 1.1. The security triad

Part of your job is to make recommendations to management about needs and deficiencies; to take action to minimize the risks and exposure of your information and systems; and to establish, enforce, and maintain the security of the systems with which you work. This is not a small task, and you must do each and every one of these tasks well in order to have a reasonable chance of maintaining security in your organization.

1.1.1. Securing the Physical Environment

Physical security, as the name implies, involves protecting your assets and information from physical access by unauthorized persons. In other words, you're trying to protect items that can be seen, touched, and stolen. Threats often present themselves as service technicians, janitors, customers, vendors, or even employees. They can steal your equipment, damage it, or take documents from offices, garbage cans, or filing cabinets. Their motivation may be retribution for some perceived wrong, a desire to steal your trade secrets to sell to a competitor as an act of vengeance, or just greed. They might steal $1,000 worth of hardware that they can sell to a friend for a fraction of that and have no concept of the value of the data stored on the hardware.

Physical security is relatively easy to accomplish. You can secure facilities by controlling access to the office, shredding unneeded documents, installing security systems, and limiting access to sensitive areas of the business. Most office buildings provide perimeter and corridor security during unoccupied hours, and it isn't difficult to implement commonsense measures during occupied hours as well. Sometimes just having a person present—even if it's a guard who spends most of their time sleeping—can be all the deterrent needed to prevent petty thefts.

Many office complexes also offer roving security patrols, multiple lock access control methods, and electronic or password access. Typically, the facility managers handle these arrangements. They won't generally deal with internal security as it relates to your records, computer systems, and papers; that is your responsibility in most situations.

The first component of physical security involves making a physical location less tempting as a target. If the office or building you're in is open all the time, gaining entry into a business in the building is easy. You must prevent people from seeing your organization as a tempting target. Locking doors and installing surveillance or alarm systems can make a physical location a less desirable target. You can also add controls to elevators, requiring keys or badges in order to reach upper floors. Plenty of wide-open targets are available, involving less risk on the part of the people involved. Try to make your office not worth the trouble.

The second component of physical security involves detecting a penetration or theft. You want to know what was broken into, what is missing, and how the loss occurred. Passive videotape systems are one good way to obtain this information. Most retail environments routinely tape key areas of the business to identify how thefts occur and who was involved. These tapes are admissible as evidence in most courts. Law enforcement should be involved as soon as a penetration or theft occurs. More important from a deterrent standpoint, you should make it well known that you'll prosecute anyone caught in the act of theft to the fullest extent of the law. Making the video cameras as conspicuous as possible will deter many would-be criminals.

The third component of physical security involves recovering from a theft or loss of critical information or systems. How will the organization recover from the loss and get on with normal business? If a vandal destroyed your server room with a fire or flood, how long would it take your organization to get back into operation and return to full productivity?

Recovery involves a great deal of planning, thought, and testing. What would happen if the files containing all your bank accounts, purchase orders, and customer information became a pile of ashes in the middle of the smoldering ruins that used to be your office? Ideally, critical copies of records and inventories should be stored off-site in a secure facility.

1.1.2. Examining Operational Security

Operational security focuses on how your organization conducts its day-to-day operations. This includes computers, networks, and communications systems as well as the management of information. Operational security encompasses a large area, and as a security professional, you'll be involved here more than in any other area.

Operational security issues include network access control (NAC), authentication, and security topologies after the network installation is complete. Issues include the daily operations of the network, connections to other networks, backup plans, and recovery plans. In short, operational security encompasses everything that isn't related to design or physical security in your network. Instead of focusing on the physical components where the data is stored, such as the server, the focus is now on the topology and connections.

Survey Your Physical Environment

As a security administrator, you need to put yourself in the position of an intruder. For this exercise, think of yourself as an outsider who wants to gain access to the company server and damage it. Don't think of trying to steal data but rather of trying to pour water into the server. See if you can answer these questions:

  1. How would you gain access to the building? Is a key or code required? Is there any security—a guard, a receptionist, or cameras? Are they highly visible, or does someone have to look to even know they are there?

  2. How would you gain access to the floor the server is on? Is the elevator keyed, or can anyone use it? Do the doorways to the stairs only open outward, or can anyone walk up and enter?

  3. How would you find the server? Is it sitting in the middle of the office, or is it in a separate room? If the latter, is the door to that room secured? How is it secured—by key, badge, punchpad?

  4. After you reach the server, would anyone see what you're doing? Does the server room have glass windows? Is there a camera overlooking the server? Is the server viewable from a distance? Would anyone question why you were there?

  5. If you do use cameras for surveillance, where are the tape machines? Are they located near the server so someone can steal the evidence of their crime as well?

If you can easily spot flaws in the security using these questions, then there is a risk that someone could harm your operations.

Finally, try to answer similar questions, but instead of imagining that you're an outsider to the company, use the perspective of someone from accounting who didn't get the promotion they thought they should and now wants to hurt the company. They have already gained access to much of the building—what keeps them from carrying out the crime?


NOTE

Some vendors use the acronym NAC to signify network admission control rather than the more commonly accepted network access control.

The issues you address in an operational capacity can seem overwhelming at first. Many of the areas you'll address are vulnerabilities in the systems you use or weak or inadequate security policies. For example, if you implement a comprehensive password expiration policy, you can require users to change their passwords every 30 or 60 days. If the system doesn't prevent password reuse, though (it allows the same password to be entered again), you have a vulnerability that you may not be able to eliminate. A user can go through the motions of changing their password only to reenter the same value and keep it in use.

From an operational perspective, the system described has weak password-protection capabilities. There is nothing you can do, short of installing a higher-security logon process or replacing the operating system. Either solution may not be feasible given the costs, conversion times, and possible unwillingness of an organization—or its partners—to make this switch.
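The expiration-plus-reuse problem described above is what a "higher-security logon process" has to solve: the system must remember (hashes of) recent passwords and refuse a "change" that re-enters one of them, and it must know how old the current password is. The following is an added example, not code from the book or from any particular operating system. It assumes constructed policy values (60-day maximum age, a history of the last 5 passwords) and constructed sample passwords; the hashing uses PBKDF2 from the Python standard library.

```python
"""Password-change policy check: maximum age plus reuse prevention (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_AGE_DAYS = 60       # assumed policy: passwords must be changed every 60 days
HISTORY_DEPTH = 5       # assumed policy: none of the last 5 passwords may be reused
PBKDF2_ROUNDS = 100_000

# Fixed reference time and unit so the example is reproducible offline (constructed).
T0 = datetime(2024, 1, 1)
DAY = timedelta(days=1)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; only digests are kept, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class UserAccount:
    username: str
    history: list = field(default_factory=list)   # oldest first, current last

    def current(self):
        return self.history[-1] if self.history else None

    def _store(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.history.append(PasswordRecord(salt, hash_password(password, salt), now))
        del self.history[:-HISTORY_DEPTH]          # keep only the last N records


def password_expired(account: UserAccount, now: datetime) -> bool:
    """True when there is no password or the current one is older than the policy allows."""
    rec = account.current()
    return rec is None or (now - rec.set_at) > MAX_AGE_DAYS * DAY


def change_password(account: UserAccount, new_password: str, now: datetime) -> str:
    """Apply the reuse check, then store the new password. Returns 'ok' or a rejection reason."""
    for rec in account.history:
        # Re-derive with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(new_password, rec.salt), rec.digest):
            return "rejected: matches one of the last %d passwords" % HISTORY_DEPTH
    account._store(new_password, now)
    return "ok"


def run_policy_demo() -> list:
    """Walk one constructed account through the policy and return the outcomes."""
    acct = UserAccount("constructed-user")
    results = [
        change_password(acct, "Spring2024!", T0),            # first password: ok
        change_password(acct, "Spring2024!", T0 + 60 * DAY), # the 'go through the motions' case
        change_password(acct, "Summer2024!", T0 + 60 * DAY), # a genuine change
        password_expired(acct, T0 + 90 * DAY),               # 30 days old: not expired
        password_expired(acct, T0 + 121 * DAY),              # 61 days old: expired
    ]
    return results


if __name__ == "__main__":
    for line in run_policy_demo():
        print(line)
```

The history depth is the policy's edge: once a user has rotated through more than `HISTORY_DEPTH` distinct passwords, the oldest one becomes acceptable again, which is why a history check is usually paired with a minimum password age so the list cannot be cycled through in one sitting.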

Such dependence on a weak system usually stems from the fact that most companies use software that was developed by third parties in order to save costs or meet compatibility requirements. These packages may require the use of a specific operating system. If that operating system has significant security problems or vulnerabilities, your duties will be mammoth because you'll still be responsible for providing security in that environment. For example, when your secure corporate network is connected to the Internet, it becomes subject to many potential vulnerabilities. You can install hardware and software to improve security, but management may decide these measures cost too much to implement. Again, operationally there may be little you can do.

Much of this book discusses the technologies and tools used to help ensure operational security. Figure 1.2 illustrates the various concerns you face from an operational perspective.

Figure 1.2. Operational security issues

1.1.3. Working with Management and Policies

Management and policies provide the guidance, rules, and procedures for implementing a security environment. Policies, to be effective, must have the full and uncompromised support of the organization's management team. Management directions can give security initiatives the teeth they need to be effective. In the absence of support, even the best policies will be doomed to failure.

Information security professionals can recommend policies, but they need the support of management to implement them. There is nothing more ineffective than a self-proclaimed security "czar" who has no support from management. Not only is their tenure often short-lived, but so too is the security of their network.

Survey Your Operational Environment

As a security administrator, you'll need to assess the operational environment of your network by looking for "doors" that an outsider could use to gain access to your data. Securing the network involves far more than simply securing what exists within the four walls of your building. Look for openings that intruders can use to enter your network without walking through the door. Don't think of the safeguards that may currently exist, but rather focus on ways someone not on your network might join it.

See if you can answer these questions:

  1. How do users on your network access the Internet? Do any users use dial-up connections within the office? Do they use dial-up access when they take their laptops home with them? Are proxy servers in use? Do you use private or public IP addresses? If you are using private IP addresses, are you using something as simple as Internet Connection Sharing or as complex as Network Address Translation (both perform the same function, but the latter offers more functionality and security)?

  2. Are there wireless access points on the network? Can a mobile user with a laptop configure their settings to join the network? What is the range of your access points? Are signals stopped at the perimeter, or can someone sitting in the parking lot access the network?

  3. Are dial-in connections allowed? Can users call in from home? Can they call in from hotel rooms? Do you verify the number they are calling from or merely allow anyone in with a correct username/password combination?

  4. Do you use Terminal Services? Are thin clients employed/allowed? Are entire sessions on the server run remotely? Is remote administration enabled?

  5. Do your users have shares on their laptops that would potentially compromise the laptop's data security?

  6. What ports are open on your routers and firewalls (or on a user's personal firewall solution)?


The issues that must be decided at the management and policy level affect the entire company and can greatly impact productivity, morale, and corporate culture. Policies also establish expectations about security-related issues. Security policies should be treated no differently than an organization's vacation, sick leave, or termination policies. Most people can tell you exactly how many days of vacation they get per year; however, many can't tell you what the company's information usage or security policies are. This can be solved by posting such information on an intranet or including it in a manual issued to all employees (with a note in each employee's personnel file indicating that they've received the manual).

A number of key policies are needed to secure a network. The following list identifies some broad areas that require thought and planning:

  • Administrative policies

  • Disaster recovery plans

  • Information policies

  • Security policies

  • Software design requirements

  • Usage policies

  • User management policies

1.1.3.1. Administrative Policies

Administrative policies lay out guidelines and expectations for upgrades, monitoring, backups, and audits. System administrators and maintenance staff use these policies to conduct business. The policies should clearly outline how often and when upgrades appear, when and how monitoring occurs, and how logs are reviewed. They should also identify—not by name, but by title—who is responsible for making decisions on these matters and how often decisions should be reviewed. Ideally, the policies should also include information about who wrote them, who signed off on them, and at what date they were mandated.

The policies must be specific enough to help the administrative staff keep focused on the business of running the systems and networks. At the same time, they must be flexible enough to allow for emergencies and unforeseen circumstances. This trade-off is common to most policies, and you always want to be careful to avoid leaving a gap too wide, making the policy virtually ineffective or unenforceable.

1.1.3.2. Disaster Recovery Plans

Disaster recovery plans (DRPs) are one of the biggest headaches that IT professionals face. The DRP is expensive to develop and to test, and it must be kept current.

Many large companies invest huge amounts of money in DRPs, including backup or hot sites. A hot site is a facility designed to provide immediate availability in the event of a system or network failure. These sites are expensive to maintain and sometimes hard to justify. The likelihood that an organization will need a hot site is relatively small, and the site may seem unimportant—right up to the point when you don't have one and you need it.

A good DRP takes into consideration virtually every type of occurrence or failure possible. It may be as simple as a single system failing or as complicated as a large multinational company needing to recover from a cataclysmic event. The key to its success is its completeness. For example, if a company is located in the Midwest region of the United States, plans should be in place to address tornadoes, floods, fires, and every conceivable disaster.

1.1.3.3. Information Policies

Information policies refer to the various aspects of information security, including access, classifications, marking and storage, and the transmission and destruction of sensitive information. If your company records audio communications, that should be addressed as well.

The development of information policies is critical to security. It is not uncommon for such a policy to include a data classification matrix that defines various classification levels. The levels are usually similar to the following examples:

  • Public: For all advertisements and information posted on the Web

  • Internal: For all intranet-type information

  • Private: Personnel records, client data, and so on

  • Confidential: Public Key Infrastructure (PKI) information and other items restricted to all but those who must know them

NOTE

The terms used for data classification might differ between organizations—many use top secret, secret, and sensitive, for example—but the most important concept for the organization is that a matrix of levels exists.

As with all other policies, the key is to be as comprehensive as possible. Little should be left to chance or conjecture when you're writing information policies.

1.1.3.4. Security Policies

Security policies define the configuration of systems and networks, including the installation of software, hardware, and network connections. Security policies also define computer room and data center security as well as how identification and authentication (I&A) occurs. These policies determine how access control, audits, reports, and network connectivity are handled. Encryption and antivirus software are usually covered. Security policies also establish procedures and methods used for password selection, account expiration, failed logon attempts, and related areas.

Although each security policy is intended for a specific purpose, there may be scope overlap in many of the different policies. It is not uncommon as well to have overlap between information policies and security policies.


1.1.3.5. Software Design Requirements

Software design requirements outline what the capabilities of the system must be. These requirements are typically part of the initial design and greatly affect the solutions you can use. Many vendors will respond to every bid and assure you that they're secure. You can use the requirements to have vendors explain proposed solutions. A software design policy should be specific about security requirements. If your design doesn't include security as an integral part of the implementation, you can bet that your network has vulnerabilities.

Design requirements should be viewed as a moving target. The requirements that exist today shouldn't be the same in two years when the network environment has been significantly modified.

1.1.3.6. Usage Policies

Usage policies cover how information and resources are used. You need to explain to users how they can use organizational resources and for what purposes. These policies lay down the law about computer usage. Usage policies include statements about privacy, ownership, and the consequences of improper acts. Your usage policies should clearly explain usage expectations about the Internet, remote access, and e-mail.

They should also address how users should handle incidents—whom they should contact if they suspect something is awry. The policy should spell out the fact that monitoring can take place and that users agree to it. Consequences for account misuse, whether termination or something less severe, should also be stated.

1.1.3.7. User Management Policies

User management policies identify the various actions that must occur in the normal course of employee activities. These policies must address how new employees are added to the system as well as training, orientation, and equipment installation and configuration.

Employee transfers are a normal occurrence within a company. If an employee transfers to a new job, the privileges and access they had in the old position may be inappropriate for the new position. Establishing new access rights allows the employee to continue working. If you forget to revoke the old privileges, this user may have access to more information than they need. Over time, this can result in a situation called privilege creep. The user may acquire administrative privileges to the system by accident.

Terminated employees pose a threat to information security. In some cases, a terminated employee may seek to gain access to customer lists, bank accounts, or other sensitive information. When employees leave the company, it's imperative that their accounts be either disabled or deleted and that their access be turned off. You'd be amazed how often system administrators don't know about personnel changes. Your user management policies should clearly outline who notifies the IT department about employee terminations as well as when and how the notification occurs.
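The transfer and termination cases above are where privilege creep and orphaned accounts come from, and both are easy to check mechanically if entitlements are tied to job titles. The following is an added example, not code from the book or from any identity product. It assumes a constructed title-to-role mapping and constructed user names, contrasts an additive transfer (old roles never revoked) with a replacing one, and audits accounts against the list of people HR reports as still active.

```python
"""User management policy checks: transfers, terminations, and an audit (added example)."""
from dataclasses import dataclass, field

# Constructed role model: each job title maps to the roles that position legitimately needs.
JOB_ROLES = {
    "accountant":    {"erp-user", "ledger-read", "ledger-write"},
    "payroll-clerk": {"erp-user", "payroll-read", "payroll-write"},
    "helpdesk":      {"erp-user", "ticketing", "password-reset"},
}


@dataclass
class Account:
    username: str
    title: str
    roles: set = field(default_factory=set)
    enabled: bool = True


def provision(username: str, title: str) -> Account:
    """New hire: grant exactly the roles of the starting position."""
    return Account(username, title, set(JOB_ROLES[title]))


def transfer_additive(acct: Account, new_title: str) -> None:
    """The mistake the text warns about: new rights are added, old ones are never revoked."""
    acct.title = new_title
    acct.roles |= JOB_ROLES[new_title]


def transfer(acct: Account, new_title: str) -> None:
    """Policy-conformant transfer: entitlements are replaced, not accumulated."""
    acct.title = new_title
    acct.roles = set(JOB_ROLES[new_title])


def terminate(acct: Account) -> None:
    """Offboarding: disable the account and strip its roles (deletion is the other option)."""
    acct.enabled = False
    acct.roles.clear()


def audit(accounts: list, hr_active: set) -> list:
    """Return (username, finding, detail) tuples for privilege creep and orphaned accounts."""
    findings = []
    for a in accounts:
        excess = a.roles - JOB_ROLES.get(a.title, set())
        if excess:
            findings.append((a.username, "privilege creep", sorted(excess)))
        if a.enabled and a.username not in hr_active:
            findings.append((a.username, "enabled account for departed employee", []))
    return findings


def run_lifecycle_demo() -> list:
    """Constructed scenario: one additive transfer, one proper transfer, one missed termination."""
    bob = provision("bob", "accountant")
    transfer_additive(bob, "payroll-clerk")      # keeps ledger-write: privilege creep

    alice = provision("alice", "accountant")
    transfer(alice, "helpdesk")                  # clean: only helpdesk roles remain

    carol = provision("carol", "helpdesk")       # HR says carol has left; IT was never told

    hr_active = {"bob", "alice"}                 # constructed HR feed of current employees
    return audit([bob, alice, carol], hr_active)


if __name__ == "__main__":
    for finding in run_lifecycle_demo():
        print(finding)
```

Running the audit on a schedule against an authoritative HR feed is the control that covers the "system administrators don't know about personnel changes" case: the notification path the policy defines is still needed, but the audit catches the times it is not followed.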

Assemble and Examine Your Procedures

It's surprising how many businesses think they have a policy in place when one can't be produced when needed. See if you can answer these questions:

  1. Does your company have administrative policies in place? What are they, and where can they be found? Are they easily accessed by, or provided to, new employees? Does each written policy offer some indication of who to contact if there is a question or a breach?

  2. When were the software design requirements last checked and/or updated? Are they routinely given to vendors? Who is responsible for reviewing them?

  3. When was the last time the disaster recovery plan was checked? Do all administrators know it? Is it in writing and accessible from a remote location should this site become inaccessible?

  4. Are informational policies easy to locate? By whom?

  5. Are security policies updated frequently? Are they updated with each software change? Do they incorporate the latest patches?

  6. Are usage policies part of the employee handbook? Do users sign off that they have seen the policies and are aware of them? How do users receive updates to the policies and signal that they have them and understand them? How do they know when those updates exist?

  7. Can the user management policies be located and adhered to in the event that a situation occurs while the chief administrator is at a conference? Is there an escalation procedure in writing indicating who should be notified and when?

Policies not only need to exist, they also must be readily available so they can be referenced by all relevant parties. If this can't be said of the policies we've discussed, then their value is drastically diminished.

