1.5 Drafting Security Requirements

Security requirements complete the first step of both NIST’s Risk Management Framework and the simplified PRMF. The requirements describe what we want the security measures to do. The list of requirements is sometimes called the security policy.

We draft the security requirements to address the risks we identified. We then select security measures to implement those requirements. The requirements identify in general what we want for security, while the implemented security controls identify specifically what we get for security. For example, a household’s security requirement might say: “We admit only family, friends, and trusted maintenance people to our house.” The implementation says: “We have a lock on the door, we keep it locked, and we open the door only to admit people we know.”

The list of security risks, requirements, and controls forms the security plan. We draft the security requirements based on our list of risks. We then design the security system by selecting controls to implement those requirements. Once our design is complete, we review it to ensure that it implements all of the requirements.

Sometimes it is hard to tell if a statement represents a requirement or control. As we make statements that describe our system, some statements are more general and others are more specific; the more specific statements represent implementation. Some statements “set the stage” for other statements; those preparatory statements represent requirements.

Writing Security Requirements

A well-written set of security requirements contains a series of individual statements. Each statement represents a single requirement. A well-written requirement has these five properties:

  1. Each statement is numbered. This allows us to cross-reference the requirement statements to features of our implementation. A complicated policy might use outline numbering so that statements are arranged into sections and subsections.

  2. Each statement uses the word “shall.” This is part of many standards for writing requirements. We omit “shall” only if the requirement is somehow optional. In our examples, however, we won’t have optional statements.

  3. There should be a way to test the implementation to determine whether the requirement is true. When we test our implementation, the policy provides a list of features we must test.

  4. Each statement identifies which prioritized risks the statement is intended to address.

  5. Whenever possible, we phrase the statements in a positive and specific sense. In other words, requirements should describe what the system does, instead of talking about what it doesn’t do. Although a few requirements may require global quantifiers like all or any, we should produce as few such statements as possible. It is harder (and less certain) to test and verify negative or global requirements.

To develop our requirements, we start with our prioritized list of risks. For each risk, we identify security requirements that, if achieved, will minimize or eliminate the risk.

1.5.1 Analyzing Alice’s Risks

Alice’s policy evolves directly from the risks. We identify how each risk might occur, and we choose a general strategy to defend against that risk. As we analyze these risks, we focus on risks to Alice’s information; we don’t address other risks that apply to her personally or to other possessions of hers. To analyze a risk, we review it against the threat agents behind the risk.

In the following, we will review and analyze each risk. The results appear in TABLE 1.5.

TABLE 1.5 Security Requirements for Alice’s Arts

#  | Requirement | Risks
---|-------------|------
1  | Alice’s Arts shall be locked up when no store employees (including Alice) are present. | 1
2  | There shall be insurance on the store’s contents to cover the risks of theft, fire, or natural disasters. | 1
3  | The POS terminal shall be physically secured to the sales counter. | 1
4  | Only Alice or her trusted manager shall be able to adjust the POS terminal configuration. | 1
5  | Alice’s laptop shall be locked in her office when Alice is not in the store. | 1
6  | Alice shall have a secure, fireproof location separate from Alice’s Arts for storing copies of her software (her “backup location”). | 2, 3, 4, 7
7  | Alice shall keep her software recovery disks in her backup location when they are not in use. | 2, 7
8  | Alice shall keep an up-to-date backup of her computer configurations for the POS terminal and the laptop, stored at her backup location. | 3, 7
9  | Alice shall keep an up-to-date backup of her laptop’s working files, stored at her backup location. | 4, 7
10 | Alice shall provide her clerks with a sales process that works correctly, even if credit card processing or her POS terminal is offline. | 5
11 | Computers shall regularly check for system security updates and install those updates. | 6
12 | Computers shall contain and use antivirus software. | 6
13 | There shall be an uninterruptible power supply for the store’s computers. | 7
14 | Alice shall protect her most important passwords (her “critical passwords”) from disclosure. | 8, 9, 10
15 | Critical passwords shall be hard to guess. | 8, 9, 10
16 | Alice’s laptop shall require a critical password before granting access to its resources. | 8
17 | Alice shall not leave a computer unattended if it is logged in using a critical password. | 8, 9, 10
18 | Passwords to bank and merchant websites shall be treated as critical passwords. | 9
19 | Social media passwords shall be treated as critical passwords. | 10

  1. Physical damage to computer hardware and software

    The computer hardware Alice owns is all more-or-less portable, and she could carry the equipment with her. We want to focus our analysis on Alice’s Arts, so we will assume the equipment resides in the store.

    We start by physically securing the premises: (1) Alice’s Arts shall be locked up when no store employees (including Alice) are present. This provides basic protection. We can’t protect against all possible burglaries, though, so we include a requirement to reduce the impact of a successful burglary: (2) There shall be insurance on the store’s contents to cover the risks of theft, fire, or natural disasters.

    A POS terminal generally serves two purposes: it keeps a record of sales, and it contains a physically secure cash box. A thief could run into the store, overpower the clerk, grab the terminal, and carry it away. This leads to the requirement: (3) The POS terminal shall be physically secured to the sales counter. A burglar with time to work could still dislodge the terminal and carry it away, but this slows the thief down and reduces chances of success.

    When it records the store’s sales, the POS terminal also keeps a running tally of the amount of cash in the drawer. Alice or a trustworthy manager can compare the cash in the drawer against what the POS terminal expects. This helps detect dishonest clerks. Alice or her manager can reset the POS terminal’s running total when they add or remove cash from the drawer. Clerks aren’t allowed to make such changes, so the requirement must exclude them, not merely permit Alice: (4) Only Alice or her trusted manager shall be able to adjust the POS terminal configuration. Cash stored in the POS terminal also poses a large security risk; as it isn’t a cyber risk, we won’t analyze it here.

    Laptops are popular targets for thieves and shoplifters. Alice’s laptop is for her exclusive use and she doesn’t share it with her clerks. The next requirement protects it when Alice isn’t in the store: (5) Alice’s laptop shall be locked in her office when Alice is not in the store. This also protects the laptop from tampering by store clerks.

  2. Physical damage to recovery disks

    If Alice suffers a hardware failure or theft, she needs to reinstall software from recovery disks. The software vendor generally provides these disks. Some vendors charge money to replace a lost recovery disk; some may demand the original purchase price. Alice needs to keep the recovery disks in a safe place, along with other backup copies: (6) Alice shall have a secure, fireproof location separate from Alice’s Arts for storing copies of her software (her “backup location”). (7) Alice shall keep her software recovery disks in her backup location when they are not in use.

  3. Physical damage to computer customization

    This also arises from hardware failure or theft, but Alice needs to take the time to save this data for later recovery: (8) Alice shall keep an up-to-date backup of her computer configurations for the POS terminal and the laptop, stored at her backup location.

  4. Physical damage to spreadsheets

    This is a variant of the previous one. Alice’s configurations might not change very often, but working files will change quite often: (9) Alice shall keep an up-to-date backup of her laptop’s working files, stored at her backup location.

  5. Denial of service for online business and credentials

    If Alice’s ISP connection fails, or her power fails, or her credit card processor drops offline, she still needs to transact business. She can lose access to her other bank accounts, her merchandise ordering accounts, and other services, but she must still be able to sell merchandise: (10) Alice shall provide her clerks with a sales process that works correctly even if credit card processing or her POS terminal is offline. Alice will simply accept the risk of being offline temporarily, as far as it affects her ability to order more merchandise or do online banking.

  6. Subversion of computer hardware and software

    This is primarily a risk arising from the internet: Alice’s equipment might be infected by a worm or virus, or it may accidentally download malware when visiting a website. This risk is too complicated to fully address here, but we will address the basic problems.

    Computer worms propagate by exploiting vulnerabilities in system software, and a worm is blocked once the vulnerability it relies on has been patched: (11) Computers shall regularly check for system security updates and install those updates.

    Second, most of us are familiar with antivirus software. The software searches a computer for files or other indicators of malicious software and disables that software: (12) Computers shall contain and use antivirus software. Antivirus software needs to be kept up-to-date as well; that is covered by the previous requirement, provided we read “system security updates” to include the antivirus program’s own updates and signature files.

  7. Denial of service by computer hardware and software

    This may be caused by power failures; we provide partial relief with an uninterruptible power supply (UPS), which provides a temporary battery backup: (13) There shall be an uninterruptible power supply for the store’s computers. Other mishaps could wipe out Alice’s working files or part of her computer configuration. Although she may be able to recover from this, the time involved and the likelihood of the risk make this worth avoiding. We addressed this through our earlier backup requirements.

  8. Disclosure of spreadsheets

    While spreadsheet disclosure poses a minor threat, it’s a good place to start securing Alice’s laptop from prying eyes. Like most people today, Alice has countless passwords. The security plan will identify certain passwords that Alice should protect in particular: (14) Alice shall protect her most important passwords (her “critical passwords”) from disclosure. (15) Critical passwords shall be hard to guess. (16) Alice’s laptop shall require a critical password before granting access to its resources. Requirement 15 isn’t really a positive requirement and will be hard to validate.

    There is another important aspect of password use: leaving a computer unattended while logged in. If Alice leaves her office open with her laptop logged in, a clerk or customer could wander in and damage some of her files. This yields another requirement: (17) Alice shall not leave a computer unattended if it is logged in using a critical password.

  9. Identity theft of online business and credentials

    Alice needs to avoid identity theft, even though the average loss is alleged to be small: (18) Passwords to bank and merchant websites shall be treated as critical passwords.

  10. Identity theft of social media and credentials

    Alice’s information on the social website is protected by a password. The estimated loss to social masquerade is relatively small, but Alice has decided to avoid the risk: (19) Social media passwords shall be treated as critical passwords.
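The analysis of Risk 8 notes that Requirement 15 (“Critical passwords shall be hard to guess”) is not a positive requirement and will be hard to validate. The usual way out is to restate it as a set of conditions that a program can check, and to test a candidate password against them. The checker below is an added example, not from the book or its security plan; the length threshold, the bit threshold, and the short common-password list are assumptions made for illustration (a real check would use a large breach-derived list). It also shows why a single entropy estimate is not enough: a long run of one character scores well on the naive estimate but is still trivially guessable.

```python
"""Making "hard to guess" testable: a checker for Alice's critical passwords.

Added example, not the book's. Thresholds and the common-password list are
assumptions for illustration only.
"""
import math
import string

MIN_LENGTH = 12          # assumed threshold
MIN_BITS = 60            # assumed threshold for the naive strength estimate

# Constructed stand-in for a breach-derived common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "alicesarts", "iloveyou"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _charset_size(pw):
    """Size of the alphabet a guesser would have to cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def estimated_bits(pw):
    """Naive strength estimate, log2(charset ** length). An upper bound only:
    it assumes every character was chosen uniformly at random."""
    size = _charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def _has_keyboard_run(pw, run=4):
    """True if the password contains a run of adjacent keys from one keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_critical_password(pw):
    """Return (passes, reasons). reasons is empty when every check passes."""
    reasons = []
    # Strip trailing digits/punctuation so "Password1!" still hits the list entry "password".
    normalized = pw.lower().rstrip(string.digits + string.punctuation)
    if pw.lower() in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if _has_keyboard_run(pw):
        reasons.append("contains a keyboard sequence")
    if pw and len(set(pw)) <= 2:
        reasons.append("uses two or fewer distinct characters")
    if estimated_bits(pw) < MIN_BITS:
        reasons.append(f"estimated strength below {MIN_BITS} bits")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Password1!", "qwerty1234!", "aaaaaaaaaaaaaaaa",
                      "marigold kettle ferry lantern"]:
        ok, why = check_critical_password(candidate)
        print(f"{candidate!r}: {'pass' if ok else 'FAIL'} {why}")
```

Each failing reason names the condition that was violated, which is what a tester needs to record against Requirement 15. The checks are deliberately independent so that a password can fail on several counts at once.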

The Requirements

Now that we have analyzed Alice’s high-priority risks, we extract the requirements from our analysis. As we draft our requirements, we review them against our five rules. We also ensure that all risks are addressed by at least one requirement. The result appears in Table 1.5.

As the lists of risks and requirements get longer, it becomes more challenging to process and cross-reference this information in textual form. Engineers often use spreadsheets or databases to maintain such information. While some may use a package like FileMaker or Microsoft Access, there are also specialized packages for requirements management (IBM Rational DOORS, for example).

1.5.2 Monitoring Security Measures

Security measures are not implemented in a vacuum. They are often just a delaying tactic, something to slow the attacker down while raising the alarm. Sometimes they only provide indications that trouble occurred and a record of the harm.

There are several ways to keep track of what happens to a computer. Most operating systems provide “logging” or “security auditing” services that record significant events. These logging services can keep very detailed records, but detailed logging takes extra time and storage, so by default most systems record only the most significant events. A typical log indicates when a user logs in or logs out, and when major administrative or application programs are used. Logs also record obvious security events, like bad password entries or attempts to retrieve protected files. File systems often record key events for each file, including the date and time of creation, the last time it was accessed, and the last time it was modified.

Years ago, typical system administrators turned off logging mechanisms to save resources; a detailed log requires extra computing time to create and a lot of hard disk space for storage. Separately, most file systems keep track of which files have been modified, and users can often use this feature to identify recent changes. This does not always tell us the entire story: timestamps record only the most recent change, and whoever modified a file can usually reset them.

An Incident: A team of consultants visited a smaller Fortune 500 company to help them establish a computer security program. The company had some protections installed by rule, but very little else. The Information Technology (IT) manager described an incident that occurred the night before: A person had connected to the main server over the internet and located “the big spreadsheet” used to track and control the company’s financial status. The spreadsheet included every possible operational detail, including salaries of all employees. The IT manager was unhappy because the visitor had changed the access permissions so that anyone in the company could read or write “the big spreadsheet” and, in particular, look at the salaries.

The consultant sighed and asked, “Can you tell me if the visitor, or anyone else, has also modified the spreadsheet?”

The IT manager gasped. If someone had modified the spreadsheet, there would be no way to tell which cells had been changed. The spreadsheet had thousands of cells.

The IT manager was monitoring the site’s internet connection, and the monitor detected the break-in. This wasn’t sufficient to identify all of the damage done, but at least people were alerted to the problem.
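The question the consultant asked (“has anyone modified the spreadsheet?”) is answerable only if something trustworthy was recorded about the file before the incident. The script below is an added example, not from the book: it takes a baseline of every regular file under a directory (SHA-256 of the contents, size, permission bits, and modification time), stores it as JSON, and later compares a fresh snapshot against it. The demonstration re-creates the incident on constructed sample files in a temporary directory: one file has only its permissions opened up, another has its contents edited and its timestamp reset to hide the edit. The comparison separates the two cases, and the hash catches the edit that the timestamp would have missed. The path for the stored baseline is an assumption of the demonstration; in practice it belongs somewhere the intruder cannot reach, since a baseline stored beside the files it protects can be rewritten along with them.

```python
"""Baseline-and-compare integrity check for a directory of files.

Added example, not from the book. Sample files and the baseline location are
constructed for the demonstration.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_sha256(path):
    """Hash a file's contents in chunks so large spreadsheets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {sha256, size, mode, mtime} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_sha256(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),   # permission bits only
                "mtime": st.st_mtime,
            }
    return baseline


def compare(old, new):
    """Classify each path. Content changes are judged by hash, never by timestamp."""
    report = {"added": [], "removed": [], "content_changed": [], "perms_changed": [], "mtime_only": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        else:
            o, n = old[path], new[path]
            if o["sha256"] != n["sha256"]:
                report["content_changed"].append(path)
            if o["mode"] != n["mode"]:
                report["perms_changed"].append(path)
            if o["sha256"] == n["sha256"] and o["mode"] == n["mode"] and o["mtime"] != n["mtime"]:
                report["mtime_only"].append(path)  # touched, but contents and permissions intact
    return report


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Re-create the incident on constructed files: a permission-only change and a hidden edit."""
    with tempfile.TemporaryDirectory() as root:
        finance = os.path.join(root, "finance")
        os.makedirs(finance)
        spreadsheet = os.path.join(finance, "big_spreadsheet.csv")
        notes = os.path.join(finance, "notes.txt")
        with open(spreadsheet, "w") as f:
            f.write("employee,salary\nalice,1\nbob,1\n")   # constructed sample data
        with open(notes, "w") as f:
            f.write("quarterly notes\n")
        os.chmod(spreadsheet, 0o600)
        os.chmod(notes, 0o600)

        baseline_file = os.path.join(root, "baseline.json")  # assumption: in practice, stored off-host
        save_baseline(snapshot(finance), baseline_file)

        # The intrusion: open the spreadsheet to everyone, edit the notes file,
        # and reset the notes file's timestamps so the edit is not visible in a directory listing.
        before = load_baseline(baseline_file)
        os.chmod(spreadsheet, 0o666)
        with open(notes, "a") as f:
            f.write("bob,2\n")
        old_mtime = before["notes.txt"]["mtime"]
        os.utime(notes, (old_mtime, old_mtime))

        return compare(before, snapshot(finance))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:16s} {paths}")
```

A baseline like this cannot say which cells changed, but it turns “we don’t know” into “this file changed, that one only had its permissions altered,” which is the minimum needed to scope the damage and decide what to restore from backup.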
