Example Decision

Here, I have created an example situation where we would need to make a good security decision. I follow the process outlined above, making note of the applicable rules and theories that have gone into the decision-making process. Of course, it is not recommended that every security decision be written down in the following manner. However, when we can train our minds to follow this process, it will be easier to make good, strong, and consistent security decisions for our organizations.

An Example Security Issue

Our organization just announced a new partnership with Big Bob's Billing. Big Bob's is a third-party billing group that will handle all customer financial issues, such as payments, credits, and delinquent accounts. To accomplish this, Big Bob's requires some link into our order tracking system. The work is on a real-time request system; therefore, we cannot simply send them the information. Big Bob's works with other organizations through VPN-encrypted Internet tunnels, and with some customers through direct links like ISDN and frame relay. They will require some form of connection to our DB server and have asked us how we desire to handle it.

Identifying the Components

This decision includes several components, each with its own security issues, risks, and threats. We have identified the components that we have some concerns with in Table 6.3:

Table 6.3. Identified Components
Component | Description
Connection | The connection to and from Big Bob's Billing that will allow access into our DB. This includes the connection itself as well as the data traversing the connection.
Order tracking DB | The actual DB and server to which we are allowing access.
Internal network | The network where we will terminate the connection and to which the DB server is connected.

Filtering Through the Security Rules

The following is a sample instance where our organization will follow the previous process to analyze the situation and make a decision:

Table 6.4. The Rule of Least Privilege
Connection | Big Bob's will terminate a connection within our organization. We should take steps to implement some form of connection authentication to ensure Big Bob's is the only organization able to make this connection.
DB server | Big Bob's will need access into the DB, but only for the particular data records that affect them. Big Bob's only needs access to read information; therefore, no write or delete privileges should be granted. We should limit DB access accordingly through whatever means possible. The DB server can enforce authentication and authorization restrictions, but it would be even better to isolate Big Bob's data on a separate server.
Network | To gain access to this data, Big Bob's employees will have to traverse the internal network. Since they only need access to this one server, we should strictly limit access within the network via source, destination, ports, time of day, and any other applicable filters via a firewall and other forms of layered filtering (such as a router and server).

Table 6.5. The Rule of Change
Connection | The connection will be plugged into an existing router. This is a simple process, so we just need to inform the IT group and schedule the change in advance.
DB server | A few minor adjustments will need to take place on the DB server to allow for the access. The changes will be performed off-hours and all steps of the change will be documented and reviewed in advance. All related DB and application developers and administrators will be informed of the change.
Network | Introducing the new network connection will require a simple change in internal routing. This change will be announced to the IT group, scheduled in advance, and documented in change logs.

Table 6.6. The Rule of Trust
Connection | Big Bob's is a foreign entity, ungoverned by our policies; as such, we cannot trust them. We will put security devices in place to strictly control and monitor what subjects have access to what objects.
DB server | We do not trust that Big Bob's will access only the DB server, and we will do everything we can to monitor such access and limit it to exactly what is required.
Network | Big Bob's is an untrusted entity and will not be granted any form of access to the internal network beyond the required access.

Table 6.7. The Rule of the Weakest Link
Connection | The connection to Big Bob's will be treated like any other partner or vendor, and does not introduce any significant risk or threat that we do not already have.
DB server | This is the first time we will allow access to the internal DB server from an external party. We need to research any vulnerabilities that we have not considered, since to date we have been using it strictly for internal access. Allowing access into this server may expose vulnerabilities never before considered by the staff.
Network | The internal network does not currently allow anyone access to internal systems within the environment. Allowing Big Bob's employees to traverse the internal network introduces a new weak link for the organization. We should consider pushing the data out to the DMZ to avoid reducing security of the internal network or creating any new exposures.

Table 6.8. The Rule of Separation
Connection | As already decided, the connection will be filtered through a firewall and isolated from other network connections.
DB server | When accessed by Big Bob's client systems, the DB server will be somewhat exposed to the vulnerabilities of those clients. This supports the idea of pushing the data off the DB server and having clients grab the information from somewhere other than this critical system.
Network | The Rule of Separation further supports the idea that the DB should live on a separate DMZ network, isolating any exposures from the sensitive internal network.

Table 6.9. The Rule of the Three-Fold Process
Connection | The monitoring and maintenance of the connection itself is taken care of by the telephone company, and we should verify that this is the case. As for the router, it is included with the regular maintenance plan for all the networks. We will develop a process to adequately monitor and maintain any security device put into place.
DB server | We will need to inform the group that monitors the servers of these changes, and may desire to set up scripts to closely monitor the access from Big Bob's. We will continue to maintain the DB's security level by keeping up-to-date with security-related patches and fixes.
Network | The network will be continually monitored for intrusions from Big Bob's and other external entities. Other objects within the network will be updated regularly with security patches.

Table 6.10. The Rule of Preventative Action
Connection | The connection with Big Bob's will be included in regular security audits. All components related to this connection will be inspected.
DB server | The DB server will be continually maintained with any new security updates. It will also be scanned and inspected during audits for any new vulnerabilities.
Network | Controls to protect the internal network from Big Bob's will be reviewed and tested during regular security audits.

Table 6.11. The Rule of Immediate and Proper Response
Connection | A simple plan will be drafted stating how to handle a potential intrusion from external networks like Big Bob's. The connection with Big Bob's is not required on a 24×7 basis, so it will be specifically listed as a connection that can be “unplugged” during an incident.
DB server | Plans will be made to revoke external access, including Big Bob's, in the event of an attack against this sensitive server.
Network | Since it was determined that Big Bob's can be disconnected without issue, the network security staff will be informed to do so in the case of a network attack originating from Big Bob's, or related to the DB server.

Identify the Risks and Threats of Each Component

As part of the agreement with Big Bob's Billing, we have no responsibility for the safety of their company through this connection, and we will not go out of our way to protect them any more than our other networked partners. We have recommended that the organization place their end of the connection safely behind their own firewall for protection. For our organization, each component in Table 6.12 has been identified to have risks.

Considering the Zones

To help enforce the Rule of Least Privilege, we will place Big Bob's connection in front of our firewall. However, we not only want to limit Big Bob's access to our networks, but we also want to control the area that will be responding to Big Bob's communication requests. Considering several zoning scenarios, we find that the indirect inbound access scenario best secures the organization and its resources. Rather than allowing connections to go directly into the network, we will instead set up a DMZ with a smaller middle DB server that hosts only the information Big Bob's needs to access. This system will be fed information every couple of hours by the normal DB server. The middle system will not have direct access into the internal network and will not expose us to a relayed attack. We will also not allow this system to directly communicate with external parties, thereby reducing the risk of internally launched exploits.

Table 6.12. Risks Associated with this Connection
Component | Risk from Big Bob's Billing
Direct risk | In three months, this connection will most likely become very valuable, since our entire billing system will be switched through to Big Bob's Billing. The work of about 20 local employees and all immediate revenue generated from customer bills will depend on the link. A full-day outage could cost an estimated $10,000 in damages. The data transmitted across this line is very sensitive and valuable to others, since it includes credit cards and personal information about clients. If it were compromised, it could cause great damage to the organization. The data must also be accurate and free of error to ensure proper billing takes place. The data must also be hidden from the eyes of others.
Room | The connection must be terminated in a room or closet with a router. The line could be made unavailable or exposed due to poor environmental conditions, untrained personnel tripping on cords and pulling wires, or if the termination is “tapped.” As such, the room should be secured and protected from these threats.
Network | The line will either directly connect us to Big Bob's Billing at a medium cost or be terminated through the Internet at a very low cost. Traversing the Internet poses much greater threats than a direct connection, and the risk of information being exposed is very high for the organization. Despite the cost savings, the Internet is not considered safe enough for this form of transmission, even with VPN encryption. There is no guarantee that the VPN device will not fail, be misconfigured, or be hacked and expose extremely sensitive data. Regardless of how access is granted, the organization is introducing new potential threats into the organization. As with any external connection, there is always the possibility of an exposure to the outside world.

Layering Security

Security in this situation will be layered in the following manner:

  • All requests will be performed against the secured middle server, not directly against the internal server.

  • The external router that terminates the connection from Big Bob's will have basic access controls to limit traffic, providing an additional layer and protecting the firewall.

  • All requests will pass through the firewall and IDS servers, which will filter and log access attempts.

  • The DB server's operating system will be hardened to reduce vulnerabilities and increase security.

  • The DB application will enforce its own security controls with user authentication and authorization.

Considering Overall Security

The organization recognizes that it is taking on new risks by connecting with Big Bob's network and by allowing Big Bob's access to sensitive information and services. However, we have some level of confidence in Big Bob's reputation and the security of their organization and employee practices. We have put enough security measures in place to make up for many of the new risks. As such, this decision does not lessen security, nor does it require excessive measures or costs to secure our network from this foreign entity.

Putting It All Together

The example process of examining the rules in light of a specific security issue has provided us with all the elements for making a good security decision. We have determined several areas of concern and the security precautions we should take to avoid exposure. Given the information documented above, we could draw the following conclusion:

The connection to Big Bob's Billing introduces several risks that the organization has never been exposed to before. By allowing an external party to connect in such a manner, we are putting the internal network and critical DB server at risk. Sensitive customer information is going to be transmitted to Big Bob's via a network connection, putting this data at the risk of exposure. Also, by relying on an external entity to perform a critical function, there is a high risk if the connection becomes unavailable. This risk, however, can be greatly reduced through the following security precautions:

  • Connection— The connection should be terminated in a secure location, preferably behind a locked door. Wires and such should be organized to reduce the possibility of accidental damage. The termination point should have security controls that ensure that only Big Bob's has access to make the connection. The changes made on the router terminating this connection should be scheduled in advance, with our change management staff.

  • DB— The critical DB server has, thus far, only been accessible to the internal community. Allowing Big Bob's access to it introduces several new threats and justifies enhanced security controls. To reduce the amount of exposure, it is desirable to push the information required by Big Bob's onto another server dedicated to Big Bob's and any future partner with similar needs. If this new server was attacked, only the information used by Big Bob's would be exposed, and there would be no need to modify or erase information on the main server.

    The DB information will be read-only to Big Bob's employees and the server will have control such as authentication, authorization, and logging to keep unauthorized users out. This server will only accept updates from the main server on the internal network.

  • Network— Some form of access must be granted into our organization's network to accommodate Big Bob's. Access from a dedicated connection was decided to be much more appropriate given the highly sensitive nature of the information. In addition, rather than allowing this partner to traverse the internal network, the data will be pushed to a DMZ. Access to this DMZ will be highly restricted by a firewall and monitored by an IDS. Information will be pushed to this network on a regular basis, and no access will be allowed from Big Bob's or from the DMZ into the internal network. It has also been determined that sensitive information needs to be encrypted while in transit. Big Bob's will need to coordinate some form of encryption via the secure sockets layer (SSL), a local VPN, or through the DB itself.

  • Overall— All components of this connection will be included in regular security audits. Additions will be made to the incident response plan as related to this new connection and access. A connection policy will be drafted to detail all the information discussed above. This policy will be reused for any similar situations in the future.
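The DB controls called for in the DB bullet above and in Table 6.4 (a partner account that can only read the records that affect it, logging of that access, and updates accepted only from the internal server) can be expressed concretely at the database layer. The following setup script for the DMZ middle server is an added example, not code from the book or from any real deployment: it assumes PostgreSQL, and the table, column and role names, the placeholder passwords and the 203.0.113.0/24 partner address are all constructed for illustration. It is written to be run once by the database administrator.

```sql
-- Added example: least-privilege setup for the DMZ "middle" DB server.
-- Assumptions: PostgreSQL; run as the DB administrator (superuser);
-- all object names, passwords and addresses below are hypothetical.

-- The DMZ copy of order data. Only the columns the partner needs are
-- kept here; card data stays on the internal server.
CREATE TABLE partner_orders (
    order_id        bigint PRIMARY KEY,
    customer_ref    text NOT NULL,
    amount_due      numeric(12,2) NOT NULL,
    due_date        date NOT NULL,
    billing_partner text NOT NULL,           -- e.g. 'BIG_BOBS'
    refreshed_at    timestamptz NOT NULL DEFAULT now()
);

-- Two roles: the internal loader is the only writer, the partner is
-- read-only. The connection limit keeps a runaway client from
-- exhausting the server (Rule of Immediate and Proper Response).
CREATE ROLE order_loader    LOGIN PASSWORD '<loader-password-placeholder>';
CREATE ROLE bigbobs_billing LOGIN PASSWORD '<partner-password-placeholder>'
    CONNECTION LIMIT 5;

-- Start from nothing: strip the default rights every role inherits.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

-- Loader: may refresh rows but never change the structure.
GRANT USAGE ON SCHEMA public TO order_loader;
GRANT SELECT, INSERT, UPDATE, DELETE ON partner_orders TO order_loader;

-- Partner: reads only its own rows and only the needed columns, through
-- a view. The base table itself is never granted to the partner, so no
-- write or delete privilege exists to be abused.
CREATE VIEW bigbobs_orders AS
    SELECT order_id, customer_ref, amount_due, due_date
      FROM partner_orders
     WHERE billing_partner = 'BIG_BOBS';
GRANT USAGE ON SCHEMA public TO bigbobs_billing;
GRANT SELECT ON bigbobs_orders TO bigbobs_billing;

-- Defense in depth: even if a future grant on the base table slips
-- through, row-level security keeps the partner inside its own records.
-- With RLS enabled, every non-owner role needs a policy, so the loader
-- gets an explicit allow-all policy.
ALTER TABLE partner_orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY loader_all ON partner_orders
    FOR ALL TO order_loader USING (true) WITH CHECK (true);
CREATE POLICY partner_rows ON partner_orders
    FOR SELECT TO bigbobs_billing USING (billing_partner = 'BIG_BOBS');

-- Logging and limits for the partner role only (Rule of the Three-Fold
-- Process): every statement it runs is written to the server log.
ALTER ROLE bigbobs_billing SET log_statement = 'all';
ALTER ROLE bigbobs_billing SET statement_timeout = '30s';

-- Constructed sample rows, loaded the way the internal server would
-- load them: as order_loader, never as the partner.
SET ROLE order_loader;
INSERT INTO partner_orders (order_id, customer_ref, amount_due, due_date, billing_partner)
VALUES (1001, 'CUST-001', 125.50, '2024-01-31', 'BIG_BOBS'),
       (1002, 'CUST-002',  40.00, '2024-01-31', 'OTHER_PARTNER');
RESET ROLE;

-- Source and transport restrictions do not live in SQL. The matching
-- pg_hba.conf line (hypothetical database name and partner address)
-- accepts the partner role only over TLS and only from its router:
--   hostssl  dmzdb  bigbobs_billing  203.0.113.0/24  scram-sha-256
```

To verify the result, connect as bigbobs_billing and confirm that a SELECT on bigbobs_orders returns only the BIG_BOBS row, while any statement against partner_orders, and any INSERT, UPDATE or DELETE, is refused with a permission error; each attempt also appears in the server log because of the per-role log_statement setting. The view, rather than a direct grant with a WHERE clause left to the client, is what makes "only the records that affect them" a property of the server and not of the partner's good behaviour.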
