Creating a Baseline Definition for Information Systems Security

Taking your policies and building security baselines is a good way to ensure compliance. For example, suppose you have about 200 servers and an Active Directory (AD) server that enforces password rules. Configuring the servers to use AD to authenticate ensures that their passwords meet standard requirements. Additionally, if the password rules within the policy are compliant with NIST standards, then AD might be an effective tool to enforce that aspect of regulatory compliance. So, a baseline is a good starting point for enforcing compliance.

Within IT, a baseline provides a standard focused on a specific technology used within an organization. When applied to security policies, the baseline represents the minimum security settings that must be applied.

For example, imagine that an organization has determined every system needs to be hardened. The security policy defines specifically what to do to harden the systems. For example, the security policy could provide the following information:

  • Protocols—Only specific protocols listed within the security policy are allowed. Other protocols must be removed.
  • Services—Only specific services listed in the security policy are allowed. All other services are disabled.
  • Accounts—The administrator account must be renamed. The actual name of the new administrator may be listed in the security policy, or this information could be treated as a company secret.

The security policy would have much more information, but these few items give you an idea of what is included. The point is that baselines can be complex, referencing multiple policies. A server baseline, for example, may be configured to enforce both passwords and monitoring standards.

Baselines have many uses in IT. Anomaly-based intrusion detection systems (IDSs) use baselines to determine changes in network behavior. Server monitoring tools also use baselines to detect changes in system performance. This chapter focuses on the use of baselines as part of enforcing compliance with security policies and detecting security events.

An anomaly-based IDS, at least in part, operates by detecting changes in the network’s behavior. You start by measuring normal activity on the network, which becomes your baseline. The IDS then monitors activity and compares it against the baseline. As long as the comparisons are similar, activity is normal. When the network activity changes so that it is outside a predefined threshold, activity is abnormal. It should be noted that IDSs and intrusion prevention systems (IPSs) use signature matching in addition to anomaly detection.

Abnormal activity doesn’t always mean a security event. An alert could be what’s referred to as a “false positive.” That means the alert was triggered by activity that appears unusual but after closer examination can be explained. Consider an online retailer’s spike in activity during the holiday season, for instance, or the introduction of a new application on the network, generating new transactions. Much of this abnormal activity can be anticipated or detected. The IDS can be configured to ignore it.

However, the point of an IDS device is to detect security threats. For example, if a worm infected a network, it would increase network activity. The IDS recognizes the change as an anomaly and sends an alert. The anomaly-based IDS can’t work without first creating the baseline. You can also think of an anomaly-based IDS as a behavior-based IDS because it is monitoring the network behavior.

Administrators commonly measure server performance by measuring four core resources: the processor, the memory, the disk, and the network interface. The first set of measurements, once recorded, provides a performance baseline. Sometime later, the administrator measures the resources again. As long as the measurements are similar, the server is still performing as expected; however, if there are significant differences that are not explainable, the change indicates a potential problem. For example, a denial of service (DoS) attack on the server may cause the processor and memory resource usage to increase.
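The comparison described in the preceding paragraphs, for the anomaly-based IDS watching network activity and for the administrator watching the four core server resources, is the same calculation: record normal readings, then flag a new reading that falls outside a threshold. The following is an added example, not code from the book; the metric names, sample readings and the "holiday_sale" expected-event tag are constructed for illustration.

```python
"""Flag readings that deviate from a recorded baseline beyond a threshold."""
from statistics import mean, stdev

# Constructed baseline: 12 hourly samples of normal activity per metric
# (network throughput plus the processor, memory and disk resources).
BASELINE = {
    "net_kbps":  [810, 790, 845, 820, 805, 830, 815, 795, 840, 825, 800, 835],
    "cpu_pct":   [22, 25, 21, 24, 23, 26, 22, 24, 25, 23, 22, 24],
    "mem_pct":   [61, 62, 60, 63, 61, 62, 64, 61, 62, 63, 60, 62],
    "disk_iops": [140, 150, 135, 160, 145, 155, 150, 140, 165, 150, 145, 155],
}

# Anticipated events the sensor is configured to ignore, so a known
# traffic spike (here a constructed "holiday_sale" tag) is not a false positive.
EXPECTED = {("net_kbps", "holiday_sale")}


def baseline_profile(samples):
    """Return (mean, standard deviation) describing normal behaviour."""
    return mean(samples), stdev(samples)


def is_anomalous(value, profile, threshold=3.0):
    """True when value lies more than `threshold` standard deviations from normal."""
    mu, sigma = profile
    if sigma == 0:
        return value != mu
    return abs(value - mu) / sigma > threshold


def evaluate(observation, baseline=BASELINE, context=None, threshold=3.0):
    """Compare current readings ({metric: value}) against the baseline.

    `context` optionally names a known event; a (metric, context) pair listed
    in EXPECTED is skipped. Returns the metrics that deviate and were not
    explained away.
    """
    alerts = []
    for metric, value in observation.items():
        if (metric, context) in EXPECTED:
            continue  # anticipated activity, suppressed by configuration
        if is_anomalous(value, baseline_profile(baseline[metric]), threshold):
            alerts.append(metric)
    return alerts


if __name__ == "__main__":
    # A worm-like burst: throughput and CPU far above normal, disk unchanged.
    print(evaluate({"net_kbps": 2400, "cpu_pct": 95, "mem_pct": 91, "disk_iops": 150}))
```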

TIP

Some people argue that one should only use an intrusion prevention system (IPS)—one that actually stops the suspected malicious activity. However, the issue of false positives means this is not always advisable. One has to weigh the impact of failing to stop a real attack (false negative) against accidentally shutting down legitimate traffic (false positive) in order to choose between IDS and IPS. It should be noted that IDS and IPS usually require some effort to get configured properly.

A security baseline is also a starting point. For example, a security baseline definition for the Windows operating system identifies a secure configuration for the operating system in an organization. As long as all Windows systems use the same security baseline, they all start in a known secure state. Later, you can compare the security baseline against the current configuration of any system. If it’s different, something has changed. The change indicates the system no longer has the same security settings. If a security policy mandated the original security settings, the comparison shows the system is not compliant.
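The comparison of a baseline against a system's current configuration, using the hardening items listed earlier in this section (allowed protocols, allowed services, a renamed administrator account), can be expressed as a small drift check. This is an added example, not code from the book; the baseline contents and the captured server snapshot are constructed sample data, and the service and protocol names are only illustrative.

```python
"""Report where a captured system configuration departs from a security baseline."""

# The baseline: minimum security settings mandated by the security policy.
BASELINE = {
    "allowed_protocols": {"TCP/IP", "DNS", "Kerberos", "LDAP", "SMB"},
    "allowed_services": {"Netlogon", "W32Time", "EventLog", "Dnscache"},
    "forbidden_account_names": {"Administrator"},  # default admin must be renamed
    "settings": {"MinimumPasswordLength": 14, "AuditLogonEvents": "Success,Failure"},
}

# Constructed snapshot of one server, as an inventory tool might capture it.
CAPTURED = {
    "protocols": {"TCP/IP", "DNS", "Kerberos", "LDAP", "SMB", "Telnet"},
    "services": {"Netlogon", "W32Time", "EventLog", "Dnscache", "RemoteRegistry"},
    "local_admin_accounts": {"Administrator"},
    "settings": {"MinimumPasswordLength": 8, "AuditLogonEvents": "Success,Failure"},
}


def compare_to_baseline(captured, baseline=BASELINE):
    """Return (kind, item, action) findings; an empty list means compliant."""
    findings = []
    # Protocols present on the system but not on the policy's allow-list.
    for proto in sorted(captured["protocols"] - baseline["allowed_protocols"]):
        findings.append(("protocol", proto, "remove"))
    # Services running that the policy does not list; all others are disabled.
    for svc in sorted(captured["services"] - baseline["allowed_services"]):
        findings.append(("service", svc, "disable"))
    # The built-in administrator account still carries its default name.
    still_default = captured["local_admin_accounts"] & baseline["forbidden_account_names"]
    for acct in sorted(still_default):
        findings.append(("account", acct, "rename"))
    # Any difference from the baselined value is reported as drift.
    for key, required in baseline["settings"].items():
        actual = captured["settings"].get(key)
        if actual != required:
            findings.append(("setting", key, f"expected {required!r}, found {actual!r}"))
    return findings


def is_compliant(captured, baseline=BASELINE):
    """True only when the system still matches every baselined setting."""
    return not compare_to_baseline(captured, baseline)


if __name__ == "__main__":
    for kind, item, action in compare_to_baseline(CAPTURED):
        print(f"{kind:9} {item:22} {action}")
```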

Policy-Defining Overall IT Infrastructure Security Definition

Many organizations use imaging techniques to provide baselines. An image can include the full operating system, applications, and system settings. This includes all the desired security and configuration settings required for the system.

FIGURE 15-1 shows an example of how imaging is accomplished. You start with a clean system, referred to as a source computer. You install the operating system and any desired applications on the source computer. Next, you configure specific settings needed by users. Then you configure the security settings to comply with the security policy; for example, you could remove unneeded protocols, disable unused services, and rename the administrator account. You can lock this system down with as much security as you need or desire.

An illustration of how imaging is accomplished.

FIGURE 15-1 Using imaging technologies.

Next, you capture an image of the system. You can think of this as being like taking a snapshot. Imaging captures the entire software contents of the system at that moment. Symantec Ghost is a popular imaging program used to capture images of any operating system. This is particularly easy when using virtual systems. Most virtualization software includes snapshot capability.

Once you’ve captured the image, you can deploy it to other systems. The original image is often referred to as the gold master. Each system that receives the image will have the same operating system and applications. It will also have the same security and configuration settings.

This baseline improves security for systems. It also reduces the total cost of ownership. Imagine that the security policy required changing 50 different security settings. Without the baseline, these settings would have to be configured separately across potentially hundreds or thousands of servers. The time involved to configure them separately may be substantial. Additionally, there’s no guarantee that all the settings would be configured exactly the same on each system when done manually.

NOTE

Gold master refers to a master image that is copied for deployment. Use of golden images saves time by eliminating the need for repetitive configuration changes and performance tweaks. It ensures that all systems imaged using a copy of the gold master are configured in the same manner.

If all the systems are configured the same, help desk personnel can troubleshoot them more quickly. This improves availability. Imagine if hundreds (or thousands) of different systems were configured in different ways. Help desk personnel would first need to determine the normal configuration when troubleshooting problems. Once they determined normal operation, they would then determine what’s abnormal in order to fix it. Each time they worked on a new system, they’d repeat the process. Worse yet, servers with the same role configured radically differently mean a lack of consistency and a lack of compliance with security standards.

TIP

Be sure to protect the integrity of the gold master. If your gold master is infected with malware, you will be replicating the infection in every copy. Never use the gold master for production or any use other than creating deployment images.

However, if all the systems are the same, help desk personnel need to learn only one system. This knowledge transfers to all the other systems. Troubleshooting and downtime are reduced. Availability is increased. Compliance with security policies is consistently enforced.

Vulnerability Window and Information Security Gap Definition

The vulnerability window is the gap between when a new vulnerability is discovered and when software developers start writing a patch. Vulnerabilities attacked during this time are sometimes referred to as zero-day vulnerabilities. This means that the vendor has been aware of the vulnerability for zero days. These are a serious concern because there is not yet any patch or remediation available for the vulnerability. You don’t know when the vulnerability window opens, because you don’t know when an attacker will find the vulnerability. However, most vendors will start writing patches as soon as they learn about the vulnerability. For example, Microsoft announced on April 26, 2014, a zero-day vulnerability that resided in all versions of Internet Explorer. By May 1, a patch was released.

There are other examples. In 2019, a vulnerability was found in the Windows Task Scheduler. It affected Windows 10 and Windows Server 2019. The Task Scheduler service runs at the maximum level of privilege defined by the local machine, namely NT AUTHORITY\SYSTEM. A weakness in the Task Scheduler allowed attackers to elevate privileges. It was eventually found and given the designation CVE-2019-1069.

TIP

You have probably heard the recommendation that you should use automatic updates on your computer. That is true for home users but is not recommended for business. There is always the chance of a patch having a conflict with some proprietary or specialized application on your systems. Therefore, it is recommended that you apply the patch to a test system first to see its effects. If all goes well, it can be rolled out to the rest of the network.

Similarly, there’s a delay between the time a patch is released and when an organization patches its systems. Even if you start with a baseline, there is no way that it will always be up to date or will meet the needs of all your systems. The difference between the baseline and the actual security needs represents a security gap. For example, you may create an image on June 1. One month later, you may deploy the image to a new system. Most of the configuration and security settings will be the same; however, there may have been some changes or updates that occurred during the past month. This gap presents attackers with a vulnerability window and must be closed.

If your organization uses change management procedures, you can easily identify any changes that should be applied to the system. If you don’t have a change management procedure, you will have a significant gap in security policies. Change management is fundamental to network administration, software development, and security.

In addition to change management, patch management is an important security practice. Software vulnerabilities are routinely discovered in operating systems and applications. Vendors release patches or updates to plug the vulnerability holes; however, if the patches aren’t applied, the system remains vulnerable. Keeping systems patched helps an organization avoid significant attacks and outages.

Within a Microsoft domain, Group Policy deploys many settings. Group Policy allows an administrator to configure a setting once, and it will automatically apply to multiple systems or users. If Group Policy is used to change settings, the changes will automatically apply to the computer when it authenticates on the domain. Additional steps are not required.
