|
4 |
Business Challenges Within the Seven Domains of IT Responsibility |
ORGANIZATIONS OF ANY SIZE can have millions of transactions occurring every day between customers, employees, and suppliers. Today, many systems are automated. They generate their own transactions in the form of online product queries, searches, inventory checks, authorization checks, and log entries. Tracking of product, pricing, invoicing, service calls, e-mail, instant messages, support tickets, and order processing all require data. One touch of a keyboard generates potentially hundreds of transactions in today’s complex business environment. All of this information needs to be protected. Whether the data is stored at rest on a hard drive or in transit over the network, regardless of form or method of access, threats to the information must be considered.
Reports predict that over 40 zettabytes of data will be stored digitally worldwide by 2020. A zettabyte is unit of measure equivalent to 1021 bytes of data. In context, 42 zettabytes is equivalent to storing every word spoken by every human in history.
The expanded use of social media, more widespread cloud and mobile computing, and increasing government surveillance programs are a few of the factors contributing to this growth. And future technologies just now being envisioned mean this growth trend will not stop in the foreseeable future. The large accumulation of data is often referred to as Big Data. The global society is wired. Among the items going into the vast global store of data may be a Tweet, a copy of an e-mail, an Internet search, or a copy of a receipt from retail store. This vast array of data is often unstructured, and for a market researcher or a government snoop, it may be a treasure trove of information that reveals a lot about an individual: his or her habits, interests, gender, associations, opinions, and much more.
What does this mean for business? It means new opportunities and new challenges. Businesses that understand how to mine this data will understand their customer needs. Companies that lose control over their data will put their customers and businesses at risk. This data is accumulated over years and is relatively static. Yet the law is not static. For example, as privacy laws change, what was once considered acceptable business use may now be illegal. Security policies must keep up with these ever-changing legal requirements or run the risk of exposing the business to legal penalties.
This chapter divides the IT environment into seven logical domains. Each domain represents a logical part of the technology infrastructure. You will follow the data through these seven domains to understand the business challenges collecting, processing, and storing information. You will also consider the business, technical, and security policy challenges that affect organizations.
Chapter 4 Topics
This chapter covers the following topics and concepts:
• What the seven domains of a typical IT infrastructure are
• How security policies mitigate risk within the seven domains
• What the different methods of building access control are
Chapter 4 Goals
When you complete this chapter, you will be able to:
• Identify the seven domains of typical IT infrastructure
• Identify the risks and concerns involved with the various domains
• Describe the top business risks within each of the seven domains
• Understand the difference between role based access control (RBAC) and attribute based access control (ABAC)
• Understand how security policies map to business requirements
• Understand the role security policies play in mitigating business risks within the domains
The Seven Domains of a Typical IT Infrastructure
Examining risk from a data perspective means to follow data through an end-to-end process. As you move through your technology infrastructure, you’ll find similar risk and policies issues. There are many ways to group security policies. A common method is to group common risks and related policy issues into domains. These domains share similarities but are distinctive enough to allow logical separation into more manageable secure areas. An advantage of this method is that each domain typically focuses on a different target audience. This means security awareness and training can be more precisely targeted.
In this section of the chapter, you will learn the definition of these domains. This section examines the attributes of each domain so you can gain a better understanding of the issues. Later in the chapter, you will examine the business issues and policy challenges of these problems, along with risk mitigation techniques.
Figure 4-1 illustrates seven typical domains of an IT infrastructure, which include:
• User—This domain refers to any user accessing information. This includes customers, employees, consultants, contractors, or any other third party. These users are end users.
• Workstation—This domain refers to any endpoint device used by end users. This can mean any smart device in the end user’s physical possession. For the purposes of this chapter, it’s any device accessed by the end user, such as a smartphone, laptop, workstation, or mobile device.
• LAN—This domain refers to the organization’s local area network (LAN) infrastructure. A LAN connects two or more computers within a small area. The small area could be a home, office, or group of buildings.
• WAN—A wide area network (WAN) covers a large geographical area. The Internet is an example of a WAN. A private WAN can be built for a specific company to link offices across the country or globally. Many business use the Internet for communicating between offices and regions. The Internet has become so inexpensive and reliable that it is often the first choice of businesses. Communications are typically secured through the use of encryption.
• LAN-to-WAN—This domain refers to the technical infrastructure that connects the organization’s LAN to a WAN. This allows end users to access the Internet. Communications flow in both directions in the LAN-to-WAN Domain.
• Remote Access—This domain refers to the technologies that control how end users connect to an organization’s LAN. A typical example of remote access is someone connecting to the office network from a home computer. End users can use a WAN to access a LAN. For example, an end user could use the Internet to create a private and secure session to connect with the office through a virtual private network (VPN) connection.
• System/Application—This domain refers to the technologies needed to collect, process, and store information. The System/Application Domain includes hardware and software.
While there are many advantages to grouping policies this way, it can be hard to understand how data is controlled. In other words, it could be challenging to understand the end-to-end layers of controls. One way to overcome this challenge is to map business requirements by examining each of these logical segments. These requirements provide constraints upon end users and ultimately determine how security controls are designed.
Take a look at each of the seven domains to better understand how data is treated and how many common constraints are placed on them by the business.
User Domain
The User Domain refers to any end user accessing information in any form. This includes how end users handle physical information such as reports. Control of physical information starts well before someone ever touches a keyboard. It must start with end user awareness of policies and on-the-job training. As good as an awareness program is, formal education programs are no substitute for the experience gained from on-the-job training. Onboarding refers to new employee training. Even if your organization doesn’t have a formal on-the-job training program, something as simple as giving someone a “buddy” to show him or her how the area operates often achieves many of the same goals.
There are several key policies that an end user must be familiar with before accessing company information. Some of the more important policies you should include in an awareness training program include:
• Acceptable use policy—An acceptable use policy (AUP) establishes a broad set of rules for acceptable conduct when a user accesses information on company-owned devices. For example, this policy may set rules on what type of Web site browsing is permitted or if personal e-mails over the Internet are allowed.
• E-mail policy—An e-mail policy discusses what’s acceptable when using the company e-mail system. The policy is much more specific than the broad statements found in an AUP policy.
WARNING
How coworkers treat data can significantly influence an employee’s behavior beyond any formal awareness training. Regardless of training, if coworkers and management treat policies as unimportant, a new employee might treat policies as unimportant as well.
• Privacy policy—A privacy policy addresses the importance the organization places on protecting privacy. It also discusses the regulatory landscape and government mandates. This policy discusses how to handle customer data as well as the individual obligation to protect the information.
• System access policy—A system access policy includes rules of conduct for system access. This policy covers end user credentials like IDs and passwords. The policy may also be specific to the business or application.
• Physical security and clean desk policy—The physical security and clean desk policy outlines conduct in the workplace. It typically covers the expectation that employees will lock up sensitive information before going home at the end of the workday. This is what the term clean desk refers to.
• Corporate mobility policy—An organization’s corporate mobility policy sets expectations on the use and security of mobile devices. This policy could also set requirements on using personal devices to access company systems. For example, there is a growing trend of allowing personal smartphones to access company e-mail systems. This reduces costs because the company does not have to issue phones. But it also creates new risks, as companies have less control over devices they do not own.
• Social networking policy—The social networking policy has emerged as a type of code of conduct. With the rise of social media, many businesses are concerned about employees posting information about the company on these sites. This policy provides guidance to employees. For many organizations, posting any information about the business beyond the employee’s name and title is strictly forbidden.
Authentication is one of the most important components of the User Domain. You must determine an authentication method that makes sense for your organization. Your authentication method must also meet business requirements.
The use of user IDs and passwords remains a minimum standard for many organizations. It is considered a foundational control for many businesses. The ID and password can be widely used, and a password can be easily reset in the event an end user forgets it.
The low cost and high efficiency of this method of authenticating users also represent its greatest weakness. Because IDs and passwords have been used throughout the history of modern computing, exploits of this authentication method continue to be refined.
For many businesses, however, IDs and passwords alone are not enough. Authenticating the end user device in combination with the ID and password provides a stronger authentication method. For example, access may be restricted only to work hours on devices issued by the business for employees with a valid ID and password. Although the ID and password may be compromised, the risk is reduced because access would be denied on non-company computers.
The best method for ensuring you know who is being authenticated is to restrict access to an ID and password to a single individual and force individuals to change their password often. The key lesson is that authentication must make sense in the business context in which you use it.
Another key component is authorization. Authorization is especially important in large complex organizations with thousands of employees and hundreds of systems. The authorization method must clearly define who should have access to what. One popular method is role based access control (RBAC). In this method, instead of granting access to individuals, you assign permissions to a role. Then you assign one or more individuals to that role.
The huge advantage of RBAC is speed of deployment and clarity of access rights. Let’s assume you hire an accountant named Nikkee and you grant her access to 12 systems, many spreadsheets, e-mail folders, and more. If you had to grant that access to her individual ID, it could take you days or even weeks. Given the complexity of a system, you may need to grant hundreds of permissions. The volume of permissions means there is a good chance of an error by missing something or granting too many rights. Now let’s assume you hire a second accountant named Vickee. You would have to start the process over again to grant her rights to the systems, spreadsheets, and so on. What’s even more time consuming is if one of these individuals leaves, you have to go through a similar process to remove her access.
Instead, let’s assume you previously set up a role called “Accountant” and granted all necessary permissions to this role. Creating a new account would take the same time as creating a single user without RBAC. But creating a role is a onetime event. When you hire Nikkee and Vickee, you can connect their IDs to the Accountant role, quickly giving them access to the systems, spreadsheets, and e-mail folders they need to perform their jobs. Now let’s say Vickee is promoted. You can quickly remove her ID from the Accountant role and place her ID in a Senior Accountant role. You reduced deployment time for these individuals from days or weeks to hours or minutes. By listing the people connected to the roles and the permissions within the roles, you can clearly see who has access to what business resources. This clarity of access helps an organization control access to its critical processes, manage its risk, and prove to regulators that it manages customer data properly. Figure 4-2 illustrates the RBAC concept.
FIGURE 4-2
Role based access control concept.
Several emerging variations of the RBAC model have recently been published. In January 2014, NIST issued publication 800-162, entitled “Guide to Attribute Based Access Control (ABAC).” Attribute based access control (ABAC) relies on dynamic roles, rather than the static roles found in the RBAC model. In an RBAC model, you build a static role. In an ABAC model you build an expression of attributes that describes the role that is built dynamically at run time. For example, “All accountants from the regional offices can post deposits.” This assumes you have assigned attributes that define “accountant,” “regional offices,” and “posting deposits.”
Both RBAC and ABAC can provide the same access. The advantage of ABAC is that roles are expressed more in business terms and thus may be more understandable. The other advantage that ABAC has is that roles are dynamically built, unlike RBAC, which requires resources to engineer roles. The disadvantage of ABAC is that it requires an application to use a central rules engineer at run time. Most legacy applications do not have this capability. Consequently, adoption of ABAC will be slow. Many organizations that want to adopt ABAC will have both RBAC and ABAC deployments for the foreseeable future.
The Workstation Domain includes any computing devices used by end users. Usually, the term workstation refers to a desktop or laptop computer. However, a workstation in the context of this chapter can be any end user device that accesses information. Control on your handheld device, like a smartphone, would fall within this domain.
NOTE
For the purposes of this chapter, the term workstation refers to any end user device that accesses information.
Usually, when an end user seeks to access information, he or she authenticates in the User Domain. Once he or she is known, the end user is often authorized to the workstation itself. Each workstation has an identity much like an end user. Not only can you restrict end users to specific workstations, you can also restrict what workstations are allowed on your network. This is particularly important when connecting to a network wirelessly because wireless access may be available to the public. Most wireless access points restrict which devices can access the internal network. Wireless access points also should encrypt the traffic between the authorized wireless device and the access point into the LAN.
NOTE
Authentication of a workstation and encryption of wireless traffic are Workstation Domain and LAN Domain issues. The assignment of a workstation identity and configuration of the wireless protocol is a Workstation Domain issue. The authentication and encryption of the traffic is a LAN Domain issue.
The Workstation Domain defines the controls within the workstation itself, such as limiting who can install software on the workstation. Some end users share a workstation. Therefore, it is important that settings be stable, and that one end user not be able to affect another. To achieve this, end users often have limited rights on workstations. That means they can typically access the software that’s been installed, and they have some rights to configure the software to their needs, but they do not have unlimited rights to make changes that could affect another user. This also ensures that an end user does not inadvertently infect the workstation with a virus or malware. Most domain controls ensure that appropriate antivirus software is loaded and runs on each workstation.
A central management system typically manages workstations such as Microsoft System Center Configuration Manager. These management systems have evolved over time and help an organization save time, money, and greatly improve response time. Can you imagine having to visit hundreds or thousands of desktops individually to apply a patch or install a piece of software? Fortunately, those days are long over. Regardless of the management software used, different brands all generally share many of the same capabilities. The key functionalities to look for are these:
• Inventory management—An inventory management system tracks devices as they connect to the LAN. This builds an inventory of which devices are on the network and how often they connect to the LAN. Information inventories are useful for investigating security incidents and ensuring regulatory compliance.
• Discovery management—Detects software that is installed on a device. Discovery management can also detect information on a workstation. This is highly specialized software that is not routinely used.
• Patch management—A patch management system ensures that current patches are installed on devices. It’s particularly important to apply security patches in a timely manner to address known vulnerabilities.
• Help desk management—A help desk management system provides support to end users through a help desk. Help desk technicians may remotely access a device to diagnose problems, reconfigure software, and reset IDs.
• Log management—A log management system extracts logs from a device. Typically, log management software moves logs to a central repository. Typically, the volume of logs is so large that it takes special software to automatically search and highlight potential risks. Administrators scan these logs to find security weaknesses or patterns of problems.
• Security management—A security management system manages workstation security. This may include ensuring end users have limited rights and that new local administrator accounts are not present. The unexpected addition of local administrator accounts may be an indication that a security breach has occurred.
LAN Domain
The LAN Domain encompasses the equipment that makes up the LAN. A LAN typically has network devices that connect a local office or buildings. A LAN can be either simple or complex. If you have a wireless network device at home, you have a simple LAN. Let’s say you have a home cable modem connected to a wireless device, which is usually called a wireless router. The wireless router creates a LAN, bridging your cable modem to your home computer. This wireless router is your LAN access point to the Internet. The following are definitions for common network devices found on LANs:
• Switch—A switch is similar to a hub but can filter traffic. You can set up rules that control what traffic can flow where. Unlike hubs, which duplicate traffic to all ports, a switch is typically configured to route traffic only to the port to which the system is connected. This reduces the amount of network traffic, thus reducing the chance that someone will intercept communications. The ability to configure a switch to control traffic is a real advantage over a hub. Many organizations do not allow the use of hubs and prefer switches for enhanced security.
• Router—A router connects LANs, or a LAN and a WAN.
• Firewall—A firewall is a software or hardware device that filters traffic in and out of a LAN. Many can do deep-packet inspection, in which the firewall examines the contents of the traffic as well as the type of traffic. You can use a firewall internally on the network to further protect segments. Firewalls are most commonly used to filter traffic between the public Internet WAN and the internal private LAN.
A LAN in the business world is far more complex than a home LAN, and has many layers of controls. Let’s look at two general types of LANs, flat and segmented networks.
A flat network has few controls, or none, to limit network traffic. When a workstation connects to a flat network, the workstation can communicate with any other computer on the network. Think of a flat network as an ordinary neighborhood. Anyone can drive into the neighborhood and knock on any door. This doesn’t mean whoever answers the door will let the visitor in. However, the visitor has the opportunity to talk his or her way in. In the case of flat networks, you can talk your way in by being authorized or by breaching a server, for instance, by guessing the right ID and password combination. Flat networks are considered less secure than segmented networks because they rely on each computer (i.e., each home on the block) to withstand every possible type of breach. They are also less secure because every computer on the network can potentially see all the network traffic. This means a computer with a sniffer can monitor a large portion of the communication over a LAN. A sniffer can record the traffic on a network. This includes recording IDs and passwords in the clear. So if there’s a special code, secret knock, or handshake at the door, it has also been recorded. That’s why most security policies require passwords to be encrypted when passed through the network.
A segmented network limits what and how computers are able to talk to each other. By using switches, routers, internal firewalls, and other devices, you can restrict network traffic. Continuing the analogy from the previous paragraph, think of a segmented network as a gated community. To access that neighborhood, you must first approach a gate with a guard. The guard opens the gate only for certain traffic to enter the community. Once inside, you can knock on any door. A segmented network acts as a guard, filtering out unauthorized network traffic.
NOTE
Many standards require network segmentation. Payment Card Industry Data Security Standard (PCI DSS), for example, requires network segmentation to further protect credit cardholder information.
Why do you want to segment a network? The basic idea is that by limiting certain types of traffic to a group of computers, you are eliminating a number of threats. For example, if you have a database server with sensitive information that by design should receive only database calls (such as Structured Query Language [SQL] traffic), why allow File Transfer Protocol (FTP) traffic? If the server is not properly configured, the FTP service could be used as a way to break into the computer. By eliminating the FTP traffic, you have effectively eliminated that particular threat. You should still make sure the server is properly configured to prevent such an attack. However, you reduced the likelihood of a successful breach because the attacker must first breach the segment (i.e., get by the guard at the gate) and then breach the database server (i.e., break down the door). Security is never absolute, but segmenting your network makes it more difficult to breach a computer.
The LAN-to-WAN Domain is the bridge between a LAN and a WAN. A LAN is efficient for connecting computers within an office or groups of buildings. However, to connect offices across the country or globally you need to connect to a WAN. Generally, routers and firewalls are used to connect a LAN and WAN. The Internet is a WAN. The Internet, like many WANs, is public and considered unsecure. Figure 4-3 illustrates the basic LAN-to-WAN network layers.
How do you move data from an unsecure WAN to a secure LAN? Typically, you begin by segmenting a piece of your LAN into a demilitarized zone (DMZ). The military uses the term DMZ to describe a buffer between two opposing forces. The DMZ sits on the outside of your private network facing the public Internet. Servers in the DMZ provide public-facing access to the organization, such as public Web sites. They are especially hardened against security breaches because the servers are easily accessible to the public and hackers. Sitting between the DMZ and internal network are firewalls that filter traffic from the DMZ servers to the private LAN servers. Often, the DMZ sits between two layers of firewalls. The first firewall allows limited Internet traffic into the DMZ, and the second highly restricts traffic from the DMZ servers into the private network.
FIGURE 4-3
Basic LAN-to-WAN network layers.
There are a number of different network architecture designs that can be used to connect your internal private LAN with the external Internet WAN. The key point is to understand that you need some layer of firewalls to limit traffic between these domains. Creating a network segment like the DMZ as buffer between the LAN and WAN is a good way to protect your private network.
In recent years some firewalls have added behavior and heuristic checks. Basically, this means the firewalls learn over time what “normal” looks like. By recording volume and type of traffic, they create a pattern. When these behaviors change dramatically, firewalls can limit traffic and alert the security teams. For example, assume typical overseas customers represent 3 percent of your Web site’s traffic, but then suddenly turn into 99 percent of your traffic. This could be an indication of a potential breach, especially if that country of origin is known to be a source for hacks. Although each individual transaction looks valid, collectively the pattern can trigger firewall rules to restrict access.
WAN Domain
The WAN Domain, for many organizations, is the Internet. Alternately, large organizations can lease dedicated lines and create a private WAN. However, as connectivity to the Internet has become more reliable, many organizations have switched from private WANs to using the Internet to connect offices over all over the world.
A challenge for companies using the Internet to connect offices is how to keep communications secure and private. A common solution is a virtual private network (VPN). By setting up network devices at both offices, you can create an encrypted tunnel through the Internet. The tunnel protects communication between the offices from eavesdropping. You can use a dedicated network device whose only function is to create and manage VPN traffic. These devices are VPN concentrators. Many firewalls also have the capability to create and maintain a VPN tunnel.
Organizations can lower communication costs by using VPN tunnels instead of leasing private lines for WANs. Beyond cost there’s also the issue of time. Leased lines for WANs can take weeks to months to order, contract for, install, and set up. Most companies already have an Internet connection. They can add VPN-compatible devices at both ends to establish a VPN tunnel in days. For small and medium-size companies, it’s the only practical solution given the cost and technical complexities.
Cloud computing has emerged as a major technology. Forbes estimates that in 2014 businesses in the United States will spend more than $13 billion on products and services related to the cloud. Most projections show that this expenditure will substantially grow in coming years.
Think of cloud computing as way of buying software, infrastructure, and platform services on someone else’s network. You rent this capability when you need it and stop paying when you are done. It’s like renting a car: If you have out-of-town guests, you might rent a large van while they are in town. Your costs are incurred during their stay. When your guests leave, you return the van and go back to driving your two-seat sports car. Likewise, cloud computing allows you to rent additional computing power when you need it and release it when the demand is low. Access to cloud computing is typically through the WAN (i.e., Internet).
Remote Access Domain
The Remote Access Domain is nothing more than an enhanced User Domain. The only difference is that you are traveling from a public unsecure network into the private secure company network. You have all the issues you have in the User Domain plus special remote authentication and network connectivity issues.
Remote authentication has always been a concern because the person is coming from a public network. Do you truly know that individual is an employee, or is he or she a hacker pretending to be an employee? There’s less of a concern when accessing the network within the office. The office might have guards at the entrance, locked doors, badges, and visibility of people sitting at workstations. Over the Internet, how do you know who’s on the other side of the wire? Most organizations today feel that an ID and password combination is not an adequate authentication method for remote access.
Many companies require two-factor authentication for remote access. Two-factor authentication requires an end user to authenticate his or her identity using at least two of three different types of credentials. The three most commonly accepted types of credentials are as follows:
• Something you know—Refers to something only you are supposed to know, such as your ID and password combination. You should never share your password with anyone.
• Something you have—Refers to a unique device that you must have in your physical possession to gain access. This physical device could be your computer itself. In general terms, all devices have identities, from your laptop to your phone. The physical device you are logged on with can be used as a way of verifying your identity.
• Something you are—Refers to some sort of biometric feature such as a fingerprint scanner.
technical TIP
There are many ways to verify a computer’s identity. A common method is using certificates. In general terms, the certificate acts like a digital fingerprint. No two computers have the same certificate or digital fingerprint. This is useful in verifying that the user is on a specific computer. For example, suppose a bank wants to make sure any money wired is sent from only one computer in a locked room. That would provide both a physical and logical control over sending money. The wire application could verify the digital fingerprint of the remote computer to verify that any wire request is coming from a specific authorized computer.
Many organizations today require two-factor authentication for remote users. The authentication factors may be an ID/password combination (something you know) plus some type of token or smart card (something you have) to authenticate remote access. This provides a high level of confidence that the remote user is an employee. Some tokens can be loaded directly to the company laptop. The laptop becomes something you must have to connect remotely.
NOTE
In 2012, the Federal Financial Institutions Examination Council (FFIEC) issued guidance entitled “Authentication in an Electronic Banking Environment.” It requires financial institutions go beyond using just IDs and passwords. It required banks to use multifactor authentication more widely.
Remote network connectivity has the issues previously discussed with WAN Domains: how to keep communications secure and private. A VPN is typically the solution. You can configure a VPN to permit only predefined workstations to be connected. Each site has a dedicated hardware device that creates an encrypted tunnel through the Internet. This is typically called a site-to-site VPN connection. A remote user can also create a VPN tunnel. Instead of having VPN hardware at home, you have a desktop or laptop with software called a VPN client. This VPN client communicates with the VPN hardware to create the same type of encrypted tunnel through the Internet. This is typically called a client-to-site VPN connection. In both cases VPN is used to secure the communication through the Internet. Figure 4-4 illustrates the site-to-site and client-to-site connectivity.
FIGURE 4-4
Basic types of VPN connectivity.
The combination of enhanced remote authentication and network connectivity can be powerful tools to ensure a network’s protection. Yet these tools also extend the business network anywhere in the world. Consider this scenario: Don, an executive, receives a call on a Saturday to approve a change to a vital business shipment. For Don to approve the shipment, he must review the changes on an internal system and electronically sign off on the changes. However, he is away for the weekend with his family.
Fortunately, Don has his laptop in the hotel and he has an Internet connection. He signs onto his company laptop and connects to the network using his ID/password and a token he carries on his key chain. A VPN tunnel is established, and his laptop is authorized onto the network. Don can now access the system the same way he does from his desk in the office. The encrypted communications are secure and private. He can review the shipment change and approve its release. The use of the ID/password and token achieves authentication and nonrepudiation for any transactions Don decides to execute. The confidentiality and integrity of the communication is achieved through encrypting the tunnel.
System/Application Domain
As complex as networks are, they essentially secure communication between an end user and some application software. What collects, processes, and stores data is ultimately software. Business software is typically an application. System software, such as a server operating system, runs business applications. The System/Application Domain refers to all the system and application software-related issues.
Application software is at the heart of all business applications. Application software can run on a workstation or server. For example, an application can display a screen by which customers and employees can select products and enter data. Once the information is collected, the application transmits the transaction to a server. The server stores the information in a database to be processed later or instantly processes the transaction, stores the results, and displays information back to the end user. Later an employee can extract data from this ordering application into a spreadsheet to track the total number of orders each month by product type. The application that took the orders, the spreadsheet that tracked the orders, and perhaps the e-mail client used to announce record sales for the month, are all examples of application software.
FYI
People often use the terms system software and application software interchangeably. They are not the same. Generally, any business software that an end user (including customers) touches is an application. This includes e-mail, word processing, and spreadsheet software. The operating system, which is the software that runs applications, and software that allows a computer to communicate over a network, are system software.
Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains
The previous section provided a foundational understanding of each of the seven domains. In this section, you will examine the business challenges and risks in each domain. You will also learn how the proper application of security policies can mitigate many of these risks.
User Domain
For an organization to be efficient requires the proper alignment of people, processes, and technology. As with most technology problems that are enormous in size, scope, and complexity, the best approach to finding a solution is to break down the problem into manageable pieces. In this case, the goal for business is to have this alignment to produce consistent, repeatable, high-quality results. The challenge is that humans are not always predictable and consistent. So any process that relies on humans must reinforce good behavior and verify results often. This reinforcement of education, monitoring, and adjusting behaviors is a never-ending cycle in implementing security policies.
Employee efficiency starts with well-defined policies that reflect the organization’s reasonable expectations. Security policies must closely align with business requirements. This situation allows employees to understand the importance of the policy to the organization. It also ensures that security policies support business goals. One of the major business challenges is getting employees to follow policies. There are several ways good security policies can mitigate this risk, as follows:
• Awareness—Policies require employees to receive formal security awareness training. Most importantly, this training lets employees know where to go for help when the unexpected arises. The training also sets expectations on the handling of sensitive information to protect such as ensuring customer privacy.
• Enforcement—Security controls flow from security polices. These controls are designed to enforce how the business wishes to operate. Among the most important security controls are those that enforce segregation of duties. Separation of duties, or segregation of duties, means a single person cannot execute a high-risk transaction, for example, wiring large sums of money out of a bank. Typically, this requires one person to request the wire and a manager to approve the transfer.
• Reward—Refers to how management reinforces the value of following policies. An organization should put in place both disciplinary actions for not following policies and recognition for adhering to policies. This could be as simple as noting the level of compliance to policies in the employee’s annual review.
• Monitoring—It’s not enough to publish well-defined security policies. You have to know they are working. Monitoring can take many forms. Typically, it is a combination of quality assurance and quality control. Quality assurance is about verifying and approving actions before they occur. Quality control is about sampling work that has already been done to ensure that, collectively, actions meet standards. This combination of two types of monitoring can be used to drive enforcement and improve awareness.
Another business concern is handling sensitive information in physical form, such as reports. As noted earlier, many organizations have a clean desk policy. This policy generally requires employees to lock up all documents and digital media at the end of a workday and when not in use. Compliance checks are relatively easy because any report or CD left out overnight is a violation of policy. This protects customer privacy and reminds employees of the sensitivity of company information. It also sets the right image for customers and vendors who may be visiting the office.
Security policies also ensure that contractors and consultants are properly vetted before gaining access to company information. This includes performing background checks. Employees and non-employees alike must follow security policies.
Not all business processes can be standardized. Employees sometimes transfer knowledge by word of mouth, such as how to run some nonstandard transaction. The potential for significant failure in these processes may exist. At a minimum, when a failure occurs, the security policies ensure the process and related data can be restored.
Workstation Domain
Locking your front door but leaving your window wide open is not good security. Let’s assume you have good authentication and you know who is signed onto your network. However, if a workstation is breached, you could have malicious software compromising your network whenever the authorized user connects.
The ramifications of a security breach are more severe for some organizations that are regulated. There is an expectation that leading practices are being applied to prevent such breaches. Security policies help identify those practices and ensure they are applied to protecting the workstation. That includes ensuring that all workstations that access the network are patched and have antivirus software installed. The business may not be aware of many of these basic common controls expected by regulators. The security policies ensure such controls are in place and help ensure regulatory compliance.
Effective security is often a matter of determining some basic security configuration rules and applying them consistently across your enterprise. Applying such security without disrupting the business is a concern. The days of sending a technology person to each desk to configure a workstation for most organizations are long past. Security policies can help establish a reliable automated patch management process. Security policies can specify the type and frequency of patches to apply. The policies often require IT to test patches in a lab setting before applying them to workstations. Changes are made at night so there is a minimal impact on the company’s day-to-day operations.
FYI
A botnet is a collection of computers infected by malware loaded onto them by hackers without the knowledge of the computers’ owners. What distinguishes this type of attack from others is its ability create a vast array of computers that all communicate for a single purpose. For example, a botnet can be used to launch a distributed denial of service (DDoS) attack from millions of points across the globe.
Security policies also reduce the risk of malware by limiting access to workstations. Usually an end user does not have administrative rights on a workstation. This means the end user cannot inadvertently install programs like malware that could launch a botnet attack.
If they cannot breach your company’s network directly, hackers often attempt to breach a workstation and infect it in some manner. The attempt is to either capture information from the workstation or use the workstation as a way to access the protected network. Security policies are good at outlining the rules for protecting workstations. One good example is encrypting laptop hard drives. This has become standard practice in many industries. With the increase in mobile computing, sensitive data leaves networks more easily and more often. As a result, many companies that handle sensitive information encrypt their employee’s laptop hard drives. In that way, if the laptop is lost or stolen, the sensitive data is protected.
Many security policies require the encryption of data whenever the information leaves the protection of the network. This include encrypting data over the Internet, in e-mails, and on mobile devices such as universal serial bus (USB) drives, CDs, personal digital assistants (PDAs), and laptops. Despite these efforts, 2013 was a record year for data losses due to breaches, according to a study published in February 2014. The study noted 2,164 recorded incidents, resulting in 822 million records being exposed. This illustrates the need to have strong policies, monitoring, and enforcement.
Security policies that set encryption standards need to ensure the vendors and contractors follow the same policies that employees are required to follow.
LAN Domain
Many organizations have discovered that granting mobile access to business applications can increase productivity and revenue. A LAN is all about connectivity for the business. The more easily you can be connected to a LAN, the faster you can start accessing and exchanging data. Wireless and mobile computing have changed the way people understand LANs. This new view affects the perception of LAN and Remote Access Domain issues.
Wireless connectivity allows you to view the LAN more broadly than the computer on your desktop. Handled devices allow you to extend your LAN network out of the office and into the business. In other words, you can connect to the network and access or exchange information where the product or service is being made or delivered. Here are a few examples of how using wireless technology can extend the LAN into the business:
• Health care—Health care providers can access real-time patient information or medical research from a patient’s bedside. These devices enhance collaboration for more accurate diagnoses. These devices can also track medical equipment to ensure availability at critical times.
• Manufacturing—Wireless connectivity allows employees to share real-time data on the factory floor.
• Retail—Wireless access to a LAN helps retailers place intelligent cash registers where there is no network wiring. This network access allows retailers to manage inventory, check customers out faster, and print the latest promotion coupons from the register.
Extending the LAN has many advantages over just connecting a standard PC. LANs today can carry voice, video, and traditional computer traffic. Voice over Internet Protocol (VoIP) allows you to place and receive phone calls over a LAN or WAN. This has become popular for both home and business because of the cost savings over traditional telephone systems. Rather than incurring high flat-rate fees and per-minute call charges, most VoIP services charge a low flat-rate fee. New companies continue to enter the market offering less expensive voice and video solutions over the Internet.
NOTE
LANs today often carry physical security information, such as video feeds. With this expanded capability, you can see the growing integration of logical and physical security. For example, employee card access is tightly aligned with an individual’s logical security access. These work together both to control the room one can access and to restrict the computers one can access once one is in the room.
Organizations often view LANs much like utilities such as electricity, water, or gas. The organization expects the LAN to be always available and always have capacity. It’s also thought of as a commodity that should be inexpensive to install and run. This puts tremendous pressures on LAN resources. Bandwidth within the LAN, for example, decreases as new services such as VoIP and video are offered.
NOTE
Bandwidth is a measurement that quantifies how much information can be transmitted over the network. When a LAN reaches its maximum bandwidth, it becomes susceptible to many kinds of transmission errors and delays.
It’s not uncommon to have security policies limit the use of live video, music feeds, and social media sites. They can represent hours of lost employee and contractor productivity. These feeds also take up significant bandwidth. For example, in 2012, Procter & Gamble, with 129,000 employees, used security policies to stop video and music feeds. Many such policies can be enforced at the firewall, cutting off the source of video and music from the Internet.
Even with these business challenges, the benefits of extending a LAN beyond the workstation are enormous and include enhanced productivity, collaboration, and responsiveness.
LAN-to-WAN Domain
A major concern of organizations is protection of the servers in the DMZ. In other words, are the Web site servers protected? Organizations are particularly concerned about Web site availability and integrity. The Web sites for many organizations represent their public image and, for companies, their major saleschannel.
NOTE
An organization’s reputation can be diminished by the appearance of Web graffiti on its Web site. Web graffiti is a result of Web site defacement, in which a Web site is breached and its content altered, usually in a way that embarrasses the Web site owner. Web graffiti can contain abusive language or even pornographic images.
Security policies set strict rules on how DMZ traffic should be limited and monitored. Security policies outline how the DMZ server should be configured and how often security patches should be applied. Security policies also outline how often external penetration testing is conducted. Penetration testing probes the network for weaknesses and vulnerabilities from the outside looking in. Penetration testing is required by many standards and is considered a best practice. For example, if you accept or process credit cards, PCI DSS requires penetration testing.
However, these rules and limitations put onto the DMZ create their own risks. DDoS attacks typically attempt to overwhelm the DMZ capability, resulting in the servers crashing and becoming unavailable. So the more limits put on the traffic, the more you have to test whether the systems can withstand a DDoS attack. It’s not enough just to limit traffic; the policy must also ensure that systems stay available.
WAN Domain
When it comes to WANs, an organization is generally concerned about cost, reliability, and speed. As discussed earlier in the chapter, many organizations use virtual private networking to protect and secure communications over the Internet. With most organizations having already incurred the cost of Internet connectivity, the use of secure communications over the Internet is now seen as a de facto standard.
Cost-wise, a VPN over the Internet is the right choice. The cost is fairly modest. Because most organizations already have Internet connectivity, IT can quickly deploy VPN technology. It could be as easy as installing devices and synching keys to establish a VPN tunnel.
NOTE
With virtual private networking, you “tunnel” through the public Internet to reach a specific site. Typically, two VPN devices establish a site-to-site VPN tunnel. Both devices are usually preconfigured with keys so only these devices communicate with each other. Once the tunnel is established, it can link entire LANs. A remote office, for example, can link to headquarters.
Reliability of a VPN depends on your Internet service provider (ISP). You can experience reliability issues even if your ISP guarantees a level of service while you’re traveling over a public network. Think of the Internet like a road system. You have local roads, main arteries, and superhighways. Some ISPs advertise how many hops away from the Internet backbone they are. The Internet backbone represents the superhighway in our road system and can handle the fastest traffic. In theory, the fewer hops it takes to get to the backbone, the faster your access. A hop is a term meaning generally how many routers you have to pass through to get to your destination. If you have to go through a lot of back roads to get to your destination it takes a lot longer than if you live close a superhighway. The same holds true for the Internet traffic. Many large organizations will connect to multiple ISPs. This will give the redundancy needed in the event a single ISP fails to deliver the needed connection speed.
While speed over the Internet continues to improve, it’s not an unlimited resource. To control usage, many ISPs limit bandwidth. As upper limits are reached, some customers may be transferred to slower network connections. This may be acceptable for a home user. However, for a business this could be devastating. Businesses often require consistent response times for the customer. To achieve that, they pay a premium to the ISP. This premium places the business on a less crowded network connection. This less crowded network connection has excess capacity to ensure the response level does not fall below a prescribed level. This makes predicting reliability less of a challenge.
NOTE
Private WANs are point-to-point solutions that are not publicly shared and thus are usually not encrypted. Service providers of private WANs can guarantee upload and download bandwidth consistency.
Deciding on a public or private WAN solution for your organization depends on your requirements and budget. Small organizations have few options. For large enterprises, both WAN options are available.
Security policies outline how each connection type should be configured and protected. The security policies also outline roles and responsibilities. Keep in mind that the service provider typically configures private WAN security. Therefore, your security policies need to include how to deal with the vendor and how to validate the security configuration. Companies of any size can manage security for Internet-based VPN solutions in-house.
Remote Access Domain
When it comes to remote access, organizations are concerned about flexibility, reliability, and speed. As discussed, extending the LAN into the business where products are produced and services delivered has tremendous benefits. This is also true for extending the LAN anywhere in the world. This is where remote access concerns need to be addressed.
When it comes to flexibility, employees cannot be tethered to their desktops. Laptops have broken that tie, allowing employees to connect to the company network wherever there is an Internet connection. Wireless connections further extend the flexibility of laptops. Today, travelers and mobile employees often use a laptop with a mobile hotspot to access the Internet and work network. A mobile hotspot can be a personal device that acts like a cell phone for a laptop, allowing the end user to obtain a broadband Internet connection. These personal hotspots often support connections for typically four to eight devices. Hotspot can also refer to a fixed Internet access point available to the public. For example, coffee shops often provide hotspot access to the Internet for their customers.
Mobile devices and broadband are becoming very reliable. However, the speed and reliability with which they can access and exchange data depend on location and carrier. Much like cell phone coverage, mobile broadband coverage is spotty at times. However, despite their drawbacks, mobile devices offer many business benefits, including:
• Increased customer responsiveness
• Quick reaction to news and business-related events
• Advantage of real-time data access
Bring Your Own Device (BYOD) is a current trend within many organizations. BYOD refers to allowing employees to bring their own devices to work to access the organization’s data. For example, it could allow employees to access their company e-mail through their personal smartphones. Businesses embrace BYOD to reduce cost and expand connectivity options. Costs are reduced because a company does not have to buy and deploy company-owned mobile devices.
Security depends on your business requirements—how much data you need to send and how fast you need it to arrive. Some good examples are the use of smartphones and iPads and other tablet computers. They are very efficient for gaining access to well-defined applications such as e-mail. However, they do introduce risks and policy questions that must be addressed. Some security policy questions that must be addressed for handheld device use include:
• Who owns the device?
• Who has the right to wipe the device if it’s lost or stolen?
• How do you encrypt data on the device?
• How do you apply patches?
• Who’s allowed to have such a device connected to the company network?
With any emerging technology, well-defined security policies help an organization think through these risk decisions. Security policies ensure risk assessments are performed and leading practices are reviewed. This is vital so the organization can understand not only the benefits of new technology but also the risks.
Security policies should focus, not on specific products, but on broader capability. A smartphone can access e-mail but also has a camera. Rather than addressing smartphones, a well-defined policy deals more broadly with mobile e-mail access and acceptable use of digital recordings. By taking this approach as new technology is introduced, the organization covers the capability in the policy.
An organization has two main concerns when it comes to information collected, stored, and processed: Is the information safe? Can you prevent confidential information from leaving the organization? These seem like fairly easy questions but are complicated to answer.
This chapter has discussed many ways to keep information safe. Security policies ensure risks are evaluated throughout the seven domains. Security policies ensure alignment to business requirements. When risks exist, security policies ensure a risk assessment is performed so that management can make a balanced decision.
In this section, you will focus on the second business concern of how to prevent confidential information from leaving the organization. Security policies define what’s often called either a data loss protection (DLP) or a data leakage protection (DLP) program. Both terms refer to a formal program that reduces the likelihood of accidental or malicious loss of data.
Company managers worry about secret business information ending up in competitors’ hands. Managers must also protect customer privacy as required by law. A hacker does not have to be physically present to steal your business secrets, especially if he or she is a disgruntled employee who might work in a data-sensitive area of the company. Your top salesperson might leave the company to work for a competitor and e-mail your entire sales database to his home Internet account. These are not theoretical losses to a business. You must ensure that all of your potential data leaks, both physical and digital, are plugged.
The concept of DLP comes from the acknowledgment that data changes form and often gets copied, moved, and stored in many places. This sensitive data often leaves the protection of application databases and ends up in e-mails, spreadsheets, and personal workstation files. Business is most concerned about data that lives outside the hardened protection of an application.
A typical DLP program provides several layers of defense to prevent confidential data from leaving the organization, including:
• Inventory
• Perimeter
• Device management
• Governance and compliance
Inventory
The DLP inventory component attempts to identify where sensitive data may be stored. This includes scanning workstations, e-mail folders, and file servers. The process requires actually inspecting the content of files and determining if they contain sensitive information such as Social Security numbers. Once data locations are identified, reports can be created to compare the security of files with security policies. For example, this helps prevent private customer information from accidentally being stored in a public e-mail folder. While this is an important capability, it has its limitations. The ability to understand the sensitivity of a file is very difficult to automate. Either you end up having too many false positives or end up missing the identification of sensitive data.
Perimeter
The DLP perimeter component ensures that data is protected on every endpoint on your network, regardless of the operating system or type of device. It checks data as it moves, including the writing of data to e-mail, CDs, USB devices, instant messaging, and print. If sensitive data is written to an unauthorized device, the technology can either stop and archive the file or send an alternate. It stops data loss initiated by malware and file sharing that can hijack employee information. Through the logging and analysis server, the DLP perimeter monitors real-time events and generates detailed forensics reports.
You can also establish and manage security policies to regulate and restrict how your employees use and transfer sensitive data. It uses the same basic technology that is applied with the inventory component. It has the same limitations. Because you are dealing with data movement, you can add rules not often found in the inventory process, such as not permitting large database files to be e-mailed. Regardless of content, these rules can stop a hacker from sending a large volume of data out the door.
Device Management
In many ways, mobile devices like smartphones and tablets are mobile external hard drives. They carry the same information that can sit on a workstation or server. When an executive receives an e-mail on an upcoming merger, or a doctor gets a message about a patient, the information needs the same protection as if it were on a workstation or server. The information on mobile devices is subject to the same regulatory requirements. This means you must also apply the same level of controls, such as encryption.
The ability to manage these devices from a central service is essential. As new threats are identified, this device management capability is essential to push out patches and ensure controls are working well.
You need a DLP program because loss of confidential data hurts the reputation of a business, discloses competitive secrets, and often violates regulation. Well-defined security policies establish a formal DLP program within an organization.
You learned in this chapter how to break up policies into seven domains. You examined each of the domains to learn why they exist, looked at related business concerns, and learned how to mitigate common risks. You now understand that security policies have to be aligned to the business. Most important, you see how security policies can highlight regulatory and leading practice to guide the business in controlling these risks.
The chapter examined the changing nature of business through technologies such as wireless and handheld devices. You read about the differences between access methods such as RBAC and ABAC. You understand the importance of security policies keeping pace with changing technologies. You also saw what happens when security policies are not effective, as when more than 882 million customer records were exposed in 2013. You should better understand the expanding role of the LAN to establish global connectivity through WANs. You read about techniques, such as VPN, to keep this communication protected and private. Finally, you read about the importance of having a DLP program defined in your security policies. You read about the drivers for DLP, including BYOD programs. DLP programs help organizations reduce the likelihood of data loss.
KEY CONCEPTS AND TERMS
Application software
Attribute based access control (ABAC)
Bring Your Own Device (BYOD)
Data leakage protection (DLP)
Data loss protection (DLP)
Demilitarized zone (DMZ)
Discovery management
Domain
E-mail policy
File Transfer Protocol (FTP)
Firewall
Flat network
Help desk management
Inventory management
LAN Domain
LAN-to-WAN Domain
Log management
Multifactor authentication
Patch management
Privacy policy
Remote Access Domain
Remote authentication
Role based access control (RBAC)
Router
Security management
Segmented network
Sniffer
Structured Query Language (SQL)
Switch
System access policy
System software
System/Application Domain
Two-factor authentication
User Domain
Virtual private network (VPN)
WAN Domain
Web graffiti
Web site defacement
Workstation Domain
1. Private WANs must be encrypted at all times.
A. True
B. False
2. Which of the following attempts to identify where sensitive data is currently stored?
A. Data Leakage Protection Inventory
B. DLP Encryption Key
C. Data Loss Protection Perimeter
D. DLP Trojans
3. Voice over Internet Protocol (VoIP) can be used over which of the following?
A. LAN
B. WAN
C. Both
D. Neither
4. Which of the following is not one of the seven domains of typical IT infrastructure?
A. Remote Access Domain
B. LAN Domain
C. World Area Network Domain
D. System/Application Domain
5. Which of the seven domains refers to the technical infrastructure that connects the organization’s LAN to a WAN and allows end users to surf the Internet?
6. One key difference between RBAC and ABAC is which of the following?
A. ABAC is dynamic and RBAC is static.
B. ABAC is static and RBAC is dynamic.
C. No difference; these are just different terms to mean the same thing.
7. A ________ is a term that refers to a network that limits what and how computers are able to talk to each other.
8. A LAN is efficient for connecting computers within an office or groups of buildings.
A. True
B. False
9. What policy generally requires that employees lock up all documents and digital media at the end of a workday and when not in use?
A. Acceptable use policy
B. Clean desk policy
C. Privacy policy
D. Walk out policy
10. What employees learn in awareness training influences them more than what they see within their department.
A. True
B. False
11. What kind of workstation management refers to knowing what software is installed?
A. Inventory management
B. Patch management
C. Security management
D. Discovery management
12. Always applying the most strict authentication method is the best way to protect the business and ensure achievement of goals.
A. True
B. False
13. Generally, remote authentication provides which of the following?
A. Fewer controls than if you were in the office
B. The same controls than if you were in the office
C. More controls than if you were in the office
D. Less need for controls than in the office
14. Remote access does not have to be encrypted if strong authentication is used.
A. True
B. False
15. Where is a DMZ usually located?
A. Inside the private LAN
B. Within the WAN
C. Between the private LAN and public WAN
D. Within the mail server
16. Dedicated network devices whose only function is to create and manage VPN traffic are called VPN ________.
17. What is a botnet?
A. A piece of software the end user loads onto a device to prevent intrusion
B. A piece of software a company loads onto a device to monitor its employees
C. A piece of software a hacker loads onto a device without user knowledge
D. A piece of software used to communicate between peers
18. The minimum standard in authentication for businesses is the use of ________.