Maintaining the C-I-A Triad in the Microsoft Windows OS World

Every security control deployed should directly address a security policy goal. Each goal in the security policy should support one or more of the C-I-A triad properties—confidentiality, integrity, and availability. As controls are developed and deployed, be sure to protect all three properties for data at multiple layers. Any unaddressed security property leaves your data vulnerable to attack.

Maintaining Confidentiality

Protecting data confidentiality means keeping it safe from unauthorized access. All object access decisions made in Windows depend on the effective user. The effective user is the user account that is running the process requesting object access. Any decision to grant or deny access to an object depends on the discretionary access control list (DACL) that exists for the object and effective user. Ensuring that you know the identity of the user running any process is crucial to protecting integrity and confidentiality. With respect to user identity and authorization, you can use the same types of controls to enforce confidentiality that you used to enforce integrity.

Confidentiality extends the scope of protecting data to ensure that no unauthorized user can view data. Many OSs and applications use encryption as a primary confidentiality control. Encrypting data and then providing decryption keys only to authorized users enforces confidentiality for data either at rest or in transit. TABLE 10-2 lists some controls that help maintain data confidentiality.

TABLE 10-2 Security Controls that Protect Data Confidentiality

Encryption: Encrypting any data scrambles the information in such a way that it is unreadable. Anyone who possesses a valid decryption key can unscramble the data back to its original form. By distributing decryption keys to authorized users only, you can use encryption to enforce data confidentiality. You can employ encryption at different levels, including disk, volume, folder, file, or application-level data object.
Password policies: Documented password policies serve as a basis for user training. Password settings in Group Policy make it easy to enforce password policies across your entire Windows environment.
Object DACLs: Extend the DACLs used to protect integrity to include restrictions on which users are authorized to read or access objects, not just modify them.
AD: AD provides a central repository for security policy settings along with the ability to easily deploy settings to many target locations. AD is an important part of an effective security administration plan.
Physical access controls: If you employ Windows Encrypting File System (EFS), an attacker who can boot the computer from alternate media can cause you to lose data: if the attacker resets a user's password, that user will be unable to decrypt data that was encrypted before the password reset. Physical access controls protect you from this type of attack.
Anti-malware protection: Malware can substantially modify or delete data. Successful attacks can render all or part of your data unavailable for use.
OS and application software updates: Many attacks target known OS and software vulnerabilities. Apply all available software patches to remove as many vulnerabilities as possible.

© Jones & Bartlett Learning.

Maintaining Integrity

Protecting integrity is crucial to maintaining trust in your data’s accuracy. Your main goal is to ensure no unauthorized user can change data. Changing data includes modifying or deleting data. The majority of the controls you’ll deploy to protect integrity focus on user identification, authentication, and authorization. Windows provides you with the tools to positively identify a unique user and determine what that user can do. The three main types of integrity concerns include:

  • User identification—The first step in granting or denying actions is to identify the user attempting an action. Users are identified in Windows through a user account. Organizations using AD can define users. AD uses the same account when accessing different resources, avoiding a logon each time.

  • User authentication—Authentication is proving to Windows that you are who you say you are. The most common type of authentication is providing a password when you log on. You can choose to use other methods with, or instead of, passwords. You can make it harder for attackers to log on using someone else’s user account by requiring a security token, smart card, or even a biometric input. You can use any method that provides assurance that a user is authentic.

  • User authorization—Once you know who a user is, you can determine what that user can do. Windows grants rights to users that dictate what they can do. You can also define DACLs for individual objects to allow or deny users, or groups of users, different types of access to the object. AD and Group Policy Objects (GPOs) make this process manageable across a network of any size.
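The confidentiality section above ties every access decision to the effective user and the object's DACL, and the authorization item here says the same for integrity. The following PowerShell script is an added example (not from the textbook) that makes both points concrete: it reports the identity the process actually runs as, audits a folder's DACL for write rights granted to broad principals, and offers a remediation function that leaves one named group with read-only access. The folder path, the group name and the list of "broad" principals are assumptions chosen for illustration.

```powershell
# Added example, not from the textbook. Assumes Windows PowerShell 5.1 or later on an
# NTFS volume; the folder path and group name below are placeholders.

$Path = 'C:\Shares\Finance'    # placeholder: the folder to audit

# Principals that should not hold write access on data needing integrity protection
# (assumed list; extend it to match your own policy).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that let a principal change or delete data.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-BroadWriteAccess {
    param([string]$FolderPath)
    $acl = Get-Acl -Path $FolderPath
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are restrictions and are skipped.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
        if ($grantsWrite -and ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $FolderPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries come from a parent folder
            }
        }
    }
}

function Protect-FolderForGroup {
    # Replaces broad Allow entries with read-only access for one named group.
    param([string]$FolderPath, [string]$Group)

    # Pass 1: stop inheriting from the parent but keep copies of the inherited entries
    # as explicit ones, and commit, so the copies can be removed in the next pass.
    $acl = Get-Acl -Path $FolderPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $FolderPath -AclObject $acl

    # Pass 2: remove the broad entries and grant the group read-only, inheritable access.
    $acl = Get-Acl -Path $FolderPath
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

# Access checks are made against the token of the running process, not the interactive
# desktop user, so report which identity this audit actually runs as.
$effectiveUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Auditing $Path as effective user $effectiveUser"

$findings = Get-BroadWriteAccess -FolderPath $Path
if ($findings) {
    $findings | Format-Table -AutoSize
    # To remediate, grant read-only access to a specific group instead, for example:
    # Protect-FolderForGroup -FolderPath $Path -Group 'CONTOSO\Finance-Readers'   # placeholder group
} else {
    "No broad write access found on $Path"
}
```

The audit runs read-only; the remediation function is only called when you uncomment the example line. It uses two passes because entries that were inherited from a parent folder cannot be removed from the in-memory ACL until inheritance has been broken and written back with Set-Acl.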

When considering the integrity property of data security, make sure to deploy controls addressing each of the areas of concern in the preceding list. TABLE 10-3 lists some controls that help maintain data integrity.

TABLE 10-3 Security Controls that Protect Data Integrity

Password policies: Documented password policies serve as a basis for user training. Password settings in Group Policy make it easy to enforce password policies across your entire Windows environment.
Object DACLs: Each object DACL defines specific access permissions for users. Since Windows stores DACLs in AD, the settings can be globally administered and deployed (within an AD domain or forest). DACLs protect integrity by restricting permissions to write or modify object data to authorized users.
Active Directory (AD): Active Directory provides a central repository for security policy settings along with the ability to easily deploy settings to many target locations. AD is an important part of an effective security administration plan.
Physical access controls: Persistent attackers can defeat the best access controls. One tactic is to boot a computer from alternate boot media and load a different operating system. The attacker can then use tools to directly access files and folders without going through Windows and its controls. Since an attacker needs to physically access a computer to insert alternate boot media, physical access controls can limit an attacker’s ability to carry out such attacks.
Message/file authentication: You can use a message digest to detect unauthorized modifications to messages or files. A message digest is a shortened unique string of digits that represents a file or message. You can use one of several popular hashing algorithms to create a message digest. The recipient uses the same hashing algorithm to create a message digest of the received message. If the two digests are identical, the message has not been modified.
Anti-malware protection: Malware can substantially modify or delete data. Successful attacks can render all or part of your data unavailable for use.
Operating system and application software updates: Many attacks target known operating system and software vulnerabilities. Apply all available software patches to remove as many vulnerabilities as possible.

© Jones & Bartlett Learning.
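The message/file authentication row of Table 10-3 describes comparing a stored digest with a freshly computed one. The PowerShell script below is an added example (not from the textbook) that does exactly that with Get-FileHash and SHA-256: it records a digest baseline for a folder, then re-hashes every file and reports which ones are unchanged, modified, or missing. The demonstration files, their contents and the temporary folder are constructed for the example.

```powershell
# Added example, not from the textbook. Uses Get-FileHash (Windows PowerShell 5.1 or later).

function New-DigestBaseline {
    # Hash every file under the folder and store path + digest in a CSV baseline.
    param([string]$FolderPath, [string]$BaselineFile)
    Get-ChildItem -Path $FolderPath -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path $BaselineFile -NoTypeInformation
}

function Test-DigestBaseline {
    # Recompute each digest and compare it with the stored one, as the recipient of a
    # message would. A differing digest means the file was modified after the baseline.
    param([string]$BaselineFile)
    foreach ($entry in Import-Csv -Path $BaselineFile) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            $status = 'Missing'
        } else {
            $current = (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash
            $status = if ($current -eq $entry.Hash) { 'Unchanged' } else { 'Modified' }
        }
        [pscustomobject]@{ Path = $entry.Path; Status = $status }
    }
}

# Demonstration on constructed files in a temporary folder. The baseline is kept outside
# the folder so it is not hashed along with the data.
$work     = Join-Path $env:TEMP 'digest-demo'
$baseline = Join-Path $env:TEMP 'digest-demo-baseline.csv'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path (Join-Path $work 'report.txt') -Value 'Quarterly figures: 100'
Set-Content -Path (Join-Path $work 'notes.txt')  -Value 'Meeting notes'

New-DigestBaseline -FolderPath $work -BaselineFile $baseline

# Simulate an unauthorized change to one file, then verify against the baseline:
# report.txt is reported as Modified and notes.txt as Unchanged.
Add-Content -Path (Join-Path $work 'report.txt') -Value 'Quarterly figures: 900'
Test-DigestBaseline -BaselineFile $baseline | Format-Table -AutoSize
```

In practice the baseline file itself needs integrity protection (a restrictive DACL, or storage on a separate system), since an attacker who can rewrite both the data and its recorded digest defeats the check.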

Maintaining Availability

Availability can often be the trickiest of the three security properties to protect. To establish the best controls, you must first uncover the issues that could interrupt access, including the ones you have not foreseen. Ensuring data availability requires controls that address both daily operation and unusual situations. Four main types of concerns affect data availability. All four types of issues must be addressed to ensure that data are available when they are needed. The four main types of availability concerns are as follows:

  • Attacks—Denial of service (DoS) and distributed denial of service (DDoS) attacks specifically target your network’s ability to access data. If the network or server is too busy to service authorized users’ requests, your data are not available. Other types of attacks move, modify, or destroy data and can affect availability.

  • Performance—All computing environments tend to suffer performance loss over time. Increased resource load, fragmented disks, out-of-date configuration settings, and malware are examples of why computers get slower. Monitor system and network performance and fix any performance problems. This ensures that your environment does not become slow. Slow environments limit access to data that users need to do their jobs.

  • Interruptions or disasters—Short-duration interruptions, such as a power outage or a network service interruption, can prevent your users from accessing data. Disasters, such as fires or floods, can cause data loss and interruptions lasting longer than minutes or hours. You need to plan for both types of availability problems.

  • Other security controls—Controls protecting data integrity or confidentiality can violate availability. For example, you can choose to disable access to your database for all users outside your organization’s local area network (LAN). This control can help protect the data’s integrity and confidentiality. However, it makes your data unavailable to users in remote locations. Always search for controls that balance all three security properties. The best way to uncover the side effects of controls is to check each one thoroughly in a test environment. Ensure that new or changed controls allow users to do their jobs.

When you consider the availability property of data security, be sure to deploy controls that address each of the four areas of concern in the preceding list. The goal is to ensure your data are always available to authorized users when needed, and never available to unauthorized users. TABLE 10-4 lists some controls that help maintain data availability.

TABLE 10-4 Security Controls that Protect Data Availability

Firewall, intrusion detection system (IDS), intrusion prevention system (IPS): A firewall can block traffic that matches specific rules. In many cases, firewall rules are based on IP address and port numbers. An IDS can analyze traffic and detect a potential intrusion based on traffic patterns. An IPS can not only detect an intrusion but also change firewall rules in real time to prevent further damage from an attack.
System and network performance monitors: Windows workstation and server versions include the Windows Performance Monitor (PerfMon) toolset. PerfMon provides a rich collection of monitors, alerts, logging options, and reports to create baselines and real-time samples of your Windows systems’ performance. Several third-party vendors also provide tools to make it easy to monitor network traffic and recognize problems.
Backup and recovery plan: Use the Windows backup utilities to create frequent backups and know how they fit into your complete business continuity plan (BCP) and disaster recovery plan (DRP).
Security control testing: Test all new controls and changes to existing controls before deploying them to a live environment. More restrictive controls may limit availability as they increase integrity and confidentiality protection. Virtual machines are useful when testing any configuration and software changes.
Anti-malware protection: Malware can substantially modify or delete data. Successful attacks can render all or part of your data unavailable for use. Controlling this type of threat overlaps with protecting data integrity.

© Jones & Bartlett Learning.
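The performance-monitor row of Table 10-4 describes comparing real-time samples with a baseline. The PowerShell script below is an added example (not from the textbook) that reads the same PerfMon counters through Get-Counter, averages a few samples of each, and flags any counter that has drifted past a baseline limit. The three counters and their limits are assumptions chosen for illustration; real limits would come from baselines recorded with PerfMon during normal operation.

```powershell
# Added example, not from the textbook. Requires Windows; Get-Counter reads the same
# counters PerfMon displays. Counter names and limits below are constructed examples.

$Checks = @(
    @{ Counter = '\Processor(_Total)\% Processor Time';          Max = 85 }
    @{ Counter = '\Memory\Available MBytes';                     Min = 512 }
    @{ Counter = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Max = 2 }
)

function Test-PerformanceBaseline {
    param(
        [hashtable[]]$Checks,
        [int]$Samples = 3,           # average several samples so a momentary spike
        [int]$IntervalSeconds = 2    # does not raise a false alert
    )
    foreach ($check in $Checks) {
        $sets   = Get-Counter -Counter $check.Counter -SampleInterval $IntervalSeconds -MaxSamples $Samples
        $values = $sets | ForEach-Object { $_.CounterSamples[0].CookedValue }
        $avg    = ($values | Measure-Object -Average).Average

        $status = 'OK'
        if ($check.ContainsKey('Max') -and $avg -gt $check.Max) { $status = 'Above baseline' }
        if ($check.ContainsKey('Min') -and $avg -lt $check.Min) { $status = 'Below baseline' }
        if ($check.ContainsKey('Max')) { $limit = "max $($check.Max)" } else { $limit = "min $($check.Min)" }

        [pscustomobject]@{
            Counter = $check.Counter
            Average = [math]::Round($avg, 2)
            Limit   = $limit
            Status  = $status
        }
    }
}

# Run the checks once; schedule the script to run periodically and alert on any row
# whose Status is not 'OK' to catch the gradual slowdown the text describes.
Test-PerformanceBaseline -Checks $Checks | Format-Table -AutoSize
```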

Consider the controls you’ll need to ensure authorized users can access data, regardless of any other influences. Other controls, interruptions, disasters, and attacks can reduce users’ ability to access data. Your job is to ensure the data are available.
