
The Shortcut Guide To


Business Security Measures Using SSL


Dan Sullivan

Introduction to Realtime Publishers
by Don Jones, Series Editor

For several years now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format at no cost to you, the reader. We've made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book's production expenses for the benefit of our readers.

Although we've always offered our publications to you for free, don't think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as, and in most cases better than, any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the "realtime" aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We're an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I'm proud that we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you've received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you're sure to find something that's of interest to you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your educational needs far into the future.

Until then, enjoy.

Don Jones

Introduction to Realtime Publishers
Chapter 1: Security Threats to IT Operations in the Age of Cybercrime
    Evolving Information Security Threats
        Minimal Threats: Experimenters and Dabblers
        Something Old, Something New: Cybercrime Puts a New Twist on Old Crimes
        Cybercrime as a Global Industry
            Malware Developers
            Bot Herders
            Spammers and Phishers
            Hackers and Data Thieves
            Brokers and Exchanges
        Increasing Numbers and Sophistication of Attacks
        Case Study in Credit Card Theft
        Doing Business in the Age of Cybercrime
    Business Resources Targeted by Cybercrime
        Targeted Information Assets
            Identity Information
            Credit Card and Bank Account Data
            Proprietary Information and Intellectual Property
        Targeted Computing Assets
    Poor Security's Impact on Business
        Damage in Plain Sight
        Hidden Costs of Poor Security
    Summary
Chapter 2: Common Vulnerabilities in Business IT Systems
    Technical Weaknesses
        Unencrypted Communications
            Man-in-the-Middle Attack
            Replay Attack
        Insufficiently Patched OSs and Applications
        Insufficient Use of Antivirus and Personal Firewalls
        Weak Boundary Security
        Poor Application Security
    Organizational Weaknesses
        End User Training and Security Awareness
            End User Training Myths
        Lax Security with Mobile Devices
        Inappropriate Use of Business Computers and Network Services
    Options for Addressing These Threats
    Summary
Chapter 3: Developing a High-Impact Security Management Strategy
    Review of Business Processes and Workflows
        Data in Motion: Identifying Unencrypted Communications
            Movement Within Secured Network Segments
            Movement Across Enterprise Networks
            Movement Outside of the Enterprise Network
        Data at Rest: Identify Servers Hosting Critical Applications
        Access to Information: Managing Identities and Authorizations
    Review of Technical Infrastructure
        Network Security Measures
            Perimeter Device Configuration
            Network Monitoring
            Reporting and Alert Systems
        Server and Workstation Security Measures
            Hardening OSs
            Patching
        Application Security Measures
            Access Controls
            Security Testing
            Hardening Application Components
    Security Policies and Governing Procedures
    Summary
Chapter 4: Best Practices for Implementing a Business-Centric Security Management Strategy
    Protecting Critical Servers
        What Constitutes a Critical Server?
        Using Encrypted Communications
        Hardening Server OSs
        Locking Down Databases
    Protect Mobile Devices and Communications
        Encrypt Communications with Mobile Devices
        Authenticate Mobile Devices with Digital Certificates
        Maintain OS Patches
        Keep Antivirus Up to Date
        Use Encryption on Mobile Devices
    Network Defenses
        Deploying and Configuring Network Perimeter Devices
            Firewalls
            IPSs
            Network Access Controls
        Filtering Content on the Network
        Monitoring and Auditing Network Activity
    Security Awareness
        Security Awareness Topics
        Effective Security Awareness Training
    Checklist of Practices and Technologies


Copyright Statement
© 2009 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the "Materials") and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.
If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com.

This sponsored eBook is valid until June 30, 2011.

© 2009 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, and other VeriSign trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

Chapter 1: Security Threats to IT Operations in the Age of Cybercrime
Over the past decade, businesses have had to adapt to an array of technical changes, including an increasingly hostile cyber environment. We saw the early precursors of cybercrime decades ago when computer use was limited to a relatively small group of specialists and electronics enthusiasts. Innovative programmers, some still in high school, would find ways to display annoying messages on their friends' computers and from there spread to other devices via shared floppy disks. This kind of part practical joke, part vandalism form of malware has been overshadowed by the more serious, technically complex, and financially lucrative form of today's cybercrime.

In this guide, we will examine major types of threats to information security that businesses face today as well as techniques for mitigating those threats. One of the most important tools available to us is SSL technology.

Note
This is actually something of a misnomer. Secure Socket Layer (SSL) protocols have largely been replaced with Transport Layer Security (TLS) protocols, but by convention we continue to use the term SSL.

With SSL technology, we enable secure communication, identity verification, and ultimately trust between businesses. SSL technology does not exist in a vacuum, though. Information security is a multifaceted challenge that requires coordination of a variety of security measures, so this guide will examine the business and technical practices that weaken security as well as best practices for improving information security. This guide is organized into four chapters:

• Chapter 1 describes the evolving nature of security threats, including the development of an underground economy for cybercrimes. It also covers the business resources targeted by criminals and the impact of poor security on business operations and innovation.
• Chapter 2 examines common vulnerabilities in IT systems and business practices that undermine information security.

• Chapter 3 focuses on developing and maintaining a high-impact security strategy. In this chapter, the emphasis is on reviewing business practices and workflows, assessing technical infrastructure, and refining security policies and procedures.
• Chapter 4 concludes this guide with a discussion of practices for implementing a business-centric security management strategy. Topics range from protecting infrastructure to securing desktops and other endpoint devices. Special attention is paid to end user security awareness training. A checklist of practices and technologies is included to help you begin implementing the measures important to your environment.

Taking the adage "know thy enemy" to heart, we start with a look at the nature of cybercrime.

Evolving Information Security Threats
Before delving into the details of today's cybercrime environment, let's dispel any last semblance of malware, hacking, and related activities as simply mischievous pranks or technical vandalism. Those days are gone.

Minimal Threats: Experimenters and Dabblers
Of course, there are curious, ingenious programmers experimenting with operating systems (OSs), browsers, and application software, trying to break them or use them for unintended purposes. There are also less ingenious, less skilled dabblers, known as "script kiddies," who use tools provided by their more technically advanced colleagues. The former group is not a significant threat as long as their work is not let loose into the wild; the latter are not much of a threat because much of their computer-generated malware is easily detected and contained by today's antivirus systems. More significant threats come from attackers with a different set of motives.

Something Old, Something New: Cybercrime Puts a New Twist on Old Crimes
Cybercrime is a blanket term that covers a broad range of crimes and malicious activities that can adversely impact a business's operations and even long-term viability. Forms of cybercrime include:

• Fraud, which can occur, for example, because of mistaken identity, poor access controls that allow unauthorized users to tamper with data, or misappropriating software tools to hide unauthorized transactions.
• Identity theft, which is facilitated by poor identity management, insufficient access controls, unencrypted communications, or other sloppy data protection measures.

• Embezzlement is a classic insider threat; computer technology can help enable as well as prevent this crime. Proper authentication, such as with digital signatures implemented with SSL technologies, can help mitigate this threat through non-repudiation.
• Extortion with a high-tech twist can come in the form of Denial of Service (DoS) attacks that effectively render network devices inaccessible because of an overload of malicious traffic. Many businesses in Estonia were affected by the widespread DoS attack on that country in 2007. In that case, the attack was prompted by political tensions between Estonia and Russia rather than immediate financial gain.
• Intellectual property theft is not a new problem, but like other forms of crime, it can take on new dimensions when business systems are interconnected. Take, for example, the case of a former Intel employee charged with stealing more than $1 billion in trade secrets from the company (Source: Press Release, U.S. Department of Justice, "Former Intel Employee Indicted for Stealing More than $1 Billion of Trade Secrets," available at http://www.cybercrime.gov/paniIndict.pdf). The man had received a job offer from competitor AMD and he spent the last several days at Intel downloading confidential and proprietary information, including 13 documents designated as top secret by the company's data classification standard.

Information technology (IT) has radically changed the way criminals can commit crimes, and this exposes businesses to new types of threats. Of course, employees could steal trade secrets in the past by stuffing copies of documents in their briefcases. It is difficult to imagine one man stealing $1 billion worth of secrets using only a copier and a briefcase.

One thing to keep in mind about cybercrime is that the same IT that makes businesses more efficient and able to do more with less is the same technology that allows cybercriminals to do the same. IT professionals, fortunately, have the tools and practices to mitigate these risks. The purpose of this guide is to provide some guidance on which tools, such as SSL certificates, and practices, such as identity management, are appropriate for specific circumstances. Another thing to keep in mind about cybercrime is that the patterns of organization that have helped businesses, industries, and even global markets grow and succeed are now used to extend the reach and impact of cybercrime.

Cybercrime as a Global Industry
Several things that have made modern markets so successful, such as division of labor, specialization, brokers, and exchanges that bring buyers and sellers together, are emerging in the world of cybercrime as well. In 2006, Assistant Director Brian Nagel of the U.S. Secret Service's Office of Investigations observed:

"Cybercrime has evolved significantly over the last two years, from dumpster diving and credit card skimming to full-fledged online bazaars full of stolen personal and financial information" (Source: Press Release, U.S. Secret Service, "United States Secret Service's Operation Rolling Stone Nets Multiple Arrests," March 28, 2006, available at http://www.secretservice.gov/press/pub0906.pdf).

More recently, Kilian Strauss, of the Organisation for Security and Cooperation in Europe (OSCE), observed how difficult it is to keep up with the pace of innovation in cybercrime: "These criminals, they outsmart us ten, or a hundred to one" (Source: Sarah Marsh, "Cybercrime Could Be as Bad as the Credit Crisis," Reuters, November 29, 2008, available at http://www.itpro.co.uk/608466/cybercrimecouldbeasbadasthecreditcrisis).

Cybercrime is now functioning like an industry. Like other industries, this one is profit driven, so patterns that work for businesses, such as outsourcing specialized services, forming markets to exchange goods and services, and countering competitive threats, will be found in cybercrime. As a first step to understanding this industry, we need to understand the specialists that constitute the major actors, such as:

• Malware developers
• Bot herders
• Spammers and phishers
• Hackers and data thieves
• Brokers

Each of these actors plays a critical role in current-day cybercrime. Without any one of them, the nature of today's cybercrime would be significantly altered.

Figure 1.1: Cybercrime has evolved to support a complex mix of different skills and services, much like legitimate businesses.

Malware Developers
Malware developers are the innovators that produce the new tools for the cybercrime industry. These software creators are the source of viruses, worms, Trojan horses, bots, rootkits, and other exploits. Given the financial motivation of cybercriminals, the malware that is in greatest demand is that which can lead to financial gain, including the ability to steal:

• Credit card data sufficient to successfully commit fraud
• Personal information that would allow someone to steal another person's identity
• Intellectual property, such as trade secrets, that can provide a competitive advantage to the ultimate recipient of the stolen goods
• Authentication credentials, such as usernames and passwords, that would allow an attacker to gain access to those kinds of data listed previously
• Computing and network resources that allow others to generate spam or launch DoS attacks at low or no cost

There is a specialization of labor in cybercrime, so it is not surprising that malware developers are not necessarily using their own software. That is left to others, such as bot herders and spammers.

Bot Herders
A bot, aka a zombie, is a computer under the control of someone other than its legitimate user. Put a group of bots together and you have a botnet.

Figure 1.2: A botnet is a collection of compromised computers controlled by a bot herder. The most resilient botnets do not depend on a single server for their command and control structure; rather, they use more distributed communications methods and employ recovery techniques to work with different bots should other bots they had been working with become unavailable.

From a purely disinterested point of view, botnets are highly useful distributed systems. They provide on-demand computing and networking services to the people that control them. They can generate phishing lures and send those lures to millions of email recipients or launch DoS attacks to disrupt business or government operations. The legitimate business world has an analog of botnets in the form of cloud computing.

Cloud services provide (legitimately) on-demand computing resources, storage, and networking for specialized projects or ongoing business operations. Amazon's S3 storage service and EC2 computing services are probably the best known examples of cloud services. The reason botnets are popular in cybercrime is the same reason cloud computing is of growing interest to business: little or no capital investment is required, the ongoing operational costs are minimized, and you can scale rapidly to meet peak demand without having to maintain peak capacity during less demanding periods.

The resiliency of botnets became clear recently. In a well-publicized counterattack against spammers in November 2008, the Internet service provider (ISP) that had been hosting command and control servers for the 450,000-bot Srizbi botnet cut off service to the bot herder. For several days, there was guarded hope that this might put a dent in the amount of spam generated, but that hope was short lived. The botnet developers had planned for such a contingency and the bots were able to reestablish communication with new command and control servers.

Spam is not the only potential way to make money with botnets; launching DoS attacks is another revenue stream. In one case, a Michigan businessman was sentenced to 30 months in prison for conspiring with a bot herder to disrupt competitors' business by launching DoS attacks against their Web sites and online sales servers (Source: U.S. Department of Justice Press Release, "Michigan Man Gets 30 Months for Conspiracy to Order Destructive Computer Attacks on Business Competitors," August 25, 2006, available at http://www.cybercrime.gov/araboSent.htm). Other businesses using the same ISP hosting the victim were also adversely affected. These included a major online retailer, banks, and a communications and data services company.
How big is the botnet problem? In 2007, 10% of online computers were infected by malware, and by the end of 2008 that number is expected to have grown to 15%, according to researchers at the Georgia Tech Information Security Center (Source: David Stevenson, "Profit from the Fight Against Cyber Crime," MoneyWeek, December 19, 2008, available at http://www.moneyweek.com/investmentadvice/profitfromthefightagainstcybercrime14304.aspx).

Spammers and Phishers
Although most of us will not have much direct contact with malware developers and bot herders, we are all too familiar with the products of spammers and phishers. If we can say anything positive about these purveyors of unwanted and unsolicited email, it is that they are persistent, they are efficient, and they are effective.

The constant deluge of junk email we get in our email and content filtering systems is a testament to spammers' persistence. The problem shows no signs of abating and, given the resiliency of botnets like Srizbi and the expected increase in the size of botnets, it is prudent to assume that spamming and phishing are with us for the long term.

We can deduce the efficiency and effectiveness of spammers by the fact that they choose to continue to operate. The low cost of spamming means that minutely small response rates can still yield a profitable business model. In the case of phishing, we can deduce that the extra time and effort to create smaller targeted attacks, known as spear phishing, pay off as well.

Hackers and Data Thieves
Some attacks are launched at a broad pool of potential victims; the attackers are trolling with wide nets to catch as much as possible. Other attacks are more targeted and seek to victimize a single business. Some examples of this include:

• The largest breach to date occurred at TJX Companies, which operates T.J. Maxx and Marshalls stores in the US as well as T.K. Maxx stores in the U.K. and Ireland. The cost was more than $100 million to the company itself, with other costs to banks who had to reissue credit cards.
• The supermarket chain Hannaford Bros. Co. suffered a data breach from December 2007 to March 2008 when attackers were able to capture data in transit.
• In 2008, extortionists tried to compel Express Scripts, a pharmacy benefits management company, to pay or else risk having personal information about millions of customers exposed. In a noteworthy twist, the company refused to pay and instead offered a $1 million reward for information leading to the arrest and conviction of the perpetrator(s).

Hackers and data thieves can use many different techniques to compromise corporate computers. Vulnerability scanners can probe networks and devices on networks looking for unpatched software that can be exploited to gain elevated privileges or access otherwise restricted data. Information sent over wireless networks that is not encrypted may be picked up by eavesdroppers. Poorly designed Web applications may expose databases to SQL injection attacks that can leak private and confidential data. Weak passwords and default passwords can leave servers and network devices vulnerable to dictionary attacks. With so much valuable data within business systems and so many ways to launch targeted attacks, it is not surprising that criminals have taken to this opportunity.
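The "poorly designed Web application" weakness named above, as an added example that is not from the guide: a customer lookup that splices user input into its SQL text hands the whole customer table to a crafted value, while the same lookup written with a bound parameter treats that value as plain data. The table, its rows, and the `lookup_*` and `compare` functions are constructed for this illustration.

```python
import sqlite3

# Constructed sample data: a small customer table such as a Web front end
# might query by customer number. All values are made up for this example.
CUSTOMERS = [
    ("C1001", "Alice Example", "4111********1111"),
    ("C1002", "Bob Example", "5500********0004"),
    ("C1003", "Carol Example", "3400********0009"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (cust_id TEXT, name TEXT, card_masked TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, cust_id):
    """Builds the query by string formatting, so the caller's input becomes
    part of the SQL syntax. This is the pattern the chapter warns about and
    is shown only to contrast with the hardened version below."""
    query = (
        "SELECT cust_id, name, card_masked FROM customers "
        "WHERE cust_id = '%s'" % cust_id
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Passes the input as a bound parameter. The driver sends the value
    separately from the SQL text, so quotes or keywords inside the input can
    never change the structure of the query."""
    query = "SELECT cust_id, name, card_masked FROM customers WHERE cust_id = ?"
    return conn.execute(query, (cust_id,)).fetchall()


def compare(cust_id):
    """Run both lookups on the same input; return (vulnerable, hardened) row counts."""
    conn = make_db()
    try:
        return (
            len(lookup_vulnerable(conn, cust_id)),
            len(lookup_parameterized(conn, cust_id)),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate lookup behaves identically either way: one row each.
    print(compare("C1002"))
    # A tautology smuggled in through the id field: the spliced query now
    # reads WHERE cust_id = 'x' OR '1'='1' and returns every customer, while
    # the parameterized query returns nothing because no cust_id equals the
    # literal string. Rejecting unexpected characters in cust_id at the
    # application boundary is a useful second layer, but binding is the fix.
    print(compare("x' OR '1'='1"))
```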

Brokers and Exchanges
Markets depend on buyers and sellers being able to efficiently find each other. Brokers facilitate this process in many markets, and cybercrime is once again following tried and true patterns of business. Cybercriminals who have managed to steal valuable data can sell it through collaborative systems such as underground forums.

Figure 1.3: Attackers can exploit multiple types of vulnerabilities on desktops, servers, databases, applications, and networks to steal private and confidential business data.

Increasing Numbers and Sophistication of Attacks
Some security researchers monitor communication channels as well as other indicators of overall cybercrime activity, and have observed patterns that indicate an upturn in cybercrime activity. For example:

• In one study spanning a one-year period, 69,130 advertisers sought to sell stolen information in underground forums; the top 10 sellers offered $16.3 million in credit card data and $2 million in bank account data (Source: Symantec Press Release, "New Symantec Report Reveals Booming Underground Economy," November 24, 2008, available at http://www.symantec.com/about/news/release/article.jsp?prid=20081123_01).
• One security service provider observed a 30% increase in network- and Web-based security events over a 4-month period among their clients; the number of events rose from 1.8 billion to 2.5 billion events per day (Source: IBM Press Release, "Citing a Surge in Online Cybercrime, IBM Bolsters Security Service," December 4, 2008, available at http://www03.ibm.com/press/us/en/pressrelease/26232.wss).
• The price of stolen information is dropping. Credit card numbers now sell for $2 to $3, and full victim profiles, with credit card number, mother's maiden name, Social Security number, and so on, are selling for $10 (Source: Taylor Buley, "Crime Still Pays for Identity Thieves, Just a Little Less than It Once Did," Forbes, October 27, 2008, available at http://www.forbes.com/security/2008/10/25/creditcardthefttechsecuritycz_tb1024theft.html).

Clearly, cybercriminals are adapting to new opportunities presented by the changing economic landscape. There are likely multiple reasons for the increase, on both the supply and the demand side. The global downturn leaves fewer legitimate opportunities for computer professionals, some of whom may be turning to cybercrime. Victims looking to make up for lost income can be easy prey for phishers and other scammers. Along with the increase in volume of attacks, there is an increase in sophistication of attacks.

Case Study in Credit Card Theft
From late 2007 to early 2008, a major supermarket chain was subject to a sophisticated data breach that netted more than 4 million credit and debit card numbers for the attackers. 300 stores in the Hannaford Bros. chain had servers infected with malware that intercepted credit card data and sent it to servers outside the country. Unlike other well-publicized data breaches, Hannaford Bros. was not storing more data than allowed under industry rules, and the company was in compliance with Payment Card Industry (PCI) standards.

The problem was that data was captured as it was transmitted from the point of sale device to the transaction processing service. This example shows that even when in compliance with industry standards, data breaches can still occur. Even when data is transmitted on trusted networks, encrypting data in transit using SSL technologies can mitigate the risk of this type of attack.

Doing Business in the Age of Cybercrime

Cybercrime is evolving and becoming more dangerous. It is useful to think of cybercrime as an industry with the same division of labor, service provider models, and drive for efficiency and revenue growth seen in legitimate businesses. We also need to keep in mind that compliance with regulations is a minimal set of requirements for securing business information. Malware developers, bot herders, spammers, phishers, and other attackers have demonstrated that they can and will develop new techniques to bypass security countermeasures.

Now that we have highlighted some of the structural characteristics of the cybercrime industry, let's turn our attention to the business targets of their attacks.

Business Resources Targeted by Cybercrime

Businesses have primarily two assets of value to cybercriminals: information and computing resources. Both are actively sought after in the cybercrime underground economy.

Targeted Information Assets

Information is in many ways an ideal target for criminals. It is intangible, so you do not need to be in physical proximity of the information to steal it. There are many ways to hide your identity and eliminate traces of malicious activity. Perhaps best of all, large amounts of valuable information tend to be stored in centralized repositories, such as databases, or are transmitted across common paths, such as from a point-of-sale system to a transaction processing server. In such cases, it takes only marginally more effort to steal thousands or even millions of credit cards than it does to steal one or two.

Three types of information of value to cybercriminals are:

- Identity information
- Credit card and financial account data
- Proprietary information and intellectual property

Identity Information

Identity information is the key to successfully committing identity theft. The object of identity theft is to commit fraud using the credit profile of the victim. Identity theft victims may find fraudulent bank withdrawals, new accounts opened in their names, and even bankruptcy filed in their names. Specialized forms of identity theft can wreak even more havoc on victims. Medical identity theft, for example, occurs when someone uses another person's identity to receive payment for medical treatment or provide medical goods. In addition to the usual credit problems that follow from identity theft, these victims may have to correct inaccurate medical records. The ripple effects of identity theft can include complications with taxpayer records that need to be resolved with the Internal Revenue Service (IRS).


Credit Card and Bank Account Data

Credit card and bank account fraud is big business. One study found that almost one-third of all advertisements in a cybercrime forum were for credit card data. In 2008, the FBI and other international law enforcement agencies shut down one forum, known as Dark Market, that had at its peak 2500 registered members (Source: FBI Press Release, "FBI Coordinates Global Effort to Nab Dark Market Cyber Criminals," October 16, 2008, available at http://www.fbi.gov/pressrel/pressrel08/darkmarket101608.htm). The forum was notorious as a market for credit card data, login credentials, and even some equipment used in financial crimes. Breaking up that one forum resulted in 56 arrests and prevented $70 million in losses due to fraud.

Identity theft and credit card fraud are well-publicized aspects of cybercrime, so much so that one might think cybercrime is primarily a problem for banks, retailers, and others with high volumes of consumer financial transactions. That is certainly not the case.

Proprietary Information and Intellectual Property

Trade secrets and other intellectual property are not the commodity products of cybercrime the way credit card and bank account data are, but they can still be a highly valued target. Consider some examples of cybercrime involving proprietary information:

- A former Netgear engineer was indicted for theft, misappropriation, and unauthorized downloading of trade secrets. It is alleged that the engineer used access to a semiconductor supplier's technical documentation to download trade secret information about the supplier's switches and transceiver products. He then took those documents with him when he went to work for one of the supplier's competitors (Source: U.S. Department of Justice Press Release, "Silicon Valley Engineer Indicted for Stealing Trade Secrets and Computer Fraud," December 22, 2005, available at http://www.cybercrime.gov/zhangIndict.htm).
- Two former employees of NetLogics Microsystems stole chip design trade secrets from their then employer as well as other companies and then started their own company in the hopes of obtaining venture capital funding for their efforts (Source: U.S. Department of Justice Press Release, "Two Bay Area Men Indicted on Charges of Economic Espionage," Sept. 26, 2007).
- Three chemical company executives were indicted for conspiring with an employee of another chemical company to steal trade secrets. The indictment alleges one of the conspirators would download trade secret data to an external storage device prior to meetings. The conspiracy appears to have continued for more than 6 years (Source: U.S. Department of Justice Press Release, "Trade Secret Charges Filed Against Company Executives and South Korean Nationals," November 12, 2008, available at http://www.cybercrime.gov/shinIndict.pdf).

Cybercrime provides the means to avoid the high cost of research and development in intellectual-capital-intense industries. It is not surprising that even within legitimate businesses, there are those that will turn to cybercrime or use IT systems in the course of their intellectual property theft.


Targeted Computing Assets

When you consider the cost businesses incur to purchase and maintain IT infrastructure, it becomes clear why cybercriminals would have an interest in stealing computing assets. Just as in legitimate businesses, cybercrime operators need to be able to ensure:

- They have adequate computing, storage, and network resources to meet demands
- Failover and disaster recovery procedures are in place
- Costs are minimized without adversely affecting performance

Ironically, malware operators and attackers do not have to build or pay for the infrastructure they gain control of.

Botnet malware and bot herders are integral parts of acquiring and maintaining a cybercrime infrastructure. As noted earlier, botnets are designed to avoid single points of failure and to gracefully degrade and ultimately recover in response to isolated failures. The more sophisticated botnets also use blended threats to detect bots in competitors' botnets, disable the alternate bot software, and add the bot to their own botnet. The benefit of well-designed bot software is a virtually free IT infrastructure; there are none of the typical support costs, including power, hardware maintenance, service support, rent, software licensing, and so on.

As a baseline for the value of botnets, we can look to a legitimate provider of on-demand computing and storage: Amazon. The Amazon Simple Storage Service (S3) and Elastic Compute Cloud (EC2) provide customers with long-term storage and computing services for costs often below the charges small organizations, such as business IT departments, can offer. Nonetheless, there are costs.

Businesses are attractive targets for cybercriminals. They have valuable commodity data, such as credit card and bank account information, identity information sufficient to enable identity theft, as well as proprietary information that may be of value to less scrupulous competitors. Businesses also have well-managed computing infrastructures with the computing, storage, and networking services needed in the cybercrime economy. The business consequences of cybercrime include the immediate effects of data breaches and related attacks as well as subtler and sometimes underappreciated impacts on business.

Poor Security's Impact on Business

Headlines about security breaches and data losses at major retailers, banks, and government agencies certainly do get attention, especially when costs are mentioned. The full cost of poor security is not captured even in these attention-grabbing incidents. They are more like the proverbial tip of the iceberg than a reflection of the full impact of weak security measures. To understand the full extent of cybercrime's adverse impact on business, we should consider the obvious as well as the less obvious consequences.


Damage in Plain Sight

The cost of poor security is apparent after a security breach. Consider a fictional but representative example. Suppose a disgruntled employee has decided that he has been underpaid and mistreated by his employer. To compensate himself, he decides to capture customer credit card data as it moves across the network. This employee has access to internal systems, so this task is not a problem, especially because this type of data is only encrypted when it is sent outside the trusted network. After the employee collects a sufficient amount of credit card data, he copies the data to his iPod, heads home, and posts an advertisement on a cybercrime forum. If he is successful, he will earn a couple of dollars for each account.

Now it is time to tally up the costs to the business:

- The cost of violating any of the many state and federal privacy regulations protecting consumer data
- The cost of possible industry regulation violations, such as PCI data protection standards
- The cost of litigation associated with lawsuits
- The cost of notifying customers of the breach and possibly paying for credit monitoring services for victims
- The soft cost of brand damage and loss of customer loyalty

These costs could have been avoided with the use of SSL technologies to encrypt communication between servers and endpoint devices.

Hidden Costs of Poor Security

Not all costs are as obvious as those related to data breaches and associated regulation violations. The less obvious costs come in the form of reduced effectiveness of business operations, and in particular:

- Reduced innovation
- Costly ad hoc responses to incidents
- Opportunity costs to other IT initiatives


Imagine a strategy session with executives and business managers planning to overhaul a business process with partners. Someone suggests working with suppliers to offer drop shipping from their facilities rather than maintain high levels of inventory within the company's warehouses. The company could work with the suppliers to leverage their shipping and order processing systems and rebrand the supplier's Web site to look like the company's when its customers are checking shipping information. A software development manager makes some suggestions about using Web services, passing customer data to the supplier, and receiving shipping details in return. So far, so good. Then one of the more security-conscious members of the meeting chimes in with questions such as:

- How do we ensure order information is not tampered with during transmission?
- How do we know protected customer information is not leaked?
- How will the company's application verify it is working with the supplier's Web service and not a fake Web service set up to capture customer information?

Without proper security measures, such as SSL technologies for encrypting data and verifying digital identities, innovative business processes such as these might be left on the drawing board. Ultimately, if we do not protect information assets, we can expose our businesses, partners, and customers to compromise.

Day-to-day operations can be adversely affected by poor security practices. Ad hoc responses to incidents such as malware infections and the need to patch applications can ultimately cost more than a more methodical approach. With proper asset management applications, patch management tools, and an incident response plan, businesses can more effectively and efficiently respond to adverse events.

Overall, the true cost of poor security is reflected in a combination of costs from data breaches and other security incidents and the opportunity cost of not implementing innovative procedures and processes because of fear of potential security problems. It is worth emphasizing that such fear is not unfounded; there may be significant risks to changing workflows and opening systems to work with business partners' applications when proper security measures are not in place. One of the goals of this guide is to provide you with information about techniques such as using SSL for encryption and digital identity verification to help control some of these risks.

Summary

Viruses and hacking are no longer just electronic forms of vandalism carried out by programmers demonstrating their technical prowess. Cybercrime has evolved into an industry-like phenomenon complete with markets, specialization of services, and multiple business models for turning stolen information and computing resources into cash. For businesses to succeed and thrive in such an environment, they must manage security processes and leverage technologies such as SSL for encryption and digital identity verification. The remaining chapters of this shortcut guide will delve into details of how to accomplish this.


Chapter 2: Common Vulnerabilities in Business IT Systems

Businesses, governments, and other organizations face a wide array of information security risks. Some threaten the confidentiality of private information, some threaten the integrity of data and operations, and still others threaten to disrupt availability of critical systems. Chapter 1 examined the role of organized cybercrime, the prevalence of malicious software and the underground marketplaces that facilitate the exchange of stolen information, and tools of the cybercrime trade. In this chapter we turn our attention inside the organization. Although the external threats are considerable, they are not the only component in the risk equation. Another important set of factors are the vulnerabilities that lie within an organization.

For our purposes, we will broadly organize these vulnerabilities into two categories: technical weaknesses and organizational weaknesses. This distinction is meant to draw attention to the fact that information security is not just about technology, although that is an obvious component. How we perform business operations, how we attend to information systems management, and how we train and help others understand the nature of security risks can make a critical difference in the overall effectiveness of an information security strategy. Perhaps more importantly, it is crucial to understand that technical controls will not compensate for poor organizational practices, and the best trained staff and most well-intentioned IT professionals will not be able to protect information assets without proper technical controls. An overall security posture is a combination of technical and organizational controls.

Figure 2.1: Technical and organizational controls overlap and are both essential to information security.

This chapter will examine common weaknesses in technical and organizational controls and then discuss options for addressing those weaknesses.


Technical Weaknesses

Technical weaknesses are vulnerabilities that can be mitigated using technical controls, such as the implementation of new firewall rules or an update of antivirus signatures on a client device. There are many different types of such vulnerabilities; we will concentrate on several that are all too common:

- Unencrypted communications
- Insufficiently patched operating systems (OSs) and applications
- Insufficient use of antivirus and personal firewalls
- Weak boundary security
- Poor application security

For each of these, let's consider the types of attacks enabled by these vulnerabilities and their cost to business.

Unencrypted Communications

Rapid, reliable, and trustworthy communications are essential in today's business world. Although postal mail and telephones are still used widely, some of the most cost-effective communications take place online. We routinely email colleagues, customers, clients, and other professional and personal contacts. Instant messaging is especially useful for geographically distributed teams who need an electronic equivalent of talking across the room or over the top of a cubicle partition. Many have taken to social networking services, from LinkedIn and Facebook to Twitter, to keep up to date with large groups of individuals. All these communication mechanisms have their advantages and few would want to ban them from the office, but with their convenience and efficiency come security risks.

When communications are transmitted in unencrypted forms such as plain text, there is the potential for someone to intercept the message to learn the contents or tamper with the contents before they arrive at the intended recipient's inbox. We will consider two examples of such attacks: the man-in-the-middle (MITM) attack and the replay attack.

Man-in-the-Middle Attack

An MITM attack injects a malicious third party into a communication between two presumably unsuspecting victims. The purpose of the attack is to control the communications between the two victims and alter messages between them. Several conditions must be in place for an MITM attack to succeed:

- The attacker must have access to the communication channel between the two parties
- The attacker must be able to impersonate each of the victims sufficiently to overcome technical controls and potential suspicions on the part of either victim
- The attacker must be able to alter, inject, or remove messages sent on the communication channel without detection


Accessing communication channels used to require access to wired network equipment, such as routers or hubs, but the prevalence of wireless networks allows attackers to gain access to a communication channel from a distance.

Note: Using just any encryption for wireless communication is not sufficient to protect communications. The Wired Equivalent Privacy (WEP) protocol was defined in the late 1990s for encrypting wireless communications. Within several years, flaws were found in the algorithm, and tools are available today to break WEP encryption in minutes. Wireless networks should use the Wi-Fi Protected Access (WPA) or WPA version 2 (WPA2) encryption, both of which are stronger than WEP.

[Figure 2.2 diagram: Victim 1 and Victim 2 see an Apparent Communications Channel between them; the Actual Communications Channel runs from each victim through the attacker.]

Figure 2.2: MITM attacks inject a malicious third party into a communications channel with the intent of reading and tampering with messages sent between victims.

To impersonate both victims, the attacker needs to overcome any technical controls in place. For example, unless authentication mechanisms are in place, such as those used in SSL-based communications, it is possible for an attacker to spoof, or impersonate, the victims. SSL communications can use a combination of public and private pieces of information known as keys to authenticate the parties in communication, so an attacker would need access to the private keys of both victims to carry out a successful MITM attack.


Note: SSL and Transport Layer Security (TLS) use both symmetric and asymmetric cryptography. Asymmetric encryption is used for authentication while symmetric encryption is used for large data transfers, as it is computationally more efficient. It is conceivable that an MITM attack could occur by breaking the symmetric key encryption after authentication has occurred. The use of strong symmetric encryption algorithms, such as the Advanced Encryption Standard (AES), makes that highly unlikely.

In addition to overcoming technical controls, the content of the messages injected by the attacker must be believable enough to convince the victim they are authentic. This is not difficult, especially in business communications where many exchanges are standardized. For example, it would not be difficult to change quantities on an order or replace a credit card number with another legitimate credit card number without raising suspicion.

Replay Attack

A replay attack is a type of MITM attack in which a message is captured by a malicious third party and resent, or replayed, to the target victim. For example, if Alice were to send a message to Bob saying "Send 100 widgets to Charles and charge to my account" and that message was captured by an attacker, the attacker could then resend the message to Bob. Bob in turn would then have orders to send a total of 200 widgets to Charles and charge them all to Alice. In a more realistic example, the message would be a structured transaction following a well-defined protocol, but the point is that unprotected messages can be captured and used again in unintended ways.

One way to protect against replay attacks is to use some type of session variable. For example, each message from Alice to Bob would include a message counter. The message counter is incremented after each transaction is sent. If this technique were used, Bob would recognize that the second message sent by the attacker was a repeat of the first message and could safely ignore it. However, if the message transmission is in plain text (that is, unencrypted), the attacker could simply change the value of the message counter.

Alice and Bob might try to outwit eavesdroppers by having a non-obvious pattern in the way they increment the counter. Instead of incrementing the message counter by one, they might increment by 2, 101, the number of the day of the month of the transaction, or any other pattern. Unless the attacker knows the proper increment, the expected message counter would be incorrect and the recipient would recognize the message as invalid. Attackers could solve this problem by monitoring traffic between Alice and Bob until they have enough sample transactions to determine the rule for incrementing the message counter.


This simple example illustrates how home-grown solutions to protecting confidentiality can break down. Cryptography, the study and development of encryption algorithms, is a science, as is cryptanalysis, the study of code breaking. It is highly unlikely that someone other than a specialist in cryptography could develop a sufficiently difficult-to-crack algorithm to warrant attempts at such development. A better solution is to use public algorithms, such as AES. Confidentiality is assured by a combination of the strength of the algorithm, which is publicly known, and the keys, which are kept private, used to encrypt messages.
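The counter scheme above, worked through in code as an added example (not code from the guide): Bob keeps the highest counter he has seen, which catches a naive replay but not a replay whose plaintext counter the eavesdropper has bumped. Adding an integrity tag over the whole message closes that hole; an HMAC over a shared key is used here as a stand-in for the integrity protection SSL/TLS provides on the wire, and the key, account, and part numbers are constructed sample values.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a secret Alice and Bob agreed on out of band (demo only).
SHARED_KEY = b"constructed-demo-key-not-for-production"


def build_order(counter, account, items):
    """Build an <Order> message shaped like the one in Figure 2.3."""
    order = ET.Element("Order")
    ET.SubElement(order, "Message-Counter").text = str(counter)
    bill_to = ET.SubElement(order, "Bill-To")
    ET.SubElement(bill_to, "Account").text = account
    items_el = ET.SubElement(order, "Items")
    for part, qty in items:
        item = ET.SubElement(items_el, "Item")
        ET.SubElement(item, "Part-Number").text = part
        ET.SubElement(item, "Quantity").text = str(qty)
    return ET.tostring(order)


def counter_of(message):
    """Read the Message-Counter element from an <Order> message."""
    return int(ET.fromstring(message).findtext("Message-Counter"))


def tamper_counter(message, new_counter):
    """What an eavesdropper can do to a plaintext message: rewrite the counter."""
    root = ET.fromstring(message)
    root.find("Message-Counter").text = str(new_counter)
    return ET.tostring(root)


def sign(message, key=SHARED_KEY):
    """Integrity tag over the whole message, counter included."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Receiver:
    """Bob's side: remembers the highest counter accepted so far."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_counter = 0
        self.accepted = []

    def accept_plaintext(self, message):
        """Counter check only, as in the home-grown scheme."""
        counter = counter_of(message)
        if counter <= self.last_counter:
            return False  # repeat or out-of-order message
        self.last_counter = counter
        self.accepted.append(message)
        return True

    def accept_authenticated(self, message, tag):
        """Verify the tag first; a rewritten counter invalidates the tag."""
        if not hmac.compare_digest(sign(message, self.key), tag):
            return False
        return self.accept_plaintext(message)


def demo():
    """Run both schemes against a replay and a counter-bumped replay."""
    original = build_order(18763, "ABC123456", [("XY7631", 12), ("NN8123", 12)])
    forged = tamper_counter(original, 18764)  # captured copy with counter bumped

    bob = Receiver()  # plaintext counter only
    results = {
        "plain_first": bob.accept_plaintext(original),   # True
        "plain_replay": bob.accept_plaintext(original),  # False: same counter
        "plain_forged_replay": bob.accept_plaintext(forged),  # True: the hole
    }

    bob2 = Receiver()  # counter plus integrity tag
    tag = sign(original)
    results["auth_first"] = bob2.accept_authenticated(original, tag)   # True
    results["auth_replay"] = bob2.accept_authenticated(original, tag)  # False
    results["auth_forged"] = bob2.accept_authenticated(forged, tag)    # False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```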


    <Order>
      <Message-Counter>18763</Message-Counter>
      <Bill-To>
        <Company-Name>ABC Enterprises</Company-Name>
        <Address>1010 Main St. Springfield, IL 62701</Address>
        <Account>ABC123456</Account>
      </Bill-To>
      <Items>
        <Item>
          <Part-Number>XY7631</Part-Number>
          <Quantity>12</Quantity>
        </Item>
        <Item>
          <Part-Number>NN8123</Part-Number>
          <Quantity>12</Quantity>
        </Item>
      </Items>
    </Order>

[Figure 2.3 diagram: Plain Text Message (Private) and Encryption Key (Private) feed the Encryption Algorithm (Public), which produces the Encrypted Message.]

Figure 2.3: Confidentiality is ensured if a message and the encryption key are kept secret; there is no need to use a secret or home-grown algorithm. In fact, public algorithms are subject to a great deal of cryptanalysis scrutiny and are more likely to provide codes that cannot be broken in a reasonable amount of time with reasonable resources.


MITM and replay attacks could be quite costly to businesses for two reasons. First, individual transactions could be repeated or tampered with as a means to commit fraud. The potential cost of a single act of fraud may be great enough on its own to justify implementing stronger security measures, such as using SSL for all business-essential communications. Perhaps a greater reason for concern is that without SSL encryption, any electronic communications could be called into question. This position is extreme, but the lack of trust in communications systems could undermine business operations and efficiencies. Will salespersons call customers on the phone to verify electronically submitted orders? The use of a second means of communication, known as out-of-channel communications, is one way to reduce potential fraud, but it is highly inefficient for both parties. Securing communications with SSL-based communications is more efficient and practical for business operations.

Encrypting message transmissions protects data in motion. Data at rest and the servers and other devices used to store and process that data require additional technical controls to provide sufficient security for typical business operations.

Insufficiently Patched OSs and Applications

One of the most memorable malware attacks to broadly impact the Internet hit in January 2003. The SQL Slammer worm spread across the globe and infected tens of thousands of machines in minutes. The worm's Denial of Service (DoS) attack slowed Internet traffic and effectively blocked traffic on some segments. The malware took advantage of a vulnerability in the SQL Server database and the Microsoft SQL Server Desktop Engine. Microsoft had released a patch 6 months before the attack; unfortunately, many users of the affected systems did not patch their systems.

Although the impact of SQL Slammer was quite dramatic, the existence of program vulnerabilities is far from rare. The National Vulnerability Database (http://nvd.nist.gov/home.cfm), which tracks known vulnerabilities, listed 35,142 software vulnerabilities as of early February 2009, publishing on an average of 15 vulnerabilities per day. Vulnerabilities are not limited to popular databases and OSs; consider some of the vulnerabilities discovered over the past few years in widely used applications:

- Internet Explorer: A vulnerability in IE could allow remote code execution (Microsoft Security Advisory 961051).
- Microsoft Access: A vulnerability in an ActiveX Control could allow remote code execution (Microsoft Security Advisory 955179).
- Microsoft Excel: A vulnerability in Excel could allow remote code execution (Microsoft Security Advisory 947563).
- Xterm (Linux): The default configuration of xterm on Debian GNU/Linux, and possibly Ubuntu, could potentially allow arbitrary code execution (CVE-2006-7236).


The cost of unpatched systems to businesses can be significant. As the example vulnerabilities highlighted in the previous list show, commonly deployed applications can be used to execute arbitrary code. When malicious code can be executed with administrator or root privileges, it is difficult if not impossible to prevent an attacker from gaining control of a device. Unpatched applications can provide attackers with a stepping stone to committing data breaches, tampering with databases, or denying access to mission-critical applications.

Figure 2.4: The patch management cycle starts with acquiring patches from vendors and other sources, then testing them to ensure critical functions are maintained, deploying them to devices, and assessing them in operations.

Keeping track of applications, versions, configurations, and patch levels is challenging, but a set of practices known as the patch management cycle (see Figure 2.4) is designed to address these challenges. The key steps in the patch management cycle are (1) acquiring the patch, (2) testing the patch in a controlled environment, (3) deploying the patch to production systems, and (4) assessing any problems with a patch deployment. Asset management systems can improve the efficiency of patching by automatically pushing patches to devices and providing reports on the status of patch operations. Hardware vendors are improving remote device manageability through offerings such as Intel's vPro and AMD's support for the Desktop and Mobile Architecture for System Hardware (DASH); asset management and patch management tools may take advantage of these for additional efficiency improvements.


The same tools that help with patch management can also help with another typical technical weakness.

Insufficient Use of Antivirus and Personal Firewalls

Using antivirus software is like driving with seat belts: we all know we should use the precautionary measure. The analogy quickly breaks down, though. Although we rarely need seat belts because most of us have few if any accidents, most users are likely to encounter malicious software. Part of the problem is the prevalence of malware.

Malware can infect devices from multiple points of entry into a system:

- Malware attached to emails
- Malware-infected media files, such as video and music files
- Malware downloaded when visiting a compromised Web site, a technique known as a drive-by download
- Malware transmitted from another infected machine on the network, using weaknesses in firewall configurations or network vulnerabilities to infect other devices

Anti-malware vendors are constantly updating the signature detection databases and behavior analysis systems used to detect malware. Like application and OS patching, anti-malware software has to be routinely updated to counter new and emerging threats. Malware developers know this, and some malware includes code to block updates. Sometimes the blocking techniques are simple, such as editing a local file used to map domain names to IP addresses, so antivirus software is directed not to the vendor's update site but to another non-functional site (thus, updates are never downloaded).

Personal firewalls can help stem the spread of malware by blocking traffic on ports that are not needed for legitimate purposes. This can, for example, prevent worms from accessing a device via a blocked port; it can also block outbound traffic, such as spam generated by a bot that has already infected the machine. Low-cost and free personal firewalls are readily available for Windows; Mac OS X and most Linux distributions include firewalls. Proper firewall configuration can provide an additional layer of security on devices.

The cost of insufficient use of antivirus and personal firewalls is manifested in poor performance in devices, unnecessary consumption of bandwidth in the case of devices infected with botnet software, increased demand for Help desk service to diagnose performance problems, and the cost of removing malware once it is detected.
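The update-blocking trick described above (rewriting the local hosts file so the vendor's update site resolves nowhere) leaves a trace that is easy to check for. The following is an added example, not from the guide; the update hostnames and the hosts file contents are constructed placeholders, and in practice the watch list would hold the real update hosts of the products you deploy.

```python
import ipaddress

# Constructed watch list: hostnames a device must reach to fetch signature
# updates. Placeholders; real vendor update hosts would go here.
UPDATE_HOSTS = {"updates.example-av.test", "liveupdate.example-av.test"}

# Constructed sample hosts file, as it might look after malware edited it.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example.test   # legitimate internal entry
127.0.0.1       updates.example-av.test
0.0.0.0         liveupdate.example-av.test
"""


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for each usable line of a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not the pattern we are looking for
        yield ip, parts[1:]


def classify(ip):
    """Say where a hosts entry sends traffic for the watched name."""
    if ip.is_loopback:
        return "loopback"     # requests go to the device itself
    if ip.is_unspecified:
        return "unspecified"  # 0.0.0.0 / ::, requests go nowhere
    return "redirected"       # some other host answers instead of the vendor


def find_update_blocks(text, watch=UPDATE_HOSTS):
    """Return (hostname, ip, classification) for every watched name present.

    An update server should never appear in the hosts file at all, so any
    match is worth a look; loopback or unspecified entries are the classic
    sinkhole that silently stops signature updates.
    """
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in watch:
                findings.append((name, str(ip), classify(ip)))
    return findings


if __name__ == "__main__":
    for name, ip, why in find_update_blocks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip} ({why})")
```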


Keyloggers and video frame grabbers are particularly dangerous types of malware. These not only compromise the systems they infect but also are designed to steal information, such as login credentials or confidential information, and transmit it to a point where the attacker can retrieve it. One of the reasons passwords and other authentication mechanisms should be updated frequently is that they may be leaked or stolen. Credit cards, driver's licenses, and digital certificates all use expiration dates because something can go wrong and those artifacts, for whatever reason, cannot be trusted. Credit card and driver's license issuers cannot go into the field and retrieve the cards (at least in any practical sense). Similarly, we cannot recover stolen passwords. Malware is just one of the reasons to frequently change authentication information.

Weak Boundary Security

As systems become more distributed and we adopt more service-oriented architectures, we find the need to move data further and sometimes across organizational boundaries. This practice is undermining the traditional notion of the network perimeter.

In the past, a company may have had all traffic moving over a firewall between the internal network and the Internet. Traffic across this boundary was restricted to those protocols needed for Web browsing, email, and instant messaging. Today, companies may have:

- A database hosted by a third-party site with database protocols used to exchange data between client and server
- Internal applications invoking Web services provided by business partners; confidential data is moved back and forth between these two systems (in which case, digital certificates should be used to authenticate the partner's Web service and SSL should be used for communications)
- Remote users connecting to the corporate network using virtual private networks (VPNs)

Network perimeters today are more porous than they have been in the past. Now, rather than depending too heavily on boundary security, we must have multiple layers of overlapping security (known as defense in depth) to protect data and systems. This security includes implementing technical controls to avoid the common weaknesses described in this section as well as securing data at rest and in motion with the use of encryption. Organizations that do not address the boundary security requirements risk well-known problems, including data breaches, compromised devices, and the potential loss of computing and network services.

We must be careful not to confuse information security with just network security; applications are another broad area of concern in information security.


Poor Application Security

It is somewhat ironic that improvements in our ability to protect OSs and network devices have led to a heightened awareness of application vulnerabilities. Like water seeking the lowest level, attackers look for the easiest way to reach their target. Today, the target is often information. Application vulnerabilities include:

- Injection flaws, such as SQL injection attacks in which SQL commands are sent as part of input data
- Cross-site scripting attacks, which allow attackers to execute scripts within the context of a user's browser
- Poorly managed authentication in distributed applications that allow, for example, a victim's username and passwords to be stolen
- Insecure communications, in which private and confidential information is sent in unencrypted or easily decrypted form

All of these and other common application vulnerabilities can be avoided with sound coding and software engineering practices.

Note: For more information about application security, especially Web applications, see the Open Web Application Security Project (OWASP) at http://www.owasp.org.

Automated application vulnerability scanning can help identify vulnerabilities in deployed applications and pre-deployment code. Some scanners work with source code, using static analysis to identify weaknesses apparent from the structure of code, such as potential out-of-bounds references; other scanners perform dynamic analysis and probe applications for vulnerabilities while they run. The latter is especially useful when source code is not available.

As noted earlier, even widely used applications can contain vulnerabilities. Businesses, government agencies, and others can mitigate the risk and potentially avoid the cost of having application vulnerabilities exploited if they are detected before the system is moved into production. It is also less disruptive and more cost-effective to correct problems as early as possible in the software development life cycle.

It should also be noted that incorrect configurations can lead to application vulnerabilities. Using default configurations and default passwords, for example, provides an easy way for attackers to get started compromising an application. As a general rule, configurations should implement only functions needed by business requirements. The more subsystems enabled in an application, the greater the surface area for an attack. Each unnecessary subsystem may bring with it vulnerabilities that can be leveraged by attackers.
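The first item in the list above, SQL commands arriving as part of input data, is the one a code review catches most reliably. Here is an added example (not from the guide) of the defect beside its sound-coding fix: an account lookup that pastes input into the SQL text, and the same lookup with a bound parameter. The table and its rows are constructed sample data in an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """In-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account TEXT PRIMARY KEY, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("ABC123456", "4242"), ("XYZ987654", "1881")],
    )
    return conn


def lookup_vulnerable(conn, account):
    """Defect: the input becomes part of the SQL statement itself."""
    sql = "SELECT account, card_last4 FROM customers WHERE account = '%s'" % account
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account):
    """Fix: the driver binds the value; it can only ever be compared as a string."""
    sql = "SELECT account, card_last4 FROM customers WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


def demo():
    """Run both lookups with a normal account ID and with input carrying SQL."""
    conn = make_db()
    benign = "ABC123456"
    hostile = "' OR '1'='1"  # constructed input that contains SQL syntax
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),      # one row
        "vuln_hostile": lookup_vulnerable(conn, hostile),    # every row leaks
        "param_benign": lookup_parameterized(conn, benign),  # one row
        "param_hostile": lookup_parameterized(conn, hostile),  # no such account
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```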


This section has highlighted some of the technical weaknesses that can undermine information security. Not surprisingly, these weaknesses span the breadth of IT infrastructure, from network architecture to endpoint devices to the ways we transmit sensitive and confidential information. Weaknesses, however, are not limited to technical issues.

Organizational Weaknesses

In many respects, the challenges of implementing and managing effective technical controls pale in comparison with the difficulties in addressing organizational weaknesses, such as insufficient or ineffective security awareness training. This section will consider how end-user security training, security policies governing mobile devices, and the inappropriate use of business computers and networks can result in security vulnerabilities.

End-User Training and Security Awareness

Technical controls alone will never constitute a comprehensive security strategy. Humans can override, alter, disconnect, turn off, and ignore technical controls. Technology is a supporting part of security controls; it is not the full picture; thus, it is imperative that employees, contractors, consultants, and business partners understand their role in the information security mosaic that protects business assets and data.

To get a sense of just how difficult it is to mitigate vulnerabilities related to the human factor in IT security, consider some of the findings of a 2008 survey by Cisco and InsightExpress on data leaks (Source: http://cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/Cisco_STL_Data_Leakage_2008.pdf). Some of the more telling findings include:

- 10% of surveyed employees have stolen or know of other employees who have stolen data or devices
- 10% of employees have lost or were the victims of theft of a company-issued computer, mobile device, or portable storage device containing corporate data in the past 12 months
- 11% of US IT decision makers indicate their company has suffered a data breach that included the theft of company data
- The top three concerns for data leaks are, in order: portable USB drives, email, and stolen laptops


These statistics demonstrate either a widespread ignorance of sound security practices with regard to computer use or a disregard for those practices. Such breadth of weakness is not necessary to create a significant risk. For example, that same survey found that 14% of global respondents had changed security settings on their computers; 2% of US respondents had done so. Of those that did make changes, half of them admitted they did so to visit sites regardless of their company's policy, and more than one-third felt it was not the concern of their company if they did change security settings on company-issued devices! Like a chain that is only as strong as its weakest link, a small number of employees with cavalier attitudes are enough to compromise security.

Statistics such as these, and anecdotal evidence about lost laptops, simplistic phishing lures, and irresponsible behaviors, have led to a couple of myths about end-user security awareness training that need to be dispelled.

End User Training Myths

Unfounded myths about users and their willingness or need to learn undermine an appreciation for what is necessary to improve the human-factor components of information security.

Myth #1: If security training worked, it would have worked by now.

This fatalistic view only rings true if we assume that our training methods are sufficient and we do not need to try other approaches. Widespread public health campaigns, such as anti-smoking efforts, and public safety campaigns, such as promoting the use of seat belts, have largely succeeded and can offer guidance on how to proceed. These successful campaigns are continuous and long running. Anti-smoking efforts that started in the late 1960s and early 1970s continue to some degree today. It is difficult to drive across state lines in the US without seeing signs to buckle up. Successful campaigns use a combination of techniques to get their point across, including humor. Talking crash-test dummies taught us about car collisions. The point is that we should not give up on training employees about security because past methods have not worked; we can learn from others' successes.

Myth #2: Younger workers are more tech savvy and therefore more skeptical of scams and do not need security training.

The idea that one generation will not repeat the mistakes of previous generations is appealing but lacks sufficient evidence to be believed. More importantly, social engineering attacks, malware, hacking techniques, and anti-forensic techniques are constantly changing. Some of us will not be tempted by a phishing scam promising extraordinary returns if we just send money to a foreign national in a temporary bind; that is no reason to assume we are immune to other scams or that we know all the ways attackers can infect a device with malware. Drive-by downloads from compromised Web sites were not known 10 years ago; why should we think that 10 years from now new techniques won't stump today's tech-savvy generation?


The impact on business, including the cost, of insufficient and ineffective end-user training could be measured in computers infected with malware from sites users should not have visited, leaked information given in response to phishing lures that should have been ignored, and inaccurate data left after a disgruntled employee gained access to data using someone else's account left open after hours.

Lax Security with Mobile Devices
Mobile devices require both technical and organizational controls. Antivirus, personal firewalls, and vulnerability scanning (at least with tools such as the Microsoft Baseline Security Analyzer, available at http://technet.microsoft.com/en-us/security/cc184923.aspx) fall on the technical side of the equation. Once again, the more difficult challenges come on the organizational side of things.

Part of the challenge with lax security with mobile devices is that employees are not aware of the risks to mobile devices. The Privacy Rights Clearinghouse Chronology of Data Breaches (http://www.privacyrights.org/ar/ChronDataBreaches.htm) has plenty of examples of stolen laptops containing tens of thousands of database records with personal information. As more smartphones are used to access and store data, there will be more opportunity for confidential information to be lost or stolen. Employees should be trained in reasonable procedures for protecting mobile devices when they are in cars (a popular target) and in the use of encryption to prevent data from falling into the hands of thieves if a device is stolen.

Another problem, one that gets less attention, is the growing use of personal mobile devices in the workplace. Employees may purchase Blackberry and iPhone smartphones on their own and use them to access corporate data. These devices are not owned by the company, so there are limits to what the company can dictate while still allowing these devices to access corporate repositories. Consider how policies may need to be reworked to accommodate these devices:

- If these devices were company owned, they could be standardized; however, the company may not want to limit access to only those with a particular device type or OS.
- As these are personal devices, companies may not be able to dictate how they are used when not accessing corporate systems. Sites that may be blocked from corporate networks may be readily accessible from a smartphone also used to access confidential data.
- Companies may have a policy dictating minimum security measures for an employee-owned device used on the corporate network but may not have the means to enforce that policy. For example, a policy may dictate up-to-date antivirus signatures but not be able to verify a configuration before allowing a user to download data to their device.


Here again, we have an example where technical controls are not enough. We need educated and cooperative employees who understand and follow policies. The cost to the business, and presumably to an employee's career, can be significant if a data breach is traced to a poorly secured, personally owned smartphone.

Inappropriate Use of Business Computers and Network Services
A final example of an organizational vulnerability is the improper use of computers and network services. Some might try to look at this from a lost-productivity standpoint: if an employee is checking personal email or ordering personal items online, they are not productive from the company's perspective. However, it is equally plausible to argue that use of company systems allows an employee to attend to personal errands more efficiently and therefore leaves them more time to focus on their work. There is no universal formula for finding the proper balance, but we can reasonably conjecture that one exists. A more pressing problem than unproductive time is the potential to introduce malicious software onto the network.

If an employee checks a personal email account, the same filters that are applied to the corporate email system may not be in place, thus allowing malicious software to enter the network via email. Similarly, employees browsing to non-work-related sites can result in drive-by downloading of malware. These sites are not just those considered inappropriate for the workplace; legitimate, popular sites, such as news sites, could be compromised because of vulnerabilities in their own systems, which in turn results in an adverse impact on your network. The service support staff probably has enough to do without having to clean up a botnet infection on the corporate network because an employee surfed somewhere she did not belong.

Organizational weaknesses generally stem from human behavior. Changing human behavior is an art that may never be mastered. Nonetheless, helping employees understand the nature of security threats and their role in protecting the company's assets, as well as themselves, is the starting point to mitigating organizational weaknesses.

Options for Addressing These Threats
Broadly speaking, there are three approaches to dealing with technical and organizational weaknesses. There is always the option of doing nothing, or more properly, the option of continuing to function as is. At best, one can reasonably presume that the organization would continue with the same levels of risk. If there have been no major breaches, confidential communications have not been intercepted, and malware outbreaks are infrequent, this might seem like a prudent course of action. The problem with this scenario is that it assumes the overall security and business environment will stay the same. We know that is not true. Malware has become more difficult to detect, it spreads by more methods, the size of major data breaches is increasing, and cybercriminals appear to be getting better at covering their tracks during an attack.


At the other end of the spectrum is the spare-no-expense approach. Even in the best of economic conditions, this is not reasonable. We cannot simply buy security systems and deploy endpoint security applications like buckshot in the hope of hitting all the weaknesses in our network.

A balanced approach is, not surprisingly, the one that is called for. We cannot let fear of security threats keep us from aligning security strategy with business strategy. One of the hallmarks of this alignment is identifying risks to the business strategy and then implementing a combination of technical and organizational controls.

The amount we spend on security should not exceed the value of the assets we are trying to protect and the costs incurred by the organization in the event of a breach. Losing a patient record may not directly cost a hospital, but it may have significant cost to a patient whose identity is stolen, and it could have a detrimental impact on the trustworthiness of the hospital and its brand reputation. Regulations internalize some of those costs, which were previously borne by those outside the organization. A risk assessment can help illuminate the assets we need to protect, the threats to those assets, and the various combinations of technical and organizational controls that can help mitigate threats to those assets.

Summary
Sometimes we can be our own worst enemy. How we address technical and organizational weaknesses inside the organization can help or hinder our overall goals. Security is a function of technical controls, such as SSL for secure communications and disk encryption for reducing the risk of data compromise, and organizational controls, such as sufficient and effective training and realistic policies that account for the changing ways employees access and use data. A balanced approach is based on risk management practices and incorporates both technical and organizational controls; this method can help mitigate risks while accounting for limited resources.


Chapter 3: Developing a High-Impact Security Management Strategy
Effective information security requires a combination of technical and organizational controls; however, running down a generic checklist is rarely sufficient. Instead, a high-impact security management strategy is driven by the particular needs of a business, and these needs span the breadth of business and technical operations within an organization. For example, consider some of the questions one should pose when developing a security strategy:

- What business processes and workflows are vulnerable to attack?
- If a particular server were compromised, what would be the impact on day-to-day operations, on users, or on customers?
- How can we ensure that our networked applications communicate only with trusted, verified partner applications?
- Can the exchange of digital documents be as secure, trustworthy, and enforceable as the exchange of paper documents?
- How can we ensure that confidential information can be exchanged over email and online with reasonable assurance that it won't be intercepted and disclosed to an unauthorized party?

The solution to address the answers to these questions will entail a combination of technical measures, such as hardening servers and deploying SSL certificates for secure communications and authentication, as well as organizational measures, such as developing and enforcing security policies, auditing and monitoring network activities, and providing security awareness training. In Chapters 1 and 2, we examined security threats, technical vulnerabilities, and organizational weaknesses that can directly impact the overall security posture of an organization. In this chapter, we build on those discussions and describe a framework for creating a high-impact security strategy. This task entails a number of steps that are divided into three broad categories:

- Review of business processes and workflows
- Review of technical infrastructure
- Definition of security policies and procedures

Each of these steps addresses both technical and organizational aspects of security, which are tightly coupled. We will not have effective security over the long term without appropriate attention to both.


Review of Business Processes and Workflows
Business processes range from the relatively simple, such as processing time cards, to complex multi-organization operations, such as order processing that entails just-in-time delivery. The flow of information is common to virtually all business processes, and information security practices have to take those workflows into account.

Figure 3.1: Information systems and the flow of information are fundamental aspects of virtually any business process. Securing these information flows begins with understanding the details of the flow and identifying risks to the information.


It is not sufficient to simply protect information at one point in a business flow because, like a chain, a business process is only as secure as its weakest link. For example, a retailer might lock down a database so securely that the time and effort required to break in and steal credit card data is not worth it. However, if credit card data is then sent from a point-of-sale system to the database using a wireless network encrypted with the weak WEP protocol, attackers will simply target that point in the business process. When we think of protecting information, we need to think in terms of the full life cycle of that information. How and where is it created? How is it transmitted? Where is it stored? How is it backed up and archived? If data is deleted from a production system, how long will it remain in backups? How is data protected when it is moved on physical media, such as backup tapes and disks managed by third-party service providers? These types of questions can be addressed by considering three elements of workflows:

- Data in motion
- Data at rest
- Access to information

When we have a solid understanding of these three elements, we can properly design security measures and implement controls to protect business processes and information flows.

Data Classification and Security Measures

When considering information flows, remember that not all information is equally valuable or in need of the same levels of protection. A data classification scheme is a means of defining levels of protection appropriate for different types of information. Public data, such as press releases, do not require special controls because the purpose of this type of data is to share information outside the organization. Prior to release, however, a press release with time-sensitive data may be categorized as sensitive or even confidential if its early release could harm the business. A business's trade secrets or private customer financial data should be treated as confidential and provided with appropriate levels of protection when the data is being transmitted and when it is stored on business systems.


Data in Motion: Identifying Unencrypted Communications
Once we have identified core business processes, we can begin to look into the details of how information moves between servers, workstations, mobile devices, point-of-sale systems, and other kinds of devices. Key questions to consider are:

- Is the data sensitive, private, or confidential, and does it therefore warrant additional attention to protect its privacy and integrity?
- Does the data move through systems or networks that might be vulnerable to attack?

For the purposes of discussion, we will concentrate on sensitive, private, and confidential information; that is, information which, if disclosed or tampered with, could adversely harm the business, its customers, business partners, or other stakeholders. Sensitive information is information that should not be released for general access but, if it were made available, would not have serious impacts on the organization. Private and confidential information, in contrast, is information that, if accessed in unauthorized ways, would have a severe impact on the organization. Private information pertains to individuals, such as customers and employees, while confidential information is related to the business itself, such as trade secrets. With regard to where the information flows, there are so many specific possibilities that it makes sense only to categorize the general range of networks and systems in terms of the level of additional security required.

Movement Within Secured Network Segments

One possibility is that information moves only within a controlled network environment that is already hardened (that is, secured beyond normal default configurations to reduce vulnerabilities). For example, suppose information from a transaction processing database is being copied every night to a data warehouse server on the same network segment. Given the high value of the transaction processing system and the data warehouse, we can assume network security staff has configured the servers to run the minimal software needed to complete business operations, keeps the servers patched, and uses network firewalls, intrusion prevention systems (IPS), application firewalls, and database activity monitoring systems. In short, this network segment is made as secure as the risk warrants within the constraints of existing technologies and budgets.

Adding a layer of security with the use of encryption would add another level to a defense-in-depth strategy, but at a cost. If the data warehouse required large volumes of data to be transferred within a relatively short window of operation, adding time to encrypt and decrypt data moving over a well-secured network could jeopardize finishing the operation in the time allotted while not significantly reducing the remaining risks. That trade-off should be measured rather than assumed, and the decision revisited whenever the segment's other controls change.


Movement Across Enterprise Networks

Next, consider the case of data moving across an enterprise network. In this case, we can imagine data moving outside of highly secured segments to areas of the network designed for performance and ease of use. There are many ways to use and misuse an enterprise network. Acceptable uses cover a wide range: mobile users connecting to the network using virtual private networks (VPNs), contractors and business partners accessing business systems related to their work, developers creating and testing new applications, and systems administrators installing new software and experimenting with different configurations. All of these activities can create risks that do not exist in a highly controlled environment. In addition, there may be activities that violate policy but manage to fly under the radar. For example:

- Web application developers may deploy a Web server on an extra workstation in the office without following IT procedures
- An analyst may decide it would take IT too long to develop reports for her, so she creates a database and replicates data as needed from production databases
- A team of consultants sets up shop in a conference room for a short-term project and installs a wireless access point for their convenience

Security professionals might cringe at these examples, while business professionals might be more willing to weigh the pros and cons of bypassing the IT bureaucracy. Let us just assume that there are times when reasonable professionals will disagree about the merit of such actions. How should we protect information flowing through parts of the network that could harbor vulnerable systems, systems that could be used for data breaches? Ideally, we could eliminate all unofficial applications, databases, and makeshift servers; but even if we could eliminate all such systems, the same conditions that prompted their introduction in the first place will likely remain. Another tactic, and one that fits in a defense-in-depth strategy, is to encrypt communications on the enterprise network, at least when dealing with confidential and private data. By using SSL-encrypted communications for the most valuable data, we make it much more difficult for unauthorized persons or programs to capture that data in transit.

Movement Outside of the Enterprise Network

Once data leaves the controlled boundaries of the enterprise network, we cannot safely make any assumptions about the security of the external systems it crosses or of the applications or servers for which the data is destined. In this situation, SSL technologies provide two types of protection: confidential communication and reliable authentication.

Suppose you would like to send confidential information to a business partner over the Internet. If it is a small amount of data, you might use email; for larger amounts, FTP may be the tool of choice. In either case, there is no way to ensure that the message or transfer could not be intercepted and read unless the message is encrypted. SSL is the standard method for doing so. Note that SSL protects the connection between two endpoints, so a message that is relayed through intermediate servers, as email usually is, is protected only on the hops that use it. Another concern is ensuring that the message actually reaches the intended party.


Authentication is the process of verifying a party's identity. Usernames and passwords are frequently used when someone wants to employ an application or service, but these authentication mechanisms are of little use when trying to negotiate a transfer between two servers. A better option is to use digital certificates. These are electronic forms of identification that are designed to be virtually tamper-proof. If you receive a digital certificate electronically signed by a trusted third party, you have sound evidence that the sender is who it claims to be. That evidence holds only if the receiving side actually performs the checks: that the signature chains to an issuer it trusts, that the certificate is within its validity period and has not been revoked, that the name in the certificate matches the party being contacted, and, through the SSL handshake itself, that the presenter holds the private key matching the certificate. Figure 3.2 shows an example of a certificate with information about the domain of the server for which it was issued, the issuer (that is, the trusted SSL certificate vendor), the valid dates for the certificate, and the cryptographic attributes that are used to detect tampering.

Figure 3.2: An SSL digital certificate is like a digital ID card; it is evidence from a trusted third party that the server holding this certificate is actually part of the business it claims to be.


When data moves within highly secured segments of a network and performance considerations outweigh the marginal benefit of another security control, SSL encryption might not be used. However, when data moves outside the enterprise, and for confidential and private data even within the enterprise network, SSL technologies can provide encryption for confidentiality and digital certificates for authentication.

Data at Rest: Identify Servers Hosting Critical Applications
Another element of a high-impact security strategy is the proper management of servers hosting critical applications. Part of that management process addresses data and part addresses systems issues; here we will focus on data.

Cross Reference: See the section "Server and Workstation Security Measures" for more information about systems security.

Business processes and workflows copy, move, and delete data from many parts of the network. During the business process review, it is important to identify servers hosting critical applications and protected data. In the case of highly regulated data, it is important to be able to demonstrate that one knows where private and confidential data is located, how it is stored, and how it is protected. Part of that protection will often include encryption of data when it is stored persistently and ensuring that servers receiving protected data are properly authenticated, as discussed earlier.

Access to Information: Managing Identities and Authorizations
In addition to reviewing the flow of information and the servers that hold persistent copies of protected data, a high-impact security strategy begins with a review of identities and authorizations. Security technologies, such as SSL-encrypted communications and digital certificates, depend on sound business practices that ensure authenticated users are legitimately authorized to view and manipulate information.

The modern workforce is highly dynamic, in both good economic times and during downturns. Employees leave positions to join other firms or move internally, consultants and contractors augment staff during peak demand periods, and businesses form collaborative arrangements with business partners to more efficiently deliver goods and services to their customers. One of the tasks that cannot be fully automated is reviewing user accounts and the privileges they have. This task might sound relatively easy, at least once the responsibility is delegated, but it is often more complicated than it first appears.


There are several ways in which difficulties arise, including:

- Staff may change positions and require some, but not all, of their existing privileges as well as new privileges.
- Companies may use federated identity management, in which each company depends on the other to define the roles of its own employees. This may be difficult to monitor because each business depends on the other.
- Accounts may be shared, sometimes informally, within close working groups.
- Developers and systems administrators may establish common application and database accounts that are shared by pools of users. These accounts may not appear on a standard report of each employee's authorizations.

As these examples demonstrate, tracking identities and authorizations can lead to more complex arrangements than may be apparent at first.

The first step in developing a high-impact security strategy is to understand (1) how data moves through an organization and outside an organization; (2) how data is managed when it is stored; and (3) who has access to that data. As we can follow from this discussion, it sounds easier in theory than it is in practice. Once we have a handle on business processes and information flows, it is time to tackle another substantial, but doable, challenge: reviewing the technical infrastructure.

Review of Technical Infrastructure
With a solid understanding of how information flows, we can turn our attention to understanding how the infrastructure that supports those flows can be secured. In particular, we will examine three categories of infrastructure security:

- Network security measures
- Server and workstation security measures
- Application security measures

The goal in examining each of these areas is to identify the particular security issues that should be addressed in each of these segments of the IT infrastructure.

Network Security Measures
The overall goal of network security measures is to ensure that the flow of information over the network is authorized and limited to legitimate business purposes. This is a tall order. Some of the technologies that are required include gateways to control traffic in and out of the network, SSL encryption to protect the confidentiality of information flowing through the network, intrusion prevention and monitoring applications to detect unusual patterns in network activity, and vulnerability scanning tools to help identify weaknesses in infrastructure configurations and software. As we drill down into more specific technologies, we can see how each can help protect the network.


Perimeter Device Configuration

Gateways, or firewalls, have improved from relatively simple, stateless packet inspectors to devices that provide deeper and more complex analysis of data flowing over a network. Of course, gateways are still needed to control how data flows in and out of a network, and that starts with controlling which ports are open for use. Tunneling (the process of using one protocol to carry, as its payload, traffic in another protocol) is just one example of a data flow that is too complex for simple firewall rules to handle. A perimeter security strategy should consider ways such as these in which basic security measures may be circumvented. More advanced gateway devices, such as application firewalls, include software that can analyze data en route to an application and determine whether it is appropriate traffic.

Network Monitoring

IPS may further improve overall network security by analyzing traffic patterns and detecting anomalous activity. When planning on the use of IPS, it helps to understand how they work. IPS can detect anomalous network activity through the use of rules, by comparison to baseline statistical patterns, or both. An advantage of rule-based approaches is that rules can be shared across users of an IPS product. For example, an attack using a known vulnerability in an operating system (OS) component may require a particular sequence of actions to initiate, and an IPS could have a rule to detect that pattern. Statistical pattern methods are complementary and can help accommodate the unique activities on a network. For example, it may be perfectly normal for large data transfers to occur between servers in the middle of the night but not in the early morning. If the latter were to occur, it might be an indication of a data breach in progress.
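The two detection styles described above, as an added Go example written for this edition (it is not code from the book or from any IPS vendor): a shareable, signature-style rule fires on a pattern that is bad anywhere (here, the database server sending to an address outside the internal range), while a per-hour baseline learned from the site's own history flags a 38 GB transfer at 08:10 that would pass unnoticed at 02:00. The addresses, the week of training flows, and the probe flows are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"net/netip"
	"time"
)

// Flow summarises one connection the way a monitoring sensor might report it.
type Flow struct {
	When     time.Time
	Src, Dst netip.Addr
	Bytes    float64
}

// Rule is a shareable, signature-style check: a reason when it fires, "" otherwise.
type Rule func(Flow) string

// Baseline learns per hour of day how much data normally moves, so the same
// volume can be judged normal at 02:00 and suspicious at 08:00.
type Baseline struct{ n, sum, sumSq [24]float64 }

func (b *Baseline) Learn(f Flow) {
	h := f.When.Hour()
	b.n[h], b.sum[h], b.sumSq[h] = b.n[h]+1, b.sum[h]+f.Bytes, b.sumSq[h]+f.Bytes*f.Bytes
}

// ZScore is how many standard deviations f.Bytes lies above the mean for its
// hour, or 0 when that hour has fewer than minSamples observations to judge by.
func (b *Baseline) ZScore(f Flow, minSamples float64) float64 {
	h := f.When.Hour()
	if b.n[h] < minSamples {
		return 0 // no statistical verdict without history; the rules still apply
	}
	mean := b.sum[h] / b.n[h]
	sd := math.Sqrt(math.Max(b.sumSq[h]/b.n[h]-mean*mean, 0))
	// Floor the deviation so near-constant history cannot turn a small change into an enormous score.
	if floor := math.Max(0.05*mean, 1); sd < floor {
		sd = floor
	}
	return (f.Bytes - mean) / sd
}

// Detector pairs shared rules with the site-specific baseline; flows more than Threshold sd above normal are reported.
type Detector struct {
	Rules     []Rule
	Base      *Baseline
	Threshold float64
}

// Inspect returns one reason per check that fired for the flow.
func (d *Detector) Inspect(f Flow) []string {
	var reasons []string
	for _, r := range d.Rules {
		if why := r(f); why != "" {
			reasons = append(reasons, "rule: "+why)
		}
	}
	if z := d.Base.ZScore(f, 3); z > d.Threshold {
		reasons = append(reasons, fmt.Sprintf("baseline: %.0f MB at %02d:%02d is %.1f sd above the norm for that hour", f.Bytes/1e6, f.When.Hour(), f.When.Minute(), z))
	}
	return reasons
}

// Constructed addresses (transaction database, the warehouse it feeds, the
// internal range, an outside host) and the day after the training week.
var (
	dbAddr, dwAddr = netip.MustParseAddr("10.0.1.20"), netip.MustParseAddr("10.0.1.40")
	outsideAddr    = netip.MustParseAddr("203.0.113.9")
	internal       = netip.MustParsePrefix("10.0.0.0/8")
	probeDay       = time.Date(2024, 3, 11, 0, 0, 0, 0, time.UTC)
)

func at(h, m int) time.Time { return probeDay.Add(time.Duration(h)*time.Hour + time.Duration(m)*time.Minute) }

// newDetector trains on one constructed week (a 40-46 GB warehouse load every
// night at 02:00 plus a few MB of reporting traffic each business hour) and adds
// one shared rule: the database server must never talk to outside addresses.
func newDetector() *Detector {
	base := &Baseline{}
	for d := 0; d < 7; d++ {
		day := probeDay.AddDate(0, 0, d-7)
		base.Learn(Flow{day.Add(2 * time.Hour), dbAddr, dwAddr, float64(40+d) * 1e9})
		for h := 8; h <= 17; h++ {
			base.Learn(Flow{day.Add(time.Duration(h) * time.Hour), dbAddr, dwAddr, float64(8+(d+h)%5) * 1e6})
		}
	}
	egress := func(f Flow) string {
		if f.Src == dbAddr && !internal.Contains(f.Dst) {
			return "database server sending to non-internal address " + f.Dst.String()
		}
		return ""
	}
	return &Detector{Rules: []Rule{egress}, Base: base, Threshold: 3}
}

func main() { // expect: nothing for the nightly load, then a baseline alert, then a rule alert
	det := newDetector()
	for _, p := range []Flow{{at(2, 15), dbAddr, dwAddr, 42e9}, {at(8, 10), dbAddr, dwAddr, 38e9}, {at(3, 0), dbAddr, outsideAddr, 500e6}} {
		fmt.Println(det.Inspect(p))
	}
}
```

Hours with too little history get no statistical verdict in this example; a production detector needs an explicit policy for that case (fall back to an all-hours baseline, or alert on any large transfer in an unfamiliar hour), would key the baseline by server pair rather than by hour alone, and would age out old history.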
Reporting and Alert Systems

It would be difficult to find a systems administrator or network manager complaining about not having enough data on network activity. Security systems, applications, and OSs are profuse generators of logging data. The problem is not a lack of data but extracting useful information from that data. Security information management (SIM) systems are tools for collecting, consolidating, and reporting from multiple devices. There are formidable challenges to building SIMs, and we should manage our expectations for these tools.

SIMs are useful today as consolidated reporting tools. Using protocols such as syslog and the Simple Network Management Protocol (SNMP), SIMs can collect data from multiple devices and help network administrators review data from across a variety of device types. As the technology advances, more complex analysis may become available, but in many cases a solid tool for reporting a diverse set of facts is already useful.

Network security at one level entails a combination of perimeter devices, network monitoring, and reporting systems. We have seen how the security of data flowing over the network is enhanced with the use of SSL encryption. Next, we will examine the role of server and workstation security measures in strategies for protecting IT infrastructure.


Server and Workstation Security Measures
Servers and workstations are like factories in an industrial society: they are producers of specialized artifacts that depend on each other for inputs and use shared resources for distributing their outputs. Unlike the physical world, where it would be difficult to masquerade as a factory, the digital world of servers and workstations does not have the same barriers to fraud. In terms of a high-impact security strategy, a key element is ensuring that servers and workstations can trust each other. For example, when a Web service receives a message requesting a service or a piece of data, the server running that Web service needs to be able to trust the requestor if private or confidential information is being requested. SSL digital certificates are the standard means for establishing this trust. In addition to trusting that servers and workstations are what they appear to be, it is important to implement practices that protect the integrity of these devices.

Hardening OSs

A quick scan of a vulnerability database, such as the National Vulnerability Database (http://nvd.nist.gov/), will show many different types of vulnerabilities affecting a variety of components, including:

- Web servers
- FTP servers
- Media players
- Network management software
- Process monitoring applications

Some of the problems involve technical issues such as buffer overflows, and the allowance of remote execution of code and privilege escalation. If systems administrators do not have enough to keep themselves awake at night, a visit to a vulnerability database will solve that problem. Modern OSs are all complex, multifaceted applications, and they have vulnerabilities. One of the best ways to mitigate the risks associated with these vulnerabilities is to harden the OS; that is, minimize the number of services running and the types of applications available on systems, and properly configure the OS.

A general rule of thumb is that if a service is not needed, it should not be running. FTP servers, for example, have seen more than their share of vulnerabilities and exploits. If FTP is not required, do not run it. Similarly, production servers should not have compilers installed unless there is some compelling reason. Code should be developed and compiled on development servers and the binaries then ported to a production server. If an attacker were able to compromise a production server and had access to a compiler, the attacker could conceivably download code, compile it locally, and install it on the server. Of course, an attacker could also compile the code remotely and install it, but the attacker would need a compiler for every different type of system targeted; having access to a local compiler just makes an attacker's life easier.


Resource: For more information about hardening OSs, see the Bastille Linux Project at http://bastille-linux.sourceforge.net/ and the benchmark tools at the Center for Internet Security at http://cisecurity.org/bench.html.

Hardening also requires proper configuration, which includes changing default passwords, not reusing passwords across administrator/root accounts, enforcing a strong password policy, and shutting down unnecessary services and daemons. Hardening an OS should be a standardized procedure. Consistency can help improve overall security and ease administrative overhead. However, there are times when some servers should have additional controls put in place. For example, access to database servers may warrant strong authentication, such as multifactor controls or a challenge-response system.

Patching

A third element of a server and workstation security strategy is patching. We've already described the extent of vulnerabilities and one method for dealing with them (removing the vulnerable applications through hardening). Not all vulnerable applications can be removed, but many of them can be patched. Patching is a sufficiently complex process that it should be carefully considered and procedures formulated for it in a high-impact security strategy. Some of the key elements of a sound patching strategy are:

- Procedures for monitoring the availability of patches
- Methods for assessing the importance of a patch and the speed with which it should be applied
- Rankings of the different systems that should be patched so that IT support staff can prioritize patching operations
- Procedures for testing and then rolling out patches
- Bypass procedures for fast-tracking emergency patches (this should be done judiciously due to the risk of disrupting production operations when sufficient testing is not undertaken)

Servers and workstations require support from several elements of a security strategy, including the use of digital certificates, OS hardening, and patching to reduce vulnerabilities.


Application Security Measures
The third leg of the infrastructure review triad is application security. For our purposes, the term "application" includes software that ranges from monolithic mainframe applications to individual Web services. As part of a security strategy, businesses should assess application-specific security measures, including:

- Access controls
- Security testing
- Hardening application components

As we shall see, these considerations parallel some of the issues in server and workstation security; however, they tend to address security more from a software engineering perspective than from a systems management point of view.

Access Controls

At the very minimum, application security entails specifying who can use an application and what they can do, or in security parlance, authentication and authorization.

Think of authentication and what comes to mind? Probably common scenarios such as a user logging in to an email service, or verifying the identity of a business running a Web site by checking its SSL certificate (see Figure 3.3, which is actually displaying an Extended Validation (EV) SSL certificate, a form of digital certificate that requires more extensive verification than conventional SSL certificates).

Figure 3.3: When we visit a site, we want to make sure we are dealing with the business we think we are dealing with. In other words, we want to trust the Web site. SSL also supports mutual authentication, which allows the Web site to trust its visitors.

Users trusting a Web site are only half of the authentication process. Businesses need to verify that business partners, customers, and others who are given access to their applications are who they claim to be. Just as customers want to be sure of the identity of the business behind a Web site before handing over a credit card number, businesses need to be sure of who they are dealing with before handing over data or granting access to services.

This can be done with mutual authentication. For example, a retailer might want suppliers to have access to inventory levels as part of a just-in-time delivery plan. Mutual authentication is in the interest of all parties. The retailer probably does not want competitors poking around its operational databases, and suppliers would not want to lose the competitive advantage that access to detailed inventory information can provide.

Figure 3.4: Mutual authentication via digital certificates can be used to control access to confidential information and services.

Access controls are based on some level of trust. We trust users not to share their passwords, to change them frequently, and to not reuse them. A business could conceivably just hand out passwords to business partners, but that introduces new risks. For example, the business partner might deal with several retailers, each giving out passwords; to keep things manageable, the partner keeps the passwords written down on a sticky note, or worse, recorded in a wiki or other collaboration site. Digital certificates avoid this type of problem. Instead of trusting account users to keep passwords secret, we trust digital certificate providers to use reliable procedures to verify identities and to manage certificate operations, such as revoking certificates when needed. Note that the private key corresponding to a client certificate still has to be protected on the partner's system; the trust moves from password handling to key management rather than disappearing.

Security Testing
Security testing is a complex subject but one that can and should be managed in the scope of a broad security strategy. Security testing should be done before a new application is released to production and throughout the life of the application. Initial testing should include tests to ensure:
- Processes run with the least privileges required to function
- Applications fail securely; for example, if an unexpected input is passed to an application, the application should fail gracefully and not suffer a buffer overflow or similar problem that leaves the application in a vulnerable state
- Applications expose only needed functionality; this reduces the number of ways an attacker can compromise the system and is known as reducing the attack surface
- Unusual or unexpected events are logged with sufficient detail to enable administrators and developers to diagnose the problem
- Applications function properly on hardened servers (see the earlier section on hardening OSs)

Ongoing testing is required for several reasons. First, vulnerabilities in an application or constituent component may be discovered after the application is deployed. Second, during the course of routine patching, a new, unknown vulnerability could be introduced. Third, the configuration states of applications change over time, and users may be granted elevated privileges that introduce additional vulnerabilities. Also, applications may be used in new ways, such as providing data to business partners outside the enterprise network, which should prompt thorough testing. Automated testing tools and vulnerability scanners should be used to make this process more efficient than a completely manual operation.

Resource: See the Open Web Application Security Project (OWASP) for more information about best practices in application security testing at http://www.owasp.org/index.php/Main_Page.

Hardening Application Components
The last of the application security measures is hardening applications. As with OS hardening, the goal is to reduce vulnerabilities in an application. Security testing can reveal potential problems with software such as:
- Injection attack vulnerabilities. These can occur if inputs are not properly scrubbed before they are passed to modules or subsystems, such as database query processors; SQL injection attacks are perhaps the most well-known form of such attacks
- Insecure configurations in subsystems such as application servers and database listeners
- Hard-coded usernames and passwords for database accounts or other service accounts
- Unnecessarily elevated privileges

Many of these vulnerabilities can be corrected by changing code or configuration parameters. In other cases, additional measures, such as the use of application firewalls or database activity monitoring systems, may be warranted.

A review of technical infrastructure can help identify security measures for network security, server and workstation security, and application-specific measures. Not surprisingly, many fundamental security controls, such as the use of SSL for encryption, the use of digital certificates for authentication, and vulnerability scanning, play prominent roles in protecting IT infrastructure.

IT environments are highly dynamic. Reviewing business processes, workflows, and IT infrastructure at one point in time is necessary but not sufficient for developing and maintaining adequate security. An ongoing governance process is required as well.

Security Policies and Governing Procedures
Security practices in an organization may begin with best practices established by the security community but will inevitably change to accommodate the particular needs of the organization. Costs and benefits are balanced. Compliance requirements are targeted. Business strategies are accommodated. Even given such dynamic constraints, it is important to formulate policies and governing procedures to avoid ad hoc responses to situations and to ensure that lessons learned over time are captured and incorporated into ongoing procedures.

In order to maintain a high-impact security strategy, well-defined policies and procedures should be established covering a number of topics:
- Use of encryption to protect the confidentiality of data at rest and data in motion
- Use of server authentication and mutual authentication for application services; these policies should describe when digital certificates should be used, the limits of self-signed digital certificates (that is, digital certificates created by the user of the certificate, not a trusted third party), and the need for mutual authentication in Web services providing private or confidential data
- An overview of patch management procedures, including monitoring the release of patches, testing patches prior to use in production environments, and exceptions for emergency patching
- Processes for hardening OSs and applications to eliminate known vulnerabilities
- Use of vulnerability scanning and reporting tools
- Workstation security practices, including the use of antivirus, anti-spyware, personal firewalls, and disk encryption
- Secure use of mobile devices and limits on the types of data that may be copied to mobile devices
- Security awareness training for staff, contractors, and consultants as well as acceptable use policies clearly describing the types of activities that may be performed on the organization's IT infrastructure
- Auditing and monitoring requirements to maintain compliance with government and industry regulations

Policies addressing these areas and others related to security require maintenance. They have to be modified to accommodate changes in technology, business practices, and business strategy. Governing structures that include both IT and business executives familiar with the breadth of the business environment and current strategy are necessary to ensure that policies and procedures remain useful guides to security practices and not simply documents on a shelf shown to auditors once a year.

Summary
Creating and maintaining a high-impact security strategy begins with understanding business processes and workflow. This process is followed by an analysis of IT infrastructure, particularly networking services, servers and workstations, and applications. The final step is creating policies and governing procedures that shape and maintain a sufficiently secure environment. Throughout this chapter, we have seen recurring reference to fundamental security technologies such as SSL, encryption, and digital certificates as well as core security practices, such as application and OS hardening and vulnerability scanning. This should be no surprise. These technologies and practices are well-established elements of information security best practices that one will see over and over again.

Chapter 4: Best Practices for Implementing a Business-Centric Security Management Strategy


A business-centric security management strategy is multifaceted and takes into account both the technical and organizational aspects of information security. Throughout this guide, we have seen how security threats and vulnerabilities can undermine business operations and integrity, and we have discussed methods for developing a security strategy. In this, the final chapter of the guide, we turn our attention to examining best practices for implementing a business-centric security management strategy.

So how is business-centric any different from other approaches to information security? The starting point is the business strategy. What are the goals and objectives of the business (or other organization) and how are they implemented? The answers to those questions start to frame the security discussion because we can assess risks to particular business processes and assets. Part of that assessment process is determining a relative value for an asset or process that is being protected. For example, we wouldn't invest more than the value of a car in an anti-theft device for the vehicle. The same logic applies in information security. We mitigate risks to business information assets according to the value of those assets and the priority we assign to them.

Once we understand threats, vulnerabilities, and the risks and costs associated with them, we can then formulate a security strategy for protecting the business. This chapter examines specific methods for mitigating information security risks. As we shall see, one security control, or measure, can help reduce multiple risks, and every risk is ideally mitigated by more than one control. Of course, the reality of business is that we cannot always have our best-case scenario, but we strive to get as close as possible.

The fundamental areas of a business-centric security management strategy include:
- Protecting critical servers
- Protecting mobile devices and communications
- Deploying sufficient network defenses
- Providing end-user training

Figure 4.1: A guiding principle of best practices in business-centric security strategy is to apply multiple security controls in an overlapping manner to create a defense-in-depth approach to mitigating risks.

The drivers behind the best practices in each of these areas are the need to maintain the confidentiality of business information, the integrity of that data, and the availability of information systems and assets. What follows is a non-exhaustive set of best practices that serve those drivers. Servers that support critical applications, maintain enterprise databases, and perform other essential functions are a good place to begin our discussion.

Protecting Critical Servers
A critical server is one that, if it were to go down or otherwise have degraded performance, would have an adverse impact on business operations. Examples include email servers, database servers, and application servers used in production environments. It is important to classify servers in terms of their criticality because, as with data classification, some servers are more important than others; when it comes time to allocate information security resources, it is imperative to know how to prioritize server security spending.

What Constitutes a Critical Server?
How do we distinguish critical servers from non-critical servers? We need to start with business strategy and the business processes put in place to support it. Note that we do not start by asking the opinions of users of those servers. Developers, for example, may consider their servers critical because in effect they are production servers from their perspective. If the developers' database server goes down, they will not be writing much database code; that does not, however, make it a production server and therefore possibly a critical server. Of all the production servers, some are critical because business processes depend on them, and if they were to fail, the business process could not be executed or could only be executed at a significantly slower pace.

Clearly this is a gray area where reasonable people can disagree. For example, many of us might consider a Web server hosting a site on corporate charitable giving a production system but not a critical one; if it were down for the day, it would be an inconvenience, but work could be made up when the system is restored. In general, we can think of critical servers as the subset of all enterprise servers that are most important for business operations. Many, but perhaps not all, production servers may be categorized as critical.

[Figure 4.2 diagram: three nested sets labeled All Enterprise Servers, Production Servers, and Critical Servers, from outermost to innermost.]
Figure 4.2: Servers can be categorized in terms of criticality to business operations. Critical servers have the highest priority for security measures because their disruption can have a significant adverse impact on business operations.

Once critical servers have been identified, we can apply a defense-in-depth strategy to protect them. We should apply these principles to all servers if possible, but we should start with critical servers, then other production servers, and then all other enterprise servers if there are sufficient resources.

Some of the multiple, overlapping security measures we can use include:
- Encrypted communications
- Hardened operating systems (OSs)
- Locked-down databases running on those servers

These three measures represent the types of controls that can be applied to protect information exchange between servers, reduce the attack surface of the OS, and reduce vulnerabilities in core applications running on these critical servers.

Using Encrypted Communications
Servers can house data from the various data classification categories, such as public, sensitive, private, and confidential:
- Public data can be freely disclosed.
- Sensitive data should not be disclosed, but if it were, that would not cause significant harm to the organization. Examples of sensitive data include project schedules and approved vendor lists.
- Private data is data about a third party, such as a customer or patient, that must not be disclosed outside of established procedures.
- Confidential data is company proprietary data, such as trade secrets, that needs to be kept tightly controlled to prevent adverse effects on the organization.

In theory, we might only be concerned about protecting communications when private and confidential data is involved; however, as servers may share different categories of data, we should apply security to protect the category of data warranting the most control.

Consider a Web application with a product and order database. The product catalog, including product lists, descriptions, and current pricing, is public information. Customer order data, including shipping addresses, billing addresses, and credit information, is private. Rather than risk disclosing private customer data, all communications between the application and the customer should be protected with encrypted communications.

SSL/TLS is the industry standard method for secure communications (TLS is the IETF successor to SSL; TLS 1.0 was derived from SSL 3.0). It provides authentication, so that we can verify the identity of the server we are working with, as well as encryption of data communications between servers or between servers and clients. (Strictly speaking, the SSL/TLS standards also define cipher suites with null encryption, so a standards-compliant connection is not necessarily encrypted; in practice SSL/TLS is used for encryption, and the null and anonymous suites should be disabled in both server and client configuration.)

SSL-encrypted communications can help mitigate a number of threats:
- Man-in-the-middle attacks, in which an attacker intercepts messages between parties and alters the message stream. SSL encryption scrambles the content of messages, and the related integrity checks and certificate-based authentication let each party detect tampered messages and impersonated peers, provided the client actually validates the server's certificate rather than accepting any certificate it is offered.
- Eavesdropping on communications. Protecting against this threat is especially important if the communications travel over unencrypted or weakly encrypted wireless networks. An early wireless encryption standard, WEP, is fairly easily cracked and should not be depended on to protect the confidentiality of server-to-server or server-to-client communication. Fortunately, if the server encrypts data using SSL before it is sent over a weakly protected wireless network, attackers will not be able to decipher the message in any reasonable period of time.
- Insider attacks from persons with access to internal communications. An internal attacker who does not have access to an application or database may still be able to capture data from those systems if the data were transmitted in unencrypted form. Even in the case of communications between internal servers, there is often a need for encrypted communications.

Remember, data in motion is not protected by the application and database access controls that help protect that data when it is at rest.
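The two configuration points made so far, a client that verifies the server it is talking to (this section) and a server that demands a certificate from its peer (the mutual authentication case under Access Controls), come down to a handful of settings on an SSL/TLS context. The following is an added example written for this edit using Python's standard ssl module; it is not code from the guide. No connection is opened: the functions build contexts and summarize the settings that matter for review. The cipher string follows OpenSSL syntax, and the certificate and key file paths are hypothetical arguments the caller would supply.

```python
"""Added example (not from the guide): hardened SSL/TLS contexts with Python's
standard ssl module. Nothing connects anywhere; the functions return configured
contexts plus a plain summary of the settings worth reviewing."""
import ssl

# OpenSSL cipher string (assumption) that rules out the null-encryption and
# anonymous suites the text warns about. TLS 1.3 suites are managed separately
# by OpenSSL and are never null.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!MD5:!RC4"


def make_client_context(cafile=None):
    """Client side: require a valid certificate chain and a matching hostname,
    so an interposed attacker cannot terminate the connection in our place.
    cafile is an optional hypothetical path to a private CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def make_insecure_client_context():
    """The configuration to avoid: still encrypts, but trusts any certificate,
    which gives up the man-in-the-middle protection discussed above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_server_context(certfile=None, keyfile=None, client_cafile=None,
                        require_client_cert=True):
    """Server side. With require_client_cert=True the handshake fails unless the
    peer presents a certificate chaining to client_cafile: mutual authentication,
    the retailer/supplier case. All three paths are hypothetical."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx


def summarize(ctx):
    """Flatten the review-relevant settings into plain values."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if "NULL" in n or n.startswith(("ADH", "AECDH"))]
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "null_or_anon_suites": len(weak),
        "cipher_count": len(names),
    }


if __name__ == "__main__":
    for label, ctx in (("client (hardened)", make_client_context()),
                       ("client (insecure)", make_insecure_client_context()),
                       ("server (mutual auth)", make_server_context())):
        print(label, summarize(ctx))
```

The server context is built without a certificate so that the example runs stand-alone; in use, `load_cert_chain` must be given the server's own certificate and key, and `client_cafile` must point at the CA that issues the partners' client certificates, otherwise no peer can pass `CERT_REQUIRED`.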

Hardening Server OSs
Hardening an OS reduces the potential vulnerabilities by using several techniques:
- Changing default configurations
- Removing default accounts
- Shutting down services that are not required
- Removing applications not needed in a production environment, such as removing compilers on production servers that run applications developed and compiled on other servers
- Reducing privileges on all accounts to the minimum set needed to perform business operations
- Patching the OS to apply security updates

Resources: For more information about hardening OSs, see the Bastille Hardening program at http://bastillelinux.sourceforge.net/ and the Center for Internet Security Benchmarks at http://cisecurity.org/bench.html.

We should also apply the same principles to enterprise applications running on these servers. We'll consider databases as an example.

Locking Down Databases
Databases are a prime target for attackers because databases often store valuable information. Even if the server uses SSL-encrypted communications and the OS is hardened, attackers may be able to steal data by attacking at the application layer. Locking down a database includes several steps:
- Removing or disabling default accounts and schemas
- Changing default passwords
- Removing unnecessary database options
- Securing the database listener, the process that establishes connections to the database
- Applying access controls to database files and directories
- Implementing strong password policies or other authentication measures to reduce the risk of password-cracking attacks

In addition to securing the database server, developers should be aware of coding techniques for avoiding SQL injection attacks. All the measures previously listed will not block an apparently legitimate query that is sent to the database by an approved application. It is the developer's responsibility to implement application code that is not vulnerable to such attacks.

Resource: See Colin Angus Mackay's "SQL Injection Attacks and Some Tips on How to Prevent Them" for more on this topic.

In addition to protecting servers, businesses should adapt their security measures to protect information when it is stored or used on mobile devices.
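The injection the paragraph above warns about, and the bind variables (parameterized queries) that the Firewalls discussion later names as the developer's line of defense, are easiest to see side by side. What follows is an added example written for this edit, not code from the guide or from the cited article: a vulnerable query built by string concatenation, the parameterized form that closes the hole, and a crude input screen of the kind an application firewall might apply as a second layer. The table and rows are constructed for the demonstration and run against an in-memory SQLite database from the Python standard library.

```python
"""Added example (not from the guide): SQL injection against an in-memory
SQLite database, beside the parameterized query that prevents it."""
import sqlite3


def build_db():
    """Constructed sample data: a tiny customer-orders table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice", "4242"),
        (2, "bob", "1881"),
        (3, "carol", "0005"),
    ])
    return db


def orders_vulnerable(db, customer):
    """Builds the statement by concatenation: the classic mistake. A tautology
    such as  nobody' OR '1'='1  in `customer` turns the WHERE clause into
    ... WHERE customer = 'nobody' OR '1'='1'  and returns every row."""
    sql = ("SELECT id, customer, card_last4 FROM orders WHERE customer = '"
           + customer + "'")
    return db.execute(sql).fetchall()


def orders_parameterized(db, customer):
    """Passes the value as a bind variable. The driver never interprets it as
    SQL, so the same payload simply matches no customer."""
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return db.execute(sql, (customer,)).fetchall()


def looks_like_injection(value):
    """Hand-picked marker list (assumption, not any product's rule set) in the
    spirit of an application firewall screen. Useful as a second layer and for
    alerting; it is not the fix, because it also trips on legitimate input
    such as the surname O'Brien."""
    lowered = value.lower()
    markers = ("'", "--", ";", " or ", " union ", "/*")
    return any(m in lowered for m in markers)


if __name__ == "__main__":
    db = build_db()
    payload = "nobody' OR '1'='1"
    print("vulnerable:    ", orders_vulnerable(db, payload))
    print("parameterized: ", orders_parameterized(db, payload))
    print("screened:      ", looks_like_injection(payload))
```

The parameterized form is the one that belongs in application code; the screen only illustrates why the text says both the application firewall and the developer are needed for defense in depth, since each catches what the other misses.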

Protect Mobile Devices and Communications
Mobile devices are now commonplace. Smartphones, netbooks, laptops, and other mobile devices are de facto parts of the IT infrastructure. We do not generally consider mobile devices as part of the IT asset base, which includes servers, network hardware, desktop devices, and so on. This must change. Employees, business partners, contractors, consultants, and customers are using mobile devices to conduct business. Businesses with large consumer customer bases, such as banks, are creating mobile versions of their online services, such as online banking. Mobile devices are an established and widely adopted platform that we need to consider in a business-centric security strategy.

There is a significant difference between many mobile devices used for business and other IT hardware: the mobile devices are often not owned by the business. Obviously, this means that a business is not in full control of the device; thus:
- There is no standard platform for all mobile devices used for the business
- IT probably does not have an inventory of mobile devices
- These devices are not managed within a business asset management program

There are, however, ways businesses can control what business data and business operations are allowed on non-business-owned mobile devices. This is done through a series of security policies that define security controls that should be in place before business is conducted with an employee-owned mobile device. These policies assert a business need to protect information assets while recognizing that the mobile device is ultimately owned and controlled by someone else. To distinguish these different types of devices, we will refer to employee- or other third-party-owned devices as semi-managed devices.

Figure 4.3: Mobile devices owned by employees are only semi-managed; however, they may be subject to policies governing the conditions under which business data may be stored on or transmitted to those devices.

For both managed and semi-managed mobile devices, businesses can use several policy and technical measures to reduce risks to data related to mobile devices:
- Encrypting communications with mobile devices
- Authenticating mobile devices with digital certificates
- Maintaining OS patches
- Keeping antivirus software up to date

As with server security, we use multiple measures to implement our defense-in-depth strategy. That strategy enables us to mitigate multiple risks with a single security control and to apply multiple controls to individual risks.

Encrypt Communications with Mobile Devices
Data that is transmitted to and received from mobile devices may be sent over wireless communication providers' private cell phone networks as well as the Internet. This may not be a concern for many types of communications, but when dealing with private and confidential data, especially when there is a regulatory responsibility to protect this data, encrypting communications to mobile devices may be necessary.

Unlike some of the other security controls we can dictate for mobile devices, this one is well within the control of the business. Private and confidential data is sent only over an SSL-encrypted communication channel. Part of the SSL protocol defines a handshaking procedure between the server and client, so we can be sure that the client will receive the data only after establishing a secure connection. Of course, without sufficiently strong authentication, we run the risk of transmitting data to a spoofed device.

Authenticate Mobile Devices with Digital Certificates
Digital certificates are a key part of ensuring we are communicating with the mobile device we believe we are communicating with. This allows parties in a communication session to authenticate the identity of the devices with which they are dealing. Let's take a look at digital certificate capabilities on a couple of mobile device platforms.

When using the Windows Mobile 6 OS, it is relatively easy to install digital certificates. Windows Mobile is preconfigured to manage three types of certificates:
- Personal certificates maintained in the MY store
- Intermediate Certification Authority (CA) certificates, which are stored in the CA store
- Root CAs, which are stored in the ROOT store

These certificates are used by applications communicating with the device. For example, Microsoft Exchange ActiveSync verifies the trustworthiness of a device by examining its digital certificate. Windows Mobile also provides a cryptography application programming interface (API) for working with digital signatures and digital certificates.

The popular BlackBerry smartphone also supports digital certificate-based authentication. These mobile devices support the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) for mutual authentication and the use of client digital certificates.

Mobile device vendors and software developers are providing some of the tools needed to secure mobile device communication and provide for digital certificate-based authentication. It is the business's role to create policies defining when this functionality should be used.

Maintain OS Patches
Mobile devices are like other devices on the corporate network: they run complex OSs that occasionally need to be patched. Not all patches are security patches, but when a patch is released to correct a vulnerability, the patch should be installed in order to reduce risks. Many smartphones are personally owned, so businesses cannot force device owners to patch. There may be legitimate reasons for not patching. For example, if a patch to correct one problem introduces another, the user may conclude from their perspective that they would rather live with the security vulnerability. This may not be in the best interest of the business.

In general, there are two methods for ensuring devices are properly patched and configured. Network access control servers can query a device trying to connect to the network and determine whether the device's configuration meets minimum requirements. This works well when a conventional laptop running Windows connects to the network, but may not be sufficient for all the smartphone platforms that could try to establish a connection. An alternative method, and one that should be in place even if network access controls are in place, is a policy that dictates the configuration and security expectations for using a corporate network. This obviously does not have the same enforceability that technical controls have, but it at least puts users on notice that there are minimum security requirements for using a smartphone within the business network environment.

Keep Antivirus Up to Date
In a similar manner, mobile devices should maintain up-to-date antivirus and other anti-malware applications. Applications running on smartphones can open infected documents and inadvertently download malicious content as easily as they can on laptops, so comparable protections should be in place on both platforms.

Use Encryption on Mobile Devices
It would be unfortunate if the data communicated over an SSL-encrypted channel were leaked once it arrived at the mobile device because of unencrypted storage. SSL encryption only protects data in motion; once it lands on the device and is decrypted during the last steps of the SSL communications protocol, it is up to the platform OS and applications to protect the data. Device encryption is one part of the solution to the problem. When selecting an encryption program for a mobile device, be sure to consider the need to encrypt data on permanent and removable media, such as SD cards.

Protecting mobile devices and communications requires multiple layers in accordance with a defense-in-depth strategy. These layers include encrypting data during communication with SSL technologies, authenticating devices with digital certificates, maintaining OS patches, keeping anti-malware up to date, and mitigating the risk of a data leak by using device encryption for both permanent and removable storage devices.

Network Defenses
Network security was at one time practically synonymous with information security. We've moved well beyond those days, as we see from the demands for mobile device and communication security. Network security is still an essential element in information security, of course, and no description of business-centric security management, no matter how brief, would be complete without it. The following discussion is not exhaustive but does highlight the controls that can be used to mitigate threats to the network and to devices on the network. These include:
- Deploying and configuring network perimeter devices
- Filtering content on the network
- Monitoring and auditing network activity

Deploying and Configuring Network Perimeter Devices
The purpose of network perimeter devices is to keep malicious attackers, content, and software off the network while preventing valuable data from leaking. This goal is easily stated, but the implementation is somewhat more complex. For starters, the types of material that should be blocked range from malicious software to content that is offensive or inappropriate for the business environment. Preventing data leaks is challenging because it requires policies and rules that define the type of content that should not be sent unencrypted outside the network as well as how to identify that type of content. (One of the additional benefits of using SSL encryption is that there is significantly less risk of the content that legitimately leaves the network being compromised by data thieves.)

Blocking malicious content and unauthorized access requires a number of security controls:
- Firewalls
- Intrusion prevention systems (IPSs)
- Network access controls

These controls complement each other by addressing different types of threats.

Firewalls
Firewalls are still a staple of network security, although architectural changes have made the perimeter more porous than it has been in the past. Firewalls have evolved from stateless devices that could block or not block a port or filter out a particular type of network traffic to systems that can inspect deep into the contents of the packet, use information about the state of a session, and apply application-specific rules to identify and block unwanted content.

Network firewalls can still act as gateways between network segments and should be deployed where clear lines of separation are needed. Application firewalls should also be used when there is a need to filter content to critical applications. For example, an application firewall may be used to scan input to a Web application in order to block user input designed to conduct a SQL injection attack. This type of application firewall would provide one line of defense against SQL injection attacks. Developers who write code that validates user input, uses bind variables (parameterized queries), and applies other techniques for avoiding SQL injection vulnerabilities constitute another line of defense. Both are needed when practicing defense in depth. As more programmatic services depend on HTTP to send and receive data, the traditional role of the port-blocking firewall is changing. Blocking most ports but allowing HTTP data still allows a great deal of traffic into the network. Application firewalls and other means of deep packet inspection are required to detect threats tunneling in on HTTP traffic.

IPSs
IPSs should be deployed to monitor the state of the network and hosts. IPSs can use signature patterns, behavioral analysis, or both to detect anomalies on the network, such as:
- Large volumes of traffic from a server that normally has low traffic activity at that time of the day
- Attempts at password cracking
- Known OS vulnerability attacks
- Denial of Service (DoS) attacks
- Web application exploits

Unlike firewalls, IPSs are not about just blocking content by packet type or port but analyzing content and its impact on devices. This functionality is important because not all malicious content can be blocked by gateway devices. Some malicious content is not apparent until it enters the network and begins to interact with devices on the network; that is when an IPS can provide additional measures to detect and block that kind of activity.

Network Access Controls
Network access controls are gatekeepers for allowing and blocking access to network resources. Whereas firewalls operate at the packet level to block content, network access controls determine who and what devices will be allowed to establish a connection to a corporate network. Ideally, a deployed network access control will enforce established policies, such as:
- Who is allowed to access the network based on their identity
- User roles that determine what resources users may access once they have established connections to the network
- Ensuring devices connecting to the network meet minimum configuration requirements
- Varying access privileges based on the type of device; for example, allowing only limited access to network resources from unmanaged devices

Network access controls are recommended when remote users regularly connect to the network, especially when unmanaged devices are used to work with corporate assets.

Filtering Content on the Network
Content filtering is a network-based method for scanning content as it enters or leaves the network to prevent unwanted material such as:
- Viruses, worms, Trojans, and other malware
- Spam and phishing emails
- Spyware and adware
- Content that is offensive or inappropriate for a business environment

Most endpoint devices today, such as desktop workstations and laptops, run a full suite of antivirus, anti-spam, and anti-spyware applications, but network protection is also advised. The combination of endpoint-based security measures and network-based measures provides defense in depth against these threats.

Network content filters have an added benefit of keeping employees and others from downloading content from or surfing to inappropriate sites while on the job. For an additional layer of defense, businesses can use third-party Web content filtering services, such as the free OpenDNS service (http://www.opendns.com/). This service provides domain name services but also allows users to block access to specific types of sites, such as adult, gambling, shopping, and other user-selectable categories.

Monitoring and Auditing Network Activity
An unintended consequence of deploying various network security devices is that these devices can generate a great deal of log data. This presents a set of all-too-common problems:
- Each type of device generates log data specific to the device
- The data is distributed across different systems
- There is so much data that it is sometimes difficult to cull out useful information

One way to help improve the management efficiency of network monitoring is to use a log aggregation tool. These can collect data from multiple devices using common protocols, such as syslog and Simple Network Management Protocol (SNMP) traps, and perform basic data transformations, such as normalizing timestamps. The advantage of these log aggregation tools is that a network manager can retrieve multiple types of log data from a single application, and basic integration has already been performed. The quality of integration and the ability to detect and highlight important events will likely improve in the future, but these tools can still reduce the burden on network management today.

Network security measures are like common goods: all parts of the infrastructure and business processes benefit from their use. If we start with a business-centric view of network security, we would want many of the standard network security controls, such as firewalls, IPSs, and network access controls. Also, monitoring network activity can become time-consuming without tools that can help managers keep up with the volume of log data that these other security measures generate.

The collection of technical controls we have discussed, from measures to protect critical servers and secure communications to protecting mobile devices and network assets, is just one part of a business-centric security strategy. Another part is a focus on end-user training on information security.
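Timestamp normalization sounds like housekeeping, but it is what makes cross-device detection possible: the password-cracking pattern listed under IPSs above may be invisible in any single device's log and obvious once two devices' records sit on one clock. The following is an added example written for this edit, not code from the guide or from any monitoring product. It normalizes two constructed log formats (a syslog-style VPN gateway line with no year or time zone, and a CSV application-server line with a local UTC offset) into one record shape in UTC, then runs a sliding-window failed-login detector over the merged stream. Both formats and all log lines are constructed for the demonstration.

```python
"""Added example (not from the guide): merge two device log formats into one
record shape with UTC timestamps, then detect password guessing across them."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed syslog-style lines from a hypothetical VPN gateway: no year and no
# zone, so the collector must supply both during normalization.
VPN_LOG = """\
Mar 12 09:15:02 fw01 vpnd: auth failure user=jsmith src=203.0.113.7
Mar 12 09:15:09 fw01 vpnd: auth failure user=jsmith src=203.0.113.7
Mar 12 09:15:15 fw01 vpnd: auth success user=mlee src=198.51.100.20
"""

# Constructed CSV lines from a hypothetical application server: ISO 8601 with a
# -05:00 offset, so its clock reads five hours "earlier" than the gateway's.
APP_LOG = """\
2024-03-12T04:15:21-05:00,app01,LOGIN_FAIL,admin,203.0.113.7
2024-03-12T04:15:33-05:00,app01,LOGIN_FAIL,root,203.0.113.7
2024-03-12T04:16:40-05:00,app01,LOGIN_FAIL,jsmith,203.0.113.7
2024-03-12T04:20:00-05:00,app01,LOGIN_OK,mlee,198.51.100.20
"""

SYSLOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) vpnd: auth (\w+) user=(\S+) src=(\S+)$"
)


def parse_vpn(text, year, device_tz=timezone.utc):
    """Syslog carries no year or zone; the collector must know the device clock."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        stamp, host, result, user, src = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts.replace(tzinfo=device_tz), "host": host,
               "event": "auth_fail" if result == "failure" else "auth_ok",
               "user": user, "src": src}


def parse_app(text):
    """CSV with an explicit offset: convert to UTC so both sources compare."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, result, user, src = line.split(",")
        yield {"ts": datetime.fromisoformat(stamp).astimezone(timezone.utc),
               "host": host,
               "event": "auth_fail" if result == "LOGIN_FAIL" else "auth_ok",
               "user": user, "src": src}


def normalize_all(vpn_text, app_text, year):
    """One time-ordered stream of uniform records from both devices."""
    records = list(parse_vpn(vpn_text, year)) + list(parse_app(app_text))
    return sorted(records, key=lambda r: r["ts"])


def detect_password_guessing(records, threshold=4, window=timedelta(minutes=2)):
    """Sliding window per source address: alert when `threshold` failures fall
    within `window`, whichever devices reported them. Returns tuples of
    (src, first_failure_iso, last_failure_iso, count)."""
    alerts = []
    recent = defaultdict(list)
    for r in records:
        if r["event"] != "auth_fail":
            continue
        q = recent[r["src"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            alerts.append((r["src"], q[0].isoformat(), r["ts"].isoformat(), len(q)))
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    merged = normalize_all(VPN_LOG, APP_LOG, year=2024)
    for r in merged:
        print(r["ts"].isoformat(), r["host"], r["event"], r["user"], r["src"])
    print(detect_password_guessing(merged))
```

With a threshold of four failures in two minutes, neither device's log alone produces an alert (the gateway saw two failures, the application server three), while the merged, UTC-normalized stream shows five from the same address and fires once. Getting the gateway's year and zone wrong would push its records hours or a year away from the application server's and silence the detection, which is why normalization is listed among the aggregation tool's basic duties.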

Security Awareness
The old adage says a chain is only as strong as its weakest link; the same goes for information security. Too often, it is the users, and not technical controls, that fail us. A business-centric security strategy needs to consider security awareness topics and training delivery methods to mitigate threats due to human error and poor judgment.

Security Awareness Topics
The range of security awareness topics that could be covered in training is as broad as the threats, vulnerabilities, and countermeasures that security professionals deal with on a day-to-day basis. We do not need to turn all users into security professionals, and it is sufficient to focus on several fundamental topics that together can help mitigate threats:
- Training on security policies within the organization
- Types of threats to the devices commonly used in business, including mobile devices
- The need to protect data in motion with SSL-encrypted communications
- Threats from spoofing and mistaken identity and how to prevent them with the use of digital certificates
- Threats of data breaches from lost or stolen mobile devices and the need for encrypting stored data
- Phishing and other forms of social engineering attacks
- Malware, infected documents, malicious Web sites, and drive-by downloads

Admittedly, some of these topics can be a bit dry (only some of us care to delve into the details of things like SSL/TLS handshake protocols). How we present security awareness training is as important as what we present.

Effective Security Awareness Training
Effective security awareness training is delivered in a business context, not a technical context. Business users do not need to know the intricacies of asymmetric encryption, but they do need to understand that their business data is threatened if they lose their laptops or someone intercepts their wireless communications while emailing from a coffee shop. Another important aspect of context is the set of security policies that a business establishes. Those policies are formulated for reasons, and those reasons must be conveyed to the users. In general, security awareness training should focus on business fundamentals, such as protecting the confidentiality, integrity, and availability of systems. With those as framing principles, the training can then move on to examine high-level threats, including malware, phishing and social engineering attacks, and data breaches. Next, we can focus on solutions, such as SSL encryption, digital certificates, safe browsing practices, and clues to watch for in phishing scams. Not everyone finds information security an engaging topic, and they shouldn't have to in order to understand the impact of security risks to the business.

Checklist of Practices and Technologies
We have covered quite a few topics in this chapter; to recap, the following quick checklist of practices and technologies can be incorporated into your business-centric security strategy:

• Secure communications with SSL (in practice, its successor TLS): Data in motion does not have the advantage of the access controls in place with data at rest; encryption provides added protection against a number of threats
• Use digital certificates to authenticate devices, from servers to mobile devices: Rather than assume we can trust the device to which we are about to send confidential data, verify the device's identity first. Verifying means checking that the certificate chains to a trusted CA, matches the name being connected to, and has not expired or been revoked; a client that ignores verification errors gets no protection from the certificate
• Protect against malicious content with anti-malware and content filtering on the network and on endpoint devices
• Use network security controls such as firewalls, IPSs, and network access controls
• Develop a patch management plan to ensure OSs and critical applications, such as databases, are patched against security vulnerabilities
• Monitor network and host activity: The volume of log data from devices can be substantial; data collection and reporting tools can help
• Train end users by focusing on delivering information from a business-centric, not a technical, perspective
• Think in terms of defense in depth and use multiple security controls to protect against a single threat: Fortunately, many security controls protect against multiple threats as well

To summarize, a business-centric security strategy starts with the requirements of the business, assesses the threats and vulnerabilities to the business, and formulates a combination of organizational and technical controls to mitigate risks. Several technologies, such as SSL-based encryption, digital certificates, anti-malware, and network security controls, as well as organizational controls, including policies and end-user training, can be used collectively in a defense-in-depth manner to improve the security of the enterprise.
