written by: Tom Olzak, CISSP•edited by: Bill Bunter•updated: 5/7/2010
In this final installment of the Information Security Primer series, we'll examine some fundamentals of risk management, specifically the components of a sound security program. The proper application of risk management principles provides the framework upon which managers base the reasonable and appropriate application of security controls.
slide 1 of 5
Risk Managment Defined
The application of controls to achieve confidentiality, integrity, and availability should always be applied judiciously. This is the role of Risk Management. Risk management is the process of reducing and maintaining risk at an acceptable level through the use of a well-defined and actively employed security program. The security program should always weigh the business impact of a security incident against the cost of protecting against that incident. It's a wise manager who doesn't unnecessarily spend a large percentage of her working capital in an attempt to completely eradicate all system vulnerabilities.
slide 2 of 5
Elements of a Security Program
In order to effectively employ the information security concepts introduced in the previous articles, an organization must have a well documented and active security program.
A security program consists of policies, procedures, standards, and guidelines defining a framework upon which to build three basic types of security controls: prevention, detection, and recovery. Figure 1 shows the relationship between these layers.
The first layer of controls is designed to prevent a threat agent from exploiting a vulnerability resulting in business impact. When presented with a threat, prevention controls attempt to block it from reaching its target. If the prevention controls fail to stop the threat agent, the second layer of controls is intended to detect the unusual activities that serve as warning signals that a security incident may be imminent or in process. If it's determined that a security incident is occurring, the third layer of controls is activated. These controls are designed to identify, contain, eradicate, and manage the threat agent and its effects, thus mitigating the impact on the business.
Within each of these control layers there are three control areas: physical, administrative, and technical. The following sections describe each of the control areas and the security controls that commonly fall into each.
Physical prevention controls are intended to block physical access by humans or to mitigate physical damage by natural or man-made events. Physical prevention controls include:
Man traps (see Figure 2)
Secure data centers and limited access to buildings through the use of badge systems, locks, etc.
Stationary or roving security guards
Alternative power sources, such as uninterruptible power supplies or generators
Fire detection and suppressions systems. The proper selection of fire prevention and suppression systems affects the amount of damage caused by a facility fire.
Administrative controls implemented to prevent the success of threat agents focus on the management of people and processes. Common controls of this type include:
Policies, procedures, standards, and guidelines
Tested business continuity plans
Separation of duties
The third area of prevention controls consists of hardware and software. These technical controls designed to block threat agents include:
Smart cards. A smart card is a physical device about the size of a credit card that contains user authentication information. It's usually used in addition to a user ID and password. A user must have the smart card in his possession to log on to his PC or to the network.
Encryption. This is the conversion of readable plaintext information to unreadable ciphertext. Highly sensitive data should be encrypted both while traveling over the network and while at rest on a drive, tape, or other storage medium.
Operating system access controls.
Biometrics. This is the use of one or more biological attributes to identify a user attempting to authenticate to a system. These attributes include finger prints, finger or hand geometry, retinal scans, typing patterns, and voice recognition.
Anti-virus and anti-spyware software.
Intrusion prevention systems, both host and network based.
Controls in the same three areas are used to detect threat agents or their effects if the prevention controls fail. Physical detection controls include:
Smoke and fire detectors.
Sensors and alarms.
As with administrative prevention controls, administrative controls designed to detect evidence of current or intended malicious activity against information assets are focused on management actions, including:
Rotation of duties.
Security reviews and audits.
Mandatory vacations. Mandatory vacations serve the same purpose as rotation of duties. Someone else must look at the work the vacationing employee has been doing.
Finally, audit trails and intrusion detection systems are implemented to provide technical detection controls.
How prevention and detection controls are implemented is often just as important as the controls themselves. There are two primary principles that should govern the deployment of security controls: diversity in design and defense in depth.
The diversity in design principle deals with the degree of variety in implemented controls. By variety is meant not only the types of controls but also the number of vendors and approaches to applying control features. Let's look at Figure 3 as an example.
From the Internet, packets must travel through a firewall to reach the organization's DMZ. The DMZ is home for a Web server and a front-end email server. Only packets destined for port 25 on the email filtering server or port 80 on the Web server are allowed through the external firewall. However, it's possible for an attacker to crack the security of this device. If this happens, the attacker has access to all devices in the DMZ. Since the DMZ devices are hardened and contain no sensitive information, the attacker will most certainly attempt to get to the internal network where the pickings are usually easier and richer.
If both firewalls are the same model from the same vendor, the attacker's job is much easier. The actions she takes to crack the external firewall will probably work quite well in cracking the internal firewall. But in our example, the firewalls are from different vendors. This means that the techniques the attacker uses to crack the first firewall will probably not work on the second. Since cracking a hardened firewall typically requires significant effort, the work factor associated with cracking two dissimilar firewalls may be too great for the attacker's liking. Diversity in design will increase the work factor to a level much higher than that of a network with a single vendor design.
There is often one big disadvantage to employing this approach to network defense. Your network team must understand multiple vendor device configurations. In this example, it might increase the total cost of ownership of the diverse firewalls.
Defense in depth is a layered approach to applying controls. Figure 4 depicts the various layers that an organization should consider. Each of the physical, administrative, and technical categories on the stairway leading to Information Security should be assessed as part of an effective risk management effort.
Each layer is designed to provide support for the layers below it, and to prevent or detect the advance of an attacker to his objective. The layers work in concert to delay and frustrate. It's the combination of the right policies, processes, and controls at the appropriate layers that provide a secure processing environment.
Recover is slightly different from prevent and detect. Although prevent and detect rely in part on process, recovery activities are all about processes; processes that identify, contain, eradicate, and control. These processes are combined to form an organization's Incident Management Program. Figure 5 shows how the various processes relate to each other.
Once a security event is detected, the first step is to identify what is occurring. For example, if a malware attack is suspected, what type of malware is it? What is the potential impact? How widespread is the infection? If an intruder has cracked a server, what data may be compromised? Is the intruder still accessing the information? The goal of the identify process is to correctly define what's happening, how it is happening, and the scope of the attack. This helps with the next process, contain.
Once the attack parameters are defined, the impact on the business must be mitigated. This is called containment. If malware has infected a machine, disconnect the machine from the network. If the infection has spread to several computers on a floor at the corporate office, disconnect the floor. In the case of an intruder, remove her path to the target system. If the path is unclear, shut down the system. The goal of containment is to minimize the business impact of the attack.
Beyond physical containment, communication to shareholders, employees, and customers may be necessary to properly convey information about the attack and to curtail rumors. In addition, regulatory requirements might mandate a communication to affected parties that a potential compromise of personal information has occurred.
Once the attack is contained, all threat agents must be eradicated. For malware, this means running vendor supplied removal programs, applying patches, or even re-imaging PCs. For other types of attacks, notification of law enforcement or the termination of one or more employees may be appropriate. The Incident Management process should include a list of actions to take based on the type of attack identified. The purpose of eradication is to remove all remnants of the attack from your network.
The control or management process wraps up the management of an incident by answering four questions:
What was the cause
What controls failed or were missing
What steps can be taken to
Prevent similar future incidents
Detect similar future incidents faster
Recover from similar future incidents more quickly
The primary tool of the control process is the After Action Review (AAR). The AAR is a meeting held after the attack is contained and eradicated. The attendees at the meeting include all individuals who participated in dealing with the security incident. The input to the meeting is the open and frank observations of the attendees. Answers to the four questions listed above are the output.
Once the results of the AAR are fully documented, the answers to the elements in question 4 are converted into an action plan or, in some cases, one or more project plans. What controls are necessary, the types of modifications to be made to existing controls, and the resources to be applied to remediation efforts should be based on an effective Risk Management process.
slide 3 of 5
In this series, I've presented a high level view of Information Security. But although Information Security is a very wide field of study, it isn't necessary to understand all the subtleties in every security domain to provide effective security for your organization. Included in these articles were the definition of Information Security and the three levels of security controls: preventive, detective, and recovery. We also explored the value of using diversity in design and defense in depth to apply those controls. Finally, we took a very brief look at how to manage a security incident if prevention or early detection controls fail.
We saw that risk management is the process in a solid security program that helps managers make informed decisions about what and how many resources should be expended to prevent and detect specific threat agents. This is an important and often overlooked area of Information Security. I highly recommend you take some time to understand the importance of risk management and how to implement a risk management program in your organization.
Policy - A policy contains management's position on security issues. Developed to address issues at a high level, policies can include enterprise-wide security concerns or only issues pertaining to a specific system. Policies don't include detailed steps for building policy compliant systems. This is the role of procedures.
Procedure - A procedure contains detailed, step-by-step instructions for building a secure system or system component. Procedures are written to consistently deploy systems that are compliant with management policies.
Standards - These mandatory activities, rules, etc. support policies by specifying in detail how systems should be configured, deployed, and managed.
Guidelines - Unlike standards, guidelines provide a discretionary framework. If a specific standard doesn't exist to cover a specific activity, guidelines can be used to determine the best course of action while maintaining policy compliance.
Threat Agent - A threat agent is an entity or event that attempts to exploit one or more weaknesses in the security controls protecting an information asset resulting in an adverse impact on the asset's confidentiality, integrity, or availability.
Man Trap -- A man trap is typically a small room with a door at each end that serves as an access point for a restricted facility. When a person enters one door, the other door is shut. A security officer is typically stationed at a window to check identification and to prevent piggybacking. If the security officer suspects that the person attempting to enter the facility is an intruder, she secures both doors trapping the suspect until the police or other authorities respond. A scale can also be used to prevent piggybacking or the smuggling of contraband. If the weight on the scale appears to be too high, the security officer can take steps to investigate prior to opening either door.
Piggybacking - When an unauthorized person enters a restricted room or facility by passing through an open door or gate with an authorized person, this is called piggybacking. For example, an intruder may wait by a locked door until a person with a key card opens the door to enter the secure area. Prior to the door closing, the intruder simply passes through. Organizations with weak security awareness training programs may find that courteous employees actually hold the door for intruders.
Hardened - A hardened device is one that is configured to run the minimal number of services or programs or that processes only packets that meet specific criteria. For example, steps for hardening a Windows server include disabling or deleting all unnecessary accounts, disabling all unneeded services and ports, and assigning very strong passwords to the local administrator account.
Work Factor - Work factor is the level of effort required for an attacker to crack security controls, using a specific amount of resources, to achieve a specific objective. This objective may include unauthorized access to systems and data or it may be the decryption of ciphertext. One of the fundamental goals of implementing security controls is to increase the work factor to the point where the effort required to reach the objective is greater than the benefits gained.