Elements of a Security Program
In order to effectively employ the information security concepts introduced in the previous articles, an organization must have a well documented and active security program.
A security program consists of policies, procedures, standards, and guidelines defining a framework upon which to build three basic types of security controls: prevention, detection, and recovery. Figure 1 shows the relationship between these layers.
The first layer of controls is designed to prevent a threat agent from exploiting a vulnerability resulting in business impact. When presented with a threat, prevention controls attempt to block it from reaching its target. If the prevention controls fail to stop the threat agent, the second layer of controls is intended to detect the unusual activities that serve as warning signals that a security incident may be imminent or in process. If it's determined that a security incident is occurring, the third layer of controls is activated. These controls are designed to identify, contain, eradicate, and manage the threat agent and its effects, thus mitigating the impact on the business.
Within each of these control layers there are three control areas: physical, administrative, and technical. The following sections describe each of the control areas and the security controls that commonly fall into each.
Physical prevention controls are intended to block physical access by humans or to mitigate physical damage by natural or man-made events. Physical prevention controls include:
- Data backups
- Man traps (see Figure 2)
- Secure data centers and limited access to buildings through the use of badge systems, locks, etc.
- Stationary or roving security guards
- Alternative power sources, such as uninterruptible power supplies or generators
- Fire detection and suppression systems. The proper selection of fire prevention and suppression systems affects the amount of damage caused by a facility fire.
Administrative controls implemented to prevent the success of threat agents focus on the management of people and processes. Common controls of this type include:
- Policies, procedures, standards, and guidelines
- Tested business continuity plans
- Separation of duties
The third area of prevention controls consists of hardware and software. These technical controls designed to block threat agents include:
- Smart cards. A smart card is a physical device about the size of a credit card that contains user authentication information. It's usually used in addition to a user ID and password. A user must have the smart card in his possession to log on to his PC or to the network.
- Encryption. This is the conversion of readable plaintext information to unreadable ciphertext. Highly sensitive data should be encrypted both while traveling over the network and while at rest on a drive, tape, or other storage medium.
- Operating system access controls.
- Biometrics. This is the use of one or more biological attributes to identify a user attempting to authenticate to a system. These attributes include fingerprints, finger or hand geometry, retinal scans, typing patterns, and voice recognition.
- Anti-virus and anti-spyware software.
- Intrusion prevention systems, both host and network based.
Controls in the same three areas are used to detect threat agents or their effects if the prevention controls fail. Physical detection controls include:
- Motion detectors.
- Smoke and fire detectors.
- Security cameras.
- Sensors and alarms.
As with administrative prevention controls, administrative controls designed to detect evidence of current or intended malicious activity against information assets are focused on management actions, including:
- Rotation of duties.
- Security reviews and audits.
- Mandatory vacations. Mandatory vacations serve the same purpose as rotation of duties. Someone else must look at the work the vacationing employee has been doing.
- Performance evaluations.
- Background investigations.
Finally, audit trails and intrusion detection systems are implemented to provide technical detection controls.
How prevention and detection controls are implemented is often just as important as the controls themselves. There are two primary principles that should govern the deployment of security controls: diversity in design and defense in depth.
The diversity in design principle deals with the degree of variety in implemented controls. Variety here means not only the types of controls but also the number of vendors and the approaches used to apply control features. Let's look at Figure 3 as an example.
From the Internet, packets must travel through a firewall to reach the organization's DMZ. The DMZ is home for a Web server and a front-end email server. Only packets destined for port 25 on the email filtering server or port 80 on the Web server are allowed through the external firewall. However, it's possible for an attacker to crack the security of this device. If this happens, the attacker has access to all devices in the DMZ. Since the DMZ devices are hardened and contain no sensitive information, the attacker will most certainly attempt to get to the internal network where the pickings are usually easier and richer.
If both firewalls are the same model from the same vendor, the attacker's job is much easier. The actions she takes to crack the external firewall will probably work quite well in cracking the internal firewall. But in our example, the firewalls are from different vendors. This means that the techniques the attacker uses to crack the first firewall will probably not work on the second. Since cracking a hardened firewall typically requires significant effort, the work factor associated with cracking two dissimilar firewalls may be too great for the attacker's liking. Diversity in design will increase the work factor to a level much higher than that of a network with a single vendor design.
There is often one big disadvantage to employing this approach to network defense. Your network team must understand multiple vendor device configurations. In this example, it might increase the total cost of ownership of the diverse firewalls.
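The two-firewall DMZ design of Figure 3, as an added model that is not part of the original article. It encodes the external firewall's two permitted flows (port 25 to the email server, port 80 to the Web server) with a default deny, and an assumed internal firewall that lets only the DMZ mail server relay inward; all addresses and the internal rule set are constructed assumptions.

```python
# Added example (not from the original article): a first-match, default-deny
# model of the external and internal firewalls in Figure 3.
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges), one per zone.
INTERNET_CLIENT = "203.0.113.10"
DMZ_WEB = "192.0.2.80"
DMZ_MAIL = "192.0.2.25"
INTERNAL_MAIL = "10.0.0.25"
INTERNAL_DB = "10.0.0.60"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone(host):
    """Classify a constructed address into internet, dmz or internal."""
    if host.startswith("192.0.2."):
        return "dmz"
    if host.startswith("10."):
        return "internal"
    return "internet"


# A rule is (src_host, dst_host, dport); None is a wildcard.
# External firewall: exactly the two flows the article permits from the Internet.
EXTERNAL_RULES = [(None, DMZ_MAIL, 25), (None, DMZ_WEB, 80)]
# Internal firewall (assumed): only the DMZ mail server may initiate a
# connection inward, and only to the internal mail server on port 25.
INTERNAL_RULES = [(DMZ_MAIL, INTERNAL_MAIL, 25)]


def first_match_allow(rules, pkt):
    """Return True if any allow rule matches; otherwise the default is deny."""
    return any((s is None or s == pkt.src) and (d is None or d == pkt.dst)
               and (p is None or p == pkt.dport) for s, d, p in rules)


def evaluate(pkt):
    """Walk the packet through every firewall between its zones and report the verdict."""
    crossings = []
    if zone(pkt.src) == "internet" and zone(pkt.dst) != "internet":
        crossings.append(("external", EXTERNAL_RULES))
    if zone(pkt.src) != "internal" and zone(pkt.dst) == "internal":
        crossings.append(("internal", INTERNAL_RULES))
    for name, rules in crossings:
        if not first_match_allow(rules, pkt):
            return f"denied by {name} firewall"
    return "allowed"
```

A compromised DMZ Web server trying to reach the internal database is stopped at the second layer, which is the point of placing a dissimilar firewall between the DMZ and the internal network.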
Defense in depth is a layered approach to applying controls. Figure 4 depicts the various layers that an organization should consider. Each of the physical, administrative, and technical categories on the stairway leading to Information Security should be assessed as part of an effective risk management effort.
Each layer is designed to provide support for the layers below it, and to prevent or detect the advance of an attacker to his objective. The layers work in concert to delay and frustrate. It's the combination of the right policies, processes, and controls at the appropriate layers that provides a secure processing environment.
Recovery is slightly different from prevention and detection. Although prevention and detection rely in part on process, recovery activities are all about processes: processes that identify, contain, eradicate, and control. These processes are combined to form an organization's Incident Management Program. Figure 5 shows how the various processes relate to each other.
Once a security event is detected, the first step is to identify what is occurring. For example, if a malware attack is suspected, what type of malware is it? What is the potential impact? How widespread is the infection? If an intruder has cracked a server, what data may be compromised? Is the intruder still accessing the information? The goal of the identify process is to correctly define what's happening, how it is happening, and the scope of the attack. This helps with the next process, contain.
Once the attack parameters are defined, the impact on the business must be mitigated. This is called containment. If malware has infected a machine, disconnect the machine from the network. If the infection has spread to several computers on a floor at the corporate office, disconnect the floor. In the case of an intruder, remove her path to the target system. If the path is unclear, shut down the system. The goal of containment is to minimize the business impact of the attack.
Beyond physical containment, communication to shareholders, employees, and customers may be necessary to properly convey information about the attack and to curtail rumors. In addition, regulatory requirements might mandate a communication to affected parties that a potential compromise of personal information has occurred.
Once the attack is contained, all threat agents must be eradicated. For malware, this means running vendor supplied removal programs, applying patches, or even re-imaging PCs. For other types of attacks, notification of law enforcement or the termination of one or more employees may be appropriate. The Incident Management process should include a list of actions to take based on the type of attack identified. The purpose of eradication is to remove all remnants of the attack from your network.
The control or management process wraps up the management of an incident by answering four questions:
- What happened?
- What was the cause?
- What controls failed or were missing?
- What steps can be taken to:
  - Prevent similar future incidents
  - Detect similar future incidents faster
  - Recover from similar future incidents more quickly
The primary tool of the control process is the After Action Review (AAR). The AAR is a meeting held after the attack is contained and eradicated. The attendees at the meeting include all individuals who participated in dealing with the security incident. The input to the meeting is the open and frank observations of the attendees. Answers to the four questions listed above are the output.
Once the results of the AAR are fully documented, the answers to the elements in question 4 are converted into an action plan or, in some cases, one or more project plans. What controls are necessary, the types of modifications to be made to existing controls, and the resources to be applied to remediation efforts should be based on an effective Risk Management process.