More Technical Aspects of Security Policy

Introduction. Probably one of the more perplexing aspects of developing security for many technically oriented people is to make certain they are meeting the business needs of the people who will be using the system so they can work effectively. These approaches must also stay up-to-date and always be on the lookout for realistic ways to improve.

The following outline summarizes many of the issues related to the more technical aspects of providing security.

Meet the Organization's Needs

You do not want to secure an organization to the point it cannot conduct its functions

Your own customers will find ways to defeat it if you aren't really meeting their needs

If you make it easy and/or reasonable to do the right things then people are much more likely to do them

What are people in the organization trying to do?

How are people trying to do it?

What does their workflow look like?

Be aware of reasonable technological solutions

You must enable people to work effectively

Provide reasonable levels of security

Create solutions that are as clean and simple as reasonable

Implement security within a reasonable time scale

Stay Up to Date

A security professional must be aware of the most likely forms of attack

Track bulletins from vendors

Peruse particularly informative websites daily

Read advisories from organizations that track security issues

Keep aware of new vulnerabilities

Authentication and Authorization

Fundamental to have a strong authentication system

Each user needs to have a unique identity

There should be no accounts with multiple users

Along with authentication comes authorization so that users can attain the appropriate levels of access for the appropriate systems

authentication assesses the users identity

authorization determines what this user can do

usually require at least username and password

a role account gives a user privileges and functions they normally can't

Authentication capability can usually be increased if some additional means are used to determine identities

biometrics

smart cards

something important the user doesn't want to lose

something important and unusual the users won't reveal about themselves

An authorization matrix is a good device to help the security administrators determine who has what levels of access/permission to use what

Selecting Products and Vendors

Almost all products must be evaluated from a security point of view considering issues such as

is it used by a third party who has a restricted level of access for the product

is it part of the authentication, authorization, access control system

is it accessible from the internet or any other untrusted network

does it provide authenticated access to sensitive data or systems

degree of confidence about in-built product security

vendor direction and maintenance

functionality and integration

Simplicity

Security

Open Source

often times if the source is available then smart intruders can really investigate their options

closed source can lead to other suspicions such as the vendor hides behind obscurantism

Usability

component interactions

ease of configuration

effects of configuration changes

training

validate appropriate configurations

vendor issues

maintenance patches

updates

security consciousness of the vendor

notification mechanisms

Integration

will it make use of your existing authentication system?

what sort of load does it put on the network and systems?

if it has to talk through the firewall are its protocols appropriate?

can its logs coordinate with the central host?

what sort of network service is required?

is the appropriate OS already supported?

Cost of Ownership

how long to configure software?

are there autoload options?

how much fine tuning and day to day maintenance are required?

already familiar?

how will new hires learn?

how will current employees learn?

ease and comfort of use

Futures

scalability

future directions for vendor and product

version support

frequency of new releases

market pressures

Governmental Ratings. The US Government has developed criteria for security ratings. The DOD's TCSEC -Trusted Computer System Evaluation Criteria is sometimes called the orange book. It is used in conjunction with the TNI - Trusted Network Implementation of the TCSEC which can be referred to as the red book.

The TNI has developed ratings that start at A, which is the highest security rating. They go to D which is the lowest security rating. The C rating is divided into two, the C1 and higher C2. The C2 rating is sought after by organizations that want to obtain governmental contracts. The C2 requires the operating system to be able to do the following among other things.

keep track of when and whom has accessed data

control access to objects

provide unique identification of users

be capable of auditing security related events

The following table surveys operating systems and shows the security ratings they have been able to achieve.

Merely installing the operating system doesn't guarantee the rating. There are other criteria such as network connectivity and operating system features. The entire hardware and software configuration must achieve the rating. These baselines for the NOSs help.

Now we need to discuss some aspects of auditing before getting back to our outline. Auditing is the process of tracking the activities of users and the system. Most operating systems have these built into them. Log files are maintained that track what are determined to be salient events and aspects of the network.

Most auditing makes use of passive detection where in order to find out particular information a sys admin must actually go and search log files for particular activities. In situations requiring more intense security there needs to be active detection in which software continually scans the network for signs of intrusion. Some programs even alert sys admins in certain situations and disconnect suspicious sessions. The following list contains some examples of active detection software.

SATAN - Security Administrator's Tool for Analyzing Networks

SAINT - Security Administrator's Integrated Network Tool

upgrade to SATAN

WebSAINT - allows discovery of system vulnerabilities over the Internet

Getting back to our outline.

Internal Auditing

are security environments in compliance with policies and design criteria?

checking employee and contractor lists against authentication and authorization databases

physical perusal of machine rooms, wiring and telecom closets for intrusive devices

verifying up to date security patches

launching sophisticated attacks against infrastructure to test and improve

Log Processing

Internal Verification

traffic routes

phone numbers

source machines

who's actually using remote access

Per Project Verification

Physical Checks

Make Security Pervasive

make sure everyone is aware of what is being done and how it works

Maintain/Improve Contacts

make sure you are in touch with those that are on the cutting edge

make sure you are in touch with those that are aware of what really works

Produce Metrics

validate security effectiveness with data

have external audits assess as objectively as possible

Impact of Organization Size and Type. The size of the organization is going to have huge impact on security implementation and how many people are involved. Whether the organization is small, medium or large and how technically oriented it infrastructure needs to be in order to be competitive are going to have a huge impact on how security is implemented. The levels of security requirements for their operation are something else that are going to be very important.

Operating System	Vendor	NSA Certification
UNIX XTS-200 and XTS 300	Wang Government Services	Orange Book B3
UNIX Trusted Xenix 3 and 4	Trusted Information Systems	Orange Book B2
UNIX HP-UX 8.04 and 9,0,9	Hewlett Packard	Orange Book B1
UNIX UNICOS 8.0.2	Cray Research	Red Book B1
UNIX RS/6000	IBM	Orange Book C2
Windows NT 3.5/SP3 and Windows NT 4.0	Microsoft	Orange Book C2
NetWare 4 and 4.11	Novell	Red Book C2