More Technical Aspects of Security Policy

 

Introduction.  Probably one of the more perplexing aspects of developing security for many technically oriented people  is to make certain they are meeting the business needs of the people who will be using the system so they can work effectively.  These approaches must also stay up-to-date and always be on the lookout for realistic ways to improve.

The following outline summarizes many of the issues related to the more technical aspects of providing security.

  • Meet the Organization's Needs
    • You do not want to secure an organization to the point it cannot conduct its functions
      • Your own customers will find ways to defeat it if you aren't really meeting their needs
      • If you make it easy and/or reasonable to do the right things then people are much more likely to do them
    • What are people in the organization trying to do?
    • How are people trying to do it?
    • What does their workflow look like?
    • Be aware of reasonable technological solutions
    • You must enable people to work effectively
    • Provide reasonable levels of security
    • Create solutions that are as clean and simple as reasonable
    • Implement security within a reasonable time scale
  • Stay Up to Date
    • A security professional must be aware of the most likely forms of attack
    • Track bulletins from vendors
    • Peruse particularly informative websites daily
    • Read advisories from organizations that track security issues
    • Keep aware of new vulnerabilities
  • Authentication and Authorization
    • Fundamental to have a strong authentication system
    • Each user needs to have a unique identity
    • There should be no accounts with multiple users
    • Along with authentication comes authorization so that users can attain the appropriate levels of access for the appropriate systems
      • authentication assesses the users identity
      • authorization determines what this user can do
      • usually require at least username and password
      • a role account gives a user privileges and functions they normally can't
    • Authentication capability can usually be increased if some additional means are used to determine identities
      • biometrics
      • smart cards
      • something important the user doesn't want to lose
      • something important and unusual the users won't reveal about themselves
    • An authorization matrix is a good device to help the security administrators determine who has what levels of access/permission to use what
  • Selecting Products and Vendors
    • Almost all products must be evaluated from a security point of view considering issues such as
      • is it used by a third party who has a restricted level of access for the product
      • is it part of the authentication, authorization, access control system
      • is it accessible from the internet or any other untrusted network
      • does it provide authenticated access to sensitive data or systems
      • degree of confidence about in-built product security
      • vendor direction and maintenance
      • functionality and integration
    • Simplicity
    • Security
    • Open Source
      • often times if the source is available then smart intruders can really investigate their options
      • closed source can lead to other suspicions such as the vendor hides behind obscurantism
    • Usability
      • component interactions
      • ease of configuration
      • effects of configuration changes
      • training
      • validate appropriate configurations
      • vendor issues
        • maintenance patches
        • updates
        • security consciousness of the vendor
        • notification mechanisms
    • Integration
      • will it make use of your existing authentication system?
      • what sort of load does it put on the network and systems?
      • if it has to talk through the firewall are its protocols appropriate?
      • can its logs coordinate with the central host?
      • what sort of network service is required?
      • is the appropriate OS already supported?
    • Cost of Ownership
      • how long to configure software?
      • are there autoload options?
      • how much fine tuning and day to day maintenance are required?
      • already familiar?
      • how will new hires learn?
      • how will current employees learn?
      • ease and comfort of use
    • Futures
      • scalability
      • future directions for vendor and product
      • version support
      • frequency of new releases
      • market pressures

Governmental Ratings.  The US Government has developed criteria for security ratings.  The DOD's TCSEC -Trusted Computer System Evaluation Criteria is sometimes called the orange book.  It is used in conjunction with the TNI - Trusted Network Implementation of the TCSEC which can be referred to as the red book.

The TNI has developed ratings that start at A, which is the highest security rating.  They go to D which is the lowest security rating.  The C rating is divided into two, the C1 and higher C2.  The C2 rating is sought after by organizations that want to obtain governmental contracts.  The C2 requires the operating system to be able to do the following among other things.

  •  keep track of when and whom has accessed data
  • control access to objects
  • provide unique identification of users
  • be capable of auditing security related events

The following table surveys operating systems and shows the security ratings they have been able to achieve.

 

Operating System Vendor NSA Certification
UNIX XTS-200 and XTS 300 Wang Government Services Orange Book B3
UNIX Trusted Xenix 3 and 4 Trusted Information Systems Orange Book B2
UNIX HP-UX 8.04 and 9,0,9 Hewlett Packard Orange Book B1
UNIX UNICOS 8.0.2 Cray Research Red Book B1
UNIX RS/6000 IBM Orange Book C2
Windows NT 3.5/SP3
and Windows NT 4.0
Microsoft Orange Book C2
NetWare 4 and 4.11 Novell Red Book C2

 

Merely installing the operating system doesn't guarantee the rating.  There are other criteria such as network connectivity and operating system features.  The entire hardware and software configuration must achieve the rating.  These baselines for the NOSs help.

Now we need to discuss some aspects of auditing before getting back to our outline.  Auditing is the process of tracking the activities of users and the system.  Most operating systems have these built into them.  Log files are maintained that track what are determined to be salient events and aspects of the network.

Most auditing makes use of passive detection where in order to find out particular information a sys admin must actually go and search log files for particular activities.  In situations requiring more intense security there needs to be active detection in which software continually scans the network for signs of intrusion.  Some programs even alert sys admins in certain situations and disconnect suspicious sessions.  The following list contains some examples of active detection software.

  • SATAN - Security Administrator's Tool for Analyzing Networks
  • SAINT - Security Administrator's Integrated Network Tool
    • upgrade to SATAN
  • WebSAINT - allows discovery of system vulnerabilities over the Internet

Getting back to our outline.

  • Internal Auditing
    • are security environments in compliance with policies and design criteria?
    • checking employee and contractor lists against authentication and authorization databases
    • physical perusal of machine rooms, wiring and telecom closets for intrusive devices
    • verifying up to date security patches
    • launching sophisticated attacks against infrastructure to test and improve
    • Log Processing
    • Internal Verification
      • traffic routes
      • phone numbers
      • source machines
      • who's actually using remote access
    • Per Project Verification
    • Physical Checks
  • Make Security Pervasive
    • make sure everyone is aware of what is being done and how it works
  • Maintain/Improve Contacts
    • make sure you are in touch with those that are on the cutting edge
    • make sure you are in touch with those that are aware of what really works
  • Produce Metrics
    • validate security effectiveness with data
    • have external audits assess as objectively as possible

Impact of Organization Size and Type.  The size  of the organization is going to have huge impact on security implementation and how many people are involved.  Whether the organization is small, medium or large and how technically oriented it infrastructure needs to be in order to be competitive are going to have a huge impact on how security is implemented.  The levels of security requirements for their operation are something else that are going to be very important.