ITS 421 - Tactical Perimeter Defense

Chapter 6, Mapping Business Challenges to Access Control Types
Chapter 7, Human Nature and Organizational Behavior

Objectives:

This lesson reviews needs for access controls, human elements in our environment, and controls to manage expected behaviors. Objectives important to this lesson:

  1. Applying access controls to needs
  2. Solving problems with access controls

  3. Human nature as a cause for access controls
  4. Organizational model for access controls
  5. Separation of duties
  6. Responsibilities of access owners
  7. Employee training
  8. Handling behavior
Concepts:

Chapter 6

Business Needs

The text begins with the idea that access controls need to have a higher purpose than just what they do. They need to exist because there is a reason that causes an organization to create them. The authors refer to these as business needs, but they apply to government and other organization types as well.

  • Business continuity - Keeping the operation running regardless of the event, attack, disaster, or mayhem should be one of our goals. Picking the right balance of choices that protect us against some risks means deciding which ones make more sense for our needs. The suggestions in the list below are not all mutually exclusive, but the typical organization will pick some of them and reject others.
    • The text recommends placing our data centers away from natural threats that occur regularly, like hurricanes and predicable, frequent floods. Can you name parts of the United States where these threats are less probable? How about other countries?
    • Placing our data in more than one location is also recommended, but with the caveat that running a hot backup site (always running and up to date) can be expensive.
    • The text also recommends that we consider cloud based data centers. This sounds nice, but remember that there is no cloud, You are simply remotely connecting to someone else's server farm. If your contract with them includes their storing information in multiple locations, great. That means you are subcontracting the service in the bullet item above. There is an advantage, that you can have thin clients for your cloud services. The disadvantage is that you are out of luck if you don't have connectivity to the contracted servers. There is another aspect, too. Is the cloud storage protected? Are you as protected or better than you would protect yourself?
    • A lower cost suggestion is to take the time honored approach of running backups regularly, and storing copies away from your data site. How often is often enough? How costly will this be? What about the cost of new hardware when you need to restore, if that is an issue?

For any strategy or mix of them, choices also must be made about access controls. Who has access? What kind of access? what changes need to be made to that access when an emergency occurs?


The text gives us a story on page 112 that should sound like the one I told you in week 1. In this case, an employee is believed to be stealing company money. Evidence is gathered and presented to her. She is asked to resign to avoid prosecution. She asks for an hour to prepare to leave. She is then left alone in her office for an hour. She copies account information, deletes date, and plants viruses and spam bots on the company network. She later offers her clients a discount if they will come to her new company, which she presumably just created.

The text then explains what should have been done. This is a classic case in which business needs and the usual treatment of an employee collide.

  • The classic approach to removal of personnel includes removing their access rights to the company systems and data at or before the moment they are informed that they are leaving employment.
  • Such an employee should never be left alone with a computer on the company network, in case they have installed a back door, or another identity that could be used to cause the kind of damage described in the story. She could, of course, already have prepared a copy of the data she wanted to take, but this would have removed her means of deleting data directly.
  • When there is no suspicion that the employee bears any ill will against the company, there can be some variation in this procedure. When there is such suspicion, it is prudent to restrict the employee's rights as soon as possible. This is difficult to do when the job they hold gives them access to sensitive information, which is why extreme measures are often taken with departing system administrators. As the story shows, the employee in question did not hold such a job, but she knew how to create problems without elevated rights. Most people are capable of this sort of action, by intention or by accident.

The text tells us another story on the next page. It is longer and less detailed than we might like. In the course of a fire at a company's main office, their web server is taken down due the power being out. There is no clear way for the Chief Operating Officer to restore the web site without getting a login ID and other information from a system administrator. A problem with this story is that it would never happen that way. In a well run company, there would be an emergency plan for bringing up an off site server and a backup copy of the web site, and the COO would probably have nothing to do with it except to authorize it to happen, long before any such emergency actually occurs. The authors suggest that the use of emergency phone numbers (cell phones) for such events would make it more likely that someone receiving such a call would be receiving it from an authorized caller. Nice idea, but costly, if those phones were only used in emergencies. Oh, by the way, where is it? My phone. Where is my emergency phone?

Businesses have many reasons to keep their operating procedures and data private and secret. We are aware of the need to protect a customer's personal information, but some businesses have their own secrets that they do not want to share with competitors. The same methods used to protect other sensitive information should be used to protect trade secrets and secret recipes as well.

  • Assign the least necessary privilege to any resource, to the fewest people possible
  • Promote/require strong passwords and use other technical protections
  • Physically secure our locations, using locks, guards, and other measures as needed
  • Deactivate lost devices and ID cards as soon as possible; require employees to report such losses promptly
  • Maintain a program of security awareness for staff
Solutions

The text turns to risk management strategies on page 116. It expands on the ideas it presented in chapter 2 for four risk strategies. Remember that there are other strategies than the four the text presents.

  • avoidance - make every effort to avoid your vulnerabilities being exploited; make the attack less possible, make the threat less likely to occur; avoid risk by avoiding the activity associated with the risk, and by providing an active defense against it
  • acceptance (acceptance) - this counterintuitive idea makes sense iif the cost of an incident is minimal, and the cost of each of the other methods is too high to accept; the basic idea here is that it costs less just to let it happen in some cases, and to clean up afterward
  • transference - in general, letting someone else worry aabout it; engaging a contracted service to protect us against risk would an example of transference
    mitigation (mitigation) - this method seeks to reduce the effects of an attack, to minimize and contain the damage that an attack can do; Incident Response plans, Business Continuity plans, and Disaster Recovery plans are all part of a mitigation plan

The text repeats some material about protecting confidentiality, integrity, and availability from threats by using access controls. On the same theme, it considers vulnerabilities and mentions three areas where vulnerabilities are often found:

  • Operating systems - The text points out that most viruses attack the operating system of a computer. Updated protection software and patches to the OS should be applied regularly.
  • Applications - Applications typically do not receive patches as often as operating systems, but some are famous for patches, such as Adobe Reader and Flash Player. Updates to applications that address known vulnerabilities are required in a well run environment.
  • Users - The text advises us to teach users to resist social engineering, and to create stronger passwords.

The next section of the chapter reminds us about some terms used to describe the need for access rights:

  • subject - an entity that requires access rights to some resource; like the use of the this word in grammar, the subject takes action on something
  • object - a resource that some subject needs to act upon; again, like the grammar use of the word, an object is acted upon by a subject

The text uses these terms to explain that we can make lists of the subjects who need particular kinds of access to particular objects. We can use these lists to make plans for granting access. We can also use this information to make plans about the access controls we need to apply to the sensitive, popular, and necessary objects. The text stresses that we need to make sure we are covering all subjects and objects in our system, but we should remember that no environment is stable for very long. There will be new subjects and objects, and there will be subjects and objects that should be removed from our system on a regular basis. Everything changes.

For some kinds of access, it makes sense to create groups, assign access rights to those groups, and to make users members of those groups for the time they need to access the relevant objects. This allows us to make one rights assignment, which can be modified or removed in one place if a mistake is discovered, affecting the rights of all members of the group at once. In Active Directory, such a group is typically called a security group. When a user no longer needs access rights to an object, that user can be removed from the group in question. When a new user needs those access rights, that user can be made a member of the right security group to receive the same access as the other members.

That was not really news. The strategies listed on page 123 are new to this subject, at least in this text. The text introduces three kinds of access control methods, and two review methods:

  • Mandatory Access Control (MAC) - the most restrictive model; the owner defines a security policy, a security agent (a central authority) implements it, and the end users cannot change it
  • Role Based Access Control (RBAC) - access is granted to roles (groups) defined on the systems, end users are assigned to roles so they can access assets needed for their jobs
  • Discretionary Access Control (DAC) - least restrictive model; subjects (end users) can own objects, and have total control over them (like a Sharepoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels
  • Automated account review - The word "automated" is improperly used to mean that access controls that have not been used in a specific time period are automatically selected to be reviewed. The review is done by people, not by a computer or a program. The program simply finds the accounts that should be reviewed, and notifies appropriate staff.
  • Automated expiration of temporary access - Accounts in many systems can be created with expiration dates. This principle uses this feature to make sure that temporary accounts do not continue to be usable without human intervention.

Page 124 review two well known principles that address business needs.

  • Separation of responsibilities - make sure that large purchases and otherr sensitive activities cannot be accomplished without the approval of at least two areas of responsibility, such as requiring two signatures on large checks; don't give any one person the ability to defraud the system; checks and balances of power are better
  • Least privilege - never assign more access rights than are actually need to perform a task, in order to reduce the exposure of assets that need not be exposed

Another kind of risk is discussed on page 125. We are cautioned not to grant administrative rights (the highest level of rights) to an asset without a good reason. The text warns us that having this level of permission to a computer, for example, allows the operator to do almost anything they want, including choosing to install software. That does not sound so bad, but the main problem is that not only can the operator do anything, so can any process started by the operator, including viruses and malware. There is some level of protection to be had from running a computer as a user who is not allowed to install new software.

Chapter 7

Chapter 7 returns to the discussion of the effects that human behaviors have on our organization. The text seems to be on the nature side of the Nature vs. Nurture argument. If you don't know what I mean, follow that link to some ideas about a concept that has bothered scientists for a long time. Are some aspects of humans determined completely by their environment (nurture) or by their biology (nature)? I suspect that the answer is usually a combination of the two, but there is a third idea as well, that we can determine our own outcomes or actions in some cases. I may not be able to wish myself into being another kind of creature, but I hope I can decide to be a better man than I might otherwise be. So, when the authors talk about some aspects of human nature, we should allow that the meaning of the passage is about observable human behavior, regardless of its cause.

Some threat types are described in the first pages of the chapter:

  • Unintentional threats - People often do not think about security. They don't worry about opening an email attachment, following a link, leaving equipment unprotected, or exposing themselves and their workplace to other threats. They don't mean to cause any harm, but they can become the vulnerable avenue for an exploit without meaning harm themselves. The text warns us to train people in security awareness, to remind them often enough to do some good, and to install security controls to minimize these risks.
  • Hackers - This text simplifies hackers into two caategories: those who are after money and those who are after status. The ones who want "money" may be after something they want themselves (and would not pay for) or something they hope to sell or ransom back to the owner.
  • Social engineers - A social engineer is what we used to calll a con artist. He or she is someone trying to get someone else to do something they should not do. On the other hand, you could use social engineering techniques to get someone to do something they should do, but that is another topic. The text presents an outline of features commonly seen in social engineering exploits:
    • Assumed identity - The social engineer often pretends to be someone the victim will or should trust, such as an IT support person, an executive with a problem, or a new employee who needs help.
    • Believability - A background story that explains what the social engineer is doing there, why we should supply what they want, and why we should do it right away is very helpful in getting the victim's cooperation. In con artist terms, this part may be called telling the mark the tale.
    • Multiple contacts - Some social engineering exploits involve one contact with the victim, because that is all it takes to get the desired outcome. Others require a bit more familiarity with the victim, so the social engineer may make a series of contacts, either gathering data with each one, or preparing the victim with the earlier contacts for the moment of trust that the real exploit requires.
    • Request for help - The classic exploit involves a request to grant access, to change a password, or to reveal something the victim can access or already knows. The social engineer presents a reasonable need for that information or access, which should be granted as a favor for the poor helpless person they are portraying.

The text has a few pages with ideas about hiring the right people for sensitive positions. From the perspective of a student looking for work, you will want to know about the generally accepted factors that go into a hiring decision.Read this material, and believe that the prospective employer really will ask for and check this data.

The next main topic in the chapter starts on page 141. It links back to the material on social engineering. The text explains that an organization's structure usually has three or more layers.

  • Staff, who have the fewest access rights
  • Operational management, who have more access rights
  • Upper level or senior management, who typically have the most rights

This common structure explains why a social engineer may pretend to be a member of senior management, who has forgotten a password, or who has lost rights to some asset that is needed for a pressing task immediately. Of course, the poor victim will feel the need to do the senior person a favor, is the request is made artfully.

A better model to follow is to grant access based on the needs of one's job. Of course, this makes it more difficult for the social engineer, but it only means the grifter has to do deeper research to find the right person to impersonate. Three suggestions are presented to counteract this problem:

  • Job rotation - If people in sensitive positions are moved on a regular basis, a rogue employee will only be in one position for the time allowed, and a social engineer may have trouble finding out who to impersonate currently.
  • Required vacations - This concept addresses the same one thatt rotation does: don't allow anyone to continue in a sensitive role indefinitely. A required vacation presumes a substitute or backup person, who must know the job well enough to do it and to notice if the usual person were doing anything inappropriate.
  • Separation of duties - As noted in most texts, a common controll on money is to make sure it cannot be moved or spent without the cooperation of several agents. This does not apply equally in terms of data. Money cannot be copied, but data can. This concept applies to the world of data by making sure that reviews and audits are done regularly, by people in a different branch of the organization.

The text makes a point of explaining that the people called access owners (or data owners, or other titles) have a responsibility to protect their data, which includes the proper oversight of granting access rights. In practice, this may mean that such a person is interviewed by IT staff who translate the owner's business requirements into program code or procedures that IT staff can follow. You should review the bullet points on page 145 about this, and understand that the actual performance of each of those points will involve business staff, general IT staff, and IT security staff.

The text moves on to discuss training employees in security issues, such as resisting social engineering (the authors seem very afraid of this) and maintaining awareness of security needs. The main idea is that there should be clear training, employees should be able to look up rules when they are needed, and there should be multiple ways to ask for help in this area, including web resources, other employees, and security staff who may be consulted with questions.

The text offers two suggestions that cover many situations:

  • Acceptable use policy - A well crafted acceptable use policy should give employees a sense of how protective of our environment we need to be. It is a starting point, in many cases, not an end point.
  • Security awareness policy - This is a daily problem, so one session talking about security is not enough. Reminders, preferably in different formats and media, should be offered to employess regularly.

As we have discussed before, the security policies of your organization should be made available to all employees, and efforts should be made to make compliance a default behavior.

 

Assignments for Chapters 6 and 7

  1. Complete the Review Questions posted for these chapters, numbers 13 through 28.
  2. Pick one of the case studies at the end of the chapter. Briefly explain what you see as right and wrong about the situation and the solution proposed by the authors. Is there another recommendation you would make?