ITS 305 - Security Policies and Auditing

Chapter 2, Planning for Security


This lesson discusses high level planning for the organization's information security interests. Objectives important to this lesson:

  1. Organizational planning vs contingency planning
  2. Top-down planning elements
  3. Strategic vs tactical vs operational
  4. SecSDLC
  5. Risk and associated terms
  6. Common attack types

This chapter covers organizational planning for security, which you might want to think of as planning for what we will do if everything goes right. The next chapter covers contingency planning, which is more about what we will do when something goes wrong.

The text tells us, in a roundabout fashion, that we need to include all of our stakeholders in our plans. What is a stakeholder? A stakeholder is anyone affected by our plans, such as management, employees, and stockholders of our company (if it has any). A stakeholder, with regard to anything, is anyone who is affected by that thing's success or failure.

When making our security plans we should consider five environments that our company operates in:

  • physical
  • technological
  • political
  • legal
  • competitive

The text tells us that strategic planning is typically preceded by creating a values statement, a vision statement, a mission statement, a strategy, and plans for "sub-units" of the company. In some organizations this is called a vision, mission, and values approach. It is created at the highest levels of the company first, and lower levels create their more specific versions based on the higher level work, making this a top-down approach.

Whether you believe in the value of such elements or not, you must deal with this as an operational reality if the people in charge of your organization have made it a part of your environment. For example, all plans made by departments in the state of Michigan (my day employer) must fit with and refer to higher level plans made for the state in general. The concept is meant to lead to consistency and to keep the organization focused on the big picture. An organization will suffer if the high level or lower level statements fail to apply to lower level activities.

A mission statement can be concise and meaningful, defining what a company is about, like the one sentence example (page 40) in the text. This is a company that designs and produces quality products and associated equipment for use in business environments. That statement says what they do, what they make, and what their market is without being so specific that it could be unusable next year. It is not full of grandiose adjectives that praise the company instead of describing it.

The example of a mission statement for an IT security department that follows is much longer, and reads more like a position description for a jack-of-all-trades job in the department. The example fails to relate to the first example, which it should if the two mission statements are documents in the same company.

The text moves on to discuss strategic planning, which relates to tactical planning, and operational planning, as discussed in the first chapter. The text points out that objectives in a strategic plan should be SMART objectives. The meaning of that acronym varies from source to source. Some alternative versions are listed and explained on the Wikipedia page for SMART.

  • S - specific: what must be done?
  • M - measurable: how do we know it is done, and how well it is done?
  • A - achievable: is it possible to do it?
  • R - relevant or reasonable: does it make sense to do it?
  • T - time-bound: can it be done in the time allotted?

When planning your objectives for your strategic plan, you should make sure that these characteristics apply to each objective.

A tactical plan should cover a shorter time span than a strategic plan, address objectives for a smaller part of your organization, and should break down appropriate strategic objectives into a series of objectives.

An operational plan is on an even shorter time scale, is for even smaller parts of the organization, and seeks to meet more immediate objectives. A strategic plan should translate to a series of tactical plans. Each tactical plan should translate to a series of operational plans.

Moving ahead to page 55, the text uses the rest of the chapter to discuss a Security Systems Development Life Cycle, which it abbreviates as SecSDLC. This is a variation of the standard SDLC that is used in software development. The text reminds us that an SDLC can be triggered by plans or events, events being external causes for changes in a system. The text warns us that projects are often triggered by security breaches.

The model shown in figure 2-10 has six steps that loop back to the beginning, indicating that any system must be reevaluated from time to time.

  • Investigation - creation of security policies to meet some goals or outcomes; teams define the scope, goals, and constraints of the project; teams determine whether an analysis can be done
  • Analysis - teams analyze existing policies and programs, known threats, and current controls; teams analyze legal issues affecting design of a solution; teams analyze risk management of the problems (more on this below)
  • Logical Design - design of the capabilities of the new or improved system
  • Physical Design - specification of the components to be used in the new or improved system; includes designing the Security Education, Training, and Awareness (SETA) program
  • Implementation - planning the project, building out the system, and bringing it up
  • Maintenance - running and monitoring the new system, evaluation of need for a new cycle

The text spends many pages on the analysis phase above. Risk analysis is a large portion of it. The following material is from my notes for CSS 211, chapters 1 and 2, as well as this chapter.

More vocabulary:

  • asset - information that we care about
  • threat - a potential form of loss or damage; many threats are only potential threats, but we plan for them because they might happen
  • threat agent - a vector for the threat, a way for the threat to occur; could be a person, an event, or a program running an attack
  • vulnerability - a weak spot where an attack is more likely to succeed
  • exploit - a method of attack
  • risk - the probability of a loss

Goals of information security that could also be considered as benefits of it:

  • preventing data theft - prevention of loss is an obvious benefit of a working security system
  • preventing identity theft - this is not necessarily different from the first bullet, since identity information is one kind of data; stolen identity information, however, has a more personal effect on the victims than the simple theft of other corporate data, and provides a means to defraud each victim multiple times
  • avoiding legal consequences - those who do not protect their data may be subject to legal charges; the text has a list of several applicable state and federal acts in the US:
    • HIPAA (Health Insurance Portability and Accountability Act), prohibits disclosure of protected health data, with penalties up to $250,000 and 10 years in prison for trying to sell it
    • Sarbox (Sarbanes-Oxley Act of 2002), a reaction to corporate fraud and corruption. Provides penalties up to $5,000,000 and 20 years in prison for officers who file false corporate reports
    • GLBA (Gramm-Leach-Bliley Act), protects consumer data at banks and financial institutions, provides penalties up to $500,000 for unauthorized disclosure
    • USA Patriot Act of 2001, authorized law enforcement agencies to obtain documents and data if they have a court order, subpoena, or other authorization; provides several penalties for noncompliance
    • California Database Security Breach Act of 2003, the first state law requiring that businesses notify state residents within 48 hours of experiencing a data breach of specific personal information data (other states have enacted similar laws)
    • COPPA (Children's Online Privacy Act of 1998), federal act that requires entities to get parental permission before collecting, using, disclosing, or displaying data about children under 13 (no penalties stated in the text)
  • maintaining productivity - prevention saves the effort (time and cost) that a successful attack would incur
    The text implies that in the case of an attack, you should estimate that it will take about 1% of your total staff to combat the attack.
    The cost of virus attacks includes cleaning cost, loss of productivity, and loss of revenue. Follow this link to a list of ten famous and expensive viruses.
  • foiling cyberterrorism - the potential for terrorists to disrupt a national infrastructure includes disruption of health and emergency services, power, communications, and commerce.

Categories used to classify attackers:

  • hackers - One of the buzzwords of computer system geeks, this one can mean anything; it is generally accepted to mean someone with more skill than an average user, may be a white hat (good guy) or black hat (bad guy). A hacker may break into a system for a thrill, to show off, or to cause some kind of damage.
  • script kiddies - attackers who use hacking tools that they don't really understand
  • spies - computer attackers who are looking for specific data from specific systems
  • employees - Computer security includes the concept of protecting data from people who aren't authorized to access it. What about protecting it from authorized users who want to give or sell it to someone else? What about authorized users who give out their password because someone asks for it? What about users who are no good at protecting their secrets?
  • cybercriminals - The text has a longer discussion of this category. The bottom line is that they are after some financial gain. This could be data they can sell, actual fund transfers, or theft of financial instruments.
  • cyberterrorists - A cyberterrorist is defined as a system attacker whose motivations are ideological.

Twelve categories of threats, from our text (the list is not exhaustive). This list appears on page 57 of the 4th edition of our text:

  1. Compromised intellectual property - a specific form of theft, typically piracy
  2. Deviations in service, like power and communication services - systems can be damaged by bad power, such as running computers from generators whose power is not passed through a capacitor/filter
  3. Espionage or trespass - unauthorized and unlawful access
  4. Acts of nature - could be a flood, storm, earthquake, volcano, tsunami, or other natural event
  5. Human error or failure - social engineering falls in this category, as does displaying a password, or failing to lock a door
  6. Information extortion - sometimes called kidnap, information is stolen and offered for sale back to the owner
  7. Sabotage or vandalism - this can be damage to hardware, software, or an electronic system like a web service
  8. Software attacks - see the notes below about malware variations
  9. Hardware failure or error - all devices fail, so you need redundancy and/or monitoring
  10. Software failure or error - systems are designed to work within predictable conditions, outside of which they fail
  11. Obsolescence - There is a saying that military secrets are by nature short lived. IT Security measures suffer from this quality as well. Today's secure measure is tomorrow's joke. Stop using encryption methods for which there are known exploits.
  12. Theft - a catchall category

Five defenses against attacks, from the CSS 211 text:

  • layering - the author spends more time with metaphors than with examples; the point is just that a security solution will have multiple layers, requiring an attacker to get through several kinds of protection before accessing data
  • limiting - it is a standard feature of most databases that the designer can restrict users to specific views of the data, letting them see only what their role requires, letting only specific authenticated users modify or add information to the data files; network security can be like this as well, offering only role or user specific views of data, only allowing limited changes by specific users
  • diversity - diversity should be paired with the layering concept; diversity means that each layer of security is different in some way from the other layers, so an attacker will not be able to use the same exploit to get through all the layers
  • obscurity - this means that the inner workings of the system should not be described or stated where a potential attacker could access that information. As a network system user, this is one of the more irritating aspects to me. Consider passwords. The network tells me my password will expire, and offers me a chance to change it now. I offer it a new password, and it replies that the new password is too short. I offer another one, and it tells me I haven't used enough complexity (upper case, lower case, numbers, and symbols: use at least one from at least three types). I offer another, and it tells me I can't use a password I used as recently as 10 changes ago. You see the pattern? There are rules for using the system, but the user is not made aware of a rule until it is violated. In the case of securing the system from attackers, the attacker is not told any of these rules when they are trying to guess a password.
  • simplicity - let the system be simple to administer, but hard to hack
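The three password rules met one at a time in the obscurity item above (minimum length, at least three of four character types, no reuse within the last 10 changes) can be checked together, with the history kept as salted hashes instead of plain text. This is an added example, not code from either textbook; the minimum length of 12, the PBKDF2 round count, and all function names are assumptions.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumed: the notes do not state the minimum length
REQUIRED_CLASSES = 3     # from the notes: at least three of the four types
HISTORY_DEPTH = 10       # from the notes: no reuse within the last 10 changes
PBKDF2_ROUNDS = 100_000  # assumed work factor for this illustration


def digest(password: str, salt: bytes) -> bytes:
    """Derive a salted hash so old passwords are never stored in plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def history_entry(password: str) -> tuple:
    """Create the (salt, digest) pair stored when a password is set."""
    salt = os.urandom(16)
    return salt, digest(password, salt)


def character_classes(password: str) -> int:
    """Count how many of the four types (upper, lower, digit, symbol) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def violations(candidate: str, history: list) -> list:
    """Return every rule the candidate breaks, not just the first one found.

    history is a list of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(candidate) < REQUIRED_CLASSES:
        problems.append("too_few_character_classes")
    # Only the most recent HISTORY_DEPTH entries block reuse.
    for salt, stored in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(digest(candidate, salt), stored):
            problems.append("reused_recently")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample history of 12 earlier passwords, oldest first.
    past = [history_entry(f"OldPassw0rd!-{i}") for i in range(12)]
    for attempt in ["abc", "OldPassw0rd!-5", "Fresh-Horse-Battery-9"]:
        print(attempt, "->", violations(attempt, past) or "accepted")
```
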

The term malware means any software that does something harmful to a system. The CSS 211 text breaks malware into three types, based on which of three objectives the malware follows: infecting a system, concealing its actions, or bringing profit from its actions.

Infecting Malware

Infecting software is divided into viruses and worms. A virus typically requires a carrier to infect a system, like an email, an instant message, or a program that the user runs. A virus typically has two tasks: replicate and damage. Some viruses have historically been rather benign, just displaying a message to the user. The ones that cause damage to a system are categorized by the method they use or the damage they cause:

  • file infector - the virus attaches itself to an executable file; it is triggered when that file is run
  • resident (aka terminate and stay resident) virus - loads into RAM, then does its damage based on actions the user takes through the operating system
  • boot virus - infects the Master Boot Record of a hard disk, which means the virus will load and run the next time the hard drive is used to boot the computer; typically the virus will trash the hard drive
  • companion virus - found more on pre-Windows systems, loads a program with a name similar to that of a real program, but with a preferred extension so the companion (malware) program is run when the user tries to run the real program from a command line; this seems like it might have a resurgence in Windows Server 8 which has more command line features
  • macro virus - a script virus that is typically placed in a Microsoft Office file

Virus protection programs typically recognize viruses by signatures, the way they look. This recognition method is complicated by metamorphic viruses that change the way they look over time, and polymorphic viruses that change their signature and their encryption methods.

Worms are described on page 44. The text tells us a major difference between worms and viruses: once it is started, a worm can replicate itself across connected computer systems by itself. It does not need a carrier. A worm can attack any running computer that is connected to a network that an infected computer is on: it does not require cooperation from the user. Worms are more dangerous due to their self-driven nature. Once a worm is detected in a system, each device on the network must be scanned for it, cleaned if necessary, and prevented from accessing the network until this is done.

Concealing Malware

The text lists four types of malware that are first concerned with remaining hidden from the user and from security personnel: Trojan horses, rootkits, logic bombs (not a terribly accurate name), and privilege escalators.

Trojan horse programs are named for the myth of a wooden horse that was used to smuggle Greek soldiers inside the walls of Troy. A program of this sort has two aspects: what we are told it does, and what it actually does. In some cases, Trojans may do what they say, but they also have a hidden malicious purpose which is what puts them in this category. A classic ploy used by Trojans is to pretend not to be a program at all. The text gives an example of a file that has a .exe extension, but the characters .docx occur in the name immediately before it. If a Windows computer is using the default (idiotic!) configuration, the actual .exe extension will be hidden from the user, and the user may think it is only a Word document.

Students should become familiar with the methods to turn off "Hide extensions for known file types" in common versions of Windows.
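To see why the hidden extension matters, the following added example (not from the text) models what a user sees when "Hide extensions for known file types" is on and flags files that look like documents but are really executables. The extension lists, function names, and sample file names are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed extension lists for illustration; tune them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
DECOY_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}
# Types treated as "known" (registered), so their extension is hidden from view.
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def classify(filename: str) -> dict:
    """Compare a file's real extension with the name a user would see."""
    # Keep only the file name and ignore stray whitespace around it.
    name = PureWindowsPath(filename).name.strip()
    path = PureWindowsPath(name)
    real_ext = path.suffix.lower()
    # With extensions hidden, a known final extension is dropped from the display.
    shown = path.stem if real_ext in KNOWN_EXTS else name
    # Whatever now appears to be the extension is what the user will trust.
    shown_ext = PureWindowsPath(shown.strip()).suffix.lower()
    return {
        "file": name,
        "shown_as": shown,
        "real_ext": real_ext,
        "suspicious": real_ext in EXECUTABLE_EXTS and shown_ext in DECOY_EXTS,
    }


def scan(filenames) -> list:
    """Return the classification records for names that imitate documents."""
    return [record for record in map(classify, filenames) if record["suspicious"]]


# Constructed sample listing (not taken from the text).
SAMPLE_FILES = [
    r"C:\Users\pat\Downloads\Invoice_2024.docx.exe",
    "report.docx",
    "setup.exe",
    "photo.JPG.SCR",
    "archive.tar.gz",
    "notes.v2.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print(f'{hit["file"]} is displayed as "{hit["shown_as"]}" '
              f'but is really a {hit["real_ext"]} program')
```
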

The text continues with a discussion of rootkits. At first, the rootkit sounds like a resident virus that replaces operating system files with its own. There are similarities, but one difference is that a rootkit is much more extensive, and another is that the rootkit obtains elevated privileges to carry out its stealth actions. The resident virus may replace one program on the computer, which will then do some harm to the system. The rootkit opens a door for lots of malware. How?

Have you ever seen a movie about a robbery in which the robbers send false information to security staff (like a video loop) that shows all is well, while the robbers proceed to steal whatever they want? That's kind of what a rootkit does. The rootkit assumes the role of a trustworthy part of the operating system. It will stand between the user and security software on one side, and other malware doing whatever it wants on the other.

The intention of the rootkit programmer may not be malicious. The text discusses the example of Sony, who in 2005 installed a rootkit installer on their audio CDs which had the goal of preventing computer users from copying those CDs. Their intent was not malicious, but it changed a PC without the user's consent, and it made the PC vulnerable to security exploits. The first is just wrong, and the second is worse. As the saying goes, the road to hell is paved with good intentions.

Detection and removal of a rootkit can be difficult, but it is worth trying before following the text's scenario of formatting the hard drive and starting over. The Sophos company, for example, has a free download that is supposed to be good at finding and removing these problems. Here is another one from Kaspersky. Students should do an Internet search for tools from the vendor of their choice.

A logic bomb is not a bomb. It is malware that waits for a logical condition to occur before it executes its mission. A classic case was the Michelangelo virus that only executed on the birthday of Michelangelo Buonarroti (which, as everyone knows, is March 6th). Other examples are given in the text. Some act like "dead man switches", where the malware engages if it is not regularly reset, or if a person's ID is removed from a network. A logic bomb can be hidden in a much larger program, making it difficult to find.

Privilege escalation is a technique, not a type. The technique is commonly used by system administrators. They log in to networks with an ID that has normal privileges on the system, but they execute administrative tasks with an ID that has elevated privileges. Of course, these are authorized users who are supposed to do such things. When malware does this, it may do it in one of two ways. It may use an exploit to escalate its own privileges, or it may access the privileges of another account which are greater than its own.

Malware for Profit

The first type in this category is spam. Spam that is sent for profit is sent to as many addresses as possible to maximize the potential of getting a sale. The cost to the spammer is minimal (until they are arrested) and the returns are very large.

Some techniques to make a spam email that will get by spam filters in many security products:

  • image spam - words that would trigger spam filters are presented in images (graphic art) instead of in text to avoid alerting the spam filter that the email is about a trigger subject
  • GIF layering - the graphics that present the message are placed in the message in layers, so a human reader will see the intended message, but a spam filter will not notice the subject matter
  • word splitting - trigger words are shown as graphics, and the graphics have white (or other color) bars running through them to avoid optical character recognition, but still allow a human being to recognize the message
  • geometric variance - the background, the font, and other characteristics are varied from one spam message to another so the messages from the spammer are not recognized as identical messages

Spyware is defined as software that violates a user's security. More informatively, spyware typically has one of three missions: advertising, collection of personal information, or changing configuration settings. If other software did what spyware does with the user's permission, that software would not be spyware. So the issue is not what it does, as much as the fact that it is done in secret.

Another type of malware is adware. As its name suggests, adware is concerned with presenting advertisements to the computer user.

Another subcategory of spyware: Keyloggers can be implemented through hardware or software. The idea is that the program (or device) captures every key press the user makes, which can be analyzed later by someone who reads the key log. Obviously, capturing IDs and passwords would be one use of such a product. Keeping a log of all activity on a computer would be another. Some viruses contain a key logging function which sends its log to the virus originator.

A newer wrinkle in malware is the botnet. This has been around for a while, but it is a refinement and a step back from the others at the same time. A botnet is a network of computers that have been infected, turned into robots (aka zombies), that can be used for any of several kinds of attacks. The refinement is the creation of a network of infected machines on one mission. The step back is the brute force aspect of the attacks. The attacker (the bot herder) does not depend on finesse or subtlety; he uses more points of attack to meet his goal.

Hardware-based attacks

All PCs have BIOS chips or chip sets. They control the computer hardware at a very basic level and are still important to computer systems. As the text explains, once upon a time (let's say the 1970s), BIOS chips were read-only and had to be replaced if you were going to update them. The text reviews the history of BIOS chips becoming flashable (rewritable). A virus that overwrites the BIOS and the Master Boot Record of a computer has the potential to make the computer unusable until the BIOS is physically replaced. Other viruses will attack the BIOS and co-opt it with malware or a rootkit. For these reasons, the text recommends setting the BIOS chip to be write protected.

The phrase USB device can mean any device that attaches through a USB port, but the text is concerned with those that contain memory chips or hard drives that could contain viruses. This is not to say that other devices can't be modified to become exploit devices. At the 2011 DEFCON conference, a pair of hackers demonstrated that they could rig a mouse to hold a USB stick that contained malware that could compromise a network. In a sense, this is just another instance of a hack involving a memory stick, but it is more in that most people can be made aware of the dangers of flash memory, and few would generalize that awareness to other devices that they would normally consider safe. The text lists three methods to disable USB devices:

  • disable the USB system in the computer's hardware (BIOS)
  • disable USB in the operating system by removing support files for USB
  • use third party software

Of the three, only the third is practical. How many of you connect a mouse or a printer by any means other than a USB port? Wireless, maybe, but you still insert a transceiver in a USB port in most cases. A good security program can be configured to scan devices as they are attached or used to minimize this risk.