Chapter 3, Business Drivers for Access Control
Chapter 4, Access Control Policies, Standards, Procedures, and Guidelines
Objectives:
This lesson concerns two chapters, so it is a little long. Objectives
important to this lesson:
Business requirements for asset protection
How information is classified
Using information competitively
Business drivers for access control
How controlling access protects value
Example of access control
US laws and regulations concerning IT
Access control security policy best practices
Access control as part of IT security
Examples of policies, standards, procedures, and guidelines
Concepts:
Chapter 3
Business Requirements
The chapter begins with a short discussion about protecting assets and
the importance of good policies.
Policies are where we start, because they name the assets
we are protecting, they tell us why
we are protecting them, and they usually tell us what
to do. They should be clearly written,
so they can be followed without confusion. The text also points out that
controls, procedures
that support policies, should be put in place to require compliant
behavior by employees.
The text also mentions that senior management
should act as role models. Make that all
levels of management, because a policy needs support from all levels. The
example used in the text is requiring each person who enters a secure
site to be admitted only after their ID
badge has been properly scanned.
The text warns us that this procedure is often circumvented
by people who hold doors open for others, whether the others are known
or not.
This is a hard control to implement, because people do not like it. I
have seen a successful control
implemented that works for this policy. Let the doors to the site open
to turnstiles. To pass through,
employees must scan their ID badges
on an ID scanner incorporated into each
turnstile. This makes each individual scan their own badge without closing
a door in someone's face. It also speeds up the entry process, because
there is more than one scanner at each door. A nearby security
guard processes admission for people who need help.
Information Classification
The next topic is about classifying information in terms of sensitivity
or secrecy. If your documents,
files, and other information types are tagged with a security
level indicator, your staff may be tagged as well, as being allowed
to access information at or below a particular level. A common term for
an access level is clearance.
Two classification
systems are mentioned. The link in the previous sentence will take
you to an article that has more breadth. It describes the systems used
by a number of countries.
National Security Classification (US government)
Note that although it has four levels, the adjectives used in the three
levels of sensitivity are not defined, so it would be impossible to
classify information under this system without more guidance. There
is more guidance in Executive
Order 13526.
Unclassified - information that is available for general release
Confidential - information whose disclosure would cause damage to national security
Secret - information whose disclosure would cause serious damage to national security
Top Secret - information whose disclosure would cause exceptionally grave damage to national security
Common Corporate Security Classification
Public - information that may be given to the public
Internal - information not given to the public, but disclosure would not damage the company
Sensitive - information whose disclosure would cause serious damage to the company
Highly Sensitive - information whose disclosure would cause extreme damage to the company
Classified material should be examined
before it is classified,
and it should be reexamined periodically
to consider changing its classification
category. The text lists four ways a document classified by the US government
may be declassified:
Automatic declassification - classified documents that are 25 years old may be automatically declassified and placed in the national archives; there are exceptions to this rule, established by the Department of Justice
Systematic declassification - documents less than 25 years old may be reviewed for historical importance, and may be declassified
Mandatory declassification review - if an authorized holder requests that a document be declassified, the owning agency must review the request and respond that the request is approved, the request is denied, or that the agency cannot confirm or deny the existence of the document; denials may be appealed
Freedom of Information Act (FOIA) request - anyone in the general public may request that a document be declassified by filing a FOIA request; as the video below explains, there are limits to the kinds of requests that can be made.
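As an added example (not from the textbook), here is how the clearance rule above, "allowed to access information at or below a particular level", and the 25-year automatic declassification rule can be expressed for both classification systems in the chapter. The level names are the ones listed above; the review interval and the exemption flag are assumptions made for the example.

```python
from datetime import date

# Both classification systems from the chapter, listed from the least to
# the most sensitive level, so a lower index means a lower level.
CLASSIFICATION_SYSTEMS = {
    "us_government": ["Unclassified", "Confidential", "Secret", "Top Secret"],
    "corporate": ["Public", "Internal", "Sensitive", "Highly Sensitive"],
}


def level_rank(system, level):
    """Return the position of a level within its classification system."""
    levels = CLASSIFICATION_SYSTEMS[system]
    if level not in levels:
        raise ValueError(f"{level!r} is not a level of the {system} system")
    return levels.index(level)


def may_access(system, clearance, classification):
    """True when a clearance allows reading material at or below its level.

    Someone cleared at Secret may read Secret, Confidential and Unclassified
    material, but not Top Secret.
    """
    return level_rank(system, clearance) >= level_rank(system, classification)


def effective_classification(level, classified_on, today, exempt=False):
    """Apply the 25-year automatic declassification rule the chapter describes.

    Dates are ISO strings.  A document classified 25 or more years ago drops
    to Unclassified unless it falls under one of the exceptions, which this
    example models as a single assumed flag.
    """
    start = date.fromisoformat(classified_on)
    now = date.fromisoformat(today)
    try:
        anniversary = start.replace(year=start.year + 25)
    except ValueError:  # classified on 29 February; use 1 March that year
        anniversary = date(start.year + 25, 3, 1)
    if not exempt and now >= anniversary:
        return "Unclassified"
    return level


def due_for_review(last_reviewed, today, interval_days=365):
    """True when a document's category should be reexamined (assumed interval)."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_reviewed)
    return elapsed.days >= interval_days
```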
The text explains that personally identifiable
information (PII) is the
most sensitive information most companies have. When this kind of information
about customers is stolen, customers lose confidence even if they don't
lose money or their identities to the thieves. In the worst cases, customers
lose all of those things, and the companies may be liable for the losses.
The most important types of PII are social security numbers and credit
card numbers, paired with customer names.
The text emphasizes the importance of PII
in the context of the Health Insurance
Portability and Accountability Act (HIPAA)
on page 47. It lists various penalties
for disclosure of health related information to parties who do not have
a legitimate right to know. Note that the penalties increase dramatically
if the intent of the offender
is more criminal, and if proper steps to stop
further disclosures are not taken.
The text presents some business related
reasons for using access control:
Confidential business information
and trade secrets must be protected
because they lose their value if they are known by the public or a competitor.
See, for example, the formula for Coca-Cola. According to the Coca-Cola
company, only two people know their formula at any given time. No doubt,
there is a process to tell the next one when a new one is needed.
A strictly enforced access control program might avoid the
risk of exposing customer PII to thieves. Of course, such a
defense needs to be checked, tested, and improved over time.
In the context of risk assessment, the text reminds us that we will
generate a list of assets, a list of vulnerabilities for
each asset, and a list of potential exploits for each vulnerability.
The question is asked, "How do we prioritize?" Do we protect
the most valuable asset first? The most vulnerable asset?
The "most likely to be attacked" asset? The answer to that question
will tell you something about your organization. Maybe the most common
vulnerability needs to be addressed first, partly because it affects
more assets, but also because it may be the quickest problem
to resolve. That matters, too. Quick solutions are valuable, because
they protect something right away, and because that gives you more time
to address something else.
The text moves on to discuss some examples of access rights, but the first
one falls apart. Who cares if the newsletter is stuffy or funny? Well,
the people reading it do, but that has nothing to do with access rights.
The only part of the story on page 50 that matters is that everyone in
the company can read the newsletter, but only a few are allowed to edit
or change it. Not much of a surprise, right? The author tries a few more
stories, but the points are elusive.
A Warning about Risk Assessment
Skipping ahead to pages 55 and 56, we seem to be returning to risk assessment.
The author elaborates on some of the phases, from the perspective of an
attacker:
Full asset inventory - The asset inventory becomes a target
for an attacker. It can be used to find assets, to prioritize
them, and to make a list for Santa.
Vulnerability assessment - If the asset inventory is a target
for an attacker, the vulnerability assessment becomes a guidebook
to your assets as the attacker takes a tour of all their weak
spots.
Threat assessment - This becomes a lesson in what not
to do for the attacker. The attacker needs to look in his bag of tricks
and find an exploit that your defense experts did not
anticipate being used.
Mitigation plans - The mitigation plans are the defense
plans for your network. Typically, there will be a prioritization
to them, which will tell the attacker where he is wasting his time,
and where he should be attacking the richest or easiest targets.
Risk assessment policies - The author suggests that this will
include a schedule for conducting risk assessments, which will tell
the attacker the age of the plans he has stolen. What is the point?
That things change, and an assessment that was done long ago may not
reflect the current state of the network. Hmm. Was this set of plans
actually a honey
pot?
So, it should be obvious that if we conduct all the security studies
we should, we need to hide the output of those studies even more than
the assets themselves.
Access Control Recommendations
The chapter ends with some thoughts about access controls that work,
and some that don't.
The text has recommended that we should always follow the policies
of least privilege and need to know. Don't assign more access than a
person needs, and not for longer than they need it.
The first story on page 60 follows this advice. The staff are assigned
to groups based on their job function, and those groups are given access
only to those assets they need, and only for the duration of that need.
In the second story on page 60, the trade secrets and a prototype
left a company due to an open door and an executive assistant who wanted
to sell secrets to a competitor. A lock, a guard, and maybe some security
on the actual secrets of the company in question would have been a good
idea.
Chapter 4
This chapter is concerned with US laws and regulations, many of which
were enacted in response to specific security problems. The text cautions
us to keep up with relevant laws and to stay compliant with them. This
chapter goes into more detail about these laws than any other we have
used in the past, so let's take a look at them.
US Laws
Gramm-Leach-Bliley Act (GLBA,
1999) - also called the Financial Services Modernization Act; deregulated
banks and financial services, allowing each institution to offer banking,
investments, and insurance services.
It included three rules that affect privacy.
The Financial Privacy Rule allows
people to opt out of having their data shared with partner companies,
but it is usually implemented so that it is easier to allow the
sharing.
The Safeguards Rule requires
that companies have data security plans.
The Pretexting Rule tells
institutions to implement procedures to keep from releasing information
to people who are trying to gain information under false pretenses
(pretexting). (They had
to be told to do that?)
The text observes that GLBA-based access controls should specify what
a person may access, and how long that permission should be granted.
One way to do this would be to set up a new login ID for the person,
and to set an expiration date for it. Tracking the access to the sensitive
data would be easier this way because it would be linked to the actions
of that ID.
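An added example (not from the textbook) that puts the expiring login ID idea above together with the least privilege and need-to-know advice from chapter 3: people are placed in job-function groups, each group sees only the assets it needs, every ID carries an expiration, and every decision is written to an audit trail keyed by the login ID. The account names, group names, asset names and timestamps are constructed sample data.

```python
from datetime import datetime

# Constructed sample data: each temporary login ID is tied to one person,
# one job-function group and an expiration timestamp (ISO format).
ACCOUNTS = {
    "tmp-auditor-0417": {"person": "J. Doe", "group": "external-audit",
                         "expires": "2024-03-31T23:59:59"},
}

# Least privilege / need to know: a group is granted only the assets
# its job function requires.
GROUP_ASSETS = {
    "external-audit": {"loan-ledger-2023"},
    "branch-staff": {"customer-accounts"},
}

AUDIT_LOG = []  # every decision is recorded against the login ID that made it


def check_access(login_id, asset, at):
    """Decide whether login_id may read asset at ISO timestamp `at`.

    Returns "allow", "denied:unknown-id", "denied:expired" or
    "denied:not-in-group".  A record is appended to AUDIT_LOG either way,
    so the activity of the temporary ID can be traced later.
    """
    account = ACCOUNTS.get(login_id)
    if account is None:
        decision = "denied:unknown-id"
    elif datetime.fromisoformat(at) > datetime.fromisoformat(account["expires"]):
        decision = "denied:expired"
    elif asset not in GROUP_ASSETS.get(account["group"], set()):
        decision = "denied:not-in-group"
    else:
        decision = "allow"
    AUDIT_LOG.append({"at": at, "login_id": login_id, "asset": asset,
                      "decision": decision})
    return decision


def accesses_by(login_id):
    """Return every audit record for one login ID, allowed or denied."""
    return [r for r in AUDIT_LOG if r["login_id"] == login_id]


def expired_accounts(now):
    """List login IDs whose grant has lapsed and should be removed."""
    cutoff = datetime.fromisoformat(now)
    return sorted(i for i, a in ACCOUNTS.items()
                  if datetime.fromisoformat(a["expires"]) < cutoff)
```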
Health Insurance Portability and
Accountability Act (HIPAA,
1996) - Establishes
a large, complicated rule set for storing health information in a common
format, making it sharable, and making it a crime to share it with people
who should not have it. It prohibits disclosure of protected
health data, with penalties up to $250,000 and 10 years in prison for
trying to sell it; penalties for an accidental disclosure can be as
low as $100, so the intent of the person responsible makes a difference.
The text discusses several rules that are part of this act.
Privacy
Rule (2003) - The basic rule is to protect the privacy
of information about a patient's status, health care, and payments.
The aggregate of this information is called Patient
Health Information (PHI).
Organizations may disclose only the minimum information needed
to facilitate treatment or payment, may disclose information required
by law, and may disclose other information only to the patient and
to others whom the patient has given permission to receive it.
Transactions
and Codes Set Rule - This rule establishes a common data
set, a configuration of health data, to be used when transferring
data from one health provider to another, or to entities concerned
with billing.
Unique
Identifier Standards Rule - This sets rules to identify
each of four entities: employers,
health providers, health
plans, and individual patients.
Security
Rule - Established particular safeguards that providers
must use to protect PHI. Note the requirements on pages 67 and 68.
Some of the highlights would include establishing written procedures,
designating a privacy officer, identifying groups or staff who have
access to PHI, and establishing processes to grant, modify, and remove
access rights.
The rule specifies a list of technical and physical controls, also
listed on page 68.
Enforcement
Rule - The enforcement rule establishes rules for investigations
and penalties for noncompliance. Note that penalties vary based on
the number of times a violation occurs, the number of people affected
by each violation, and the duration of the violation.
Sarbanes-Oxley
Act (Sarbox
or SOX, 2002) - A reaction to
corporate fraud and corruption,
it provided penalties up to
$5,000,000 and 20 years in prison for officers who file false corporate
reports. It also established rules about proper performance by those
in fiscally responsible roles (they deal with money).
Note the eleven parts of the rule listed on page 70.
Family
Educational Rights and Privacy Act (FERPA,
1974) - Protects the information of educational records, the rights
of students to keep their records private, and the rights of students
to access information about themselves. There is no requirement to preserve
privacy about directory information,
unless a student specifically requests that it be made private. Directory
information includes name, address, phone number, email address, dates
attended, and degrees earned.
Communications
Assistance for Law Enforcement Act (CALEA)
- Requires the communications industry to provide support for properly
ordered wiretaps and surveillance by law enforcement officers. It includes
access to electronic communications, such as Voice over IP and Internet
traffic.
Children's
Internet Protection Act (CIPA,
2000) - Requires that schools and libraries add controls to their systems
to protect/prevent minors from accessing obscene or harmful content.
It also requires that the systems be protected from viruses and other
inbound attacks.
The last few pages in this section get into less significant laws. Let's
move on to the next topic.
Access Control Best Practices
The text begins with proposals for enterprise (large) organizations:
Define an authorization policy - Under what circumstances are
access rights assigned? Who makes the requests, and who approves or
denies them? How are rights audited and removed?
Access control for facilities - What physical security controls
will be used for our data centers? How will we monitor those controls?
As discussed elsewhere, decisions must be made about controlled access,
guards, locks, single factor or multifactor security, and more.
Social Engineering - It is more likely that a social engineer
will succeed in an enterprise environment than in a small
business. Why? Because not everyone knows everyone else in
an enterprise environment. There are frequently new people, contractors,
temporaries, and guests, and any of them might be standing by the door,
smiling sadly, in need of our help. The social engineer is like Blanche
DuBois in A Streetcar Named Desire, who always depended on the
kindness of strangers. Yes, if I saw Blanche standing there, I would
let her through the door, too. But I would watch where she went
and what she did. We all need to learn to be responsible for
our choices and our actions.
Access control for systems and applications - Systems
in any facility, data centers included, need their own security and
access controls. So should applications that hold sensitive data. Some
applications need access to system resources that an attacker may use.
As usual, assign the lowest set of privileges that will allow people
to do their jobs. This goes for every item in the list.
Access control for data - What must be encrypted? It is common
these days to require that any data in transit, whether across a wire
or on a portable device, be encrypted. This is a standard that can be
enacted easily in enterprise editions of Windows.
Access control for remote access - Mobility is a time saver
and a productivity increaser, when security controls are in place. It
is an open door to attackers when there is no encryption, no VPN, no
encrypted channel on a public wireless access point.
The text explains that the recommendations for government installations
are not really different, just stricter because of federal, state,
and municipal laws requiring adherence to best practices.
The text continues on the same theme for several pages, quoting more standards
that mean the same thing: identify, protect, and preserve. Do the right
thing. There is no IT category that requires no security at all.
On page 83, we are given a set of four terms that explain the key parts
of a security framework. These terms are defined differently by different
authors, and used differently from business to business. You need to know
the equivalent of each term in the environment where you work, especially
if you are responsible for creating something at any of these levels.
Policy - specific requirements or rules for a
set of resources in an organization
Standard - a set of rules to be followed for the operation
of a specific task or system
Guideline - suggestions and proposed best practices
to be used in meeting a standard or policy
Procedure - specific steps to be followed for a specific
task that will lead to an acceptable result, in compliance
with the items above
Guidelines are optional, but the other three components go from general
rules at the top to specific operational steps that must be followed at
the bottom of the list.