ITS 421 - Tactical Perimeter Defense

Chapter 3, Business Drivers for Access Control
Chapter 4, Access Control Policies, Standards, Procedures, and Guidelines


This lesson concerns two chapters, so it is a little long. Objectives important to this lesson:

  1. Business requirements for asset protection
  2. How information is classified
  3. Using information competitively
  4. Business drivers for access control
  5. How controlling access protects value
  6. Example of access control

  7. US laws and regulations concerning IT
  8. Access control security policy best practices
  9. Access control as part of IT security
  10. Examples of policies, standards, procedures, and guidelines

Chapter 3

Business Requirements

The chapter begins with a short discussion about protecting assets and the importance of good policies. Policies are where we start, because they name the assets we are protecting, they tell us why we are protecting them, and they usually tell us what to do. They should be clearly written, so they can be followed without confusion. The text also points out that controls, the procedures that support policies, should be put in place to require compliant behavior by employees.

The text also mentions that senior management should act as role models. Make that all levels of management, because a policy needs support from all levels. The example used in the text is requiring each person who enters a secure site to be admitted only after their ID badge has been properly scanned. The text warns us that this procedure is often circumvented by people who hold doors open for others, whether the others are known or not.

This is a hard control to implement, because people do not like it. I have seen a successful control implemented that works for this policy. Let the doors to the site open to turnstiles. To pass through, employees must scan their ID badges on an ID scanner incorporated into each turnstile. This makes each individual scan their own badge without closing a door in someone's face. It also speeds up the entry process, because there is more than one scanner at each door. A nearby security guard processes admission for people who need help.

Information Classification

The next topic is about classifying information in terms of sensitivity or secrecy. If your documents, files, and other information types are tagged with a security level indicator, your staff may be tagged as well, as being allowed to access information at or below a particular level. A common term for an access level is clearance.

Two classification systems are mentioned. The link in the previous sentence will take you to an article that has more breadth. It describes the systems used by a number of countries.

  • National Security Classification (US government)
    Note that although it has four levels, the adjectives used in the three levels of sensitivity are not defined, so it would be impossible to classify information under this system without more guidance. There is more guidance in Executive Order 13526.
    • Unclassified - information that is available for general release
    • Confidential - information whose disclosure would cause damage to national security
    • Secret - information whose disclosure would cause serious damage to national security
    • Top Secret - information whose disclosure would cause exceptionally grave damage to national security
  • Common Corporate Security Classification
    • Public - information that may be given to the public
    • Internal - information not given to the public, but disclosure would not damage the company
    • Sensitive - information whose disclosure would cause serious damage to the company
    • Highly Sensitive - information whose disclosure would cause extreme damage to the company

Classified material should be examined before it is classified, and it should be reexamined periodically to consider changing its classification category. The text lists four ways a document classified by the US government may be declassified:

  • Automatic declassification - classified documents that are 25 years old may be automatically declassified and placed in the national archives; there are exceptions to this rule, established by the Department of Justice
  • Systematic declassification - documents less than 25 years old may be reviewed for historical importance, and may be declassified
  • Mandatory declassification review - if an authorized holder requests that a document be declassified, the owning agency must review the request and respond that the request is approved, the request is denied, or that the agency cannot confirm or deny the existence of the document; denials may be appealed
  • Freedom of Information Act (FOIA) request - anyone in the general public may request that a document be declassified by filing a FOIA request; as the video below explains, there are limits to the kinds of requests that can be made.
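The clearance rule above ("allowed to access information at or below a particular level") and the 25-year automatic declassification trigger are easy to state precisely in code. The following is an added example, not code from the text or its author; the numeric ranks, the sample documents, and the date arithmetic are assumptions made here so that the comparison and the age check can be run.

```python
from datetime import date

# Constructed ordering of the two classification schemes described in the lesson,
# lowest sensitivity first. The integer rank (list position) is an assumption used
# here so that "at or below" comparisons work; it is not part of either scheme.
GOVERNMENT_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
CORPORATE_LEVELS = ["Public", "Internal", "Sensitive", "Highly Sensitive"]

# Age at which the lesson says a government document may be automatically declassified.
AUTOMATIC_DECLASSIFICATION_YEARS = 25

# Constructed sample documents: (title, classification level, date classified).
SAMPLE_DOCUMENTS = [
    ("site-map", "Unclassified", date(2015, 3, 1)),
    ("vendor-contract", "Confidential", date(2010, 7, 15)),
    ("network-diagram", "Secret", date(1998, 2, 20)),
    ("crypto-keys-plan", "Top Secret", date(2021, 11, 5)),
]


def rank(level, scheme):
    """Return the numeric rank of a classification level within a scheme."""
    try:
        return scheme.index(level)
    except ValueError:
        raise ValueError(f"unknown classification level: {level!r}")


def may_read(clearance, document_level, scheme=GOVERNMENT_LEVELS):
    """A subject may read a document classified at or below its clearance."""
    return rank(clearance, scheme) >= rank(document_level, scheme)


def filter_readable(clearance, documents=SAMPLE_DOCUMENTS, scheme=GOVERNMENT_LEVELS):
    """Titles of the documents a subject holding `clearance` may read."""
    return [title for title, level, _ in documents if may_read(clearance, level, scheme)]


def years_since(classified_on, today):
    """Whole years elapsed, counting a year only once its anniversary has passed."""
    anniversary_passed = (today.month, today.day) >= (classified_on.month, classified_on.day)
    return today.year - classified_on.year - (0 if anniversary_passed else 1)


def due_for_automatic_review(classified_on, today):
    """True when a document has reached the age at which automatic declassification
    applies. Exceptions to the rule are decided by people, not by this function."""
    return years_since(classified_on, today) >= AUTOMATIC_DECLASSIFICATION_YEARS


def review_queue(today, documents=SAMPLE_DOCUMENTS):
    """Titles that should be pulled for automatic declassification review today."""
    return [title for title, _, classified_on in documents
            if due_for_automatic_review(classified_on, today)]


if __name__ == "__main__":
    print("Secret clearance may read:", filter_readable("Secret"))
    print("Review queue:", review_queue(date(2024, 6, 1)))
```

The same `may_read` check works for the corporate scheme by passing `CORPORATE_LEVELS`; the point is that the scheme only needs a total ordering, the names do not matter. Note that "at or below" is a read rule only; nothing here says what a subject may write, which is a separate decision.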

The text explains that personally identifiable information (PII) is the most sensitive information most companies have. When this kind of information about customers is stolen, customers lose confidence even if they don't lose money or their identities to the thieves. In the worst cases, customers lose all of those things, and the companies may be liable for the losses. The most important types of PII are social security numbers and credit card numbers, paired with customer names.

The text emphasizes the importance of PII in the context of the Health Insurance Portability and Accountability Act (HIPAA) on page 47. It lists various penalties for disclosure of health related information to parties who do not have a legitimate right to know. Note that the penalties increase dramatically if the intent of the offender is more criminal, and if proper steps to stop further disclosures are not taken.

The text presents some business related reasons for using access control:

  • Confidential business information and trade secrets must be protected because they lose their value if they are known by the public or a competitor. See, for example, the formula for Coca-Cola. According to the Coca-Cola company, only two people know their formula at any given time. No doubt, there is a process to tell the next one when a new one is needed.

  • A strictly enforced access control program might avoid the risk of exposing customer PII to thieves. Of course, such defense needs to be checked, tested, and improved over time.
  • In the context of risk assessment, the text reminds us that we will generate a list of assets, a list of vulnerabilities for each asset, and a list of potential exploits for each vulnerability. The question is asked, "How do we prioritize?" Do we protect the most valuable asset first? The most vulnerable asset? The "most likely to be attacked" asset? The answer to that question will tell you something about your organization. Maybe the most common vulnerability needs to be addressed first, partly because it affects more assets, but also because it may be the quickest problem to resolve. That matters, too. Quick solutions are valuable, because they protect something right away, and because that gives you more time to address something else.
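The prioritization question above has no single right answer, but the candidate answers can be compared on the same inventory. The following is an added example, not from the text or its author: the asset values, vulnerability list, and remediation-effort estimates are constructed here, and it ranks the same data three ways (most valuable asset first, vulnerability that touches the most assets first, and value protected per day of effort) so the difference between the strategies is visible.

```python
from collections import Counter

# Constructed inventory: asset -> relative value (1-10) and the vulnerabilities it carries.
ASSETS = {
    "customer-db":  {"value": 10, "vulns": ["unpatched-os", "weak-admin-password"]},
    "web-portal":   {"value": 8,  "vulns": ["unpatched-os", "missing-tls"]},
    "hr-fileshare": {"value": 6,  "vulns": ["unpatched-os", "open-share"]},
    "print-server": {"value": 2,  "vulns": ["weak-admin-password"]},
}

# Constructed estimate of the days needed to fix each vulnerability everywhere it occurs.
EFFORT_DAYS = {
    "unpatched-os": 1.0,
    "weak-admin-password": 0.5,
    "missing-tls": 3.0,
    "open-share": 1.0,
}


def by_asset_value(assets=ASSETS):
    """Strategy 1: protect the most valuable asset first."""
    return sorted(assets, key=lambda a: assets[a]["value"], reverse=True)


def vulnerability_reach(assets=ASSETS):
    """How many assets each vulnerability affects."""
    reach = Counter()
    for info in assets.values():
        reach.update(info["vulns"])
    return reach


def value_exposed(assets=ASSETS):
    """Total asset value exposed by each vulnerability."""
    exposed = Counter()
    for info in assets.values():
        for v in info["vulns"]:
            exposed[v] += info["value"]
    return exposed


def by_reach(assets=ASSETS):
    """Strategy 2: fix the most common vulnerability first (ties broken by name)."""
    reach = vulnerability_reach(assets)
    return sorted(reach, key=lambda v: (-reach[v], v))


def by_value_per_effort(assets=ASSETS, effort=EFFORT_DAYS):
    """Strategy 3: fix whatever protects the most value per day of work first;
    ties broken by reach, then by name, so the order is deterministic."""
    reach = vulnerability_reach(assets)
    exposed = value_exposed(assets)
    return sorted(reach, key=lambda v: (-exposed[v] / effort[v], -reach[v], v))


if __name__ == "__main__":
    print("most valuable asset first:", by_asset_value())
    print("most common vulnerability first:", by_reach())
    print("most value protected per day first:", by_value_per_effort())
```

On this data the cheap, widespread fixes (the unpatched OS and the weak admin password) come out on top under the third strategy, which is the lesson's point: a quick fix that covers several assets buys time for the slower ones.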

The text moves on to discuss some examples of access rights, but the first one falls apart. Who cares if the newsletter is stuffy or funny? Well, the people reading it do, but that has nothing to do with access rights. The only part of the story on page 50 that matters is that everyone in the company can read the newsletter, but only a few are allowed to edit or change it. Not much of a surprise, right? The author tries a few more stories, but the points are elusive.

A Warning about Risk Assessment

Skipping ahead to pages 55 and 56, we seem to be returning to risk assessment. The author elaborates on some of the phases, from the perspective of an attacker:

  • Full asset inventory - The asset inventory becomes a target for an attacker. It can be used to find assets, to prioritize them, and to make a list for Santa.
  • Vulnerability assessment - If the asset inventory is a target for an attacker, the vulnerability assessment becomes a guidebook to your assets as the attacker takes a tour of all their weak spots.
  • Threat assessment - This becomes a lesson in what not to do for the attacker. The attacker needs to look in his bag of tricks and find an exploit that your defense experts did not anticipate being used.
  • Mitigation plans - The mitigation plans are the defense plans for your network. Typically, there will be a prioritization to them, which will tell the attacker where he is wasting his time, and where he should be attacking the richest or easiest targets.
  • Risk assessment policies - The author suggests that this will include a schedule for conducting risk assessments, which will tell the attacker the age of the plans he has stolen. What is the point? That things change, and an assessment that was done long ago may not reflect the current state of the network. Hmm. Was this set of plans actually a honey pot?

So, it should be obvious that if we conduct all the security studies we should, we need to hide the output of those studies even more than the assets themselves.

Access Control Recommendations

The chapter ends with some thoughts about access controls that work, and some that don't.

  • The text has recommended that we should always follow the policies of least privilege and need to know. Don't assign more access than a person needs, and not for longer than they need it.
  • The first story on page 60 follows this advice. The staff are assigned to groups based on their job function, and those groups are given access only to those assets they need, and only for the duration of that need.
  • In the second story on page 60, the trade secrets and a prototype left a company due to an open door and an executive assistant who wanted to sell secrets to a competitor. A lock, a guard, and maybe some security on the actual secrets of the company in question would have been a good idea.

Chapter 4

This chapter is concerned with US laws and regulations, many of which were enacted in response to specific security problems. The text cautions us to keep up with relevant laws and to stay compliant with them. This chapter goes into more detail about these laws than any other we have used in the past, so let's take a look at them.

US Laws

  • Gramm-Leach-Bliley Act (GLBA, 1999) - also called the Financial Services Modernization Act; deregulated banks and financial services, allowing each institution to offer banking, investments, and insurance services.

    It included three rules that affect privacy.
    • The Financial Privacy Rule allows people to opt out of having their data shared with partner companies, but it is usually implemented so that it is easier to allow the sharing.
    • The Safeguards Rule requires that companies have data security plans.
    • The Pretexting Rule tells institutions to implement procedures to keep from releasing information to people who are trying to gain information under false pretenses (pretexting). (They had to be told to do that?)

    The text observes that GLBA-based access controls should specify what a person may access, and how long that permission should be granted. One way to do this would be to set up a new login ID for the person, and to set an expiration date for it. Tracking the access to the sensitive data would be easier this way because it would be linked to the actions of that ID.

  • Health Insurance Portability and Accountability Act (HIPAA, 1996) - Establishes a large, complicated rule set for storing health information in a common format, making it sharable, and making it a crime to share it with people who should not have it. It prohibits disclosure of protected health data, with penalties up to $250,000 and 10 years in prison for trying to sell it; penalties for an accidental disclosure can be as low as $100, so the intent of the person responsible makes a difference. The text discusses several rules that are part of this act.
    • Privacy Rule (2003) - The basic rule is to protect the privacy of information about a patient's status, health care, and payments. The aggregate of this information is called Patient Health Information (PHI). Organizations are limited to disclosing the minimum information needed to facilitate treatment or payment, to disclosing information required by law, and to disclosing other information only to the patient and to others whom the patient has authorized to receive it.
    • Transactions and Codes Set Rule - This rule establishes a common data set, a configuration of health data, to be used when transferring data from one health provider to another, or to entities concerned with billing.
    • Unique Identifier Standards Rule - This sets rules to identify each of four entities: employers, health providers, health plans, and individual patients.
    • Security Rule - Established particular safeguards that providers must use to protect PHI. Note the requirements on pages 67 and 68. Some of the highlights would include establishing written procedures, designating a privacy officer, identifying groups or staff who have access to PHI, and establishing processes to grant, modify, and remove access rights.
      The rule specifies a list of technical and physical controls, also listed on page 68.
    • Enforcement Rule - The enforcement rule establishes rules for investigations and penalties for noncompliance. Note that penalties vary based on the number of times a violation occurs, the number of people affected by each violation, and the duration of the violation.

  • Sarbanes-Oxley Act (Sarbox or SOX, 2002) - A reaction to corporate fraud and corruption, it provided penalties up to $5,000,000 and 20 years in prison for officers who file false corporate reports. It also established rules about proper performance by those in fiscally responsible roles (they deal with money). Note the eleven parts of the rule listed on page 70.

  • Family Educational Rights and Privacy Act (FERPA, 1974) - Protects the information of educational records, the rights of students to keep their records private, and the rights of students to access information about themselves. There is no requirement to preserve privacy about directory information, unless a student specifically requests that it be made private. Directory information includes name, address, phone number, email address, dates attended, and degrees earned.

  • Communications Assistance for Law Enforcement Act (CALEA) - Requires the communications industry to provide support for properly ordered wiretaps and surveillance by law enforcement officers. It includes access to electronic communications, such as Voice over IP and Internet traffic.

  • Children's Internet Protection Act (CIPA, 2000) - Requires that schools and libraries add controls to their systems to prevent minors from accessing obscene or harmful content. It also requires that the systems be protected from viruses and other inbound attacks.
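Three passages above describe the same mechanism: the Chapter 3 recommendation to put staff in job-function groups that hold access only for the duration of the need, the GLBA note about a login ID with an expiration date whose actions can be tracked, and the HIPAA Security Rule requirement for processes to grant, modify, and remove access. The following is an added example, not code from the text or its author, that implements that mechanism in one place: the group names, resource names, and login IDs are constructed; the audit record format and the "expire at exactly the deadline" choice are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed mapping of job-function groups to the only resources each group needs
# (least privilege: nothing outside this table is ever granted).
GROUP_RESOURCES = {
    "claims-processors": {"claims-db"},
    "auditors": {"claims-db", "ledger"},
    "helpdesk": {"ticket-system"},
}


@dataclass(frozen=True)
class Membership:
    """One person's time-limited membership in one job-function group."""
    login_id: str      # an ID created for one person, so its actions can be tracked
    group: str
    granted: datetime
    expires: datetime  # the expiration date the GLBA discussion recommends


@dataclass
class AccessControl:
    memberships: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant(self, login_id, group, now, days):
        """Grant process: add a membership that lasts only `days` from `now`."""
        if group not in GROUP_RESOURCES:
            raise ValueError(f"unknown group: {group!r}")
        m = Membership(login_id, group, now, now + timedelta(days=days))
        self.memberships.append(m)
        return m

    def active_groups(self, login_id, now):
        """Groups whose membership is in force at `now` (expiry instant is excluded)."""
        return {m.group for m in self.memberships
                if m.login_id == login_id and m.granted <= now < m.expires}

    def check(self, login_id, resource, now):
        """Decide one access request and record the decision against the login ID."""
        allowed = any(resource in GROUP_RESOURCES[g]
                      for g in self.active_groups(login_id, now))
        self.audit_log.append((now.isoformat(timespec="seconds"), login_id, resource,
                               "ALLOW" if allowed else "DENY"))
        return allowed

    def expired(self, now):
        """Memberships that have lapsed and should be removed."""
        return [m for m in self.memberships if m.expires <= now]

    def remove_expired(self, now):
        """Remove process: drop lapsed memberships; returns how many were removed."""
        stale = self.expired(now)
        self.memberships = [m for m in self.memberships if m.expires > now]
        return len(stale)

    def history(self, login_id):
        """Every decision recorded for one login ID, oldest first."""
        return [entry for entry in self.audit_log if entry[1] == login_id]


if __name__ == "__main__":
    ac = AccessControl()
    start = datetime(2024, 1, 1, 9, 0)
    ac.grant("contractor-0421", "claims-processors", start, days=30)
    print(ac.check("contractor-0421", "claims-db", start + timedelta(days=1)))   # True
    print(ac.check("contractor-0421", "ledger", start + timedelta(days=1)))      # False
    print(ac.check("contractor-0421", "claims-db", start + timedelta(days=30)))  # False, expired
    print(ac.remove_expired(start + timedelta(days=31)), "membership(s) removed")
    for entry in ac.history("contractor-0421"):
        print(entry)
```

Because every decision, including denials, is written against the login ID, the audit log answers the GLBA tracking question directly: what did this ID touch, and when. The `remove_expired` sweep is what makes "only for the duration of that need" true in practice; without a scheduled removal step, expired grants simply accumulate.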

The last few pages in this section get into less significant laws. Let's move on to the next topic.

Access Control Best Practices

The text begins with proposals for enterprise (large) organizations:

  • Define an authorization policy - Under what circumstances are access rights assigned? Who makes the requests, and who approves or denies them? How are rights audited and removed?
  • Access control for facilities - What physical security controls will be used for our data centers? How will we monitor those controls? As discussed elsewhere, decisions must be made about controlled access, guards, locks, single factor or multifactor security, and more.
  • Social Engineering - It is more likely that a social engineer will succeed in an enterprise environment than in a small business. Why? Because not everyone knows everyone else in an enterprise environment. There are frequently new people, contractors, temporaries, and guests, and any of them might be standing by the door, smiling sadly, in need of our help. The social engineer is like Blanche DuBois in A Streetcar Named Desire, who always depended on the kindness of strangers. Yes, if I saw Blanche standing there, I would let her through the door, too. But I would watch where she went and what she did. We all need to learn to be responsible for our choices and our actions.

  • Access control for systems and applications - Systems in any facility, data centers included, need their own security and access controls. So should applications that hold sensitive data. Some applications need access to system resources that an attacker may use. As usual, assign the lowest set of privileges that will allow people to do their jobs. This goes for every item in the list.
  • Access control for data - What must be encrypted? It is common these days to require that any data in transit, whether across a wire or on a portable device, be encrypted. This is a standard that can be enacted easily in enterprise editions of Windows.
  • Access control for remote access - Mobility is a time saver and a productivity increaser, when security controls are in place. It is an open door to attackers when there is no encryption, no VPN, no encrypted channel on a public wireless access point.

The text explains that the recommendations for government installations are not really different, just stricter because of federal, state, and municipal laws requiring adherence to best practices. The text continues on the same theme for several pages, quoting more standards that mean the same thing: identify, protect, and preserve. Do the right thing. There is no IT category that requires no security at all.

On page 83, we are given a set of four terms that explain the key parts of a security framework. These terms are defined differently by different authors, and used differently from business to business. You need to know the equivalent of each term in the environment where you work, especially if you are responsible for creating something at any of these levels.

  • Policy - specific requirements or rules for a set of resources in an organization
  • Standard - a set of rules to be followed for the operation of a specific task or system
  • Guideline - suggestions and proposed best practices to be used in meeting a standard or policy
  • Procedure - specific steps to be followed for a specific task that will lead to an acceptable result, in compliance with the items above

Guidelines are optional, but the other three components go from general rules at the top of the list to specific operational steps that must be followed at the bottom.

Assignments for Chapter 3

  1. Questions 20 - 30 from Review for Test 1
  2. Hands-on projects assigned in class