by John D. Johnson
Everyone has an opinion on good security and, for a nickel more, will tell you more than you want to know about bad security. What they all agree on is that security expenditures should be kept as small as possible, forgetting the adage "you get what you pay for".
There are wide differences between perception, reality and just getting the job done. To most people, security is either an obstacle to doing their jobs or nothing to worry about at all. The reality is usually somewhere in the middle, and it is certainly never nothing to worry about. That is, unless you want Alfred E. Neuman of Mad Magazine fame as your security director, with his famous "What, me worry?" Getting the job done is at the heart of the effort. A small group of people assigned to security work cannot do everything in any organization. Within small organizations, relying on one person for several tasks becomes a problem when that person takes a vacation or is out sick: depending on the duration, their tasks either go undone or are covered by someone else on a temporary basis.
Security functions normally cannot be put on hold if the goal is truly to protect company assets: information, people, equipment and property. The perception that security is always working requires the reality that security resources function properly at all times, and no organization achieves that; absolute security is an illusion that helps management sleep better at night. Getting the job done in the security field means implementing enough measures to reduce the potential risks to an acceptable level. Any threat should find it uneconomical to expend its resources to penetrate or circumvent an organization's defenses. Just as data on a computer network follows the path of least resistance to its destination, most threats follow the path of least resistance in trying to compromise an organization's data.
You must establish policies that develop the type of secure environment you want to operate in. Some areas to consider in that effort are the auditing and analysis of network logs, social engineering against your employees, and the rise of cyber crime and the need for procedures that support computer forensics.
Auditing and Analysis of Network Logs
Many people initially have a negative perception of audits in general and security-related audits in particular. Auditing security-relevant events is important for ensuring that access to information on networks follows the established security policy that firewalls and other protection devices enforce. Ensuring compliance with access controls on systems connected to the network is an important aspect of protecting it. How do you know your network access controls are working unless an independent audit or assessment is done?
Auditing serves two basic security functions. First, it monitors the network for compliance with the procedures established in your company security policy. Second, it allows you to reconstruct an audit trail to determine the location or source of security-related events.
For companies doing business worldwide or around the corner, information is a key economic resource with technology providing faster product development and extensive communications. Protection of a company's information and the technology to utilize that information to achieve business objectives is a vital function in today's environment.
Typical auditing of security-related events on a network includes successful and unsuccessful logons; logouts (including a user being logged out of the network for some reason); remote system accesses; file openings, closures, renamings and deletions; changes in network access privileges; and changes in security attributes. Each event record should include the type or name of the event, the date and time of occurrence, the user account and source involved, whether the action succeeded, and any program or file names involved. Audit management should develop and implement procedures for conducting the audit, select the events to audit, review audit trails daily, maintain and safeguard audit data, and review audit parameters periodically. Always remember that audit trails themselves require protection: an intruder who can edit or delete the log erases the evidence of the intrusion.
Auditing system logs requires a predictable, repetitive review of complex and enormous volumes of data. This is best performed by an automated process designed to quickly flag anomalies against a predetermined set of criteria. Human review is best reserved for the questions that require decisions based on incomplete or uncertain information, a task at which people excel. Ensuring that the automated processes analyzing these huge volumes of data are protected from corruption by an intruder or a system malfunction is vital if you are going to rely on them.
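As an added example (not code from the original article), the following Python script shows the kind of automated first pass described above: it reads a constructed audit trail in a hypothetical format carrying the fields listed earlier (event name, date and time, user, source, result, object) and flags bursts of failed logons, a success that follows such a burst, off-hours logons, and privilege or log-deletion events, leaving the judgement on each finding to the human reviewer. The thresholds, event names, hosts, users and log format are assumptions made for the example.

```python
"""Automated first-pass review of an audit trail.

Added example, not from the original article. The record format and the
sample log are constructed for this example; real servers write their own
formats, but the fields are the ones the article lists: event name, date and
time, user, source, whether the action succeeded, and the object involved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (hypothetical hosts, users and paths).
SAMPLE_LOG = """\
2000-06-12T08:55:10 LOGON user=alice src=10.1.2.5 result=OK
2000-06-12T09:01:44 FILE_OPEN user=alice src=10.1.2.5 obj=/data/q2.xls result=OK
2000-06-12T22:14:01 LOGON user=bob src=203.0.113.9 result=FAIL
2000-06-12T22:14:03 LOGON user=bob src=203.0.113.9 result=FAIL
2000-06-12T22:14:06 LOGON user=bob src=203.0.113.9 result=FAIL
2000-06-12T22:14:09 LOGON user=bob src=203.0.113.9 result=FAIL
2000-06-12T22:14:12 LOGON user=bob src=203.0.113.9 result=FAIL
2000-06-12T22:14:20 LOGON user=bob src=203.0.113.9 result=OK
2000-06-12T22:16:02 PRIV_CHANGE user=bob src=203.0.113.9 obj=group:admins result=OK
2000-06-12T22:17:30 FILE_DELETE user=bob src=203.0.113.9 obj=/var/log/audit.1 result=OK
2000-06-12T23:40:00 LOGON user=carol src=10.1.2.77 result=OK
"""

FAIL_THRESHOLD = 5                # failed logons from one source within WINDOW
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 20)     # 07:00 to 19:59 is treated as normal
SENSITIVE_EVENTS = {"PRIV_CHANGE", "FILE_DELETE"}   # always get a human look


def parse(line):
    """Split one record into a dict with a datetime, the event and key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyze(text):
    """Return (timestamp, rule, detail) findings for a human to review."""
    findings = []
    failures = defaultdict(list)   # source host -> timestamps of recent failed logons
    for rec in (parse(line) for line in text.splitlines() if line.strip()):
        if rec["event"] == "LOGON":
            src = rec["src"]
            if rec["result"] == "FAIL":
                # keep only failures inside the sliding window, then count this one
                failures[src] = [t for t in failures[src] if rec["ts"] - t <= WINDOW]
                failures[src].append(rec["ts"])
                if len(failures[src]) == FAIL_THRESHOLD:   # fires once per burst
                    findings.append((rec["ts"], "brute-force",
                                     f"{FAIL_THRESHOLD} failed logons from {src}"))
            else:
                # a success right after a burst of failures is the classic guessed password
                if len(failures[src]) >= FAIL_THRESHOLD:
                    findings.append((rec["ts"], "success-after-failures",
                                     f"{rec['user']} from {src}"))
                failures[src].clear()
                if rec["ts"].hour not in BUSINESS_HOURS:
                    findings.append((rec["ts"], "off-hours-logon",
                                     f"{rec['user']} from {src}"))
        if rec["event"] in SENSITIVE_EVENTS:
            findings.append((rec["ts"], "sensitive-event",
                             f"{rec['event']} {rec.get('obj', '')} by {rec['user']}"))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:24} {detail}")
```

Run against the sample trail, the script produces six findings: the burst of failed logons for bob, the successful logon that follows it, that logon being outside business hours, the addition of bob to an administrative group, the deletion of an audit file, and carol's off-hours logon. Whether bob is an intruder with a guessed password or a tired administrator is exactly the incomplete-information question the reviewer, not the script, should settle.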
Corporate security policy should require that network servers allow authorized personnel to audit any action that could potentially cause access to, generation of, or release of sensitive or proprietary information.
An audit to reconstruct security-related events should have specific goals in reviewing how users perform daily activities in compliance with security policies. These may include:
In reconstructing security-related events through audit trails, the purpose is simply to detect, deter and reveal any attempt, internal or external, to circumvent network protection mechanisms or network audit monitoring. Audit trails need to be transparent to network users, to support all audit applications, to be complete and accurate in reconstructing network events, and to be protected against file manipulation by unauthorized users or intruders.
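One way to make an audit trail protected against file manipulation in the sense above is to make any tampering detectable, as in this added example (not from the original article): each record carries a keyed hash bound to the previous record's hash, with the key held by the auditing function rather than by the system administrators. The key, record format and records are assumptions for the example; the point is that an edit, deletion or reordering anywhere in the file breaks the chain, and that a separately stored checkpoint is needed to catch records silently dropped from the end.

```python
"""Tamper-evident audit trail using a keyed hash chain.

Added example, not from the original article. Each record's tag is an HMAC
over the record text and the previous record's tag, so editing, deleting or
reordering any record invalidates every tag after it. The key must be held by
the auditing function (the article's separate department), not by the
administrators who operate the server being audited. The records below are
constructed for the example.
"""
import hashlib
import hmac

SEED = b"\x00" * 32   # fixed starting value for the first record's tag


def _tag(key, prev, record):
    return hmac.new(key, prev + record.encode(), hashlib.sha256).digest()


def chain(records, key):
    """Return [(record, hex_tag), ...] with each tag bound to its predecessor."""
    prev = SEED
    out = []
    for record in records:
        tag = _tag(key, prev, record)
        out.append((record, tag.hex()))
        prev = tag
    return out


def verify(chained, key, checkpoint=None):
    """Return -1 if the trail is intact, else the index of the first record that fails.

    A chain alone cannot detect truncation (records dropped from the end), so the
    auditor periodically stores the latest tag off-host; pass it as `checkpoint`
    and a trail that no longer ends at that tag fails at index len(chained).
    """
    prev = SEED
    for i, (record, hex_tag) in enumerate(chained):
        expected = _tag(key, prev, record)
        if not hmac.compare_digest(expected.hex(), hex_tag):
            return i
        prev = expected
    if checkpoint is not None and not hmac.compare_digest(prev.hex(), checkpoint):
        return len(chained)
    return -1


if __name__ == "__main__":
    key = b"held-by-the-auditors-not-the-admins"   # hypothetical key
    records = [  # constructed sample records
        "2000-06-12T22:14:20 LOGON user=bob src=203.0.113.9 result=OK",
        "2000-06-12T22:16:02 PRIV_CHANGE user=bob obj=group:admins result=OK",
        "2000-06-12T22:17:30 FILE_DELETE user=bob obj=/var/log/audit.1 result=OK",
        "2000-06-12T23:40:00 LOGON user=carol src=10.1.2.77 result=OK",
    ]
    trail = chain(records, key)
    checkpoint = trail[-1][1]          # the auditor keeps this copy elsewhere
    print("intact:", verify(trail, key, checkpoint))                   # -1
    edited = trail[:]
    edited[1] = (edited[1][0].replace("bob", "alice"), edited[1][1])
    print("record 1 edited:", verify(edited, key, checkpoint))         # 1
    print("last record dropped, no checkpoint:", verify(trail[:-1], key))   # -1
    print("last record dropped, checkpoint:", verify(trail[:-1], key, checkpoint))  # 3
```

The chain does not stop an intruder with write access to the log from altering it; it guarantees that the alteration shows up when the auditors run the check, which is the property the audit function actually needs. Note the truncation case in the demo: without the off-host checkpoint, deleting the most recent records (the ones that record the intrusion) passes verification.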
Auditing personnel should be from a different department than those responsible for maintaining systems. This not only avoids a conflict of interest but also ensures reliable reporting and analysis of shortcomings in protective mechanisms. No matter how limited resources are, the personnel responsible for keeping systems functioning should never be tasked with conducting the reviews that point out failures in those systems. Would you accept a quality-control inspection of the work done on your car if it were conducted by the same mechanics who did the work? Yet many organizations hand the job of auditing and reviewing system logs for discrepancies to the same IT department that maintains those systems.
Managers must understand that the purpose of monitoring audit logs is to detect changes and review services in order to find unusual activity. Users should have access only to the services and resources needed to do their jobs. User assignments change, and so should their access to services and resources: access to resources no longer needed should be removed. Many intrusions come from the inside, but servers connected to the outside world deserve the same discipline; wherever possible they should serve read-only content and be hardened. An external intruder who finds no path to write or execute changes to network directories and files is denied a foothold in the network. Findings of security audits should be presented in a risk-based approach so that threats, vulnerabilities and risks are understood by management and acted upon.
Employees can assist the auditing process by reporting to company IT personnel, security office staff or their supervisor any unexplained system damage, missing files, wrong last-logon times, changed passwords, phantom or unexplained logons, or unexplained changes in file protections. They should also report system anomalies such as mysterious system load, missing listings, software unexpectedly added or removed, accounting imbalances in financial data, or unexplained batch jobs.
Whether conducted daily, weekly or once in a blue moon, what does your audit report reveal? When was the last time one was conducted? Was one ever conducted? Now, not after your information systems or network have been exploited and damaged, is the time to find out.
Unless you have established effective auditing procedures with automated analysis tools, and defense in depth with network protection devices and procedures, you may not find malicious internal or external activity until your business discovers either substantial financial losses or a tremendous loss of proprietary information from the data maintained on your networks. Relying on system administrators to stumble on unusual activity while auditing network logs is like expecting the police to catch a criminal in your house by reading the weekly burglary reports in your community newspaper more than a week after the event.
Social Engineering in the Cyber World
Deceptive attacks known as "social engineering" are used to obtain information or access, or to cause actions, for malicious purposes. Employees need to know never to share passwords with anyone, especially callers claiming to be from the IT department who ask for them; a legitimate IT department has no need for a user's password. These attempts, by telephone, face-to-face, e-mail or even a pop-up message window in an application, aim to get people to divulge sensitive information without realizing it. This is a common threat, and security awareness training of your employees is the main defense against it.
Cyber Crime and the Need for Computer Forensics
Along with the growth of Internet use and increasing business reliance on information technology is a parallel rise in criminal activity that takes advantage of the basic openness of computer systems.
Theft of credit card and personal data, compromise of banking and financial transactions, cyber stalking, fraud, child pornography, sexual harassment, and privacy and copyright violations are just some of the criminal activities found in cyberspace. Criminals seem to take advantage of new technology faster than law enforcement or new legislation can keep up. An example is the lack of applicable laws in the Philippines to prosecute the people involved in releasing the "I Love You" virus. However, investigative techniques and international cooperation are improving; after all, the suspects behind the "Love Bug" were identified in less than a week. Just as a conventional crime scene requires forensic work, computer forensics is growing to support this investigative activity. Procedures need to be disseminated to ensure employees follow steps that protect this type of evidence rather than destroy it, for example by leaving a suspect system as it was found and notifying security staff instead of rebooting or cleaning up on their own.
Keeping your organizational assets and employees safe from criminal threats keeps everyone focused on business objectives. The distraction caused by employees worrying that cyber crime will jeopardize their work is a real consideration for your security planning. Users who understand that management is using every reasonable means to secure the network and protect them will have far less cause for such concern.
Final Thoughts, Alfred
Relying on only one or two security features to protect your network simply creates a security illusion. Employing a full range of security options will reduce the risks to your business and vital assets without overspending your operating budget, if planned correctly. As with anything else in business, an effective security program requires innovation and a solid foundation to build on. If you insist on a security plan tied to a smaller budget than the protection level you require, then hire Alfred E. Neuman and don't worry about security, since he doesn't.
John D. Johnson is currently a senior security analyst supporting NASA Headquarters in Washington D.C. and a former Special Security Officer for the U.S. Government. His ten years in security management, including eight in network security, involved protection of classified and unclassified systems and information, personnel screening for sensitive positions, development of policies and procedures, oversight of network physical security and communications security, budget management for security operations, and conducting security awareness training.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.