Establishing and Maintaining a Security Policy - Computer Security - Computer Security Basics, 2nd Edition (2011)

Part II. Computer Security

Chapter 5. Establishing and Maintaining a Security Policy

Secure system planning and administration is the human side of computer security. Even in a highly trusted system, security isn’t automatic. Administrators need a written guideline, spelled out beforehand, that clearly outlines what steps to take and what procedures to follow in the pursuit of security. The assault on trusted systems seems relentless these days, as vulnerability after vulnerability has riddled both the Windows and Linux worlds, and perfidy abounds both inside and outside an organization’s walls. If there is safety in the changing world of security, it seems to lie not in what our equipment or software does for us, but in what we do for ourselves. The first step in maintaining security today is to set security policies for our organizations, and then to exercise diligence in promulgating and maintaining them. This effort cuts across all layers. Although the security administrators carry out the security policy in terms of protection, detection, and enforcement, it is the users who must keep the security, and the owners and managers who must authorize and sustain it, and administer the required sanctions against those who violate it.

For example, your organization’s security policy may require regular backups, but it’s the administrator who must actually run the backups. Once administrators train users to copy files to areas that will be protected, managers must deal with noncompliance. Similarly, administrators may tell users to avoid writing down machine-issued passwords and laying them near their keyboards, but management must give the policy teeth.

The most critical area for all layers to come together is likely incident response—what to do once a breach occurs. Decisions about evidence preservation, notifying authorities (and which ones), and what to do next must be hashed out before the fact. These should be codified in writing and distributed to all persons likely to be affected.

The security policy is a living document that must be examined and updated regularly. Training users, administrating passwords, backing up system-critical files, setting up and tuning firewalls and intrusion detection systems, and examining audit logs: these are some of the many ways that a system’s abstract security policy gets translated into real world defenses. This is the role of the security administrator.

Administrative Security

Administrative security falls into three general categories:

Overall security planning and administration

This category includes working with management to set a security policy for your organization, publicizing it and gaining management support for it, performing risk analysis and disaster planning, monitoring employees, training users, answering their questions, and so on.

Day-to-day security administration

This category includes creating accounts and assigning security profiles for users—for example, their initial passwords, their password controls (e.g., how often they must change their passwords), their login controls (e.g., what hours they can log in), making sure there aren’t security holes in your system, and so on.

Day-to-day system administration

This category includes keeping the system running, doing daily backups, trolling for breaches, and testing the condition of hardware and software used to sustain operations in times of stress or attack. This type of system administration is vital to any system. Although these mundane tasks may not seem especially security-relevant, they’re actually vital. Remember that “availability” is a key goal of overall computer security. Day-to-day system administration keeps the system available.

This chapter provides some guidelines for sound administration. Most enterprises today are heterogeneous environments: some legacy functions reside on creaky old mainframes, some business-critical processes run on a fairly modern computing core, and many client/server networks unite a mixture of Windows and Unix users. Wireless implementations accommodate drop-in users and guests, as well as workers who insist on carrying their work to the lunchroom with them. There may even be a layer of mobile devices—PDAs with radios built in—by which a few workers keep in touch with each other during meetings. Each of these systems requires its own series of administrative practices, and each requires administrators to carefully develop security policies regarding its use.

Actually, in some respects, the highest levels of security are the easiest to attain. Most ultra-sensitive systems use an air wall, that is, nothing goes in or out. Each terminal or workstation connects to its own network, and that network goes nowhere else. None of the users’ devices are equipped with floppy drives or removable media. And rogue wireless devices (or in the old days, rogue modems) are usually considered contraband in this environment.

This environment is practical only in a few disciplined organizations. Most organizations connect users to some kind of server or server cluster via a local area network, and the LAN usually connects at some point to the Internet, usually via a firewall. As this arrangement is most common, the bulk of security policies apply to it, although password administration and certain other tenets, such as division of duties and least privilege, certainly apply no matter what server and network configuration is in effect.

Fortunately, the more esoteric the network, the more administrator documentation the vendors supply to describe the security features of their systems. If your organization has government contracts, you may need to observe more stringent security policies established by the government for high-security sites. When your organization gets a security clearance, you’ll find out the details of what you need to do.

It is in the vast bog of PC LANs and wireless networks that most security is made or broken. Because of size, staffing, or budget, some organizations may not have dedicated system administrators charged with security administration. In this case, the burden of security administration is likely to fall on the existing system administrators. If your organization can’t afford full-time system administration, or if you don’t have the appropriate staff to administer a security policy that adequately protects your equipment and information, you should consider hiring a security consultant on a short-term or periodic basis. Such a person can analyze your security risks and needs, help you set up a workable security policy, and conduct periodic security audits. (See the discussion in the later section "Performing a Security Audit.")

Overall Planning and Administration

System administrators once may have found themselves in the uncomfortable position of being the security advocates within their organizations—having to sell security both to users (who may question why they need to use features they may find cumbersome) and to upper management (who may question why it all costs so much money).

It is a different environment today. In the wake of 9/11, several industries found themselves regarded as part of their nations’ critical infrastructure. While it is nice to be wanted, this carries with it the responsibility of confidentiality and availability that meets someone else’s imposed standards, rather than what internal leadership previously considered good enough to get by. In addition, many recent corporate accounting scandals appear to have defrauded millions of people and have led to increased accountability regarding the creation and maintenance of financial data. Finally, and somewhat belatedly, privacy has been raised as an issue, likely because of fear of identity theft, and in some cases fear of discrimination based on personal or health data. This too has led to a raft of new statutes. These regulations go by titles such as PDD-63, HIPAA, GLBA, the Patriot Act, the Sarbanes-Oxley Act, and others. Many of them carry fines, some of them per incident, for security infractions.

In addition, it has been determined that the storage or transmission of certain materials, such as pornography, obscene materials, or materials designed to incite racial hatred or discrimination based on gender, may produce a threatening environment for employees subjected to them. This may be considered a form of job discrimination, and federal and state law enforcement agencies can investigate. Even if no discrimination is proved by the authorities, the party who feels aggrieved may choose to pursue legal action on his own after the official investigation.

Finally, there is the issue of copyrighted material. If software or MP3 music files are downloaded or distributed using company property, it may subject the company to legal action.

With the increasing liability surrounding their computers and networks, management is now much more interested in security. Unfortunately, moving towards a more secure network is often handled on a piecemeal, sporadic basis. A much more regulated approach is usually indicated.

Analyzing Costs and Risks

Computer security is a tradeoff. When you’re considering building, buying, or even using a security product, you have to balance the cost of the product against the risk of doing without it. Most organizations formalize this process and call it a risk analysis. Risk analysis is a procedure used to estimate potential losses that may result from system vulnerabilities and to quantify the damage that may result if certain threats occur. The ultimate goal of risk analysis is to select cost-effective safeguards that reduce risks to an acceptable level. Basically, risk analysis is a way to figure out how important your system is, and how far you’re willing to go—in terms of equipment, people, and budget—to protect it.

Standard risk analysis involves looking at your tangible assets—for example, your buildings, computers, and other equipment—and determining how to protect them. Because your organization’s most valuable asset may be the information processed by your computers, not the computers themselves, you need to take a good look at how best to protect that information as well.

When you’re evaluating your organization’s information asset and considering whether and how to protect it, you’ll have a number of important questions to ask.

What information do you have, and how important is it?

There are many different types of information: national defense information describing military resources and deployment; corporate records showing projected profits, losses, and strategies; personnel records describing health, financial, academic, and employment history. You’ll need to assess how important that information is to your own organization. Information of inestimable value to one organization may have little or no value to another organization.

However, holding information is a two-edged sword. Legal safeguards today make it an expensive offense to release information in your possession. The Health Insurance Portability and Accountability Act protects patient records; the Gramm-Leach-Bliley Act of 1999 protects customer records in the financial industry, and its January 2003 extensions apply to all data in the financial industry. Other specific legislation may apply to other areas, such as the Family Educational Rights and Privacy Act, which applies to educational records.

How vulnerable is the information?

Some information may be very important to you, but may be of little interest to anyone else. The novel you’re writing on your PC may fall into this category. In this case, simple backups may suffice (and hard disk encryption if you write controversial material). Other information may be of great interest, but may be so inaccessible that additional security controls aren’t really justified. (Classified military information that’s stored on a heavily guarded computer with one authorized user and no network connections may fall into this category.)

Everyone needs to worry about physical threats (e.g., fire and power loss) and accidents caused by careless or untrained employees. Beyond these obvious perils, you’ll need to evaluate whether realistic attempts are being made, or could be made, to break into your system, and to assess how likely it is that a break-in will occur in the future. If you’re responsible for national defense information, you’ll have to worry about foreign intelligence. If you’re protecting your business’s data, you’ll be concerned about your competitors, crackers, and insider threats. Remember, too, that threats to information tend to grow as people learn about your system’s vulnerabilities, and as methods of exploiting those vulnerabilities get cheaper and easier.

What is the cost of losing or compromising the information?

There are many different costs and consequences for failure to secure computers and networks effectively. If we’re talking about the loss of vital national defense information, the cost of information loss or leakage might be cataclysmic. If a medical experiment is disrupted, or if patient records are lost or compromised, people might die. If the security of an ATM is breached, a bank might lose a lot of money—and, when the news hits the press, the bank might also suffer a loss of confidence by customers and possibly lawsuits by shareholders.

What about corporate strategy information? Personal health or financial information? Loss or compromise of each has its own risks, costs, and consequences, both tangible and intangible, ranging from the loss of competitive advantage to the risk of losing government benefits to personal embarrassment. Again, legislative action has increased the stakes to system operators, often making data safety the responsibility of the computer system owner. Any lapses in security may be reportable. The California Data Security Act (California SB 1386), for instance, requires disclosure of computer-security breaches in which confidential information of any California resident may have been compromised.

What is the cost of protecting the information?

There are certain basic costs that you must incur. You must back up your data. No matter what security violation occurs—a natural disaster, a user mistake, or a break-in—having a recent backup of your data will allow you to go on.

There are many different types of additional costs. Will you need to buy new equipment? Will the use of a security product slow down response time and performance in a system that must provide quick customer service? Will security controls detract from the user-friendliness of a system that you’re marketing as easy to use?

Here, too, you’ll have to consider the different types of costs within your own organization and to assess the impact of security costs in relation to expected security benefits. One rule of thumb is that the cost of securing information shouldn’t exceed the financial and administrative cost of recovering that information—although certain types of information, such as national defense information, can’t necessarily be quantified in this way. It’s also hard to quantify the damage done by publicity and the loss of public confidence. Dennis Steinauer of the National Institute of Standards and Technology put it this way, “Controls that are more expensive than the value of the information they protect are not cost-effective. Absolute security is achieved only at unlimited cost.”

Based on the answers to these questions, you’ll need to make a determination, balancing your assessment of the value of your information asset against the risks of losing it and the financial and human costs of protecting that information. Then you’ll need to decide what your priorities are, and what types of security—physical, operating system, communications lines, encryption, biometric devices, and so on—best fit your information, your risks, and your budget. Finally, you’ll need to make an educated guess about what to protect and how.
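The cost-versus-risk balance described above is usually worked through with annualized figures. The following is an added example, not code from the book: it applies the usual single-loss-expectancy and annual-rate-of-occurrence arithmetic to a constructed asset and two candidate safeguards, and encodes Steinauer's rule that a control costing more than the loss it prevents is not cost-effective. Every threat, probability and price below is an assumption made up for illustration.

```python
"""Added worked example (not from the book): cost/benefit screening of a safeguard.

Uses the standard annualized-loss figures (single loss expectancy, annual rate
of occurrence, annualized loss expectancy). All numbers are constructed.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    single_loss: float        # cost of one occurrence (SLE), in dollars
    annual_rate: float        # expected occurrences per year (ARO)

    def annual_loss(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.single_loss * self.annual_rate


@dataclass
class Safeguard:
    name: str
    annual_cost: float        # purchase amortized over a year, plus operation
    reduction: dict           # threat name -> fraction of that threat's loss removed (0..1)


def annual_loss_without(threats):
    """Total expected yearly loss with no new control in place."""
    return sum(t.annual_loss() for t in threats)


def annual_loss_with(threats, safeguard):
    """Total expected yearly loss once the safeguard reduces the threats it covers."""
    total = 0.0
    for t in threats:
        factor = 1.0 - safeguard.reduction.get(t.name, 0.0)
        total += t.annual_loss() * factor
    return total


def net_benefit(threats, safeguard):
    """Loss avoided per year minus what the safeguard costs per year."""
    avoided = annual_loss_without(threats) - annual_loss_with(threats, safeguard)
    return avoided - safeguard.annual_cost


def is_cost_effective(threats, safeguard):
    """Steinauer's rule: a control dearer than the loss it prevents is not worth buying."""
    return net_benefit(threats, safeguard) > 0


# Constructed sample: a server holding customer records (hypothetical figures).
THREATS = [
    Threat("disk failure without backup", single_loss=40_000, annual_rate=0.5),
    Threat("records breach", single_loss=250_000, annual_rate=0.1),
    Threat("fire", single_loss=100_000, annual_rate=0.02),
]

OFFSITE_BACKUP = Safeguard("off-site encrypted backups", annual_cost=6_000,
                           reduction={"disk failure without backup": 0.95, "fire": 0.6})
ARMED_GUARD = Safeguard("24x7 armed guard", annual_cost=150_000,
                        reduction={"fire": 0.2, "records breach": 0.1})

if __name__ == "__main__":
    print(f"expected loss with no new controls: {annual_loss_without(THREATS):,.0f}/yr")
    for sg in (OFFSITE_BACKUP, ARMED_GUARD):
        verdict = "adopt" if is_cost_effective(THREATS, sg) else "not cost-effective"
        print(f"{sg.name}: net benefit {net_benefit(THREATS, sg):,.0f}/yr -> {verdict}")
```

The reduction fractions are the part of such an analysis that is hardest to justify; in practice they come from vendor data, incident history, or a consultant's estimate, and the result should be re-run whenever those estimates or the asset's value change.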

Who are you going to call?

One issue that requires considerable attention in advance is to whom to report computer incursions. A computer attacker may be wading through your dumpster right now, trying to find old employee directories, in which case the local police or sheriff would be a good start. However, electronic breaking and entry is not always simple to prosecute. The attacker may be in your city or across the globe. Local agencies may not have the expertise or jurisdiction to help you much. A good rule of thumb is to start with higher authorities first. Federal investigators can always refer you to state agencies in your area.

A “don’t cry wolf” policy may be a good thing to apply. If a break-in you experienced has definitely resulted in the release of confidential records, you might want to take steps to preserve any evidence and call the authorities. If you suspect some script kiddie is probing your resources after school is out, you may want to tighten your firewall and hope she just goes away. If your network is violated, some of the new disclosure laws may limit your ability to keep it secret. Review with counsel your rights and obligations before any incursions occur. Then put the steps for your plan into the security policy, and distribute it to all personnel likely to be affected.

Of course, there is an obvious reason to state the course of action to be taken in advance in writing. It helps preclude an executive from committing a crime and then ordering the staff to avoid documenting or investigating it. For further information, see Chapter 25 of Practical Unix and Internet Security (Garfinkel et al., O’Reilly).

Planning for Disaster

One of the most important things you can do to protect your organization from disaster is to plan for that disaster. A disaster recovery plan is a plan for keeping your computer equipment and information available in case of an emergency. Disaster planning may spell the difference between a problem and a (possibly business-threatening) catastrophe.

Your organization’s disaster recovery plan will involve such activities as backing up data for storage at remote secure facilities and arranging for the use of other computer facilities or equipment in case of an emergency. Such arrangements may be informal (for example, you might make a reciprocal agreement with another department or organization to use each others’ equipment if a disaster occurs), or they may be formal (for example, you might prepare a separate emergency site or contract with an organization that handles disaster preparedness).

Emergency sites are usually characterized as cold, warm, or hot. Cold sites are emergency facilities containing air conditioning and cabling, but no computers. You can hustle up some servers and desktops, move other replacement equipment into this site, and continue processing. Hot sites are emergency facilities containing computers, backup data—the works! Warm sites, a hybrid, are sites in which computers and equipment are preinstalled, but not programs or backup data. With increasing awareness of the frailty of the interconnected power grid, more companies are incorporating an additional requirement into their backup sites—geographic distance. It is no good having the backup site and the main site both fail due to the same calamity.

In addition to protecting your organization’s equipment and information, a disaster recovery plan may greatly increase public confidence—as well as the confidence of your employees and managers—in your ability to safeguard data and continue to provide service.

Remember that backups are the key to disaster planning. If a disaster occurs and you’ve backed up your system, you’ll be able to recover eventually. See the discussion in the section "Performing Backups" later in this chapter.

Chapter 9 discusses some of the natural disasters that face your organization and describes what you can do to reduce your risks.

Setting Security Rules for Employees

Some aspects of security are simply good management. Be sensible about who you hire, what computer resources you let them use, and what you do when they leave your organization. See the sidebar "Hints for Employee Security Management" for the most basic rules.

HINTS FOR EMPLOYEE SECURITY MANAGEMENT

§ Make sure the system administration staff is well-trained and that your organization has a policy for handling turnover and training new people. Inexperienced system administrators are a major threat to security.

§ Monitor your employees’ security practices. If your employees are careless about logging off when they leave their desk, if they fail to do backups, or if they’re not diligent about protecting their passwords, remind them of the importance of these activities!

§ Put your organization’s security policy in writing. Be sure that all levels of management agree with it and that employees understand it and agree to abide by it.

§ Check out your employees before they’re hired or given security-related work. Different organizations believe in different levels of checking. Some might simply check references. Others might do personal background checks, administer lie detector and drug tests, and insist on written contracts and agreements of various kinds. Online subscription services can perform cursory versions of these checks for a nominal fee. Make sure that you understand local right-to-work and equal opportunity laws before you exclude someone from employment based on a background check. One class of employee deserves very close attention—those who have power to disable security mechanisms and perform maintenance around them. Enforce vacation policies and try to rotate certain types of assignments. Many security attacks take a long time to complete (e.g., slicing tiny amounts daily off bank balances) or involve daily monitoring. Shaking up staff assignments periodically may uncover such long-term attacks.

§ Limit the access that users have to equipment and information. If someone doesn’t need access to a particular network or server, or a certain set of files, don’t grant access automatically. Also, lock server rooms and telecommunications closets. If someone from outside your organization must enter a locked space to do maintenance, see that they are accompanied by a trusted employee.

When an employee leaves your organization, be sure to review with the employee his continuing obligation to keep company information confidential:

§ Revoke all of that employee’s authorizations immediately; get back keys, smart cards, tokens, badges, and the like. Consider changing the locks to the facility and/or computer room.

§ Delete or deactivate the employee’s account and password from all systems and networks. Some operating systems specify that user profiles can be renamed to replacement employees rather than creating a new security profile from scratch.

§ Save the employee’s files in case they’re needed for proof if you discover wrongdoing.

Training Users

No matter how diligent and careful a system administrator you are, never underestimate the ability of your users to undermine your efforts. In polite language, this is called “the human factor,” and it has grown exponentially since the PC became commonplace. The users in your organization have to take some responsibility for security. Teach your users how to use the hardware and software, be sure they understand your organization’s security policy, and impress upon them the importance of observing good security practices. (See the sidebar "Hints for Safe Computing" for some very basic guidelines for individual user security.) Most important, be sure they know how to recognize security problems and what to do if they occur. Remember, improperly trained users are more of a peril to system security than attackers.

HINTS FOR SAFE COMPUTING

Security features and trusted systems do a lot to make your computer environment a secure one. But in most systems, the final word on security is your own. Here’s a collection of general hints for protecting your computer and your data. Other chapters contain additional hints in specific areas.

§ Obey your site’s security policy. Follow the rules, make sure your work habits are secure, and don’t try to bypass security. Taking a few extra minutes to protect your login, your password, and your data is a pretty good bargain compared with trying to reconstruct your work and deal with the consequences if PCs or files are stolen, lost, or damaged.

§ Never leave your computer, workstation, or terminal unattended. If you’re going out to lunch, log out first. The easiest way for someone to crack a system is simply to use your account.

§ Sanitize the hard drives on old computers before you discard them. Be sure to delete all data by overwriting what’s there. Don’t just reinitialize your tapes or disks. That typically rewrites only the header. Be aware that skilled computer forensics professionals can recover data that has been overwritten several times.

§ Don’t eat or drink near your computer or any computer media. A soda spilled into the ventilation holes of your PC can cause a tremendous amount of damage. And even after all these years, the CD drive is still not a cupholder.

§ Be careful not to damage your disks and other media. For example, don’t write directly on their labels with a ballpoint pen. Remember that the surfaces of recordable CDs and DVDs must remain scratch free. The label may actually be a protective covering for a mirror surface behind.

§ Use any security controls and products available to you. These may include locks, security boards, and software packages and features.

§ Not all data theft is electronic. Be careful about leaving sensitive documents within easy reach.

§ Most manufacturers now recommend that you use physical security, such as a firewall and possibly an intrusion detection system for your network, as well as software security, such as antivirus software and a personal firewall.

Day-to-Day Administration

Day-to-day system administration encompasses many activities, but most focus on keeping your computers and networks running smoothly by maintaining equipment, making sure there’s sufficient space on the system disks, and protecting the system and its software from damage. Examples include making sure users can’t modify system software; checking each new release of a vendor’s software, especially fixes to security problems, to be sure such problems have really been fixed; and insisting that users or system administrators promptly patch any security holes or other bugs that are discovered.

It is essential to monitor various groups and news wires, as well as official sites of your vendors, so that you are aware of potential problems. Unfortunately, there are still instances where a patch to one problem breaks something else, especially in cross-vendor situations. The most affluent of organizations maintain test networks in which checks are made to make sure the cure is not worse than the disease prior to pushing out software updates. If you would prefer to get a holiday bonus rather than get more problems to worry about, stay tuned to security web sites for news of troubles with bug fixes and patches.

Performing Backups

Backups of your system and all the data stored on your system are absolutely essential if you expect to be able to recover from a disaster. What kind of disaster? It might be a natural disaster, such as a fire or a flood. It might be a crime, such as a system intruder’s meddling, vandalism of your computer room, or theft of a computer or a disk. It might be a hardware or software failure or a user error (e.g., deleting the latest version of a document or the latest release of some development software). Whatever the cause, and whatever the extent of the damage, you will be able to recover eventually if you have recent backups of all your system data.

In a PC environment, many system administrators discover that critical documents on a user’s machine often disappear when a disk fails. They can help protect against this by providing personal folders in common space on a server. Users are responsible for the contents of their own hard disks. Failure to have these files in a public storage area is not an excuse at your performance review, when a PC failure necessitates rework.

There are many backup systems; whichever you use, run it regularly. Many organizations have well-defined rules about performing backups; if you don’t follow the rules, you’ll lose your job. Many other organizations have much looser policies, and the scheduling and extent of backups are far more discretionary. In these cases, it’s really up to you. You’ll find some general guidelines in the "Hints for Backups" sidebar.

HINTS FOR BACKUPS

Remember that your backups are the key to recovering your system in case of a disaster. Back up all of your files, and follow these rules:

§ Encrypt your backups if they contain sensitive data.

§ Keep extra backups off-site in a locked, fireproof location. You don’t want a fire, lightning, or some other disaster to wipe out your system and your backups at the same time. Usually third-party couriers can provide this service.

§ Secure your backup tapes or disks in locked areas with a sign-out sheet. Don’t leave them on a desk for someone to steal or mistakenly use.

§ Verify your backups. Check periodically to make sure they’ve been produced correctly and haven’t been damaged in any way. Many consultants tell horror stories about systems that owners thought were backed up that were not, either because backup tapes were faulty or were not being properly rotated.

§ Sanitize your backups before discarding them. Be sure to delete all data by overwriting what’s there; don’t just reinitialize your tapes or disks. (That typically rewrites only the header.) The process of overwriting and deleting may need to be repeated several times to make the backup completely secure. In some cases, bulk degaussing may be required.

§ If you’re throwing backups away, destroy the media first (by burning, crushing, or shredding). Commercial service providers can degauss, shred, and disintegrate media, rendering it particle-sized. Locate these services in the Yellow Pages or on the Internet. Of course, make sure to provide for secure transport to the destruction facility.

§ Consider buying an automatic backup program that runs full or incremental backups (without your intervention) every night. There are also services available to encrypt and back up your data over a phone line to an “electronic vault.”

What does it mean to perform regular backups? That’s an organizational decision: it depends on the number of users in your system, the volume of work, and many other variables. Many organizations perform a full backup (of every file in the system) every night. Others may do a full backup only once a month, or more commonly, once a week, but they do an incremental backup (of everything that’s changed since the last full backup) every day. The best rule of thumb is to back up frequently enough that you can afford to recreate the work that may be lost since the last backup.
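The full-plus-incremental scheme just described, together with the sidebar's advice to verify backups, is shown in the following added example. It is not the book's code: files live in memory, "incremental" means exactly what the chapter says (everything changed since the last full backup, copied whole), and the damaged-media helper simulates a faulty tape so that the verification step has something to catch.

```python
"""Added example, not the book's own code: full and incremental backups with
verification, over files constructed in memory.

"Incremental" follows the chapter's definition (everything changed since the
last FULL backup) and stores whole files; real tools usually store deltas.
"""
import copy
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 of a file's content; used both to detect change and to verify media."""
    return hashlib.sha256(data).hexdigest()


class Backup:
    def __init__(self, kind, files, base=None, deleted=()):
        self.kind = kind                  # "full" or "incremental"
        self.files = dict(files)          # path -> bytes as written to the media
        self.base = base                  # the full backup an incremental depends on
        self.deleted = set(deleted)       # paths removed since the full backup
        self.manifest = {p: digest(d) for p, d in self.files.items()}

    def verify(self):
        """Re-hash what is on the media and compare with the manifest taken at backup time."""
        return all(digest(self.files[p]) == h for p, h in self.manifest.items())


def full_backup(tree):
    """Copy every file."""
    return Backup("full", tree)


def incremental_backup(tree, last_full):
    """Copy only files that are new or differ from the last full backup; record deletions."""
    changed = {p: d for p, d in tree.items()
               if last_full.manifest.get(p) != digest(d)}
    deleted = set(last_full.files) - set(tree)
    return Backup("incremental", changed, base=last_full, deleted=deleted)


def restore(backup):
    """Rebuild the file tree: the full backup alone, or the full with the incremental applied."""
    if backup.kind == "full":
        return dict(backup.files)
    tree = restore(backup.base)
    for p in backup.deleted:
        tree.pop(p, None)
    tree.update(backup.files)
    return tree


def damaged_copy(backup, path):
    """Simulate a faulty tape: one stored file reads back as zeroes. This is what verify() catches."""
    bad = copy.deepcopy(backup)
    bad.files[path] = b"\x00" * len(bad.files[path])
    return bad


# Constructed sample: Monday's full backup, then Tuesday's incremental.
MONDAY = {"docs/plan.txt": b"plan v1",
          "src/main.c": b"int main(void){return 0;}",
          "notes.txt": b"todo"}
TUESDAY = {"docs/plan.txt": b"plan v2",
           "src/main.c": b"int main(void){return 0;}",
           "src/util.c": b"/* new */"}

FULL = full_backup(MONDAY)
INCR = incremental_backup(TUESDAY, FULL)

if __name__ == "__main__":
    print("incremental holds:", sorted(INCR.files), "deleted:", sorted(INCR.deleted))
    print("restore matches Tuesday:", restore(INCR) == TUESDAY)
    print("verify good media:", INCR.verify(),
          "| verify damaged media:", damaged_copy(INCR, "src/util.c").verify())
```

Because an incremental is useless without the full backup it depends on, both must be kept (and verified) together; a rotation scheme that overwrites the full before the incrementals built on it have expired is one of the "horror stories" the sidebar warns about.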

Like most security practices, however, backups have a cost associated with them. In this case, it is usually network bandwidth and server capability. You’ll need to schedule backups in less desirable parts of the day, so that they will inconvenience the fewest users. If your organization operates 24/7, it may be necessary to host redundant systems, so that one can be backed up while the other is live. Fortunately, improvements in fault tolerance, using technical means to limit any single points of failure, and clustering technology, which entails running several computers in parallel to spread the load and provide redundancy, make this economically feasible. It is not necessary for the redundant system to sit idle when it is not being used; it can share the load of normal processing as well.

Hardware and Software Security Tools

Fortunately, today there’s a good variety of hardware and software tools designed to prevent network incursion. As I mentioned previously, one of the most important is the firewall. A firewall inspects the traffic that passes through it and can take action against hosts that appear to be abusing or attacking the network. In the simplest case, the firewall examines the source Internet Protocol (IP) address of each packet; if the address is not on an allow list, or is found on a deny list, the firewall drops the packet, and usually any that follow from the same unauthorized address.

A firewall can also filter on the ports used by a communications session. Services listen on well-known ports (web servers on TCP port 80 or 443, SSH on port 22, and so on), and the combination of address and port is what lets many different conversations share a single IP address. Traffic arriving on a port that no service is supposed to be using may therefore indicate that an attack, or an unauthorized service, is present. A firewall can drop packets to and from any port it has not been told to allow; the safest policy is to deny everything by default and allow only the ports the organization actually needs.
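The address and port filtering described above, as an added example (not code from the book): a toy packet filter that walks an ordered rule list, first match wins, with default deny, plus a small stateful extension that keeps dropping a source once it has been dropped. The rules, the hosts and the addresses (RFC 5737 documentation ranges) are constructed for this example; a real host would express the same policy in nftables, iptables or pf.

```shell
#!/bin/sh
# Added example, not from the book: a toy packet filter showing how an ordered
# rule list with a default-deny policy behaves. Rules, hosts and addresses
# (RFC 5737 documentation ranges) are constructed for this example.
set -eu

# Ordered rules: ACTION SOURCE-PATTERN DEST-PORT-PATTERN, as shell glob patterns.
# First match wins, so the deny-list entry for the hostile range sits above the
# broad allow-list entries; put it last and it would never fire for port 443.
RULES='
drop   203.0.113.*  *
accept 10.0.0.*     22
accept *            443
accept *            80
'

# filter_packet SRC_IP DEST_PORT -> prints "accept" or "drop"
filter_packet() {
    verdict=drop                      # default deny: no rule matched
    while read -r action srcpat portpat; do
        [ -n "$action" ] || continue  # skip blank lines
        case "$1" in $srcpat) ;; *) continue ;; esac
        case "$2" in $portpat) ;; *) continue ;; esac
        verdict=$action
        break
    done <<EOF
$RULES
EOF
    echo "$verdict"
}

# Stateful extension: once a source has had a packet dropped, every later
# packet from it is dropped too ("and usually any that follow").
BLOCKLIST=$(mktemp)
reset_blocklist() { : > "$BLOCKLIST"; }

filter_with_memory() {
    if grep -qxF "$1" "$BLOCKLIST"; then
        echo drop
        return 0
    fi
    v=$(filter_packet "$1" "$2")
    if [ "$v" = drop ]; then
        echo "$1" >> "$BLOCKLIST"
    fi
    echo "$v"
}

# Demonstration traffic.
for pkt in "10.0.0.5 22" "10.0.0.5 23" "203.0.113.9 443" "198.51.100.7 443"; do
    set -- $pkt
    echo "$1:$2 -> $(filter_packet "$1" "$2")"
done
reset_blocklist
echo "192.0.2.44:443 -> $(filter_with_memory 192.0.2.44 443)"   # accepted
echo "192.0.2.44:23  -> $(filter_with_memory 192.0.2.44 23)"    # dropped, now remembered
echo "192.0.2.44:443 -> $(filter_with_memory 192.0.2.44 443)"   # dropped by memory
```

The point to take from the rule order is that a deny-list entry only protects you if it is evaluated before the allow-list entries it is meant to override; the same is true of the rule order in any real firewall.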

An intrusion detection system (IDS), on the other hand, listens to network traffic (or watches activity on a host) and takes note of anything unusual. For instance, a user who constantly connects to a little-used disk drive may be storing information there, either for later theft or as a staging area for a future incursion. Intrusion detection systems usually carry large libraries of attack signatures: patterns of traffic, or of the steps attackers have taken in the past, that characterize some attack. If such a pattern appears in a system being monitored, the IDS raises an alert, paging or calling an administrator; a system deployed inline that can also drop the offending traffic is usually called an intrusion prevention system (IPS). Signature matching is only as good as the library, so most systems also flag anomalies, such as an unusual number of failed logins from a single source.
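The two kinds of check just described, as an added example (not code from the book): a signature match over web-server log lines and a threshold rule over sshd log lines. The log lines, hosts, addresses and requests are constructed for the demonstration and do not come from any real system.

```shell
#!/bin/sh
# Added example, not from the book: two IDS-style checks run over constructed
# log lines. The hosts, addresses and requests are made up for the demo.
set -eu

# Constructed sshd log: one source hammering the login, one legitimate user.
SAMPLE_AUTH='Jan 10 03:14:01 host sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 03:14:03 host sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 10 03:14:05 host sshd[815]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jan 10 03:14:08 host sshd[817]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Jan 10 03:14:09 host sshd[819]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Jan 10 08:02:11 host sshd[901]: Failed password for alice from 198.51.100.2 port 40111 ssh2
Jan 10 08:02:20 host sshd[901]: Accepted password for alice from 198.51.100.2 port 40111 ssh2'

# Constructed web server log: two ordinary requests and two hostile ones.
SAMPLE_WEB='192.0.2.10 - - [10/Jan/2011:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2011:09:00:05 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [10/Jan/2011:09:00:06 +0000] "GET /login.php?user=admin%27%20OR%201=1-- HTTP/1.1" 200 220
192.0.2.10 - - [10/Jan/2011:09:00:07 +0000] "GET /about.html HTTP/1.1" 200 300'

# Signature library. Each alternative is one known-bad pattern: directory
# traversal, a URL-encoded SQL tautology, and an embedded null byte.
SIGNATURES='\.\./\.\./|%27%20OR%20|%00'

# Print every input line that matches a signature (reads stdin).
match_signatures() {
    grep -E "$SIGNATURES" || true      # "no matches" is not an error here
}

# Threshold (anomaly) check: print each source address with at least $1
# failed password attempts in the input (reads stdin).
brute_force_sources() {
    grep 'Failed password' \
      | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$1" '$1 >= t { print $2 }'
}

# Run both checks over the sample data.
echo "signature hits:"
printf '%s\n' "$SAMPLE_WEB" | match_signatures
echo "sources with 3 or more failed logins:"
printf '%s\n' "$SAMPLE_AUTH" | brute_force_sources 3
```

Note that the signature check would miss the same traversal written without the `../` sequences (for example with `%2e%2e%2f`), which is exactly why the threshold check exists alongside it: the signature library catches what it knows, and the anomaly rule catches volume.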

A honeypot is a decoy; a honeynet is an entire network of such decoys. It is usually placed in an exposed portion of the network as a lure to attackers. While unauthorized users are exploring the honeypot, their movements are recorded. Because no legitimate user has any reason to touch it, any traffic to a honeypot is suspect, and what is captured there helps further develop the library of attack signatures.

Penetration testing, or pentesting, is a planned series of attacks that administrators carry out, or have carried out, against their own network. Automated vulnerability scanners do part of the work, but a real pentest also involves a person trying to chain the findings into an actual compromise. The purpose is to locate overlooked vulnerabilities; these are then fixed, and the test repeated to confirm the fix. Pentesting may be performed by network personnel or by outsiders contracted for the purpose; in either case the scope and the authorization should be agreed in writing beforehand.

Performing a Security Audit

It’s a good idea to check on the security of your system by performing periodic security audits. A security audit is a search through your system for security problems and vulnerabilities.

Check your system files and any system logs or audit reports your system produces for dangerous situations or clues to suspicious activity. These might include:

Accounts without passwords

They might have come with the system, or they might have been set up for guests or demos. Anyone can log in using such accounts.

Accounts with easily guessed passwords

These might include passwords selected by users or passwords associated with administrator or guest accounts. In addition, most attackers are well aware of the passwords and usernames that come with equipment from the factory. Change these immediately.

Group accounts

Long lists of privileges for individual accounts sometimes create confusion. Group management of accounts can simplify security administration by allowing precise, predetermined sets of privileges to be assigned to groups such as accountants, HR, engineering, and so on, in accordance with the organization’s security policy. Groups should carry privileges, not credentials: a single login shared by several people destroys accountability, because the audit trail can no longer say who did what.

Dormant accounts

These include accounts of users who have left your organization, have gone on vacation, or have moved to a different group or system.

New accounts

Be sure these are accounts you have assigned and not accounts that an intruder has created.

Default accounts

Many operating systems create “Everybody” or “Guest” or even “Administrator” accounts automatically. In some cases, these accounts are disabled, but an attacker may be able to make them live, or use them as a foothold to deeper penetrations. For this reason, some administrators delete them or provide more subtly labeled replacements.

Recent changes in file protection

An intruder may have given special privileges to certain programs or may have made system files accessible to ordinary users. Individual users may have carelessly made their files accessible to everyone in the system. Monitor logs for privilege escalation to make sure attackers aren’t gradually trying to obtain administrative ability.

Suspicious user activity

Basically, this means that a user (or someone using that user’s account) is acting in an unexpected way—for example, someone logs in from a number of different terminals, logs in at odd times of the day or the week, runs protected system programs, transmits or dials out an unusual amount, uses new networks, etc.
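Several of the checklist items above can be scripted, and this added example (not code from the book) does so for accounts without passwords, intruder-created UID-0 accounts, dormant accounts, and world-writable or set-UID files. It runs against constructed passwd/shadow/last-login records and a temporary directory; the account names, hashes and timestamps are made up. On a real host you would feed the same functions `/etc/passwd`, `/etc/shadow`, the output of `lastlog`, and the directories you care about.

```shell
#!/bin/sh
# Added example, not from the book: scripted versions of several checklist
# items, run against constructed data rather than the live system.
set -eu

# Constructed /etc/passwd-style records. Note the second UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
sysop:x:0:0::/:/bin/bash'

# Constructed /etc/shadow-style records: guest has an empty password field,
# daemon is locked (*), the rest carry placeholder hashes.
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
sysop:$6$saltsalt$placeholderhash:19000:0:99999:7:::'

# Constructed "user last-login-epoch" table, as you would derive from lastlog.
SAMPLE_LASTLOG='root 1704067200
alice 1704067200
guest 1690000000
sysop 1680000000'

# Accounts whose password field is empty: anyone can log in as them.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }'; }

# Accounts with UID 0 other than root: a classic intruder-created backdoor.
extra_uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# Accounts idle for more than $2 days as of epoch time $1 (stdin: "user epoch").
dormant_accounts() { awk -v now="$1" -v days="$2" '(now - $2) > days * 86400 { print $1 }'; }

# Files under $1 that anyone can write, and files that run set-UID. Add
# -ctime -1 to either find to restrict it to permissions changed in the last day.
world_writable_files() { find "$1" -type f -perm -0002; }
setuid_files()         { find "$1" -type f -perm -4000; }

# Scratch directory with one harmless file, one world-writable file and one
# set-UID file, so the file checks have something to find.
build_demo_dir() {
    d=$(mktemp -d)
    : > "$d/notes.txt";  chmod 0644 "$d/notes.txt"
    : > "$d/shared.log"; chmod 0666 "$d/shared.log"
    : > "$d/helper";     chmod 4755 "$d/helper"
    echo "$d"
}

# Run every check and print what it finds.
run_audit() {
    echo "accounts without passwords:";  printf '%s\n' "$SAMPLE_SHADOW"  | empty_password_accounts
    echo "extra UID-0 accounts:";        printf '%s\n' "$SAMPLE_PASSWD"  | extra_uid0_accounts
    echo "dormant accounts (>90 days):"; printf '%s\n' "$SAMPLE_LASTLOG" | dormant_accounts 1704067200 90
    d=$(build_demo_dir)
    echo "world-writable files:";        world_writable_files "$d"
    echo "set-UID files:";               setuid_files "$d"
    rm -rf "$d"
}

run_audit
```

For the “recent changes in file protection” item, a one-off find is weaker than a baseline: record the modes and hashes of system files once, and compare against that record on each audit, which is what file-integrity tools such as AIDE and Tripwire automate.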

Separation of Duties

Separation of duties is the principle that it’s better to assign pieces of security-related tasks to several specific individuals. If no one user has total control of the system’s security mechanisms, no one user can completely compromise the system. This principle is related to another important security principle, that of least privilege, the idea that the users and the processes in a system should have the least number of privileges—and for the shortest amount of time—needed to do their work.

In many systems, the system administrator has total control of the system’s daily operations and security functions. In secure systems, this concentration of power in a single individual isn’t allowed. It’s obvious that in such systems, ordinary users shouldn’t be allowed to perform security-related functions (except those that are discretionary to them, such as protecting files they, themselves, own). It may not be so obvious that security-related functions should not automatically be in the bailiwick of the system administrator, who takes responsibility for other important system operations.

In highly secure systems, as many as three distinct, complementary administrative functions, or roles, may be required: a system administrator, a security administrator (sometimes called an Information System Security Officer or ISSO), and an operator.

Typical system administrator/operator functions include:

§ Installing system software

§ Starting up and shutting down the servers in the system

§ Adding and removing system users

§ Performing backup and recovery

§ Handling and servicing printers

Typical security administrator functions include:

§ Setting user clearances, initial passwords, and other security characteristics for new users, and changing security profiles for existing users

§ Setting or changing file sensitivity labels

§ Setting security characteristics of devices and communications channels

§ Reviewing audit data

If an operator role is defined, the operator may perform some of the more mundane system administrator duties, such as doing backups.

The system administrator, the security administrator, and the operator may not always be different people, but in a secure system their roles must be clearly divided. Whenever the system administrator assumes the role of security administrator, for example, the person must switch hats thoroughly enough so the system is aware that the person is changing roles.

Suppose the person serving as system administrator needs to perform a security function—for example, starting up an auditing program. She will typically have to exit from the system administrator interface and switch, in some system-defined way, to the security administrator interface before being able to run the program. Although cumbersome, this process clearly reinforces the system administrator/security administrator’s understanding that the two roles are very different, with clearly delineated responsibilities that are monitored by the system. The system administrator and the security administrator play complementary roles that provide checks and balances on each other.

In some ways, these roles meet the objective of the so-called two-man control discussed in government security guidelines—the idea that it’s much less likely that two people will conspire to breach security. For example, the system administrator’s job is to add new users to the system; the security administrator’s is to assign a password, a clearance, and other security information to that user’s account. The security administrator usually must create system administrator accounts; the system administrator cannot create his own.
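One check that follows from the role split above, as an added example (not code from the book): list the accounts that hold both the system administrator and the security administrator role, which on a Unix host usually means membership in two groups. The group file and the group names (`sysadmin`, `secadmin`, `operator`) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: detect accounts that hold both the system
# administrator and the security administrator role. The group file and the
# group names are constructed for the example.
set -eu

SAMPLE_GROUP='root:x:0:
sysadmin:x:2000:alice,bob
secadmin:x:2001:carol,bob
operator:x:2002:dave'

# Print the members of group $1 from a group file on stdin, one per line.
members_of() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Print users that belong to both group $2 and group $3 in group file $1.
# A non-empty result is a separation-of-duties violation to investigate.
dual_role_members() {
    a=$(mktemp); b=$(mktemp)
    members_of "$2" < "$1" | sort -u > "$a"
    members_of "$3" < "$1" | sort -u > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

groupfile=$(mktemp)
printf '%s\n' "$SAMPLE_GROUP" > "$groupfile"
echo "in both sysadmin and secadmin: $(dual_role_members "$groupfile" sysadmin secadmin)"
rm -f "$groupfile"
```

This only sees supplementary group membership; a user whose primary group (the fourth field of the passwd record) is one of the two roles must be checked there as well. Enforcing the split, rather than just detecting violations, is then a matter of giving each group its own set of permitted commands in the sudoers policy and reserving the audit-review commands for the security group.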

Summary

Security grows down into an organization once a written policy dictates it is required. Administratively, this means that management creates and sustains the demand for things to be done according to certain standards and levels. This requires that risks be categorized and prioritized, and the value of the asset to be protected is weighed against the cost of its protection.

Security policies require procedures. Security procedures include holding regular security audits and implementing rules such as separation of duties and two-man control. To ensure that people know how to execute security procedures requires security training. To make sure people actually follow policies and procedures requires oversight and enforcement. For there to be enforcement, management must be involved. Management, after all, sets the policies.