Jennings it security overview 1 2



Network Security Overview

Secure computing and communications using a Layered Defense Strategy

An IT Engineering Resource
Version 1.2
D. E. Jennings
April 2012

CONTENTS:

1. Introduction (page 3)
2. How we got to this point (page 3)
3. Protecting the company from cyber crime (page 4)
4. Security plans and policies (page 5)
5. Security operations (page 6)
6. Risk management (page 9)
7. Categories of risk (page 10)
8. Personnel security (page 15)
9. Building security (page 16)
10. Access control (page 17)
11. Telecommunications (page 20)
12. Network security (page 21)
13. Architecture (page 25)
14. Intrusion Detection System (IDS) (page 27)
15. Electronic mail security (page 29)
16. Disaster recovery (page 31)
Appendix I: Security Policy (page 35)
Appendix II: Vulnerability Assessment (page 37)
Appendix III: Roles Matrix & Organization Chart (page 38)
Appendix IV: Typical Network Design (page 39)

© Copyright: April 2012, D. E. Jennings Page 2 of 41
1. Introduction:

This document presents a discussion of the concepts, plans and processes used to protect the assets and maintain business continuity for a typical small to medium sized company. Although most of the measures discussed here are applicable to large and extremely large companies, those organizations usually have international locations and require additional measures not discussed in this document.

The approach taken here differs from the traditional approach, and to understand why it is useful to look very briefly at the history of corporate security. Before computer networks, security was a physical lockdown kind of thing. It was handled by the same people who managed the other physical requirements of the company. Because the primary threat has changed, we believe that security should now be managed by the Information Technology Security department. In many companies today there are two departments: physical security, where security guards man the doors, and the IT Security department, where computer technicians keep the network safe. When there is a split responsibility there is room for a gap. With two departments managing different access lists and different access procedures, there is the possibility of too much or too little security. Most companies are suffering from this problem. The approach suggested in this paper is to administer a unified policy for all security under one department, i.e. the IT Security department, which would therefore include physical security in its mandate. At the center of security is an automated Identity Management System.

2. How we got to this point:

When corporate computer networks came into existence, security did not seem to be an issue. They were very big and very expensive, run by large institutions or the largest corporations only. In the 1980s, using a "dumb terminal" over dial-up phone lines from home, an employee could access the corporate computing center across the country. It was possible to input data that would be run as a "batch" file overnight and printed at the office in the morning, with no passwords involved. The probability of anyone getting in and doing damage was extremely small, and they really couldn't do any damage. Computers were managed by a small group of very highly trained professionals, and the knowledge of what they were doing was not known to the general public. Then Atari and others invented computer game machines. Around that time the personal computer was invented, and then came dial-up bulletin boards. Security was not built into programs and hacking them was easy. Lots of cracked[1] commercial software (mostly games) appeared on bulletin boards. This went on for many years, with cracked software and games passing from one dial-up bulletin board to another. The international community "got it", and computer users all over the world paid literally "$0.0" for quality software and games (and continue to do so). Then the "internet" arrived. The number of "hackers" multiplied, and the amount of commercial product (software, games, audio files, video, etc.) being "cracked" is still increasing. Hacking into high profile institutions was and is considered a "badge" of honor and garners great admiration from fellow hackers. The monetary gain incentive is at least as enticing as the "just see if you can do it" incentive.[2] A report from the anti-virus company Norton said most of us are not secure and that the cost of all this in the US alone is over $139 billion a year.[3] So in spite of this background, companies have embraced the use of the internet to conduct business in a big way. The same highway, known well and used by hackers to infiltrate, is used by companies to conduct billions of dollars worth of business daily. Although the benefits outweigh the risks, the risks are still there and must be mitigated. Although the threats from outside are enormous, the fact of life is that the greatest threat for small businesses is from their own employees.[4]

3. Protecting the company from cyber crime:

As we see in the preceding, the type and severity of cyber crime is still evolving.
Protecting the company is always a challenge, and IT security departments must keep pace with the changing threats.

The size of the company, the location and nature of the facilities, the number of locations and the Information Technology (IT) requirements of each affect the level and type of security required. For example, a company that utilizes a mobile sales force will need encrypted laptops and robust, secure communications channels to enable sales teams to keep in touch with the office. Also, a company with two geographically separated locations can use the other location as a data backup facility for disaster recovery.

A centralized security policy and access control model is one where all company locations are governed by the same security policy. A decentralized model allows each domain (or location) to control its own security. This may be advisable when there is a wide difference in requirements from one location or domain to another. An example: one location must meet Top Secret security requirements, and others may not. For most small to medium companies a centralized policy is more efficient to administer and maintain.

This document is not the Security Policy, the Operational Security Plan, or the Business Continuity Plan, but an overview of what goes into these and other documents.

4. Security Plans and Policies:

1. This document: a description of security plans and operations.

2. Security Policy: senior management's directives to create an information security program to protect the corporation's assets, establish security related goals and security measures, and target and assign responsibilities.[5] The Security Policy contains sections on Purpose, Scope, Responsibilities and Compliance. It is a high-level statement of management's intentions about how security should be practiced within the organization. It identifies what actions are acceptable and what level of risk the company is willing to accept. It is reviewed by the Security department and Corporate Management for updating every year and approved by Corporate Management.

3. Operational Security Plan.[6] This document is the detailed plan that contains instructions for putting the policy into action. It is basically a "manual" on how to get it done. It contains a breakdown of each security measure implemented. Audience: Program Management, IT Management, Program Operations Staff, IT Staff, Auditors. It is reviewed by the Security department for updating every 6 months; the Operational Security Plan is developed and revised by the Security department and approved by Corporate Management.

4. Business Continuity Plan (BCP). This is a plan to preserve the business activities when faced with disruptions or disasters. The plan includes the identification of real risks, risk assessment, and countermeasure implementation plans.
Although many organizations use the phrases Business Continuity Planning and Disaster Recovery Planning interchangeably, they are two distinct disciplines. Though both plans are essential to the effective management of disasters and other disruptive events, their goals are different. The goal of a BCP is to ensure that the business will continue to operate before, throughout, and after a disaster event is experienced. The focus of a BCP is on the business as a whole, and on ensuring that the critical services that the business provides or the critical functions that the business regularly performs can still be carried out both in the wake of a disruption and after it. In order to ensure that the critical business functions are still operable, the plan takes into account the common threats to those critical functions as well as any associated vulnerabilities that might make a disruption more likely.

5. Disaster Recovery Planning (DRP) is considered tactical rather than strategic and provides a means for immediate response to disasters. The DRP can be, but need not be, within the BCP. The DRP is developed by the Security department, reviewed yearly with representatives of each department and approved by Corporate Management. The DRP is exercised once a year (a simulated disaster is staged and the response team must respond according to the plan, enabling continuity of operations). For example, the plan to locate two manufacturing facilities in different geographic areas in case one is disabled by a disaster is BCP, and the plan to allow workers to "work from home" via a secure Virtual Private Network (VPN) using virtual facilities on secure databases is DRP. The DRP should be exercised at least yearly. The exercise (a simulated disaster event) is planned for a weekend or a time when normal business is low, i.e. over Christmas, Super Bowl weekend, etc. For the exercise the normal facilities are disabled and the "backup" plan to operate, possibly on a limited basis, goes into effect.

5. Security Operations:

The role of Security Operations is to:

1) Protect the assets, both physical and information, of the organization.
2) Protect the employees from harm both inside the building and on the premises.
3) Enable company operations after a loss of functionality.
4) Accomplish this in a cost effective way that does not unduly hinder operations.

These goals are accomplished through the implementation of a "Defense in Depth" layered plan of physical, administrative, managerial, technical and operational controls.[7] The methods of layering defensive technologies included in Defense in Depth (DiD) are physical, logical and virtual security solutions. The information assets are secured to reduce the risk of loss of confidentiality, integrity or availability.
Confidentiality provides a degree of assurance that data has not been made available or disclosed to unauthorized individuals, processes, or other entities. In essence, it assures that data can only be read or understood between trusted parties. Confidentiality can be breached or bypassed by someone shoulder surfing, sniffing or network monitoring, stealing passwords, or social engineering (an attacker posing as a trusted individual). In the network, confidentiality is accomplished through encryption.

Threats to confidentiality include:

- Hackers/crackers
- Masqueraders/spoofing
- Unauthorized user activity
- Unprotected downloaded files
- Network sniffing
- Trojan horses
- Social engineering

Integrity includes the issue of protecting against unauthorized modification or destruction of information. It includes the assurance that data leaving point A and arriving at point B arrives without modification, and assures that point A and point B are who they claim to be.

The three basic principles used to establish integrity in the enterprise:

- Need-to-Know Access - Users should be granted access only to those files and programs they absolutely need to fulfill their duties (role based security).
- Separation of Duties - No single person has control of a critical transaction from beginning to end. Two or more people should be responsible for an entire critical transaction.
- Rotation of Duties - Job responsibilities should be periodically changed so that users will find it more difficult to collaborate to exercise complete control of a transaction or subvert one for fraudulent purposes. This also has many other beneficial effects, including redundancy and continuity of operations in the event of loss of key personnel.

Availability is the attribute that ensures reliable and timely access to resources for authorized individuals. This means the corporation expects that:

- The IT resource performs or functions properly.
- The IT resource or network is available / accessible.
- The IT resource or network is available when it is needed.

Availability can be compromised by Denial-of-Service (DoS) attacks. These are actions by users or attackers that tie up computing resources in such a way that renders the system unusable. Availability is lost when natural disasters (fire, flood, earthquake) or human action (bombs, strikes, malicious code) create loss of IT or network capabilities. Availability is also lost due to normal equipment failure. The IT Security department works with the IT Architect to ensure a high availability design of the network. In some cases the IT Architecture function is within the Security department, as security and availability are paramount in the network design.

The Security department utilizes the Protect, Detect and React paradigm. In order to accomplish this, the department incorporates protection mechanisms and utilizes detection tools, procedures and logs that allow discovery of, and the ability to react to and recover from, attacks or disasters. The Security department's focus is on People, Technology and Operations.

The company Security Policy (see overview, Appendix I) is the foundation of the security operations of the company. The Security Policy, Operational Security Plan and Disaster Recovery Plan are evaluated and updated if required on an annual basis. The updates are based on data provided by the network information controls, re-evaluation of risks and stakeholder input as to usability and effectiveness.

The Operational Security Plan includes the detailed processes for physical security, access control, telecommunications and network security, and operations security.
6. Risk Management:

In order to determine what level of security an asset requires, we first identify and rank the assets to be protected, and then determine what level of protection is required. This is accomplished by a risk analysis, a risk assessment and a business impact analysis. These are completed by the security team together with the business unit management that has custody of the asset, with an overview by corporate management. Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. It is interesting that the Federal Government has revised its risk analysis approach to more closely follow industry standards.[8]

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats.

A risk assessment involves evaluating existing physical and environmental security and controls, and assessing their adequacy relative to the potential threats to the organization. See the example table in Appendix II.

A business impact analysis involves identifying the critical business functions within the organization and determining the impact of not performing a business function beyond the maximum acceptable outage. Types of criteria that can be used to evaluate the impact include: customer service, internal operations, legal/statutory and financial.

The risk analysis is the first step in the risk management methodology:[9]

1. Identify and prioritize assets;
2. Identify vulnerabilities;
3. Identify threats and their probabilities;
4. Identify countermeasures;
5. Develop a cost benefit analysis;
6. Develop security policies and procedures.

Using the formula Risk = Threat * Vulnerability, a risk analysis is completed for each corporate asset.

Vulnerability assessment has many things in common with risk assessment. Assessments are typically performed according to the following steps:

1. Cataloging assets and capabilities (resources) in a system.
2. Assigning quantifiable value (or at least rank order) and importance to those resources.
3. Identifying the vulnerabilities or potential threats to each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.

7. Categories of Risk:

1. Damage - Results in physical loss of an asset or the inability to access the asset, as in the case of a cut in a network cable.
2. Disclosure - Disclosing critical information, regardless of where or how it was disclosed.
3. Losses - Can be permanent or temporary, including the altering of data or the inability to access data.
4. Physical damage - Can result from natural disasters or other factors, as in the case of a power loss or vandalism.
5. Malfunctions - The failure of systems, networks, or peripherals.
6. Attacks - Purposeful acts, whether from the inside or outside. Misuse of data, as in unauthorized disclosure, is an attack on that information asset.
7. Human errors - Usually considered accidental incidents, as compared to attacks, which are purposeful incidents.
8. Application errors - Failures of the application, including the operating system. Application errors are usually accidental errors, while exploits of buffer overflows or viruses are considered attacks.
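As an added example that is not part of the original document, the scales used by the risk assessment charts in this section (likelihood A/B/C, consequence 1/2/3) and the cost-benefit rule the text describes are turned into a small Python risk register. The letters, codes and outage thresholds of 48 hours and 8 hours are the document's; the numeric weights, the handling of the 8 to 48 hour gap, the register entries and the earthquake figures are constructed assumptions for this example.

```python
from dataclasses import dataclass

# The document's scales. The numeric weights attached to them are an assumption
# made for this example so that the two ordinal scales can be multiplied.
LIKELIHOOD = {"A": 3, "B": 2, "C": 1}     # A Very Likely, B Somewhat Likely, C Unlikely
CONSEQUENCE = {1: 3, 2: 2, 3: 1}          # 1 Catastrophic, 2 Very Disruptive, 3 Inconvenient
NAMES = {1: "Catastrophic", 2: "Very Disruptive", 3: "Inconvenient"}


def consequence_code(outage_hours):
    """Rate an interruption with the document's scale: more than 48 h is
    Catastrophic (1), up to 8 h is Very Disruptive (2), little or no
    interruption is Inconvenient (3). The document does not rate 8-48 h or
    say where "little impact" ends; this example treats 8-48 h as Very
    Disruptive and anything up to 1 h as Inconvenient (assumptions)."""
    if outage_hours > 48:
        return 1
    if outage_hours > 1:
        return 2
    return 3


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str        # "A", "B" or "C"
    consequence: int       # 1, 2 or 3
    mitigation: str = ""

    def score(self):
        """Risk = Threat * Vulnerability applied to the two ordinal scales:
        9 is very likely and catastrophic, 1 is unlikely and inconvenient."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def rank(register):
    """Highest score first; ties are broken by asset name so the order is stable."""
    return sorted(register, key=lambda r: (-r.score(), r.asset))


def mitigation_worthwhile(annual_probability, loss_if_it_happens,
                          annual_mitigation_cost, residual_fraction):
    """Cost-benefit test: a countermeasure is worth buying when the annualised
    expected loss it removes exceeds its annual cost. residual_fraction is the
    share of the loss that remains even with the countermeasure in place.
    Returns (expected_loss, loss_avoided, worthwhile)."""
    expected_loss = annual_probability * loss_if_it_happens
    loss_avoided = expected_loss * (1.0 - residual_fraction)
    return expected_loss, loss_avoided, loss_avoided > annual_mitigation_cost


# Constructed register entries modelled on the document's example charts.
REGISTER = [
    Risk("Chief Information Officer", "Resignation / recruited away", "C", 1,
         "Backup person, rotation of duties, retention policy"),
    Risk("Core router", "Hardware failure", "B", 1,
         "Redundant routers or diverse paths"),
    Risk("Assistant staff", "Turnover", "A", 3,
         "Role documentation and training materials"),
    Risk("Facilities", "Earthquake", "C", 1,
         "Continuity plan; fully redundant site only in a heavy earthquake zone"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score()}  {r.asset:28} {r.threat:30} "
              f"{NAMES[r.consequence]:16} {r.mitigation}")
    # Earthquake with constructed figures: unlikely but catastrophic. A fully
    # redundant facility costs more per year than the expected loss it avoids;
    # a continuity plan that halves the loss costs far less than it saves.
    print(mitigation_worthwhile(0.02, 5_000_000, 400_000, 0.10))
    print(mitigation_worthwhile(0.02, 5_000_000, 20_000, 0.50))
```

The ranking only orders the register; the cost-benefit function is what decides whether a particular countermeasure is bought, which is the distinction the earthquake discussion in this section draws between a continuity plan and fully redundant facilities.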
A Risk Assessment chart is used to rank the effect of threats and vulnerabilities that are determined to be risks. Cost benefit analysis is used to determine when a risk is worthy of mitigation. An earthquake, although very unlikely, would have a catastrophic effect. Therefore a plan for continuing operations in the event of an earthquake will be advisable; however, the cost of maintaining complete redundant facilities may not be warranted unless the business is located in a heavy earthquake zone.

The tables in the following pages are intended to show examples of how the risk analysis and mitigation are documented. There is no one "correct" table. The analysis should drill down to the level of detail that you will be able to manage. The team that conducts and reviews the assets and risks will include department managers that have ownership of the assets. For personnel, we suggest that a professional from the Human Resources (HR) department take the lead in the personnel risk analysis by role.

The table below is an example of a Risk Assessment Chart for loss of personnel, in this case the Chief Information Officer.

Risk: Loss of personnel: Chief Information Officer

| Consequence | A. Very Likely | B. Somewhat Likely | C. Unlikely | Mitigation |
|---|---|---|---|---|
| Catastrophic | The market is in short supply; many recruiters are contacting our CIO with offers. | | Although the CIO is being recruited, he/she is content and does not seem to want to leave. | Two or more people trained in this position within the company at all times, to mitigate the risk of loss since it is a critical position and difficult to replace. Retention policy (bonus, vacation, etc.). |
| Very Disruptive | | | | |
| Inconvenient | | | | |

Note: the difference between "Very Likely" and "Unlikely" above is that corporate management is aware of the first scenario and makes an effort to retain the CIO, making the likelihood of him/her leaving "unlikely". Nevertheless, in either case the result would be "catastrophic", so planning for his/her leaving is done by identifying a "backup" person and making sure that person is able to assume the duties by using the policy of "rotation of duties".[10] In this economy there is less likelihood of people changing jobs; however, key positions should be looked at in terms of duplication of capability and personnel retention. This is not necessarily a function of the security department; however, when risks such as these are identified they should be brought up to corporate management for inclusion in the overall company risk management process.

Example of a Risk Assessment Chart for less critical roles.

Risk: Loss of personnel: Assistant Staff

| Consequence | A. Very Likely | B. Somewhat Likely | C. Unlikely | Mitigation |
|---|---|---|---|---|
| Catastrophic | | | | This position, although very useful and important to the company, is not considered a high risk. Except for normal role documentation and training materials, other mitigation is not necessary. |
| Very Disruptive | | | | |
| Inconvenient | Personnel for this position are available in the marketplace. | | | |

For less critical roles, turnover is always inconvenient and may be very disruptive, even though the positions are quickly replaced. Therefore each role / position is looked at in detail and effort is made to ensure continuity of operations and minimize the effects of loss of personnel.

Risk Assessment Chart for Information Technology / Computing and Network hardware.

Hardware failure (general). Each item is rated for likelihood (Very Likely, Somewhat Likely, Unlikely) and consequence (1, 2, 3); the mitigation for each item is:

| Item | Mitigation |
|---|---|
| Router - Core | We can reduce the consequence to inconvenient by deploying redundant routers or diverse paths. The failure rate is a function of the equipment design and environment. |
| Router - Distribution | As the router controls less critical branches of the network, we might economize and only utilize diverse routing to ensure high availability. |
| Switch (non redundant) | Diverse paths may be able to move the consequence to "inconvenient". |
| Server (non redundant) | Servers are usually deployed in redundant modes, as the cost of servers has dropped in relation to their critical use in the network. |

Consequence: 1) Catastrophic, 2) Very Disruptive, 3) Inconvenient.

Hardware fails, depending on the age, vendor, maintenance, environment (heat / cold) etc. Constant temperature is usually preferred, as heating and cooling expand and contract metal and substrates that have different expansion coefficients and can separate and crack. The life of equipment is variable. Redundancy for key equipment is almost always cost effective. A much more detailed / extensive analysis should be completed for an actual risk analysis.

The consequence can be rated as: 1 = Catastrophic, major damage to the equipment and/or facilities, interruption in operations for more than 48 hours; 2 = Very Disruptive, interruption in operations for up to 8 hours; 3 = Inconvenient, little impact or interruption in operations.

The table below lists common cyber attacks and mitigation strategies. This table is pretty much at the top of the list for evaluation and re-evaluation by the IT Security department. This is what they deal with on a day to day basis. New attacks are coming out daily. Operating system patches are automatically reviewed daily and updates made as required. Software version numbers are important and tracked by date. All software used by the company must be maintained and kept up to date with the latest release. There is a function in the IT Security department devoted to this process.

Common Network Cyber Attacks. Each attack is rated for likelihood (Very Likely, Somewhat Likely, Unlikely) and consequence (1, 2, 3); the mitigation for each is:

| Attack | Mitigation |
|---|---|
| Denial of service | Malformed bits / false IP addresses can be mitigated by keeping the OS up to date and logging frequent connection attempts against one service. |
| SYN Flood | An overload of packets that have the SYN flag set can be blocked by a firewall, by keeping the OS up to date and by review of log files. |
| Malware | Up to date antivirus signatures are essential in combating viruses, Trojans, worms, spyware etc. Also restricting access to non-essential web surfing, especially in critical branches of the network. Segmenting the network's critical assets. Restricting administrator privileges on user computers to keep unauthorized software off machines and to prevent changes to security settings. |
| Social Engineering | Servers are usually deployed in redundant modes as the cost of servers has dropped in relation to their critical use in the network. |
| Port Scanning | A firewall will protect from port scanning with the intention to infiltrate the network. |
| ICMP abuse | Packet filtering via a firewall will block abusive ICMP echo requests. |
| Host Attack | A proxy server will keep attackers from accessing IP addresses, hostnames and passwords which can be used to find other hosts to attack. |
| Man in the middle attack | Virtual Private Network (VPN) encryption can keep an attacker from operating between computers, impersonating one to intercept communications. |
| New files on network | Use system auditing software to control this, as a behavioral monitor / block. |
| Remote procedure calls | An Intrusion Detection System will defeat this threat, as well as keeping OS patches up to date. |

Consequence: 1) Catastrophic, 2) Very Disruptive, 3) Inconvenient.

The following table takes the credible threats from the individual analysis charts and summarizes them on one chart. These charts are not meant to be exhaustive but rather illustrative of the process.
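The attack table above relies, for denial of service and SYN floods, on "logging frequent connection attempts against one service" and on reviewing log files, and for port scanning on the firewall. As an added example that is not part of the original document, here is the detection side of those two rows in Python: it parses constructed firewall-style log lines (the line format is an assumption for this example, not a particular product's, and the addresses come from the documentation IP ranges), flags a source that opens many SYN connections to one service inside a short window, and flags a source that touches many different ports on the same host. The window and thresholds are assumptions and would be tuned against the real log volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format for this example (not a specific firewall product's syntax):
# <ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> flags=<tcp flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) flags=(?P<flags>\w*)$"
)


def constructed_log():
    """Sample log lines constructed for this example: a burst of SYNs against one
    web service, a source probing many ports, a few ordinary connections, and one
    malformed line that the parser must tolerate."""
    base = datetime(2012, 4, 10, 9, 14, 0)
    lines = []
    for i in range(30):                        # 30 SYNs to port 80 within 6 seconds
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} ACCEPT src=203.0.113.7 dst=192.0.2.10 "
                     f"dport=80 proto=tcp flags=S")
    for i, port in enumerate(range(21, 36)):   # 15 different ports, one attempt each
        ts = base + timedelta(seconds=30 + i)
        lines.append(f"{ts.isoformat()} DROP src=198.51.100.4 dst=192.0.2.10 "
                     f"dport={port} proto=tcp flags=S")
    for i in range(3):                         # normal user traffic
        ts = base + timedelta(minutes=1, seconds=10 * i)
        lines.append(f"{ts.isoformat()} ACCEPT src=203.0.113.20 dst=192.0.2.10 "
                     f"dport=443 proto=tcp flags=S")
    lines.append("garbage line that does not match the format")
    return lines


def parse(lines):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_floods(events, window=timedelta(seconds=10), threshold=20):
    """Return {(src, dport): peak count} for sources whose SYN attempts against one
    service reach `threshold` inside any interval of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        if "S" in e["flags"]:
            by_key[(e["src"], e["dport"])].append(e["ts"])
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for i, ts in enumerate(stamps):         # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def find_port_scans(events, distinct_ports=10):
    """Return {src: number of distinct ports} for sources touching many ports."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= distinct_ports}


if __name__ == "__main__":
    evs = parse(constructed_log())
    print("possible floods    :", find_floods(evs))
    print("possible port scans:", find_port_scans(evs))
```

Both checks are indicators rather than proof: a busy legitimate client can cross the flood threshold, and a vulnerability scanner the company runs itself will look like a port scan, so the flagged sources are what the log review in the table hands to a person for judgement.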
Example: Threat / Vulnerability and Mitigation Summary Table:

| Asset | Vulnerability | Threat | Risk Assessment (Probability / Consequence) | Mitigation |
|---|---|---|---|---|
| Personnel: injury while entering / leaving building | Employees may be vulnerable between the time they leave their vehicles and when they enter the building. | Mugging, theft, panhandling or other personal attacks while walking alone to the car. | Unlikely / Catastrophic. At most locations the risk is "unlikely"; the consequence can be "catastrophic". | Cost benefit analysis makes lighting and cameras feasible for this threat. |
| Personnel: resignations | Key operations may be at risk. Key employees are more likely to be recruited by other companies. | Loss of functionality, leaving the company, illness at a critical time. | Likely / Catastrophic | Make sure each role / duty has a back up. Capture and document key information. |
| Personnel: disgruntled, inside | Employees with access to assets. | Sabotage, theft, disruption of teamwork. | Unlikely / Disruptive. Most lost assets are non-critical; critical assets must be protected. | Critical assets identified and protected: locked / RFID tags similar to those used in retail. |
| Personnel: disgruntled, outside | Former employee with passwords still enabled logs onto the network via a borrowed laptop or dial-in access. | Sabotage, theft, disruption of teamwork. | Unlikely / Disruptive. Although most assets can be lost with only disruptive consequences, critical assets must be protected. | Identity Management System and log file review. |
| Social engineering | Sensitive information is vulnerable. Inadvertent release of information: PII, passwords, etc. | PII theft can lead to identity theft. Password release can lead to actual infiltration of the network. | Unlikely / Disruptive. This has to be evaluated periodically; in most cases this threat is unlikely. | Education and periodic test / probing to keep employees alert and aware. |
| Hardware failure | Loss of servers, routers, etc. through equipment failure caused by heat or lack of maintenance. | Functionality / availability of the network. | Unlikely / Catastrophic. This can be determined on an equipment by equipment basis. | Utilize redundant equipment where feasible. |
| Hardware theft / tamper | Located in an unlocked room, accessible to employees. | Sabotage or inadvertent damage due to error. | Unlikely / Catastrophic | Keep in a locked, secure environment. After the initial installation equipment is often ignored. |
| Software | Category A: necessary to company operations. | Loss / tamper / out of date software versions. | Unlikely / Very Disruptive | Backups must be maintained; keep software up to date with patches and antivirus protection. |
| Software | Category B: used to support / promote the business. | Loss / tamper / out of date. | Unlikely / Disruptive | Keep non-critical software up to date with patches and antivirus protection. |
| Information | Key inventions, intellectual property. | Theft, duplication if in the hands of a competitor. | Unlikely / Catastrophic | Knowledge is most valuable. |
| Information | Customer lists, PII. | Illicit use if in the hands of a competitor / thief. | Unlikely / Catastrophic | |

8. Personnel Security:

Although not generally thought of as part of an IT Security Plan, personnel security is always a part of the overall security considerations, and with IT Security responsible for the entire company's security this becomes part of their responsibility. The main thrust here is to make sure employees are safe. Vulnerabilities exist mostly while moving between the parking lot and the building. The other aspect of security involving personnel is the risk to the company when personnel end their employment with the company (voluntarily or otherwise). Several security issues are involved with employees who move on. These are mostly handled with the help of the automated Identity Management System.

Security starting at the parking lot is designed to accomplish two things. First: physical security or safety of employees. The plan is designed to protect employees from the threat of personal harm when they are between their cars and the building. This is accomplished by the use of 8 ft. high fencing integrated into the landscaping and color coordinated to be less visible, intrusion detection sensors, cameras and lighting. The parking lots will have cameras installed at locations that enable viewing of activity anywhere in the lots. The entire area, building and parking lot will be fenced, and lighting and cameras will be deployed in strategic areas. This will enhance the landscaping, which will be designed to enhance security, leaving areas near the windows and building entrances free of large shrubs so as to enable greater visibility.

Physical security is closely connected with Identity Management and starts with vehicle identification. The parking lots will be for employee use only.
There will be a separate lot forvisitors and clients. The employee lots will have Radio-Frequency Identification (RFID)transceivers installed and each employee will be issued tags (also called transponders) that willenable identification of their vehicles as they enter the lots. 11 There is one entrance at eachlocation and the receptionist in the building who also functions as a security officer will have a© Copyright: April 2012, D. E. Jennings Page 15 of 41
  16. 16. picture and name of employee on her screen before they enter the front entrance. (Captured bythe RFID system) If he/she sees a different person enter she will deal with that in a differentway. Visitors may not be in the system until they have visited the first time and been identifiedand put in the database. First time visitors are treated slightly different from 2nd time visitors andemployees. In each case the goal is to have flawless security and we want the person to feelgood about the security measures and tolerate if not enjoy their participation in the process. Wealso do not want to delay a legitimate entry. Trained and motivated security personnel areessential to this process. One option is to institute a Rotation of Duties with all other roles in thecompany with the security point person which will enable all employees to appreciate the role ofsecurity. Front desk security would be a duty everyone would be able to enjoy. This wouldincrease security awareness and allow everyone in the company eventually to meet everyoneelse. 9. Building Security:Windows and doors to the outside will be alarmed to a central alarm system. During businesshours there will be one entrance for employees to enter the building. At that location they willuse their RFID badge to open a door. Once inside there is a lobby where they will be allowedinto the building after showing their ID badge to the receptionist. This process is two factorsecurity, RFID badge and personal recognition by a human.After hours the building will be locked and secure by 24 hour security monitoring. The securitymonitoring will include the grounds, the parking lot and cameras at strategic locations within andoutside the building. The cameras will be on a 24/7 recording schedule and archived and aregular schedule. 
Those who require after hours work must have prior approval and will beadmitted by the security guard on duty.Sensitive rooms within each building will be secured from general employee access. Eachemployee RFID badge will give them access to specific areas divided by department. TheHuman Resources department will have a lobby area with soundproof rooms where employeeinterviews will be conducted. Also the finance area will have an area where non-financeemployees will be admitted without having to enter the restricted “Finance” area which isrestricted to finance employees only. Conference rooms, cafeteria, restrooms, etc., will be opento the general employee population.© Copyright: April 2012, D. E. Jennings Page 16 of 41
10. Access Control:

Access control is enabled by an efficient Identity Management system. [12] Identity Management is the management of user credentials and the means by which users log on to corporate network resources. With the emergence of phishing attacks, good identity management became essential in maintaining the CIA triad. Phishing exploits the difficulty of properly identifying and authenticating identities. The evolution of identity management follows the progression of Internet technology closely.

Typical identity management functionality includes the following:
 1. User information self-service
 2. Password resetting
 3. Management of lost passwords
 4. Workflow
 5. Provisioning and de-provisioning of identities from resources

Identity management also addresses the age-old N+1 problem, where every new application may entail the setting up of new data stores of users. The ability to centrally manage the provisioning and de-provisioning of identities, and consolidate the proliferation of identity stores, all form part of the identity management process.

Identity management starts with the risk assessment to determine the need for particular controls to properly protect information, applications, and infrastructure as required. These controls set the lifecycle security objectives for creating and maintaining an identity, verifying and authenticating an identity, granting permissions and authorities, monitoring and accountability, and auditing and appraisal of the identity management processes.

The identity management system defines the control objectives required to enforce the security policy:
 1. Identification: The process that creates an entity and verifies the credentials of the individual, which together form a unique identity for authentication and authorization purposes.
 2. Authentication: Verifies credentials to support an interaction, transaction, message, or transmission.
 3. Authorization: Grants permissions by verifying the authenticity of an individual's identity and permissions to access specific categories of information or to carry out defined role based tasks.
 4. Accountability: The process that records the linkage between an action and the identity of the individual or role who has invoked the action, thus providing an evidence trail for audit or non-repudiation purposes.
 5. Audit: The process that examines data records, actions taken, changes made, and identities/roles invoking actions, which together provide a reconstruction of events for evidential purposes.

The control objectives above serve the requirement to provide an auditable chain of evidence.

Using the Identity Management system, each employee is given access to physical locations, network locations, information databases, etc. based on their role and classification. Each role and title will imply certain tasks and levels of authorization to perform particular tasks. An example of a Role table is in Appendix III. Access to the required resources will be based on those roles. The identity management system enables efficient deployment of employees and removal of employees when they are no longer required to have the access or they leave the company.

Maintaining access control in the enterprise requires several components for each category of access control. There are three main categories of access control: [13]

Administrative:
 1. Policies and procedures - A high-level plan that lays out management's plan on how security should be practiced in the company. It defines what actions are not acceptable and what level of risk the company is willing to accept.
 2. Personnel controls - Indicate how employees are expected to interact with corporate security, and how non-compliance will be enforced.
 3. Supervisor structure - Defines the overall company hierarchy. Each employee has a supervisor they report to and that supervisor has a superior they report to. This chain of command dictates who is responsible for each employee's actions.
 4. Security awareness training - Users are usually the weakest link in the security chain. Proper training on security issues can instill access control usage on the network.
 5. Testing - Test access controls on the network to determine their effectiveness (or ineffectiveness).

Physical:
 1. Network segregation - Defining segregation points can help enforce access controls on ingress or egress to the segment.
 2. Perimeter security - Defines how the perimeter of the company will be enforced, such as guards, security badges, fences, gates.
 3. Computer controls - Defines the physical controls on computer systems, such as locks on systems to deter theft of internal parts, removal of floppy drives to deter copying.
 4. Work area separation - Separation of work areas based on type of use, such as server room, wiring closets, experimental room.
 5. Data backups - This physical control is used to ensure access to information in case of system failure or natural disaster.
 6. Cabling - Protecting the cabling from electrical interference, crimping, and sniffing.

Technical:
 1. System access - Controls that determine how resources on a system are accessed, such as MAC architecture, DAC architecture, username/password, RADIUS, TACACS+, Kerberos.
 2. Network architecture - Defines logical network segmentation to control how different network segments communicate.
 3. Network access - Defines access controls on routers, switches, network interface cards, and bridges. Access control lists, filters, AAA, and firewalls would be used here.
 4. Encryption and protocols - A technical control that encrypts traffic as it courses through untrusted network segments. Protocols could include IPSec, L2TP, PPTP, SSH, SSL/TLS.
 5. Control zone - A specific area in the enterprise that surrounds and protects network devices that emit electrical signals. Electrical signals emanate from all computer systems and travel a certain distance before being drowned out by interference from other electrical fields. Control zones are both a technical and physical control.
 6. Auditing - Tracks activity as resources are being used in the enterprise.

11. Telecommunications:

Along with access to the network from the company intranet, employees may gain remote access via a remote log-on through a secure Virtual Private Network (VPN).

Virtual Private Networks (VPNs) are secure private connections created using a public network. They are virtual in the sense that the public network is seen as a single hop between networks, allowing the two networks to be virtually connected. They are private in the sense that data sent over the public network cannot be viewed by un-trusted personnel. Encryption techniques create the privacy.

Four main VPN protocols are in use today:

Layer Two Forwarding (L2F) is a protocol developed by Cisco that supports the creation of secure virtual private dial-up networks (VPDNs) over the Internet.

Point to Point Tunneling Protocol (PPTP) is a network protocol developed by Microsoft that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet.
Layer 2 Tunnel Protocol (L2TP) is an Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).

IPSec - The Security Architecture for the Internet Protocol is designed to provide interoperable, high quality, cryptographically based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, detection and rejection of replays (a form of partial sequence integrity), confidentiality through encryption, and limited traffic flow confidentiality. The IP layer provides these services, offering protection in a standard fashion for all protocols that may be carried over IP, including IP itself.

When the Identity Management System is used, VPN access is seamlessly integrated with the Identity Management System.

12. Network Security

Attackers are continuously attempting to gain access to corporate resources for profit or fun. Once the security world obtains an understanding of the exploit used, the application, algorithm, or protocol is updated to mitigate the threat. Attackers then try different avenues of attack, which leads to an endless exploit/mitigation loop.

Examples of Network Attacks:

Smurf: This is an attack with three entities: the attacker, the victim, and the amplifying network. The attacker spoofs, or changes, the source Internet Protocol (IP) address in a packet header to make an Internet Control Message Protocol (ICMP) ECHO packet seem as though it originated at the victim's system. This ICMP ECHO message is broadcast to the amplifying network, where all active nodes send replies to the source (the victim). The victim's system and network become overwhelmed by the large amounts of ECHO replies.

Fraggle: This is the same type of attack as the Smurf attack, except here the attacker broadcasts a spoofed UDP packet to the amplifying network, which in turn replies to the victim's system.

Denial of Service (DoS): This attack consumes the victim's bandwidth or resources, causing the system to crash or stop processing other packets. DoS attacks are carried out by attackers with an intent to stop legitimate users from accessing certain resources. Their intent is malicious and not designed to obtain information. DoS attacks are usually the most formidable of attacks to deal with, as they usually involve very large amounts of traffic that may or may not look on the wire as valid transmissions. Knowing how these attacks are sculpted and executed will allow network administrators to better deter them on their networks. Mitigation of DoS attacks can be performed at the ISP egress router into the company via rate limiting, via NIDS, HIDS, and by having up to date security patches and hot fixes installed on all critical servers and systems. Where the login subsystem is the target, input checking included in that subsystem can easily stop the DoS attack.

Distributed Denial of Service (DDoS): This is a logical extension of the DoS attack. The attacker creates master controllers that can in turn control slave/zombie machines, all of which can be configured to attack a single node.

DNS DoS Attacks: In this attack a record at a domain name server (DNS) is replaced with a new record pointing at a fake/false IP address.

Cache Poisoning: Here the attacker inserts data into the cache of the server instead of replacing the actual records.

A buffer overflow is a software-based attack created when a program does not check the length of data that is input into it, which will then be processed by the CPU. A buffer overflow exists when a particular program attempts to store more information in a buffer memory storage than it was intended to hold. Since the buffer was only intended to hold a certain amount of data, the additional data overflows into a different area of memory. It is this different area of memory where overflows cause the problem.

Brute force attacks occur when a cracker attempts to obtain the correct password for an account by trying every conceivable value, hoping to stumble across the correct one. Administrators have known about brute force attacks for many, many years and have come up with ways to mitigate these types of attacks. One of the easiest methods is to rename the administrator account to something else. In this way the cracker must know two things, the account name and the password. Administrators will also create passwords of at least eight characters in length. This technique helps because it takes time to brute force a password that is at least eight characters long. Hopefully, the administrator will notice the attack and take precautionary steps to block the cracker. The length of the password and the number of possible values a password may have will delay the success but not stop this attack. Also, imposing a delay of, say, 20 seconds between failed attempts or locking the account after 10 failed attempts deters this type of attack.

Dictionary attacks are another form of brute force attack and take advantage of a well-known flaw in the password authentication scheme. That flaw is the fact that many people use common words as the password for an account. Attackers exploit this fact by using a source for common words (the dictionary) to try to obtain a password for an account. They simply try every possible word in the dictionary until a match is found. Proper password usage is key to the mitigation of this attack. Dictionary attacks are usually mitigated by systems that use pass phrases instead of passwords.

Spoofing: Attackers can use many different types of spoofing attacks, but they all use spoofing for one reason, which is to impersonate another host. Sometimes the attacker does not care who he or she is impersonating; the attacker only cares that the packet he or she is transmitting does not identify him or her. Other times the attacker knows exactly what host he or she wants to impersonate and wants the return traffic to reach this host. A spoofing attack on a password system is one in which one person or process pretends to be another person or process that has more privileges. An example would be a fake login screen, also called a Trojan horse login. In this attack, the attacker obtains low-level access to the system and installs malicious code that mimics the user login screen. On the next attempt to log in, the user enters his username and password into the fake login screen. The malicious code then stores the username and password in a certain location or may even email the information to an email account. The Trojan horse then calls the correct login process to execute. To the user, the entry appears to be an incorrect or mistyped username or password and he or she will try again.
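The two brute-force mitigations named above, a delay between failed attempts and a lockout after a number of failures, together with the eight-character minimum, can be put into one login check. The following is an added example written for this overview, not code from the original document or from any product; the class and function names, the sample user table and the numbers (20 second delay, 10 failures, 8 characters) are assumptions taken from the text.

```python
"""Added example (not from the original document): a login guard enforcing a
fixed delay between failed attempts, a lockout after repeated failures, and a
minimum password length. Names, sample data and numbers are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 8      # eight-character minimum from the text
RETRY_DELAY_SECONDS = 20     # delay imposed between failed attempts
LOCKOUT_THRESHOLD = 10       # failed attempts before the account is locked
DUMMY_DIGEST = "0" * 64      # compared against for unknown users so timing is uniform


def password_digest(password):
    """Sample storage form only: a real system uses a salted, slow password
    hash; plain SHA-256 is used so the example runs with the standard library."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample user table: username -> stored digest.
SAMPLE_USERS = {"analyst": password_digest("correct horse battery")}


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0   # earliest time at which another attempt is accepted


class LoginGuard:
    """Verifies credentials while throttling and locking out repeated failures."""

    def __init__(self, users):
        self.users = dict(users)
        self.state = {}

    def state_for(self, user):
        return self.state.setdefault(user, AccountState())

    def attempt(self, user, password, now):
        """Return 'ok', 'bad', 'throttled' or 'locked' for one login attempt
        made at time `now` (seconds)."""
        st = self.state_for(user)
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            # Inside the delay window: refuse without checking the password,
            # so guessing can run no faster than one try per delay period.
            return "throttled"
        stored = self.users.get(user, DUMMY_DIGEST)
        if hmac.compare_digest(stored, password_digest(password)):
            st.failures = 0
            return "ok"
        st.failures += 1
        st.next_allowed = now + RETRY_DELAY_SECONDS
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked = True
            return "locked"
        return "bad"

    def is_locked(self, user):
        return self.state_for(user).locked


def password_meets_policy(password):
    return len(password) >= MIN_PASSWORD_LENGTH


def simulate_guessing(guard, user, guesses, start=0.0):
    """Feed a constructed word list (a dictionary attack) at one account at the
    fastest rate the throttle permits and return the outcome of each guess."""
    results = []
    t = start
    for guess in guesses:
        results.append(guard.attempt(user, guess, t))
        t += RETRY_DELAY_SECONDS
    return results
```

With these numbers a guessing run gets at most nine wrong answers, one every 20 seconds, before the tenth failure locks the account, which is the point the text makes: the delay slows the attack so an administrator can notice it, and the lockout ends it. A locked account stays locked until an administrator resets it, which the example leaves out.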
When they do, of course, they are let into the system.

DNS spoofing attacks work by convincing the target machine that the machine it wants to contact (for example, ) is the machine of the attacker. When the target issues a DNS query, it could be intercepted and replied to with the spoofed IP address, or the query could reach the DNS server, which has been tampered with in order to give the IP address of the cracker's host rather than the real server's IP address. Either way the target receives a false IP address and will attempt to contact it.

Sniffing: The act of sniffing is the use of a program or device that monitors data traveling over a network. Sniffing is hard to detect because, as a passive attack, it only receives information and never sends out information. The goal of sniffing is to capture sensitive information such as a password in order to perform a replay attack at a later time. Mitigation against sniffing attacks can include using a switched infrastructure, using one-time passwords, or enabling encryption.

In a Transmission Control Protocol (TCP) takeover attack, the cracker will attempt to insert malicious data into an already existing TCP session between two hosts. In this type of attack, the attacker is either attempting to inject false data into the conversation or take over the session completely. This type of attack is usually used in conjunction with a DoS attack to stop the host it is impersonating from sending any further packets. The DoS attack against the impersonated host will itself be using spoofed packets. In this way, the attacker will hide his or her identity from the host he or she took over the TCP session from, while the opposite end still believes its ongoing session is with the original host.

A pseudo flaw is an apparent loophole deliberately implanted in an operating system or program as a trap for intruders. Pseudo flaws are inserted into programs to get attackers to spend time and energy attempting to uncover weaknesses in programs that they hope will allow them to gain access to other parts of the system. Because these are deliberate flaws, the attacker can spend weeks attempting to exploit the flaw before he or she becomes discouraged and moves on to different parts of the program.

Alteration of Authorized Code: Attackers often write small programs that create a patch in authorized code. Take a program that will not execute until the user enters a valid serial number or authorization code. The attacker does not have this information, yet still wants to execute the program. Using his or her knowledge of programming and off-the-shelf software, the attacker can identify where in the program the subroutine that performs authorization is called from. The attacker then writes a program that modifies that very same area of the program, but instead of calling the authorization subroutine, the instructions are now a series of NOPs (no operations). This alteration of authorized code simply bypasses the authorization subroutine and begins executing the program.

Flooding is the process of overwhelming some portion of the information system. This could be bandwidth on a serial link or memory in a router or server. There are many uses of flooding for attackers. Attackers could hide their attacks in a flood of random attack packets, they could attempt to overwhelm a switch's Address Resolution Protocol (ARP) table, or they could perform DoS attacks. SYN floods are an example of flooding used in a DoS attack. SYN floods take advantage of TCP's three-way handshake. In this DoS attack, the attacker sends many thousands of half-formed or embryonic TCP connection requests (SYN packets), usually with a spoofed source address, to the target server. The server that receives these connection requests sets aside a small amount of memory for each connection, and replies with a SYN-ACK to the spoofed address. The spoofed host (if it exists) receives the SYN-ACK packet and discards it. This leaves the server with an open or half-formed connection, which will remain so for three minutes as it waits for the connection to complete. A few open connections will not cause harm to a server, but thousands upon thousands of open connections, each using a small amount of memory, will quickly consume all available resources on the server. When all resources are consumed, the server will no longer respond to the SYN requests of the attacker. Unfortunately, the server will also not respond to any SYN request from a valid user, which is the DoS the attacker is trying to accomplish.

These attacks are always changing, and methods of mitigating them are also changing.

13. Architecture

An example network architecture for a single location is located in Appendix IV. The network is segregated into 7 sub-networks which include the 10 functional areas.

Fundamental Firewall Designs

Firewall design has evolved from flat designs such as dual-homed host and screened host to layered designs such as the screened subnet. The evolution has incorporated network defense in depth, incorporating the use of DMZ and more secure networks.

A Bastion host is any host placed on the Internet which is not protected by another device (such as a firewall).
Bastion hosts must protect themselves, and be hardened to withstand attack. Bastion hosts usually provide a specific service, and all other services should be disabled.

A Dual-homed host has two network interfaces: one connected to a trusted network, and the other connected to an untrusted network, such as the Internet. This design was more common before the advent of modern firewalls in the 1990s, and is still sometimes used to access legacy networks.

Screened Host Architecture is an older flat network design using one router to filter external traffic to and from a bastion host via an access control list (ACL). The bastion host can reach other internal resources, but the router ACL forbids direct internal/external connectivity. The difference between dual-homed host and screened host design is that screened host uses a screening router, which filters Internet traffic to other internal systems. Screened host network design does not employ network defense-in-depth: a failure of the bastion host puts the entire trusted network at risk. Screened subnet architecture evolved as a result, using network defense in depth via the use of DMZ networks.

DMZ Networks and Screened Subnet Architecture. A DMZ is a dangerous "no-man's land": this is true for both military and network DMZs. Any server that receives traffic from an untrusted source such as the Internet is at risk of being compromised. We use defense-in-depth mitigation strategies to lower this risk, including patching, server hardening, NIDS, etc., but some risk always remains.

Network servers that receive traffic from untrusted networks such as the Internet should be placed on DMZ networks for this reason. A DMZ is designed with the assumption that any DMZ host may be compromised: the DMZ is designed to contain the compromise, and prevent it from extending into internal trusted networks. Any host on a DMZ should be hardened. Hardening should consider attacks from untrusted networks, as well as attacks from compromised DMZ hosts. A "classic" DMZ uses two firewalls, also called a screened subnet dual firewall design. In this design two firewalls screen the DMZ subnet. A single-firewall DMZ uses one firewall. This is sometimes called a "three-legged" DMZ. The single firewall design requires a firewall that can filter traffic on all interfaces: untrusted, trusted, and DMZ. Dual-firewall designs are more complex, but more secure. In the event of compromise due to firewall failure, a dual firewall DMZ requires two firewall failures before the trusted network is exposed. Single firewall design requires one failure.
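The containment property of a DMZ, and the difference in how many firewalls stand between the Internet and the trusted network in the single- and dual-firewall designs, can be checked against a rule table. The following is an added example written for this overview, not the document's own architecture and not any firewall product's configuration syntax: the zone names, the address ranges (RFC 5737 documentation space and a private range) and the rule table are constructed assumptions.

```python
"""Added example (not from the document): a minimal model of the zone policy a
single-firewall "three-legged" DMZ enforces, plus a count of how many firewalls
a flow crosses in the single- and dual-firewall designs. Zones, addresses and
rules are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan for the internal interfaces; everything else is untrusted.
ZONES = {
    "trusted": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(addr):
    """Map an address to its zone; anything outside the internal ranges is untrusted."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Ordered rule table, first match wins; anything unmatched is denied.
RULES = [
    Rule("untrusted", "dmz", "tcp", 443, "allow"),       # public web server
    Rule("untrusted", "dmz", "tcp", 25, "allow"),        # inbound mail relay
    Rule("trusted", "dmz", "tcp", None, "allow"),        # staff administer DMZ hosts
    Rule("trusted", "untrusted", "tcp", None, "allow"),  # outbound access
    Rule("dmz", "trusted", "tcp", None, "deny"),         # containment: DMZ never initiates inward
    Rule("dmz", "untrusted", "tcp", 25, "allow"),        # relay may deliver outbound mail only
]


def decide(src, dst, proto, dport):
    """Evaluate one new connection against the rule table."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"   # same interface: the firewall never sees it
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, proto) \
                and rule.dport in (None, dport):
            return rule.action
    return "deny"        # default deny


def containment_check(compromised_dmz_host="192.0.2.10", internal_host="10.10.5.20"):
    """The DMZ design assumption: a compromised DMZ host that turns inward must
    be blocked on every port it tries."""
    return all(decide(compromised_dmz_host, internal_host, "tcp", p) == "deny"
               for p in (22, 445, 3389, 1433))


def firewalls_crossed(src_zone, dst_zone, design):
    """How many firewalls a flow traverses. In the three-legged design every
    inter-zone flow crosses the single firewall; in the dual-firewall screened
    subnet a flow between untrusted and trusted crosses both, so two failures
    are needed before the trusted network is exposed."""
    if src_zone == dst_zone:
        return 0
    if design == "dual" and {src_zone, dst_zone} == {"untrusted", "trusted"}:
        return 2
    return 1
```

The explicit "dmz to trusted: deny" rule is redundant with the default deny; it is kept so that the containment decision is documented in the table rather than implied by the absence of a rule, which is how a reviewer would want to read a real ruleset.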
14. Intrusion Detection System (IDS)

An important tool in network defense is the Intrusion Detection System (IDS). An IDS utilizes audit records of all activities on a system. An IDS has three basic components: a sensor (agent), an analyzer, and a security interface (also called the director). The sensor collects information and forwards it to the analyzer. The analyzer receives this data and attempts to ascertain if the data constitutes an attack or intrusion. The security interface, which is usually a separate device, displays the output to the security administrator and configures the sensors in the network. There are two basic types of intrusion detection mechanisms: Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS).

Intrusion detection devices attempt to identify any of the following types of intrusions:
 Input Validation Errors
 Buffer Overflow
 Boundary Conditions
 Access Validation Errors
 Exceptional Condition Handling Errors
 Environmental Errors
 Configuration Errors
 Race Conditions

NIDS: Protects an entire network segment and is usually a passive device on the network. Users are unaware of the NIDS's existence unless they learn about it through the general security training sessions. NIDS cannot detect malicious code in encrypted packets, and is cost effective for mass protection. It requires its own sensor for each network segment.

HIDS: Protects a single system. It uses system resources (CPU and memory) from the system and provides application level security. An advantage of HIDS is that it provides day-one security. Intrusion detection is performed after decryption, so it is used on servers and sensitive workstations, but is costly for mass protection.
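The analyzer component just described decides whether sensor data constitutes an attack, and section 14 goes on to describe the two forms that decision takes, signature matching and comparison against a profile of normal activity. The following is an added example written for this overview, not code from the document or from any IDS product: a toy analyzer that applies both forms to constructed connection-log records. Its anomaly feature is the count of half-open connections per source, the SYN flood indicator described in section 12, so it also serves that passage. The record layout, the sample traffic, the baseline numbers and the k=3 threshold are all assumptions.

```python
"""Added example (not the document's code and not any IDS product's API): a
toy analyzer combining signature rules and a profile (anomaly) baseline over
constructed connection records. Layout, samples and thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: float
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int
    flags: str    # client-side TCP flag seen: "S" (SYN) or "A" (handshake ACK); "" otherwise


# Signature rules: a name and a predicate over one record.
SIGNATURES = [
    # ICMP echo aimed at a broadcast address: the Smurf amplification pattern.
    ("icmp-echo-to-broadcast", lambda e: e.proto == "icmp" and e.dst.endswith(".255")),
    # UDP echo (port 7) aimed at a broadcast address: the Fraggle pattern.
    ("udp-echo-to-broadcast", lambda e: e.proto == "udp" and e.dport == 7 and e.dst.endswith(".255")),
]


def signature_alerts(events):
    """Return (timestamp, rule name, source) for every record matching a rule."""
    return [(e.ts, name, e.src) for e in events for name, pred in SIGNATURES if pred(e)]


def half_open_per_source(events):
    """Per source, SYNs sent minus handshake ACKs sent: connections left
    half-formed. A spoofed flood source never completes any of them."""
    syns, acks = Counter(), Counter()
    for e in events:
        if e.proto != "tcp":
            continue
        if e.flags == "S":
            syns[e.src] += 1
        elif e.flags == "A":
            acks[e.src] += 1
    return {src: syns[src] - acks[src] for src in syns}


def build_profile(baseline_counts):
    """Profile = mean and spread of per-source half-open counts seen during normal operation."""
    return {"mean": mean(baseline_counts), "std": pstdev(baseline_counts)}


def anomaly_alerts(events, profile, k=3.0):
    """Flag sources whose half-open count lies more than k standard deviations
    above the profile mean. The text's caveat applies: when normal traffic
    shifts, the profile must be rebuilt or legitimate sources will alarm."""
    threshold = profile["mean"] + k * profile["std"]
    return sorted(src for src, n in half_open_per_source(events).items() if n > threshold)


def analyze(events, profile):
    return {"signature": signature_alerts(events), "anomaly": anomaly_alerts(events, profile)}


# Constructed baseline: half-open counts per source observed in normal windows.
NORMAL_BASELINE = [2, 3, 1, 4, 2, 3, 2, 3]


def sample_events():
    """Constructed traffic: one well-behaved client, one spoofed flood source,
    and one broadcast-directed ICMP echo."""
    ev = []
    for i in range(3):   # normal client: each SYN is followed by its ACK
        ev.append(Event(i, "10.10.1.5", "192.0.2.10", "tcp", 443, "S"))
        ev.append(Event(i + 0.1, "10.10.1.5", "192.0.2.10", "tcp", 443, "A"))
    for i in range(40):  # flood source: forty SYNs, no handshake ever completes
        ev.append(Event(10 + i * 0.01, "203.0.113.9", "192.0.2.10", "tcp", 443, "S"))
    ev.append(Event(12.0, "203.0.113.9", "192.0.2.255", "icmp", 0, ""))
    return ev
```

Run over the sample, the signature side reports the broadcast-directed echo by name, while the anomaly side reports only the flood source: its forty half-open connections are far above the baseline mean of 2.5, and the normal client, whose handshakes all complete, scores zero.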
The two forms of Intrusion Detection:

Profile-based Intrusion Detection (also known as anomaly detection): In profile-based detection, an alarm is generated when activity on the network goes outside of the profile. A profile is a baseline of what should be considered normal traffic for each system running on the network. A problem exists because most systems do not follow a consistent profile. What is normal today might not be normal tomorrow.

Signature-based Intrusion Detection: In signature-based detection, a signature or set of rules is used to determine intrusion activity. An alarm is generated when a specific pattern of traffic is matched or a signature is triggered. Typical responses to an attack include the following:
 Terminating the session (TCP resets)
 Blocking offending traffic (usually implemented with Access Control Lists - ACLs)
 Creating session log files
 Dropping the packet

IDS Examples: [14]

Tripwire scans files and directories on Unix systems to create a snapshot record of their size, date, and signature hash. If you suspect an intrusion in the future, Tripwire will rescan your server and report any changed files by comparing the file signatures to the stored records. Tripwire was an open-source project of Purdue University, but it continues development as a licensed package of Tripwire Security Systems ( ).

Snort ( ) is an open-source intrusion detection system that relies upon raw packet capture (sniffing) and attack signature scanning to detect an extremely wide array of attacks. Snort is widely considered to be the best available intrusion detection system because of the enormous body of attack signatures that the open source community has created for it. The fact that it's free and cross platform pretty much ensures that the commercial IDSs won't develop much beyond where they are now. Snort was originally developed for Unix and has been ported to Windows.

Demarc PureSecure ( ) is a best-of-breed network monitoring and intrusion detection system descended from Snort. PureSecure is a commercial product that uses Snort as its intrusion detector, but it adds typical network monitoring functions like CPU, network, memory, disk load, ping testing, and service monitoring to the sensors that run on every host. Demarc creates a web-based client/server architecture where the sensor clients report back to the central Demarc server, which runs the reporting website. By pointing your web browser at the Demarc server, you get an overview of the health of your network in one shot. Demarc can be configured to alert on all types of events, so keeping track of your network becomes quite easy. Demarc's price is $1,500 for the monitoring software, plus $100 per sensor.

Network Flight Recorder (NFR, ) was one of the first inspector based intrusion detection systems on the market and was originally offered as a network appliance. Now available as both software and network appliances, NFR has evolved into a commercial product very similar to Snort in its capabilities. However, since it is a commercial product, NFR can consult with you directly to analyze intrusion attempts, to train your staff, and to provide product support for its products.

15. Electronic Mail Security:

E-mail access was one of the first protocols defined under the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. The two main mail protocols are Post Office Protocol 3 and Simple Mail Transfer Protocol.

Post Office Protocol 3 (POP3) is a lightweight e-mail client protocol using TCP port 110, used to receive e-mail from a server.

Simple Mail Transfer Protocol (SMTP) is an effective mail transfer protocol, but not very secure. SMTP uses port 25 and is used to send e-mail from client to server and for server to server forwarding.
  30. 30. SMTP protocol defines the mechanism a sender uses to connect to, request, and send e-mail tothe server. SMTP was an effective protocol, but is riddled with security holes. SMTP can beidentified as using TCP port 25 on the network. SMTP takes up a lot of overhead. The PostOffice Protocol version 3 (POP3) was created as a means of reducing the required overhead for asingle workstation. POP3 is intended to permit a workstation to dynamically access a mail-dropon a server host. SMTP is used to send e-mail from an e-mail client to an e-mail server and POP3is used to receive e-mail from the e-mail server to the e-mail client. POP3 can be identified asusing TCP port 110 on the network.When e-mail first came into existence, e-mail messages were meant to be pure text onlymessages. As the Internet started to grow, graphic files, audio files, Hypertext Transport Protocol(HTTP), were a part of mail. The Multipurpose Internet Mail Extensions (MIME) protocol wasdeveloped to handle these. MIME allows a one-time modification to e-mail reading programsthat would enable the program to display a wide variety of messages types. This e-mail extensionallows you to view dynamic multitype email messages that include color, sound, animations, andmoving graphics. The drawback of MIME is that it also lacks adequate security. E-mail was stillsubject to the same old hacks, such as sniffing and replay. Secure MIME (S/MIME) was createdto enable a more secure MIME.S/MIME provides cryptographic security services for electronic messaging applications byproviding authentication, message integrity, non-repudiation of origin (using digital signatures),and privacy and data security (using encryption). Using S/MIME is the preferred way of securinge-mail as it traverses the Internet.Public Encryption of E-Mail messages - PGPPGP uses a public key cryptosystem. In this method, each party creates an RSA public/privatekey pair. 
One of these keys is kept private (the private key) and the other is given out to anyone on the public Internet (the public key). What the public key encrypts, only its partner private key can decrypt; conversely, a signature made with the private key can be verified by anyone holding the public key.
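The S/MIME and PGP services above come down to three operations on each message: a digital signature made with the sender's private key (authentication, integrity, non-repudiation), encryption of the message body under a random one-time session key, and encryption of that session key with the recipient's public key so that only the holder of the matching private key can recover it. The following is an added example in Go, written for this page and not code from the original paper or from any PGP or S/MIME implementation; it uses only Go's standard library (RSA-OAEP for key wrapping, RSA-PSS for signing, AES-GCM for the body, and zlib for the compression step PGP applies first) with constructed key pairs and a constructed message, and it shows what the recipient sees when the wrong private key is used or the message is forged.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is the PGP-style package that travels with the mail.
type Envelope struct {
	WrappedKey []byte // one-time session key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce for Body
	Body       []byte // zlib(plaintext) encrypted under the session key
	Signature  []byte // RSA-PSS signature by the sender over SHA-256(plaintext)
}

// newKey generates a 2048-bit RSA key pair (panics on failure, for brevity).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

func compress(p []byte) ([]byte, error) {
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	if _, err := w.Write(p); err != nil { return nil, err }
	if err := w.Close(); err != nil { return nil, err } // Close flushes the final block
	return buf.Bytes(), nil
}

func decompress(c []byte) ([]byte, error) {
	r, err := zlib.NewReader(bytes.NewReader(c))
	if err != nil { return nil, err }
	defer r.Close()
	return io.ReadAll(r)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal is the sender side: sign the plaintext, compress it, encrypt it under a fresh
// session key, and RSA-wrap only that short key (this is what makes the scheme "hybrid").
func Seal(plain []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(plain)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	comp, err := compress(plain)
	if err != nil { return nil, err }
	sessionKey := make([]byte, 32) // AES-256 key, used for this one message only
	if _, err := rand.Read(sessionKey); err != nil { return nil, err }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil { return nil, err }
	body := gcm.Seal(nil, nonce, comp, nil)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: body, Signature: sig}, nil
}

// Open is the recipient side: unwrap the session key with the recipient's private key,
// decrypt and decompress the body, then verify the sender's signature. Any failure returns no plaintext.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil { return nil, fmt.Errorf("cannot unwrap session key: not the intended recipient") }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	comp, err := gcm.Open(nil, env.Nonce, env.Body, nil)
	if err != nil { return nil, fmt.Errorf("body was tampered with or the session key is wrong") }
	plain, err := decompress(comp)
	if err != nil { return nil, err }
	digest := sha256.Sum256(plain)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify: sender is not authentic")
	}
	return plain, nil
}

func main() {
	alice, bob, mallory := newKey(), newKey(), newKey() // constructed key pairs
	msg := []byte("Constructed sample message: Q2 payroll figures attached.")
	env, err := Seal(msg, alice, &bob.PublicKey)
	if err != nil { panic(err) }
	out, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads %q (err=%v)\n", out, err)
	_, err = Open(env, mallory, &alice.PublicKey) // wrong private key
	fmt.Println("mallory as recipient:", err)
	_, err = Open(env, bob, &mallory.PublicKey) // claimed sender never signed it
	fmt.Println("forged sender:", err)
}
```

Run it as an ordinary Go program; the three printed lines show a successful read by the intended recipient followed by the two rejections. The design point worth keeping is that Open returns no plaintext unless both the decryption and the signature check succeed, so a forged or modified message is never presented to the user as if it were genuine. In a real deployment the public keys are obtained out of band (key servers, certificates) and the private keys never leave their owners.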
This means that if user X obtains user Y's public key and encrypts a message to user Y with it, the only person who can decrypt the message is user Y, who holds the corresponding private key. PGP is a hybrid cryptosystem: the message itself is encrypted with a fast symmetric cipher under a random one-time session key, and only that session key is encrypted with the recipient's public key, because public-key encryption is far too slow to apply to an entire message. Before encryption the e-mail data is first compressed. Compression not only makes the message smaller, it also removes much of the redundancy of the plaintext, which reduces the patterns that some cryptanalysis techniques look for (the security itself, of course, rests on the cipher and on keeping the private key private). PGP thus provides confidentiality, data integrity and sender authenticity, the last two by way of a digital signature made with the sender's private key.

Secure Web-based mail: For a small business, using a free hosted mail service has some advantages. Yahoo, for example, has teamed with Zixit Corporation, a company that enables secure, certified e-mail to any recipient.

16. Disaster Recovery

Closely related to Business Continuity Planning (BCP), the Disaster Recovery Plan (DRP) is the tactical realization of the BCP. The DRP is the operational plan and is a requirement for any corporation that intends to remain in business after a natural or man-made disaster. In this section we discuss the backup and restore plan and strategies for business continuity. First, the types of events that might occur: sabotage, arson, bombings, major security incidents, fire, flood, earthquakes, storms, loss of electrical power, communication system outages, strikes (labor unrest), and unavailability of key employees.

The planning committee (DRP team), made up of management and technical experts from each area of the company, meets at regular intervals. This team holds a yearly disaster recovery exercise and participates in periodic probes and assessments of the company's security practices and technologies.

The general process of disaster recovery involves responding to the disruption; activation of the recovery team; ongoing tactical communication of the status of the disaster and its associated
recovery; further assessment of the damage caused by the disruptive event; and recovery of critical assets and processes in a manner consistent with the extent of the disaster.

Respond: First there must be an initial response that begins the process of assessing the damage. Speed is essential during this initial assessment; there will be time later to assess the full scope of the disaster more thoroughly. The initial assessment determines whether the event in question constitutes a disaster and whether an alternate data center may be required. If there is any doubt that an alternate facility will be necessary, the sooner this can be communicated, the better for the recoverability of the systems. The initial response team should also assess the facility's safety for continued personnel use, or seek the counsel of those suitably trained for safety assessments of this nature.

Activate Team: If a disaster is declared during the initial response to a disruptive event, the team responsible for recovery is activated.

Communicate: One of the most difficult aspects of disaster recovery is ensuring that consistent, timely status updates are communicated back to the central team managing the response and recovery process. In addition to internal communication about the recovery activities, the organization must be prepared to provide external communications, which involves sharing details of the organization's recovery status with the public.

Assess: Though an initial assessment was carried out during the initial response, a more detailed and thorough assessment is done by the disaster recovery team.
The team determines the steps necessary to ensure the organization's ability to meet its mission within its Maximum Tolerable Downtime (MTD).

Reconstitution: The goal of the reconstitution phase is to recover critical business operations, either at the primary site or at a secondary (recovery) site. If an alternate site is used, adequate safety and security controls must be in place there in order to maintain security continuity. In addition to the recovery team's efforts to reconstitute critical business functions at the alternate location, a salvage team is employed to begin the recovery process at the primary facility that experienced the disaster.

One key to data recovery and business continuity is the data backup process. Holding data backups at safe locations, off-site and out of reach of the same disaster, is a major requirement, and backups must be proven restorable by actually restoring them. Another aspect of DRP becoming more
prevalent is an arrangement in which two companies agree to be the "backup" facility for each other. This can work where the industries are similar and each company sets aside an area for the business continuity of the other. It may not work for direct competitors; however, the cost benefit of these plans is such that cooperation among rivals is actually becoming cost effective (see reciprocal agreements, below).

The alternate or secondary (recovery) site:

A redundant site is an exact production duplicate of a system that can seamlessly take over all necessary IT operations without loss of service to the end user. A redundant site receives data in real time, so that in the event of a disaster the users of the system lose no data. It is a building configured exactly like the primary site and is the most expensive recovery option, because it effectively more than doubles the cost of IT operations. To be fully redundant, a site must have real-time data replication from the production system, and the end user should notice no difference in IT services or operations in the event of a disruptive event.

A hot site is a location to which an organization may relocate, with some delay, following a major disruption or disaster. It could be a datacenter with a raised floor, power, utilities, computer peripherals and fully configured computers. The hot site has all necessary hardware, and critical application data is mirrored to it in real time. A hot site allows the organization to resume critical operations within a very short period of time (hours). Hot sites can quickly recover critical IT functionality; the difference from a redundant site is that a redundant site appears to the end user to be operating normally no matter what state the IT operation is in.
A hot site has all the same physical, technical and administrative controls implemented as the production site.

A warm site has readily accessible hardware and connectivity, but it relies on backup data to reconstitute a system after a disruption. It may have a datacenter with a raised floor, power, utilities, computer peripherals and fully configured computers. Because of the extensive costs involved in maintaining a hot or redundant site, many organizations elect to use a warm site recovery solution. These organizations will have to be able to withstand
a Maximum Tolerable Downtime (MTD) of at least 1-3 days in order to consider a warm site solution. The longer the MTD, the less expensive the recovery solution can be.

A cold site is the least expensive recovery solution to implement. It does not include backup copies of data, nor does it contain any immediately available hardware. After a disruptive event, a cold site takes the longest of all recovery solutions to bring up and restore critical IT services for the organization. It could take weeks to get vendor hardware shipments in place, so organizations using a cold site recovery solution must be able to withstand a significantly long MTD. A cold site is typically a datacenter with a raised floor, power, utilities and physical security, but not much beyond that.

Reciprocal agreements are bi-directional agreements between two organizations in which each promises the other that it can move in and share space if it experiences a disaster. The agreement is documented as a contract written to secure support from the outside organization in the event of a disaster. They are also referred to as Mutual Aid Agreements (MAAs) and are structured so that each organization will assist the other in an emergency.

For each of these scenarios, frequent testing against a simulated disaster, including the associated recovery, is absolutely essential.

In this paper we have given a brief overview of some aspects of corporate security. We touched on physical security, network security, identity management and disaster recovery. There is no one correct way to maintain a secure operation. The emphasis should be on cost-appropriate measures rather than the latest technological gimmick, and on plenty of training to keep employees aware of the threats and risks. There should be a minimum of disruption to employees and their normal operations.
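The disaster recovery section above makes two demands of the backup process: backups must be held somewhere the disaster cannot reach, and recovery must be tested rather than assumed. A restore test needs a yardstick, and the usual one is a manifest of content hashes taken at backup time and stored apart from the data. The following is an added example in Go, written for this page and not code from the original paper; it builds such a manifest with SHA-256, then checks a restored directory tree against it and reports files that are missing, altered, or present without ever having been backed up. The file paths and contents are constructed sample data, and RunRestoreTest, which stages them in a temporary directory, is a convenience for the demonstration rather than anything the paper describes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// Manifest maps each file path (relative to the backup root, slash-separated) to the
// SHA-256 of its contents. Store it apart from the data, e.g. with the off-site copy.
type Manifest map[string]string

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil { return "", err }
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil { return "", err }
	return hex.EncodeToString(h.Sum(nil)), nil
}

// BuildManifest walks root and hashes every regular file beneath it.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() { return err }
		rel, err := filepath.Rel(root, p)
		if err != nil { return err }
		sum, err := hashFile(p)
		if err != nil { return err }
		m[filepath.ToSlash(rel)] = sum
		return nil
	})
	return m, err
}

// Report is the outcome of checking a restored tree against the manifest.
type Report struct {
	Missing  []string // in the manifest but absent from the restore
	Modified []string // present but contents differ (corruption or tampering)
	Extra    []string // present in the restore but never backed up
}

func (r Report) OK() bool { return len(r.Missing)+len(r.Modified)+len(r.Extra) == 0 }

// VerifyRestore compares the restored tree with the manifest taken at backup time.
func VerifyRestore(expected Manifest, restoredRoot string) (Report, error) {
	actual, err := BuildManifest(restoredRoot)
	if err != nil { return Report{}, err }
	var r Report
	for p, want := range expected {
		if got, ok := actual[p]; !ok {
			r.Missing = append(r.Missing, p)
		} else if got != want {
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range actual {
		if _, ok := expected[p]; !ok { r.Extra = append(r.Extra, p) }
	}
	return r, nil
}

// writeTree creates files under root from a path -> contents map (sample data only).
func writeTree(root string, files map[string]string) error {
	for name, body := range files {
		p := filepath.Join(root, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil { return err }
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil { return err }
	}
	return nil
}

// Constructed sample data: the production file set, and what came back from a restore
// in which one file was corrupted, one was never restored, and one was never backed up.
var (
	primaryFiles  = map[string]string{"hr/payroll.csv": "id,name\n1,alice\n", "eng/design.txt": "rev 7", "eng/spec.txt": "spec"}
	restoredFiles = map[string]string{"hr/payroll.csv": "id,name\n1,alice\n", "eng/design.txt": "rev 7 (trunc", "eng/notes.txt": "stray"}
)

// RunRestoreTest stages both trees in a temporary directory, builds the manifest
// from the primary, and verifies the restore against it.
func RunRestoreTest(primary, restored map[string]string) (Report, error) {
	root, err := os.MkdirTemp("", "drtest")
	if err != nil { return Report{}, err }
	defer os.RemoveAll(root)
	src, dst := filepath.Join(root, "primary"), filepath.Join(root, "restore")
	if err := writeTree(src, primary); err != nil { return Report{}, err }
	if err := writeTree(dst, restored); err != nil { return Report{}, err }
	manifest, err := BuildManifest(src) // taken at backup time, kept off-site
	if err != nil { return Report{}, err }
	return VerifyRestore(manifest, dst)
}

func main() {
	r, err := RunRestoreTest(primaryFiles, restoredFiles)
	if err != nil { panic(err) }
	fmt.Printf("restore ok=%v missing=%v modified=%v extra=%v\n", r.OK(), r.Missing, r.Modified, r.Extra)
}
```

In a real exercise the manifest is built on the primary before the backup job runs and the verification runs on the recovery site after the restore. An Extra entry deserves as much attention as a Missing one: a restored image should contain nothing the backup did not, and unexpected files are one way a compromised backup medium shows itself.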
APPENDIX I

Security Policy (Overview)

1.1 Goal: Secure and maintain company integrity, assets and personnel with minimum disruption to core operations.

Updates: The security department will facilitate semi-annual meetings to update this policy. Feedback will be solicited from each department.

Manufacturing Facilities:

2.0 Network assets (listed)
2.1 Human Resources
2.2 Research and Development
2.3 Engineering
2.4 Corporate Management

3.0 Roles:

Each role is defined by: task definitions and detail, education and training requirements, certification requirements, particular compliance requirements (fire safety, OSHA, HIPAA, Sarbanes-Oxley, etc.), and pay and benefits scale, all maintained by the HR department.

Security Levels: Each role implies at least two security levels, (Role - A) and (Role - B). The "A" level is used for an employee who has completed the six-month evaluation period required for the role. The role definition for each department specifies which functions a "B" level employee may complete alone and which must be completed under the oversight of an "A" level employee in the same role, for example creating or deleting corporate folders for data storage, or creating, moving or modifying corporate data. The actual role detail is developed by the management of the particular department and maintained by the Human Resources department. Corporate management develops the Management level I and Management level II roles. See Appendix III for a matrix of roles.

4.0 Security Breach:
The list of information assets that require protection, and the level of protection for each, is negotiated between the department heads and the Security department after the risk analysis has been completed by the management team with the facilitation of the Security department. A security breach may or may not involve the actual release of information. Logs from each security measure are one of several sources of discovery used to identify a security breach. In the event of a security breach, specific actions are to be taken, and these differ for each type of breach. Details are enumerated in the Security Policy. For example, if a breach of Personally Identifiable Information (PII) occurs, the response team completes a specific process. PII refers to information that can be used to distinguish or trace an individual's identity, e.g. name, social security number, date and place of birth, etc. The process, in brief, is:

1) Notify Security and your department manager.
2) Complete a report containing:
   a. Date of incident
   b. Number of individuals impacted
   c. Their status: government / military / civilian
   d. Description of the incident, including the circumstances of the breach, the type of information lost or compromised, and whether the PII was encrypted or password protected.
3) The Security department completes the process with the corporate Legal team, depending on the actual incident. State laws differ on notifications; therefore the actual response may differ depending on where the incident occurred.

The process for a HIPAA information breach is somewhat different and is spelled out in the policy as well.
APPENDIX II

Vulnerability Assessment

The table below shows the results of an assessment that may be completed by an outside consulting firm. It should be repeated periodically as improvements are made. This type of security audit or assessment is often required by government contracts. It is presented for illustration only; an actual list would depend on the particular network and implementation being assessed.

Risk Assessment

Finding: Server located in unlocked room.
  Vulnerability: Physical access by unauthorized persons.
  Business impact analysis: Potential loss of CIA for the e-mail system through physical attack on the system.
  Mitigation: Install hardware locks with a PIN alarm system (risk is reduced to an acceptable level).

Finding: Software is out of date.
  Vulnerability: This version is insecure and has reached end of life from the vendor.
  Business impact analysis: Loss of CIA for the e-mail system through cyber attack.
  Mitigation: Update system software (risk from the known vulnerabilities is eliminated; the update must be repeated as new versions ship).

Finding: Firewall weak or not properly implemented. Need DMZ protection due to network architecture and risk of intrusion.
  Vulnerability: Exposure to the Internet without a firewall increases the cyber threat.
  Business impact analysis: Loss of critical data possible. Potential catastrophic impact.
  Mitigation: Move the e-mail server into a managed hosting site (risk is transferred to the hosting organization). Conduct penetration testing and resolve network breaches through improved network / firewall design and implementation.

CIA = Confidentiality, Integrity, or Availability