Organizations are facing various types of threats. Threats can come from inside your organization, from outside it, or from both. This article focuses on monitoring informational resources against all types of threats to your critical functions supported by computer equipment such as servers, desktops, switches, routers, firewalls, etc.
Monitoring your organization against threats
Critical System Control
Security and Compliance: Monitoring, controlling, and changes
Montreal, April 24, 2014
By Marc-Andre Heroux
CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM
Compliance & Security Advisor
All organizations are facing various types of threats. Threats can come from inside your organization, from outside it, or from both. This article focuses on monitoring informational resources against all types of threats to your critical functions supported by electronic assets such as servers, desktops, switches, routers, firewalls, etc.

Today, some people think that keeping a system or its state hidden makes the system more secure. Probably because of my own experience and knowledge of cyber security, I see things a little differently from many other experts. Over the last 17 years, I have implemented and conducted security assessments against many types of critical systems, often connected to the Internet.

Critical public systems such as DNS, Web, Mail and VPN, using various types of authentication mechanisms such as saslauthd, OAuth2 or SAML against Oracle, MySQL or MS-SQL, and relying on technologies such as secure LDAP or SSL, can be easily discovered by attackers.
Why monitor for potential threats?
Simple: organizations are becoming more and more interconnected, and treating obscurity as a security control is, to me, like ignoring the new reality of interconnected networks and the risks surrounding the Internet.

As a security specialist I share the same approach as Kerckhoffs's principle[i], also formulated by Claude Shannon as "the enemy knows the system" and widely used by cryptographers as opposed to security by obscurity: "a critical system can be known and be secure".

For a critical system connected to the Internet, I recommend keeping it up to date (ex.: latest kernels, modules, etc.), continuously monitoring it against threats and abnormal activities, and correcting issues when they are detected through the implementation or correction of physical, operational, administrative or technical controls. I also recommend using application controls such as whitelisting and implementing an IPS (if the data flows are critical, IDS mode is usually preferable).

For a critical system not connected to the Internet, or not connected to any network (no access in, no access out), my recommendations are different and vary according to many elements. This article explains the basic elements you may have to consider to choose the proper controls.
Lock and monitor
Most knowledgeable security specialists agree and understand that we "monitor" traffic for critical activities such as bank transactions, Programmable Logic Controllers (PLC) and critical computers used by industrial organizations (e.g.: energy) with an IDS, and that we do not use an IPS. It is the same situation with anti-malware technical controls on very critical isolated systems: it is often preferable to keep the system state unchanged and operationally functional, and to receive an alert regarding a potentially suspicious activity or an alarm when abnormal activity is detected, as opposed to blocking a system's execution. Blocking valid activity could potentially generate a negative business impact, while the control is supposed to protect the business. This is one of the main reasons why some very critical and isolated systems are simply not running anti-malware, an IPS or other specific technical controls against threats, and rely instead on strict procedures and acceptable practices.
We must remember that subnets must be segregated and, if necessary, multi-level DMZs must be implemented; virtual routing and forwarding (VRF) as well as 802.1Q tunneling must be used carefully. Conducting a risk assessment, including a risk analysis and a business impact assessment, allows the organization to establish the proper orientation and select the proper controls. Such experts understand when it is preferable to use an IPS (often against Internet threats in TCP segments, and never against frames of internal networks (e.g.: Ethernet II) when critical systems are involved). This applies to all organizations conducting critical activities such as banks, energy, industrial, etc.
Monitoring traffic is crucial and is often mandatory (e.g.: NERC[ii]). Filtering and blocking malicious traffic is often optional, but I usually suggest an IPS to detect and block threats in incoming/outgoing traffic at the boundaries of critical perimeters (e.g.: Internet to Intranet, Intranet to critical perimeter gateways), but never inside electronic security perimeters (ESP), where blocking valid traffic could lead to various operational disaster scenarios. Real-time monitoring of firewalls and other security sensors is required to rapidly detect and initiate response to cyber incidents.[iii]
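The boundary-versus-ESP rule above, as an added example that is not part of the article: a small Python policy that blocks a flagged flow only when it crosses a perimeter boundary and only alerts when either end of the flow sits in the ESP. The zone address ranges, the (protocol, port) "signature" set and the sample flows are assumptions constructed for illustration.

```python
# Added example, not from the article: a minimal response policy that blocks
# only at the boundaries of critical perimeters and only alerts inside an
# electronic security perimeter (ESP). Zones, signatures and flows are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map; "internet" is the catch-all and is checked last.
ZONES = {
    "esp":      [ip_network("192.168.100.0/24")],   # isolated control network
    "intranet": [ip_network("10.0.0.0/8")],
    "internet": [ip_network("0.0.0.0/0")],
}

# Constructed stand-in for IDS/IPS signatures: (protocol, destination port).
MALICIOUS = {("tcp", 4444), ("tcp", 23)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, nets in ZONES.items():          # most specific zone first
        if any(ip in net for net in nets):
            return name
    return "internet"

def decide(flow: Flow) -> str:
    """Return 'allow', 'alert' or 'block' for one flow."""
    if (flow.proto, flow.dport) not in MALICIOUS:
        return "allow"
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # Anything touching the ESP is only monitored: blocking valid control
    # traffic could halt an operational process (IDS mode, never IPS).
    if "esp" in (src_zone, dst_zone):
        return "alert"
    # Crossing a boundary (Internet <-> Intranet) is where an IPS may block.
    if src_zone != dst_zone:
        return "block"
    return "alert"   # same-zone internal traffic: detect, do not block

def triage(flows) -> dict:
    """Count decisions over a batch of flows, e.g. parsed from sensor logs."""
    counts = {"allow": 0, "alert": 0, "block": 0}
    for flow in flows:
        counts[decide(flow)] += 1
    return counts
```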
Security and compliance involve by default: exceptions, justifications and compensatory measures. In all organizations, there are situations where it is considered more secure, with reason, not to apply any changes to a specific system (ex.: an HSM in a bank usually remains unchanged; mainframes and Unix systems are other examples, especially in industrial organizations; in the energy sector, Technical Feasibility Exceptions (TFE) can justify the exemption from running a protective control such as anti-malware, or from applying any update such as a system or firmware update, etc.).
Security paradigm
Although it is usually considered insecure to keep a system unchanged, as previously explained it is sometimes the only way to keep it at an acceptable security posture considering the potential impacts of a loss, especially when systems are isolated and very critical. In those situations, a justification (e.g.: ticket, derogation, statement of applicability, etc.) must be provided in order to document the reasons for the exception and its duration in time.

An organization can be compliant and secure while systems remain unchanged over a long period of time (e.g.: years), and it is important to understand this reality in large corporations conducting critical activities. Not all systems can remain secure while unchanged; systems isolated in restricted networks, or not interconnected to a computer network at all, are the usual valid examples.
This is where compensatory measures are especially important (e.g.: the Stuxnet virus[iv] was able to infect critical systems, particularly because of a lack of procedures surrounding the acceptable use of USB keys). The use of USB keys on critical systems must be strictly controlled and ideally avoided. The use of an infected USB key is very risky: it could lead to disclosure and modification of information and, in some cases, to system dysfunction and disruption. It appears that good practices and appropriate procedures in the management of critical systems allow many organizations to remain safe against technical threats while monitoring for abnormal activities.

[Figure: IDS sensor]
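One compensatory measure that fits the unchanged-system case described above, as an added example that is not part of the article: a file integrity baseline in Python, a simplified form of what a tool such as Tripwire does. The baseline is taken while the system is in its approved state and later runs only report drift; the sample tree that demo() builds is constructed.

```python
# Added example, not from the article: a minimal file integrity baseline of the
# kind a "controlling and monitoring" tool such as Tripwire provides. Digests are
# taken while the system is in its approved state; later runs only report drift
# (added, removed, modified files), they never block. demo()'s tree is constructed.
import hashlib
import tempfile
from pathlib import Path

def digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    rootp = Path(root)
    return {p.relative_to(rootp).as_posix(): digest(p)
            for p in sorted(rootp.rglob("*")) if p.is_file()}

def compare(expected: dict, current: dict) -> dict:
    """Report drift from the approved state; all-empty lists mean no change."""
    return {
        "added":    sorted(set(current) - set(expected)),
        "removed":  sorted(set(expected) - set(current)),
        "modified": sorted(k for k in expected.keys() & current.keys()
                           if expected[k] != current[k]),
    }

def has_drift(report: dict) -> bool:
    return any(report.values())

def demo() -> dict:
    """Build a constructed tree, baseline it, drift it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ctl").write_bytes(b"\x7fELF approved binary")
        (root / "ctl.conf").write_text("mode=run\n")
        approved = baseline(tmp)             # taken while the system is approved
        # Constructed drift: a config edit, an unexpected binary, a lost file.
        (root / "ctl.conf").write_text("mode=debug\n")
        (root / "bin" / "extra").write_bytes(b"unexpected")
        (root / "bin" / "ctl").unlink()
        return compare(approved, baseline(tmp))
```

In practice the baseline is stored off the monitored host and the report feeds the same alerting path as the IDS sensors, so drift on an isolated system raises an alert rather than triggering a change.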
For critical systems, we often suggest applying controls to keep the system unchanged and monitoring it for abnormal behaviours or modifications. As opposed to general security practices suggesting regular system updates, critical systems (ex: industrial, bank) must remain unchanged over a long period and be monitored for abnormal activities or behaviours. This approach, "controlling and monitoring", can be very effective. Technically, the most challenging aspects of controlling and monitoring activities are selecting the proper controls (e.g.: McAfee Application Control, Tripwire, etc.), the IDS location (e.g.: boundaries of perimeters) to which the sensors send captured logs, the sensors' placement and the type of traffic to monitor (e.g.: UDP, TCP, Ethernet II). Remember, monitoring local traffic is necessary to be able to detect layer 2 threats (e.g.: MAC address attacks).

As already mentioned, in certain circumstances, especially for critical electronic assets, a machine can remain out of date (kernel, modules, etc.), and this can be justified and considered acceptable and secure based on the threats and vulnerabilities assessed.

It is important to remember that this concept is applicable to all organizations. Updating a system is not necessarily the option to consider at one moment, while at another moment change is the only acceptable way to remain secure.

Finally, while often mandatory, monitoring against threats is a crucial security activity from which all organizations can benefit.

Notes
[i] David Salomon, "Kerckhoffs's principle", Data Privacy and Security: Encryption and Information Hiding, 2003, ISBN 0-387-00311-8, P. 15,435.
[ii] North American Electric Reliability Corporation (NERC), CIP-005-4 R3, Monitoring Electronic Access.
[iii] Keith Stouffer, Joe Falco, Karen Scarfone, National Institute of Standards and Technology, Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, P. 5-3.
[iv] Katherine Hibbs Pherson, Randolph H. Pherson, "Part V: Case Studies", Critical Thinking for Strategic Intelligence, 2013, 1st ed., ISBN 978-1452226675, P. 240.