The Definitive Guide to Service-Oriented Systems Management

Jan 17, 2015

Dan Sullivan

Chapter 9: Supporting Security with Systems Management .......................................................181

Network Security .........................................................................................................................182

Host Security................................................................................................................................183

Personal Firewalls............................................................................................................183

Anti-Malware...................................................................................................................184

Viruses and Worms..............................................................................................184

Keyloggers and Video Frame Grabbers...............................................................185

Trojan Horses.......................................................................................................186

Remote Control and Botnets................................................................................186

Hiding Malware with Rootkits ............................................................................186

Managing Security Vulnerabilities ..............................................................................................188

Configuration and Patch Management.........................................................................................189

Configuration Management .............................................................................................189

Patch Management...........................................................................................................189

Controlling Access.......................................................................................................................190

Identity Management, Authentication, and Authorization ..............................................190

File and Disk Encryption .................................................................................................191

VPNs and Secure Remote Access....................................................................................192

Security Information Management ..............................................................................................192

Security Policies...............................................................................................................193

Compliance ......................................................................................................................194

Security Management and Asset Management................................................................194

Hardware and Software Asset Management........................................................195

Information Classification ...................................................................................196

Security Auditing and Monitoring ...............................................................................................197

Audit Controls..................................................................................................................197

Security Monitoring .........................................................................................................198

Security Management and Risk Assessment ...................................................................198

Security Management and Business Continuity Management ........................................199

Incident Response ........................................................................................................................200

Incident Response Procedures .........................................................................................200

Summary ......................................................................................................................................201


Copyright Statement

© 2007 Realtimepublishers.com, Inc. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtimepublishers.com, Inc. (the “Materials”) and this site and any such Materials are protected by international copyright and trademark laws.

THE MATERIALS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtimepublishers.com, Inc or its web site sponsors. In no event shall Realtimepublishers.com, Inc. or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials.

The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, non-commercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice.

The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties.

Realtimepublishers.com and the Realtimepublishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.

If you have any questions about these terms, or if you would like information about licensing materials from Realtimepublishers.com, please contact us via e-mail at [email protected].


Chapter 9: Supporting Security with Systems Management

The security and systems management functions of an organization go hand in hand. Security professionals depend on the services and infrastructure maintained by application, server, and network administrators. Countermeasures such as firewalls, content filters, and anti-malware must be deployed, maintained, monitored, and integrated and these tasks fall into the domain of network and systems management. At the same time, systems managers have a wide array of responsibilities and they require a secure foundation upon which to do their work. We cannot expect application administrators to maintain a mission-critical application while the server is subject to Denial of Service (DoS) attacks or client devices are riddled with spyware and malware. There is much overlap between security and systems management, and this chapter will focus on how systems managers can support and help to improve the overall security of the IT infrastructure.

Information security is a broad and challenging field. Several frameworks and organizing structures have been proposed. The ISO-17799 standard is popular among security professionals because it addresses the field from their perspective. Another approach, taken by the SANS Institute, is to think in terms of layered walls and defense in depth. This model is probably more similar to the architecture models and infrastructure designs used by systems management. Although the topics addressed in this chapter span both the ISO-17799 standard and the SANS model, the SANS model will serve as the organizing principle.

The key areas of information security as it relates to system management are:

• Network security

• Host security

• Vulnerability management

• Authorized user support

• Security management

Some areas, such as network security, have dedicated administrators and engineers who specialize in both managing and securing network assets. The other areas are more likely to require the support of systems and application administrators and warrant the most attention in this chapter. However, for completeness, we will examine all the areas.


Network Security

Network security requires many security measures around the network perimeter. For example, common network security devices include:

• Firewalls

• Intrusion detection/prevention systems

• Content filters

• Network access controls

• Messaging boundary gateways

All these are primarily security devices, but they are still information assets that require management. Furthermore, these devices are becoming more complex and that implies more demanding management. Take, for example, the most basic of network security devices, the firewall.

Firewalls segment networks and control the type of traffic that can pass between segments. For example, HTTP traffic may be allowed from devices outside of the organization’s network but FTP traffic is not. Firewalls are a first line of defense but are limited by the amount of information they analyze. For example, packet filtering firewalls examine only packet header information, whereas proxy firewalls examine information within the packet. Application firewalls are increasing in popularity because they can filter traffic based on the needs and vulnerabilities of a particular application.

For network administrators, the increasing complexity of firewalls and other network security devices will bring with it greater demand for mature systems management practices. Whereas in the past one or two packet-filtering firewalls might have protected a network, today several more complex firewalls may also sit within the internal segments. These must be administered, patched, and maintained, and that means they must fall under systems management operations.

The following activities can generally be expected of network administration and systems administration groups when supporting network security:

• Assisting with the procurement of network security devices

• Installing and configuring those devices

• Monitoring basic functionality

• Generating alerts and logging events, such as a device going offline

• Maintaining asset information in a configuration management database

• Applying patches

• Assisting with vulnerability assessments

• Participating in risk analysis operations related to network security

Of course, network administrators and systems administrators each have distinct areas of focus; to maintain and improve security, they should also understand the architectures and processes that constitute their colleagues’ domains.

As you move further from the perimeter and away from specialized security devices, the roles of systems administrators as security professionals increase. This is certainly true of host security operations.


Host Security

Host security measures maintain the integrity, confidentiality, and availability of information and services provided by servers and client devices. System attacks are those targeted to particular applications or hosts. The purpose of such attacks may be to disrupt services or steal information. As the economic motives behind attacks have grown to dominate the reasons for serious attacks, we are likely to see more attacks targeted to specific applications and hosts.

Attacks may include:

• DoS attacks attempting to disrupt the operations of an organization

• Database breaches attempting to steal private but profitable customer information

• Application-specific attacks, such as attacks on enterprise management systems that contain sensitive and confidential information about an organization’s operations

System attacks are often not ends in themselves but rather a means to an end—information and resource theft. In spite of the range of functions hosts serve, a number of security measures are common to all, including:

• Personal firewalls

• Anti-malware

These are some of the most common elements of security support within the practice of systems management.

Personal Firewalls

Personal firewalls serve the same purpose as network firewalls but the function is localized to a single host. The personal firewall controls traffic into and out of a device. Controlling inbound traffic on a host is a basic perimeter type defense with obvious benefits.

Outbound traffic can also be blocked. This can reduce the impact of a compromised device, which might, for example, be part of a spam-generating botnet. The malware infecting the device may generate spam but the personal firewall can block the transmission of the unwanted email.

The challenge for managing personal firewalls is the number of devices that must be deployed and the varying requirements. Consider some examples:

• A Web server will require traffic on HTTP, HTTPS, and related ports

• A database server will require inbound and outbound traffic on ports dedicated to the database listener

• A salesperson’s notebook should have email (SMTP) traffic blocked

• All hosts may, by default, require FTP ports blocked

Determining the proper configuration of a personal firewall is the responsibility of security staff. Once the configuration is defined, though, ensuring that the proper configuration is in place and the software is up to date and activated on the device is the responsibility of systems administrators. One of the areas in which the systems management and security staff will have shared responsibilities is in managing anti-malware systems.
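As an added illustration (not code from the guide), the following Python models the per-role firewall expectations listed above and checks each host’s actual rule set, software version, and enabled state against them, which is the verification task the section assigns to systems administrators. The role names, port numbers, and host inventory are constructed assumptions.

```python
"""Role-based personal firewall compliance check.

Added example, not code from the guide. Roles, port numbers, and the
inventory below are constructed assumptions drawn from the chapter's
examples: a Web server needs HTTP/HTTPS, a database server needs its
listener port, a salesperson's notebook has SMTP blocked, and FTP is
blocked on every host by default.
"""
from dataclasses import dataclass, field

FTP_PORTS = {20, 21}
SMTP_PORT = 25

# Allow lists defined by security staff per role; anything not listed
# is expected to be blocked, so FTP and SMTP are blocked by omission.
ROLE_POLICY = {
    "web-server": {"inbound": {80, 443}, "outbound": {443}},
    "database-server": {"inbound": {1433}, "outbound": {1433}},  # assumed listener port
    "sales-notebook": {"inbound": set(), "outbound": {80, 443}},
}


@dataclass
class HostFirewall:
    name: str
    role: str
    enabled: bool
    software_version: str
    inbound_allowed: set = field(default_factory=set)
    outbound_allowed: set = field(default_factory=set)


def check_host(host, baseline_version, policy=ROLE_POLICY):
    """Return a list of findings for one host; an empty list means compliant."""
    findings = []
    if not host.enabled:
        findings.append("firewall disabled")
    if host.software_version != baseline_version:
        findings.append(f"firewall software {host.software_version} below baseline {baseline_version}")
    expected = policy[host.role]
    for direction in ("inbound", "outbound"):
        actual = getattr(host, f"{direction}_allowed")
        # Ports open on the host that the role does not call for.
        for port in sorted(actual - expected[direction]):
            if port in FTP_PORTS:
                findings.append(f"{direction} FTP port {port} open (blocked by default policy)")
            elif port == SMTP_PORT:
                findings.append(f"{direction} SMTP port {port} open (not permitted for role)")
            else:
                findings.append(f"{direction} port {port} open but not in role policy")
        # Ports the role needs that the host is blocking (a service outage, not a breach).
        for port in sorted(expected[direction] - actual):
            findings.append(f"{direction} port {port} required by role but blocked")
    return findings


def audit(hosts, baseline_version):
    """Map each host name to its findings."""
    return {h.name: check_host(h, baseline_version) for h in hosts}


# Constructed sample inventory: one compliant host, two with drift.
SAMPLE_HOSTS = [
    HostFirewall("web01", "web-server", True, "5.2", {80, 443}, {443}),
    HostFirewall("db01", "database-server", True, "5.2", {1433, 21}, {1433}),
    HostFirewall("lt-sales-07", "sales-notebook", False, "5.1", set(), {80, 443, 25}),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS, "5.2").items():
        print(f"{name}: {'compliant' if not findings else '; '.join(findings)}")
```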


Anti-Malware

The malware threat has evolved from disruptive and annoying viruses written to demonstrate a hacker’s ability to circumvent normal operating system (OS) operations to financially motivated, sophisticated blended threats designed to steal information and compromise hosts. There are several distinct types of malware:

• Viruses and worms

• Keyloggers and video frame grabbers

• Trojan horses

• Botnets

• Rootkits

These different types of malware are used for carrying out different aspects of an attack and may be blended together to create a more serious threat than posed by any single type of malware on its own. Understanding the differences among these types is important to understanding how each can impact IT operations.

Viruses and Worms

Viruses and worms are the most well-known forms of malware. Viruses consist of a payload, the part of the virus that carries out its malicious activity, and propagation code, which allows the program to spread by attaching to other programs. More sophisticated forms of viruses include encryption modules used to mask the viruses from antivirus detection. In practice, encryption is not enough of a defense because signature-based detection methods can still be used to identify encryption modules even when the payload is encrypted.

Polymorphic viruses change the structure of the program without changing its functions. These kinds of viruses include a module known as the polymorphic engine that introduces operations that have no effect on the functioning of the program, such as an instruction to add 0 to a number or to concatenate strings into a variable that is never used in the control or output of the program.

Worms are similar to viruses but propagate on their own by exploiting vulnerabilities in applications and network systems. The SQL Slammer worm, for example, spread by using a vulnerability in SQL Server communications that allowed it to find other SQL Server instances by searching random IP addresses. The worm spread rapidly and within minutes had slowed traffic on large segments of the Internet when it struck in 2003.


Keyloggers and Video Frame Grabbers

Another type of malware that is a growing concern is malware designed to electronically eavesdrop and steal information. Keyloggers are programs or hardware devices that intercept keystrokes from a keyboard and log them to a file. The file is then sent to an attacker, in the case of software-based keyloggers, or retrieved by an attacker, in the case of a hardware keylogger. It is easy to imagine a scenario in which a keylogger could be used to collect useful information for a thief. Consider the following sequence of events in which a user:

• Opens a browser and enters a URL for a popular online auction

• Searches for an electronic device and makes a purchase

• Opens her payment service account by entering a username and password

• Navigates to her bank’s Web site

• Logs into her accounts using her bank username and password

• Transfers funds from her savings account to checking account

• Navigates to several news sites

Logging every keystroke can lead to a great deal of useless information from the attacker’s point of view; however, by scanning for text patterns found in known sites, such as the names of online auctions, banks, and retailers, attackers can quickly identify parts of the log files that will most likely have usernames, passwords, and account numbers.

For example, an attacker may scan the file looking for text such as “www.mybankwebsite.com” or “www.someonlineauction.com” and then search for a single term 4 to 12 characters long, such as “JaneDoeNYC” followed by another word 6 to 15 characters long, such as “P2sSw5rd!” to retrieve usernames and passwords. Similar scanning techniques can be used to find Social Security numbers, drivers license numbers, bank account numbers, and so on. Of course, there is more useful information than just the text that passes through the keyboard.

A Picture, a Thousand Words, and Video Frame Grabbers

One way to avoid having passwords captured by keyloggers is to display a virtual keyboard on the screen and have users mouse over and click each character in a password. This can circumvent a keylogger but, as we should expect, attackers have devised ways to continue to steal information in spite of the countermeasure.

A video frame grabber makes copies of the contents of video memory and so can capture a wide array of information, such as:

• Virtual keyboards used to enter passwords

• Email messages displayed on the screen

• Spreadsheets and documents displayed

• Instant message discussions

• Account information displayed by database applications

Both keyloggers and video frame grabbers are especially threatening when unmanaged devices are used to access information. Unmanaged devices include home computers used by customers to access their account information as well as public access computers, such as in hotels, which may be infected with malware, including keyloggers and video frame grabbers.


Trojan Horses

Trojan horses are programs that appear to serve one purpose but actually contain malware. Trojan horses may be found in:

• Browser add-ons

• Utility programs, such as clock synchronizers

• File-sharing utilities

• Programs and files sent through email and instant messaging

Trojan horses are a mechanism for distributing malicious code. They are often used with multiple forms of malware, known as blended threats, which can include keyloggers, communications programs, file transfer programs, and command and control programs that allow remote control or remote execution of code. The ability to execute programs on compromised hosts gives attackers the means to create networks of compromised computers, sometimes called zombies but more commonly known as bots.

Remote Control and Botnets

A bot is a program that may be controlled by an attacker. Bots have been used to distribute spam and phishing attacks, conduct click fraud, and launch distributed DoS attacks. A compromised host typically listens for commands on an Internet Relay Chat (IRC) channel or instant messaging service. Botnet controllers can send commands to execute scripts, send spam, or download updates to the botnet software.

Identifying and eradicating botnets, Trojan horses, keyloggers, video frame grabbers, viruses, worms, and other malware is more difficult when a device is also compromised by the presence of a rootkit.

Hiding Malware with Rootkits

A rootkit is a program that masks the presence of other programs and files and makes the activities of those programs more difficult to detect. Rootkits may modify OS or application code to

• Intercept low-level system calls for file information

• Prevent the display of information about processes executing

• Load rootkit code instead of OS code

• Substitute legitimate application code with compromised versions of code


Rootkits compromise the OS, so there is not necessarily a trusted computing base. Any information returned by the OS kernel (for example, processes that are executing or the size of a particular binary file) may not be true because the code that executes the requested service may be compromised.

Some tools have been developed to detect patterns indicative of the presence of a rootkit. For example, a rootkit detector might compare file system information returned by the OS with information returned by low-level analysis of the disk system; any discrepancies could indicate the presence of a rootkit. Another technique is to boot a device from a trusted source, such as an OS CD, and scan for rootkits.
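The cross-view comparison just described, as an added example in Python that is not part of the guide: one listing stands for what the OS API reports, the other for what a low-level read of the disk or of kernel structures returns, and every discrepancy is reported as an indicator. Both listings are constructed sample data, and the file paths and PIDs are assumptions.

```python
"""Cross-view rootkit indicators.

Added example, not code from the guide. A rootkit that hooks the OS's file
and process services can hide entries from what the kernel reports, but it
has a harder time altering what a raw read of the disk or a walk of kernel
memory returns. Comparing the two views and reporting the differences is
the detection technique the chapter describes. Both views below are
constructed sample data; paths, sizes and PIDs are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int


def cross_view_files(api_view, raw_view):
    """Compare file metadata from the OS API with metadata read directly from disk."""
    api = {f.path: f for f in api_view}
    raw = {f.path: f for f in raw_view}
    hidden = sorted(set(raw) - set(api))          # on disk but not shown by the OS
    phantom = sorted(set(api) - set(raw))         # shown by the OS but not on disk
    # Same path in both views but different size: a binary substituted
    # with a modified version (one of the rootkit actions listed above).
    size_mismatch = sorted(p for p in set(api) & set(raw) if api[p].size != raw[p].size)
    return {"hidden": hidden, "phantom": phantom, "size_mismatch": size_mismatch}


def cross_view_processes(api_pids, raw_pids):
    """PIDs found by walking kernel structures but missing from the task list."""
    return sorted(set(raw_pids) - set(api_pids))


def rootkit_indicators(api_files, raw_files, api_pids, raw_pids):
    """Combine both comparisons into one verdict with the supporting evidence."""
    files = cross_view_files(api_files, raw_files)
    procs = cross_view_processes(api_pids, raw_pids)
    # Caveat from the chapter: with a compromised kernel even the "raw" view
    # gathered on the live system may be lied to. A clean verdict here is only
    # as trustworthy as the view collection; booting trusted media avoids that.
    suspicious = bool(files["hidden"] or files["size_mismatch"] or procs)
    return {"files": files, "hidden_processes": procs, "suspicious": suspicious}


# Constructed sample views: a hidden kernel module, a replaced ps binary,
# and one process that the task list does not show.
API_FILES = [FileEntry("/bin/ls", 133792), FileEntry("/bin/ps", 137688),
             FileEntry("/etc/passwd", 2013)]
RAW_FILES = [FileEntry("/bin/ls", 133792), FileEntry("/bin/ps", 152104),
             FileEntry("/etc/passwd", 2013), FileEntry("/usr/lib/.hidden/kit.ko", 40960)]
API_PIDS = {1, 412, 980}
RAW_PIDS = {1, 412, 980, 1337}

if __name__ == "__main__":
    report = rootkit_indicators(API_FILES, RAW_FILES, API_PIDS, RAW_PIDS)
    print("suspicious:", report["suspicious"])
    print("hidden files:", report["files"]["hidden"])
    print("size mismatches:", report["files"]["size_mismatch"])
    print("hidden processes:", report["hidden_processes"])
```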

Rootkits may become even more difficult to detect, especially if vulnerabilities in BIOS are exploited. See Robert Lemos’ “Researchers: Rootkits Headed for BIOS” at http://www.securityfocus.com/news/11372.

The best response to the threat of malware attacks is to use a defense-in-depth strategy. This approach recognizes that no one countermeasure or policy will fully mitigate the risks of an attack. It also recognizes that anti-malware programs and related systems are themselves complex programs with their own limits and vulnerabilities. A defense-in-depth approach to malware protection will include:

• Antivirus and personal firewalls on client devices

• Network-based content filtering to block malicious content before it reaches the client

• Intrusion prevention monitoring to detect unusual network activity, such as large volumes of network traffic outside of normal patterns

• Host-based intrusion prevention that detects changes to OS files

• Regular monitoring of logs and audits of security measures

• End-user training, especially on the threat of social engineering techniques

• Comprehensive set of policies that define an organization’s strategy for managing the risks of malware attacks

An emerging technique for addressing the threat of unwanted applications—such as malware, bots, and other unintentionally downloaded software—is application control. Application control mechanisms allow administrators to define policies about the programs that may run in an environment. For example, a policy may categorize applications based on an administered security rating, digital signing, date of discovery, or other attribute. Measures such as application controls are an increasingly important addition to defense-in-depth strategies.

Another area of security that is dependent on systems management services is vulnerability management.


Managing Security Vulnerabilities

Complex systems are vulnerable to compromise. Sometimes attackers can gain access because they have detailed knowledge of an application and can exploit subtle and little-known vulnerabilities. In other cases, attackers may exploit an old version of code with a known vulnerability that has not been corrected on the victim’s device. Understanding vulnerabilities and correcting or compensating for them is essential to managing security vulnerabilities.

Detecting security vulnerabilities through penetration testing is another area in which security professionals depend upon systems managers. Penetration testing is the process of examining networks and systems for vulnerabilities and attempting to exploit those vulnerabilities. It almost goes without saying, but there are many kinds of vulnerabilities that can be tested, including:

• Network security

• Server security

• Application security

• Social engineering and user awareness

• Physical security

• Wireless network security

Systems and application managers can be especially helpful with network, server, application, and wireless network security penetration testing.

There are two approaches to penetration testing: starting with an assumed knowledge of the network and server infrastructure, or starting without such knowledge. The former, known as white box testing, gives the tester the most knowledge with which to conduct the test and therefore increases the chances of finding vulnerabilities. Starting without knowledge of the IT infrastructure may give a better indication of how an attacker with no knowledge of the systems would proceed. The goal of penetration testing is to find as many vulnerabilities as possible, so white box testing is the favored method. The black box testing method entails an implicit dependence on “security by obscurity,” a discredited countermeasure.

Assuming white box testing is used, systems management personnel will be needed to provide details about:

• The types of devices deployed

• Network topology

• Applications and version information

• Authentication and authorization mechanisms

• Countermeasures in place

• Operational procedures

• Wireless network configurations

An attacker may not have access to all this information, but a penetration test conducted by security professionals with these details is more likely to provide the kind of vulnerability information sought. Once vulnerabilities are found, the next step is to correct them.


Configuration and Patch Management

In many cases, vulnerabilities can be corrected through either changes to configuration or through the application of patches. Each will be considered in turn.

Configuration Management

Configuration management entails tracking the software and configuration of devices. This is of importance to security management in a number of scenarios. First, if a vulnerability is discovered in a particular version of an application, a configuration management reporting system can identify which hosts are running that version. This is especially important when client devices may have one of several different versions. Although an organization may make it a policy to standardize on one or two versions of office suites, it may have half a dozen or more versions of client-side database drivers.

Another case in which configuration management supports security operation is with risk analysis and incident response. The existence of a vulnerability is one factor that determines how to respond; another factor is the importance of the device with the vulnerability. High-priority devices, such as customer-facing servers, should be patched immediately if the vulnerability could seriously disrupt operations. However, a lower-priority device, such as a server running a database tracking a training schedule, can be queued for patching at a later time after critical systems have been addressed.

Another area configuration management can help with security is in the planning process. For example, if antivirus software will be upgraded, the configuration management database can help to determine the number of licenses required. Much of host-based security, though, is based on countermeasures, such as personal firewalls and anti-malware systems.

Patch Management

Patch management is the process of updating software and configuration (“patching”) to improve security, functionality, or performance. There are several components in patch management:

• Being aware of patch releases

• Testing patches

• Deploying patches

• Maintaining configuration information

All of these require systems management support. Patches are released on regular schedules by many vendors, so those can be incorporated into maintenance schedules. These patches often address minor or moderate impact bugs or provide performance improvements. Unscheduled patches, such as fixes for security vulnerabilities, may come at any time. Assessing the impact of vulnerabilities and the benefit of patching is a process that should be done by both security and systems administration teams.


Prior to deploying a patch, it needs to be tested. If a patch breaks a functioning system, a decision must be made—does the benefit of the patch outweigh the benefit of the lost functionality? Most likely, a patch that causes a problem will do so with a limited number of configurations. In such cases, a configuration management database can aid in determining where the patch should be deployed and where it should not.

Deploying patches is strictly a systems management operation. Ideally, the process is automated so that code is distributed to the appropriate clients, the installation is verified, and details are logged for analysis when installation fails.

The final step in the patch management process is updating configuration information. A configuration management database and related applications may pull this data as part of its routine operations or configuration information may be pushed to the database during the deployment process. Yet another area that requires security and systems management coordination is access control.

The SQL Slammer incident is one of those cases that did not have to happen. Microsoft had patched the vulnerability exploited by SQL Slammer months before the worm struck. Part of the problem was that database administrators had not patched SQL Server instances, and part of the problem was due to users not knowing they were running a desktop version of SQL Server that had been embedded in some applications. This is one of the reasons asset management is so important to information security—you must know what software you are running and how it is patched.
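The Configuration Management and Patch Management sections above, together with the SQL Slammer lesson, describe one workflow: query the configuration record for hosts running a vulnerable version, order them by the importance of the device, deploy, verify, log failures, and update the record. As an added example (not code from the guide), this Python carries that workflow through on a constructed CMDB; the product names, versions, priorities, and installer behaviour are all assumptions.

```python
"""CMDB-driven vulnerability exposure report and patch rollout.

Added example, not code from the guide. Hosts, products, versions,
priorities and the installer behaviour are constructed sample data. It
follows the chapter's sequence: query the configuration record for hosts
running a vulnerable version, order them by business priority, deploy,
verify, log failures, and update the configuration record only after a
verified install.
"""
from dataclasses import dataclass, field

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Host:
    name: str
    priority: str          # business importance of the device
    software: dict         # product -> installed version, as recorded in the CMDB
    patch_log: list = field(default_factory=list)


def parse_version(version):
    """'8.0.1' -> (8, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def affected_hosts(cmdb, product, fixed_in):
    """Hosts recorded as running *product* below *fixed_in*, highest priority first."""
    hits = [h for h in cmdb if product in h.software
            and parse_version(h.software[product]) < parse_version(fixed_in)]
    return sorted(hits, key=lambda h: (PRIORITY_ORDER[h.priority], h.name))


def deploy_patch(host, product, fixed_in, install):
    """Install, verify the version the host now reports, and record the outcome.

    *install(host, product, fixed_in)* returns the version the host reports
    after the install step. The CMDB entry changes only on verified success.
    """
    reported = install(host, product, fixed_in)
    verified = reported is not None and parse_version(reported) >= parse_version(fixed_in)
    if verified:
        host.software[product] = reported
        host.patch_log.append(f"{product} {fixed_in}: installed and verified")
    else:
        host.patch_log.append(f"{product} {fixed_in}: FAILED, host reports {reported}; record unchanged")
    return verified


def rollout(cmdb, product, fixed_in, install, defer_priorities=()):
    """Patch affected hosts in priority order; return (patched, failed, deferred) host names."""
    patched, failed, deferred = [], [], []
    for host in affected_hosts(cmdb, product, fixed_in):
        if host.priority in defer_priorities:
            deferred.append(host.name)          # queued for a later maintenance window
        elif deploy_patch(host, product, fixed_in, install):
            patched.append(host.name)
        else:
            failed.append(host.name)
    return patched, failed, deferred


# Constructed sample CMDB. "db-engine" stands for a database engine that is
# also embedded in a desktop application on wks-finance-12, the situation the
# SQL Slammer sidebar describes: the CMDB knows about it even if the user does not.
FIXED_IN = "8.0.5"
CMDB = [
    Host("web01", "high", {"db-engine": "8.0.1", "web-server": "6.0"}),
    Host("db02", "high", {"db-engine": "8.0.5"}),                     # already at the fixed level
    Host("db-train01", "low", {"db-engine": "8.0.1"}),                # training-schedule database
    Host("wks-finance-12", "medium", {"db-engine": "8.0.1", "office-suite": "11.0"}),
]


def simulated_install(host, product, version, broken=("wks-finance-12",)):
    """Constructed installer: fails on one host, which keeps reporting its old version."""
    return host.software[product] if host.name in broken else version


if __name__ == "__main__":
    print("exposed:", [h.name for h in affected_hosts(CMDB, "db-engine", FIXED_IN)])
    print("patched, failed, deferred:",
          rollout(CMDB, "db-engine", FIXED_IN, simulated_install, defer_priorities=("low",)))
    for host in CMDB:
        for line in host.patch_log:
            print(f"  {host.name}: {line}")
```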

Controlling Access

One of the most challenging aspects of both security and systems management is access controls. The number of users, roles, and privileges is growing so rapidly that for many organizations, the only way to keep up is to leverage automation. This, in turn, requires a policy framework for driving the automated tools.

Controlling access is not one dimensional and one must look at it from both a user and a resource perspective. With regard to users, the key issues are identity management and authentication and authorization. From the resource management perspective, it is important to address topics such as file and disk encryption as well as secure remote access.

Identity Management, Authentication, and Authorization

Identities, at least in the realm of information security, are a representation of a user for the purpose of providing access to resources and services. Identity management is an operational practice that includes:

• Provisioning user identity records

• Automating supporting workflows

• Administering identity services

• Providing self-service mechanisms, such as password resets

• Decommissioning identities

There are both security and systems management benefits of identity management. From the security side, a single representation of a person is much easier to manage than multiple instances.

For example, if a new employee joins the finance department, a policy can define the authorizations to use all the financial systems common to members of the department as well as common to all employees. More specific details, such as the person’s role in the department, can provide further authorizations. This model provides for a centralized method for access control in contrast to a commonly found alternative.

Without identity management, a user’s authentications are distributed across systems and applications. If a person needs access to the financial planning system, an account is created on that application for them. If they need access to a network file server, authorizations are established on the network server for them. When the person changes positions or leaves the company, systems and application administrators around the company have to update access controls. Deploying identity management is clearly beneficial for both operational and security reasons and it is another area that crosses boundaries between systems management and security management.
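The policy-driven model described above, as an added example that is not the book's code. Entitlements are derived from three policy layers (everything common to all employees, the department's common systems, and the person's role), and one diff function yields the provisioning actions for a new hire, a transfer, and a departure. The department, role and system names are constructed for illustration.

```python
"""Policy-driven authorization (added example; not the book's code).

Entitlements for an identity are derived from policy: everything common to all
employees, plus the department's common systems, plus the person's role.
Department, role and system names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Policy tables (constructed).  An identity management product keeps these in
# its policy store; only the shape matters here.
ALL_EMPLOYEES = {"email", "intranet", "timesheet"}
DEPARTMENT_ENTITLEMENTS = {
    "finance": {"general-ledger", "finance-fileshare"},
    "engineering": {"source-control", "build-farm"},
}
ROLE_ENTITLEMENTS = {
    ("finance", "analyst"): {"financial-planning"},
    ("finance", "controller"): {"financial-planning", "payment-approval"},
    ("engineering", "developer"): {"issue-tracker"},
}


@dataclass(frozen=True)
class Identity:
    user_id: str
    department: Optional[str]     # None once the person has left the company
    role: Optional[str] = None
    active: bool = True


def entitlements_for(identity):
    """Compute the full set of authorizations one identity record implies."""
    if not identity.active or identity.department is None:
        return set()              # a decommissioned identity is granted nothing
    granted = set(ALL_EMPLOYEES)
    granted |= DEPARTMENT_ENTITLEMENTS.get(identity.department, set())
    granted |= ROLE_ENTITLEMENTS.get((identity.department, identity.role), set())
    return granted


def reconcile(before, after):
    """Diff two states of one identity into the grants and revocations to push
    to every system.  The same function covers a joiner (no entitlements
    before), a mover (department or role change) and a leaver (deactivated)."""
    old, new = entitlements_for(before), entitlements_for(after)
    return {"grant": new - old, "revoke": old - new}


def systems_touched(actions):
    """Every system an administrator would otherwise have to update by hand."""
    return actions["grant"] | actions["revoke"]


if __name__ == "__main__":
    nobody = Identity("alice", None, active=False)
    analyst = Identity("alice", "finance", "analyst")
    developer = Identity("alice", "engineering", "developer")
    for label, step in (("joiner", reconcile(nobody, analyst)),
                        ("mover", reconcile(analyst, developer)),
                        ("leaver", reconcile(developer, nobody))):
        print(label, step, "systems touched:", sorted(systems_touched(step)))
```

The leaver case is the one the text flags as the weak point of per-system administration: with the policy model, deactivating the single identity record yields the complete revocation list, so no system is forgotten.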

File and Disk Encryption

Mobile computing has introduced a new set of threats and management concerns. News stories about stolen notebook computers with tens of thousands, or more, records with personally identifying information are too common.

For more information about the problem of lost and stolen notebooks, see the Realtime IT Compliance Community at http://www.realtime-itcompliance.com/lost_stolen_laptops/.

A logical solution for security professionals is to use file, or ideally full disk, encryption. If a mobile device is stolen or lost, no one else will be able to access the information on the device assuming sufficiently strong encryption is used.

Systems administrators may not see it as such a black-and-white situation. Yes, encryption will protect data when the device is stolen, but what about operations when the device is not stolen? Consider:

• What happens if there is a problem with the disk drive, the encryption key cannot be recovered, and the disk must be reformatted?

• What happens if the encryption key is lost?

• What is the performance penalty for encryption?

• How will devices be administered once they are encrypted?

• How will full disk encryption configurations vary by hardware model and feature?

Full disk encryption is growing in popularity and more organizations are likely to adopt it. Administrators will have to understand how this functionality will affect end user support, recovery efforts, and device management tools and procedures.

File encryption also helps to address the growing problem of data in motion. Files are easily transferred to removable media, such as USB memory devices, iPods, and removable disk drives. Encryption can help to protect data copied to such devices; a better solution is controlling access to such media based on policy, or in some cases, blocking access to them completely.

VPNs and Secure Remote Access

VPNs and secure remote access services are similar to full disk encryption in terms of the benefits to security but at an increasing cost of management complexity. Some of the common issues with VPNs are:

• Ensuring proper client configuration

• Establishing policies

• Managing VPN certificates

• Maintaining sometimes fine-grained access control rules

As with access controls, as the number of subjects involved with VPNs increases, so do the management issues.

One must also keep in mind that remote workers use a variety of methods to communicate: managed Internet access, unmanaged Internet access, wireless access, and direct connections. Enforcement of VPN usage is especially important when connecting wirelessly. Make sure the security tools being used to enforce remote worker policies actually enforce VPN usage automatically and transparently, according to policies based on location and concomitant risk.

Centralized release and patch management along with a configuration management database can support VPN administration. Although many may think of managing a VPN as a security or network administration function, there are still fundamental tasks in the systems management area as well.

Security Information Management

Security management is the practice of establishing, coordinating, and evaluating the range of security measures put in place within an organization:

• Security policies

• Compliance

• Auditing

• Incident response and forensics

• Business continuity

Security Policies

Security policies are the foundation of an information security program. Policies are high-level descriptions of what is permitted and what is expected with regard to security. Organizations will typically have several security policies, covering:

• Acceptable use of IT infrastructure

• Access control

• Anti-malware policy

• Content-filtering policy

• Encryption policy

• Document and email retention

• Notebook and mobile device security

• Server and workstation security policy

• Wireless network access policy

Policies are generally written to clearly define the scope of the policy, the reason for the policy, and the details of the policy as well as provide the definition of technical terms if needed. An encryption policy, for example, might contain:

• A scope statement that defines the business units, employees, contractors, and business partners that need to adhere to the policy.

• An explanation for the need for the policy, such as protecting the confidentiality of customer information and proprietary company information.

• Policy details, such as a list of the categories of information that must be encrypted (for example, confidential, private, and sensitive information), the algorithms that may be used, and minimum key lengths.

• Definitions for terms such as digital signatures and public key cryptography.

Policies, such as encryption, can apply to multiple services or they may be specific to a particular service, such as email policies. In either case, policies should be aligned with the service-oriented model.
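The encryption policy details listed above (categories that must be encrypted, permitted algorithms, minimum key lengths) expressed as data and checked against a set of configured data stores, as an added example that is not from the book. The classification names follow the commercial scheme the chapter uses; the algorithm names, key lengths, the stricter minimum for the confidential class, and the data-store records are constructed to show the shape of the check, not to recommend settings for any organization.

```python
"""An encryption policy's details expressed as data and checked against configurations.

Added example; not from the book.  The classifications, permitted algorithms,
key lengths and data-store records are constructed to show the shape of the
check, not to recommend settings for any organization.
"""
from dataclasses import dataclass
from typing import Optional

# Policy details (assumed values): which classifications must be encrypted,
# which algorithms may be used, and the minimum key length for each.
POLICY = {
    "must_encrypt": {"sensitive", "private", "confidential"},
    "allowed_algorithms": {"AES", "ChaCha20"},
    "min_key_bits": {"AES": 128, "ChaCha20": 256},
    # Stricter minimum for one class, so confidential data can be held to a
    # stronger (and costlier) standard than private data (an assumption here).
    "class_min_key_bits": {"confidential": 256},
}


@dataclass
class DataStore:
    name: str
    classification: str
    algorithm: Optional[str]   # None means the data is stored in the clear
    key_bits: int = 0


def check_store(store, policy=POLICY):
    """Return the policy violations for one data store (an empty list is compliant)."""
    cls = store.classification
    if cls not in policy["must_encrypt"]:
        return []                              # public data: no encryption requirement
    if store.algorithm is None:
        return [f"{store.name}: {cls} data stored unencrypted"]
    if store.algorithm not in policy["allowed_algorithms"]:
        return [f"{store.name}: algorithm {store.algorithm} is not permitted"]
    required = max(policy["min_key_bits"][store.algorithm],
                   policy["class_min_key_bits"].get(cls, 0))
    if store.key_bits < required:
        return [f"{store.name}: {store.key_bits}-bit key is below the "
                f"{required}-bit minimum for {cls} data"]
    return []


def audit(stores, policy=POLICY):
    """Map each non-compliant store to its findings; compliant stores are omitted."""
    results = {s.name: check_store(s, policy) for s in stores}
    return {name: findings for name, findings in results.items() if findings}


# Constructed inventory of data stores and how each is currently configured.
STORES = [
    DataStore("press-releases", "public", None),
    DataStore("hr-records", "private", "AES", 128),
    DataStore("crm-db", "private", "3DES", 112),
    DataStore("strategy-docs", "confidential", "AES", 128),
    DataStore("orders", "sensitive", None),
]

if __name__ == "__main__":
    for name, findings in audit(STORES).items():
        print(name, "->", "; ".join(findings))
```

Keeping the policy as a data structure separate from the check is what lets the same audit code serve several policies (an email policy with its own table, for example) and lets a policy change be reviewed as a change to data rather than to code.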

Compliance

Adequate protection of private and confidential information plays a role in many government regulations. Some of the most well known include:

• Sarbanes-Oxley Act—publicly traded companies

• Gramm-Leach-Bliley Act—financial service firms

• Health Insurance Portability and Accountability Act (HIPAA)—health care firms

• BASEL II—financial services

• 21 CFR Part 11—pharmaceutical companies

• Federal Information Security Management Act (FISMA)—federal government

• California State Bill (SB) 1386—business with customers in California

• EU Directives on Privacy—companies doing business in the EU

• Personal Information Protection and Electronic Documents Act (PIPEDA)—companies doing business in Canada

Responsibility for complying with the array of regulations in existence is likely spread across a number of departments. Fortunately for IT practitioners, sound security management practices often contribute significantly to meeting compliance requirements. With proper controls, such as information classification, access controls, network and host defenses, and proper monitoring and auditing, IT departments can meet the requirements of many regulations by continuing their security best practices. The organization of information security addresses the need for governance and management of security services and functions.

With regards to governance, executive management should have well-defined controls and measures in place to allow them to monitor and, if necessary, correct security operations. The governance model detailed in the Control Objectives for Information and Related Technologies (COBIT) framework provides a sound foundation for governance practices in general. The controls and measures described in COBIT are useful across the spectrum of service-oriented management, not just security management.

For more information about COBIT, see the Information Systems Audit and Control Association’s Web site at https://www.isaca.org/.

Security Management and Asset Management

Like policy formation, asset management is one of the fundamental activities in security management. Asset management consists of two components: tracking hardware and software assets and classifying information.

Hardware and Software Asset Management

Assets cannot be protected if they are not managed, and they cannot be managed if they are not identified. This idea seems so obvious that it should not warrant mentioning, but tracking IT inventory is not a trivial task. Consider some of the factors that have to be accounted for when tracking inventory:

• Hardware has to be identified and inventoried

• Software running on a device must be tracked

• Components within a device may be replaced or removed

• Hardware may be transferred between departments or individuals

• Some devices that access IT resources are not owned or controlled by the IT department or the organization

Hardware is one of the easiest aspects of physical inventory to manage. The location and the person or department responsible must be tracked. Movement within the organization needs to be monitored, and when the device is retired that must be noted as well. When devices are transferred or retired, operations may need to be performed to erase private or confidential data. This should be governed by information classification policy.

Software can be a challenge to track without tools. Applications are often installed, patched, and removed from users’ devices as their needs change. Very few organizations can maintain a consistent set of software components on all devices across the organization even when they standardize as much as possible.

In both hardware and software management, a subunit of a device or application may be moved among devices. For example, disk drives may be moved between workstations and application server modules may be uninstalled from one server and moved to another.

To compound the challenges facing IT managers responsible for asset management, many managers now have to deal with semi-managed devices. These are often mobile devices that are owned by employees, contractors, and consultants but have some access to IT infrastructures. The most common are:

• Mobile email devices, such as BlackBerry devices

• PDAs

• Smartphones

• Data exchange devices, such as flash drives

The problem with these devices is that they can introduce malware or other threats to a network. Even if a complete inventory is maintained of all the software and hardware owned by an organization, security staff may still not have an accurate picture of the potential threats facing their infrastructure. Properly managing and controlling the use of semi-managed devices has emerged as a key challenge in security management.

Information Classification

Information classification is the process of labeling different types of information and establishing appropriate controls for each type. Commercial and military institutions use different classification schemes; the most common categories in commercial classifications are:

• Public

• Sensitive

• Private

• Confidential

By categorizing information, appropriate controls can be placed on information without having to apply a most-restrictive policy that protects all information as if it were equally important.

Public Information

The public classification is reserved for information that, if disclosed publicly, would not have an adverse effect on the organization. For example, information provided in press releases would not contain information that requires any unusual level of protection.

Sensitive Information

Sensitive information should not be publicly disclosed, but if it were, the disclosure would not have serious adverse effects on the organization. Information about project plans, work schedules, orders, inventory levels, and other operational data by itself could not be used against an organization. It is conceivable that a competitor could piece together competitive intelligence about a firm by examining large amounts of such operational information.

Private Information

Private information is about customers, clients, patients, employees, and other persons who have dealings with an organization. The disclosure of private information could adversely affect those individuals; organizations may be subject to fines or other legal proceedings for violating regulations regarding the protection of private information. Examples of private information include:

• Employee records

• Protected healthcare information

• Financial records

• Social Security numbers, driver’s license numbers, and other identifying information

Depending on the industry, organizations could be subject to a range of regulations governing the protection of private information. The health care and financial services industries are subject to comprehensive regulations in the United States; the European Union (EU) has established broad privacy protections that apply to all businesses.

Confidential Information

Confidential information requires significant controls because the disclosure of this information could have a significant impact on an organization. Some of the typical types of confidential information include:

• Trade secrets

• Negotiation details

• Strategic plans

• Intellectual property, such as algorithms and product designs

Like private information, confidential information should be protected with well-defined access controls and clear lines of responsibility.

Although many of the same measures may be used to protect confidential and private information, they are fundamentally different and should not be linked with regards to security policies and procedures. Private information, for example, may be subject to specific audit requirements that are not relevant to protecting confidential information. Similarly, some confidential information may be protected with stronger, and more costly, measures than required for private information. These two categories should always be managed as separate entities.

Security Auditing and Monitoring

IT auditing became much more common with the advent of the Sarbanes-Oxley Act. The goal of this and related regulations is to preserve the integrity of business information. To meet that objective, you must have procedures and systems in place that protect information and you must periodically review those systems and procedures to ensure they are functioning adequately. Thus, regular IT audits are much more thorough than those that may have been conducted in the past.

Audit Controls

Auditing begins with policies. Policies may be defined by an organization on its own or as part of compliance with regulations. Regardless of the motivation for policies, the role of auditing is to ensure that they are appropriate for the objective and sufficiently implemented. Some of the most important areas that should be verified in audits include:

• Information classification

• Access controls appropriate for information classifications

• Adequate perimeter and network defenses

• Adequate host defenses

• Adequate review of content, both entering and leaving the network

• Sufficient training on security measures

• Backup and recovery procedures

• Appropriate security management practices, such as separation of duties and rotation of duties

Auditing is an in-depth review of security policies and procedures. Auditing may be regular but is still infrequent; day-to-day monitoring is also required.

Security Monitoring

Monitoring can be time consuming unless tools are used to help sift through the volumes of log data that can be generated in even a moderate-sized network. The difficulties arise from the range of events that should be monitored, including system events, application events, and user events. Some of the most common are:

• System performance metrics, such as number of processes, CPU utilization, storage utilization

• Login attempts and failures

• Applications executed and functions executed within enterprise applications

• Changes to OS configurations

• Errors generated by applications

• Files read, modified, and deleted

• Attempts to access unauthorized resources

In isolation, any one of these events may not be indicative of a serious breach. However, in conjunction with other events, these may warrant closer examination and may indicate a breach. One of the greatest challenges in information security today is integrating data from the variety of security mechanisms already in place. Firewalls, routers, intrusion prevention devices, access control systems, OSs, anti-malware solutions, and content-filtering applications can all generate large quantities of data, some of which can be quite useful if it is identified and integrated with other information in a timely manner.
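The point that events which are harmless in isolation become meaningful in conjunction, as an added example that is not from the book. It correlates OS login events with an application's access-denied event for the same user and host: a burst of failed logins followed by a success raises a medium alert, and a subsequent denied access by that session escalates it, while a single mistyped password alone raises nothing. The log lines are constructed, their `key=value` layout is an assumption standing in for whatever the OS and application actually emit, and the thresholds are likewise assumptions.

```python
"""Correlating events from several sources into one alert.

Added example; not from the book.  The log lines are constructed, and their
`key=value` layout is an assumption standing in for whatever the OS and the
application actually emit; the thresholds are likewise assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one user fails three logins, succeeds, then is refused a
# resource by the application; another user simply mistypes a password once.
SAMPLE_LOG = """\
2015-01-17T09:00:01 source=os host=fin-db-01 event=login_failure user=bob src=10.0.5.7
2015-01-17T09:00:04 source=os host=fin-db-01 event=login_failure user=bob src=10.0.5.7
2015-01-17T09:00:07 source=os host=fin-db-01 event=login_failure user=bob src=10.0.5.7
2015-01-17T09:00:12 source=os host=fin-db-01 event=login_success user=bob src=10.0.5.7
2015-01-17T09:01:30 source=app host=fin-db-01 event=access_denied user=bob resource=payroll_export
2015-01-17T09:30:00 source=os host=web-01 event=login_failure user=carol src=10.0.9.2
2015-01-17T09:31:00 source=os host=web-01 event=login_success user=carol src=10.0.9.2
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(timestamp)
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events, failures=3, window=timedelta(minutes=5)):
    """One alert per (user, host) where a burst of login failures is followed by
    a success; the alert is escalated if that session then trips an
    access-denied event within the window.  Neither event alone would alert."""
    alerts = []
    recent_failures = defaultdict(list)   # (user, host) -> failure timestamps
    suspicious_sessions = {}              # (user, host) -> (alert, time of success)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["host"])
        if ev["event"] == "login_failure":
            kept = [t for t in recent_failures[key] if ev["ts"] - t <= window]
            recent_failures[key] = kept + [ev["ts"]]
        elif ev["event"] == "login_success":
            count = len(recent_failures[key])
            if count >= failures:
                alert = {"user": ev["user"], "host": ev["host"], "src": ev.get("src"),
                         "severity": "medium",
                         "reason": f"{count} login failures followed by success"}
                alerts.append(alert)
                suspicious_sessions[key] = (alert, ev["ts"])
            recent_failures[key] = []
        elif ev["event"] == "access_denied" and key in suspicious_sessions:
            alert, since = suspicious_sessions[key]
            if ev["ts"] - since <= window:
                alert["severity"] = "high"
                alert["reason"] += f"; then denied access to {ev['resource']}"
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

The sources are identified per line (source=os, source=app) because the integration problem the text describes is exactly that these records normally land in different logs with different formats; normalizing them into one event stream with a shared user and host key is what makes the correlation possible.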

Security Management and Risk Assessment

Risk assessment is primarily a function of security management. The goal of risk management is to identify risks to IT infrastructure, prioritize those risks, and implement mitigation strategies to bring the risks within acceptable levels. As that list of tasks implies, you cannot eliminate risks, but you can reduce their likelihood. Prioritizing also implies that you might not be able to adequately reduce the potential for all risks. Risk management often entails balancing needs against limited resources.

Thinking of risk management in terms of SOM allows you to view risks in terms of services provided and not just in terms of specific pieces of infrastructure. For example:

• Data storage management is more than just providing disk space; it includes backup and archive services and access control management. Security risks in this service include breaches of access controls and theft of backup media.

• Communication services such as email, instant messaging, and voice over IP (VoIP) depend on network infrastructure and so share common risks, such as DoS attacks.

• Application services, such as Web servers and J2EE and .Net application servers, can provide a wide range of services but are subject to risks such as host intrusions, information theft, and application tampering.
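The identify, prioritize, mitigate-within-limited-resources sequence described above, worked through on a service-level risk register, as an added example that is not from the book. The services and threats mirror the three bullets; the scores, mitigation costs and budget are constructed, and the scoring scheme (likelihood and impact on 1-to-5 scales, risk as their product, residual risk once a mitigation is in place) is one common qualitative approach assumed here rather than the author's. The output shows what the text warns about: after the budget is spent, some risks remain above the acceptable level and need an explicit decision.

```python
"""Service-level risk register with prioritization under a budget.

Added example; not code from the book.  The services, threats, scores and
costs are constructed, and the scoring scheme (likelihood and impact on 1-5
scales, risk = likelihood * impact, residual risk once a mitigation is in
place) is one common qualitative approach assumed here, not the author's.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    service: str
    threat: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    mitigation: str
    cost: int                 # relative cost units for the mitigation
    residual_likelihood: int  # likelihood once the mitigation is in place

    @property
    def score(self):
        return self.likelihood * self.impact

    @property
    def residual(self):
        return self.residual_likelihood * self.impact

    @property
    def reduction(self):
        return self.score - self.residual


# Constructed register, one entry per risk to a service (not to a component).
RISKS = [
    Risk("data storage", "theft of backup media", 4, 5, "encrypt backup tapes", 3, 1),
    Risk("data storage", "breach of access controls", 3, 4, "quarterly access review", 2, 2),
    Risk("communications", "DoS attack on network", 3, 3, "upstream DoS filtering", 6, 1),
    Risk("application services", "host intrusion", 4, 4, "host IDS plus patch SLA", 4, 2),
    Risk("application services", "application tampering", 2, 3, "code signing", 2, 1),
]

ACCEPTABLE = 6   # assumed risk appetite: scores at or below this need no treatment


def prioritize(risks, acceptable=ACCEPTABLE):
    """Risks above the acceptable level, highest score first."""
    return sorted((r for r in risks if r.score > acceptable),
                  key=lambda r: r.score, reverse=True)


def select_mitigations(risks, budget, acceptable=ACCEPTABLE):
    """Greedy choice: fund the mitigations with the most risk reduction per cost
    unit until the budget is exhausted.  Returns (chosen risks, cost spent)."""
    chosen, spent = [], 0
    for r in sorted(prioritize(risks, acceptable),
                    key=lambda r: r.reduction / r.cost, reverse=True):
        if spent + r.cost <= budget:
            chosen.append(r)
            spent += r.cost
    return chosen, spent


def still_unacceptable(risks, chosen, acceptable=ACCEPTABLE):
    """Risks left above the acceptable level after the chosen mitigations: the
    ones that need a management decision to accept, transfer or fund later."""
    treated = {id(r) for r in chosen}
    return [r for r in risks
            if (r.residual if id(r) in treated else r.score) > acceptable]


if __name__ == "__main__":
    chosen, spent = select_mitigations(RISKS, budget=8)
    print("funded:", [r.mitigation for r in chosen], "cost", spent)
    for r in still_unacceptable(RISKS, chosen):
        print("still above appetite:", r.service, "/", r.threat)
```

Greedy selection by reduction per cost is a deliberate simplification; the value of the register is that every number in it is visible and arguable, which is what makes the prioritization a management decision rather than a technical one.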

Mitigation strategies within a service-oriented model should address the full service, and this often entails detailed mitigation strategies based on the particulars of an implementation. For example, standby servers in a different location can be used to mitigate the risk of a compromised email server shutting down communications services. If the primary email server were to fail, the mail exchanger (MX) records in the domain’s DNS entries could be updated and email re-routed to the alternative server. Controlling risks is closely aligned with another security management function: business continuity management.

Security Management and Business Continuity Management

Information security is often described in terms of three characteristics: confidentiality, integrity, and availability. It is the last characteristic that is the subject of business continuity. From a SOM perspective, business continuity is a broad topic that includes information security but is not limited to it.

Security professionals should contribute to business continuity plans for a number of reasons:

• Systems availability is subject to threats such as DoS attacks; business continuity planning should take into account countermeasures to mitigate the impact of such an attack.

• Business continuity often includes plans for redeploying operations to an alternative site; electronic and physical security measures must be in place at these sites as well as at the primary site.

• During a business disruption, data may be moved between servers or entire facilities. The data must be protected in transit.

Another area in which security professionals are required is compliance with government regulations.

The defense-in-depth approach is considered a security best practice but it does come at a price: multiple security solutions must be managed. In addition, to gain the most from these point solutions, the information from them should be coordinated. The key activities within this area include:

• Ensuring both network and host-based defenses are kept up to date with signature files and patches

• Coordinating information from multiple sources, such as perimeter defenses and host-based defenses

• Ensuring procedures dictated by security policies are in place and enforced across countermeasures

• Properly configuring new devices and software during the implementation phase of a project

• Ensuring mechanisms are in place to support incident response

The last example is one in which systems managers may be asked to play a major role because incident response can require a rapidly executed and well-coordinated plan to contain the impact of a security breach.

Incident Response

An incident response plan is like an insurance policy: no one wants to have to use it, but everyone is glad to have one when it is needed. A security incident can take on many forms, including:

• A virus infection of multiple devices or critical servers

• The discovery of a significant number of Trojan horse programs

• Infections with keyloggers

• A DoS attack on a network device

• An attempt to break into a server

• An attempt to steal information from a database

• The discovery of a botnet within an organization’s network

• Loss of a notebook or other mobile device containing sensitive, private, or confidential information

Incident response planning has two dimensions—one addresses procedures and the other addresses the human resources element of the problem.

Incident Response Procedures

When an event occurs, the logical challenge is to determine how to respond. The solution should be governed by an incident response policy that includes:

• Guidelines on containing the potential damage of the incident

• Persons to notify, including both IT and business executives and managers

• Procedures for contacting information security personnel with knowledge of forensic procedures who can help gather evidence

• Procedures for securing compromised devices and preserving evidence

There are a few issues related to human resources that should be kept in mind when designing an incident response plan:

• The need for incident response training

• The need for separation of duties

• The benefits of post-incident analysis

Training and Incident Response

Users, technical staff, and management should all be trained in incident response procedures. For many, it may be as simple as directing them to call the service desk when something suspicious appears. This suspicious activity could be something as clear as a warning from a local antivirus program indicating malware has been detected to something less obvious, such as sluggish performance from a device for no apparent reason (this could indicate a spyware or Trojan horse infection that is using the device for other purposes).

Technical staff, especially front-line service desk support and systems administrators, should be trained on how to respond according to the severity of an incident. For example, minor incidents, such as a virus infection on a single device, might call for a basic response using a procedure defined for relatively predictable incidents. For major incidents, such as a DoS attack that is blocking access to critical servers, front-line technical staff should know how to enlist additional help to deal with the problem.

Executives and managers should understand the implications of various types of attacks with regard to the impact on business operations as well as legal responsibilities with regards to reporting the incident and complying with government regulations.

Separation of Duties

There is something strange about the fact that it is more prudent to trust two or more individuals than it is to trust one, but that is the idea behind separation of duties. This is especially important when responding to security incidents. One of the activities of incident response is to collect and preserve evidence. It is not unheard of for someone working for an organization to be involved with crimes against that organization. If an employee or contractor perpetrated an incident, that person may be involved with the incident response.

For example, a database administrator is someone with the keys to the proverbial kingdom when it comes to large volumes of business information. If someone were stealing customer credit card data from a database and a security monitor on the network detected unusual activity on a database server, the first person to call would be the database administrator. The potential problem is clear; the solution is to have at least two knowledgeable individuals respond to an incident.

Response Evaluation

Security breaches are disruptive and potentially costly, but they are also opportunities to improve security measures. A post-incident evaluation can provide valuable information about:

• How attackers breached security mechanisms

• Which security mechanisms worked and which did not

• Whether attack techniques were anticipated

• Whether monitoring and logging were adequate to diagnose the incident

• Vulnerabilities in applications, OSs, or network devices

• Vulnerabilities in policies and procedures

The goal of the post-incident evaluation is to improve the quality of security, not simply to place blame. Managing information security is difficult and a breach does not necessarily imply negligence or disregard for policies and procedures.

Summary

Security management is one of the most multi-faceted areas of systems management. It ranges from the broad issues of managing security information down to the detailed practice of threat and vulnerability assessment. In addition to day-to-day activities such as monitoring systems, applications, and users, systems administrators and security professionals must manage an array of security mechanisms deployed in such a way as to provide multiple layers of defense.