
“intercepts were retained on former President Jimmy Carter”

2. Permanent Resident Aliens (Green Card holders).
3. Companies incorporated in the US (whatever the nationality).
4. US-flagged ships or planes.
5. Organizations or associations primarily composed of US persons.

The issue of whether the communications of a US person are protected outside the United States was clearly of concern to the author of a memo dated 23 June 1999. The memo, formerly classified ‘Comint Umbria’, states: “Am I missing something here? The question is whether we can share non-minimized raw traffic collected by NSA. The answer is that we can share US person information only in accordance with the AG [Attorney General] guidelines. The

Poking at the Borders

The Internationally-Minded Toad

Matthew Pemble, IS Integration Ltd.

Keeping your security relevant to your business requirements is a considerable pain in the timesheet, wallet and typing finger(s). One of the most intractable problems is correctly and adequately specifying the boundaries between different areas of function and control. Given the luxury of a well-funded start-up (difficult in these times of stock market panic) and clear specifications from the executive (choose your analogy from hen’s teeth, rocking-horse excrement and honest politicians), it is possible to craft a security policy, secure infrastructure, appropriate operating procedures and user training programme that minimize your exposure, maintenance workload and frequency of incidents. Fulfilling these requirements within resource and financial budgets, with an evolved infrastructure and inadequate and contradictory guidance from above, is a very different prospect. The primary problem is that you, as a security officer or administrator, need to find and fix all procedural, technical and personnel issues in your organization,


whereas the attacker only needs to uncover a single area of vulnerability. The inherent complexity of large organizations and of all modern computer systems makes this a very unequal battle. Recently, there has been a significant trend for hackers to attack major multinationals through some of their sites in more far-flung domains: Microsoft Slovenia, Dell in Brazil and Silicon Graphics in Korea have all been targeted.

Some of this may be due to the proximity of the servers to the hackers, or it may be a collective realization that the further you are away from corporate central, the more likely you are to spend your time doing ‘real work’ (i.e. your immediate

AG guidelines do not provide for any blanket waiver. There are two questions that have to be answered with regard to US person information. Is it FI [foreign intelligence] related? Is the specific identity necessary to understand or assess the FI? How does one make either determination on a programmatic basis? Seems to be that legally speaking this is not a difficult question. Telling people something they don’t want to hear is the difficult part.”

boss’ current pet project) rather than hunting, downloading and applying the latest security patches. Attrition.org's records show that the Brazilian Top Level Domain (TLD), in particular, saw a four-fold rise in the number of defacements between 1999 and 2000.

It could happen to you

It might not be quite the scenario of your personal nightmares, but consider the following sketch:

1. It’s three in the morning, and your pager goes off. It is your ISP's network operations centre so, grumbling loudly, you call in.
2. “We’re afraid that your Brazilian subsidiary's website has been defaced. It isn't actually hosted with us, so you’re going to need to sort it out yourself.”
3. Thinking hard, you try to work out why this site isn't on your doubly hardened and triply protected secure server, watched over (at great expense) by someone other than you.
4. In this case, the activities of Brazilian hackers cause your ISP, taking a lead from NASA, to regularly black-hole areas of Brazilian IP space and, as you are in the retail market, you need the local connectivity.
5. Grumbling loudly, you crawl into your clothes to start the long journey in, wondering where on earth you are going to find the access passwords for the Brazilian ISP at 03.00 GMT on a Sunday morning…

However, even if you do have tight control over all of your Internet-facing servers (local or hosted out), there are still significant problems to overcome in establishing and maintaining effective security. In particular, determining the security perimeter needs to take into account a wide variety of factors and, in an organization of any size, is likely to require the consideration of a large number of user groups and quite detailed granularity of access and service requirements, threat levels and incident handling. In many cases, not one but numerous security perimeters will be required, separating zones of differing risk and control.

Although the example used was an international domain site as a point of weakness, weaknesses can be anywhere in your organization, so a method of tracking and controlling as many areas of potential security risk as possible is necessary.

How much control do you need?

‘Granularity’ is the security term used to describe the degree of flexibility available in implementing security controls, but it is also a useful method of approaching this sort of analysis. At the top level, you are likely to have internal users, partner organizations, customers, suppliers and ‘other’ (which can include everything from the press, through hackers, to potential future employees). Here, access and service requirements can be tightly defined and, especially if your existing infrastructure allows for security gateways, control methods can be implemented. More problems are encountered when splitting these coarse user groups into finer gradations, while attempting to maintain ease of use and management for

the resulting operational systems. Access control methodologies such as Role-based and Rule-based systems do allow, if your applications permit, fine granularity within individual services (consider Unix or NTFS file permissions compared to the FAT file system), but the allocation of services is more complex and proper management of all the resulting systems is complex and inconsistent between vendors. If at all possible, a proper security policy description for each service needs to be obtained from the business sponsor — if you can find one! This should give you a basis to begin to plot…

Once the business requirements have been collected, collated and any conflicts sorted by management (following your helpful and detailed advice, of course), it is time to consider a risk analysis.

Analyse the risk

Although there are plenty of horror stories about the time and expense required for risk analysis using formal systems such as CRAMM, you can choose from a range of formal and informal methodologies, even if the analysis is required for an ISO 17799/BS 7799 security management scheme. Appropriately led, an informal corporate security analysis should be completed within a couple of days, and many project analyses can be completed in half a day. The level of detail will vary, of course, but do not be unnecessarily discouraged by other people’s experiences.

Who is in control?

Now, having requirements and risks, consider controls. This is a good point to make sure that you have a recent and accurate network diagram, representative if not complete. Considering only technical controls (you won't, surely, forget procedural and personnel controls, especially as

these rarely directly impact on budgets), you can consider boundary (on the perimeter), network (specialist security devices or equipment) and host-based technologies.

Control over internal access to resources needs to be established. Some data resources are sensitive (key projects), have legal protection (person-identifiable data), or have had a significant cost of acquisition. Some other resources (that expensive A2 colour printer or your TCP-connected security cameras) need to be protected against accidental or malicious abuse. The safest way, from a security protection rather than a job protection point of view, is to be aggressive when constructing your Access Control Lists. Make sure that you use permit lists rather than deny lists, and only allow access for accounts which are included in the business sponsors’ service descriptions. You will quite quickly find out if users cannot access something that they actually need!

Establishing an adequate security baseline, especially on an existing infrastructure, is a time-consuming and conflict-ridden occupation. It requires a tedious dedication to detail, plenty of work when others are enjoying a social life, and regular cooperation with management. You cannot guarantee results and you are likely to become a corporate Cassandra.
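As an added example that is not part of the article, the following Python (with constructed service and account names) builds the permit list described above from sponsor-supplied service descriptions, places the deny-list approach beside it to show how that fails open for any account nobody named, and audits an inherited ACL for access no sponsor asked for.

```python
# Added example (not from the article): a default-deny permit list built from
# the business sponsors' service descriptions, beside the deny-list approach the
# article warns against. Service and account names are constructed for the demo.
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the sponsors' descriptions: service -> accounts that
# the sponsor has explicitly said need access.
SERVICE_DESCRIPTIONS: Dict[str, Set[str]] = {
    "payroll-db": {"hr-payroll", "finance-audit"},
    "colour-printer-a2": {"design-team"},
    "security-cameras": {"facilities-ops"},
}
# Constructed deny list: only the accounts someone remembered to block.
DENIED_ACCOUNTS: Set[str] = {"contractor-expired"}

def permit_list_allows(service: str, account: str) -> bool:
    """Permit list: allowed only if the sponsor described this account for this
    service; an unknown service or an unlisted account is refused."""
    return account in SERVICE_DESCRIPTIONS.get(service, set())

def deny_list_allows(service: str, account: str) -> bool:
    """Deny list: allowed unless the account was named, so any account the
    list-maker forgot about gets in."""
    return account not in DENIED_ACCOUNTS

def fail_open_cases(requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Requests a deny list grants but a permit list refuses: access that no
    business sponsor ever asked for."""
    return [(svc, acct) for svc, acct in requests
            if deny_list_allows(svc, acct) and not permit_list_allows(svc, acct)]

def audit_existing_acl(existing_acl: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Compare an inherited ACL with the sponsor descriptions and report accounts
    holding access nobody described. A permit-list rebuild drops these entries;
    anyone who really needs one will tell you quickly."""
    excess: Dict[str, Set[str]] = {}
    for service, accounts in existing_acl.items():
        extra = accounts - SERVICE_DESCRIPTIONS.get(service, set())
        if extra:
            excess[service] = extra
    return excess

if __name__ == "__main__":
    # Constructed sample requests, including a service no sponsor described.
    sample = [("payroll-db", "hr-payroll"), ("payroll-db", "marketing-intern"),
              ("security-cameras", "contractor-expired"), ("old-wiki", "anyone")]
    print("deny list lets through:", fail_open_cases(sample))
    print("excess ACL entries:",
          audit_existing_acl({"payroll-db": {"hr-payroll", "marketing-intern"}}))
```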

Hopefully, your care and attention will limit the windows of opportunity for all the inevitable vulnerabilities and management will appreciate that your efforts are preventing your organization from getting all the wrong sort of press attention!
