1
Information Security: The Big Picture - SANS GIAC
© 2000
1
Information Security:
The Big Picture – Part II
Stephen Fried
2
Information Security: The Big Picture - SANS GIAC
© 2000
2
International Standards &
Policies
• Trusted Computer System
Evaluation Criteria (TCSEC –
Orange Book) (1985)
• Trusted Network Interpretation
(TNI) (1987)
•ITSEC
In most industries there is a common set of rules and procedures that govern that industry. The rules may be imposed by
the industry itself or they may be imposed by governmental and legal requirements. Examples of such standards in the
US would be the Uniform Commercial Code that governs commercial transactions across the United States, or various
national and local building codes that govern how structures are to be built.
Many attempts have been made to standardize the practices and policies across the security industry as well.
Unfortunately, because the information security field has been constantly evolving over the last several decades, there has
been no unified consensus on what constitutes good security practice, how those practices should be defined, and how
security should be measured. However, over the years several attempts have stood out as having considerable merit and
weight, and thus have risen to the level of standards. In some areas, such as government computer security, these
standards are mandatory. A side effect of these has been that private industry has picked up on them as well.
One of the first standard attempts was the Trusted Computer System Evaluation Criteria, or TCSEC. It is also known
as the Orange Book, because of the bright orange cover in its original printing. The TCSEC was developed by the US
government in the 1980’s to provide a standard for manufacturers as to what security features to build into new
government systems. It was also used as an evaluation criteria for the government to determine the degree of trust that
can be placed in a computer system. The TCSEC divided security into four levels, labeled A through D. Some of the
levels had several different sub-levels, so the highest rating a system could achieve was A1, while the lowest was level D.
Despite several problems with certifying and implementing the requirements in systems that were actually usable, the
TCSEC served its intended purpose for many years.
One shortcoming of the TCSEC was that it was valid only for stand-alone computers. If a computer was connected to a
network it was no longer eligible for TCSEC evaluation. Thus, in 1987 the US Government developed the Trusted
Network Interpretation to the TCSEC, or TNI. The purpose of the TNI was to provide interpretations of the TCSEC
for trusted computer and communication network systems.
One aspect of the TCSEC that gained wide criticism was that it addressed primarily confidentiality issues and largely
ignored integrity and availability issues. In addition, the TCSEC was a US government effort. Many countries,
particularly in Europe, felt it did not address international issues. As a result, several European countries developed the
International Technology Security Evaluation Criteria, or ITSEC. The ITSEC combined the Orange Book criteria
with several of its European counterparts. In addition, it covered the integrity and availability issues that the TCSEC
lacked.
3
Information Security: The Big Picture - SANS GIAC
© 2000
3
International Standards &
Policies
• Common Criteria
• BS7799
The Common Criteria represents the outcome of international efforts to align and develop the
existing European and North American security evaluation criteria. The Common Criteria project
harmonizes ITSEC, the CTCPEC (from Canada) and US Federal Criteria (FC) into the Common
Criteria for Information Technology Security Evaluation (CC). The purpose of the Common
Criteria is to evaluate products and systems and for stating security requirements in a standardized
way internationally. It is increasingly replacing national and regional criteria with a worldwide set
accepted by the International Standards Organization. Like the TCSEC, the Common Criteria has
seven assurance levels, labeled EAL1 up to EAL7. Each level has a rough counterpart in the
TCSEC. Currently, government agencies from Canada, France, Germany, the Netherlands, the
United Kingdom and the United States sponsor the project. The latest version has now been ratified
as ISO standard 15408.
The latest entry in the standards effort has come from the United Kingdom. The BS7799 standard
was developed in 1995 to provide a comprehensive set of controls comprising the best practices in
information security. It is intended to serve as a single reference point for identifying the range of
controls needed where information systems are used in industry and commerce. The latest revision
to BS7799 was published in 1999. Of all the international standards efforts, BS7799 seems to be
gaining the most support globally.
4
Information Security: The Big Picture - SANS GIAC
© 2000
4
Due Care
• Legalese
– Conducting business in a non-negligent
manner
– Doing what any “reasonable person” would
do under similar circumstances
– Usual and customary conduct
• English
– Doing what everyone else does that is
prudent and common to protect your
interests
In many aspects of security, you will meet up with the concept of due care. You can see some of the
legal definitions in the slide, but, in short, due care is the concept of implementing security measures
that are generally accepted to be prudent and common. If everybody is doing something, you should
be doing it, too.
Why is due care important? It gives you basic legal protection against negligence. If you have a
security incident and, for some reason, you get sued, you will need to be able to show that you at
least took the generally accepted and reasonable steps to secure your systems and information. This
doesn’t mean you need to have done everything possible and installed all the latest and greatest
security mechanisms, you just have to have taken the generally reasonable precautions.
Proving your due care efforts will not guarantee that you will successfully defend against any
lawsuits. It only means that you will probably not lose outright.
Practicing Due Care standards also does not mean that you will have an extremely effective security
defense. Remember, due care means you have taken basic, minimally accepted steps. It does not
mean that you have done all you could have done. To have an effective security program you will
have to do everything you can do to ensure complete coverage of all aspects of security protections.
Due care is a good place to start, but you don’t want to stop there.
5
Information Security: The Big Picture - SANS GIAC
© 2000
5
Policies
• The cornerstone of your security effort
• Should reflect your security stance
• Let people know what’s expected
• Define Rules of the Road
– Responsibility
– Accountability
–Consequences
• Should reflect your organization
• Should change as circumstances change
All organizations need to have a security policy. The security policy is where you define how your organization
feels about security and how those feelings affect the members of the organization. In effect, the security policy
becomes the cornerstone of the security effort. The security policy should reflect your security stance. Do you
support strong, restrictive security efforts (as most corporations do) or is your environment more open (like
many academic environments)? These answers will have a bearing on your overall stance and be reflected in
your policies.
Security policies also let people know what is expected of them. You can’t hold people responsible for
following the rules if they don’t know what those rules are. Clearly defined policies, when combined with an
effective awareness program, will go a long way toward enhancing your security efforts.
Security policies effectively define the rules of the road for your organization. First, they define who has
responsibility for what activities and who needs to take action based on those responsibilities. Second, they
define who has accountability for activities. Often, the people or groups responsible for executing a function are
acting on behalf of another group that has ultimate ownership and accountability for that activity. Your policies
should acknowledge this duality and account for it. Finally, the policies should explain the consequences for not
following the policies. These consequences may be monetary fines, disciplinary action, or even civil or criminal
penalties.
Your security policies should ultimately be a reflection of your organization, and you can learn a lot about an
organization by examining its security policies. You can tell what areas are important to the organization and
what areas they are less concerned about. You can learn if they are a permissive company or a restrictive one.
You can tell how they feel about Internet access, personal use of e-mail and computers, handling of sensitive
information, and a whole host of other organizational traits.
No matter how much effort you put into creating your security policies, and how complete you may feel they
are, you must leave room for change. Organizations change over time, and the way you feel about some aspects
of security may not be the way you feel a year or two from now. You need to leave room in your policies for
change. This change can come from within the security organization or it may come from your user or business
partner community. Whatever the source, you need to account for change in your policies.
6
Information Security: The Big Picture - SANS GIAC
© 2000
6
Security Through Obscurity
• Hiding security mechanisms in an
attempt to keep it secure
• Use trade secrets, patents, NDAs, etc.
• Will only delay, not stop, attacks
– The Bad Guys already know how to get in
– Provides a false sense of security
• Be cautious, but not paranoid
• Best security is open, available, and
verifiable
Many people believe that security is all about secrecy. The belief is that the more you keep
information about your security mechanisms hidden, the harder it will be for potential attackers to be
successful. This is commonly called “Security Through Obscurity.” We see this in many
examples in real life. Software companies won’t discuss the details of their product’s security for
fear it will be attacked. And some companies won’t discuss their security policies for fear of giving
away company secrets.
There are other ways to keep security information secret. Many products that use proprietary
algorithms will use patents or trade secret laws to hide their mechanisms. Some companies use Non-
Disclosure Agreements to protect their security processes from disclosure, and the list goes on.
However, these efforts fail to realize one of the basic truths about security and security mechanisms:
sometimes the best security mechanism is one that is out in plain view for all to see. The best
security in use today, from locks, to access controls, to encryption systems has been used for a
number of years. It has been reviewed by experts numerous times and been continuously refined
based on their findings. There are no secret keys, no back doors, and all known attacks have been
documented and hopefully corrected. Hiding the security mechanisms will only delay the bad guys
for a while, if at all. Worse yet, reliance on Security Through Obscurity provides a false sense of
security for the user. They may feel they are protected by the so-called “secret formula,” but in
reality they are relying on a possibly unproven technology or mechanism.
The moral of this story is that customers, vendors, and users of security should be cautious about the
secrecy of the mechanisms. They should have a solid understanding of how it works and have a high
comfort level that the mechanism fits its security needs. But they shouldn’t be too paranoid about the
secrecy of the process. Again, the best security available is open and available. It has been verified
by experts in the field and enjoyed extensive use and testing. Avoid Security Through Obscurity as
much as possible.
7
Information Security: The Big Picture - SANS GIAC
© 2000
7
Business Continuity
Planning
• “What if something bad happens?”
• Business Continuity vs. Disaster
Recovery
• Multiple layers, multiple plans
• Y2K – The Ultimate BCP
An important part of your operational strategy should be the formulation of a business continuity plan. The business continuity plan
answers the question, “What if something bad happened to my business?” The “something bad” may vary. It can be as simple as a disk
crash or as serious as a large building fire, but it means some sort of interruption to your business, and you better be prepared.
My office building sits right next to a major interstate highway in New Jersey. Three or four times a year some clown driving a tanker
truck of dangerous chemicals decides to flip over his rig on the highway. Occasionally, we even have to evacuate the building until the
chemicals are cleared away. Does my facility have a business continuity plan? You bet! Would we be able to continue our operation in
the event we were not able to return to the building for a few days? Yes, we would. A well-planned business continuity plan enables you
to anticipate emergencies instead of just reacting to them.
You may often hear the terms “Business Continuity” and “Disaster Recovery” used interchangeably, and in many cases they mean virtually
the same thing. However, there is a slight difference between the two. The term “Business Continuity” refers to the activities required to
keep your organization running during a period of displacement or interruption of normal operations. Even if your building burns down,
your customers still need their orders filled and your creditors still want their money. You need to be able to get back into operation as
quickly as possible. That’s business continuity.
“Disaster Recovery” is the process of rebuilding your operation or infrastructure after the disaster has passed. It is linked to your business
continuity plan, but it is a separate and distinct process. Once you have enacted your business continuity plan to keep your business
running during and after the disaster, you enact your disaster recovery plan to begin the process of getting your business back into
“normal” operation.
Business continuity planning can be an extremely complex task. For one thing, there are often multiple layers of planning. Starting
simply, you may have a plan for a disk or tape failure in your data center. Next, you might plan for a major application to crash,
potentially losing vital information. Next, you may plan for a major building fire or explosion in your data center.
Then, things get interesting. What if there is a nuclear explosion and your town is uninhabitable for the next century or so? A wild
example? Not if you work for the Chernobyl Power and Light Company. What if a truck bomb explodes in front of your building, killing
dozens of your employees. Sound farfetched? Not if you work for the Federal government in Oklahoma City. True, these may not be
everyday occurrences, but depending on your business, your location, or any number of other factors you may have to take these types of
situations into account. A complete, well-thought-out business continuity plan will have multiple layers and multiple plans to handle a
wide variety of situations.
Perhaps the most widely known business continuity plan was the Y2K effort. Unless you have been living in a cave for the past five years
or so, you know all about the Y2K planning effort. Many of you were probably involved in these efforts at your jobs. A major part of
Y2K planning was preparing for the worst. What if the power failed? What if the communication lines went dead? All these scenarios
had to be examined and dealt with, making Y2k possibly the largest business continuity planning effort in history.
8
Information Security: The Big Picture - SANS GIAC
© 2000
8
BCP Steps
1. Define Scope
2. Business Impact Analysis (BIA)
3. Recovery Strategy
4. Recovery Plan
5. Implement the Plan
6. Test the Plan
7. Modify the Plan (continuously)
There are a number of basic steps that have to be performed in order to create a good business continuity plan.
First, you have to define the scope of the plan. Are you worried about a single application failure or a major network outage? If you
make the scope too small you will need a separate plan for each individual element in your operation or organization. If you make the
scope too large you risk getting bogged down in too much detail and interdependency between parts of the plan.
Next, you must perform a Business Impact Analysis, or BIA. The BIA will help you determine the actual impact to your business
the defined disaster will have. The BIA should account for all the processes and organizations upon which the target area relies as
well as all the processes and organizations that rely on the target for their own operation. Once you have completed the BIA, you will
have a good idea how much effort you need to put into business continuity plans for the target area as well as the areas of dependent
operations.
Next you need to define your recovery strategy. This is the statement of overall intent with respect to business continuity. Do you
intend to recover fully or just write-off the lost part of the business? Do you want to use fully-redundant systems or just a few cold
spares? These issues define how you will approach your BCP and DR efforts.
Next you will develop the actual business continuity plan. This is the tactical, step by step process for enabling your business to
continue during an emergency. In the plan you will define who is responsible for what activities, when those activities should take
place, and how they should operate. The plan should be clear enough that anyone can pick it up and begin implementing it.
Next, you need to implement the plan. No, this doesn’t mean creating an actual disaster to see if your plan works, but it does mean
putting everything in place to make sure you are ready. Make sure people know what their responsibilities are and make sure all the
resources and equipment you need to enact the plan are in place before you need them. When the disaster hits it is too late.
Next, you need to test the plan. Again, you don’t need to create a real disaster, but you can simulate one well enough to see if your
plan works. Test if the right people are in the right place at the right time, and make sure they have all the resources they need to get
the job done. Testing the plan is the only way to ensure all will work well when an actual disaster strikes.
Once you test the plan you will undoubtedly find things that did not go strictly according to plan. Or, you may find that some
conditions have changed since the plan was originally developed. For these reasons you need to continuously modify the plan,
keeping up to date with whatever changes need to be accounted for.
By following these simple steps, you will be well on the way toward creating a robust business continuity plan.
9
Information Security: The Big Picture - SANS GIAC
© 2000
9
User and Role Based
Security (1)
• User Based – Access is assigned per
user
– Easy to understand
– Good for small groups of users & objects
• Role Based – Access is assigned by
“roles”
– Better for large numbers of users/objects
There are many methods of assigning access to systems and information in a computer system or
network. One method is called “User Based” security. In user based security, each user is given a
unique identity in the system. Each time the user tries to access an object, for example a file or a disk
drive, the user’s identity is checked against a list of the users that are allowed to access that object. If
the user is on the list, they pass. If the user is not on the list, their access is denied.
User based security works well in a variety of situations. It is also the easiest to understand. For each
object, all you need to do is come up with a list of people that are allowed to access that object.
Unfortunately, user-based access security begins to break down when you reach a high level of
objects and a large number of people that need to access those objects. For example, suppose you
have ten users and ten objects that they need to access. In the worst case (assuming you want the
tightest security possible) you would need 100 specifications (10 * 10) to make sure you covered
each person and each object. Maybe a hundred isn’t that bad, but if you have 150,000 users and a
couple of hundred thousand objects, it gets unmanageable pretty fast.
One answer to this problem is called “Role Based” security. With role-based security, each user is
assigned not only an ID on the system, but also a role to play. Each object is then given a list of what
user roles are allowed to access that object. For example, suppose you had roles for Secretary,
Engineer, and Accountant. Each user in your system would be assigned to one of those three roles.
Each object in the system would then be tagged as being accessible by Secretaries, Accountants, or
Engineers. You will still need to tag each item as to which role is permitted access, but role-based
access makes it a lot easier. Using our previous example of ten users and ten objects, we will now
split the users into the 3 roles. Assuming there are 3 secretaries, 3 engineers, and 4 accountants, each
object will then only need at most 3 entries, one each for Secretaries, engineers, and accountants.
This leaves a maximum of 30 entries, rather than the 100 in the previous example.
10
Information Security: The Big Picture - SANS GIAC
© 2000
10
User and Role Based
Security (2)
• As people change jobs, “roles” change
• As people enter and leave organization,
roles are assigned and removed
• As objects and applications change,
roles can be re-assigned accordingly
One of the big advantages of role-based security is that by assigning someone to a particular group,
access permissions to objects can be automatically assigned without changing any of the permissions
on the objects themselves. If a file is permitted to be viewed only by the Accountant group, by
assigning a user to the Accountant group you are automatically giving them permission to that file.
The better you determine and assign your roles, the better you can control access to your resources.
Second, as people change jobs and roles in your organization their access changes automatically.
When the secretary gets promoted to the Accounting department, by changing their role from
Secretary to Accountant, you automatically give them access to a completely different set of objects
quickly and easily.
Third, as people enter and leave the organization, their role in the access control mechanism will be
fairly straightforward and clear. Depending on the job they are doing, you assign them a role and off
they go. There is no need to determine what resources they need to access, that has already been
predetermined.
Finally, as objects and applications change, you can change the user roles that are allowed to access
those objects and applications. If you decide that the Engineers no longer need access to an object,
you don’t need to figure out what users are Engineers, you just remove access to the Engineer role.
Role-based security is not the last word in access control, but when used effectively it can be a
valuable tool in controlling access to resources on your network.
11
Information Security: The Big Picture - SANS GIAC
© 2000
11
Security Organizations
• Computer Security Institute (CSI) – www.gocsi.com
• System Administration, Networking, and Security
Institute (SANS) – www.sans.org
• International Information System Security Certification
Consortium (ISC)
2
– www.isc2.org
• Information Security Forum (ISF) –
www.securityforum.org
• Computer Emergency Response Team (CERT) –
www.cert.org
• Computer Incident Advisory Capability (CIAC) –
www.ciac.org
As you progress in the information security field there are a number of ways to get more involved in the security community. One way is through
association and memberships in any number of national or international organizations devoted to the advancement of the security profession. This slide
shows most of the more popular and reputable organizations. Please note that the information I have on these organizations was taken mostly from the web
sites of the various organizations themselves.
The Computer Security Institute (CSI) is a membership organization specifically dedicated to serving and training the information, computer and
network security professional. Since 1974, CSI has been providing education and aggressively advocating the critical importance of protecting information
assets. Information on CSI can be found at www.gocsi.com
The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization through which more than
96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they
face. SANS was founded in 1989. The core of the Institute is the many security practitioners in government agencies, corporations, and universities around
the world who invest hundreds of hours each year in research and teaching to help the entire SANS community. The SANS community creates three types
of products: system and security alerts and news updates, special research projects and publications, and in-depth education. SANS can be found at
www.sans.org.
The International Information System Security Certification Consortium (ISC)² is an international organization dedicated to the certification of
Information Systems Security professionals and practitioners. (ISC)² grants the "Certified Information Systems Security Practitioner" (CISSP) designation
to information systems security practitioners. Candidates are required to pass a rigorous CISSP examination and subscribe to the (ISC)² Code of Ethics.
(ISC)2 can be found at www.isc2.org.
The Information Security Forum (ISF) is an independent, not-for-profit association of the world's leading organizations who recognize the importance
of protecting their business information. The Forum undertakes an extensive work program, and provides members with the opportunity to develop best
practices and share a wealth of experience and expertise. Funded by a substantial membership fee, the Forum helps to ensure that members can adopt
leading edge security practices - without incurring the expense of developing individual solutions. ISF can be found at www.securityforum.org.
The CERT Coordination Center is part of the Survivable Systems Initiative at the Software Engineering Institute at Carnegie Mellon University. It was
started by DARPA (the Defense Applied Research Projects Agency, part of the U.S. Department of Defense) in December 1988 after the Morris Worm
incident crippled approximately 10% of all computers connected to the Internet. Originally, their work was almost exclusively incident response. Since
then, they have worked to help start other incident response teams, coordinate the efforts of teams when responding to large-scale incidents, provide
training to incident response professionals, and research the causes of security vulnerabilities, prevention of vulnerabilities, system security improvement,
and survivability of large-scale networks. CERT can be found at www.cert.org.
The Computer Incident Advisory Capability (CIAC) provides on-call technical assistance and information to Department of Energy (DOE) sites faced
with computer security incidents. CIAC also provides awareness, training, and education; trend, threat, vulnerability data collection and analysis; and
technology watch. CIAC was established in 1989 to serve the DOE Community. CIAC is one of two oldest response teams and is recognized nationally
and internationally for its contributions to the Internet community.
There are also many other organizations, associations and clubs that one can join to learn more about computer, network and information security.
12
Information Security: The Big Picture - SANS GIAC
© 2000
12
CISSP Certification
• Certified Information Systems Security
Professional
• Demonstrates basic competency in
information system security
• Based on the Common Body of
Knowledge
• Must pass exam to qualify
• Continuing education requirements
One way to demonstrate your knowledge of information security practices is by becoming a Certified Information
Systems Security Professional, or CISSP for short. The CISSP certification is a designation given to those security
practitioners that demonstrate a basic competency in various topics related to information security. The exam and the
certification program is administered by the International Information System Security Certification Consortium, or
(ISC)
2
.
The examination is based on knowledge in ten areas of security that every practitioner should know. The ten areas are:
• Access Control Systems and Methodology
• Computer Operations Security
• Cryptography
• Application & System Development
• Business Continuity & Disaster Recovery Planning
• Telecommunications & Network Security
• Security Architecture & Models
• Physical Security
• Security Management Practices
• Law, Investigations & Ethics
It is expected that a CISSP should have a general understanding of each of these ten areas. In order to receive a CISSP
certification, a candidate must pass a difficult 250 question multiple choice exam covering each of the ten areas. Once the
candidate passes the exam, he or she must obtain 120 credits of continuing security education in order to maintain the
certification.
The CISSP designation is not an indicator of how good a security person is, but it does give an indication of their basic
competence and their ability to understand and apply good security principles and concepts. Just as there are bad lawyers
that have passed the bar exam and bad accountants that have passed the CPA exam, a CISSP designation should not be
your only guideline as to the general knowledge and ability of a security person. But it is a good place to start.
13
Information Security: The Big Picture - SANS GIAC
© 2000
13
GIAC Certification
• Sponsored by SANS Global Incident
Analysis Center
• Geared toward industry practitioners
• Based on class learning and practical
experience
Another certification track is the Global Incident Analysis Center (GIAC) Certification Program. The
program was established by the SANS Institute to serve the people who are or will be responsible for
managing and protecting important information systems and networks. GIAC consists of a number of
courses, offered both in person and on-line, examinations, and practical experience.
Unlike the CISSP exam, in which candidates need only pass an examination to obtain certification,
GIAC candidates must also demonstrate applied knowledge before obtaining certification. GIAC
candidates create portfolios of materials proving that they have actually done many of the important
tasks that will be required of them on the job.
Like CISSP and other certifications, GIAC training and certification provides a value both to
professionals and their employers. For security and system professionals, GIAC offers added
confidence that they know what tasks need to be done first to protect their systems and that they have
the knowledge and skills needed to do those tasks. GIAC offers them continuous access to updated
information so they can keep their skills and knowledge current.