Developer Product Briefs
Plan Your Defense Strategy
Concentrate on awareness, process, readiness, and privacy as you put your security plan into action.
Use these keywords and establish a security process of workflow patterns, procedures, and standards.
by Danielle Ruest and Nelson Ruest
November 1, 2004
Security. It's the biggest buzzword in IT today. No wonder. We face one attack after another from the Internet. Internal security threats used to be much more common than external ones, but that's changed. More and more of the attacks you must face today come from outside your corporate network. But the way to deal with these threats remains the same. You need to carefully put into place a security strategy that helps you prevent threats and deal with them when they arise.
Sure, you say. Everyone has a security strategy and everyone enforces it. If that's the case, then why are worms such as Slammer and Netsky still propagating? If everyone has such a great security strategy in place, why are large corporations brought to their knees with a viral infection? If everyone is so keenly aware of the security threats, why do users still open unknown e-mail messages with unknown attachments?
It's obvious that hackers and malicious users will not go away. It's also obvious that even though we've all raised our level of consciousness on security issues, it's still not enough. We must get together and do something about it, both individually and as an industry. This is starting to happen. Take Microsoft, for instance. Every Microsoft user has suffered to some degree in the last few years just because he or she is a Microsoft customer. Microsoft is a prime target for malicious hackers for a couple of reasons.
First, some people resent Microsoft's success enough to continually attack its products. We can't tell who these people are, but the animosity of some of the company's competitors and of part of its user community might have something to do with it. Second, like most software vendors, Microsoft has been quite slack in the past on good coding practices and has left numerous holes in its software: holes that were just waiting for someone to exploit. For example, more than 800 patches and hot fixes exist for all of Microsoft's products. That's a lot of patches.
Put the two together, and you have a serious security issue. The problem isn't so much that Microsoft suffers when someone exploits a potential hole; it's that Microsoft's customers suffer. This is what makes it so painful for all of us. Hackers who attack Microsoft have an impact on the company's reputation, but in the end, the Microsoft user community is the target of all this malicious intent. That's just pure evil.
Nevertheless, some good has come out of this. Microsoft has finally begun to take this threat seriously and make its software better and more secure. Just look at what's coming with Service Pack 2 for Windows XP (see "Patching Windows Security"). The entire service pack is oriented toward security. By default, the millions of business and home users of Windows XP will have a secure installation, right out of the box. Now, if that isn't a change in philosophy, what is? It's no wonder Microsoft has taken so much time and invested so much effort in making sure the service pack works right the first time. The service pack will go a long way toward making even the home system a more difficult target, for systems using XP, that is.
Once again, Microsoft's detractors will say the service pack is a ploy on Microsoft's part because it wants to force everyone to upgrade to XP to make more money. Be that as it may, do you know any companies that are in business to continually fix and update older versions of their products? The car industry provides a good example. Only rarely, and only for significant security risks, will car manufacturers recall an older version of a car model to make significant repairs on it at their own cost. Most of the time, once the warranty is over, you're on your own. Yet, people haven't stopped buying cars because of this policy. Why should we think it would be different with the software industry? Software security is not and has never been only the manufacturer's responsibility. Users must be responsible at some point, too.
Given this state of affairs, what can you do to make your IT world more secure, especially if you've decided to use Microsoft technologies as part of your system stack? For one thing, you can get more serious about security. You've probably heard it all before, but it's true. To live in a more secure world is not impossible. Despite the ravages from some of the more recent worms and vulnerability exploits, some companies emerge unscathed from all attacks. What do they do differently from everyone else? They use a specific strategy and they invest in security. To make it simpler to proceed, we present 10 keywords in our series of articles (see the sidebar, "10 Security Keywords") that can help make your world a little more secure than it is today.
The first keyword is awareness, as in raising your user community's level of awareness about security. For example, one of the most important things your users need to know is not to open attachments from unknown senders. You must communicate to your users how to examine an unknown e-mail message. Here's an example of what they need to know when they receive an e-mail from an unknown sender:
- First, is there an attachment? If so, proceed with caution.
- Second, does the name of the sender mean anything? If you receive a message from firstname.lastname@example.org, you should be aware that Microsoft's policy is never to send attachments from such an e-mail address. Many other vendors also use the same policy.
- Third, what does the e-mail address look like? Outlook has the ability to show not only the name of the sender, but also the e-mail address used to send the message. You should train users to examine this e-mail address before doing anything with a message (see Figure 1).
- Fourth, what is the subject line? Subject lines that start with "Re:" are in response to another, original message. Get your users to take note and ask themselves if they have sent a message with this subject before.
If users can't answer all these questions satisfactorily, they should destroy the message. Of course, this doesn't always work, but it works most of the time. In addition, this entire strategy works only if users see the preview pane in the message box and make a habit of looking at the message through this pane before moving on. This means your corporate messaging client configuration must show the preview pane. It must also be set not to mark messages as read once a user moves from one message to another, because many viruses are waiting for that event to perform their malicious acts.
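The four questions above, turned into an automated check as an added example (not code from the article): the vendor-to-domain table and the sample message are constructed assumptions, and the check only surfaces the same warning signs a trained user would look for.

```python
"""Added example (not from the article): apply its four e-mail questions to a
raw message and list the warning signs a user should notice before acting."""
import email
from email import policy, utils

# Assumption: a vendor named in the display field implies a sending domain;
# extend this for your own vendors. The real address beats the displayed name.
EXPECTED_DOMAIN = {"microsoft": "microsoft.com"}

# Constructed sample: an unsolicited "reply" carrying an attachment, from a
# display name that does not match the address it was actually sent from.
SAMPLE = b"""From: "Microsoft Support" <updates@mail-example.invalid>
To: user@corp.example
Subject: Re: your account
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Please open the attached file.
--b
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"

MZ
--b--
"""


def triage(raw: bytes, sent_subjects: set) -> list:
    """Return the warning signs found; an empty list means every question was
    answered. sent_subjects: subjects the user has sent, to vet a "Re:"."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    # 1. Is there an attachment? If so, proceed with caution.
    if any(p.get_filename() for p in msg.iter_attachments()):
        flags.append("attachment")
    # 2 and 3. Does the displayed name agree with the address actually used?
    name, addr = utils.parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    for vendor, expected in EXPECTED_DOMAIN.items():
        if vendor in name.lower() and not (domain == expected or domain.endswith("." + expected)):
            flags.append("sender name does not match address")
    # 4. A subject starting with "Re:" should answer something the user sent.
    subject = str(msg["Subject"] or "")
    if subject.lower().startswith("re:"):
        if subject[3:].strip().lower() not in {s.lower() for s in sent_subjects}:
            flags.append("reply to a message never sent")
    return flags
```

Any non-empty result is the cue the article gives: the user could not answer every question, so the message should be destroyed rather than opened.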
Communicating these types of issues to users on a regular basis should be part of a comprehensive user awareness program that you implement. This program should aim to demystify security for all audiences in your network. It should not only provide messages on a regular basis (a monthly program works for most organizations), but it should also provide content for each audience that's tailored to the group's technical expertise level.
For example, a message on reading unknown e-mails should explain to users how to identify potential threats; for managers, it should highlight the business cost of viruses; for technicians, it should explain how the threat works; and for support personnel, it should explain how to correct the problem and remove the threat if activated. Numerous sources of this kind of information can help address the different audiences you must reach (see Resources).
Work with your internal communications group to implement your communications program. You'll be surprised at how many ideas the team has to make it more effective. You can then publish the information on your intranet home page or simply e-mail it to everyone.
Build a Core Process
The second keyword is process. Processes consist of workflow patterns, procedures, and standards. This means structuring the way you deal with security issues, from the way you install servers and workstations, to the way you manage patches, to the way you respond to security issues when they arise. This also includes the processes that surround attacks and reactions to attacks. For example, if you want your communications program to work properly, you need to supplement it with policies, procedures, and system configurations. The integration of all of these comprises a security communications process.
Processes are at the core of defense planning. They should cover these aspects of your defense plan:
- Threat assessment: This process should include a description of the different attack types and a rating system identifying the likelihood of a given attack type occurring in your network. It should also include two response strategies: proactive and reactive. You use proactive response when you hear about a potential threat and you want to make sure you're prepared for it. You use reactive response, of course, when you have been affected by a threat. You can use different approaches for both (see Figure 2).
- Risk assessment: This process should include an identification and categorization of potential risks to both your business and your IT operations. One of the easiest ways to perform the categorization is to calculate risk using this formula:
risk = asset value * risk factor
For example, an asset valued at $1 million with a risk factor of 0.2 has a risk value of $200,000. This means you can invest up to $200,000 to protect that asset and reduce its risk factor. Once you've calculated your risk factors, you should prioritize all the risks you have identified and address them in order.
- Monitoring procedures: This process is your watchdog process. It focuses on watching network activity. For this you'll need proper monitoring software such as Microsoft Operations Manager or another similar tool. These tools monitor events on your servers and alert you when an untoward event occurs. You can supplement this monitoring strategy with additional tools. For example, if you have critical files that need extra protection, you can use special software to monitor the status of those files. One such tool is Tripwire for Servers (see Resources), which monitors any changes to server configurations or files.
- Attack reaction plan: This plan should clearly identify the members of the response team, the procedures they should use to respond to different event types, and the escalation procedures they should use to pursue attackers and deal with more complex threats.
- Recovery program: In the event of a devastating attack, you should have a process in place to recover your systems and any lost data. This is part of your business continuity planning.
All these processes should be based on standard operating procedures that are clearly documented and easy to follow when the time comes.
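The file-monitoring step of the watchdog process above, as an added example that is not the article's code and not Tripwire's: it baselines the hashes of a directory of critical files and reports what was added, removed or modified, which is the check such a tool automates and schedules across a server. The directory contents and the tampering are constructed for the demonstration.

```python
"""Added example (not the article's or Tripwire's code): a minimal file
integrity baseline and comparison, the check a tool such as Tripwire for
Servers automates and reports on across a whole server."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences so each kind can raise its own alert."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a config directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        with open(os.path.join(root, "conf", "app.ini"), "w") as fh:
            fh.write("debug=false\n")
        with open(os.path.join(root, "conf", "users.txt"), "w") as fh:
            fh.write("alice\n")
        baseline = snapshot(root)  # keep the baseline off the monitored host
        # Simulated changes: a config edit, a deleted file and a new binary.
        with open(os.path.join(root, "conf", "app.ini"), "w") as fh:
            fh.write("debug=true\n")
        os.remove(os.path.join(root, "conf", "users.txt"))
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(b"\x00")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is stored; a copy kept on the server it describes can be rewritten along with the files it protects.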
To go along with the processes you have prepared, you must be ready to respond, so readiness is the third keyword. Three different situations require a response. The first is when a problem occurs. Your team must be ready to act, sometimes with only a few moments' notice. When an attack occurs, you must be ready to shut down everything if necessary.
The second situation involves a known security flaw. If you are aware of a security flaw and you don't respond to it, you're asking for trouble. More and more of the security threats organizations face today stem from known flaws that have not been patched as soon as the fixes were available. It's hard to believe, but many organizations still don't have a patch management strategy in place (see "Manage Patches and Updates").
The final situation doesn't arise from an event or a security flaw, but it requires a response nonetheless. You must proactively do what it takes to secure your systems. If this means removing administrative rights from senior management staff, so be it. In today's Windows 2000, Windows XP, and Windows Server 2003 world, there's no reason for anyone to operate a productivity environment with administrative credentials. If this means going head to head with management or users with "political" clout, then do it. If you don't, you're leaving yourself open to attack and the rising costs incurred when security breaches happen.
The fourth keyword is privacy. One of the most important aspects of security is the protection of private information such as your social security number, your tax identification number, your credit card numbers, and so on. With the massive integration of private information in electronic form, it's becoming much easier for malicious individuals to obtain personal information.
In addition, privacy laws are constantly changing as they try to adapt to electronic information dissemination mechanisms. It pays for individuals to keep abreast of privacy and other issues. Several specialized Web sites can help in this regard (see Resources). It is a good idea to include information about current privacy issues in the monthly security newsletter you send to your users.
But privacy does not only occur outside your network. Your own users have a right to their privacy. One common breach of privacy is when support personnel ask users for their passwords. Passwords are highly private information. Because of the complexity of maintaining and remembering multiple passwords (does anybody really have only one password?), users often use password schemes to make the passwords easier to remember. As soon as users give away one password, the recipient can guess the scheme, rendering all the passwords compromised. One of the key points in your security newsletter should be that users should never give their passwords to anyone at all, for any reason, ever.
These first keywords focus on the human aspects of security. Our other articles in this Security Special Report delve into both human and technical aspects. "Serious Perimeter Security" deals specifically with securing the perimeter, a boundary that's becoming more and more nebulous as technologies and our use of them evolve.
About the Authors
Danielle Ruest and Nelson Ruest (MCSE, MCT) are multiple book authors focusing on systems design, administration, and management. They run a consulting company that concentrates on IT infrastructure architecture and change and configuration management. You can reach them at email@example.com.