Home Articles IT security: the Danish pastry approach

    IT security: the Danish pastry approach

    0

    aa17-aug-sep-2006-it-security-the-danish-pastry-approach

    You’re in a bind – the IT guy keeps yammering on about security and the scare stories fill the press, but the costs seem excessive. With no water-tight guarantees, most security ‘solutions’ look like expensive snake oil. Could the solution be concealed within a popular baked confectionery? Colin Lewis thinks so.

    As in so many other areas, having a ‘Plan B’ can help. Just like the ads for a certain Danish Pastry, ‘layer upon layer upon layer’ is what we need to look for in our search for effective IT security.

    Let’s look at what these layers might be, then see why the layered approach not only offers superior protection, but can also contain costs and ensure we really get value. Poor value is a common complaint, and a legitimate one. The slow leak of wasted money can hurt a business as surely as a high level security breach.

    1. Physical Security

    Many exploits depend on gaining direct access to a particular machine. Lock the door to the server room, and you immediately slash the risk of these attacks. Good physical security is not outrageously difficult, but does require some thought. Is there a false ceiling or floor that could allow the locked door to be easily bypassed? Have your computer room walls extended from concrete below to concrete above (use steel mesh if airflow is required). You won’t be completely secure, but that doesn’t matter unless you are a particularly juicy target. The key or pass to the computer room should be different to the one for access to the general office area, meaning an attacker has two separate hurdles to overcome.

    2. Firewall

    For attacks from outside, a Firewall represents a useful layer that can greatly limit an intruder’s options. Firewalls range from almost free to many thousands of dollars, but the value they offer depends almost entirely on how well they are configured. Unfortunately, a good configuration is a moving target, and will vary depending on how your company uses its internet connection. The rule of thumb is to block everything, then just open up the bare minimum needed to support the functions you need. It will need adjusting over time.

    3. Identity Management

    Simply, this is the system that provides confidence that the user-ID given rights to something is being operated by the right person. It’s no good restricting use of administrative tools to the LANLORD login if everyone knows the password to that account. In a well-designed system, there should be no need for anyone to know any password other than their own, including tech support staff.

    Enforce limits on concurrent logins, activate ‘intruder lockout’ options, enforce reasonable password length, complexity and age, consider the use of token or biometric systems if the value of your data warrants it. Once a user has authenticated, what they are authorised to do should be limited to what they need to do their job. Re-authentication to various systems should be avoided if possible to minimise the use of sticky-notes to keep track of multiple identities and passwords. Our potential attacker, whether in the office or on the internet, now needs to find a valid account with sufficient rights for the attack planned, and has a limited chance of guessing the password in time, or obtaining the necessary token (or fingerprint!).

    4. Anti-virus

    It’s about time to cue the layer most people think of when considering security – the Anti-Virus package. Anti-virus software is better at detecting old viruses than new, so having the up-to-date patterns from the vendor is critical. When assessing a package, the speed with which new patterns are made available after a new virus is detected, the ease of updating frequently (can you get an incremental update, or do you have to download the entire pattern file every time?), and the ease of ensuring all computers are protected should be primary considerations. Plenty of attacks are not viral, so this tool is insufficient on its own.

    5. Robust software

    Having less vulnerable software to start with is another layer of defence. While arguments about reasons for differing levels of vulnerability abound (“it’s not exploited much because it’s not popular” or “the architecture is inherently less secure”) the real issue is that some software is compromised more than the average, and some less. Look for the less. You will find that many Open Source products have an excellent track record on security; at least include them on your initial product selection lists.

    6. Up-to-date patches

    As vulnerabilities are found (or worse, exploited), patches or updates for software are released and should be applied promptly. It can be prudent to wait a day or three in case the patch itself has serious flaws. Subscribe to the security update notification services available for the products you use. Go one further and subscribe to a respected independent security advisory service, such as SANS (www.sans.org).

    7. Anti-Spam / Anti-Spyware

    Although these products are generally not as mature as anti-virus, they can assist by eliminating a helpful proportion of the threats. Anti-spam can use a similar concept to anti-virus patterns, either blocking matching items (black list), or allowing matching items and blocking everything else (white list). White lists certainly stop more spam, but the risk of missing an important message is much higher. The black list approach relies heavily on the quality of the list – DIY is too much effort, so a subscription service can be helpful, but only if it is rapidly responsive to changes. The other major anti-spam approach uses rules to identify spam on-the-fly. Those that use a probabilistic method (e.g. Bayesian filtering) seem to be more satisfactory in practice. Anti-spyware tends to be more reactive, to remove pests that have crept through your other defences.

    8. Logging & Auditing

    Most systems provide some logging capability, for troubleshooting or auditing purposes. This can uncover suspicious activity before damage is done, but only if the logs are actually looked at or even (shock!) analysed. To help reduce the time involved, Intrusion Detection, Intrusion Prevention or log analysis systems can at least partially automate this task.

    9. Processes

    Sound practices reliably followed will ensure that chinks don’t appear in our armour. A simple oversight can be disastrous, as several of our carefully-crafted defences can be bypassed at once. A wireless access point introduced by a staff member can allow direct access for an intruder to the internal network, and simultaneously offer the opportunity to gather user-ID and password information, or piggy-back on a legitimate session.

    10. User Common Sense

    Our final and arguably most important layer is User Common Sense, which is, as Voltaire reminds us, not common at all. Users who respond appropriately to potential threats provide the kind of protection that simply cannot be implemented as a technology (at least, not yet). (See: “Some rules of thumb”.)

    Training can alert employees to some of the more subtle ploys and help them understand enough of ‘how things work’ to make good judgements. But in the end, it will still be a judgement. The best approach is to make sure IT responds very promptly, so that when users are unsure, they’ll bother to call.

    Putting it Together

    You will have noticed that none of these defences are sure-fire guaranteed 100 percent solutions. A few rules will help us, however. First is the Pareto Principle, or the 80/20 rule. In this context, a 20 percent solution (cost-wise) can afford 80 percent of the protection of the ‘best’ solution. Perhaps we should stretch that a bit, and look for a 95 percent or 99 percent solution. The last one percent of performance can cost as much as the first 90 percent.

    The next principle that helps us is the miracle of compounding. A small protective effort at each layer snowballs to offer a robust defence against internal, external, intentional and accidental compromises of our systems and data. A one percent chance of failure compounded over our ten layers of protection equals a one in 100 quintillion chance of failure.

    If you can find a single security product that, used in isolation, offers a one in 100 quintillion chance of failing, buy shares in it! Feel free to dispute the failure probabilities; compounding still works.

    Don’t shell out megabucks for the state-of-the-art top-of-the-line whiz-bang product that comes complete with gold-plated tamping woggles and high-tensile sprunion pins; you’ll have nothing left for other defences and sooner or later it will turn out that your sprunion pins are easily bypassed with a blunt stick. Instead, consider all the layers of protection together. If that means you can only afford the silver-plating instead of the gold, so be it – your overall level of protection is still stronger. If one defence is compromised, the others are likely to hold until you can strengthen the weak point. This way, your spend is always optimised because you always focus it on the weak point. A stronger lock is a waste of money if your door frame is balsawood.

    Another factor in our favour is the criminal cost/benefit analysis. I learnt while at uni that if my old no-gears, footbrake-only, cracked-saddle excuse for a bike was unlocked next to a shiny new bike with 10 gears, centre-pull brakes, lights, drink bottle holder and alloy everything (OK, it’s a long time since I was at university), then unless the newer bike had a really good lock, mine was safe, being a less attractive target.

    While some hackers like the intellectual challenge, the crackers who are in it for money are a bigger concern. If our IT systems, while not perfectly secure, have multiple layers of protection, all but the most determined attacker will go looking for greener pastures. “Firewall! OK, I’ll have to use a different method. Bother! The password isn’t ‘password’. Aaaghh! They’ve applied the patch. D%$#@%! They’re not even running that other software. They’ve probably got someone actually checking the activity logs too – better go elsewhere before we get nabbed”


    Some rules of thumb…

    • A chain letter sent via email is still a chain letter.
    • No one in Nigeria is giving away vast amounts of money.
    • Banks do not require you to visit a website and re-enter your personal details to avoid account closure.
    • A pop-up message should always be read before clicking a button to dismiss.

    All of these potential threats can be easily dealt with using just a moment’s thought and a modicum of intelligence.


    Test the advice

    Next time your IT person or IT provider asks you to shell out, check which layer of your Danish pastry it represents. If you already have something there, but gaps elsewhere, consider whether you’re strengthening the weakest link, or gold-plating the strongest.


    Lather, rinse, repeat…

    Apart from regular anti-virus updates, and regular patches, it is important to periodically audit your system.

    Are processes still valid? Are they still being followed? Have configurations been ‘watered-down’? Have new threats arisen requiring additional defensive measures?

    A physical or social-engineering penetration test is often conducted with only the senior authorising executive being aware it will take place – people tend to follow the rules more closely if they know they’re being watched. It is essential that the agreement is clear about what the tester will and won’t do or attempt to do, set out in writing, signed by both the tester and the senior executive authorising the test. Remember, the difference between a cracker and a security expert is permission.

    Colin Lewis is a specialist in IT Risk Management at Horwath. He typically works with senior management and boards to help them get better value from their IT investments, keep their suppliers honest and understand what their IT staff is doing.

    [email protected]