IT Security: A Plan Of Action
Managers in government agencies must realize that computer security cannot be left to providence. In fact, since Sept. 11, obligations to secure computing systems have expanded more quickly than at any time in the recent past under such schemes as the Critical Information Protection Program and, under President Clinton, Presidential Decision Directive 63. What’s more, in the past year or so, threats have scaled up in size, frequency and virulence.
Ten years ago, the information technology (IT) manager could keep a copy of his security plan on hand to show off after a breach had made security the topic of the day.
Today, the destructive power of some cyber-attacks is too great to risk — many have the potential to make data unrecoverable. Internet Security Systems (ISS) reported late last year that “the damage from attacks is shifting from single Web site defacements to large-scale attacks affecting critical systems that are more damaging and costly.” A primary target is government sites with the U.S. government successfully deflecting more than 6,000 cyber-attacks, many of which were undisclosed to the general public, according to ISS.
The mandate is clear. Users must secure their networks and data or, eventually, the probabilities of attack will catch up to them. Furthermore, with government cyberspace defense funding coming down the line via the Department of Defense’s internal budgets and the Department of Homeland Security (DHS), there will likely be more resources available than ever.
The diligent user will understand the multi-dimensional nature of IT security and its development. An information security defense program is a means of protecting data from unauthorized access, theft, alteration or deletion while ensuring the user’s continued ability to access data as required.
Basics Of IT Security
The purpose of a data security program is to ensure four basic tenets:
- Confidentiality: Only authorized people should be able to see the data
- Integrity: Only authorized people should be able to change the data
- Availability: Authorized persons should be able to access the data whenever they are allowed to do so
- Accountability: Managers should be able to discover who has done what to the data
Compromises can be necessary to provide a level of security that does a fair job of keeping out intruders but does not make the information inaccessible to authorized users. A comprehensive security program must include written policies and procedures, access control systems, user authentication technologies, auditing systems, encryption and content security.
Get Buy-In From Above
An IT security program will require the top ranks of an agency to buy in, and they can be convinced by articulating the department’s obligations under relevant regulations, the costs of being subject to a successful attack — and the funding available to pay for the IT security program. IT professionals should raise staff awareness about security in general and the program in particular. Goals should be articulated, as should the roles the staff and departments will play in achieving them. If these goals are achieved, the department or government body will be well oriented to development of an IT security program.
Plan Early To Measure Results
It will be necessary to set targets and define the milestone events that will delineate the development of an IT security program and counter-attack. The best IT security programs include the following milestones:
- system benchmarking and security assessment;
- security policy planning and development;
- deployment of security technologies and policies; and
- contingency planning.
System Benchmarking And Security Assessment
IT systems should be planned and blue-printed in detail like any other architecture — but they rarely are. Computer managers need to know the extent of their networks, the business processes (as animated by applications and services) they use and the depth of access of each user. And, they need an understanding of how it is all managed. Such understanding paves the way to proceed to the security audit phase with a comprehensive inventory in hand to allow managers to map mitigating technologies and policies to the most current version of the system.
“Security assessments are the only way you can tell if your network is close to being secure,” says Eric Johannson, principal at Inguide, a Massachusetts networking consultancy. “It’s not a guarantee of security, but it protects you from currently known problems and a degree of liability for future problems. Assessments also let you validate just how effective your security/administrative staff is. If you find vulnerabilities that are weeks or months old, you now have justifications for administrative discipline or possible dismissal of those people responsible for the systems.”
Users should not try it alone, and should not confuse a penetration test with a comprehensive system and security audit. Security is an odd process, amalgamating the oral history of hackerdom and crackerdom, information technology histories, criminal psychology, cryptography, computer science, knowledge of hardware, operating systems and applications software — and finance.
A competent information security consultant can analyze the extent of a network and the number and character of its vulnerabilities. A good one can price out the costs of minimizing or eliminating those exposures and discuss the options within a given price category. Overall, the purpose of this exercise is to define a balance between the available technologies, the costs of those technologies, perceived threats and the data’s true value to establish a cost-justifiable security architecture.
Security Policy Planning and Development
The budget for the project should line up roughly with expectations to secure the exposures uncovered in the initial assessment. If program continuity is established, it is time to develop an information security architecture and to establish a security policy — the protocol under which the organization or government entity will be required to operate. Policies include the basic IT security procedures (for management), rules (for employees) and standards (for the IT staff). Hopefully, they will become ingrained parts of the culture (see sidebar).
Deployment of Security Technologies and Policies
At last, the real work begins. Rolling out the security technologies is its own bear of a deployment and integration program. If the expertise doesn’t exist in-house, money must be budgeted to hire contractors. At this stage, most departments will be updating an existing architecture and working with technologies already deployed.
Rationalizing the existing information security architecture with new technologies will take a seasoned hand. Overall, there are many hardware and software components that make up the security architecture. These components or sub-systems will vary in size, capacity, processing power, and bandwidth capacity. The categories of security sub-systems are:
- Firewalls
- Network security systems (bulk encryptors, virtual private networks (VPN))
- Authentication systems (certificates, tokens, passwords)
- Remote access services
- Intrusion detection/response
- Audit systems
Many of these systems overlap in functionality. Firewalls and VPNs, for example, will have logging systems, though their resolution may be quite low and may not specify activity beyond basic logon/logoff data.
Authentication systems can have detailed audit trails that can follow a user down to each invocation of an application or data request. Cost-effectiveness must also be heeded, as well as elegance of administration/control and minimization of redundancy in functionality.
At the end of the deployment, reporting of security-related activity should be easily attainable by management and administrators, and line-managers should have one way to get that data and get it out to managers in a digestible format. At the end of the day, it’s infrastructure and it’s got to be managed. The system in place must allow relevant facts to be scanned and decisions to be made about its management.
Contingency Planning
If it can happen, it probably will. Contingency planning pays a bonus, in that it provides procedures to address unplanned outages, such as computer equipment failure and misguided back-hoes. It takes a broader imagination to implement effectively as the scope widens. Is the home office in a location that gets a lot of earthquakes? This is a threat that has nothing to do with cyber-attacks but the answer — placing a mirror image of the system in an off-site back-up — also provides a means of restoring a system in case of a successful cyber-attack.
A thorough contingency plan will include an impact analysis to delineate tolerable downtime for each business process and application to minimize loss exposures; and disaster recovery and business continuity strategies that will detail the technical and cost requirements each entails.
Each business process should be scored for its criticality, and cost estimates should be determined for outages of each process. The applications and services that animate those business processes have to be restorable, and the time and cost of restoration must be delineated.
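The impact analysis and criticality scoring described above, as an added example that is not from the article: a small Python model of a business impact analysis that ranks processes, estimates loss exposure at the realistic restore time, and flags where the recovery strategy misses tolerable downtime. The process names, scores and dollar figures are constructed and hypothetical.

```python
from dataclasses import dataclass


@dataclass
class BusinessProcess:
    name: str
    criticality: int             # 1 (low) to 5 (mission-critical), scored by the process owner
    cost_per_hour: float         # estimated loss for each hour the process is unavailable
    tolerable_downtime_h: float  # maximum tolerable downtime from the impact analysis
    restore_time_h: float        # time the chosen recovery strategy needs to bring it back
    restore_cost: float          # one-time cost of that recovery strategy


def outage_loss(proc: BusinessProcess, hours: float) -> float:
    """Estimated loss for an outage of the given length."""
    return proc.cost_per_hour * hours


def recovery_gap_h(proc: BusinessProcess) -> float:
    """Hours by which the recovery strategy overshoots tolerable downtime (0 if it fits)."""
    return max(0.0, proc.restore_time_h - proc.tolerable_downtime_h)


def rank_processes(procs):
    """Most critical first; ties broken by the loss incurred at tolerable downtime."""
    return sorted(procs, key=lambda p: (p.criticality, outage_loss(p, p.tolerable_downtime_h)), reverse=True)


def impact_report(procs):
    """One row per process: exposure at the realistic restore time and whether the target is met."""
    rows = []
    for p in rank_processes(procs):
        rows.append({
            "process": p.name,
            "criticality": p.criticality,
            "loss_at_tolerable_downtime": outage_loss(p, p.tolerable_downtime_h),
            "loss_at_restore_time": outage_loss(p, p.restore_time_h),
            "restore_cost": p.restore_cost,
            "recovery_gap_h": recovery_gap_h(p),
            "meets_target": recovery_gap_h(p) == 0.0,
        })
    return rows


# Constructed sample inventory (hypothetical figures, not taken from the article).
SAMPLE = [
    BusinessProcess("Benefits payments", 5, 4000.0, 4.0, 24.0, 50000.0),
    BusinessProcess("Public web site", 2, 300.0, 48.0, 8.0, 8000.0),
    BusinessProcess("Internal e-mail", 3, 1200.0, 24.0, 12.0, 15000.0),
]

if __name__ == "__main__":
    for row in impact_report(SAMPLE):
        flag = "OK " if row["meets_target"] else "GAP"
        print(f'{flag} {row["process"]:<20} crit={row["criticality"]} '
              f'exposure=${row["loss_at_restore_time"]:,.0f} gap={row["recovery_gap_h"]}h')
```

A "GAP" row is the case the plan must resolve: either a faster (and usually costlier) recovery strategy or a revised tolerable downtime agreed with the process owner.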
Go Back To Step One
As security is a process more than anything else, the person charged with developing or rationalizing an IT security program will end this exercise with the same step by which it began — a security assessment. There are a number of companies that will do penetration tests, network assessment and audits. A good candidate is one with experience — and not the one that did the initial assessment.
Peter Cassidy is director of research for TriArche Research Group, Cambridge, Mass. A technology writer, commentator and, in 2002, a visiting scholar at MIT, Mr. Cassidy’s articles have appeared in international business publications such as The Economist, ForbesASAP and WIRED.
POLICY GUIDE
Inside A Basic Security Policy
Security policies should include the basic IT security procedures (for management), rules (for employees) and standards (for the IT staff).
PROCEDURES FOR MANAGEMENT:
- Labeling and origin information that tracks ownership and history of the document
- Scope and constituency that the security policy addresses
- Scope and resolution of the security activity reports that management can demand
- Flow schemes that route data of tiered criticality to managers
- Primary points of contact and responsibilities
- Detailed overview and discussion of user rules/policies and technical standards
- Instructions on conditions under which the policy can be updated
USER RULES/POLICIES (FOR THE RANK-AND-FILE USER):
- Intended and/or appropriate use
- Guides to authentication requirements such as passwords
- Guidelines for laptop usage and remote network connections
- Addition or removal of software guidelines for accessing unprotected programs or files
- Disciplinary actions for unauthorized or unacceptable behaviors, such as breaking into accounts, using weak passwords or end-running authentication procedures
FOR THE ADMINISTRATOR:
- Authority and conditions for monitoring user activity (e.g., e-mail, network traffic, other actions) using vulnerability testing tools
- Accessing protected programs or files
- Disciplinary actions for unauthorized and/or unacceptable behaviors, such as sharing/creating accounts and cracking passwords
A technical security standards document should include:
- Authorization and Access Controls
- Host Security Control Requirements
- Network Security Control Requirements
- Monitoring and Alert Management
- Internet and Intranet Access
- Data Backup, Backup Data Security and Restoration
- Move/Add/Change Management
- Auditing Functions
- Physical Security
- Management Accountability
— Peter Cassidy