I got the idea for essential practices from my friend and colleague, Dr. Peter Tippett.
He pointed out that one of the things that senior management looks to the security staff for is advice on where to spend the next security dollar. We each have a way of answering this. Some of us do it by the "seat of the pants"; those of you who are pilots have been taught how unreliable that is.
Some advocate 'best security practices,' but because of cost and other constraints we quit long before we get there.
Some employ formal risk assessment. However, few of us have the knowledge, skills and abilities necessary to employ this expensive measure, one that is much better at justifying expenditure than at telling us what to spend on.
Peter proposed essential practices as a method for answering this question. Let me explain what is meant by this expression.
I teach at the Naval Postgraduate School where my students are warriors. Since they understand the concept of "force protection," I use it to teach computer security.
In force protection, "first you dig a hole." This rule is so important that Caesar is said to have sacked generals who permitted the troops to eat or sleep before they dug a hole.
In modern warfare we call this hole a fox-hole. Fox-holes are about 0.8 effective. If the artillery shell or the grenade lands in the fox-hole, it does not help. However, if either is a "near-miss" then the hole offers protection.
Now most of you have seen the movie, Patton. You know that General Patton required that even the cooks and the doctors wear their steel pots. Again, a steel pot will not protect you from a direct hit but it improves the effectiveness of the fox-hole.
So, there are two pieces of equipment that all the troops carry into the field. The first is the steel pot and the second is the entrenching tool. Each costs about $15. The helmet liner costs more.
What about body armor? About 0.8 effective, complements the hole and the steel pot. However, it costs not tens of dollars but hundreds. In the first Iraq War we heard stories of Mom hocking the family homestead to pay for it. However, the price has now fallen by half or more. Does it now qualify as "essential?"
So, anyone can dig a hole with available resources. It is about 0.8 effective. It complements the steel pot.
There are analogous IT security measures that:
- can be done by anyone
- with available resources
- are about 0.8 effective
- and which complement one another
For example, if a fox-hole is a primitive fortification, then an IT analogy might be a free software firewall like the one provided by Microsoft in Windows. We accept that it is limited in its effectiveness. Anti-virus software might be analogous to the steel pot. A hardware firewall that costs hundreds of dollars might, like the body armor, be questionable. However, one that costs tens of dollars and protects a SOHO network, an application server, or even an enterprise desktop probably qualifies.
In the rest of this chapter we will identify a number of qualifying IT security measures. Some will be fairly obvious, at least once they have been identified. A few will be surprising and one or two will be controversial. You will find that many will be measures that you already have in place, but each of you will find one or two on the list that you have overlooked. There will be some items on the list that you have considered and rejected; I will ask you to reconsider them.
Here is one of the obvious ones: changing default passwords. This one is so obvious that one really should not have to call it out. However, if one reads the Verizon Data Breach Incident Report (VDBIR), one finds that there must be a very large number that have not been changed. Surely it meets the definition.
User and management awareness training may or may not qualify, depending upon how one values the time of the users and managers and how well one uses it. On the other hand, many recent breaches have relied, at least in part, on duping users.
Formal risk acceptance makes the cut. It is used when, for business reasons, management elects to accept, rather than mitigate, a risk. The risk acceptance document is written by the security staff and signed by line management. The security staff describes the risk and the reason for accepting it and a business executive, with sufficient resources and authority to mitigate the risk if he wished, signs it. Its life is the shorter of a specified duration, the tenure of the signing executive, or one year.
Explicit assignment of security roles and responsibilities and supervision to ensure that they are carried out is both effective and efficient. When people fail to do what we expect, it is far more often the result of our failure to communicate the expectation than it is a failure of motive on their part. It is essential both in the sense of our definition and in the sense of necessary.
Unique user identifiers make our list. Again, while the motivations for shared IDs have all but vanished, the Verizon Data Breach Incident Report suggests that they persist and contribute to breaches. It is ironic that the most frequently shared IDs are privileged ones (can you say "root?"), the ones where accountability is the most important.
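As an added example, not part of the original essay, here is a small Python detector for the shared-ID problem: it flags any account that was used from several distinct sources within a short window, which a person with one workstation rarely does but a shared (or stolen) credential routinely does. The log format, the one-hour window, the threshold of three sources and the list of privileged account names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful-login records (not from any real system).
# Hypothetical format: <ISO timestamp> <service> accepted <user> from <source>
SAMPLE_LOG = """\
2024-03-04T08:02:11 sshd accepted root from 10.1.4.22
2024-03-04T08:03:40 sshd accepted root from 10.1.9.7
2024-03-04T08:05:02 sshd accepted alice from 10.1.4.22
2024-03-04T08:09:55 sshd accepted root from 10.2.0.15
2024-03-04T09:10:00 sshd accepted bob from 10.1.7.3
2024-03-04T14:20:00 sshd accepted alice from 10.1.4.22
2024-03-04T14:21:09 sshd accepted root from 10.3.1.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) accepted (?P<user>\S+) from (?P<src>\S+)$"
)
PRIVILEGED = {"root", "administrator", "admin"}  # assumed list for the sample


def parse(log_text):
    """Turn log text into (timestamp, user, source) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # real logs contain noise; skip rather than crash
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def shared_id_candidates(events, window=timedelta(hours=1), min_sources=3):
    """Return {user: sorted sources} for every account seen from at least
    `min_sources` distinct sources inside any rolling `window`."""
    by_user = defaultdict(list)
    for ts, user, src in sorted(events):
        by_user[user].append((ts, src))
    flagged = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            srcs = {s for t, s in logins[i:] if t - start <= window}
            if len(srcs) >= min_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged


def report(log_text):
    """Flagged accounts, privileged IDs first: that is where accountability matters most."""
    flagged = shared_id_candidates(parse(log_text))
    return sorted(flagged, key=lambda u: (u not in PRIVILEGED, u))
```

On the constructed sample only `root` is flagged: three sources within eight minutes, while `alice` logs in twice from the same workstation.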
Similarly, we should be using strong passwords, not so much because we are seeing a lot of brute force attacks, but because accountability requires that we be able to take the possibility that the password has been compromised off the table.
Anti-virus and personal firewalls would appear here on the list. We used them as examples above. However, there are a few more things to say about them.
The personal hardware firewall changes the policy of the personal system from permissive to restrictive. It hides personal system vulnerabilities, some of which will never be identified, much less fixed, from the Internet. Of course, say firewall in most enterprises and the network managers go ballistic; they are certain that any firewall will break applications.
However, I give away personal firewalls as hospitality gifts. If I am your guest for the weekend, I will bring and install a Linksys. I have yet to break an application. Indeed firewalls and applications are increasingly aware of one another and configure themselves as necessary.
But ranking with AV and firewalls, I put backup. It is important because our storage is fragile and our data friable. In addition, it is a measure that protects us against those threats that we cannot anticipate. We use it because computers do nothing quite so well as they make cheap, dense, portable copies of data.
Having decided to make backup copies of our data, we should encrypt the backup copies. The more copies of the data, the more persistent it is but the greater the probability that it will leak. We have also seen tens of cases in which we are unable to account for a clear-text backup copy. Most of the software that we use for backup has an encryption feature. Backup software with an encryption feature is not that much more expensive than that without it.
Next is a practice that is clearly on the list but often overlooked: time-out to a lock-word protected screen-saver. The lock-word need only be long enough to resist a guessing attack lasting minutes to tens of minutes. This simple measure greatly reduces risk on machines in public or employee-only spaces. It does not impose a burden even in secure spaces. It is an option on most popular operating systems. However, the control is not always easy to find. For example, on Windows 7 it is under "Personalization." In Mac OS X, it is the second option in System Preferences.
A practice that is not quite so obvious is end-to-end encryption. By end-to-end, I mean client to application. I am going to argue that anyone can do it and, thanks to Netscape and Cisco/Linksys, with available resources. Yes, SSL, SSH, and IPSec are ubiquitous. All remote desktop servers include it. It is the essence of virtual private networks, VPNs, and virtual local area networks, VLANs. If a server does not support one of these, one need only put a proxy in front of it.
A related practice is to terminate VPNs on the application, not on the perimeter and not on the operating system. On the client-side, the VPN is hidden under the application name or icon. On the server-side, the application hides network and operating system vulnerabilities from the client and the encryption hides application vulnerabilities from all but authenticated users. The encryption hides the client from enterprise network users.
By policy and practice, store sensitive data, including books of account, payment card information (PCI), personally identifiable information (PII), and intellectual property (IP), on enterprise servers. Resist, with policy and controls, the creation of arbitrary copies on desktops and portable devices. Yes, I know that the users claim that they need those copies in order to get their jobs done. However, that is a service level issue. Given the speed and coverage of modern networks, this is clearly less necessary than it was last year and will be even less so next year.
Prefer application-only access to data; the need to look up an associate's e-mail address or phone number should not confer the privilege to copy the enterprise directory.
Note that if the sensitive data is on the servers, then that is where the control ought to be. First there will be fewer control points and that will reduce administrative effort. Perhaps more important, access controls on the servers are much more reliable, more resistant to bypass, than those on clients.
If one is going to use Wi-Fi, and almost everyone does, one should encrypt the air side. WPA2, the standard protocol, IEEE 802.11i-2004, is supported in all modern Wi-Fi equipment, but any encryption is better than none. The burden is in distributing the key among the using devices. The size of this burden is a function of the number of devices using the wireless network. As in any encryption scheme, the key is most vulnerable when it is being distributed. All key distribution protocols leak, but none leaks nearly so much as Wi-Fi without encryption. [This use is so fundamental that the RIAA and MPAA have advocated making it a criminal offense not to use it, but that is a subject for another day.]
Dial in only using VPNs and via ISPs, never direct to the enterprise. Said another way, get rid of dial-in. The Verizon Data Breach Incident Report shows that a significant number of breaches exploit dial ports installed by or for the convenience of support personnel. That is in part because operating dial-in securely requires knowledge, skills, abilities, and resources that are beyond all but a few specialized enterprises. Yes, I understand that many of your users work from locations with no broadband access; for them dial-in may be necessary. However, that does not mean that it is necessary for you to operate it. Users should dial in to an ISP and access your applications and systems via the Internet.
Those VPNs, indeed all VPNs, should terminate on the applications, not on the perimeter and not on operating systems. Encryption should always terminate on the application rather than on the network perimeter or the operating system. This simplifies its use and improves its effectiveness.
Patch broadly in preference to early. Said another way, convert patching from an unplanned to a planned activity. It turns out to be dramatically more efficient to patch most, or even many, of your systems in ninety, or even one hundred and eighty, days than a few in hours or days.
Patch wisely. In a year in which 2200 vulnerabilities were reported, roughly one in a hundred were exploited. Said another way, not all vulnerabilities are problems, and not all problems are the same size. Would you not rather have patched the twenty than the 2200?
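As an added example, not from the essay, the following Python sketch applies the two patching rules above: rank by observed exploitation and exposure rather than by raw count or score, then fill fixed-length patch waves so that the work is planned rather than reactive. The inventory, the priority key, the wave capacity and the identifiers VULN-000n are constructed placeholders, not real vulnerability records.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str              # placeholder identifier, not a real CVE number
    exploited: bool       # exploitation observed in the wild
    internet_facing: bool
    hosts: int            # number of enterprise hosts affected
    cvss: float


# Constructed inventory for illustration only.
INVENTORY = [
    Vuln("VULN-0001", True,  True,    40, 7.5),
    Vuln("VULN-0002", False, True,   900, 9.8),
    Vuln("VULN-0003", True,  False,  300, 6.1),
    Vuln("VULN-0004", False, False, 1200, 5.0),
    Vuln("VULN-0005", False, True,    20, 8.1),
]


def priority_key(v):
    """Known-exploited first (the 'twenty'), then internet-facing, then the
    breadth of the population, and only then the abstract score."""
    return (not v.exploited, not v.internet_facing, -v.hosts, -v.cvss)


def patch_plan(inventory):
    """Ordered list of identifiers to work through."""
    return [v.vid for v in sorted(inventory, key=priority_key)]


def schedule_waves(inventory, hosts_per_wave):
    """Greedy planner: walk the prioritised list and fill fixed-size waves
    (e.g. 30-day maintenance cycles, three of them in ninety days).
    A vulnerability larger than a whole wave gets a wave of its own."""
    waves, current, used = [], [], 0
    for v in sorted(inventory, key=priority_key):
        if current and used + v.hosts > hosts_per_wave:
            waves.append(current)
            current, used = [], 0
        current.append(v.vid)
        used += v.hosts
    if current:
        waves.append(current)
    return waves
```

With a capacity of 1000 host-patches per wave the two exploited items land in the first wave regardless of their CVSS scores, and the 1200-host item is deferred to a wave of its own.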
Lock down your systems. Hide the operating system and any other capability to install or modify programs. I can hear the moans from here. Most of you are professionals or para-professionals; many of you exploit such capabilities and some of you even need them. However, no executives and few managers need these privileges. Few administrative or clerical users need them. Change the default and dramatically reduce your vulnerability. Microsoft provides powerful tools for locking down systems and administering locked-down systems. Few of us use them well.
Finally, layer your defenses. As your resources grow in value and your adversaries in power, push your defenses out and push your valuables down in the ground. Between the Internet and the crown jewels, there should be several, say four, layers. Tunnels, VPNs, that bypass those layers, should lead to limited and contained privileges and capabilities.
Now that is my list. Peter's list might be somewhat different. However, the Jesuits who taught me in prep school taught me that, for the sake of completeness, all such lists should end with "other."
Many of these practices you may have already implemented. One or two may not apply to you. There may be other practices that qualify as essential that I have not identified. Make your own list. Order it. Work your list. Most of these things can be done in six months or so. Focus on essential practices before moving on to more expensive measures that require more expensive justification processes. In the meantime, cover those measures with risk acceptances.
These measures are so fundamental, so efficient, so “essential” that we must get them done before we even take time to consider other measures. I will argue that measures that are 0.8 effective and cost tens of dollars per seat are so efficient as to qualify as "essential." Because efficient can be defined as cheaper than all of the alternatives, including that of doing nothing, these measures qualify as efficient by two definitions.
As with all controls, there will be exceptions to these rules but the exceptions should be manageable and we ought to be managing them down in both scope and number.
I understand that "anyone can do them with available resources" does not translate to "easy." Depending upon the size of the enterprise and the style of its management, instituting even essential practices can still be very difficult.
The use of "Essential Practices" is a method. It is a method for allocating our scarce resources. It is a method for answering the management question, "Where should we spend our next security dollar?" It is a method that characterizes us as professionals, ensures our efficiency, and earns us the big bucks.