This work is licensed under a Creative Commons Attribution 2.5 License.
Friday, December 2

Simplified Security - Tip #25 - Implement application and system security
by RaviC on Fri 02 Dec 2005 08:00 AM PST
Implement application and system security - Benefit: the company's applications, and the systems those applications run on, are free of vulnerabilities.
If a company wishes to move toward true end-to-end security, it has to focus on both the application and the system the application runs on. There is no use in having a secure system if the application that runs on it is vulnerable and thus provides an attack vector, and vice versa.
Some of the questions that need to be raised for application/system security are:
1. Has the application/system been penetration tested?
2. What is the failure mode of the application/system, i.e. fail-safe or fail-open?
3. Are there any serious vulnerabilities in the application/system that need to be patched, and are the patches up to date?
4. What ownership does the application run under? Does it run as the super-user, and if so, why does it need to run as a privileged user?
5. Does the application/system make connections to the Internet?
6. Does the application work well with anti-virus software?
7. Does the application run on a hardened system?
8. Does the application or system have access to confidential or proprietary data?
Answering the above questions provides the data points to work from when implementing security. Take item #7 as an example: if the application does not run on a hardened system, the system has to be moved to a less secure state for the application to run. That is a risky decision, and a careful risk/benefit analysis needs to be done before taking it.
Security in general is a delicate dance. There is no one right solution. A company has to choose the security posture that best suits its risk profile and maximizes its ROI savings.
Thought #25 - What are the ramifications of patching/hardening application/system?
Saturday, November 26

Simplified Security - Tip #24: Instant Messaging (IM) Security
by RaviC on Sat 26 Nov 2005 07:29 PM PST
Instant Messaging Security - Benefit: the company has secured a threat channel that is most often ignored.
Security is only as strong as the weakest link. Many corporations spend a great deal of money securing their applications, hardware and infrastructure, but forget to focus on seemingly trivial applications like IM. IM users can send unencrypted information, share files, share their on-line status and send audio/video to users across the Internet. As an example, a user's on-line status gives away information about that user's on-line behaviour: people outside the organization can find out when a particular user logs in and out of IM, make a good guess whether the user is logged in from home or from the office, and hence determine the user's location. Another example: if I knew that John had just met a friend called Tom, and that Tom was not yet on John's buddy list, I could open an account tom234, add John as a buddy and fake Tom's identity to gain John's trust. This is easy because authentication is tied only to the on-line identity.
Many companies have come out with a corporate version of messenger, called enterprise messenger, which works only within the company and not across the Internet. Other vendors make IM gateway managers which sit behind the firewall and administer IM traffic. There are also hybrid enterprise messenger solutions which work not only within the company but also across the Internet.
There is no one right answer about how to secure IM in a corporate setting, but there are some minimal things that corporations can do to secure IM:
0. Policy: Have a policy about IM usage.
1. IM Gateway: Implement an IM gateway to help log/monitor/administer IM traffic.
2. File Sharing: Block file sharing through IM.
3. Audio/Video: Block audio/video through IM.
At the near end of the spectrum, deploy an enterprise messenger solution which allows messaging only within the company. At the extreme end of the spectrum, create a policy which disallows IM usage altogether.
Thought #24 - Can IM be subject to spam?
Wednesday, November 23

Simplified Security - Tip #23: Implement DNS security
by RaviC on Wed 23 Nov 2005 06:41 AM PST
Implement DNS security - Benefit: the company has a notion of external and internal DNS servers, which prevents attacks against the company's DNS servers.
DNS is the glue that binds the Internet: it maps IP addresses to user-friendly names. Let us imagine a world without DNS for a moment. To access the Microsoft.com web site you would need to type http://207.46.130.108; how much fun would it be to remember the IP addresses of all those millions of web sites? Now suppose you type http://www.microsoft.com into the browser, your query is intercepted and a fake IP address is returned: the browser will connect to the fake IP. To take this to the next level, what if you tried to connect to a banking web site and got a fake IP? Your login and password could potentially be compromised. Tampering with the IP address to name mapping is known as DNS spoofing; it is relatively easy to do, and that is what makes DNS vulnerable.
These are the things we can do to protect DNS:
1. Avoid spoofing by encryption - Encrypt the data transferred between master and slave servers: use a shared secret or RSA to encrypt the data. Restrict zone transfers to known servers.
2. Don't list the private IPs of your zone - Disable the ls query, which lists all the servers in a particular zone.
3. Isolate internal DNS servers from external DNS servers - Use a Split Horizon DNS architecture, which in layman's terms means using two DNS servers. Internal DNS servers serve intra-company queries and relay non-intra-company queries to the external DNS servers. External DNS servers serve outside-world originating queries for the zone's public IPs and serve the recursive non-intra-company queries coming from the zone's internal DNS servers. Split Horizon DNS can be implemented on a single DNS server in BIND 9.x using views, but I would not recommend a single DNS server serving both intra-company and outside-world queries at any cost.
4. Prevent outside-world induced recursive query attacks - Disable recursive queries on the external DNS servers for outside-world originating queries.
5. Update/Patch software - Use a recent version of BIND 9.x.
6. Configure your firewall - Log/monitor/administer DNS traffic.
7. DNS registry check - Last but not least, monitor your DNS registration at the root, i.e. perform a whois lookup regularly and make sure it returns the correct data.
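The split-horizon, recursion and zone-transfer rules above (points 1, 3 and 4) modelled as a small Python policy engine. This is an added example, not code from the post or from BIND; the networks, zone data, slave address and key id are constructed placeholders.

```python
"""Split-horizon DNS policy, as a runnable model (added example; not the post's
own code and not BIND). It shows the decisions a split-horizon deployment makes:
which view answers a client, whether recursion is offered, and which peers may
pull a zone transfer. All networks, zone data and key names are constructed."""
import ipaddress

# Constructed: the company's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed zone data for example.com. Internal clients see private
# addresses; the outside world only ever sees the public ones.
INTERNAL_VIEW = {"www.example.com": "10.1.0.10", "db.example.com": "10.1.0.20"}
EXTERNAL_VIEW = {"www.example.com": "203.0.113.10", "mail.example.com": "203.0.113.25"}

# Constructed: the only slave server allowed to transfer the zone, and the
# shared-secret key id it must present (point 1: restrict transfers to known servers).
TRANSFER_PEERS = {"198.51.100.2": "slave1-key"}

ZONE = "example.com"


def select_view(client_ip):
    """Pick the view from the client's source address (the match-clients idea)."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def handle_query(client_ip, qname, recursion_desired=False):
    """Return (rcode, data) for an ordinary A query.

    Authoritative names are answered from the client's view. Names outside the
    zone are only forwarded for internal clients that ask for recursion; the
    outside world never gets recursion (point 4).
    """
    view = select_view(client_ip)
    zone = INTERNAL_VIEW if view == "internal" else EXTERNAL_VIEW
    name = qname.rstrip(".").lower()
    if name in zone:
        return "NOERROR", zone[name]
    if name == ZONE or name.endswith("." + ZONE):
        return "NXDOMAIN", None  # authoritative, but no such name in this view
    if view == "internal" and recursion_desired:
        return "FORWARD", "external-resolver"  # relay via the external servers
    return "REFUSED", None


def handle_axfr(client_ip, key_id=None):
    """Zone transfer is allowed only to a known slave presenting its key."""
    expected = TRANSFER_PEERS.get(client_ip)
    if expected is None or key_id != expected:
        return "REFUSED"
    return "NOERROR"
```

Note that an outside client asking for db.example.com gets NXDOMAIN rather than the private address, which is the point 2 behaviour the views give you for free.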
Thought #23 - Why are there only 13 root name servers?
Thursday, November 17

Simplified Security - Tip #22: Implement perimeter security
by RaviC on Thu 17 Nov 2005 07:56 AM PST
Implement perimeter security - Benefit: the company has a mechanism to police the traffic that enters the corporate network and to prevent unwanted traffic.
The perimeter is the border of your corporate network: this is where the corporate network connects to the Internet, and it is the entry point of Internet traffic into your corporate network.
Gone are the days when just an access list on the border router prevented undesirable traffic. Welcome to the world of viruses, worms, trojans and denial-of-service.
Some of the best practices for perimeter security are:
1. Implement Committed Access Rate on the ISP router. This can prevent DoS coming from the Internet to a certain extent.
2. Implement RFC 1918 and RFC 2827 filtering on the edge router. RFC 1918 filtering prevents packets with a private IP address as the source address from being routed to the Internet, and blocks packets with a private IP address as the source address coming from the Internet. RFC 2827 filtering prevents packets with a non-inside source IP address from going to the Internet, and blocks packets with an inside source IP address from entering from the Internet.
3. Implement an inline firewall which can police traffic. Inline means active listening and blocking mode. A firewall with application-level filtering capability is recommended, as is a series of two firewalls from different vendors.
4. Deploy the public servers (external SMTP, external DNS and external WWW) in a separate zone called the demilitarized zone (DMZ). This zone has a lower security level than the private network.
5. Implement an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). An IPS operates in inline mode.
6. If you are co-locating your servers at an ISP, make sure their perimeter is secure before you co-locate.
7. If you have a remote office, make sure you connect to it only through a VPN; the same applies to remote users.
8. Use Network Address Translation to mask the internal IP addresses.
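Item 2's RFC 1918 and RFC 2827 rules as a runnable filter decision, plus a check over a few constructed flow records. This is an added example, not the post's own code or any router's access-list syntax; the company prefix 203.0.113.0/24 and the flow records are constructed.

```python
"""RFC 1918 and RFC 2827 edge filtering as a decision function (added example;
not the post's own code or any vendor's ACL syntax). The company's public
prefix 203.0.113.0/24 is a constructed placeholder; "inside" means that prefix."""
import ipaddress

# RFC 1918 private space: never a legitimate source at the Internet edge.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed placeholder for the prefixes the company actually owns.
INSIDE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(direction, src):
    """Decide ("permit"|"deny", reason) for a packet by direction and source.

    direction is "inbound" (arriving from the Internet) or "outbound" (leaving
    towards it). RFC 1918 filtering drops private sources in both directions;
    RFC 2827 (ingress/egress) filtering drops inbound packets that claim an
    inside source and outbound packets that do not carry one.
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    addr = ipaddress.ip_address(src)
    if _in_any(addr, RFC1918):
        return "deny", "rfc1918-source"
    inside = _in_any(addr, INSIDE_NETS)
    if direction == "inbound" and inside:
        return "deny", "rfc2827-spoofed-inside-source"
    if direction == "outbound" and not inside:
        return "deny", "rfc2827-non-inside-source"
    return "permit", "ok"


# Constructed flow records: "<direction> <src> <dst>", one per line.
SAMPLE_FLOWS = """\
inbound 198.51.100.9 203.0.113.80
inbound 10.4.4.4 203.0.113.80
inbound 203.0.113.7 203.0.113.25
outbound 203.0.113.80 198.51.100.9
outbound 192.168.1.20 198.51.100.9
outbound 198.51.100.9 198.51.100.9
"""


def audit_flows(text):
    """Count denied flows per reason. Running captured flow records through the
    same rules before the access list goes live shows what it would have dropped."""
    counts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, src, _dst = line.split()
        verdict, reason = filter_packet(direction, src)
        if verdict == "deny":
            counts[reason] = counts.get(reason, 0) + 1
    return counts
```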
Thought #22 - What does SPAN mode connectivity for an IDS mean?
Tuesday, November 15

Simplified Security - Tip #21: Remote access security
by RaviC on Tue 15 Nov 2005 08:10 AM PST
Remote access security - Benefit: the company can ensure that employees connect securely to the corporate network and do not introduce any vulnerabilities into the network.
The days are numbered when employees use POTS to connect to the corporate network. Any external connection to your corporate network is an entry point for vulnerabilities, and dial-in is not a desirable connectivity solution any more.
Virtual Private Network (VPN) technology evolved to address the need for secure remote connectivity. There are many protocols that implement VPNs, and some are built into the OS: IPsec, PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and SSL, among others.
If there are too many VPN users, dedicated VPN hardware is a good choice. IPsec is a good protocol of choice and is supported by many VPN vendors. IPsec provides stronger encryption than PPTP or L2TP.
An IPsec VPN is a good choice if the remote client base is large. IPsec can also be used to tunnel data securely between two different locations.
If there are fewer users (and so less processing overhead), an SSL VPN is a good option. An SSL VPN has less maintenance overhead, i.e. remote clients do not need any additional software installed: it works through the web browser. This advantage of SSL VPN can turn out to be a disadvantage, since users can connect from any unsafe computer which has a browser installed.
The choice of remote access solution depends on the company's context. Here are some things to remember before implementing remote access:
1. Always provide secure access: use VPN technology rather than POTS dial-in.
2. For a large remote client user base, IPsec is the preferred protocol.
3. If you want less staff maintenance overhead and more remote client flexibility, use SSL VPNs.
4. It is always a good idea for the VPN policy to include anti-virus and firewall checks on the remote client in addition to authentication.
Thought #21 - How do you arrive at the optimal VPN policy?
Friday, November 11

Simplified Security - Tip #20 - Implement web security
by RaviC on Fri 11 Nov 2005 07:31 AM PST
Implement web security - Benefit: the company is protected at one of the common attack entry points.
Though web security could be addressed under the umbrella of application security, the pervasiveness of web applications and their vulnerabilities prompted me to dedicate a separate section to it.
Web applications are one of the most exploited classes of applications. The very nature of being available over the network on a standard port makes them even more vulnerable.
These are some of the tips for implementing web security:
1. Keep your web server updated with the latest patches.
2. Disable directory listing in your web server.
3. Implement Secure Sockets Layer (SSL) on the web server wherever possible. Make sure to use a certificate from a trusted vendor, and do not use self-signed certificates on production web servers.
4. Disable web server modules that are considered to pose a security risk.
5. Implement a reverse proxy or a load balancer to protect the real web server.
6. Implement a high availability architecture.
7. Use network address translation to protect the real web server's IP address.
8. Run the web server in a chroot jail, and make sure to run it under a non-privileged account such as nobody.
9. Audit CGI and other scripts for vulnerabilities before they are allowed to run on the web server.
Thought #20 - Why do many sites leave a configuration setting on even though the recommended setting is off?
Thursday, November 10

Simplified Security - Tip #19: Operations security
by RaviC on Thu 10 Nov 2005 06:23 AM PST
Operations security - Benefit: the company has an operational framework that is robust and not vulnerable to threat agents.
The term operations security is a very broad concept. It can involve anything from system architecture to change control. For the purpose of this document, operations security involves three distinct parts:
- Production system architecture
- Production system integrity
- Life cycle management of the application and/or system
The production system architecture should be designed robustly. The recommended solution is a high availability architecture where members operate in either clustered or load-balanced fashion. A high availability architecture makes the system less vulnerable to threat events: if a threat event has occurred on one or more members, there are other members that can handle the load.
Production system integrity can be maintained by using a change control mechanism. No change should be allowed on a production system unless it has been reviewed and has passed through the change control process.
Life cycle management of the system/application should be performed with security in mind. When software or a system is upgraded, it is critical to assess the security impact of doing so. The most desirable solution is to integrate security specifications into the development and testing of the system/application; by doing so we can make sure that robust systems/applications are released to the production environment.
Thought #19 - Should penetration testing be a part of product testing?
Wednesday, November 2

Simplified Security - Tip #18: Vulnerability management team
by RaviC on Wed 02 Nov 2005 08:51 AM PST
Vulnerability management team - Benefit: the company has a mechanism to act on newly discovered vulnerabilities and to generate suitable actions to mitigate them.
Threat agents take advantage of vulnerabilities. Almost every day new vulnerabilities are discovered, and some of them are serious in nature. If these vulnerabilities are not addressed in a timely manner, the result is a threat event: a threat agent taking advantage of a vulnerability.
The Vulnerability Management Team (VMT) provides pro-active vulnerability mitigation. Some of the typical tasks of the VMT are:
- Pro-actively monitor vulnerabilities, for example by tracking the latest CERT advisories.
- Work with application and system owners to make sure that vulnerabilities are addressed in a timely manner.
- Decide when a vulnerability needs to be addressed, or whether it should be addressed at all, and identify the ramifications of addressing it (as an example, what are the ramifications of patching the system?).
The VMT is a very important part of the security program. A system which may be secure today will not be secure tomorrow without a VMT.
Thought #18 - How do you decide whether or not to address a vulnerability?
Tuesday, November 1

Simplified Security - Tip #17: Implement physical security
by RaviC on Tue 01 Nov 2005 06:39 AM PST
Implement physical security - Benefit: the company will eliminate another major source of security threats.
No amount of technical control can provide adequate security unless the physical environment of the company facility is well protected. Imagine if someone could walk into the company office and walk away with a proprietary document: the ramifications could be tremendous.
Physical security can be divided into three parts:
Administrative - This involves facility selection, site management and personnel control.
Technical - This includes fire detection and suppression, intrusion detection and CCTV, HVAC and smart/dumb access cards.
Logical - This includes fencing, lighting, locks, guards and dogs.
To implement good physical security we need a suitable combination of the various components above. It is a good idea to design the facility that houses the IT infrastructure with security in mind rather than implementing security as an afterthought. If designing it is not an option, select a site that meets most of your security needs.
Some physical security controls are mandatory: smart/dumb access cards for the facility, HVAC and CCTV. It is a good idea to have a guard monitoring the facility round the clock if the company can afford it.
Thought #17 - What is the most important objective of physical security?
Tuesday, October 25

Simplified Security - Tip #16: Security awareness training
by RaviC on Tue 25 Oct 2005 08:17 AM PDT
Security awareness training - Benefit: the company will have employees who are conscious of security and will act as a catalyst for implementing security. This will also minimize social engineering threats.
Social engineering is defined as the art and science of getting people to comply with your wishes. A simplistic example is to call up a user, pretend to be an administrator, mention that there are some issues and ask for the password; most likely the user will comply with the password request. What is the use of having a state-of-the-art firewall if you have an employee who is ignorant enough to give out the password of a critical system over the phone?
The goal of Security Awareness Training (SAT) is to make sure that employees are educated about the company's security program. Some of the key things that need to be communicated in SAT are:
1. Why is security important and relevant to all employees?
2. Good and bad security practices.
3. What are the ramifications of violating the security policy?
4. How can employees help to make the security program a success?
5. How to report security violations?
It is important to publicize the security program extensively (for example with flyers) and also to keep employees in the loop about changes in the program; SAT provides a good framework for this. SAT should be designed to accommodate a non-technical audience, otherwise it will dilute the purpose of SAT.
Thought #16 - What is a good time for new employees to undergo SAT?
Monday, October 24

Simplified Security - Tip #15: Implement spam control
by RaviC on Mon 24 Oct 2005 08:07 AM PDT
Implement spam control - Benefit: the company will prevent the entry of viruses and prevent other forms of attack such as phishing.
Spam refers to unwanted or junk email. Spam is one of the mechanisms by which viruses enter. Spam is also a major source of phishing, which dupes gullible users into giving out their private information.
Spam control can be implemented in many ways. The simplest mechanism is a spam filter at the user mailbox level. This method of spam control is inefficient because it depends totally on the user's ability to create efficient spam filter rules. Centralized spam prevention software is another mechanism. An even more popular mechanism is a centralized spam prevention appliance. Another option is to outsource spam prevention to an outside vendor: inbound mail to the company goes through the vendor's gateway, where the spam is filtered, and the resulting clean mail, free of spam, reaches the company. The spam control mechanism a company chooses depends on its needs.
By implementing spam control, a company not only prevents the entry of viruses but also saves valuable employee time which would otherwise be wasted sifting through mailboxes. It should be noted that spam is a type of denial of service (DoS) attack: too much spam sent to a mailbox can overwhelm it, making it harder to read legitimate email and thus causing a DoS.
Thought #15 - How can user awareness keep users from becoming victims of spam email?
Friday, October 21

Simplified Security - Tip #14: Constitute an incident response team
by RaviC on Fri 21 Oct 2005 07:23 AM PDT
Constitute an incident response team - Benefit: the company is well equipped to handle any security breach incident.
Many companies are not well prepared to handle security incidents. They try to mobilize resources to respond after the incident has happened; this type of panic-mode response is not desirable.
The incident response team consists of members drawn from cross-functional teams. The incident coordinator should be a well-seasoned security professional, and the team members should be experienced in handling security incidents. The team has a pre-existing relationship with the company's legal department and public relations department, and also with law enforcement officials; this pre-existing relationship eases the escalation process during incident handling. As soon as a security breach incident is encountered, the team members come together and formulate a strategy for responding to the incident.
The incident response team has the following tasks:
- Assess the tangible and intangible damage due to the incident.
- Identify remedial actions, such as patching the systems.
- Assess whether the incident can cause a loss of faith or goodwill among customers.
- Investigate the root cause of the incident.
- Decide whether to involve law enforcement officials.
- Formulate a suitable public relations campaign about the incident.
- Identify the legal and compliance ramifications of the incident.
- Keep senior management updated about the status and seek their opinion when needed.
- And so on.
Thought #14: Who makes the decision whether to make the incident public or not?
Thursday, October 20

Simplified Security - Tip #13: Implement anti-virus
by RaviC on Thu 20 Oct 2005 07:37 PM PDT
Implement anti-virus: Benefit: the company can save money by minimizing and/or preventing system and/or user downtime.
The computer virus is a universal problem. A virus is defined as a malicious and destructive program designed to be passed unwittingly from machine to machine via floppy disks, downloads or other means. A virus attaches itself to, and becomes part of, another executable program; a worm, by contrast, is self-contained and does not need to be part of another program to propagate itself.
Anti-virus must be installed on every user's computer and should be manageable from a centralized console. The anti-virus software should be scheduled to run once every week or month in order to update to the new signatures and to scan for any viruses it missed since the last update. It is a good idea to schedule the anti-virus software to run on users' desktops during work hours, otherwise most of the desktops would miss the scan; for example, run the anti-virus software at noon on the first Monday of every month.
Anti-virus software should be installed on production systems too. It is a good idea to ensure that the anti-virus software works smoothly with the various other applications without affecting the performance of the production systems. It is advisable to run an on-access virus scanner on production systems: an on-access scanner checks a file for viruses as soon as it is accessed.
Routine audits must be performed to make sure that all relevant production systems run anti-virus software.
Thought #13: Is a two-tiered anti-virus solution a good idea?
Wednesday, October 19

Simplified Security - Tip #12: Identity management policy
by RaviC on Wed 19 Oct 2005 08:24 AM PDT
Identity management policy - Benefit: there is an authentication, authorization and audit trail for users.
Identity Management (IM) is the management of user and group accounts. Identity management has three components: authentication, authorization and accounting. Authentication is who you are and authorization is what you can do. IM involves making sure that a proper authentication mechanism is in place and a proper authorization profile is set.
There are multiple approaches to authentication:
- Single-factor authentication, known as weak authentication, is based on something you know: a good example is a login and a password.
- Two-factor authentication, known as strong authentication, is something you know plus something you have: a good example is an ATM card.
It is a good idea to use two-factor authentication since it is considered harder to break than login/password, which is one-factor authentication.
A user having authorization to all systems is not good either. A user's authorization profile should be set based on the user's clearance level, and mostly on a need-to-know or need-to-use basis. Group accounts are very risky to have; it is a good idea to minimize their use.
There are other critical aspects of IM, such as account expiry and password expiry. It is critical to audit user accounts on a regular basis: an active user account which continues to exist after the user has left the company is not desirable. Accounts should be forced to change their passwords on a regular basis, and there has to be a mechanism to make users choose strong passwords.
Last but not least, all authentication and authorization attempts should be logged; this is also known as accounting, and accounting provides the audit trail.
Thought #12: How do you determine authorization profile of a user?
Tuesday, October 18

Simplified Security - Tip #11: Proprietary information protection policy
by RaviC on Tue 18 Oct 2005 08:02 AM PDT
Proprietary information protection policy - Benefit: employees are educated about the importance of handling proprietary information.
Earlier we described the document classification policy; there is no use in classifying documents unless we educate employees about how to handle proprietary information. The company needs a widely published Proprietary Information Protection Policy (PIPP) which outlines the information protection requirements. Some of the items in this policy are:
1. Identify the PIPP team members who are responsible for driving this policy.
2. Regular audits by PIPP team members: as an example, walking by employees' desks during non-business hours, identifying any unattended confidential information on the desk, notifying the employee of the PIPP violation and advising them to be careful.
3. Make sure to educate employees about the importance of tagging documents as confidential, or with the appropriate classification level, when they generate a document.
4. Install separate printers for printing confidential documents and/or make sure confidential printouts are not left unattended in the general print area.
5. Install a document shredder or a bin for disposing of confidential documents.
The above list can grow based on the company's context. The bottom line of the PIPP is to educate employees about the importance of handling confidential documents, make them aware of the ramifications, and police to a certain extent to identify violations of this policy.
Thought #11: Social engineering is a big threat to security; can the PIPP help to minimize such a threat?
Saturday, October 8

Simplified Security - Tip #10: Data backup policy
by RaviC on Sat 08 Oct 2005 10:51 PM PDT
Data backup policy - Benefit: the company can rely on the backed-up data in case of data loss, data corruption or a disaster.
Data storage device failures and data corruption are fairly common. Lost data can severely impact the company's existence as a going concern and/or result in bad publicity for the company. If critical customer data is lost, it could result in a penalty or a lawsuit depending on the context.
The first step in creating a backup policy is identifying the data that needs to be backed up. It is important to perform this step because it can reduce the amount of data to be backed up and hence the cost of the backup. This step also helps you classify the type of data, i.e. whether it is a database or flat files, and, if it is a database backup, whether it needs a hot backup or a cold backup.
The next step is to determine the frequency of the backup, which depends on how frequently the data changes. The frequency of the backup determines the granularity of the data recovery point. In the real world, backup is accomplished by suitably combining incremental and full backups. There are many backup schemes, such as Tower of Hanoi and Grandfather/Father/Son; choose the scheme that works best for you.
The third step involves identifying an off-site storage location for the backup tapes, and the logistics involved in off-site storage and retrieval of the tapes. Make sure that the off-site location is not very close to the data location: that would expose both locations to the same disasters and defeat the purpose of off-site storage.
The last and final step is to publish the backup plan so that customers (both internal and external) are aware of the backup plan and agree with it; this will help to set their data recovery expectations right.
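The two rotation schemes named in the second step, Tower of Hanoi and Grandfather/Father/Son, worked through in Python so the recovery-point granularity each one gives can be seen day by day. This is an added example, not the post's own code; the tape counts and the incremental/full split are constructed assumptions.

```python
"""Backup tape rotation schedules (added example; not the post's own code).

Implements the two schemes the post names, Tower of Hanoi and
Grandfather/Father/Son (GFS). Tape counts and the incremental/full split are
constructed assumptions chosen to illustrate the schemes."""
import calendar
from datetime import date, timedelta


def hanoi_tape(day_number, tape_count):
    """Tower of Hanoi rotation.

    On backup day n (1-based) use the tape whose index is the number of
    trailing zero bits in n, capped at the last tape: tape 0 is reused every
    2nd day, tape 1 every 4th, tape 2 every 8th, and so on, so each extra tape
    doubles how far back the oldest surviving recovery point reaches.
    """
    if day_number < 1 or tape_count < 1:
        raise ValueError("day_number and tape_count must be >= 1")
    trailing_zeros = (day_number & -day_number).bit_length() - 1
    return min(trailing_zeros, tape_count - 1)


def _last_friday(d):
    """Date of the last Friday in d's month (Friday has weekday() == 4)."""
    last = date(d.year, d.month, calendar.monthrange(d.year, d.month)[1])
    return last - timedelta(days=(last.weekday() - 4) % 7)


def gfs_tape(d, daily_tapes=4, weekly_tapes=4, monthly_tapes=12):
    """Grandfather/Father/Son rotation for date d.

    Constructed policy: Monday to Thursday take incremental backups onto one of
    the "son" tapes (overwritten every week); each Friday takes a full backup
    onto a "father" tape rotated every `weekly_tapes` weeks; the last Friday of
    the month goes to a "grandfather" tape rotated every `monthly_tapes` months.
    Returns (set_name, tape_index, level), or None on days with no backup.
    """
    weekday = d.weekday()  # Monday == 0 ... Sunday == 6
    if weekday >= 5:
        return None  # constructed policy: no weekend runs
    if weekday == 4:
        if d == _last_friday(d):
            return "grandfather", (d.month - 1) % monthly_tapes, "full"
        return "father", ((d.day - 1) // 7) % weekly_tapes, "full"
    return "son", weekday % daily_tapes, "incremental"


def gfs_tape_ymd(year, month, day):
    """Convenience wrapper taking the calendar date as three integers."""
    return gfs_tape(date(year, month, day))


def schedule(year, month, day, days, tape_count=4):
    """Side-by-side schedule for `days` consecutive backup days starting at the
    given date: (iso date, Hanoi tape index, GFS assignment) per day."""
    start = date(year, month, day)
    rows = []
    for n in range(1, days + 1):
        d = start + timedelta(days=n - 1)
        rows.append((d.isoformat(), hanoi_tape(n, tape_count), gfs_tape(d)))
    return rows
```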
Thought #10 - What is a good time to run data backup job?
Friday, September 30

Simplified Security - Tip #9: Implement sound personnel practice
by RaviC on Fri 30 Sep 2005 07:00 AM PDT
Implement sound personnel practice - Benefit: the company has a better chance of minimizing internal threats.
It is a well-known fact that the majority of threats are internal. Company employees often knowingly or unknowingly leak proprietary information. Imagine for a moment confidential data in the hands of a disgruntled employee: the ramifications are tremendous.
Sound personnel practice involves many things:
Job description - This is the first step in the hiring process. Make sure to classify the security level of the job, i.e. whether the job warrants exposure to critical data.
Background checks - Make sure you hire good people by running background checks on them. Moreover, hire people who have the appropriate security clearance with respect to the job classification.
Roles and responsibilities - As soon as employees are on board, define their roles and responsibilities clearly. Determine their data access profile based on those roles and responsibilities. Don't grant them access to more data than is necessary to get the work done.
Cross training and job rotation - Cross-train employees so that there is no single point of reliance. By rotating jobs you can prevent collusion, information hiding and cheating.
Following sound personnel practice does not imply that we distrust employees; rather, it implies that we are selective about whom we trust and that we believe in processes that can help expose violations of trust.
Thought #9: Why is mandatory vacation for employees a good idea?
Wednesday, September 28

Simplified Security - Tip #8 Classify data or document
by
RaviC
on Wed 28 Sep 2005 08:10 AM PDT
Data or document classification: Benefit is company can prioritize and allocate required security resources to protect data or document according to classification.
Companies should have a consistent data or document classification methodology. Not all data are confidential, some are more confidential than others, some are for private use and some are for public consumption. Classifying the data depends on the company's context. However, there are some general tips to classify data:
1. Usefulness, Timeliness, Value, Age, Lifetime (or when it expires) of data
2. Data disclosure/modification damage assesment
3. Who has access/restriction to data
4. National security implications of the data
These are the typical business/private sector classification of the data or document:
Confidential - Highest level. Used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for company if confidential data is disclosed.
Private - Used for data that is of private or personal nature and intended for internal use. A significant negative impact can occur for the company or individuals if private data is disclosed.
Sensitive - A negative impact could occur if the data is disclosed.
Public - Disclosure does not have a serious negative impact on the organization. This is also the default classification bucket for data which does not fit the above categories.
Declassification is the process of changing the classification category of data or a document: if a piece of data or a document no longer warrants its current protection level, it is reclassified into a different level.
Thought #8: Why is declassification very important?
Thursday, September 22

Simplified Security - Tip #7: Implement change control
by
RaviC
on Thu 22 Sep 2005 07:21 PM PDT
Implement change control - Benefit is the company has a trail of the changes that have been made to its configuration, and it will also minimize any bad ramifications for its infrastructure.
Security is a function of configuration. Configuration, in simplistic terms, is a snapshot of the arrangement of the various things in an infrastructure. In a collection of servers, if one of the servers is upgraded, the upgrade task, however simple it may be, could have far-reaching ramifications, good and bad. The objective of a change control mechanism is to minimize the bad ramifications. A change control mechanism not only keeps track of changes to the existing configuration, but also enables a company to roll back the changes if there are any issues.
A change control mechanism should keep track of: date/time of the change, duration of the change, description of the change, business owner of the change, resources needed to implement the change, systems/applications affected, roll back procedure, list of approvers for the change, security ramifications, and, last but not least, justification for the change. There could be other things that the change control mechanism keeps track of depending on the company's needs.
A change control mechanism can be implemented simply as a web-based application. It is a good idea to follow up each change with a postmortem report. Any change that bypasses the change control mechanism should be discouraged and dealt with appropriately.
Thought #7: Which division head is a mandatory approver for the change control?
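As an added illustration of the change ledger described in this tip and of catching changes that bypass it (example code, not from the original post): a change record is checked for the fields the tip lists, and two configuration snapshots are diffed so that only changes on systems without a complete approved record are reported. The system names, configuration keys and the sample change record are constructed.

```python
"""Change-control ledger check with a configuration-drift report (added example)."""

# Fields every change record must carry, following the tip's list
REQUIRED = ("when", "description", "owner", "systems", "rollback",
            "approvers", "justification")


def validate_change(rec: dict) -> list:
    """Return the names of required fields that are missing or empty."""
    return [f for f in REQUIRED if not rec.get(f)]


def find_unapproved(before: dict, after: dict, approved: list) -> dict:
    """Diff two snapshots {system: {key: value}} and return only the changes
    on systems that no complete, approved change record covers.

    Result shape: {system: {key: (old_value, new_value)}}."""
    covered = set()
    for rec in approved:
        if validate_change(rec):      # an incomplete record approves nothing
            continue
        covered.update(rec["systems"])
    drift = {}
    for system in set(before) | set(after):
        if system in covered:
            continue
        old, new = before.get(system, {}), after.get(system, {})
        for key in set(old) | set(new):
            if old.get(key) != new.get(key):
                drift.setdefault(system, {})[key] = (old.get(key), new.get(key))
    return drift


# Constructed sample: two snapshots of a small estate and one approved change
BEFORE = {"web01": {"tls_min": "1.0", "ssh_root_login": "no"},
          "db01": {"ssh_root_login": "no"}}
AFTER = {"web01": {"tls_min": "1.2", "ssh_root_login": "no"},
         "db01": {"ssh_root_login": "yes"}}
APPROVED = [{"when": "2005-09-22T19:00", "description": "raise TLS minimum",
             "owner": "web team", "systems": ["web01"],
             "rollback": "set tls_min back to 1.0", "approvers": ["secops"],
             "justification": "retire weak protocol versions"}]

if __name__ == "__main__":
    # The db01 change has no record behind it and is reported as drift
    print(find_unapproved(BEFORE, AFTER, APPROVED))
```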
Saturday, September 17

Simplified Security - Tip #6: Document retention policy
by
RaviC
on Sat 17 Sep 2005 11:19 AM PDT
Document retention policy - Benefits are that the company has a valid legal defense against accusations of willful destruction of documents, and it helps the company conform with the section 1519 requirements of SOX.
I decided to separate this policy from the other policies due to the emphasis given to it under section 1519 of SOX. The term document is used generically to include e-documents such as e-mail and web pages.
Following are the key drivers for a document retention and destruction policy:
1. If a company does not have a schedule of document retention and destruction, the opposing party can accuse the company of selective, willful destruction of documents and hence of evidence. The jury might even decide the case against the company.
2. A schedule of document retention and destruction can help prevent damaging documents from becoming available in future litigation.
3. SOX 1519 imposes criminal penalties: "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."
These are the guidelines that can be followed before establishing a document retention and destruction program:
Industry standards - Get input from others in a similar trade about the retention time frame.
Governmental requirements - As an example, the IRS can audit tax records for up to 7 years.
Possible litigation - If a company foresees possible litigation, documents relevant to that litigation should be preserved for a reasonable time period.
Cost of the retention and destruction program - Weigh the pros and cons of spending too much money on the program against the risks if this is not done.
Thought #6: When you destroy a document, what additional step do you need to perform?