Do you want to know a secret? Security isn’t about hacking, nasty malicious software, or the vulnerability of the day. Security is about maintaining a system and process that provides access to critical data without exposing your company or customers to excessive risk. Auditing is one of the most important aspects of maintaining that system, because it provides the opportunity to test assumptions about the security posture of networked systems and compare that posture with standards and regulations. Auditors ask the questions “How do you know that you are secure?” and “Can you prove that your security technology works?”
The purpose of this excerpt is to introduce the key principles of auditing.
Auditing the security of a company requires that you have a good general understanding of what security is and what it is not. To understand security, it is critical that you realize that security is a process, not a product. Security is not a race with a finish line at the end, as you can never be 100 percent secure no matter how much money or time you spend on it. It’s just not possible to anticipate every vector of attack; but, with the appropriate planning and protective strategies in place, high levels of security can be achieved. Cisco is, fortunately, in a unique position to help companies achieve their security goals by providing the tools necessary to embed security features into many aspects of the network. This means security can be leveraged as a system to better map to the policies, procedures, and more importantly, the business drivers that cause companies to want to safeguard their assets.
To understand security and to audit it as a system, you need to be able to identify how everything ties together conceptually. Security is a broad topic, and one of the few in information technology that literally touches all aspects of a business. From the data center to the break room, every function of a business has its own list of things that need to be protected from a certain level of risk. Managing risk is one of the most important factors in developing a strategy for protecting people, technology, and data. To focus security efforts and to make them manageable, it helps to break down the various aspects of security into the five pillars of security. Figure 1-1 shows the five pillars.
The first step in protecting your company’s assets is to assess the environment. Most people (thrill seekers excluded) wouldn’t try to walk across a busy intersection with a blindfold on, because not being able to see whether the light is red or green could lead to a bad day. Understanding the business environment and direction helps identify the areas that the business deems most important and, subsequently, the most sensitive to disruption of services or theft. Much of what an auditor is asked to do in assessing risk requires sufficient knowledge of how the organization operates. Assessments document and identify potential threats, key assets, policies and procedures, and management’s tolerance for risk.
The assessment process involves asking pointed questions. If you were building a house, you would first survey the land (available technology) to determine how suitable it is to build on. You would also need to know whether the area is prone to flooding (threats). How often does it flood (threat frequency)? Do you have the appropriate permits (laws and regulations)? What are the job site rules (policy and procedure)? What technology can you use to build quickly and effectively (technological components)? These questions and many more help the business plan a strategy for accomplishing its goals. Asking similar questions of the company’s security enables you to examine various scenarios to identify weaknesses in defenses or procedures. What is the probability that you will be hacked tonight and have a “CNN moment” tomorrow? It’s hard to say without a thorough assessment of the business and technology.
Assessments are not something done once and then forgotten. As business needs change and new services and technologies are introduced, regularly scheduled reassessments should be conducted. Doing this gives you an opportunity to test policies and procedures to ensure that they are still relevant and appropriate.
Many engineers focus on technology when they think of prevention. True prevention is more than a firewall or a security appliance: It encompasses administrative, operational, and technical controls. Prevention is not just accomplished through technology, but also policy, procedure, and awareness.
Policy must be documented and enforced with strict rules and consequences for violation. Documented procedures that utilize good security practices can help prevent misconfiguration, which is one of the most common methods that attackers use to compromise a system. Helping users understand what is and is not permissible, in addition to consistent and fair enforcement, goes a long way toward lowering the overall risk to a company.
Too often, organizations fixate on trying to prevent bad things from happening when, in reality, they simply can’t stop everything. The magic box that Vendor X sells you can never anticipate all vectors of attack. This is where the concept of defense in depth comes into play. Defense in depth assumes that no control is perfect, so it helps to layer defenses so that you can compensate for known or unknown weaknesses in a technology or control. Technical security controls such as a firewall or an intrusion prevention system play an important role in keeping a network secure, but they are not a silver bullet that you can plug in and expect to solve all of your security problems. Expect individual security controls to fail, but plan for that event by using multiple levels of prevention.
Your car’s alarm system is one form of detection. Balancing your checkbook at the end of the month is another form of detection. Detection is how you identify whether or not you have a security breach or intrusion. Without adequate detection mechanisms, you run the risk of not knowing whether your network has been compromised. Dr. Eric Cole, author of Network Security Bible, said it best: “Prevention is important, but detection is a must.”1 If you can’t detect a compromise, then you run the risk of having a false sense of trust in your prevention techniques.
One example of the importance of detection can be seen in the 1996 disclosure by Ohio University of hackers who gained access to systems, resulting in the loss of over 137,000 Social Security numbers. These miscreants had total access and control for over a year! Obviously, detection mechanisms were either nonexistent or not properly monitored. Of course, the worst example I have heard about that highlights poor detective controls is from the United States Department of Agriculture, which announced in 2007 that it had exposed over 150,000 farmers’ Social Security numbers because its database went live in 1981. No one can say for sure when it was actually connected to the Internet, but over the 26 years it was active, it is estimated that the data was easily accessible for well over 10 years. Not a good thing!
Detective controls help to identify security incidents and provide visibility into activities on the network. It’s important to detect an incident early so that you can formulate an appropriate reaction to recover services as quickly as possible.
When prevention and detection are effective, reaction time is greatly reduced. No one wants to find out that they have a breach, but if you do have a compromise, you need to do something about it now! Reaction is the aspect of security that is most concerned with time. The goal is to minimize the time from detection to response so that exposure to the incident is minimized. Fast reaction depends on prevention and detection to provide the data and context needed to recognize a security breach. Of course, just knowing about a compromise doesn’t help if you haven’t planned out in advance what to do. This planned and coordinated response is called incident handling. Some companies have a dedicated incident-handling team that can move in at a moment’s notice to reduce exposure time. Not everyone has the budget for these types of teams. Even if your company doesn’t have a dedicated team, some forethought and planning can mean the difference between everyone falling over each other trying to figure out what to do next and quickly restoring key services.
Automated response through technology is an important tool that reduces your reaction time to a security incident. But as good as automated response technologies are, you still need skilled people to handle the incident and confirm that it is real and not just a hiccup on the wire. How quickly and efficiently incidents are handled is one of the most important tests of the effectiveness of a company’s security program. When the alarms go off, how you react can make all the difference in the world!
When your company has an eCommerce system that simply must be available to your customers, or that processes hundreds of thousands of dollars in sales a minute, downtime is relatively easy to quantify. Recovery is where you play detective to determine what went wrong so that you can get the systems back online without reopening the same vulnerability or condition that caused the problem in the first place. Do you patch the exploited vulnerability and recover the data from backup, or is there a bigger flaw in the security controls that allowed the incident to occur? What was the reason that the system was compromised? How did the technical controls fail? Was there a misconfiguration? The recovery phase doesn’t end with bringing the system back online. There is also the post-mortem, which determines what changes need to be made to processes, procedures, and technologies to reduce the likelihood of this type of vulnerability in the future. As an auditor, you must ensure that the organizations you audit have a plan for recovery that addresses these issues.