Saturday, January 26, 2013

Defense in Depth Layer 5: Host Security


"We have only two modes - complacency and panic."
— James R. Schlesinger



The host layer of security focuses on keeping host operating systems and workstations secure.   A host is any device/computer/server with a unique Internet Protocol (IP) address that is interlinked with another machine through an Internet connection.  Security at this layer is especially challenging as these devices are designed to multitask and interact with multiple applications and services simultaneously.  The following is a list of measures to support host security.

1. Host Vulnerability Assessment and Management
Host-based scanners can recognize system-level vulnerabilities including incorrect file permissions, registry permissions, and software configuration errors.  They also ensure that target systems comply with predefined company security policies.  

2. Host-Based IDS/IPS
Host-based intrusion detection systems (HIDS) consist of software agents installed on individual computers within the system.  A HIDS analyzes traffic to and from the specific computer on which it is installed.  It can monitor activities that only an administrator should be able to perform.  It is also able to monitor changes to key system files and any attempt to overwrite these files, as well as to prevent Trojan or backdoor installation.

Host-based intrusion prevention systems (HIPS) are used to protect servers and workstations through software that runs between the system's applications and operating system.  The software is preconfigured to determine the protection rules based on intrusion and attack signatures.  The HIPS will catch suspicious activity on the system and will either block or allow the event depending on predefined rules.  It also monitors activities including application or data requests, network connection attempts, and read/write attempts.
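The file-integrity part of a HIDS described above, as an added example that is not code from the original post: a known-good hash is recorded for each monitored file, and a later check reports files that were modified, removed, or newly added. The monitored files are constructed in a temporary directory so the script runs offline.

```python
"""Minimal file-integrity monitor of the kind a HIDS runs over key system files.
Added example, not from the original post; the watched files are constructed."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good hash of every monitored file that exists."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def check_integrity(baseline, paths):
    """Compare the current state of the monitored paths against the baseline.
    Returns a dict with sorted 'modified', 'missing' and 'new' path lists."""
    current = build_baseline(paths)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "new": new}


def demo():
    """Constructed scenario: baseline two files, then simulate an overwrite of
    one, deletion of the other, and a new file appearing in a watched location."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        hosts = os.path.join(d, "hosts")
        extra = os.path.join(d, "unexpected.so")
        for p, text in ((passwd, "root:x:0:0\n"), (hosts, "127.0.0.1 localhost\n")):
            with open(p, "w") as f:
                f.write(text)
        watched = [passwd, hosts, extra]       # 'extra' does not exist yet
        baseline = build_baseline(watched)
        # Tampering: append an account line, delete hosts, drop a new file
        with open(passwd, "a") as f:
            f.write("svc:x:0:0\n")
        os.remove(hosts)
        with open(extra, "w") as f:
            f.write("x")
        report = check_integrity(baseline, watched)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored off-host or signed, since an attacker who can overwrite system files can usually overwrite a baseline kept beside them.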

3. Access Control and Authentication
Host-based access control grants or denies access depending on the IP address of the machine that requested access.  This system is the least intrusive to users because access is granted on the basis of the machine address.  User authentication allows access control on an individual user basis by utilizing user and password lists to provide the necessary authentication.

4. Host-Based Anti-Virus Protection
Anti-virus protection should ensure that updates to the required signature files for addressing new forms of malware are delivered as soon as possible.  A signature file contains information that anti-virus programs use to detect malware during a scan.  Signature files are designed to be regularly updated by the anti-virus application vendors and downloaded to the client computer.

5. Host-Based Firewall
Host-based firewalls can be used to reduce the attack surface on servers as well as to remove unwanted services and applications.  Host-based firewalls control incoming and outgoing network traffic on individual hosts.  The firewalls check each packet's source, destination address, port, type, etc., and then determine whether to allow them into the machine.  Host-based firewall software must be enabled and configured to block all inbound traffic that is not clearly required for the intended use of the device.

6. Host Hardening
Host hardening works with intrusion detection and is an important part of a secure architecture. It is especially important when it comes to public-facing or Internet-enabled servers such as email, web, or DNS servers.  The main function of host hardening is to harden key servers to ensure the confidentiality and integrity of the systems.  Host hardening measures include:  disabling unused services and user accounts, tightening security settings of required services and file systems, replacing vulnerable services with more secure alternatives, and removing unused tools, libraries, and files.

7. Port Control
It is important to block any unnecessary ports, restrict access to necessary ports whenever possible, and audit open ports to determine if required ports are being abused or if unnecessary ports have been opened.

8. Patch and Security Update Management
It is important to keep up to date on all security related patches and updates. The most commonly exploited security vulnerabilities are widely known and already have patches and updates which address them.  The expected result is to reduce the time and money spent dealing with vulnerabilities and their exploitation.

9. Logging and Auditing
Critical areas of the host can be logged, and the logs can be audited for any unusual activity.  As hosts communicate with each other, the transferred packets are logged to the system log.  Logged information can be monitored for traffic analysis and debugging assistance.
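The log auditing described above, as an added example that is not code from the original post: constructed sshd log lines are parsed, sources with a burst of failed logins inside a short window are flagged, and the finding is escalated if that source later logs in successfully. The threshold and window are assumed values.

```python
"""Audit constructed sshd log lines for unusual activity: a burst of failed
logins from one source, optionally followed by a successful login.
Added example, not from the original post; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_LINES = """\
Jan 26 10:01:02 host1 sshd[2311]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jan 26 10:01:04 host1 sshd[2311]: Failed password for root from 203.0.113.5 port 51124 ssh2
Jan 26 10:01:05 host1 sshd[2311]: Failed password for admin from 203.0.113.5 port 51126 ssh2
Jan 26 10:01:07 host1 sshd[2311]: Failed password for root from 203.0.113.5 port 51130 ssh2
Jan 26 10:01:09 host1 sshd[2311]: Failed password for root from 203.0.113.5 port 51131 ssh2
Jan 26 10:01:20 host1 sshd[2350]: Accepted publickey for jen from 198.51.100.7 port 40022 ssh2
Jan 26 10:02:30 host1 sshd[2360]: Failed password for jen from 198.51.100.7 port 40030 ssh2
Jan 26 10:02:41 host1 sshd[2361]: Accepted password for jen from 198.51.100.7 port 40031 ssh2
Jan 26 10:03:00 host1 sshd[2400]: Accepted password for root from 203.0.113.5 port 51140 ssh2
""".splitlines()

# Syslog-style sshd line: timestamp, host, process, result, user, source, port
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line, year=2013):
    """Turn one log line into an event dict, or None if it is not an auth event.
    The syslog timestamp carries no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def audit(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside a sliding window of
    window_s seconds; escalate to 'critical' if that source later succeeds."""
    failures = defaultdict(list)      # src -> timestamps of recent failures
    findings = {}
    for ev in filter(None, map(parse, lines)):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            # keep only the failures that fall inside the window ending now
            failures[src] = [t for t in failures[src]
                             if (ev["ts"] - t).total_seconds() <= window_s]
            if len(failures[src]) >= threshold:
                f = findings.setdefault(src, {"severity": "warning", "failures": 0})
                f["failures"] = max(f["failures"], len(failures[src]))
        elif src in findings:
            # success from an already-flagged source is the case to act on first
            findings[src]["severity"] = "critical"
            findings[src]["login_as"] = ev["user"]
    return findings


if __name__ == "__main__":
    for src, finding in audit(LOG_LINES).items():
        print(src, finding)
```

The single failure from 198.51.100.7 followed by a success is normal user behaviour and is not reported, which is the kind of distinction a threshold gives you over alerting on every failed login.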

10. Lockdown Mode
Lockdown mode is a security setting used to disable direct user access to a host.  When direct user access is disabled, the host must be managed from the server.  This ensures that the security policies and access controls defined on the server are always enforced, and users are not able to bypass security by logging into the host directly.

Next time, we’ll continue the Defense in Depth journey by discussing application layer security.

Thanks for reading!

Jen

Monday, January 21, 2013

Defense in Depth Layer 4: Internal Network Security


"Do not figure on opponents not attacking; worry about your own lack of preparation."
- Book of the Five Rings



This is the sixth post in the series/semester.  The next step in our journey through the Defense in Depth model of security is the internal network.  Internal network security deals with authenticating network users, authorizing access to the network resources, and protecting the information that flows over the network.  There are various tools here to protect the network from potential attackers and traffic that should not be there.  The following is a list of key elements for internal network security.

1. Vulnerability Assessment and Management
Network services should be assessed and tested for vulnerabilities on a regular basis.  The purpose is to discover possible attack vectors to each host and device on the network and to address them in a way that makes an attack more difficult.

2. Network Segmentation
The process of network segmentation splits the network into sub-networks or network segments.  Network segments are created to control the flow of traffic between hosts on different segments.  In addition to improving performance by reducing congestion and containing network problems, segmenting the network improves security by ensuring that only appropriate traffic is forwarded between segments and that the internal network structure is not visible from the outside.

3. Network-Based IDS/IPS
The internal network layer, like the perimeter layer, works in conjunction with IDS/IPS.  As we discussed in the last blog post, the intrusion detection system is in place to identify and proactively respond to problems, while the intrusion prevention system allows for an automated response to potential security breaches.

4. Internet Protocol Security (IPSec)
IPSec is a set of protocols for securing IP communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of the cryptographic keys to be used during the session.  It can be used in protecting data flows between a pair of security gateways (network-to-network) or between a security gateway and a host (network-to-host).

5. Network Access Control (NAC)
NAC restricts the availability of network resources to endpoint devices that comply with a defined security policy.  NAC restricts the data that each individual user can access and can also implement anti-threat applications such as firewalls, anti-virus software, and spyware-detection programs.  NAC also regulates and restricts the things individual subscribers can do once they are connected.

6. Access Control and Authentication
Access control is the means of controlling what a user or device can and cannot access. Authentication is the method used to identify a user or device.  Access control and authentication measures have evolved to include ID and password, digital certificates, security tokens, smart cards, and biometrics.   Access control lists (ACLs) filter traffic so that only specified IP addresses can access systems and services.

7. Network-Based Anti-Virus Protection
Network based anti-virus software can eliminate viruses and worms before they reach other layers.

8. Network Communication Encryption
Encryption can defend network communications in three ways:
-An encrypted link can be constructed so that a third party cannot see its contents while data is in transit.
-An encrypted link can be constructed so that data cannot be modified while it is in transit without the modifications being detected.
-An encrypted link can be constructed to ensure the sender’s identity.

9. Network Analytics and Monitoring
Network traffic flow can be analyzed to determine patterns and identify potential risks.  This can be done through packet sampling, port scanning, behavior anomaly tracking, threat detection, rogue traffic quarantine, and network event management.

Next time, we’ll discuss security at the host layer.  

Thanks for reading!

Jen



Monday, January 14, 2013

Defense in Depth Layer 3: Perimeter Security


“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place, be transported halfway across the planet in seconds, and be stolen without your knowledge.” — Bruce Schneier

Image retrieved from v3.co.uk


The perimeter of the network is the part that touches the outside world.  Therefore, it is essential to strengthen defenses along the edges of the network to promote comprehensive protection.  The perimeter is the network's border where data flows in from, and out to, other networks, including the Internet.  Perimeter defense allows authorized data to enter while blocking suspicious traffic, and it is handled by several different components, outlined below.

1. Border Router
The border router is the last controllable router before an untrusted or external network, e.g. the Internet.  Since all Internet traffic passes through the border router, it is a practical place for filtering.  It is the first and last line of defense.

2. Demilitarized Zone (DMZ)
A DMZ is a small network that provides public services with low security.  It is a neutral area that is created outside the firewall between a company’s network and an external network, e.g. the Internet.  Web servers, for example, are placed there rather than behind the firewall because of the traffic they generate and because they need less protection than internal systems.

3. Firewall
A firewall is a chokepoint device that decides which traffic is permitted and which is denied.  For perimeter defense, firewalls are available as software (installed inside a router) or as standalone hardware appliances.  A firewall can provide services such as the following:
-Stateful packet inspection – analyzes transactions to ensure inbound packets were requested
-Packet filtering – blocks data from specified IP addresses and ports
-Network Address Translation (NAT) – presents a single IP address representing multiple internal IP addresses to the outside world.
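A simulation of the three firewall services listed above together with the default-deny inbound policy the host-based firewall section of the Layer 5 post calls for, as an added example that is not code from the original post. The addresses are constructed from documentation ranges; the NAT port allocation and rule format are assumptions for the illustration.

```python
"""Simulated firewall showing stateful inspection (inbound allowed only as a
reply to something sent out), packet filtering (explicit allow/block rules)
and NAT (one public address for many internal hosts), with default-deny for
everything else inbound. Added example; packets and addresses are constructed."""
from dataclasses import dataclass, replace

PUBLIC_IP = "192.0.2.10"          # the firewall's single outside address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                # "out" (inside -> Internet) or "in"


class Firewall:
    def __init__(self, inbound_allow, blocked_sources):
        # Packet-filter rules: (dst, dport) pairs explicitly allowed inbound,
        # e.g. a DMZ web server, and source addresses that are always dropped.
        self.inbound_allow = set(inbound_allow)
        self.blocked_sources = set(blocked_sources)
        # NAT/state table: (PUBLIC_IP, nat_port) -> (inside src, sport, remote dst, dport)
        self.state = {}
        self.next_port = 40000

    def process(self, pkt):
        """Return (verdict, packet as forwarded, or None if dropped)."""
        if pkt.src in self.blocked_sources:
            return "DROP:blocked-source", None
        if pkt.direction == "out":
            # Stateful: remember the outbound flow so its reply is recognised.
            # NAT: present PUBLIC_IP instead of the internal address.
            nat_port = self.next_port
            self.next_port += 1
            self.state[(PUBLIC_IP, nat_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            return "ALLOW:outbound", replace(pkt, src=PUBLIC_IP, sport=nat_port)
        # Inbound: is this the reply to a flow we started?
        entry = self.state.get((pkt.dst, pkt.dport))
        if entry and entry[2:] == (pkt.src, pkt.sport):
            inside_ip, inside_port, _, _ = entry
            return "ALLOW:reply", replace(pkt, dst=inside_ip, dport=inside_port)
        # Unsolicited inbound: only an explicit packet-filter rule admits it.
        if (pkt.dst, pkt.dport) in self.inbound_allow:
            return "ALLOW:rule", pkt
        return "DROP:default-deny", None


def demo():
    """Constructed traffic: one outbound HTTPS flow and its reply, a request to
    a DMZ web server, an unsolicited SSH attempt, and a blocked source."""
    fw = Firewall(inbound_allow={("192.0.2.20", 80)}, blocked_sources={"203.0.113.66"})
    v1, translated = fw.process(Packet("10.0.0.5", 51000, "198.51.100.1", 443, "out"))
    reply = Packet(translated.dst, translated.dport, translated.src, translated.sport, "in")
    v2, delivered = fw.process(reply)
    v3, _ = fw.process(Packet("198.51.100.9", 3333, "192.0.2.20", 80, "in"))   # DMZ web
    v4, _ = fw.process(Packet("198.51.100.9", 3333, "192.0.2.10", 22, "in"))   # unsolicited
    v5, _ = fw.process(Packet("203.0.113.66", 80, "192.0.2.20", 80, "in"))     # blocked src
    return [v1, v2, v3, v4, v5], translated.src, delivered.dst


if __name__ == "__main__":
    print(demo())
```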

4. Intrusion Detection System (IDS)
An IDS is an alarm system that detects malicious and suspicious activities by analyzing network traffic.  If something unusual is detected, the IDS alerts the network administrator to take action to stop the event.  A network-based intrusion detection system is referred to as a NIDS.

5. Intrusion Prevention System (IPS)
An IPS is similar to an IDS, except that the IPS takes automatic and immediate defensive action without requiring action by the network administrator. 

6. Virtual Private Network (VPN)
A VPN provides perimeter security by encrypting the data sent between a business network and remote users over the Internet.  This creates a private tunnel through the Internet.

Perimeter defense measures are designed to fortify the network boundary.  While the components listed above do not constitute an exhaustive list, they give us an idea of what is required for perimeter security.  Once again, it is easy to see how this layer is actually layers within a layer.  These different technologies work in unison to create a protective barrier.  

Next time, we will discuss the internal network layer. 

Thanks for reading!

Jen  

Thursday, December 20, 2012

Defense in Depth Layer 2: Physical Security


“Security is always excessive until it's not enough.”
— Robbie Sinclair, Head of Security, Country Energy, NSW Australia


The next layer of Defense in Depth (DID), working inward or upward, is physical security.  Preventing access to items that should remain secure may seem like a no-brainer, but physical security is often taken for granted, and complacency can lead to lax security efforts.  The purpose of physical security is to make it extremely difficult, if not impossible, for intruders to gain access to tangible assets such as personnel, servers, network equipment and cabling, computers, data storage devices, and other valuable resources.

This image, retrieved from http://technet.microsoft.com/library/dd365117.aspx, refreshes the memory of our DID layers.  



The Facilities Physical Security Measures Guideline by ASIS (http://www.abdi-secure-ecommerce.com/asis/ps-920-30-1854.aspx) suggests that there are eight main categories of physical security.  We will use these categories to address the layers of security within the physical layer:

1. Crime Prevention Through Environmental Design (CPTED)
-Uses architectural design and the physical environment as protection against opportunities for crime
-Relies on an awareness of how people use space for legitimate and illegitimate purposes
-Designed to support and control desired and acceptable behaviors
-Uses mechanical measures (locks, gates, etc.), organizational measures (teaching employees how to protect themselves and the spaces they occupy, routine activity theory/capable guardians), and natural/architectural measures (spaces are designed to be effective for users while at the same time deterring crime)

2. Physical Barriers and Site Hardening (keeping unwanted parties out)
-A physical barrier may be natural (fields, rivers, mountains) or structural (landscaping, ditches, walls, doors, roofs).
-Meant to physically and psychologically discourage unauthorized access
-Keeps people and property within a given area, e.g. keeps property from being thrown out the window to be retrieved later
-Directs pedestrian or vehicle traffic in predictable patterns
-Demonstrates a concern for security, e.g. indicates there are further security measures in store
-May delay access by determined attackers
-Includes protection for practical openings (doors and windows) and other openings (ducts, vents, utility channels, tunnels)
-Examples:  Fences (chain-link, barbed wire, ornamental, wooden, concrete, etc.), planters, bollards, concrete barriers, steel barricades, gates, turnstiles, fortification with steel bars and wire mesh, etc.
-Site hardening includes protecting structural integrity against attacks and natural disasters and provides for redundancy of operating systems and utilities.

3. Physical Entry and Access Controls (allowing some people in and keeping others out)
Access control systems may be manual (use personnel to control access), machine-aided manual (e.g. metal detectors), or automated (use technology alone to control access).
-Access control barriers – doors, gates, turnstiles, elevators, etc.
-Electronic access control systems – require credentials, i.e. something you know, something inherent to you, and something you carry
-Personnel access control – tokens or other items in an employee’s possession, e.g. metal key, swipe card, photo ID card, password, PIN, biometric features (fingerprint, iris/retinal patterns, speech)
-Locks – mechanical, electrified, electromagnetic, card-operated, biometric, key system, etc.
-Contraband detection – physical searches by security officers or trained canines, metal detectors, x-ray machines, explosive detectors, etc.
-Vehicle access control – placards, stickers, RFID tags, bar codes, etc.
-Procedures and controls – should address such issues as wearing of badges, number of access attempts allowed, list of prohibited materials, access hours and levels of access, authorized visitor access, etc.


Image retrieved from http://gcn.com/articles/2012/10/30/free-suite-tests-for-biometric-compliance.aspx.


4. Security Lighting
-May deter adversaries and suspicious activities
-Improved surveillance and security response
-Reduced liability
-Witness potential
-Useful both outdoors and indoors
-Intensity is a factor
-Many different lighting types and applications, e.g. continuous, standby, emergency, floodlight, LED, etc.
-Requires adequate power, mounting, and maintenance

5. Intrusion Detection Systems (Alarm Systems)
-Deter intruders when warning signs are posted
-Detect an impending or actual security breach
-Delay intruders by activating other physical barriers
-Respond by pinpointing location of intrusion and where the intruder has moved
-Examples:  position detection devices, motion detectors, sound detectors, vibration sensors, heat sensors, impact sensors
-Include alarm transmission, monitoring, and notification

6. Video Surveillance
-Systems are usually closed-circuit television (CCTV) systems.
-Detects activities that call for a security response
-Collects images of an incident for later review and evidence if needed
-Assists in alarm analysis
-There are a variety of considerations for camera types, requirements, and features, e.g. motion detection, transport medium, length of storage, resolution, lighting, lens selection, etc.
-Requires adequate power, mounting, and maintenance

7. Security Personnel
-Implements, monitors, and maintains physical security measures
-May include Chief Security Officer (CSO), security manager, security officer, guard, etc.
             
8. Security Policies and Procedures
Although we discussed policies and procedures in last week’s post, it is important to note that special consideration should be given to physical security measures.
-Establish strategic security objectives and priorities
-Set forth responsibilities and expectations for all people in the organization
-Must be communicated effectively

At this point, it would be a good idea to briefly mention the concept of security convergence.  Security convergence is the integration of physical security and logical security (cybersecurity).  The theory is that a holistic approach to security will yield more benefits than either one alone will.  It provides a more streamlined approach to management that maximizes efficiencies.  We will revisit this topic at another time.  

Whew!  There was a lot of information to cover here.  Next time we will discuss perimeter security as we begin our move to the creamy nougat center of our DID layer model. (Blogging makes me hungry!)

Thanks for reading!

Jen

Thursday, December 13, 2012

Defense in Depth Layer 1: Policies/Procedures/Awareness/Education

“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
— Bruce Schneier


The outermost layer of the Defense in Depth (DID) strategy is formed by policies and procedures that govern a company’s information security practices as well as the awareness and education of these practices in general. 

Don’t cue the collective eye roll just yet!  While most people don’t appreciate the documentation of do’s and don’ts, policies and procedures serve an important purpose.  Security is everyone’s responsibility; making that fact known upfront can prevent many problems. 

Side Note:  Information security potentially begins at the hiring process.  It is important to hire people who are proactive, have good attitudes, and are willing to comply with company policies.  Once those people are hired, they should be properly trained and treated well.



1. The Purpose of Security Policies and Procedures
There are various reasons to create and implement security policies and procedures. 
-To establish the necessary requirements to prevent or minimize accidental or intentional unauthorized access and/or damage to company technology
-To provide consistent guidelines for best security practices
-To communicate the importance of security to all employees
-To establish minimum safeguards
-To satisfy regulations or laws

2. The Elements of a Solid Security Policy
The security policy should include the following components:
-Purpose
-Scope 
-Definitions and acronyms 
-Policy topics 
-Enforcement 
-Compliance 
-Revision history 
-Related policies and procedures 
-Contact information

3. Security Policy Topics
The tenets of Confidentiality, Integrity, and Availability should be upheld in all security efforts. In order to implement and maintain a successful security effort, certain topics should be addressed in the security policy to support these principles, including:
-Roles and responsibilities of all staff members 
-Handling confidential, sensitive, and proprietary information 
-Appropriate email and Internet usage 
-Instant messaging 
-Downloading and opening attachments 
-Responding to potential security threats and attacks 
-Proper use and maintenance of user names and passwords 
-Saving and backing up data 
-Hardware and software installation 
-System access and updates 
-Malware avoidance and protection
-Mobile device usage, BYOD, etc. 
-Removable media usage, e.g. USB storage devices 
-Remote access and telecommuting 
-Power irregularities 
-Data storage and disposal 
-Technology standards 
-Other best security practices as applicable

The Policies/Procedures/Awareness/Education efforts should be reevaluated on a regular basis in order to keep up with new threats and vulnerabilities and to prevent complacency.  In order for security efforts to be successful, they must be enforced; even better, they should be modeled by upper management and IT staff.

As the saying goes, the best defense is a good offense.  In the pursuit of information security, it makes sense to start by educating the users of the information to be secured.    With all the external threats out there, it would be tragic if the threat came from within in the form of an unaware or misinformed employee.

Next time, we’ll discuss how physical security measures can provide tangible protective barriers to secure information. 

Thanks for reading!

Jen

Thursday, December 6, 2012

Defense in Depth: The Layered Security Solution

“Better to be despised for too anxious apprehensions, than ruined by too confident security.” — Edmund Burke


In order to maintain some cohesion throughout this blog experience, I have decided to focus on Defense in Depth (DID) as an information security solution.  I will begin by providing an overview of the DID structure, then subsequent postings will discuss each of the components in greater detail.

There are several DID models out there, but most of them include the following general categories, listed from outermost to innermost layer:
1. Policies/Procedures/Awareness/Education
2. Physical
3. Perimeter
4. Internal Network
5. Host
6. Application
7. Data

The following image, retrieved from http://technet.microsoft.com/en-us/library/cc512681.aspx, is a representation of these layers.

Each of these layers represents an opportunity to incorporate security into the information technology framework to make sure all the bases are covered, so to speak.  Taking a layered approach to security by including defense measures at each layer can greatly reduce the risk and effects of vulnerability, attacks, and intrusions, thereby saving a lot of time, money, and frustration.

DID is historically based on a military strategy to bolster defenses so that one breach will only lead to more defense measures; such a strategy may exhaust the resources of the offense in the meantime, allowing key defensive resources to remain protected.  There are, however, advantages and disadvantages to this strategy.

DID’s main advantage is, of course, added security.  DID creates multiple layers of protection so that if one defensive measure fails, there are more behind it to continue protecting the assets.  This is especially important because a combination of many different kinds of security tools is required to provide protection from modern threats; there is no single solution for the information security problems being faced today.

DID’s main disadvantage is complexity.  Implementing security at every layer takes a lot of planning and valuable resources.  It is important to consider if and how security measures can work together as well as the maintenance, administration, and monitoring that is required for each.  DID must achieve a balance between protection capability and cost, performance, and operational considerations.

Overall, DID is really an application of best practices; this approach to information security makes a lot of sense.  More equals better in most cases, right?  But the important question to answer is “More of what?”  That is what we will seek to find throughout this blog series.

Join me next time to learn about how policies and procedures provide the hard outer shell to the DID structure.

Thanks for reading!

Jen

Wednesday, November 28, 2012

An Introduction


Welcome, and thank you for visiting my blog!  As the name implies, I will be pursuing a deeper understanding of Information Security by exploring relevant topics on a weekly basis.  Please feel free to comment on any of the posts.  
Best regards, 
Jen