• 2.0 What is security?
• 2.1 Why is IT security necessary?
• 2.2 Why is a security policy needed?
• 2.3 Are your systems secure now?
• 2.4 How to go about improving security
  • 2.4.1 Bottom Up Approach to improving Security
  • 2.4.2 Top Down Approach to improving Security
    • 2.4.2.1 Overview
      • 2.4.2.1.1 Formal Risk Analysis Methods (e.g. MARION)
    • 2.4.2.2 Threats + impact + likelihood = risk
    • 2.4.2.3 Sources of threats
    • 2.4.2.4 Impact
    • 2.4.2.5 Constraints Analysis
    • 2.4.2.6 Risk summary
    • 2.4.2.7 Counter strategy & counter measures

---

2.0 What is security?

Continuity of operations and correct functioning of information systems is important to most businesses. Threats to computerised information and process are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an acceptable level.

Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with Quality structures, processes and checklists.

What needs to be protected, against whom and how?

Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised. IT security is comprised of:

Confidentiality: Sensitive business objects (information & processes) are disclosed only to authorised persons. ==> Controls are required to restrict access to objects.
Integrity: The business need to control modification to objects (information and processes). ==> Controls are required to ensure objects are accurate and complete.
Availability: The need to have business objects (information and services) available when needed. ==> Controls are required to ensure reliability of services.

A threat is a danger which which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage. 

2.1 Why is IT security necessary?

Most companies use electronic information extensively to support their daily business processes. Data is stored on customers, products, contracts, financial results, accounting etc. If this electronic information were to become available to competitors or to become corrupted, false or disappear, what would happen? What would the consequences be? Could the business still function?

• Customer information or accounting information could be disclosed, affecting credibility.
• This information could be used by (new) competitors to launch more effective marketing campaigns.
• Competitors could launch an invisible, but effective attack which would be difficult to prove. If such an attack disrupted customer service, destroyed some accounting data, it would reduce customer confidence and help competitors increase their market share.
• IT systems have been under attack for decades now, but never before were so many computers networked, never before have so many cheap automated information attack weapons been available to would-be enemies. If is often impossible or very difficult to know if you are under attack and from whom. Attacker sophistication has increased enormously in the last 5-10 years. In the last 2 years many automated attack tools have appeared on the Internet, making is much easier for ignorant attackers to cause considerable damage.
• Many of the weapons only available to the intelligence community a few years ago can be bought commercially.
• Virus development has continued at an alarming rate in the last few years, leaving few, if any companies untouched.
• System interconnection increases security risks significantly:

"The network is the computer" is a phrase coined by Sun Microsystems in the mid eighties, which is even truer now than then. Applications have moved from single systems (e.g. mainframes) to a multiple of co-operating modules across different systems. A typical example would be a client server application that consists of a PC client which passes via a UNIX gateway to access data on a mainframe. For such an application to be secure, the PC, UNIX, Mainframe and network need to be secured. Security in a client server environment is complicated by the use of completely different authentication mechanisms on each machine. A client-server application is classified at a security level based on the security of the weakest link in the chain of component elements. What is the point is a very secure mainframe if for example, passwords are kept in readable form on PCs or on a piece of paper stuck on the PC screen?

The following figures are included (source: Datapro Research) as example, to give an idea what is going on in the real world.

• Common Causes of damage : Human Error 52%, Dishonest people 10%, Technical Sabotage 10%, Fire 15%, Water 10% and Terrorism 3%.
• Who causes damage? Current employees 81%, Outsiders 13%, Former employees 6%.
• Types of computer crime: Money theft 44%, Damage of software 16%, Theft of information 16%, Alteration of data 12%, Theft of services 10%, Trespass 2%.

IT security requirements [itsec] are often specified in terms of:

Assurance: Confidence that a System behaves as expected (i.e. according to it's specification).
Identification / Authentication: When users or programs communicate with each other, the two parties must identify each other, such that they know who they are communicating with.
Accountability/Audit Trail: The ability to know who did what, when, where. Users are responsible and accountable for their actions. Automatic audit trail monitoring and analysis to detect security breaches.
Access Control: Access to specified resources can be restricted to certain entities.
Object Reuse: Objects used by one process may not be reused or manipulated by another process such that security may be violated.
Accuracy: Objects (information and processes) are accurate and complete.
Secure data exchange:

• Confidentiality: data should remain private during transmission.
• Integrity: data should remain accurate & complete during transmission.
• When sending email or when programs communicate with each other, authentication (see above) is required.
• In certain situations, it may be necessary to be able to prove where information came from. This is called non repudiation of origin. A sender may also require proof that the message was received by the intended receiver - non repudiation of receipt.

Digests, public key encryption, digital signatures and challenge-response are some of the methods used to achieve secure communication.

Reliability of service: Data and vital services are available when needed.

A system may not contain confidential data, but it must be available 24 hrs a day - so it has low data sensitivity, but high availability requirements. High availability systems always require better confidentiality to prevent "denial of service" attacks. For some systems, confidentiality (i.e. privacy or non disclosure of information) is more important that integrity (unauthorised modification of information), for others the reverse is true. Systems with different requirements need to be secured in different ways.

A balance should be found between too much security (very restrictive use, high cost) and too little security (unrestricted use, danger, low "visible" cost).

The value of information and processes should be known, the risks in the current environment analysed, so that an appropriate set of countermeasures can be implemented. A cornerstone of countermeasures is risk analysis and the security policy. 

2.2 Why is a security policy needed?

A security policy is a preventative mechanism for protecting important company data and processes. It communicates a coherent security standard to users, management and technical staff.

• A policy can be used to measure the relative security of current systems.
• A policy is important for defining interfaces to external partners.
• There are mandatory legal requirements as regards protection of customer and employee data.
• A policy is a prerequisite to quality control (ISO 900x). 

2.3 Are your systems secure now?

The British standards institute [bsi1] publish a list of ten key controls for checking if basic security is implemented. They are:

1. Information Security Policy Document
2. Allocation of security responsibilities
3. Information security education and training
4. Reporting of security incidents
5. Virus controls
6. Business continuity planning process
7. Control of proprietary copying.
8. Safeguarding of Company records.
9. Compliance with data protection legislation
10. Compliance with security policy.

How many of the above points exist in your current environment? 

2.4 How to go about improving security

How to improve security:

=> Knowing what data & processes need to be protected.
=> Recognising the threats, judging possible impacts.
=> Calculating the risks and deciding what risks are acceptable.
=> Counter measures: Developing a strategy to reduce the risk to an acceptable level, then implement, test and tune the strategy.

• Keep it simple. If security is very complicated, it is unlikely to be effective and likely to be expensive.
• Keep it coherent. It is better to have a minimum, coherent level of security than some systems highly protected and other dependant systems wide open.
• Keep to standards if possible (e.g. BSI, ITSEC, TCSEC), it will make choosing and evaluating systems easier and will allow easier definition of inter-company standards.

There are two basic approaches to improving security, Bottom Up and Top Down. 

2.4.1 Bottom Up Approach to improving Security

This approach is faster, but not very precise.

If you know what you want to protect, from whom and to what degree:

• Understand what current policies, network topology, operating procedures and user practices are in use.
• Consider creating an attack profile. i.e. if you were an attacker, how would you go about attacking the company? What networks/systems are visible via external network connections, modems etc.? Where are important systems kept, how physically accessible are they? How would you persuade employees to give you passwords? Trying to think like an attacker will open surprising possibilities (and hence weaknesses)!
• Summarise weaknesses in the previous 2 points, make a short list of what weaknesses and future threats are to be countered.
• Define an information policy (if not already existing). Classify information. Recognise what information is most important. Distribute it and educate users.
• Create a user policy, distribute it and educate users.
• Create technical guidelines for the secure installation, maintenance and production of your servers and networks (or other perceived weak points). Audit sensitive systems regularly. 

2.4.2 Top Down Approach to improving Security

2.4.2.1 Overview

This approach is methodical, more precise, but can be slow and have high initial costs. Where security needs to be "urgently" improved, it is suggested to use both methods in parallel i.e. use the bottom up approach for important "well known" systems and the top down approach to have a long term, precise policy, strategy and vision on security that is supported and understood by management.
The top down approach involves:

1. Asset Analysis: What needs to be protected? List information and processes (What are the important assets? Are they stored on computer? What are the financial implications of loss of these assets?). The measures taken to protect assets should correspond to the value of assets.
2. Analyse current security rules/policies/practices (if any).
3. Define basic Security Objectives: e.g. fix basic Availability, Confidentiality and Integrity objectives.
4. Threat Analysis: Before deciding how to protect a system, it is necessary to know what the system is to be protected against i.e. what threats are to be countered. e Identify Threats (employee vengeance, hackers, espionage, technical failures etc.). A list of sample threats is presented later. Threats tend to be general in nature.
5. Impact Analysis:
   • What is the impact or consequence (harm to business) if a threat, or a combination of threats is realised? This is very system specific, e.g. loss of company secrets, modification of accounting data, falsification of money transfers.
   • The impact should be judged by business experts, not technical experts.
   • The impact has two components, a short term impact (threat is short) and a long term impact (the threat persists, affecting the business in the long term). The total impact should be considered as a number (0-5) with a contribution for the short term and the long term.
     1. The impact is negligible
     2. The effect is minor, major business operations are not affected.
     3. Business operations are unavailable for a certain amount of time, revenue is lost, customer confidence is affected minimally (unlikely to lose customers).
     4. Significant loss to business operations or customer confidence or market share. Customers will be lost.
     5. The effect is disastrous, but the company can survive, at a significant cost.
     6. The effect is catastrophic, the company cannot survive.

6) Calculate Risk:

• What is the likelihood of a threat occurring (0-5)? Technical experts can probably judge better than business experts what the likelihood of a threat occurring is.
  1. The threat is highly unlikely to occur
  2. The threat is likely to occur less than once per year
  3. The threat is likely to occur once per year
  4. The threat is likely to occur once per month
  5. The event is likely to occur once per week
  6. The event is likely to occur daily

• risk = impact * likelihood
• The risk can have a minimum value of 0 (no risk) and a maximum of 25 (extremely dangerous risk). The greater the risk value, the more important it is to implement counter measures.
• An acceptable risk value needs to be set. All risks having a value higher than this number are unacceptable risks which must be countered. For this project, we (provisionally) set the acceptable risk = 15.

7) Constraints Analysis: Examine requirements outside of your control (national and international laws, corporate requirements, corporate culture, contractual requirements, budget).

8) Decide on a counter strategy:

• define Security Objectives.
• define Counter Measures (e.g. Policy, Roles, Processes, Responsibility, Mechanisms)
• Can risks be reduced to an acceptable level with this strategy? Are costs too high?
• If not can the remaining risk be economically insured?
• Otherwise redo the strategy.

9) Implementation:

• Develop Security policy and guidelines together with an information classification system.
• Define a security organisation (or modify the current organisation). Users, administrators and managers should have clearly defined roles/responsibilities and aware of them.
• Run pilot tests. Tune policies, processes & organisation according to results.
• Then secure systems on a wide scale.

10) Assurance: Re-evaluate risks and security strategy regularly (e.g. every 2 years). 

2.4.2.1.1 Formal Risk Analysis Methods (e.g. MARION)

The method described above is an ad-hoc, "obvious" method, not a formally approved methodology.  There are many formal methods. Marion is described below. THe European Security Forum also have an interesting one, but I've not examined it yet in detail.

A formal method known as MARION[1] for IT risk-analysis is a good starting point for a top-down risk analysis and implementation of security in an enterprise. This method was developed in France in 1984 and is designed to be practical, directly involving top management in an intensive analysis of the enterprise. By 1992, it had been used in over 800 projects, especially in France.

This public domain method is updated yearly together with statistics by the French computer security club CLUSIF (Club de la Securite Informatique Francais) and the insurance organisation APSAD (L'Assemble Pleniere de Societes d'Assurance Domage) in France.

The reader is referred to companies such as Coopers & Lybrand who carry out MARION risk analyses. See Appendix C for contact information. 

2.4.2.2 Threats + impact + likelihood = risk

Before deciding how to protect a system, it is necessary to know what the system is to be protected against i.e. what threats are to be countered. In the following sections different types of threats are presented.

Threats are divided up into the following categories: General, Identification / Authentication, Availability, Privacy, Integrity / Accuracy, Access Control, Repudiation, Legal.

In this section a table is presented containing: The threat (including description), the impact of the threat (a reference to the impact table), plus a number (0-5) and the likelihood of the threat occurring (number 0-5).

General Threats:
 

Threat	Impact (ref.)	Impact (0-5)	Likeli-hood (0-5)
Human error:
Accidental destruction, modification, disclosure, or incorrect classification of information.  Ignorance: Inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge (e.g. system administrators).
Workload: too many or too few system administrators. Highly pressurised users.
Users may inadvertently give information on security weaknesses to attackers.
Incorrect system configuration.
The security policy is not adequate.
The security policy is not enforced.
The security analysis may have omitted something important, or be simply wrong!
2. Dishonesty: Fraud, theft, embezzlement, selling of confidential corporate information.
3. Attacks by Social engineering:  Attackers may use the telephone to impersonate employees to persuade users / administrators to give username/passwords/ modem numbers etc.  Attackers may persuade users to execute trojan horse programs.
4. Abuse of privileges / trust.
5. Unauthorised use of "open" terminals/PCs.
6. Mixing of test and production data or environments.
7. Introduction of unauthorised software or hardware.
8. Time bombs: software programmed to damage a system on a certain date.
9. Operating System Design errors: Certain systems were not designed to be highly secure (e.g. PCs, many UNIX versions).
10. Protocol Design errors: Certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in: Source routing, DNS spoofing, TCP sequence guessing e unauthorised access is achievable.  hijacked sessions and Authentication session / transaction replay are possible e Data is changed or copied during transmission.  Denial of service, due to ICMP bombing, TCP_SYN flooding, large PING packets, etc.
11. Logic bomb: software programmed to damage a system under certain conditions.
12. Viruses (in programs, documents and email attachments)

Identification/authorisation threats:
 

Threat	Impact (ref.)	Impact (0-5)	Likeli-hood (0-5)
1. attack programs masquerading as normal programs (Trojan Horses).
2. attack hardware masquerading as normal commercial hardware.
3. external attackers masquerading as valid users or customers.
4. internal attackers masquerading as valid users or customers.
5. attackers masquerading as helpdesk/support personnel.

Reliability of service threats:
 

Threat	Impact (ref.)	Impact (0-5)	Likeli-hood (0-5)
1. Major Natural disasters: Fire, smoke, water, earthquake, storms/hurricanes/tornadoes, power cuts etc. to systems.	Im7
2. Minor natural disasters (or short duration or causing little damage) .	Im8
3. Major Man-made disasters: War, Bombs, civil disturbance, dangerous chemicals, nuclear accidents, etc.	Im7
4. Equipment failure due to defective hardware, cabling, or communications system.	Im8
5. Equipment failure due to airborne dust (no or malfunctioning air-conditioning), or electromagnetic interference, or static electricity.	Im8
6. Denial of service
Network abuse: misuse of routing protocols to confuse and mislead systems.
Server overloading (processes, swap space, memory, "tmp" directories and overloading services)
Email bombing (message flooding).  Downloading or receipt (via email) of malicious Applets, ActiveX controls, macros, postscript files etc.
7. Sabotage: Malicious (deliberate) damage of information or information processing functions.
Physical destruction of network interface devices, cables
Physical destruction of computing devices or media.
Destruction of electronic devices and media by Electromagnetic radiation weapons.
theft
Deliberate electrical overloads or shutting off electrical power.
Virus and/or worms
Deletion of critical system files.

Privacy threats:
 

Threat	Impact (ref.)	Impact (0-5)	Likeli-hood (0-5)
1. Eavesdropping
Electromagnetic eavesdropping / Van Eck Radiation: Computers, keyboards, monitors, printers emit radiation which can be detected up to several hundred meters away and reconstructed.
Telephone, fax eavesdropping (via "clip-on", telephone bugs, inductive sensors or hacking the public telephone exchanges).
Network eavesdropping: unauthorised monitoring of sensitive data crossing the Internal network, unknown to the data owner (via "clip-on", inductive sensors, network sniffers, or hacking the public telephone exchanges).
Network eavesdropping: unauthorised monitoring of sensitive data crossing the Internet, unknown to the data owner (via "clip-on", inductive sensors, network sniffers, or hacking the public telephone exchanges).
Subversion of DNS to redirect Email or other traffic
Subversion of routing protocols to redirect Email or other traffic.
Reading information cached in client applications
Radio signal eavesdropping: Analogue mobile phones & cordless home phones are very easy to eavesdrop.
Rubbish eavesdropping: An attacker who analyses waste can often find interesting things. Are all confidential documents shredded?

Integrity/Accuracy threats:
 

Threat	Impact (ref.)	Impact (0-5)	Likeli-hood (0-5)
1. Malicious (deliberate) damage of information or information processing functions from external sources.
2. Malicious (deliberate) damage of information or information processing functions from internal sources.
3. Modification of information (deliberate).

Access Control threats:
 

Threat	Impact (ref.)	Impact (0-5)	Likeli-hood (0-5)
1. Password cracking: Access to password files, use of bad passwords (blank, default, easy-to-guess or rarely-changed passwords).
2. External access to password files, and sniffing of the network
3. attack programs allowing internal access to systems (backdoors).
4. attack programs allowing external access to systems (backdoors visible to external networks).
5. Unsecured maintenance modes, developer backdoors.
6. Modems are easily connected, allowing uncontrollable extension of the internal network.
7. Bugs in network software can open unknown/unexpected security holes. These holes can be exploited from external networks to gain access to the internal network. As software becomes increasingly complex, this threat grows.  8. Unauthorised physical access to System

Repudiation threats:
 

Threat	Impact (ref.)	Impact (0-5)	Likeli-hood (0-5)
1. Receivers of confidential information may refuse to acknowledge receipt.
2. Senders of confidential information may refuse to acknowledge the source.

Legal threats:
 

Threat	Impact (ref.)	Impact (0-5)	Likeli-hood (0-5)
1. Failure to comply with regulatory or legal requirements (e.g. failure to protect confidentiality of employee data).
2. Many countries' law forbids (also over the Internet) incitement to racism, gambling, money laundering or the use of, or distribution of, pornographic or violent material. You may be liable if internal users or attackers abuse the your systems to these ends.
3. Internal users attacking other sites: is the company liable to damages if an employee attacks another company?

2.4.2.3 Sources of threats

Threat source

1. Political espionage.

2. Commercial espionage. Since the end of the cold war, the entire intelligence community has undergone a significant shift from classical east-against-west spying to each-country-must-protect-its-economy. Former KGB and CIA employees are now working as freelance commercial intelligence services. Sources of such espionage are competitors (domestic and international).

3. Employees: Disgruntled employees and (former) employees.  Bribed employees.  Dishonest employees (possible at all levels: from top management down).  System & security administrators are "high-risk" users because of the confidence required in them. Choose with care.

4. Hackers: Beginners: know very little, use old, known attack methods  Braggers: Are learning a lot, especially from other hackers. They seek gratification by bragging about their achievements  Experts: High knowledgeable, self reliant, inventive, try to be invisible. They may provide tools/information to the braggers to launch attacks, which hide their own, more subtle attacks.

5. Contractors / vendors who have access (physical or network) to the systems.

6. Organised crime (with goals such as blackmail, extortion etc.).

7. Private investigators, "mercenaries", "free lancers".

8. Law enforcement & government agencies (local, national and international), who may or may not be correctly following legal procedures.

9. Journalists looking for a good story.

2.4.2.4 Impact

Impacts are very business specific, depending on the assets, the type of business, the current countermeasures (IT infrastructure). Impacts describe the effect of a threat. The impact may also depend on the length of time that business functions are disrupted.
The following is a list of some basic impacts, that company may be subjected to. It needs to be completed in detail by managers who understand the business in detail.
 

Ref.	Possible Impacts
Im1	Disclosure of company secrets, disclosure of customer data, disclosure of accounting data.
Im2	Modification of accounting data or customer data.
Im3	Attackers impersonating the company or it's customers.
Im4	Bad company publicity: hacker security breaches publicised.
Im5	Bad company publicity: customer information modified/deleted/publicised.
Im6	Bad division publicity: External attackers used a particular division as an entry point to the corporate network.
Im7	Major disruption of business functions.
Im8	Major disruption of the network.
Im9	Fraud
Im10	Loss of customer confidence (if the disruption lasts for a longer period of time, or occurs frequently, customers would probably be lost).
Im11	The company may be legally prosecuted (negligence, breaking the law or regulatory requirements)
Im12	Reduction of quality of service
Im13	Possible gains for competitors and thus loss of revenue.
Im14	The corporate network may be used as a base by attackers for attacking other sites.
Im15	The corporate network may distribute software containing attacker software.
Im16	Electronic fraud

2.4.2.5 Constraints Analysis

Examine requirements outside of your control:

• National, international laws on topics such as pornography, privacy of employee and customer data, libel etc. should be taken into account.
• Corporate requirements (mission, strategy etc.).
• Budget (unless money is no object!). 

2.4.2.6 Risk summary

Once the threats, impacts and corresponding risks have been listed and the constraints have been analysed, the significant business risks (or weaknesses) will be more evident, allowing a counter strategy to be developed.

It is advisable to summarise the risks to be countered together in one table. Likewise a summary of major strengths would show what has been achieved to date.

An example of the major risks/weaknesses list might be:

• Management do little to encourage and support security measures.
• There is an inadequate information security policy, information is not classified.
• Users are not security aware and generally use bad passwords. Unused terminals are rarely protected.
• Few computers are installed with homogenous, standard software. Most users install what they want on their machines.
• The Internet connection to the company is made by a weak Firewall, with few access control mechanisms, no audit log, no official policy and no monitoring/intrusion detection or incident response team.
• Certain servers are not kept in locked computer rooms, have no backup power circuit, air-conditioning or static/electromagnetic protection.
• Few computer operating procedures are documented.
• No off site tape backups are made.
• Employees are not identified adequately, visitors may roam unchecked (no visitor procedures, lack of building security).
• The building is in an earthquake zone, where minor quakes are expected every 30 years.
• The network control room is underground and may subject to flooding during major storms. 

2.4.2.7 Counter strategy & counter measures

Develop a strategy, based on the Risk Summary above to:

• eliminate risk, or
• reduce the risk to an acceptable level, or
• to limit the damage (reduce the impact of a threat), or
• or to compensate the damage (insurance).

Countermeasures typically involve: Security Policy, Security organisation (responsibility, roles & processes) and specific mechanisms.

1. Definition of security policies, to protect information based on the risk (see the "Policies" chapter). Policies reduce risk.
   • Definition of a corporate security policy.
   • Definition of policies on a project, system or business unit basis.
   • Distribution of policies to those effected.
2. Implementing Policies: Roles, Responsibility and organisation are required (see next chapter). A security organisation can reduce risk and limit damage.
   • The IT security organisation needs a clear statement of mission and strategy.
   • Definition of security roles & processes..
   • Users, administrators and managers should have clearly defined roles/responsibilities and aware of them.
   • User / support staff may require training to be able to assume the responsibilities assigned to them.
3. Define requirements on mechanisms: Effective use of mechanisms and processes to enforce security. Choosing appropriate security mechanisms together with secure operating procedures can reduce the risk. Requirements should be listed under the following (ITSEC recommended) headings. ITSEC also recommends that the strength of mechanisms and countermeasures should be rated as basic, medium or high.
   • Identification and Authentication
   • Accountability
   • Audit
   • Access Control
   • Object Reuse
   • Accuracy
   • Data Exchange
   • Reliability of Service
4. Define concrete Secure Operating Guidelines and controls for specific systems (see Part III).
5. Consider insuring against threats which cannot be covered by the above measures.
6. Assurance / constant vigilance:
   • Conduct regular audits of important systems. How effective are the countermeasures, do they require tuning?
   • Reconsider risks regularly. Are new threats more important, have some threats ceased? Risk and strategy should be reconsidered regularly (perhaps once every year or two).