BD&F Information Security

I had a discussion recently with a security manager when I came across the term “appetite for risk”. I never heard of this in information security and assumed it meant the level of risk an organisation is willing to accept.

That definition is vague because it treats the entire organisation as a single unit with one view of the risks involved in all its operations. I am interested in investigating how risk is viewed and would like to start with a small company which is experiencing growth along with changes to its appetite for risk.

To clarify, appetite in this term is not the same as ‘desire’ in the case of food. It is closer to tolerance of the various risks a company encounters.

The majority of companies are owned and operated by one person. In this scenario the appetite for risk with regard to information security can be very high. The IT systems used in these small businesses are usually machines placed in areas of the home where they can be easily shared with family members.

At this point, the business might not be entirely sure about its future prospects, it might be still testing the market, acquiring new customers, trying out a new product, getting to grips with the IT used. These all demand resources which are usually limited due to the number of people involved in the business. The appetite for risk is high because the concentration is on growing the business. The business is still in its infancy and information security would seem unnecessary.

I will disagree of course but also point to the basic security functions available through the operating system and applications software in use. The machines should be physically protected from as many domestic hazards as possible (heat, water, knocks and theft). All the business affairs can be assigned to a separate password-protected account. The documents on that account should be regularly backed up to an external drive. If the information is secret, it can be encrypted in the back up, on the everyday machine or in both places.

It is never too early to incorporate security into the operation. Doing this would help the business avoid avertable costs as it matures. A culture of security awareness keeps a business focused on protecting its data, developing new products that might usually be considered too insecure and enrols each member of staff as an additional guardian of the company’s information.

I will follow the development of the small company and the changing appetite for risk in my next post.

Photo by Norma Desmond

The previous six posts make up a Defence in Depth approach to securing an IT system and the data contained within. IT systems are essential to commerce in many parts of the world. Protecting all the components of these systems helps to safeguard the business’ secrets and maintain compliance with the laws that govern the security of data.

Layers
The Perimeter of the system is hard to define with the use of new communication tools that connect people to systems remotely. The system’s owner has to regularly define the boundary between the business’ system and that which is entirely out of his control.

Boundary defence will include securing access to the System. Machines should be locked away from unauthorised access. A home run business would avoid risks by locating the computer in a private part of the home. Scale this up to a large company and you get dedicated server centres with high security.

Networks are usually connected to the Internet and are protected primarily at that junction. Firewalls help control the type of traffic that comes into the home network but defending against the Web is not the end of network defence. Within a company there will be division of responsibilities and different rights of access which must be technologically defended.

The Host machines run different applications to serve the business. Some staff will have access to the finance applications, others to the HR. The machines need to be protected, access to the applications need to be protected and access to the data used by the applications must also be protected.

Some Applications such as an email program are used but all staff. Proper authentication is important to ensure that each person see only their account. These applications usually come with default settings which are common knowledge and need to be reset on installation.
 
Data Classification helps decide what to hide where. When a business is clear about which data must be kept secret, it makes it easier to allocate resources to protecting that data. Without a classification there will be an effort to protect all, nothing or the wrong things.

Additional Steps
Back up of essential data is a security step that ensures a business can continue running after a disaster. It can be a loss of power, machines, offices, natural disasters or anything that would deprive the business of its IT systems and data. An external storage device and a schedule for backing up data would provide a company with the means to recovery from many types of attacks and catastrophes.

Encryption is another defensive tool that would keep data private both in storage and transit. Many of the usually office applications have the function to save documents in an encrypted form. There are also Open Source encryption tools to help protect email, memory sticks and storage devices.

A Defence in Depth strategy for a business’ IT systems pays its way because it sets up barriers at each point between an external entity and the data that is the lifeblood of a business. This ensures that the company can keep hold of its secrets and in the event of a disaster, resume business without much interruption.

Photo by Adam Mulligan

Data is the basic component of an information system. It includes the intellectual property of a company, staff information and records of customer transactions. Data coming into an organisation is processed to facilitate the business operation.

To advise on the need to classify data requires a clear understanding of the risk associated with the exposure of each type of information.

It is normal to choose three classifications of data. There is public data such as the company’s history, news releases and published plans. Employee data is information that should stay within the company and not be exposed to the public. An example of this is a company strategy before it is announced to the public. Secret data is confined to certain sections of a company such as finance, research and HR.

These classifications come with different names and are not standardised across the industry. In each company one can find a customised data classification schema and different system configurations to support the levels of protection applied to each designation.

There are laws and standards that order the protection of customer data. These laws can be used to help decide what protection should be used for what type of data. A classification based on legislation can be more useful than one based on a subjective appraisal of what a piece of data is worth.

The Data Protection Act (DPA) and Payment Card Industry Data Security Standard (PCI DSS) are two relevant examples. DPA states what type of customer information should be kept from public exposure. Any data that can be used to identify a person should not be given out without consent. PCI DSS stipulates that cardholder data must be protected and gives very good prescriptions on how to achieve the required level of security.

A good starting point for classifying data takes into account what laws and standards govern the data taken in by the company and also what data does the company consider proprietary. In looking at the latter it is important to consider the triad of Confidentiality, Integrity and Availability.

That triplet can help a company classify a piece of data and decide what measures will be used to protect it. The use of encryption for stored data or data in transit will obviously be considered for Confidentiality. There are other methods to provide assurance of Integrity such as digital signatures and for Availability, protection of servers from attack and disaster.

The classification of data helps a company decide what resources to allocate to the protection of its information. There is the customary three-level approach which can be difficult to implement because it is subjective and it does not always address the requirements of legislation. This method is more suited to the intellectual property of a company.

Using the laws and standards to classify customer information is more useful because the legislation is aimed at the protection of customers and because the penalties can be quantified. This makes it easier to calculate a justifiable level of spending to achieve compliance.

Securing client applications involves both the application of security settings and the education of users. You can secure Internet Explorer through the use of administrative templates, as well as by configuring the security settings for the built-in security zones. Microsoft Office also has a set of administrative templates that you can use to control access to certain types of attachments, junk e-mail, and other potentially damaging content. Helping users understand how to safely download files from the Internet and how to safely open e-mail attachments is key to maintaining application security in your organization.

Internet Explorer Administrative Templates
Internet Explorer administrative templates help you enforce security requirements for workstations running Windows XP and prevent the exchange of unwanted content by means of the browser. Use the following practices to help secure Internet Explorer on the workstations in your environment:

Consider using the settings included in the Enterprise Client templates.

Ensure that requests to the Internet occur only in direct response to user actions.

Ensure that information sent to specific Web sites reaches only those sites unless specific user actions are allowed for transmitting information to other destinations.

Ensure that trusted channels to servers/sites, and the owners of the servers/sites on each channel, are clearly identified.

Ensure that any script or program that runs with Internet Explorer executes in a restricted environment. Programs delivered through trusted channels can be enabled to operate outside the restricted environment.

Internet Explorer Zones
In Internet Explorer, you can configure security settings for several built-in security zones: the Internet zone, the Local intranet zone, the Trusted sites zone, the Restricted sites zone, and the My Computer zone. The default settings for these zones in Windows XP Service Pack 2 are:

For the Internet zone, the default security level is Medium. This zone is intended for all content in Uniform Resource Locators (URLs) with fully qualified domain names.

For the Local intranet zone, the default security level is Medium-Low. This allows your user credentials (user name and password) to be passed automatically to sites and applications that need them. This site is intended for all Web sites on your local network in the same DNS domain as the client computer.

For the Trusted sites zone, the default security level is Low. This allows browsing of many Internet sites. This zone is empty unless specifically configured.

For the Restricted sites zone, the default security level is High. This zone is empty unless specifically configured and is often used by e-mail applications for viewing e-mail messages formatted in Hypertext Markup Language (HTML).

The My Computer zone (sometimes referred to as the Local Computer zone) is not displayed in the user interface by default. The security for this zone is set to Low by default. This zone is intended for content that is found on the local computer.

You should carefully evaluate the settings for each of these zones to ensure that they are appropriate for the level of security required in your environment.

Caution
Configuring Internet Explorer zone settings to values that are lower than the default settings may cause a computer to become vulnerable to attacks the default settings have been configured to prevent. Use caution when using templates to lower the security settings for zones.

Note
To further reduce the attack surface, the default security settings for these Internet Explorer zones have been increased in Windows XP SP2.

Windows XP SP2 Internet Explorer Security Enhancements
Windows XP Service Pack 2 (SP2) has added security features to Internet Explorer and has improved existing ones. These features help to make Web browsing more secure.

MIME-handling enforcement. Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) type information to decide how to handle files that have been sent by a Web server. Depending on the MIME type, Internet Explorer will process the Hypertext Transfer Protocol (HTTP) file requests differently. For example, an HTTP request for a JPEG file when received will be displayed, but an .exe file will result in the user being prompted for a decision on how to handle the file.

Consistency checks. Internet Explorer now requires that all file-type information that is provided by Web servers be consistent with the actual file content. The browser will enforce consistency between how a file is handled in the browser and how it is handled in the Windows Shell. Additionally, files are renamed in the Internet Explorer cache to enforce consistent handling of the files by all applications.

Stricter rules. In SP2, Internet Explorer will now follow stricter rules that are designed to reduce the attack surface for spoofing the Internet Explorer MIME-handling logic. If Internet Explorer receives a file with “text/plain” MIME type but the MIME sniff indicates that the file is actually an HTML, media, or executable file, Internet Explorer will not increase the privilege of the file compared with the server’s declared MIME type. If an incorrectly configured Web server hosts HTML files but sends text/plain as the content type in the HTTP header, Internet Explorer will show the file as plaintext rather than render the HTML.

Better security management. The overall security management for Internet Explorer has been improved with the addition of the following features:

Add-on management and crash detection

Add-on installation prompt

Download prompt

Pop-up manager

Internet Explorer Window restrictions

These features allow users and administrators to more easily obtain information about their security settings. Users and administrators can also easily retrieve the status of their browser add-ons and configure these add-ons. The clarity of information provided by the prompts for both download and add-on installation have been improved to help users make more informed security decisions about the required actions.

Local Machine zone restrictions. Internet Explorer treats pages differently depending on the locations from which they are opened. Pages that are opened from the Internet have applied restrictions that might prevent them from performing certain operations. Pages that are opened from the local machine are in the Local Machine zone and have fewer restrictions. The Local Machine zone is an Internet Explorer security zone, but it is not displayed in the settings for Internet Explorer.

Feature Control Security Zone settings. In an effort to improve the management of some security settings, SP2 has been built with Feature Control Security Zone settings. The zone settings provide users and administrators with more specific control for:

MIME sniffing

Security elevation

Windows restrictions

Group Policy settings. With the addition of the Feature Control Security Zone settings, SP2 has added new security policies that allow administrators to manage the new feature control settings by using Group Policy objects (GPOs). This change allows Group Policy administrators to uniformly configure the new Internet Explorer Feature Control settings for the computers and users that they manage.

Microsoft Outlook Security
If your organization uses Microsoft Outlook 98, Outlook 2000, Outlook 2002, or Office Outlook 2003 with a server that has server-side security, such as Microsoft Exchange Server, you can customize the security features to meet your organization’s needs.

You can use the Outlook Administrator Pack to control the types of attached files blocked by Outlook, modify the Outlook Object Model warning notifications, and specify user- or group-security levels. For example, you can modify the security settings for viewing various types of attachments, such as executable files and application data files, and apply those settings to specific groups of users of an Exchange server.

You can use the Outlook administrative template to configure security options for client computers by using Group Policy or local Group Policy. You can configure various settings in this template to customize Outlook security for your environment. For example, you can import the Microsoft Office Outlook 2003 (Outlk11.adm) administrative template into a GPO and use it to set the Outlook security level for macros to Low, Medium, or High for all clients affected by the GPO.

Outlook 2003 includes several security enhancements, including:

Warns the user before opening potentially dangerous file types.

Runs executable content in the Restricted Sites zone.

Uses antispam controls to reduce unsolicited e-mail.

Does not automatically load HTML content.

Prevents other applications from accessing address books.

Provides application programming interfaces (APIs) to prevent software from running.

More Information
The Outlook Administrator Pack is included in the Office 2003 Editions Resource Kit. You can download this resource kit from the Microsoft Office Online Web site.

Best Practices for Securing Applications
Consider the following best practices for securing applications on client computers on your organization’s network:

Educate users about how to download files from the Internet safely and how to open e-mail attachments safely. Ensure that users configure zones correctly in Outlook so that scripts and active content in HTML e-mail messages from the Internet zone will not be run. Users should not open e-mail attachments that they were not expecting, even from other users whom they trust.

Only install applications that are required for users to do their jobs. Each application that is installed can introduce additional security issues. To limit the number of security issues on client computers, install only applications that users must use to perform the tasks required by their jobs.

Implement a policy for updating applications. Keeping applications current with security updates is just as critical as keeping the operating system current. You can update Microsoft Office applications at the Microsoft Office Online Web site. You can also use Windows Server Update Services to update Microsoft Office applications.

Photo by smithi1

The computers that make up a business’ network will host different types of software depending on their role. Typically there are servers and client machines.

Servers can be further classed as web servers, email servers and network servers. Client machines are usually desktop computers with the software systems that are specific to users’ requirement. Additionally there are laptops and other mobile devices that make up a company’s network of machines.

All the machines run an operating system which comes with default security settings. The settings are there to protect from attacks that bypass the perimeter and network security defences. These types of attacks such as viruses and Trojans are aimed at the operating systems.

The operating systems on servers come with many services turned on by default. If your business is not using a service it should be turned off else you will be leaving an unmonitored hole for attackers to exploit.

On client machines the security updates must be current. These patches are automatically available but some require that the machine be restarted in order to complete installation. Client machines use software firewalls to control the types of traffic coming into the system. Again if a certain type of service is not needed in your business operations, for example Instant Messaging, turn it off.

Client machines can be centrally managed through software such as Microsoft’s Group Policy where protective policies can be set. You can have policies for mobile machines that are different when they are attached to the business’ network and when they are used remotely. Machines can also be restricted from installing unauthorised software.

Good security is the successful balancing of defence and usability. Full defence calls for completely limiting a machine’s ability to interact with the rest of the business’ network and the Internet. Full usability wants a connection to everything to allow users to freely call on services with no interruption.

It is important to fulfil the basic security requirements of updating anti-virus and anti-spyware software, monitoring network activity and using firewalls. Above this level security must be designed around the business functions of the network to allow users to work free of obvious restrictions.

Photo by patrick h. lauke