108 Security Strategy: From Requirements to Reality
be determined. It is vitally important to fix these objectives before moving on to the tactics for achieving them. If your objectives are not fixed, they will shift, and the results will be a tremendous waste of time and money.
First Principles
In disquisitions of every kind there are certain primary truths, or first principles, upon which all subsequent reasoning must depend.
Alexander Hamilton
In the early 1300s while King Edward was busy putting down the Scottish Rebellion led by William Wallace, the Welsh launched their own rebellion. King Edward had left the castles in Wales sparsely defended: a mere 13 soldiers were stationed at Carmarthen, yet they were able to ward off an attack by more than 300 Welsh rebels. This was possible because castles incorporated a number of important tactical principles that gave the defenders a decided advantage. The following sections detail the military and security “first principles” we used to guide our reasoning and tactical recommendations for the remainder of this book.
Now there are five matters to which a general must pay strict heed. The first of these is administration; the second, preparedness; the third, determination; the fourth, prudence; and the fifth, economy.
Wu Chi
Observation Principle
Observation is the central principle of security. It acts as both a deterrent and a detector—a deterrent because people are less likely to intentionally do something wrong if they think someone will see them doing it, and a detector because observation is how we determine that something is wrong (or at least has the appearance of being wrong). Virtually every security measure is based on one or both of these observation elements. We tend to think of observation in terms of vision, but this is only partially correct. Physical security uses personnel and video cameras (CCTV) to monitor sensitive areas, but it also relies on devices to expand or aid that vision: devices that detect (observe) other activities such as a door opening, glass breaking, or something moving across a room.
Observation provides early warning of potential danger so that we can prepare defenses; presents evidence of an existing attack so that we can respond; and gives us the information we need to use our forces effectively against the key points of attack. You could think of these three functions as reconnaissance, sentry, and command, respectively.
Offensive units use reconnaissance to locate and engage the enemy; defensive units use reconnaissance for early-warning purposes. By observing and assessing an enemy’s strength, readiness, and attack plans, reconnaissance gives the defending force time to prepare and deploy appropriate countermeasures. Modern military units use spies, recon teams, satellite imaging, and unmanned drone aircraft for reconnaissance purposes. Similar techniques are used in the information security realm. Reconnaissance information is gathered by organizations like AT&T, Microsoft, and Symantec. These groups track abnormal and malicious activity on the Internet to help organizations prepare for and respond to attacks. The Microsoft Malicious Software Removal Tool is a good example. Whenever the tool removes a malicious piece of software, it reports the IP address of the host and the name of the malicious software to Microsoft so that outbreaks can be tracked by location and intensity. Several organizations compile reconnaissance information on emerging or potential threats and post this information on the Internet for others to use. The SANS Internet Storm Center is one such site; most of the major antivirus vendors provide this type of information as well. In addition, a number of subscription services provide timely threat and attack information, for example, the Websense and SurfControl Internet Threat Databases. Some Managed Security Service Providers (MSSPs) furnish this information as part of their management service. These services will proactively send warnings and alerts to their customer base if an attack is imminent.
TAF-K11348-10-0301-C007.indd 108 8/18/10 3:08:06 PM
Tactics: An Introduction 109
Sentries are deployed along the perimeter of an encampment in order to provide attack notification and to try to slow down the attacking force while defense forces rally. Sentry positions were often enhanced with noisemakers or other devices designed to alert sentries to movement along the perimeter. In IT we employ intrusion detection and other logical and physical perimeter controls to protect our key data repositories and processing installations.
The command function will be discussed in the next section; here let it suffice to say that the commander’s ability to make effective decisions when responding to an attack is based wholly on what he or she or others can observe.
Observation is central to security. If we want to have a successful security management program, we need observant people. We need to train people to be observant. This is more than awareness training. Most awareness training is focused on process: “do this, don’t do that.” We want people who can assess a situation and say, “What’s wrong with this picture?” Those people won’t open an attachment on an unsolicited e-mail. Those are the people who will pick up the handouts left behind in the conference room. And those are the people who will call the security desk when they suspect something “just isn’t right.”
Whether defensive or offensive, observation is one of the most important principles in tactics. All our tactics should include an observation element that can alert us when an attack is imminent or manifest. The tactics we employ must also be able to provide sufficient information to direct responses to the key points of attack.
Response Principle
Effective security is based on the ability to respond to wrongdoing; the quicker the response, the less the damage. Response relies heavily on observation, but it is also tightly linked to the timeliness principle. Whether primary or reserve forces, the ability to rapidly concentrate troops to repel an attack is critical. At Carmarthen Castle, wide corridors in the walls and wide walkways atop the walls made it easy for troops to move from one attack point to another. Today attacks against IT systems are highly automated, making it possible to compromise a large number of systems and proliferate further attacks very rapidly. Consequently, our people, processes, and technology must be equally efficient at repelling these attacks through timely automated responses, reliable communications, and near real-time alerting. The tactics we employ must also provide specific enough information to facilitate quick and effective responses to the key points of attack.
Timeliness Principle
Timeliness refers to the appropriateness of the time interval between two events. The cell phone is a great example; one of the things that is absolutely unacceptable is getting missed call or voice mail notifications two or three days after the fact. There is an appropriate time frame for delivering this information, and two days isn’t it! It’s really a matter of the value or usefulness of the information, which tends to decline over time. People call you because they want to talk to you now, not because they want to wait two days for a return call. Timeliness ensures that information is available and acted upon when it is most valuable. In the security realm timeliness means:
Information about control failures and security violations is reported in real time to someone (or some process) that can take action on them.
Information about suspicious activities is logged and reported in real time to someone (or some process) that can take action when the activity exceeds established thresholds.
Information about security-related activities is logged in real time, preserved, and reviewed at reasonable intervals.
Information about threats or imminent attacks is delivered early enough for countermeasures to be devised and deployed.
In reality, there are many other security time frames to consider, including process intervals for antivirus signature updates, system patching, trouble ticket response and resolution, and disaster recovery. Finally, timeliness applies to our people. People receive timely supervision, timely training (not months before the training is needed or months afterward), and timely recognition. The effectiveness of our tactics depends on our ability to operate them in a timely manner. Timeliness must be an integral part of our tactics and tactical planning.
Preparedness Principle
Ben Franklin once said, “By failing to prepare you are preparing to fail.” The authors couldn’t agree more, and if we had to pick one thing that IT security is really bad at, this would be it. The potential for DDoS (Distributed Denial of Service) attacks was known years before the first one was manifest, but no one really prepared for them. After the attacks on Amazon, eBay, and Yahoo, the threat became “real,” and the experts were all over it. This is the equivalent of waiting until someone takes a shot at the president before you assign Secret Service agents to protect him.
Preparedness has three equally important elements: people, process, and technology. To manage security and security incidents effectively, you need skilled people, a proven process (i.e., Incident Response Plan, Disaster Recovery Plan, etc.), and the appropriate weapons (tools). Yet very few organizations have an employee skills management process or a viable security training budget. Misconfiguration is the most common cause of security breaches involving firewalls, but half of the firewall administrators Bill has interviewed over the years have never had any formal training on the devices they are managing. The process side fares only slightly better; most companies have some kind of incident response or event management process, fewer have a formal (documented) plan, even fewer have a plan that has been tested, and very few have regular drills/practices. In one instance, Bill was sitting in the War Room at a customer site when the Incident Response Team was activated to deal with the Code Red worm. Team members were notified by e-mail and text message to call into the incident management conference bridge immediately. Two hours later they were still trying to get critical resources to join the call; people had changed jobs, left the company, changed cell phone numbers, and the plan had not been updated to reflect those changes (nor was there a process for maintaining notification information).
The final piece of preparedness is weaponry—the tools required to make the process work. The process will tell you what needs to be done; the question is, “How fast can you get it done?” A tale of two companies will serve to illustrate the point. The Network Intrusion Detection System (NIDS) at Company A notified IT security that a system infected with MSBlaster was attached to the internal network. Based on the NIDS information, the team was able to determine that the system was attached to one of six network concentrators. By accessing each concentrator and reviewing the ARP tables, they were able to narrow the system down to a particular port (elapsed time: 30 minutes), but before they could trace the wiring from the concentrator to a physical port in a conference room, the problem disappeared (meeting over!). Now the investigation would need to move to: Who scheduled the room? Who attended the meeting? Who connected to the network? Instead, the investigation was terminated; better luck next time! Company B had the same event show up on their NIDS. The IT security team opened up the network trace tool, identified and disabled the concentrator port in question, and mapped the port to a connection in a conference room. Then they opened up the blacklisting tool and added the system’s machine (MAC) address to prevent any further network access (elapsed time: 8 minutes). Next they sent an agent to the conference room to notify the user so that they could open a trouble ticket and get the worm removed (total elapsed time: 20 minutes). Not only was this a timely and effective response, but it was also quite the “wow” factor for all the meeting attendees—wow enough for everyone to want to learn more about these tools. Preparedness is about being proactive and having the tactical vision and understanding necessary to equip the security team with the skills, processes, and tools they need to be successful. Preparedness provides tactical advantage.
A man surprised is half beaten.
Thomas Fuller
Gnomologia
Economy Principle
IT security professionals think of the economy principle in terms of control costs. The cost of protecting data should be commensurate with the value of the data. In other words, you don’t spend $100,000 on security to protect something worth $50,000. However, there is a military perspective on this principle that is far more valuable: economy of forces.
Observation and preparedness make it possible to economize on the forces required to repel an attack. The story of the rebel attack on Carmarthen Castle in Wales is a perfect example of this principle. Thirteen well-trained and disciplined soldiers, a large cache of weaponry, and excellent observation and command processes defeated 300 rebels without a single casualty. You can also see how this principle has played out in modern warfare; as warfare has progressed, fewer and fewer troops are required to accomplish the mission. Some of this reduction is due to better training, some to better weaponry (increased firepower), but mostly it is due to observation. Laser targeting is a great example. From great distances a soldier can “paint” an enemy position with a laser that directs bombs to that position. Streaming video from drones helps direct artillery, mortars, and other ordnance to specific targets, allowing a small force to rapidly advance on and overcome an enemy position. On the defensive side this is equally true. A small force properly positioned and supplied can repel a much greater force.
Economy of force is of great interest to CFOs and other executive managers looking for ways to cut overhead expense, but this isn’t a common motivation for security departments. This is, in our opinion, another big failure of our profession. Instead of focusing on high-value solutions like expert observation and quick response, the industry has focused on layered technology. Please don’t get us wrong; the authors are not against defense in depth; it is a very valid tactic. In fact, we have dedicated an entire chapter to the topic (see Chapter 8). What we are saying is that it is possible to achieve an adequate level of protection without overdoing it.
Let’s take Network Intrusion Detection (NID), Host Intrusion Detection (HID), Application Intrusion Detection (AID), and Data Intrusion Detection (DID) as examples. Security professionals understand that the closer the control is to the target, the more effective it will be; yet enterprises insist on investing huge amounts of money in Network and Host Intrusion Detection systems (NIDS and HIDS). Why? We all understand that the primary target of an attacker is data. We have also seen a major shift of attacks from the operating system (OS) and network to applications. Why aren’t we focusing on data and application intrusion detection systems (DIDS and AIDS)? These are much more valuable, especially in cloud-based scenarios where an attacker with a stolen credit card can bypass all the network and host security controls and directly attack the application and its data sources. NIDS and HIDS have very limited value in this scenario; however, AID and DID systems would not only work but would be far more accurate (have fewer false positives) than their host and network counterparts. If we apply the principle of economy of force, we can eliminate NID and HID systems, rid ourselves of tons of near-worthless data, and substantially reduce the time and/or computing power it takes to identify and respond to an attack. Is this what the industry is emphasizing? No! Instead, the industry is saying that the way to economize is to outsource the monitoring and analysis of all this worthless data to a managed security service provider (MSSP). That may be cost reduction, but it’s not economy of force.
If you’re a security professional reading this, you’re probably thinking the authors are heretics, and if you’re an executive manager you’re probably thinking we’re saviors. Actually, neither label is correct. All we are trying to say is that our tactics need to focus on what really matters and on what produces the best results. If you are sure your systems are well configured and are resistant to attack, why do you care if there are malformed or attack packets on your network (provided they aren’t impacting system performance)? Again, please don’t misinterpret what we’re saying: We are not saying these packets should be ignored (the source should be tracked down and eliminated if possible), but as long as they are not a threat to your data, they do not warrant an immediate response. If our force is sufficiently equipped to defend our prized possession (i.e., data), expending resources on these other forms of intrusion detection is a complete waste.
Intrusion prevention has similar issues: It is looking for specific abnormal behaviors, but the kinds of behaviors that put data at risk, such as query return size, aren’t within the scope of network or host intrusion prevention systems. A good AIDS or DIDS would recognize and limit the response or salt the response with bogus records (which could be used to detect and repel further attacks). The obvious question is, “Where do you get AIDS and DIDS systems?” That’s a good question: At this writing, a small number of companies offer Web application intrusion detection solutions, and no one offers DIDS solutions. That’s bad news for people looking for off-the-shelf solutions. If you build software in-house, there is a decent body of research to help you add these features to your software and data management solutions (see Chapter 11).
The economy principle focuses resources on the most effective and efficient tactics and control objectives. The principle balances technological costs with process and force economy to simplify data protection tasks and reduce operational overhead.
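The return-size check and canary salting that the intrusion prevention discussion above attributes to a data intrusion detection system, as an added example that is not the authors’ code or any product’s (the DataIDS class, its thresholds, the agent42 principal and the customer rows are all constructed assumptions):

```python
import sqlite3
import statistics

# Constructed canary row (not a real customer). Any sighting of this address
# outside the database means a salted result set was exfiltrated.
CANARY = (999999, "canary-7c2e@example.invalid")


class DataIDS:
    """Hypothetical data-layer intrusion detector keyed on result size."""

    def __init__(self, hard_cap=100, spike_factor=5.0):
        self.hard_cap = hard_cap          # absolute rows one query may return
        self.spike_factor = spike_factor  # multiple of the principal's own mean
        self.history = {}                 # principal -> past result sizes
        self.alerts = []                  # (principal, reason, rows_requested)

    def filter(self, principal, rows):
        """Return the rows the application may see; alert, truncate and salt
        when the return size is abnormal for this principal."""
        n = len(rows)
        past = self.history.setdefault(principal, [])
        mean = statistics.mean(past) if past else None
        past.append(n)
        if n > self.hard_cap:                     # rule 1: absolute cap
            self.alerts.append((principal, "over_cap", n))
            return rows[: self.hard_cap] + [CANARY]
        if mean and n > self.spike_factor * mean:  # rule 2: spike vs baseline
            self.alerts.append((principal, "spike", n))
            return rows + [CANARY]
        return rows


def demo():
    """Constructed scenario: a support account that normally looks up five
    customers at a time suddenly pulls 40, then the whole table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers(id INTEGER, email TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?)",
                    [(i, f"user{i}@example.invalid") for i in range(500)])
    ids = DataIDS(hard_cap=100, spike_factor=5.0)
    q = "SELECT id, email FROM customers WHERE id BETWEEN ? AND ?"
    for start in (0, 10, 20, 30):                       # baseline: 5 rows each
        ids.filter("agent42", con.execute(q, (start, start + 4)).fetchall())
    spike = ids.filter("agent42", con.execute(q, (0, 39)).fetchall())
    dump = ids.filter("agent42",
                      con.execute("SELECT id, email FROM customers").fetchall())
    return ids.alerts, spike, dump


if __name__ == "__main__":
    for alert in demo()[0]:
        print("ALERT", alert)
```

Neither rule needs a packet, a signature or a host agent: the only input is how much data the query handed back and to whom, which is exactly the signal network and host sensors never see.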
Maintenance of Reserves (Coverage) Principle
Maintaining an adequate reserve force allows the respondent to react quickly to attacks and unexpected developments. In the military it is customary to keep about a quarter of the forces in reserve. In a corporate context it’s easier to think of this principle as the coverage principle: having sufficient resources to effectively manage security operations, respond to attacks, and deal with other unexpected events. Coverage begins with people. Nothing trumps a well-trained staff