Layer upon Layer (Defense in Depth) 129
any way impact production; those decisions had to be thoroughly vetted with management.
We doubt anyone really knows what information was lost by the breach, but we can tell you
the cost of fixing the problem was more than doubled because the security team did not have
the authority to isolate, update, or shut down systems. Yes, there is the potential they may
make a few bad decisions from time to time, but they’ll learn from them. It is always better
to be safe than sorry.
Defense-in-depth objectives for local enclaves tend to focus on boundary access points. This is perfectly reasonable, but it shouldn’t be the sole emphasis. Insider threats must also be taken into consideration. Objectives must encompass technical, people, and operational elements. This includes the processes required to achieve operational excellence, high assurance identity management, and timely incident response. These processes are supported by superior personnel supervision, and effective access, logging, and monitoring controls. Having an enclave under a single governing authority is a big advantage because it facilitates rapid directed responses and can be subject to direct supervision and monitoring. The hosted and hybrid environments split these functions among multiple authorities.
Shared-Risk Environments
Before moving on to hosted and hybrid environments, it is important to introduce the concept of shared risk. Systems that connect across enclave boundaries (e.g., an in-house laptop connecting to a hosted mail server) have a certain level of trust extended to them. This trust is usually extended by mutual agreement between the controlling security authorities of each enclave and is typically based on an audit of each party’s security policies and practices. The problem with this arrangement is that audits are only a snapshot in time; the security state of systems is under continuous change as applications and updates are applied. The possibility exists that at some point in time, one or more of the systems involved in cross-enclave connections will develop a vulnerability that exposes the other interconnected systems to potential exploitation. When shared risk exists in an environment, defense-in-depth objectives must address this exposure to ensure that the protection level of one system is not compromised by vulnerabilities in one of the systems it interconnects with.
Hosted Objectives
There are two scenarios for hosted environments: consumer and provider.
Consumer Scenario
A fully hosted environment has no in-house enclave; all services are delivered to the consumer (end user) through a networked connection. Microsoft’s Business Productivity Online Standard Suite (BPOS) is an example of this type of service. Small and medium-size businesses can receive e-mail, instant messaging, Web conferencing, and collaboration services via the Internet; no in-house systems (other than end-user laptops or PCs) are required. This simplifies but does not eliminate defense-in-depth objectives. Technological controls for host systems and applications, personnel training, and contract management processes are still required. Additional objectives may apply, depending on business type, data value, and applicable regulations, but the following list is common.
130 Security Strategy: From Requirements to Reality
1. Limited and secured host access points
2. Limited and controlled application execution
3. Secure host operations
4. Excellence in service provider management
These objectives address the people, technology, and operational aspects of this scenario. The primary emphasis is on the security of the end-user system, which includes a competent and knowledgeable operator.
Limited/Controlled Host Access Points and Application Execution
The first two objectives are technology based, so they will be covered together.
For the most part, the standard technological controls and control settings installed with the operating system are sufficient to limit and secure host access. These include:
Protocol-level protections against malformed packets, SYN, and fragmentation attacks
Port-level protections such as selective response, packet filters, and stateful firewalls
Socket-level protections such as IPSec and SSL
Application-level protections like data execution prevention, sandboxing, code signing, user account control, file integrity checks, and file permissions
Some supplemental controls are warranted; antivirus and anti-spam controls are pretty standard. The inclusion of other controls depends primarily on the value or sensitivity of the data retained on the system. It is not unusual, for example, to include full-disk encryption on laptops to guard against data loss from laptop thefts.
Secure access to hosted services is pretty much a standard feature in online products. Secure Socket Layer with certificate authentication is typical. The real challenge in this scenario (or for that matter any of these scenarios) is the unlimited access systems have to other potentially dangerous content. These include the threat of system compromise from malware in downloaded files or message attachments, as well as code implanted by a hacker sponsored or compromised website. The latter are commonly called attack sites—sites that attempt to infect your system with malware when you visit. These attacks are difficult to detect, and in many cases the owner of the site may not be aware of the attack code. The Storm worm was one of the first pieces of malware to use this technique, but many have followed suit, including the Beladen attack code (implanted on 40,000 websites), hacks to Facebook applications that redirect the user to an attack site, and the Nine Ball attack code, which is also an attack site redirect.
Addressing the malicious content issue is a two-edged sword. If the goal of a fully hosted environment is to eliminate the need for in-house IT staff, adding site-filtering or health-monitoring applications like Cisco’s NAC or Microsoft’s NAP to your end-user systems is not going to be an acceptable solution. The alternative—code execution controls, malware detection, and user education—is somewhat less effective but doesn’t require in-house staff either.
Many of the code execution controls are standard features of the operating system (OS); others come standard with the applications. For example, beginning with Windows XP SP2, Data Execution Prevention (DEP) became a standard feature of the OS. DEP uses a combination of hardware and software technologies that prevent code execution in memory areas designated for data storage. DEP primarily protects against buffer overflows and other types of attacks that attempt to subvert the exception-handling processes in the OS. Most modern browser applications include code execution protections as well. The best known protection is the Java sandbox, which limits what Java scripts downloaded to the browser are allowed to do. In Windows Vista, Microsoft introduced a similar mechanism—Mandatory Integrity Control (MIC)—which deals with ActiveX-based malware. MIC limits the execution privileges of code downloaded by the browser—any code! It accomplishes this by assigning a low integrity level to downloaded files. Low integrity files cannot modify files or settings with higher integrity; like the Java sandbox, MIC allows the code to run but prevents it from doing any damage. Unfortunately, these controls do not extend to other Internet-facing applications; malicious code downloaded via an e-mail attachment or in Instant Messenger executes with full user privilege, and if the user is logged in as administrator, it runs with full administrator privileges!
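As an added check (example code, not from the book), the following PowerShell reads the system DEP policy that Windows exposes through the Win32_OperatingSystem WMI class and reads the mandatory integrity label that icacls reports on files in the user’s Downloads folder, so an administrator can confirm that the two controls described above are actually in force on an end-user system. The function names, the folder path, and the “inherited default” wording for unlabeled files are assumptions made for this example; the policy codes (0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut) are the documented values of DataExecutionPrevention_SupportPolicy.

```powershell
# Added example, not from the book: verify DEP and MIC on a Windows end-user system.

function Get-DepStatus {
    # Win32_OperatingSystem carries the DEP settings that XP SP2 and later expose.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Documented values of DataExecutionPrevention_SupportPolicy.
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        SystemPolicy         = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints a line such as
    #   Mandatory Label\Low Mandatory Level:(NW)
    # only when an explicit label is set; files without one run at the default
    # (medium) level. "inherited default" is this example's wording, not a Windows term.
    $output = & icacls.exe $Path 2>$null
    $label = 'Medium (inherited default)'
    foreach ($line in $output) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level') { $label = $Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; IntegrityLabel = $label }
}

# Report DEP policy, then the label on everything in the Downloads folder
# (assumed location of browser downloads for this example).
Get-DepStatus
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Get-IntegrityLabel -Path $_.FullName } |
    Format-Table -AutoSize
```

A SystemPolicy of AlwaysOff, or downloaded executables that carry no Low label, means the protection the paragraph relies on is not in effect for that machine; both conditions are worth folding into whatever endpoint checklist accompanies user training.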
Secure Host Operations
This objective could just as easily be labeled “superior user training” because it is mostly about training your personnel to use their computing resources securely. Users must be able to recognize and deal appropriately with abnormal or suspicious behaviors. This includes social engineering (e.g., phishing) attacks, malware proliferation, viruses, root kits, and so on. We suspect the person who came up with the adage “You can’t fix stupid” was a computer support professional. Computers are tools to most people; they need them to get their work done. When computers work well, the “if it ain’t broke don’t fix it” mentality usually prevails. When they don’t work well, people start looking for ways to fix the problem, which usually includes altering or disabling system or application security features. Your best defense against this type of behavior is education. Smart users do not make dumb decisions. Teaching users how to securely operate their systems should be one of your key defense-in-depth objectives.
Excellence in Service Provider Management
The previous topics have dealt with the security of information within your direct control. This topic deals with data security and compliance issues for data that is outside your direct control (i.e., stored at the service provider). Assuring compliance with organizational, regulatory, and legal requirements for this data requires a well-defined and expertly administered service provider management program. However, it is rare to find such a program even among companies that have been using outsourced services for some time. It is also rare to find any security-related service levels in hosted service contracts.
There are a number of possible explanations for these issues. The most obvious one is lack of expertise or understanding. Computers, networks, services, and the like are complex; the tendency, especially among small and medium-size businesses, is to simply trust the expertise of the provider and to accept the audit reports the provider supplies as proof. Two other common causes are time and the lack of contract management skills. Ensuring the security of off-premise data and contracted services requires a consistent and thorough effort, but most companies do not have dedicated resources for the task. Instead, the task becomes an ancillary duty for someone (which usually means it gets attention only when it needs attention). From an information security standpoint, this is unacceptable. Regardless of the physical location of the data, it is still your data, and you bear the ultimate responsibility for its security and compliance.
It’s not just a matter of resources and time either; it’s also a matter of skills. Outsourced IT services have some unique aspects to them; the people managing them need to be properly trained to deal with these ambiguities. For example, how do you align and validate your security and compliance requirements with those of your providers?
Service providers achieve profitability by delivering commoditized services to a large audience. The approach leaves little room for customization, especially when customer-specific security requirements are involved. Nonetheless, it is your responsibility to prove that the contracted service complies with your requirements. The simplest way to do this is to map your requirements to the practices and audit requirements of the provider. For example, if your security policy requires failed logons to be logged: (1) Does the provider log failed authentications? (2) Is this functionality regularly audited to prove it works properly? (3) Can you get a copy of the audit report? (4) Can you get a report of the logged events for compliance reporting purposes? Chances are the provider already does all four things: The terminology may not be the same, and the methodology may be a little different, but the net result is the same: What they do meets your compliance requirements. The only remaining caveat is whether or not you can get that information when you need it, and that requirement should be part of your service-level agreement with your provider.
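To show what question (4) looks like in practice, here is an added PowerShell example, not taken from the book, that turns a provider’s exported authentication events into the failed-logon compliance report the passage describes: failures per account, the source addresses involved, the time window, and a flag for accounts whose failure count reaches a review threshold. The CSV layout, the column names, the threshold, and the rows themselves are constructed for the example; a real export will use the provider’s own terminology, and the column names in the function will need to be adjusted to match it.

```powershell
# Added example, not from the book. Constructed sample export: a provider's
# failed/successful authentication events in CSV form (column names assumed).
$export = @'
Timestamp,User,SourceIP,Result
2010-08-18T09:01:12Z,alice@example.com,203.0.113.10,Failure
2010-08-18T09:01:40Z,alice@example.com,203.0.113.10,Failure
2010-08-18T09:02:05Z,alice@example.com,203.0.113.10,Success
2010-08-18T09:15:00Z,bob@example.com,198.51.100.7,Failure
2010-08-18T09:15:03Z,bob@example.com,198.51.100.7,Failure
2010-08-18T09:15:06Z,bob@example.com,198.51.100.22,Failure
2010-08-18T09:15:09Z,bob@example.com,198.51.100.7,Failure
2010-08-18T09:15:12Z,bob@example.com,198.51.100.7,Failure
2010-08-18T09:15:15Z,bob@example.com,198.51.100.22,Failure
'@

function Get-FailedLogonReport {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        # Number of failures at which an account is marked for review (assumed value).
        [int]$Threshold = 5
    )
    $events = $CsvText | ConvertFrom-Csv
    $failed = $events | Where-Object { $_.Result -eq 'Failure' }

    # One summary row per account, ordered by failure count so the accounts that
    # need attention sort to the top of the compliance report.
    $failed | Group-Object -Property User | ForEach-Object {
        $times = $_.Group.Timestamp | Sort-Object   # ISO 8601 sorts correctly as text
        [pscustomobject]@{
            User      = $_.Name
            Failures  = $_.Count
            Sources   = ($_.Group.SourceIP | Sort-Object -Unique) -join ';'
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
            Review    = ($_.Count -ge $Threshold)
        }
    } | Sort-Object -Property Failures -Descending
}

# Produce the report; pipe to Export-Csv instead of Format-Table to keep it as evidence.
Get-FailedLogonReport -CsvText $export | Format-Table -AutoSize
```

Running this against the constructed rows reports alice with two failures and bob with six from two source addresses, with only bob flagged for review. The point of keeping the logic in a function is that the same report can be produced on a schedule from each export the provider supplies, which is the “can you get that information when you need it” requirement the passage says belongs in the service-level agreement.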
Summary
Defense-in-depth objectives for consumers of hosted services are focused on two things: the end-user device and service provider contract management. Standard operating system and application security controls are usually sufficient to secure locally stored data, provided users are trained in secure computer operations. Ensuring the security and compliance of information processed, transferred, and stored by a service provider requires well-defined service-level requirements and a consistent, thorough service contract management program.
Provider Scenario
The provider’s environment is an in-house enclave (it is an environment under the control of a single authority) with an interesting twist. In addition to the in-house objectives, the provider must include objectives for application, data transit, and data storage security. Application objectives are required because the consumer is authorized direct access to the application and for all practical purposes bypasses perimeter, network, and host protections. The provider must also guard against unauthorized data exchanges (leakage) between service consumers and deal with shared-risk threats from vulnerable (improperly secured) end-user systems. Finally, the providers must be able to prove they are meeting their security Service Level Agreement (SLA).
Before discussing specific service provider security objectives, it’s important to differentiate between the various types of services. This section discusses two principal service environments: shared and dedicated. In a shared service environment, services are provided to customers through a common set of resources. Customer data is processed, transported, and stored on systems that are used by any number of other customers. Web conferencing is an example of a shared service. Customers may have an individually assigned conference center, but they are using the same application, network facilities, and storage all the other customers are using. By contrast, a dedicated service provides a mixture of applications, networking, and storage services for a single customer. Traditional hosting services are a good example; the systems at the service provider are primarily an extension of the customer’s network that is operated and maintained by the service provider. In a fully dedicated environment, the applications, networking, and storage involved are dedicated to a single customer; they are not shared across multiple customers. The only things that are shared are support services (trouble ticketing, monitoring, backup, etc.). Fully dedicated environments are not the norm; they are typically reserved for sensitive or high security applications, such as financial services and the military. Most dedicated services provide a dedicated application that shares network and storage facilities with other customers—for example, a dedicated mail server that shares network and SAN storage with other dedicated customer servers. (See Figure 8.3.)
In the case of Web applications, the customer may share the Web service as well. The distinguishing attribute is addressing; dedicated services are extensions of the customer’s network and therefore provide network addressing that is either on the customer’s network or in the customer’s name space. With these distinctions in mind, let’s move on to the defense-in-depth objectives that are unique to service providers.
These additional defense-in-depth objectives might be expressed as
1. Uncompromising application security
2. Exceptional customer data isolation
3. Shared-risk mitigation
4. Superior accountability
These objectives address the technology and operations aspects that are unique to this scenario. The primary emphasis is on data security for shared services. There simply cannot be any data disclosure across customer boundaries, and the provider must be able to prove there wasn’t in the event that an accusation is raised.
[Figure 8.3 Shared storage scenario: Customer A, Customer B, and Customer C application servers sharing a single storage area network.]
Uncompromising Application Security
Becoming an authorized user on a system is one of the most productive ways to attack it. There’s no need to overcome external network and host protections; your identity gives you direct access