Chapter 16. IT Security and Service Management

In This Chapter

  • Recognizing security risks

  • Carrying out required security tasks

  • Managing user identity

  • Using detection and forensics programs

  • Encrypting data

  • Creating a security plan

Security is a fundamental requirement if you're implementing true service management. You may think that someone else in your organization is responsible for security. Think again. Don't leave security to an independent department somewhere in the bowels of IT. This chapter shows you how, overall, security has to be baked into service management.

Unless you're fresh out of college, you know that before 1995, IT security wasn't a significant problem, so very little money was spent on it. By 2004, organizations around the world were spending more than $20 billion on IT security, and that figure is expected to rise to $79 billion by the end of 2010. What happened?

Our guess is that you already know what happened. The Internet happened, letting computers connect remotely to hundreds of millions of other computers and giving lots of bad guys ample opportunity to launch a new career. The bad guys got better at breaking into IT networks, so the cost of stopping them escalated.

Note

IT security is a very awkward area of service management for three reasons:

  • Almost all applications are built without any consideration for security.

  • IT security delivers very few benefits beyond reducing the risk of security breaches.

  • Measuring the success of any IT security investment is very difficult.

Before describing any IT security products or processes, we expand on these points.

Understanding the Universe of Security Risks

When software developers design a system, they don't incorporate security features that might keep that system and its data more secure.

Historically, developers didn't need to add security features, because computer operating systems had a built-in security perimeter based on login identity and permissions (rules specifying what programs users could run and what data files users could access). With the advent of networks, however, an operating system could be artificially extended to work across a network.

Note

PCs had no security at all initially, but a password-and-permissions system was added for networkwide security based on login. In IT security circles, this system is called perimeter security because it establishes a secure perimeter around the network, the applications it runs, and the data stored within. Many of the security products that organizations deploy, such as firewalls and virtual private networks (VPNs, which are encrypted communication lines), are also perimeter-security products. They improve the security of the perimeter, which is a bit like plugging holes in the castle walls.

Currently, the IT industry faces a problem: Security approaches (including perimeter security) are becoming less effective. To understand why, you must know how security threats arise.

Inside and outside threats

About 70 percent of security breaches are caused by insiders (or by people getting help from insiders). This statistic is based on surveys of organizations that suffer breaches, but the truth is that no one is sure exactly what the figure is. Insiders rarely get caught, and proving insider involvement usually is impossible when a security attack comes from a computer outside the organization.

Warning

Nevertheless, the possibility that insiders will open a door for hackers or mount an inside attack makes it clear that perimeter security on its own will never be enough.

The outside threat is best described this way:

  • Hackers can be very talented engineers. They use specially designed, very sophisticated software tools to gain access and subvert systems.

  • Hackers can have networks of thousands of compromised PCs under their control. Such networks, called botnets, are extremely powerful.

  • Hackers may have channels through which they can sell an organization's data. A whole economic ecosystem has been built around the sale of stolen data.

  • Some hackers have financial channels through which they can extort money with impunity.

  • Hackers are guns for hire and may be hired by your competitors to perform industrial sabotage.

In summary, both inside and outside threats are real and may be formidable. How do you protect against them?

Types of attacks on IT assets

The type of protection you need depends on what you're trying to prevent. Here's a list of bad things that can happen:

  • Denial-of-service (DoS) attack: Drowning some external connection service (such as a Web server) in an avalanche of traffic, thereby preventing the service from working. Normally, the aim is to extort money ("We'll stop when you pay us") or to damage the service out of sheer delinquency.

  • Resource theft: Stealing computer equipment, particularly laptops.

  • Firewall breach: Breaking through a firewall to access servers on the corporate network directly. Not all firewalls work perfectly, and those that do can be misconfigured.

  • Virus infection: Implanting a virus on some computer in the network to open a back door into the network. Such viruses can be planted in many ways.

  • Software mischief: Using password-cracking software or known security weaknesses in some software (any kind accessed via the Internet) to gain access to the network.

  • Social engineering: Persuading an inside user to reveal his password.

    Warning

    Hackers sometimes call users, pretending to be the service desk, and trick them into revealing their passwords.

  • Data theft: Stealing any data that commands commercial value, such as financial details on customers, commercial secrets, or financial results.

  • Data destruction: Destroying or corrupting data in an attack.

  • Resource hijacking: Taking control of some of an organization's computers to run malevolent software, such as a program that sends out spam.

  • Fraud: Interfering with legitimate business applications to perpetrate a fraud, such as causing money to be sent to fraudulent accounts or redirecting ordered goods to temporary pickup addresses.

You can't block all attacks — and when we say that, we mean it. If you analyze the last four items in the preceding list, you quickly see that no simple solution can address these threats. A hacker can mount a successful attack in many ways, and unless you have an unlimited security budget, you can't block all those efforts completely.

Tip

You can reduce the risk of a successful attack, however. Here are a few methods:

  • Anti-DoS technology: Neutralize DoS attacks (which are purely external threats) by investing in appropriate technology. You can use different products — both software and hardware based — depending on the kind of attack you're trying to protect against.

  • Physical and personal security: Guard against resource theft by adding physical security in the office and employing personal vigilance outside the office.

  • Firewall maintenance: Apply the right level of diligence to maintaining firewalls.

  • White-listing: Stop all viruses by white-listing, which means telling the system exactly what software is allowed to run on any server in the network and blocking all other software. (For more information, see "HIPS and NIPS," later in this chapter.)

  • Automatic login termination: Reduce the risk of password cracking by automatically terminating login attempts after a certain number of tries.
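To make the last item concrete, here is an added example (our illustration, not code from the book or from any product) of an automatic login termination policy: after a number of failed attempts within a time window, the account is locked for a period, and even the correct password is refused until the lock expires. The threshold, window and lock duration, the user names, and the `verify` credential check are all assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// Policy values are assumptions for the example, not figures from the book:
// lock an account after maxFailures failed attempts inside window, for lockFor.
const (
	maxFailures = 5
	window      = 15 * time.Minute
	lockFor     = 30 * time.Minute
)

type accountState struct {
	failures    []time.Time // times of recent failed attempts
	lockedUntil time.Time
}

// Lockout counts failed logins per account and refuses attempts on locked ones.
type Lockout struct {
	accounts map[string]*accountState
}

func NewLockout() *Lockout {
	return &Lockout{accounts: map[string]*accountState{}}
}

func (l *Lockout) state(user string) *accountState {
	s, ok := l.accounts[user]
	if !ok {
		s = &accountState{}
		l.accounts[user] = s
	}
	return s
}

// Allowed reports whether an attempt for user may be evaluated at all.
func (l *Lockout) Allowed(user string, now time.Time) bool {
	return !now.Before(l.state(user).lockedUntil)
}

// RecordFailure notes a failed attempt and returns true if this one
// triggered a lockout. Failures older than the window are forgotten.
func (l *Lockout) RecordFailure(user string, now time.Time) bool {
	s := l.state(user)
	recent := s.failures[:0]
	for _, t := range s.failures {
		if now.Sub(t) <= window {
			recent = append(recent, t)
		}
	}
	s.failures = append(recent, now)
	if len(s.failures) >= maxFailures {
		s.lockedUntil = now.Add(lockFor)
		s.failures = nil
		return true
	}
	return false
}

// Login is the check an authentication layer makes: refuse locked accounts
// before even looking at the password, then verify and update the counters.
// verify stands in for the real credential check. Results: ok, denied, locked.
func (l *Lockout) Login(user, password string, now time.Time, verify func(user, password string) bool) string {
	if !l.Allowed(user, now) {
		return "locked"
	}
	if verify(user, password) {
		l.state(user).failures = nil // a good login clears the failure history
		return "ok"
	}
	if l.RecordFailure(user, now) {
		return "locked"
	}
	return "denied"
}

func main() {
	// Constructed credential store for the demonstration.
	verify := func(u, p string) bool { return u == "alice" && p == "correct-password" }
	lo := NewLockout()
	t0 := time.Date(2010, 1, 1, 9, 0, 0, 0, time.UTC)
	for i := 0; i < 6; i++ {
		fmt.Println("attempt", i+1, lo.Login("alice", "guess", t0.Add(time.Duration(i)*time.Minute), verify))
	}
	fmt.Println("right password while locked:", lo.Login("alice", "correct-password", t0.Add(10*time.Minute), verify))
	fmt.Println("after the lock expires:", lo.Login("alice", "correct-password", t0.Add(time.Hour), verify))
}
```

Run it and the fifth attempt trips the lock; the correct password ten minutes later is still refused, and only the attempt after the lock expires succeeds. The flip side a practitioner should keep in mind: anyone who knows a user name can deliberately trip the lock on that account, which is why many sites combine lockout with increasing delays or throttling per source rather than relying on lockout alone.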

Taking a Structured Approach to IT Security

Most people in IT security know that the best they can do for any computer network is significantly reduce the risk of a successful attack. Therefore, IT security is an exercise in risk management.

In general, follow these steps to reduce the risk of suffering security breaches:

  1. Authenticate all people accessing the network.

  2. Frame all access permissions so that any given user has access only to the applications and data that she's been granted specific permission to access.

  3. Authenticate all software running on any computer — and all changes to such software.

    You need to automate and authenticate software patches and configuration changes, as well as manage security patches in a proactive way.

  4. Formalize the process of requesting permission to access data or applications.

  5. Monitor all network activity, and log all unusual activity.

    In most cases, you should deploy intruder-detection technology.

  6. Log all user activity and program activity, and analyze it for unexpected behavior.

  7. Encrypt, up to the point of use, all valuable data that needs extra protection.

  8. Regularly check the network for vulnerabilities in all software exposed to the Internet or external users in any way.

If you read these steps and don't think that they'll be too hard to carry out, you don't know how complex it is to implement all these rules across a large network. Very few networks come close to this level of protection.

The reality of IT security is that point solutions usually are put in place to cover specific vulnerabilities. Thus, companies use firewalls to protect the internal network from the Internet, antivirus software to protect individual computers against known viruses, and VPNs to protect external connections coming into the network. Such security products reduce the risk of specific threats but don't constitute an integrated approach to IT security. Right now, that approach doesn't exist outside the realm of government organizations such as the National Security Agency, and it may not exist inside such organizations, either.

But some important products can make a significant contribution to building an integrated IT security platform. They come in three categories:

  • Identity management

  • Detection and forensics

  • Data encryption

We discuss these products separately in the following sections.

Implementing Identity Management

We discuss identity management systems in conjunction with the configuration management database in Chapter 18, focusing on the way systems capture data for use by other service management applications. The role of an identity management system is much wider, of course.

Note

Identity management's primary goal is managing personal identity information so that access to computer resources, applications, data, and services is controlled properly. Identity management is the one area of IT security that offers genuine benefits beyond reducing the risk of security breaches.

Benefits of identity management

The benefits of identity management come in three flavors:

  • Improved security: Such security improvements clearly have some financial value by virtue of the security breaches they prevent, but attaching a meaningful figure to that value is difficult.

  • Directly reduced costs: Direct cost reductions come from the following benefits:

    • Improved user productivity: Productivity improvement results from simplification of the sign-on interface (see "Single sign-on," later in this chapter) and the ability to get access rights changed quickly. Productivity is likely to improve further where you provide user self-service.

    • Improved customer and partner service: This benefit is the same as the simplified procedures described in the preceding paragraph, but delivered to partners and customers.

    • Reduced help desk costs: Reductions in help desk costs usually contribute significantly to overall cost reduction, mostly because IT doesn't have to field so many calls about forgotten passwords.

    • Reduced IT costs: Identity management enables automatic provisioning — providing or revoking users' access rights to systems and applications. Provisioning happens whether you automate it or not. When provisioning is manual, normally it's carried out by members of the IT operational staff or departmental staff. Considerable time and cost savings are possible when you automate the process (see "Provisioning," later in this chapter).

  Tip

  • Compliance: If your company must meet IT security compliance, identity management will inevitably help in that area.

Aspects of identity management

In this section, we cover the various aspects of an identity management program.

Data collation and management

Identity data generally is scattered around systems. Establish a common database or directory as a first step in gaining control of this information. This step involves inputting data and gathering data from various user directories.

Integration

An identity management system must integrate effectively with other applications to exchange identity information. In particular, it must have a direct interface to the human resources system — the place where new joiners and leavers are first recorded. It also must have a direct interface with supply-chain systems (if partners and suppliers are to use corporate systems) and customer databases (if customers require access to some systems), although customer identity management normally is handled by a separate component of an identity management system.

Stronger authentication

When you require authentication stronger than passwords, the identity management system must work with products that provide that authentication, such as biometric systems (fingerprints, handprints, iris verification, and the like) and identity token systems.

Provisioning

When you link all systems that use identity information, you can automate provisioning. If this process is automated, a single status change (of an employee or anyone else with access rights) can be defined in the identity management system and sent across all affected systems from that point.

Implementing a new application or changes in department business processes may affect the access requirements of individual users or user roles. Provisioning cuts across departments, possibly involving human resources, IT, and other departments.

Tip

When the process is automated, errors in providing users a broader level of access than necessary occur far less frequently or not at all. Providing broad levels of access happens frequently in manual provisioning, because it's easier to specify broad access than to specify a much more detailed granular level of access. Additionally, an automated process never fails to revoke former employees' access to the network.

When provisioning is complex, perhaps requiring approvals by several people in different departments, it requires a workflow arrangement. Ideally, you base the provisioning process on user self-service backed by a well-thought-out approval process.
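The following added example (ours, not the book's and not any identity management product's) shows what automated provisioning amounts to in code. Entitlements are attached to roles rather than to people, the HR record is the single source of a person's status and roles, and one reconciliation step computes the grants and revokes that each target system needs. The role catalogue, the system names (email, intranet, erp, crm) and the user names are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Entitlement is one right in one target system, e.g. erp:post-invoices.
type Entitlement struct{ System, Right string }

func (e Entitlement) String() string { return e.System + ":" + e.Right }

// roleEntitlements is the constructed role-to-entitlement catalogue that
// replaces ad hoc, per-person grants.
var roleEntitlements = map[string][]Entitlement{
	"employee":        {{"email", "mailbox"}, {"intranet", "read"}},
	"accounts-clerk":  {{"erp", "post-invoices"}, {"erp", "view-ledger"}},
	"sales-assistant": {{"crm", "edit-accounts"}},
}

// Identity is the record the HR system feeds to the identity manager.
type Identity struct {
	User   string
	Active bool // false once HR records the person as a leaver
	Roles  []string
}

// Action is a grant or revoke sent to a target system.
type Action struct {
	Op   string // "grant" or "revoke"
	User string
	Ent  Entitlement
}

// desired is the set of entitlements an identity should hold: the union of
// its roles' entitlements, or nothing at all for a leaver.
func desired(id Identity) map[Entitlement]bool {
	want := map[Entitlement]bool{}
	if !id.Active {
		return want
	}
	for _, r := range id.Roles {
		for _, e := range roleEntitlements[r] {
			want[e] = true
		}
	}
	return want
}

// Reconcile diffs what a user should have against what the target systems
// currently grant and returns the actions needed to converge. This is the
// single status change fanned out to every affected system.
func Reconcile(id Identity, current map[Entitlement]bool) []Action {
	want := desired(id)
	var acts []Action
	for e := range want {
		if !current[e] {
			acts = append(acts, Action{"grant", id.User, e})
		}
	}
	for e := range current {
		if !want[e] {
			acts = append(acts, Action{"revoke", id.User, e})
		}
	}
	sort.Slice(acts, func(i, j int) bool { // deterministic order for logs
		if acts[i].Op != acts[j].Op {
			return acts[i].Op < acts[j].Op
		}
		return acts[i].Ent.String() < acts[j].Ent.String()
	})
	return acts
}

// Apply plays the actions into the record of current grants (here a map
// standing in for the target systems' own access lists).
func Apply(current map[Entitlement]bool, acts []Action) {
	for _, a := range acts {
		if a.Op == "grant" {
			current[a.Ent] = true
		} else {
			delete(current, a.Ent)
		}
	}
}

func main() {
	grants := map[Entitlement]bool{}
	// Joiner: HR creates the record.
	alice := Identity{User: "alice", Active: true, Roles: []string{"employee", "accounts-clerk"}}
	acts := Reconcile(alice, grants)
	Apply(grants, acts)
	fmt.Println("joiner:", acts)
	// Mover: she transfers to sales; the clerk rights go, the CRM right comes.
	alice.Roles = []string{"employee", "sales-assistant"}
	acts = Reconcile(alice, grants)
	Apply(grants, acts)
	fmt.Println("mover:", acts)
	// Leaver: one flag from HR revokes everything, in every system.
	alice.Active = false
	acts = Reconcile(alice, grants)
	Apply(grants, acts)
	fmt.Println("leaver:", acts, "remaining grants:", len(grants))
}
```

The mover case is the one where manual provisioning tends to leave the old department's rights in place; the leaver case is the one the text says an automated process never misses. Because Reconcile only ever produces the difference, running it again after the actions have been applied yields nothing, so it can be scheduled repeatedly without side effects.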

Single sign-on

Single sign-on means providing all users an interface that validates identity as soon as a user signs on anywhere; this interface requires the user to enter a single password. Thereafter, all systems should know the user and her permissions.

Note

Some single-sign-on products don't provide the full gamut of identity management capabilities, but all identity management products deliver single-sign-on capability.

Rather than being assigned to individuals, permissions are often assigned to roles (accounts clerk, sales assistant, programmer, and so on). Therefore, single sign-on also means capturing information about the administration hierarchy. Single sign-on naturally goes with portal technology, with the user having a Web-based initial interface that provides access to all applications that he's entitled to access. Thus, single sign-on may need to interface with a portal product.

Security administration

Another benefit that identity management confers is a reduction in security administration costs. Security administrators no longer have to make manual authorization grants in dozens of systems; the identity management system handles that workflow automatically. This arrangement is particularly useful for organizations that have distributed security administration over several locations, because it enables security administration to be centralized.

Data analysis

After you centralize all user data, you can generate useful reports on resource and application use or carry out security audits. If you're having problems with internal hacking, for example, you can check a log that lists every user's activity (see the following section). Also, if you have logging software for databases and files, you can monitor who did what to any item of data and when, including who looked at specific items of data. This audit capability is important for implementing data privacy and data protection compliance.

Employing Detection and Forensics

In this section, we discuss three specific groups of IT security products:

  • Activity logs

  • Host-based intrusion protection systems and network-based intrusion protection systems

  • Data audit

Note

No one — intruder or legitimate user — should be able to use an organization's IT resources without leaving evidence. You want to detect any illegitimate activity as soon as it happens, but in many situations, you can't separate the legitimate from the illegitimate at the time. If you don't detect an attack while it's happening, at least you have a record of what took place.

Activity logs

Many logging capabilities are included in operating systems, applications, databases, and devices such as hardware firewalls and network monitors. A cost is associated with invoking logging capabilities: Turning on logging requires the system to write log records constantly, and it also involves creating a process to manage and archive such data until it's no longer needed.

Log files often provide some evidence of how fraud was perpetrated, however. Perpetrators of digital fraud often escape justice simply because the victim doesn't have sufficient evidence to prove what they did.

HIPS and NIPS

Host-based intrusion protection systems (HIPS) and network-based intrusion protection systems (NIPS) are the same thing: a collection of capabilities that make it difficult for intruders to penetrate a network. These systems can include the following elements:

  • System and log-file monitors: This software looks for traces of hackers in log files. The monitors can watch login accounts, for example, and issue alerts when account permissions change — often an indication that something untoward is going on.

  • Network intrusion-detection systems (NIDS): These security programs monitor the packets of information that travel through a computer network, looking for any telltale signs of hacker activity. The effectiveness of a NIDS depends on its capability to sort real dangers from harmless threats and legitimate activity. An ineffective NIDS raises too many false alarms and, thus, wastes time.

  • Digital deception software: This software deliberately misleads anyone who's attempting to attack the IT network. It can range from the simple spoofing of various service names to setting up traps known as honeypots or honeynets. (For more information, see the nearby sidebar "Fooling attackers by spoofing.")

    Warning

    Setting traps is unusual and can be expensive. It's normally done by government sites or by companies that suspect digital industrial espionage.

  • White-listing software: This software inventories valid executable programs running on a computer and prevents any other executables from running. White-listing severely hampers hackers, because even if they get access to a computer, they can't upload their own software to run on it. White-listing software reports on any attempt to run unauthenticated software. It also stops virus software stone dead.

  • Unified threat management: This central function takes information from all the preceding components and identifies threats by analyzing the combined information.
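Two of the elements just listed are simple enough to show working, so here is an added example (ours, not from the book or from any HIPS or NIPS product) that combines them: a log-file monitor that raises an alert when an account is added to a privileged group or a file is made world-writable, and an allow-list check that identifies executables by content hash and reports any attempt to run software that isn't in the inventory (the white-listing also recommended under "Types of attacks on IT assets," earlier in this chapter). A last function merges both components' alerts, which is all the unified threat management step does at its simplest. The log lines and their format, the group names and the executable contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Alert is what every detection component emits; unified threat management
// merges them so one view covers all components.
type Alert struct {
	Source, Detail string
}

// Constructed log lines in a simple syslog-like layout (not any real
// product's format); a real monitor parses whatever the platform writes.
const sampleLog = `2010-03-02T08:14:02 host1 login: user=alice result=ok
2010-03-02T08:15:11 host1 usermod: user=bob added_to=Administrators by=alice
2010-03-02T08:15:40 host1 login: user=bob result=fail
2010-03-02T09:02:07 host2 chmod: file=/etc/shadow mode=0666 by=bob
2010-03-02T09:03:00 host2 login: user=carol result=ok`

var (
	groupChange = regexp.MustCompile(`usermod: user=(\S+) added_to=(\S+) by=(\S+)`)
	modeChange  = regexp.MustCompile(`chmod: file=(\S+) mode=([0-7]+) by=(\S+)`)
)

// privilegedGroups are memberships whose change always deserves an alert
// (assumed names; adjust to the platform).
var privilegedGroups = map[string]bool{"Administrators": true, "wheel": true, "sudo": true}

// MonitorLog scans log lines for account-permission changes, the signal the
// text describes as often indicating that something untoward is going on.
func MonitorLog(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		if m := groupChange.FindStringSubmatch(line); m != nil && privilegedGroups[m[2]] {
			alerts = append(alerts, Alert{"logmon", fmt.Sprintf("%s added to %s by %s", m[1], m[2], m[3])})
		}
		if m := modeChange.FindStringSubmatch(line); m != nil {
			// The last octal digit is the "others" permission; bit 2 is write.
			if (m[2][len(m[2])-1]-'0')&2 != 0 {
				alerts = append(alerts, Alert{"logmon", fmt.Sprintf("%s made world-writable by %s", m[1], m[3])})
			}
		}
	}
	return alerts
}

// fingerprint identifies an executable by its content, not its file name,
// so renaming an unapproved program does not get it past the list.
func fingerprint(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// AllowList is the inventory of executables permitted to run: hash -> name.
type AllowList map[string]string

// CheckExec reports whether content may run and, if not, the alert that
// white-listing software raises for an attempt to run unauthenticated software.
func (a AllowList) CheckExec(path string, content []byte) (bool, *Alert) {
	h := fingerprint(content)
	if _, ok := a[h]; ok {
		return true, nil
	}
	return false, &Alert{"allowlist", fmt.Sprintf("blocked %s (sha256 %s...)", path, h[:12])}
}

// Unified merges the alerts of every component into one list for analysis.
func Unified(parts ...[]Alert) []Alert {
	var all []Alert
	for _, p := range parts {
		all = append(all, p...)
	}
	return all
}

func main() {
	approved := []byte("constructed bytes of an approved backup program")
	wl := AllowList{fingerprint(approved): "backup"}
	var execAlerts []Alert
	for _, try := range []struct {
		path    string
		content []byte
	}{{"/opt/backup/run", approved}, {"/tmp/unknown", []byte("constructed bytes of an unapproved program")}} {
		if ok, a := wl.CheckExec(try.path, try.content); !ok {
			execAlerts = append(execAlerts, *a)
		}
	}
	for _, a := range Unified(MonitorLog(sampleLog), execAlerts) {
		fmt.Printf("[%s] %s\n", a.Source, a.Detail)
	}
}
```

On the sample log, the two ordinary logins and the single failed login produce nothing; the group change and the permission change produce one alert each, and the unknown executable a third. The point of keying the allow list by hash rather than by path is that a program dropped under an approved name still fails the check.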

Data audit

Although databases log who changed any data, they normally don't log who read any piece of data. But read data is easily stolen. Enthusiasm for filling this gap increased considerably after the Sarbanes-Oxley legislation was enacted in 2002, specifically demanding that financial data be secured from unauthorized eyes. Consequently, a series of software products that log who looks at what quickly came into existence. These products generally are referred to as data audit products.

Encrypting Data

The IT world has a whole set of encryption techniques that can be regarded as completely safe. Thus, you can easily encrypt data and ensure that only the intended recipient can decrypt it.

You could encrypt everything. You could encrypt data when you write it to disk, when you send it down a wire, when you send it through the air by radio, and so on. Encrypting everything in a comprehensive way considerably reduces your exposure to data theft. Hackers wouldn't be able to cover their tracks, because they'd never be able to decrypt the log files.

Note

Encryption poses a performance penalty, however, so focus encryption on specific data that needs protection.

Think about how you use encryption. A fairly recent case of data theft included data that was encrypted until it was delivered to the application that needed to use it. At that point, the data was decrypted for use — and that's exactly where the hacker struck. The loss could have been prevented if the application itself had controlled the decryption on a record-by-record basis.
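The point about where decryption happens is easier to see in code. Here is an added example (ours, not from the book or from any product) in which the application keeps the key inside a small vault, decrypts exactly one record when a named user asks for it, and writes an audit entry for every read attempt, which also gives the "who looked at what" record described under "Data audit," earlier in this chapter. It uses AES-256-GCM from Go's standard library; the record id is bound to the ciphertext, so a record copied under another id, or edited in the store, is rejected rather than decrypted to garbage. The record contents, ids and user names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is the "who looked at what, and when" record that data audit
// products keep; here every read attempt, successful or not, produces one.
type AuditEntry struct {
	When    time.Time
	Who     string
	Record  string
	Outcome string // "ok" or "failed"
}

// Vault keeps records encrypted with AES-256-GCM. The key lives only here,
// so the rest of the application receives one decrypted record at a time,
// at its point of use, and never a bulk-decrypted copy.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // id -> nonce || ciphertext
	Audit   []AuditEntry
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}

// Put encrypts one record. The record id is bound in as associated data, so
// a ciphertext copied under another id fails to decrypt.
func (v *Vault) Put(id string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.records[id] = append(nonce, v.aead.Seal(nil, nonce, plaintext, []byte(id))...)
	return nil
}

// Read decrypts exactly one record for a named user and logs the attempt.
func (v *Vault) Read(id, who string) ([]byte, error) {
	blob, ok := v.records[id]
	ns := v.aead.NonceSize()
	if !ok || len(blob) < ns {
		v.log(who, id, "failed")
		return nil, errors.New("no such record")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
	if err != nil {
		v.log(who, id, "failed") // tampered or mis-filed: GCM refuses, nothing leaks
		return nil, err
	}
	v.log(who, id, "ok")
	return pt, nil
}

func (v *Vault) log(who, id, outcome string) {
	v.Audit = append(v.Audit, AuditEntry{time.Now(), who, id, outcome})
}

// Ciphertext is what a thief copying the store or the wire would obtain.
func (v *Vault) Ciphertext(id string) []byte { return v.records[id] }

// Tamper flips one byte of a stored record to show that a modified
// ciphertext is rejected rather than decrypted.
func (v *Vault) Tamper(id string) {
	blob := v.records[id]
	blob[len(blob)-1] ^= 0x01
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	v.Put("cust-1001", []byte("name=A. Customer balance=1200.00")) // constructed record
	fmt.Printf("at rest: %x...\n", v.Ciphertext("cust-1001")[:16])
	pt, _ := v.Read("cust-1001", "alice")
	fmt.Println("point of use:", string(pt))
	fmt.Printf("audit: %+v\n", v.Audit[0])
}
```

The contrast with the case in the text is that nothing outside Read ever holds the key or a decrypted copy of the whole data set, so an attacker who reaches the application's memory or its storage sees one record at most and leaves an audit entry doing so. Key management (where the 32-byte key comes from and how it is rotated) is left out here and is the hard part in practice.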

Because of the complexities it adds, encryption is used less frequently than perhaps it should be. The media have covered many cases of stolen laptops containing valuable data — including military secrets. Those thefts wouldn't have been problems if all the data on those laptops had been encrypted properly.

Creating an IT Security Strategy

This book isn't IT Security For Dummies, so we won't go into creating a comprehensive IT security strategy. We do want to provide some pointers, though:

  • In most circumstances, IT security needs to be approached from a risk management perspective. If your organization has risk management specialists, involve them in IT security planning.

  • IT security monitoring has no simple key performance indicators, but be aware of what similar organizations spend on IT security. That way, you have some awareness of the level of investment. Similarly, it makes sense to keep track of time lost due to any kind of attack — a useful measurement of cost that you may be able to reduce over time.

  • You need identity management for many reasons, and identity management offers many benefits. Give priority to improving identity management if your current capability is poor.

  • Try to create general awareness of IT security risks by educating and warning staff members about specific dangers (such as social engineering; refer to "Types of attacks on IT assets," earlier in this chapter).

  • Regularly have external IT security consultants check your company's IT security policy and IT network.

  • Determine specific IT security policies for change management and patch management, and make sure that policies are well understood by your service management staff.

  • Stay abreast of news about IT security breaches in other companies and the causes of those breaches.

  • Review backup and disaster-recovery systems in light of IT security. Apart from anything else, IT security breaches can require complete application recovery.

When a security breach occurs on a specific computer, the applications running on that computer will likely have to be stopped. Consequently, security breaches can be the direct causes of service interruptions and can contribute to lower service levels. Also, data theft resulting from a security breach could result in a real or perceived breach of customers' trust in your organization.

All you can do right now, however, is reduce the risk of such occurrences. Current IT security technology doesn't allow for integration and, hence, a higher level of maturity.
