Notes on Protecting Digital Information

Case Analysis:

-1- The Fugitive hardly needs our endorsement to sustain its well-deserved fame. What is important is to realize how the best movies do not rest solely on our suspending disbelief. They also convey important real-life lessons in memorable scenes.
In the scene in question, the hero needs access to some medical records. Granted, the action happens before HIPAA was enacted, but consider that the hero:

  • has, being a doctor himself, a thorough understanding of the procedures involved in retrieving the targeted information
  • impersonates a cleaning service employee, getting into the relevant hospital office after hours
  • performs mundane acts, like dusting the Venetian blind slats of this office's windows, when under observation by other staff members, including the bored eyes of passing security personnel (please verify this last detail!)
This is reality, not fiction. The security rule of HIPAA recognizes this by listing not only technical safeguards (such as passwords) but also physical safeguards (such as facility access controls) and administrative ones (such as workforce clearance procedures). All three types had to be violated by our hero in order to succeed, and the major weakness he exploited was common indifference for, and by, staff employed in underpaid jobs such as janitors and security guards.

-2- For confirmation, listen to what Gary Rivlin has to say about Mark Seiden, a very real security expert:

  • he is "something of a supergeek", cognizant of security systems
  • he "has a closetful of uniforms [...] gathered rummaging through thriftshops and browsing on eBay"
  • "he finds that if he carries a clipboard and looks officious, no one bothers to question his presence"
Picking locks and wriggling above dropped-tile ceilings, as suggested in the article, make for more movie stuff. The point is that the combination of all three factors is deadly.

-3- As you would expect from someone who earns a living from vulnerability testing, Mark Seiden declares: "If you're serious about creating a secure system, you need two people to do it: someone who sets it up and one who checks it". Readers familiar with software development will recall that companies indeed split their engineering workforce into "developers" and "testers". For asking an engineer to fully test a program he or she has just brought to working condition is like asking a mother to acknowledge her new baby is not the most beautiful: it runs counter to nature.
However, other lessons from software development should be remembered:

  • creating two opposing teams generates friction over who is the best. Software developers tend to look down on testers. Outsourcing vulnerability testing is a way to avoid this problem. Outsourcing security enforcement is another, but it can never be done 100%.
  • vulnerability testing, like any safety net, creates a moral hazard, as the security team comes to rely on testers to find flaws it should have eliminated in the first place

-4- While both colorful halves of the case draw attention away from pure technical security, one must stress again that there is no security if it is not encompassing. For example vulnerability testing must also include using remote computers to hack into the target system.

-5- Mark Seiden has a last lesson to teach us. "Basically you can't prevent a determined adversary who has unlimited resource from breaching security. What you want to do is to prevent yourself from being taken and not know about it."
Indeed, activity logging and log safekeeping are vital tasks to minimize damage, learn how to improve prevention and decrease the legal responsibility of the organization. In fact, employees themselves are a major source of computer crime, and quite a few are caught, not in the act, but in the subsequent effort to falsify the damning records.

General Comments:

-1- Whether they implement HIPAA or GLBA, official rules teach us one cannot dissociate security from privacy. Looking back at chapter I-1 Identity Theft, one confirms this by experience: the exposures of consumer IDs at CardSystems and LexisNexis were both the result of direct criminal activity against their respective computers.
This fact justifies our overall plan, which addresses liabilities with respect to privacy issues in the first half and vulnerabilities with respect to security issues in the second half.

-2- Speaking of information systems vulnerabilities, we cannot stress enough that digital information does not escape from traditional threats.
Only an integrated approach to security, including personnel hiring and physical security, can deliver the required level of security and compliance.

-3- Unfortunately, while new technologies do not decrease the relevance of traditional threats, they create new sources of threats.

  • networked computers work by maintaining open communication ports and listening on them for legitimate input requests. The associated threat comes from the ease with which the corresponding applications can be fooled by malicious requests and by the unchecked multiplication of these applications. This is of course the legacy of a time when microcomputer operating system and tool designers did not bother about security
  • however, history seems to repeat itself with the developing market of smart cellular phones and personal digital assistants (PDAs). See the Oct 2004 report for sale by Forrester
  • the emergence of voice transmission over the Internet (VoIP) is likewise opening a new frontier, as described by Ken Belson, New York Times, Aug 2004
  • wireless networks, including the widely marketed Bluetooth (IEEE 802.15.1) and Wi-Fi (IEEE 802.11b, g and n), provide hackers with new entry points for eavesdropping on communications, gaining access to unsuspecting servers and even setting up pseudo corporate servers.
  • while previous examples are based on new communication and mobility options, the same applies to:
    • new software tools and applications. For instance the Google desktop bar tool, which allows searches to include local files, was subject to a security flaw, since repaired, analyzed in Dec 2004 by the Computer Security Lab at Rice University.
    • new storage tools. It is much easier to carry sensitive information out of premises on a USB memory key than on a hard disk

-4- Even more troubling, one must realize security itself creates new risks:

  • accumulation of sensitive data in one place for better protection attracts thieves just like bank vaults do: "because that is where the money is".
  • traditional security guard uniforms and their digital equivalents (certificates) can be stolen and used by the thief to gain easy access to more valuable data
  • entrusting users with passwords and other means of access creates opportunities for social engineering, the new, fashionable term for confidence games

-5- As stated in chapter I-1 Id Theft, the highest level of data security is achieved when data is not present in the first place. Those executives with enough power or influence to change "the traditional way of doing things" in an organization must keep this obvious truth in mind.
Security is rarely a concern when an information system is first developed. Success is what ultimately attracts and rewards attackers. At this later stage, it is hard to dispute the necessity of the data as used by the system, and the question which arises is how to protect this data in the future. Yet a correct risk analysis would consider whether another version of the system could provide similar results without some of the sensitive data to protect, thereby yielding higher profits by lowering both costs and risks.
One must appreciate that the executive whose position depends on the existence of the data to be protected will never suggest a solution based on suppressing this data.

-6- So far we have stressed the link between privacy and security. But security goes well beyond the need for implementing data privacy. Security is also required to ensure data integrity, a universal concern.
First, by requiring the CEO and the CFO of public companies to acknowledge their responsibilities for "internal controls", the Sarbanes-Oxley Act of 2002 (see section 302) has given data integrity, without which internal controls are meaningless, a high priority. Second, since many private companies need either to become public or to be acquired by a public company to secure their future, they too must pay attention to what implementing SOX mandates means for them.

-7- In summary:

  • GLBA and similar privacy laws mandate security for customer information. See 16 CFR 314.3: "develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue"
  • SOX mandates security for financial and accounting information. See proposed SEC rule release 33-8138: "ensure that companies have processes designed to provide reasonable assurance that the company's transactions are properly authorized; the company's assets are safeguarded against unauthorized or improper use; and the company's transactions are properly recorded and reported"
  • Common sense mandates security for intellectual property assets, which include the work products of R&D.
It makes sense for an organization to consider security as encompassing all data on principle.

-8- While privacy laws often include similar details, let us take advantage of SOX to highlight two important aspects of implementing security:

  • periodic evaluation: this is inherent to the regular schedule of forms 10Q and 10K, which SOX requires companies to prepare based on an "evaluation, with the participation of the issuer's principal executive officer or officers and principal financial officer or officers, or persons performing similar functions, of the effectiveness, as of the end of the period covered by the report, of the design and operation of the issuer's disclosure controls and procedures and the issuer's internal controls and procedures for financial reporting"
  • disclosure of internal fraud: this is inherent to the public access to forms 10Q and 10K and the requirement that auditors and the board audit committee be told of "any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal controls and procedures for financial reporting"

Solutions:
The solution to achieve better security is to use a combination of a methodology and technical tools.

-1- Overall approach
While ISO 17799 is much more complete, we follow HIPAA as providing a better value (see guidance documents).
However, before going down each individual item, including administrative safeguards, organizational requirements and policies and procedures, one should have a global model of how to address security.

We propose the medieval castle as the metaphor for a global security model. This metaphor conveys two important perspectives:

  • the castle is an economic center, living
    • in symbiosis with the surrounding territories, organized and managed by the castle and supporting its economy
    • under the constant threat of attacks, coups de main rather than all out war
  • the castle is made to be successfully defended by
    • a series of concentric walls culminating with the central keep
    • mobile forces to go and reinforce any area under attack
The first perspective stresses the necessary integration of local economic life and local security in a world which expects very little protection from higher levels of government. This is the context in which business organizations normally operate today if one looks not at violent crime but at economic fraud and Internet security.
The second perspective shows the solution to the following paradox. In order to be protected, the whole system must be surrounded by a fence but economics dictate that a fence which would surround everything is too costly. The solution is to organize several lines of defense whose costs are kept manageable because the greater the protection, the higher in value and the less in volume it has to protect, leaving peasants and fields unprotected and putting the lord's treasure inside the keep.
This concentric security model is not new to computer science. The MULTICS computer project in the late 1960s took security as a design requirement and came up with the notion of "rings" of decreasing privileges (to download an assessment of overall security for MULTICS, see the report by Karger and Schell).
One can think of other metaphors taken for example from ordinary law enforcement (police) or human biology (viruses). Such analogies can be useful, in particular to enrich one's understanding of specific aspects of security. We will stick to the medieval castle as more encompassing.

-2- Following our metaphor, security management must be assumed at a high level of corporate responsibility, as it was for castle defense management.
Whatever the title involved, the executive in question must have an understanding of:

  • management of information systems - it covers the data to protect, some of the potential attacks and the technical remedies, but also
  • human resources - so much depends on personnel
  • law - compliance is a stated goal
  • the business of the organization - security must be integrated into business life rather than appearing as an obstacle to it
One might wish the understanding described above to be "good"; in fact it only needs to be "appropriate to [organization] size and complexity", to borrow from GLBA. The CEO of a small business might be best positioned to take this responsibility directly, although he or she has little formal knowledge outside the nature of the business. On the other hand, the executive responsible for security in a large corporation without an intimate knowledge of HR matters, personally or through direct reports, would be more dangerous than useful.

The security officer (to use a title) must further report to the CEO and the CEO must be personally convinced of the importance of the mission, something SOX helps to achieve. Our metaphor conveys the situation: the lord not convinced that defenses were a high priority would not have enjoyed his castle for long.
Reporting to the CEO is not due to the size of implementation costs, as high costs do not always deliver high security. The Maginot Line represented a major defensive expense for France but did not prevent the June '40 German attack which simply went around it by invading Belgium. At the other extreme a few geese were all that was needed to alert the Romans on time that the Gauls had scaled the Capitol at a point deemed unassailable.
The reason for reporting to the CEO is the need for integrating business and security. A low level voice will write unimplementable and unimplemented reports, become an unwitting tool to reinforce internal fiefdoms in the name of security or focus on some narrow interpretation of security, never able to challenge established procedures and authorities unless a crisis has already occurred. This is how top managers at Morton Thiokol brushed aside an engineer when he voiced his concerns on O-ring failure at cold temperatures, leading to the loss of the Challenger shuttle.

-3- Integrating security within the business itself enables the organization to pursue three major advantages.

  • share costs with business continuity implementation, a self-interested business imperative
    The walls and stores of the castle made it a refuge against natural catastrophes as well as enemies. In the same way, good security planning will make an information system stronger against unintended interruptions. For example, assume a server stops working because of fire, flood or a virus attack: the backup measures will have a lot in common.
  • decrease other business costs:
    Based on a security plan, one should be ready to negotiate downward any insurance premium covering the consequences of a security lapse.
    We already mentioned in the chapter on marketing that list scrubbing when required for compliance might also be used to decrease duplicate and other wasteful communications with prospects.
    Another example would be the progressive reduction or elimination of consumer databases through the use of tEC, the ePrio technology for interactive marketing introduced in chapter II-2 on marketing.
  • increase customer, employee and shareholder satisfaction, the three pillars of business success
    Well-designed security should have a visible component which projects strength and order, two positive ways to market the business. Many medieval castles, such as the Rhine burgs, remain tourist attractions to this day. Business integration can of course go beyond public relations.
    As a counter-example take the issuance of multiple passwords to employees according to a silo structure, a method at the same time inefficient, irritating and giving evidence of an outdated organization.
    A special case should be made for tEC. By showing prospects and customers that the organization does not, indeed cannot, compile profile information, the organization escapes the legal sleaziness oozing from the phrase "We may change our Privacy Policy from time to time", especially when buried at the end of a lengthy privacy notice.

-4- Security planning should push decision making down to operational units while retaining central responsibility.
The first practical step to take in application of the castle metaphor is to list and classify the data inside the organization according to the degree of protection they deserve. Some authors suggest four levels: public, internal, confidential and restricted. One should rather set the number of classes according to the complexity of the organization.
In so doing one must distinguish:

  • what is to be protected and at what level of protection, a corporate responsibility, and
  • what a unit needs to operate, a unit responsibility
A castle economy would have been quickly stifled by trying to force everything inside the keep. Yet organizations tend to stifle their innovation spirit by requiring that their units submit to a higher level of security than they want. Conversely, operational units tend to break rules without thinking about consequences. The case of CardSystems is exemplary: sensitive consumer information was kept, against its own rules, for "research purposes" (source: CardSystems CEO).
A sound security policy should charge operational units for the direct costs of security while promoting ways for units to move, at their choosing, to the lowest possible level. Going back to CardSystems, a rather simple process could have transformed highly sensitive data into a sanitized version good enough for research purposes.
Sound security will in fact increase the probability of a breach while decreasing overall risks and losses. This is counter-intuitive and requires some investment in public and internal communication so that the image of the company is not indiscriminately damaged. Another metaphor can help: car front ends which buckle and bend against an obstacle appear less safe than those which keep rigid and yet are safer because they better absorb shock energy.

Having a stake in the keep is a way to gain prestige. Units may also seek more protection for their data than planned by corporate policy. Such moves must be resisted, for they lower security. While customer information and company accounts are sensitive, administrative power over security parameters needs even more protection. In the realm of physical security, Mark Seiden has pointed out how absurd it is to store master keys behind a simple lock though they will open very secure locks.

-5- Security is based on documentation of policies and logging of events.
Required by law, documentation of policies should be seen as what it really is: a best practice to:

  • efficiently propagate information to all concerned, especially for personnel training
  • enable continuous improvements by comparing planned and actual implementation
Event logging similarly is a best practice to:

  • capture actual behavior to support comparison with plans
  • efficiently trace perpetrators after the fact

-6- Human Resources related policies
It is now possible to give due consideration to the Human Resources component of security, and first to recognize that good security involves everyone all the time. As unpopular as this fact may be for all concerned, one must remember how castle life was carried on under constant threat of attack. This fact unfortunately cannot be taken as a starting point, i.e. as an order from on high, for such orders will be ignored by most, but as an objective: what policies can result in securing everyone's participation? As usual, any recommendation made below must be scaled to the size of the organization concerned.

  • The first step is to understand the need for vetting employees. According to a report from the UK Financial Services Authority, "there is evidence that organised crime groups deliberately target financial services firms in order to place staff to commit financial crime, in particular identity theft. It is therefore imperative that firms have a comprehensive vetting policy and follow it in recruiting employees." See the tools for background checks in chapter I-1 on ID theft.
  • Second, all employees must receive appropriate security training, whose cost and effectiveness are directly related to overall personnel management. The following is bad:
    • too much hiring - initial training is undercut by the natural wish of new hires to survive orientation with minimum mental stress
    • too little hiring - old timers have a tendency to become more relaxed over security matters especially if security is good (prolonged peace is bad for feudal lords)
    • too many leaving - departing employees are a potential security risk as they have inside knowledge but no longer depend on the prosperity of the organization
    The answer is to make security information readily available on the organization intranet, provide incentives to all for applying security measures and make security clearance easily cancellable.
  • Third, sensitive data management should be segmented according to access privilege.
    For each dataset, one can distinguish four levels of privilege:
    • have no access to the data
    • use the data
    • record the data
    • administer clearance relative to the data (no access, read only, read/write, declare permissions)
    For a given privilege level, the lower the number of authorized employees, the higher the security attached to the corresponding data. Accordingly, for a given dataset, the higher the privilege level, the lower the number of employees who should enjoy it. The net result implements the data classification previously mentioned from an internal threat perspective.
    Further workset and time segmentation can enhance this effect: an employee's read permission on a dataset may for example be restricted to an appropriate subset during official working hours, e.g. limit a line manager's access to HR data to direct and indirect reports from 9:00 am to 5:00 pm.
    Looking back to access privileges, one can appreciate three facts:
    • any employee can be characterized by the list of his or her access privileges
    • actual access privilege lists are fewer by far than the total number of potential combinations, even in small organizations
    • actual access privilege lists are fewer than the total number of employees, as employees share duties, especially in large organizations
    Actual access privilege lists are therefore used to define "roles" in the organization. Data security administration can then be simplified by assigning a role to each employee.
    As an illustration of role-based management, accounting fraud makes it particularly important to ensure that the person(s) authorized to record data do not report to whoever takes decisions based on the data. See SEC release 33-8138 requiring "the plan of organization for separating duties concerned with record-keeping from duties concerned with operations or asset custody."
    This of course highlights the ultimate contradiction of the public company that awards the CEO stock options for a significant fraction of total compensation: by construction, all the employees whose recordkeeping influences the value of the company stock ultimately report to the CEO.
    The same methodology will apply to physical security, governing access to work areas, offices and individual computers. A special case must be made for remote access privileges, since they increase the risk of external interference.
  • Fourth, security must appear as instinctive as possible, even though common experience tells us that a lot of rules appear petty, rigid and an insult to those acting under them.
    This is no easy task but we offer four mitigating factors:
    • try to make most limitations invisible to users. For example, employees lose neither sleep nor temper because they are given an office (or a desk) key and not a master key, because they have no need for the extra clearance
    • make sure that visible limitations receive a hearing from those who will have to follow them. This step has the extra advantage of getting the input of those with relevant experience, and will do much to eliminate ignorance-based pettiness and improve overall design. See the European law transposed into the UK Information and Consultation regulations
    • recast all limitations into privileges. People are naturally inclined to receive privileges, and others do not resent privileges genuinely justified by the nature of the work (e.g. a master key)
    • cultivate a sense of risk-based fraternity. Employees operating in high risk situations routinely accept high levels of codified behavior and appreciate the bonding which comes from this common acceptance. This could be the case for example of the small community of high clearance security administrators.
    Tying trust to function together with access segmentation and concentric levels of security should severely limit the number of positions which will reward criminal activities by employees and increase the length of time needed by a career criminal to infiltrate an organization as far as the equivalent of the keep.
  • Fifth, make everyone understand the risks of social engineering. Phishing does not target private individuals only; any employee can be an unwitting victim as well.
    The first counter-measure is to tie the security clearance of an employee to personal factors so that any phishing request will appear suspicious: if I am only given a key to my desk, I might think twice before lending it to someone I do not know, since nobody should need to open my desk.
    The second counter-measure is to have clear and simple rules for emergency situations, taking again HIPAA for our model. Confidence games indeed like to create or fake such situations to prey upon the desire of people to help in case of crisis. "I am Dr X calling from the emergency room. Mr Y's doctor is not available, the nurse on call does not answer, I need access to Mr Y's record NOW, can you give me the password to the patient record system? Mr Y's life is at risk!"
  • Sixth, make sure everyone understands that ethics is just a fancy name for good old common moral sense. Surely self-dealing, conflict of interest and sheer greed should need no explanation beyond a few telling anecdotes. I offer a simple, well-known test: if a business decision would not stand wide public disclosure, one should think twice before implementing it.
    A famous but now forgotten example happened in 1994 when Metromail, a data broker now owned by credit report agency Experian, cut costs by hiring prison inmates. "Metromail's practice of hiring felons in a Texas prison to do data entry also has put consumers at risk. In 1994, a convicted rapist memorized an Ohio woman's personal data and wrote her a threatening letter. The woman proceeded to trash the company, appearing on talk shows such as Geraldo Rivera's, according to Marc Klaas, president of the Klaas Foundation for Children in Sausalito, Calif. Her lawsuit against Metromail is pending. As a result of those controversies, Metromail's chairman and chief executive retired and R.R. Donnelley relinquished control of Metromail when it went public in spring 1996" (see CIO 1997 article on ethics).
  • Seventh, attach sanctions to security policies. Care should be taken that sanctions, or compliance incentives to follow Safe Harbor vocabulary, are not enforced before their existence has been fully justified and debated (see the fourth step). They should also be proportional to the offense, for example involving the loss of those privileges which have been abused.
    Unfortunately there is a need to "put on the books" explicit, ultimate sanctions such as firing for cause in case of named security breaches. This protects the organization against having to prove criminal intent when it suspects it, relying instead on documenting the breach, the relevant written policy and its sanction, and the prior consent of the employee as a condition of employment. Security policies are best implemented as a detailed role-based document directly enforced by software. A simpler "acceptable use policy" should be the indispensable minimum.
  • Eighth, make sure that pay is commensurate with responsibilities. This of course is a sore point for cost-conscious organizations, for some responsibilities, tied to low-level positions such as cleaning, delivery and patrolling, are counter-intuitive, often outsourced and normally provided for minimum pay.
    One can offer two arguments to change such dangerous practices:
    • were the CEO of a large corporation to advertise for a secretary with checking privileges and no screening, wouldn't he or she encounter a similar abundance of candidates happy to get rock-bottom compensation? But screening alone cannot be the solution when one deals with a large number of positions to fill each year.
    • were this CEO to go on business to an unsafe country, wouldn't he or she insist on being provided with the very best personal security, from armor to bodyguards? Yet security threats can hold a business to ransom in more dangerous ways.
    The recommended practice of giving better salaries to low-level employees with high responsibilities does not have to be out of control. When coupled with access segmentation and concentric levels of security, the practice would simply offer rewarding jobs to a limited number of employees and help stabilize low-level staff with the hope of promotion.
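As an added example (not part of the original notes), the third step above put into Python: the four privilege levels per dataset, roles derived from the employees' actual privilege lists, the line-manager rule restricting HR data to direct and indirect reports between 9:00 am and 5:00 pm, and the separation-of-duties check between those who record data and those who decide on it. The eight-person organization, its names and its datasets are constructed for the illustration; treating the privilege levels as cumulative (RECORD implies USE) is an assumption.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


class Privilege(IntEnum):
    """The four privilege levels the notes distinguish per dataset, lowest first.
    Assumption: levels are cumulative (RECORD implies USE, ADMINISTER implies both)."""
    NONE = 0        # have no access to the data
    USE = 1         # use (read) the data
    RECORD = 2      # record (write) the data
    ADMINISTER = 3  # administer clearance relative to the data


@dataclass
class Employee:
    name: str
    manager: Optional[str]                                  # None at the top of the org chart
    privileges: Dict[str, Privilege] = field(default_factory=dict)

    def level(self, dataset: str) -> Privilege:
        return self.privileges.get(dataset, Privilege.NONE)


class OrgChart:
    def __init__(self, staff: List[Employee]):
        self.staff = {e.name: e for e in staff}

    def reports_to(self, junior: str, senior: str) -> bool:
        """True when `senior` is anywhere up `junior`'s chain of command."""
        cur = self.staff[junior].manager
        while cur is not None:
            if cur == senior:
                return True
            cur = self.staff[cur].manager
        return False

    def derive_roles(self) -> Dict[FrozenSet[Tuple[str, Privilege]], List[str]]:
        """Group employees by their actual privilege list; each distinct list is one role."""
        roles: Dict[FrozenSet[Tuple[str, Privilege]], List[str]] = {}
        for e in self.staff.values():
            key = frozenset((ds, lv) for ds, lv in e.privileges.items() if lv > Privilege.NONE)
            roles.setdefault(key, []).append(e.name)
        return roles

    def check_access(self, who: str, dataset: str, needed: Privilege,
                     subject: Optional[str] = None, hour: Optional[int] = None) -> bool:
        """Clearance check plus the workset/time segmentation rule from the notes:
        a holder of plain USE on "hr_records" (a line manager) may read only the record
        of a direct or indirect report, and only from 9:00 am to 5:00 pm (hour 9..16)."""
        emp = self.staff[who]
        if emp.level(dataset) < needed:
            return False
        if dataset == "hr_records" and emp.level(dataset) == Privilege.USE:
            if subject is None or hour is None:
                return False                        # the restricted read needs both parameters
            if not self.reports_to(subject, who):
                return False                        # not one of this manager's reports
            if not 9 <= hour < 17:
                return False                        # outside official working hours
        return True

    def separation_of_duties_violations(self, dataset: str,
                                        decision_makers: Set[str]) -> List[Tuple[str, str]]:
        """Whoever records a dataset must not report, directly or indirectly, to someone
        who takes decisions based on it (the SEC 33-8138 point quoted in the notes)."""
        found: List[Tuple[str, str]] = []
        for e in self.staff.values():
            if e.level(dataset) >= Privilege.RECORD:
                for dm in sorted(decision_makers):
                    if e.name != dm and self.reports_to(e.name, dm):
                        found.append((e.name, dm))
        return sorted(found)


def sample_org() -> OrgChart:
    """Constructed eight-person organization; names and datasets are made up for the example."""
    P = Privilege
    return OrgChart([
        Employee("ceo", None, {"ledger": P.USE}),
        Employee("cfo", "ceo", {"ledger": P.USE}),
        Employee("controller", "cfo", {"ledger": P.RECORD}),
        Employee("hr_director", "ceo", {"hr_records": P.ADMINISTER}),
        Employee("hr_clerk", "hr_director", {"hr_records": P.RECORD}),
        Employee("eng_manager", "ceo", {"hr_records": P.USE}),
        Employee("dev1", "eng_manager"),
        Employee("dev2", "dev1"),                    # indirect report of eng_manager
    ])


if __name__ == "__main__":
    org = sample_org()
    print(f"{len(org.staff)} employees, {len(org.derive_roles())} distinct roles")
    print("manager reads an indirect report's record at 10:00:",
          org.check_access("eng_manager", "hr_records", Privilege.USE, "dev2", 10))
    print("same read at 18:00:",
          org.check_access("eng_manager", "hr_records", Privilege.USE, "dev2", 18))
    print("ledger recorders reporting to the CFO:",
          org.separation_of_duties_violations("ledger", {"cfo"}))
    print("with the CEO also deciding on the ledger:",
          org.separation_of_duties_violations("ledger", {"ceo", "cfo"}))
```

The last call shows the notes' CEO contradiction: once the CEO is a decision maker, every recorder of the ledger reports to a decision maker by construction.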

-7- Final measures
Once in place, a security policy needs to be evaluated and constantly improved. There is a need for balancing two evaluation methods proposed by security consultants: risk management and security defense penetration testing. Classify security risks in three categories:

  • probable risks should be measured using quantitative risk management techniques (see chapter I-2 on credit fraud)
  • risks too big or too rare to be properly shouldered by the organization alone should be covered by appropriate insurance
  • unknown risks, which escape risk management, should be revealed through penetration testing, giving free rein to creative thinking
Using an external, independent audit to check risk management and security policy is a good way to solve the conflict of interest of the CEO mentioned in point three of Human Resources related policies.
Using an external, independent company to do penetration testing is the best way to ensure creativity is not self-censoring.

The final measure is to draw up security conditions for subcontractors, suppliers and partners. It seems reasonable to try to extend similar measures, policies, enforcement clauses and periodic audits to them. This of course is made much more difficult by the adversarial and ad hoc contract negotiation process and the inevitable tradeoffs between costs and security.
One point at least is certain: expert lawyer advice is indispensable. When the COO of Suez decided in February 2005 to conduct a security audit of its subsidiary Electrabel, he somehow overlooked that minority shareholders of Electrabel might see this as self-dealing, and landed himself in legal trouble (see story in the International Herald Tribune).

Tools available:
One should assume at this point that the "security officer" has developed a consistent, well accepted security framework which clearly defines the defensive architecture and the roles and privileges of the employees. The following is meant to supply the security officer with relevant tools to inform the design and allow the implementation of this defensive architecture.
The abundance of tools, and the heavy emphasis on SOX compliance with which they are promoted, make it difficult to do justice to individual products and companies. We will simply rely on keyword based searches to give the reader a head start in each category. An expert understanding of the principles behind each one is outside of our scope.

  • access security
    Rule enforcement depends on personnel background checking, physical security tools such as locks and keys and user identification tools.
    Administering user identification however is a challenge in itself past a certain organization size, especially in view of complex segmentation policies as outlined above. Three related types of software tools are available to address the issue:

  • network security
    At the risk of being obvious we preface this paragraph by observing that the most secure network computer is the one not connected to a network at all, or at least not connected to the Internet, at the very least not directly connected to the Internet. In keeping with this straightforward approach, one relies on:
    • computer port monitoring, to limit the number of active applications making use of the network and of active ports opened for traffic
    • multi-tiered architecture, in direct application of the castle metaphor with its concentric walls
      • segregating database computers from web servers, with firewalls for extra protection
      • isolating web servers and web clients from direct contact with Internet-borne traffic using firewalls and proxy servers
    • secure communications to shield legitimate traffic from outside interference, relying on
      • virtual private networks (VPN) or more simply on
      • SSL protocol
    • server redundancy, from simple storage duplication to entire computer center replication
    Firewalls can be implemented on separate hardware (see Google search) but smaller organizations, or less protected units of large organizations, can use software to this effect (see Google search). The more flexible the firewall rules to authorize or deny traffic between outside (IP and port) and inside (IP, port, protocol and application), the better. When firewalls are used between more than two layers (e.g. the three tier model: Internet/web server/data server), selecting a different type for each interface increases security since attacks would need multiple breaching methods.
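    As an added illustration (not part of these notes), a small script that audits a three tier firewall policy for the properties just described: no rule letting Internet traffic straight through to the data server, no outbound path from the data server, and a different firewall type on each interface. The tier names, ports and the firewall types "fw-A" and "fw-B" are constructed assumptions.

```python
from collections import defaultdict

# Each rule: (source tier, destination tier, destination port, firewall type
# on that interface). Constructed sample policy for the three tier model
# Internet / web server / data server; "fw-A" and "fw-B" are hypothetical.
RULES = [
    ("internet", "web", 443, "fw-A"),
    ("web", "data", 1521, "fw-B"),
]

def allowed_graph(rules):
    """Directed graph of which tier may open connections to which."""
    graph = defaultdict(set)
    for src, dst, _port, _fw in rules:
        graph[src].add(dst)
    return graph

def reachable(graph, start):
    """Tiers reachable from `start` by chaining allowed rules."""
    seen, stack = set(), [start]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def audit(rules):
    """Return policy findings; an empty list means the concentric walls hold."""
    findings = []
    graph = allowed_graph(rules)
    # 1. Internet traffic must never be allowed straight through to the data tier.
    for src, dst, port, _fw in rules:
        if src == "internet" and dst == "data":
            findings.append(f"internet->data direct on port {port}")
    # 2. The data tier must not be able to initiate connections back out.
    if "internet" in reachable(graph, "data"):
        findings.append("data tier can reach the internet")
    # 3. Use a different firewall type on each interface, so that one
    #    breaching method is not enough to cross both walls.
    first_use = {}
    for src, dst, _port, fw in rules:
        iface = f"{src}->{dst}"
        if fw in first_use and first_use[fw] != iface:
            findings.append(f"same firewall type {fw} on {first_use[fw]} and {iface}")
        first_use.setdefault(fw, iface)
    return findings
```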

    Given this defensive architecture, which implements the data classification previously mentioned from an external threat perspective, network administration must enforce constant vigilance against:
    • network leaks, such as unsecured coverage of public areas by a corporate wi-fi network
    • computer infestation by viruses, worms and other trojans
    • especially client computer infestation by malicious keyloggers (aka keyrecorders)
    For a good source of information on viruses and other pests, see the Computer Security Resource Center at the National Institute of Standards and Technology (NIST). This resource also maintains a list of all anti-virus software vendors.
    While indispensable, anti-virus software has a major flaw: it operates by combing network traffic for the "signature" of known pests. By design there is necessarily a delay between the release of a new pest and the corresponding update in the signature database. For network managers who want to protect their networks even on "day zero", real time traffic behavior analyzers can provide a solution (see Mirage Network for example).
    Whether used in real time or for delayed analysis, network traffic analyzers are a useful tool for network performance tuning as well as for compliance (see Google search).
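    To make the difference between the two approaches concrete, here is an added example (not from these notes or from any vendor) that runs a signature check and a simple behavior check over a few constructed connection log lines: the old worm is caught by its signature, while the "day zero" scanner has no signature yet and is only revealed by its fan-out behavior. Host names, the payload tags and the signature database are all constructed.

```python
# Constructed connection log: time, source host, destination, bytes, payload tag.
# The tag stands in for whatever a scanner would match in the packet content.
LOG = """\
10:00:01 ws-12 mail.corp.internal 1200 smtp-normal
10:00:02 ws-12 file.corp.internal 8800 smb-normal
10:00:03 ws-07 10.9.0.1 60 unknown-probe
10:00:03 ws-07 10.9.0.2 60 unknown-probe
10:00:03 ws-07 10.9.0.3 60 unknown-probe
10:00:03 ws-07 10.9.0.4 60 unknown-probe
10:00:03 ws-07 10.9.0.5 60 unknown-probe
10:00:04 ws-03 file.corp.internal 5000 worm-sig-2004-17
""".splitlines()

# Hypothetical signature database: the old worm is known, the new probe is not.
SIGNATURES = {"worm-sig-2004-17"}

def parse(line):
    ts, src, dst, nbytes, tag = line.split()
    return {"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes), "tag": tag}

def signature_hits(lines, signatures=SIGNATURES):
    """Anti-virus style: flag only hosts whose traffic matches a known signature."""
    return sorted({r["src"] for r in map(parse, lines) if r["tag"] in signatures})

def behaviour_hits(lines, max_peers=3):
    """Behavior analysis: flag a host that contacts more distinct peers within
    one second than a normal client would, whether or not a signature exists."""
    peers = {}
    for r in map(parse, lines):
        peers.setdefault((r["ts"], r["src"]), set()).add(r["dst"])
    return sorted({src for (_, src), dsts in peers.items() if len(dsts) > max_peers})
```

    The threshold of three peers per second is a constructed value; a real analyzer would learn the baseline per host and per time of day.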

  • data security
    There are three sides to data security. Access to data is mediated through access security. However, data encryption further protects it against:
    • access by persons without the corresponding decryption key
    • accidental or criminal possession of a copy, e.g. via a lost or stolen archival tape
    There are two downsides to consider:
    • key management is in itself a difficult task since the distribution of keys to their owners must be made more secure than access to the data they are supposed to protect.
    • good encryption/decryption schemes take a significant amount of processing power
    See results from this Google search for a start. For a feel for the difficulty of achieving a real increase in security, see a report on standard Oracle features. For those who like to know about the latest advances, we point to quantum cryptography, an innovative solution which can, for example, secure the distribution of secret keys beyond the more common approach of public key exchanges.

    We take this opportunity to remind the security officer of the issue of policing personal mobile devices with significant storage capabilities: laptops, PDAs, USB keys... While a blanket rule against storing any company information on these devices, easily lost, easily stolen, might encounter considerable difficulties (see above HR step four), a systematic encryption policy together with a sensible segmentation of company information might do the trick. Associated costs run up to $50 per device, a reasonable sum for a privileged few.

  • tamper evident systems
    Prompted by the requirements of the DOD and other government agencies, various computers have been redesigned to be tamper proof. This feature can be added as a form of physical security, but more intriguing is the less demanding requirement of being tamper evident.
    Suppose an organization wants to set up a high level of integration with a long term partner, whether a supplier or a business customer. Suppose further that this partner cannot or will not be entrusted with some proprietary data or computing capabilities. Asking this partner to house a tamper evident computer provided by the organization might be an efficient contractual way to resolve the issue. Tamper evidence can be accomplished simply and inexpensively with a sealed enclosure. This practice is commonly used with hosting services.
    Further security can be added when the activity of this tamper evident computer is shielded by another computer run by the partner using tEC, the ePrio technology. While the tamper evident computer protects the organization's secrets from the partner, tEC ensures that it leaks no information to the outside without prior, explicit authorization by the partner, thus protecting the partner from the organization.

  • indirect measures
    While above measures directly protect an information system, it is useful to review other types of measures.
    Decoys have been widely used throughout history to redirect attackers either to traps or at least to worthless targets.
    Marketing list resellers for example spike their lists with false addresses under their control to detect forbidden usage. One may adopt this inexpensive measure for protected address lists.
    Honeypots are network resources with no actual operational usage and whose access can only be illegitimate. Combined with good logging, these decoys will yield precious information on would be perpetrators, their methods and possibly their origins.
    There is no limit to the imagination. If a security officer suspects internal misbehavior, he or she may want to fake some company gossip and make it accessible only to unauthorized network users, a combination of sorts of the two previous methods.
    Log analysis software allows network or data managers to spot suspicious activities and help stop the damage to operational resources if any. A Google search illustrates the practicality of cost sharing between compliance and normal business activities. It happens that log analysis is also very useful to optimize Internet based marketing.
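    The list spiking and the fake gossip decoy rest on the same principle: a bait that only a misbehaving party would touch, made distinct per party so that the touch can be attributed. As an added example (not from these notes), the following derives canary addresses per licensee of a protected address list with a keyed hash, so that mail arriving at a canary points back to the copy of the list that leaked. The secret, the domain and the licensee names are constructed.

```python
import hmac, hashlib

# Hypothetical secret held only by the list owner; it never ships with the list.
CANARY_SECRET = b"constructed-secret-rotate-me"
CANARY_DOMAIN = "example.com"  # a domain under the list owner's control

def canary_address(licensee, index):
    """Deterministic but unguessable local part, bound to one licensee and slot."""
    msg = f"{licensee}:{index}".encode()
    tag = hmac.new(CANARY_SECRET, msg, hashlib.sha256).hexdigest()[:12]
    return f"j.{tag}@{CANARY_DOMAIN}"

def spike(real_list, licensee, count=3):
    """The copy of the list handed to `licensee`, with `count` canaries merged in."""
    canaries = [canary_address(licensee, i) for i in range(count)]
    return sorted(real_list + canaries)

def attribute(received_address, licensees, count=3):
    """Given an address that received unsolicited mail, name the licensee whose
    copy contained it; None for a real subscriber or an address we never issued."""
    for licensee in licensees:
        for i in range(count):
            if hmac.compare_digest(canary_address(licensee, i), received_address):
                return licensee
    return None
```

    The canaries should look like ordinary subscribers and be scattered through the list, since a licensee who can spot them can strip them before misusing the list.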

  • outsourced services
    The use of external security audits (Google search), penetration testing (Google search) and computer network-related insurance (Google search) has already been mentioned.
    More generally, medium size businesses which need highly professional security but do not have the resources to develop and manage such an environment for themselves might want to check the offer of so called managed security services (Google search).

a link to an organisation, public or private, does not represent an endorsement
and no compensation has been received nor solicited by the author for its inclusion.
August 2005
Copyright © 2005 Philippe Coueignoux. All rights reserved.