How to Conduct a Security Assessment

Editor's Note: Migrating HP 3000 sites must take on security in far more detail once they move operations onto open enterprise environments. In the first of a series of articles, CISSP security expert Steven Hardwick of Oxygen Finance outlines the basic security concepts, and how security controls fit together to provide an overall protection environment.

By Steven Hardwick

First in a Series

As penalties for loss of data increase, more and more regulations are forcing organizations to protect it. Couple this with new technologies that are moving information into the cloud and a perfect storm is forming, one that will force IT professionals to evaluate the security status of their infrastructure regularly. To aid this effort, this series will cover

1. Introduction to security controls
2. Overview of security regulations
3. Tips on conducting a security assessment

By understanding how security systems are built as a whole, it becomes easier to comprehend the myriad requirements detailed in a security regulation. It is sometimes difficult for IT professionals to see the wood for the trees, and taking a broader view gives a better understanding of both the challenge and the potential solution. It is not always as simple as encrypting data or adding another firewall.

Where to Start

The majority of security requirements are focused on protecting information. However, one additional asset that is often overlooked, especially in the commercial sector, is the people themselves.

Once, when conducting an audit, I noticed water sprinklers in the computer room. When I asked the IT manager where the cut-off switch for the room was, he did not know, nor was it clearly marked. Consequently, if the water came down while someone was in the room, it was not obvious how to turn off the power. Fortunately, this is included in some requirements, but ensuring human safety is not the primary responsibility of the IT department. It's the data that must be protected.

The aspects of protecting data are divided into three areas:

• Who/what can view the data (Confidentiality)
• Who/what can change the data (Integrity)
• How can authorized users/applications get to it (Availability)

Security regulations usually focus on one, or maybe two, of these categories. For example, PCI DSS (the card industry's data security standard) is very focused on confidentiality, whereas SOX (financial reporting) is focused on integrity. Both, however, include some requirements from the other categories.

Another basic concept is that there is no silver bullet that will be a cure-all. Even within a medium-sized organization there may be over 30 different types of security controls, and only a portion of them are specified, deployed or maintained by the IT department. Fortunately, the security industry has made some sense of this by grouping security controls into three types, based on the general way they are implemented: Administrative, Technical and Physical.

Each control can be further classified by the way in which it mitigates the security threat: Preventative, Detective or Corrective.

Our next order of business is to understand the general description of each of these delineations. Bear in mind that I am using a loose classification. Although most security controls clearly fall into one category or another, some are left to interpretation.

It's all in a name

First let's define the three different security control types, and then look at how they can be further categorized.

Administrative controls are the policies and procedures that govern the security infrastructure. In most cases these are written documents that outline the behaviors that are expected. The documents can be either internally generated (a work-at-home policy, for example) or an external requirement such as HIPAA.

As well as defining the behavior, in some cases the enforcement of the control is also included. One of the common complaints regarding HIPAA was that it had little effective enforcement. In the succeeding HITECH Act the US government added enforcement of the security controls it contained.

Here are some general examples of Administrative controls:

  • Regulations (HIPAA, PCI, SOX)
  • Acceptable use policy
  • Disaster recovery policy
  • Non-disclosure and confidentiality agreements
  • Hosting contract (Particularly SLA terms defining availability)
  • Employee agreement -- return of all data and equipment
  • Equipment logs and maintenance records (includes security equipment such as firewalls)
  • Vacation policy

Why is vacation policy considered a security control? Firstly, ask any security professional what the single weakest link in any security chain is. The answer is almost certainly the people. When individuals do not take vacation they can easily burn out, and this causes fundamental mistakes that open holes in the security environment and put information or people at risk.

Secondly, if an employee goes on vacation, another employee usually assumes their role. If the original employee is violating security policy, the new person may detect it. I have personal experience of a situation where emails were discovered that exposed an employee who was routinely sending sales information to a competitor. The "vacation" in this case was that employee's interview. Another employee assigned to temporarily process the emails noticed that several had been sent to a competitor and notified the security team. Not only was the vacationing employee terminated with cause, but the company receiving the email was threatened with legal action, and the offer of employment was withdrawn.

Physical controls are generally as they sound: those defined to secure the physical environment (sometimes called "Guns, Guards and Gates"). There are a few, however, that fall into this category and are easily overlooked. Here are some examples.

  • Building access controls (includes badges, video monitoring, security guards, locks, fire escapes)
  • Internal access controls (typically a subset of the overall building controls, but can include additional levels such as fingerprint access control)
  • Monitoring equipment
  • Safety systems for the information processing environment
  • Disaster recovery equipment (including cooling/heating systems)
  • Information disposal (discussed as a specific case below)

Over the past several years, information disposal security has grown in scope. Originally this type of control was focused on hardcopy data; it included document shredders, for example. However, this has changed in two ways.

First, the bad guys have become more innovative. Most readers will have seen one of the cop shows where the rookie has to go through the suspect's garbage. Physical controls now include management of waste. Second, disposal of IT equipment is part of physical controls. There are countless stories where someone bought a used computer on eBay only to find tons of information on the hard drive. Deleting files or reformatting does not remove the data; a drive must be wiped or physically destroyed before it leaves the organization's control. (I was once given a replacement hard drive for my laptop. It turned out to be an un-erased drive that had previously belonged to the CEO. Needless to say, it was returned to the CIO. Why the CIO? He had clearance to receive the data.)

Technical controls are the section most IT staff view as "security." (They are sometimes called logical controls.) This includes firewalls, encryption, IPS, RAID arrays (for availability), and backup. These will be covered in a little more detail under the Preventative, Detective and Corrective definitions. (The author has lots of examples of this type of control, but so do most readers.)

Going to the next level

Preventative controls, as the name suggests, stop a violation of the security policy before it happens. This classification is combined with the control type to describe a control more precisely.

  • Administrative Preventative: Training. Most view this as a corrective action as it seems that training is only held after a breach has occurred. However, the training is actually being held to prevent future breaches.
  • Physical Preventative: Locks
  • Technical Preventative: Encryption

Detective controls are used to determine whether a preventative control has failed or been breached. They typically sit behind a preventative control and are aligned with its capability.

  • Administrative Detective: Log reviews
  • Physical Detective: Digital video recorder (This can either be for external or internal cameras)
  • Technical Detective: Intrusion Detection System (This is normally a component of an overall system)

Corrective controls come into play to stop a breach that is in progress. This class of control works in concert with both preventative and detective controls to thwart the attack. Typically the detective control activates the corrective control, and the corrective control then changes the behavior of a preventative control to stop the attack.

  • Administrative Corrective: Disaster recovery plan
  • Physical Corrective: Incident response team
  • Technical Corrective: Intrusion Prevention System (typically linked to a firewall)
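To make the detective and corrective definitions above concrete, here is an added example (not code from the original article) of the two working together in the way the text describes: a log review (technical/administrative detective control) that, once a source exceeds a failed-login threshold inside a time window, produces a firewall deny rule (the corrective control changing the behavior of the preventative control). The log lines are constructed sshd-style samples, not real data; the year supplied to the parser, the threshold, the window and the nftables table/chain names in the generated rule are all assumptions. The rule is returned as text rather than executed, so the script runs anywhere.

```python
"""Detective control (log review) feeding a corrective control (firewall rule).

Added example, not part of the original article. Log lines are constructed;
the nftables table/chain names are assumed and nothing is executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog/sshd style). Not real data.
# 203.0.113.7 fails 5 times in 13 seconds; 198.51.100.4 fails once then logs in;
# 192.0.2.9 fails twice but 15 minutes apart (outside the default window).
SAMPLE_LOG = """\
Mar 10 10:01:02 host1 sshd[2200]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 10:01:05 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 10 10:01:09 host1 sshd[2202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 10:01:12 host1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
Mar 10 10:01:15 host1 sshd[2204]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 10:02:00 host1 sshd[2210]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 10:02:30 host1 sshd[2211]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 10:05:00 host1 sshd[2220]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar 10 10:20:00 host1 sshd[2221]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd line into (timestamp, result, user, ip), or None.

    Syslog timestamps carry no year, so one is assumed (parameter).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def review_log(text, threshold=5, window_seconds=60):
    """Detective control: report sources with >= threshold failed logins
    inside a sliding window. Returns {ip: time_of_first_detection}; each
    source is reported once, at the moment the threshold is crossed."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    detections = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                 # not a password event; ignore
        ts, result, _user, ip = parsed
        if result != "Failed":
            continue                 # successful logins are not counted
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # drop failures older than the window
        if len(q) >= threshold and ip not in detections:
            detections[ip] = ts
    return detections


def corrective_rules(detections):
    """Corrective control: one deny rule per detected source, altering the
    behavior of the preventative control (the host firewall). Emitted as
    nftables commands with an assumed 'inet filter' table and 'input' chain;
    this function only builds the text, it does not apply it."""
    return [f"nft add rule inet filter input ip saddr {ip} drop"
            for ip in sorted(detections)]


if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for ip, when in found.items():
        print(f"ALERT {when:%H:%M:%S} repeated login failures from {ip}")
    for rule in corrective_rules(found):
        print("WOULD APPLY:", rule)
```

With the defaults only 203.0.113.7 is reported; 192.0.2.9 is missed because its two failures are 15 minutes apart, which is exactly why the threshold and window of a detective control have to be tuned to the threat (a slow, patient attacker needs a longer window and a lower threshold, at the cost of more false alerts).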

What this looks like in practice

Let's consider the deployment of a centrally managed data protection system. The diagram shows some of the different controls that must be deployed to support it.

In this example, a technical preventative control is being deployed. A technical detective control, the centrally managed policy and log server, provides alerts if the security is breached. The technical response is provided by the IPS. The management server is housed in a datacenter that has physical access control. A video surveillance system can be used to detect unauthorized access, and a response team alerted to correct any violations. Once deployed, users are trained on how to use the system in order to prevent misuse. The system logs are routinely monitored to detect breaches, and the response plan details how to respond.

As you can see from this simple example, several different departments (IT, facilities, legal, HR) would be involved in developing the complete set of controls. 

Next time: A review of different types of regulations, and why there are so many.
