Understanding Security
The most fundamental skill in securing computers and networks is understanding the big picture of security. By understanding the big picture of how to secure computers and networks as well as the limitations of security, you can avoid spending time, money, and energy attempting impossible or impractical security measures. You can also spend less time resecuring assets that have been jeopardized by poorly conceived or ineffective security measures.
Granting the Least Privilege Required
Always think of security in terms of granting the least amount of privileges required to carry out the task. Excess privileges serve no useful business or technical purpose and can lead to users, administrators, or attackers taking advantage of them.
Defending Each Network Layer
Imagine the security of your network as an onion. Each layer you pull away gets you closer to the center, where the critical asset exists. On your network, defend each layer as though the next outer layer is ineffective or nonexistent. The aggregate security of your network will increase exponentially if you defend vigilantly at all levels.
Reducing the Attack Surface
Attackers are functionally unlimited and thus possess unlimited time, while you have limited time and resources. (The concept of being functionally unlimited is detailed in Chapter 2, Understanding Your Enemy.) An attacker needs to know of only one vulnerability to successfully attack your network, while you must pinpoint all your vulnerabilities to defend your network. The smaller your attack surface, the better chance you have of accounting for all assets and their protection. Attackers will have fewer targets, and you will have less to monitor and maintain.
Avoiding Assumptions
Making assumptions will generally result in you overlooking, prematurely dismissing, or incorrectly assessing critical details. Often these details are not obvious or are buried deep within a process or technology. That is why you must test everything! You might also want to hire a third party to assess the security of your network or applications. Some organizations might even have legal or regulatory compliance statutes that require them to undergo this type of evaluation.
Protecting, Detecting, and Responding
When you think about securing a computer or a network, think about how you can protect the asset proactively, detect attempted security incidents, and respond to security incidents. This is the security life cycle. By looking at security from this perspective, you will be better prepared to handle unpredictable events.
Securing by Design, Default, and Deployment
When you design networks, ensure that the following criteria are met:
Your design is completed with security as an integral component.
Your design is secure by default.
The deployment and ongoing management of the implementation maintains the security of the network.
By accomplishing these three goals, you can address security proactively and natively rather than reactively and artificially.
The 10 Immutable Laws of Security
In 2000, Scott Culp of the Microsoft Security Response Center published the article The Ten Immutable Laws of Security on the Microsoft Web site, which you can read at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10imlaws.asp. Even though the Internet and computer security are changing at a staggering rate, these laws remain true. These 10 laws do an excellent job of describing some of the limitations of security:
Often attackers attempt to encourage the user to install software on the attacker's behalf. Many viruses and Trojan horse applications operate this way. For example, the ILOVEYOU virus succeeded only because unwitting users ran the script when it arrived in an e-mail message. Another emerging class of applications that attackers prompt a user to install is spyware. Once installed, spyware monitors a user's activities on his computer and reports the results to the attacker.
A securely installed operating system and the securely procured hardware that it is installed on is referred to as a Trusted Computing Base (TCB). If an attacker can replace or modify any of the operating system files or certain components of the system's hardware, the TCB can no longer be trusted. For example, an attacker might replace the file Passfilt.dll, which is used to enforce password complexity, with a version of the file that also records all passwords used on the system. If an operating system has been compromised or you cannot prove that it has not been compromised, you should no longer trust the operating system.
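One way to be able to prove that TCB files have not been modified is to record their digests while the system is known-good and compare against that baseline later. The following is an added example, not code from the book; it uses a constructed temporary directory with stand-in files (the Passfilt.dll replacement scenario from the text) rather than a real Windows installation, and the checked paths are assumed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, relative_paths):
    """Record the digest of each TCB file while the system is known-good.
    The baseline must be stored off the host: a compromised OS could
    rewrite a baseline kept on the same disk."""
    return {rel: sha256_file(Path(root) / rel) for rel in relative_paths}


def verify_baseline(root, baseline):
    """Compare the current files against the baseline.
    Returns {relative_path: 'missing' | 'modified'}; empty means no change."""
    findings = {}
    for rel, expected in baseline.items():
        p = Path(root) / rel
        if not p.exists():
            findings[rel] = "missing"
        elif sha256_file(p) != expected:
            findings[rel] = "modified"
    return findings


def demo():
    """Constructed scenario: baseline two stand-in TCB files, then replace
    the password filter and delete the other file, as an attacker with
    write access to the system files could."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "System32"
    sys32.mkdir()
    (sys32 / "Passfilt.dll").write_bytes(b"password filter (constructed sample)")
    (sys32 / "ntoskrnl.exe").write_bytes(b"kernel image (constructed sample)")
    tcb_files = ["System32/Passfilt.dll", "System32/ntoskrnl.exe"]
    baseline = build_baseline(root, tcb_files)
    assert verify_baseline(root, baseline) == {}  # known-good state
    (sys32 / "Passfilt.dll").write_bytes(b"replacement filter (constructed sample)")
    (sys32 / "ntoskrnl.exe").unlink()
    return verify_baseline(root, baseline)
```

A non-empty result means the TCB can no longer be trusted; as the text says, the only sound response is to treat the operating system as compromised, since the checker itself runs on the host it is examining and a thorough attacker can subvert it.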
Once an attacker possesses physical access to a computer, you can do little to prevent the attacker from gaining administrator privileges on the operating system. With administrator privilege compromised, nearly all persistently stored data is at risk of being exposed. Similarly, an attacker with physical access could install hardware or software to monitor and record keystrokes that are completely transparent to the user. If a computer has been physically compromised or you cannot prove otherwise, you should not trust the computer.
An attacker who can execute applications or modify code on your Web site can take full control of the Web site. The most obvious symptom of this is an attacker defacing an organization's Web site. A corollary to this law is that if a Web site requests input from the user, attackers will use bad input. For example, you might have a form that asks for a number between 1 and 100. While normal users will enter numbers within the specified data range, an attacker will try to use any data input he feels will break the back-end application.
Even if a network design is thoroughly secure, if users and administrators use blank, default, or otherwise simple passwords, the security will be rendered ineffective once an attacker cracks the password.
One constant on all networks is that you must trust the network administrators. The more administrative privileges an administrator account has, the more the administrator must be trusted. In other words, if you do not trust someone, do not give him administrator privileges.
No encryption algorithm will protect the ciphertext from an attacker if she possesses or can gain possession of the decryption key. Encryption alone is not a solution to a business problem unless there is a strong component of key management and unless users and administrators are vigilant in protecting their keys or key material.
New computer viruses, worms, and Trojan horses are always emerging and existing ones evolving. Consequently, antivirus software can become outdated quickly. As new or modified viruses are released, antivirus software is updated. Antivirus software that is not updated to recognize a given virus will not be able to prevent it.
Two issues related to security that are often confused are privacy and anonymity. Anonymity means that your identity and details about your identity are completely unknown and untraceable, while privacy means that your identity and details about your identity are not disclosed. Privacy is essential, and technology and laws make achieving it possible. On the other hand, anonymity is not possible or practical when on the Internet, or when using computers in general.
Although technology can secure computers and computer networks, it is not and will never be a solution in and of itself. You must combine technology with people and processes to create a secure computing environment.
The 10 Immutable Laws of Security Administration
As a follow-up to his article on security, Microsoft's Scott Culp wrote The Ten Immutable Laws of Security Administration, which you can find at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10salaws.asp. These 10 laws address the security issues that network administrators must contend with, issues entirely separate from the day-to-day security concerns of users:
Because attacks on computer networks often cannot be seen, felt, or heard, it is easy for users and administrators to place them out of their minds. With attacks far from one's mind, it is difficult to see the need for security. Unfortunately, after a security incident takes place, the need for security is frequently still dismissed and the breach regarded as a one-time incident. Attackers will attempt to compromise the security of your network. It is not a question of if or when; it is a question of how frequently. You must protect your networks against attackers, detect their attempts to compromise your network, and respond when security incidents do occur.
For most users and administrators, the more difficult or invasive a security measure is, the more likely they are to ignore it, forget it, or subvert it. Ideally, security should be transparent to users and administrators. When the security measure requires a user or an administrator to change his behavior, you should create clear and easy-to-follow procedures for completing the task in question and explain your rationale for implementing the security measure.
After a security update is announced and the vulnerability is explained, a race begins between attackers attempting to exploit the vulnerability and administrators attempting to apply the security update. If you do not keep up with applying security updates, an attacker will exploit one of the known vulnerabilities on your network.
Although installing security updates will prevent exposure to newly discovered vulnerabilities, installing security updates in and of itself will not result in a secure computer. For a computer to be secure, it is essential that the base operating system be securely configured.
Security is an ongoing effort. The security administrator must remain vigilant to attacks and attackers who constantly strive to increase the level of sophistication of their attacks. An infinite number of potential attackers exist, and they have infinite time on their hands to crack your network. Attackers have little to lose and need to know only one exploit. Security administrators, on the other hand, have a finite amount of time and resources to defend their organization's network. A security administrator is defeated when a single attack is successful against the network.
Because of the mythic qualities surrounding attackers, much like the monster under the bed, it is easy to push the possibility of attackers out of one's mind. Unlike the monster under the bed, attackers do exist and they do attack networks. In movies, attackers break powerful encryption algorithms; in real life, they guess simple passwords and exploit mundane, known vulnerabilities.
Although a security expert can secure a network, it will not remain secure if it is not well managed from the CIO, to the security administrator, to the end user.
The more complex a network is, the greater the chance for administrators to misconfigure computers, lose track of the configuration of computers, and fail to understand how the network really works. When in doubt, keep it simple.
You will never avoid all security risks. It would be too costly and impractical. Claims of unbreakable security stem from ignorance or arrogance.
Although it is essential to ensure the bits and bytes on your network are configured securely, doing so will not prevent rogue administrators, poor processes, careless users, or apathetic managers.