8.2 Trust No One: The Highest Security

[Danger level graphic: fivedangerlevel.gif (five, the highest level)]

Some computers contain data so confidential that they should trust no one. This means they should not have a connection to the Internet or even the organization's normal network, either directly or indirectly. It does not take a rocket scientist to know that highly classified data such as designs for nuclear missiles never should be accessible to the Internet, and the intelligence services follow this policy. Even the Weather Channel gets weather feeds over a completely separate network from the Internet, and its computers that receive this feed are on a network isolated from the rest of the organization.

Other organizations do not realize they should be following this policy, too, for certain data. The rule of thumb should be:

How much damage will be done if all of the data in question is compromised? Multiply the value of each datum by the quantity. Allow for the worst case scenario. Consider the organization's liability: How will a breach affect the organization regarding lawsuits, criminal negligence, adverse publicity, loss of funding, and so on?

It is clear that many large databases of confidential data have no business being on the Internet. Some examples of such data include the following:

  • Employee data

  • Patient medical data

  • Financial databases (banking, stock, and similar data)

  • Legal cases

  • Customer information (credit card data, passwords, etc.)

  • Security information

  • Any other information that does not need to be accessible from the Internet

In many cases, such databases should be on a computer in a locked room with no data access from outside of that room. In some cases, access via a private network not connected to the Internet (except, possibly, via a very carefully evaluated VPN) may be acceptable.

The state of California keeps financial information on all of its 265,000 state employees, including its governor, on a computer accessible from the Internet. This includes social security numbers, home addresses, and, most likely, bank accounts for those with direct deposit. If this data were to be compromised, the financial harm from identity theft alone could total millions of dollars. Even worse, employees in sensitive positions, such as judges, undercover police officers, and auditors, could be blackmailed, coerced, or even murdered. (Most people in positions like these take great pains to keep such information confidential.) The legal liability in the event of a breach is huge, as is the likelihood of the SysAdmin needing a new job.

Sadly, some of these things likely will come to pass. It was reported that on April 5, 2002, someone from Massachusetts came in to the California system over the Internet and accessed all of this data. I can almost hear the thunk of the heads rolling down the front steps of the Statehouse.


In other cases, very limited access may be acceptable, such as an e-commerce site's database of customer credit card numbers and other data. I describe my technique for doing this in "One-Way Credit Card Data Path for Top Security" on page 302. In essence, the technique is to create a special server as the only service listening on the network. This server will not offer a command to "dump the database"; thus it will be very hard for a cracker to compromise it. This technique can work equally well for other types of data, such as employee data, medical data, etc. For issues that are this important, have your security consultant evaluate your design and implementation.
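The "special server as the only service listening" idea can be shown in code. The following is an added example written for this page; it is not the author's implementation from page 302 and assumes a wire protocol of my own: the only verb the listener understands is `STORE <order-id> <encoded-record>`, which appends a record to a write-only sink. There is deliberately no READ, LIST or DUMP verb, so a compromised web server that can reach this listener can add records but cannot pull the database back out. The interface address and log path in `main` are placeholders.

```python
"""Write-only data path listener (added example, not from the book).

The front-end web server may only push records here. The listener
accepts exactly one verb and exposes no way to read data back, which is
the point of the 'no dump command' design described in the text.
"""
import re
import socketserver
import threading

# Strict grammar for the single accepted request. Order ids are short
# alphanumerics; the record is base64-style text. Everything else is rejected
# before any data is touched.
STORE_RE = re.compile(
    r"^STORE (?P<order>[A-Za-z0-9-]{1,32}) (?P<blob>[A-Za-z0-9+/=]{1,2048})$"
)
MAX_LINE = 2200  # hard upper bound on one request line, in characters


class WriteOnlyStore:
    """Append-only sink. It has append() and, on purpose, no read or dump method."""

    def __init__(self, path=None):
        self.path = path        # None keeps the demo in memory; a file path appends to disk
        self.count = 0          # number of records accepted (a counter, not the data)
        self._lock = threading.Lock()

    def append(self, order, blob):
        with self._lock:
            if self.path:
                with open(self.path, "a", encoding="ascii") as fh:
                    fh.write(f"{order} {blob}\n")
            self.count += 1


def handle_request(store, line):
    """Validate one request line and return the response text.

    Anything that is not a well-formed STORE is refused with a generic error;
    the server never echoes stored data or acknowledges other verbs.
    """
    line = line.strip()
    if len(line) > MAX_LINE:
        return "ERR too long"
    m = STORE_RE.match(line)
    if not m:
        return "ERR unsupported"
    store.append(m["order"], m["blob"])
    return "OK"


class Handler(socketserver.StreamRequestHandler):
    """One request per connection, bounded read, ASCII only."""

    def handle(self):
        raw = self.rfile.readline(4096)
        try:
            line = raw.decode("ascii")
        except UnicodeDecodeError:
            self.wfile.write(b"ERR encoding\n")
            return
        reply = handle_request(self.server.store, line)
        self.wfile.write((reply + "\n").encode("ascii"))


class OneWayServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, store):
        super().__init__(addr, Handler)
        self.store = store


def run_demo():
    """Feed a constructed request sequence through the handler and return the replies."""
    store = WriteOnlyStore()  # in-memory for the demo
    requests = [
        "STORE ORD-1001 Zm9vYmFy",      # well-formed: accepted
        "DUMP",                          # no such verb: refused
        "STORE ORD-1002 ../etc/passwd",  # record fails the grammar: refused
        "STORE X " + "A" * 2300,         # oversized line: refused before parsing
    ]
    replies = [handle_request(store, r) for r in requests]
    return replies, store.count


if __name__ == "__main__":
    print(run_demo())
    # Production use (placeholders): bind only on the private-network interface
    # and append to a file readable by nobody but the isolated host's operator.
    # OneWayServer(("10.0.0.2", 9000), WriteOnlyStore("/var/lib/ccpath/orders.log")).serve_forever()
```

The validation happens before any state is touched, the response vocabulary is two generic errors and "OK", and the store object simply has no method that returns data. Running this with an explicit bind address on the isolated network, rather than on all interfaces, is what keeps it the only reachable service there.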

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260