2.2 Administrative Countermeasures

As mentioned, not all countermeasures need to be technical. Because the real unknown in network security is usually the people rather than the technology, a security policy should protect information in several complementary ways. This section briefly discusses the types of administrative countermeasures that can be employed to add security to your network.

At the very highest level, the security policy itself can be considered an administrative control: its existence sets the expectations for technology, facilities, and behavior with regard to information security. At the implementation level, administrative controls include personnel controls, security awareness training, testing, supervision, and the other policies and procedures that govern administrative tasks.

Personnel controls are procedures that govern how employees interact with the network and that address noncompliance. The most common example of a personnel control is the acceptable use policy (AUP), which details the appropriate use of network resources and the consequences for violating it.

Personnel controls typically seek to reduce risk on the network by controlling the work environment. One way to do this is by enforcing the separation of duties for critical business functions. For example, many companies have a network administrator who performs every function on the network: maintaining network security, providing technical support for users, and configuring applications. It is seldom realized how precarious a position this puts the company in. Not only does the administrator have complete access to the network, but there is no outside check on the administrator; any action the administrator takes can be hidden or otherwise buried by that same administrator. I have been to networks where the network administrator was actually using spare bandwidth and company computer resources to run his own independent business on the side. This is clearly unacceptable.

Before you start suspecting your network administrator, let me emphasize that most network administrators are conscientious, hard-working individuals who are overworked and underappreciated. When things are going well, they are forgotten; and when things turn sour, they are the first to get the finger pointed at them. Now that I have covered myself with any network administrators who may be reading this book, let me continue by saying that, whenever possible, the information security policy should support the separation of duties with regard to critical company resources. One common division of duties is breaking down network administration into three major functional roles: a network security administrator, an operations administrator, and a user administrator.

The network security administrator enforces the network security policy, reviews all logs, and responds to all computer incidents. The operations administrator ensures that the servers and network devices are operating correctly and maintains application and operating system patches on the servers. Finally, the user administrator ensures that users have the rights on the network that they need to perform their required tasks, and no more.

Personnel controls may also address the issue of rotation of duties. Using the above example of separation of duties, periodically, the three network administrators who are fulfilling the role of security, operations, and user administrators should rotate assignments. This provides several tangible benefits in the area of information security. The first is that it encourages cross training. This allows greater availability of services should one of the other administrators quit, die, get sick, or go on vacation. The second tangible benefit is that it becomes much more difficult to conceal inappropriate actions when job responsibilities rotate. Let us assume that the person taking on the role of the security administrator considers engaging in some legally questionable behavior. His assumption is that because he has control over all of the security logs and reports, he can remove evidence of his behavior. This is much less likely to occur if the same administrator knows that in two weeks, another security administrator will take over his job for a period of time.

When rotation of duties has been implemented as an administrative countermeasure, the only way our suspect security administrator would be able to pull off his illegal scheme would be to get other network administrators rotating into the position to collude with him. That is, they must all agree to work together to perform any illegal or deceptive activity. The combination of separation of duties and rotation of duties works together to reduce, but not eliminate, the chance of this occurring.
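The three-role split and the rotation described above can also be enforced technically, so that the administrative control is backed by an authorization check rather than by convention alone. The following is an added example, not code from the book: it models the three administrator roles as statically mutually exclusive roles (no one person may hold two of them), refuses any assignment that would violate that constraint, and rotates the holders while re-checking the constraint before committing. The role names, permission names, and the administrators alice, bob, and carol are assumptions chosen to match the text.

```python
"""Static separation of duties for the three administrator roles, with a
rotation that preserves the constraint.  Added example; role names,
permission names and the constructed scenario are assumptions."""
from itertools import combinations

# Assumed breakdown of the permissions each functional role needs.
ROLE_PERMISSIONS = {
    "security_admin": {"read_logs", "review_alerts", "respond_incident"},
    "operations_admin": {"patch_servers", "configure_devices", "maintain_apps"},
    "user_admin": {"create_user", "grant_rights", "revoke_rights"},
}

# Every pair of the three roles is mutually exclusive: that is the
# separation of duties the section describes.
SOD_CONFLICTS = {frozenset(pair) for pair in combinations(ROLE_PERMISSIONS, 2)}


class SoDViolation(Exception):
    """Raised when an assignment would give one person two conflicting roles."""


class RoleAssignments:
    def __init__(self):
        self._roles_of = {}  # person -> set of role names

    def assign(self, person, role):
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        for held in self._roles_of.get(person, set()):
            if frozenset((held, role)) in SOD_CONFLICTS:
                raise SoDViolation(f"{person} holds {held}; cannot also hold {role}")
        self._roles_of.setdefault(person, set()).add(role)

    def permissions_of(self, person):
        perms = set()
        for role in self._roles_of.get(person, set()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def can(self, person, permission):
        return permission in self.permissions_of(person)

    def holder_of(self, role):
        for person, roles in self._roles_of.items():
            if role in roles:
                return person
        return None

    def rotate(self, roles):
        """Rotate one step: the holder of roles[i] takes over roles[i+1] and the
        holder of the last role takes the first.  The new layout is checked
        against the SoD constraint before it is committed."""
        holders = [self.holder_of(r) for r in roles]
        if None in holders:
            raise ValueError("every rotated role must currently have a holder")
        proposed = {p: set(rs) for p, rs in self._roles_of.items()}
        for i, role in enumerate(roles):
            proposed[holders[i]].discard(role)
        for i, role in enumerate(roles):
            proposed[holders[i - 1]].add(role)  # i == 0 wraps to the last holder
        for person, rs in proposed.items():
            for a, b in combinations(rs, 2):
                if frozenset((a, b)) in SOD_CONFLICTS:
                    raise SoDViolation(f"rotation would give {person} both {a} and {b}")
        self._roles_of = proposed
        return {r: self.holder_of(r) for r in roles}


def build_example():
    """Constructed scenario: three administrators, one role each."""
    ra = RoleAssignments()
    ra.assign("alice", "security_admin")
    ra.assign("bob", "operations_admin")
    ra.assign("carol", "user_admin")
    return ra


if __name__ == "__main__":
    ra = build_example()
    try:
        ra.assign("alice", "operations_admin")
    except SoDViolation as e:
        print("rejected:", e)
    print(ra.rotate(["security_admin", "operations_admin", "user_admin"]))
```

The point of the check inside `rotate` is that a rotation is itself a set of role changes and must be validated like any other; a rotation that briefly left one administrator holding both the security and operations roles would defeat the control it is meant to strengthen.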

Implementing a security policy can be an uphill battle if end users are not adequately trained in both how security applies to their job and why information security is necessary. When users are expected to interact with security controls, they should be trained not only in the proper execution of their tasks, but also in the reasoning behind them. Consider a simple example that is common on many networks: password policies. Instead of simply rolling out a policy that requires passwords to be ten characters long and contain non-alphabetic characters, and leaving it at that, users should be told why complex passwords matter and then shown how to create passwords that satisfy the policy and that they can still remember. Administrative controls should therefore include procedures for training network users.

While users themselves can present a threat to the security of network information, most of the time it is not because they are malicious. Users have their own bosses who expect them to get their work done, and they can be incredibly clever at circumventing security controls that interfere with their ability to do so. Administrative rules alone will not change this tendency, but they are a start. Administrative controls should also include ways to remind users how information security benefits them, show them those benefits, and reward them for keeping the network secure. I have found through years of teaching that a bit of sincere appreciation and recognition goes a long way toward motivating people.

Testing is covered in Chapter 12, "Network Penetration Testing." Until then, it will suffice to say that the entire information security policy should be tested from time to time. This is to ensure that the policy is still relevant and that it is providing the level of protection that the framers of the policy had intended.

Finally, administrative controls can also include the personnel hierarchy of the organization. This is an important element in enforcing accountability for the behavior of security policy users. The expectation should be that managers are directly responsible for the actions of their subordinates.

Together, administrative controls are a good illustration of why technology alone will not be enough to protect your network. We can authenticate users with passwords, but if users choose bad passwords or write them down, what have we really accomplished? We can encrypt the accounting files with strong cryptography, but if the user in accounting shares the unencrypted file with a buddy in marketing, then again our encryption has not failed; our information security policy has. Every technical solution offered in this book should be complemented by the appropriate administrative control.


Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Authors: Cliff Riggs