A Taxonomy of Loss
The widespread commercial use of the internet has led to an increasing focus on systems security. Media driven hype and a lack of independent information can make the true level of threat to an organization difficult to determine. Adopting a structured approach to the analysis of computer system security risks and allows an organization to more effectively balance their operational requirements against the potential for loss, whether that loss involves physical equipment, information or reputation.
This article discusses the components of a computer system, the types of attack to which they are exposed, some typical defence mechanisms and some weaknesses in the standard defences. The information and concepts shown can form a starting point for the development of suitable security and operational strategies to assist organizations to obtain the maximum value from their investments in computer systems.
Recent years have seen the explosive growth of the internet; the number of web hosts has grown from under 19 thousand in August 1995 to nearly 700 million in June 2012 [Netcraft]. Many organizations are joining this lemming-like rush to connect, fearing the prediction that ‘anyone not on the internet will be out of business in five years’ (even though we’ve been hearing this for about five years and it has yet to be true).
This flight to join the networked world leads to poorly planned decisions and predictable adverse consequences. These consequences include; lack of scalability, missing functionality and poor integration with office systems.
Weak, or non-existent security is another common problem; a poorly secured network is an invitation to attack. One high visibility attack is the defacement of web pages; in a two year period in the mid-2000's between 10 and 20 web sites per day were reported as defaced [Attrition], your turn may be next. Recent FBI data indicated that over 90% of surveyed organizations had detected some security breach with 74% reporting financial losses as a result [FBI].
Although this paper has a particular focus on internet security, the problems and concepts discussed apply equally to internal systems security.
Why all the classifications?
The groupings shown in this paper are not intended as a formal taxonomy; the groups are neither complete (some elements are missing) nor deterministic (it is not always clear to which grouping an element belongs).
These classifications are a starting point for an analysis of the risks to which a particular system is exposed. Psychological research indicates that formalised thinking approaches are less prone to error or omission than looser, heuristic methods. A structured approach, using these or some other set of classifications is likely to produce a more complete security profile of an organization, with a correspondingly improved support from all levels within the organization.
I am not suggesting that these groupings are the best or even adequate in all situations. I am saying that a formal approach to a security analysis will produce better results.
Elements of the Computing Environment
Just as a computer system is more than the computers themselves, so the risks to which a system is exposed are more than just physical.
Considering all the elements that contribute to the worth of a system helps reveal these different risks.
The value of a computer system rests in its utility to an organization. This value is represented by the capital cost of the equipment and software; the business information managed by the system and the outputs (reports, email, web pages) produced by the system.
Each system component has different associated security risks ranging from purely physical theft to the intangible cost of customer satisfaction and confidence.
The purely physical structures; processors, disk drives, memory, monitors etc.
The applications required to use the hardware; operating system, database, web server, email.
The information used by and stored on the computer system; documents, spreadsheets, databases etc.
The interconnection mechanism to allow information exchange and access to shared resources; wiring, network hubs and switches, routers, firewalls
The (usually) independent systems which carry the remote part of computer networks; PSTN, ISDN, frame relay, ATM
A computer system which is unused is of no value. Appropriate training, system reliability and availability all contribute to the overall useability of the system.
Any event which compromises the usability of a computer system reduces the value of that system and can be regarded as a direct cost to the organization.
The User Population
Each section of the user population places unique demands on a computer system and have different perspective on the value and cost of the system.
The distribution of users can reflect a range of security risks which must be addressed and a variety of sometimes conflicting interests which must be reconciled.
May rely on the computer system to perform their daily work. Generally only require access to those services that are appropriate to their work function.
Have specific business outcomes, such as sales targets or unit profits, to achieve.
Business units require different types of access and services from the computer system. For instance, only the finance group uses the general ledger system, the sales force requires remote or roaming access.
Have wider, strategic views of the business objectives. Without the active support of key senior managers, most computer systems initiatives fail to achieve their potential.
Responsible for providing access to sections of the computer systems to end users and for managing the performance of the system. Systems managers face a major challenge in balancing the needs of disparate users against the limited resources available.
The different specific computer systems (database, desktop, email, web, network) also present different security and value issues.
Customers, suppliers etc
Need to communicate with the organization through the web page, email, shared databases or information archives.
Any external connection to a computer system represents a major security risk; it can also represent significant added value.
The black hats. Seek to compromise computer systems; sometimes your own users are the attackers.
Types of Loss
A security breach doesn’t have to mean something stolen; any type of action that reduces the value of a computer system can be seen as a loss.
Considering different types of loss leads to a better understanding of the potential problems which a computer system can present for an organization.
Hardware can be stolen (laptop computers are a favourite), software pirated, data such as customer information copied (including credit card details), networks and communications systems misused by internal or external people for nefarious ends.
Software can be modified to subvert systems policies, data can be intercepted and corrupted during network transmission or forged to appear to come from a different source.
Attacking any of the sub-systems can compromise access to the computer system.
You may be held responsible for any misuse of your computer systems. This can range from access to inappropriate web content by staff to an attacker using your systems to attack a third party.
In addition to physical defences such as locked or isolated computer rooms, many organizations adopt sound basic security measures to protect their investments.
These basic strategies are not always sufficient.
Basic security processes
As a first step, all access to internal computer systems should require authentication by at least an account code and password.
Acceptable use policies
Written guidelines covering the use of internal and external computer systems including web browsing, email use.
A properly configured firewall can control the types of traffic allowed between the internal network, public interfaces (such as the organizations own web and email servers) and the internet.
On workstations and servers to prevent known virus programs from damaging files or spreading to other systems.
A recent, verified backup is essential is any recovery operation.
All of these elements can be characterised as fixed defences and suffer from the inadequacies of fixed defences throughout history. The Great Wall of China, the Maginot Line and the Berlin Wall were each seen as a total security solution; this proved to be overly optimistic.
Problems with fixed defence strategies
Using the historical analogy of a defensive wall we can draw comparisons with computer system defences.
Imperfections in the Defence
Walls cannot defend against all attacks; they can be undermined with tunnels, knocked down, scaled and avoided.
Virus protection software cannot protect against new viruses, firewalls cannot protect against internal attacks or attacks using allowed traffic types.
Maintaining a large defensive wall is very expensive; the supply chain requirements are enormous and there is a great temptation to regard the mere presence of the wall as sufficient defence. Attackers have the ability to choose their point and time of attack; defenders have to be ready for anything.
Computer systems evolve, new weaknesses are discovered and new applications are deployed. Maintaining strong security in the face of competing budgetary requirements and a dynamic business environment is difficult at best and perhaps impossible without the commitment of the organization’s senior management.
The Need for Commerce
Even the highest and strongest walls need gates. The requirements of trade and communications means that a wall is never as solid as you might wish.
Computer systems serve the needs of the organization. The power and potential of the connected world requires the free flow of some information between systems. It is difficult to determine legitimate traffic from some intrusion attempts.
Insider Assisted Attacks
A border is a political fiction; in practice the people of each side of the wall often have more in common with each other than with their respective rulers and actively work together to by-pass the interference of the troops supposed to be defending them against each other.
Various studies suggest that 60-80% of computer system security breaches involve someone from within the organization. External attacks are a real threat but ignoring the problems of internal security is a serious mistake.
Beyond the Wall
The fixed defence mechanisms and procedures described above are an essential starting point for any computer systems security implementation.
This section describes additional approaches which can enhance the overall security of a computer system. Each of these approaches warrants a more detailed explanation than can be given here.
Defence in depth
Most security systems rely on a perimeter defences such as firewalls to protect the core computing systems from external attack. If the attacker is an employee or can gain access to part of the internal network, they are largely free to launch additional attacks at leisure.
A layered approach to security, including internal systems layers, extends the protection of systems to within the organizational structure without substantially impeding normal systems use. This can seem overly paranoid, but a large proportion of security breaches are committed by or with the assistance of people within the target organization.
The dynamic nature of modern business, and in particular the computing environment, means that the comprehensive security policy of today may not longer be adequate tomorrow.
Regular reviews of the security status are essential to ensure that any additions or modifications to the computer systems are supported.
Changes in the business environment may shift the balance of risk and reward for some operations. A computer systems security policy must always be driven by the requirements of the organization rather than attempt to constrain the organization within the comfort zone of the systems staff.
Most server applications can generate log files of all the requests to which they respond. These log files can be examined for traffic patterns which may indicate either attempted or actual breaches of the security policy.
The log file monitoring processes are a form of intrusion detection system, although the analysis of log archives can only reveal an attack after it has occurred.
- Internet proxy server logs can show all the web sites which users are accessing. These can be checked for possible ‘inappropriate’ content in breach of acceptable use guidelines.
- Web server logs can show attempts to access known server vulnerabilities. These logs will also show those portions of your web site that are most in use (which pages are requested).
- Firewall logs can show attempted access to restricted ports. A pattern of such attempts may indicate a concerted effort to attack a computer system.
Publishing selected information from such log analyses can promote self-censorship amongst the user population; if they know someone is watching, they are less likely to misbehave.
There are significant privacy issues which you should consider before undertaking any traffic analysis. Even if you choose not to publish any results of a log analysis, you should ensure that all users are aware that such logs are collected.
Information is log files is not always accurate. A sophisticated attacker can conceal their actions behind a false address or identity. Server logs can reveal an attack but are not sufficient to completely identify the attacker.
Testing and Auditing
Keys features of the security system can be tested to ensure that security policies are being observed and that defence systems are functioning correctly.
- In many cases passwords can be checked for easily guessed values.
- Expired and unused accounts can be suspended or removed.
- Firewall systems can be checked for correct operation.
- Server operating systems and application software can be checked for required upgrades.
A program of regular audits can reveal potential security problems before the attackers have the opportunity to exploit them.
Intrusion Detection Systems
Intrusion detection systems (IDS’s) monitor traffic in real-time and generate alarms if they detect a pattern which indicates that an attack is occurring.
- Log File Monitors (LFM) examine log files generated by network services for patterns which indicate an attack. LFMs require detailed knowledge about the format of the log files being examined.
A live monitor may depend on specific features in the application being monitored.
- Network Intrusion Detection Systems (NIDS) monitor network traffic to detect attacks.
NIDS are usually installed on an internet firewall and can only monitor the traffic passing through that device. NIDS can be open to subversion by avoidance and concealment techniques and are subject to the integrity of the system on which they execute.
- System Integrity Verifiers (SIV) detect changes to system files which may indicate that a successful attacker has left a backdoor entry mechanism for later exploitation.
An effective SIV will monitor several different attributes of system files, including the file size and timestamp and multiple checksum values. These values are compared to a reference database which must be stored securely and updated whenever a legitimate change is made to the system.
- Deception Systems (decoys, lures, fly-traps, honeypots) present fake interfaces which emulate weaknesses in order to entrap attackers.
The value of a deception hosts to a normal organization is debatable. Although legal sanctions are available, there is little return for the time and effort required to prove the identity of any attacker.
IDS’s are highly complex systems requiring detailed configuration and maintenance. IDS’s can have problems with false positives and slow or stealth attacks.
The Value Proposition
Does a detailed security policy for their computer systems add to the worth of an organization?
Can you operate in a connected world without one?
Naturally, it depends on the organization involved. The value of investing in the initial development of a security policy and the on-going costs of implementation and maintenance are determined by the requirements of the particular business.
We can identify different attitudes:
Approaches to security
Small businesses often have no internal network and use only dial-up internet access. They tend to ignore security, relying on personal trust and physical isolation of sensitive data.
Medium sized businesses with substantial internal networks may a permanent internet service and take basic steps to secure their systems. They generally lack the staff to implement or maintain a sophisticated security infrastructure.
Large businesses rely on detailed policies and procedures. Many systems support functions are outsourced to suppliers (with the conflict of interest which this implies). Although large businesses may have the resources to implement good security infrastructure, the complexity and bureaucracy of these environments can restrict the flexibility and responsiveness required to protect
A proper computer systems security policy is part of the organizational infrastructure in the modern world and can be regarded as a type of insurance against the hostile denizens of the internet.
Active management support is essential for any computer systems security policy to be effective.
An appropriate management response to computer systems security concerns includes:
- Recognize the value to the organization of reliable information systems, both internally and externally;
- Create a security policy which is appropriate for your organization;
- Ensure that sufficient resources are available to implement the policy;
- Follow through on the implementation with regular review and update;
The Wrong Response
Don’t be like this:
The 7 Top Management Errors that Lead to Computer Security Vulnerabilities.
As determined by the 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore May 7-14, 1999 [SANS]
1. Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
2. Fail to understand the relationship of information security to the business problem – management understand physical security but do not see the consequences of poor information security.
3. Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed.
4. Rely primarily on a firewall.
5. Fail to realize how much their information and organizational reputations are worth.
6. Authorize reactive, short-term fixes so problems re-emerge rapidly.
7. Pretend the problem will go away if it is ignored.
A computer systems security policy must address the organizational value of systems, not just the financial value of the assets themselves.
Adopting a structured approach to security policies can assist in:
- Identifying all the area of potential exposure and the possible methods of addressing these;
- Identifying those groups within the organization with an interest in the operation of the computer system;
- Contributing to an environment which understands the organizational value of computer systems and the need to maintain security procedures.
No computer systems security policy, no matter how detailed and complete, can protect against all present and future threats. However, an appropriately detailed policy, supported by user training and regular review can substantially reduce the level of exposure.
"Defence in depth, and overkill paranoia, are your friends." - Bennett Todd, Mordor.net.
 Lemmings don’t actually throw themselves off cliffs. Populations of the Norway lemming (lemmus lemmus) occasionally migrate in search of food, easily crossing rivers and streams. Mass drownings can result from attempts to cross seas. This blind and sometimes self-destructive herd instinct is perhaps a more appropriate analogy for the internet age.
[Attrition] Web defacement statistics www.attrition.org (possibly no longer current)
[CERT] Computer Emergency Response Team www.cert.org
[FBI] CyberCrime congressional statement www.fbi.gov/pressrm/congress/congress00/cyber032800.htm
[FCA] Fred Cohen & Associates www.all.net
[Netcraft] Web host survey www.netcraft.com/survey
[Robert Graham] Intrusion Detection FAQ www.robertgraham.com/pubs
[SANS] SANS Institute Online www.sans.org/newlook/home.htm
[W3C] World Wide Web Consortium www.w3.org/Security/Faq