Feed on
Posts
Comments

Now and then I get engaged in discussion regarding if security should be driven by business or by risk. Meaning that either security issues should be risen when business wants a new function or changes in an existing function or security should only be risen as an effect of riskanalysis.

This is not a simple question that is easy to answer and as all other architects I give the same answer: It depends!

I have the opinion that security should not be a problem but a way to do business securely. For exampel: If a business function wants to use credit cards in their daily business my job is NOT to say nay at first but try to find why and how we can do it securely. Way to often I meet with CSO´s or CIO´s that has a nay per default and by that takes the business development to a halt directly.

By this I do not say that everything goes. I say that everything should be considered and if it can be justified it should be implemeneted if it is good for business.

More often then not the nay sayers tends to work more with a riskanalysis driven security approach then a business driven. But still: Security is only a property on any given process, piece of information, application or hardware. Security is not something in itself.

When looking at the requirements for PCI DSS it is quite obvious that you need a more or less hack proof setup. This is all good and well but during the latest years changes has been done in how a hacker works. Now it is not only the operating system that is attacked but the database engine also. Therefor you should read about exploits on the database engines also before making a selection. You could choose an insecure database but make very well sure that you have compensating controls in place. And remember, a firewall that allows traffic to the database is NOT a compensating control.

Today I hade the great opportunity to have a very long talk with one of Microsofts malware investigators regarding how they work and what kind of routines they have. Sadly I am not allowed to say anything about the details but what I can say is that they have a very, very deep knowledge of security threats, malware and trends in malware business. One interesting point is that many of their cases has their origin in blue screens of death on servers, clients etc. So if you ever have an unexplained BSOD it could very well be some malicious code running on your server. Just remember that Microsoft do NOT conduct legal investigations. If you have that need do contact a company that do this kind of work.

Keep up the great work, guys and girls!

You now have the value of every asset. Lets start with the hard stuff: Deciding what assets to protect first. Even if it sounds simple to just make a list from certain criterias the dependencies between resources have made this a lot harder. Virtualization will not make it easier.

WSSRA SA states that factors you could use are: Financial value of the asset, Cost to build the asset, Cost to protect the asset, Cost to support the asset, Cost to recover the asset and Value of the asset to competition. Even if I agree with this I would also like to state that there also are a other areas to concider: Internal Politics, Employees Competence, Enterprise Strategy and the possibility for a workflow to continue other “soft” measurement. Of this the Workflow is the most important to concider. The danger when only looking att the high cost areas is that you select only the parts of every workflow that is the most critical. For a short amount of time that could be enough but if there will be a prolonged outage the importance of smaller parts of the workflow will be more critical. So the deliverables of this process will not only be: Data Classification List, Tier Identification List, Asset Valuation List, Asset Prioritization List but also Important Dataflow List.

The process for determine the assests to protect is named Asset Assessment and Valuation. First thing is to identify the assets you have. In my last post I defined the criterias for identifing assets. Lets take a closer look on the assets and determine what parts of an asset that really needs to be protected. Take a firewall like Microsoft ISA for example. The assets could be devided into hardware, software and configuration. The value of the hardware is rather easy to determine. The software will actually not have any value if you have the media and the license in another place. The configuration is another matter. If you do not have a backup the value is athe cost for recreating the configuration. But you also have the cost of changing that and other assets configuration and passwords to make sure you do not have a security breach based on your configuration getting out in the wild.

Your other assets are you intellectual property like trade secrets, databases with customer information. The value of this is harder to measure. One way is to measure is to calculate the time it takes to recreate the information. In the case of trade secrets the value could be as much as the companys net worth. Just imagine the value of the recepie of a famous soda. Customer information that are stolen also have the worth of all the legal actions that will be the result of a breach. This could stretch to millions of euros.

In WSSRA the valuation is based of the following four parameters: Physical Value, Business Value, Indirect Value and Competitive Value. The description is quite a bit unclear on how to really value the loss of data. Lets make a try to value a database containing creditcard numbers using the following parameters:

Scenario: A database server is stolen when it is under transit from one datacenter to another. The database server has Windows 2003 R2 installed and SQL Server 2005 Enterprise Processor licenses. It containes one database with 2 000 records. Each is a unique customer for the company.

Physical Value:
Server 12 000 €
Software 0 € (licenses still in safe)
Support 20 h x 46 € = 920 € (to change passwords on databases and servers)
Replacement 20 h x 46 € = 920 € (to install and configure a new server)

Business value:
Information 10 000 € (the data shows some interesting information that is usable for competitors)

Indirect Value:
Lost of creditcard numbers (400 x 50 €) + (1 600 x 5 €) = 28 000 € (some credit cards has a higher cost in case of loss)
Fraud costs 200 x 500 € = 100 000 € (10% of the cards will be used for fraud that costs 500 €)
Lawsuits 1 200 x 5 000 € = 6 000 000 € (Personal information was included with the credit cards)
Fines 30 000 € (fines from credit card companies and goverment)

Competitive Value:
Creditcards 2 000 x 4 € = 8 000 € (blackmarket for verified and usable creditcards)

Total:
12 000 € + 920 € + 920 € + 10 000 € + 28 000 € + 100 000 € + 6 000 000 € + 30 000 € + 8 000 € = 6 441 840 €

Quite a cost, is it not?

IT-Architecture is all about having a common language to describe an IT-environment. WSSRA SA defines a few words that are commonly used throughout the document: Assets, People, Process.

Assets are divided into two groups: Data asset and Tier Asset.

Data assets are the information stored within your databases, your spreadsheets and your worddocuments. That is the data you are aware of. But you also have the data stored in printer buffers on large printers, backup tapes, test environments and probably also on several laptops throughout your company.

Tier assets are hosts (servers or clients) or devices (singel use appliance like a firewall och printer). You could spell it out as every gadget that either stores, transports or consumes data.

When looking at WSSRA it derivates the protection of data from the following letters: CIA, confidentiality, integrity and availability. To be able to understand this you should include the three phases data can exist in: storage, transport or consumption (used). On every piece of information or on every piece of hardware you should always ask yourself: Is the data stored, transported or used here? If any of the answers is yes you should apply either confidentiality, integrity or availability here in form of encryption, signing or clustering to give some easy examples.

People are the guys and gals working within your company. You have all the operators/administrators who possible will have access to all your information, management who probably also has all access, the common employee that has limited access, the customers that should have none or limited access, the service personel who should have no or limited access, the consultants that should have access depending on their task and everybody else that moves within the corridors. All of these should be adressed by a policy dictating what is allowed and what is not allowed. They should also be responsible to abide and keep updated of changes in policy.

Process is all the task that are pointed to keep everything secure: Asset Assesment and Valuation, Security Risk Identification, Security Risk Analysis and Security Risk Remediation and Development.

Asset Assesment and Valuation is about finding the data and gadgets to protect and setting a price on the information and gadgets in your company. Everything has a price. It could be the value of your company but it still has a price. Almost all data are recreatable. But it could take your staff to the longest 75% of the time it took to produce it the first time.

Security Risk Identification is the process to identify the risk currently in effect and keeping updated on new risks.

Security Risk Analysis is the process to analyse the risks and set a figure for them to actually happen, like once in five years or 20%.

Security Risk Remediation and Development is about handling the risk identified as a threat. Not doing anything is actually a way to handle a risk. Determine which risks to handle is a complete other issue that I will write about another day.

I frequently follow a blog at ITToolBox named “A day in the life of a security investigator”. His latest blog entry discussed the top ten errors that investigators often do. If you ever think of starting out in this business you should know these by heart. You could find them here: http://blogs.ittoolbox.com/security/investigator/archives/top-ten-investigative-booboos-14576

Last few weeks I have found quite a lot of companies hiring consultants with knowledge about WSSRA, Windows Server System Referency Architecture. Even if I like the concept of architecture it could be qute hard to grasp sometimes for an inexperienced person. During the following weeks I will write short notes about key concepts regarding WSSRA Security Architecture to put this in perspective of the real world. Read more about WSSRA on http://www.microsoft.com/wssra

Here is a nice link for PCI DSS information. It is quite useful as a startingpoint for your PCI DSS certification.
http://pcianswers.com/2007/02/17/pci-awareness-month

PCI DSS

Are you using credit cards at your website or in some other parts of your business? PCI DSS stands for Payment Card Industry Data Security Standard and is a rather technical approach how you should protect your information. The fees and fines if you loose the credit cards are really high.

How should you proceed with a PCI DSS certification? First you should contact an auditer to get a first audit of your business. This auditer should be your reference during the whole process. Next is to either read a lot about security from all aspects or bring in knowledgeble consultants in the area to help you understand PCI DSS in according to your business. The auditer should give you the category they think you belong to.

The things that has to be made in the first part are:
* Finding the data.
* Finding where it flows.
* Finding all the hiding places in logs, temp files etc.
* Deciding where data should recide if needed at all.
* Do risk assesments regarding this.
* Start solving all the problems.
* Make a new audit.

I will not lie to you. Becoming PCI DSS compliant could be very costly. But in the same time you get a higher security all together in your systems. I have worked quite a long time with this compliance and even if the data is more or less the same the interpretations of PCI DSS within every organization is different every time. One way to solve a problem is not always the same. It all depends on how you use the data and how you trust your employees.

« Newer Posts - Older Posts »