This chapter provides a thorough guide to many security issues. The authors encourage writing strong enforcement statements of acceptable use policies (AUPs) and provide examples of wordings and a best practices checklist. They cover how to limit authority and separate duties and how to pinpoint accountability. The chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg and Keith Strassberg; ISBN:0-072-22697-8, McGraw-Hill/Osborne, 2003.
In addition to log data, system activity and activity on the network can alert the knowledgeable administrator to potential problems. Just as systems and networks should be monitored so that repairs to critical systems and bottlenecks in performance can be investigated and resolved, knowledge of these same activities can mean that all is well, or that an attack is underway. Is that system unreachable due to a hard disk crash? Or the result of a denial of service attack? Why today is there a sudden surge in packets from a network that is too busy?
Some SIM tools seek also to provide a picture of network activity, and many management tools report on system activity. In addition, IDS systems, as described in Chapter 14, and protocol analyzers can provide access to the content of frames on the network.
No security toolkit is complete without its contingent of vulnerability scanners. These tools provide an audit of currently available systems against well-known configuration weaknesses, system vulnerabilities, and patch levels. They can be comprehensive, such as Retina Network Security Scanner; they can be operating system-specific, such as Microsoft's Security Baseline Analyzer or the Center for Internet Securities' scanners for Windows, Cisco, Solaris, and other systems; or they can be uniquely fixed on a single vulnerability or service such as eEye's Digital Securities Retina SQL Sapphire Worm tool. They may be incredibly automated, requiring a simple start command, or may require sophisticated knowledge or the completion of a long list of activities.
NASA Improves Security
Federal government offices have been notoriously lax in promoting and implementing sound security practices. The efforts of the National Aeronautics and Space Administration (NASA), however, prove how use of a simple, manual vulnerability scan can improve information security. The NASA CIO used known vulnerability lists and made a list of 50 of the most serious ones. The CIO deployed third-party products that tested NASA systems for these vulnerabilities in the summer of 1999. After scans, systems administrators were informed of any weaknesses in their systems and informed how to fix them. The goal? Fewer than one listed vulnerability per four computers scanned (or 0.25 vulnerabilities per scanned system). Initial scans did not meet this rate, but improvement was noted every quarter. The list was updated and scanning continued. By the end of the fiscal year 2001, the ratio was 0.097. NASA had exceeded its own goal.
The use of a vulnerability scanner can improve the security posture of a network. The interesting thing about this operation is that NASA concentrated on top vulnerabilities, rather than 'all' vulnerabilities. This made the project manageable, but also was a sound decision, because it's documentable that a small percentage of vulnerabilities is responsible for most successful intrusions.
Before using a vulnerability scanner, or commissioning such a scan, care should be taken to understand what the potential results will show. Even simple, single-vulnerability scanners may stop short of identifying vulnerabilities. They may, instead, simply indicate that the specific vulnerable service is running on a machine. More complex scans can produce reports that are hundreds of pages long. What do all the entries mean? Some of them may be false positives, some may require advanced technical knowledge to understand or mitigate, and still others may be vulnerabilities that you can do nothing about. For example, running a web server does make you more vulnerable to attack than if you don't run one, but if the web server is critical to the functioning of your organization, then it's a risk you agree to take.
While vulnerability scanning products vary, it's important to note that a basic vulnerability assessment and mitigation does not require fancy tools or expensive consultants. Free and low-cost tools are available, and many free sources of vulnerability lists exist. Operating system-specific lists are available on the Internet from operating system vendors.
The use of a freely downloadable "Self-Assessment Guide for Information Technology Systems" from the National Institute of Standards and Technologies is specified for all government offices. While some of the specifics of this guide may only be applicable to government offices, much of the advice is useful for any organization; and the document provides a questionnaire format that, like an auditor's worksheets, may assist even the information security neophyte in performing an assessment. Items in the questionnaire cover such issues as risk management, security controls, IT life cycle, system security plan, personnel security, physical and environmental protection, input and output controls, contingency planning, hardware and software maintenance, data integrity, documentation, security awareness training, incident response capability, identification and authentication, logical access controls, and audit trails.
The security management architecture of your network is important because it reinforces, controls, and makes whole the rest of your security framework. If security management is not properly controlled, it obviates all of the data and transaction controls placed elsewhere in the system. Security management controls span acceptable use enforcement, administrative security, accountability controls, logging, and audit -- a range of activities that has an impact on the entire network infrastructure.
Remember: this chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg and Keith Strassberg (McGraw-Hill/Osborne, ISBN 0-072-22697-8, 2003).