Welcome to Volume 2, Issue 2 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
The editorial calendar at this time includes:
Previously published Newsletters with columns by Marcus Ranum, Stephen Kent, Bill Hancock, and Lisa Phifer are posted here.
TISC is about sharing clue, and so is the newsletter. I promise you we will provide something useful each issue. If we don't, complain directly to me. I'd also like to hear and share your comments on the columns we push, and on topics you'd like to read about or see at TISC.
'Nuf said.
In this issue, we have two columns, and both rely on analogues. In the first column, Char Sample and Ian Poynter draw a physiological analogy between the human body and a networked or e-organization. In the second column, I draw an historical analogy between security policy making in the 18th and 21st millennia. I hope you enjoy both.
Be safe,
Dave
Security systems are becoming increasingly complex. Consequently, designing and engineering your security system is also becoming a more complex task. We have all heard various security gurus say that security is more than the "technology du jour," but few people have offered a consistent framework for defining and designing a security system, or any other system for that matter. This article will attempt to explain the role of a security system and how it relates to other systems. We will use the human body and the various systems that it contains as a metaphor for an organization's security system and how the security system fits in and works with the other systems in the organization.
When we think of a human we do not think of all of the systems that make up the body, but rather we think of the individual who is more than a collection of the various systems. Similarly, when we think of an organization we do not think of its security infrastructure or assets, rather we think of its mission or primary business function. For example, when we think of banks we think of financial services and not their security systems. The security systems (both physical and logical) exist to support the entire organization and its security needs.
The complex system of the human body comprises many subsystems that rely on each other. When all of these subsystems are combined, the resulting whole has more value than the sum of its parts. For example, the whole personality and consciousness are more than just the central nervous system. They result from the central nervous system interacting with other systems and the external environment. Likewise, any system developed in an organization will reflect the need to interface its internal systems with the internal corporate environment and the external environment. This is especially true of a security system. An open internal corporate environment is more likely to result in an open security system. A more controlled environment leads to a more closed security system.
An extremely closed and controlled environment may give the appearance of a controlled security system. In reality this environment is subject to the same problems as the open environment if the security system was developed according to "best practices" and "leading practices," rather than in the context of the environment in which the system resides.
If a security system could be compared to the human body, that system might be analogous to the circulatory system, with the firewall representing the heart. The circulatory system is clearly an important function in the body. If it does not work, then neither does the body. However, other systems can also cause the circulatory system to fail. The same can be said of the security system. If the security system does not work, then the organization fails (assets are stolen, secrets are lost); however, other systems can cause the security system to fail. If the circulatory system "feeds" the other systems with nutrient-rich, oxygenated blood through the arteries, then a failure of an artery would result in a loss of blood. If the security system carries clean data from one host to another, a failure in the "artery" of the security system would result in a loss of the integrity of the data.
What if another system stopped working? How would this affect the circulatory system? Take for example the respiratory system. It takes in fresh oxygen from the environment. The oxygen is absorbed into the bloodstream and distributed through the circulatory system. In an organization, business data corresponds to the oxygen. Clearly business data is the lifeline of the organization. The organization's eCommerce servers and customer support systems act as the respiratory system here. Sensitive data is handled differently from less valuable data. Just as the circulatory system uses veins to carry away "used" (de-oxygenated) blood, the security system must also address "used" (devalued or redundant) data. A mechanism is required to dispose of the data, or else the data "pools" on the server and eventually drags down the server (or slows down the system).
In the human body, the immune system acts to ward off intrusions. Overactive immune systems result in allergies or auto-immune diseases, where the body's systems actually overwhelm or even destroy themselves. In the organization, the incident response and audit systems act as the immune system. As these security systems grow to deal with more intruders, they too can overwhelm their administrators, resulting in information overload. This can be as minor as hay fever for the administrators, but in extreme cases, it becomes a full-blown illness.
The musculo-skeletal system in the human body consists of bones, cartilage, muscles, tendons and ligaments. The muscles receive signals from the central nervous system, which provides movement instructions. Should the muscles lock or atrophy, the bones that are moved by the muscles are useless. Should a clot form, the muscle does not receive oxygenated blood and dies. The key servers in a business act as the muscles for the organization. Database, mail and other servers all act like the musculo-skeletal system. If a clot arises (think denial of service), these servers are rendered useless. The primary function of these servers is to serve information, not to provide security. The security system supports these servers, much like the circulatory system supports the musculo-skeletal system.
The excretory system in the human body removes waste. Should this system fail, all other systems will shut down due to waste buildup. Renal failure causes the circulatory system to fail, which leads to a failure of the respiratory system and eventually even death. The organizational parallel to the excretory system is the organization's management. When the management fails to remove waste from the other systems, those systems become bogged down and must work harder to accomplish the same tasks. Waste in this case can include old or irrelevant data, or even poorly defined policies, processes and procedures. The systems are burdened with additional or excessive input that they were not designed to handle, and ultimately they fail. This sort of scenario is most commonly observed in cases where one group must use the security system while another group works around the system.
All of the systems in the human body work together to create a whole entity that is more than the sum of the systems themselves. Similarly, an organization is more than the sum of its various systems. When we acknowledge this fact, it leads to the realization that any system developed for an organization must recognize that the organization is the whole system. We must realize that any security system is simply a subsystem within the organization. It is a part of the whole and not the be-all and end-all.
No individual system can function independently; rather, it must survive in the confines of the human body (environment) and in conjunction with other systems. This is due in part to the fact that each system uses other systems' outputs as its inputs. There is an interconnectedness between the various systems that makes separating any of them a futile task. Observing a system outside the context of its environment provides some information, but the value of that information is questionable at best. This is true of any system. A closed security system in an open environment, while it may comply with all of the rules of good security, may in fact be just a collection of expensive equipment. If the security system is not used to support the environment and users continually work around it, or have their own alternate systems, then the "wonderful" closed system is useless. An example of this might be the proliferation of modems on a corporate network. Users cannot be fully blamed for their actions when they work around a system that was not designed with the organization's mission in mind.
Much as we like to bemoan the involvement of those less understanding of security issues, we must not only involve them but also accommodate their primary objectives. This can be done through a systems engineering approach to security. This approach not only recognizes the system's environment, but also provides a framework for designing systems. Since security systems are interconnected elements, not a single technology or group of technologies, they are good candidates for the systems engineering approach to their design.
Using certain aspects of the systems engineering approach, such as quantification techniques, we can weigh and rank sub-optimal behaviors and mitigate the problems associated with them. Ranking this behavior quantitatively allows for a more objective review, setting aside the problems that arise from subjectivity.
We call this a holistic approach or "security from the inside out." Using systems engineering techniques, we can develop a security system that is more in tune with the real needs of both the organization and its users. We'll be covering our ideas and how to leverage them in more detail at our workshop, "Security From the Inside Out: System Engineering For Security Systems," at TISC 2000 in San Jose. We hope to see you there.
If Peter I the Great (1672-1725) were to be reincarnated today as a modern day security administrator, the Russian czar would no doubt drag his user community "kicking and screaming" into the new millennium in much the same ruthless manner as he did his reluctant and backward Mother Russia towards the end of the 17th century.
In some respects, the timing couldn't be better.
Czar Peter wouldn't need more than a glance at the sad state of enterprise security to conclude the time is come again for the cold, unforgiving touch of absolutism if security is ever to be taken seriously. Perhaps we need some serious consequences for our appropriate use policies and a healthy dose of fear of reprisal from an apathetic and persistently non-compliant user community, and who better than one of the most fearsome and autocratic rulers of the last millennium to guide us into the new?
Let's imagine how enterprise security might be implemented, Peter's way.
Strong authentication
Appreciating almost intuitively the important role authentication plays in modern security, Peter I would find it remarkable (deplorable, actually) that such primitive methods as secret passwords continue to play any role whatever in authentication: he would ban these immediately. Biometrics would clearly appeal to Peter I, although he might choose unconventional ways to revoke biometric credentials when an employee is terminated: the body part is the root of the biometric, ergo it belongs to the enterprise. And biometrics would be everywhere: at desktops, on laptops, at entrances to corporate facilities, offices, cafeterias, restrooms and parking lots. Even vending machines. Peter would want to know everywhere you go, and when. For the good of the enterprise.
Peter I would quickly grok--yeah, Peter'd grok long before he'd click the START button--how biometrics, complemented with the right PKI and smart card technology, could provide a powerful national, corporate identity. A tiny chip that stores every behavior, feature, idiosyncrasy, no matter how irrelevant: how cool is that?
Key escrow? Under Peter's control, of course: surely the divine right of kings and czars is enough to lay claim to the root of authority?
Managing content
Kings and czars are accustomed to and quite comfortable with proactive content monitoring, a thinly veiled euphemism for what Peter I would call surveillance. Having learned the importance and difficulty of keeping close watch on the streltsy, his sister Sophia, his forsaken wife Eudoxia, even his son, Alexis, Peter I would delight at how a strategically deployed content monitoring application can gather more intelligence, more effectively, than an army of secret police (better to save these precious resources for interrogations, anyway). He'd approve security policies asserting unconditional rights to use all information gathered for the good of the enterprise. No act or indiscretion would go unrecorded, and since storage is cheap, everything would be warehoused for now and future information mining. Employee privacy rights? Nyet, comrade. You want rights? We have this pogrom program: the policy, my dear Dmitri, is my way or the highway.
Once monitors are in place, how better to apply content filtering applications than to limit the web sites employees may visit and to censor what employees read? And it's much more discreet than burning books and razing monasteries! Well, most employees can read, and while Peter was all in favor of reading, there's strong evidence from his "superficial" enforcement of Europeanization that he would favor such controls.
Protecting assets
Any monarch turned administrator who spies extensively also worries about maintaining and safeguarding sensitive information. Can't forget lessons learned dealing with those annoying streltsy and those 17th century bleeding-heart liberals, Astrakhan and Bulavin! Extensive use of network and host vulnerability scanners is a wonderful modern-day replacement for the security sweeps the secret police routinely conducted during Peter's reign. Audits are also important. Our own 20th century data show us that insiders, left to their own devices, cause a great deal of the mischief and loss of networked information. Learning this, Peter I might remark, "employees are no better than the serfs and urbanites who provoked revolts in 1705-1708, now are they?" Peter I would argue vehemently that firewalls are useful still, especially if deployed obsessively, at every conceivable enforcement point, and complemented by probes and intrusion monitors that call attention to even the slightest anomaly. One never knows when a branch of the army or the engineering department might change allegiances.
Benevolent, or malevolent?
History reveals that despite his Draconian practices, Peter exhibited certain almost benevolent behaviors. Once he had imposed his iron hand over Russia, he implemented state-supervised education, reformed government, raised industry, and introduced Western technology. The latter is especially true if we count flintlocks, mortars, and multi-cannon warships as technology of the times.
During my research, I found an interesting eulogy of Peter I: "As a ruler, Peter often used the methods of a despotic landlord--the whip and arbitrary rule. He always acted as an autocrat, convinced of the wonder-working power of compulsion by the state. Yet with his insatiable capacity for work he saw himself as the state's servant, and whenever he put himself in a subordinate position he would perform his duties with the same conscientiousness that he demanded of others."
Was all Peter asked of his people that they do their diligence to the state that provided for them? If so, is this so much to ask of a user community? Are any of the Draconian practices Peter would undoubtedly impose beyond reason for an enterprise security administrator to employ?
OK, that biometrics revocation notion is over the top.
A more introspective question anyone tasked with administering network security should ask is "How many of these lie in our future, whether or not we find them Draconian or Machiavellian?" As you arm your company with the latest arsenal of identification-confirming, eavesdropping, watching and safeguarding applications in the name of improving security, ask yourself whether you have invested a commensurate amount of time, technology and money in policy and oversight.