Friday, September 7, 2007

Applying real-life principles to technology

It's amazing how little we in technology learn from our counterparts in the physical world. Take banks, for example. A physical bank is built to withstand a significant attack; even a hundred years ago, banks were built with vaults, gates, and other protective mechanisms. So ask yourself why we don't apply the same principle to securing our 'digital' assets... our data stores. Below I lay out, for everyone's benefit, the points the digital world can take from the physical one. I'd dive into why we don't take the cue from the physical security folks, but that turns into a bit of a philosophical rant (which, I admit, I will indulge in at least a little).

So let's look at a bank from a would-be robber's point of view. Pick a bank, any bank really, and you'll notice that, working from the outside in, you encounter the following things:
  1. proper site planning to keep the getaway (escape route) as complex and difficult as possible
  2. well fortified structure of the building
  3. surveillance cameras
  4. armed guards at the entry
  5. properly separated internal chamber of the building (separated entryway from bank main lobby)
  6. properly separated and secured teller stations (where the cash, at least some of it, is)
  7. properly separated back office
  8. silent alarm triggers strategically placed where the tellers can reach them without being spotted
  9. outer vault door locked by a key held by bank manager or designee
  10. highly fortified, hardened outer vault door
  11. separated inner vault (with all the trimmings such as hardened steel, etc)
  12. nondescript inner-vault chamber compartments
  13. tagged (booby trapped) loot in case it's stolen to help track it and identify the thieves
Now, I'm no banking security expert; these thirteen (13) things are just what I have observed with the naked eye when in a bank, plus what I saw on a tour I was privileged to get. That's a lot of theft deterrent! Are we applying the same principles to securing our digital assets? I can say with a high degree of confidence that the vast majority of corporations out there don't protect their digital assets nearly as well. There may be reasons, such as your data not being worth as much, or simply not knowing where the digital assets that need protecting are, but that's absolutely no reason to weasel out of it.
Below I take the thirteen (13) observed physical security measures of a bank and parallel each with a digital or 'cyber' security control. The numbers match the list above, so pay attention.

  1. system design that denies an easy exit with stolen data
    • servers should not be allowed to initiate connections to the Internet; if a cracker breaks into your server, gets a shell, and wants to ftp the stolen data somewhere off the system, your network firewall's egress rules had better block that! Default-deny outbound from server segments and allow only the specific destinations a server actually needs (a patch repository, a logging host, an outbound proxy)
  2. hard outer perimeter
    • firewall rules limiting the exposure of internal servers, networks, and users: properly configured access lists or firewall rules that expose only the services absolutely necessary to the outside world
  3. digital surveillance at the perimeter
    • at least an IPS to flag anomalous traffic patterns, or at the very least signature-based filtering and alerting (with blocking)... some way to notify the security operations team that something is wrong
  4. enforcement points at your outer points
    • IPS at your perimeter, NAC controls to keep just anyone from plugging in and rummaging around... these are the very basics
  5. separation of services (a la DMZ, or zones)
    • (see #7)
  6. separation of services (see above)
    • (see #7)
  7. separation of services (see a pattern here?)
    • DMZs, security zones, or whatever you'd like to call them: compartmentalize, segregate, and filter access between the different segments of your network. Servers accessible to users should sit on a different segment from the out-of-band management network administrators use for privileged access, which in turn should be kept separate from the router and switch management networks... segregate, segregate, segregate
  8. internal processes to notify security of a potential issue before it becomes a breach
    • workflows, ticketing systems, a "response team" phone number... anything that gives users who see suspicious activity on your network a simple way of contacting your security operations team
  9. separation of privileges on digital systems (a least-privilege model, with the master key kept secret)
    • separate data administrators from data users: the database administrator has no business reading the user_full_info table in its entirety, only administering rights to that database and its tables; strip away every privilege not explicitly required for the job function! (In most databases the DBA role can technically still read the data, so log and review DBA access to sensitive tables as a compensating control.)
  10. separated server networks
    • separated (logically at least, physically and logically at best) subnets for servers, away from the subnets general users sit on; these should of course be firewalled, with an IDS/IPS at the gateway into and out of them
  11. separated server farms acting as data containers
    • dedicated, well-guarded segments for databases, file servers, and other sensitive systems, kept out of reach of the general public by firewall rules and anomaly-detection devices such as an IPS
  12. non-identifiably labeled asset tags
    • server labels that look more like USSRVWIN0001A and less like FINANCE_FILESERVER, to keep potential thieves guessing while your detection mechanisms do their work (this buys time; it is not a control on its own, so don't rely on it)
  13. false data to trigger alerts if/when used outside the organization
    • fraud teams and credit bureaus seed 'fake identities' that look perfectly real and are indistinguishable from the others in the system, and that trigger a fraud alert when used... brilliant! The same honeytoken idea works for any data store: plant a record no legitimate process ever touches, and any access to or use of it is an alarm
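Items 1, 2, 5 through 7, 10 and 11 above all come down to the same thing: name your zones, write down the few flows you actually need, and deny everything else in both directions. The following is an added example, not code from the original post, of a small zone-based policy evaluator in Python. The zone names, the 10.x.0.0 address ranges and the allowed flows are assumptions chosen for illustration; a real deployment would carry the same rules in its firewall configuration rather than in a script.

```python
import ipaddress
from typing import List, Optional, Tuple

# Zones are an assumption for this example (RFC 1918 ranges chosen for
# illustration, not a real network). Anything not listed is "internet".
ZONES = {
    "dmz":    ["10.1.0.0/24"],   # user-facing servers (items 5, 6, 10)
    "data":   ["10.2.0.0/24"],   # databases and file servers (item 11)
    "users":  ["10.3.0.0/16"],   # general workstations
    "admins": ["10.8.0.0/24"],   # administrator workstations
    "mgmt":   ["10.9.0.0/24"],   # out-of-band management network (item 7)
}

# Explicit allow list: (src zone, dst zone, proto, port); port None = any.
# Everything not listed here is denied (hard perimeter, item 2).
# Note there is deliberately no rule from dmz, data or mgmt to internet:
# servers may not initiate outbound connections (item 1), so an attacker's
# attempt to ftp stolen data off a compromised server is dropped.
ALLOW: List[Tuple[str, str, str, Optional[int]]] = [
    ("internet", "dmz",      "tcp", 443),   # public HTTPS only
    ("users",    "dmz",      "tcp", 443),   # staff use the same front door
    ("dmz",      "data",     "tcp", 1433),  # app tier to database tier
    ("admins",   "mgmt",     "tcp", 22),    # OOB management over SSH
    ("users",    "internet", "tcp", 443),   # assumed to go through a proxy
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are the Internet."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for a connection attempt."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for a_src, a_dst, a_proto, a_port in ALLOW:
        if (a_src, a_dst, a_proto) == (s, d, proto) and a_port in (None, port):
            return "allow", f"{s}->{d} {proto}/{port} matched allow rule"
    return "deny", f"{s}->{d} {proto}/{port} no matching rule (default deny)"


def audit(flows) -> List[Tuple[str, str]]:
    """Evaluate a batch of (src, dst, proto, port) flows, e.g. from a
    connection log, and return the decision for each one."""
    return [evaluate(*f) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows, including the robber's getaway attempt.
    SAMPLE_FLOWS = [
        ("10.1.0.5", "203.0.113.9", "tcp", 21),      # web server ftp-ing out
        ("198.51.100.7", "10.1.0.5", "tcp", 443),    # public user to web tier
        ("198.51.100.7", "10.2.0.10", "tcp", 1433),  # Internet straight to DB
        ("10.1.0.5", "10.2.0.10", "tcp", 1433),      # web tier to DB tier
        ("10.3.0.20", "10.9.0.1", "tcp", 22),        # user poking at mgmt
        ("10.8.0.3", "10.9.0.1", "tcp", 22),         # admin to mgmt
    ]
    for flow, (action, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{action:5s} {flow} {reason}")
```

The point of writing the policy this way is that a compromised server in the dmz zone has nowhere to send what it steals: there is no allow entry for dmz to internet, and no "deny" entry was needed to achieve that, because default deny does the work. Feeding real connection logs through `audit` is a quick way to find flows your firewall permits that this model says it should not.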
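Item 13 is the one control on the list that is almost free to build, so here is an added example of it (not code from the original post): a planted canary identity and a detector that scans log lines for any use of its values. The canary record, the log format (`key=value` fields) and the sample log lines are all constructed for this example; the SSN is a well-known never-issued number and the card number is a standard test PAN, so neither belongs to a real person.

```python
import re
from typing import Dict, List

# Constructed canary identity. Nothing legitimate ever queries or submits
# these values, so any appearance of them in a log is an alarm (item 13).
CANARY: Dict[str, str] = {
    "name":  "Margaret L. Pennywhistle",
    "ssn":   "078-05-1120",          # never-issued SSN, used for illustration
    "email": "m.pennywhistle@example.org",
    "card":  "4111 1111 1111 1111",  # standard test card number
}


def compact(text: str) -> str:
    """Lowercase and drop all non-alphanumerics, so '078-05-1120',
    '078051120' and '078 05 1120' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def words(text: str) -> set:
    """Set of lowercase alphanumeric words, for order-insensitive name matching."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


# Precompute normalized forms once; names match on their significant words
# so 'PENNYWHISTLE, MARGARET L' still trips the wire.
_COMPACT_TOKENS = {k: compact(v) for k, v in CANARY.items() if k != "name"}
_NAME_WORDS = {w for w in words(CANARY["name"]) if len(w) >= 3}


def canary_hits(line: str) -> List[str]:
    """Return the canary fields whose values appear in this log line."""
    hits = []
    line_compact, line_words = compact(line), words(line)
    for field in CANARY:
        if field == "name":
            if _NAME_WORDS <= line_words:
                hits.append(field)
        elif _COMPACT_TOKENS[field] in line_compact:
            hits.append(field)
    return hits


def scan(lines: List[str]) -> List[Dict]:
    """Scan log lines and return one alert per line that touches the canary,
    with the source address pulled from the line's src= field if present."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        hits = canary_hits(line)
        if hits:
            m = re.search(r"\bsrc=(\S+)", line)
            alerts.append({"line": n, "src": m.group(1) if m else None, "fields": hits})
    return alerts


# Constructed sample log: a database query log and an inbound application
# feed, with one benign line in between.
SAMPLE_LOG = [
    "2007-09-07T10:02:11Z src=10.3.0.20 event=db_query "
    "sql=\"SELECT * FROM user_full_info WHERE ssn='078051120'\"",
    "2007-09-07T10:06:01Z src=10.3.0.21 event=db_query "
    "sql=\"SELECT name FROM user_full_info WHERE id=42\"",
    "2007-09-07T10:05:40Z src=198.51.100.7 event=credit_app "
    "applicant=\"PENNYWHISTLE, MARGARET L\" email=M.Pennywhistle@Example.org",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"CANARY TRIPPED line {alert['line']} from {alert['src']}: {alert['fields']}")
```

Two practical notes: the canary has to be indistinguishable from its neighbours in the table (same formats, plausible dates, a realistic account history), or an insider who knows to look for it will simply skip it; and the detector should watch every place the data could surface, not just the database log, since the bureau example above catches the theft when the stolen identity is used, not when it is copied.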
Now, the sad fact here is that as security professionals we haven't really learned much from the physical world (or haven't applied it, if you prefer). Why? There is a myriad of excuses, including poor budgets, poor management, and the inability to execute or effect change, but whatever your excuse, it's exactly that: an excuse. We as IT pros should learn from how protected storage is done in 'real life'. If you don't like my bank vault example, use an old medieval castle; same concepts! The same principles have been applied to physical security for hundreds of years. Let's hope it doesn't take us that long to figure it out in the IT world...

Good luck.
