Technical Controls
Malicious Software (malware)
Broadly, malware is any unauthorised running code that benefits its originator. Types and delivery methods of malware include:
- virus (self-replicates on the target but cannot self-propagate)
- worm (self-replicates on the target and can self-propagate)
- rootkit (hijacks the OS in a transparent manner)
- backdoor (circumvents access controls)
- trojan (disguised content)
while their actions/payloads include:
- spyware (harvests information)
- adware (delivers unsolicited content)
- ransomware (hijacks access controls)
- scareware (offers deceptive advice)
- enrollment into botnets
Routes of infection
- infected media: any media that has been out of supervision should be considered suspect; this includes CDs, DVDs, emails, websites, etc.
- access points: wireless, Bluetooth, infrared ports, ...
- active content and compromised network nodes
Methods of Technical Control
Aside from the typical controls, there are additional best practices to reduce risk (through some combination of reduction in impact, vulnerability, or likelihood):
- maintaining recovery capability: typically secure off-site backups following the grandfather-father-son (GFS) model, in which at least three generations of data are preserved; backup integrity must be assured
- anti-virus software
- regular patching/updates
- ‘hardening’ systems by removing unnecessary features and applying secure (non-default) configurations
- cryptography, if appropriate and acceptable
- ensuring communicating parties employ equivalent protections (this can be stipulated in contractual obligations)
- maintaining sheep-dip machines for assessing untrusted sources
- profiling and access control monitoring
- network traffic control (e.g. firewalls) and content scanning
- intrusion detection systems (IDS), intrusion prevention systems (IPS), and automated responses to indicators of compromise (IoCs)
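A compact model of the GFS rotation and integrity check from the first item above, added here as an example and not taken from the original notes; the retention counts (7 sons, 4 fathers, 12 grandfathers), the dates and the payload bytes are constructed, and each daily run is assigned to exactly one generation.

```python
"""Added example (not from the original notes): a grandfather-father-son (GFS)
retention plan with a backup integrity check. The retention counts, dates and
payload bytes are constructed for illustration."""
import hashlib
from datetime import date, timedelta

# Constructed policy: 7 daily sons, 4 weekly fathers, 12 monthly grandfathers,
# so at least three generations are preserved as the GFS model requires.
RETAIN = {"son": 7, "father": 4, "grandfather": 12}
LATEST = date(2024, 3, 31)   # constructed date of the most recent daily run

def classify(day):
    """Assign the backup taken on `day` to a GFS generation; the monthly
    (grandfather) backup takes precedence over the weekly (father) one."""
    if day.day == 1:
        return "grandfather"      # first backup of the month
    if day.weekday() == 6:
        return "father"           # Sunday backup closes the week
    return "son"                  # ordinary daily backup

def gfs_plan(latest, days_back):
    """Return the dates still retained under RETAIN (newest first per
    generation) for a daily schedule ending on `latest`; each run is one generation."""
    kept = {gen: [] for gen in RETAIN}
    for offset in range(days_back):
        day = latest - timedelta(days=offset)
        gen = classify(day)
        if len(kept[gen]) < RETAIN[gen]:
            kept[gen].append(day)
    return kept

def record_digest(blob):
    """Digest recorded at backup time and stored apart from the backup itself."""
    return hashlib.sha256(blob).hexdigest()

def verify_backup(blob, expected_sha256):
    """Integrity check: a copy whose digest no longer matches the recorded
    value is not recovery capability, whichever generation it belongs to."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256

def recovery_ready(kept, verified):
    """True only when every generation holds at least one backup and every
    retained copy passed its integrity check (`verified` maps date -> bool)."""
    return all(kept[g] for g in RETAIN) and all(
        verified.get(d, False) for dates in kept.values() for d in dates)
```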
Cryptography
Cryptography refers to a set of related techniques for protecting information assets both in transit and at rest. The four main uses of cryptography are:
- Secrecy
- Integrity
- Verification
- Non-repudiation
Cover time
Application of cryptography for secrecy should account for the ‘cover time’ of the asset. Cover time is the minimum time for which the information must remain secret: if an attacker could recover the information in less time than the cover time, a stronger encryption scheme is necessary. The inverse may also be true, in which case the scheme is stronger than the cover time requires and its compute cost is inefficient.
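The cover-time comparison worked through in code, added here as an example rather than taken from the notes; the guesses-per-second rate, the 10-year cover time and the capability-doubling assumption are constructed placeholders, and `security_bits` means effective strength rather than nominal key length.

```python
"""Added example (not from the original notes): checking an encryption
scheme's effective strength against an asset's cover time. The attacker rate
and growth figures are constructed placeholders, not measurements."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def expected_recovery_seconds(security_bits, guesses_per_second):
    """Expected exhaustive-search time: on average half the key space is tried
    before the key is found. `security_bits` is the effective strength (key
    length minus any known cryptanalytic shortcut), not the nominal size."""
    return 2 ** (security_bits - 1) / guesses_per_second

def assess(security_bits, cover_time_seconds, guesses_per_second):
    """Return (adequate, margin). adequate is False when the attacker can
    recover the information inside the cover time; margin is expected recovery
    time over cover time, and a huge margin is the 'inverse' case where the
    scheme costs more compute than the asset's secrecy needs."""
    margin = expected_recovery_seconds(security_bits, guesses_per_second) / cover_time_seconds
    return margin >= 1.0, margin

def min_security_bits(cover_time_seconds, guesses_per_second,
                      capability_doubling_years=0.0):
    """Smallest effective strength whose expected recovery time is at least
    the cover time. If the attacker's rate is assumed to double every
    `capability_doubling_years`, each doubling within the cover time adds one
    bit to the requirement (constructed growth model)."""
    bits = math.log2(cover_time_seconds * guesses_per_second) + 1
    if capability_doubling_years > 0:
        bits += cover_time_seconds / (capability_doubling_years * SECONDS_PER_YEAR)
    return math.ceil(bits)

if __name__ == "__main__":
    # Constructed scenario: 10-year cover time against 10^12 guesses per second.
    ten_years = 10 * SECONDS_PER_YEAR
    for bits in (56, 80, 128):
        ok, margin = assess(bits, ten_years, 1e12)
        print(f"{bits}-bit: {'adequate' if ok else 'TOO WEAK'} (margin {margin:.3g}x)")
    print("minimum:", min_security_bits(ten_years, 1e12), "bits;",
          "with the rate doubling every 2 years:",
          min_security_bits(ten_years, 1e12, 2.0), "bits")
```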
Policies for cryptographic use
Policies relating to cryptography will largely be based upon the risk assessment (RA) and closely related to the information classification scheme. These policies should consider:
- storage
- transmission
- cover time
- performance costs of encryption
- risks presented by loss of integrity/confidentiality
- legislation on cryptography in relevant jurisdictions
- key rotation and reuse
Intrusion monitoring and detection
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are collectively known as ‘protective monitoring’ or ProtMon. IDS is further divided into network-based (NIDS) and host-based (HIDS). This function is often provided by a security operations centre (SOC).
ProtMon systems use automated tools to analyze log data, system and network activity, configurations, and system operations, either to identify known patterns of behaviour (signatures) or to conduct statistical analysis that surfaces unusual activity. Either kind of finding constitutes an ‘indicator of compromise’ (IoC) requiring further investigation. ProtMon systems may also act automatically on IoCs, which is a particular issue in IPS because an untrained (untuned) system generates false positives and therefore unwarranted responses.
Analysis is often performed by security information and event management (SIEM) systems, whose primary functions are:
- data collection and aggregation
- data correlation
- reporting/alerting
- data retention
- compliance analysis
- tuning and development
- assurance of continuous secure operation
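Signature matching and statistical analysis over log data, as the paragraphs above describe, shown as an added example (not from the original notes) over a constructed syslog-style sample; the hosts, users, addresses, signature rule, z-score threshold and response policy are all made up for illustration.

```python
"""Added example (not from the original notes): the two ProtMon techniques the
section names, signature matching and statistical analysis, over a constructed
syslog-style sample. Hosts, users, addresses, rule and thresholds are made up."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: five quiet hosts and one (host-f) with a failure burst.
SAMPLE_LOG = [
    "host-a sshd: Failed password for admin from 10.0.0.5",
    "host-a sshd: Accepted password for alice from 10.0.0.8",
    "host-b sshd: Failed password for root from 10.0.0.9",
    "host-c sshd: Accepted publickey for bob from 10.0.0.10",
    "host-d sshd: Failed password for admin from 10.0.0.11",
    "host-e sshd: Accepted publickey for carol from 10.0.0.12",
] + ["host-f sshd: Failed password for root from 198.51.100.7"] * 8 + [
    "host-f sshd: Accepted password for root from 198.51.100.7",
]

# Signature: a known pattern of behaviour (constructed rule, not a real feed).
SIGNATURES = {"root-password-login": re.compile(r"Accepted password for root\b")}
FAILED = re.compile(r"^(\S+) sshd: Failed password")

def signature_hits(lines):
    """Return (rule, host) for every line matching a known signature."""
    return [(rule, line.split()[0]) for line in lines
            for rule, rx in SIGNATURES.items() if rx.search(line)]

def statistical_iocs(lines, z_threshold=2.0):
    """Flag hosts whose failed-login count is an outlier (z-score above
    z_threshold); hosts with zero failures stay in the baseline to avoid bias."""
    hosts = {line.split()[0] for line in lines}
    fails = Counter(m.group(1) for m in map(FAILED.match, lines) if m)
    counts = {h: fails.get(h, 0) for h in hosts}
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    if sigma == 0:
        return []                  # uniform activity, nothing unusual
    return sorted(h for h, c in counts.items() if (c - mu) / sigma > z_threshold)

def triage(lines):
    """Combine the detectors. Only a corroborated IoC (signature hit and outlier
    on the same host) is proposed for automated response; the rest goes to an
    analyst, so an untuned system does not act on false positives (constructed)."""
    sig = signature_hits(lines)
    stat = statistical_iocs(lines)
    flagged = {h for _, h in sig} | set(stat)
    respond = {h for _, h in sig} & set(stat)
    return {"signature": sig, "statistical": stat,
            "respond": sorted(respond), "investigate": sorted(flagged - respond)}
```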
Audit trails
An audit trail has four main uses:
- determine current status
- accountability: identify what actions have occurred and who is responsible
- ensure compliance and demonstrate due diligence
- provide a deterrent against internal attack
Networks
Networks consist of logical connections between entities distinguished by their ability to independently perform work.
Any access point to the network is considered an entry point. In addition to the security issues identified earlier, which apply especially to wireless access points (WAPs), the IA function has to consider that:
- network protocols are rarely designed in line with formal IA requirements
- users may buy and install their own hardware (which can be difficult to detect or prevent), and the organization may permit user-owned devices (BYOD)
- default configurations are almost always insecure
- users may connect to the ‘wrong’ networks (intentionally or accidentally)
The network must be subjected to protective monitoring for intrusion. Relevant log data must be securely collected and periodically reviewed.
Vulnerability analysis
The network should be subject to periodic vulnerability analysis (‘penetration testing’), which must be performed by a qualified person to identify any vulnerabilities that could affect the LA or BIA. It should be preceded by a suitably endorsed briefing document detailing:
- the terms of engagement
- the scope of testing
- acceptable levels of disruption
- acceptable levels of social engineering
- acceptable tools/techniques
- report format
- timeliness of work
- secure deletion of data obtained during the test
- action upon discovering a vulnerability
- use of a non-disclosure agreement
- other clauses relevant to third-party engagements
Partitioning networks
Network partitioning (‘subnetting’ or ‘segmenting’) follows the principle of physical access control. It can be implemented physically (e.g. cable separation) or logically (e.g. VPNs) and is one method of limiting the potential damage from incidents. Generally, any connection to an untrusted network should be protected by at least one firewall. Any other form of remote access (e.g. email servers, Wi-Fi) should reside in a demilitarized zone (DMZ), which sits between two firewalls. The DMZ is the typical logical gap where traffic is assessed before being allowed access to systems.
Network usage policy
The network usage policy is part of the ISMS and defines the purposes for which the network may and may not be used. It also defines the roles and individuals authorised to use it and the policy on access control.
Secure network management
In order to manage the network effectively, the organization must make the following network contextual information available:
- assets
- architecture: systems integration and interconnectivity
- risks
- countermeasures
- third-party dependencies
Effective management will understand:
- business processes that are supported by IT systems
- policies for IT quality
- relevant procedures and processes
- the need for effective communication (inter-departmental as well as within IT)
- applicable requirements
Real-time services
These can include CCTV, VoIP, and video-conferencing, as well as general telephone systems, all of which present entry points. Three main problems face the IA function:
- they may use infrastructure under the control of a third party: this can be protected using cryptographic controls
- they may use remote equipment (located away from business premises): cryptographic controls, physical controls, and security awareness relevant to mobile working
- ensuring connections are only used by authorized parties: strong identification and authentication (ID&A) and mitigation of the impact of compromised remote devices (e.g. a quick remote-connection kill switch)
Cloud computing
Cloud solutions offer potential cost savings by leveraging economies of scale (reducing unit implementation/management costs and increasing availability) and by taking advantage of speed of implementation. However, they present additional IA issues:
- the precise location of information assets may be unknown
- the status of assurance arrangements may be unknown/unverified
- the organization may have few rights to control information, or those rights may be difficult to exercise
- the supplier’s terms and conditions may degrade or limit the organization’s rights and control over information, or constitute a violation of the organization’s requirements
When choosing a supplier, the service must be covered by a contract that, at a minimum, covers:
- privacy and confidentiality
- any restrictions on legal jurisdictions
- restrictions on subcontracting
- agreed service levels and penalties
- data recoverability and handling
- rights to review, monitor, and audit the service
- the process for dealing with security breaches
- how changes to the service will be controlled and communicated
- the option to decline service modifications and the ability to terminate the service
- service termination arrangements (including return of information and secure destruction)
- contract termination arrangements
- supplier indemnity and liability