Data Security For the Business Owner

How and Why for non-IT Professionals

Eric Vought <>
$Id: BusinessDataSecurity.dbxml,v 1.67 2007/05/19 00:06:11 evought Exp $ Copyright © 2007 Eric Vought

Legal Notice
Some of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this text, and I was aware of the trademark claim, the designation is appropriately marked on first appearance. Unless otherwise noted, references to specific tools and applications in this article are presented only as examples of what is available and not as endorsements. The reader is encouraged to read reviews and research additional alternatives for his or her self. I am not a lawyer and nothing in this document is to be construed as offering qualified legal advice. All Rights Reserved. This document may not be reproduced in whole or in part, in any form (beyond that copying permitted by Sections 107 and 108 of the U.S. Copyright Law), without written permission of the author. Copyright and permission of accompanying graphics and stylesheets as noted in those files.

This document is a data security primer for non-technical business owners, including explanations of risk management, basic security concepts, and development of a sound security strategy.

Table of Contents
Preface ............................................................................................................................. 2 Goals ........................................................................................................................ 2 Audience ................................................................................................................... 3 Approach .................................................................................................................. 3 "Real World" Risks ............................................................................................................ 3 Building Safety .......................................................................................................... 3 Keeping People Out .................................................................................................... 4 Screening and Trust .................................................................................................... 4 Insurance Policies Mitigate Loss ................................................................................... 5 Data Security Is Also Risk Based .................................................................................. 5 Cybercrime and the State of the Internet ................................................................................. 6 The Internet Is Not Magic ............................................................................................ 6 The Goals of Internet Criminals .................................................................................... 6 Common Cybercrime .................................................................................................. 7 Things Are Not Hopeless ........................................................................................... 10 First Principles ................................................................................................................. 11 Secure the Perimiter .................................................................................................. 11 Guard Your Secrets ................................................................................................... 12 Create a Defense In Depth ......................................................................................... 12 Security By Obscurity Is Not Effective ......................................................................... 13


Business Data Security

Exploits and Vulnerabilities ........................................................................................ Keep Your Eyes Open ............................................................................................... Building a Data Security Strategy ........................................................................................ First Steps ............................................................................................................... Your IT Professionals ................................................................................................ Document Retention and Protection ............................................................................. Documentation, Policies, Audits— How Much, How Often .............................................. An Incident Response Plan ......................................................................................... Making IT and Security Purchases ............................................................................... Your Network Layout ........................................................................................................ The Network Perimiter .............................................................................................. Employee PCs - The IT Battleground ........................................................................... Network Services - Sharing and Editing Files ................................................................ Internet Services and Communication ........................................................................... Conclusions ..................................................................................................................... Frustrations .............................................................................................................. Glossary .......................................................................................................................... Bibliography ....................................................................................................................

13 14 14 14 16 18 18 22 27 32 36 39 46 50 50 50 51 63

Data security, the protection of business information and associated computer networks, is a highly technical field which is often associated with black magic by non-technical professionals. This situation is not helped by a communications gap between IT professionals and business owners. Business owners are not trained to understand the technical concepts and computer professionals cannot explain risks in concrete business terms. Uninformed business owners cannot avoid dangers and capitalize on opportunities in a rapidly changing technical landscape. Frequently, critical issues are ignored and money is spent on ineffective solutions. This document: • explains security in terms of risk-management, • reports on the current state of the Internet, • describes fundamental security concepts in concrete, non-technical terms, • develops basic data security strategies from first principles, • presents example business cases where security versus opportunity trade-offs are made, • and concludes by encouraging a "security mindset" where technology concerns are incorporated into day-to-day business decisions. This document will not turn the reader into an IT professional, much less a security professional. What it can do, however, is better equip you to evaluate how data security affects your business and communicate with technical professionals and vendors you hire to secure your data. It will also, hopefully, help you to recognize the snake-oil salesmen who offer ineffective solutions to problems you may not even have. Some parts of this document, those describing current electronic threats to your business, may seem alarmist. These reports should alarm you: the current state of Internet security is very poor and some authorities would say desperate. Most people are unaware of the ways in which systems are routinely compromised. Vendors have a vested interest in keeping these facts quiet or no one would use their products or services. Fortunately, however, prudence and care can elimate the most common threats and


Business Data Security

make trouble even for sophisticated attackers. The biggest threat on the Internet is ignorance and the fact that most computer users do not take even basic precautions. Safely navigating large cities requires streetsense and awareness; the Internet is no different. As our world changes, businesses that become streetsmart will have a competitive advantage over those that do not. Although I provide links to examples of products or technologies, I stear clear of providing steps to accomplish tasks, use products, or secure particular types of systems (such as tightening down a Windows XP™ computer or using encryption in Microsft Outlook™). Technology changes rapidly and my goal here is to teach concepts that are independent of particular products. Specific technical solutions are best handled by IT staff for larger businesses or technology specific howtos for SOHO professionals.

This article is targetted at small to medium-sized business owners. Much material applies to Small Office/ Home Office (SOHO) users, particularly background information, basic security strategies, and much of the discussion on desktop and communications security. SOHO readers who are not connected with or do not work within a larger organization will find that discussions of policy, management, and organization, as well as network architecture and services will not directly apply to them and will likely skip or skim those sections. Owners or managers of larger businesses will find that discussions of security plans here are necessarily simplified. Medium to large organizations have complex and varied networks with legacy technologies and layers of existing policy which cannot be treated in one document. In these cases, the glossary and bibliography will help you to find other sources of information. Given the concepts presented here and the help of competent specialists, it is hoped that a manager can learn what they need to know about their own system to manage it effectively.

The information presented here is extensive— do not try to absorb it all at once and do not expect to change your business overnight. Take it in steps. I recommend reading through once at a high level to absorb the contents and skim the detail. Then start through again. I have worked to provide extensive references, links, and a glossary. Focus on the parts that are most important to your business, explore the references and talk to your IT people. If you find that your IT staff or consultants will not work with you, get new ones. Try to learn and improve something each week. The end goal is to turn the Internet from an unknown source of risk to something which can be understood and capitalized on.

"Real World" Risks
The goal of security is not to combat risk for its own sake, but to maximize business opportunity. Outside of cyberspace, your business must balance risks in order to remain profitable. When you see business opportunities, you identify risks, determine how likely they are, how much damage they may cause, what may be done to lower or avoid the risks, and, ultimately, whether the opportunities are worthwhile. Sometimes outside experts, such as lawyers, market experts, or insurance agents, are consulted to assess the risks or suggest ways to protect the business. Sometimes the business must change the way it operates to avoid liability or comply with regulations. In any case, the overriding goal is never to combat risk for its own sake but rather to maximize opportunity and create a successful business.

Building Safety
Buildings are required to have basic safety features such as lighted exit signs. In some locations it is forbidden to use a corded vacuum cleaner during business hours in an area with pedestrian traffic. In other


Business Data Security

locations, this is left to the discretion of the business ower. The business owner must balance the likelihood of a pedestrian being injured by tripping against the need to run the vacuum. Given the high damage awards for personal injury lawsuits and the low cost of push-powered carpet sweepers, this is probably an easy choice. The cost of installing a backup lighting system in a small office occupied only during the day is not so easily justified.

Good risk management focuses on effective solutions to tangible problems. I was recently startled by the presence of a sprinkler system in a hotel common room. The room was made entirely of brick and concrete and its only contents were a large swimming pool. The cost of safety systems must be balanced by risk analysis. The sprinklers were an ineffective solution to a non-existant problem.

Keeping People Out
Your business most likely has to deal with a variety of physical security issues. You must lock your business to protect its own property, such as its equipment, product inventories, any cash or deposits, financial instruments such as checkbooks and stock certificates, records, etc, from theft or vandalism. You may also have to protect property which belongs to third parties, such as rented furniture or equipment or items held on consignment. In all likelihood the entire building is rented and your business might be liable for any damage. In one of the great injustices of our legal system, a business is sometimes held liable when a trespasser injures themselves on business property. It is possible that a business property may be used by a third party for illegal acts such as storing contraband in an otherwise legitimate warehouse. I have seen many instances of teenagers consuming drugs and alcohol on unsecured construction sites. A business may have to spend significant effort to install locks, fences, and cameras to keep people out. Sometimes the mere presence of a lock and a "No Tresspassing" sign is enough to reduce the potential liability.

Sometimes the greatest risk of an incident of any kind is loss of customer or investor confidence, even when direct financial damage is minimal [Lemos-2007a]. Like building safety, the expense of physical security must be balanced by the risks and potential cost of a break-in. It makes no sense to spend $10,000 on a safe to contain $2,000 in valuables. On the other hand, all potential costs must be weighed. Even if the monetary value of stolen equipment is low or it is well insured, how much business will be lost before it can be replaced? Will a break-in and business delay raise insurance rates and lower customer confidence?

Screening and Trust
Parts of your business are more sensitive than others. You would not ask the same people to negotiate with clients or give you legal advice that you hire to answer the phones. This is both a question of trust and of competence. Your legal counsel is trained and licensed to practice law. You probably went through some screening or interview process to select a lawyer that you were comfortable with, even if that was only flipping through the yellow pages and talking to some of them on the phone. As you develop your business relationship, you may trust them to perform tasks with less intervention. Only certain employees have access to your financial information, including your bank balance, the ability to write checks, business credit accounts and so forth. These employees have a background, such as a


Business Data Security

CPA license or business course, which makes them appropriate choices for their assigned tasks. If you are prudent, you check on their work regularly, going over accounts and reports, checking invoices and balances and, generally making sure that you are not being taken advantage of. When employees leave, you must ensure that important records and items stay behind and that they no longer have access to accounts they worked with during their employment.

You should be aware of who has access to your electronic information, what their disclosure policies are, and how it might affect your business. If you deal with sensitive information, you may have to perform background checks on applicants. This may include drug screening, records checks, and checking references. Employees who have gone through ths screening will have access to parts of your business that others do not.

Insurance Policies Mitigate Loss
Are your information assets insured? What happens if your records are destroyed? Your business most likely has a number of insurance policies, including general liability, equipment protection, fire, key man and so forth. While building safety and physical security attempt to prevent loss from occuring, insurance reduces loss after the fact. The desired balance between prevention and cure is often unclear, but the common element is that both are based on estimate of risk and probable loss. Insurance premiums and policy coverages are based on statistical estimates of the likelihood of loss and the amount of that loss. Insurance companies wager that the amount that they will gain from your premiums will earn more than they will pay you in the event of a claim. In return, you gain the piece of mind in knowing that a disaster will not financially ruin your business.

Data Security Is Also Risk Based
Data security is no different from any other business risk assessment. What do you have to lose? What will it cost to protect your systems? Where is the best return on investment?

The precautions a business has taken will often be judged with hindsight, possibly by a jury, after an incident has occured. When data confidentiality agreements or federal regulations like HIPAA require you to take "reasonable precautions" they are telling you that you will be judged after the fact, by a jury. When an incident actually occurs, your policies will be examined under a microsope through the lense of hindsight. Your job, then, is to balance the probability and cost of a lawsuit against the cost of your security. You can never be certain your systems are secure, just like you can never be certain your business will not suffer a fire or an on-the-job injury. At some point, you decide what is reasonable, roll the dice, and take your chances. As with any other business risk, you need to find a balance between preventing loss and mitigating loss after the fact. Security systems such as passwords and firewalls prevent loss. Some types of insurance mitigate digital losses: some policies provide "data loss" protection, your liability insurance might provide protection against breach-of-security suits, etc. Backup and data recovery systems also help to mitigate loss after the fact.


Business Data Security

Cybercrime and the State of the Internet
The Internet Is Not Magic
The Internet does not change the laws of economics or fundamental business practices. Although the Internet is often touted as "changing all the rules," a more critical look shows that this is seldom the case. Businesses, whether they use the Internet or not, must still market their services to customers, must still make reasonable margins, deliver real or perceived value, and compete successfully against other businesses trying to do the same thing. Similarly, crime on the Internet is generally an extension of real world crime or is readily analogous to real world crime. It was the erroneous belief that the Internet was fundamentally different, that it changed the rules of business, which lead to the dot-com bust. Very shaky ventures attracted enormous investments based on the idea that the magic of the Internet would make them profitable. This did not happen. What the Internet does do is change the parameters of time and space. OK, back up; what does that mean? • The Internet is globally connected. Many more people, potential customers and potential criminals, now have access to your business. Similarly, global competitors now have access to your traditional customer base. • The Internet is always open for business. Customers are not accustomed to having online businesses close shop at dark and roll down an iron grate. This means that your Internet facing applications are accessible and open to attack at all hours. • Suddenly everything is smaller: a one hundred page proposal with exibits can be sent to a client in seconds and will fit on a single thumb-sized USB drive. On the other hand, someone can walk out with your entire customer contact list the same way. • Things happen faster on the Internet. You can sell CDs to ten customers on the Internet faster than you can process one customer at your cash register. You can submit insurance claim forms in seconds instead of days. You can get responses from regulatory agencies by email in the course of a single business day instead of a week by mail. On the other hand, several thousand people can attempt to break into your online store in the course of a single night. • Because anyone can access anything from anywhere, it can be very difficult to determine who actually did so at a specific time. Tracking criminals and sorting legitimate purchases from fraudulant ones can be difficult, especially when the criminals are clever.

The Goals of Internet Criminals
The motives of criminals on the Internet are no different from any other criminals: • Simple theft. Make a fraudelent purchase and get away with it. • Steal sensitive data to make theft easier. Real thieves steal credit cards, raid mail boxes, and print fake IDs. Internet thieves steal or forge the electronic equivalents. • Espionage: government, corporate, or personal. Governments spy on each other, businesses want to get hold of each others' client lists, research, and proposals, people want to spy on their rivals. Internet espionage is easier than going through dumpsters, but has the same goals.


Business Data Security

• Revenge. Disgruntled employees may keep a grudge against a business, so can rival businesses, or exspouses. Any of those might have or might be able to obtain the information necessary to do damage. • Embezzlement, insider trading, or other stock fraud. • Thrill. Just like spray-painting the side of a bridge, someone may damage your website just for pleasure. There is an underground of young hackers who think it is cool to break into companies and brag about it. • Cover their tracks. Just like hiding contraband in someone else's warehouse, a criminal may use your legitimate business as a base of operations for some other illegal scheme. The criminal could be one of your own employees downloading illegal files or attacking another system.

Common Cybercrime
So, how common is crime on the Internet and what form does it take?

Crime Statistics
According to the 2006 FBI Internet Crime Report [FbiIc3-2006] the FBI Internet Crime Complaint Center processed 200,481 Internet-related crime complaints, a number which is down somewhat from 2005 but more than double 2003 figures. Complaints supported 86,279 criminal investigations at the federal, state, or local level. The complaints were varied, including auction fraud, non-delivery of goods, credit card fraud, computer intrusions, SPAM, and child pornography. Almost all involved financial loss, with a total loss of $198.4 million (up slightly from last year). The FBI and Computer Security Institute perform a yearly survey of computer security professionals in US organizations (companies, government agencies, medical institutions, etc.). The 2006 Computer Crime and Security Survey [GordonEtAl-2006] polled 616 such professionals on the number and type of incidents experienced, security budgets, protections in place, and so forth for 2005. Among its findings is that the top four threats, viruses, unauthorized computer use, theft of equipment, and theft of intellectual property (in order) account for 74% of losses. Fifty-two percent of respondants reported unauthorized use of their systems in the twelve month period and 9% reported more than 10 such incidents. Total losses from the 313 respondents willing to provide figures were estimated at over $52 million. A disturbing trend is the number of respondents who claimed substantial loss from insiders. Reported financial damages and number of successful attacks have noticeably decreased against previous years, but the survey is skewed toward companies with security policies in place (they have dedicated security personnel and have been in contact with CSI) who have presumably been improving their defenses. This offsets bad news in other quarters and demonstrates that companies can make progress given time. Interestingly, 22% of those surveyed were in organizations with from 1-99 employees, so small to medium businesses were well covered. The survey notes that per employee expenditures on security are much higher in smaller organizations (by total revenue), something we will talk about with respect to regulation compliance later on.

Identity Theft
Identity theft and credit card fraud are currently handled and reported by a variety of agencies and reported statistics are not normally separated according to online and offline categories. What is clear, however, is that theft or misuse of credit card numbers and fraudulent applications for credit cards is rapidly rising and wholesale theft of private data fuels the crisis. Perhaps the largest such data theft involved TJX, the owner of TJ Max™ and other stores, and the loss of 45.6 million credit card numbers [Vijayan-2007a]. Several break-ins occured starting in July 2005 but were not noticed for over a year. It has become common to see vendors expose tens of thousands of private


Business Data Security

customer records including names, addresses, social security numbers, and financial information due to security breaches. This creates vulnerabilites for online merchants who may be liable to charge-backs and fees from fraudulently made purchases. It also exposes business cardholders whose accounts may have high limits and high purchase volumes where fraudulent use may escape immediate attention. Vendors who lose data in this manner may be the target of lawsuits and may lose their merchant status.

Governments do not hold a monopoly on espionage. A related topic is of stalking, spying, and espionage. When people think of spies, they immediately think of secret government agents, but the truth is that businesses and private individuals spy on each other all of the time. Getting hold of a competitor's proposals, trade secrets, client contacts, or price lists can yield a tremendous market advantage and many businesses are not above bending or breaking the law in order to do so. In my time as a defense industry contractor, the threat of competitors stealing proprietary data was only slightly less than that of foreign governments. Private individuals may attempt to steal or leak proprietary data in order to affect or guess changes in stock prices. Insider trading is a constant subject of SEC investigations and although it is not new to the electronic world, data networks certainly open up new opportunities for exploitation. Pretexting, made famous by the recent Hewlett Packard Board of Directors scandal [Krazit-2006], is the practice of impersonating a person or entity in order to obtain more information about them. The actual impersonation is often done over the phone, but the initial investigation is generally performed using the Internet. Enough information can be gathered on the Internet to successfully impersonate the target over the phone, to say, the phone company, or a bank, and then copies of personal records can be obtained. Internet investigation companies sell services using pretexting to individuals wishing to investigate a rival or competitor. This information can then be used for a variety of illegal purposes. In many areas, law enforcement is hard pressed to identify specific laws that pretexters violate, although lawmakers are working to draft specific bills. It is not clear whether companies may be held liable for giving out information to pretexters or for using insufficient verification of customer identity.

Silent Crimes
The FBI report only counts reported Internet crime. Many businesses and computer users may suffer from security compromises and not be aware of the damage. In the past, viruses and malware would damage or destroy target systems leaving obvious signs of their presence. Today, a virus or intruder is just as likely to quietly copy data and leave a back door open so they can return at will. Attackers install key loggers which track the computer's use and look for sensitive information like passwords and account numbers.

An attacker may visit your system repeatedly and use your computer for illegal acts without leaving any sign of their presence. Many PCs are turned into so-called zombies which are remotely controlled to perform a number of illegal tasks, including sending commercial SPAM, engaging in bank fraud (phishing schemes), Denialof-Service (DoS) attacks against security companies, government agencies, and public infrastructure, and attempting to break into new systems. A company called CipherTrust1 tracks approximately 250,000 new zombies each day. Security company Symantec reports that more than six million computers are now under remote control [Bbc-2007a], although some experts put the number much higher, perhaps as much as one quarter of Internet connected systems [Weber-2007].


Business Data Security

Corporate networks are not immune to the zombie threat. Even fortune 500 companies have been embarrased by SPAM-spewing zombies on their networks, sometimes brought in by contractor-owned laptops [Krebs-2007]. A worrying development is the creation of web sites by crime syndicates selling sophisticated toolsets, including technical support, and subscriptions for upgrades. These toolkits allow the purchaser to set up malware on their own or someone else's website to infect visitors; they then get paid for information collected from the victims [Vijayan-2007b]. Because of this, malware silently delivered by websites is rising sharply and is increasingly being delivered by legitimate business or government web sites which have been hacked themselves [Bbc-2007b].

SPAM, or unsolicited bulk messages, are now a significant chunk of all Internet traffic. A compilation of statistics from 2006 by Don Evett puts SPAM at 40% of all emails, or 12.4 billion messages per day [Evett-2007]. This figure is rising exponentially and is beginning to place significant stress on the capacity of Internet infrastructure. SPAM today is mostly sent from PCs that have become zombies. Most SPAM advertises pornography, illegal business scams, stock fraud, fake products, phishing schemes, or other items of a questionable nature. Nevertheless, many computer users respond to such emails and even attempt to make purchases, visit sites, or participate in illegal ventures.

SPAM, continues to be sent because it works: enough users participate in the schemes it advertises to make sending the SPAM worthwhile. SPAM causes a number of problems to a business, not the least of which is simply the time lost to sorting through junk. Personally, I receive over ten SPAM messages for each legitimate email and use a variety of filters to prevent it from reaching my mailbox. SPAM messages which may contain bulky images slow down networks, increase time spent downloading messages, and increase network mail storage. Aside from the mere nuisance, however, SPAM is actively dangerous: it can deliver viruses, tempt employees to open dangerous attachments, expose financial information, visit sites which will attack their computer, or participate in illegal activities. Another business aspect of SPAM is the marketting side; extreme care must be taken when using email as a marketting tool to avoid antagonizing customers already sick of SPAM or landing the company mail server on a SPAM blacklist.(emv 20070424) I'd like to find a reference here about an accidently RBL'ed company.

Beware virus warnings! It is not uncommon to receive emails reporting a new virus threat that is not detected by virus scanners which request that you take action, such as deleting files on your hard drive or installing attached patches. In many cases, following these instructions will damage your system or compromise your security. I have received many calls from clients, relatives, or friends asking me what to do afterwards, and usually “Reinstall your system.” is the only answer. Recently, a large virus outbreak was fueled by just such an email [Keizer-2007]. Always check with a trusted security professional or with the website of your security vendor before acting on any security warning and do not forward the email to others. Never follow links provided in the email to security sites; always type them in yourself or use your own bookmarks. Malware: spyware, viruses, trojan horses, and so forth, is a common and growing problem. Part of this stems from the desire of many computer users to try dozens of new tools and games on their (or their employer's) computer. Part of it stems from deep-seated flaws in the Windows operating system which makes it easy for malware hiding in these programs to take control of the computer. Part stems from


Business Data Security

unscrupulous vendors who include malware in their products in attempts to collect marketting data, prevent users from running competing products, display advertisements to users or direct them to advertisements on the web. Sometimes these products are not explicitly designed to cause harm, but they contain bugs which damage infected computers or open up security vulnerabilities which are exploited by other attackers. Sony, for instance, included a root-kit on a large number of music CDs which silently installed itself on a PC used to play the music. The root-kit was intended to prevent the user from copying the songs and report information about the user's listening habits to Sony but opened up security holes which others could use to break into affected computers [Kantor-2005]. The fix released by Sony opened up more security holes and resulted in an outbreak of viruses tailored to PCs that had been used to play Sony music. Equally disturbing is the fact that security companies, who considered Sony a “legitimate” vendor, were slow to react and slower still to add the Sony root-kit to their malware detectors [Schneier-2005].

Not-me Syndrome
Many businesses believe that they are not at risk because they do not have anything in their network to interest an attacker. This is a dangerous myth.

Your business may not be of direct value to an attacker, but it may be a stepping stone to other illegal acts. Collateral damage is a problem. I was once called in to a real estate appraisals business because their mail server suddenly went down. They had recently lost their system administrator and had not yet obtained a new one. Upon investigation, I determined that their server had not merely failed but had been deliberately destroyed. Suspicion immediately fell on the previous system administrator, but I was eventually contacted by CERT2, the Computer Emergency Response Team, with information that the mail server had been used to attack a government system. The attacker had broken into this business' server, used it to attack another site, then destroyed the server and its logs in order to cover their tracks. The attacker had entered through a vulnerability in out of date mail server software. Due to the destruction of the logs, we were never able to determine where the attacker came from. The attack cost the business downtime, IT service costs, and expensive security upgrades to prevent a reccurence. Perhaps as importantly, the breach allowed someone to successfully attack a government system and get away with it. In recent years, I was responsible for the maintenance of a number of server systems running web sites, email, and other services for small businesses. The servers would record thousands of attempted attacks per day. Most of the attacks attempted to exploit weaknesses in software we were not running, and I used tools to filter the logs down to the dozen or so attacks per day which I would examine and file reports on. A sizable portion of these attacks were from east asian countries and I would seldom receive responses to my reports. The responses I received from US and european network administrators, large and small companies, generally stated that their security had been breached, often by operators from East Asia, and their systems had then been used to attack dozens of others, including those under my care. The US Department of Defense has reported incessent atempts by attackers from certain asian countries to breach military security, possibly with foreign government support, and unwary businesses may often be used as springboards in those efforts. (emv 20070424) Can probably find a reference here on the DoD issues.

Things Are Not Hopeless
This all may seem very depressing, and indeed it should. A survey of "real world" criminal activity, such as the increase of shoplifting or convenience store robberies, may seem depressing as well, however, and


Business Data Security

businesses did survive and flourish before the advent of computers. Many businesses protect themselves against traditional criminal activities as a matter of standard practice; banks, for instance, have done business through small slots for decades and indeed a chinese payroll clerk invented this defense thousands of years ago. Businesses can and will develop standard defenses against Internet crime and those which do will enjoy a competitive advantage against those which fail to adjust.

You don't need to outrun the bear, you just need to outrun your friend. It is not necessary and indeed not possible to protect your business from all attackers. It is only necessary to make your business a difficult enough target that criminals will look for easier marks. The success of The Club™3, an auto theft deterrent which locks a car steering wheel, is not that it prevents theft. Indeed, there are several known techniques to bypass them. Many thieves are lazy by nature and do not want to expose themselves to detection longer than necessary. If two cars are sitting next to each other and only one of them is protected, the unprotected car will be stolen every time. Of necessity this leads to an arms race and security is not a matter which can be solved once and forgotten. By applying basic principles, however, and incorporating them into business planning, your enterprise will automatically adjust to new and developing threats.

First Principles
In this section, we will discuss basic security principles. These principles apply to many situations outside of data security, including physical security, warfare, biological defense against infection and so forth. Data security is complex and requires significant training, but it is not magic. By understanding basic security principles you can better communicate with professionals you hire to help you, better evaluate the claims of vendors, balance business risks and opportunities, and use safer practices in your daily work. We will approach these concepts with real-world, physical examples, and then demonstrate computer equivalents in later sections.

Secure the Perimiter
You probably have valuable items in your house. At the very least, you will have electronic equipment like an entertainment center, important documents, perhaps expensive jewelry. These items would interest a thief. When you go out, you probably lock your door. Locking the door secures the perimiter of your house and makes it difficult for the thief to enter. Even if a thief gets past the lock, it has increased the time they spend getting into your home, increased their likelihood of getting caught, and raised the penalties they would receive (Breaking and Entering). In some locales, the mere presence of a lock or security device doubles applicable fines and sentences for theft or vandalism.

Perimiter security is only as good as its weakest point. The lock on the door may not be effective if other parts of the perimiter, the outside of your house, are not secure. If your garage door is unlocked, you have unlocked ground floor windows, perhaps a basement door, etc., the expensive deadbolt on your front door is useless. The Manhattan Project physicist Richard Feynman worked at Los Alamos during World War II. The Los Alamos National Laboratory was a Top Secret facility with access controlled by armed guards. One day, Feynman discovered that there was a hole in the outside fence. People were using the hole to get back and


Business Data Security

forth to town without going through the security checkpoint. Feynman reported the hole but was ignored. He then walked out of the hole and back in through the checkpoint. He repeated this several times before the guard grew suspicious and noticed that Feynman kept going in but never came out. Finally, the hole was fixed [FeynmanEtAl-1985]. It is tempting to ignore holes in your perimiter security, but by the time someone acts responsibly and reports them to you, you can bet that other people of less character have noticed as well.

Guard Your Secrets
If you lock your door and leave the key on the top of the frame or under the mat, your lock will not be effective. Likewise, if you give copies of your key out to unreliable or unscrupulous individuals or do not change the lock when you move in, you can no longer limit access to your home.

Locks, no matter how sophisticated, are only as effective as the secrets which protect them. Your key is a secret which is supposed to be known only to you and tells the lock that you are authorized to enter. The same principle applies to combination locks. If you never change the combination from the manufacturer's setting or use a number (such as birth date or anniversary) that someone else can readily look up or guess, the lock will not protect your valuables.

Create a Defense In Depth
If the armed guard had been the only security feature at Los Alamos, the hole in the outer fence would have compromised the entire facility and the entire Manhattan Project. Of course, the fence was not the only obstacle a potential spy had to deal with. First of all, the existence of the Manhattan Project and the purpose of the laboratory was a secret. The buildings and important rooms had locks. The scientists were sworn to secrecy. Documents were locked in safes. In a small group of people, an intruder, particularly one without appropriate ID, would be quickly identified. All of these features worked together to protect the project. This is a defense in depth. Similarly, at your home you may have a gated fence. You might have a dog or an alarm system. Perhaps there is a neighborhood watch. Your most valuable possessions might be in a wall safe and perhaps photos, serial numbers, or appraisals are stored in a bank safety deposit box so that you can provide them to law enforcement or your insurance agent. The important thing is that multiple levels of security act together to deter or slow down an intruder. If one defense fails, other defenses must still be dealt with. Sometimes layers of defense can stop an intruder and sometimes they only limit damage. Perhaps an intruder who jimmies your lock can steal your DVD player but not your jewelry.

Often, several simple or inexpensive layers of security are much more effective than one complicated or expensive layer. A simple lock and an inexpensive alarm may be more effective than an expensive lock and no alarm. The alarm will also protect you when the intruder breaks a window. When planning, beware silver bullet solutions which claim to solve all of your problems in one go. It only takes one simple mistake elsewhere to bypass your expensive protection. Simpler solutions have the added benefit of being easier to understand, easier to verify, and sometimes harder to penetrate. Blocking your door with a heavy iron bar may be crude but it is simple, cheap, and effective.


Business Data Security

Always put together an overall security plan first. You can go back later and upgrade individual pieces. Get the most out of security by making it do double duty. Putting valuables in a safe and storing insurance documents with your bank will help protect you from fire as well as theft. Getting to know your neighbors can keep you informed on all kinds of issues. You will find similar ways that data security can be used to achieve other business goals.

Security By Obscurity Is Not Effective
When you go to a hardware store and buy a deadbolt for your front door, you will probably find that it meets certain industry standards, such as ANSI/BHMA A156.5-2001 and it is probably UL listed. It is based on a standard design which has been thoroughly tested. Any thief can look up detailed information, but in the end, they still have to exert a minimum amount of force or effort to overcome the lock. When writing a letter, the writer can read the same sentence many times without realizing it is wrong; they already know how they intend it to read. Someone else reading the letter will notice the mistake right away. Similarly, security planners will routinely overlook critical details which are obvious to someone else. Good security is built on simple, standard, well tested components that many eyes have looked at and many people, designers, security experts, and thieves, have tried to break. Security by obscurity is a defense that depends on an attacker not knowing how it works to be effective. A one-time battle plan dependent on surprise may fool the enemy, but a security plan must fool the enemy every day, time and time again. Any flaw, no matter how small, no matter how secret, will be discovered.

In general, more eyes means tighter security. A manufacturer claimed that their fingerprint scanning door lock based on "proprietary technology" had not been broken in months of testing. A team from the TV show MythBusters found three ways to bypass the lock in just a couple of days. Perhaps the DeathStar could have been saved by better operational security, or maybe they should have let the MythBusters folks review the blueprints before building[MythBusters-2006].

Exploits and Vulnerabilities
Knowing the difference between exploits and vulnerabilities is important in assessing security and the level of risk. A vulnerability is a potential hole in your security, such as a second-floor window which swings outward. An exploit of that vulnerability might involve a ladder and a prybar. It may be that there are multiple ways to exploit a particular vulnerability or that it is only a potential problem with no known exploit. Often, detecting a vulnerability gives you time to fix it before an attacker becomes aware of it and figures out how to use it to their advantage. A zero-day exploit is one where a vulnerability and a publicly known exploit are discovered at the same time, usually because the bad guys were the first to find it. The hole in the fence at Los Alamos is a good example of a zero-day exploit— the hole was in common use before it was discovered by security and fixed. A defense-in-depth can sometimes prevent certain exploits and lessen the risk of a vulnerability. With our second-floor window example, controlled access to the property with a fence and a guard shack might make it rather difficult to sneak in with a ladder or a prybar.


Business Data Security

Keep Your Eyes Open
In security, paranoia is an asset. Noticing suspicious patterns and odd details is important to protecting your business. You would probably be suspicious if someone you did not recognize was leafing through files in your office or called you and asked for your credit card number. Maybe you would find it odd if an employee you were paying minimum wage suddenly had a $500 watch or you ran into a client when one of your salespeople was supposed to be meeting them for lunch. If you are prudent, you probably go over accounts or budgets and expenses on a regular basis. Noticing odd behavor is not a basis for flying off the handle— unusual things happen; certainly, however, questions might be asked. Once you are familiar with data security, you will also be able to notice when things are out of place in the electronic world.

Careful records are critical to establishing patterns and reconstructing events when a problem is discovered. Having safe copies of records prevents tampering and fraud. I once had an employee who had repeatedly violated company policy. Notes of this and a disciplinary warning were placed in the employee record. The employee, who was responsible for filing, quietly removed the notes. They were not aware that management routinely copied employee records and stored them in a safe.

Be assertive and ask questions. When I worked at the Pentagon, we were trained to avoid a common attack. Most secure facilites have a phone on the outside so a visitor can call to have an authorized person let them in. One technique is for an intruder to walk up and pretend to be talking to someone inside the facility. When an authorized person arrives, they say, "Oh, hang on, someone else just showed up." and follow the new arrival in. Authorized personnel are uncomfortable about challenging the intruder. Management and personnel need to be trained to be assertive and ask questions in all security situations and any time something smells fishy. Often, a manager who has their credentials challenged will punish the employee. This is counter-productive and will allow an attacker to bluster their way through defenses. Instead, managers should expect to be challenged and discipline those who do not follow established procedures.

Building a Data Security Strategy
In this section, we will begin to develop a top-down security strategy for your business, looking at what needs to be protected, how to begin developing security policies, responding to incidents, and making sound purchases. In later sections, we will explore how attackers attempt to breach your networks and access your data, applying basic security principles to making their job harder.

First Steps
One of the first things you need to think about in the context of data security is what you want technology to accomplish for your business. Is your website an essential part of your sales effort or are most of your leads generated from referrals? What technology makes the biggest difference in your daily productivity? What technologies actually detract? By asking questions like this, you start to get a basis for making risk decisions— how far you are willing to stick your neck out to support certain IT strategies and how much protection is worthwhile. If a piece of technology does not improve your ability to do business, why take on expense and risk?


Business Data Security

Another good starting point is figuring out where you are now in the security scheme of things. Doubtless you have some interest in securing your business and are putting effort toward that end or you would not be reading this. That immediately puts you ahead of some. The COBIT® IT management standard uses a maturity model which generally describes where a business is on the road to IT nirvanna:

COBIT® IT Maturity Model
0: Non-Existant 1: Initial 2: Repeatable 3: Defined 4: Managed 5: Optimised [Itgi-2005 pp 18] Notice that this is not expected to be an instantaneous transition, nor are you expected to sit down, write hundreds of policies, and figure out how to implement them. Rather, policies and practice evolve together in a feedback loop. As you figure out what works for your business, the best practices become policy. As you get better at implementing, monitoring, and adjusting those policies, your IT structure will become more mature, robust, and valuable. A more detailed description of what the various stages mean for overall IT management is given on page 50 of the standard, but COBIT® also provides a specific scale for IT security on page 122. Since the descriptions are long, I will only quote two levels here, the beginning and end of the process: Management processes are not applied at all. Processes are ad-hoc and disorganized. Processes follow a regular pattern. Processes are documented and communicated. Processes are measured and monitored. Good practices are followed, automated, and steadily adjusted.

1 Initial/Ad Hoc
The organisation recognises the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, because responsibilities are unclear. Responses to IT security breaches are unpredictable.

5 Optimised
IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimised and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalised incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analysed. Adequate controls to mitigate risks are promptly communicated and implemented. Security testing, root cause analysis of security incidents and proactive identification of risk are used for continuous process improvements. Security processes and technologies are integrated organisation wide. KGIs and KPIs for security management are collected and communicated. Management uses KGIs and KPIs to adjust the security plan in a continuous improvement process.


Business Data Security

The most difficult work is in the middle. Ad hoc policies are difficult to automate and waste time discussing small details. The overhead of a formal (but sensible) policy can be made up in automation and reduction of friction, but a sensible policy cannot be written unless backed by experience and research. Before reaching stage 4, you do not have enough information to really do adequate risk analysis in many cases, but before reaching stage 3, ad hoc processes and general chaos reduce the utility of the information that is gathered. Because of all of this, climbing the hump is hard, but it does get easier, especially when leaning on established industry best practices and learning from the mistakes of others.

Your IT Professionals
The people that care for your computers have your business in their hands more so than any other professional, such as an accountant or a lawyer. Their job is arcane, difficult to oversee, and requires them to have access to disparate parts of your enterprise. Like a doctor, there is only so much you can do to check up on them and then you just have to let them do the job. As such, perhaps the most important quality in choosing an IT professional is trust. As businesses are becoming overwhelmingly committed to electronic documents, essentially all of a business' information passes through the purview of the top-level system administrator. They have direct access to the hardware, the software, and the network. They have the skills of a hacker, or they would not be able to secure your systems. Even if you use low-level protection like encryption and passwords to protect documents, they have the ability to either simply override the protections or snoop on you to discover the passwords. It might take time, but if they are determined, they can do it4. Happily, most professionals are more interested in doing their jobs. Information security and systems administration is a demanding discipline that often comes with limited recognition or reward. Those that succeed do so because of a dedication and work ethic which drives them to master the skills and keep up with changing technology. IT professionals take personal pride in the systems they maintain.

Business people work with people every day. IT people deal with machines. This leads to half of the communication problems. Active participation and open communication is the best way to reduce the threat of a rogue IT professional. By making the effort to understand and involve yourself you not only have a better chance of noticing potential problems, but you build trust and professional respect. Because of their dedication to a hard-edged technical discipline, many good IT professionals are somewhat antisocial and apolitical. They may also be brutally frank. Remember that IT deals with machines which never compromise and always take things literally. This often leads to misunderstandings with business people who work on a very different level. IT people often present options and risks very differently than other professionals. Managers usually present a small number of options (often three) and their business risks. They clearly identify the option they recommend (often the last one). When several managers are in a meeting together, discussion usually converges on two options until the person in authority decides between them. IT people often present one solution, then present variations on that solution, sometimes getting quite complex and quickly confusing management. They are not presenting their alternatives as realistic options but to demonstrate why their preferred solution (the first one) is correct. When you get several IT people together, the solutions being discussed seem to diverge rapidly instead of working toward consensus. This is an education problem with IT professionals. This style of argument is how IT people (and other scientists) check their arguments and get feedback. Because technology does not compromise, they need

But see the discussion starting in the section called “Shared Folders and Files” about storing documents on untrusted computers or where the administration is not trusted.


Business Data Security

to know (and demonstrate) that their solution is rigorously correct. They do not realize that management does not (and should not) care as long as they have done their job. IT professionals need to change their presentation style and adapt to your vocabulary, explaining the minimum you need to understand to make a business decision. Unfortunately, many IT people will not change and you will need to deal with this problem from time from time, dragging them away from theory and back to the real concern: what is the bottom line? At the same time, even if the presentation is wrong, the presenter is identifying real risks, and you must not tune them out until you understand what it is they are trying to say, no matter how frustrating that might be.

A good go-between, a professional in multiple fields, can translate IT-speak and present alternatives in a digestible manner, smoothing communications. One way to improve the situation is to find a translator: someone who understands enough of both your field and IT to summarize the issues. These are usually IT people who have a degree in something other than Computer Science who see technology as a tool, who have had to focus on practical application rather than theory. As an example, I have a background in ecology and did work with simulations in college. I wrote programs, but only as a means to an end; they were tools for answering questions. If the programs could not be explained in non-IT terms, they were useless. A good go-between does not have to be an expert in either field, they just have to be able to ask the right questions and understand the answers. These are the people you want in your top-level IT positions, trouble-shooting problem projects, and dealing with security incidents. They are hard to find, and hard to recognize, but they do exist. This type of professional can also be deliberately trained. When my simulation experience landed me a job in the Pentagon working with strategic analyses, the first thing my boss did was put me on the floor with the Air Force analysts. I was hired as a programmer, but I spent those first weeks as a user, a customer, of the software I was eventually to maintain and redesign. I had to learn the terminology, processes, and needs of the people I was hired to serve before I was allowed to do my job. I went from there to building small tools, essentially templates or jigs, for very specific problems. Finally, when they felt I had learned enough to get by I was allowed to work with the larger systems, but I still spent considerable time on the floor with the pilots. By taking a promising IT person and putting them in with your regular staff, making them learn your business, you may end up with someone who can give you the feedback you need in a form you can use. You can also go the other way, by having one of your employees work part-time as an IT-liason to bridge the language gap and make IT solutions better targeted, easier to understand, and more practical. Choosing someone to put into this role takes care; doing it sucessfully takes someone whose ego won't get in the way of learning a new and unfamilar field and having to build the respect of the professionals they have been thrown in with. You also have to beware the advice of the hobby IT professional who may set up computers or networks at home and second-guesses IT's claims of cost or risk; techniques which work for two or even ten computers do not scale to one hundred. They may have a point, but take it with a grain of salt. Once you have a good go-between, they need to split their time so that they can keep up to date with both camps and remain relevant. If you do not have enough to go around, you can have one person consult to multiple teams or departments: walk the beat, sit in on meetings, review documents, and conduct diplomacy. I have seen this work very well and is somewhat like the Of Counsel position in a law firm5. IT expertise is critical to your business, but individual IT people, whether in house or outsourced, should not be allowed to become indispensible. Good documentation, maintenance records, and problem tracking

Sometimes this can happen by itself, as someone with cross-over expertise lands naturally in the role of an unofficial diplomat. Your first step in finding a go-between may be determining whether one is already there and how you can make better use of their skills.


Business Data Security

help someone else pick up a task when needed. Sometimes employees have the mistaken impression that being indispensible creates job security. In reality it locks them into a job with no chance of advancement and will eventually lead to trouble. For the employer, there is always the worry about the inevitable job change, illness, family emergency, or other sudden crisis that can cripple an unprepared business. A vendor which has you locked in has no reason to negotiate and little need to deliver quality service.

Not involving yourself in IT is like not being involved in the company finances— you are inviting someone to take advantage of you. It may very well be that you are thinking “I don't have time to involve myself in IT.” That may well be true, but like accounting, you just may not be able to afford not to be involved. If you are reading this document, you already know that the world is changing. There is no way to turn back the clock and learning to compete in the new environment means fitting IT into your overall strategy. Finding the right balance is hard, but it must be found.

Document Retention and Protection
Document retention rules apply to more than just electronic data, but many small businesses may not have coherent policies. Often rules for certain types of files, such as financial information, employee records, or health information, are set by law. Other information may be controlled by contractual privacy policies or confidentiality agreements. These rules usually specify the minimum and maximum time that documents may be stored and who may access the documents. You may wish to implement specific policies to retain or destroy outdated documents which fall under no particular rules in order to avoid costly document production in response to subpoenas [SoleckiRosenberg-2004]. In all cases, you should consult books and attorneys with coverage of the laws in your area. We will discuss technologies for solving these problems elsewhere, but the first step is identifying what types of documents may require special treatment. You probably already handle some paper documents specially by locking them up, using a shredder to dispose of them, etc. Extend this to electronic documents and think about what documents may need: • to have restricted access, • to be securely deleted, • to be retained or deleted on a schedule, • to be protected when sent over the Internet, • to be protected from tampering or alteration, • to have notarization or proof of service

Documentation, Policies, Audits— How Much, How Often
Small Setups
The simple fact is that if your business is more than one person, and probably even if it isn't, basic documentation on your network, computer configuration, and security is a necessity. If your setup is not


Business Data Security

documented, you will have trouble getting help when you need it. Consultants will waste precious time figuring out how things were supposed to work instead of fixing problems.

A doctor needs a good case history to treat a patient; a computer maintenance record fills the same need and allows a professional to diagnose problems more effectively. At a minimum for a small setup: • Document the hardware, software, and versions on each system. • Store license keys and warranty information for easy access along with dates of purchase and installation. • Document the changes made to a system to get it ready for use so you can follow the same steps when repairing or setting up new systems. • Store installation CDs, restore disks, and program disks so they may be easily located. • Keep track of when maintenance is performed (virus scanning, updates, backups, repairs, etc.) or, if run automatically, note when they are run and how often they are checked. If outside consultants do these things for you, insist that they provide this documentation for your files on every service. You never know if you will need to use a different vendor for some reason, and having your own copy is a good precaution. For similar reasons, make sure you control the software disks, installation keys, and warranty information. These would be good things to lock in a safe in case of fire or other incident. You can make copies of the disks for everday use. For Internet-facing machines, such as a company web or mail server, document what services you run and keep safe copies of system settings. This will help you restore them if an intruder alters them and may provide clues as to how they got in. Administrators should keep a journal of changes and events; I typically added a bulletted list to the end of each day's charge sheet and kept a more detailed journal online. The journal provides an easy point for someone new to pick up. System logs need to be backed up too, and, if possible, immediately written to a different machine to keep an intruder from altering them. Use some form of problem tracking or trouble ticket software to monitor problems and ongoing resolution. There are many web-based systems at all price ranges (e.g. Best Practical Solution's RT6). The important thing is that you can tell quickly what problems need to be solved, how long they have been open, and make sure recently fixed problems have been resolved satisfactorily. A printout can be gone through quickly in a meeting. The system will also allow notes to be added to problem reports so that someone can look back and see how a similar problem had been solved or whether a certain type of problem is occuring frequently. You can make such a system do double duty by using it to track non-IT problems as well.

Make sure each PC, workstation, or server is easily identifiable. The easiest way to do this is with property tags and ID numbers. Non-removable tags or engravings also make tracking stolen equipment much easier. Documentation is not useful if it is not checked periodically. Incorrect information is worse than none at all. Sit down and check maintenance records to see that they have been updated and that maintenance is actually being done on schedule. It is easy for schedules to slip while dealing with day-to-day emergencies. Look at vendor invoices to make sure they identify the machine, report what was done and why. If you do not understand, ask questions.


Business Data Security

Gibson Research's7 Shields Up8 is a website which will run a quick test of a SOHO PC and produce a security report. There are automated tools for detecting vulnerabilities in PCs and servers. Nessus9 is one of several such products. Using one on a regular basis and fixing reported problems will go a long way toward making your systems more secure. The bad guys have access to the same tools and running them will be one of their first steps.

Larger Setups and Standards Compliance
If you have a larger setup or have to comply with external standards such as HIPAA, or the Payment Card Industry Data Security Standard (PCI DSS) your documentation needs will be more complex. The cost of regulatory compliance can be high, particularly where the legal landscape is changing. Recently passed regulations have not had the time to be interpeted by the courts and some laws, such as state consumer protection laws, may be triggered without a business' awareness, merely by serving an out-ofstate customer (e.g.: California SB 1386 [CaSenate-2003]). Small and medium-sized businesses without a dedicated compliance department can be hard pressed to stay informed, let alone compliant. A more proactive approach may be in order. Even where you are not specifically required to conform to a particular high-level industry standard, using one, such as COBIT®, ISF Standard of Good Practice, or ISO/IEC 17799:2005, as the basis for your policies can yield many advantages: • useful guidance for policy development so you do not need to start from scratch • milestones to measure progress and plan improvement • a common framework and vocabulary for working with IT and security professionals, partners, and vendors, including some “canned” policy or auditting products. • preparation for future regulatory changes • reducing the threat of being sideswiped by non-compliance to laws you are unaware of and allowing you to defend policies by referring to accepted best practice • new opportunities such as eligibility for contracts and increased customer confidence [Harbert-2006, Itgi-2006] Some of the most important things that are required by standards are: • IT security is recognized at the business level and accounted for in strategic planning. • Clearly defined responsibility for overall IT security and for each system. This can range from a single individual responsible for all security and systems (in a very small setup) to a group responsible for overall security and individual “ownership” of individual critical systems. Standards encourage different security roles to be distributed among different people, so that the people validating security are not the people providing it. • That information and systems be graded according to their value or need for protection, that regular risk analysis be performed, that security resources be allocated accordingly, and that emplaced security is examined and audited regularly.
7 8 9


Business Data Security

• Controls for restricting access to systems and information to those with a need to access them, protection of information within the business from inadvertant disclosure, and safeguards for information in transit to and storage by third parties. • A defined process for keeping systems up to date and for approving changes to systems, policies, and procedures, including testing systems changes before implementation. • That breaches of security, suspected breaches, and suspected vulnerabilities are reported. • Staff education in security practices and requirements including clearly written and consistently enforced policies in acceptable use of computers, networks, information, and company-owned software. • Physical security to prevent direct access to critical systems and information. [Isf-2005a SM1.2, Itgi-2005 pp 119-122, Dhhs-2003, PciSsc-2006] So the bottom line, then, is that these policies need to be written in some form and some record needs to be made whenever they are implemented. For businesses on the small end of the range, reading and trying to implement these standards can seem daunting. A small business is unlikely to have an “IT Steering Committee” or any kind of complex approval process for software changes, beyond, perhaps, John and Susan sitting down over lunch. PCI DSS, HIPAA, and ISO 17799 make some allowance for small and medium-sized businesses. Cobit®, aside from its other virtues, makes assumptions about the size and structure of the business. Even if a process is simple and informal, it is still worth documenting and recording the decisions made. Like the process itself, the documentation will not be very complex. Regarding John and Susan, for instance, the following might be sufficient: Met with Susan today to discuss the changes to the backup system. Showed her the research I had done on Acme Corp's product, including favorable security reviews. She expressed reservations over committing to a single vendor, but we both agreed their product would best fit into our current structure, particularly the accounting system. Decided to go ahead with purchase and rollout. — John. It documents an approval process, records that research was done, (printouts of reviews can be added to the file) and details the reasons for and against the decision. Not only is this a step toward standards compliant procedures, but it means that a year or two down the road you can look back at the file and see why a particular change was made. All too often, people are afraid to challenge old systems because they do not remember why the decision was made and that those reasons may no longer be relevant (perhaps because the old accounting system is no longer used). Lastly, the document is simple and adds little overhead. Many other requirements can initially be filled in a similar fashion. In a small business, it is unlikely that there will be many systems, categories of information, or classifications of employees which need to be documented. Workflows will be short and simple. Documents and policies can grow with the business and as problems are discovered. One complexity which should not be ignored is the fact that Information Security records themselves are a category of document which may need special handling! For instance, HIPAA requires that security policies and records must be retained for six years [Dhhs-2003 §164.316b2i]. Documents that contain sensitive security information may need to be protected, and documents such as logs which may accidentally contain personal, confidential, or otherwise sensitive information may need to be protected, redacted, or deleted on a schedule. Frequency and type of audits varies widely on the needs of the organization, budget constraints, and perceived risks, but there are some rules of thumb.


Business Data Security

Many tools, such as virus/malware scanners, vulnerability scanners, and intrusion detection systems can be run daily without intervention but someone must actually look at the output in order for them to be effective. Some tools can automatically send reports to a central location, such as an administrator's email, (emv 20070424) example? and this should be looked for when selecting tools. The difference between a successful and a failed run should be immediately obvious, especially if many systems are being scanned, otherwise problems will be lost in noise. Quick checks of security status can be performed at a weekly meeting. As noted above, a printout from a problem tracking application is an effective and efficient way to view recent activity and outstanding issues. A more thorough check of maintenance records, security reports, and other documents can happen monthly, with a full top-down audit quarterly. The frequency of external audits depends on many issues. First, external auditors tend to be expensive, so there is no sense in bringing in an outside auditor without having done a full internal audit first. Why pay someone to catch mistakes you might have fixed yourself? Instead, use the external auditor to verify your internal procedures and find problems that would never have crossed your mind at all. How often you do it depends on whether you have any requirements to maintain a certification; if so, you will likely need an external audit on a regular (say yearly) schedule and may have the threat of random spot checks. If you are not required to audit on a schedule, then you need to look at how the cost of the service affects your budget and how quickly your procedures change. If you have relatively stable procedures and regular internal audits, it may make more sense to spend the time and money on other security needs and bring an outsider in less frequently. No matter what you decide, make sure an auditor you hire is aware of your security goals, resource limitations, and the threats you are intending to address so they can concentrate their effort where it will give you the most benefit. There is no sense in paying money to have them point out problems you have no intention or capability of fixing.

I like to set up an internal web page with all of the security policies clearly laid out. Employees should bookmark this page in their web browser. During an audit, if they cannot remember a specific policy, they can quickly navigate to the required page and demonstrate that they know how to find the needed information. This also helps with the inevitable nervousness that going through an audit brings and makes sure the employee responds with the most current policy. The obvious exception to this is backup and recovery procedures which must be printed and bound so that they can be accessed when computers and networks are not functioning. An external auditor may examine many things. They will examine your policies and a representative sample of your records and documents. They want to know whether your policies are sound and whether you actually follow them consistently. They will likely quiz random employees to see if they know and understand your policies and their responsibilities. Depending on the type of audit, they may also examine your physical layout and security (are cabinets locked, unoccupied terminals logged out, can a security monitor be seen by someone on the other side of the desk?), or try to break into your network or computers. Good security auditors will try “human enginering” to trick your employees into violating security. When preparing for an audit, you must anticipate these tactics and ensure that everything is in order.

An Incident Response Plan
No matter how good your security is, you will eventually have to deal with an incident. Various regulations require you to have a documented Incident Response Plan [Dhhs-2003 §164.308a6, PciSsc-2007 §12.9, CaSenate-2003], but provide little guidance as to how to organize or implement such a plan. Common IT management standards also offer little help [Isf-2005a SM5.4, Itgi-2005 DS5.6, DS8], with ISO 17799 providing the most detail [IsoIec-2005 §13]. The Computer Emergency Response Team Coordination Center10 (CERT/CC) provides a detailed handbook on organizing a Computer Security Incident Response


Business Data Security

Team or CSIRT [SeiCm-2001]. The discussion here will provide an overview focusing on practical rather than organizational matters. A security incident may take many forms: • A physical break-in where equipment or media is missing or may have been accessed. • An attempted network or computer break-in. • A successful computer or network break-in. • A virus or malware infection. • Missing (lost or stolen) media or hardware. • Unauthorized access to documents or data by an employee, vendor, or third party. • A Denial-of-Service In some cases, you may not be able to tell whether confidential data was actually accessed or copied and may need to assume the worst, at least until the incident can be completely investigated. Attempted accesses should be reported, even though they were not successful. Reporting attacks to appropriate authorities, beginning with the owner of the network which originated the attack, can help other organizations locate and close security holes and may temporarily eliminate an attacker. An attacker who fails to gain entry repeatedly only needs to succeed once. Make sure that security rules are modified to block or monitor repeated access attempts from the same source. If (as is likely), there are too many attempts to report, choose the attacks which target software and services you run and therefore concern you the most. When a security incident is discovered, there are three immediate goals:

Immediate Goals
Contain the Damage Restore Services Stop the spread of an infection, close the hole an intruder is using to enter, and protect data from unauthorized access. Get computers, systems, or services back into (safe) operation so that business can continue. This may mean that services operate in a degraded (slower or reduced functionality) mode until complete repairs can be made and security reestablished. Any data which can identify the attacker, the means of entry, or the amount of data they may have accessed should be preserved for later analysis.

Preserve Evidence

Make sure that the appropriate points of contact for reporting incidents are well posted. An internal webpage is probably a good idea and gives you a place to post advisories and reporting guidelines. If you or your security vendor relies on computer-based reporting and tracking, make sure there is also an alternative, since problems involving computer, network, or account failures will need to be reported too. Implicit in these goals is a means to actually identify and report the problem in the first place. This requires some point of contact(s) who is/are assigned to incident response and available, preferably 24/7. Problems may also be reported by automated systems which may be set up to page or otherwise notify on-call administrators. These personnel start an incident report and classify the problem. Next, they refer to policy


Business Data Security

to determine what other members of IT, Security, and Management need to be involved and how quickly. Then, if the problem is legitimate, they attempt to satisfy the three immediate goals. The group of Security, IT, and Management who are involved in handling security breaches are the Incident Response Team, sometimes referred to as a Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT). We use the acronym CSIRT here. In the early stages of dealing with a security breach, a heavy-handed approach is often safer and easier. For instance, it may be simplest to remove a compromised machine from the network and temporarily install a different machine for an employee. This will give your CSIRT time to examine the machine properly and make sure that the threat is completely removed. Anti-virus programs will try to remove a detected infection, but the truth is that they are not often successful. A virus may very well make changes or install software that the anti-virus cannot detect or cannot safely undo. Similarly, a hacker having broken into a web server can hide changes in many subtle places which might provide a means of reentry. A complete reinstall is safe, thorough, and may even be faster than attempting repairs. The heavy handed approach, however, means that you must budget for some spare hardware and make sure that documents are backed up regularly, both of which will protect you from other kinds of incidents as well. Remember that replacement hardware is temporary and need not be as fast or fancy as the original system.

Act quickly and decisively: A PC can always be restored to a network and accounts reenabled after they are shown to be safe. You will not be able to recover confidential data that has been copied to somewhere beyond your control. The heavy-handed approach should also be taken with possibly compromised accounts. If you have reason to believe that an account has been compromised or has been used for unauthorized access to data, lock it, and seriously consider locking all accounts used by the same person until you can interview the employee, scan their PC, laptop, etc., for malware, and change their passwords or credentials. Overzealousness should not be a problem as long as everything you do is reversible, your investigative process is streamlined, and you keep people informed of what actions are being taken and why. Once a compromised system has been isolated, data should be gathered for later examination. Some of this can be gathered from the live machine with computer forensics software or hardware to examine memory. In particular, you can record what programs are run and where they attempt to connect to. Live forensics programs have serious limitations, however, and can be hoodwinked by infections which have gained deep control over the operating system [Higgins-2007]. Any relevant network or other access logs should also be copied and stored along with applicable physical security information such as check-in/check out times and CCTV footage if local access is suspected. Almost immediately, a copy of the hard-drive should be made (an image). In fact, it is best to make two, one to preserve untouched for law enforcement (if applicable) and one to actively examine. Then the hard drive can be wiped clean, reinstalled, and put back to use. One attraction of virtual machine (VM) technology is that the “hard drive” the operating system is running on is not real, but is in fact a drive image stored in a file. That image can be copied or reset to an earlier (and safe) state quickly and easily making cleanup from break-ins fast and efficient. When gathering evidence, be careful to keep a documented chain of custody; record who handles each piece and what tests are run. Print and store output of all procedures. If at all possible, ensure that all actions have an additional witness present. Your legal counsel will likely have additional advice for preparing evidence which can be used by law enforcement. Throughout this process, be careful with communication about the incident. Ensure that team members verify the identity of who they are communicating with (employees, IT staff, vendors, authorities, etc.) and protect the privacy of the communication. Impersonation to obtain security information is common. Information leaks can start rumors and undermine the handling of an incident before an investigation can


Business Data Security

be completed. They may also inform an attacker of the progress of an investigation. The CSIRT should control the release of information to ensure that it is accurate, complete, and does not compromise security. [BrownleeGuttman-1998 pp 5-6, West-BrownEtAl-2003 pp 106-110] After the initial stages, incident response can take any of several directions, depending on what was compromised, how it was compromised, and whether it can reasonably be expected to happen again. This is where clear policy and clearly defined responsibilities are critical, and their exact form depends on the size and type of business you run. Your overall goal, however, will be the same: comply with all regulations and privacy rules to resolve the incident and prevent recurrence with as little disruption as possible. The CSIRT team is not there to play policeman unless there is something to be gained. What you do next will depend on some of the following questions:

Follow-up Questions
• How did the incident occur? Is this incident related to other incidents? • What permanent changes need to be made to prevent recurrence? Is it covered by a support agreement or contract? Is this a technological or a policy problem? • How was the problem discovered? Could it have been discovered sooner? Should a warning or advisory be issued? • Was the incident a result of a broken policy or agreement? Does action need to be taken? • Is there enough evidence to involve a 3rd party such as a security organization or law enforcement and pursue the criminal? • Was, in fact, confidential data compromised? Could it have been copied somewhere outside of business control? Can the thief potentially read/use the data, or is it strongly encrypted? • If data was compromised, who does it belong to? What other parties must we inform to comply with regulations and contractual obligations (e.g. customers, credit card companies, vendors with confidentiality agreements, etc.). Do we have contractual liabilities? • If our data was compromised or destroyed, what can we do to mitigate the loss? Is a loss covered under an insurance policy? • Were sensitive records modified or destroyed (billing records, account information, contracts, access logs, employee records, etc)? What can we do to identify fraudulent records and restore them? Is our backup and recovery system working? • Was our system used to attack other systems (such as visitors to our web site)? Did these attacks succeed? Who do we need to inform? • Do we need to make a public statement or control negative publicity? The answers to these questions should result in a list of action items to be passed on to other parts of the company, such as IT changes, policy updates, legal actions, press releases, and so forth as necessary. In a small company, of course, these actions will be handled mostly by the same people wearing different hats. The team should also produce a clear and concise report of the incident and a summary of the actions taken for the record. A heavy-handed approach is appropriate early on, but the response should be more reasoned as the incident is investigated. In particular, be careful to differentiate between a possible inside job, a violation of policy, and simple human-error. If management is too quick to hand out blame, less incidents will be reported in the future.


Business Data Security

Each set of regulations you must comply with will have its own slightly different set of definitions for what constitutes a compromise, when, and whom you must inform. As an example, regulations may only care about incidents in which certain combinations of data are released, such as addresses and social security numbers linked to first and last names (e.g. California SB 1386 [CaSenate-2003]). Either these details must be codified in your own policy, or you simply need to have your policy refer to the relevant sections of the regulations and go through them as needed. For serious breaches, you will need legal counsel to help you navigate this minefield. As you go through the process, you will likely build up boilerplate letters and forms to streamline many of the steps. In addition to complying with regulations, you may need to coordinate with outside agencies such as other CSIRTs to: • Report software vulnerabilities. • Obtain technical support. • Help track or apprehend the criminal. • Obtain more information about the attacker such as means of entry, whether data might have been stolen, and what it might have been used for from other ongoing investigations. • Warn others of attacks which may have been made from your network or infections passed on. • Obtain outside review of proposed solutions. In order for interoperation to work, you will need to give thought to confidentiallity arrangements, preferably beforehand. What information can you share with an outside agency? What confidential information might need to be redacted from incident reports or logs? What limits on use of the information do you need to communicate to the outside agency? You must also make sure you have prepared legitimate points of contact with the most likely outside agencies so you can maintain the privacy and integrity of the communications [BrownleeGuttman-1998 pp 5-6, 11-14, SeiCm-2001, West-BrownEtAl-2003 pp 112-115]. At the end of the process, one last set of questions should be asked:

• What is the approximate cost of this incident? • Were the actions taken timely and appropriate? Could the reponse have been improved? • Did the Incident Response Plan work? Are the roles and responsibilities appropriate? Does the plan need adjustment? • Did the CSIRT have the resources needed to do its job efficiently? What might make the job easier? A brief treatment of these questions, perhaps directly including comments by team members or employees involved in the incident, should go in an after-action report to be filed with the incident and be considered in future responses.

The US-CERT Vulnerability Database11 is a good source for information on current threats. There is a mailing list available for daily announcements. You should also check regularly with your software and security vendors for problems and fixes.


Business Data Security

In addition to clean-up after incidents occur, the CSIRT in most organizations is also responsible for tracking developing threats by monitoring announcements of security agencies, vendors, and peer organizations, informing IT staff, and drafting warnings or advisories for distribution to employees, customers, and other stakeholders.

Making IT and Security Purchases
Avoiding the Lemons
When I was younger, I went on a mission with my dad to buy a used car. We took my uncle along, who owned a repair business, and took a look at several “deals”. I remember one in particular, a blue Ford sedan of some description with low mileage and a decent price. My father talked to the salesman while my uncle poked around the car. The salesman was expounding the virtues of the vehicle when he noticed what my uncle was doing. “Is he a body man?” the seller asked. “Yep.” my dad answered. The salesman immediately gave up the pitch. Many years later, I think back to that car when making purchase decisions. Aside from sound policies, security awareness and training, threat tracking, one aspect of proactive security is sound IT purchasing and deployment. This is not an easy subject and there is no magic formula, especially when a business is bound by legacy systems and a need for compatibility with customers, vendors, and government agencies. There are many snake-oil salesmen. Common products are released to market much too soon and, as a consequence, rife with vulnerabilities. The problem can be illustrated by the Secustick™, a password-protected USB memory stick which is supposed to erase itself after several failed access attempts. The device was used by many organizations for sensitive data— until it was demonstrated that its security was simplistic and could be broken with minimal time and effort [Tweakers-2007]. Noted security expert Bruce Schneier discusses this device in his column, Security Matters, the general poor quality of security technology, and the difficulty of IT customers in separating the wheat from the chaff, comparing the industry to the used car market. In general, he says, in any industry where the seller knows more about the product than the buyer, good products are undercut and people tend to buy lemons: Take the market for encrypted USB memory sticks. Several companies make encrypted USB drives— Kingston Technology sent me one in the mail a few days ago— but even I couldn't tell you if Kingston's offering is better than Secustick. Or if it's better than any other encrypted USB drives. They use the same encryption algorithms. They make the same security claims. And if I can't tell the difference, most consumers won't be able to either. —[Schneier-2007] In this section, I try to improve your chances of “getting it right,” but in general: • Don't lock heads with technology zealots; different technologies, different approaches, have their place. • If it ain't broke, don't fix it; do not rush to embrace brand new technology. • Use a defense in depth; do not bet everything on one product. • Consider product failure in your risk analysis; what happens if you need to switch vendors or downgrade due to an intractable problem? I will mainly focus on security-specific software, but much of the discussion will apply to products containing security features and IT decisions generally.


Business Data Security

Simple, Proven, Standard
What's In a “Standard”? There is a lot of confusion between the words standard, de-facto standard, open, and open source. These terms are discussed individually in the glossary, but we will discuss them in relation to IT purchases here. Standards are published specifications which anyone can examine. Open standards are maintained by some form of group consensus and licensed so that anyone, even direct competitors of the publisher or submitter, can comment on them or use them. A standard provides the benefits of peer review and interoperability: a potential user can depend on the process to provide some guarantee that compliant products meet some level of quality and function the same as other compliant products. Interoperability allows the user an out if a product they depend on turns out to not meet their needs due to quality, legal concerns, security, scalability, or cost. De-facto standards, products or practices in common use throughout the industry but not specifically defined, do not give the customer any of the benefits of an open standard and may lead to vendor lock-in. Specifications which are encumbered by intellectual property licenses, non-compete agreements, or non-disclosure agreements are not “standards” for our purposes here, since they do not benefit from peer review or interoperability. To be useful, a standard must allow and encourage open competition. Open source products, products whose source code is publicly available and group maintained, have the aspects of peer review and group control, but are not themselves “standards” and may or may not interoperate with other products. Many open source products, however, are also standards compliant. For instance, the popular Apache Web Server implements the Hypertext Transfer Protocol (HTTP) and the Common Gateway Interface (CGI) standards, among others, and does essentially the same job as any other web server. Linux™ closely follows the UNIX™ operating systems standards and Linux applications can easily run on other UNIX systems such as Sun Solaris™ or Apple's OS X™. Standards, like any process involving humans, are not perfect. In the groups I have been involved with, hundreds of emails can sometimes be spent arguing over details which eventually get tabled and left ambiguous in the specification because no one can agree on a single approach. Industry guidelines or recommendations fill gaps until the standard catches up and, in the meantime, customers experience incompatibilities and headaches. In the end, however, standards help customers get what they want and know what they are getting. Generally, people are concerned about three aspects of security technology: cost, functionality, and effectiveness. Only two of those can be effectively judged by most consumers. Cost, or, at least, price, is an easy item to judge. Features is a little bit tougher, particularly if unwilling to take vendor claims at face value. Fortunately, it is relatively easy to find press reviews for many products which will describe basic features and ease of use. Ease of use impacts Total Cost of Ownership (TCO) by affecting support and training costs. Ease of use also impacts effectiveness to the extent that a product which is difficult to use or understand will probably not be used properly. Reviews of product effectiveness, especially competent ones, are much harder to find. Press reports stick to features and price in reviews because they require less expertise to write, do not require expensive labs, are faster to market, and do not lose the reader in the first paragraph. Not only is the effectiveness of a security product hard to judge, it is also hard to get right. Security requires expertise, a disciplined process, and rigorous testing, all of which is expensive. Leaning on established, standard, technology helps, but even when using a standard, an encryption algorithm, for instance, the vendor must make sure that their implementation of the standard is correct and nothing in the product around it undermines the security. Independent certification raises costs even further. If a product


Business Data Security

is competing on price, features, and effectiveness, an effective product must sacrifice somewhere, and features is a good place to cut since a simpler product is also easier to test. A corrolary here is that a product which is priced well and has an array of features is probably not well tested— the books have to balance. Many commodity software and hardware products are released well before they are ready and are tested by consumers, with a steady stream of bug-fixes, security patches, and driver updates. A disturbing trend is the number of such products, especially short-lived consumer hardware, where the vendor does not even bother to fix the software problems, expecting the consumer to just upgrade to the newest hardware. I have several such paperweights on my desk right now. The prudent shopper, therefore, looks for the simplest products that will do the required job. Remember that simple components working together make up a defense in depth (see the section called “Create a Defense In Depth”). In many cases, you will find that the extra features are not needed and may just make products harder to use and understand. Other than reading like something out of Mission Impossible, there is no real advantage to a self-destructing memory stick versus one which merely uses strong encryption. A self-destructing drive protects the data if the wrong password is entered; an encrypted drive, by being simpler, also protects the data if the drive is taken apart. Products which include security features like built-in encryption have historically been very weak (e.g. zip-file or Word document encryption). Many times these features are an afterthought and are not given as much attention as the rest of the system. The vendor may not even have the in-house expertise to do the job right. It is therefore better to get simpler applications and use dedicated external tools to provide security. This also offers the option of changing those tools if you find that they do not suit your needs. On the other hand, integrated security features are easy and convenient; it is much easier to check a box saying “encrypt this” then to remember to run an extra program. The best of both worlds may be applications which provide a framework for 3rd party plugins so that the “encrypt this” checkbox runs the tool of your choice. As an example, Firefox does not have built-in anti-phishing protection, but I know of at least three Firefox addons which do and have chosen one I find useful. I also use a 3rd party plugin to provide encryption in the Macintosh Mail application I use. The applications and plugins remain simple and dedicated to their tasks while retaining convenience. Look for products that have been audited by independent labs, have in-depth security reviews, or feedback by security professionals. This will necessarily steer you away from the newest whiz-bang technology and toward the cars that have a good track record and high resale value. It is often better to let others blaze the trail and simply learn from their mistakes. Take statistics-based security reviews with a spoonful of salt (“X product had 79 vulnerabilities last year, while Y product had 32. Y is more secure.”). Statistics can be twisted to serve almost any purpose and that class of report is often highly slanted: How serious were the reported problems? How many were actually exploited? Were the problems self-reported or independently found? Do the numbers include bundled software? How fast were serious versus minor problems fixed? What counts as a separate vulnerability? etc. These reports can provide useful insights, but, unless you have time to check all of the underlying assumptions, be wary of them. Favor products that implement or use standards compliant technology. From a security standpoint alone, this yields several advantages: peer review, group control, interoperability. I have harped on peer review quite a bit. Group control gives the business a chance to participate in the process (if necessary or desired), and protects the competition needed to make interoperability meaningful. Interoperability is critical from two directions. First, interoperability allows customers to switch tracks if one product or technology fails to meet their needs. If a database system is found to be insecure and cannot (or will not) be fixed, you must be able to get your data out of it and into another product. You must also, with as little disruption as necessary, get a new database product to fit into your IT structure, such as an online ordering sytem. If a customer has no real ability to do this, then a vendor has no pressing need to test their product, offer timely support, compete over price, or virtually anything else.


Business Data Security

With a de-facto standard, the definition of the technology is not written down and is only really understood by the primary vendor. Whenever a competitor gets close to figuring out how it works, the vendor simply makes slight changes in the technology in order to break competing products; while good for the vendor, it is never good for the customer. Microsoft Word™ is the classic example of this kind of practice. Second, without interoperability, a monoculture may develop. A monoculture is a situation where everyone's defenses are identical to everyone else's, in this case because they are all running the same software. An attack which works on one system works just as well on any other, and infections spread very quickly— resulting in the Irish Potato Famine or the current situation with Internet worms. With standards in place and marketplace competition, different businesses have somewhat different software. The software is interoperable, but is unlikely to have the exact same problems. One of the reasons that Linux systems, for instance, are not as vulnerable to attacks is because of different distributions (“flavors”) of Linux. Linux systems are just different enough that an attacker must treat them individually rather than launching fully automated attacks. This is not to suggest that every business can drop Windows and use alternative systems (or even that this is entirely desirable), but it is food for thought: sometimes change is good and sometimes just the clear threat of alternatives can force vendors into line. One place where standards compliance is starting to change the nature of threats is with Internet browsing. The increase in market share of non-Internet Explorer browsers (e.g. Firefox, Safari, Opera, etc.) is encouraging web designers to make their pages work with more than one browser. Businesses are better protected because Firefox users are immune to IE-specific threats and vice-versa. As the numbers continue to change, attackers have to work harder to affect the same numbers of people and increased competition is driving all of the web browsers to improve.

The Limits of Detection, Repair, and Forensics Software
This discussion deserves its own section just because it concerns claims often made by product vendors and generally misunderstood by customers. I touched on this issue in the section called “An Incident Response Plan” when discussing forensics. Specifically, there are clear limits to what malware detection, repair, and forensics software (even hardware) can do. Specifically, once a system has been compromised, that is, an attacker has gained administrative access, then, by definition, you no longer control that system.

Once an attacker controls a system, no information from it and no operation on it, including the functioning of any security software, can be entirely trusted, no matter how simple the problem appears to be. The only safe course is to boot a safe copy of the operating system and system files, preferably from unwritable media. Essentially, administrative control of an operating system allows the attacker to change reality. They can alter system files, device drivers, security settings, etc., limited only by their imagination. They can force file browsers, virus scanners, or intrusion detection systems to see only what they are allowed to see. Sure, in many cases, simple viruses will not go to these lengths, but attacks are becoming more sophisticated, and it is quite possible for an attacker to offer up a red herring to a repair program while keeping the real danger hidden. Recent discoveries have demonstrated ways to hide in “safe” parts of Windows Vista designed to prevent users from copying copyrighted files (DRM). Ways have even been discovered to hide from hardware-based memory scanner [Higgins-2007]. Network-based scanning and forensics software has even more difficulties, specifically software designed to analyze a system to determine if it complies with security policies (anti-virus software, current OS updates, etc.), and software used to remotely diagnose problems. These products can be actively dangerous if they are allowed to generate a sense of complacency. This category of software relies on support from the local machine. If the machine is hijacked, it is not difficult for the attacker to answer “Yes, I'm fine.” to any question asked of it. It is like screening someone at an airport by asking, “Are you carrying a bomb?”


Business Data Security

That is not to say that these categories of software are entirely useless, just that their use falls quite short of their marketting descriptions. Further, their shortcomings are not due to flaws in their manufacturing; they are fundamental to the nature of the tool. Network analysis tools can catch accidental mistakes, like forgetting to update a machine or plugging a foreign laptop into the network. When they detect a problem, such as an infection, the results can be depended on insofar as a problem really exists. Tools can be set up to automatically page administrators or quarantine dangerous PCs. They cannot be depended on to correctly identify an infection, remotely repair a compromised system, or locate a clever attacker, and must be backed up by regular direct examinations of the individual machines. Part of the reason for their popularity is that a true remote solution to the problem would be a tremendous time and money saver, allowing much greater centralization of support resources, earlier detection times, and faster incident response. In practice, however, the solutions are just not workable. Similarly, forensic tools run on the local machine can provide useful information as long as it is clearly understood that the attacker is calling the shots and time can be dedicated to unravelling layers of deception. On the other hand, most businesses can probably do just as well by making a safe copy of the disk and leaving it to dedicated security experts with the tools, techniques, and expertise to perform that kind of analysis. Meanwhile, wiping and reinstalling (despite its implications for downtime) is the safest repair technique. Downtime can be reduced if a spare of a critical system can be set and ready to go. Then you just have to transfer data. Imaging and restoration software is also a great help. If you are restoring documents that can contain macros or scripts to a system that was infected (e.g. Office documents), be sure to scan them for viruses first or you may have to do it again.

Freeware versus Open Source
Here we discuss a bit about the differences between “Freeware” and open source software (which is sometimes called “Free Software”. This can be confusing and has implications for security. Freeware is often blamed for security problems, and rightly so. Freeware, as used here, includes a whole host of downloadable gizmos, games, and gadgets which many computer users cannot resist. Some of these programs are actually free and some of them start out free then request payment in some fashion (after a time period, to access more features, to remove advertisements, etc: “shareware”). Many of these programs are advertisement supported and are essentially the source of much adware, spyware, trojan horses, and so forth. There are good and useful programs in the mix as well, but finding them takes some detective work. Spyware programs attempt to detect the bad apples but require constant updates to keep up with new problems. Open source, which has been called “Free Software” at times, is a very different beast. The Free Software moniker has been explained as “Free as in Freedom, not Free as in beer”, referring to the ability to view and share source code, but due to confusion with Freeware, open source has become the preferred term. Open source is a type of software that is developed by a group effort, consisting of some mix of individuals, companies, non-profit foundations, and government organizations. These groups contribute time, money, equipment, and direction to the project in return for free access to the product. Open source products of one sort or another underlie much of the structure of the Internet, such as the Domain Name Service (DNS) backbone, most of the Internet web and mail services. Commercial products are sometimes hybrids of open and closed source: Apple's OS X runs on top of the free BSD UNIX operating system, LinkSys™ uses the free Linux operating system in many of its consumer router products, as does Tivo™ in its personal video recorder, and even Microsoft uses BSD code in its Windows networking stack. Contrary to many opponents of open source (generally companies facing competition from open source products), project development tends to be a very controlled process where changes are carefully approved and anyone can view both the current state and the complete history at any time. This makes sneaking in deliberate backdoors very difficult and often makes finding and removing security holes an easy process. Contrary to many open source zealots, open source is not universally better. There are many more open source products in existence than closed source, and many are of poor quality or have


Business Data Security

languished because of lack of interest. In these cases, progress is slow and fixes to problems may not happen. Sometimes commercial products are better designed because they benefit from a single point of view instead of degenerating into arguments about different approaches. Open source often approaches problems differently than common products and there can be a significant learning curve. In general, however, open source processes do quite well for most purposes and the projects which survive are of very high quality. The availability of source code drives competition for support contracts or customization. Sometimes you will find that alternative products approach things differently because a different way is actually safer and more efficient for some users. In any case, I would seldom recommend that a company “take the plunge” unless their is a significant business need, but slow incorporation of open source products, especially at the server level, can reduce costs, open opportunities, and reduce vendor lock-in. As an aside, I myself hated UNIX/Linux until one point in college where I forced myself to use it exclusively for three weeks: writing papers, email, and so forth. Once I got an idea why the system worked the way it did (there was no OpenOffice back then and UNIX was designed at a university level with an emphasis on scientific and technical writing), it gave me a lot of insight into different ways to approach even tasks as mundane as office work. Those insights still serve me today as I write a large technical document on a system (Apple OS X) with UNIX underpinnings. Different tools for different jobs.

Your Network Layout
In this section, we describe common components of a business network and how they relate to security. If you have a very small business and few computers, one component may do double duty and take the place of several others; we will discuss this where appropriate. Figure 1, “Network Layout” shows common network components.

Figure 1. Network Layout


Business Data Security

Network Components
Internet. The Internet is often pictured as a cloud because the protocols it uses are designed to not care about how they get from point A to point B. If you are in California sending data to New York, it might go by way of Illinois, Texas, or anywhere in between. This makes the Internet highly resilliant in the face of network failures, but it also means you have little or no control over your data once it leaves your own network. Encryption technologies, such as SSL in web browsers, helps to protect your data as it crosses the great unknown. Internet Clients. Somewhere out there are PCs owned by your clients and customers which need access to your services, such as your company website, online store, or real estate database. Some of these PCs may have been compromised by viruses or hackers; some of them may be hackers. Your challenge is to protect yourself and your users from fraud while still making your services easy and convenient to use. Internet Servers. Also out there in the cloud are the Internet services your business uses, such as vendor websites, email from business partners, and so forth. Perhaps your own web site, email, or other services are hosted on a third party server. As with customer PCs, 3rd party services may be illegitimate or may have been taken over by the bad guys, so the benefit of outside services is always balanced by some element of risk. Router/Firewall. A router connects one network to another. A router is like the on/off ramp to a highway. It connects a collection of local roads to a public expressway. Routers form the interchanges and junctions which allow data to find its way across the world. A large organization may have several routers connecting different sections of its network. A small organization generally only has one, connecting its internal network, or Intranet, to the Internet. Most routers designed to connect to the Internet contain security software to deny unwanted traffic and protect the local network; this is called a firewall, or specifically, a hardware firewall. The firewall is your first line of defence against the outside world. A firewall may be included in other consumer network products such as DSL Modems and wireless access points, but products vary greatly in sophistication and quality. DMZ Servers. The DMZ or Demilitarized Zone is an area in between the internal network and the outside world. The term refers to the land-mined stretch of land between North and South Korea. The DMZ is a dangerous in-between space used to house the services, such as web sites and email, your network provides to the Internet at large. Simple firewalls may only allow a single computer in the DMZ, a DMZ Host, and provide no protection to it at all. Higher end firewalls support an entire network of servers and can provide them with configurable protections from attack; note that PCI DSS requires specific protections for DMZ servers [PciSsc-2006 § 1.3)]. PCs. Of course, your network contains PCs, where your employees actually do their work. Although your PCs are protected by a firewall (you do have a firewall, don't you?) from direct attack, PCs are often used to connect to services on the Internet such as web pages and email and bring things back with them, including viruses and the aptly named trojan horse programs. In addition, PCs, in the hands of a shady employee, can be a source of attack themselves. Lastly, PCs, especially laptops, can be stolen with all of their data. PCs can also mount a battery of defensive software, including virus and spyware detectors, their own, software-based, firewalls, layers of roles and permissions in the operating system, and document encryption. Intranet Services. Besides PCs, you probably have some servers, PCs, or devices that provide services to the inside of your network, such as some shared files or maybe a printer. Consumer products such as printers or hard drives that simply plug into a network have come a long way, so even small shops may have network servers without even thinking of the computer inside. Larger business may have shared databases and applications for payroll, accounting, claims processing, etc. Protecting shared resources, especially those containing confidential data, is important. Many networks also have some system for centralized storage of usernames and passwords, determining who is allowed on the network and who is not. 33

Business Data Security

Dialup or Remote Employees. Many businesses provide some way for employees to connect to the business network from home or while on the road. Sometimes this is a convenience for telecommuters, and sometimes it is a necessity for travelling sales staff or for on-call technical staff who need to troubleshoot problems from remote. Sometimes this is dialup, Virtual Private Network (VPN), or products like GotoMyPC™12. Sometimes it happens without the company's knowledge. At several large organizations where I have contracted, the IT staff found and removed illicit dialup connections on a regular basis. gotomypc creeps into companies under the radar. Remote connection can be a productivity boost, but it also presents problems because it allows a potentially compromised employee PC to connect to the inside of your network and spread viruses, not to mention that a virus-infected PC will probably report the employee's password to its controller. Sneakernet. Toting disks back and forth, often affectionately called sneakernet, is another way for data to get out of your business and for viruses to get in. Unfortunately, employees will often resort to it if remote connections (e.g. dialup) are not allowed or other security restrictions are too tight. Disks, USB drives, and whatnot are easily misplaced or stolen. USB drives with built-in encryption can reduce the danger of lost or stolen devices. Wireless Access Points. Wireless networking, Wi-Fi™ or Airport™ networks are a very convenient way to link computers and peripherals like printers. No wiring has to be run and devices can be freely moved around, which is especially convenient for laptops. On the other side, wireless traffic can be snooped on and wireless networks can be broken into more easily than getting through a firewall, so caution is in order [Lemos-2007b]. For laptops with wireless support (or bluetooth®, a similar technology for connecting keyboards, phones, and so forth) your computer can be hijacked when you are in a public place, such as a cafe or hotel lounge, unless you protect yourself. WEP, the encryption used in first-generation wireless networking equipment, has been cracked and is essentially useless. You should (and may be required to) either upgrade old equipment to something that supports WPA or WPA2, or rearrange your network so that it does not depend on the security of the encryption (see the section called “Disappearing Boundaries”) [TewsEtAl-2007, PciSsc-2006 § 4.1.1]. As mentioned above, some networks may be much simpler than this, especially for SOHO workers, telecommuters, or sattelite offices. Figure 2, “SOHO Network Layout” shows a different setup, much closer to what my own home office looks like.


Business Data Security

Figure 2. SOHO Network Layout

, , : Internet, Internet Clients, and Internet Servers have not changed from the previous example. The changes are explained below.

SOHO Network Components
Wireless Access Point. A combined wireless access point, firewall, and print server, such as the Apple Airport Base Station, or any number of products from Linksys™, D-Link™, etc. Many of these have one or more wired network ports as well as the wireless capability. Shown here, the printer would be connected to a USB port on the access point, the main PC and Internet service by network cables. Remember to change the default administration password as soon as you get your device. Hosting Provider. In this example, there is no DMZ, and no services are provided by the local network. Instead, there is a web hosting provider who provides email, domain registration, and a web site. In all likelihood, there are many businesses with web sites and email all running on the same remote server (“shared hosting” as opposed to “dedicated hosting” which is more reliable and secure but much more expensive). The web site may be an e-commerce site or it may just be informational, with the business doing its sales directly, through e-bay, an online contract brokerage, or some other venue. This network may also have a dial-in or VPN connection to a larger corporate network, or perhaps several for an independent contractor. Office PC. This is the main PC of the office. It is the newest and fastest computer and has a good deal of storage. Files are shared to the network, and a CD/DVD burner is used for backups. Wireless PC. One or more PCs, some of them may be laptops, connect to the network wirelessly. Wireless technology is becoming a popular choice in homes and especially rented space where it avoids unsightly cables or punching through drywall to connect computers. Maybe you have an older PC in a back room. Maybe your spouse does the books on the bedroom PC. Perhaps you sit on the table and work with your laptop. The wireless computers use the shared storage from the main PC and the printer shared from the wireless access point.


Business Data Security

One problem we are all guilty of in home office situations is that one or more machines may be used for both home and business purposes. You or your family members may play games, store music and photos, watch movies, do school work, or just keep up with email on the same computer. This type of mixing endangers business data; you are likely to visit more sites, come into contact with more programs, and have lowered defences when working with personal things and a security problem can compromise your business too. Sometimes, we do not have enough spare cash or space to separate everything out properly. There are, however, some things that can make it safer. If you do not have space for another real computer, get a virtual one. Products like VMWare™13 or Virtual PC™14 let you run another copy of your OS on top of your real computer, like a computer in a window. This can let you separate one world from another and keep security problems on one side from endangering everything else. Failing that, create separate accounts (user names) for everyone who uses the computer and, preferably, a separate account for business work. This makes it harder, for instance, for a security problem in your web browser while checking out the latest NBA stats from scooping up your latest sales report. Lastly, encrypt your business data. I will talk about this in the section called “Protecting Documents”. A shared hosting site can be a security risk. Because your hosting provider uses the same server to handle more than one client's email and web site (often several hundred on one computer), a security problem with one client can spill over and affect others. It also means that a simple hard drive failure will take hundreds of sites down at one go. Do not store confidential data on your web host longer than you need to and back your web site up frequently. Encrypting confidential email is probably a good bet as well. Take care when accessing your web host: always make sure that SSL encryption is working in your browser and if you use FTP to move files back and forth, ask your service provider how to use a secure connection like SSH (Putty15 is a common Windows program).(20070429 emv) FIXME: Put reference here to later discussion on change control.

The Network Perimiter
The Front Gate - Firewalls and Routers
The firewall is your first line of defense. It is set up to only allow certain traffic in or out. In most office environments, no one in the outside world should be allowed to contact your desktop machines (a "denyall" firewall). Any attempts to connect to them are turned away. Business systems that have to interact with the outside world like a web or mail server (assuming you host your own) need special rules and are placed in a special area called a DMZ. The DMZ is a dangerous space in-between your network and the hostile outside world. Your desktop machines are allowed to contact outside services, such as websites or email, but they must also get information back. When you open a web page, your browser sends a request to the web site. This establishes a connection between your computer and the web server. When your firewall receives the request from your computer, it passes it on to the web server, but first, it writes it down in a table. The web server receives the request, looks up the correct page and sends back a response. When the response comes back, the firewall checks to see if there is a valid connection between your computer and the web site. Only data which was actually requested is allowed to come back through. Once the request comes back, the connection is broken16. Firewalls are often configured to let any connection out and all requested data back in. There are many reasons, however, to restrict outgoing traffic to just what your employees really need to do their work.
13 14 15 16 This is called “stateful packet inspection” and, although this is the way that firewalls should be set up, consumer hardware may not be capable of it or may need custom settings to do it properly.


Business Data Security

Network services like web and email are associated with numbered ports. Ports are just what they sound like: a hole in a particular spot to let things pass in and out. Every time data goes through your firewall in either direction, you poke a small hole through your defenses, like opening the gate in a castle. It is aways possible that the soldier coming in could be an intruder in a stolen uniform or that the person going out is an escaped prisoner. Some services, particularly those using a protocol called UDP, make it particularly hard to sort out what incoming data was really requested and what was not. By limiting the number of openings, telling the firewall which ports can be opened and which are nailed shut, you limit your exposure. Another reason to limit outgoing data is a component of a defense in depth. Once an intruder gets into your network, they will need to get data back out unnoticed. Malware will often try to send bulk mail. By limiting your employees to sending email through your own mail system, you stop these programs from functioning. The remote control software which makes zombies work uses something called Internet Relay Chat (IRC). Denying the use of IRC prevents zombies from phoning home. By limiting an attacker's options you make their jobs harder and their failed attempts may be noticed. A balance must be struck between protecting your network and allowing your employees to use convenient tools. I have often used tools to send email to my pager to notify me of problems or tell me when long jobs completed. Blocking outgoing email (without providing an alternative) would have interfered with my (atypical) duties. Finding the correct balance is often a process of trial and error.

The Back Door - Employees On the Go
The firewall works great when employees work at the office behind its protection. It can be a severe nuisance when an employee is working at home or on travel and needs to access email and business files. A number of solutions exist for allowing employees access to the inside of the network from another location, including dial-up, Virtual Private Network (VPN), and products like GotoMyPC™. These technologies have varying levels of protection, some of which can be quite good, but they all open holes in your network which might be exploited by bad guys and they all let an unprotected and possibly infected computer connect to the inside of your network. Sometimes this kind of connection cannot be avoided, such as when an employee needs remote access to a mainframe, factory automation system, system administration, or custom network services that cannot be done any other way. Remote access should never be granted without some thought, however, and other means to access documents and email should be considered as well. Instead of letting employees in, it is also possible to move the data out: to a server in your DMZ, or further, to a vendor's server. Email is easily solved with webmail systems or with a technology called IMAP, which, unlike traditional POP accounts, leaves all email, including user-created folders, on the server to be accessed from anywhere. Remote email can and should be secured using SSL, the same technology which protects online shopping sites; otherwise, it is trivial for others to snoop. Documents can be stored using Content Management Systems (CMS) which allow employees to upload, download, edit, and share documents. A new service called Google Apps™17 even provides web-based office tools so that remote employees do not need office applications. Of course, nothing comes without trade-offs. By moving data out, you remove the protection of your firewall and expose it to attack. If you use a vendor's service to store documents, you are completely dependent on them for security, backup, and so forth. A reputable vendor with a good track record, however, may have the resources and expertise to do a better job at security than you can. Make certain you can get your documents back and move them to another vendor if you need to. Another advantage to moving shared data out is that you can separate your data into sensitive and nonsensitive. Most of your day to day business documents would probably do you less harm if lost or stolen. Many real-estate companies these days publish their current listings on the web, so there is hardly a reason to protect the databases sent to agents in the field. Some documents, on the other hand, would be hard to replace and would be of great interest to others. Perhaps they contain proposals, business plans, legal


Business Data Security

advice, research data, etc. Perhaps you handle confidential data such as medical information or trade secrets for someone else. Whatever it is, your sensitive documents deserve an extra level of protection. You can achieve this by moving your non-sensitive data to an outside accessible system and leaving your sensitive data inside the firewall. If, for some reason, someone needs a copy of an important document, you can make it accessible just once, then remove it immediately.

All your security is worthless if you let the data walk out the door. Which leads me to another point about employees working from home: If you handle sensitive data for someone else, don't let them do it. Period. The news is full of stories (e.g. [Lazarus-2006]) of laptops or CDs being stolen from work-at-home employees with thousands or even hundreds of thousands of confidential records. This is in the news now, but it is not a new problem. If you must transfer confidential data, encrypt it. There are a number of tools for protecting data on stolen computers or for encrypting portable drives, but they are not perfect, so it is best that they not be stolen.

Controlling Web Sites
Another decision often made at the Firewall level is whether to block particular web sites. This is often done to enforce company policies on inappropriate use of the Internet such as preventing employees from viewing or searching for obscene pictures. Another purpose can be to block sites which have been listed as illegitimate or dangerous in online databases. Blocking inappropriate web use can sometimes have a dramatic effect on reducing network bandwidth use. Data archiving policies may also lead you to blocking external email services like Hotmail and Gmail in order to prevent employees from using personal email for businesss communications. If an employee discusses a financial transaction or a personnel problem using a personal email service, for instance, you may not be able to provide that email in response to a subpoena. In addition, use of personal email for a business communication can bypass any security measures you have in place to protect business email. Personal email use at work has both advantages and disadvantages; while being a potential distraction, it may be less of a distraction to others than use of an office phone for personal business. Additionally, forcing employees to always use official email may create confusion as to when an employee is communicating officially and when they are not; an employee would not use company letterhead to send a letter to their child's school, and they should not use a company email address for that purpose either. In many cases, I have seen companies deal with this by having the employee place a clear disclaimer in an email that they are speaking in a personal capacity. In the end, which approach you take may not matter as much as having a clear policy which is consistently enforced. The recent argument over emails in the Department of Justice attorney firing scandal indicates that White House policy on email use is neither clear nor consistent and it has gotten them in trouble regardless of underlying issues [Rasch-2007]. Web site blocking can stop casual viewers but has limitations. New sites are added all the time, so no blocking list can ever be complete. Innocent sites often end up in blocking lists by mistake. Certain users often have particular needs to access specific blocked sites; your HR employees and your nursing staff are probably looking for very different things when they search for "breast". There are several web services which help users bypass web blockers, which must themselves be blocked. It must be understood that maintaining the block list will be an ongoing task, but the mere attempt may be enough to establish a consistent policy for purposes of disciplining employees who deliberately violate it.

No Trespassing
Just like "No Trespassing" or "Authorized Personnel Only" signs in and around your business property, public and private computer resources should also be identified. Prominent warnings should be placed on private computing resources, such as internal web sites and computer login screens. Confidential or


Business Data Security

restricted access materials should be clearly identified. These warnings should refer to company policies on appropriate computer use and are also great places to put important announcements. By making these notices prominent, the ignorance defense becomes untenable.

Disappearing Boundaries
Due to the increasing interconnectedness of our online business dealings, the boundaries of the corporate network are nowhere near as clear as they used to be. Telecommuters connecting from home or the road, wireless access, contractor laptops, PDAs, offsite service-personnel, and so forth, mean that a business network may have almost as many doors as walls. Any of these doors can be a potential entry point for an intruder or an infection, or a potential way for confidential documents to leave. A hostile computer on a local network can do much damage. First of all, they can snoop on any unencrypted communications, even capturing passwords to network services. Secondly, they can play a very old trick called a man-in-the-middle attack by pretending to be a trusted server and stealing confidential data even from encrypted connections. This is related to phishing and is a technique commonly used by phishers when users are expecting to connect to secure sites. Most people are familiar with the idea of providing a username and password to identify themselves to a service, such as a website or email provider. Prior to the recent phishing scams, few people have given thought to making sure the service provider is who they claim to be. We will see more applications supporting this kind of validation and making failures more obvious to users as time goes on, but users must also learn to be suspicious about who they are giving their information to. As these changes occur, there are different opinions on how to best adjust the network and keep it safe. In the end, much of it will depend on the needs of the business. Some of the solutions entail moving nonsensitive data out of the firewall (discussed in the section called “The Back Door - Employees On the Go”), moving untrusted connections (e.g. wireless) and computers (contractors) out of the firewall or to a special part of the network, and beefing up the defenses of all the individual PCs and servers (trust-nothing systems). This problem and its solutions are well discussed in the Information Security Forum's Report, The Disappearance of the Network Boundary ([Isf-2005b]). In essence, by moving wireless connections or untrusted computers outside the firewall or to a special restricted zone inside the network, you can limit these PCs to accessing specific services and specific, more secure, applications. As an example, you can force laptops using outdated wireless cards and faulty encryption (WEP) to use only services which use their own encryption by simply denying them access to anything else. Contractors can be allowed to connect to only those services which allow them to perform their specific tasks, browse allowed websites, check their email and nothing more. Viruses they may carry in stay on their own PCs. Setups like this can be created using an additional hardware firewall used to connect your untrusted network to your main business systems. Newer firewall equipment can create multiple network zones with different restrictions and the same effect can be had with a UNIX/Linux/BSD system, multiple network cards, and customized firewall settings (not for the faint of heart). Eventually, tools to do this will be commonplace. In all cases, the changes in network boundaries force us to beef up local defenses and more seriously consider a defense-in-depth, including encryption of all network traffic, even locally.

Employee PCs - The IT Battleground
Installing Programs
Inside the network, there are, of course, employee computers. Depending on what type of business you have and how big it is, you may also have file servers, network printers, point-of-sale terminals, automated paint mixers, and what have you. Because there is such an unbelievable variety of networks, we have no choice but to gloss over much of the detail.


Business Data Security

The employee's computer or "workstation" has been a source of contention since the first days of its existence. The very term, which should perhaps be "employer's computer" typifies the conflict. Employees always want more; employers are (or should be) trying to reign in abuses and hold on to their tenuous control. The problem is that today's personal computers, which are primarily Windows systems, make it very easy for the user to not only move data around, but also programs which change the way the system works. These programs have complete control over the computer, and if they contain malware, such as virus, they can spread like wildfire. Nowadays, even documents, such as email or spreadsheets, can contain programs ("macros") which can infect a system. Application security settings will block some of these attacks, but when security gets in the way of what a user wants to do, they will happily disable it. It is common for programs or websites to instruct users to disable security settings in order to get a feature to work. Because technology has changed so quickly, most computer users simply have no way of knowing what actions are safe and what are not. When they are risking their own PC at home, it is one matter. When their actions can disrupt a corporate network, it is another. Another issue is with corporate help desks. The more the employee changes the computer, the less they will be able to get help. The helpdesk support or local IT person simply has no way of understanding how the system has been changed, what may be causing the problem, and how to undo it. Applications on Windows very often interfere with each other. In a large company I worked with it would take months of testing for them to add applications to their PC desktops in order to sort out problems with all of their other required applications. Besides exposing a PC to malware, employees who install programs can open a company up to licensing issues and liability. A program you bought one copy of for a special task may spread around the network. Users may bring in software they use at home and install it on a company PC. Users may download and install pirated software. A surprise BSA audit can lead to substantial fines. UNIX™, a traditional business operating system, and PC systems derived from it, like Linux™ and Mac OS X™, have a decades-old and well tested multi-level security which allows an administrator to set up the computer and restrict what a user can do with it. Microsoft introduced a similar system with Windows NT™ and its security has been improving in recent years. In fact, Windows Group Policies, setting permissions for groups of users on a network and enforcing them on individual PCs, is a powerful tool in large companies. Even when the same person owns and uses the computer, setting up a separate administrator and user account limits the amount of damage that a virus can do. An alternative or addition to locking down systems is the use of virtual machines or imaging software which can quickly restore the state of the system to some earlier point. When a user makes a change and the system stops working, the system is reset and the change is wiped out. This can be especially useful when the employee has a legitimate need for more freedom (such as testing out new software). The downside is that, if they do not carefully back up their documents, they will be lost on every reset. This works particularly well in lab settings where users have network home directories; all of their files are saved elsewhere and the workstations themselves are expendable. As with many security issues, you must strike a balance between protecting your network and letting employees customize their tools. Different people work and organize in different ways, and sometimes using a different tool can make large productivity gains for particular people, especially if they are building on prior experience. Having a selection of approved options and knowing when to make exceptions can go a long way.

Security Fixes
It seems that there is a constant stream of security holes and bug fixes which need to be downloaded and applied. Not installing patches in a timely manner exposes your systems to unwarranted risk and most systems (Windows™, Linux™, Macintosh™, etc) have automated systems for downloading new updates. Many serious virus outbreaks attack systems which should have been patched.


Business Data Security

On the other side, new patches sometimes break things, especially if you have a complicated software setup. Large companies generally solve this problem by having a test machine which is updated first. If the test machine works, the rest of the PCs can be updated. Regular backups make it easier to undo a bad update as well. A very common but largely unreported problem with small business and home users is how to safely set up a new PC. I recently helped to set up a new machine which came with Windows XP Service Pack 2 (released in 2004). There have been hundreds of security patches for Windows XP since that time. A new PC connected to the Internet without those updates can be broken into within minutes, much less time than it takes to download all of the new software required to protect it. Microsoft provides tools for large companies to centrally manage updates without connecting to the Internet, but small businesses are out of luck. Apple allows you to download all of their latest patches on one computer, put them on a disk and move them to the new computer without connecting the new computer to the network. With Windows, I had to use an obscure third-party tool18 to accomplish this.

Virus and Spyware Detection
For Windows PCs, anti-virus and spyware protection programs are simply required. They are primarily designed to find malicious programs once they are on your system, but some also catch incoming viruses in emails and downloads before they can do damage. Once a virus is on your computer, these tools provide options to try to remove them. Unfortunately, the only completely safe method of removing an infection is to reinstall the system and it is a good idea to keep good backups of your documents. For non-Windows systems, like Macintosh and Linux, viruses do not exist and spyware is rare. This is partly due to lower market share making them less valuable targets and partly due to security conscious design making them more difficult targets, but there is no reason why malware may not become a problem in the future. I run anti-virus software on my Macintosh computer primarily to keep from sending viruses to Windows users by accident. Malware detectors are useless without constant updates. They can only detect problem programs once a security researcher detects them "in the wild" and adds them to a list. There are a number of products out there, a couple of which are completely free and of good quality.

Software Firewalls
Controlling the changes a user can make to the computer is one way of limiting the spread of infections or security violations. Another is to try to prevent infections from getting off the computer. Individual PCs can run their own firewall called a software firewall. Like a hardware firewall, a software firewall limits what traffic can get in and out and adds an additional layer of protection. Software firewalls slow down the spread of viruses inside your network, make it harder for attackers who have compromised one computer to attack another, and make it more difficult for spyware to phone home. If a PC is badly compromised, an attacker will simply turn the firewall off, so the protection is not absolute. Windows PCs since XP™ Service Pack 2, Macintosh computers with OS X, and any recent Linux or UNIX systems all come with software firewalls. There are commercial packages for Windows XP which replace the substandard built-in firewall. Businesses with Macintosh systems will likely want to spend some effort customizing its firewall which is very powerful but not set up well out of the box.

Passwords, Biometrics, and Keychains
Password management has always been a difficult problem for non-technical users and even for many technical users. A good password is difficult to guess and easy to remember. These do not go well together. Computer users should not use the same passwords for different purposes, should change them frequently,


Business Data Security

and should not have a new password be based on an old password (e.g. oldpassword2). Oh, and passwords should not be written down. If an employee actually tries to follow this advice, they will quickly have a dozen or more cryptic passwords for different accounts and, unless they have a photographic memory, will be calling their local IT person to have a password reset on a daily basis. Memorable Passwords One simple technique for creating easy to remember yet difficult to guess passwords is one I have used for years. Take a quote or phrase: When the wind is southerly I know a hawk from a handsaw. —William Shakespeare Take its initials, including proper capitalization and punctuation: WtwisIkahfah. It looks like gobbledygook, would never be cracked by an automated password guesser (dictionary attack), and is still memorable. After a few times, typing it becomes automatic. Playing with numbers and punctuation a little makes the technique even better: “To be or not to be, that is the question.” could become: 2bon2btit? Use a phrase you will remember, but not one that someone would obviously associate with you, like a motto or favorite saying. If chosen well, you can even provide a reminder hint in programs which allow it so you can remember what quote you chose. For instance, "mad" might be a good reminder for the first quote if you know Shakespeare (the preceding line is “I am mad but north north-west.”) What more often happens is that a user has one password they use for everything, and, when forced to change it, they tack a new number on the end of it. If they need anything more complicated (their software forces them to have a complex password), they write the password down somewhere near the computer. This is an unworkable situation. As we discussed in "Guard Your Secrets", a lock is useless if the attacker can readily obtain or guess the key. Some people propose biometric security to replace passwords. Biometrics means that the "password" is based on some unique characteristic of a person, such as a fingerprint, voice print, or a retinal pattern. The idea is that a biometric is unique, the user cannot forget it, and an attacker cannot easily steal it. It is an interesting idea, but most current plans are hopelessly optimistic. The first problem is that a user can in fact lose a biometric or may not have one in the first place. I went to school with a girl who had no hands and thus, no fingerprints. A significant number of war veterans are now entering the work force who are missing limbs. ADA rules might expose a business to liability if they excluded a potential employee from access due to an inability to use the security system. The second problem is that biometrics are not exact. Taking measurements is a messy business. They must be taken quickly, the employee is not exactly positioned each time, and the device has to take into account minor changes such as dirty hands, stress or illness affecting voice, or a dirty lense. The measurements must have a fair margin of error to ever let anyone in. On the other side, the security device has to detect and deny reproductions such as voice recordings, photographs of a retina, or a gel mockup of a finger. Generally what happens is the device denies legitimate employees on an irregular basis and allows attackers to bypass security. As reproductions get more sophisticated, fooling even devices designed to detect a heartbeat or capillary action, the problem becomes harder. Fingerprint scanners have gotten a lot of negative attention from security researchers, being susceptible to balistics gel mockups, transparencies, and even food-grade gummy-gel fingers [MythBusters-2006, MatsumotoEtAl-2002] all of which are inexpensive and not obvious even when the security checkpoint is watched. The third and most serious problem is that people leave copies of their biometrics everywhere they go and have no way of changing them once the bad guys get a copy. Bad guys can record voices, lift fingerprints, pick up traces of DNA, or position cameras to catch retinal or iris patterns. If you lose a credit card, you can cancel it and get a new account number. How do you change a fingerprint? Biometrics will not solve


Business Data Security

the password problem any time soon. One common security rule of thumb is that authentication uses two things: something you have (or are) and something you know, such as a username and a password, or a debit card and a pin number. In that sense, perhaps biometrics are best used in place of the user name rather than the password. One good solution to the many passwords problem is a keychain or password vault. In one of my companies, we had a computer lab. We had a number of locks, on server cabinets and media safes, that several people needed access to. Rather than give everyone copies and try to keep track of them, we bolted a locking cabinet to the wall, put the required keys inside, and gave each authorized employee a key to the cabinet. When they needed a specific key, they went to the key safe, signed out the key, and returned it when done. The same general idea can be done with software. Web browsers generally allow you to store usernames and passwords for websites so you do not have to type them in. You must then only remember the password to your computer account or web browser and the website passwords can be quite cryptic or even random, such as "g6%0knpoi2", which an attacker will never guess. In theory, passwords for mail, shared folders, printers, and what have you can be stored in this way. The downside to this approach is that all of the passwords are in one place, and, if they can be stolen, the attacker has everything. The password storage used by Microsoft Internet Explorer and Outlook, for instance, can be raided by spyware. The Firefox web browser stores its own passwords, and if some options are turned on, is generally safe. On the Macintosh system, there is a feature called the Keychain which stores usernames, passwords, and certificates for all applications. The passwords are protected by encryption and are unlocked by a single password. You can also store secure notes, to safely record account numbers or safe combinations, for instance. The biggest security features are first, that the keychain can be set to automatically lock itself in a variety of circumstances, and second, that access to passwords is restricted to the application that created them. If your Solitaire application starts asking for your email passwords, for instance, the Keychain will ask you for permission. This stops many types of spyware in its tracks. It looks like Microsoft is slowly moving in this direction and it may be the shape of things to come. A last valuable tool is a smartcard or similar device. The employee carries a creditcard or USB drive sized device which is attached to the computer when they log in. They must also generally type a PIN number. They cannot login without the device and the device will not work without the PIN. Login is simpler and thieves must both steal the device and guess the number. Of course, some process has to be in place for dealing with employees who lose their smartcard, but an old card is easy to cancel and new cards are not expensive.

Protecting Documents
A PC is an easy target of attack from multiple directions. Spyware infections or remote break-ins can be used to slurp documents over the network. Employees commonly leave themselves logged in when they leave their work area, so someone who can physically access the machine can copy files and install spyware. An attacker might steal the harddrive or the entire computer, especially in the case of an employee's home office computer or a laptop. I have seen one case where an entire floor of an office building was cleaned out by thieves with a truck over a weekend. Since renovations had been going on that week, an extra truck and an extra work crew were simply not noticed. At several companies where I have contracted, laptops were often stolen during broad daylight by both employees and intruders. Even without theft, data can be exposed under standard warranty replacement contracts. When a harddrive fails and is turned in for replacement, it may very well be repaired and resold as a refurbished drive, complete with your confidential data [Sullivan-2006]. Once the harddrive has failed, it is too late to delete critical information and hardware erasure methods will void your warranty. The only way to protect these documents is to encrypt them before the hardware fails. Hardware which is being sold can be erased before the sale. Broken hardware past its warranty can be dealt with easily by, for instance, drilling holes through the harddrive and its platters. This can be a great way to get out frustration.


Business Data Security

Deleted files do not actually go away. They can be retrieved by a knowledgable computer user. When deleting confidential files, it is important to realize that nothing is actually erased. All that happens is that the space taken up by the file is marked as free for reuse. It may be minutes or months before the space is actually written over by a new document. In the meantime, there are a number of tools which can be used to recover the deleted data and hackers are familiar with them. Formatting disks works the same way; the table of contents is cleared but all of the actual data is left as it is. In order to safely destroy documents, they must be overwritten first and then deleted. A number of tools exist to do this, normally referred to as secure deletion, and they will overwrite a document multiple times with gibberish to make them very difficult to recover. The best way to protect an important document is to encrypt it. Encryption is a complex subject, but, in short, encrypting a document scrambles it using a code and only someone who knows the code can make sense of it. Typically, you supply a password when encrypting and use the same password to get your document back. Different encryption tools have different strengths. Like physical locks, there are tradeoffs between complexity (how long it takes to encrypt/decrypt your data) and how much effort the attacker has to go through to break the encryption. Breaking encryption usually involves large amounts of computer processing, and, because computers get cheaper with time, it makes sense to use encryption which is stronger than you need today to make sure it cannot be broken tomorrow. Generally, the "proprietary" encryption built into many applications (e.g. MS Word, PK-Zip) is rather weak; someone can decode the document quickly even without your password. As with deadbolts, there are published standards for good encryption, such as IDEA or AES-256, which are well tested. Data Hygiene: Cleaning Previously Deleted Files When you are moving to an encrypted file solution, whether it involves encrypting individual files or whole folders, you need to securely delete any old copies on your hard drive. This includes any old copies of confidential data you may have already unsecurely deleted and which thieves can readily access. How do you get rid of those? There are two decent solutions, neither of which is very complicated. The first involves wiping the entire drive with a security tool, reinstalling, and copying the files (now encrypted) back. This is essentially the nuclear bomb solution which is crude and extraordinarily effective at removing any leftover traces of just about anything, but may be too disruptive, especially if you have a few machines to change over and people needing to get work done in the meantime. You might still apply this solution whenever the machines are reinstalled in the normal course of maintenance. The second solution is not quite as effective, but is simple and a bit less destructive. Essentially, you want to force the system to overwrite any free space on the drive, erasing leftover data. Just create a really big file, filling most of the drive, and securely delete it. On PCs, there are tools to do this for you. CIPHER.EXE on Windows XP and Windows Server OSes, and the Disk Utility on OS X ("Erase Free Space"). This technique does not necessarily wipe out old file names and so forth (if you use names and social security numbers or some other sensitive data in your file names) and has mixed results on Linux/UNIX systems [GarfinkleMalan-2006]. For the truly paranoid (or the truly bound by litigious clients) this second technique can even be used periodically as part of a data-hygiene policy. Encrypting individual files is difficult enough that it may lead to unsafe practices if it is your only solution. First, it is inconvenient to have to encrypt/decrypt individual documents. Second, you need to worry about cleaning up readable (called cleartext) copies you or your office program may make while working on them. A safer and more convenient method is to encrypt whole folders or whole drives. Tools will decrypt


Business Data Security

the files automatically as you use them. You can use a single password, or some tools let you store a key on a removable device you can lock up at night. You can work on multiple files at once and cleanup is easier. Different products accomplish this in different ways with somewhat different security, convenience, and performance tradeoffs. Ok, if you have all of your important documents encrypted, what happens when one of your employees is run over by a bus? How do you access all of their encrypted documents? The low-tech solution is one I have employed many times. When working on a client's systems, I would simply print out the top level passwords for a system (the root password) and have them put the paper in a safe. If I left their service or was otherwise unavailable, they had access to their systems. The root password could be used to reset any of my other passwords even if they did not know them. It is also simple to store the password to a password file or keychain in this manner. This works well for managing a few critical passwords that only change on a scheduled basis, but is more difficult when more users are involved and they are encouraged to change their passwords frequently. Enter something called key escrow. Key escrow is a process where multiple passwords can be used to access the same data. Typically, an employee would have one password they used for their encrypted folder and an administrator would have a master password which could access the folders of all employees. Tools which implement key escrow, such as Windows XP's Encrypted File System or the Macintosh encrypted home folders, are becoming common. The downside, of course, is you again have a single password which can do great damage in the hands of an attacker. One last consideration is data hygeine. There are a number of places that your confidential data may end up by accident which need to be cleaned up from time to time, such as your web browser's cache files, your operating system's virtual memory, and free space on your hard drive. Web browser's have options to clear private data, which can be used every so often, or the browser's files can be placed in an encrypted folder. Virtual memory (also called paging or swap) is an operating system feature where the hard drive is used to keep the system running when you run out of real memory. Applications and data that are not being used are moved to the slow disk drive to clear space in the fast system memory for applications that need it. In the process, confidential data such as passwords and sensitive documents you are editting may get saved on the disk where atackers can find it. Operating systems can be set up to encrypt virtual memory (configurable on Windows Vista, Apple's OS X, Linux; 3rd party tools on XP). Clearing hard drive free space is discussed in Data Hygiene: Cleaning Previously Deleted Files.

Backing Up Documents
For the most part, back up and recovery is not a security concern per se and is a complex subject in its own right. We will touch on some security specific issues here. Backing up documents is important to protect yourself against attackers who may want to destroy data instead of or in addition to copying it. Many attackers will not draw attention to themselves by destroying data on any large scale, but tampering with data, particularly financial records or log files, is a serious issue. Regular backups will allow you to compare copies of records and detect discrepencies. In the case of log files, they contain valuable forensic evidence that will help you and the authorities in investigating a crime. Any attacker gaining access to a system will attempt to alter or destroy them. It is critical that logs be written to a remote location, which is a feature in many software or hardware tools. Mirroring or high availability systems (RAID) which make copies of data across several disk drives are not backup systems for purposes of security. Mirrored hard drives are clones of each other; if an important document is deleted or modified on one drive, it will immediately be deleted or modified on the other, leaving no one the wiser. A backup system must take snapshots of files at a particular point in time so that documents can be restored to some previous state when they are needed. Backing up encrypted files can be tricky. You either need to store passwords with the backups (since they change over time) or store the data unencrypted. In either case, the backups must be physically secure or a


Business Data Security

thief will simply steal them instead of the computer. I have seen many cases where companies store backup tapes unlocked right on top of the system being backed up. Not only does this make a thief's job easy, it guarantees that a fire which destroys the computer destroys the backup as well19. Small, fire-resistant media safes are convenient and inexpensive protection for small businesses. Storing data unencrypted prevents problems when the passwords get separated from the data or if the tool you used to encrypt them is no longer used. PCI/DSS requires that backups containing customer account information (the PAN, or Primary Account Number, specifically) be encrypted [PciSsc-2006 § 3.4]. In this case, you will want to deliberately store the data and passwords in separate, secure, locations. Media safes and secure offsite storage may be good options for protecting your media and both can protect from fire, accident, and other losses.

Test your backups or they might not be there when you need them. Oh, and test your backups occasionally. An administrator at a Canadian agency recently wiped out an accounting system with $38 billion in accounts by accident and then found out that the backup tapes were unreadable [Maxcer-2007]. I'll bet he's looking for work.

Network Services - Sharing and Editing Files
Between the PC and the firewall, there may be a wide range of network services, but mostly they come down to ways to collaborate- sharing and editing files, which is where we will focus our attention.

Network Authentication
When you get past the smallest of networks and the individual PC, there has to be some way to know whether someone belongs on the network at all. At home, I have two computers which are used by the same people. I just create the same accounts on both computers with the same passwords. Sharing files is not hard. The computer in the living room allows anyone to connect that is on the inside network and can provide the proper username and password. Someone would be hard pressed to plug a new computer in without my knowing. This setup quickly becomes unworkable as the number of PCs grows. Keeping passwords and accounts up to date across more than a handful of computers is a pain. Forgetting to remove people who should no longer have access is dangerous. This is generally solved by some sort of network authentication system which keeps track of the accounts and passwords, allowing one change to affect everything which needs changing. When someone sits down at a PC, the PC checks with the network system to see if the person is allowed access. The same thing happens when someone tries to access a shared file. It is also possible to find out when someone plugs an unauthorized computer (e.g. a laptop) into the network. There are a number of different ways to do this and secure it. Regardless of your setup, an important thing to note is you need to have a defined policy for departing employees. Just as many companies have an exit checklist to make sure employees have turned over required paperwork, files, and keys when they leave, you should have a checklist making sure that all of their accounts, passwords, and access rights have been terminated, and that their electronic documents have been transferred for someone else to sort through and file. It is a simple thing which can save much potential grief. Systems appearing on the network can be handled a number of ways. Network services can be set up to only communicate with known PCs. This can be done by several methods and trades some complexity

I was once bitten myself when we brought backup tapes back onsite to restore a server after a lightning strike and data loss. At that very moment, a pipe broke above us and flooded the computer room. The resultant electrical chaos destroyed the backup. If you use offsite storage, make a copy to bring back onsite.


Business Data Security

for added security. Unknown computers can be quarantined, restricted, or simply treated as guests, able to access web sites and email for the benefit of contractors or other visitors with laptops.

Shared Folders and Files
It is not enough for employees to be able work on documents stored on their own PCs. They must also be able to share documents with other employees, look up old documents, and collaborate on the production of new documents. Once again, there are many different technologies to do this, and, to the extent possible, we will ignore them except where it matters to security. Whether people share files from their PCs, the files are placed in a central server, or they are stored on a vendor's site, from a security point of view, the basic problem with sharing documents is how to let the people that need access get it while denying access to everyone else. This is usually accomplished with one of two basic processes. The first is through Access Control Lists (ACLss). ACLs are sets of rules about what individuals or groups can do specific things to a particular resource, such as add documents to a folder, or read a sales report. The combination of individuals, groups, and different types of permissions in many systems can be quite powerful, such as saying that everyone in Accounting has full access to a folder, except Contractors. George (a contractor), can read documents and nothing else. Different systems provide different protections and amounts of detail. By setting up appropriate groups and folder permissions, the access controls on individual files may seldom need to be mucked with. The second process is through workflows. A workflow is a sequence of steps, from start to completion, that some document goes through as part of a business process, such as producing a proposal. Individuals have roles in this process, such as editting, reviewing, approving, and sending the document. After the customer receives it, it may go through another round of changes before being filed for reference in contract negotiations. Workflow automation, typically built into Content Management Systems, shows team members what stage the document is in, what their assigned role is, and what their assigned action items are. At each stage, the individuals have different access rights to the document according to their role in the project. In all likelihood, only team members (and their superiors) will have any access at all, and some team members only late in the process. There are often arguments about which system is better. Like most such arguments, they miss the point. Both are good systems and have their uses. Access Control Lists are better at managing files or records that do not change very often and do not have distinct owners, such as client histories or past proposals. ACLs are generally centrally managed and keeping track of permissions for changing team structures involves a lot of interaction with system administration. Workflow systems tend to be more efficient for documents that are being created or actively worked with. Applications usually let teams or managers assign permissions for the projects they own, so less technical support is needed. What generally happens is that businesses end up with a file server of some type which uses folders and ACLs and then provide another system for discussion and collaboration. Lotus Notes™ is a popular system in many organizations, especially technical ones, for project interaction, but these days there are many options at many price ranges. A problem in both of these systems is that access rules are hierarchical. Administration staff can access any document on the system, and, in workflow systems, managers generally can as well. This access is necessary if someone is to be able to fix problems or access documents when their owner is suddenly unavailable. Aside from issues of trust, however, a compromised master password or broken security system lets an attacker take anything they want. In essence, this is no different from physical files in that there is usually a master key to all offices and physical security can generally open locked cabinets and secure areas. The difference is that, with electronic systems, an attacker can access the system locally or remotely, and carry out (or modify) large amounts of data without arousing suspicion. We will talk about some solutions to this problem as we go.


Business Data Security

Encrypting Shared Documents
Encrypting shared documents is one way to get around the untrusted computer problem. A document can be encrypted with a password and the password given out to the people that need to access the document. Then, even if someone gains control of the computer where the document is stored, they will not be able to read it. Doing this systematically means that you can store sensitive documents on untrusted sites where the administration is outsourced, such as a shared web hosting provider. As a rule, sharing a single password, such as by encrypting a Word document and emailing it to everyone, is a bad idea. If a password is potentially compromised, everyone's password has to be changed, and distributing the new password (safely) is difficult. Two technologies make this easier. The first is called Public Key Cryptography, which we will talk about in detail in (emv20070510)FIXME:. In this system everyone has a key or certificate that belongs to just them. They use this key in encrypting/ decrypting files. The second is key escrow. We talked about key escrow in the section called “Protecting Documents”. In theory, one file can be encrypted so that any number of peoples' keys will unlock them. A document author can simply select names from an addressbook or company directory, encrypt the document, and store it in a shared folder. If necessary, the list of people able to read the file can be changed. Again, as long as all of the encryption/decryption is done locally, the remote server does not have to be trustworthy because even someone with administrative control cannot read the file. In practice, group-level encryption becomes messy and unsafe when the number of people needing access is large, when ownership of documents changes over time, or group membership changes. In these cases, either the owner ends up being a gatekeeper (“Can you give me access to ...?”), or there is a push for a more central management of access rights. In the first case, we have the owner disbursing new encryption keys or special copies of the document on a regular basis, at which point, why outsource document handling? In the second case, we end up in another “One Ring to rule them all” situation, which is precisely what we were trying to avoid [LioyEtAl-1997]. As usual, we end up making trade-offs. For archival information where the number of people needing access is relatively large, specified by groups whose members change, and centrally administered, it makes more sense to use centrally-managed encryption, despite the security implications. Where more protection is needed, other solutions, such as restricting physical access, may be necessary. For workflowlike situations, where a document is actively worked by a small team, individually managed encryption is more feasible, and often, since the data is current, the documents may be more sensitive. In situations where data is accessed by automated systems (an online storefront accessing stored credit card information, for instance), applying encryption effectively is very difficult. It is not practical to have an employee sitting there entering a password everytime a customer checks out and needs to use the same credit card they did last time. The storefront needs to be able to access the customer data without any intervention. If the credit card information is encrypted, the application must be able to decrypt it, and, therefore, anyone gaining control of the application can read the records no matter what security is in place. Security is only as strong as the weakest point in the perimiter. A handy solution to this dilemma is to use the customer's password to encrypt the data. The customer has to give you their password to check out, anyway, so their experience is not changed. An attacker gaining control of the system has no way of knowing what the customer's password is (there are ways to check a password without actually storing it anywhere; trust me on this20), so they cannot read the information. They might be able to copy small amounts of data over time (as customers log in and check out), but you have made their job much harder.

For the overly curious, one way is to apply a math operation to it (a hash) and store the result. When they give you their password next time, see if you get the same result. Another way is to use their password to encrypt something. If they can read it, they have the right password.


Business Data Security

The interesting side-effect is that no one can read the customer's card information without the customer's password. That includes your own employees if they get any bright ideas on selling stolen credit card numbers. Once the purchase is completed, the card information is locked away. It also means that the customer him or her self can not access the card information if the password is forgotten. In this case, delete the information, and have them enter their credit card number again the next time they purchase. Make sure you encrypt only what you need to, minimizing inconvenience, and take the opportunity to explain how you are protecting them from identity theft.

Restricting Network or Physical Access
Another way to protect sensitive shared documents is to restrict where they can be accessed. We already mentioned the possibility of splitting documents based on sensitivity, with some residing inside and some outside the firewall, in the section called “The Back Door - Employees On the Go”. Here, we examine some other ways to restrict access. If you have an online storefront and a database of customer information, you can put the customer database on its own computer and severely restrict access to that computer (in fact, PCI/DSS requires this [PciSsc-2006 § 1.3.4, § 9.1, etc.]). In particular, it is possible to put the database on its own network section, have it only respond to specific connections from your online storefront and internal order tracking system (to which it is directly wired) and only allow administration from its own keyboard (presumably in a locked room). If it must be remotely administered (remote emergency management), force connections to come through a specific administrator workstation so that someone must go through multiple, logged, levels of security to gain access, and even then, they do not need to be able to see customer data to fix a software outage. In this way, an attacker is hemmed in. A remote breach of the storefront can only do things the store is normally allowed to do, such as accessing customer records one at a time with a password, rather than copying them all at once, and there is seldom a reason to display a whole account number back to a customer. Inside attacks are similarly blunted: Internal order processing doesn't need to see whole customer card information, (once it has been sent through the card processing system and confirmed) and an employee would need physical access to get anything more (Smile for the camera!). A determined and resourceful attacker can still do damage, but it will take serious work, your pool of suspects will be smaller, and your evidence will be of higher quality. Other sensitive documents can also be physically restricted. At the Pentagon, the classified information was on a completely separate network; there were no physical connections to the Unclassified network and someone had to physically sit at a Classified computer to access restricted data. Moving information from one system to the other (by disk) required going through the responsible officer who had to examine the data and the disk. Moving data without permission was severely disciplined. Perhaps you do not handle information which can determine the fate of countries, but you may very well have documents that can sink your business if improperly used. It may be worth asking yourself: do I really need this available outside the office? Can the people on the team come here to work on this document? Do I really want to face liability if this walks out the door? The best network defense is sometimes a pair of scissors: clip the network cable. If you do have restricted machines, you will need to get some information in and out (like reference sources in and completed documents out), but will need control over it. UNIX/Linux based systems are particularly good at controlling access to external disks and devices. You can specify exactly who may do what with CDs or the ubiquitous USB drives. This is a much less messy solution than gluing USB ports shut (which companies have done). You can assign one or more gatekeepers to make copies of documents when people need them. Of course, all of this is a lot of work, may be expensive, and is in direct opposition to recent trends in telecommuting. Particularly as gas prices reach record highs, employees have a tremendous incentive to work at home. We also work in markets that are increasingly globalized; it is not always practical to bring


Business Data Security

people to the same location to work on a document. As usual, what you choose depends on the value of your data, the risks of its exposure, and the business opportunities you want to take advantage of. No one can make that choice for you, and, in the end, there may be no perfect answer.

Internet Services and Communication
In order to function, employees need to be able to communicate with the outside world and use services from other businesses. Increasingly, these services and communications are provided by the Internet.

Restricting Use
Even when employees are allowed to access documents, you may want to restrict what they can do with it. Access controls and encryption does not seem to be worth much when an employee can put an unprotected copy on a disk and take it home, or forward a sensitive email. Once you send a document to a client or vendor, none of your network protections come into play. The solution to this dilemma, or so many vendors claim, is a technology called Digital Rights Management or DRM.

Inevitably, as your data security plan progresses, you will encounter frustrations once you leave the safety of your own network. Implementing a policy of secure email and document encryption will only get you so far when the companies you communicate with do not use them. Protecting your confidential data may seem hopeless when the vendors and agencies you must entrust it to in the course of business are compromised on a regular basis. This difficulty is one of the reasons there is so much quality free security software available. Many individuals, companies, and agencies have realized that increased use of these technologies benefits them and have donated time and money to making them widely available. For the most part, however, use of protective technologies for Internet communication to prevent forgeries, tampering, and disclosure is rare, even though the technology has been widely available for more than a decade. This is mostly due to consumer ignorance of how Internet criminals operate and how technology can work against them. The fact that law enforcement has tried to associate the use of encryption with criminals and terrorists does not help the situation. In reality, the use of technologies to prevent forgery alone can make a large difference in Internet communication. SPAM can be sent without forging emails, but the ability to forge sender addresses makes it much harder to stop. If SPAMers had to use legitimate domains and servers to send their mail, zombie botnets would be less useful and domains which sent SPAM could be blacklisted from mail servers. Without the ability to easily forge emails, email phishing schemes would virtually disappear. Initiatives like the Sender Policy Framework21 for identifying which computers are allowed to send email for an Internet domain and personal solutions like digitally signing email, allow the receiver of an email to have greater confidence that what they receive is legitimate. We have SSL and digital certificates to tell us that the website we are entering our credit card information into is who we think it is, but people commonly open attachements in emails that claim to be from friends or colleagues with no real way to know where it came from. As for encryption in emails, regulations, confidentiality agreements, or self-preservation may lead you to protect data in transit. We do not write financial data on the outside of a postcard and stick it in a mailbox.


Business Data Security

Yet, encryption does not help if the receiver cannot read it. It can be difficult to convince a business partner to adopt a security practice in order to work with you. Do not count out the low-tech solutions. In some cases, old-fashioned mail or personal service may be the safer option. Compromises in vendor and agency security present a difficult problem. Selecting trustworthy vendors, considering the widespread nature of the problems, requires something akin to psychic powers. Even if that could be done consistently, you cannot refuse to provide data to government agencies. Two techniques can be of help. One is using unique data with each vendor. Some banks allow the creation of one-time credit card numbers which can be used for a single transaction. It is also possible to use a unique email address for each vendor you work with. Watching where this unique data turns up tells you who is selling or exposing your private data and the facts may surprise you. Another good technique is making sure you have confidentiality agreements protecting important data and relationships. Boilerplate text may do in many cases. It may make another organization think more seriously about your documents, and, at the very least, it gives you a basis for a legal action if your data is stolen. As a whole, the solution will require outreach, activism, lawsuits, and time. Consumers need to know the nature of the problems they face and that they have choices for protecting themselves. Until public policy and caselaw makes entities responsible for data leaks and for illegal use of their equipment, many businesses will not take action. At present, for instance, merchants who are the victims of credit card fraud pay the brunt of costs and fees, leaving those who actually lose the data little incentive to improve. Over time, standard practices will develop and caselaw will begin to take those practices as a matter of course. In the meantime, tenaciousness and creativity will have to do.

Access Control Lists A list of individuals or groups allowed to access a particular resource in a specific way, for instance, write to a document, or delete documents in a folder. Common controlled actions are Create, Read, Update, and Delete, or CRUD. ACLs can usually include basic rules, such that, for instance, all members of Accounting can access a document, except Contractors. ACLs are usually centrally managed; teams are limited in their ability to manage document access rights. An Apple trademark that is commonly used to refer to wireless networking or WiFi (techically the 802.11x networking standards). A short-range radio technology for connecting to computer peripherals, such as mice, keyboards, PDAs, cellphones, and headsets. Like wireless networking, bluetooth can be hijacked if left on or used in public places, although its short range makes attacks more dificult. A collective of remotely controlled, infected PCs (zombies) that are controlled as a unit. A botnet can consist of thousands or tens of thousands of PCs and can carry out coordinated Distributed Denialof-Service DDoS attacks against a single target. Botnets can also be hired out to collect information, send SPAM or conduct other illegal activities. Control Objectives for Information and related Technology or COBIT® is a set of best practices for information management created by the Information Systems Audit and Control Association (ISACA)22, and the IT Governance Institute (ITGI)23, initially published in 1992. Version 4.1 will be published in May of 2007. The






Business Data Security

current version is 4.0 [Itgi-2005] COBIT® is a standard for overall management and control of information technology in a business, including risk management, cost and quality control, and our present interest, security. COBIT provides a specific section in its standard to deal with information security policy which is tied into the overall IT process [Itgi-2005 pp 119-122], although other sections, such as providing continuous service, are certainly relevent. An additional document, the COBIT® Security Baseline is divided into 39 essential steps for securing the business [AliPabrai-2005, Itgi-2004] which add detailed guidance to the COBIT base standard. These steps concentrate on process and procedure more than specific technology, allowing a business to choose (and document!) techniques which best fit their needs. CSIRT An acronym for Computer Security Incident Response Team, sometimes referred to as an Incident Response Team or Computer Emergency Response Team (CERT). A CSIRT is the group of Security, IT, Legal, Public Relations, and Management personnel that are involved or can be involved in responding to a security incident. An Incident Response Plan should lay out the responsibilities of the members of a CSIRT and the situations in which they are called in or must be informed of an incident. A practice or technology which is in common use and has become a psuedo-standard, although it has no official design, definition, or consensus. One of the most frequently cited examples of a defacto standard is the Microsoft Word™ file format. Word .doc files are used everywhere for exchange of documents, but there is no written specification for what the inside of the document looks like and, in fact, the format has changed several times over the years, leading to data exchange problems. De-facto standards lock customers into a single vendor and product line since competitors cannot (are not allowed to) provide compatible products24 The Open Document Format, by contrast, a recent ISO standard, is a simple, concise standard approved by a consortium of companies and supported by multiple products. Underspecified document formats can have real security impacts. While I was working at the Pentagon, an officer moved a Word document containing unclassified data from the classified network to the unclassified network (which are physically separated) by a floppy disk. Unknown to him, Word documents (at the time) scooped up random information from the hard drive when they are created and his file contained classified information hidden in the document but visible to someone who knew how to look at the raw data. When this was discovered, security personnel had to scrub a number of computers which had come into contact with the classified data. The peer review process which leads to a public standard is designed to eliminate design flaws of that nature or at least make them known to potential users with special needs. De-facto standards have the advantage of being driven by a single developer and coherent point of view rather than being designed by a

de-facto standard


Business Data Security

committee. This is a particular advantage with developing completely new technologies. Sometimes, these products become real published standards at a later date, such as UNIX™, and Adobe PDF™. This can lead to a best-of-both-worlds situation where a well designed and market-tested product is maintained and slowly extended by a standards body. defense in depth A defense which consists of multiple integrated layers where the strength of the whole is greater than the sum of its parts. Attempts to exploit some weaknesses may be prevented or limited by other defenses. A single layer defense by contrast, even when strong, can often be bypassed completely when the defenders make a single mistake. Elements of a data security defense in depth include keeping attackers out of your network, denying them access to your PCs even if they are on the network, and encrypting sensitive documents so that they are useless even if they are stolen. An attack which causes some service to stop functioning rather than attempting to take control of it. A Denial-of-Service attack on a website, for instance, would make it unusable or slow for legitimate customers. Vulnerabilities leading to DoS tend to be more frequent and easier to exploit than actually taking control of a computer, though of less use to the attacker. A Distributed Denial-of-Service (DDoS) is a coordinated attack by many computers at once against a single target. DDoS usually involves a colection of zombies (or botnet) and is done for purpose of ideology, revenge, or extortion. The fact that the attacks come from many distinct, innocent sources makes them difficult to counter. The individual contribution of one infected PC is small and may not be detected by the owner's Internet Service Provider, but the combined effect is devestating and sustained attacks can bankrupt businesses with bandwidth charges and lost revenue. DMZ A small network provided by a firewall for Internet services, such as web and mail servers, to reside. These servers must be exposed to the Internet so that customers may access them, but should have at least limited protection. The DMZ is more dangerous than the inside of the firewall, so more effort needs to be taken to make sure the servers are secure. Consumer grade firewalls often limit the DMZ to a single PC, called the DMZ host which has minimal or no protection. DMZ stands for Demilitarized Zone, although the full name is never used. It refers to the land-mined no-man's land between North and South Korea and underlines the fact that it is a dangerous space between the internal network and the hostile Internet. DRM a technology which aims to restrict the particular uses a file, document, or media item may be used for. For example, it may be used to restrict viewing to certain computers, certain people, prevent copying, forbid editting, cause documents to expire, or track usage. Its flaw is that, in order for legitimate users to access a document, the document must contain the information necessary to read it (by definition). DRM relies on security by obscurity and restricting



Business Data Security

content viewing and editing to specific applications which know the secret handshake for unlocking the document. The application then reads and enforces restrictions encoded in the document. DRM functions well if-and-only-if the secret is not known. Once that secret is revealed, all protected documents are compromised. exploit A means of effectively using a vulnerability to bypass security or cause damage. For example, a vulnerability might be a bug in a web browser. An exploit would be a web page which uses the bug to send a malicous program to the user. See zero-day exploit. A unique identifying number for an encryption key or certificate. Basically, the fingerprint is a quick way of verifying that you are using the correct key and that it really belongs to who you think it does. For example, if you want to send someone confidential information, you can look up their public key (see Public Key Cryptography) in a directory. To make sure that the key in the directory is correct (and not fraudulent), you can look at the key's fingerprint and verify it by some other method, such as calling the person on the phone, checking the back of their business card, seeing if it is listed on their web page, and so forth. Once you have verified the key the first time, you can add it to your own key ring and tell your application that you trust it. Similarly, you should list your key's fingerprint prominently to make it easier for people to verify your public key. Controls traffic between an inside network (Intranet), such as a home or business, and an outside network, such as the Internet. A firewall keeps unwanted traffic out and protects computers on the inside. A hardware firewall is built into a router or other device. A software firewall is a second line of defense running directly on the server or PC it protects, only allowing traffic to or from certain applications (e.g. a web browser). A firewall may provide for a DMZ to provide limited protection for Internet services such as an online store. The Health Information Portability and Accountability Act is a US Federal Law [Usc-1996] which, for our purposes, places requirements on the use, disclosure, retention, and protection of private health records. In particular, the Security Rule (issued in 2003) lays out three types of safeguards required for compliance, the Administrative Safeguards (defined policies, management, and auditing), the Physical Safeguards (restricting access to records and equipment), and the Technical Safeguards (technological protections for networks, computers, and communications) [Dhhs-2003]. Businesses may be required to comply with HIPAA if they manage private health information (obviously including medical organizations, but can also include components of organizations managing information related to employee health plans) or subcontractors of such businesses. For the most part, the HIPAA Security Rule avoids making specific technology requirements (which would quickly become obsolete) by stating what must be accomplished, rather than how it must be accomplished such as requiring that networks must be protected from intrusion and that documents must be able to be verified to prevent tampering. The organization must further document their actual practices and self-audit on a regular basis.





Business Data Security

A number of related documents are available from the US Health and Human Services Web Site25. image A drive image or image is a complete copy of a hard drive or a partition on a hard drive, including the raw filesystem, all files, free space, and deleted files. Images are used in backup and recovery to quickly restore a hard drive from a backup. It is common, for instance, for a system administrator to have an image of a new system with Windows and standard applications rather than installing each system individually. Images are also used in computer forensics to allow security personnel or law enforcement to examine a stored copy of a hard drive and all of its contents. An internal network, such as a business or home. Intranets are connected to other networks, such as the Internet, by a router. The Information Security Forum26 Standard of Good Practice for Information Security [Isf-2005a] is a standard of information security best practices published by an international consortium. Although they use the term “information security” to describe the document, they are more focused on digital data than ISO/IEC 17799:2005. Like other security standards, they avoid committing to specific technical recommendations, concentrating more on policy and practice. They do, however, do a good job of keeping up with changing security issues, such as instant messaging and recent virus threats in the current (4.1) version. This document also does an excellent job of not getting bogged down in jargon (either its own or computer/technical). The ISF standard overlaps with and is complementary to aspects of both COBIT® and ISO/IEC 17799:2005. ISO/IEC 17799:2005 An international business process standard for best practices in information security. Note that this is a broader term than “data” security and includes information in any form, such as paper and security of physical storage. The standard provides guidance on risk management processes, policy development, management and approval structures, access controls and classification levels, monitoring and auditing. Like most such standards, it concentrates more on what to manage than precisely how and avoids specifying specific controls or technologies [IsoIec-2005] This standard overlaps with and is complementary to aspects of both COBIT® and the ISF Standard of Good Practice. ISO/IEC 17799 was first published in 2000 as an international standardization of the British Standard (BS) 7799-1:1999, and will be renamed to ISO/IEC 27002 in 2007. key escrow key escrow can be used to mean any of several different technologies. As used in this paper, it means a process where multiple passwords are used to access the same document or data. Each password works individually, so you can set up an employee password and a master password, for instance, so that sensitive data can be accessed even if the employee is not available (or no longer works for you). In a sense, key escrow trades one issue for another, in that it creates a single master password which can fall into the wrong hands. The master

Intranet ISF Standard of Good Practice


Business Data Security

passwords should be used very seldom, so that they are not likely to be captured, and different passwords should be used for different sets of data to minimize damage if a password leaks (or is misused). key logger A program which tracks the use of a computer, recording typing, web sites visited, and especially, capturing usernames and passwords. Keyloggers either record the data locally and must be retrieved periodically (has been common in Internet cafes and copy centers) or will automatically send their information to their controller. Key loggers may be installed by malware or directly by someone with access to the computer, including, in some cases, by employers to track employee use of a computer. A general term for software that violates privacy, breaches security, and damages computers, including viruses, spyware, and trojan horses. The distinction between these types is blurring because one type of malware will often enable and spread other kinds. The attacker performs as an intermediary between two parties without their being aware of it; the attacker can copy and modify secure communications at will. Alice and Bob are trying to communicate securely. Malory poses as Bob and she gives Mallory the password they will use. Mallory makes up a new password to give to Bob. Mallory now takes all coded messages from Alice, reads them, reencodes them, and sends them on to Bob, doing the same going in the reverse direction. Mallory can also modify the messages at any time without anyone the wiser. In phishing schemes, the attacker poses as a banking site, tricks the user into logging into the fake site, and passes the name and password on to the real bank, sending the user the bank's responses. The attacker can now monitor and modify any of the user's banking activities. To the user, everything looks normal. Network services have a number of ways to reduce the chance of a man-in-the-middle attack, but many of them involve authenticating the two ends of the conversation in some way, and user vigilence is essential. Making sure that the URL and SSL certificate are correct for a secure website, noting suspicious communications, calling a colleague to verify that an encryption key belongs to them (by verifying its fingerprint, a unique identifying number), and so forth, will quickly derail attackers. open The Carnegie Mellon Software Engineering Institute's Open Systems glossary defines “open” as follows: The specification of a component is open if (1) its interface specification is fully defined and available to the public, and (2) this specification is maintained by a group consensus process. —[SeiCm-2007] An “open system” is a system made up of components which are wellspecified and, at least theoretically, interchangable. Most disagreements in the definition of “open” center on the definition of “publicly available”. Open does not necessarily imply “free”. For




Business Data Security

instance, source code to a system may be “open” to and controlled by the consensus of a very select group or implementation of an “open” standard may require licensing of patents or other legal issues (e.g. GIF, MP3, AAC). The word is often used as a marketting ploy and should be treated with a degree of skepticism. See further discussion under standard and open source. open source Open source is a system and a movement of distributed software development where full source code for systems is publicly available and effort is advanced by the donations of many individuals and organizations. In many ways, this is actually not a new system, but closely mirrors the way much of the Internet infrastructure was developed in the university systems and scattered corporate laboratories. Contrary to popular conception, many contributors to open source are not hackers in garages, but rather professionals who are funded by their organizations to work on public projects. Among the benefits to the organization are that individual efforts are multiplied, products are peer reviewed, and the organization is not solely responsible for future maintenance. If support is needed, it can be purchased from multiple competing sources or provided in house. A large pool of open source code acts as a ready base for customized software. Open source is not to be confused with “public domain”, which is noncopyrighted. Open source is copyrighted, but under a license which provides for modification and redistribution, generally under “sharealike” terms which mean that you must license changes under the same terms you received them— giving back to the common pool. (Open source products may be freely used alongside commercial and proprietary works.) There are a number of nearly open source “shared source” or “community source” licenses which are more restrictive and may result in a contributor losing access to their own work or coming under other surprising restrictions. The Open Source Initiative maintains a definition of what constitutes an open source license and approves individual licenses for use in the community [Osi-2006]. The most well-known open source license is the General Public License, or GPL, which is currently being revised into its 3rd version with broad industry input. The main goals include improving protection against patent-litigation, a growing concern with software of all kinds. Because of the many-eyes approach, open source can be more secure than closed-source software. It is also much more difficult to sneak backdoors into a peer-reviewed and heavily change-controled process. However, there are always good and bad products, and, since open source projects ae visible from the moment of inception, there are many projects which are not ready for public use by any but the most adventurous. High-profile and long-term open source projects like Linux and the Apache web server rival any other product for quality and will often receive large donations of funding, equipment, or functionality from diverse sources. As a noted example, the SELinux Role-Based Security module now included in most Linux systems was developed and donated by the National Security Agency.


Business Data Security

Payment Card Industry Data Security Standard

A data security standard for merchants who handle credit card data maintained by the PCI Security Standards Council. The individual card service providers (e.g. Visa, Mastercard) determine which entities must comply and enforce compliance. The standard defines requirements for providing a secure network, creating document retention policies, restricting access to data, and so forth. The PCI DSS takes an “as little as possible for as short a time as possible” approach to storing private customer data. See the PCI DSS FAQ online [PciSsc-2007] or the standard itself [PciSsc-2006]. A scheme whereby a forged email is sent purporting to be from a business you have a relationship with (a bank or vendor, for instance) with the intent of taking you to a fake internet site and getting you to provide personal information which is then used to steal money or goods. A typical scheme involves telling the recipient that something is wrong with their account and that they need to verify sensitive account information. Phishing is currently one of the most lucrative Internet crimes. The practice of impersonating a person or entity in order to obtain more information about them, such as impersonating a phone customer to get copies of phone records or impersonating a boss to get a password changed. Among hackers and security professionals, this is also known as human engineering. A system of encryption where everyone has a public key and a private key (each is a file). The public key is used to encrypt a document, while the private key is used to read it. The public key is published freely, but the private key must be hidden (and generally requires a password to be used). The wonderful thing about this system is that you do not need to worry about how to get a secret password to someone. After all, if you could get a password to someone secretly and safely, why not send the whole document that way? In this case, yo can just send someone your public key without worrying about anyone intercepting it. Public Key Cryptography is especially useful in secure email systems. Public Key Cryptography can also be used for digital signing, also called non-repudiation. A person uses their secret key to sign a document and anyone else can use that person's public key to verify the signature. The signature proves that the document was signed and has not been changed. Digital signatures can be used to run digital notary services which can prove that a particular document existed at a specific time and has not been altered by anyone else.



Public Key Cryptography


A set of programs installed on a computer to let someone take full control of it and hide their presence. Often delivered by a trojan horse or similar. A device which routes traffic between two networks. You can think of a router as a highway interchange or on-ramp. A router will often function as a firewall. Private, uniquely identifying information or objects used to gain entry or access information. In security or cryptographic terms, a secret




Business Data Security

can include a physical key, the combination to a lock, a password, an encryption key, an access card or other device. Often, identifying information such as a social security number or mother's maiden name are treated as secrets by businesses, but they are inherently insecure since you must give out the same information many times in order to do business. security by obscurity Keeping elements of a security plan secret in order to increase security and prevent attackers from finding flaws, such as the design of encryption algorithms or the source code of a program or operating system. Often, the secrecy acts as no more than a speed bump to an attacker and the benefit of standard, peer-reviewed and proven defense far outweighs the temporary advantage. Criminals have many ways of finding flaws in secret systems, including stealing source code from vendors, and there are many of them looking. The design of a security system should assume that the attackers know all secrets with the exception of the actual keys or passwords. Security by obscurity can add to an otherwise secure system, such as by hiding from the attacker which standard defense is being used in order to slow down automated tools. A high-tech, whiz-bang solution to everything in one box. Many vendors like to tell you that their product and their product alone will fix all of your problems. In most cases, they produce a single point of failure where one mistake nullifies all of your security. As an example, if you have an expensive product to keep Internet hackers out, what happens when the attacker gets physical access to your PC? or hijacks the dialup account of your employee? or steals your salesperson's laptop? or is an employee? It is often better to have a defense in depth where multiple simpler defenses interlock to protect the whole. Transferring documents by disk (floppy, CD, USB drive, etc.) and foot-power (sneakers). Often used by employees to avoid technical problems or security restrictions, it can also be used to increase security by avoiding sending sensitive documents over the Internet. A term for bulk unsolicited email, usually commercial, and can be compared to physical junkmail. Unlike postal junkmail, however, email recipients and operators of mail servers pay the postage, making it possible for SPAMers to send millions of messages at little or no cost. Also unlike postal junkmail, a large percentage of SPAM content is illegal. The term comes from a 1975 Monty Python skit27 as related to something which is repeated endlessly and cannot be gotten rid of. Hormel Foods has tried unsuccessfully in court to block the use of the term SPAM since they hold the trademark in their canned meat product. spyware Software that covertly monitors the user's actions, particularly websurfing habits, mainly for marketting purposes. Spyware is usually contained in and installed as part of irreputable freeware or shareware software that can be downloaded. The primary difference between spyware and a trojan horse is that the intent of spyware is commercial, not to commit criminal acts or damage the computer per se. The line becomes blurred because poorly written spyware

silver bullet




Business Data Security

often does damage or becomes a means of infection by accident. Like viruses or trojan horses, spyware will often take steps to make its removal difficult. standard When used without an article, as in “standard practice” or “standard technology”, I am referring to common or customary use, which may include de-facto standards. Otherwise, “a standard” is a published specification for a technology, product, or practice. In order to be effective, a standard must provide some means for measuring conformance, whether a particular implementation meets the standard, such as a measure of effectiveness for a security standard or of interoperability for a product standard. In general, standards bodies accept specifications only for existing products or practices (providing proof of viability), and specifications will often begin in a trade consortium and wend their way up through national and then international standards bodies as they gain adoption. An open standard is one where the specification is publicly available, maintained by group consensus, and available for any interested party to implement. Patents and other legal restraints can be significant barriers to open standards. In the past, companies have pushed for their specifications to be adopted by the industry only to turn around and threaten law suits for patent infringement after it acheives widespread use (e.g. GIF, MP3). Standards organizations have begun to adopt rules requiring participants to grant patent rights to the standards body and standards implementors. Often, these rights are under “Reasonable and NonDiscriminatory” (RAND) policies, which seek to prevent the holder from using patents for trade-restraint and enforce broad-licensing. Despite this, RAND compatible-policies can still cause problems for broad standards adoption, typically preventing adoption by open source systems (due to license incompatibility) and often harboring dangerous fine print. Any RAND-patent licenses or covenants-not-tosue should be examined by an attorney to ensure that they provide adequate protection. A better solution is to stick to standards which require full and open patent licensing terms. Standards encourage choice in the marketplace by ensuring that consumers can purchase interchangable products, are assured a level of quality, and can avoid vendor lock-in. Choice among standards (having multiple standards which do the same thing) is often bad, causes marketplace confusion, and can encourage vendor lock-in. trojan horse Historically, the Trojan Horse was a large wooden statue that Odysseus tricked the Trojan army into taking inside their city. At night, Achaen soldiers came out of the horse and ended a ten year siege in several bloody hours. In computer terms, a trojan horse is a program or file which you are tricked into downloading thinking it is something else, such as a card game or a video file. When used, the trojan horse invades your computer and leaves the gates open for a follow-on attack. A trojan horse differs from a virus in that it has no means to spread, although it may download other tools once it is installed. A simulated computer running inside a real computer. A virtual machine (VM) appears to have its own hard drive, operating system,

virtual machine


Business Data Security

and applications, but they actually exist as files on the real computer running them (the host). For instance, it is possible for a Windows Vista host computer to run two virtual machines each with Windows XP and a web server. The appeal of virtual machines is that they can be created and destroyed quickly and easily when needed, that they can be moved from server to server, and that they allow services to be separated for greater security and reliability. Instead of one server with a database and a webserver, you can run two VMs, one with a web server and the other with the database. Failure of one VM will not cause the other to fail and an attacker who gains control of one cannot necessarily access the other machine or the host. A problem with a virtual machine can sometimes be fixed by destroying and recreating it from a backup, which is a simple process. The downside of virtual machines is that they are slower than real computers and use more disk space, so total hardware is more expensive. You must also typically pay for a software license (operating system and applications) for each virtual machine rather than each computer. Some operating systems have licenses prohibiting them from being used in virtual machines (e.g. Mac OS X, some versions of Windows Vista), while others (Linux, FreeBSD) can be used at no additional cost. Virtual Private Network An encrypted connection over the Internet between two networks, often used for telecommuters to connect to their corporate office. A VPN is usually started on a user's home PC or firewall device and connects to a business firewall on the other end. The connection creates a kind of “tunnel” between the two networks, acting like the user's home PC is connected directly to the business, while at the same time, preventing someone from eavesdropping on the traffic. VPNs can be convenient and quite effective, but must be used with caution; a home user with a usecured wireless access point can accidentally give their entire neighborhood direct access to your business network via a VPN connection. A biological virus invades a cell and turns it into a mini virus factory. The copies of the virus then go to invade other cells. Computer viruses attach to computer programs in order to copy themselves. Modern computer viruses can also infect office documents like memos and spreadsheets and spread via email because common office programs (e.g. MS Office) contain macros which act like mini programs. Viruses cannot infect pure text, plain email, or documents without scripts or macros. Viruses spread by email will typically read the recipient's address book and mail copies of itself to other people. Virus scanners detect viruses by looking for specific patterns (fingerprints or signatures) in the infected program. For this reason, virus scanners can only detect viruses which have already been discovered or that are very similar to known viruses. New viruses will not be detected until an update is available from the vendor. Modern viruses modify the PC they infect to hide themselves and prevent removal, even from virus scanning software. For this reason,



Business Data Security

it is often neccessary to reinstall the operating system to completely remove a virus once it infects your system. vulnerability A weakness in a security design or procedures which could potentially be exploited, on purpose or by accident. A vulnerability can exist for some time without a known way of effectively exploiting it, or an exploit may be discovered at the same time. See exploit and zero-day exploit. Wired Equivalent Protection, a standard for encrypting firstgeneration wireless networks (802.11b), it was intended to make wireless networking as secure as wired networking. It did no such thing, for the simple reason that wireless networks can be tapped from a considerable distance and wired networks cannot. Today, WEP encryption has been cracked and is essentially useless [TewsEtAl-2007], and users should either upgrade to newer equipment using WPA or WPA2 encryption, or structure their network so that wireless networks are not trusted (see the section called “Disappearing Boundaries”). connecting computers and peripherals with radio-based networks. Wireless networking usually refers to the technology commonly called Airport™ (an Apple trademark) or WiFi™ and technically the 802.11x standards. Recently, people have also begun using wireless network to refer to cellphone networks and cellphone-based Internet. There are several different standards of WiFi which operate at different speeds and radio frequencies. This is confusing to many consumers. A brief comparison is provided on webopedia28. For our purposes, it is important to note that 802.11b, one of the older standards which is still in common use, uses security (WEP) which is now effectively useless against attackers with standard tools [TewsEtAl-2007]. Wireless networks avoid costly wiring and are very convenient, especially for small businesses leasing space, and especially for travellers with laptop computers. However, there are a number of security issues with wireless networks, including readily available tools for breaking into and snooping on them. When using your laptop in a public place, it is possible to have your laptop hijacked if you accidently leave wireless on (vendors have acted to reduce this problem). Using public wireless networks may allow others to record your Internet traffic, including email and web pages visited; using SSL to access web pages and email makes this much more difficult. workflow A workflow is the sequence of steps that a particular document goes through in the course of a business process, from start to completion. For example, a press release may go through one or more stages of drafting and review, require final approval, get published, then archived. In workflow automation, roles are defined, such as owner, editor, reviewer, and approver, individuals are assigned to roles, and the roles are given appropriate access rights to the document as it passes from one stage to the next. Members of a workflow team are often given the ability to assign roles to other individuals; for instance,


wireless networking


Business Data Security

a document's owner may assign reviewers. Contrast this to ACLs, where access rights are typically centrally managed. WPA WPA and WPA2 are encryption standards for newer wireless networking protocols. They replace the insecure WEP encryption used in first-generation wireless networks and are still considered safe. Wireless networks, however, are fundamentally less secure than wired networks, so it is always a good idea to structure your network so that wireless networks are not trusted (see the section called “Disappearing Boundaries”) See WPA. A vulnerability and an effective exploit discovered at the same time. Zero-day exploits in 3rd party software are extremely dangerous since it will take time for vendors to produce an update fixing the vulnerability and, in the meantime, attackers may freely use the exploit. Often, the only effective solution is to close or reduce services in some manner to deny access to the vulnerability while security experts attempt to fix the problem. For example, users can temporarily turn off javascript in their web browsers to avoid an exploit which uses javascript. A computer infected by malware which is under remote control. A zombie will be made to perform illegal tasks for its controller, such as sending SPAM, breaking into other computers, Distributed Denialof-Service (DDoS) attacks, and so forth. A zombie also generally includes a key logger as well.

WPA2 zero-day exploit


[AliPabrai-2005] Certification Magazine29. MediaTec Publishing, Inc. “The CobiT Security Baseline30”. Uday O. Ali Pabrai. July 2005. [Bbc-2007a] BBC News31. BBC. “Malicious code rise driven by web32”. The number of new pieces of malicious software has doubled in the last year with the web being used increasingly to distribute the code, a report says. March 19, 2007. [Bbc-2007b] BBC News33. BBC. “'Surge' in hijacked PC networks34”. April 25, 2007. [BrownleeGuttman-1998] N. Brownlee and E. Guttman. “Request for Comments: 2350 - Expectations for Computer Security Incident Response35”. Internet Engineering Task Force. June 1998. RFC: 2350. [CaSenate-2003] California State Senate. “California Information Practice Act of 2003”. SB 1386. September 26, 2002. This bill became law in 2003. The text of the law is available online36.
29 30 31 32 33 34 35 36


Business Data Security

[Dhhs-2003] The Federal Register. National Archives and Records Administration. 45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule37. February 20, 2003. 68. 34. [Evett-2007] Top Ten Reviews. TopTenReviews, Inc. Don Evett. “Spam Statistics 200638”. January 18, 2007. [FbiIc3-2006] Internet Crime Complaint Center 2006 Internet Fraud Crime Report39. January 1, 2006 - December 31, 2006. National White Collar Crime Center. Federal Bureau of Investigation. FBI Internet Crime Complaint Center. Washington D.C.. 2007. [FeynmanEtAl-1985] Richard Phillips Feynman, Ralph Leighton, and Edward Hutchings. Edward Hutchings. Surely you're joking, Mr. Feynman!. adventures of a curious character / Richard P. Feynman as told to Ralph Leighton. W.W. Norton. New York. 1985. 0393019217. [GarfinkleMalan-2006] “One Big File Is Not Enough: A Critical Evaluation of the Dominant Free-Space Sanitization Technique”. Simson L. Garfinkle and David J. Malan. 2006. A copy of this paper is available from the authors, or on the web40. [GordonEtAl-2006] 2006 CSI/FBI Computer Crime and Security Survey. Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Robert Richardson. Federal Bureau of Investigation. Computer Security Institute. Copyright © 2006 Computer Security Institute. 2005. The report can be obtained online by following links from and registering.. [Harbert-2006] IQ Magazine41. Cisco Systems, Inc.. Tom Harbert. Mick Wiggins. “Combining Security and Regulatory Compliance42”. Using best practices for network security sets a course to time savings, asset protection, and sales to big customers. 3rd Quarter 2006. [Higgins-2007] Dark Reading43. Light Reading, Inc.. New York, NY. Kelly Jackson Higgins. “How to Cheat Hardware Memory Access44”. February 27, 2007. [Isf-2005a] Information Security Forum. The Standard of Good Practice for Information Security. 4.1. Copyright © 2005 Information Security Forum. January, 2005. The standard can be obtained online from http:// Registration is required. As of the time of this writing, their site will not function if javascript is not enabled. [Isf-2005b] Information Security Forum. ISF Digest: The Disappearance of the Network Boundary. Copyright © 2005 Information Security Forum. April, 2005. The report can be obtained online from http:// Registration is required. As of the time of this writing, their site will not function if javascript is not enabled. [IsoIec-2005] ISO. Information Technology - Security Techniques. Code of practice for information security management. 2005. ISO. Geneva Switzerland. ISO/IEC 17799. 2005. Copies can be obtained from the ISO Online Store45. [Itgi-2004] IT Governance Institute. COBIT® Security Baseline. An Information Security Survival Kit. IT Governance Institute. Rolling Meadows, Illinois. 2004. 1-893209-79-2. Note that a PDF is available online46 with site registration. The download PDF has several pages of ads and membership material at the front— it is the correct document.
37 38 39 40 41 42 43 44 45 46


Business Data Security

[Itgi-2005] IT Governance Institute. COBIT® 4.0. Control Objectives Management Guidelines Maturity Models. IT Governance Institute. Rolling Meadows,Illinois. 2005. 1-933284-37-4. Note that a PDF is available online47 with site registration. [Itgi-2006] Cobit® Focus48. IT Governance Institute. Rolling Meadows,Illinois. IT Governance Institute. “HarleyDavidson: Using COBIT to Simplify Compliance”. pp 8-9. December 2006. 2. Copyright © 2006 IT Governance Institute. This issue available in PDF form online49. Note that the table of contents is wrong, the article begins on page 8. [Kantor-2005] USA Today50. USA Today. Andrew Kantor. “Sony: The rootkit of all evil?51”. November 17, 2005 5:00 PM. Copyright © 2005 USA Today. [Keizer-2007] ComputerWorld52. ComputerWorld, Inc.. George Keizer. “Massive spam shot of 'Storm Trojan' reaches record proportions53”. It's the biggest spam blast in the last year. April 12, 2007. Copyright © 2007 ComputerWorld, Inc.. [Krazit-2006] ZDNet News54. CNet Networks, Inc.. Tom Krazit. “FAQ: The HP 'pretexting' scandal55”. September 6, 2006, 4:42 PM PT. Copyright © 2006 CNet Networks, Inc.. [Krebs-2007] Security Fix56. The Washington Post Company. Brian Krebs. “Fortune 500s Unwittingly Become Spammers57”. March 29, 2007; 11:11 AM ET. Copyright © 2007 The Washington Post Company. [Lazarus-2006] The San Francisco Chronicle58. Hearst Communications, Inc.. David Lazarus. “Data theft may hurt workers59”. August 16, 2006. Copyright © 2006 Hearst Communications, Inc.. This article appeared on page C - 1 of the San Francisco Chronicle. [Lemos-2007a] SecurityFocus™60. SecurityFocus™. Robert Lemos. “Consumers dump breached retailers, says study61”. April 11, 2007. Copyright © 2007 SecurityFocus. [Lemos-2007b] SecurityFocus™62. SecurityFocus™. Robert Lemos. “Report: TJX thieves exploited wireless insecurities63”. May 4, 2007. Copyright © 2007 SecurityFocus. [LioyEtAl-1997] Antonio Lioy, Fabio Maino, and Marco Mezzalama. “Secure Document Management and Distribution in an Open Network Environment”. Polytecnico di Torino, Dip. di Automatica e Informatica. Torino, Italy. 1997. [MatsumotoEtAl-2002] Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV. T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. “Impact of Artificial Gummy Fingers on Fingerprint Systems”. Copies of this paper can be obtained from the author by email64 or online from
47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64


Business Data Security Cryptome.org65. There is also a summary of the findings in the May 15th, 2002 Crypto-Gram Newsletter66 from Counterpane Internet Security, Inc. [Maxcer-2007] TechNewsWorld™67. ECT News Network™. Chris Maxcer. “Fail-Safe System Fails in Alaska's Data Debacle68”. March 21, 2007 2:30 AM PT. Copyright © 2007 ECT News Network, Inc.. [MythBusters-2006] MythBusters. Beyond International. Crimes and Myth-Demeanors 2. August 23, 2006. 4. 59. An online summary of this episode is available in the Online Wikipedia69. [Osi-2006] Open Source Initiative70. Open Source Initiative. Open Source Initiative. Open Source Definition71. July 7, 2006 3:49. Copyright © 2006 Open Source Initiative. There is also an annotated version72 with some additional rationale. [PciSsc-2006] Payment Card Industry Data Security Standard73. 1.1. PCI Security Standards Council, LLC. PCI Security Standards Council, LLC. Wakefield, Ma . September 2006. [PciSsc-2007] PCI Security Standards Council™74. PCI Security Standards Council, LLC. The PCI Security Standards Council Frequently Asked Questions - General Information75. PCI Security Standards Council, LLC. PCI Security Standards Council, LLC. Wakefield, Massachusettes . April 17, 2007. Copyright © 2007 PCI Security Standards Council, LLC. [Rasch-2007] SecurityFocus™76. SecurityFocus™. Mark Rasch. “The Politics of E-Mail77”. April 17 2007. Copyright © 2007 SecurityFocus. [Schneier-2005] Wired78. CondéNet, Inc. Bruce Schneir. “Real Story of the Rogue Rootkit79”. November 17 2005 2:00 AM. Copyright © 2005 CondéNet, Inc. [Schneier-2007] Wired80. CondéNet, Inc. Bruce Schneir. “How Security Companies Sucker Us With Lemons81”. April 19, 2007 2:00 AM. Copyright © 2007 CondéNet, Inc. [SeiCm-2001] CERT Coordination Center82. Carnegie Mellon Software Engineering Institute. Pittsburgh, PA 15213-3890. Software Engineering Institute Carnegie Mellon. CERT® Coordination Center Incident Reporting Guidelines83. Jul 30, 2001. Copyright © 2001 Carnegie Mellon University. [SeiCm-2007] Software Engineering Institute - Carnegie Mellon84. Carnegie Mellon Software Engineering Institute. Pittsburgh, PA 15213-3890. Software Engineering Institute Carnegie Mellon. Open Systems Glossary85. March 20, 2007 8:38:06. Copyright © 2007 Carnegie Mellon University.
65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85


Business Data Security

[SoleckiRosenberg-2004] Law Journal Newsletters - Employment Law Strategist. ALM Properties, Inc.. Albert J. Solecki, Jr. and Melissa G. Rosenberg. “Workplace E-mail86”. Employers Beware!. 12. 7. November 2004. Copyright © 2004 ALM Properties, Inc.. [Sullivan-2006] The Red Tape Chronicles87. MSNBC. Bob Sullivan. “'I just bought your hard drive'88”. June 5, 2006 3:00 am CT. Copyright © 2006 [TewsEtAl-2007] Erik Tews, Ralph-Philipp Weinmann, and Andrei Pyshkin. “Breaking 104 bit WEP in less than 60 seconds89”. Technische Universität Darmstadt, Fachbereich Informatik. Hochschulstrasse 10 Darmstadt D-64289. April 3, 2007. [Tweakers-2007] Tweakers.net90. “Secustick gives false sense of security91”. April 12, 2007 08:59. Copyright © 2007 This article is translated from the Dutch. [Usc-1996] HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 104,191 USC. 1996. The text of the law is available online92. [Vijayan-2007a] ComputerWorld93. ComputerWorld, Inc. Jaikumar Vijayan. “TJX data breach: At 45.6M card numbers, it's the biggest ever94”. It eclipses the compromise in June 2005 at CardSystems Solutions. March 29, 2007. Copyright © 2007 ComputerWorld, Inc. [Vijayan-2007b] ComputerWorld (Australia)95. IDG Communications, Inc. Jaikumar Vijayan. “Hackers offer subscription, support for their malware96”. Organised hacking gangs set up malware subscription sites. April 5, 2007 08:17:16. Copyright © 2007 IDG Communications, Inc. [Weber-2007] BBC News97. BBC. Tim Weber. “Criminals 'may overwhelm the web'98”. 25 January 2007. [West-BrownEtAl-2003] Moira J. West-Brown, Don Stikvoort, Klaus-Peter Kossakowski, Georgia Kilcrece, Robin Ruefle, and Mark Zajicek. Handbook for Computer Security Incident Response Teams (CSIRTs)99. 2. Carnegie Mellon Software Engineering Institute. Pittsburgh, PA 15213-3890. April 2003. Copyright © 2003 Carnegie Mellon University. Thanks to Bruno Vernay for the CSS template I started from for the HTML version. Many thanks to the folks at OASIS and everyone else who makes DocBook a wonderful tool.

86 87 88 89 90 91 92 93 94 95 96;838771320;fp;16;fpid;0 97 98 99