
A SECOND OPINION

The Wrap-up Elements

It’s a good idea to have your organization’s security policies and procedures, as well as the security plan, routinely reviewed by an independent trusted third party, one that is external to the organization. Such a review provides a fresh viewpoint on security. Security planning is too complex to entrust entirely to a single organization, even your own.

That said, slowing things down in the name of security isn’t necessarily problematic unless it significantly affects business and the bottom line. That is, we can’t take the attitude with security that it always comes at no performance cost to us. If implementing security means that high-impact application performance decreases and, at the same time, the company has no available budget to buy the needed hardware to speed things back up, you face a classic security trade-off. The historical response to this situation has been to reverse the security implementation because compromising on performance is something people haven’t been willing to accept. But times have changed and, as a security planner, you need to work to sell security in such a way as to help people in the organization understand that this kind of performance sacrifice may be reasonable and that increased security is value, just as performance is value. Of course, we shouldn’t take this to extremes. I’m reminded of one PKI deployment in which so many CPU-intensive operations were required because of the paranoia of the security planners that it would take a user five minutes to log in to the system and, once logged in, the user would face intermittent delays of one minute or more as he or she was constantly re-authenticated to the system. In this example, the slightly enhanced security achieved by constantly re-authenticating the individual (in this case, through a CPU-intensive PKI digital signing operation) never seemed to me to justify this poor level of performance. Sometimes simple things can be done to improve security performance. In this PKI example, I suggested to the client that they develop an activity timer-based authentication mechanism whereby users would be re-authenticated only after a configurable timeout period, such as when the user didn’t do anything for five minutes. Such inactivity might indicate that the user has walked away from his or her computer without first logging out. This suggestion, along with several other enhancements, dramatically improved the performance of the application while meeting security planning objectives.
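The activity-timer idea above, written out as an added example (not the book's or the client's code): an idle-timeout policy that runs the expensive re-authentication step only after a configurable period of inactivity, with a small constructed request trace that compares it against re-authenticating on every request. The 300-second default, the session fields and the stand-in for the PKI signing call are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    last_activity: float   # seconds since login of the most recent user action
    reauth_times: list     # times at which the expensive re-authentication ran


class IdleReauthPolicy:
    """Re-authenticate only when the user has been idle longer than
    idle_timeout seconds (assumed default: 5 minutes), not on every request.
    The costly step (e.g. a PKI signing round-trip) is passed in as a callable
    so the policy decision itself stays cheap."""

    def __init__(self, idle_timeout: float = 300.0):
        self.idle_timeout = idle_timeout

    def on_request(self, s: Session, now: float, expensive_reauth) -> bool:
        """Handle a request at time `now`; return True if re-auth was required."""
        idle_for = now - s.last_activity
        must_reauth = idle_for > self.idle_timeout
        if must_reauth:
            expensive_reauth(s.user)       # only here do we pay the signing cost
            s.reauth_times.append(now)
        s.last_activity = now              # any request counts as activity
        return must_reauth


def simulate(request_times, idle_timeout: float = 300.0):
    """Constructed simulation: returns (times the idle policy re-authenticated,
    number of re-auths a re-auth-on-every-request design would have done)."""
    policy = IdleReauthPolicy(idle_timeout)
    session = Session(user="alice", last_activity=request_times[0], reauth_times=[])
    for t in request_times[1:]:
        policy.on_request(session, t, lambda user: None)  # stand-in for the signing op
    return session.reauth_times, len(request_times) - 1


# Constructed trace: a burst of work, a 6-minute break, more work, a long break.
TRACE = [0, 10, 20, 400, 410, 1000]

if __name__ == "__main__":
    idle_reauths, constant_reauths = simulate(TRACE)
    print(f"idle-timeout policy re-authenticated at {idle_reauths}; "
          f"re-auth on every request would have run {constant_reauths} times")
```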

23. Physical Security: Locking Up

In Chapter 1, I described how a hacker walked unimpeded into a company conference center to wreak havoc. An effective security plan will address overall building security, to include employee, visitor, and contractor access to the building and, once inside, any additional restrictions and controls needed to secure shared areas such as conference centers, conference rooms (where visitors or guests may be left unattended), data centers, and any other public-access areas.

You might decide to log physical access using a centralized building access system that would allow you to track any suspicious movement throughout the building. You might also, for example, choose to monitor physical access to sensitive areas by video and control access using combination locks, tokens, and biometrics. Keep in mind, though, that building access tokens can be lost and that many popular ones today use one-factor authentication. An example of a simple building access token would be the common proximity identification badge. Such access control is insufficient for areas that require higher security because employees lose badges but don’t realize it for days. They then report the loss late to the security officer, giving a hacker plenty of time to make use of the badge. Combination locks are vulnerable because a casual observer can easily read the combination as someone enters it. To improve security, use two factors, such as a combination lock and a proximity badge. Add a biometric to improve things further. And don’t forget to disable building access to all terminated employees.

When it comes to defining policies and procedures that apply to the physical security architecture, you need to address who is allowed access to where, based on employee role, new employee orientation, and terminated employee exit procedures. But your policies can’t stop here. You also need them for all types of visitors and contractors including cleaning staff, repair people, clients, and customers. And don’t forget: You need to provide policies and procedures for both business hours and “after hours.”
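The physical access rules described in this section, turned into a small policy evaluator as an added example (not the book's own code): areas demand more distinct authentication factors as sensitivity rises, access is tied to role and to business hours, and a badge that is terminated or reported lost is refused even when every factor is presented. The area names, roles, badge statuses and the 08:00 to 18:00 weekday window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Factor(Enum):
    BADGE = "something you have"      # proximity badge
    PIN = "something you know"        # combination lock or keypad code
    BIOMETRIC = "something you are"   # fingerprint, iris, etc.


@dataclass(frozen=True)
class Area:
    name: str
    min_factors: int                  # distinct factor types required
    allowed_roles: frozenset
    business_hours_only: bool = False


@dataclass
class Badge:
    badge_id: str
    holder_role: str
    status: str                       # "active", "reported_lost", "terminated"


def is_business_hours(when: datetime) -> bool:
    return when.weekday() < 5 and 8 <= when.hour < 18   # assumed policy window


def evaluate_access(badge: Badge, area: Area, presented: set, when: datetime) -> tuple:
    """Return (granted, reason); the reason is meant to be written to the
    central access log so suspicious movement can be reviewed later."""
    if badge.status != "active":           # covers terminated staff and lost badges
        return False, f"badge {badge.badge_id} is {badge.status}"
    if badge.holder_role not in area.allowed_roles:
        return False, f"role {badge.holder_role} not permitted in {area.name}"
    if Factor.BADGE not in presented:
        return False, "no badge presented"
    if len(presented) < area.min_factors:
        return False, f"{area.name} requires {area.min_factors} factors, got {len(presented)}"
    if area.business_hours_only and not is_business_hours(when):
        return False, f"{area.name} is closed after hours"
    return True, "granted"


# Constructed sample data: three areas of increasing sensitivity, three badges.
LOBBY = Area("lobby", 1, frozenset({"employee", "contractor", "visitor"}))
CONFERENCE = Area("conference center", 2, frozenset({"employee", "contractor"}), True)
DATA_CENTER = Area("data center", 3, frozenset({"employee"}))
ACTIVE_EMPLOYEE = Badge("B100", "employee", "active")
TERMINATED_EMPLOYEE = Badge("B200", "employee", "terminated")
LOST_BADGE = Badge("B300", "employee", "reported_lost")
WORKDAY_NOON = datetime(2024, 3, 13, 12, 0)      # a Wednesday
SATURDAY_NIGHT = datetime(2024, 3, 16, 22, 0)
```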

24. Procurement: Be Discriminating

Procurement procedures can’t be casual, along the lines of “Hey, that’s a great freeware security program; let’s download it.” Freeware or any other ware might be fine, as long as you have a policy in place for where it can and cannot be used and a procedure for testing it and installing it.

I once downloaded a very interesting SNMP manager from the Internet to check out. I was a bit suspicious as I had noted it was coming from an unknown developer and from a part of the world not particularly known for designing this type of software—not a problem in and of itself, but at the time I was aware that network-borne viruses were being aggressively developed there. After downloading this program and installing it, all of the firewall and IDS alarms on my test systems went wild. It seems this program was designed to take full network control over the computer and begin delivering content off the hard drive to a hacker.