Hal Berghel
SECURITY PRACTICES FOR THE MASSES
There are a number of different digital security models that come recommended by professionals and organizations in the 'infosec' business: time-based security, the principle of least privilege, defense-in-depth, baseline security, perimeter hardening, intrusion detection, intrusion prevention, and so on. All attempt to circumscribe and quantify some measure of risk as a function of real or potential vulnerabilities and threats.
To illustrate the difference in strategies, consider time-based security (TBS) and the principle of least privilege (POLP). Time-based security uses time as the primary measure of risk. On this account, our safety margin increases with advance warning. As long as our advance warning exceeds the sum of the detection and response times, we should remain protected. The greater the inequality, the greater the safety margin.
Conversely, the principle of least privilege relies on controls. POLP holds that security varies inversely with the degree of control given to an application or user. The idea comes from physical security: employees have keys to their own desks, the supervisor has the sub-master for their area of authority, and the general manager has the master keys.
Perhaps the most visible reinforcement of POLP in the digital world for many of us is found in the Task Manager of Windows Vista. You may have noticed that in XP/2003, services and applications ran at the same level as the local user who invoked them: if the user was logged in as administrator, the invoked services and applications ran at the highest level, Session ID=0. This is a breach of POLP, since most applications do not need to run at that level, and it led to the infamous "shatter" attacks against Windows. In Vista, only the kernel Windows services run at Session ID=0; user-invoked services and applications always start at a lower (i.e., non-zero) level. This particular implementation of POLP falls under the rubric of "service hardening." The curious may easily verify the presence of POLP in Vista and its absence in XP within Task Manager. (Hit <CTL-ALT-DEL> and enable the "Session ID" column from "View".)
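The same check Task Manager offers can be scripted. The following is an added example, not code from the column or from BTNSP; it assumes a Windows 7 / PowerShell 3 or later host and lists every process in Session 0 whose owner is not one of the built-in service accounts.

```powershell
# Added example (not from the column): enumerate processes in Session 0 and
# flag those not owned by a built-in service account.
# Assumes Windows 7 / PowerShell 3 or later; run elevated so that GetOwner
# succeeds for processes that belong to other users.
$serviceAccounts = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)
$report = foreach ($p in Get-CimInstance Win32_Process) {
    # GetOwner returns Domain and User; ReturnValue 0 means the lookup succeeded.
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
    [pscustomobject]@{
        Name      = $p.Name
        PID       = $p.ProcessId
        SessionId = $p.SessionId
        Owner     = $owner
    }
}
# Session 0 should hold only services and system processes. Anything there
# owned by an interactive user (or whose owner could not be read) deserves a look.
$suspect = $report | Where-Object {
    $_.SessionId -eq 0 -and $_.Owner -notin $serviceAccounts
}
$report  | Sort-Object SessionId, Name | Format-Table -AutoSize
$suspect | Sort-Object Name | Format-Table -AutoSize
```

Services configured to run under virtual accounts (NT SERVICE\...) or dedicated service accounts will also appear in the second table; compare those entries against the service's configured logon account before treating them as a finding.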
There are organizations that promote specific security standards such as the Control Objectives for Information and related Technology (COBIT), the Federal Information System Controls Audit Manual (FISCAM), the Certified Information Systems Auditor (CISA) program, and the BSI 7799/ISO 17799/ISO 27001 standards for best practices, to name but a few. In each case, these standards map to government legislation or mandates such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), etc., providing a yardstick by which one might determine compliance. A good overview of the issues may be found in the NIST Handbook, available online at csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.
The BETTER-THAN-NOTHING Security Model
To enrich our security model landscape, I offer the following modest example: the "Better-than-Nothing" Security Model. I came up with this in the immediate post-Y2K timeframe as a result of two simultaneous events: (1) Windows NT and 2000 were suffering from some severe security vulnerabilities (buffer overflows, simple file sharing/"null session" attacks, NTLM password attacks, unauthorized Guest account logins, elevated privilege hacks, and so forth); and (2) the innovation of administering security policy through Active Directory and domain controllers. (1) became an enormous and very costly problem, while (2) was both difficult to understand and nearly impossible to implement completely and correctly in the early years. Many of my clients asked for inexpensive partial solutions that didn't require re-training their IT staff, and my vision of a security model that was better than doing nothing was born. I originally focused on XP.
Here's the way it worked. I'd encourage clients to undertake some basic risk management assessment by assessing the cost and relevance of known threat vectors for their IT infrastructure. Then, I'd provide a spectrum of alternatives to mitigate this risk within the local security policy, ranging from “make sure it can't ever happen” to “try to avoid if it doesn't break anything.” The client could then pick and choose based on their own assessment. Together with colleagues, we made all of this interactive on my Better-than-Nothing Security Practices website. I'll return to this in a moment.
To illustrate, consider Windows simple file sharing. This service was originally enabled by default in Windows OSs. What are the implications of leaving this open? On the positive side, files and folders may be shared in networked workgroups. On the negative side, workgroup simple file sharing isn't part of the Active Directory structure and access is not controlled. Thus, if one computer in the workgroup is compromised, all file shares on all computers in the workgroup that have simple file sharing enabled are also compromised, which is a really big problem for sensitive information. So, the spectrum runs from leaving it on to shutting it off. For those who needed some file sharing but with greater control, we encouraged them to consider using the Access Control List (ACL) feature that is available for every folder. This is a middle ground that may fall within the organization's comfort zone.
The next step is to show the client how to accomplish this, so we offered the step-by-step instructions. To wit,
1. Disable Simple File Sharing
2. Change Access Privileges to Hard Drives
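A script that audits both steps above, as an added example that is not part of the column or the BTNSP site: it reads the ForceGuest value that controls simple file sharing, lists who holds rights on each fixed-drive root, and shows what is currently shared. It assumes a Windows host with PowerShell 3 or later, run elevated.

```powershell
# Added example (not from the column): audit the two BTNSP file-sharing steps.
# Assumes Windows with PowerShell 3 or later; run elevated for complete results.

# Step 1 check: ForceGuest=1 maps every network logon to Guest, which is the
# registry switch behind XP's "simple file sharing" (Classic model when 0).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
$forceGuest = if ($null -ne $lsa.ForceGuest) { [int]$lsa.ForceGuest } else { 0 }
if ($forceGuest -eq 1) {
    Write-Warning 'Simple File Sharing is enabled (ForceGuest=1)'
} else {
    Write-Output 'Simple File Sharing is disabled (ForceGuest=0 or absent)'
}

# Step 2 check: which identities hold rights on each fixed-drive root, and
# whether overly broad principals are among them (DriveType=3 is a local disk).
$broadPrincipals = 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON'
$aclReport = foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
    $root = $d.DeviceID + '\'
    foreach ($ace in (Get-Acl -Path $root).Access) {
        [pscustomobject]@{
            Drive    = $root
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
            Flag     = if ($ace.IdentityReference.Value -in $broadPrincipals) { 'REVIEW' } else { '' }
        }
    }
}
$aclReport | Sort-Object Drive, Identity | Format-Table -AutoSize

# Finally, list user-created disk shares (Type 0); administrative shares such
# as C$ carry the admin-share type and are excluded here.
Get-CimInstance Win32_Share | Where-Object { $_.Type -eq 0 } |
    Select-Object Name, Path, Description | Format-Table -AutoSize
```

Rows marked REVIEW are the ones to reconcile against the "Change Access Privileges to Hard Drives" step; an Allow entry for Everyone on a drive root is the condition that step was written to remove.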
While this was a more labor-intensive approach than managing file sharing security through AD and a domain controller, it led to the same result: closing a security hole. For XP we offered explanations and recommendations for a wide variety of security issues, from password protection to disabling memory dumping and Dr. Watson. Figure 1 illustrates how one would implement the instructions in Table 1 within the registry editor.
TABLE 1: How to prevent Dr. Watson from storing debugging files
Figure 1: Instructions 1-6 of Table 1 from the perspective of the Registry Hive
BTNSP ONLINE
After the initial foray into XP security, I added BTNSP for web browsers, 802.11 wireless infrastructures, and firewalls. I even added BTNSP for Linux, and dabbled with the idea of RFID and Bluetooth, though I never got them ready for prime time. The same general interactive format was followed throughout. Of course, the computing and network world changes rapidly, so the original motivation for BTNSP for XP, helping organizations administer security through local security policy, was replaced by their need for simple and useful security guides for other aspects of their IT infrastructure. At this point, implementing security policy for entire domains through Active Directory is the norm in the enterprise. However, BTNSP may provide a useful checklist for AD administrators, and it remains relevant for SOHO users who do not have domain controllers.
While originally used only internally in my lab, and later by my clients, BTNSP is now available online via my website at www.berghel.net/btnsp (see Figure 2).
Figure 2: The long awaited, much-heralded, highly-sought-after Better-than-Nothing Security Practices website at www.berghel.net/btnsp. It's no Shrek sequel, but it's free.
So this is my belated 10-year anniversary gift to readers of Digital Village. I hope you find Better-than-Nothing Security Practices lives up to its name.
Enjoy.
Acknowledgements: Many thanks to former employee and friend, Jacob Uecker, for adding structure to my ruminations in the early years. Additional thanks to Paul Braeckel and Jiang Hong Song for their ongoing contributions to the Website.
URL PEARLS
Time-based Security is presented in a book of the same name by Winn Schwartau. Information about COBIT may be found on the ISACA website at www.isaca.org. FISCAM is promoted by the General Accounting Office; see www.gao.gov/special.pubs/ai12.19.6.pdf. CISA is an ISACA certification for information systems auditors; see www.isaca.org/cisa.
The ISO/IEC 17799 standard (to be updated and renamed soon) is a popular international information security standard based upon the earlier British Standards Institute 7799 standard. Details may be found online at www.standardsdirect.org/iso17799.htm or iso-17799.safemode.org, as well as the BSI and ISO websites at www.bsi-global.com/ and www.iso.org, respectively.
THE DIGITAL VILLAGE: A 10-YEAR RETROSPECTIVE, TWO YEARS LATE
It's hard for me to believe that by the time this goes to press, this column will be in its thirteenth year! I would have offered this brief retrospective on the 10th anniversary of Digital Village were it not for the fact that I hadn't noticed the 10-year mark until two years after the fact.
In the first column I wrote: “Welcome to the first installment of The Digital Village. In this new column we will try to become a reliable source of information on modern digital network technologies, particularly from the client side, and the use of those technologies for the betterment of society. We will strive for a balance between depth and breadth, currency and perspective, which most Communications readers will find interesting.
Occasionally, as in this installment, we'll wax philosophic. But mostly we will attempt to provide information on cyberspace and its tools, which we hope will be useful to our readers in maintaining currency and perspective. Occasionally, we will ask others to join us as guests.” The list of titles reveals that we've been faithful to our vision.
There were a few personal milestones along the way. The second column was the first one in which I offered a companion interactive website. The digital politics column was the first one that offered a critique of popular websites. Incidentally, it was about that time that I started the annual ACM Webbie Award Competition to recognize ACM student chapters for exceptional chapter websites. The column on email in 1997 was my first to have a companion blog (although the word 'blog' hadn't come into my vocabulary at that point). The April 2004 column on phishing was the first to have a companion software download site, a practice I have since abandoned, by the way, because of the hassles involved in maintaining the site and DRM. I'm pleased to report that several of these columns have been reprinted elsewhere, several have been reviewed and reported on in the professional literature, several have made the ACM Digital Library's top 10 download list, and there have been over 200,000 downloads of the preprints of these columns from my website. Even the title, Digital Village, has become widely popular. As I write this, my Google search produced 212,000 hits.
So there you have it, a two-year-late brief 10-year retrospective of this column. Thanks to all of the Communications of the ACM readers who have helped make this column successful for the past 12 years. Special thanks to CACM EiC Diane Crawford for making this column possible, and to in-house editor Tom Lambert for improvements that escaped my attention.
Hal Berghel is an educator, administrator, inventor, author, columnist, lecturer and sometimes talk show guest. He is both an ACM and IEEE Fellow and has been recognized by both organizations for distinguished service. He is the Associate Dean of the Howard R. Hughes College of Engineering at UNLV, and his consultancy, Berghel.Net, provides security services for government and industry.