
Information security architecture: an integrated approach to security in the organization
424 pages, 4.8 MB, PDF


Half Title Page

AU1549_half title page 11/18/05 12:30 PM Page 1

Information Security Architecture, Second Edition

AU1549_C000.fm Page i Wednesday, May 7, 2008 10:37 AM

AU_sec 6 series 11/18/05 12:55 PM Page 1

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: [email protected]

Asset Protection and Security Management Handbook. POA Publishing. ISBN: 0-8493-1603-0
Building a Global Information Assurance Program. Raymond J. Curts and Douglas E. Campbell. ISBN: 0-8493-1368-6
Building an Information Security Awareness Program. Mark B. Desman. ISBN: 0-8493-0116-5
Critical Incident Management. Alan B. Sterneckert. ISBN: 0-8493-0010-X
Cyber Crime Investigator’s Field Guide. Bruce Middleton. ISBN: 0-8493-1192-6
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. Albert J. Marcella, Jr. and Robert S. Greenfield. ISBN: 0-8493-0955-7
The Ethical Hack: A Framework for Business Value Penetration Testing. James S. Tiller. ISBN: 0-8493-1609-X
The Hacker’s Handbook: The Strategy Behind Breaking into and Defending Networks. Susan Young and Dave Aitel. ISBN: 0-8493-0888-7
Information Security Architecture: An Integrated Approach to Security in the Organization. Jan Killmeyer Tudor. ISBN: 0-8493-9988-2
Information Security Fundamentals. Thomas R. Peltier. ISBN: 0-8493-1957-9
Information Security Management Handbook, 5th Edition. Harold F. Tipton and Micki Krause. ISBN: 0-8493-1997-8
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Thomas R. Peltier. ISBN: 0-8493-1137-3
Information Security Risk Analysis, 2nd Edition. Thomas R. Peltier. ISBN: 0-8493-3346-6
Information Technology Control and Audit. Fredrick Gallegos, Daniel Manson, and Sandra Allen-Senft. ISBN: 0-8493-9994-7
Investigator’s Guide to Steganography. Gregory Kipper. ISBN: 0-8493-2433-5
Managing a Network Vulnerability Assessment. Thomas Peltier, Justin Peltier, and John A. Blackley. ISBN: 0-8493-1270-1
Network Perimeter Security: Building Defense In-Depth. Cliff Riggs. ISBN: 0-8493-1628-6
The Practical Guide to HIPAA Privacy and Security Compliance. Kevin Beaver and Rebecca Herold. ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance. Debra S. Herrmann. ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions. Rebecca Herold. ISBN: 0-8493-1248-5
Public Key Infrastructure: Building Trusted Applications and Web Services. John R. Vacca. ISBN: 0-8493-0822-4
Securing and Controlling Cisco Routers. Peter T. Davis. ISBN: 0-8493-1290-6
Strategic Information Security. John Wylder. ISBN: 0-8493-2041-0
Surviving Security: How to Integrate People, Process, and Technology, Second Edition. Amanda Andress. ISBN: 0-8493-2042-9
A Technical Guide to IPSec Virtual Private Networks. James S. Tiller. ISBN: 0-8493-0876-3
Using the Common Criteria for IT Security Evaluation. Debra S. Herrmann. ISBN: 0-8493-1404-6

Title Page

AU1549_title page 11/18/05 12:28 PM Page 1

Information Security Architecture
An Integrated Approach to Security in the Organization
Second Edition

Jan Killmeyer

Boca Raton • New York

LOC Page

Published in 2006 by
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2006 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group

No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1

International Standard Book Number-10: 0-8493-1549-2 (Hardcover)
International Standard Book Number-13: 978-0-8493-1549-7 (Hardcover)
Library of Congress Card Number 00-040399

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Tudor, Jan Killmeyer
Information security architecture: an integrated approach to security in the organization / Jan Killmeyer Tudor.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-1549-2 (alk. paper)
1. Computer security. 2. Computer architecture. I. Title.
QA76.9.A25 T83 2000
005.8--dc21 00-040399

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Publications Web site at http://www.auerbach-publications.com

Taylor & Francis Group is the Academic Division of Informa plc.

AU1549_Discl.fm Page 1 Tuesday, November 29, 2005 10:18 AM

Dedication

This book is dedicated to the memory of my father, Fred J. Killmeyer, Jr., and the honor of my mother, Gladys Killmeyer Gillespie, whose love, inspiration, and devotion to their children provided me with the courage to take on and complete the challenge of writing this book.

Contents

1 Information Security Architecture ..................................................... 1

Why an Architecture? ........................................................................................ 2

Incident....................................................................................................... 3

Client/Server Environments ......................................................................... 6

Overview of Security Controls................................................................... 11

The Threat ............................................................................................... 11

The Risks.................................................................................................. 12

Incident..................................................................................................... 12

The Controls ............................................................................................ 14

The Strategic Information Technology (IT) Plan ..................................... 17

Summary ........................................................................................................... 22

Getting Started.................................................................................................. 22

2 Security Organization / Infrastructure............................................. 25

Learning Objectives ......................................................................................... 25

The Security Organization............................................................................... 26

The Executive Committee for Security ..................................................... 29

The Chief Information Officer .................................................................... 29

The Chief Financial Officer ......................................................................... 31

The Security Officer..................................................................................... 32

The Security Team....................................................................................... 33

Security Coordinators or Liaisons............................................................. 35

Departmental Management ........................................................................ 36

Network and Application Administrators ................................................ 37

Human Resources........................................................................................ 37

Legal Counsel ............................................................................................... 37

Help Desk...................................................................................................... 39

Audit.............................................................................................................. 39

Internal Audit........................................................................................... 39

External Audit.......................................................................................... 41

Component Audits .................................................................................. 42

Compliance Audits.................................................................................. 42

System Users................................................................................................ 42

Centralized versus Decentralized Security Administration........................ 43


Information and Resource Ownership...........................................................45

The Strategic Information Technology (IT) Plan ..........................................49

Chapter Summary.............................................................................................54

Getting Started: Project Management .......................................................56

Deliverables ..................................................................................................71

Password Parameters .............................................................................72

Notes ..................................................................................................................75

3 Security Policies, Standards, and Procedures ................................. 77

Introduction.......................................................................................................77

Learning Objectives..........................................................................................77

The Information Security Policy.....................................................................81

Information Security Policy Acknowledgment Form ...................................82

Network Usage Policy ......................................................................................82

E-Mail Policy......................................................................................................83

Internet Policy...................................................................................................87

Internet Risk..................................................................................................88

Process for Change...........................................................................................90

Security Standards ...........................................................................................91

Standards Organizations..................................................................................92

Security Procedures .........................................................................................96

Chapter Summary.............................................................................................97

Getting Started..................................................................................................98

Notes ..................................................................................................................99

4 Security Baselines and Risk Assessments ...................................... 101

Information Security Assessment: A Phased Approach ............................102

High-Level Security Assessment (Section I)................................................103

Assessing the Organization of the Security Function............................103

Assessing the Security Plan......................................................................104

Assessing Security Policies, Standards, and Procedures .....................104

Assessing Risk-Related Programs ............................................................104

Security Operations (Section II) ...................................................................105

Security Monitoring ...................................................................................105

Computer Virus Controls ..........................................................................106

Microcomputer Security ...........................................................................107

Compliance with Legal and Regulatory Requirements..............................108

Computer Operations (Section III) ...............................................................108

Physical and Environmental Security......................................................108

Backup and Recovery................................................................................109

Computer Systems Management .............................................................110

Problem Management................................................................................110

Application Controls Assessments...............................................................111

Access Controls..........................................................................................112

Separation (or Segregation) of Duties .....................................................113

Audit Trails .................................................................................................114


Authentication ........................................................................................... 114

Application Development and Implementation..................................... 116

Change Management ................................................................................. 117

Database Security...................................................................................... 117

Network Assessments............................................................................... 119

Emergency Response ................................................................................ 120

Remote Access........................................................................................... 121

Gateways Separating the Corporate WAN and Lines of Business ....... 122

Current and Future Internet Connections .............................................. 122

Electronic Mail and the Virtual Office..................................................... 123

Placement of WAN Resources at Client Sites ......................................... 124

Operating System Security Assessment ................................................. 125

Windows NT ............................................................................................... 125

Telecommunications Assessments ......................................................... 132

Summary ......................................................................................................... 136

5 Security Awareness and Training Program..................................... 139

Program Objectives........................................................................................ 139

Employees Recognize Their Responsibility for Protecting the Enterprise’s Information Assets .............................................. 139

Employees Understand the Value of Information Security .................. 140

Employees Recognize Potential Violations and Know Who to Contact ................................................................... 142

Incident................................................................................................... 142

Forms of Attack ..................................................................................... 143

The Level of Security Awareness among Existing Employees Remains High.............................................................. 146

Program Considerations................................................................................ 147

Effectiveness Is Based on Long-Term Commitment of Resources and Funding................................................................ 147

Benefits Are Difficult to Measure in the Short Term ............................. 148

Scoping the Target Audience.................................................................... 149

Incident................................................................................................... 151

Effectively Reaching the Target Audience .............................................. 154

Security Organizations.............................................................................. 159

Summary ......................................................................................................... 160

Getting Started — Program Development................................................... 161

6 Compliance ...................................................................................... 165

Level One Compliance: The Component Owner ........................................ 166

Level Two Compliance: The Audit Function............................................... 167

Level Three Compliance: The Security Team ............................................. 172

Line of Business (LOB) Security Plan .......................................................... 173

Enterprise Management Tools...................................................................... 173

Summary ......................................................................................................... 176


7 Pitfalls to an Effective ISA Program ............................................... 179

Lack of a Project Sponsor and Executive Management Support.....................................................................180

Executive-Level Responsibilities..............................................................180

Executive Management’s Lack of Understanding of Realistic Risk...............................................................................181

Lack of Resources...........................................................................................182

The Impact of Mergers and Acquisitions on Disparate Systems..............183

Independent Operations throughout Business Units ................................186

Discord Between Mainframe versus Distributed Computing Cultures .......................................................................188

Fostering Trust in the Organization .............................................................190

Mom-and-Pop Shop Beginnings ....................................................................191

Third-Party and Remote Network Management .........................................192

The Rate of Change in Technology...............................................................196

Summary..........................................................................................................197

Getting Started................................................................................................199

8 Computer Incident / Emergency Response.................................... 201

Introduction.....................................................................................................201

Learning Objectives........................................................................................201

CERT®/CC.........................................................................................................203

CSIRT Goals and Responsibilities.................................................................203

Reactive Services............................................................................................205

Alerts and Warnings...................................................................................205

Incident Handling.......................................................................................206

Vulnerability Handling...............................................................................207

Artifact Handling........................................................................................207

Incident Response Handling Methodology .................................................208

Reporting .........................................................................................................209

Incident Classification....................................................................................213

Triage ...............................................................................................................213

Identification ...................................................................................................215

Incident Analysis ............................................................................................216

Incident Response ..........................................................................................218

Incident Response Coordination ..................................................................219

Key Organizations......................................................................................220

Containment....................................................................................................221

Eradication ......................................................................................................223

Recovery..........................................................................................................224

Notification......................................................................................................224

Development of the CSIRT.............................................................................226

Issues in Developing a CSIRT ........................................................................230

Funding........................................................................................................230


Management Buy-In................................................................................... 231

Staffing and Training ................................................................................. 231

Policy Development................................................................................... 233

Legal Issues ................................................................................................ 234

Reevaluation of CSIRT Operations .......................................................... 236

Chapter Summary .......................................................................................... 236

Getting Started................................................................................................ 236

Notes................................................................................................................ 237

9 Conclusion........................................................................................ 239

APPENDIXES

A-1 Information Security Policy......................................................... 243

A-2 Information Security Policy Acknowledgment Form................. 259

A-3 Network Computing Policy .......................................................... 263

A-4 E-Mail Security Policy................................................................... 267

A-5 Internet Policy .............................................................................. 271

A-6 Security Lists ................................................................................. 275

A-7 Security Standards and Procedures Manual Table of Contents ... 277

A-8 Anti-Virus Update Procedure....................................................... 283

B-1 Security Assessment Workplan.................................................... 287

B-2 Application Security Assessment................................................. 301

B-3 Network Security Assessment Workplan..................................... 309

B-4 Windows NT Assessment Workplan ............................................ 321

B-5 Telecommunications Security Assessment Workplan ................ 327

C-1 Computer Incident/Emergency Response Plan .......................... 331

C-2 Sample Line of Business Security Plan........................................ 337

D Intrusion Checklist ....................................................................... 365


Preface

Since the time the first edition of this book was published in 2000, so much has occurred in the field of computer system and network security. The Internet continues to modify and affect the way in which one does business. New national and international laws and regulations related to computers, networks, and Internet usage have been drafted, recommended, rejected, modified, and some eventually enacted. The ever-increasing progression and speed of new hacker techniques and system and network exploits have resulted in the ongoing development of a national infrastructure to deal with such issues. The world situation related to terrorism has increased the threats against our nation from a physical security perspective as well as against digital communications. The security budgets of the military, public and private industry, and government and educational sectors have significantly increased to meet the burgeoning challenges and requirements created by change over the past several years.

While security challenges have increased, so has our response to those challenges in the form of more sophisticated security technology, cooperation between consortia designed to communicate quickly and freely those effective techniques for combating security vulnerabilities, responding to incidents, and exposing hacking and attack efforts. Additionally, there is an increased appreciation and acceptance that user security awareness and cooperation are necessities. It is well-known that many successful attacks go unpublished and unqualified due to embarrassment, the need for confidentiality, and potential liability; however, the computing community has become much more willing to work cooperatively to provide a force multiplier against computer security concerns.

Why is this book necessary? There is a wealth of organizations, publications, certifications, technologies, software, precautions, regulations, and procedures, all designed to guide us in becoming effective at security management. This book is necessary because security management has become an overwhelming task to first understand and then to manage, a task that feels nearly impossible to the newcomer in the field of security and a task overwhelming the already overburdened manager seasoned in security management. It is not getting any easier. The information security field itself is reaching a stage of maturity. The security manager, however, is paralyzed by the hundreds to several thousand very specific vulnerabilities, and security management to him can appear as an insurmountable task.

This book is designed to incorporate the knowledge gained through the past decade as well as more recent methods that have pushed the security life cycle from infancy through development and now to a more mature, understandable, and manageable state. Those in the field of security who have lived through and responded to the successful attacks, disasters, and recoveries are willing to cooperate and share their experiences by developing the tools, checklists, processes, organizations, and publications to enable the computing community to stay in front of the vulnerability freight train. This book attempts to simplify security by providing understandable and organized methods and by guiding the reader to the available and most effective resources. Security management is about understanding the beast and being organized and equipped to tame it.

The original publication of this book is still valid in its approach to developing an effective Information Security Architecture (ISA). To the five original components of an ISA, however, three components (items 6 through 8 below) have been added:

1. Security organization/infrastructure
2. Security policies, standards, and procedures
3. Security baselines/risk assessments
4. Security awareness and training programs
5. Compliance
6. Monitoring and detection
7. Computer incident/emergency response
8. Disaster recovery/business continuity planning

In addition, the threat has changed. It has become larger; and with that increase, the potential losses have become more substantial. To a much greater degree, our national infrastructure is now the target. The national infrastructure includes the information infrastructure that is interrelated with a set of critical infrastructures that support our society (such as government, emergency services, water supply systems, energy, transportation, telecommunications, banking and finance, and public health).[1] A disruption to these critical infrastructures through the information infrastructure spells disaster for our nation. We rely on the information infrastructure to provide accurate and timely control of all other critical infrastructures.

Technology has changed. Organizations are implementing wireless networks with personal digital assistants capable of sending and receiving e-mail. New operating systems such as Windows XP are available; and for those on older operating systems, there is the need for research into