Security Series #1: Principles of Cyber Security

Today I’m starting a series of blog posts on cyber security. Before getting to various topics, I thought it could be useful to remind everyone some of the security principles that are the most useful to help you achieve a higher level of security, whichever technology you’re going to use.

Core attributes of cyber security: confidentiality, integrity, availability

First, cyber security has 3 core attributes whose initials form the CIA acronym:

• Confidentiality: keeping secrets secret
• Integrity: maintaining the accuracy and consistency of data and not allowing unauthorized people to modify data and systems
• Availability: making sure data and systems are available when you need them

A note on confidentiality: maintaining confidentiality is an interesting challenge today if you consider the wide use of social networks where employees have leaked information directly or indirectly about their organization (think about these companies under attack where employees tweeted en masse that their PC was not working anymore; it was easy to deduce that an attack had occurred). Add on top of that the existence of WikiLeaks and you will probably agree with me that confidentiality is harder today.

How do you achieve cyber security?

Well, before answering that questions, please take a look at this picture.

If you wonder what the sentence written on the door means, here is the translation: THIS DOOR MUST ALWAYS BE KEPT CLOSED.

Now, imagine that you are trying to protect something valuable which is inside that building… and answer those questions:

• Is your valuable asset well protected?
• How can you improve your protection?
• If I change the door with a bigger door with several locks, will my security increase significantly?

Did you answer the questions? Please do before reading below.

OK.
So you probably have realized that leaving this door open is exposing your valuable asset. Also changing the door with a stronger door is not going to fix anything as the issue here is that the door is not closed, not the door itself.
If you look carefully you will see that the door is equipped with a mechanism to close it automatically, which fails because of a diet cola can being put between the door and the ground… This shows that someone knew people could go through the door and not close it. So they added more technologies which was not useful as one person put the can and made the entire system fail…

 

Security is a combination of People, Processes, and Technologies

So, in order to achieve security we need to combine 3 key elements:

• People
• Processes
• Technologies

The most important part is probably the processes: being organized for security, having rules and procedures (‘this door should be closed at all times’).

Then comes people: making them aware of the risks, the importance of following rules and applying processes (‘this building hosts valuable assets that people entering the building could steal, read the signs asking you to close the door, close the door, don’t block the door…’)

And finally, probably the least important yet required ingredient to our recipe is technologies. Technologies are changing every day so probably the safest long term investment in terms of cyber security is in the processes and people dimensions. Then you should support them by applying the right technologies du jour.

So coming back to cyber security what do processes, people and technologies really mean? Here are some examples:

• Processes: risk management, update management, configuration management…
• People: employees, contractors, administrators (and high privileges accounts owners), developers (who can introduce vulnerabilities in their applications), users, insiders…
• Technologies: not only security technologies like firewalls, antimalware, security updates management solutions, IPS, IDS, SIEM… but also any technology you’re using has to be resistant to attacks

Key Security Principles

Going further there are a few security principles that are always good to have in mind:

• Security is a journey, not a destination. So there is nothing like absolute security. Whatever the level of security you reach there will be always ways to exploit what you’re not covering. The purpose of risk management is to help you decide how high to set the bar
• Cyber security is all about risk management: a risk is the negative result of the exploitation of a vulnerability by a threat to get access to one of your assets. If an attack has an occurrence rate of once a year which would cost you 1,000 dirhams per incident, would you purchase a solution that costs 10,000 dirhams a year to avoid this incident? No.
• You should have a defense in depth approach: you should always assume that any line of defense you will put in place can be vulnerable at some point of time. So, if it fails you might be in a difficult position. This is why defense in depth recommends to have at least two defenses that need to be breached to get access to any asset.
• Least privilege: you should only use your privileged account to do tasks that require these privileges (and privileged accounts like administrators account should be provided only to a limited number of people who need them, have been trained on the risks of having their credentials stolen, and use a standard user account for normal activities)
• Attack Surface Reduction: the less you have exposed the less you will have to protect and the less the attacker will have the opportunity to find a flaw. So if you don’t need it, don’t install it. For instance, if you’re installing a virtualization server with Hyper-V, just chose the Server Core installation of Windows (this is a minimal installation without many components, IE being one of those that don’t get installed. Server Core can dramatically reduce the number of security updates required.)
• Isolation: it’s almost guaranteed that one day you will have to face a security incident, the impact of which is going to be limited by your ability to contain the incident. This containment is the purpose of isolation. Design your information system to have several zones that you can isolate from each other if needed. Design it also for resilience so that it can stand incidents in a robust way.
• Auditing / traceability: after an incident it’s important to understand what happened. To be able to do that you need to have put in place the right level of auditing to be able to trace what happened and what was done. Of course, if someone compromises your system up to becoming the admin (which means nothing can be done to stop them) they will be able to destroy the evidence. That’s why good auditing comes with shipping the security events to a location where the local admin does not have privileges (think of a server where you can add security events but not read or modify them.)
• Need to know: access should be granted only to resources that are needed for someone’s to accomplish their mission. If someone does not have access to a piece of information, they cannot leak it to unauthorized people.
• Separation of duties: people who can do whatever is possible (administrators, root users, supervisors) should have their actions monitored by auditors who should be in a different team.
• Rotation of duties: administrators should change their scope of administration regularly to allow other administrators to know how to administer their servers and to uncover bad actions they could have done (due to blackmailing or corruption.)
• Positive security: there are 2 ways to do security.
  One is to look at something and verify if it’s not bad. Everything else is deemed OK. That’s the antivirus approach and it is an approach doomed to fail as it is impossible to list all the things that are bad.
  On the other hand, another approach that I call positive security looks at something and if it known to be good accepts it, and if not, rejects it. This is the way firewalls and whitelisting of applications work. Every time you have a choice between the 2 approaches, please choose the positive security as it is far more secure.

Finally, what is the most difficult: to attack or to defend?

Well, it’s to defend! And it’s famously known as the defender’s dilemma: a defender needs to protect everything to the right level while the attacker only needs to exploit ONE weakness to compromise the enterprise.
So now you know where the real heroes are!

 

Stay tuned for the next post in the series. Looking forward to hear your thoughts.