From the perspective of a Computer Security Consultant
By: Mark Lachniet, CISSP, CISA, MCSE, MCNE, CCSE, LPIC-1, TICSA
The incredible growth in computing, and particularly networked computing, has spawned an entire industry dedicated to protecting these computing resources from fraud and abuse. In truth, computer security has always been an issue, dating back to the first "big iron" systems used in research and the financial industries, but it is only in the last decade or so that computer security has really come to the forefront of the average citizen’s attention. In the age of the Internet, with the seemingly endless assault of viruses, unsolicited SPAM e-mail, and online scams, computer security awareness has become a virtual necessity for online survival. Computer security awareness is now reinforced everywhere from elementary schools to CNN. At the same time, businesses and organizations everywhere have been forced to realize their dependence on computers to conduct business and take appropriate steps to reduce their risk, while meeting the many new rules and regulations established by government. As a result of this incredible and rapid technological change, a parallel computer security industry has also developed and grown to fill this need. This document is intended to provide a background on this industry from the personal perspective of a practicing computer security consultant.
ABOUT THE AUTHOR
As noted above, this document represents the personal opinions and observations of the author alone, and does not necessarily reflect the opinions of my employer. Additionally, as any conservative security consultant will quickly state, I Am Not A Lawyer. Indeed, this phrase is so often written that a shorthand acronym of "IANAL" has become the de facto disclaimer in e-mail, online discussions and other forums. However, while most security professionals are not attorneys, a broad understanding of non-technical topics such as ethics, corporate governance, legislation and the legal system is essential for professional survival. In my role as Technical Director for the Security Services group at an international consulting firm, my research necessarily takes me from such obvious topics as analyzing the technical security of Internet connections to understanding the technological implications of criminal law, intellectual property, physical security, terrorism and even "cyber-warfare." Legal topics, in particular, are so important to computer security that I have frequently considered pursuing an education in law simply to become a more effective practitioner.
THE STATE OF COMPUTER SECURITY TODAY
Due to the wide variety of topics that interrelate to computer security, it is difficult to accurately define the industry, let alone make sense of the myriad products and services that are available. Not only is there a wide variety of products and services available, there is also a distinct lack of consensus on what computer security is "all about." There are few universally accepted standards for security that can be used as a baseline, and conflicting opinions on best practices abound. Worse, many companies have jumped on the "security bandwagon" and market security services without a good understanding of how to professionally and ethically provide these services. As an example, one quite valid criticism of the security industry as a whole is that it uses F.U.D. (Fear, Uncertainty and Doubt) to frighten people into purchasing its services. Some analysts have even gone so far as to suggest that the security industry doesn’t really want to fix the problems, as it would be bad for business. Clearly, despite gradually increasing standardization and many advances, it is an industry that needs to be better defined and understood. In the following, a consultant’s perspective of the industry will be presented, with an emphasis on topics and issues that might be of interest to future and practicing attorneys.
A clear indicator of the quality of professional computer security consulting is an emphasis on the health of the whole organization rather than an emphasis on technology. When viewed from a holistic perspective, computer security isn’t so much about computers, but rather about risk management. As any CEO, corporate counsel or auditor will likely tell you, risk management is essential to the health of any organization. The leadership of every organization must regularly weigh the relative risks of a potential incident versus the cost of mitigating this risk. For example, an organization may weigh the chance of an accident occurring versus recurring costs when selecting an appropriate liability insurance policy. In computer security, the same types of decisions must be made, ideally with a rational and well-defined approach to identifying and quantifying these risks. Once these risks have been quantified, the organization can then make informed decisions on how to best allocate resources to deal with these risks. The conventional wisdom holds that risk can be addressed through one of four responses – the organization can accept the risk, ignore the risk, mitigate the risk through controls, or transfer the risk to a third party such as an insurance carrier. For the most part, a security consultant is responsible for identifying and mitigating risks with technological and procedural remedies. Unfortunately, with the current state of computing, most organizations have little idea what their risks are, let alone the impact of having these risks realized. Without even this basic understanding of risk, the actions taken to address perceived computer security risks are often misguided at best, and outright counter-productive at worst. One valid question to ask, then, is why we have collectively lost our understanding of risk, especially as it pertains to technology?
The answer, at least in part, is the rapid pace of technological and social change that the western world has experienced over the past few decades. This computer revolution can be characterized by an unprecedented amount of technological change. From the early 1970’s, with the first practical roots of the Internet to today, our professional and personal lives have been increasingly tied to technology. Technology has changed the way we work, communicate and even perceive ourselves. Except for those on the wrong side of the economic "digital divide", personal computers are ubiquitous. We now have computer terminals in coffee shops, wireless access on airplanes and Internet access in many households. Similarly, computers are now a mandatory requirement for doing business. In many workplaces, having a network failure, with the subsequent loss of Internet browsing, file sharing and e-mail can be crippling. In the past few years, individual virus outbreaks such as the Code Red worm have been estimated to cost the global economy billions of dollars. Meanwhile, as our dependence on technology has increased, the complexity and difficulty of developing and maintaining these systems has also increased. For obvious reasons, the demands placed on technical support staff to understand, maintain and support these computing systems are significant. In many organizations, the technical staff is so busy that they barely have time to understand the basic functionality of the systems they must support, let alone the security needs of these systems. In short, the pace of technological change is so rapid that few information technology workers can keep up, and hence a security industry has grown to address this need.
Unfortunately, it is not only technology workers that have difficulty with this rate of change. Our fundamental institutions have also been slow to adapt to these monumental changes. Law enforcement, for example, is overwhelmed with cases to investigate and prosecute, despite increasing awareness and technological skill. This is further compounded by the worldwide nature of the Internet and difficult issues of jurisdiction. Within the legal system, a lack of consistent precedent and a generally low level of technological awareness by attorneys and judges hinder the consistent and equitable development and application of the law. Even in foreign policy and warfare, computer security comes into play. Many national governments, including the United States, have even begun to develop formal information warfare capabilities. Worse, due to the inexpensive and low-risk nature of computer hacking, terrorist groups are also researching ways to use computer attacks as a means of causing economic damage and achieving political goals. Considering the huge financial impact that an attack on our information infrastructure can create, it is clear that a great deal of work remains to be done in computer security. One could make the analogy that computer security today is somewhat like the "wild west" – there are simply too many bad guys and too few sheriffs to catch them all. In this environment, it is up to the organization to protect itself, and this is where a computer security consultant comes into play. To continue the metaphor, security consultants are the "hired guns" who can help to keep the bad guys at bay until help can arrive. Even this description, unfortunately, is a vast over-simplification of the issues, but will have to suffice for our purposes.
FUNDAMENTALS OF COMPUTER SECURITY
Computer security focuses on three primary factors known collectively as the "CIA triad": Confidentiality, Integrity and Availability. Confidentiality deals with the ability to protect information from unauthorized access. For example, the technical controls that stop an employee from opening their supervisor’s e-mail fall within the realm of confidentiality. Integrity, which is related to confidentiality, pertains to the ability to protect information from unauthorized changes. For example, the ability for a hacker to change the destination bank account number on a financial transaction while it is in transit would be an integrity concern. Lastly, availability pertains to the ability to actually use the system in the way it was intended. Hardware failures, hacker Denial of Service (DoS) attacks, human error and acts of God can all contribute to a loss of system availability. To support security, work must be done on a variety of fronts, encompassing both technical and non-technical aspects. For example, while it is necessary for engineers to design and implement secure systems, it is equally important to provide user training, oversight, and guidance. By the same token, management must be made aware of their risks, and be able to make informed decisions on how to run their organizations. In the final analysis, computer security has implications for virtually every aspect of an organization in some way or another.
SECURITY CONSULTING SERVICES
To address the need for the confidentiality, integrity and availability of technological systems, security companies provide services on a number of fronts. For example, there are hardware and software vendors that produce tools such as network firewalls and intrusion detection systems. To assess risk, design secure systems and install security tools, consultants and integrators are used. For those companies that lack the time or expertise to perform the day-to-day work of maintaining systems, outsourced security companies can be used. For virtually every need, there is some company, somewhere, that can provide a matching service. Due to the prohibitively wide variety of services available, this article will focus specifically on the services generally performed by computer security consultants, with a specific emphasis on issues of interest to the legal profession. A full treatment of technological issues such as ease of use, performance, etc. is outside of the scope of this document. However, a few select security services will be discussed in the remainder of this document.
The first, and perhaps most common, way that consultants are used is to design secure systems. Security is most effective when it is planned for at inception, as opposed to being added as an afterthought after the system has been implemented. Design services can further be arbitrarily broken down into network design and system design.
In network design, the primary goal is to provide control and accountability for interconnected systems. For companies that connect to the Internet, a good network design is essential. Without a means of controlling access from the Internet, computer systems are at the mercy of a vast and faceless army of potential attackers. The primary component of a secure network design is a firewall. Put simply, a firewall is a device that connects different networks or devices and controls access between them. Although firewalls are typically thought of in relation to Internet connections, they are also necessary in other ways. Connections to the Internet are not the only source of risk – many organizations have network connections to branch offices, partner companies and vendors. These network connections to partners and vendors are of particular concern, and should be controlled with a firewall.
In general, any network that is outside of the administrative control or authority of the organization should be strictly controlled and monitored. This protection is necessary for both technical and potential liability reasons. For example, what liability would an organization assume if an incident occurred, such as a virus outbreak that caused extensive financial hardship? What responsibility would a partner have if they, themselves, were used as an unwitting third party in a network attack? Many organizations’ networks have connections to vendors, support staff and business partners. Unfortunately, these connections are frequently established without adequate thought about the implications of doing so. Because of this, it is probably only a matter of time before these types of issues start making their way to the courts. One way to deal with these issues is to have a mutually acceptable partnering agreement that clearly defines the roles and responsibilities of each party.
In addition to providing control, network design also touches on a number of other issues. For example, network access should require authentication – minimally a username and password – to uniquely identify users of the system. Similarly, the network should maintain logs of system activity to provide an audit trail for how the system is used. Here again, most networks are poorly designed in this regard. Ideally, a well-configured network will allow an analyst to clearly understand how it is being used, and to recreate a sequence of events in the event of a security compromise. Unfortunately, in most cases where a forensic analysis of a hacking incident is performed, network logging is not sufficient to reasonably determine what happened or who the attacker was. This logging information could make or break a case involving network attacks. In a similar vein, network logging – especially of web usage – can be important in instances involving inappropriate individual behavior. Consider a hypothetical situation where an employee was terminated for inappropriate computer usage. Perhaps they were fired because they spent too much time browsing the web and were unproductive, or they regularly accessed pornographic web sites while at work. If, for example, a suit were brought against a company that alleged unlawful termination, the existence of logging data could be instrumental in proving (or disproving) the allegations.
In many environments, even the best network design cannot protect an insecure host. For this reason, secure system design is also needed. System design deals with a smaller set of devices, usually one device or a set of functionally related systems (such as a database and a user workstation that accesses the database). Within this smaller scope, however, issues can range from software development (such as the development of an operating system like Windows 2000) to securing a web server prior to deployment. Due to the complexity of the many software systems that typically interact to provide computing systems, system design is just as important as any other aspect of computer security. Failure to apply due diligence in system design may have interesting technical and legal implications.
An excellent example of this can be found in the recent activity regarding Microsoft. Microsoft, as most people are aware, produces software that is used on a vast majority of computer systems, including Windows 2000 and Microsoft Office. The discussion and legal activity over the potentially monopolistic actions by Microsoft are still ongoing. Despite its best efforts, Microsoft software has a long history of security flaws, and has received much criticism in this regard. This combination of market dominance and security flaws has interesting implications for information security. In September, 2003, in a white paper entitled "Cyberinsecurity: The Cost of Monopoly," a number of respected security analysts make the case that computer security, if not national security, is at risk due to a Microsoft "monoculture." An attorney might question whether Microsoft has a responsibility to provide secure software, and if they are failing in this duty. Indeed, a lawsuit recently filed in Newport Beach, California makes exactly this assertion, and builds upon the claims of the white paper. As interpreted by this author, in this suit (filed both for an individual and as a potential class-action suit) it is asserted that Microsoft software is too complex for the average user, and that this ultimately leads to issues of consumer privacy not being adequately protected, among other issues. It seems unlikely that this will be the last lawsuit of its kind.
While in the ideal world, systems and networks are designed with security in mind, the real world is usually quite different. Systems are frequently added in an ad-hoc fashion, and only rarely is a useful analysis of the security implications of the system performed prior to implementation. Even in those organizations where a proper change control system is in place, new security vulnerabilities are discovered on a nearly daily basis. Thus, a computer system that once might have been adequately secure will quickly become vulnerable to attack if ongoing maintenance and monitoring of the system is not performed. As part of this maintenance, a formalized routine of updating software and testing for security flaws is essential. While simply being aware of software updates and quickly applying them will close the majority of security holes, it is not by itself sufficient to maintain security. A number of other issues – how the software is configured, how the various software components fit together, and how securely internally developed software is written – all contribute to the security posture of the organization. To assess security in a more holistic fashion, security assessments are used.
Once again, there are vast differences in the types and terminology of security assessments in the industry. To provide a standardized frame of reference, interested parties can refer to the Open Source Security Testing Methodology Manual (OSSTMM). This document, the result of an open collaboration of security professionals, attempts to provide guidance on the proper terminology, methodology, and ethical practices of security testing. The manual specifically differentiates between two types of security testing that are worth discussing here – Security Scanning, and Risk Assessment.
Security scanning, also known as a vulnerability assessment, concerns itself with the technical analysis of networks and devices in an attempt to identify security weaknesses. For example, an internal or external security consultant might be tasked with analyzing the security of an Internet web server or e-mail server. Typically these tasks are performed using the same tools and techniques that hackers use, but with an emphasis on prevention. As the saying goes, it is important to "hack yourself" before somebody else does. There are a wide variety of security scans that can be performed, ranging from the very simple (using an automated scanning tool and presenting the results) to the very complex (performing manual assessment of complicated application logic) and many shades in between. Ultimately, the goal is to identify technical vulnerabilities and map these to business risks. For example, a scan might reveal that an organization’s web server is vulnerable to misuse, whereby it could be used to anonymously store data. While this may not be a flaw that could result in a compromise of the system, there are still important implications to consider. What if the system was used to store child pornography? What if the system was used for the storage of pirated software or music? As an outcome of security scanning, the organization should be provided with a list of flaws to fix, as well as a ranking of the relative impact or priority of these flaws. With this information in hand, the organization can then fix some or all of the identified vulnerabilities and begin the cycle all over again.
A risk assessment, on the other hand, concerns itself with the overall health of the organization. Where a security scan focuses on technology, a risk assessment operates at a more macroscopic level. Although technology is a concern, the scope of a risk assessment typically includes issues such as policies, procedures, user training, documentation, organizational structure, physical security, governmental regulations, contractual requirements, insurance coverage and a host of other topics. In truth, technology is not the greatest factor in determining the security posture of the organization – people are. As such, an analysis of the controls and checks and balances of the computing environment is important. A risk assessment in the computer world is somewhat analogous to a yearly audit in the financial world. Just as most organizations have an external auditor certify their finances each year, proactive organizations have their security audited on at least an annual basis. Risk assessments are typically conducted by analysts with knowledge of the issues of the specific industry, such as finance or manufacturing. Once again, the findings of the risk assessment must be translated to the language of business so that it can be understood by senior management and acted on appropriately.
Regular security assessments, in addition to being a wise business decision, are increasingly being required by various regulatory and governmental agencies. While this author is not a legal expert in any of the following areas, a number of regulatory areas are worthy of the reader’s attention. For example, in the health care industry, the proposed security standards for the Health Insurance Portability and Accountability Act (HIPAA) call for all subject organizations to "assess its own security needs and risks and devise, implement and maintain appropriate security to address its business requirements." This is, in essence, a risk assessment. In the financial industry, the Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act," in section 314.3 requires that subject organizations "develop, implement, and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards." Clearly, this cannot be done without first analyzing the current environment with a process similar to a risk assessment. Due in part to the MCI / Worldcom incident, increased oversight of publicly traded companies in the United States has also resulted in an emphasis on computer security. Specifically, the Sarbanes-Oxley Act dictates that a corporation’s principal executive officer and financial officer personally certify their financial statements. As part of this financial certification, executive officers (as per section 302) must present "conclusions about the effectiveness of their internal controls" and also present an external assessment (section 404) of these conclusions. Due to the fact that virtually all financial data is generated from computer systems, controls on computer systems can be assumed to be a part of the required internal controls. Even in the absence of a formal regulation, the need for corporate entities to maintain adequate internal controls should be obvious. Failure to do so might result in legal action from shareholders if there appeared to be a lack of due care resulting in a financially significant security incident.
DISASTER RECOVERY PLANNING
Another area where security consultants are used is in helping organizations prepare for, and recover from, disasters. Especially in light of the events of September 11th, 2001, organizations have become increasingly aware of their vulnerability to terrorist attacks, accidents and acts of God. Although it may not seem immediately obvious, the financial impact of losing access to buildings, telephones and computing resources can be significant. According to a Gartner report, two out of five enterprises that experience a disaster go out of business within five years. A significant factor in any organization’s long-term health is how well they have planned in advance for such an occurrence.
Disaster Recovery (DR) and its parent process, Business Continuity Planning (BCP), require technical skill and attention to detail. Although the planning process varies from organization to organization, the desired outcome is a documented methodology about how to respond to an incident. The scope of the project may be limited simply to recovering technology (such as computers) or may include the much broader steps required to recover the entire organization. Regardless of the outcome, a few steps are common in planning. First, the organization must assess itself through a risk assessment to identify areas of potential vulnerability. Second, the organization must map its business processes (such as marketing a product) to the technology required to support this process. This process mapping, usually performed as part of a Business Impact Analysis (BIA), involves extensive interviews with various parts of the organization such as technicians, workers, managers and executive officers. As an outcome of the BIA, a list of critical assets that must be recovered in the event of a disaster can be generated. With this information, the organization can then create a plan that will encompass the steps necessary to recover critical resources in the event of a disaster. The plan, when complete, must then be tested, and the organization must put in place a set of policies and procedures to maintain the plan in perpetuity.
Although greatly simplified for the sake of this document, disaster planning is a complex, time consuming and potentially expensive process to undertake. It is, however, essential for the long-term health of the organization. Sadly, many organizations have never done this work, or have done so in an inadequate way. As should be obvious, maintaining a disaster recovery plan is an essential control to address computer risk. As such, one could argue that it falls well within the requirements of previously mentioned regulations such as HIPAA, and failure to create and maintain one could have dire legal implications.
Another area where security consultants are frequently used is in assisting with a security incident. Unfortunately, even with the best planning and proactive risk management, incidents may happen and help may be required. This help can take many forms, ranging from simple informal advice to a formal forensic analysis. Two of the most common types of incidents that a consultant might be used for are situations involving employee termination, and analyzing a security incident after the fact.
Employee termination usually deals with situations where an organization has fired (or wishes to fire) an employee with significant knowledge of or access to computing systems. In many cases, this is a network or system administrator who has made threats or otherwise caused concern within the organization. In situations where management has identified a significant risk, a consultant can assist in planning a well-reasoned approach to dismissing the employee. As might be obvious, the best time to discuss how to dismiss an employee is prior to dismissal, as it affords an opportunity to revoke system access in an organized way. In this capacity, a security consultant will typically work with the organization’s management to draft a list of tasks to perform. For example, the consultant will help identify all of the passwords that will need to be changed in servers, software, network devices, the voice mail system and other technological systems. In addition, the consultant will help in evaluating the need to make more drastic changes. In the case of a network administrator, it is frequently the case that the individual has learned the passwords of other users as part of their job, and it may be necessary for all users to change their passwords. A large part of this work is the methodical identification of all of the various systems that exist in the environment, and creating a list of changes to be made. In addition, an organization should identify all of the property in the possession of the employee ahead of time. This property may include physical items such as laptops, pagers, keys, security badges and computer equipment. It may also include less physical items such as intellectual property, organizational data, and other intangible assets. Working in combination with the organization’s legal counsel and human resources department, the security consultant can then assist in obtaining property, securing the environment and evaluating future risk to the environment. A number of other steps, usually outside of the scope of the security engineer, such as performing an exit interview and signing an employee termination agreement, should also be considered. Although a full analysis of employee termination procedures is outside of the scope of this article, it is clear that dealing with exposure from former employees through computer networks and the Internet is critical in managing risk.
Security consultants are also frequently called upon to investigate suspected computer security incidents. These incidents might range from the innocuous, such as SPAM, to the very serious, such as insider fraud. To address these needs, a variety of incident response services are available to help an organization that requires assistance. Unfortunately, as is frequently the case with computer security, these services are often delivered in a non-standard and possibly even harmful way. There have been many accounts of individuals who were entirely unprepared to investigate security incidents being sent into the field – sometimes even by law firms.
Considering that every security incident has the potential to make its way into the legal system, it is essential that responders are aware of incident response best practices and legal concepts such as the chain of custody. For example, computer investigators need to be aware of the effect that their actions will have on the evidence – are they modifying or deleting data? Are they following best practices in evidence collection? From a procedural sense, do they have a pre-defined methodology? Are they fully documenting their actions? Can they account for where the evidence has been, who has been responsible for it, and how it was protected? Are they gathering all of the data possible? Are they technically capable of interpreting the data they collect? In many cases, the ultimate answer to these questions is an unqualified "no." An omission in any one of these areas could become a problem during examination that might have profound effects on a case. This problem is further compounded by the fact that there is very little consensus in the law enforcement, legal and computer forensic communities on exactly what best practices actually are. In essence, due to a lack of formal standards, every action can be questioned and challenged in court. A well-informed attorney could easily use this lack of standardization, and the relative difficulty in explaining the underlying computer technology, to achieve their legal objectives. Unfortunately, until our legal institutions have addressed this problem and established adequate precedent, presenting computer evidence is an uncertain enterprise at best.
Computer security, new security-related regulations and laws, and particularly the various services provided by consultants are not well understood. As the industry struggles with establishing standards, best practices and common terminology, a great deal of uncertainty persists. At the same time, companies continue to market their wares and services in inconsistent, and sometimes difficult to understand, ways. At the frontier of this industry, there are trendsetters and consensus-builders that help to form and define a mature industry. At the other end of the spectrum are companies that offer services without a solid understanding of the legal and technical issues. At the same time, increasing pressure from regulatory agencies and state and federal government is necessitating change. In all of this, the uncertainty and disconnect between technology and the legal system offers unique opportunities for individuals with a firm grasp of both industries. For computer security consulting firms, developing relationships with the legal community will be required, and for legal professionals an understanding of technology will be essential. The future of civil action on technology issues, perhaps in the form of negligence or class action suits, is interesting to say the least. Similarly, the implications for criminal law, with the lack of formal forensic standards and poor technical understanding, provide an opportunity for specialists to flourish. In all, it is a time of profound change for both the computer security and legal professions that leads one to recall the saying – "may you live in interesting times."
Mark Lachniet is a security analyst and Technical Director for the security practice at an international consulting firm. Mr. Lachniet holds a number of industry certifications including the Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). Mr. Lachniet is a frequent presenter at organizations such as the Information Systems Audit and Control Association (ISACA) and the High Tech Crime Investigation Association (HTCIA). Mr. Lachniet holds a degree in English from Michigan State University and resides in Haslett, Michigan. Mr. Lachniet welcomes questions, comments and challenges on the content of this document and can be reached via e-mail at firstname.lastname@example.org.