Information security is often understood as having three objectives: protecting the confidentiality of information, preserving information integrity, and ensuring information availability; security measures often help to address more than one objective. However, as a result of changes in the way organizations use and deploy information, there is a growing need for additional security measures directed at protecting the confidentiality of information.
This chapter concludes the examination of information theft prevention by exploring
As information assets are used in new and more flexible ways, you must accompany those new uses with appropriate security to ensure confidentiality and privacy are not compromised.
Security measures are dictated by the value placed on information and the ways in which the information is used. For example, when information is stored on physical media, such as paper, security focuses on protecting the tangible assets that store the information. When information is transferred between secure systems, additional measures, such as encryption, are required. When confidential information is copied to unmanaged devices with unknown security profiles, even more security measures are required.
Patterns of information access and use have changed, creating new points of vulnerability. This, in turn, has created the need for additional countermeasures to mitigate the risk from those vulnerabilities. To understand the scope and extent of these changes, let's examine three factors shaping the development of an enhanced information security paradigm:
Securing information is not a new challenge. For generations, warring factions, competitive businesses, and most recently nation-states have taken steps to keep information confidential. Safes, or "iron chests" as they were called, were used to protect valuables from theft. Julius Caesar supposedly used a simple substitution cipher to communicate with his armies. Today, we use similar patterns for protecting our assets. If the asset is stationary, we lock it up; if we need to transmit information, we scramble it so that no one but the sender will understand it. This model has worked well and will continue to serve many of our needs but is not sufficient for protecting against information theft today.
Consider a simple example of protecting written information. The need to do so has existed throughout history and is just as relevant today as it was when people first started keeping secrets in written form. If you have written information that you want to keep confidential, you can use tried-and-true physical security measures. Papers and folders can be locked in office safes or stored in locked vaults protected by security guards and surveillance equipment. If people need access to the information, they must go to it. In the process, they would presumably pass through multiple checks to verify that they have legitimate access to the information and that they are not bringing in devices that could damage the medium (for example, scissors, matches, and so on). They would also have to demonstrate that they are authorized to view the information, perhaps by knowing the combination to the safe that stores the documents. Finally, measures would be in place to ensure that they do not remove information from the secure area in an unsecured way; for example, the person could not make notes, copy documents, or scan materials. This model for physical security has been applied to electronic information.
The common characteristics between the physical security example and electronic and optical data storage include:
Figure 8.1: Physical security measures, such as locked doors and motion sensors, have analogs in electronic security, such as access controls and audit trails.
This model is effective when the information is restricted to the protected area established with safes, vaults, guards, and other measures. How can information be protected when it is no longer in the protected area? Encryption is the standard technique for protecting information when it is not within a trusted area.
When information is not within a trusted, secured zone, you must take additional steps to ensure it is not compromised. In broad terms, there are two points at which an attacker could steal or compromise information once it has left a secure area:
These require fundamentally different approaches.
You cannot prevent all possible ways in which an attacker might intercept information as it is transmitted from one secure point to another. For example, you cannot prevent an eavesdropper from gaining access to your ISP and monitoring your Internet traffic. Early wireless protocols are easily cracked. To complicate matters, someone could masquerade as you and engage in fraudulent activities using your identity.
Clearly, you need to deploy additional measures to protect your information and the integrity of your operations. At the very least, you want to ensure that the information remains confidential and that it is not changed in any way prior to receipt. Encryption, and related techniques such as message digests, provides the necessary protections, including:
Figure 8.2: Encryption and related technologies, such as VPNs, extend the scope of trusted zones over the Internet but do not ensure security on unmanaged devices.
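The integrity protection mentioned above depends on how the digest is used. The following is an added example, not part of the original chapter: it shows that a plain SHA-256 digest sent alongside a message does not detect a change made in transit, because anyone can recompute it, while a keyed digest (HMAC) does. The message text and function names are constructed for illustration, and the key is assumed to be shared between sender and receiver in advance.

```python
import hashlib
import hmac
import secrets


def digest_tag(message: bytes) -> str:
    """Unkeyed message digest: anyone who has the message can compute it."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """Keyed digest (HMAC-SHA256): computing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(digest_tag(message), tag)


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the comparison does not
    # leak how many leading characters of the tag were correct.
    return hmac.compare_digest(mac_tag(key, message), tag)


def run_checks() -> dict:
    """Receiver-side results for an unmodified and a modified message."""
    key = secrets.token_bytes(32)            # assumed shared out of band
    original = b"PAY 100.00 TO ACCOUNT 12345"  # constructed sample message
    altered = b"PAY 900.00 TO ACCOUNT 12345"   # same message changed in transit

    return {
        # Unmodified message: both checks pass.
        "digest_unmodified": verify_digest(original, digest_tag(original)),
        "mac_unmodified": verify_mac(key, original, mac_tag(key, original)),
        # Modified message with a digest recomputed over the new text:
        # the unkeyed check passes, so the change goes unnoticed.
        "digest_modified": verify_digest(altered, digest_tag(altered)),
        # Modified message with the original MAC still attached: rejected.
        "mac_modified_old_tag": verify_mac(key, altered, mac_tag(key, original)),
        # Modified message with a MAC made under a different key: rejected.
        "mac_modified_wrong_key": verify_mac(
            key, altered, mac_tag(secrets.token_bytes(32), altered)
        ),
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name:24} accepted={accepted}")
```

The unkeyed digest is still useful when the digest itself reaches the receiver over a separate trusted channel; when it travels with the message, only a keyed digest or a digital signature detects modification.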
Encryption protects information until it is decrypted. At that point, the level of protection provided by the decrypted data is based on the security of the area or the device that contains the information. If a secret message from an overseas diplomat is decrypted in a secured facility managed by an intelligence agency, there is probably little concern about the information leaking. It is a different matter if confidential legal documents are downloaded to an attorney's home PC, which happens to be shared with her teenage children who are fond of using peer-to-peer file-sharing programs.
Remember one of the fundamental principles of information security: A system is only as secure as its weakest link.
Cryptography is the practice of developing secret codes to protect information. Modern ciphers, or algorithms used to encrypt data, employ parameters known as keys. Unless one knows the appropriate key, one cannot decrypt a message. All ciphers are vulnerable to brute-force attacks, which try all possible keys to find the one that decrypts a message. To mitigate this risk, cryptographers use keys so long that it is impractical to try all possible combinations. The only problem is that the definition of "impractical" changes over time.
Consider the Data Encryption Standard (DES) encryption algorithm. The algorithm was adopted as an ANSI standard in 1978 using 56-bit keys. DES continued as a popular encryption mechanism for both government and commercial use until 1988 when it was no longer endorsed by the National Security Agency (NSA). In 1998, the Electronic Frontier Foundation used a custom parallel computer and broke DES encryption in 3 days. (Details of the project are described in the book Cracking DES, available for free online at http://cryptome.org/cracking-des.htm). Another group of researchers cracked DES in 1997 using a distributed system that used computers on the Internet. (See "A Brute Force Search of DES Keyspace" at http://www.interhack.net/pubs/des-key-crack/ for more information.) DES is no longer used for secure communications and has been supplanted by several others, including:
The new encryption algorithms use such long keys that brute-force searching is not practical by today's standards. Other techniques, however, can be used to try to break code. These include:
Even with these techniques, modern ciphers are expected to withstand all but the most determined attacks. In the future, other techniques, perhaps based on quantum computing or another theoretically possible method, may make brute-force attacks on large key encryptions practical.
Device-centric security protects information as long as it is not transmitted outside of a secured zone that contains only secured devices and secured communication channels. Encryption protects information during transmission. What about information that has been transmitted from a secured device, over a secured channel, and decrypted on a device with unknown security measures?
Figure 8.3: Unmanaged devices are subject to a wide range of vulnerabilities.
There are several potential problems, including:
These problems occur because the security measures you have come to depend upon are device centric. Consider the common security mechanisms that Table 8.1 shows and the methods by which they enhance security.
Limit network traffic based on protocol, origin, and other properties
Intrusion prevention (network)
Detect and block attacks on network services
Intrusion detection (host)
Detect unauthorized changes to critical OS and application files
Block access to banned sites; detect unwanted content, such as spam and phishing messages
Filter network traffic for viruses, worms, Trojan horses, keyloggers, rootkits, and other malware to prevent it from reaching servers and workstations
Filter incoming email, instant messages, and other traffic that may contain malware—this is especially important for mobile devices that may not always have the protection of network-based antimalware solutions
Limit access to systems and information to known users and control the operations users are allowed to perform on various resources
Log information about important activities such as login failures, changes to OS parameters, and deleted or modified data
Table 8.1: Device-centric security measures and their functions.
These security measures are tied to devices that are under the control of organizations. You must add to this repertoire measures that apply to unmanaged devices as well.
On-demand security is based on the idea that security should be associated with information and devices rather than devices alone. It also entails the idea that security measures should not require elaborate installation and maintenance on access points to information.
The evolutionary precursor to on-demand security is VPN technology. VPNs are widely deployed for protecting a wide array of applications and data. VPNs are essential elements to many IT infrastructures. Although VPNs are useful and will continue to be so in many cases, there are some limitations, including:
Information security is a constantly developing field, so it should be no surprise that VPN technology can be improved. It is those improvements that distinguish on-demand security. The fundamental characteristics of on-demand security measures are:
Figure 8.4: On-demand security should provide session-level security that does not interfere with other operations.
The traditional model of information security is device centric. Security measures are deployed on networks, servers, and managed devices to protect the information that moves through those systems. Encryption technologies, such as VPNs, are used to protect information as it moves through unprotected channels, such as the Internet. When information moves from a trusted zone (such as a corporate headquarters network) to another trusted zone (such as a regional office), the information is always protected to the level dictated by organizational policies and implemented by IT procedures.
This model does not address how to secure data when it leaves a trusted zone and is made available in an unencrypted form on an unmanaged device. From a security perspective, you can say nothing definitive about the security of the client, except that you do not know whether your information is secure.
By definition, unmanaged devices are controlled by someone else. You cannot dictate security policies for those devices. Business partners may have higher risk tolerances when it comes to information security; employees may be perfectly comfortable running a personal computer without a firewall and with out-of-date antivirus programs. On-demand security has emerged as a means of balancing the need to protect information assets with the need to sometimes provide that information on devices that may be compromised. One of the first steps to implementing on-demand security is formulating the policies and procedures that will govern its use.
On-demand security can be deployed in many ways and the methods that work best for one organization may not work for others. Customization of on-demand security can be broken down into two basic steps:
Although these two steps are outside of the technical realm that is often the focus of information security discussions, these are just as important. Remembering that any security system is only as strong as its weakest link, you must attend to the need for policies to drive implementations and the need for training to minimize the chances of unintentionally undermining the security measures put in place.
Security practices should be guided by policies. The policies, in turn, should be developed based on the needs, risk tolerances, and resources available to an organization. In the case of on-demand security, the factors that will influence the formulation of policies include:
The more information that is exposed to unmanaged devices, the greater the need for formal policies governing what security measures are required. Volume alone is not sufficient for determining security requirements. For example, if users are accessing internal Web sites that provide basic human resources information, submitting vacation requests, and performing other administrative functions, security requirements are lower than cases in which sensitive information is transferred to unmanaged devices. Sensitive information includes customer account information, personnel data, marketing plans, design documents, and other confidential or proprietary information. These are the types of factors that will drive the direction of security policies.
Several policies should be defined in relation to on-demand security:
These will provide the foundation for implementing on-demand security and related measures to minimize the threat of information theft.
A third-party access policy defines the requirements on external users and the limits to their potential use of information resources. This policy should begin with a definition of what general security measures are expected of third parties. The policy should not define how third parties implement security within their own infrastructures, but it can define the minimal levels of security expected. For example, the policy may state that third-party users agree to use basic security measures, such as firewalls and antivirus software, to protect any device used to connect to the target network and servers. Whether the third party uses personal firewalls on individual machines in addition to a network VPN or local antivirus or network-based antivirus measures is up to them.
The policy should also call for a description of how the third-party access will be used and for what business purpose. IT security personnel should review the plan to ensure that the plan does not create unnecessary risks. Third-party organizations should agree to notify the organization granting access if the employee, contractor, or consultant accessing the target system is terminated or for another reason no longer needs to use the target system.
The policy should define the responsibilities of application managers and systems managers responsible for systems with third-party access. These can include:
Some of these same principles apply to remote access policies as well.
A remote access policy generally applies to employees, contractors, and consultants who work both on and off site, or primarily off site. As with the third-party access policy, the goal is to ensure that those with access to the system understand their responsibilities and the limits of acceptable use as well as to define what is expected of IT staff in maintaining the security of remote access. The remote access policy should include:
Remote access policies also apply to mobile devices, but mobile devices have additional security issues that should be addressed in another policy.
The purpose of a mobile device policy is to define steps users should take to protect information on mobile devices, such as notebook computers, PDAs, and smart phones. The policy should address:
Mobile devices often use wireless network connections and are therefore subject to wireless communication policies.
A wireless communication policy should be designed to minimize the risk of rogue wireless devices accessing the network or attackers eavesdropping on communications between devices. A wireless communication policy should include:
The wireless policy may also include statements about the importance of not installing unapproved wireless access points, even for short periods of time. If they are not configured properly, they could become an avenue for stealing information. This is especially problematic when sensitive information is transmitted on wireless networks.
Not all information is equally important, useful, or confidential. An information sensitivity policy defines categories of information based on the amount of protection each group should be given. The military, for example, uses a 5-category classification:
Commercial and non-military government agencies might use another scheme such as:
The information protection requirements of these categories vary from minimal, or even nonexistent, to extensive.
In this categorization scheme, public information is freely available outside the organization. Press releases, product catalogs, and regulatory filings are examples of public information.
Public information is not just what is freely disclosed; compulsory disclosures dictated by government regulations can fall into this category as well.
Public information does not require special protection.
Sensitive information is information that an organization would rather not have disclosed but that would not cause significant harm if it were disclosed. For example, a company may be negotiating with several suppliers for office furniture and would rather keep the names of the bidders within the company; however, if the names of the bidders were revealed, it would have minimal impact on the company, perhaps by influencing how bidders respond knowing the competitive position of the other bidders. Sensitive information is protected with some measures of access controls but not subject to the level of control reserved for private and confidential information.
Private information is personal information about employees, customers, patients, clients, or others doing business with a company or agency. Private information includes:
In response to growing concern over the loss of privacy and the threat of identity theft, privacy regulations have increased. The response has come from all levels of government, from state to federal governments to transnational governing bodies, and includes:
Private data may be dictated by government regulation, but confidential information is often dictated by business requirements.
Confidential information includes trade secrets, strategic plans, pending marketing campaigns, and a host of other information that, if revealed, could cause serious harm to a company or agency. Information in this category requires the most stringent protection. Access to this information should be on a need-to-know basis. The copying and distribution of this information should be strictly controlled. Confidential information should not be revealed to individuals who have not agreed to non-disclosure terms defined by the owner of the protected information.
How organizations decide to categorize information will vary and, over time, may even vary within the organization itself. The important point of the information sensitivity policy is to establish a method for identifying different types of information with regard to sensitivity and to ensure that information is protected to the appropriate level. One of the measures typically taken to protect all categories of information when it must be transmitted to remote locations is to use a VPN.
A VPN policy defines when and how virtual private networking is used. Some key elements of a VPN policy are:
Policies are the starting point for defining an information security strategy. The advent of on-demand security requires a host of policies for technologies and practices that support on-demand security. On-demand security is easing the burden of implementing these policies, especially information sensitivity policies, but it does not eliminate the need for them. One important aspect of policies that can be overlooked is that users need to be made aware of the existence of policies and may need training on how to implement them.
Users can play an enabling role in acts of information theft. Choosing weak passwords, leaving confidential information unencrypted, and sharing accounts are all ways a well-planned security program may be compromised. Training users about information theft prevention should include:
These four areas form the foundation of securing information from the unintentional consequences of careless or uninformed user actions.
Once policies are defined, users should be made aware of them and the most relevant details, from their perspective, should be highlighted. Some elements of a security policy will not be relevant to users, such as systems administrators' responsibilities for monitoring logs, but others directly govern allowable user actions. For example, when a VPN is used to access the corporate network, users should not simultaneously surf the Web using another network connection. The most important topics to point out to users include statements governing:
The last point is especially important. Recent disclosures about laptop computer thefts have highlighted the need to protect confidential information on mobile devices.
Users of information must understand its sensitivity. It is not sufficient to protect access to information with elaborate authentication and authorization mechanisms if users copy or print controlled information and distribute it by other means. Consider the example of a health insurance company that contracts with a third-party claims processing company. To protect its customers' protected healthcare information, the insurance company may require multi-factor authentication, VPN-only access to database applications, and strict policies on the use of patients' healthcare information. An employee of the third-party claims processor prints reports, works on some in the office, and takes others home to work on but forgets his briefcase on the subway ride home. The well-protected information is now exposed and out of the control of the companies responsible for it.
Employees, contractors, consultants, and business partners should be trained on:
Poor understanding of information sensitivity can render users of information the weakest link in the security system.
Users should not need to become experts in computer security, but they should have a basic understanding of the threats that exist. By now, most people are aware of viruses. They may not be aware of the technical details of how malware works or even the various types of malware, but they know that viruses exist and countermeasures are available to combat them. That is the base level of understanding you should expect. The other areas that users should understand are:
Incident response requires its own well-defined policy and set of procedures that govern how IT staff should handle a security breach; however, in this context, the concern is with non-IT users who suspect a possible security incident. Users should understand the basics of responding to a possible security breach, including:
The burden of responding to security breaches rests with IT; the goal of user education is simply to ensure that IT's job is no more difficult than it is already.
Preventing information theft depends in part on an organization's preparation. Having well-defined policies and procedures in place, along with keeping users informed about security threats and their responsibilities to minimize those threats, is one element of a comprehensive information security practice. Another element is the technical measures taken to counter those threats.
As the previous sections of this chapter have demonstrated, there has been a fundamental shift in the way information is accessed and therefore, how it must be protected. Organizational policies that address new models of access, including the use of VPNs and on-demand security, are one part of the response to the evolving threat of information theft. The technical responses, implemented as part of the process of executing security policies, are the other component of the response. Let's turn our attention to best practices in comprehensive information security management with particular attention to deploying on-demand security systems.
A comprehensive program for preventing information theft should address security measures that protect devices that store and transmit information as well as measures that protect information when it moves from managed devices. Such a program can be divided into three areas:
Each area may be managed with a series of best practice measures.
Network security addresses two problems of protecting information: ensuring its confidentiality and integrity as it is transmitted and ensuring the network is not used to attack information or devices. Well-established components of network security are still relevant today, and include:
Some of these devices, especially content filters and proxies, are becoming more sophisticated in response to increasingly complex threats. A proxy, for example, acts as a gatekeeper between the secured network and the outside network. A traditional packet-filtering firewall does the same thing but at a lower level. As Figure 8.5 shows, the higher up in the network stack the countermeasure operates, the better it can assess threats.
Figure 8.5: One response to increasingly complex threats is to deploy countermeasures that work at higher levels of the OSI model network stack.
Best practices in network security require a combination of countermeasures, each designed to counter particular types of threats. Even with a protected network, it is important to deploy security measures to individual devices as well.
Managed devices are under the control of security policies and should take advantage of a variety of security measures. Client devices, such as workstations and notebook computers, should use all or most of the following:
Servers should deploy these same measures as well as additional measures, such as
With managed devices, IT can define and implement appropriate security measures for devices.
There are several core steps to protecting information before it is sent to an unmanaged device. These include:
Once the user has established a secure zone within the unmanaged device, the user can proceed to access applications and information. For additional security, information that must reside on the unmanaged device—for example, in a Web browser cache—should be encrypted. When the session terminates, all information related to the session should be purged from the unmanaged device.
On-demand security systems complement VPNs and other security measures taken to protect information security. Like VPNs, on-demand security devices can operate as appliances within the network. Unlike some VPNs, which require client software installation, on-demand security by its nature should be downloadable and configurable without administrative rights to an unmanaged device. Ideally, on-demand security components would be integrated with VPNs, minimizing the number of devices that must be supported.
Like other network appliances, the deployment of on-demand security devices requires:
On-demand security systems will require information about users and their authorizations.
Additional user attributes may be needed in organization directories (such as Active Directory (AD) or an LDAP directory) to allow for finely tuned policies controlling the features enabled on unmanaged devices. Advances in IT are creating new ways to steal and unintentionally leak information; however, similar advances are improving our ability to counter those threats.
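To make the interaction between directory attributes, information sensitivity categories, and unmanaged devices concrete, here is an added sketch of a session policy decision. It is not from the original chapter or any product: the attribute names, the device baseline (firewall on, antivirus current), and the specific rules are assumptions chosen to mirror the policies described earlier.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """The chapter's four commercial categories, least to most protected."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class User:
    # Hypothetical attributes an organization might add to its directory.
    name: str
    max_sensitivity: Sensitivity  # highest category the user needs to know
    signed_nda: bool              # has agreed to non-disclosure terms


@dataclass(frozen=True)
class Device:
    managed: bool
    firewall_on: bool = False
    antivirus_current: bool = False


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    allow_download: bool = False
    allow_print: bool = False
    encrypt_cache: bool = False   # encrypt data left in the browser cache
    purge_on_exit: bool = False   # remove session data when the session ends


def decide(user: User, device: Device, resource: Sensitivity) -> Decision:
    """Return the features enabled for one session (illustrative rules only)."""
    # Public information needs no special protection on any device.
    if resource is Sensitivity.PUBLIC:
        return Decision(True, "public information", True, True)

    # Need-to-know: the user's directory attribute caps what may be read.
    if resource > user.max_sensitivity:
        return Decision(False, "above user's need-to-know level")

    # Confidential information only for users bound by non-disclosure terms.
    if resource is Sensitivity.CONFIDENTIAL and not user.signed_nda:
        return Decision(False, "non-disclosure agreement required")

    if device.managed:
        # Device-centric controls already apply; copying of confidential
        # information stays restricted.
        can_print = resource is not Sensitivity.CONFIDENTIAL
        return Decision(True, "managed device", True, can_print)

    # Unmanaged device: require the minimum baseline before any access.
    if not (device.firewall_on and device.antivirus_current):
        return Decision(False, "unmanaged device fails minimum security baseline")

    # Unmanaged but acceptable: session-level controls; local copies only
    # for the lowest protected category.
    low = resource <= Sensitivity.SENSITIVE
    return Decision(True, "unmanaged device with session controls",
                    allow_download=low, allow_print=low,
                    encrypt_cache=True, purge_on_exit=True)


if __name__ == "__main__":
    # Constructed sample users and devices.
    alice = User("alice", Sensitivity.CONFIDENTIAL, signed_nda=True)
    partner = User("partner", Sensitivity.SENSITIVE, signed_nda=False)
    office_pc = Device(managed=True)
    home_pc = Device(managed=False, firewall_on=True, antivirus_current=True)
    kiosk = Device(managed=False)
    for u, d, r in [(alice, office_pc, Sensitivity.CONFIDENTIAL),
                    (alice, home_pc, Sensitivity.CONFIDENTIAL),
                    (alice, kiosk, Sensitivity.PRIVATE),
                    (partner, home_pc, Sensitivity.PRIVATE)]:
        print(u.name, r.name, decide(u, d, r))
```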
Information theft is a legitimate concern for organizations. Personal information could leak, leaving a company liable for violation of privacy regulation. Trade secrets could be stolen or exposed unintentionally, risking the loss of an important competitive advantage. IT professionals have deployed a wealth of security measures and defined policies to mitigate risks and adapted these as changing circumstances warrant. Today, the need to protect information extends beyond the network perimeter to home computers shared by employees and their children, customers accessing their accounts online, and business partners with varying degrees of security.
IT has long protected information assets, at first by controlling physical access to computers and then deploying basic access controls in shared computing environments. As networks proliferated, network security measures such as firewalls were added to create perimeter defenses. The perimeter is now more porous than ever, and IT professionals are responding with new security measures using on-demand security. Information security is no longer tethered to managed devices; security controls can go where information goes.