
Data Security For the Business Owner


DESCRIPTION

This is a partial draft of a manual on data security for the non-computer-nerd small to mid-sized business owner. It explains security concepts, contains a glossary and an annotated bibliography, and identifies ways to manage the risk represented by information technology. I worked on this a couple of years ago and gave up, at least temporarily, because the technology and threats were changing faster than I could write. I have put up the partial draft because it might be useful to some people and I occasionally refer folks to sections I wrote when they ask related questions. If the draft does appear to be useful and there is sufficient interest, I may continue working on it.


Page 1: Data Security For the Business Owner


Data Security For the Business Owner
How and Why for non-IT Professionals

Eric Vought <[email protected]>
$Id: BusinessDataSecurity.dbxml,v 1.67 2007/05/19 00:06:11 evought Exp $

Copyright © 2007 Eric Vought

Legal Notice

Some of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this text, and I was aware of the trademark claim, the designation is appropriately marked on first appearance. Unless otherwise noted, references to specific tools and applications in this article are presented only as examples of what is available and not as endorsements. The reader is encouraged to read reviews and research additional alternatives for himself or herself.

I am not a lawyer and nothing in this document is to be construed as offering qualified legal advice.

All Rights Reserved. This document may not be reproduced in whole or in part, in any form (beyond that copying permitted by Sections 107 and 108 of the U.S. Copyright Law), without written permission of the author. Copyright and permission of accompanying graphics and stylesheets as noted in those files.

Abstract

This document is a data security primer for non-technical business owners, including explanations of risk management, basic security concepts, and development of a sound security strategy.

Table of Contents

Preface ... 2
    Goals ... 2
    Audience ... 3
    Approach ... 3
"Real World" Risks ... 3
    Building Safety ... 3
    Keeping People Out ... 4
    Screening and Trust ... 4
    Insurance Policies Mitigate Loss ... 5
    Data Security Is Also Risk Based ... 5
Cybercrime and the State of the Internet ... 6
    The Internet Is Not Magic ... 6
    The Goals of Internet Criminals ... 6
    Common Cybercrime ... 7
    Things Are Not Hopeless ... 10
First Principles ... 11
    Secure the Perimeter ... 11
    Guard Your Secrets ... 12
    Create a Defense In Depth ... 12
    Security By Obscurity Is Not Effective ... 13


Business Data Security


    Exploits and Vulnerabilities ... 13
    Keep Your Eyes Open ... 14
Building a Data Security Strategy ... 14
    First Steps ... 14
    Your IT Professionals ... 16
    Document Retention and Protection ... 18
    Documentation, Policies, Audits— How Much, How Often ... 18
    An Incident Response Plan ... 22
    Making IT and Security Purchases ... 27
Your Network Layout ... 32
    The Network Perimeter ... 36
    Employee PCs - The IT Battleground ... 39
    Network Services - Sharing and Editing Files ... 46
    Internet Services and Communication ... 50
Conclusions ... 50
    Frustrations ... 50
Glossary ... 51
Bibliography ... 63

Preface

Goals

Data security, the protection of business information and associated computer networks, is a highly technical field which is often associated with black magic by non-technical professionals. This situation is not helped by a communications gap between IT professionals and business owners. Business owners are not trained to understand the technical concepts and computer professionals cannot explain risks in concrete business terms.

Uninformed business owners cannot avoid dangers and capitalize on opportunities in a rapidly changing technical landscape. Frequently, critical issues are ignored and money is spent on ineffective solutions. This document:

• explains security in terms of risk-management,

• reports on the current state of the Internet,

• describes fundamental security concepts in concrete, non-technical terms,

• develops basic data security strategies from first principles,

• presents example business cases where security versus opportunity trade-offs are made,

• and concludes by encouraging a "security mindset" where technology concerns are incorporated into day-to-day business decisions.

This document will not turn the reader into an IT professional, much less a security professional. What it can do, however, is better equip you to evaluate how data security affects your business and communicate with technical professionals and vendors you hire to secure your data. It will also, hopefully, help you to recognize the snake-oil salesmen who offer ineffective solutions to problems you may not even have.

Some parts of this document, those describing current electronic threats to your business, may seem alarmist. These reports should alarm you: the current state of Internet security is very poor and some authorities would say desperate. Most people are unaware of the ways in which systems are routinely compromised. Vendors have a vested interest in keeping these facts quiet or no one would use their products or services. Fortunately, however, prudence and care can eliminate the most common threats and make trouble even for sophisticated attackers. The biggest threat on the Internet is ignorance and the fact that most computer users do not take even basic precautions. Safely navigating large cities requires street-sense and awareness; the Internet is no different. As our world changes, businesses that become street-smart will have a competitive advantage over those that do not.

Although I provide links to examples of products or technologies, I steer clear of providing steps to accomplish tasks, use products, or secure particular types of systems (such as tightening down a Windows XP™ computer or using encryption in Microsoft Outlook™). Technology changes rapidly and my goal here is to teach concepts that are independent of particular products. Specific technical solutions are best handled by IT staff for larger businesses or technology-specific howtos for SOHO professionals.

Audience

This article is targeted at small to medium-sized business owners. Much material applies to Small Office/Home Office (SOHO) users, particularly background information, basic security strategies, and much of the discussion on desktop and communications security. SOHO readers who are not connected with or do not work within a larger organization will find that discussions of policy, management, and organization, as well as network architecture and services, will not directly apply to them and will likely skip or skim those sections. Owners or managers of larger businesses will find that discussions of security plans here are necessarily simplified. Medium to large organizations have complex and varied networks with legacy technologies and layers of existing policy which cannot be treated in one document. In these cases, the glossary and bibliography will help you to find other sources of information. Given the concepts presented here and the help of competent specialists, it is hoped that a manager can learn what they need to know about their own system to manage it effectively.

Approach

The information presented here is extensive— do not try to absorb it all at once and do not expect to change your business overnight. Take it in steps. I recommend reading through once at a high level to absorb the contents and skim the detail. Then start through again. I have worked to provide extensive references, links, and a glossary. Focus on the parts that are most important to your business, explore the references and talk to your IT people. If you find that your IT staff or consultants will not work with you, get new ones. Try to learn and improve something each week. The end goal is to turn the Internet from an unknown source of risk to something which can be understood and capitalized on.

"Real World" Risks

Tip

The goal of security is not to combat risk for its own sake, but to maximize business opportunity.

Outside of cyberspace, your business must balance risks in order to remain profitable. When you see business opportunities, you identify risks, determine how likely they are, how much damage they may cause, what may be done to lower or avoid the risks, and, ultimately, whether the opportunities are worthwhile. Sometimes outside experts, such as lawyers, market experts, or insurance agents, are consulted to assess the risks or suggest ways to protect the business. Sometimes the business must change the way it operates to avoid liability or comply with regulations. In any case, the overriding goal is never to combat risk for its own sake but rather to maximize opportunity and create a successful business.

Building Safety

Buildings are required to have basic safety features such as lighted exit signs. In some locations it is forbidden to use a corded vacuum cleaner during business hours in an area with pedestrian traffic. In other locations, this is left to the discretion of the business owner. The business owner must balance the likelihood of a pedestrian being injured by tripping against the need to run the vacuum. Given the high damage awards for personal injury lawsuits and the low cost of push-powered carpet sweepers, this is probably an easy choice. The cost of installing a backup lighting system in a small office occupied only during the day is not so easily justified.

Tip

Good risk management focuses on effective solutions to tangible problems.

I was recently startled by the presence of a sprinkler system in a hotel common room. The room was made entirely of brick and concrete and its only contents were a large swimming pool. The cost of safety systems must be balanced by risk analysis. The sprinklers were an ineffective solution to a non-existent problem.

Keeping People Out

Your business most likely has to deal with a variety of physical security issues. You must lock your business to protect its own property, such as its equipment, product inventories, any cash or deposits, financial instruments such as checkbooks and stock certificates, records, etc., from theft or vandalism. You may also have to protect property which belongs to third parties, such as rented furniture or equipment or items held on consignment. In all likelihood the entire building is rented and your business might be liable for any damage.

In one of the great injustices of our legal system, a business is sometimes held liable when a trespasser injures themselves on business property. It is possible that a business property may be used by a third party for illegal acts such as storing contraband in an otherwise legitimate warehouse. I have seen many instances of teenagers consuming drugs and alcohol on unsecured construction sites. A business may have to spend significant effort to install locks, fences, and cameras to keep people out. Sometimes the mere presence of a lock and a "No Trespassing" sign is enough to reduce the potential liability.

Tip

Sometimes the greatest risk of an incident of any kind is loss of customer or investor confidence, even when direct financial damage is minimal [Lemos-2007a].

Like building safety, the expense of physical security must be balanced by the risks and potential cost of a break-in. It makes no sense to spend $10,000 on a safe to contain $2,000 in valuables. On the other hand, all potential costs must be weighed. Even if the monetary value of stolen equipment is low or it is well insured, how much business will be lost before it can be replaced? Will a break-in and business delay raise insurance rates and lower customer confidence?

Screening and Trust

Parts of your business are more sensitive than others. You would not ask the same people to negotiate with clients or give you legal advice that you hire to answer the phones. This is both a question of trust and of competence. Your legal counsel is trained and licensed to practice law. You probably went through some screening or interview process to select a lawyer that you were comfortable with, even if that was only flipping through the yellow pages and talking to some of them on the phone. As you develop your business relationship, you may trust them to perform tasks with less intervention.

Only certain employees have access to your financial information, including your bank balance, the ability to write checks, business credit accounts and so forth. These employees have a background, such as a CPA license or business course, which makes them appropriate choices for their assigned tasks. If you are prudent, you check on their work regularly, going over accounts and reports, checking invoices and balances and generally making sure that you are not being taken advantage of. When employees leave, you must ensure that important records and items stay behind and that they no longer have access to accounts they worked with during their employment.

Tip

You should be aware of who has access to your electronic information, what their disclosure policies are, and how it might affect your business.

If you deal with sensitive information, you may have to perform background checks on applicants. This may include drug screening, records checks, and checking references. Employees who have gone through this screening will have access to parts of your business that others do not.

Insurance Policies Mitigate Loss

Tip

Are your information assets insured? What happens if your records are destroyed?

Your business most likely has a number of insurance policies, including general liability, equipment protection, fire, key-man and so forth. While building safety and physical security attempt to prevent loss from occurring, insurance reduces loss after the fact. The desired balance between prevention and cure is often unclear, but the common element is that both are based on estimates of risk and probable loss. Insurance premiums and policy coverages are based on statistical estimates of the likelihood of loss and the amount of that loss. Insurance companies wager that the amount that they will gain from your premiums will earn more than they will pay you in the event of a claim. In return, you gain the peace of mind in knowing that a disaster will not financially ruin your business.

Data Security Is Also Risk Based

Data security is no different from any other business risk assessment. What do you have to lose? What will it cost to protect your systems? Where is the best return on investment?

Tip

The precautions a business has taken will often be judged with hindsight, possibly by a jury, after an incident has occurred.

When data confidentiality agreements or federal regulations like HIPAA require you to take "reasonable precautions" they are telling you that you will be judged after the fact, by a jury. When an incident actually occurs, your policies will be examined under a microscope through the lens of hindsight. Your job, then, is to balance the probability and cost of a lawsuit against the cost of your security.

You can never be certain your systems are secure, just as you can never be certain your business will not suffer a fire or an on-the-job injury. At some point, you decide what is reasonable, roll the dice, and take your chances. As with any other business risk, you need to find a balance between preventing loss and mitigating loss after the fact. Security systems such as passwords and firewalls prevent loss. Some types of insurance mitigate digital losses: some policies provide "data loss" protection, your liability insurance might provide protection against breach-of-security suits, etc. Backup and data recovery systems also help to mitigate loss after the fact.
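The trade-off this section describes, expected loss weighed against the cost of prevention on one side and after-the-fact mitigation on the other, can be worked through with a small model. The Python below is an added example written for this edition and is not code from the original document or its author. The burglary probability, the dollar figures and the effectiveness of each safeguard are constructed assumptions, not figures from the text; only the $10,000 safe and the $2,000 of valuables come from the "Keeping People Out" section above. Prevention (a lock) lowers the probability term, mitigation (insurance) lowers the loss term, and both are compared on the same yearly scale.

```python
"""Risk-based comparison of safeguards: expected yearly loss against what each
safeguard costs. Added example with constructed figures; not part of the
original document."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float   # chance of at least one incident in a year
    loss_per_incident: float    # dollars lost per incident (direct + indirect)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # amortized purchase price, premiums, upkeep
    probability_reduction: float  # fraction of incidents it prevents (0..1)
    loss_reduction: float         # fraction of per-incident loss it recovers (0..1)


def annual_loss_expectancy(risk: Risk, control: Optional[Control] = None) -> float:
    """Expected yearly loss, with or without one control applied.

    Prevention (locks, firewalls) shrinks the probability; mitigation
    (insurance, backups) shrinks the loss per incident. Rounded to cents.
    """
    probability = risk.annual_probability
    loss = risk.loss_per_incident
    if control is not None:
        probability *= 1.0 - control.probability_reduction
        loss *= 1.0 - control.loss_reduction
    return round(probability * loss, 2)


def net_benefit(risk: Risk, control: Control) -> float:
    """Expected loss avoided per year minus the control's yearly cost.

    A negative result means the safeguard costs more than the risk it
    addresses, the article's $10,000 safe for $2,000 of valuables.
    """
    avoided = annual_loss_expectancy(risk) - annual_loss_expectancy(risk, control)
    return round(avoided - control.annual_cost, 2)


def rank_controls(risk: Risk, controls: List[Control]) -> List[Control]:
    """Controls ordered from best to worst net benefit for this risk."""
    return sorted(controls, key=lambda c: net_benefit(risk, c), reverse=True)


# Constructed figures for the burglary scenario: $2,000 of valuables plus an
# assumed $3,000 of business interruption per break-in, 1 break-in per decade.
BURGLARY = Risk("burglary", annual_probability=0.10, loss_per_incident=5000.0)

# Constructed safeguards with hypothetical prices and effectiveness.
SAFE = Control("$10,000 safe, amortized over 10 years", annual_cost=1000.0,
               probability_reduction=0.0, loss_reduction=0.4)   # protects the $2,000
LOCK_AND_SIGN = Control("lock and 'No Trespassing' sign", annual_cost=150.0,
                        probability_reduction=0.5, loss_reduction=0.0)
INSURANCE = Control("theft insurance policy", annual_cost=200.0,
                    probability_reduction=0.0, loss_reduction=0.8)

CONTROLS = [SAFE, LOCK_AND_SIGN, INSURANCE]

if __name__ == "__main__":
    print(f"Baseline expected loss: ${annual_loss_expectancy(BURGLARY):,.2f}/year")
    for control in rank_controls(BURGLARY, CONTROLS):
        print(f"{control.name:40s} net benefit ${net_benefit(BURGLARY, control):>9,.2f}/year")
```

With these constructed numbers the insurance policy ranks first, the lock second, and the safe last with a negative net benefit; the point is not the ranking itself but that a safeguard, whether it prevents incidents or pays for them afterwards, is justified only when the loss it avoids exceeds what it costs. Replacing the constants with your own estimates is the whole exercise.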


Cybercrime and the State of the Internet

The Internet Is Not Magic

Tip

The Internet does not change the laws of economics or fundamental business practices.

Although the Internet is often touted as "changing all the rules," a more critical look shows that this is seldom the case. Businesses, whether they use the Internet or not, must still market their services to customers, must still make reasonable margins, deliver real or perceived value, and compete successfully against other businesses trying to do the same thing. Similarly, crime on the Internet is generally an extension of real world crime or is readily analogous to real world crime.

It was the erroneous belief that the Internet was fundamentally different, that it changed the rules of business, which led to the dot-com bust. Very shaky ventures attracted enormous investments based on the idea that the magic of the Internet would make them profitable. This did not happen.

What the Internet does do is change the parameters of time and space. OK, back up; what does that mean?

• The Internet is globally connected. Many more people, potential customers and potential criminals, now have access to your business. Similarly, global competitors now have access to your traditional customer base.

• The Internet is always open for business. Customers are not accustomed to having online businesses close shop at dark and roll down an iron grate. This means that your Internet facing applications are accessible and open to attack at all hours.

• Suddenly everything is smaller: a one hundred page proposal with exhibits can be sent to a client in seconds and will fit on a single thumb-sized USB drive. On the other hand, someone can walk out with your entire customer contact list the same way.

• Things happen faster on the Internet. You can sell CDs to ten customers on the Internet faster than you can process one customer at your cash register. You can submit insurance claim forms in seconds instead of days. You can get responses from regulatory agencies by email in the course of a single business day instead of a week by mail. On the other hand, several thousand people can attempt to break into your online store in the course of a single night.

• Because anyone can access anything from anywhere, it can be very difficult to determine who actually did so at a specific time. Tracking criminals and sorting legitimate purchases from fraudulent ones can be difficult, especially when the criminals are clever.

The Goals of Internet Criminals

The motives of criminals on the Internet are no different from any other criminals:

• Simple theft. Make a fraudulent purchase and get away with it.

• Steal sensitive data to make theft easier. Real thieves steal credit cards, raid mail boxes, and print fake IDs. Internet thieves steal or forge the electronic equivalents.

• Espionage: government, corporate, or personal. Governments spy on each other, businesses want to get hold of each other's client lists, research, and proposals, people want to spy on their rivals. Internet espionage is easier than going through dumpsters, but has the same goals.


• Revenge. Disgruntled employees may keep a grudge against a business, so can rival businesses, or ex-spouses. Any of those might have or might be able to obtain the information necessary to do damage.

• Embezzlement, insider trading, or other stock fraud.

• Thrill. Just like spray-painting the side of a bridge, someone may damage your website just for pleasure. There is an underground of young hackers who think it is cool to break into companies and brag about it.

• Cover their tracks. Just like hiding contraband in someone else's warehouse, a criminal may use your legitimate business as a base of operations for some other illegal scheme. The criminal could be one of your own employees downloading illegal files or attacking another system.

Common Cybercrime

So, how common is crime on the Internet and what form does it take?

Crime Statistics

According to the 2006 FBI Internet Crime Report [FbiIc3-2006] the FBI Internet Crime Complaint Center processed 200,481 Internet-related crime complaints, a number which is down somewhat from 2005 but more than double 2003 figures. Complaints supported 86,279 criminal investigations at the federal, state, or local level. The complaints were varied, including auction fraud, non-delivery of goods, credit card fraud, computer intrusions, SPAM, and child pornography. Almost all involved financial loss, with a total loss of $198.4 million (up slightly from last year).

The FBI and Computer Security Institute perform a yearly survey of computer security professionals in US organizations (companies, government agencies, medical institutions, etc.). The 2006 Computer Crime and Security Survey [GordonEtAl-2006] polled 616 such professionals on the number and type of incidents experienced, security budgets, protections in place, and so forth for 2005. Among its findings is that the top four threats, viruses, unauthorized computer use, theft of equipment, and theft of intellectual property (in order), account for 74% of losses. Fifty-two percent of respondents reported unauthorized use of their systems in the twelve month period and 9% reported more than 10 such incidents. Total losses from the 313 respondents willing to provide figures were estimated at over $52 million. A disturbing trend is the number of respondents who claimed substantial loss from insiders.

Reported financial damages and number of successful attacks have noticeably decreased against previous years, but the survey is skewed toward companies with security policies in place (they have dedicated security personnel and have been in contact with CSI) who have presumably been improving their defenses. This offsets bad news in other quarters and demonstrates that companies can make progress given time. Interestingly, 22% of those surveyed were in organizations with 1-99 employees, so small to medium businesses were well covered. The survey notes that per-employee expenditures on security are much higher in smaller organizations (by total revenue), something we will talk about with respect to regulation compliance later on.

Identity Theft

Identity theft and credit card fraud are currently handled and reported by a variety of agencies and reported statistics are not normally separated according to online and offline categories. What is clear, however, is that theft or misuse of credit card numbers and fraudulent applications for credit cards is rapidly rising and wholesale theft of private data fuels the crisis.

Perhaps the largest such data theft involved TJX, the owner of TJ Maxx™ and other stores, and the loss of 45.6 million credit card numbers [Vijayan-2007a]. Several break-ins occurred starting in July 2005 but were not noticed for over a year. It has become common to see vendors expose tens of thousands of private customer records including names, addresses, social security numbers, and financial information due to security breaches. This creates vulnerabilities for online merchants who may be liable to charge-backs and fees from fraudulently made purchases. It also exposes business cardholders whose accounts may have high limits and high purchase volumes where fraudulent use may escape immediate attention. Vendors who lose data in this manner may be the target of lawsuits and may lose their merchant status.

Tip

Governments do not hold a monopoly on espionage.

A related topic is that of stalking, spying, and espionage. When people think of spies, they immediately think of secret government agents, but the truth is that businesses and private individuals spy on each other all of the time. Getting hold of a competitor's proposals, trade secrets, client contacts, or price lists can yield a tremendous market advantage and many businesses are not above bending or breaking the law in order to do so. In my time as a defense industry contractor, the threat of competitors stealing proprietary data was only slightly less than that of foreign governments.

Private individuals may attempt to steal or leak proprietary data in order to affect or guess changes in stock prices. Insider trading is a constant subject of SEC investigations and although it is not new to the electronic world, data networks certainly open up new opportunities for exploitation.

Pretexting, made famous by the recent Hewlett Packard Board of Directors scandal [Krazit-2006], is the practice of impersonating a person or entity in order to obtain more information about them. The actual impersonation is often done over the phone, but the initial investigation is generally performed using the Internet. Enough information can be gathered on the Internet to successfully impersonate the target over the phone to, say, the phone company or a bank, and then copies of personal records can be obtained. Internet investigation companies sell services using pretexting to individuals wishing to investigate a rival or competitor. This information can then be used for a variety of illegal purposes. In many areas, law enforcement is hard pressed to identify specific laws that pretexters violate, although lawmakers are working to draft specific bills. It is not clear whether companies may be held liable for giving out information to pretexters or for using insufficient verification of customer identity.

Silent Crimes

The FBI report only counts reported Internet crime. Many businesses and computer users may suffer from security compromises and not be aware of the damage. In the past, viruses and malware would damage or destroy target systems, leaving obvious signs of their presence. Today, a virus or intruder is just as likely to quietly copy data and leave a back door open so they can return at will. Attackers install key loggers which track the computer's use and look for sensitive information like passwords and account numbers.

Tip

An attacker may visit your system repeatedly and use your computer for illegal acts without leaving any sign of their presence.

Many PCs are turned into so-called zombies which are remotely controlled to perform a number of illegal tasks, including sending commercial SPAM, engaging in bank fraud (phishing schemes), Denial-of-Service (DoS) attacks against security companies, government agencies, and public infrastructure, and attempting to break into new systems. A company called CipherTrust [1] tracks approximately 250,000 new zombies each day. Security company Symantec reports that more than six million computers are now under remote control [Bbc-2007a], although some experts put the number much higher, perhaps as much as one quarter of Internet connected systems [Weber-2007].

[1] http://www.ciphertrust.com/

Page 9: Data Security For the Business Owner

Business Data Security

9

Corporate networks are not immune to the zombie threat. Even Fortune 500 companies have been embarrassed by SPAM-spewing zombies on their networks, sometimes brought in by contractor-owned laptops [Krebs-2007].

A worrying development is the creation of web sites by crime syndicates selling sophisticated toolsets, including technical support and subscriptions for upgrades. These toolkits allow the purchaser to set up malware on their own or someone else's website to infect visitors; they then get paid for information collected from the victims [Vijayan-2007b]. Because of this, malware silently delivered by websites is rising sharply and is increasingly being delivered by legitimate business or government web sites which have been hacked themselves [Bbc-2007b].

SPAM

SPAM, or unsolicited bulk messages, is now a significant chunk of all Internet traffic. A compilation of statistics from 2006 by Don Evett puts SPAM at 40% of all emails, or 12.4 billion messages per day [Evett-2007]. This figure is rising exponentially and is beginning to place significant stress on the capacity of Internet infrastructure. SPAM today is mostly sent from PCs that have become zombies. Most SPAM advertises pornography, illegal business scams, stock fraud, fake products, phishing schemes, or other items of a questionable nature. Nevertheless, many computer users respond to such emails and even attempt to make purchases, visit sites, or participate in illegal ventures.

Tip

SPAM continues to be sent because it works: enough users participate in the schemes it advertises to make sending the SPAM worthwhile.

SPAM causes a number of problems for a business, not the least of which is simply the time lost to sorting through junk. Personally, I receive over ten SPAM messages for each legitimate email and use a variety of filters to prevent it from reaching my mailbox. SPAM messages, which may contain bulky images, slow down networks, increase time spent downloading messages, and increase network mail storage. Aside from the mere nuisance, however, SPAM is actively dangerous: it can deliver viruses, or tempt employees to open dangerous attachments, expose financial information, visit sites which will attack their computer, or participate in illegal activities. Another business aspect of SPAM is the marketing side; extreme care must be taken when using email as a marketing tool to avoid antagonizing customers already sick of SPAM or landing the company mail server on a SPAM blacklist.

(emv 20070424) I'd like to find a reference here about an accidentally RBL'ed company.

Malware

Caution

Beware virus warnings! It is not uncommon to receive emails reporting a new virus threat that is not detected by virus scanners, which request that you take action, such as deleting files on your hard drive or installing attached patches. In many cases, following these instructions will damage your system or compromise your security. I have received many calls from clients, relatives, or friends asking me what to do afterwards, and usually “Reinstall your system.” is the only answer. Recently, a large virus outbreak was fueled by just such an email [Keizer-2007]. Always check with a trusted security professional or with the website of your security vendor before acting on any security warning, and do not forward the email to others. Never follow links provided in the email to security sites; always type them in yourself or use your own bookmarks.

Malware (spyware, viruses, trojan horses, and so forth) is a common and growing problem. Part of this stems from the desire of many computer users to try dozens of new tools and games on their (or their employer's) computer. Part of it stems from deep-seated flaws in the Windows operating system which make it easy for malware hiding in these programs to take control of the computer. Part stems from unscrupulous vendors who include malware in their products in attempts to collect marketing data, prevent users from running competing products, display advertisements to users, or direct them to advertisements on the web.

Sometimes these products are not explicitly designed to cause harm, but they contain bugs which damage infected computers or open up security vulnerabilities which are exploited by other attackers. Sony, for instance, included a root-kit on a large number of music CDs which silently installed itself on a PC used to play the music. The root-kit was intended to prevent the user from copying the songs and to report information about the user's listening habits to Sony, but it opened up security holes which others could use to break into affected computers [Kantor-2005]. The fix released by Sony opened up more security holes and resulted in an outbreak of viruses tailored to PCs that had been used to play Sony music. Equally disturbing is the fact that security companies, who considered Sony a “legitimate” vendor, were slow to react and slower still to add the Sony root-kit to their malware detectors [Schneier-2005].

Not-me Syndrome

Many businesses believe that they are not at risk because they do not have anything in their network to interest an attacker. This is a dangerous myth.

Tip

Your business may not be of direct value to an attacker, but it may be a stepping stone to other illegal acts. Collateral damage is a problem.

I was once called in to a real estate appraisals business because their mail server suddenly went down. They had recently lost their system administrator and had not yet obtained a new one. Upon investigation, I determined that their server had not merely failed but had been deliberately destroyed. Suspicion immediately fell on the previous system administrator, but I was eventually contacted by CERT [2], the Computer Emergency Response Team, with information that the mail server had been used to attack a government system. The attacker had broken into this business' server, used it to attack another site, then destroyed the server and its logs in order to cover their tracks.

The attacker had entered through a vulnerability in out-of-date mail server software. Due to the destruction of the logs, we were never able to determine where the attacker came from. The attack cost the business downtime, IT service costs, and expensive security upgrades to prevent a recurrence. Perhaps as importantly, the breach allowed someone to successfully attack a government system and get away with it.

In recent years, I was responsible for the maintenance of a number of server systems running web sites, email, and other services for small businesses. The servers would record thousands of attempted attacks per day. Most of the attacks attempted to exploit weaknesses in software we were not running, and I used tools to filter the logs down to the dozen or so attacks per day which I would examine and file reports on. A sizable portion of these attacks were from East Asian countries and I would seldom receive responses to my reports. The responses I received from US and European network administrators, large and small companies, generally stated that their security had been breached, often by operators from East Asia, and their systems had then been used to attack dozens of others, including those under my care. The US Department of Defense has reported incessant attempts by attackers from certain Asian countries to breach military security, possibly with foreign government support, and unwary businesses may often be used as springboards in those efforts.

(emv 20070424) Can probably find a reference here on the DoD issues.

Things Are Not Hopeless

This all may seem very depressing, and indeed it should. A survey of "real world" criminal activity, such as the increase of shoplifting or convenience store robberies, may seem depressing as well, however, and businesses did survive and flourish before the advent of computers. Many businesses protect themselves against traditional criminal activities as a matter of standard practice; banks, for instance, have done business through small slots for decades, and indeed a Chinese payroll clerk invented this defense thousands of years ago. Businesses can and will develop standard defenses against Internet crime, and those which do will enjoy a competitive advantage over those which fail to adjust.

[2] http://www.cert.org/

Tip

You don't need to outrun the bear, you just need to outrun your friend.

It is not necessary, and indeed not possible, to protect your business from all attackers. It is only necessary to make your business a difficult enough target that criminals will look for easier marks. The success of The Club™ [3], an auto theft deterrent which locks a car steering wheel, is not that it prevents theft. Indeed, there are several known techniques to bypass them. Many thieves are lazy by nature and do not want to expose themselves to detection longer than necessary. If two cars are sitting next to each other and only one of them is protected, the unprotected car will be stolen every time.

Of necessity this leads to an arms race, and security is not a matter which can be solved once and forgotten. By applying basic principles, however, and incorporating them into business planning, your enterprise will automatically adjust to new and developing threats.

First Principles

In this section, we will discuss basic security principles. These principles apply to many situations outside of data security, including physical security, warfare, biological defense against infection and so forth. Data security is complex and requires significant training, but it is not magic. By understanding basic security principles you can better communicate with professionals you hire to help you, better evaluate the claims of vendors, balance business risks and opportunities, and use safer practices in your daily work. We will approach these concepts with real-world, physical examples, and then demonstrate computer equivalents in later sections.

Secure the Perimeter

You probably have valuable items in your house. At the very least, you will have electronic equipment like an entertainment center, important documents, perhaps expensive jewelry. These items would interest a thief. When you go out, you probably lock your door. Locking the door secures the perimeter of your house and makes it difficult for the thief to enter. Even if a thief gets past the lock, it has increased the time they spend getting into your home, increased their likelihood of getting caught, and raised the penalties they would receive (Breaking and Entering). In some locales, the mere presence of a lock or security device doubles applicable fines and sentences for theft or vandalism.

Tip

Perimeter security is only as good as its weakest point.

The lock on the door may not be effective if other parts of the perimeter, the outside of your house, are not secure. If your garage door is unlocked, you have unlocked ground floor windows, perhaps a basement door, etc., the expensive deadbolt on your front door is useless.

The Manhattan Project physicist Richard Feynman worked at Los Alamos during World War II. The Los Alamos National Laboratory was a Top Secret facility with access controlled by armed guards. One day, Feynman discovered that there was a hole in the outside fence. People were using the hole to get back and forth to town without going through the security checkpoint. Feynman reported the hole but was ignored. He then walked out of the hole and back in through the checkpoint. He repeated this several times before the guard grew suspicious and noticed that Feynman kept going in but never came out. Finally, the hole was fixed [FeynmanEtAl-1985].

[3] http://www.amazon.com/Original-Club-1000-Anti-Theft-Device/dp/B0000CBILL

It is tempting to ignore holes in your perimeter security, but by the time someone acts responsibly and reports them to you, you can bet that other people of less character have noticed as well.

Guard Your Secrets

If you lock your door and leave the key on the top of the frame or under the mat, your lock will not be effective. Likewise, if you give copies of your key out to unreliable or unscrupulous individuals or do not change the lock when you move in, you can no longer limit access to your home.

Tip

Locks, no matter how sophisticated, are only as effective as the secrets which protect them.

Your key is a secret which is supposed to be known only to you and tells the lock that you are authorized to enter. The same principle applies to combination locks. If you never change the combination from the manufacturer's setting or use a number (such as a birth date or anniversary) that someone else can readily look up or guess, the lock will not protect your valuables.

Create a Defense In Depth

If the armed guard had been the only security feature at Los Alamos, the hole in the outer fence would have compromised the entire facility and the entire Manhattan Project. Of course, the fence was not the only obstacle a potential spy had to deal with. First of all, the existence of the Manhattan Project and the purpose of the laboratory was a secret. The buildings and important rooms had locks. The scientists were sworn to secrecy. Documents were locked in safes. In a small group of people, an intruder, particularly one without appropriate ID, would be quickly identified. All of these features worked together to protect the project. This is a defense in depth.

Similarly, at your home you may have a gated fence. You might have a dog or an alarm system. Perhaps there is a neighborhood watch. Your most valuable possessions might be in a wall safe, and perhaps photos, serial numbers, or appraisals are stored in a bank safety deposit box so that you can provide them to law enforcement or your insurance agent.

The important thing is that multiple levels of security act together to deter or slow down an intruder. If one defense fails, other defenses must still be dealt with. Sometimes layers of defense can stop an intruder and sometimes they only limit damage. Perhaps an intruder who jimmies your lock can steal your DVD player but not your jewelry.

Tip

Often, several simple or inexpensive layers of security are much more effective than one complicated or expensive layer.

A simple lock and an inexpensive alarm may be more effective than an expensive lock and no alarm. The alarm will also protect you when the intruder breaks a window. When planning, beware silver bullet solutions which claim to solve all of your problems in one go. It only takes one simple mistake elsewhere to bypass your expensive protection. Simpler solutions have the added benefit of being easier to understand, easier to verify, and sometimes harder to penetrate. Blocking your door with a heavy iron bar may be crude, but it is simple, cheap, and effective.


Tip

Always put together an overall security plan first. You can go back later and upgrade individual pieces.

Get the most out of security by making it do double duty. Putting valuables in a safe and storing insurance documents with your bank will help protect you from fire as well as theft. Getting to know your neighbors can keep you informed on all kinds of issues. You will find similar ways that data security can be used to achieve other business goals.

Security By Obscurity Is Not Effective

When you go to a hardware store and buy a deadbolt for your front door, you will probably find that it meets certain industry standards, such as ANSI/BHMA A156.5-2001, and it is probably UL listed. It is based on a standard design which has been thoroughly tested. Any thief can look up detailed information, but in the end, they still have to exert a minimum amount of force or effort to overcome the lock.

When writing a letter, the writer can read the same sentence many times without realizing it is wrong; they already know how they intend it to read. Someone else reading the letter will notice the mistake right away. Similarly, security planners will routinely overlook critical details which are obvious to someone else. Good security is built on simple, standard, well tested components that many eyes have looked at and many people, designers, security experts, and thieves, have tried to break.

Security by obscurity is a defense that depends on an attacker not knowing how it works to be effective. A one-time battle plan dependent on surprise may fool the enemy, but a security plan must fool the enemy every day, time and time again. Any flaw, no matter how small, no matter how secret, will be discovered.

Tip

In general, more eyes means tighter security.

A manufacturer claimed that their fingerprint scanning door lock based on "proprietary technology" had not been broken in months of testing. A team from the TV show MythBusters found three ways to bypass the lock in just a couple of days. Perhaps the Death Star could have been saved by better operational security, or maybe they should have let the MythBusters folks review the blueprints before building [MythBusters-2006].

Exploits and Vulnerabilities

Knowing the difference between exploits and vulnerabilities is important in assessing security and the level of risk. A vulnerability is a potential hole in your security, such as a second-floor window which swings outward. An exploit of that vulnerability might involve a ladder and a prybar.

It may be that there are multiple ways to exploit a particular vulnerability or that it is only a potential problem with no known exploit. Often, detecting a vulnerability gives you time to fix it before an attacker becomes aware of it and figures out how to use it to their advantage. A zero-day exploit is one where a vulnerability and a publicly known exploit are discovered at the same time, usually because the bad guys were the first to find it. The hole in the fence at Los Alamos is a good example of a zero-day exploit: the hole was in common use before it was discovered by security and fixed.

A defense-in-depth can sometimes prevent certain exploits and lessen the risk of a vulnerability. With our second-floor window example, controlled access to the property with a fence and a guard shack might make it rather difficult to sneak in with a ladder or a prybar.


Keep Your Eyes Open

In security, paranoia is an asset. Noticing suspicious patterns and odd details is important to protecting your business. You would probably be suspicious if someone you did not recognize was leafing through files in your office or called you and asked for your credit card number. Maybe you would find it odd if an employee you were paying minimum wage suddenly had a $500 watch or you ran into a client when one of your salespeople was supposed to be meeting them for lunch. If you are prudent, you probably go over accounts or budgets and expenses on a regular basis. Noticing odd behavior is not a basis for flying off the handle; unusual things happen. Certainly, however, questions might be asked. Once you are familiar with data security, you will also be able to notice when things are out of place in the electronic world.

Tip

Careful records are critical to establishing patterns and reconstructing events when a problem is discovered. Having safe copies of records prevents tampering and fraud.

I once had an employee who had repeatedly violated company policy. Notes of this and a disciplinary warning were placed in the employee record. The employee, who was responsible for filing, quietly removed the notes. They were not aware that management routinely copied employee records and stored them in a safe.
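The electronic equivalent of the copies in the safe, as an added example that is not part of the original article: a small Python script that takes a fingerprint (SHA-256 digest) of each record, keeps the list of fingerprints separately from the working files, and later reports which records have been removed, altered, or added. The record names and contents are constructed for the illustration; in practice the manifest would be stored with a different custodian, on a write-once medium, or as a printout, so that whoever can edit the files cannot also edit the list.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample records (invented names and contents, not from the article).
# In practice these would be the files in the working employee-record folder.
ORIGINAL_RECORDS: Dict[str, bytes] = {
    "smith/2007-03-01-warning.txt": b"Disciplinary warning: repeated policy violation.",
    "smith/2007-04-12-note.txt": b"Second violation noted by manager.",
    "jones/2007-02-20-review.txt": b"Annual review: satisfactory.",
}


def build_manifest(records: Dict[str, bytes]) -> Dict[str, str]:
    """Return {record name: SHA-256 hex digest} for every record.

    The manifest is the 'copy in the safe': it must be kept where the people who
    can edit the working files cannot also edit it, otherwise it proves nothing.
    """
    return {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}


def manifest_fingerprint(manifest: Dict[str, str]) -> str:
    """A single digest over the whole manifest, short enough to write on the
    envelope in the safe, so the manifest itself can be checked for tampering.
    Keys are sorted so the same manifest always gives the same fingerprint."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def audit_records(manifest: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the working records against the safe copy's manifest.

    Returns the names of records removed, modified, or added since the manifest
    was made. Any non-empty list is a reason to ask questions.
    """
    removed = sorted(name for name in manifest if name not in current)
    added = sorted(name for name in current if name not in manifest)
    modified = sorted(
        name
        for name, data in current.items()
        if name in manifest and hashlib.sha256(data).hexdigest() != manifest[name]
    )
    return {"removed": removed, "modified": modified, "added": added}


def demo() -> Dict[str, List[str]]:
    """Replay the anecdote: the employee removes the warning and, for good
    measure, rewrites the second note. The manifest catches both."""
    manifest = build_manifest(ORIGINAL_RECORDS)
    tampered = dict(ORIGINAL_RECORDS)
    del tampered["smith/2007-03-01-warning.txt"]
    tampered["smith/2007-04-12-note.txt"] = b"No issues noted."
    return audit_records(manifest, tampered)


if __name__ == "__main__":
    print(demo())
```

Running the script reports the warning as removed and the note as modified. The point of the design is the separation: the working files and the manifest have different custodians, and the single fingerprint lets someone check the manifest itself against a value kept on paper without needing a computer.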

Tip

Be assertive and ask questions.

When I worked at the Pentagon, we were trained to avoid a common attack. Most secure facilities have a phone on the outside so a visitor can call to have an authorized person let them in. One technique is for an intruder to walk up and pretend to be talking to someone inside the facility. When an authorized person arrives, they say, "Oh, hang on, someone else just showed up." and follow the new arrival in. Authorized personnel are uncomfortable about challenging the intruder.

Management and personnel need to be trained to be assertive and ask questions in all security situations and any time something smells fishy. Often, a manager who has their credentials challenged will punish the employee. This is counter-productive and will allow an attacker to bluster their way through defenses. Instead, managers should expect to be challenged and discipline those who do not follow established procedures.

Building a Data Security Strategy

In this section, we will begin to develop a top-down security strategy for your business, looking at what needs to be protected, how to begin developing security policies, responding to incidents, and making sound purchases. In later sections, we will explore how attackers attempt to breach your networks and access your data, applying basic security principles to making their job harder.

First Steps

One of the first things you need to think about in the context of data security is what you want technology to accomplish for your business. Is your website an essential part of your sales effort or are most of your leads generated from referrals? What technology makes the biggest difference in your daily productivity? What technologies actually detract? By asking questions like this, you start to get a basis for making risk decisions: how far you are willing to stick your neck out to support certain IT strategies and how much protection is worthwhile. If a piece of technology does not improve your ability to do business, why take on expense and risk?


Another good starting point is figuring out where you are now in the security scheme of things. Doubtless you have some interest in securing your business and are putting effort toward that end or you would not be reading this. That immediately puts you ahead of some. The COBIT® IT management standard uses a maturity model which generally describes where a business is on the road to IT nirvana:

COBIT® IT Maturity Model

0 Non-Existent: Management processes are not applied at all.

1 Initial: Processes are ad hoc and disorganized.

2 Repeatable: Processes follow a regular pattern.

3 Defined: Processes are documented and communicated.

4 Managed: Processes are measured and monitored.

5 Optimised: Good practices are followed, automated, and steadily adjusted.

[Itgi-2005 pp 18]

Notice that this is not expected to be an instantaneous transition, nor are you expected to sit down, write hundreds of policies, and figure out how to implement them. Rather, policies and practice evolve together in a feedback loop. As you figure out what works for your business, the best practices become policy. As you get better at implementing, monitoring, and adjusting those policies, your IT structure will become more mature, robust, and valuable.

A more detailed description of what the various stages mean for overall IT management is given on page 50 of the standard, but COBIT® also provides a specific scale for IT security on page 122. Since the descriptions are long, I will only quote two levels here, the beginning and end of the process:

1 Initial/Ad Hoc

The organisation recognises the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, because responsibilities are unclear. Responses to IT security breaches are unpredictable.

5 Optimised

IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimised and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalised incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analysed. Adequate controls to mitigate risks are promptly communicated and implemented. Security testing, root cause analysis of security incidents and proactive identification of risk are used for continuous process improvements. Security processes and technologies are integrated organisation wide. KGIs and KPIs for security management are collected and communicated. Management uses KGIs and KPIs to adjust the security plan in a continuous improvement process.


The most difficult work is in the middle. Ad hoc policies are difficult to automate and waste time discussing small details. The overhead of a formal (but sensible) policy can be made up in automation and reduction of friction, but a sensible policy cannot be written unless backed by experience and research. Before reaching stage 4, you do not have enough information to really do adequate risk analysis in many cases, but before reaching stage 3, ad hoc processes and general chaos reduce the utility of the information that is gathered. Because of all of this, climbing the hump is hard, but it does get easier, especially when leaning on established industry best practices and learning from the mistakes of others.

Your IT Professionals

The people that care for your computers have your business in their hands more so than any other professional, such as an accountant or a lawyer. Their job is arcane, difficult to oversee, and requires them to have access to disparate parts of your enterprise. Like a doctor, there is only so much you can do to check up on them and then you just have to let them do the job. As such, perhaps the most important quality in choosing an IT professional is trust.

As businesses are becoming overwhelmingly committed to electronic documents, essentially all of a business' information passes through the purview of the top-level system administrator. They have direct access to the hardware, the software, and the network. They have the skills of a hacker, or they would not be able to secure your systems. Even if you use low-level protection like encryption and passwords to protect documents, they have the ability to either simply override the protections or snoop on you to discover the passwords. It might take time, but if they are determined, they can do it [4].

Happily, most professionals are more interested in doing their jobs. Information security and systems administration is a demanding discipline that often comes with limited recognition or reward. Those that succeed do so because of a dedication and work ethic which drives them to master the skills and keep up with changing technology. IT professionals take personal pride in the systems they maintain.

Tip

Business people work with people every day. IT people deal with machines. This leads to half of the communication problems.

Active participation and open communication is the best way to reduce the threat of a rogue IT professional. By making the effort to understand and involve yourself you not only have a better chance of noticing potential problems, but you build trust and professional respect. Because of their dedication to a hard-edged technical discipline, many good IT professionals are somewhat antisocial and apolitical. They may also be brutally frank. Remember that IT deals with machines which never compromise and always take things literally. This often leads to misunderstandings with business people who work on a very different level.

IT people often present options and risks very differently than other professionals. Managers usually present a small number of options (often three) and their business risks. They clearly identify the option they recommend (often the last one). When several managers are in a meeting together, discussion usually converges on two options until the person in authority decides between them.

IT people often present one solution, then present variations on that solution, sometimes getting quite complex and quickly confusing management. They are not presenting their alternatives as realistic options but to demonstrate why their preferred solution (the first one) is correct. When you get several IT people together, the solutions being discussed seem to diverge rapidly instead of working toward consensus.

This is an education problem with IT professionals. This style of argument is how IT people (and other scientists) check their arguments and get feedback. Because technology does not compromise, they need to know (and demonstrate) that their solution is rigorously correct. They do not realize that management does not (and should not) care as long as they have done their job. IT professionals need to change their presentation style and adapt to your vocabulary, explaining the minimum you need to understand to make a business decision. Unfortunately, many IT people will not change and you will need to deal with this problem from time to time, dragging them away from theory and back to the real concern: what is the bottom line? At the same time, even if the presentation is wrong, the presenter is identifying real risks, and you must not tune them out until you understand what it is they are trying to say, no matter how frustrating that might be.

[4] But see the discussion starting in the section called “Shared Folders and Files” about storing documents on untrusted computers or where the administration is not trusted.

Tip

A good go-between, a professional in multiple fields, can translate IT-speak and present alternatives in a digestible manner, smoothing communications.

One way to improve the situation is to find a translator: someone who understands enough of both your field and IT to summarize the issues. These are usually IT people who have a degree in something other than Computer Science, who see technology as a tool, who have had to focus on practical application rather than theory. As an example, I have a background in ecology and did work with simulations in college. I wrote programs, but only as a means to an end; they were tools for answering questions. If the programs could not be explained in non-IT terms, they were useless.

A good go-between does not have to be an expert in either field; they just have to be able to ask the right questions and understand the answers. These are the people you want in your top-level IT positions, trouble-shooting problem projects, and dealing with security incidents. They are hard to find, and hard to recognize, but they do exist.

This type of professional can also be deliberately trained. When my simulation experience landed me a job in the Pentagon working with strategic analyses, the first thing my boss did was put me on the floor with the Air Force analysts. I was hired as a programmer, but I spent those first weeks as a user, a customer, of the software I was eventually to maintain and redesign. I had to learn the terminology, processes, and needs of the people I was hired to serve before I was allowed to do my job. I went from there to building small tools, essentially templates or jigs, for very specific problems. Finally, when they felt I had learned enough to get by, I was allowed to work with the larger systems, but I still spent considerable time on the floor with the pilots.

By taking a promising IT person and putting them in with your regular staff, making them learn your business, you may end up with someone who can give you the feedback you need in a form you can use. You can also go the other way, by having one of your employees work part-time as an IT liaison to bridge the language gap and make IT solutions better targeted, easier to understand, and more practical. Choosing someone to put into this role takes care; doing it successfully takes someone whose ego won't get in the way of learning a new and unfamiliar field and having to build the respect of the professionals they have been thrown in with. You also have to beware the advice of the hobby IT professional who may set up computers or networks at home and second-guesses IT's claims of cost or risk; techniques which work for two or even ten computers do not scale to one hundred. They may have a point, but take it with a grain of salt.

Once you have a good go-between, they need to split their time so that they can keep up to date with both camps and remain relevant. If you do not have enough to go around, you can have one person consult to multiple teams or departments: walk the beat, sit in on meetings, review documents, and conduct diplomacy. I have seen this work very well; it is somewhat like the Of Counsel position in a law firm [5].

IT expertise is critical to your business, but individual IT people, whether in house or outsourced, should not be allowed to become indispensable. Good documentation, maintenance records, and problem tracking help someone else pick up a task when needed. Sometimes employees have the mistaken impression that being indispensable creates job security. In reality it locks them into a job with no chance of advancement and will eventually lead to trouble. For the employer, there is always the worry about the inevitable job change, illness, family emergency, or other sudden crisis that can cripple an unprepared business. A vendor which has you locked in has no reason to negotiate and little need to deliver quality service.

[5] Sometimes this can happen by itself, as someone with cross-over expertise lands naturally in the role of an unofficial diplomat. Your first step in finding a go-between may be determining whether one is already there and how you can make better use of their skills.

Tip

Not involving yourself in IT is like not being involved in the company finances: you are inviting someone to take advantage of you.

It may very well be that you are thinking “I don't have time to involve myself in IT.” That may well be true, but like accounting, you just may not be able to afford not to be involved. If you are reading this document, you already know that the world is changing. There is no way to turn back the clock, and learning to compete in the new environment means fitting IT into your overall strategy. Finding the right balance is hard, but it must be found.

Document Retention and Protection

Document retention rules apply to more than just electronic data, but many small businesses may not have coherent policies. Often rules for certain types of files, such as financial information, employee records, or health information, are set by law. Other information may be controlled by contractual privacy policies or confidentiality agreements. These rules usually specify the minimum and maximum time that documents may be stored and who may access the documents. You may wish to implement specific policies to retain or destroy outdated documents which fall under no particular rules in order to avoid costly document production in response to subpoenas [SoleckiRosenberg-2004]. In all cases, you should consult books and attorneys with coverage of the laws in your area.

We will discuss technologies for solving these problems elsewhere, but the first step is identifying what types of documents may require special treatment. You probably already handle some paper documents specially by locking them up, using a shredder to dispose of them, etc. Extend this to electronic documents and think about what documents may need:

• to have restricted access,

• to be securely deleted,

• to be retained or deleted on a schedule,

• to be protected when sent over the Internet,

• to be protected from tampering or alteration,

• to have notarization or proof of service.
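The retention rules described above (a minimum hold, sometimes a maximum age, and handling flags such as restricted access or secure deletion) can be written down as a small schedule that tells you, for each document, whether it must be kept, may be destroyed, or must be destroyed today. The following is an added Python example, not code from the original article; the categories, periods and flags in its table are constructed for illustration and are not the legal periods for any jurisdiction, which come from statute, contract and counsel.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """How one category of document must be handled. Periods are in years."""
    min_years: int             # keep at least this long (a "hold")
    max_years: Optional[int]   # destroy once this old; None means no upper limit
    restricted: bool           # access limited to named roles
    secure_delete: bool        # overwrite or shred on disposal, not a plain delete


# Constructed rules for illustration only; substitute the periods that apply to you.
RULES = {
    "financial": RetentionRule(min_years=7, max_years=None, restricted=True, secure_delete=False),
    "employee":  RetentionRule(min_years=3, max_years=10,   restricted=True, secure_delete=True),
    "health":    RetentionRule(min_years=6, max_years=None, restricted=True, secure_delete=True),
    "general":   RetentionRule(min_years=0, max_years=2,    restricted=False, secure_delete=False),
}


def add_years(d: date, years: int) -> date:
    """Anniversary of d, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_status(category: str, created: date, today: date) -> dict:
    """Decide what must happen to one document today.

    The action is "retain" while the minimum hold is running, "destroy" once a
    maximum age has passed, and "may-destroy" in between (no rule requires
    keeping it, so your own policy decides).
    """
    rule = RULES[category]
    hold_until = add_years(created, rule.min_years)
    destroy_on = add_years(created, rule.max_years) if rule.max_years is not None else None
    if today < hold_until:
        action, reason = "retain", f"hold until {hold_until.isoformat()}"
    elif destroy_on is not None and today >= destroy_on:
        action, reason = "destroy", f"maximum retention passed on {destroy_on.isoformat()}"
    else:
        action, reason = "may-destroy", "past minimum retention; no rule requires keeping it"
    return {
        "category": category, "action": action, "reason": reason,
        "hold_until": hold_until, "destroy_on": destroy_on,
        "restricted": rule.restricted, "secure_delete": rule.secure_delete,
    }


def build_schedule(documents, today: date):
    """Sort (name, category, created) triples into actions, most urgent first."""
    order = {"destroy": 0, "retain": 1, "may-destroy": 2}
    rows = []
    for name, category, created in documents:
        status = retention_status(category, created, today)
        status["name"] = name
        rows.append(status)
    rows.sort(key=lambda r: (order[r["action"]], r["name"]))
    return rows


# Constructed sample inventory.
SAMPLE_DOCS = [
    ("2005-tax-return.pdf", "financial", date(2006, 4, 15)),
    ("j-smith-personnel.doc", "employee", date(1996, 3, 1)),
    ("patient-intake-0412.xml", "health", date(2005, 1, 10)),
    ("lunch-menu.txt", "general", date(2006, 12, 1)),
    ("1999-tax-return.pdf", "financial", date(2000, 4, 15)),
]

if __name__ == "__main__":
    for row in build_schedule(SAMPLE_DOCS, date(2007, 5, 19)):
        flags = ", ".join(f for f in ("restricted", "secure_delete") if row[f])
        print(f'{row["action"]:12} {row["name"]:26} {row["reason"]} [{flags}]')
```

Running it lists the personnel file first, because it is past its maximum age, then the documents still under a hold, then those the business may dispose of at its discretion; the flags on each row say whether disposal has to be a secure delete and whether access is restricted while it is kept.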

Documentation, Policies, Audits: How Much, How Often

Small Setups

The simple fact is that if your business is more than one person, and probably even if it isn't, basic documentation on your network, computer configuration, and security is a necessity. If your setup is not documented, you will have trouble getting help when you need it. Consultants will waste precious time figuring out how things were supposed to work instead of fixing problems.

Tip

A doctor needs a good case history to treat a patient; a computer maintenance record fills the same need and allows a professional to diagnose problems more effectively.

At a minimum for a small setup:

• Document the hardware, software, and versions on each system.

• Store license keys and warranty information for easy access along with dates of purchase and installation.

• Document the changes made to a system to get it ready for use so you can follow the same steps when repairing or setting up new systems.

• Store installation CDs, restore disks, and program disks so they may be easily located.

• Keep track of when maintenance is performed (virus scanning, updates, backups, repairs, etc.) or, if run automatically, note when they are run and how often they are checked.

If outside consultants do these things for you, insist that they provide this documentation for your files on every service. You never know if you will need to use a different vendor for some reason, and having your own copy is a good precaution. For similar reasons, make sure you control the software disks, installation keys, and warranty information. These would be good things to lock in a safe in case of fire or other incident. You can make copies of the disks for everyday use.

For Internet-facing machines, such as a company web or mail server, document what services you run and keep safe copies of system settings. This will help you restore them if an intruder alters them and may provide clues as to how they got in. Administrators should keep a journal of changes and events; I typically added a bulleted list to the end of each day's charge sheet and kept a more detailed journal online. The journal provides an easy point for someone new to pick up. System logs need to be backed up too, and, if possible, immediately written to a different machine to keep an intruder from altering them.

Use some form of problem tracking or trouble ticket software to monitor problems and ongoing resolution. There are many web-based systems at all price ranges (e.g. Best Practical Solution's RT [6]). The important thing is that you can tell quickly what problems need to be solved, how long they have been open, and make sure recently fixed problems have been resolved satisfactorily. A printout can be gone through quickly in a meeting. The system will also allow notes to be added to problem reports so that someone can look back and see how a similar problem had been solved or whether a certain type of problem is occurring frequently. You can make such a system do double duty by using it to track non-IT problems as well.

Tip

Make sure each PC, workstation, or server is easily identifiable. The easiest way to do this is with property tags and ID numbers. Non-removable tags or engravings also make tracking stolen equipment much easier.

Documentation is not useful if it is not checked periodically. Incorrect information is worse than none at all. Sit down and check maintenance records to see that they have been updated and that maintenance is actually being done on schedule. It is easy for schedules to slip while dealing with day-to-day emergencies. Look at vendor invoices to make sure they identify the machine and report what was done and why. If you do not understand, ask questions.

[6] http://www.bestpractical.com/rt/index.html


Tip

Gibson Research's [7] Shields Up [8] is a website which will run a quick test of a SOHO PC and produce a security report.

There are automated tools for detecting vulnerabilities in PCs and servers. Nessus [9] is one of several such products. Using one on a regular basis and fixing reported problems will go a long way toward making your systems more secure. The bad guys have access to the same tools and running them will be one of their first steps.

Larger Setups and Standards Compliance

If you have a larger setup or have to comply with external standards such as HIPAA or the Payment Card Industry Data Security Standard (PCI DSS), your documentation needs will be more complex. The cost of regulatory compliance can be high, particularly where the legal landscape is changing. Recently passed regulations have not had the time to be interpreted by the courts, and some laws, such as state consumer protection laws, may be triggered without a business' awareness, merely by serving an out-of-state customer (e.g. California SB 1386 [CaSenate-2003]). Small and medium-sized businesses without a dedicated compliance department can be hard pressed to stay informed, let alone compliant.

A more proactive approach may be in order. Even where you are not specifically required to conform to a particular high-level industry standard, using one, such as COBIT®, the ISF Standard of Good Practice, or ISO/IEC 17799:2005, as the basis for your policies can yield many advantages:

• useful guidance for policy development so you do not need to start from scratch

• milestones to measure progress and plan improvement

• a common framework and vocabulary for working with IT and security professionals, partners, and vendors, including some “canned” policy or auditing products

• preparation for future regulatory changes

• reducing the threat of being sideswiped by non-compliance with laws you are unaware of, and allowing you to defend policies by referring to accepted best practice

• new opportunities such as eligibility for contracts and increased customer confidence

[Harbert-2006, Itgi-2006]

Some of the most important things that are required by standards are:

• IT security is recognized at the business level and accounted for in strategic planning.

• Clearly defined responsibility for overall IT security and for each system. This can range from a single individual responsible for all security and systems (in a very small setup) to a group responsible for overall security and individual “ownership” of individual critical systems. Standards encourage different security roles to be distributed among different people, so that the people validating security are not the people providing it.

• That information and systems be graded according to their value or need for protection, that regular risk analysis be performed, that security resources be allocated accordingly, and that emplaced security is examined and audited regularly.

• Controls for restricting access to systems and information to those with a need to access them, protection of information within the business from inadvertent disclosure, and safeguards for information in transit to and storage by third parties.

• A defined process for keeping systems up to date and for approving changes to systems, policies, and procedures, including testing system changes before implementation.

• That breaches of security, suspected breaches, and suspected vulnerabilities are reported.

• Staff education in security practices and requirements, including clearly written and consistently enforced policies on acceptable use of computers, networks, information, and company-owned software.

• Physical security to prevent direct access to critical systems and information.

[Isf-2005a SM1.2, Itgi-2005 pp 119-122, Dhhs-2003, PciSsc-2006]

[7] http://www.grc.com/intro.htm
[8] https://www.grc.com/x/ne.dll?bh0bkyd2
[9] http://www.nessus.org/

So the bottom line, then, is that these policies need to be written in some form and some record needs to be made whenever they are implemented. For businesses on the small end of the range, reading and trying to implement these standards can seem daunting. A small business is unlikely to have an “IT Steering Committee” or any kind of complex approval process for software changes, beyond, perhaps, John and Susan sitting down over lunch. PCI DSS, HIPAA, and ISO 17799 make some allowance for small and medium-sized businesses. COBIT®, aside from its other virtues, makes assumptions about the size and structure of the business.

Even if a process is simple and informal, it is still worth documenting and recording the decisions made. Like the process itself, the documentation will not be very complex. Regarding John and Susan, for instance, the following might be sufficient:

Met with Susan today to discuss the changes to the backup system. Showed her the research I had done on Acme Corp's product, including favorable security reviews. She expressed reservations over committing to a single vendor, but we both agreed their product would best fit into our current structure, particularly the accounting system. Decided to go ahead with purchase and rollout. — John.

It documents an approval process, records that research was done (printouts of reviews can be added to the file), and details the reasons for and against the decision. Not only is this a step toward standards-compliant procedures, but it means that a year or two down the road you can look back at the file and see why a particular change was made. All too often, people are afraid to challenge old systems because they do not remember why the decision was made and that those reasons may no longer be relevant (perhaps because the old accounting system is no longer used). Lastly, the document is simple and adds little overhead.

Many other requirements can initially be filled in a similar fashion. In a small business, it is unlikely that there will be many systems, categories of information, or classifications of employees which need to be documented. Workflows will be short and simple. Documents and policies can grow with the business and as problems are discovered.

One complexity which should not be ignored is the fact that Information Security records themselves are a category of document which may need special handling! For instance, HIPAA requires that security policies and records must be retained for six years [Dhhs-2003 §164.316b2i]. Documents that contain sensitive security information may need to be protected, and documents such as logs which may accidentally contain personal, confidential, or otherwise sensitive information may need to be protected, redacted, or deleted on a schedule.

Frequency and type of audits vary widely with the needs of the organization, budget constraints, and perceived risks, but there are some rules of thumb.


Many tools, such as virus/malware scanners, vulnerability scanners, and intrusion detection systems, can be run daily without intervention, but someone must actually look at the output in order for them to be effective. Some tools can automatically send reports to a central location, such as an administrator's email, and this should be looked for when selecting tools. The difference between a successful and a failed run should be immediately obvious, especially if many systems are being scanned; otherwise problems will be lost in noise.
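One way to make failures obvious in a pile of daily reports is to state up front which machine is expected to run which tool, and then treat a missing or stale report as a problem in its own right rather than trusting whatever happened to arrive. The following Python is an added example, not code from the original article or from any particular product: the one-line key=value report format and the sample report lines are constructed for the illustration, and a real deployment would parse whatever its tools actually emit.

```python
import re
from datetime import date

# Constructed sample: one line per tool run, as a central mailbox or log
# collector might receive them. The key=value format is an assumption.
SAMPLE_REPORTS = """\
2007-04-24 host=fileserver tool=antivirus status=ok infected=0
2007-04-24 host=fileserver tool=backup status=ok bytes=48123456
2007-04-24 host=webserver tool=antivirus status=ok infected=0
2007-04-24 host=webserver tool=vulnscan status=findings high=2 medium=5
2007-04-24 host=mailserver tool=antivirus status=error message="definitions 9 days old"
2007-04-23 host=reception-pc tool=antivirus status=ok infected=0
2007-04-24 host=reception-pc tool=backup status=ok bytes=1203
"""

# What should report every day. Anything not listed here is never checked,
# so keep this in step with the hardware inventory.
EXPECTED = {
    "fileserver": {"antivirus", "backup"},
    "webserver": {"antivirus", "vulnscan"},
    "mailserver": {"antivirus", "backup"},
    "reception-pc": {"antivirus", "backup"},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split 'YYYY-MM-DD key=value ...' into a dict; quoted values may contain spaces."""
    day, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["date"] = date.fromisoformat(day)
    return fields


def summarize(report_text: str, expected: dict, today: date):
    """Return (problems, ok). Silence counts as a problem: a host/tool pair that
    did not report today, or whose last report is old, is listed with the failures."""
    seen = {}
    for line in report_text.splitlines():
        if line.strip():
            r = parse_line(line)
            seen[(r["host"], r["tool"])] = r      # last line for a pair wins
    problems, ok = [], []
    for host, tools in sorted(expected.items()):
        for tool in sorted(tools):
            r = seen.get((host, tool))
            if r is None:
                problems.append(f"MISSING  {host}/{tool}: no report received")
            elif r["date"] != today:
                problems.append(f"STALE    {host}/{tool}: last report {r['date']}")
            elif r["status"] != "ok":
                detail = " ".join(f"{k}={v}" for k, v in r.items()
                                  if k not in ("host", "tool", "status", "date"))
                problems.append(f"FAIL     {host}/{tool}: {r['status']} ({detail})")
            else:
                ok.append(f"{host}/{tool}")
    return problems, ok


def render(problems, ok) -> str:
    """Headline first, problems next, the quiet successes last."""
    headline = f"{len(problems)} PROBLEM(S), {len(ok)} OK" if problems else f"ALL {len(ok)} CHECKS OK"
    lines = [headline, "=" * len(headline)] + problems + ["", "ok: " + ", ".join(ok)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*summarize(SAMPLE_REPORTS, EXPECTED, date(2007, 4, 24))))
```

On the sample input the headline reads "4 PROBLEM(S), 4 OK": the mail server's out-of-date virus definitions and the web server's vulnerability findings are reported as failures, the mail server's backup is flagged because it never reported at all, and the reception PC's antivirus is flagged because its last report is a day old. The point of the EXPECTED table is that a tool which quietly stops running shows up just as prominently as one that runs and fails.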

Quick checks of security status can be performed at a weekly meeting. As noted above, a printout from a problem tracking application is an effective and efficient way to view recent activity and outstanding issues. A more thorough check of maintenance records, security reports, and other documents can happen monthly, with a full top-down audit quarterly.

The frequency of external audits depends on many issues. First, external auditors tend to be expensive, so there is no sense in bringing in an outside auditor without having done a full internal audit first. Why pay someone to catch mistakes you might have fixed yourself? Instead, use the external auditor to verify your internal procedures and find problems that would never have crossed your mind at all. How often you do it depends on whether you have any requirements to maintain a certification; if so, you will likely need an external audit on a regular (say yearly) schedule and may have the threat of random spot checks. If you are not required to audit on a schedule, then you need to look at how the cost of the service affects your budget and how quickly your procedures change. If you have relatively stable procedures and regular internal audits, it may make more sense to spend the time and money on other security needs and bring an outsider in less frequently. No matter what you decide, make sure an auditor you hire is aware of your security goals, resource limitations, and the threats you are intending to address so they can concentrate their effort where it will give you the most benefit. There is no sense in paying money to have them point out problems you have no intention or capability of fixing.

Tip

I like to set up an internal web page with all of the security policies clearly laid out. Employees should bookmark this page in their web browser. During an audit, if they cannot remember a specific policy, they can quickly navigate to the required page and demonstrate that they know how to find the needed information. This also helps with the inevitable nervousness that going through an audit brings and makes sure the employee responds with the most current policy. The obvious exception to this is backup and recovery procedures, which must be printed and bound so that they can be accessed when computers and networks are not functioning.

An external auditor may examine many things. They will examine your policies and a representative sample of your records and documents. They want to know whether your policies are sound and whether you actually follow them consistently. They will likely quiz random employees to see if they know and understand your policies and their responsibilities. Depending on the type of audit, they may also examine your physical layout and security (are cabinets locked, unoccupied terminals logged out, can a security monitor be seen by someone on the other side of the desk?), or try to break into your network or computers. Good security auditors will try “human engineering” to trick your employees into violating security. When preparing for an audit, you must anticipate these tactics and ensure that everything is in order.

An Incident Response Plan

No matter how good your security is, you will eventually have to deal with an incident. Various regulations require you to have a documented Incident Response Plan [Dhhs-2003 §164.308a6, PciSsc-2007 §12.9, CaSenate-2003], but provide little guidance as to how to organize or implement such a plan. Common IT management standards also offer little help [Isf-2005a SM5.4, Itgi-2005 DS5.6, DS8], with ISO 17799 providing the most detail [IsoIec-2005 §13]. The Computer Emergency Response Team Coordination Center [10] (CERT/CC) provides a detailed handbook on organizing a Computer Security Incident Response Team or CSIRT [SeiCm-2001]. The discussion here will provide an overview focusing on practical rather than organizational matters.

[10] http://www.cert.org

A security incident may take many forms:

• A physical break-in where equipment or media is missing or may have been accessed.

• An attempted network or computer break-in.

• A successful computer or network break-in.

• A virus or malware infection.

• Missing (lost or stolen) media or hardware.

• Unauthorized access to documents or data by an employee, vendor, or third party.

• A Denial-of-Service attack.

In some cases, you may not be able to tell whether confidential data was actually accessed or copied and may need to assume the worst, at least until the incident can be completely investigated.

Attempted accesses should be reported, even though they were not successful. Reporting attacks to appropriate authorities, beginning with the owner of the network which originated the attack, can help other organizations locate and close security holes and may temporarily eliminate an attacker. An attacker who fails to gain entry repeatedly only needs to succeed once. Make sure that security rules are modified to block or monitor repeated access attempts from the same source. If (as is likely) there are too many attempts to report, choose the attacks which target software and services you run and therefore concern you the most.

When a security incident is discovered, there are three immediate goals:

Immediate Goals

Contain the Damage: Stop the spread of an infection, close the hole an intruder is using to enter, and protect data from unauthorized access.

Restore Services: Get computers, systems, or services back into (safe) operation so that business can continue. This may mean that services operate in a degraded (slower or reduced functionality) mode until complete repairs can be made and security reestablished.

Preserve Evidence: Any data which can identify the attacker, the means of entry, or the amount of data they may have accessed should be preserved for later analysis.

Tip

Make sure that the appropriate points of contact for reporting incidents are well posted. An internal webpage is probably a good idea and gives you a place to post advisories and reporting guidelines. If you or your security vendor relies on computer-based reporting and tracking, make sure there is also an alternative, since problems involving computer, network, or account failures will need to be reported too.

Implicit in these goals is a means to actually identify and report the problem in the first place. This requires some point of contact(s) who is/are assigned to incident response and available, preferably 24/7. Problems may also be reported by automated systems which may be set up to page or otherwise notify on-call administrators. These personnel start an incident report and classify the problem. Next, they refer to policy to determine what other members of IT, Security, and Management need to be involved and how quickly. Then, if the problem is legitimate, they attempt to satisfy the three immediate goals. The group of Security, IT, and Management who are involved in handling security breaches are the Incident Response Team, sometimes referred to as a Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT). We use the acronym CSIRT here.

In the early stages of dealing with a security breach, a heavy-handed approach is often safer and easier. For instance, it may be simplest to remove a compromised machine from the network and temporarily install a different machine for an employee. This will give your CSIRT time to examine the machine properly and make sure that the threat is completely removed. Anti-virus programs will try to remove a detected infection, but the truth is that they are not often successful. A virus may very well make changes or install software that the anti-virus cannot detect or cannot safely undo. Similarly, a hacker having broken into a web server can hide changes in many subtle places which might provide a means of reentry. A complete reinstall is safe, thorough, and may even be faster than attempting repairs. The heavy-handed approach, however, means that you must budget for some spare hardware and make sure that documents are backed up regularly, both of which will protect you from other kinds of incidents as well. Remember that replacement hardware is temporary and need not be as fast or fancy as the original system.

Tip

Act quickly and decisively: a PC can always be restored to a network and accounts re-enabled after they are shown to be safe. You will not be able to recover confidential data that has been copied to somewhere beyond your control.

The heavy-handed approach should also be taken with possibly compromised accounts. If you have reason to believe that an account has been compromised or has been used for unauthorized access to data, lock it, and seriously consider locking all accounts used by the same person until you can interview the employee, scan their PC, laptop, etc., for malware, and change their passwords or credentials. Over-zealousness should not be a problem as long as everything you do is reversible, your investigative process is streamlined, and you keep people informed of what actions are being taken and why.

Once a compromised system has been isolated, data should be gathered for later examination. Some of this can be gathered from the live machine with computer forensics software or hardware to examine memory. In particular, you can record what programs are run and where they attempt to connect to. Live forensics programs have serious limitations, however, and can be hoodwinked by infections which have gained deep control over the operating system [Higgins-2007]. Any relevant network or other access logs should also be copied and stored along with applicable physical security information such as check-in/check-out times and CCTV footage if local access is suspected.

Almost immediately, a copy of the hard drive should be made (an image). In fact, it is best to make two, one to preserve untouched for law enforcement (if applicable) and one to actively examine. Then the hard drive can be wiped clean, reinstalled, and put back to use. One attraction of virtual machine (VM) technology is that the “hard drive” the operating system is running on is not real, but is in fact a drive image stored in a file. That image can be copied or reset to an earlier (and safe) state quickly and easily, making cleanup from break-ins fast and efficient.

When gathering evidence, be careful to keep a documented chain of custody; record who handles each piece and what tests are run. Print and store output of all procedures. If at all possible, ensure that all actions have an additional witness present. Your legal counsel will likely have additional advice for preparing evidence which can be used by law enforcement.
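The two points above, making two images of a drive and keeping a documented chain of custody for each, come together in a custody log that records a cryptographic fingerprint of the image at every handoff, so that anyone can later show the sealed copy is byte-for-byte what was taken. The following Python is an added example, not code from the original article; the image bytes, names, timestamps and the label of the machine ("ws-17") are constructed for the illustration, and a real image would be opened from disk as the stream.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

CHUNK = 1 << 20   # hash a megabyte at a time so a multi-gigabyte image never has to fit in memory


def fingerprint(stream) -> str:
    """SHA-256 of everything readable from a binary stream (an open file or a BytesIO)."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def fingerprint_bytes(data: bytes) -> str:
    return fingerprint(io.BytesIO(data))


@dataclass
class CustodyEntry:
    when: str       # ISO timestamp of the handoff or action
    who: str        # person performing the action
    action: str     # what was done: imaged, sealed, examined, handed to ...
    sha256: str     # hash of the item as measured at this step, never copied from the last entry
    witness: str    # second person present, as the text recommends


@dataclass
class EvidenceItem:
    label: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, who: str, action: str, stream, witness: str,
               when: Optional[str] = None) -> CustodyEntry:
        """Append an entry, re-hashing the item so the log records what was actually handed over."""
        entry = CustodyEntry(when or datetime.now().isoformat(timespec="seconds"),
                             who, action, fingerprint(stream), witness)
        self.entries.append(entry)
        return entry

    def verify(self, stream) -> bool:
        """True if the item still hashes to the value recorded when it was acquired."""
        return bool(self.entries) and fingerprint(stream) == self.entries[0].sha256

    def unbroken(self) -> bool:
        """True if every handoff measured the same hash; a change anywhere breaks the chain."""
        return len({e.sha256 for e in self.entries}) == 1

    def report(self) -> str:
        """Printable custody log to file with the incident."""
        lines = [f"Evidence item: {self.label}"]
        for n, e in enumerate(self.entries, 1):
            lines.append(f"{n:2}. {e.when}  {e.who:<10} {e.action:<28} "
                         f"sha256={e.sha256[:16]}...  witness: {e.witness}")
        return "\n".join(lines)


def verify_bytes(item: EvidenceItem, data: bytes) -> bool:
    return item.verify(io.BytesIO(data))


# Constructed stand-in for a drive image; for a real one use open(path, "rb") as the stream.
IMAGE = b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096


def demo_copies(image: bytes = IMAGE):
    """Two images of the same drive: copy A is sealed for law enforcement, copy B is worked on."""
    copy_a = EvidenceItem("ws-17 drive image, copy A (sealed)")
    copy_a.record("J. Smith", "imaged drive, sealed copy A", io.BytesIO(image), "S. Jones", "2007-04-24T09:12:00")
    copy_a.record("S. Jones", "placed in evidence safe", io.BytesIO(image), "J. Smith", "2007-04-24T09:30:00")
    copy_b = EvidenceItem("ws-17 drive image, copy B (working)")
    copy_b.record("J. Smith", "imaged drive, copy B", io.BytesIO(image), "S. Jones", "2007-04-24T09:12:00")
    copy_b.record("S. Jones", "read-only malware scan of image", io.BytesIO(image), "J. Smith", "2007-04-24T11:05:00")
    return copy_a, copy_b


def tampered_chain(image: bytes = IMAGE) -> EvidenceItem:
    """What the log looks like when a copy is altered between handoffs: unbroken() becomes False."""
    item = EvidenceItem("ws-17 drive image, copy B (altered)")
    item.record("J. Smith", "imaged drive", io.BytesIO(image), "S. Jones", "2007-04-24T09:12:00")
    item.record("S. Jones", "handed to analyst", io.BytesIO(image + b"\x01"), "J. Smith", "2007-04-25T08:00:00")
    return item


if __name__ == "__main__":
    for item in (*demo_copies(), tampered_chain()):
        print(item.report(), "\nchain unbroken:", item.unbroken(), "\n")
```

Each handoff re-hashes the image rather than copying the previous entry's value; that is what lets the last entry in the log vouch for the first, and what makes an altered working copy show up as a broken chain instead of passing unnoticed. Print the report and keep it with the physical media and the witness signatures.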

Throughout this process, be careful with communication about the incident. Ensure that team members verify the identity of who they are communicating with (employees, IT staff, vendors, authorities, etc.) and protect the privacy of the communication. Impersonation to obtain security information is common. Information leaks can start rumors and undermine the handling of an incident before an investigation can be completed. They may also inform an attacker of the progress of an investigation. The CSIRT should control the release of information to ensure that it is accurate, complete, and does not compromise security. [BrownleeGuttman-1998 pp 5-6, West-BrownEtAl-2003 pp 106-110]

After the initial stages, incident response can take any of several directions, depending on what was compromised, how it was compromised, and whether it can reasonably be expected to happen again. This is where clear policy and clearly defined responsibilities are critical, and their exact form depends on the size and type of business you run. Your overall goal, however, will be the same: comply with all regulations and privacy rules to resolve the incident and prevent recurrence with as little disruption as possible. The CSIRT is not there to play policeman unless there is something to be gained. What you do next will depend on some of the following questions:

Follow-up Questions

• How did the incident occur? Is this incident related to other incidents?

• What permanent changes need to be made to prevent recurrence? Is it covered by a support agreement or contract? Is this a technological or a policy problem?

• How was the problem discovered? Could it have been discovered sooner? Should a warning or advisory be issued?

• Was the incident a result of a broken policy or agreement? Does action need to be taken?

• Is there enough evidence to involve a third party such as a security organization or law enforcement and pursue the criminal?

• Was, in fact, confidential data compromised? Could it have been copied somewhere outside of business control? Can the thief potentially read/use the data, or is it strongly encrypted?

• If data was compromised, who does it belong to? What other parties must we inform to comply with regulations and contractual obligations (e.g. customers, credit card companies, vendors with confidentiality agreements, etc.)? Do we have contractual liabilities?

• If our data was compromised or destroyed, what can we do to mitigate the loss? Is a loss covered under an insurance policy?

• Were sensitive records modified or destroyed (billing records, account information, contracts, access logs, employee records, etc.)? What can we do to identify fraudulent records and restore them? Is our backup and recovery system working?

• Was our system used to attack other systems (such as visitors to our web site)? Did these attacks succeed? Who do we need to inform?

• Do we need to make a public statement or control negative publicity?

The answers to these questions should result in a list of action items to be passed on to other parts of the company, such as IT changes, policy updates, legal actions, press releases, and so forth as necessary. In a small company, of course, these actions will be handled mostly by the same people wearing different hats. The team should also produce a clear and concise report of the incident and a summary of the actions taken for the record.

A heavy-handed approach is appropriate early on, but the response should be more reasoned as the incident is investigated. In particular, be careful to differentiate between a possible inside job, a violation of policy, and simple human error. If management is too quick to hand out blame, fewer incidents will be reported in the future.


Each set of regulations you must comply with will have its own slightly different set of definitions for what constitutes a compromise, when, and whom you must inform. As an example, regulations may only care about incidents in which certain combinations of data are released, such as addresses and social security numbers linked to first and last names (e.g. California SB 1386 [CaSenate-2003]). Either these details must be codified in your own policy, or you simply need to have your policy refer to the relevant sections of the regulations and go through them as needed. For serious breaches, you will need legal counsel to help you navigate this minefield. As you go through the process, you will likely build up boilerplate letters and forms to streamline many of the steps.
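Codifying the "combination of data" test in your own policy means writing down exactly which elements, linked to a name, trigger a notice, and whether strong encryption of the exposed data changes the answer (the question asked earlier in the follow-up list). The following Python is an added example of that kind of policy-as-code, not code from the original article and not the text of SB 1386 or any other regulation: the identity fields, the sensitive elements, the paired elements and the encryption exemption are assumptions chosen to have the shape the paragraph describes, and your own table must be taken from the regulation with counsel.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed rule for illustration only; see the lead-in. The decision is
# "name plus at least one qualifying element, in readable form".
IDENTITY = {"first_name", "last_name"}
TRIGGERS_ALONE = {"ssn", "drivers_license", "medical_record"}
# Elements that only qualify together with a second element.
TRIGGERS_PAIRED = {"account_number": "access_code", "card_number": "security_code"}


@dataclass
class Exposure:
    fields: Set[str]                # attributes present in the data that left your control
    record_count: int = 0           # how many people's records
    encrypted: bool = False         # was the data strongly encrypted when it was exposed?
    key_compromised: bool = False   # was the key, or a password unlocking it, also exposed?


def matched_triggers(fields: Set[str]) -> List[str]:
    """Which qualifying elements (or qualifying pairs) are present."""
    found = sorted(TRIGGERS_ALONE & fields)
    for elem, partner in sorted(TRIGGERS_PAIRED.items()):
        if elem in fields and partner in fields:
            found.append(f"{elem}+{partner}")
    return found


def notification_required(exp: Exposure) -> Tuple[bool, str]:
    """Return (decision, reason) under the constructed rule above.

    The reason string is what goes in the incident file: it records why a notice
    was or was not sent, which matters as much as the decision itself.
    """
    if exp.record_count <= 0:
        return False, "no records affected"
    if not IDENTITY <= exp.fields:
        return False, "records are not linked to a full name"
    matched = matched_triggers(exp.fields)
    if not matched:
        return False, "no qualifying element accompanied the name"
    if exp.encrypted and not exp.key_compromised:
        return False, f"{', '.join(matched)} exposed but encrypted; key not compromised"
    return True, f"name linked to {', '.join(matched)} in readable form ({exp.record_count} records)"


# Constructed scenarios, as they might be written up from the follow-up questions.
SCENARIOS = {
    "stolen laptop, customer spreadsheet": Exposure(
        {"first_name", "last_name", "email", "ssn"}, record_count=120),
    "stolen laptop, encrypted volume": Exposure(
        {"first_name", "last_name", "email", "ssn"}, record_count=120, encrypted=True),
    "encrypted volume, password on sticky note": Exposure(
        {"first_name", "last_name", "ssn"}, record_count=120, encrypted=True, key_compromised=True),
    "mailing list leak": Exposure({"first_name", "last_name", "email"}, record_count=3000),
    "card numbers without security codes": Exposure(
        {"first_name", "last_name", "card_number"}, record_count=40),
    "card numbers with security codes": Exposure(
        {"first_name", "last_name", "card_number", "security_code"}, record_count=40),
}


def triage(scenarios=SCENARIOS):
    """One decision per scenario, for the incident report."""
    return {label: notification_required(exp) for label, exp in scenarios.items()}


if __name__ == "__main__":
    for label, (decision, reason) in triage().items():
        print(f'{"NOTIFY " if decision else "no notice":10} {label}: {reason}')
```

The scenario table is where the judgement calls get written down: the same stolen spreadsheet yields "no notice" when the volume was encrypted and the key was safe, and "NOTIFY" when the password was on a sticky note, and a card number on its own is treated differently from a card number with its security code. Whatever your actual rule turns out to be, keeping it in one place like this means the CSIRT applies the same test every time and the reason is recorded with the decision.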

In addition to complying with regulations, you may need to coordinate with outside agencies such as other CSIRTs to:

• Report software vulnerabilities.

• Obtain technical support.

• Help track or apprehend the criminal.

• Obtain more information about the attacker, such as means of entry, whether data might have been stolen, and what it might have been used for, from other ongoing investigations.

• Warn others of attacks which may have been made from your network or infections passed on.

• Obtain outside review of proposed solutions.

In order for interoperation to work, you will need to give thought to confidentiality arrangements, preferably beforehand. What information can you share with an outside agency? What confidential information might need to be redacted from incident reports or logs? What limits on use of the information do you need to communicate to the outside agency? You must also make sure you have prepared legitimate points of contact with the most likely outside agencies so you can maintain the privacy and integrity of the communications [BrownleeGuttman-1998 pp 5-6, 11-14, SeiCm-2001, West-BrownEtAl-2003 pp 112-115].

At the end of the process, one last set of questions should be asked:

Post-Mortem

• What is the approximate cost of this incident?

• Were the actions taken timely and appropriate? Could the response have been improved?

• Did the Incident Response Plan work? Are the roles and responsibilities appropriate? Does the plan need adjustment?

• Did the CSIRT have the resources needed to do its job efficiently? What might make the job easier?

A brief treatment of these questions, perhaps directly including comments by team members or employees involved in the incident, should go in an after-action report to be filed with the incident and be considered in future responses.

Tip

The US-CERT Vulnerability Database (http://www.kb.cert.org/vuls/) is a good source for information on current threats. There is a mailing list available for daily announcements. You should also check regularly with your software and security vendors for problems and fixes.


In addition to clean-up after incidents occur, the CSIRT in most organizations is also responsible for tracking developing threats by monitoring announcements of security agencies, vendors, and peer organizations, informing IT staff, and drafting warnings or advisories for distribution to employees, customers, and other stakeholders.

Making IT and Security Purchases

Avoiding the Lemons

When I was younger, I went on a mission with my dad to buy a used car. We took my uncle along, who owned a repair business, and took a look at several “deals”. I remember one in particular, a blue Ford sedan of some description with low mileage and a decent price. My father talked to the salesman while my uncle poked around the car. The salesman was expounding the virtues of the vehicle when he noticed what my uncle was doing. “Is he a body man?” the seller asked. “Yep.” my dad answered. The salesman immediately gave up the pitch. Many years later, I think back to that car when making purchase decisions.

Aside from sound policies, security awareness and training, and threat tracking, one aspect of proactive security is sound IT purchasing and deployment. This is not an easy subject and there is no magic formula, especially when a business is bound by legacy systems and a need for compatibility with customers, vendors, and government agencies. There are many snake-oil salesmen. Common products are released to market much too soon and, as a consequence, are rife with vulnerabilities.

The problem can be illustrated by the Secustick™, a password-protected USB memory stick which is supposed to erase itself after several failed access attempts. The device was used by many organizations for sensitive data— until it was demonstrated that its security was simplistic and could be broken with minimal time and effort [Tweakers-2007]. Noted security expert Bruce Schneier discusses this device in his column, Security Matters, along with the general poor quality of security technology and the difficulty IT customers have in separating the wheat from the chaff, comparing the industry to the used car market.

In general, he says, in any industry where the seller knows more about the product than the buyer, good products are undercut and people tend to buy lemons:

Take the market for encrypted USB memory sticks. Several companies make encrypted USB drives— Kingston Technology sent me one in the mail a few days ago— but even I couldn't tell you if Kingston's offering is better than Secustick. Or if it's better than any other encrypted USB drives. They use the same encryption algorithms. They make the same security claims. And if I can't tell the difference, most consumers won't be able to either.

—[Schneier-2007]

In this section, I try to improve your chances of “getting it right,” but in general:

• Don't lock heads with technology zealots; different technologies, different approaches, have their place.

• If it ain't broke, don't fix it; do not rush to embrace brand new technology.

• Use a defense in depth; do not bet everything on one product.

• Consider product failure in your risk analysis; what happens if you need to switch vendors or downgrade due to an intractable problem?

I will mainly focus on security-specific software, but much of the discussion will apply to products containing security features and IT decisions generally.


Simple, Proven, Standard

What's In a “Standard”?

There is a lot of confusion between the words standard, de-facto standard, open, and open source. These terms are discussed individually in the glossary, but we will discuss them in relation to IT purchases here.

Standards are published specifications which anyone can examine. Open standards are maintained by some form of group consensus and licensed so that anyone, even direct competitors of the publisher or submitter, can comment on them or use them. A standard provides the benefits of peer review and interoperability: a potential user can depend on the process to provide some guarantee that compliant products meet some level of quality and function the same as other compliant products. Interoperability allows the user an out if a product they depend on turns out not to meet their needs due to quality, legal concerns, security, scalability, or cost. De-facto standards, products or practices in common use throughout the industry but not specifically defined, do not give the customer any of the benefits of an open standard and may lead to vendor lock-in.

Specifications which are encumbered by intellectual property licenses, non-compete agreements, or non-disclosure agreements are not “standards” for our purposes here, since they do not benefit from peer review or interoperability. To be useful, a standard must allow and encourage open competition.

Open source products, products whose source code is publicly available and group maintained, have the aspects of peer review and group control, but are not themselves “standards” and may or may not interoperate with other products. Many open source products, however, are also standards compliant. For instance, the popular Apache Web Server implements the Hypertext Transfer Protocol (HTTP) and the Common Gateway Interface (CGI) standards, among others, and does essentially the same job as any other web server. Linux™ closely follows the UNIX™ operating system standards and Linux applications can easily run on other UNIX systems such as Sun Solaris™ or Apple's OS X™.

Standards, like any process involving humans, are not perfect. In the groups I have been involved with, hundreds of emails can sometimes be spent arguing over details which eventually get tabled and left ambiguous in the specification because no one can agree on a single approach. Industry guidelines or recommendations fill gaps until the standard catches up and, in the meantime, customers experience incompatibilities and headaches. In the end, however, standards help customers get what they want and know what they are getting.

Generally, people are concerned about three aspects of security technology: cost, functionality, and effectiveness. Only two of those can be effectively judged by most consumers. Cost, or, at least, price, is an easy item to judge. Features are a little bit tougher, particularly if you are unwilling to take vendor claims at face value. Fortunately, it is relatively easy to find press reviews for many products which will describe basic features and ease of use. Ease of use impacts Total Cost of Ownership (TCO) by affecting support and training costs. Ease of use also impacts effectiveness to the extent that a product which is difficult to use or understand will probably not be used properly. Reviews of product effectiveness, especially competent ones, are much harder to find. Press reports stick to features and price in reviews because they require less expertise to write, do not require expensive labs, are faster to market, and do not lose the reader in the first paragraph.

Not only is the effectiveness of a security product hard to judge, it is also hard to get right. Security requires expertise, a disciplined process, and rigorous testing, all of which is expensive. Leaning on established, standard technology helps, but even when using a standard, an encryption algorithm, for instance, the vendor must make sure that their implementation of the standard is correct and nothing in the product around it undermines the security. Independent certification raises costs even further. If a product is competing on price, features, and effectiveness, an effective product must sacrifice somewhere, and features is a good place to cut since a simpler product is also easier to test.

A corollary here is that a product which is priced well and has an array of features is probably not well tested— the books have to balance. Many commodity software and hardware products are released well before they are ready and are tested by consumers, with a steady stream of bug-fixes, security patches, and driver updates. A disturbing trend is the number of such products, especially short-lived consumer hardware, where the vendor does not even bother to fix the software problems, expecting the consumer to just upgrade to the newest hardware. I have several such paperweights on my desk right now.

The prudent shopper, therefore, looks for the simplest products that will do the required job. Remember that simple components working together make up a defense in depth (see the section called “Create a Defense In Depth”). In many cases, you will find that the extra features are not needed and may just make products harder to use and understand. Other than reading like something out of Mission Impossible, there is no real advantage to a self-destructing memory stick versus one which merely uses strong encryption. A self-destructing drive protects the data if the wrong password is entered; an encrypted drive, by being simpler, also protects the data if the drive is taken apart.

Products which include security features like built-in encryption have historically been very weak (e.g. zip-file or Word document encryption). Many times these features are an afterthought and are not given as much attention as the rest of the system. The vendor may not even have the in-house expertise to do the job right. It is therefore better to get simpler applications and use dedicated external tools to provide security. This also offers the option of changing those tools if you find that they do not suit your needs. On the other hand, integrated security features are easy and convenient; it is much easier to check a box saying “encrypt this” than to remember to run an extra program. The best of both worlds may be applications which provide a framework for 3rd party plugins so that the “encrypt this” checkbox runs the tool of your choice. As an example, Firefox does not have built-in anti-phishing protection, but I know of at least three Firefox add-ons which do and have chosen one I find useful. I also use a 3rd party plugin to provide encryption in the Macintosh Mail application I use. The applications and plugins remain simple and dedicated to their tasks while retaining convenience.

Look for products that have been audited by independent labs, have in-depth security reviews, or feedback by security professionals. This will necessarily steer you away from the newest whiz-bang technology and toward the cars that have a good track record and high resale value. It is often better to let others blaze the trail and simply learn from their mistakes.

Take statistics-based security reviews with a spoonful of salt (“X product had 79 vulnerabilities last year, while Y product had 32. Y is more secure.”). Statistics can be twisted to serve almost any purpose and that class of report is often highly slanted: How serious were the reported problems? How many were actually exploited? Were the problems self-reported or independently found? Do the numbers include bundled software? How fast were serious versus minor problems fixed? What counts as a separate vulnerability? etc. These reports can provide useful insights, but, unless you have time to check all of the underlying assumptions, be wary of them.

Favor products that implement or use standards compliant technology. From a security standpoint alone, this yields several advantages: peer review, group control, interoperability. I have harped on peer review quite a bit. Group control gives the business a chance to participate in the process (if necessary or desired), and protects the competition needed to make interoperability meaningful. Interoperability is critical from two directions.

First, interoperability allows customers to switch tracks if one product or technology fails to meet their needs. If a database system is found to be insecure and cannot (or will not) be fixed, you must be able to get your data out of it and into another product. You must also, with as little disruption as necessary, get a new database product to fit into your IT structure, such as an online ordering system. If a customer has no real ability to do this, then a vendor has no pressing need to test their product, offer timely support, compete over price, or virtually anything else.

With a de-facto standard, the definition of the technology is not written down and is only really understood by the primary vendor. Whenever a competitor gets close to figuring out how it works, the vendor simply makes slight changes in the technology in order to break competing products; while good for the vendor, it is never good for the customer. Microsoft Word™ is the classic example of this kind of practice.

Second, without interoperability, a monoculture may develop. A monoculture is a situation where everyone's defenses are identical to everyone else's, in this case because they are all running the same software. An attack which works on one system works just as well on any other, and infections spread very quickly— resulting in the Irish Potato Famine or the current situation with Internet worms. With standards in place and marketplace competition, different businesses have somewhat different software. The software is interoperable, but is unlikely to have the exact same problems. One of the reasons that Linux systems, for instance, are not as vulnerable to attacks is because of different distributions (“flavors”) of Linux. Linux systems are just different enough that an attacker must treat them individually rather than launching fully automated attacks. This is not to suggest that every business can drop Windows and use alternative systems (or even that this is entirely desirable), but it is food for thought: sometimes change is good and sometimes just the clear threat of alternatives can force vendors into line.

One place where standards compliance is starting to change the nature of threats is with Internet browsing. The increase in market share of non-Internet Explorer browsers (e.g. Firefox, Safari, Opera, etc.) is encouraging web designers to make their pages work with more than one browser. Businesses are better protected because Firefox users are immune to IE-specific threats and vice-versa. As the numbers continue to change, attackers have to work harder to affect the same numbers of people and increased competition is driving all of the web browsers to improve.

The Limits of Detection, Repair, and Forensics Software

This discussion deserves its own section just because it concerns claims often made by product vendors and generally misunderstood by customers. I touched on this issue in the section called “An Incident Response Plan” when discussing forensics. Specifically, there are clear limits to what malware detection, repair, and forensics software (even hardware) can do. Once a system has been compromised, that is, an attacker has gained administrative access, then, by definition, you no longer control that system.

Caution

Once an attacker controls a system, no information from it and no operation on it, including the functioning of any security software, can be entirely trusted, no matter how simple the problem appears to be. The only safe course is to boot a safe copy of the operating system and system files, preferably from unwritable media.

Essentially, administrative control of an operating system allows the attacker to change reality. They can alter system files, device drivers, security settings, etc., limited only by their imagination. They can force file browsers, virus scanners, or intrusion detection systems to see only what they are allowed to see. Sure, in many cases, simple viruses will not go to these lengths, but attacks are becoming more sophisticated, and it is quite possible for an attacker to offer up a red herring to a repair program while keeping the real danger hidden. Recent discoveries have demonstrated ways to hide in “safe” parts of Windows Vista designed to prevent users from copying copyrighted files (DRM). Ways have even been discovered to hide from hardware-based memory scanners [Higgins-2007].

Network-based scanning and forensics software has even more difficulties, specifically software designed to analyze a system to determine if it complies with security policies (anti-virus software, current OS updates, etc.), and software used to remotely diagnose problems. These products can be actively dangerous if they are allowed to generate a sense of complacency. This category of software relies on support from the local machine. If the machine is hijacked, it is not difficult for the attacker to answer “Yes, I'm fine.” to any question asked of it. It is like screening someone at an airport by asking, “Are you carrying a bomb?”

That is not to say that these categories of software are entirely useless, just that their use falls quite short of their marketing descriptions. Further, their shortcomings are not due to flaws in their manufacturing; they are fundamental to the nature of the tool. Network analysis tools can catch accidental mistakes, like forgetting to update a machine or plugging a foreign laptop into the network. When they detect a problem, such as an infection, the results can be depended on insofar as a problem really exists. Tools can be set up to automatically page administrators or quarantine dangerous PCs. They cannot be depended on to correctly identify an infection, remotely repair a compromised system, or locate a clever attacker, and must be backed up by regular direct examinations of the individual machines.

Part of the reason for their popularity is that a true remote solution to the problem would be a tremendous time and money saver, allowing much greater centralization of support resources, earlier detection times, and faster incident response. In practice, however, the solutions are just not workable.

Similarly, forensic tools run on the local machine can provide useful information as long as it is clearly understood that the attacker is calling the shots and time can be dedicated to unravelling layers of deception. On the other hand, most businesses can probably do just as well by making a safe copy of the disk and leaving it to dedicated security experts with the tools, techniques, and expertise to perform that kind of analysis. Meanwhile, wiping and reinstalling (despite its implications for downtime) is the safest repair technique. Downtime can be reduced if a spare of a critical system can be set up and ready to go. Then you just have to transfer data. Imaging and restoration software is also a great help. If you are restoring documents that can contain macros or scripts (e.g. Office documents) to a system that was infected, be sure to scan them for viruses first or you may have to do it again.
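The "regular direct examination" of a machine recommended above, done while booted from trusted media rather than by asking the suspect system about itself, is the idea behind file-integrity checking. The following is an added illustration of that check, not a tool from this document or any product it names: it records a manifest of file hashes from a known-good installation and later compares the suspect disk against it. The workflow it assumes (baseline taken right after a clean install, manifest kept on read-only media, comparison run from a trusted boot) and the tiny sample file tree it builds are both constructed for the example.

```python
"""Offline file-integrity check (added illustration, not a tool from the article).
Assumed workflow: record a manifest of file hashes right after a clean install,
keep it on read-only media, and later compare the suspect disk against it while
booted from trusted media, so the compromised system itself is never asked."""
import hashlib
import os
import tempfile
from typing import Dict, List

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries need little memory


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # skip links; their targets are hashed on their own
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, vanished, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a tiny fake system tree, a baseline, then simulated tampering."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"pretend this is the ls program")
        with open(os.path.join(root, "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        baseline = build_manifest(root)  # taken while the tree is known good

        # The kinds of change an intruder with administrative access leaves behind:
        # a replaced system program, an unexpected new file, a deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"pretend this is a replaced ls program")
        with open(os.path.join(root, "bin", "helper"), "wb") as f:
            f.write(b"unexpected new file")
        os.remove(os.path.join(root, "hosts"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the environment it runs in: a manifest read from, or a hash computed by, the compromised system's own tools is subject to exactly the "Yes, I'm fine" problem described above, which is why the baseline and the checker belong on unwritable media.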

Freeware versus Open Source

Here we discuss a bit about the differences between “Freeware” and open source software (which is sometimes called “Free Software”). This can be confusing and has implications for security.

Freeware is often blamed for security problems, and rightly so. Freeware, as used here, includes a whole host of downloadable gizmos, games, and gadgets which many computer users cannot resist. Some of these programs are actually free and some of them start out free then request payment in some fashion (after a time period, to access more features, to remove advertisements, etc.: “shareware”). Many of these programs are advertisement supported and are essentially the source of much adware, spyware, trojan horses, and so forth. There are good and useful programs in the mix as well, but finding them takes some detective work. Anti-spyware programs attempt to detect the bad apples but require constant updates to keep up with new problems.

Open source, which has been called “Free Software” at times, is a very different beast. The Free Software moniker has been explained as “Free as in Freedom, not Free as in beer”, referring to the ability to view and share source code, but due to confusion with Freeware, open source has become the preferred term. Open source is a type of software that is developed by a group effort, consisting of some mix of individuals, companies, non-profit foundations, and government organizations. These groups contribute time, money, equipment, and direction to the project in return for free access to the product. Open source products of one sort or another underlie much of the structure of the Internet, such as the Domain Name Service (DNS) backbone and most of the Internet web and mail services. Commercial products are sometimes hybrids of open and closed source: Apple's OS X runs on top of the free BSD UNIX operating system, LinkSys™ uses the free Linux operating system in many of its consumer router products, as does Tivo™ in its personal video recorder, and even Microsoft uses BSD code in its Windows networking stack.

Contrary to the claims of many opponents of open source (generally companies facing competition from open source products), project development tends to be a very controlled process where changes are carefully approved and anyone can view both the current state and the complete history at any time. This makes sneaking in deliberate backdoors very difficult and often makes finding and removing security holes an easy process. Contrary to many open source zealots, open source is not universally better. There are many more open source products in existence than closed source, and many are of poor quality or have languished because of lack of interest. In these cases, progress is slow and fixes to problems may not happen. Sometimes commercial products are better designed because they benefit from a single point of view instead of degenerating into arguments about different approaches. Open source often approaches problems differently than common products and there can be a significant learning curve. In general, however, open source processes do quite well for most purposes and the projects which survive are of very high quality. The availability of source code drives competition for support contracts or customization. Sometimes you will find that alternative products approach things differently because a different way is actually safer and more efficient for some users.

In any case, I would seldom recommend that a company “take the plunge” unless there is a significant business need, but slow incorporation of open source products, especially at the server level, can reduce costs, open opportunities, and reduce vendor lock-in.

As an aside, I myself hated UNIX/Linux until one point in college where I forced myself to use it exclusively for three weeks: writing papers, email, and so forth. Once I got an idea why the system worked the way it did (there was no OpenOffice back then and UNIX was designed at a university level with an emphasis on scientific and technical writing), it gave me a lot of insight into different ways to approach even tasks as mundane as office work. Those insights still serve me today as I write a large technical document on a system (Apple OS X) with UNIX underpinnings. Different tools for different jobs.

Your Network Layout

In this section, we describe common components of a business network and how they relate to security. If you have a very small business and few computers, one component may do double duty and take the place of several others; we will discuss this where appropriate. Figure 1, “Network Layout” shows common network components.

Figure 1. Network Layout


Network Components

Internet. The Internet is often pictured as a cloud because the protocols it uses are designed to not care about how they get from point A to point B. If you are in California sending data to New York, it might go by way of Illinois, Texas, or anywhere in between. This makes the Internet highly resilient in the face of network failures, but it also means you have little or no control over your data once it leaves your own network. Encryption technologies, such as SSL in web browsers, help to protect your data as it crosses the great unknown.

Internet Clients. Somewhere out there are PCs owned by your clients and customers which need access to your services, such as your company website, online store, or real estate database. Some of these PCs may have been compromised by viruses or hackers; some of them may be hackers. Your challenge is to protect yourself and your users from fraud while still making your services easy and convenient to use.

Internet Servers. Also out there in the cloud are the Internet services your business uses, such as vendor websites, email from business partners, and so forth. Perhaps your own web site, email, or other services are hosted on a third party server. As with customer PCs, 3rd party services may be illegitimate or may have been taken over by the bad guys, so the benefit of outside services is always balanced by some element of risk.

Router/Firewall. A router connects one network to another. A router is like the on/off ramp to a highway. It connects a collection of local roads to a public expressway. Routers form the interchanges and junctions which allow data to find its way across the world.

A large organization may have several routers connecting different sections of its network. A small organization generally only has one, connecting its internal network, or Intranet, to the Internet. Most routers designed to connect to the Internet contain security software to deny unwanted traffic and protect the local network; this is called a firewall, or specifically, a hardware firewall. The firewall is your first line of defence against the outside world. A firewall may be included in other consumer network products such as DSL Modems and wireless access points, but products vary greatly in sophistication and quality.

DMZ Servers. The DMZ or Demilitarized Zone is an area in between the internal network and the outside world. The term refers to the land-mined stretch of land between North and South Korea. The DMZ is a dangerous in-between space used to house the services, such as web sites and email, your network provides to the Internet at large. Simple firewalls may only allow a single computer in the DMZ, a DMZ Host, and provide no protection to it at all. Higher end firewalls support an entire network of servers and can provide them with configurable protections from attack; note that PCI DSS requires specific protections for DMZ servers [PciSsc-2006 § 1.3].

PCs. Of course, your network contains PCs, where your employees actually do their work. Although your PCs are protected by a firewall (you do have a firewall, don't you?) from direct attack, PCs are often used to connect to services on the Internet such as web pages and email and bring things back with them, including viruses and the aptly named trojan horse programs. In addition, PCs, in the hands of a shady employee, can be a source of attack themselves. Lastly, PCs, especially laptops, can be stolen with all of their data.

PCs can also mount a battery of defensive software, including virus and spyware detectors, their own, software-based, firewalls, layers of roles and permissions in the operating system, and document encryption.

Intranet Services. Besides PCs, you probably have some servers, PCs, or devices that provide services to the inside of your network, such as some shared files or maybe a printer. Consumer products such as printers or hard drives that simply plug into a network have come a long way, so even small shops may have network servers without even thinking of the computer inside. Larger businesses may have shared databases and applications for payroll, accounting, claims processing, etc. Protecting shared resources, especially those containing confidential data, is important. Many networks also have some system for centralized storage of usernames and passwords, determining who is allowed on the network and who is not.


Dialup or Remote Employees. Many businesses provide some way for employees to connect to the business network from home or while on the road. Sometimes this is a convenience for telecommuters, and sometimes it is a necessity for travelling sales staff or for on-call technical staff who need to troubleshoot problems remotely. Sometimes this is dialup, Virtual Private Network (VPN), or products like GotoMyPC™12. Sometimes it happens without the company's knowledge. At several large organizations where I have contracted, the IT staff found and removed illicit dialup connections on a regular basis. GotoMyPC creeps into companies under the radar.

Remote connection can be a productivity boost, but it also presents problems because it allows a potentially compromised employee PC to connect to the inside of your network and spread viruses, not to mention that a virus-infected PC will probably report the employee's password to its controller.

Sneakernet. Toting disks back and forth, often affectionately called sneakernet, is another way for data to get out of your business and for viruses to get in. Unfortunately, employees will often resort to it if remote connections (e.g. dialup) are not allowed or other security restrictions are too tight. Disks, USB drives, and whatnot are easily misplaced or stolen. USB drives with built-in encryption can reduce the danger of lost or stolen devices.

Wireless Access Points. Wireless networking, Wi-Fi™ or Airport™ networks, are a very convenient way to link computers and peripherals like printers. No wiring has to be run and devices can be freely moved around, which is especially convenient for laptops. On the other side, wireless traffic can be snooped on and wireless networks can be broken into more easily than getting through a firewall, so caution is in order [Lemos-2007b]. For laptops with wireless support (or bluetooth®, a similar technology for connecting keyboards, phones, and so forth) your computer can be hijacked when you are in a public place, such as a cafe or hotel lounge, unless you protect yourself.

WEP, the encryption used in first-generation wireless networking equipment, has been cracked and is essentially useless. You should (and may be required to) either upgrade old equipment to something that supports WPA or WPA2, or rearrange your network so that it does not depend on the security of the encryption (see the section called “Disappearing Boundaries”) [TewsEtAl-2007, PciSsc-2006 § 4.1.1].

As mentioned above, some networks may be much simpler than this, especially for SOHO workers, telecommuters, or satellite offices. Figure 2, “SOHO Network Layout” shows a different setup, much closer to what my own home office looks like.

Page 35: Data Security For the Business Owner

Business Data Security

35

Figure 2. SOHO Network Layout

Internet, Internet Clients, and Internet Servers have not changed from the previous example. The changes are explained below.

SOHO Network Components

Wireless Access Point. A combined wireless access point, firewall, and print server, such as the Apple Airport Base Station, or any number of products from Linksys™, D-Link™, etc. Many of these have one or more wired network ports as well as the wireless capability. Shown here, the printer would be connected to a USB port on the access point, the main PC and Internet service by network cables. Remember to change the default administration password as soon as you get your device.

Hosting Provider. In this example, there is no DMZ, and no services are provided by the local network. Instead, there is a web hosting provider who provides email, domain registration, and a web site. In all likelihood, there are many businesses with web sites and email all running on the same remote server (“shared hosting” as opposed to “dedicated hosting”, which is more reliable and secure but much more expensive). The web site may be an e-commerce site or it may just be informational, with the business doing its sales directly, through eBay, an online contract brokerage, or some other venue. This network may also have a dial-in or VPN connection to a larger corporate network, or perhaps several for an independent contractor.

Office PC. This is the main PC of the office. It is the newest and fastest computer and has a good deal of storage. Files are shared to the network, and a CD/DVD burner is used for backups.

Wireless PC. One or more PCs, some of which may be laptops, connect to the network wirelessly. Wireless technology is becoming a popular choice in homes and especially rented space, where it avoids unsightly cables or punching through drywall to connect computers. Maybe you have an older PC in a back room. Maybe your spouse does the books on the bedroom PC. Perhaps you sit at the table and work with your laptop. The wireless computers use the shared storage from the main PC and the printer shared from the wireless access point.

One problem we are all guilty of in home office situations is that one or more machines may be used for both home and business purposes. You or your family members may play games, store music and photos, watch movies, do school work, or just keep up with email on the same computer. This type of mixing endangers business data; you are likely to visit more sites, come into contact with more programs, and have lowered defences when working with personal things, and a security problem can compromise your business too. Sometimes, we do not have enough spare cash or space to separate everything out properly. There are, however, some things that can make it safer.

If you do not have space for another real computer, get a virtual one. Products like VMWare™13 or Virtual PC™14 let you run another copy of your OS on top of your real computer, like a computer in a window. This can let you separate one world from another and keep security problems on one side from endangering everything else. Failing that, create separate accounts (user names) for everyone who uses the computer and, preferably, a separate account for business work. This makes it harder, for instance, for a security problem in your web browser while checking out the latest NBA stats to scoop up your latest sales report. Lastly, encrypt your business data. I will talk about this in the section called “Protecting Documents”.

A shared hosting site can be a security risk. Because your hosting provider uses the same server to handle more than one client's email and web site (often several hundred on one computer), a security problem with one client can spill over and affect others. It also means that a simple hard drive failure will take hundreds of sites down at one go. Do not store confidential data on your web host longer than you need to and back your web site up frequently. Encrypting confidential email is probably a good bet as well. Take care when accessing your web host: always make sure that SSL encryption is working in your browser and if you use FTP to move files back and forth, ask your service provider how to use a secure connection like SSH (Putty15 is a common Windows program).

(20070429 emv) FIXME: Put reference here to later discussion on change control.

The Network Perimeter

The Front Gate - Firewalls and Routers

The firewall is your first line of defense. It is set up to only allow certain traffic in or out. In most office environments, no one in the outside world should be allowed to contact your desktop machines (a "deny-all" firewall). Any attempts to connect to them are turned away. Business systems that have to interact with the outside world like a web or mail server (assuming you host your own) need special rules and are placed in a special area called a DMZ. The DMZ is a dangerous space in between your network and the hostile outside world.

Your desktop machines are allowed to contact outside services, such as websites or email, but they must also get information back. When you open a web page, your browser sends a request to the web site. This establishes a connection between your computer and the web server. When your firewall receives the request from your computer, it passes it on to the web server, but first, it writes it down in a table. The web server receives the request, looks up the correct page and sends back a response. When the response comes back, the firewall checks to see if there is a valid connection between your computer and the web site. Only data which was actually requested is allowed to come back through. Once the request comes back, the connection is broken16.

Firewalls are often configured to let any connection out and all requested data back in. There are many reasons, however, to restrict outgoing traffic to just what your employees really need to do their work.

13 http://www.vmware.com/
14 http://www.microsoft.com/windows/virtualpc/
15 http://www.chiark.greenend.org.uk/~sgtatham/putty/
16 This is called “stateful packet inspection” and, although this is the way that firewalls should be set up, consumer hardware may not be capable of it or may need custom settings to do it properly.

Network services like web and email are associated with numbered ports. Ports are just what they sound like: a hole in a particular spot to let things pass in and out. Every time data goes through your firewall in either direction, you poke a small hole through your defenses, like opening the gate in a castle. It is always possible that the soldier coming in could be an intruder in a stolen uniform or that the person going out is an escaped prisoner. Some services, particularly those using a protocol called UDP, make it particularly hard to sort out what incoming data was really requested and what was not. By limiting the number of openings, telling the firewall which ports can be opened and which are nailed shut, you limit your exposure.

Another reason to limit outgoing data is a component of a defense in depth. Once an intruder gets into your network, they will need to get data back out unnoticed. Malware will often try to send bulk mail. By limiting your employees to sending email through your own mail system, you stop these programs from functioning. The remote control software which makes zombies work uses something called Internet Relay Chat (IRC). Denying the use of IRC prevents zombies from phoning home. By limiting an attacker's options you make their jobs harder and their failed attempts may be noticed.
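As an added illustration (not code from this article or from any firewall product), here is a toy model in Python of the two ideas just described: the table that lets only requested replies back in, and an egress policy that allows web and DNS out, mail only through the company's own mail server, and nails IRC shut. The LAN prefix, the mail server address and every packet in the scenario are constructed for the example.

```python
"""Toy stateful firewall with an egress policy.

Constructed illustration (not code from the article or any product): a
deny-all inbound firewall that writes each outbound connection into a state
table, lets only the matching replies back in, and restricts outbound traffic
to what employees need.  Addresses, ports and the LAN prefix are made up.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."          # assumed office LAN prefix (inside the firewall)
MAIL_SERVER = "192.0.2.25"      # assumed company mail server, outside the LAN

# Egress policy: (protocol, destination port, required destination or None for any)
EGRESS_ALLOW = [
    ("tcp", 80, None),          # web
    ("tcp", 443, None),         # web over SSL
    ("udp", 53, None),          # DNS lookups
    ("tcp", 25, MAIL_SERVER),   # mail, but only through our own mail server
]
EGRESS_DENY_PORTS = {6667}      # IRC: nailed shut so zombies cannot phone home


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False           # True when a TCP connection is being torn down


class StatefulFirewall:
    def __init__(self):
        # State table of (proto, inside host, inside port, outside host, outside port).
        # A real firewall also expires entries on a timer (needed for UDP, which
        # has no FIN); that is left out of this toy.
        self.table = set()
        self.log = []

    @staticmethod
    def _inside(addr):
        return addr.startswith(INSIDE_NET)

    def _egress_allowed(self, pkt):
        if pkt.dport in EGRESS_DENY_PORTS:
            return False
        return any(pkt.proto == proto and pkt.dport == port and dest in (None, pkt.dst)
                   for proto, port, dest in EGRESS_ALLOW)

    def handle(self, pkt):
        """Decide one packet ('ALLOW' or 'DROP') and update the state table."""
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:                       # existing connection
                if pkt.fin:
                    self.table.discard(key)
                return "ALLOW"
            if not self._egress_allowed(pkt):           # new connection: check policy
                self.log.append(f"egress denied {pkt.src}:{pkt.sport} -> "
                                f"{pkt.dst}:{pkt.dport}/{pkt.proto}")
                return "DROP"
            self.table.add(key)                         # write it down in the table
            return "ALLOW"
        if self._inside(pkt.dst) and not self._inside(pkt.src):
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:                       # a reply we actually asked for
                if pkt.fin:
                    self.table.discard(key)
                return "ALLOW"
            self.log.append(f"unsolicited inbound {pkt.src}:{pkt.sport} -> "
                            f"{pkt.dst}:{pkt.dport}")
            return "DROP"                               # deny-all for everything else
        return "DROP"                                   # other directions not modelled


def demo():
    """Run a constructed packet sequence through the firewall."""
    fw = StatefulFirewall()
    pc, web, stranger = "10.0.0.7", "203.0.113.10", "198.51.100.9"
    scenario = [
        Packet("tcp", pc, 50000, web, 80),              # employee opens a web page
        Packet("tcp", web, 80, pc, 50000),              # the page comes back
        Packet("tcp", web, 80, pc, 50001),              # data nobody requested
        Packet("tcp", stranger, 4444, pc, 3389),        # outsider knocks on a desktop
        Packet("tcp", pc, 50002, stranger, 25),         # malware mailing out directly
        Packet("tcp", pc, 50003, MAIL_SERVER, 25),      # mail through our own server
        Packet("tcp", pc, 50004, stranger, 6667),       # zombie phoning home over IRC
        Packet("udp", pc, 50005, stranger, 53),         # DNS lookup, allowed out
        Packet("tcp", web, 80, pc, 50000, fin=True),    # web connection closes
        Packet("tcp", web, 80, pc, 50000),              # late packet after the close
    ]
    return [fw.handle(p) for p in scenario], fw.log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    print("\n".join(log))
```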

A balance must be struck between protecting your network and allowing your employees to use convenient tools. I have often used tools to send email to my pager to notify me of problems or tell me when long jobs completed. Blocking outgoing email (without providing an alternative) would have interfered with my (atypical) duties. Finding the correct balance is often a process of trial and error.

The Back Door - Employees On the Go

The firewall works great when employees work at the office behind its protection. It can be a severe nuisance when an employee is working at home or on travel and needs to access email and business files. A number of solutions exist for allowing employees access to the inside of the network from another location, including dial-up, Virtual Private Network (VPN), and products like GotoMyPC™. These technologies have varying levels of protection, some of which can be quite good, but they all open holes in your network which might be exploited by bad guys and they all let an unprotected and possibly infected computer connect to the inside of your network. Sometimes this kind of connection cannot be avoided, such as when an employee needs remote access to a mainframe, factory automation system, system administration, or custom network services that cannot be done any other way. Remote access should never be granted without some thought, however, and other means to access documents and email should be considered as well.

Instead of letting employees in, it is also possible to move the data out: to a server in your DMZ, or further, to a vendor's server. Email is easily solved with webmail systems or with a technology called IMAP, which, unlike traditional POP accounts, leaves all email, including user-created folders, on the server to be accessed from anywhere. Remote email can and should be secured using SSL, the same technology which protects online shopping sites; otherwise, it is trivial for others to snoop. Documents can be stored using Content Management Systems (CMS) which allow employees to upload, download, edit, and share documents. A new service called Google Apps™17 even provides web-based office tools so that remote employees do not need office applications.

Of course, nothing comes without trade-offs. By moving data out, you remove the protection of your firewall and expose it to attack. If you use a vendor's service to store documents, you are completely dependent on them for security, backup, and so forth. A reputable vendor with a good track record, however, may have the resources and expertise to do a better job at security than you can. Make certain you can get your documents back and move them to another vendor if you need to.

Another advantage to moving shared data out is that you can separate your data into sensitive and non-sensitive. Most of your day to day business documents would probably do you less harm if lost or stolen. Many real-estate companies these days publish their current listings on the web, so there is hardly a reason to protect the databases sent to agents in the field. Some documents, on the other hand, would be hard to replace and would be of great interest to others. Perhaps they contain proposals, business plans, legal advice, research data, etc. Perhaps you handle confidential data such as medical information or trade secrets for someone else. Whatever it is, your sensitive documents deserve an extra level of protection. You can achieve this by moving your non-sensitive data to an outside accessible system and leaving your sensitive data inside the firewall. If, for some reason, someone needs a copy of an important document, you can make it accessible just once, then remove it immediately.

17 http://www.google.com/a/

Tip

All your security is worthless if you let the data walk out the door.

Which leads me to another point about employees working from home: If you handle sensitive data for someone else, don't let them do it. Period. The news is full of stories (e.g. [Lazarus-2006]) of laptops or CDs being stolen from work-at-home employees with thousands or even hundreds of thousands of confidential records. This is in the news now, but it is not a new problem. If you must transfer confidential data, encrypt it. There are a number of tools for protecting data on stolen computers or for encrypting portable drives, but they are not perfect, so it is best that they not be stolen.

Controlling Web Sites

Another decision often made at the firewall level is whether to block particular web sites. This is often done to enforce company policies on inappropriate use of the Internet, such as preventing employees from viewing or searching for obscene pictures. Another purpose can be to block sites which have been listed as illegitimate or dangerous in online databases. Blocking inappropriate web use can sometimes have a dramatic effect on reducing network bandwidth use.

Data archiving policies may also lead you to block external email services like Hotmail and Gmail in order to prevent employees from using personal email for business communications. If an employee discusses a financial transaction or a personnel problem using a personal email service, for instance, you may not be able to provide that email in response to a subpoena. In addition, use of personal email for a business communication can bypass any security measures you have in place to protect business email.

Personal email use at work has both advantages and disadvantages; while being a potential distraction, it may be less of a distraction to others than use of an office phone for personal business. Additionally, forcing employees to always use official email may create confusion as to when an employee is communicating officially and when they are not; an employee would not use company letterhead to send a letter to their child's school, and they should not use a company email address for that purpose either. In many cases, I have seen companies deal with this by having the employee place a clear disclaimer in an email that they are speaking in a personal capacity. In the end, which approach you take may not matter as much as having a clear policy which is consistently enforced. The recent argument over emails in the Department of Justice attorney firing scandal indicates that White House policy on email use is neither clear nor consistent and it has gotten them in trouble regardless of underlying issues [Rasch-2007].

Web site blocking can stop casual viewers but has limitations. New sites are added all the time, so no blocking list can ever be complete. Innocent sites often end up in blocking lists by mistake. Certain users often have particular needs to access specific blocked sites; your HR employees and your nursing staff are probably looking for very different things when they search for "breast". There are several web services which help users bypass web blockers, which must themselves be blocked. It must be understood that maintaining the block list will be an ongoing task, but the mere attempt may be enough to establish a consistent policy for purposes of disciplining employees who deliberately violate it.

No Trespassing

Just like "No Trespassing" or "Authorized Personnel Only" signs in and around your business property, public and private computer resources should also be identified. Prominent warnings should be placed on private computing resources, such as internal web sites and computer login screens. Confidential or restricted access materials should be clearly identified. These warnings should refer to company policies on appropriate computer use and are also great places to put important announcements. By making these notices prominent, the ignorance defense becomes untenable.

Disappearing Boundaries

Due to the increasing interconnectedness of our online business dealings, the boundaries of the corporate network are nowhere near as clear as they used to be. Telecommuters connecting from home or the road, wireless access, contractor laptops, PDAs, offsite service personnel, and so forth, mean that a business network may have almost as many doors as walls. Any of these doors can be a potential entry point for an intruder or an infection, or a potential way for confidential documents to leave.

A hostile computer on a local network can do much damage. First of all, it can snoop on any unencrypted communications, even capturing passwords to network services. Secondly, it can play a very old trick called a man-in-the-middle attack by pretending to be a trusted server and stealing confidential data even from encrypted connections. This is related to phishing and is a technique commonly used by phishers when users are expecting to connect to secure sites. Most people are familiar with the idea of providing a username and password to identify themselves to a service, such as a website or email provider. Prior to the recent phishing scams, few people had given thought to making sure the service provider is who they claim to be. We will see more applications supporting this kind of validation and making failures more obvious to users as time goes on, but users must also learn to be suspicious about who they are giving their information to.

As these changes occur, there are different opinions on how to best adjust the network and keep it safe. In the end, much of it will depend on the needs of the business. Some of the solutions entail moving non-sensitive data out of the firewall (discussed in the section called “The Back Door - Employees On the Go”), moving untrusted connections (e.g. wireless) and computers (contractors) out of the firewall or to a special part of the network, and beefing up the defenses of all the individual PCs and servers (trust-nothing systems). This problem and its solutions are well discussed in the Information Security Forum's report, The Disappearance of the Network Boundary ([Isf-2005b]).

In essence, by moving wireless connections or untrusted computers outside the firewall or to a special restricted zone inside the network, you can limit these PCs to accessing specific services and specific, more secure, applications. As an example, you can force laptops using outdated wireless cards and faulty encryption (WEP) to use only services which use their own encryption by simply denying them access to anything else. Contractors can be allowed to connect to only those services which allow them to perform their specific tasks, browse allowed websites, check their email and nothing more. Viruses they may carry in stay on their own PCs.

Setups like this can be created using an additional hardware firewall used to connect your untrusted network to your main business systems. Newer firewall equipment can create multiple network zones with different restrictions and the same effect can be had with a UNIX/Linux/BSD system, multiple network cards, and customized firewall settings (not for the faint of heart). Eventually, tools to do this will be commonplace.

In all cases, the changes in network boundaries force us to beef up local defenses and more seriously consider a defense in depth, including encryption of all network traffic, even locally.

Employee PCs - The IT Battleground

Installing Programs

Inside the network, there are, of course, employee computers. Depending on what type of business you have and how big it is, you may also have file servers, network printers, point-of-sale terminals, automated paint mixers, and what have you. Because there is such an unbelievable variety of networks, we have no choice but to gloss over much of the detail.

The employee's computer or "workstation" has been a source of contention since the first days of its existence. The very term, which should perhaps be "employer's computer", typifies the conflict. Employees always want more; employers are (or should be) trying to rein in abuses and hold on to their tenuous control.

The problem is that today's personal computers, which are primarily Windows systems, make it very easy for the user to move around not only data, but also programs which change the way the system works. These programs have complete control over the computer, and if they contain malware, such as a virus, they can spread like wildfire. Nowadays, even documents, such as email or spreadsheets, can contain programs ("macros") which can infect a system. Application security settings will block some of these attacks, but when security gets in the way of what a user wants to do, they will happily disable it. It is common for programs or websites to instruct users to disable security settings in order to get a feature to work. Because technology has changed so quickly, most computer users simply have no way of knowing what actions are safe and what are not. When they are risking their own PC at home, it is one matter. When their actions can disrupt a corporate network, it is another.

Another issue is with corporate help desks. The more the employee changes the computer, the less they will be able to get help. The help desk support or local IT person simply has no way of understanding how the system has been changed, what may be causing the problem, and how to undo it. Applications on Windows very often interfere with each other. In a large company I worked with, it would take months of testing for them to add applications to their PC desktops in order to sort out problems with all of their other required applications.

Besides exposing a PC to malware, employees who install programs can open a company up to licensing issues and liability. A program you bought one copy of for a special task may spread around the network. Users may bring in software they use at home and install it on a company PC. Users may download and install pirated software. A surprise BSA audit can lead to substantial fines.

UNIX™, a traditional business operating system, and PC systems derived from it, like Linux™ and Mac OS X™, have a decades-old and well tested multi-level security which allows an administrator to set up the computer and restrict what a user can do with it. Microsoft introduced a similar system with Windows NT™ and its security has been improving in recent years. In fact, Windows Group Policy, setting permissions for groups of users on a network and enforcing them on individual PCs, is a powerful tool in large companies. Even when the same person owns and uses the computer, setting up a separate administrator and user account limits the amount of damage that a virus can do.

An alternative or addition to locking down systems is the use of virtual machines or imaging software which can quickly restore the state of the system to some earlier point. When a user makes a change and the system stops working, the system is reset and the change is wiped out. This can be especially useful when the employee has a legitimate need for more freedom (such as testing out new software). The downside is that, if they do not carefully back up their documents, they will be lost on every reset. This works particularly well in lab settings where users have network home directories; all of their files are saved elsewhere and the workstations themselves are expendable.

As with many security issues, you must strike a balance between protecting your network and letting employees customize their tools. Different people work and organize in different ways, and sometimes using a different tool can make large productivity gains for particular people, especially if they are building on prior experience. Having a selection of approved options and knowing when to make exceptions can go a long way.

Security Fixes

It seems that there is a constant stream of security holes and bug fixes which need to be downloaded and applied. Not installing patches in a timely manner exposes your systems to unwarranted risk, and most systems (Windows™, Linux™, Macintosh™, etc.) have automated systems for downloading new updates. Many serious virus outbreaks attack systems which should have been patched.

On the other side, new patches sometimes break things, especially if you have a complicated software setup. Large companies generally solve this problem by having a test machine which is updated first. If the test machine works, the rest of the PCs can be updated. Regular backups make it easier to undo a bad update as well.

A very common but largely unreported problem with small business and home users is how to safely set up a new PC. I recently helped to set up a new machine which came with Windows XP Service Pack 2 (released in 2004). There have been hundreds of security patches for Windows XP since that time. A new PC connected to the Internet without those updates can be broken into within minutes, much less time than it takes to download all of the new software required to protect it. Microsoft provides tools for large companies to centrally manage updates without connecting to the Internet, but small businesses are out of luck. Apple allows you to download all of their latest patches on one computer, put them on a disk and move them to the new computer without connecting the new computer to the network. With Windows, I had to use an obscure third-party tool18 to accomplish this.

Virus and Spyware Detection

For Windows PCs, anti-virus and spyware protection programs are simply required. They are primarily designed to find malicious programs once they are on your system, but some also catch incoming viruses in emails and downloads before they can do damage. Once a virus is on your computer, these tools provide options to try to remove it. Unfortunately, the only completely safe method of removing an infection is to reinstall the system, and it is a good idea to keep good backups of your documents.

For non-Windows systems, like Macintosh and Linux, viruses do not exist and spyware is rare. This is partly due to lower market share making them less valuable targets and partly due to security conscious design making them more difficult targets, but there is no reason why malware may not become a problem in the future. I run anti-virus software on my Macintosh computer primarily to keep from sending viruses to Windows users by accident.

Malware detectors are useless without constant updates. They can only detect problem programs once a security researcher detects them "in the wild" and adds them to a list. There are a number of products out there, a couple of which are completely free and of good quality.

Software Firewalls

Controlling the changes a user can make to the computer is one way of limiting the spread of infections or security violations. Another is to try to prevent infections from getting off the computer. Individual PCs can run their own firewall, called a software firewall. Like a hardware firewall, a software firewall limits what traffic can get in and out and adds an additional layer of protection. Software firewalls slow down the spread of viruses inside your network, make it harder for attackers who have compromised one computer to attack another, and make it more difficult for spyware to phone home. If a PC is badly compromised, an attacker will simply turn the firewall off, so the protection is not absolute.

Windows PCs since XP™ Service Pack 2, Macintosh computers with OS X, and any recent Linux or UNIX systems all come with software firewalls. There are commercial packages for Windows XP which replace the substandard built-in firewall. Businesses with Macintosh systems will likely want to spend some effort customizing its firewall, which is very powerful but not set up well out of the box.

Passwords, Biometrics, and Keychains

Password management has always been a difficult problem for non-technical users and even for many technical users. A good password is difficult to guess and easy to remember. These do not go well together. Computer users should not use the same passwords for different purposes, should change them frequently, and should not have a new password be based on an old password (e.g. oldpassword2). Oh, and passwords should not be written down. If an employee actually tries to follow this advice, they will quickly have a dozen or more cryptic passwords for different accounts and, unless they have a photographic memory, will be calling their local IT person to have a password reset on a daily basis.

18 http://www.autopatcher.com/

Memorable Passwords

One simple technique for creating easy to remember yet difficult to guess passwords is one I have used for years. Take a quote or phrase:

When the wind is southerly I know a hawk from a handsaw.—William Shakespeare

Take its initials, including proper capitalization and punctuation: WtwisIkahfah. It looks like gobbledygook, would never be cracked by an automated password guesser (dictionary attack), and is still memorable. After a few times, typing it becomes automatic.

Playing with numbers and punctuation a little makes the technique even better: “To be or not to be, that is the question.” could become: 2bon2btit? Use a phrase you will remember, but not one that someone would obviously associate with you, like a motto or favorite saying. If chosen well, you can even provide a reminder hint in programs which allow it so you can remember what quote you chose. For instance, "mad" might be a good reminder for the first quote if you know Shakespeare (the preceding line is “I am mad but north north-west.”).
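As an added example (not the author's code), here is the initials technique in Python, with the number-word swap done mechanically and the result checked against a small constructed wordlist standing in for the first guesses of a dictionary attack. The function names, the number-word table and the wordlist are mine.

```python
"""Passphrase-initials passwords, as the sidebar describes.

Added example (not the author's code): build a password from the initial
letters of a memorable phrase, optionally swapping number-words for digits,
then check it against a small constructed wordlist standing in for the
guesses a dictionary attack tries first.
"""
import re

# Words a digit can stand in for; "To be or not to be" becomes "2bon2b".
NUMBER_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
                "one": "1", "won": "1", "ate": "8", "eight": "8"}
# Leading quote marks, the word itself, then any trailing punctuation.
TOKEN = re.compile(r"\W*(\w[\w']*)(\W*)$")


def initials(phrase, digits=False, keep_punctuation=False):
    """First character of each word, case preserved (so 'I' stays 'I').

    digits=True turns number-words into digits; keep_punctuation=True carries
    over punctuation attached to a word.  The sidebar's second example does
    the tuning by hand and ends up with '2bon2btit?'; the mechanical version
    here gives '2bon2b,titq.' for the same phrase.
    """
    out = []
    for token in phrase.split():
        m = TOKEN.match(token)
        if not m:
            continue                      # a bare dash or quote mark: skip it
        word, trail = m.groups()
        if digits and word.lower() in NUMBER_WORDS:
            out.append(NUMBER_WORDS[word.lower()])
        else:
            out.append(word[0])
        if keep_punctuation:
            out.extend(c for c in trail if c in ",.;:!?")
    return "".join(out)


# Constructed stand-in for a cracker's wordlist: common passwords plus words
# someone might associate with the phrase or its author.
WORDLIST = {"password", "letmein", "qwerty", "hamlet", "hawk", "handsaw",
            "shakespeare", "question"}


def looks_guessable(candidate, wordlist=WORDLIST, min_length=8):
    """True if a cheap dictionary attack would probably get it.

    Mimics the usual cracker tricks: ignore case, strip a trailing
    punctuation mark, strip digits tacked on the end (the 'oldpassword2'
    habit), then look the remaining base word up in the list.
    """
    base = candidate.lower().rstrip("!?.").rstrip("0123456789")
    return len(candidate) < min_length or base in wordlist


if __name__ == "__main__":
    for phrase in ("When the wind is southerly I know a hawk from a handsaw.",
                   "To be or not to be, that is the question."):
        pw = initials(phrase, digits=True, keep_punctuation=True)
        print(pw, "guessable" if looks_guessable(pw) else "not in wordlist")
```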

What more often happens is that a user has one password they use for everything, and, when forced to change it, they tack a new number on the end of it. If they need anything more complicated (their software forces them to have a complex password), they write the password down somewhere near the computer. This is an unworkable situation. As we discussed in "Guard Your Secrets", a lock is useless if the attacker can readily obtain or guess the key.

Some people propose biometric security to replace passwords. Biometrics means that the "password" is based on some unique characteristic of a person, such as a fingerprint, voice print, or a retinal pattern. The idea is that a biometric is unique, the user cannot forget it, and an attacker cannot easily steal it. It is an interesting idea, but most current plans are hopelessly optimistic.

The first problem is that a user can in fact lose a biometric or may not have one in the first place. I went to school with a girl who had no hands and thus, no fingerprints. A significant number of war veterans are now entering the work force who are missing limbs. ADA rules might expose a business to liability if they excluded a potential employee from access due to an inability to use the security system.

The second problem is that biometrics are not exact. Taking measurements is a messy business. They must be taken quickly, the employee is not exactly positioned each time, and the device has to take into account minor changes such as dirty hands, stress or illness affecting voice, or a dirty lens. The measurements must have a fair margin of error to ever let anyone in. On the other side, the security device has to detect and deny reproductions such as voice recordings, photographs of a retina, or a gel mockup of a finger. Generally what happens is the device denies legitimate employees on an irregular basis and allows attackers to bypass security. As reproductions get more sophisticated, fooling even devices designed to detect a heartbeat or capillary action, the problem becomes harder. Fingerprint scanners have gotten a lot of negative attention from security researchers, being susceptible to ballistics gel mockups, transparencies, and even food-grade gummy-gel fingers [MythBusters-2006, MatsumotoEtAl-2002], all of which are inexpensive and not obvious even when the security checkpoint is watched.

The third and most serious problem is that people leave copies of their biometrics everywhere they go and have no way of changing them once the bad guys get a copy. Bad guys can record voices, lift fingerprints, pick up traces of DNA, or position cameras to catch retinal or iris patterns. If you lose a credit card, you can cancel it and get a new account number. How do you change a fingerprint? Biometrics will not solve the password problem any time soon. One common security rule of thumb is that authentication uses two things: something you have (or are) and something you know, such as a username and a password, or a debit card and a PIN number. In that sense, perhaps biometrics are best used in place of the user name rather than the password.

One good solution to the many passwords problem is a keychain or password vault. In one of my companies, we had a computer lab. We had a number of locks, on server cabinets and media safes, that several people needed access to. Rather than give everyone copies and try to keep track of them, we bolted a locking cabinet to the wall, put the required keys inside, and gave each authorized employee a key to the cabinet. When they needed a specific key, they went to the key safe, signed out the key, and returned it when done.

The same general idea can be done with software. Web browsers generally allow you to store usernames and passwords for websites so you do not have to type them in. You must then only remember the password to your computer account or web browser and the website passwords can be quite cryptic or even random, such as "g6%0knpoi2", which an attacker will never guess. In theory, passwords for mail, shared folders, printers, and what have you can be stored in this way. The downside to this approach is that all of the passwords are in one place, and, if they can be stolen, the attacker has everything. The password storage used by Microsoft Internet Explorer and Outlook, for instance, can be raided by spyware. The Firefox web browser stores its own passwords, and if some options are turned on, is generally safe.

On the Macintosh system, there is a feature called the Keychain which stores usernames, passwords, and certificates for all applications. The passwords are protected by encryption and are unlocked by a single password. You can also store secure notes, to safely record account numbers or safe combinations, for instance. The biggest security features are first, that the keychain can be set to automatically lock itself in a variety of circumstances, and second, that access to passwords is restricted to the application that created them. If your Solitaire application starts asking for your email passwords, for instance, the Keychain will ask you for permission. This stops many types of spyware in its tracks. It looks like Microsoft is slowly moving in this direction and it may be the shape of things to come.

A last valuable tool is a smartcard or similar device. The employee carries a credit-card or USB-drive sized device which is attached to the computer when they log in. They must also generally type a PIN number. They cannot log in without the device and the device will not work without the PIN. Login is simpler and thieves must both steal the device and guess the number. Of course, some process has to be in place for dealing with employees who lose their smartcard, but an old card is easy to cancel and new cards are not expensive.

Protecting Documents

A PC is an easy target of attack from multiple directions. Spyware infections or remote break-ins can be used to slurp documents over the network. Employees commonly leave themselves logged in when they leave their work area, so someone who can physically access the machine can copy files and install spyware. An attacker might steal the hard drive or the entire computer, especially in the case of an employee's home office computer or a laptop. I have seen one case where an entire floor of an office building was cleaned out by thieves with a truck over a weekend. Since renovations had been going on that week, an extra truck and an extra work crew were simply not noticed. At several companies where I have contracted, laptops were often stolen during broad daylight by both employees and intruders.

Even without theft, data can be exposed under standard warranty replacement contracts. When a hard drive fails and is turned in for replacement, it may very well be repaired and resold as a refurbished drive, complete with your confidential data [Sullivan-2006]. Once the hard drive has failed, it is too late to delete critical information and hardware erasure methods will void your warranty. The only way to protect these documents is to encrypt them before the hardware fails. Hardware which is being sold can be erased before the sale. Broken hardware past its warranty can be dealt with easily by, for instance, drilling holes through the hard drive and its platters. This can be a great way to get out frustration.


Tip

Deleted files do not actually go away. They can be retrieved by a knowledgeable computer user.

When deleting confidential files, it is important to realize that nothing is actually erased. All that happens is that the space taken up by the file is marked as free for reuse. It may be minutes or months before the space is actually written over by a new document. In the meantime, there are a number of tools which can be used to recover the deleted data and hackers are familiar with them. Formatting disks works the same way; the table of contents is cleared but all of the actual data is left as it is. In order to safely destroy documents, they must be overwritten first and then deleted. A number of tools exist to do this, normally referred to as secure deletion, and they will overwrite a document multiple times with gibberish to make them very difficult to recover.

The best way to protect an important document is to encrypt it. Encryption is a complex subject, but, in short, encrypting a document scrambles it using a code and only someone who knows the code can make sense of it. Typically, you supply a password when encrypting and use the same password to get your document back. Different encryption tools have different strengths. Like physical locks, there are tradeoffs between complexity (how long it takes to encrypt/decrypt your data) and how much effort the attacker has to go through to break the encryption. Breaking encryption usually involves large amounts of computer processing, and, because computers get cheaper with time, it makes sense to use encryption which is stronger than you need today to make sure it cannot be broken tomorrow. Generally, the "proprietary" encryption built into many applications (e.g. MS Word, PK-Zip) is rather weak; someone can decode the document quickly even without your password. As with deadbolts, there are published standards for good encryption, such as IDEA or AES-256, which are well tested.

Data Hygiene: Cleaning Previously Deleted Files

When you are moving to an encrypted file solution, whether it involves encrypting individual files or whole folders, you need to securely delete any old copies on your hard drive. This includes any old copies of confidential data you may have already insecurely deleted and which thieves can readily access. How do you get rid of those? There are two decent solutions, neither of which is very complicated.

The first involves wiping the entire drive with a security tool, reinstalling, and copying the files (now encrypted) back. This is essentially the nuclear bomb solution which is crude and extraordinarily effective at removing any leftover traces of just about anything, but may be too disruptive, especially if you have a few machines to change over and people needing to get work done in the meantime. You might still apply this solution whenever the machines are reinstalled in the normal course of maintenance.

The second solution is not quite as effective, but is simple and a bit less destructive. Essentially, you want to force the system to overwrite any free space on the drive, erasing leftover data. Just create a really big file, filling most of the drive, and securely delete it. On PCs, there are tools to do this for you: CIPHER.EXE on Windows XP and Windows Server OSes, and the Disk Utility on OS X ("Erase Free Space"). This technique does not necessarily wipe out old file names and so forth (if you use names and social security numbers or some other sensitive data in your file names) and has mixed results on Linux/UNIX systems [GarfinkleMalan-2006].

For the truly paranoid (or the truly bound by litigious clients) this second technique can even be used periodically as part of a data-hygiene policy.
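The overwrite-then-delete routine described under the tip above, and the "big filler file" free-space wipe of the second solution, as an added example in Python; this is not one of the tools the text names, and the file name, sample content and directory are constructed for the demonstration.

```python
import errno
import os
import secrets
import tempfile


def secure_delete(path: str, passes: int = 3, chunk_size: int = 1 << 20) -> int:
    """Overwrite the file at `path` with random bytes `passes` times, then unlink it.

    Returns the number of bytes overwritten per pass (the file's size).
    This is the "overwrite first, then delete" routine the text describes and it
    defeats ordinary undelete tools on a plain magnetic disk. It does NOT reliably
    scrub journaling or copy-on-write file systems, SSDs with wear levelling,
    snapshots or backups: those keep the old blocks where the overwrite never
    reaches, which is why the text recommends encrypting before the fact.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))  # the "gibberish" of the text
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the disk before the next one
    # Rename to a random name before unlinking so the original, possibly
    # sensitive, file name is less likely to survive in the directory.
    anonymous = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return size


def wipe_free_space(directory: str, chunk_size: int = 1 << 20) -> int:
    """The text's second technique: grow a filler file until the volume holding
    `directory` is full, so every free block is overwritten once, then securely
    delete the filler. Returns the filler's final size. Not run by demo(): it
    really does fill the disk for the duration of the call.
    """
    filler = os.path.join(directory, "." + secrets.token_hex(8))
    with open(filler, "wb", buffering=0) as fh:  # unbuffered: ENOSPC surfaces here
        try:
            while True:
                fh.write(secrets.token_bytes(chunk_size))
        except OSError as exc:
            if exc.errno != errno.ENOSPC:
                raise
    return secure_delete(filler, passes=1)


def demo() -> dict:
    """Constructed run: write a fake confidential file, wipe it, report what is left."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "payroll.txt")
    with open(path, "wb") as fh:
        fh.write(b"SSN 000-00-0000 " * 1000)  # constructed sample, 16000 bytes
    size = secure_delete(path)
    result = {
        "bytes_overwritten": size,
        "file_remains": os.path.exists(path),
        "leftover_entries": os.listdir(workdir),
    }
    os.rmdir(workdir)
    return result
```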

Encrypting individual files is difficult enough that it may lead to unsafe practices if it is your only solution. First, it is inconvenient to have to encrypt/decrypt individual documents. Second, you need to worry about cleaning up readable (called cleartext) copies you or your office program may make while working on them. A safer and more convenient method is to encrypt whole folders or whole drives. Tools will decrypt the files automatically as you use them. You can use a single password, or some tools let you store a key on a removable device you can lock up at night. You can work on multiple files at once and cleanup is easier. Different products accomplish this in different ways with somewhat different security, convenience, and performance tradeoffs.

OK, if you have all of your important documents encrypted, what happens when one of your employees is run over by a bus? How do you access all of their encrypted documents? The low-tech solution is one I have employed many times. When working on a client's systems, I would simply print out the top level passwords for a system (the root password) and have them put the paper in a safe. If I left their service or was otherwise unavailable, they had access to their systems. The root password could be used to reset any of my other passwords even if they did not know them. It is also simple to store the password to a password file or keychain in this manner.

This works well for managing a few critical passwords that only change on a scheduled basis, but is more difficult when more users are involved and they are encouraged to change their passwords frequently. Enter something called key escrow. Key escrow is a process where multiple passwords can be used to access the same data. Typically, an employee would have one password they used for their encrypted folder and an administrator would have a master password which could access the folders of all employees. Tools which implement key escrow, such as Windows XP's Encrypted File System or the Macintosh encrypted home folders, are becoming common. The downside, of course, is you again have a single password which can do great damage in the hands of an attacker.

One last consideration is data hygiene. There are a number of places that your confidential data may end up by accident which need to be cleaned up from time to time, such as your web browser's cache files, your operating system's virtual memory, and free space on your hard drive. Web browsers have options to clear private data, which can be used every so often, or the browser's files can be placed in an encrypted folder. Virtual memory (also called paging or swap) is an operating system feature where the hard drive is used to keep the system running when you run out of real memory. Applications and data that are not being used are moved to the slow disk drive to clear space in the fast system memory for applications that need it. In the process, confidential data such as passwords and sensitive documents you are editing may get saved on the disk where attackers can find it. Operating systems can be set up to encrypt virtual memory (configurable on Windows Vista, Apple's OS X, Linux; 3rd party tools on XP). Clearing hard drive free space is discussed in Data Hygiene: Cleaning Previously Deleted Files.

Backing Up Documents

For the most part, backup and recovery is not a security concern per se and is a complex subject in its own right. We will touch on some security specific issues here.

Backing up documents is important to protect yourself against attackers who may want to destroy data instead of or in addition to copying it. Many attackers will not draw attention to themselves by destroying data on any large scale, but tampering with data, particularly financial records or log files, is a serious issue. Regular backups will allow you to compare copies of records and detect discrepancies. In the case of log files, they contain valuable forensic evidence that will help you and the authorities in investigating a crime. Any attacker gaining access to a system will attempt to alter or destroy them. It is critical that logs be written to a remote location, which is a feature in many software or hardware tools.

Mirroring or high availability systems (RAID) which make copies of data across several disk drives are not backup systems for purposes of security. Mirrored hard drives are clones of each other; if an important document is deleted or modified on one drive, it will immediately be deleted or modified on the other, leaving no one the wiser. A backup system must take snapshots of files at a particular point in time so that documents can be restored to some previous state when they are needed.

Backing up encrypted files can be tricky. You either need to store passwords with the backups (since they change over time) or store the data unencrypted. In either case, the backups must be physically secure or a thief will simply steal them instead of the computer. I have seen many cases where companies store backup tapes unlocked right on top of the system being backed up. Not only does this make a thief's job easy, it guarantees that a fire which destroys the computer destroys the backup as well [19]. Small, fire-resistant media safes are convenient and inexpensive protection for small businesses.

Storing data unencrypted prevents problems when the passwords get separated from the data or if the tool you used to encrypt them is no longer used. PCI/DSS requires that backups containing customer account information (the PAN, or Primary Account Number, specifically) be encrypted [PciSsc-2006 § 3.4]. In this case, you will want to deliberately store the data and passwords in separate, secure, locations. Media safes and secure offsite storage may be good options for protecting your media and both can protect from fire, accident, and other losses.

Tip

Test your backups or they might not be there when you need them.

Oh, and test your backups occasionally. An administrator at a Canadian agency recently wiped out an accounting system with $38 billion in accounts by accident and then found out that the backup tapes were unreadable [Maxcer-2007]. I'll bet he's looking for work.

Network Services - Sharing and Editing Files

Between the PC and the firewall, there may be a wide range of network services, but mostly they come down to ways to collaborate: sharing and editing files, which is where we will focus our attention.

Network Authentication

When you get past the smallest of networks and the individual PC, there has to be some way to know whether someone belongs on the network at all. At home, I have two computers which are used by the same people. I just create the same accounts on both computers with the same passwords. Sharing files is not hard. The computer in the living room allows anyone to connect that is on the inside network and can provide the proper username and password. Someone would be hard pressed to plug a new computer in without my knowing.

This setup quickly becomes unworkable as the number of PCs grows. Keeping passwords and accounts up to date across more than a handful of computers is a pain. Forgetting to remove people who should no longer have access is dangerous. This is generally solved by some sort of network authentication system which keeps track of the accounts and passwords, allowing one change to affect everything which needs changing. When someone sits down at a PC, the PC checks with the network system to see if the person is allowed access. The same thing happens when someone tries to access a shared file. It is also possible to find out when someone plugs an unauthorized computer (e.g. a laptop) into the network. There are a number of different ways to do this and secure it.

Regardless of your setup, an important thing to note is you need to have a defined policy for departing employees. Just as many companies have an exit checklist to make sure employees have turned over required paperwork, files, and keys when they leave, you should have a checklist making sure that all of their accounts, passwords, and access rights have been terminated, and that their electronic documents have been transferred for someone else to sort through and file. It is a simple thing which can save much potential grief.

Systems appearing on the network can be handled a number of ways. Network services can be set up to only communicate with known PCs. This can be done by several methods and trades some complexity for added security. Unknown computers can be quarantined, restricted, or simply treated as guests, able to access web sites and email for the benefit of contractors or other visitors with laptops.

[19] I was once bitten myself when we brought backup tapes back onsite to restore a server after a lightning strike and data loss. At that very moment, a pipe broke above us and flooded the computer room. The resultant electrical chaos destroyed the backup. If you use offsite storage, make a copy to bring back onsite.

Shared Folders and Files

It is not enough for employees to be able to work on documents stored on their own PCs. They must also be able to share documents with other employees, look up old documents, and collaborate on the production of new documents. Once again, there are many different technologies to do this, and, to the extent possible, we will ignore them except where it matters to security.

Whether people share files from their PCs, the files are placed in a central server, or they are stored on a vendor's site, from a security point of view, the basic problem with sharing documents is how to let the people that need access get it while denying access to everyone else. This is usually accomplished with one of two basic processes.

The first is through Access Control Lists (ACLs). ACLs are sets of rules about which individuals or groups can do specific things to a particular resource, such as add documents to a folder, or read a sales report. The combination of individuals, groups, and different types of permissions in many systems can be quite powerful, such as saying that everyone in Accounting has full access to a folder, except Contractors. George (a contractor), can read documents and nothing else. Different systems provide different protections and amounts of detail. By setting up appropriate groups and folder permissions, the access controls on individual files may seldom need to be mucked with.
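The Accounting/Contractors/George example above, worked through in a small ACL evaluator added here (Python, not any particular file server's implementation); the precedence rule it uses, a rule naming the user beats group rules and a deny beats an allow at the same level, is one common convention, and the users, groups and folder are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Rule:
    principal: str           # a user name or a group name
    is_group: bool
    allow: bool              # False makes the rule an exception ("except Contractors")
    permissions: FrozenSet[str]   # e.g. {"read"}; {"*"} means every permission


ALL = frozenset({"*"})


@dataclass
class Acl:
    rules: List[Rule] = field(default_factory=list)

    def check(self, user: str, groups: Set[str], permission: str) -> bool:
        """Default deny. Rules that name the user directly are the most specific and
        decide on their own; otherwise the user's group rules decide, and any deny
        among the applicable rules wins over any allow."""
        def applies(rule: Rule) -> bool:
            return "*" in rule.permissions or permission in rule.permissions

        user_rules = [r for r in self.rules
                      if not r.is_group and r.principal == user and applies(r)]
        if user_rules:
            return all(r.allow for r in user_rules)
        group_rules = [r for r in self.rules
                       if r.is_group and r.principal in groups and applies(r)]
        return bool(group_rules) and all(r.allow for r in group_rules)


# Constructed directory: who belongs to which groups.
GROUPS = {
    "george": {"Accounting", "Contractors"},
    "alice": {"Accounting"},
    "bob": set(),
}

# Constructed folder ACL matching the paragraph: Accounting has full access,
# except Contractors, and George (a contractor) may read and nothing else.
SALES_REPORTS = Acl([
    Rule("Accounting", is_group=True, allow=True, permissions=ALL),
    Rule("Contractors", is_group=True, allow=False, permissions=ALL),
    Rule("george", is_group=False, allow=True, permissions=frozenset({"read"})),
])


def can(user: str, permission: str, acl: Acl = SALES_REPORTS) -> bool:
    """Convenience wrapper: look the user's groups up, then evaluate the folder ACL."""
    return acl.check(user, GROUPS.get(user, set()), permission)
```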

The second process is through workflows. A workflow is a sequence of steps, from start to completion, that some document goes through as part of a business process, such as producing a proposal. Individuals have roles in this process, such as editing, reviewing, approving, and sending the document. After the customer receives it, it may go through another round of changes before being filed for reference in contract negotiations. Workflow automation, typically built into Content Management Systems, shows team members what stage the document is in, what their assigned role is, and what their assigned action items are. At each stage, the individuals have different access rights to the document according to their role in the project. In all likelihood, only team members (and their superiors) will have any access at all, and some team members only late in the process.

There are often arguments about which system is better. Like most such arguments, they miss the point. Both are good systems and have their uses. Access Control Lists are better at managing files or records that do not change very often and do not have distinct owners, such as client histories or past proposals. ACLs are generally centrally managed and keeping track of permissions for changing team structures involves a lot of interaction with system administration. Workflow systems tend to be more efficient for documents that are being created or actively worked with. Applications usually let teams or managers assign permissions for the projects they own, so less technical support is needed.

What generally happens is that businesses end up with a file server of some type which uses folders and ACLs and then provide another system for discussion and collaboration. Lotus Notes™ is a popular system in many organizations, especially technical ones, for project interaction, but these days there are many options at many price ranges.

A problem in both of these systems is that access rules are hierarchical. Administration staff can access any document on the system, and, in workflow systems, managers generally can as well. This access is necessary if someone is to be able to fix problems or access documents when their owner is suddenly unavailable. Aside from issues of trust, however, a compromised master password or broken security system lets an attacker take anything they want. In essence, this is no different from physical files in that there is usually a master key to all offices and physical security can generally open locked cabinets and secure areas. The difference is that, with electronic systems, an attacker can access the system locally or remotely, and carry out (or modify) large amounts of data without arousing suspicion. We will talk about some solutions to this problem as we go.


Encrypting Shared Documents

Encrypting shared documents is one way to get around the untrusted computer problem. A document can be encrypted with a password and the password given out to the people that need to access the document. Then, even if someone gains control of the computer where the document is stored, they will not be able to read it. Doing this systematically means that you can store sensitive documents on untrusted sites where the administration is outsourced, such as a shared web hosting provider.

As a rule, sharing a single password, such as by encrypting a Word document and emailing it to everyone, is a bad idea. If a password is potentially compromised, everyone's password has to be changed, and distributing the new password (safely) is difficult. Two technologies make this easier.

The first is called Public Key Cryptography, which we will talk about in detail in (emv20070510)FIXME:. In this system everyone has a key or certificate that belongs to just them. They use this key in encrypting/decrypting files.

The second is key escrow. We talked about key escrow in the section called “Protecting Documents”. In theory, one file can be encrypted so that any number of people's keys will unlock it. A document author can simply select names from an address book or company directory, encrypt the document, and store it in a shared folder. If necessary, the list of people able to read the file can be changed. Again, as long as all of the encryption/decryption is done locally, the remote server does not have to be trustworthy because even someone with administrative control cannot read the file.

In practice, group-level encryption becomes messy and unsafe when the number of people needing access is large, when ownership of documents changes over time, or group membership changes. In these cases, either the owner ends up being a gatekeeper (“Can you give me access to ...?”), or there is a push for a more central management of access rights. In the first case, we have the owner disbursing new encryption keys or special copies of the document on a regular basis, at which point, why outsource document handling? In the second case, we end up in another “One Ring to rule them all” situation, which is precisely what we were trying to avoid [LioyEtAl-1997].

As usual, we end up making trade-offs. For archival information where the number of people needing access is relatively large, specified by groups whose members change, and centrally administered, it makes more sense to use centrally-managed encryption, despite the security implications. Where more protection is needed, other solutions, such as restricting physical access, may be necessary. For workflow-like situations, where a document is actively worked by a small team, individually managed encryption is more feasible, and often, since the data is current, the documents may be more sensitive.

In situations where data is accessed by automated systems (an online storefront accessing stored credit card information, for instance), applying encryption effectively is very difficult. It is not practical to have an employee sitting there entering a password every time a customer checks out and needs to use the same credit card they did last time. The storefront needs to be able to access the customer data without any intervention. If the credit card information is encrypted, the application must be able to decrypt it, and, therefore, anyone gaining control of the application can read the records no matter what security is in place. Security is only as strong as the weakest point in the perimeter.

A handy solution to this dilemma is to use the customer's password to encrypt the data. The customer has to give you their password to check out, anyway, so their experience is not changed. An attacker gaining control of the system has no way of knowing what the customer's password is (there are ways to check a password without actually storing it anywhere; trust me on this [20]), so they cannot read the information. They might be able to copy small amounts of data over time (as customers log in and check out), but you have made their job much harder.

[20] For the overly curious, one way is to apply a math operation to it (a hash) and store the result. When they give you their password next time, see if you get the same result. Another way is to use their password to encrypt something. If they can read it, they have the right password.


The interesting side-effect is that no one can read the customer's card information without the customer's password. That includes your own employees if they get any bright ideas on selling stolen credit card numbers. Once the purchase is completed, the card information is locked away. It also means that the customer him or herself cannot access the card information if the password is forgotten. In this case, delete the information, and have them enter their credit card number again the next time they purchase. Make sure you encrypt only what you need to, minimizing inconvenience, and take the opportunity to explain how you are protecting them from identity theft.
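The scheme of the last three paragraphs and footnote 20 (card data sealed under the customer's password, the password itself checked by a stored hash, a forgotten password meaning the card is simply dropped) as an added example in Python, not code from the text. It assumes PBKDF2 for stretching the password and, purely so that it runs on the standard library, an HMAC-SHA256 counter-mode keystream with a separate HMAC tag standing in for the AES-GCM a real storefront would use; the password and card number are constructed test values.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # deliberately slow: a thief of the table pays this per guess


def _master_key(password: str, salt: bytes) -> bytes:
    """Stretch the customer's password into key material. Never stored anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _subkey(master: bytes, purpose: bytes) -> bytes:
    """One key per purpose, so the stored login verifier reveals nothing about the
    key that seals the card."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode XORed over the data.
    Used only so this example needs no third-party library; deploy AES-GCM or
    another vetted AEAD from a maintained crypto library instead."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def store_card(password: str, card_number: str) -> dict:
    """At checkout: build the record that goes into the customer table. It holds a
    salt, a login verifier and the card sealed under password-derived keys; none
    of it yields the card number without the password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    master = _master_key(password, salt)
    sealed = _xor_keystream(_subkey(master, b"enc"), nonce, card_number.encode("utf-8"))
    tag = hmac.new(_subkey(master, b"mac"), nonce + sealed, hashlib.sha256).digest()
    return {
        "salt": salt.hex(),
        "verifier": _subkey(master, b"auth").hex(),  # footnote 20, first method
        "nonce": nonce.hex(),
        "card": sealed.hex(),
        "tag": tag.hex(),
    }


def check_password(record: dict, password: str) -> bool:
    """Login: recompute the verifier and compare in constant time. The password
    itself was never written down, only this result of hashing it."""
    master = _master_key(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(_subkey(master, b"auth"), bytes.fromhex(record["verifier"]))


def recall_card(record: dict, password: str):
    """Repeat purchase: return the card number, or None when the password is wrong
    or the record was tampered with (footnote 20, second method: only the right
    password makes the sealed data readable, and the tag tells us whether it did)."""
    master = _master_key(password, bytes.fromhex(record["salt"]))
    nonce, sealed = bytes.fromhex(record["nonce"]), bytes.fromhex(record["card"])
    expected = hmac.new(_subkey(master, b"mac"), nonce + sealed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        return None
    return _xor_keystream(_subkey(master, b"enc"), nonce, sealed).decode("utf-8")


def forget_card(record: dict) -> dict:
    """Forgotten password: the card cannot be recovered by anyone, so drop it and
    ask the customer to re-enter it on the next purchase, as the text advises."""
    return {key: value for key, value in record.items() if key not in ("nonce", "card", "tag")}
```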

Restricting Network or Physical Access

Another way to protect sensitive shared documents is to restrict where they can be accessed. We already mentioned the possibility of splitting documents based on sensitivity, with some residing inside and some outside the firewall, in the section called “The Back Door - Employees On the Go”. Here, we examine some other ways to restrict access.

If you have an online storefront and a database of customer information, you can put the customer database on its own computer and severely restrict access to that computer (in fact, PCI/DSS requires this [PciSsc-2006 § 1.3.4, § 9.1, etc.]). In particular, it is possible to put the database on its own network section, have it only respond to specific connections from your online storefront and internal order tracking system (to which it is directly wired) and only allow administration from its own keyboard (presumably in a locked room). If it must be remotely administered (remote emergency management), force connections to come through a specific administrator workstation so that someone must go through multiple, logged, levels of security to gain access, and even then, they do not need to be able to see customer data to fix a software outage.

In this way, an attacker is hemmed in. A remote breach of the storefront can only do things the store is normally allowed to do, such as accessing customer records one at a time with a password, rather than copying them all at once, and there is seldom a reason to display a whole account number back to a customer. Inside attacks are similarly blunted: internal order processing doesn't need to see whole customer card information (once it has been sent through the card processing system and confirmed) and an employee would need physical access to get anything more (Smile for the camera!). A determined and resourceful attacker can still do damage, but it will take serious work, your pool of suspects will be smaller, and your evidence will be of higher quality.

Other sensitive documents can also be physically restricted. At the Pentagon, the classified information was on a completely separate network; there were no physical connections to the Unclassified network and someone had to physically sit at a Classified computer to access restricted data. Moving information from one system to the other (by disk) required going through the responsible officer who had to examine the data and the disk. Moving data without permission was severely disciplined.

Perhaps you do not handle information which can determine the fate of countries, but you may very well have documents that can sink your business if improperly used. It may be worth asking yourself: do I really need this available outside the office? Can the people on the team come here to work on this document? Do I really want to face liability if this walks out the door? The best network defense is sometimes a pair of scissors: clip the network cable.

If you do have restricted machines, you will need to get some information in and out (like reference sources in and completed documents out), but will need control over it. UNIX/Linux based systems are particularly good at controlling access to external disks and devices. You can specify exactly who may do what with CDs or the ubiquitous USB drives. This is a much less messy solution than gluing USB ports shut (which companies have done). You can assign one or more gatekeepers to make copies of documents when people need them.

Of course, all of this is a lot of work, may be expensive, and is in direct opposition to recent trends in telecommuting. Particularly as gas prices reach record highs, employees have a tremendous incentive to work at home. We also work in markets that are increasingly globalized; it is not always practical to bring people to the same location to work on a document. As usual, what you choose depends on the value of your data, the risks of its exposure, and the business opportunities you want to take advantage of. No one can make that choice for you, and, in the end, there may be no perfect answer.

Internet Services and Communication

In order to function, employees need to be able to communicate with the outside world and use services from other businesses. Increasingly, these services and communications are provided by the Internet.

Restricting Use

Even when employees are allowed to access documents, you may want to restrict what they can do with them. Access controls and encryption do not seem to be worth much when an employee can put an unprotected copy on a disk and take it home, or forward a sensitive email. Once you send a document to a client or vendor, none of your network protections come into play.

The solution to this dilemma, or so many vendors claim, is a technology called Digital Rights Management or DRM.

Conclusions

Frustrations

Inevitably, as your data security plan progresses, you will encounter frustrations once you leave the safety of your own network. Implementing a policy of secure email and document encryption will only get you so far when the companies you communicate with do not use them. Protecting your confidential data may seem hopeless when the vendors and agencies you must entrust it to in the course of business are compromised on a regular basis.

This difficulty is one of the reasons there is so much quality free security software available. Many individuals, companies, and agencies have realized that increased use of these technologies benefits them and have donated time and money to making them widely available. For the most part, however, use of protective technologies for Internet communication to prevent forgeries, tampering, and disclosure is rare, even though the technology has been widely available for more than a decade. This is mostly due to consumer ignorance of how Internet criminals operate and how technology can work against them. The fact that law enforcement has tried to associate the use of encryption with criminals and terrorists does not help the situation.

In reality, the use of technologies to prevent forgery alone can make a large difference in Internet communication. SPAM can be sent without forging emails, but the ability to forge sender addresses makes it much harder to stop. If SPAMers had to use legitimate domains and servers to send their mail, zombie botnets would be less useful and domains which sent SPAM could be blacklisted from mail servers. Without the ability to easily forge emails, email phishing schemes would virtually disappear. Initiatives like the Sender Policy Framework21 for identifying which computers are allowed to send email for an Internet domain, and personal solutions like digitally signing email, allow the receiver of an email to have greater confidence that what they receive is legitimate. We have SSL and digital certificates to tell us that the website we are entering our credit card information into is who we think it is, but people commonly open attachments in emails that claim to be from friends or colleagues with no real way to know where they came from.
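The Sender Policy Framework check described above, as an added example that is not part of the original article: a receiving mail server fetches the sender domain's SPF record and tests the address that connected to it against that record. The record, the addresses (taken from documentation ranges) and the per-result actions are constructed for illustration; only the ip4, ip6 and all mechanisms are implemented, and anything needing further DNS lookups is refused rather than silently ignored.

```python
"""Evaluating an SPF record for one connecting mail server.

Added example, not from the original article. A receiving mail server looks
up the sender domain's SPF TXT record and checks whether the IP address that
connected to it is listed. This implements the ip4/ip6/all mechanisms and
their qualifiers from RFC 7208; mechanisms that need further DNS lookups
(a, mx, include, exists, redirect) are refused explicitly rather than
skipped. The record and addresses below are constructed samples using
documentation ranges.
"""
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass, fail, softfail, neutral, none or permerror."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all; usually "-all" or "~all"
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"         # malformed record: broken, not a pass
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} requires DNS resolution")
    return "neutral"                       # nothing matched, no catch-all (RFC 7208 s4.7)


# Constructed record: two authorised IPv4 sources, a softfail IPv6 range, reject the rest.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ~ip6:2001:db8::/32 -all"


def classify_connection(sender_ip: str, record: str = SAMPLE_RECORD) -> str:
    """What a receiving server might do with each result (the policy is the operator's choice)."""
    result = evaluate_spf(record, sender_ip)
    action = {
        "pass": "accept",
        "fail": "reject",                  # the domain says this host never sends for it
        "softfail": "accept and mark",
        "neutral": "accept",
        "none": "accept",
        "permerror": "accept and log",
    }[result]
    return f"{sender_ip}: spf={result} -> {action}"


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.7", "198.51.100.8", "2001:db8::1"):
        print(classify_connection(ip))
```

The value of the record is entirely in its catch-all: a domain that ends its record with "-all" is telling every receiver that mail from any unlisted host is forged and may be rejected outright, which is the property the paragraph above argues would undercut both spam and phishing.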

As for encryption in emails, regulations, confidentiality agreements, or self-preservation may lead you to protect data in transit. We do not write financial data on the outside of a postcard and stick it in a mailbox. Yet, encryption does not help if the receiver cannot read it. It can be difficult to convince a business partner to adopt a security practice in order to work with you. Do not count out the low-tech solutions. In some cases, old-fashioned mail or personal service may be the safer option.

21 http://www.openspf.org/

Compromises in vendor and agency security present a difficult problem. Selecting trustworthy vendors, considering the widespread nature of the problems, requires something akin to psychic powers. Even if that could be done consistently, you cannot refuse to provide data to government agencies. Two techniques can be of help. One is using unique data with each vendor. Some banks allow the creation of one-time credit card numbers which can be used for a single transaction. It is also possible to use a unique email address for each vendor you work with. Watching where this unique data turns up tells you who is selling or exposing your private data, and the facts may surprise you. Another good technique is making sure you have confidentiality agreements protecting important data and relationships. Boilerplate text may do in many cases. It may make another organization think more seriously about your documents, and, at the very least, it gives you a basis for a legal action if your data is stolen.

As a whole, the solution will require outreach, activism, lawsuits, and time. Consumers need to know the nature of the problems they face and that they have choices for protecting themselves. Until public policy and case law make entities responsible for data leaks and for illegal use of their equipment, many businesses will not take action. At present, for instance, merchants who are the victims of credit card fraud pay the brunt of costs and fees, leaving those who actually lose the data little incentive to improve. Over time, standard practices will develop and case law will begin to take those practices as a matter of course. In the meantime, tenaciousness and creativity will have to do.

Glossary

Access Control Lists: A list of individuals or groups allowed to access a particular resource in a specific way, for instance, write to a document, or delete documents in a folder. Common controlled actions are Create, Read, Update, and Delete, or CRUD. ACLs can usually include basic rules, such that, for instance, all members of Accounting can access a document, except Contractors. ACLs are usually centrally managed; teams are limited in their ability to manage document access rights.
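An added example, not from the original article, of how such an ACL is evaluated: the Accounting-except-Contractors rule above encoded as allow and deny entries over the CRUD actions. The users, groups and document are constructed, and the evaluation order (an explicit deny beats any allow, and no matching entry means no access) is an assumption of this example rather than something the glossary states, though it is how most file-system and directory ACLs behave.

```python
"""Evaluating an access control list over the CRUD actions.

Added example, not from the original article. It encodes the glossary's rule
"all members of Accounting can access a document, except Contractors" as a
list of allow and deny entries and evaluates a request against it. The
evaluation order (an explicit deny beats any allow; no match means denied)
is an assumption of this example. Users, groups and the document are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# The four controlled actions the glossary names.
CRUD: FrozenSet[str] = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class AclEntry:
    principal: str            # a user name or a group name
    actions: FrozenSet[str]   # the subset of CRUD this entry speaks about
    allow: bool               # True grants, False denies


# Constructed directory: group membership by user.
GROUPS: Dict[str, Set[str]] = {
    "alice": {"Accounting"},
    "bob": {"Accounting", "Contractors"},   # an Accounting contractor
    "carol": {"Sales"},
}


def check_access(acl: List[AclEntry], user: str, action: str) -> bool:
    """Return True if `user` may perform `action` under `acl`."""
    if action not in CRUD:
        raise ValueError(f"unknown action {action!r}")
    principals = {user} | GROUPS.get(user, set())
    granted = False
    for entry in acl:
        if entry.principal in principals and action in entry.actions:
            if not entry.allow:
                return False          # an explicit deny wins immediately
            granted = True
    return granted                    # fail closed when nothing matched


def permissions(acl: List[AclEntry], user: str) -> Dict[str, bool]:
    """Summarise every CRUD action for one user; useful for access audits."""
    return {action: check_access(acl, user, action) for action in sorted(CRUD)}


# ACL for a budget spreadsheet: Accounting reads and updates, Contractors are
# cut out entirely, and only alice may delete it.
BUDGET_ACL: List[AclEntry] = [
    AclEntry("Accounting", frozenset({"read", "update"}), allow=True),
    AclEntry("Contractors", CRUD, allow=False),
    AclEntry("alice", frozenset({"delete"}), allow=True),
]

if __name__ == "__main__":
    for who in GROUPS:
        print(who, permissions(BUDGET_ACL, who))
```

Note that bob is denied even though he is a member of Accounting: the deny entry for Contractors overrides the group grant, which is exactly the "except Contractors" rule, and it is why the order of evaluation must be written down as policy rather than left to whatever the software happens to do.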

Airport™: An Apple trademark that is commonly used to refer to wireless networking or WiFi (technically the 802.11x networking standards).

bluetooth®: A short-range radio technology for connecting to computer peripherals, such as mice, keyboards, PDAs, cellphones, and headsets. Like wireless networking, bluetooth can be hijacked if left on or used in public places, although its short range makes attacks more difficult.

botnet: A collective of remotely controlled, infected PCs (zombies) that are controlled as a unit. A botnet can consist of thousands or tens of thousands of PCs and can carry out coordinated Distributed Denial-of-Service (DDoS) attacks against a single target. Botnets can also be hired out to collect information, send SPAM or conduct other illegal activities.

COBIT®: Control Objectives for Information and related Technology or COBIT® is a set of best practices for information management created by the Information Systems Audit and Control Association (ISACA)22, and the IT Governance Institute (ITGI)23, initially published in 1992. Version 4.1 will be published in May of 2007. The current version is 4.0 [Itgi-2005]. COBIT® is a standard for overall management and control of information technology in a business, including risk management, cost and quality control, and our present interest, security.

COBIT provides a specific section in its standard to deal with information security policy which is tied into the overall IT process [Itgi-2005 pp 119-122], although other sections, such as providing continuous service, are certainly relevant. An additional document, the COBIT® Security Baseline, is divided into 39 essential steps for securing the business [AliPabrai-2005, Itgi-2004] which add detailed guidance to the COBIT base standard. These steps concentrate on process and procedure more than specific technology, allowing a business to choose (and document!) techniques which best fit their needs.

CSIRT: An acronym for Computer Security Incident Response Team, sometimes referred to as an Incident Response Team or Computer Emergency Response Team (CERT). A CSIRT is the group of Security, IT, Legal, Public Relations, and Management personnel that are involved or can be involved in responding to a security incident. An Incident Response Plan should lay out the responsibilities of the members of a CSIRT and the situations in which they are called in or must be informed of an incident.

de-facto standard: A practice or technology which is in common use and has become a pseudo-standard, although it has no official design, definition, or consensus. One of the most frequently cited examples of a de-facto standard is the Microsoft Word™ file format. Word .doc files are used everywhere for exchange of documents, but there is no written specification for what the inside of the document looks like and, in fact, the format has changed several times over the years, leading to data exchange problems. De-facto standards lock customers into a single vendor and product line since competitors cannot (are not allowed to) provide compatible products24. The Open Document Format, by contrast, a recent ISO standard, is a simple, concise standard approved by a consortium of companies and supported by multiple products.

Underspecified document formats can have real security impacts. While I was working at the Pentagon, an officer moved a Word document containing unclassified data from the classified network to the unclassified network (which are physically separated) by a floppy disk. Unknown to him, Word documents (at the time) scooped up random information from the hard drive when they were created, and his file contained classified information hidden in the document but visible to someone who knew how to look at the raw data. When this was discovered, security personnel had to scrub a number of computers which had come into contact with the classified data. The peer review process which leads to a public standard is designed to eliminate design flaws of that nature or at least make them known to potential users with special needs.

De-facto standards have the advantage of being driven by a single developer and coherent point of view rather than being designed by a committee. This is a particular advantage with developing completely new technologies. Sometimes, these products become real published standards at a later date, such as UNIX™ and Adobe PDF™. This can lead to a best-of-both-worlds situation where a well designed and market-tested product is maintained and slowly extended by a standards body.

defense in depth: A defense which consists of multiple integrated layers where the strength of the whole is greater than the sum of its parts. Attempts to exploit some weaknesses may be prevented or limited by other defenses. A single layer defense, by contrast, even when strong, can often be bypassed completely when the defenders make a single mistake. Elements of a data security defense in depth include keeping attackers out of your network, denying them access to your PCs even if they are on the network, and encrypting sensitive documents so that they are useless even if they are stolen.

Denial-of-Service: An attack which causes some service to stop functioning rather than attempting to take control of it. A Denial-of-Service attack on a website, for instance, would make it unusable or slow for legitimate customers. Vulnerabilities leading to DoS tend to be more frequent and easier to exploit than actually taking control of a computer, though of less use to the attacker.

A Distributed Denial-of-Service (DDoS) is a coordinated attack by many computers at once against a single target. DDoS usually involves a collection of zombies (or botnet) and is done for the purpose of ideology, revenge, or extortion. The fact that the attacks come from many distinct, innocent sources makes them difficult to counter. The individual contribution of one infected PC is small and may not be detected by the owner's Internet Service Provider, but the combined effect is devastating, and sustained attacks can bankrupt businesses with bandwidth charges and lost revenue.

DMZ: A small network provided by a firewall for Internet services, such as web and mail servers, to reside in. These servers must be exposed to the Internet so that customers may access them, but should have at least limited protection. The DMZ is more dangerous than the inside of the firewall, so more effort needs to be taken to make sure the servers are secure. Consumer grade firewalls often limit the DMZ to a single PC, called the DMZ host, which has minimal or no protection.

DMZ stands for Demilitarized Zone, although the full name is never used. It refers to the land-mined no-man's land between North and South Korea and underlines the fact that it is a dangerous space between the internal network and the hostile Internet.

DRM: A technology which aims to restrict the particular uses to which a file, document, or media item may be put. For example, it may be used to restrict viewing to certain computers or certain people, prevent copying, forbid editing, cause documents to expire, or track usage.

Its flaw is that, in order for legitimate users to access a document, the document must contain the information necessary to read it (by definition). DRM relies on security by obscurity and on restricting content viewing and editing to specific applications which know the secret handshake for unlocking the document. The application then reads and enforces restrictions encoded in the document. DRM functions well if-and-only-if the secret is not known. Once that secret is revealed, all protected documents are compromised.

exploit: A means of effectively using a vulnerability to bypass security or cause damage. For example, a vulnerability might be a bug in a web browser. An exploit would be a web page which uses the bug to send a malicious program to the user. See zero-day exploit.

fingerprint: A unique identifying number for an encryption key or certificate. Basically, the fingerprint is a quick way of verifying that you are using the correct key and that it really belongs to who you think it does. For example, if you want to send someone confidential information, you can look up their public key (see Public Key Cryptography) in a directory. To make sure that the key in the directory is correct (and not fraudulent), you can look at the key's fingerprint and verify it by some other method, such as calling the person on the phone, checking the back of their business card, seeing if it is listed on their web page, and so forth. Once you have verified the key the first time, you can add it to your own key ring and tell your application that you trust it. Similarly, you should list your key's fingerprint prominently to make it easier for people to verify your public key.

firewall: Controls traffic between an inside network (Intranet), such as a home or business, and an outside network, such as the Internet. A firewall keeps unwanted traffic out and protects computers on the inside. A hardware firewall is built into a router or other device. A software firewall is a second line of defense running directly on the server or PC it protects, only allowing traffic to or from certain applications (e.g. a web browser). A firewall may provide for a DMZ to provide limited protection for Internet services such as an online store.

HIPAA: The Health Insurance Portability and Accountability Act is a US Federal Law [Usc-1996] which, for our purposes, places requirements on the use, disclosure, retention, and protection of private health records. In particular, the Security Rule (issued in 2003) lays out three types of safeguards required for compliance: the Administrative Safeguards (defined policies, management, and auditing), the Physical Safeguards (restricting access to records and equipment), and the Technical Safeguards (technological protections for networks, computers, and communications) [Dhhs-2003]. Businesses may be required to comply with HIPAA if they manage private health information (obviously including medical organizations, but this can also include components of organizations managing information related to employee health plans) or are subcontractors of such businesses.

For the most part, the HIPAA Security Rule avoids making specific technology requirements (which would quickly become obsolete) by stating what must be accomplished rather than how it must be accomplished, such as requiring that networks must be protected from intrusion and that documents must be able to be verified to prevent tampering. The organization must further document their actual practices and self-audit on a regular basis.

A number of related documents are available from the US Health and Human Services Web Site25.

image: A drive image or image is a complete copy of a hard drive or a partition on a hard drive, including the raw filesystem, all files, free space, and deleted files. Images are used in backup and recovery to quickly restore a hard drive from a backup. It is common, for instance, for a system administrator to have an image of a new system with Windows and standard applications rather than installing each system individually. Images are also used in computer forensics to allow security personnel or law enforcement to examine a stored copy of a hard drive and all of its contents.

Intranet: An internal network, such as a business or home. Intranets are connected to other networks, such as the Internet, by a router.

ISF Standard of Good Practice: The Information Security Forum26 Standard of Good Practice for Information Security [Isf-2005a] is a standard of information security best practices published by an international consortium. Although they use the term “information security” to describe the document, they are more focused on digital data than ISO/IEC 17799:2005. Like other security standards, they avoid committing to specific technical recommendations, concentrating more on policy and practice. They do, however, do a good job of keeping up with changing security issues, such as instant messaging and recent virus threats in the current (4.1) version. This document also does an excellent job of not getting bogged down in jargon (either its own or computer/technical).

The ISF standard overlaps with and is complementary to aspects of both COBIT® and ISO/IEC 17799:2005.

ISO/IEC 17799:2005: An international business process standard for best practices in information security. Note that this is a broader term than “data” security and includes information in any form, such as paper and security of physical storage. The standard provides guidance on risk management processes, policy development, management and approval structures, access controls and classification levels, monitoring and auditing. Like most such standards, it concentrates more on what to manage than precisely how, and avoids specifying specific controls or technologies [IsoIec-2005].

This standard overlaps with and is complementary to aspects of both COBIT® and the ISF Standard of Good Practice. ISO/IEC 17799 was first published in 2000 as an international standardization of the British Standard (BS) 7799-1:1999, and will be renamed to ISO/IEC 27002 in 2007.

key escrow: Key escrow can be used to mean any of several different technologies. As used in this paper, it means a process where multiple passwords are used to access the same document or data. Each password works individually, so you can set up an employee password and a master password, for instance, so that sensitive data can be accessed even if the employee is not available (or no longer works for you). In a sense, key escrow trades one issue for another, in that it creates a single master password which can fall into the wrong hands. The master passwords should be used very seldom, so that they are not likely to be captured, and different passwords should be used for different sets of data to minimize damage if a password leaks (or is misused).
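An added example, not from the original article, of the arrangement described above: one randomly generated data-encryption key is wrapped separately under each password, so the employee password and the master password each unlock the data on their own, and removing one slot revokes one password without re-encrypting the data or touching the other passwords. The password-based derivation with XOR wrapping and an HMAC check is a simplification chosen for illustration; a production system would use an authenticated key-wrap from a vetted library (the multiple-key-slot design itself is the one LUKS disk encryption uses).

```python
"""Key escrow as multiple key slots unlocking one data-encryption key.

Added example, not from the original article. Each slot wraps the same
random data-encryption key (DEK) under a key derived from one password, so
the employee password and a master password each open the data on their own,
and a slot can be removed to revoke one password without re-encrypting the
data. The wrapping (XOR with a PBKDF2-derived key, plus an HMAC check under a
separately derived key) is a simplification for illustration; production
systems use an authenticated key-wrap such as AES-GCM.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000   # kept modest so the demo runs quickly; raise it in practice


def _derive(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte wrapping key and a separate 32-byte MAC key from a password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def add_slot(dek: bytes, password: str) -> Dict[str, bytes]:
    """Wrap a 32-byte DEK under `password` in a new slot with its own random salt."""
    if len(dek) != 32:
        raise ValueError("DEK must be 32 bytes")
    salt = os.urandom(16)
    wrap_key, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_slot(slot: Dict[str, bytes], password: str) -> Optional[bytes]:
    """Return the DEK if `password` opens this slot, else None.

    The HMAC check fails for a wrong password, so a wrong guess yields
    nothing rather than a garbage key that would silently corrupt data.
    """
    wrap_key, mac_key = _derive(password, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], wrap_key))


def unlock(slots: List[Dict[str, bytes]], password: str) -> Optional[bytes]:
    """Try every slot; any single password that fits recovers the DEK."""
    for slot in slots:
        dek = open_slot(slot, password)
        if dek is not None:
            return dek
    return None


def revoke(slots: List[Dict[str, bytes]], password: str) -> List[Dict[str, bytes]]:
    """Drop the slot(s) a password opens; the remaining passwords keep working."""
    return [slot for slot in slots if open_slot(slot, password) is None]


if __name__ == "__main__":
    dek = os.urandom(32)
    slots = [add_slot(dek, "employee-passphrase"), add_slot(dek, "master-passphrase")]
    print("employee opens:", unlock(slots, "employee-passphrase") == dek)
    print("master opens:  ", unlock(slots, "master-passphrase") == dek)
    slots = revoke(slots, "employee-passphrase")   # the employee leaves
    print("employee still opens:", unlock(slots, "employee-passphrase") is not None)
    print("master still opens:  ", unlock(slots, "master-passphrase") == dek)
```

The trade-off the glossary describes is visible in the structure: every slot protects the same DEK, so the master passphrase is as valuable as all the data it covers, which is why a separate DEK (and so a separate master) per data set limits what one leaked passphrase exposes.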

key logger: A program which tracks the use of a computer, recording typing, web sites visited, and especially, capturing usernames and passwords. Key loggers either record the data locally and must be retrieved periodically (this has been common in Internet cafes and copy centers) or will automatically send their information to their controller. Key loggers may be installed by malware or directly by someone with access to the computer, including, in some cases, by employers to track employee use of a computer.

malware: A general term for software that violates privacy, breaches security, and damages computers, including viruses, spyware, and trojan horses. The distinction between these types is blurring because one type of malware will often enable and spread other kinds.

man-in-the-middle: The attacker performs as an intermediary between two parties without their being aware of it; the attacker can copy and modify secure communications at will.

Alice and Bob are trying to communicate securely. Mallory poses as Bob, and Alice gives Mallory the password they will use. Mallory makes up a new password to give to Bob. Mallory now takes all coded messages from Alice, reads them, re-encodes them, and sends them on to Bob, doing the same going in the reverse direction. Mallory can also modify the messages at any time without anyone the wiser.

In phishing schemes, the attacker poses as a banking site, tricks the user into logging into the fake site, and passes the name and password on to the real bank, sending the user the bank's responses. The attacker can now monitor and modify any of the user's banking activities. To the user, everything looks normal. Network services have a number of ways to reduce the chance of a man-in-the-middle attack, but many of them involve authenticating the two ends of the conversation in some way, and user vigilance is essential. Making sure that the URL and SSL certificate are correct for a secure website, noting suspicious communications, calling a colleague to verify that an encryption key belongs to them (by verifying its fingerprint, a unique identifying number), and so forth, will quickly derail attackers.
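An added example, not from the original article, covering both the fingerprint entry above and this one: a key retrieved over the network is accepted only if its fingerprint matches the one obtained out of band (read over the phone, printed on a business card), so a key Mallory has substituted is caught before anything is encrypted to it. The keys are opaque sample bytes standing in for real public keys, the fingerprint format (SHA-256 rendered as colon-separated hex) is an assumption of this example, and the "tampered" lookup simulates Mallory's substitution.

```python
"""Out-of-band fingerprint verification against key substitution.

Added example, not from the original article. Keys here are opaque byte
strings standing in for real public keys; the fingerprint is SHA-256 of the
key formatted as colon-separated hex pairs (an assumption; OpenPGP and
OpenSSH each have their own formats). Names and key bytes are constructed.
"""
import hashlib
import hmac

# Constructed stand-ins for public keys. Real keys are far longer.
BOB_REAL_KEY = b"bob-public-key-material-constructed-sample"
MALLORY_KEY = b"mallory-public-key-material-constructed-sample"


def fingerprint(public_key: bytes) -> str:
    """Return the key's fingerprint: SHA-256 digest as 'aa:bb:cc:...'."""
    digest = hashlib.sha256(public_key).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_key(received_key: bytes, trusted_fingerprint: str) -> bool:
    """Compare the received key's fingerprint with one obtained out of band.

    compare_digest runs in constant time, so an observer cannot learn how
    many characters of a guess matched.
    """
    return hmac.compare_digest(fingerprint(received_key), trusted_fingerprint)


def lookup_key_over_network(name: str, tampered: bool) -> bytes:
    """Simulated directory lookup. With tampered=True the reply has been
    replaced in transit by Mallory's key, which is what a man in the middle does."""
    directory = {"bob": BOB_REAL_KEY}
    genuine = directory[name]
    return MALLORY_KEY if tampered else genuine


def start_secure_conversation(name: str, trusted_fingerprint: str, tampered: bool) -> str:
    """Fetch the peer's key and refuse to proceed unless its fingerprint checks out."""
    key = lookup_key_over_network(name, tampered)
    if not verify_key(key, trusted_fingerprint):
        return "abort: fingerprint mismatch, possible man-in-the-middle"
    return f"ok: key verified, safe to encrypt to {name}"


if __name__ == "__main__":
    # Alice wrote this down while on the phone with Bob (out of band).
    bobs_card = fingerprint(BOB_REAL_KEY)
    print("Bob's fingerprint:", bobs_card)
    print("honest network:  ", start_secure_conversation("bob", bobs_card, tampered=False))
    print("Mallory in path: ", start_secure_conversation("bob", bobs_card, tampered=True))
```

The check only helps if the trusted fingerprint really did arrive by a different route than the key; a fingerprint copied from the same web page or email that delivered the key can be swapped by the same attacker.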

open: The Carnegie Mellon Software Engineering Institute's Open Systems glossary defines “open” as follows:

The specification of a component is open if (1) its interface specification is fully defined and available to the public, and (2) this specification is maintained by a group consensus process.

—[SeiCm-2007]

An “open system” is a system made up of components which are well-specified and, at least theoretically, interchangeable.

Most disagreements in the definition of “open” center on the definition of “publicly available”. Open does not necessarily imply “free”. For instance, source code to a system may be “open” to and controlled by the consensus of a very select group, or implementation of an “open” standard may require licensing of patents or involve other legal issues (e.g. GIF, MP3, AAC). The word is often used as a marketing ploy and should be treated with a degree of skepticism. See further discussion under standard and open source.

open source: Open source is a system and a movement of distributed software development where full source code for systems is publicly available and effort is advanced by the donations of many individuals and organizations. In many ways, this is actually not a new system, but closely mirrors the way much of the Internet infrastructure was developed in the university systems and scattered corporate laboratories. Contrary to popular conception, many contributors to open source are not hackers in garages, but rather professionals who are funded by their organizations to work on public projects. Among the benefits to the organization are that individual efforts are multiplied, products are peer reviewed, and the organization is not solely responsible for future maintenance. If support is needed, it can be purchased from multiple competing sources or provided in house. A large pool of open source code acts as a ready base for customized software.

Open source is not to be confused with “public domain”, which is non-copyrighted. Open source is copyrighted, but under a license which provides for modification and redistribution, generally under “share-alike” terms which mean that you must license changes under the same terms you received them, giving back to the common pool. (Open source products may be freely used alongside commercial and proprietary works.)

There are a number of nearly open source “shared source” or “community source” licenses which are more restrictive and may result in a contributor losing access to their own work or coming under other surprising restrictions. The Open Source Initiative maintains a definition of what constitutes an open source license and approves individual licenses for use in the community [Osi-2006]. The most well-known open source license is the General Public License, or GPL, which is currently being revised into its 3rd version with broad industry input. The main goals include improving protection against patent litigation, a growing concern with software of all kinds.

Because of the many-eyes approach, open source can be more secure than closed-source software. It is also much more difficult to sneak backdoors into a peer-reviewed and heavily change-controlled process. However, there are always good and bad products, and, since open source projects are visible from the moment of inception, there are many projects which are not ready for public use by any but the most adventurous. High-profile and long-term open source projects like Linux and the Apache web server rival any other product for quality and will often receive large donations of funding, equipment, or functionality from diverse sources. As a noted example, the SELinux Role-Based Security module now included in most Linux systems was developed and donated by the National Security Agency.

Payment Card Industry Data Security Standard: A data security standard for merchants who handle credit card data, maintained by the PCI Security Standards Council. The individual card service providers (e.g. Visa, Mastercard) determine which entities must comply and enforce compliance. The standard defines requirements for providing a secure network, creating document retention policies, restricting access to data, and so forth. The PCI DSS takes an “as little as possible for as short a time as possible” approach to storing private customer data. See the PCI DSS FAQ online [PciSsc-2007] or the standard itself [PciSsc-2006].

phishing: A scheme whereby a forged email is sent purporting to be from a business you have a relationship with (a bank or vendor, for instance) with the intent of taking you to a fake internet site and getting you to provide personal information which is then used to steal money or goods. A typical scheme involves telling the recipient that something is wrong with their account and that they need to verify sensitive account information. Phishing is currently one of the most lucrative Internet crimes.

pretexting: The practice of impersonating a person or entity in order to obtain more information about them, such as impersonating a phone customer to get copies of phone records or impersonating a boss to get a password changed. Among hackers and security professionals, this is also known as human engineering.

Public Key Cryptography: A system of encryption where everyone has a public key and a private key (each is a file). The public key is used to encrypt a document, while the private key is used to read it. The public key is published freely, but the private key must be hidden (and generally requires a password to be used). The wonderful thing about this system is that you do not need to worry about how to get a secret password to someone. After all, if you could get a password to someone secretly and safely, why not send the whole document that way? In this case, you can just send someone your public key without worrying about anyone intercepting it. Public Key Cryptography is especially useful in secure email systems.

Public Key Cryptography can also be used for digital signing, also called non-repudiation. A person uses their secret key to sign a document and anyone else can use that person's public key to verify the signature. The signature proves that the document was signed and has not been changed. Digital signatures can be used to run digital notary services which can prove that a particular document existed at a specific time and has not been altered by anyone else.

root-kit: A set of programs installed on a computer to let someone take full control of it and hide their presence. Often delivered by a trojan horse or similar.

router: A device which routes traffic between two networks. You can think of a router as a highway interchange or on-ramp. A router will often function as a firewall.

secret: Private, uniquely identifying information or objects used to gain entry or access information. In security or cryptographic terms, a secret can include a physical key, the combination to a lock, a password, an encryption key, an access card or other device. Often, identifying information such as a social security number or mother's maiden name is treated as a secret by businesses, but it is inherently insecure since you must give out the same information many times in order to do business.

security by obscurity: Keeping elements of a security plan secret in order to increase security and prevent attackers from finding flaws, such as the design of encryption algorithms or the source code of a program or operating system. Often, the secrecy acts as no more than a speed bump to an attacker and the benefit of standard, peer-reviewed and proven defense far outweighs the temporary advantage. Criminals have many ways of finding flaws in secret systems, including stealing source code from vendors, and there are many of them looking. The design of a security system should assume that the attackers know all secrets with the exception of the actual keys or passwords. Security by obscurity can add to an otherwise secure system, such as by hiding from the attacker which standard defense is being used in order to slow down automated tools.

silver bullet: A high-tech, whiz-bang solution to everything in one box. Many vendors like to tell you that their product and their product alone will fix all of your problems. In most cases, they produce a single point of failure where one mistake nullifies all of your security. As an example, if you have an expensive product to keep Internet hackers out, what happens when the attacker gets physical access to your PC? Or hijacks the dialup account of your employee? Or steals your salesperson's laptop? Or is an employee? It is often better to have a defense in depth where multiple simpler defenses interlock to protect the whole.

sneakernet: Transferring documents by disk (floppy, CD, USB drive, etc.) and foot-power (sneakers). Often used by employees to avoid technical problems or security restrictions, it can also be used to increase security by avoiding sending sensitive documents over the Internet.

SPAM: A term for bulk unsolicited email, usually commercial, which can be compared to physical junk mail. Unlike postal junk mail, however, email recipients and operators of mail servers pay the postage, making it possible for SPAMers to send millions of messages at little or no cost. Also unlike postal junk mail, a large percentage of SPAM content is illegal. The term comes from a 1975 Monty Python skit27 about something which is repeated endlessly and cannot be gotten rid of.

Hormel Foods has tried unsuccessfully in court to block the use of the term SPAM, since they hold the trademark in their canned meat product.

spyware: Software that covertly monitors the user's actions, particularly web surfing habits, mainly for marketing purposes. Spyware is usually contained in and installed as part of disreputable freeware or shareware software that can be downloaded. The primary difference between spyware and a trojan horse is that the intent of spyware is commercial, not to commit criminal acts or damage the computer per se. The line becomes blurred because poorly written spyware often does damage or becomes a means of infection by accident. Like viruses or trojan horses, spyware will often take steps to make its removal difficult.

standard When used without an article, as in “standard practice” or “standardtechnology”, I am referring to common or customary use, whichmay include de-facto standards. Otherwise, “a standard” is apublished specification for a technology, product, or practice. Inorder to be effective, a standard must provide some means formeasuring conformance, whether a particular implementation meetsthe standard, such as a measure of effectiveness for a security standardor of interoperability for a product standard. In general, standardsbodies accept specifications only for existing products or practices(providing proof of viability), and specifications will often begin ina trade consortium and wend their way up through national and theninternational standards bodies as they gain adoption. An open standardis one where the specification is publicly available, maintained bygroup consensus, and available for any interested party to implement.

Patents and other legal restraints can be significant barriers to open standards. In the past, companies have pushed for their specifications to be adopted by the industry only to turn around and threaten lawsuits for patent infringement after the specification achieves widespread use (e.g. GIF, MP3). Standards organizations have begun to adopt rules requiring participants to grant patent rights to the standards body and standards implementors. Often, these rights are under “Reasonable and Non-Discriminatory” (RAND) policies, which seek to prevent the holder from using patents for trade-restraint and to enforce broad licensing. Despite this, RAND-compatible policies can still cause problems for broad standards adoption, typically preventing adoption by open source systems (due to license incompatibility) and often harboring dangerous fine print. Any RAND patent licenses or covenants-not-to-sue should be examined by an attorney to ensure that they provide adequate protection. A better solution is to stick to standards which require full and open patent licensing terms.

Standards encourage choice in the marketplace by ensuring that consumers can purchase interchangeable products, are assured a level of quality, and can avoid vendor lock-in. Choice among standards (having multiple standards which do the same thing) is often bad, causes marketplace confusion, and can encourage vendor lock-in.

trojan horse Historically, the Trojan Horse was a large wooden statue that Odysseus tricked the Trojan army into taking inside their city. At night, Achaean soldiers came out of the horse and ended a ten year siege in several bloody hours. In computer terms, a trojan horse is a program or file which you are tricked into downloading thinking it is something else, such as a card game or a video file. When used, the trojan horse invades your computer and leaves the gates open for a follow-on attack. A trojan horse differs from a virus in that it has no means to spread, although it may download other tools once it is installed.

virtual machine A simulated computer running inside a real computer. A virtual machine (VM) appears to have its own hard drive, operating system, and applications, but they actually exist as files on the real computer running them (the host). For instance, it is possible for a Windows Vista host computer to run two virtual machines, each with Windows XP and a web server.

The appeal of virtual machines is that they can be created and destroyed quickly and easily when needed, that they can be moved from server to server, and that they allow services to be separated for greater security and reliability. Instead of one server with a database and a webserver, you can run two VMs, one with a web server and the other with the database. Failure of one VM will not cause the other to fail, and an attacker who gains control of one cannot necessarily access the other machine or the host. A problem with a virtual machine can sometimes be fixed by destroying and recreating it from a backup, which is a simple process.

The downside of virtual machines is that they are slower than real computers and use more disk space, so total hardware is more expensive. You must also typically pay for a software license (operating system and applications) for each virtual machine rather than each computer. Some operating systems have licenses prohibiting them from being used in virtual machines (e.g. Mac OS X, some versions of Windows Vista), while others (Linux, FreeBSD) can be used at no additional cost.

Virtual Private Network An encrypted connection over the Internet between two networks, often used for telecommuters to connect to their corporate office. A VPN is usually started on a user's home PC or firewall device and connects to a business firewall on the other end. The connection creates a kind of “tunnel” between the two networks, acting as if the user's home PC were connected directly to the business while, at the same time, preventing someone from eavesdropping on the traffic. VPNs can be convenient and quite effective, but must be used with caution; a home user with an unsecured wireless access point can accidentally give their entire neighborhood direct access to your business network via a VPN connection.

virus A biological virus invades a cell and turns it into a mini virus factory. The copies of the virus then go on to invade other cells. Computer viruses attach to computer programs in order to copy themselves. Modern computer viruses can also infect office documents like memos and spreadsheets and spread via email because common office programs (e.g. MS Office) contain macros which act like mini programs. Viruses cannot infect pure text, plain email, or documents without scripts or macros. Viruses spread by email will typically read the recipient's address book and mail copies of themselves to other people.

Virus scanners detect viruses by looking for specific patterns (fingerprints or signatures) in the infected program. For this reason, virus scanners can only detect viruses which have already been discovered or that are very similar to known viruses. New viruses will not be detected until an update is available from the vendor.

Modern viruses modify the PC they infect to hide themselves and prevent removal, even from virus scanning software. For this reason, it is often necessary to reinstall the operating system to completely remove a virus once it infects your system.

vulnerability A weakness in a security design or procedures which could potentially be exploited, on purpose or by accident. A vulnerability can exist for some time without a known way of effectively exploiting it, or an exploit may be discovered at the same time. See exploit and zero-day exploit.

WEP Wired Equivalent Protection, a standard for encrypting first-generation wireless networks (802.11b). It was intended to make wireless networking as secure as wired networking. It did no such thing, for the simple reason that wireless networks can be tapped from a considerable distance and wired networks cannot. Today, WEP encryption has been cracked and is essentially useless [TewsEtAl-2007], and users should either upgrade to newer equipment using WPA or WPA2 encryption, or structure their network so that wireless networks are not trusted (see the section called “Disappearing Boundaries”).

wireless networking Connecting computers and peripherals with radio-based networks. Wireless networking usually refers to the technology commonly called Airport™ (an Apple trademark) or WiFi™, and technically the 802.11x standards. Recently, people have also begun using “wireless network” to refer to cellphone networks and cellphone-based Internet.

There are several different standards of WiFi which operate at different speeds and radio frequencies. This is confusing to many consumers. A brief comparison is provided on webopedia28. For our purposes, it is important to note that 802.11b, one of the older standards which is still in common use, uses security (WEP) which is now effectively useless against attackers with standard tools [TewsEtAl-2007].

Wireless networks avoid costly wiring and are very convenient, especially for small businesses leasing space, and especially for travellers with laptop computers. However, there are a number of security issues with wireless networks, including readily available tools for breaking into and snooping on them. When using your laptop in a public place, it is possible to have your laptop hijacked if you accidentally leave wireless on (vendors have acted to reduce this problem). Using public wireless networks may allow others to record your Internet traffic, including email and web pages visited; using SSL to access web pages and email makes this much more difficult.

workflow A workflow is the sequence of steps that a particular document goes through in the course of a business process, from start to completion. For example, a press release may go through one or more stages of drafting and review, require final approval, get published, then be archived. In workflow automation, roles are defined, such as owner, editor, reviewer, and approver; individuals are assigned to roles; and the roles are given appropriate access rights to the document as it passes from one stage to the next. Members of a workflow team are often given the ability to assign roles to other individuals; for instance, a document's owner may assign reviewers. Contrast this to ACLs, where access rights are typically centrally managed.
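As an added example (not code from the article), the workflow model just described in Python: a rights table per stage, delegation of roles by the owner rather than a central administrator, and a walk through the press-release stages. The stage names, role names, rights table and user names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Rights each role holds at each stage (constructed for this example). Anything not
# listed is denied, so access shrinks as the document moves on: an editor can write
# a draft but only read it once it is under review.
STAGE_RIGHTS = {
    "draft": {"owner": {"read", "write", "submit"}, "editor": {"read", "write"}},
    "review": {"owner": {"read"}, "editor": {"read"},
               "reviewer": {"read", "comment", "return", "advance"}},
    "approval": {"owner": {"read"}, "approver": {"read", "approve", "reject"}},
    "published": {"owner": {"read", "archive"}, "editor": {"read"},
                  "reviewer": {"read"}, "approver": {"read"}},
    "archived": {"owner": {"read"}},
}

# Delegation: which roles may hand out which other roles. The owner appoints editors
# and reviewers; approvers are appointed centrally when the document is created.
DELEGATION = {"owner": {"editor", "reviewer"}}

class AccessDenied(Exception):
    pass

@dataclass
class Document:
    title: str
    owner: str
    stage: str = "draft"
    roles: dict = field(default_factory=dict)  # user -> set of role names
    audit: list = field(default_factory=list)  # (stage, user, action) log

    def __post_init__(self):
        self.roles.setdefault(self.owner, set()).add("owner")

    def rights(self, user):
        # Union of the rights of every role the user holds at the current stage.
        table = STAGE_RIGHTS[self.stage]
        return set().union(*(table.get(r, set()) for r in self.roles.get(user, ())))

    def allows(self, user, right):
        return right in self.rights(user)

    def check(self, user, right):
        """Enforce a right and log the decision so every access is auditable."""
        if not self.allows(user, right):
            raise AccessDenied(f"{user} may not {right} '{self.title}' at stage {self.stage}")
        self.audit.append((self.stage, user, right))

    def assign(self, granter, user, role):
        """Delegation: the granter may only hand out roles DELEGATION allows."""
        may_grant = set().union(*(DELEGATION.get(r, set()) for r in self.roles.get(granter, ())))
        if role not in may_grant:
            raise AccessDenied(f"{granter} may not assign the {role} role")
        self.roles.setdefault(user, set()).add(role)
        self.audit.append((self.stage, granter, f"assign {role} to {user}"))

    def advance(self, user, right, new_stage):
        """Move to the next stage only if the user holds the right that permits it."""
        self.check(user, right)
        self.stage = new_stage

def try_assign(doc, granter, user, role):
    try:
        doc.assign(granter, user, role)
        return True
    except AccessDenied:
        return False

def press_release_walkthrough():
    """The glossary's example: draft, review, approval, publish, then archive."""
    # Constructed users: alice owns the document; dana was appointed approver centrally.
    doc = Document("Q2 press release", owner="alice", roles={"dana": {"approver"}})
    doc.assign("alice", "bob", "editor")      # owner delegates editing
    doc.assign("alice", "carol", "reviewer")  # owner delegates review
    doc.check("bob", "write")                 # editor may edit the draft
    doc.advance("alice", "submit", "review")
    editor_locked_out = not doc.allows("bob", "write")  # write right gone at review
    doc.advance("carol", "advance", "approval")
    doc.advance("dana", "approve", "published")
    doc.advance("alice", "archive", "archived")
    return doc, editor_locked_out
```

The audit log records every grant and delegation with the stage it happened in, which is what a reviewer of the process would ask for.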

WPA WPA and WPA2 are encryption standards for newer wireless networking protocols. They replace the insecure WEP encryption used in first-generation wireless networks and are still considered safe. Wireless networks, however, are fundamentally less secure than wired networks, so it is always a good idea to structure your network so that wireless networks are not trusted (see the section called “Disappearing Boundaries”).

WPA2 See WPA.

zero-day exploit A vulnerability and an effective exploit discovered at the same time. Zero-day exploits in 3rd party software are extremely dangerous since it will take time for vendors to produce an update fixing the vulnerability and, in the meantime, attackers may freely use the exploit. Often, the only effective solution is to close or reduce services in some manner to deny access to the vulnerability while security experts attempt to fix the problem. For example, users can temporarily turn off JavaScript in their web browsers to avoid an exploit which uses JavaScript.

zombie A computer infected by malware which is under remote control. A zombie will be made to perform illegal tasks for its controller, such as sending SPAM, breaking into other computers, Distributed Denial-of-Service (DDoS) attacks, and so forth. A zombie also generally includes a key logger.

Bibliography

[AliPabrai-2005] Certification Magazine29. MediaTec Publishing, Inc. “The CobiT Security Baseline30”. Uday O. Ali Pabrai. July 2005.

[Bbc-2007a] BBC News31. BBC. “Malicious code rise driven by web32”. The number of new pieces of malicious software has doubled in the last year with the web being used increasingly to distribute the code, a report says. March 19, 2007.

[Bbc-2007b] BBC News33. BBC. “'Surge' in hijacked PC networks34”. April 25, 2007.

[BrownleeGuttman-1998] N. Brownlee and E. Guttman. “Request for Comments: 2350 - Expectations for Computer Security Incident Response35”. Internet Engineering Task Force. June 1998. RFC: 2350.

[CaSenate-2003] California State Senate. “California Information Practice Act of 2003”. SB 1386. September 26, 2002. This bill became law in 2003. The text of the law is available online36.

29 http://www.certmag.com
30 http://www.certmag.com/articles/templates/cmag_department_sec.asp?articleid=1239&zoneid=43#
31 http://news.bbc.co.uk/
32 http://news.bbc.co.uk/2/hi/technology/6465833.stm
33 http://news.bbc.co.uk/
34 http://news.bbc.co.uk/2/hi/technology/6591183.stm
35 http://www.ietf.org/rfc/rfc2350.txt
36 http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html


[Dhhs-2003] The Federal Register. National Archives and Records Administration. 45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule37. February 20, 2003. 68. 34.

[Evett-2007] Top Ten Reviews. TopTenReviews, Inc. Don Evett. “Spam Statistics 200638”. January 18, 2007.

[FbiIc3-2006] Internet Crime Complaint Center 2006 Internet Fraud Crime Report39. January 1, 2006 - December 31, 2006. National White Collar Crime Center. Federal Bureau of Investigation. FBI Internet Crime Complaint Center. Washington D.C. 2007.

[FeynmanEtAl-1985] Richard Phillips Feynman, Ralph Leighton, and Edward Hutchings. Surely You're Joking, Mr. Feynman!: Adventures of a Curious Character / Richard P. Feynman as told to Ralph Leighton. W.W. Norton. New York. 1985. 0393019217.

[GarfinkleMalan-2006] “One Big File Is Not Enough: A Critical Evaluation of the Dominant Free-Space Sanitization Technique”. Simson L. Garfinkel and David J. Malan. 2006. A copy of this paper is available from the authors, or on the web40.

[GordonEtAl-2006] 2006 CSI/FBI Computer Crime and Security Survey. Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Robert Richardson. Federal Bureau of Investigation. Computer Security Institute. Copyright © 2006 Computer Security Institute. 2005. The report can be obtained online by following links from http://www.gocsi.com/press/20060712.jhtml and registering.

[Harbert-2006] IQ Magazine41. Cisco Systems, Inc. Tom Harbert. Mick Wiggins. “Combining Security and Regulatory Compliance42”. Using best practices for network security sets a course to time savings, asset protection, and sales to big customers. 3rd Quarter 2006.

[Higgins-2007] Dark Reading43. Light Reading, Inc. New York, NY. Kelly Jackson Higgins. “How to Cheat Hardware Memory Access44”. February 27, 2007.

[Isf-2005a] Information Security Forum. The Standard of Good Practice for Information Security. 4.1. Copyright © 2005 Information Security Forum. January, 2005. The standard can be obtained online from http://www.isfsecuritystandard.com/index_ie.htm. Registration is required. As of the time of this writing, their site will not function if JavaScript is not enabled.

[Isf-2005b] Information Security Forum. ISF Digest: The Disappearance of the Network Boundary. Copyright © 2005 Information Security Forum. April, 2005. The report can be obtained online from http://www.securityforum.org/html/view_pub01.asp. Registration is required. As of the time of this writing, their site will not function if JavaScript is not enabled.

[IsoIec-2005] ISO. Information Technology - Security Techniques. Code of practice for information security management. 2005. ISO. Geneva, Switzerland. ISO/IEC 17799. 2005. Copies can be obtained from the ISO Online Store45.

[Itgi-2004] IT Governance Institute. COBIT® Security Baseline. An Information Security Survival Kit. IT Governance Institute. Rolling Meadows, Illinois. 2004. 1-893209-79-2. Note that a PDF is available online46 with site registration. The downloaded PDF has several pages of ads and membership material at the front; it is the correct document.

37 http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf
38 http://spam-filter-review.toptenreviews.com/spam-statistics.html
39 http://www.ic3.gov/media/annualreport/2006_IC3Report.pdf
40 http://www.simson.net/clips/academic/2006.PET.bigfile.pdf
41 http://www.cisco.com/web/about/ac123/iqmagazine/index.html
42 http://www.cisco.com/web/about/ac123/iqmagazine/archives/q3_2006/COMP_sailingcompliance.html
43 http://www.darkreading.com/default.asp
44 http://www.darkreading.com/document.asp?doc_id=118291
45 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=
46 http://www.isaca.org/TemplateRedirect.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentID=20290


[Itgi-2005] IT Governance Institute. COBIT® 4.0. Control Objectives, Management Guidelines, Maturity Models. IT Governance Institute. Rolling Meadows, Illinois. 2005. 1-933284-37-4. Note that a PDF is available online47 with site registration.

[Itgi-2006] Cobit® Focus48. IT Governance Institute. Rolling Meadows, Illinois. IT Governance Institute. “Harley-Davidson: Using COBIT to Simplify Compliance”. pp 8-9. December 2006. 2. Copyright © 2006 IT Governance Institute. This issue is available in PDF form online49. Note that the table of contents is wrong; the article begins on page 8.

[Kantor-2005] USA Today50. USA Today. Andrew Kantor. “Sony: The rootkit of all evil?51”. November 17, 2005 5:00 PM. Copyright © 2005 USA Today.

[Keizer-2007] ComputerWorld52. ComputerWorld, Inc. George Keizer. “Massive spam shot of 'Storm Trojan' reaches record proportions53”. It's the biggest spam blast in the last year. April 12, 2007. Copyright © 2007 ComputerWorld, Inc.

[Krazit-2006] ZDNet News54. CNet Networks, Inc. Tom Krazit. “FAQ: The HP 'pretexting' scandal55”. September 6, 2006, 4:42 PM PT. Copyright © 2006 CNet Networks, Inc.

[Krebs-2007] Security Fix56. The Washington Post Company. Brian Krebs. “Fortune 500s Unwittingly Become Spammers57”. March 29, 2007; 11:11 AM ET. Copyright © 2007 The Washington Post Company.

[Lazarus-2006] The San Francisco Chronicle58. Hearst Communications, Inc. David Lazarus. “Data theft may hurt workers59”. August 16, 2006. Copyright © 2006 Hearst Communications, Inc. This article appeared on page C-1 of the San Francisco Chronicle.

[Lemos-2007a] SecurityFocus™60. SecurityFocus™. Robert Lemos. “Consumers dump breached retailers, says study61”. April 11, 2007. Copyright © 2007 SecurityFocus.

[Lemos-2007b] SecurityFocus™62. SecurityFocus™. Robert Lemos. “Report: TJX thieves exploited wireless insecurities63”. May 4, 2007. Copyright © 2007 SecurityFocus.

[LioyEtAl-1997] Antonio Lioy, Fabio Maino, and Marco Mezzalama. “Secure Document Management and Distribution in an Open Network Environment”. Politecnico di Torino, Dip. di Automatica e Informatica. Torino, Italy. 1997.

[MatsumotoEtAl-2002] Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV. T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. “Impact of Artificial Gummy Fingers on Fingerprint Systems”. Copies of this paper can be obtained from the author by email64 or online from Cryptome.org65. There is also a summary of the findings in the May 15th, 2002 Crypto-Gram Newsletter66 from Counterpane Internet Security, Inc.

47 http://www.isaca.org/cobit.htm
48 http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=31703&TEMPLATE=/ContentManagement/ContentDisplay.cfm
49 http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=28423
50 http://www.usatoday.com
51 http://www.usatoday.com/tech/columnist/andrewkantor/2005-11-17-sony-rootkit_x.htm
52 http://www.computerworld.com
53 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016420
54 http://news.zdnet.com/
55 http://news.zdnet.com/2100-9595_22-6113011.html
56 http://blog.washingtonpost.com/securityfix/
57 http://blog.washingtonpost.com/securityfix/2007/03/fortune_500s_unwittingly_becom.html
58 http://www.sfgate.com/
59 http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/08/16/BUG1EKJ14T1.DTL
60 http://www.securityfocus.com
61 http://www.securityfocus.com/brief/481
62 http://www.securityfocus.com
63 http://www.securityfocus.com/brief/496
64 mailto:[email protected]

[Maxcer-2007] TechNewsWorld™67. ECT News Network™. Chris Maxcer. “Fail-Safe System Fails in Alaska's Data Debacle68”. March 21, 2007 2:30 AM PT. Copyright © 2007 ECT News Network, Inc.

[MythBusters-2006] MythBusters. Beyond International. Crimes and Myth-Demeanors 2. August 23, 2006. 4. 59. An online summary of this episode is available in the online Wikipedia69.

[Osi-2006] Open Source Initiative70. Open Source Initiative. Open Source Definition71. July 7, 2006 3:49. Copyright © 2006 Open Source Initiative. There is also an annotated version72 with some additional rationale.

[PciSsc-2006] Payment Card Industry Data Security Standard73. 1.1. PCI Security Standards Council, LLC. Wakefield, MA. September 2006.

[PciSsc-2007] PCI Security Standards Council™74. PCI Security Standards Council, LLC. The PCI Security Standards Council Frequently Asked Questions - General Information75. PCI Security Standards Council, LLC. Wakefield, Massachusetts. April 17, 2007. Copyright © 2007 PCI Security Standards Council, LLC.

[Rasch-2007] SecurityFocus™76. SecurityFocus™. Mark Rasch. “The Politics of E-Mail77”. April 17, 2007. Copyright © 2007 SecurityFocus.

[Schneier-2005] Wired78. CondéNet, Inc. Bruce Schneier. “Real Story of the Rogue Rootkit79”. November 17, 2005 2:00 AM. Copyright © 2005 CondéNet, Inc.

[Schneier-2007] Wired80. CondéNet, Inc. Bruce Schneier. “How Security Companies Sucker Us With Lemons81”. April 19, 2007 2:00 AM. Copyright © 2007 CondéNet, Inc.

[SeiCm-2001] CERT Coordination Center82. Carnegie Mellon Software Engineering Institute. Pittsburgh, PA 15213-3890. CERT® Coordination Center Incident Reporting Guidelines83. July 30, 2001. Copyright © 2001 Carnegie Mellon University.

[SeiCm-2007] Software Engineering Institute - Carnegie Mellon84. Carnegie Mellon Software Engineering Institute. Pittsburgh, PA 15213-3890. Open Systems Glossary85. March 20, 2007 8:38:06. Copyright © 2007 Carnegie Mellon University.

65 http://cryptome.org/gummy.htm
66 http://www.schneier.com/crypto-gram-0205.html#5
67 http://www.technewsworld.com
68 http://www.technewsworld.com/story/56414.html
69 http://en.wikipedia.org/w/index.php?title=MythBusters_%28season_4%29&oldid=127130877
70 http://opensource.org
71 http://opensource.org/docs/osd
72 http://opensource.org/docs/definition.php
73 https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
74 https://www.pcisecuritystandards.org
75 https://www.pcisecuritystandards.org/about/faqs.htm
76 http://www.securityfocus.com
77 http://www.securityfocus.com/columnists/440/1
78 http://www.wired.com
79 http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601
80 http://www.wired.com
81 http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419
82 http://www.cert.org
83 http://www.cert.org/tech_tips/incident_reporting.html
84 http://www.sei.cmu.edu/opensystems/welcome.html
85 http://www.sei.cmu.edu/opensystems/glossary.html#o


[SoleckiRosenberg-2004] Law Journal Newsletters - Employment Law Strategist. ALM Properties, Inc. Albert J. Solecki, Jr. and Melissa G. Rosenberg. “Workplace E-mail86”. Employers Beware!. 12. 7. November 2004. Copyright © 2004 ALM Properties, Inc.

[Sullivan-2006] The Red Tape Chronicles87. MSNBC. Bob Sullivan. “'I just bought your hard drive'88”. June 5, 2006 3:00 am CT. Copyright © 2006 MSNBC.com.

[TewsEtAl-2007] Erik Tews, Ralph-Philipp Weinmann, and Andrei Pyshkin. “Breaking 104 bit WEP in less than 60 seconds89”. Technische Universität Darmstadt, Fachbereich Informatik. Hochschulstrasse 10, Darmstadt D-64289. April 3, 2007.

[Tweakers-2007] Tweakers.net90. Tweakers.net. “Secustick gives false sense of security91”. April 12, 2007 08:59. Copyright © 2007 Tweakers.net. This article is translated from the Dutch.

[Usc-1996] Health Insurance Portability and Accountability Act of 1996. 104,191 USC. 1996. The text of the law is available online92.

[Vijayan-2007a] ComputerWorld93. ComputerWorld, Inc. Jaikumar Vijayan. “TJX data breach: At 45.6M card numbers, it's the biggest ever94”. It eclipses the compromise in June 2005 at CardSystems Solutions. March 29, 2007. Copyright © 2007 ComputerWorld, Inc.

[Vijayan-2007b] ComputerWorld (Australia)95. IDG Communications, Inc. Jaikumar Vijayan. “Hackers offer subscription, support for their malware96”. Organised hacking gangs set up malware subscription sites. April 5, 2007 08:17:16. Copyright © 2007 IDG Communications, Inc.

[Weber-2007] BBC News97. BBC. Tim Weber. “Criminals 'may overwhelm the web'98”. January 25, 2007.

[West-BrownEtAl-2003] Moira J. West-Brown, Don Stikvoort, Klaus-Peter Kossakowski, Georgia Killcrece, Robin Ruefle, and Mark Zajicek. Handbook for Computer Security Incident Response Teams (CSIRTs)99. 2. Carnegie Mellon Software Engineering Institute. Pittsburgh, PA 15213-3890. April 2003. Copyright © 2003 Carnegie Mellon University.

Thanks to Bruno Vernay for the CSS template I started from for the HTML version. Many thanks to the folks at OASIS and everyone else who makes DocBook a wonderful tool.

86 http://www.goodwinprocter.com/getfile.aspx?filepath=/Files/publications/solecki_rosenberg_11_04.pdf
87 http://redtape.msnbc.com
88 http://redtape.msnbc.com/2006/06/one_year_ago_ha.html
89 http://eprint.iacr.org/2007/120
90 http://www.tweakers.net
91 http://tweakers.net/reviews/683
92 http://aspe.hhs.gov/admnsimp/pl104191.htm
93 http://www.computerworld.com
94 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014782
95 http://www.computerworld.com.au
96 http://www.computerworld.com.au/index.php/id;838771320;fp;16;fpid;0
97 http://news.bbc.co.uk/
98 http://news.bbc.co.uk/2/hi/business/6298641.stm
99 http://www.cert.org/archive/pdf/csirt-handbook.pdf