Entries from August 2008
A recent engagement and publication reminded me how critical it is to limit what systems within an organization are able to do. Specifically: servers should run only a limited set of services; those systems should have restricted access, inbound and outbound; and chaining of servers and services (one server trusted to reach the next, which reaches the next) must be avoided.
While this is fairly well published by NIST, NSA, CIA, PCI DSS (the standard), ISACA, and non-technical professional groups such as the IIA, network operators and firewall operators tend not to enforce these restrictions. Why? A few common reasons:
- The objective of network and server operators is to provide services; eliminating services goes against the grain
- A lack of clarity about which services each system actually requires (and some products, Microsoft Exchange for example, require a large number of services and broad access) makes it hard to clean up servers with confidence
- Firewall and security people would love to restrict by source, destination and service; however, if the server and application owners cannot articulate which services are necessary in which direction, the ACLs cannot be put in place without breaking the network
The importance of eliminating these services was recently highlighted by the extremely talented folks over at SensePost. Their 2008 Black Hat presentation on “reDuh” is here. reDuh is a tool that simply allows one to create a “TCP circuit through validly formed HTTP requests”: once an attacker can place a page on a web server, every connection that web server is permitted to make to other hosts becomes available to the attacker, tunnelled inside ordinary HTTP traffic. The tool is free with registration. Simply put, it shows the threat in allowing one server to access another server without restriction “because it is inaccessible from the firewall”.
Security professionals and operators should consider the following:
- Services should be limited; with virtual systems readily available, company-specific setups can be tested in isolation, so security can keep restricting until the minimum working set is reached
- When acquiring technology you (the buyer) should not send the check until you have the complete list of services (applications) and ports (inbound and outbound) required to make the application work
- Evaluations should consider the chaining effect: what can be reached from server X, then from Y, then from Z? Most times security is a single line in the sand, and such follies lead to disaster.
The intent of restricting by server and service is not to inconvenience, but to bring the security technology already in place to its optimal state. Once the public-facing systems are secured, an effort should be made to segment the end-user networks as well.
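The chaining point above is easy to state and easy to lose track of once a policy has more than a handful of rules. The following script is an added example, not part of the original post or of SensePost's reDuh: it takes the list of flows the server and application owners have declared as required (the same list you should demand before sending the check) and computes which hosts an attacker can reach by hopping through permitted connections, and which observed connections were never declared at all. All host names, ports and flows are constructed for illustration.

```python
"""Reachability and drift checks over a declared firewall policy.

Added example (not from the original post).  A flow is (src, dst, dst_port).
"internet" is a pseudo-host standing in for untrusted inbound traffic.
"""
from collections import defaultdict, deque

# Constructed sample policy: what the owners say each server needs.
SAMPLE_POLICY = [
    ("internet", "web01", 443),
    ("web01", "app01", 8080),
    ("app01", "db01", 1433),
    ("app01", "ad01", 389),   # hypothetical directory lookups
    ("ad01", "db01", 445),    # hypothetical file share used for backups
    ("mgmt01", "web01", 22),
    ("mgmt01", "app01", 22),
    ("mgmt01", "db01", 22),
]

# Constructed sample of what a flow log / netstat actually showed.
OBSERVED = [
    ("internet", "web01", 443),
    ("web01", "app01", 8080),
    ("web01", "db01", 1433),   # nobody declared this one
    ("app01", "db01", 1433),
]


def build_graph(policy):
    """Adjacency list: host -> set of (next_host, port) it may connect to."""
    graph = defaultdict(set)
    for src, dst, port in policy:
        graph[src].add((dst, port))
    return graph


def reachable_paths(policy, start, target, max_hops=6):
    """Every chain of permitted flows from start to target, shortest first.

    Each path is a list of (host, port) hops after the start host.  A hop is
    treated as usable by whoever controls the previous host, which is the
    reDuh scenario: the web tier's *outbound* rules become the attacker's
    inbound rules once the web tier is compromised.
    """
    graph = build_graph(policy)
    paths = []
    queue = deque([(start, [])])
    while queue:
        host, path = queue.popleft()
        if host == target:
            paths.append(path)
            continue
        if len(path) >= max_hops:
            continue
        visited = {start} | {h for h, _ in path}
        for nxt, port in sorted(graph[host]):
            if nxt not in visited:
                queue.append((nxt, path + [(nxt, port)]))
    return paths


def blast_radius(policy, compromised):
    """All hosts transitively reachable from a compromised host."""
    graph = build_graph(policy)
    seen, stack = set(), [compromised]
    while stack:
        host = stack.pop()
        for nxt, _ in graph[host]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(compromised)
    return seen


def undeclared_flows(policy, observed):
    """Observed flows that no owner declared: candidates to block or justify."""
    declared = set(policy)
    return [flow for flow in observed if flow not in declared]


def without_flow(policy, src, dst, port):
    """The policy with one rule removed, to test the effect of tightening."""
    return [f for f in policy if f != (src, dst, port)]


def format_path(start, path):
    return " -> ".join([start] + [f"{h}:{p}" for h, p in path])


if __name__ == "__main__":
    print("chains from the internet to the database:")
    for p in reachable_paths(SAMPLE_POLICY, "internet", "db01"):
        print("  " + format_path("internet", p))
    print("blast radius of a compromised web01:",
          sorted(blast_radius(SAMPLE_POLICY, "web01")))
    print("observed but never declared:",
          undeclared_flows(SAMPLE_POLICY, OBSERVED))
    tightened = without_flow(SAMPLE_POLICY, "web01", "app01", 8080)
    print("chains after removing web01 -> app01:",
          reachable_paths(tightened, "internet", "db01"))
```

Run against the constructed policy, the script reports two chains from the internet to `db01` (one of them through the directory server's backup share, a rule that nobody would think of as "database access"), a web-tier blast radius of three internal hosts, and one observed flow that was never declared. The same checks run against a real ruleset export are what "evaluate the chaining effect" means in practice.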
Generally this control applies to PCI DSS Sections 1.2, 1.3.1, 1.3.2, 1.3.3, 1.4, and 2.2
Other ideas?
James DeLuccia IV
**Please join me at the CSO Executive Seminar Series on PCI Compliance & Application Security on September 10th, New York City
Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard
There are advantages to eliminating complexity in technology environments. I detail the advantages at length in my book (ahem) and, more recently, at several professional association conferences. CSO interviewed me on this topic and you can find my thoughts and those of Jeremy Moskowitz (King of free) and Keith Gosselin here.
Assuming you have skimmed the aforementioned sources… I would also add the following to the body of knowledge: deconstructing the technology infrastructure is a necessary and continuous process that must be embraced by the business and accepted by those managing the technology components. Let me explain further:
Technology is a horizontal layer placed upon business units that are organized vertically. A single router may serve the entire enterprise, or a single branch office. The focus of the business shifts as the global market shifts: central operations migrated to fully outsourced global centers and again to insourced (in-country) centers. Mainframes shifted to desktops, which shifted again to the internet web-app model, and perhaps again to SDD thin-client laptops connecting wirelessly into the office. The office itself has disassembled from a single “Sears Tower” building into a global workforce operating in offices, homes, and coffee shops.
Net net… the needs of the business shift in response to market requirements (and, yes, that market can and does include the employees), and technology, along with everything that goes with it (compliance, security, CIA, etc.), must be responsive. Through a reduction in complexity the agility of the enterprise is enhanced, and consequently the security, integrity, and operational sufficiency can be considered ideal, for the moment.
Again, check out the article, which has some great tactical ideas, and post your comments below.
Best regards,
James DeLuccia IV
Categories: Compliance · IT Controls · Security
Back from Scotland and wow what a country! Beyond the brilliant countryside and exquisite architecture I noted two interesting facts relevant to our subject at hand.
The first is the absolute (seeming) lack of technology for the farmers and the majority of the country. Having spent over seven days cycling across the nation, I was instantly struck by the appearance, or lack thereof. It was only after noting the country inn receptions using Facebook, and every pub accepting credit cards, that the inkling of technology appeared. The second observation is their extreme concern for security.
While I was enjoying the countryside, the U.K. Parliament was debating the passing of legislation that would make businesses liable for identity theft. This is unlike any law in form anywhere in the world. Roughly, it will place the onus upon those that were the victims of a breach (the business) to get ahead of any criminal activities. An interesting approach to a problem that has not been solved adequately or evenly anywhere.
This legislative initiative is joined by the recent publication of the Final Poynter review on the HMRC data loss, and numerous imposed fines by the FSA.
The importance of sound control environments and of mitigating the threats of technology is clearer to me today than before my holiday, and reinforces the absolute necessity for everyone to step it up a notch.
Warm Regards,
James DeLuccia
Categories: Compliance