Silver jewelry

A security design framework is a structure on which all future security designs can be built. As a security designer, you should create a base security design framework on which your security designs can be built or you (or your design team) might end up with incomplete assessments, lack of follow-through, and an incomplete picture of the changing security landscape.    70-291   70-290    70-293   70-271    70-299

After this lesson, you will be able to

Describe the components of a security design framework.

Describe the process for creating a security design framework.

Identify the principles of information security design.

Explain the purpose of threat modeling.

Perform threat modeling.

Design a process for responding to incidents.

Design the use of segmented networks.

Design a process for recovering services.

Estimated lesson time: 80 minutes

Components of a Security Design Framework
A security design framework is a collection of items or components that should be considered when creating any information security design. Parts of a security design framework typically include the following concepts, which will be defined more fully in later sections:

Prevention, detection, isolation, and recovery.

The principles of information security design. These are concepts that should be reviewed when examining any IT process. If they can be applied, a more secure process will result.

Threat modeling. If you understand how a network or one of its components might be attacked, you can develop a better defense.

Incident response. When an attack occurs, what should be done?

Segmented network design. Isolating parts of the network can contribute to security. Each design should question the need for segmentation and propose how to isolate sensitive data and the computers that store or manage it.

Recovery processes. An attack, or even an accident, can mean the destruction of data, computers, or network infrastructure. Planning for the recovery of data, computers, and network infrastructure can prevent the loss from becoming a disaster.

Life-cycle review. Every security design has a life cycle. Security design, policy and procedure development, implementation of the security design, and management of the design and policies form the basis of a sound security framework. However, this is not a linear process. Each new product, process, and threat means re-analysis and possible revision. Security is not a job that is ever done.

Three characteristics of data—purpose, integrity, and sensitivity—will help you define a categorization scheme that can be used in all security designs. Categorizing data will help you determine the extent to which it should be protected. Think of these as the dimensions that define the data. Just as height, width, and depth define objects such as blocks and boxes, purpose, integrity, and sensitivity define data.

 Note  In the real world, data owners should be responsible for classifying data, but being familiar with the process will allow you to question or to assist the data owners.
 

Use the following guidelines to categorize and secure data:

Determine how the data is used (its purpose) and what will happen if the data is unavailable. Here, it’s important to identify what the data is used for. Some information gathered during the organization’s risk analysis process or in the development of the BIA will be of great assistance to you here. Data can then often be categorized by its purpose—its importance to the survival of the business.

Determine the impact of errors in the data. What will happen if the integrity of the data cannot be ensured? If my name is spelled incorrectly in your customer database, I might get annoyed. If my bill is incorrect, I can guarantee you I’ll be upset. But these issues are correctable and might be due to small clerical errors. If, however, every customer’s bill is only half of what it should be, there is a serious system error somewhere that will affect the company’s profitability and, likely, its ability to remain in business. Clearly, some data must be protected more securely than other data.

 Off the Record  An example of why determining the impact of errors is important is evident in the early use of computer-controlled radiation machines. These machines controlled the amount of radiation directed to a cancerous tumor by calculations based on an operator setting and an internal table. Unfortunately, because of system-design errors coupled with operator error, there have been cases of accidental megadoses of radiation burning a hole through a patient’s shoulder instead of merely destroying cancerous cells.
 

Determine the sensitivity of the data. What will happen if the data becomes available to unauthorized individuals? In government operations, data is often classified as secret, top secret, and for these eyes only, and the protection of the data is arranged accordingly. In a business, care should also be taken to classify the sensitivity of data and arrange for its protection. If there is not time to formally classify data, you should at least make yourself aware of the nature of sensitive data. Financial factors that might affect the stock market price of a company are, for example, more sensitive than information about employee vacation times (and even that depends on whose vacation time people might gain knowledge of).     70-290  MB6-508   70-291   350-001

For an organization to stay in business and maximize profits, its management must consider certain business drivers for each business activity the organization undertakes. Common business drivers that the security design must address include the following:70-294  mb2-631   70-640   70-297   70-630

• The initial and ongoing cost of security The real and perceived cost of security will always be a driving factor in the implementation of security.

• Legal requirements for security Legal requirements affect implementation of security and other IT operational aspects, and the impact of these legal requirements is increasing. Deciding how much security is necessary and convincing management to accept the recommendation is not an easy chore. However, current and proposed laws support the design and development of sound security practices. Consequently, legal requirements often can be an ally to security designers rather than a burden.

The impact security decisions will have on end users For purposes of considering the effect of security on end users, end user is defined as an individual who uses a system to obtain, manage, or distribute information but is not limited to employees who work directly for the company. Customers who access their banking or other information via the Internet, partners who cross gateways to access shared information, and public use of company Web sites are all examples of end users relying on information systems. Security designers must consider the impact that security policies will have on end users. For example, changing the password policy to require the use of symbols, letters, and numbers in password, when users were not required to do so before, can greatly upset a large number of users. If users are not warned that such a change is coming and told what they need to do to, the uproar and complaints can affect productivity and even force a roll-back to a less secure password policy.

How security will mitigate risk Risk is often defined as the probability of suffering a loss. Risk management involves identifying risk and deciding what to do about it. Even if a risk cannot be eliminated, it can be addressed. Mitigation of risk is one the goals of information security.

In addition to these common business drivers, the IT department has business drivers of its own to consider:

Maintaining interoperability The best security design might not be implemented because it failed to take into account the nature of all operating systems and applications that are part of the organization’s network.

Achieving security maintainability goals Any operations design must achieve certain maintainability goals, and this is even more important with security designs. Security devices and procedures that are not maintained will eventually become ineffective.

Addressing scalability needs Many security designs can be implemented in a test network or small business with great success, but are impractical or fail when rolled out across more extensive systems. While you can’t always forecast system growth, you can evaluate a security design in light of the environment it will be deployed in and simply assume moderate growth over time.

The guidelines that follow will help you analyze these business and IT-specific drivers. 

Identifying the Sources of Risk: It’s Not as Simple as It Seems
Many risk management experts caution that we should look for all sources of risk. They identify the sources of risk as people, processes, and technology. Other experts include things beyond our control, such as your ISP’s lax password policy that could be a risk to the security of your organization’s data. Identifying the sources of risk, however, is not always simple. SY0-101 70-272 70-630

In 1998, a small Midwestern consulting firm’s telephone system was rendered inoperable in the middle of a business day when the system administrator changed the account used to run the service for the software-based Private Branch Exchange (PBX) system. The change was made, in accordance with the PBX system documentation, to facilitate the delivery of voice mail directly to the employees’ mailboxes. However, when the PBX system was brought back on line, the phones were all dead. Fortunately, the administrator was able to determine that the problem could be rectified by granting the new account appropriate permissions on the database. Nowhere in the PBX system documentation was that step listed or even alluded to.

It is easy to see, after a loss occurs, how it happened. Yet if you had been evaluating the risks associated with the PBX, which source of risk would you have identified?

Was the source of the risk people related? The systems administrator has to make changes to systems configuration from time to time—did she make a mistake or proceed without all the information? Did the administrator make a change to the configuration without thinking of the possible consequences? If she had reviewed the process with others, she might have questioned why permissions were not being reassigned.

Was the source of the risk technical? The system might have failed because its configuration was in error. Wouldn’t a better design have warned the administrator that a change in accounts might cause a problem? New error messages in Microsoft Windows Server 2003 and Windows XP Professional seek to warn users and administrators of nonreversible operations, such as password resets, that might damage the ability to access critical data such as encrypted files. 70-297 70-640 mb2-631

Was the source of the risk process related? Should the operational procedures have been required to be tested or at least reviewed before they were implemented? Or, perhaps such a major change should have been made during less critical business hours.

Threats to Security Introduced by Security Maintainability Issues
Any operations design must satisfy maintainability goals, and this is even more important with security design. If security cannot be maintained, it might be eliminated. The following threats to security can result when security designers forget to consider maintainability:

If a security design has a high reliance on people following a written policy that cannot be enforced via technical controls, it is unlikely that adherence to the policy will continue over time.

If a technical control is difficult to maintain, its enforcement might weaken over time. If there is no way, for example, to prevent the introduction of modems into the network and strict restrictions on Internet access are enforced via the local area network (LAN) connection, users might use modems as alternative paths to access the Internet. In doing so, they breach security by avoiding filters, access controls, and logging.

When controls must be renewed and it is difficult to do so, business productivity will be disrupted. Can certificates be automatically reissued before they expire, or must new certificates be manually obtained? Who will manage the intrusion detection systems when the person who received training and cared for the intrusion detection systems for three years leaves the company?

Important Support for security maintainability is important. In Windows Server 2003, functions such as Group Policy can be used to reapply security settings on a periodic basis. Computer and user certificates can be automatically deployed. Security templates can be reapplied to stand-alone systems and used to audit security compliance. 70-294 70-647 70-291

Considerations for Determining How Security Design Affects End Users
To help you determine how a change in security can affect end users, ask yourself these questions: 1D0-410 70-431 70-299

How will a stronger password policy actually work at the end-user level? Will requiring a longer password mean more passwords are written on paper where unauthorized users might discover them? Will it mean loss of productivity or additional help desk labor because of an increased need to reset passwords?

What will adding an account lockout policy do to users? Account lockout policies lock accounts after a number of incorrect password attempts. The number of false attempts allowed is adjustable. Will the number of allowed attempts accommodate remote users, or will fumble-fingered sales personnel be unable to enter their orders because their account gets locked out? How long will the policy keep accounts locked out? Local users might be able to wait the 10 minutes or until the help desk can reset their account. Can the traveling executive seeking critical information on a dial-up line afford to waste that much time attempting to contact the help desk?

What will be the side-effects of moving to smart cards? What will happen when users forget their smart cards at home and attempt to use an office mate’s card? If restrictions on card removal (sessions are logged off when smart cards are removed) are set, two users cannot use the same smart card and maintain consecutive sessions. This solves a long-standing dilemma as well—that is, how to restrict each user to one session at a time on the network. These are positive side-effects that affect users. However, smart cards can also have a negative effect. In the Microsoft Windows 2000 environment, smart card certificate renewal is not automatic. This situation can have a major impact on end users because they must figure out how to renew certificates. Although this is not a difficult chore, it can be for some users. When thousands of users must do so, many of them will have problems. This will put a large strain on the help desk and might affect the productivity of the users, as after certificates expire users cannot work until they renew the certificate. In Windows Server 2003, you can implement automatic renewal. If you do not consider the impact of security on end users, you might miss this critical step.

Guidelines for Using the Security Design to Mitigate Risk
Follow these guidelines to incorporate risk mitigation strategies into your security design:

Look at IT operations with an eye to risk. This approach can help in the development of more secure systems.

Develop a risk model for IT operations as a part of any security framework.

Don’t limit risk modeling to the evaluation of potential security risks, but incorporate the development of a long-term risk management strategy into the company’s IT operations.

Find out who manages risk for the organization. You will find them to be a ready source of information on risks to your organization.

Incorporate other people’s knowledge about risks into security designs.

Require continuous risk assessment and response. Your security design should continually search for new risks and periodically evaluate known risks. Consider that viruses and worms, historically perceived as risks related to e-mail, are now spread by attacks against vulnerable services such as Web and database services exposed to the Internet. Modern malicious code is a blended threat and targets various segments of the computing environment, and as such, requires constant vigilance. ex0-100 70-291 SY0-101 70-270

Integrate risk management into all roles, including IT roles and those of every process owner. Process owners can take responsibility for identifying risks and managing them. If end users circumvent security, for example, by sharing passwords, they put systems at risk. Human Resources can be involved by ensuring that employees are aware of security risk factors, and if dictated by policy, by enforcing sanctions against people who do not comply.

When it comes to managing the security for the systems on a network, many administrators are tempted to install service packs and hotfixes the moment that they are released. Although such a strategy can keep you on the cutting edge of security, following the strategy blindly will eventually lead to cutting yourself. 70-284 70-272 70-630 70-297
Although Microsoft has excellent processes in place for testing its service packs and hotfixes, from time to time an update is withdrawn because it has unintended consequences that severely impact upon some customer’s systems. It is also possible that you may work in an environment that has a unique mix of applications. Microsoft cannot test for all eventualities and it is possible that a released hotfix or service pack may disable an important customized business application that your organization is dependent on. An ounce of prevention is worth a pound of cure, and a strategy of thoroughly testing hotfixes and service packs before you roll them out to your organization can save you hours, perhaps days, of mopping up operations if something goes wrong. It is also worth remembering that even though a hotfix may be able to be installed on a system, this does not mean that the hotfix should be installed on a system. Careful judgments should be made as to whether or not the hotfix is applicable and relevant for the environment that it might be deployed in. Finally, it is important to know how to get back from a position once you have arrived there. Even with thorough testing something can be missed, and having an effective rollback strategy before a service pack or hotfix is rolled out is much better than attempting to develop such a strategy once a hotfix is installed on production systems and is causing unforeseen problems.
IP Security (IPSec) is a network layer technology that is used to secure communications. IPSec encrypts the information carried by Internet Protocol (IP) datagrams. This means that even if these packets are captured, the data contained within the packets exists only in an encrypted form and cannot be read by the interceptor. IPSec has been supported natively since Microsoft Windows 2000. Microsoft Windows Server 2003 ships with three default IPSec policies that can be applied by means of Group Policy objects (GPOs) or local policy. These policies are as follows:

Client (Respond Only). When this policy is configured, the computer will use IPSec only if its communication partner requests that such a connection be established. The client itself will not request that IPSec be used.

Server (Request Security). When this policy is configured, the computer will request that its communication partner use IPSec. If the communication partner is unable to service this request, communication will continue in an insecure manner.

Secure Server (Require Security). When this policy is configured, the computer will communicate only with partners that support IPSec.

On top of this set of IPSec policies, specific policies can be created that are more specific. These policies can be restricted to specific hosts, subnets, and protocols. Custom policies can also be deployed by means of GPOs or local policy. 70-640 70-647 70-270 70-291

IPSec is considered by many to be the future of communication. Without IPSec, transmissions across a network are unencrypted. Such transmissions can be intercepted by packet sniffing utilities. This could potentially lead to valuable information falling into the hands of unauthorized parties. With IPSec, even if communication is intercepted, it cannot be read because the content is encrypted

Security templates are text files that store policy settings from the Security node in an Active Directory Group Policy. These text files can be imported and applied to GPOs, altering the settings in the GPO to conform to a particular security standard. Because they are text files, security templates are often far easier to manipulate than GPOs.  MB4-641  000-M26  70-448  000-209   MB4-640   352-001  642-524  HP0-M17

Security templates can be edited in two ways. The first is by using the Security Template snap-in of the Microsoft Management Console. This method is the simplest way to edit the templates because it displays them in a form that is similar to that of the Group Policy Editor. Because security templates are stored in text file format, you can also edit security templates by using a text editor such as Notepad. This method is far more complicated and requires detailed knowledge of the security template syntax. Unless there is a compelling reason to do so, use the Security Template snap-in, because editing by using Notepad might lead to inadvertent errors in a template which, when applied, could make a system insecure.

After a security template is created, it must be deployed before it can have any influence on the security configuration of a system. Security templates are generally deployed by importing them into a Group Policy object. Once they have been imported into a Group Policy object, that Group Policy object can then be applied to sites, domains, and organizational units. Security templates can also be deployed by importing them into local Group Policy objects on standalone systems that are not a part of the domain. This can be done by editing the local Group Policy object (gpedit.msc) or by importing the template using the secedit command.

The principles involved in deploying a security template across a domain are similar to the principles involved in deploying Group Policy objects. In general, deployment should be as specific as possible. Grouping target systems into organizational units or sites is far preferable to deploying GPOs with security templates applied at the domain level. This way only the systems that are the targets of these policies will have to process them, and systems for which the policies are not relevant will not be delayed. The more Group Policy settings that are applied within a domain to all machines, the longer those machines take during startup and logon to process all of the policies to reach a final configuration.

One of the advantages to using security templates to configure the security settings in Group Policy objects is that they provide a documented point of reference for determining what went wrong when unexpected results appear. The security configuration and analysis tool can be used to look into the expected results. An administrator can also diagnose where what was planned diverged from what actually happened. One of the most common problems that occurs when security settings are applied is that the rules of Group Policy inheritance are forgotten. Policies applied at the organizational unit level override those applied at the domain level, which in turn override those applied at the site level, which finally override those that are applied locally. This gets even more complicated when policies are applied with the “no override” and “block inheritance” settings. Understanding how these options work is the key to diagnosing problems that occur in the application of security templates.  HP0-M23  000-938   000-100  000-960  000-995  190-805  HP0-S16

Configuring Authentication for Web Users  920-221  70-299  70-541

Active Directory is a perfect way to store credentials for internal users because it can provide single sign-on authentication for a variety of network resources, including Web servers. If your organization provides an internal Web site, the Web site should authenticate users by using their existing Active Directory user accounts. If the Web site accesses information on the user’s behalf, such as querying a database to retrieve confidential benefits information, the Web site should access that information by using the user’s own credentials.

Active Directory is not the ideal way to store credentials for external users. Many organizations invite customers, potential customers, and partners outside the organization to access information, files, and data. Today, information is usually shared with external users by means of a Web site. If the Web site allows anyone on the Internet to access content, these Web users will be considered anonymous. However, the anonymous user’s requests must still be issued in the context of a valid security principal in order to access files and data.

Enabling anonymous authentication for earlier applications 70-643 156-215.1 642-444
Anonymous authentication allows users and network clients to be authenticated (but not necessarily authorized to access network resources) without providing any credentials. Unlike earlier Windows operating systems, in Windows Server 2003, anonymous users are not considered to be members of the Everyone group and therefore will not be authorized to use any network resources. However, there are some scenarios in which anonymous access needs to be granted to provide compatibility with systems prior to Windows 2000. Situations in which this access might be necessary include:
Remote Access Server (RAS) servers on Windows NT 4.0 use anonymous access to determine dial-in permissions.
Windows NT 4.0 might use anonymous access to enumerate shares or gather information from domain controllers.
Anonymous access might be used to enumerate shares and users in a one-way cross-forest trust.
Earlier operating systems might use anonymous access to change passwords in Active Directory. This is accomplished through the Pre–Windows 2000–compatible access group.
If you have earlier systems in your Windows Server 2003 domain, you will need to determine which resources need anonymous access. You can then enable anonymous access by performing one of the following tasks:
Add the Anonymous Logon security principal to the ACL that needs access. This is the preferred method for enabling anonymous access to resources because it is the most granular.
Enable the Network Access: Share That Can Be Accessed Anonymously security policy setting. This security policy setting contains a list of shares that can be accessed and is useful for enabling anonymous access to a specific share on multiple computers.
Enable the Network Access: Let Everyone Permissions Apply To Anonymous Users security policy setting. This setting causes unauthenticated users to be considered members of the Everyone group, which might authorize users to access network resources without being authenticated as valid users. This setting should only be enabled when absolutely necessary, because it creates a significant, exploitable vulnerability.
Caution Apply the Anonymous Logon, Network Access: Share That Can Be Accessed Anonymously, Network Access: Let Everyone Permissions Apply To Anonymous Users settings only to the OU or server that needs them. Enabling these settings at the domain level will decrease network security.
Using Multifactor Authentication
As described earlier in this chapter, multifactor authentication significantly increases authentication security. Windows Server 2003 supports multifactor authentication by using smart cards and can support a variety of other authentication mechanisms using non-Microsoft hardware and software.
Smart cards can be required for all users in an organization. However, because of the additional cost, smart cards are often assigned only for specific users. Often network administrators are required to use smart cards because their privileges on the network would provide an attacker significant opportunity. 70-631 MB7-515 642-811 70-643
To require a smart card for interactive logon, launch the Active Directory Users And Computers console. Double-click the user account to view the properties, and click the Account tab. In the Account Options list, select Smart Card Is Required For Interactive Logon.
Requiring smart cards for authentication can cause problems with existing applications. However, if an application includes the Certified for Windows Server 2003 logo, the application has been tested to ensure that it meets Microsoft security standards for Windows Server 2003. From a security perspective, an application that is identified as Certified for Windows Server 2003 meets the following criteria:
Support smart card logons. The application should work correctly with smart card authentication and will allow smart card authentication to a terminal service.
Provide secure credential management. Ensures that users will get appropriate prompting for credentials and storing credentials. Also means that the application can use Kerberos, NTLM, and Secure Sockets Layer (SSL) protocols. A user can also log on using a user principal name (UPN) format.
Can be run in a highly secure configuration. Applications can perform all primary functions in a highly secure configuration. In a highly secure configuration, applications cannot use the unsafe communication protocol NTLM; strong authentication and account policies are set; and group membership is restricted. A highly secure configuration is a system with a clean installation of Windows and with the predefined security template Hisecws.inf applied.
Provide secure network connections. Applications using network connections must not depend on protocols that are known to have vulnerabilities.
Practice: Adjusting Authentication Options
In this practice, you will secure authentication on a Windows 2003 Server by using security policy. You must be logged on to Computer1.cohowinery.com with an account that has administrative credentials to create and modify the default domain controller security policy. 642-061 70-526 MB7-517
Your company has recently updated its security policy. The new security policy specifically forbids using the LM authentication protocol to authenticate users in the cohowinery.com domain. To comply with the updated security policy, you will use the Domain Controller Security Policy console to ensure that LM authentication is not used on any cohowinery.com domain controller.