- Introduction
- Evaluating the Security Risk
- Making the Initial Assessment
- Probing the Network
- Security Documentation
- Summary
- Test Your Skills
Evaluating the Security Risk
In Chapter 1 we provided a method for assigning a numeric value to your system’s security risk based on several factors. In this section we will expand upon that system. Recall that we evaluated three aspects of your system:
- Attractiveness to attackers
- Nature of information
- Level of security
The system being evaluated is given a numeric designation between 1 and 10 for each of these factors. The first two are added together, and then the third number (level of security) is subtracted. The lower the number, the more secure your system; the higher the number, the greater your risk. The best rating is for a system that:
- Receives a 1 in attractiveness to hackers (i.e., a system that is virtually unknown, has no political or ideological significance, etc.)
- Receives a 1 in informational content (i.e., a system that has no confidential or sensitive data on it)
- Receives a 10 in security (i.e., a system with an extensive layered, proactive security system complete with firewalls, ports blocked, antivirus software, IDS, anti-spyware, appropriate policies, all workstations and servers hardened, etc.)
This hypothetical system would get a score of 1 + 1 – 10, or -8. That is the lowest threat score possible. Conversely, the worst rating is for a system that:
- Receives a 10 in attractiveness (i.e., a well-known system that has a very controversial ideological or political significance)
- Receives a 10 in informational content (i.e., a system that contains highly sensitive financial records or classified military data)
- Receives a 1 in security (no firewall, no antivirus, no system hardening, etc.)
This system would get 10 + 10 – 1, or 19. Such a hypothetical system is, in effect, a disaster waiting to happen. As a systems administrator, you are unlikely to encounter either extreme. Evaluating a system's attractiveness to hackers is certainly quite subjective. However, the value of the informational content and the level of security can both be evaluated with simple metrics.
To evaluate the value of the informational content on your systems, you have to consider the impact of such data being made public. What would be the worst-case scenario of that data being made public? Table 12.1 divides data into categories, based on worst-case impact, and gives examples of types of data that fit that specification.
TABLE 12.1 Value of data

| Value assigned | Description (worst-case impact) | Examples of data |
|---|---|---|
| 1 | Negligible, at most some personal embarrassment | Non-sensitive data: video rental records, book sales records |
| 2-3 | Slight loss of competitive advantage | Low-level business data: basic process and procedure documents, customer contact lists, employee lists |
| 4-5 | Significant loss of competitive advantage (business or military) | More sensitive business data: business strategies, business research data, basic military logistical data |
| 6-7 | Significant financial loss, significant loss of reputation, possible negative impact on operations | Financial/personal data: Social Security numbers, credit card numbers, bank account numbers, detailed military logistical data, military personnel records, confidential health records |
| 8-9 | Significant business profit loss, significant negative military/operational impact | Sensitive research data/patent product data, classified military information |
| 10 | Serious loss of life, danger to national security | Top secret data, weapons specifications, troop locations, lists of agent identities |
You can use similar metrics to evaluate the security level of any network. Table 12.2 shows an example.
TABLE 12.2 Security measures taken

| Value assigned | Security measures taken | Where typically found* |
|---|---|---|
| 1 | No security at all | Many home users |
| 2 | Basic antivirus software | Many home users |
| 3 | Antivirus, some security browser settings, basic filtering firewall | Small office/home office (SOHO) users |
| 4 | Level 3 plus routine patches and perhaps some additional security measures such as stronger browser security and anti-spyware | Small businesses/schools |
| 5 | Level 4 plus router hardening, strong password requirements, perhaps an IDS, basic policies about downloading, acceptable usage policies, sensitive servers hardened | Networks with a full-time network administrator |
| 6-7 | Level 5 with both IDS and anti-spyware, all unnecessary ports closed, subnets filtered, strong password policies, good physical security, encryption used for sensitive data, all servers hardened, backup media destroyed appropriately, stateful packet inspection firewall on the perimeter, Web servers located in a DMZ, packet filtering on all subnet routers, very extensive policies on all aspects of computer security | Networks with a larger IT staff, possibly a full-time security professional |
| 8-9 | Level 6-7 with regular internal and external security audits, hard drive encryption (such as Windows EFS), possible use of biometrics in physical security (fingerprint scan), extensive logging, background checks on all IT personnel, all workstations/servers completely hardened, all personnel wear security ID badges, all data transmissions encrypted | Networks with a full-time security professional |
| 10 | Level 8-9 plus security clearance for all IT personnel, monthly updates/patching/auditing, routine penetration testing, Internet usage extremely restricted or blocked altogether, no portable media (CD, floppy, etc.) on workstations, strong physical security including armed guards | Military/research installations |

*This does not mean that this level should be found at these types of organizations; it is simply where that level is likely to be found.
A few observations about Table 12.2 should be made here. The first is that Level 3 is actually the bare minimum anyone should be using. Because both Windows 7 and Linux have built-in firewalls, there is no reason even a home user cannot reach Level 3. Most organizational networks should be able to meet a minimum standard of Level 5 or 6. It should also be noted that you probably will not find networks that fit exactly into one of these levels; because each level builds on the one below it, a network that lacks one measure from a lower level is still rated at that lower level, however many higher-level measures it has. This chart should nevertheless give you some guidelines for evaluating the security level of a given network.
This system is somewhat simplistic, and parts of it are clearly subjective. It is hoped that it will form a basis for you as you begin working on security for your network. Having numerical values for your threat level can be a great assistance when assessing your security posture; the real point is that you have some quantifiable method for evaluating the security of a given system. This system is presented to you simply because very few similar systems exist today, and most security evaluations are somewhat subjective. This numerical grading system (which is the invention of this author) is offered as a starting point. You should feel encouraged to expand upon it.
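The following is an added worked example of the scoring method described in this section; it is not code from the book. It encodes a simplified subset of Tables 12.1 and 12.2 as data, rates the information on a system by its most sensitive data (the worst-case rule above), determines the security level by walking the cumulative requirements of Table 12.2 until one is unmet, and then applies the formula attractiveness + information – security. The short measure tags, the choice of a range's lower bound (2 for 2-3, 6 for 6-7, 8 for 8-9) and the sample small-business inputs are this example's own assumptions.

```python
"""Worked example of the chapter's risk score: attractiveness + information
value - security level, each rated 1 to 10, so the result lies between -8
(best) and 19 (worst). The tiers below are a simplified encoding of Tables
12.1 and 12.2; the short measure tags and the choice of a range's lower
bound (2 for "2-3", 6 for "6-7", 8 for "8-9") are this example's own
assumptions, not the book's."""
from __future__ import annotations

# Table 12.1, simplified: (value assigned, example data types in that tier).
DATA_TIERS = [
    (1, {"video rental records", "book sales records"}),
    (2, {"procedure documents", "customer contact lists", "employee lists"}),
    (4, {"business strategies", "business research data", "basic military logistics"}),
    (6, {"social security numbers", "credit card numbers", "bank account numbers",
         "health records", "military personnel records"}),
    (8, {"patent product data", "classified military information"}),
    (10, {"weapons specifications", "troop locations", "agent identities"}),
]

# Table 12.2, simplified: each level is the previous level plus these measures,
# so the requirements are cumulative. Level 1 ("no security at all") needs nothing.
LEVEL_REQUIREMENTS = {
    2: {"antivirus"},
    3: {"browser security settings", "filtering firewall"},
    4: {"routine patching", "anti-spyware"},
    5: {"router hardening", "strong passwords", "acceptable use policy",
        "sensitive servers hardened"},
    6: {"ids", "unnecessary ports closed", "encryption of sensitive data",
        "all servers hardened", "stateful firewall", "web servers in dmz"},
    8: {"regular security audits", "drive encryption", "extensive logging",
        "background checks"},
    10: {"security clearances", "routine penetration testing",
         "no portable media", "armed guards"},
}


def information_value(data_types: set[str]) -> int:
    """Value of the information on a system: the worst-case impact, so the
    most sensitive data present decides the rating. A system holding none of
    the listed data types scores 1."""
    value = 1
    for tier_value, examples in DATA_TIERS:
        if data_types & examples:
            value = max(value, tier_value)
    return value


def security_level(measures: set[str]) -> int:
    """Highest level of Table 12.2 whose cumulative requirements are all met.
    Because each level builds on the one below it, the walk stops at the first
    level with a missing measure, even if measures from higher levels exist."""
    level = 1
    for lvl in sorted(LEVEL_REQUIREMENTS):
        if not LEVEL_REQUIREMENTS[lvl] <= measures:
            break
        level = lvl
    return level


def missing_for_next_level(measures: set[str]) -> set[str]:
    """Measures still needed to climb one level above the current one."""
    current = security_level(measures)
    higher = [lvl for lvl in sorted(LEVEL_REQUIREMENTS) if lvl > current]
    return LEVEL_REQUIREMENTS[higher[0]] - measures if higher else set()


def risk_score(attractiveness: int, information: int, security: int) -> int:
    """The chapter's formula, with each factor checked to be in 1..10."""
    for name, value in (("attractiveness", attractiveness),
                        ("information", information), ("security", security)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be between 1 and 10, got {value}")
    return attractiveness + information - security


def assess(attractiveness: int, data_types: set[str], measures: set[str]) -> dict:
    """Full assessment: rate the data and the defences from the tables, then
    combine them with the (subjective) attractiveness rating."""
    info = information_value(data_types)
    sec = security_level(measures)
    return {"information": info, "security": sec,
            "score": risk_score(attractiveness, info, sec),
            "to_next_level": missing_for_next_level(measures)}


# Constructed sample: a small business holding customer lists and card numbers,
# with everything up to Level 4 in place plus one Level 5 measure.
SAMPLE_DATA = {"customer contact lists", "credit card numbers"}
SAMPLE_MEASURES = {"antivirus", "browser security settings", "filtering firewall",
                   "routine patching", "anti-spyware", "strong passwords"}

if __name__ == "__main__":
    print(assess(3, SAMPLE_DATA, SAMPLE_MEASURES))
    # information 6, security 4, score 3 + 6 - 4 = 5
```

For the constructed sample the credit card numbers alone push the information value to 6, and the lone Level 5 measure (strong passwords) earns nothing until the rest of Level 5 is in place, which is exactly the point made above that networks rarely fit a level cleanly. The `to_next_level` set tells the administrator which measures would actually move the rating, so the score becomes a planning aid rather than just a number.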