Mudge on Off-the-Shelf Firewalls

Take the dime, one thin dime. What is it? Most people will see it as part of the monetary system. That is, you use it to buy things. It can also be a screwdriver, a very slender shim or a decision-making tool (heads or tails?). Seeing it only as one-tenth of a dollar is an example of functional fixation: the inability to see a use for something other than its intended use. n Now take digital security, everything from firewalls to virus software and the like. Corporate America sees these solutions as a magic elixir, suitable for any environment. This is another unfortunate example of functional fixation. n This fixation is a problem because off-the-rack digital security is of limited value. Technically, an auditor could ask whether a corporation had a firewall and consider his work complete. Would that same auditor be doing his job if he had asked a bank if it had a vault and left it there? Hardly?he’d ask more questions: Is the vault locked? Who has the keys? What’s stored in it? When and why is it opened? Substitute “digital security” for “bank vault” and you’re starting to understand the need for security customization. n A bank cannot claim to be diligently protecting its customers simply because it possesses a

safe. Similarly, the notion that installing a commercially available firewall will instantly protect your company from the vagabonds of the Internet is ludicrous. How can a business address its unique security needs through third-party vendors that don’t know its business? A library, an automotive manufacturer, a financial institution and a telecommunications business each have unique security requirements. If an automotive manufacturer adopted the same security posture as a financial institution, it may be assuming an inappropriate degree of risk, which could mean either too much or too little. For example, a list of automotive dealers would not be as sensitive as a list of savings account customers, and therefore not at the same degree of risk and not worth the security investment.

Unfortunately, many CEOs and CIOs believe they have established adequate security measures by simply deploying a firewall. When asked if they have a firewall, they joyfully respond, “Yes!” The critical follow-up question?”Is your firewall configured to map your business model in risk mitigation?”?is seldom asked.

All Risks Are Not Created Equal

It makes good business sense to accept a modicum of risk, as long as the potential rewards outweigh the overall risks. If you choose to take larger risks, they should generate a higher potential yield. So how do you go about assessing, prioritizing and minimizing risk?

Understanding your business is the first step. From this understanding, you can determine what information is truly valuable. For a car maker, it might be the designs and specifications for next year’s line of vehicles; for a financial institution, it might be customer account and transaction data; and for a telecommunications company, it might be rate plan comparisons. Once you’ve correctly identified these crown jewels, you can analyze how to best access, track and protect them.

The next step is to measure the impact of various risks to your business. If you identify risk, but cannot determine and prioritize the potential impacts, it will be difficult to establish an effective and efficient plan to mitigate those risks.

There are numerous tools available to help evaluate business risk. In fact, the same mechanisms used for weighing business strategies often translate quite effectively to measuring digital security. I use a customized variant of a strategy analysis developed by Princeton, N.J.-based consultancy Kepner-Tregoe to evaluate R&D efforts at @Stake, the security services company where I work. This helps me weigh futures and functionalities of certain technologies and better determine threat analysis areas that need my team’s attention. We can then proactively help define our client corporations’ technology and security curves.

Protecting Frobnitz

Here’s a look at how we might evaluate a technology for security risk prior to deployment. We’ll look at a hypothetical infrastructure device called Frobnitz. Let’s say Frobnitz is deployed across a corporation to prioritize data transmissions on local networks based on whether or not the data originated from a company executive. First, we must ask why Frobnitz is being deployed in the first place. What are the business goals? How does it fit into the corporations’ business model? Security becomes more manageable when placed in the proper context.

The security solutions will be quite different if we consider two hypothetical conditions. The first situation has the device used internally by senior executives to improve network performance. In this case, the overall benefit is minimal, so neither the risk posture nor the expenditure to secure the device should be disproportionate. A minimum need for security translates into nominal investment.

In the second scenario, the executives are performing business critical tasks like board meetings and strategic planning sessions between headquarters and remote locations over the Internet and including executives from other companies. Corporate secrets would be compromised if a competitor broke into these communications. These examples show that even a small, but disperse user base offers an entry point into the corporation’s infrastructure.

Now, the analysis might continue with questions like:

How is Frobnitz managed across the network

Where is it deployed on the network?

What information can an attacker receive by watching this device?

What information can an attacker gain by analyzing network traffic?

What happens if the device is compromised or tricked?

How was the component designed?

How is it initially configured (how does it know who is an executive and who isn’t)?

What is the most restrictive configuration that will still meet the business need?

The next step in analyzing risk is to create attack scenarios around each of these questions. We continue brainstorming risk mitigation techniques and responses to threat questions relative to the amount of risk they present to the company, as well as the likelihood of an actual Frobnitz-related security breach. Armed with those conclusions, we can research a customized security posture.

Ring in the Risk

Another useful risk evaluation tool is a variation of a ring analysis. This starts with a particular “atomic point,” or item, and works outward in rings of accessibility. Let’s use CIO as an example. The core of CIO’s business could be viewed as its subscriber list; the valuable, targeted group CIO presents to its advertisers. If a competitor acquired this list, it could scoop up CIO’s readers, offering them various enticements. The competitor could then present itself to advertisers as the best means to reach those valued readers. The subscriber list is therefore a crown jewel worthy of securing.

During a security analysis, you would want to define the people at CIO who need access to the list in order to modify it, adding or subtracting subscribers. You would also define read-only access for certain employees, the areas from which employees can access this list, and other interdependencies. All of these factors would have degrees of risk and value attached to them.

Then we examine the core ring. How is the system running the source database secured? The next ring of accessibility might be the local network. Analysis of this ring should include determining how users are authenticated and held accountable. Will a Web developer, HR manager and salesperson all know how to treat the data in a secure and consistent fashion? This may call for degrees of data classification. At this point, it should become obvious how to configure the firewall, network and host systems. This ring analysis method of risk assessment and mitigation is most effective once you understand how the components fit into the corporate model.

The idea of using the same procedures to define business risk analysis and your company’s digital security infrastructure is long overdue. Whether you use a ring, financial or actuarial analysis to determine the appropriate security posture, there will undoubtedly be an increased understanding throughout the company when the results are in. Then, you will be able to truly maximize your returns against necessary risks.