Surveillance is an Information Security Solution
Once you recognize a threat, it makes perfect sense to protect yourself or your organization from being affected by it. In that sense, security is effectively threat management against threats that have already made themselves apparent. However, you cannot protect yourself or your organization from unknown threats. Attempting to protect yourself from imagined threats is simply an academic exercise: until your protective mechanisms are tested, you cannot be sure that the attempt succeeded.
Given that we cannot protect our organizations from unknown threats, or from every attempt against known ones, one precaution we can take is to prepare for the possibility that our assets will be stolen. We have learned that we can quickly take measures to locate what has been stolen, thereby increasing the odds of recovery, and these measures are often less expensive than attempting to block all threats in advance of their occurrence.
For example, LoJack in cars or embedded RFID tags can help police identify the location of stolen goods shortly after a theft is reported. We can apply similar principles to information security and ensure that enough forensic evidence is available so that we can stop the misuse of our digital assets once we notice that a breach has occurred. And, as in the physical-world examples, capturing this forensic evidence is often simpler and less expensive than implementing mechanisms that attempt to stop the inevitable from occurring.
In the digital world, there are many ways that confidential data may find its way into the hands of those who would use it for criminal purposes or economic gain. The worst-case scenario is that one of our own trusted employees acts against the organization. This is the worst case because our internal staff must be trusted, to a certain degree, with our data in order to complete their tasks; therefore, it is harder and more expensive to develop forensics on their movements and their use of the data.
An alternate scenario that we can plan for more effectively is that an external entity identifies and exploits a hole in our security measures. With proper planning, there is usually enough forensic evidence left behind in these types of breaches that law enforcement can identify and capture the individual responsible for the act. What is most unfortunate are the cases where perpetrators get away simply because the organization they attacked had not taken enough logging measures to provide law enforcement with the information needed to do its job effectively.
Logging is a Hacker's Fingerprints
The key to capturing and preparing forensic evidence is logging and auditing. Logging captures metadata about an event that occurred, such as the installation of a new hard drive into a key server or the receipt of packets from a particular IP address at a certain date and time. While this sounds simple, in high-volume or high-performance environments logging must be introduced carefully to ensure that current processing volumes are not impacted. Additionally, logging creates a significant number of new artifacts, each with its own retention requirements. Moreover, logs often provide their greatest value when they are correlated.
Unfortunately, digital theft is not as easily recognized as physical theft. The items removed are copies of the original, but they have the same intrinsic value as the original. Because the items removed were copies, we may not realize that a theft occurred unless we analyze our logs consistently, using pattern analysis to identify known patterns of theft. Of course, we could also find that our data was stolen through more public means, such as when one of our customers or employees is the victim of identity theft that is traced back to our organization. In either case, once a theft has been identified, it is the log data and the correlation techniques that will provide us with the additional details we need to bring the culprit to justice.
The Data Security Hierarchy
To assist my clients in understanding the issues surrounding logging and auditing, I have developed the Data Security Hierarchy (see Figure 1). This hierarchy illustrates the various levels of interacting components that provide access to data and the dependencies between them. The difficulty in developing a consistent and reusable logging framework for an organization is that each organization has data accessible through many different levels of the hierarchy. Each level introduces a new way for data to be siphoned off, but more importantly, any level built on top of it is immediately susceptible to attack through it, regardless of the security measures taken at the higher level. The lower layers of the hierarchy undermine any measures taken at higher layers.
Figure 1: The Data Security Hierarchy
At each layer of the stack, your information is vulnerable to certain types of attacks. For example, at the lowest levels of the stack, your data can be siphoned off directly through the use of wireless or wired interceptors. Layer 2 of the stack, which includes firewalls, routers, bridges and removable media, may be one of the most heavily studied and well-fortified. However, with all this research and focus, data is still being lost through this level. How? Through the holes created by a less-fortified application being developed on top of Layer 2. Ultimately, Layer 2 is just a pass-through for binary data and has no knowledge that what is passing through is confidential.
In fact, it would take an enormous amount of money and time to ensure that each of these seven layers is fully secured, and even then, they could still be circumvented by human intervention. However, an appropriate level of logging and auditing can be introduced at each of these layers to identify suspicious behavior. For example, the appearance of a removable media device on a server represents a suspicious event. Having the operating system log the attachment and removal of this device, along with any copy operations to or from it, would provide us with enough forensic content to examine whether this was a friendly or malicious act.
Any person capable of reaching a critical server probably understands the logging architecture and may know how to circumvent it. However, these issues will become less significant over time, as operating system security is enhanced to separate control by role. For example, there may be administrators who can only affect services, while a security administrator may be required to change logging configurations. These types of separations force collusion among employees in order to achieve what can be done today by one rogue employee with a little technical savvy.
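The correlation that the "Logging is a Hacker's Fingerprints" section calls for, applied to the removable-media example above: the operating system logs device attachment and removal and the audit facility logs copy operations, and a small correlator ties them together per device to flag how much data left through that device between attach and remove. This is an added example, not code from the original article or its author; the log line format, the host and user names, the device serials and the byte threshold are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the article). Assumed format:
# "<ISO timestamp> <host> <source>: <message>", mixing kernel device events
# with an audit facility that records copy operations and their byte counts.
SAMPLE_LOGS = """\
2005-09-12T10:01:05 db-srv-01 kernel: usb-storage: device attached sda1 serial=USB123
2005-09-12T10:01:40 db-srv-01 audit: user=jdoe op=copy src=/data/payroll.csv dst=/media/sda1/payroll.csv bytes=52428800
2005-09-12T10:02:10 db-srv-01 audit: user=jdoe op=copy src=/data/customers.db dst=/media/sda1/customers.db bytes=104857600
2005-09-12T10:03:00 db-srv-01 kernel: usb-storage: device removed sda1 serial=USB123
2005-09-12T14:30:00 db-srv-01 kernel: usb-storage: device attached sdb1 serial=USB999
2005-09-12T14:31:00 db-srv-01 audit: user=backup op=copy src=/media/sdb1/patch.bin dst=/opt/patch.bin bytes=1048576
2005-09-12T14:32:00 db-srv-01 kernel: usb-storage: device removed sdb1 serial=USB999
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[^:]+): (?P<msg>.*)$")
ATTACH_RE = re.compile(r"device attached (?P<dev>\S+) serial=(?P<serial>\S+)")
REMOVE_RE = re.compile(r"device removed (?P<dev>\S+) serial=(?P<serial>\S+)")
COPY_RE = re.compile(r"user=(?P<user>\S+) op=copy src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)")


def parse_events(text):
    """Turn raw log lines into (timestamp, host, kind, fields) tuples, sorted by time.

    Lines that do not match the assumed format, or carry no event of interest, are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        for kind, rx in (("attach", ATTACH_RE), ("remove", REMOVE_RE), ("copy", COPY_RE)):
            hit = rx.search(m["msg"])
            if hit:
                events.append((ts, m["host"], kind, hit.groupdict()))
                break
    return sorted(events, key=lambda e: e[0])


def find_media_exfil(text, threshold_bytes):
    """Correlate attach -> copy-to-device -> remove per (host, device).

    Returns one finding per device session in which at least threshold_bytes
    were copied onto the device; copies FROM the device onto the host are not counted.
    """
    open_sessions = {}   # (host, device) -> session being tracked
    findings = []

    def close(key, removed_at):
        session = open_sessions.pop(key)
        session["removed"] = removed_at
        if session["bytes"] >= threshold_bytes:
            findings.append(session)

    for ts, host, kind, f in parse_events(text):
        if kind == "attach":
            open_sessions[(host, f["dev"])] = {
                "host": host, "device": f["dev"], "serial": f["serial"],
                "attached": ts, "removed": None, "bytes": 0, "users": set(), "files": [],
            }
        elif kind == "copy":
            # Attribute the copy to whichever attached device its destination lives on
            for (h, dev), session in open_sessions.items():
                if h == host and f["dst"].startswith(f"/media/{dev}/"):
                    session["bytes"] += int(f["bytes"])
                    session["users"].add(f["user"])
                    session["files"].append(f["src"])
        elif kind == "remove":
            if (host, f["dev"]) in open_sessions:
                close((host, f["dev"]), ts)

    # A device still attached at the end of the log is reported as well
    for key in list(open_sessions):
        close(key, None)
    return findings


if __name__ == "__main__":
    for finding in find_media_exfil(SAMPLE_LOGS, threshold_bytes=10 * 1024 * 1024):
        print(f"{finding['host']}: {finding['bytes']} bytes written to {finding['device']} "
              f"(serial {finding['serial']}) by {sorted(finding['users'])}; files {finding['files']}")
```

The second session in the sample is a copy from the device onto the host, which is why it is not flagged; the threshold, the path convention under /media and the treatment of a never-removed device are the knobs a practitioner would tune to the environment's own logging.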
As mentioned earlier, the data security hierarchy provides a model against which logging and auditing can be prescribed and implemented. Each layer introduces greater opportunity for loss of data confidentiality. In our dealings with clients, we have found that the most blatantly ignored hole is in Layers 6 and 7, the network and database applications. This is because many third-party tools are introduced at these layers, and they do not offer significant logging capabilities. Database security is often highly coarse-grained; that is, should someone require one field within a table, the entire table is often made available. If that table contains Social Security numbers and the individual only requires the employee start date, the organization has now introduced an unmanaged confidentiality risk. Additionally, without proper levels of logging at the database level, which are usually not enabled for performance reasons, that data could easily be retrieved from the database without being noticed.
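To make the coarse-grained database problem concrete, here is an added example (not code from the article or its author) that puts a per-role column allowlist and an access log in front of a table mixing Social Security numbers with start dates. It uses the standard library's sqlite3 authorizer hook, which SQLite invokes for every column a statement reads while it is being prepared; the table, the roles, the column allowlists and the sample rows are all constructed for illustration. The role that needs only start dates gets them, the same role asking for the whole table is refused, and both the allowed and the denied reads land in the access log, so the retrieval the paragraph warns about would no longer go unnoticed.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample schema and data (not from the article): a routine column
# (start_date) sits beside a sensitive one (ssn) in the same table.
SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, start_date TEXT);
INSERT INTO employees VALUES (1, 'Ann Lee', '000-00-0001', '2003-04-01');
INSERT INTO employees VALUES (2, 'Bo Diaz', '000-00-0002', '2005-01-15');
CREATE TABLE access_log (ts TEXT, principal TEXT, columns TEXT, outcome TEXT, rows_returned INTEGER);
"""

# Hypothetical roles and their column allowlists: table -> columns the role may read.
ALLOWED_COLUMNS = {
    "hr_report": {"employees": {"id", "name", "start_date"}},
    "payroll":   {"employees": {"id", "name", "ssn", "start_date"}},
    "auditor":   {"access_log": {"ts", "principal", "columns", "outcome", "rows_returned"}},
}


class AuditedDB:
    """Column-level access control plus an access log for an in-memory SQLite database."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)
        self.principal = None   # None = internal bookkeeping, unrestricted and unlogged
        self.touched = []       # (table, column) pairs read by the statement being prepared

    def _authorize(self, action, arg1, arg2, dbname, trigger_or_view):
        if self.principal is None or action != sqlite3.SQLITE_READ:
            return sqlite3.SQLITE_OK   # inserts into access_log, SELECT bookkeeping, functions
        table, column = arg1, arg2
        self.touched.append((table, column))
        allowed = ALLOWED_COLUMNS.get(self.principal, {}).get(table, set())
        # An empty column name means the table was referenced without a column (e.g. count(*))
        if column == "" or column in allowed:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    def query(self, principal, sql, params=()):
        """Run a read on behalf of principal; log the columns touched and the outcome."""
        self.principal, self.touched = principal, []
        # Re-installing the authorizer makes SQLite expire its cached prepared statements,
        # so the column checks run again for this principal even for a repeated SQL text.
        self.conn.set_authorizer(self._authorize)
        try:
            rows = self.conn.execute(sql, params).fetchall()
            outcome = "ok"
        except sqlite3.DatabaseError as exc:   # SQLITE_DENY surfaces as "not authorized"
            rows, outcome = None, f"denied: {exc}"
        finally:
            self.principal = None
        columns = ",".join(f"{t}.{c}" for t, c in self.touched if c)
        self.conn.execute(
            "INSERT INTO access_log VALUES (?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), principal, columns, outcome,
             0 if rows is None else len(rows)),
        )
        self.conn.commit()
        if rows is None:
            raise PermissionError(f"{principal} is not allowed to run: {sql}")
        return rows

    def audit_trail(self):
        """Return (principal, columns, outcome, rows_returned) for every logged access."""
        return self.conn.execute(
            "SELECT principal, columns, outcome, rows_returned FROM access_log"
        ).fetchall()


if __name__ == "__main__":
    db = AuditedDB()
    print(db.query("hr_report", "SELECT name, start_date FROM employees ORDER BY id"))
    try:
        db.query("hr_report", "SELECT * FROM employees")
    except PermissionError as err:
        print(err)
    for entry in db.audit_trail():
        print(entry)
```

The point of the example is the pairing: the allowlist enforces that the start-date report never sees the SSN column, and the access log records what every principal read, including the refused attempt. In a production database the same two controls are provided by column-level grants or views plus the server's audit facility; the authorizer hook is simply the smallest self-contained way to show them working together.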
One of the most frequently asked questions we receive with regard to implementing logging via the data security hierarchy is about performance implications. Introducing logging at each of these layers will also introduce the potential for latency and performance degradation. However, through the appropriate combination of system and network architectures, we have been able to minimize the impact of the additional logging to approximately 1 percent to 2 percent overhead.
Security is a risk management problem: you balance the cost of risk against the cost of protection. If the cost of the loss is less than the cost of protecting something, then it does not make economic sense to spend money protecting it. However, this equation cannot ignore the intangible losses that may follow a breach of confidentiality, such as loss of reputation or business. One has only to talk to ChoicePoint, CardSystems Solutions or LexisNexis to gain insight into the fear instilled in customers by association with a breach of confidentiality.
You cannot protect your organization from that which you do not know. However, you can ensure that you have enough forensic evidence captured that should an unfortunate breach of confidentiality occur, you can report that you have excellent information that will help determine the perpetrators and bring them to justice. From the time we are children, we are taught that "bad people" exist in the world. Our fears are allayed by the knowledge that these bad people can be caught and stopped. Should your organization be the victim of data theft, you want to be able to state confidently that you have enough evidence to help law enforcement identify and capture the responsible individual. For this reason, you should invest in the development of a logging and auditing framework.
JP Morgenthal is managing partner for Avorcor, an IT consultancy that focuses on integration and legacy modernization. He is also the author of Enterprise Information Integration: A Pragmatic Approach. Questions or comments regarding this article can be directed to JP via e-mail at firstname.lastname@example.org. Do you have an idea for a future Enterprise Architecture column? Send it to JP; if it is used, you will win a free copy of his book.