Thursday, July 2, 2009

9: Themes of “Design” Security Measures

Focus of This Article

Introduction
Minimization and uniformity are themes that are often considered good practice. This article provides examples to illustrate both concepts.

Minimization

Enhancing security through minimization is best explained through examples.

Account Management Example
Only provide accounts to people who need them and remove unnecessary accounts. Providing accounts to people who request them without verifying their need can result in accounts being given to the wrong people. Remove the accounts of people who no longer need them. Accounts of people who have left the company can be hijacked without the knowledge of the organization.

Account Privilege Example
Only provide privileges that are necessary. For instance, grant privileges that allow deletion of your organization’s data from a critical application’s database to very few people if at all. This protects against trusted administrators going “rogue.”

Confidential Data Example
Do not store sensitive data that you do not need. Keeping sensitive data around only increases the probability of a confidentiality breach. Do you need everyone’s physical mailing addresses in Active Directory for everyone to see? Mailing addresses can be used for identity theft.

Services on Externally Facing Computers Example
On externally facing assets, keep the number of active ports to a minimum. A computer that hosts a web server might only need the HTTP and HTTPS ports open on its external network connections. If these are the only two ports that are open, do you need a firewall between the Internet and the computer? Perhaps not. If you choose not to have a firewall, then there’s one less piece of equipment to manage. You save money by not buying the equipment and not spending time configuring it.
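
One way to check the premise of this example, that only HTTP and HTTPS are listening on non-loopback addresses, is sketched below. This is an added example, not part of the original article; it assumes a Linux host, and the `ss -H -tln` output embedded in it is constructed sample data.

```python
import ipaddress

ALLOWED_PORTS = {80, 443}  # HTTP and HTTPS, per the web server example above

# Constructed sample of `ss -H -tln` output (listening TCP sockets, numeric).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 128 [::1]:6379 [::]:*
"""

def is_loopback(addr):
    """True when the bind address is reachable only from the host itself."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if addr == "*":                            # wildcard: every interface
        return False
    return ipaddress.ip_address(addr).is_loopback

def unexpected_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Return (address, port) pairs exposed beyond the allowed set, by port."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers, blanks, and non-listening states
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        if is_loopback(addr):
            continue  # local-only services are not externally facing
        if int(port) not in allowed:
            findings.add((addr, int(port)))
    return sorted(findings, key=lambda f: (f[1], f[0]))

if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {addr}:{port}")
```

The check covers TCP listeners only; UDP sockets would need the equivalent `ss -H -uln` output run through the same function.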

Uniformity

Vulnerability Patching Example
Having many one-of-a-kind computers can undermine your ability to automate patch rollout. Patches may install correctly on some computers but not on others because of differences in their configuration. Manual patching is a time-consuming process and can leave your computers vulnerable for too long. Uniformly configuring computers can make patch rollout easier; if the patch installs successfully on one computer, then the identical process can be used to patch its sister computers. This process can be automated with the use of patch management software.

Data Loss Protection Example
DLP products may require an agent to be installed on everyone’s personal computers. The successful rollout of the agent may rely on the uniform configuration of those computers. Installation of the agent may fail if the user has changed the personal computer’s configuration drastically from the norm. If the configuration on personal computers is kept the same, the rollout may be easier.

Conclusion
Minimization and uniformity are two themes to consider when designing your IT infrastructure. These concepts will be revisited later in the context of the CyberSecurity Framework.

Next Article:
Article 10: Themes of “Maintain/Monitor” Security Measures
