Resource Page:
MANAGING THE TRUST OF THE TRUSTED PARTNERS
Creating a Truly Secure Network
November 2001 Mfg.Trust
(February 2002 Update)
The Enemy Inside the Gates: Preventing and Detecting Insider Attacks
It’s nine in the evening in your office building. Most people have
gone home long ago, many of the office lights are off, and the janitors
are quietly making their rounds. From a single, solitary cubicle comes the
familiar blue glow of a computer screen along with the rhythmic tippy-tap
of a keyboard. This could be the sound of a dedicated employee working
late into the night. But it’s not. Quite the opposite, it is a trusted
worker stealing valuable proprietary information off the company’s
network.
http://www.securityfocus.com/infocus/1546
KPMG e.fr@ud Survey 2001
“Seventy-nine percent of respondents stated that
the highest probability of a breach occurring to their e-commerce system
would be perpetrated through the Internet or other external access.
However, it is well documented that a company is at greater risk of being
the victim of an internal security breach. The survey results illustrate
how executives can be misinformed about the actual vulnerabilities of
their network systems.” Find the survey here.
ASIS/PWC Trends in Proprietary Information Theft
“Forty-four
companies of the total 97 that responded reported a total of over 1,000
incidents of thefts. Of these, 579 incidents were valued with a total
estimated loss of nearly $1 billion dollars. The average company
responding reported 2.45 incidents with estimated losses per incident of
over $500,000. The vast majority of the reported incidents were in High
Technology (530) and Services organizations (356). Although Manufacturing
reported only 96 incidents, the acknowledged losses of manufacturing
companies accounted for the majority of losses reported in the survey, and
averaged almost $50 million per incident.” Find the survey here.
Cisco Systems Guides
The Cisco Systems family of web sites has, for years,
defined “best practices” in commercial use of the web.
Recent offerings include the following two concise
security guides in PDF format for easy downloading and printing. They are
designed to educate customers on the basics of network security. Both
articles clearly address the authentication and access
control issues raised in the November Mfg.Trust
newsletter.
The first, "A
Beginner's Guide to Security," (.pdf) is targeted at true
network security novices. It explains why security is so important,
different types of network threats, and the general technologies that are
available to protect networks.
The second, "Cisco
Network Security Primer," is geared toward corporate
executives who are interested in learning why they should invest in
security solutions. The Primer describes the threats to networks, the
potential costs of intrusions, and it provides an overview of how to build
a security infrastructure.
National Institute of Standards and Technology (NIST)
Computer Security Division & Computer Security Resource Center
These two groups recently combined the CSD and CSRC
websites into one
website. Their mission includes a charge to improve information
systems security by: raising awareness of IT risks, vulnerabilities and
protection requirements, particularly for new and emerging technologies,
and educating consumers. NIST does that very well. They also advise
Federal agencies on secure IT planning, implementation, management and
operation.
Of particular interest to manufacturers are two of
their “Special Publication” reports. The Special Publication series covers
NIST's research, guidance, and outreach efforts in computer security, and
its collaborative activities with industry, government, and academic
organizations. These reports can be downloaded in various formats from:
http://csrc.nist.gov/publications/nistpubs/index.html
An Introduction to Computer Security: The NIST Handbook, SP 800-12
At 290+ pages, this “handbook” is more
appropriate for bench pressing, but it is complete and understandable. The
handbook was written primarily for those who have computer security
responsibilities and need assistance understanding basic concepts and
techniques. The purpose of this handbook is not to specify requirements
but, rather, to discuss the benefits of various computer security controls
and situations in which their application may be appropriate. It provides
a broad overview of computer security to help readers understand their
computer security needs and develop a sound approach to the selection of
appropriate security controls. It does not describe detailed steps
necessary to implement a computer security program, provide detailed
implementation procedures for security controls, or give guidance for
auditing the security of specific systems.
Engineering Principles for Information Technology Security (A Baseline
for Achieving Security),
SP 800-27
In
support of industry automation efforts, several private and public
organizations have developed a number of explicit and implicit information
system security principles. These security principles, in turn, have the
potential to become an extensive canon for users, designers, and engineers
to consider in designing information system security programs. This
document (EP-ITS) seeks to compile and present many of these security
principles into one, easy-to-use document for those concerned with
information system security. EP-ITS offers 33 principles that provide a
foundation upon which a consistent approach to IT security capabilities
can be constructed.
Role Based Access Control
This
site (http://csrc.nist.gov/rbac/)
provides access to NIST's award winning RBAC research. With RBAC, security
is managed at a level that corresponds closely to the organization's
structure. Each user is assigned one or more roles, and each role is
assigned one or more privileges that are permitted to users in that role.
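The model described above, as an added example written for this page (it is not NIST's own code): a small Python implementation of the user-to-role-to-privilege mapping, extended with the two refinements NIST's RBAC work adds on top of it, a role hierarchy (a senior role inherits a junior role's permissions) and a static separation-of-duty constraint (no user may hold two conflicting roles at once). Every role, user and object name below is constructed for the illustration.

```python
"""Role Based Access Control as described by NIST: users are assigned roles,
roles are assigned permissions, and a request is allowed only if one of the
user's roles (directly or through the role hierarchy) carries it.

Added illustration written for this page, not NIST's code.  Role, user and
object names are constructed for the example.
"""
from collections import deque


class RBAC:
    def __init__(self):
        self.role_perms = {}    # role -> {(operation, object), ...}
        self.role_parents = {}  # role -> roles it inherits permissions from
        self.user_roles = {}    # user -> directly assigned roles
        self.ssd = []           # static separation of duty: (role set, n)

    def add_role(self, role, inherits=()):
        for parent in inherits:
            if parent not in self.role_perms:
                raise KeyError(f"unknown parent role: {parent}")
        self.role_perms.setdefault(role, set())
        self.role_parents.setdefault(role, set()).update(inherits)

    def grant(self, role, operation, obj):
        # Privileges attach to roles, never directly to users.
        self.role_perms[role].add((operation, obj))  # KeyError if role unknown

    def add_ssd(self, roles, n=2):
        """No user may hold n or more of the given roles (NIST SSD constraint)."""
        self.ssd.append((frozenset(roles), n))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        candidate = self.user_roles.get(user, set()) | {role}
        for roles, n in self.ssd:
            if len(candidate & roles) >= n:
                raise ValueError(f"{user}: assigning {role} violates separation of duty")
        self.user_roles[user] = candidate

    def effective_roles(self, user):
        """Directly assigned roles plus everything reachable through the hierarchy."""
        seen, queue = set(), deque(self.user_roles.get(user, ()))
        while queue:
            role = queue.popleft()
            if role not in seen:
                seen.add(role)
                queue.extend(self.role_parents.get(role, ()))
        return seen

    def permissions(self, user):
        perms = set()
        for role in self.effective_roles(user):
            perms |= self.role_perms[role]
        return perms

    def check(self, user, operation, obj):
        """Deny by default: unknown users and users without roles get nothing."""
        return (operation, obj) in self.permissions(user)


def build_sample():
    """A small manufacturing-flavoured policy (constructed for the example)."""
    ac = RBAC()
    ac.add_role("employee")
    ac.add_role("engineer", inherits=["employee"])
    ac.add_role("purchasing")
    ac.add_role("auditor")
    ac.grant("employee", "read", "bill_of_materials")
    ac.grant("engineer", "write", "cad_drawings")
    ac.grant("purchasing", "approve", "purchase_orders")
    ac.grant("auditor", "read", "purchase_orders")
    # Whoever approves purchase orders must not also be the one who audits them.
    ac.add_ssd(["purchasing", "auditor"])
    ac.assign("alice", "engineer")
    ac.assign("bob", "purchasing")
    return ac


if __name__ == "__main__":
    ac = build_sample()
    print(ac.check("alice", "read", "bill_of_materials"))   # True, via engineer -> employee
    print(ac.check("alice", "approve", "purchase_orders"))  # False
    print(ac.check("carol", "read", "bill_of_materials"))   # False, no roles assigned
    try:
        ac.assign("bob", "auditor")
    except ValueError as e:
        print(e)  # separation of duty refused the second role
```

The point a practitioner should take from it: an authorization decision never consults the user directly, only the roles the user holds, so changing what a job function may do is one edit to a role rather than an audit of every account, and the separation-of-duty check is enforced at assignment time, before any privilege is ever exercised.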
We try to balance “conventional wisdom” whenever
possible.
SECURITY FOR THE CXO:
Stronger Passwords Aren’t
When it comes to strong passwords, anything less than
100 percent compliance is weak. Article here.
Why Information Security is Hard - An Economic Perspective
Dr. Ross Anderson, (http://www.cl.cam.ac.uk/users/rja14/)
of University of Cambridge Computer Laboratory and author of
“Security Engineering - a Guide to Building Dependable
Distributed Systems,” offers his views in the paper cited below.
“Why
Information Security is Hard - An Economic Perspective is an early
draft of a paper that tries to explain why security mechanisms are seldom
deployed well, or at all. Many people believe that given better access
control, cryptographic protocols, firewalls, and so on, the problems can
be solved. Here, I put forward a contrary view: information insecurity is
at least as much due to perverse incentives. Many of the problems can be
explained more clearly and convincingly using the language of
microeconomics: network externalities, asymmetric information, moral
hazard, adverse selection, liability dumping and the tragedy of the
commons.”
A Highly Polished Jewel:
The IT Baseline Protection Manual
The German 'Bundesamt fuer Sicherheit
in der Informationstechnik' (BSI, the Federal Office for Information
Security) publishes the very highly regarded IT Baseline
Protection Manual. Best of all it is available without charge, and they
have an English version. This manual has recently been updated and is
available here.
Glance at the structure and layout.
You will appreciate their beautifully Teutonic organization and
thoroughness (Security is a topic for which thoroughness is important!),
and a clear crisp definition of the issues. You’ll find security
concepts, tools for a basic security check, and an assessment of
protection requirements.
The IT Baseline Protection Manual
sets out a reasoned approach to how a reasonable level of IT
security can be achieved and maintained. It contains standard security
safeguards, implementation advice and aids for numerous IT configurations
that are typically found in IT systems today. It offers advice on
methodology and practical aids to implementation.
…Perhaps more than some will
want to know, but a great reference and resource.