Confidentiality, integrity, and availability
Information security is dynamic and complex to the point that it's easy to get overwhelmed by the details and lose track of the real issues. I find it valuable to periodically relate whatever task I'm working on back to the three pillars of information security: confidentiality, integrity, and availability. (Actually, there's a fourth pillar, but Windows IT security professionals currently don't deal with it much. See the Web-exclusive sidebar "The Fourth Pillar of Nonrepudiation," http://www .windowsitpro.com/windowssecurity, InstantDoc ID 46251.) Every requirement you try to meet ultimately boils down to one of these three pillars, and every threat you try to address ultimately threatens one of them. Such sanity checks help keep my efforts on track and help me avoid missing crucial details. Each detail is important because, in security, you're only as strong as the weakest link in the chain. Let's look at how confidentiality, integrity, and availability relate to a typical Windows-centric network in a small-to-midsized business (SMB).
In the media, you constantly hear about confidentiality in regard to the privacy of customer and patient data. Although you shouldn't ignore such consumer privacy issues, confidentiality is much more than that. Confidentiality is about preventing someone from reading information they're not authorized to read. In these days of zombied systems, bots, and worms, it's important to keep in mind that confidential information has to be protected from not just malicious people but also their agents, which can be malicious software, a compromised computer, or another compromised network component.
Confidentiality concerns show up throughout the SMB network. The files on file servers and workstations are the primary assets that require confidentiality. Before even thinking about Windows-level security controls, think physical security. Anyone with physical access to a computer can ultimately gain access to the files stored on that computer.
Securing your servers is fairly simple. You just place them in a locked room to which a minimum number of individuals have access. But for workstations, especially laptops, physical security isn't something that can be guaranteed. The one and only way to protect confidential data on workstations is through encryption. There are a host of encryption applications on the market, including file-level and disk-level programs. File-level programs (e.g., WinZip Computing's WinZip) require frequent user interaction, whereas disk-level programs (e.g., PC Guardian Technologies' Encryption Plus Hard Disk) typically require user interaction at boot-up only.
A newer way of handling file encryption is to use USB flash drives that require either PIN or biometric authentication. Windows provides an interesting option called Encrypting File System (EFS), which is transparent to the user and fully integrated with the rest of Windows security. With EFS, you simply enable encryption on certain folders and Windows does the rest. EFS is definitely worth looking into, but you need to understand how it works and what administrators and users must do to keep EFS encrypted information truly secure.
Ensuring the confidentiality of data stored on a physically secured file server is mostly a matter of assigning appropriate folder permissions that limit Read access to authorized groups of users. However, there are ways server-based files can get into the wrong hands despite strict permissions. For example, a malicious individual connected to the network can sniff (i.e., eavesdrop) packets and reconstruct entire files as users retrieve them from the file server. If you have a wireless LAN (WLAN), the risk is even greater because the attacker need only be in range to grab the files out of thin air. Although installing a fully switched network (as opposed to using hubs that retransmit packets to each node on the network) and other measures make sniffing more difficult, ultimately the only solution is to encrypt the server-based files. Fortunately, Windows provides excellent IPsec support. IPsec is the Internet standard for providing confidentiality, integrity, and authentication of IP network packets. It takes only a few minutes to enable IPsec on a Windows network if you have Active Directory (AD). Without AD, you can't automatically push out IP Security Policies through Group Policy, but you can still manually configure systems.
If an SMB can't use IPsec because it needs to support non-Windows or nondomain PCs yet still has a WLAN to secure, Windows offers great support for the latest Wi-Fi security protocols (802.1x and Wi-Fi Protected Access--WPA). The latest Wi-Fi security protocols can be very secure, and they're supported by consumer-level Wireless Access Points (APs).
Another important way server-based files can be compromised is through backup media. What path does your backup media take between the server and its offsite storage? For example, one of my clients has his receptionist change the company server's Iomega REV backup disk each morning and take the previous night's disk home with her. What if the disk were stolen from her car or home? What if she's tempted to sell the tape to a competitor? You can mitigate such risks by using a file-level encryption program to encrypt the backup files as they're written to the backup disk.
To ensure integrity, you need to prevent information from being inappropriately modified. Data integrity can be compromised through accidental events or malicious means. Storage media problems, crashed or buggy programs, and noisy transmission environments can cause accidental data corruption. Because the hardware, the Windows OS, or an application in the network typically catches accidental data corruption, accidental corruption problems usually become availability problems, which I'll discuss in the next section. So, let's concentrate on malicious threats to data integrity.
Malicious individuals might corrupt or delete data just for the nihilistic thrill of it, for revenge, or for other reasons. However, malware (i.e., malicious software that's designed to compromise the privacy, integrity, or availability of a system or network) damages data more often than an actual person.
The first line of defense against malicious data corruption is to restrict who can modify or delete the data in files. Windows file permissions can go a long way toward combating simple data-corruption attempts. However, most dishonest employees and outside attackers execute fraud at a much higher level inside the application. Most application-level data-integrity threats can be mitigated only by the application itself. So, it's important to understand and implement each application's security controls, no matter whether the application is an accounting system or a shopping cart on an e-commerce site. The best generalized advice I can give is for you to determine which operations or transactions can put the integrity of the application and its data at risk, then restrict those operations or transactions accordingly.
If the application lacks sufficiently granular security controls to restrict users from certain sensitive operations or transactions, you might be able to compensate with detective controls (i.e., controls that help contain risks by detection rather than prevention). Sometimes, it's good enough just to be able to detect data corruption before the data gets used in other operations. Examples of detective controls include checking application logs and manually reconciling processed records or transaction totals.
As a final note, you need to keep in mind that data files aren't the only file types for which integrity is important. Program executables, scripts, and similar types of files are regularly targeted by malware for the purpose of spreading a worm or virus. Ensuring integrity in the face of malware threats requires a multipronged approach. Although a properly configured and regularly updated antivirus solution is the cornerstone of a malware-threat mitigation strategy, that solution shouldn't constitute the whole building. Other ways to combat malware include increasing security awareness among users, having a malware response plan in place, and avoiding unsafe actions (e.g., Web browsing, reading email) when logged on with administrative permissions.
Temporarily losing access to data, a service (e.g., email), or an e-commerce site can be just as damaging as confidentiality- or integrity-related incidents. Worse, permanent loss of data can put a company out of business. Backups only prevent permanent loss of data and, at best, limit the duration of temporary outages. You probably already perform regular backups, but the only way to know whether the backup is viable is to actually test it. Don't rely on the verify feature of your backup application.
SMBs have more options than ever to prevent hardware-related outages. For SMBs that need reliability and readily available technical support more than flexibility and control (you get flexibility and control when you own and run your own servers), I highly recommend looking at the wide variety of solutions available from service providers, such as application hosting providers of Microsoft Exchange Server and Microsoft SharePoint Portal Server. There are even Web-based hosted-accounting systems. Application service providers (ASPs) can take advantage of economies of scale to provide applications that have a higher level of availability than an SMB could achieve on its own. Today, an SMB with fast Internet access can reap many of the same outsourcing benefits as large enterprises.
If outsourcing isn't an option, all isn't lost. Highly available hardware is rapidly becoming affordable because of new fault-tolerant technologies, such as Serial ATA (SATA) RAID drives. And companies such as Dell are offering new fault-tolerant options such as redundant power supplies in entry-level servers. You can get highly available Internet access for the cost of a new dual WAN router (which costs only between $200 and $600) and two broadband accounts (e.g., one DSL account and one cable account) from separate ISPs.
But backup and fault-tolerant technologies and options don't guard against availability outages caused by human error. Good Change and Configuration Management (CCM) practices are the only way to prevent these types of outages. Before making a change to your network, you should perform an impact analysis. Identify applications and components that will be affected. Even in SMB networks, it's easy to overlook something, so I recommend keeping an up-to-date diagram that shows each physical component on your network and the applications and services hosted on or delivered by each component. Look for a way to test the change in a nonproduction environment. When that isn't possible, try to schedule the change when the impact will be minimized in case the change goes awry. After making the change, test the most important activities supported by your network to make sure nothing was broken.
Cover Your Bases
You might have noticed that information security is about more than just good guy versus bad guy. Information security is about securing information from any type of threat, whether it's an attacker, disgruntled employee, fire, disk drive crash, or lightning strike. Whenever you're thinking about how an asset (e.g., server, file) should be protected, make sure you have all three bases covered.