Information Security for Volunteer Organisations, Part 1
David Teisseire, CISSP
March 2009
Introduction

Many volunteer organisations and community groups struggle with the issues surrounding information security within their computer networks and workstations. Those tasked with the protection and maintenance of these resources often have little formal background and are selected on the basis of a willingness to perform the role and the possession of some computer experience. Against such a background, information security becomes just another task alongside the memory upgrade and the printer toner change. In this paper we shall look at information security (infosec) for these organisations, with particular emphasis on the unique issues faced within a community-based organisation.
Fundamental Issues

Shared Responsibility

In many community and charity organisations one of two opposite situations exists. Either the System Administrator role is shared among a number of people or, in smaller organisations, the person tasked with the role is also responsible for a number of other functions. Neither situation is optimal for the effective performance of the information security role.

Multiple Administrators

Where a number of people share the role and the responsibility for the security of the information resources, issues arise over who is or was responsible for a particular event, task or duty. There is also, in this type of situation, a tendency to work by consensus, with all the parties having equal authority and input. No one person has the final say in matters and, as such, no one person is singularly responsible for the success or failure of the site. In such an environment it is not uncommon for factions and turf wars to erupt over how or when a particular change to the system is to be managed and implemented. Clearly in these cases one person must be given the final authority and power to direct the site and those who use the assets. The selection of the person to lead the IT team is more a function of how the organisation elects its leaders than anything related to this paper.
Multiple Tasking

The other commonly found situation is where the person tasked with the security of the system is also involved in a number of unrelated areas of the organisation. It is not inconceivable for this person to be tied up with matters such as ordering office supplies or calculating rosters. Typically the urgent takes precedence over the important. The roster and the ordering of pens and paper, being tangible activities, will often win over checking the firewall logs or ensuring that passwords have been changed as per policy. Regardless of the size or the mission of the community organisation, its leaders must be made to understand that, as in commercial enterprises, the role of information security is not one to be lightly assigned and then forgotten. It is a role in itself and should be given the time and resources for its performance.
Volunteer Exit

The very nature of volunteer and community organisations places a great deal of emphasis on the retention of their workforce. People are attracted to the organisation by community, moral or some other attraction. Under these conditions a perceived change in policy, a personal conflict with another or simply a change in the volunteer's circumstances may be cause for them to leave and no longer actively support the organisation. We should consider what effects such an event may have on the information security posture of the organisation.

User Exit

Where a user of the system is no longer part of the organisation, the administrator must take prompt action to close their user account and remove all access rights to the organisation's information. This is of course standard practice in all well-run businesses and corporations. Within the volunteer organisation there are factors that complicate this simple policy. A volunteer is not required to advise the organisation that they will no longer be providing any form of service. That means the system administrator may receive no formal notification of the requirement to close the user's account. Compounding this is the situation where many users offer their services on an ad hoc basis. This may mean that a user does not access the computer systems for weeks or months at a time. Clearly, the administrator cannot rely on the lack of logins to a specific account as an indicator of the currency of that account. We should note, however, that an account that has not been used for an extended time poses a security threat in its own right, but we will cover that at a later time. The question then is, who would know whether the account holder is still active? Perhaps the best source of information in this regard is the person who prepares the rosters. They would, or should, know who is available for the rostering period, be that a week, a month or a quarter.
As the administrator, you should be one of the first people to receive a copy of the upcoming roster. In addition, the person who prepares the roster should advise you of anyone who has come off the roster. Failing that, you could compile a list of accounts that have not been accessed for some time and forward it to the roster preparer for verification of the holders' continuing active status within the organisation. This simple solution will of course do nothing to monitor the currency of people who have access to the system on a more permanent basis, that is, those not on an ongoing roster of duties. In this class are those who perform more permanent roles in finance, counselling, administration, secretarial work and governance.

System Administration Exit

A similar situation exists when a person tasked with a system administration role, whether complete or sectional, departs from the organisation. A situation like this creates the potential for widespread damage to the systems, the data and the reputation of the organisation. The nature of the role may require that the person have access to the system from remote locations, such as their home or a mobile device. Coupled with widespread access rights, a disgruntled or disillusioned administrator could cause extensive damage. The same issues exist as for the general users mentioned above: a user with system administrator rights may not advise the organisation of their decision to no longer support the organisation or its goals. Then there is the matter of who is going to take over the operation of the systems. More importantly, who is going to disable the outgoing administrator's password and access rights? Further complications arise when the outgoing person is the only one in possession of the passwords for system-level access or has the sole authority to deal with service providers such as ISPs and telecom carriers. Later we will look at potential solutions to these problems using techniques like key escrow.
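The dormant-account check described above, as an added example that is not part of the original paper: it reads the output of the Linux `lastlog` command (a constructed sample here), cross-references it with a constructed roster, and produces the list to send to the roster preparer. The roster, permanent-role and system-account sets, the 60-day dormancy window and the helper names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the `lastlog` command on a Linux box:
# username, terminal, source host and the time of the most recent login.
# "**Never logged in**" is how lastlog reports an account that has never been used.
LASTLOG_OUTPUT = """\
Username         Port     From             Latest
root             tty1                      Mon Feb  2 08:15:02 +1100 2009
mary             pts/0    192.0.2.10       Fri Feb 27 19:40:11 +1100 2009
john             pts/1    192.0.2.11       Sat Nov 15 10:02:45 +1100 2008
ahmed            pts/0    192.0.2.12       Thu Mar  5 21:10:07 +1100 2009
lee                                        **Never logged in**
"""

# Constructed inputs the administrator gets from the roster preparer and the
# committee: who is rostered for the coming period, who holds a permanent
# (non-rostered) role, and which accounts belong to the system, not a person.
ROSTER = {"mary"}
PERMANENT_ROLES = {"lee"}      # e.g. the treasurer: the roster says nothing about them
SYSTEM_ACCOUNTS = {"root"}
TODAY = datetime(2009, 3, 9, tzinfo=timezone(timedelta(hours=11)))

LASTLOG_TIME = "%a %b %d %H:%M:%S %z %Y"


def parse_lastlog(text):
    """Map each username to its last login time (None if never logged in)."""
    last_login = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        user = fields[0]
        if "**Never logged in**" in line:
            last_login[user] = None
        else:
            # The timestamp is always the last six whitespace-separated fields.
            last_login[user] = datetime.strptime(" ".join(fields[-6:]), LASTLOG_TIME)
    return last_login


def review_accounts(last_login, roster, permanent_roles, system_accounts, today,
                    dormant_days=60):
    """Sort accounts into the lists the roster preparer and committee must confirm."""
    cutoff = today - timedelta(days=dormant_days)
    review = {"verify_with_roster": [], "verify_with_committee": [],
              "active_not_rostered": [], "rostered": []}
    for user, last in sorted(last_login.items()):
        if user in system_accounts:
            continue
        dormant = last is None or last < cutoff
        if user in permanent_roles:
            # Permanent office holders are not on the roster; their continued
            # membership is confirmed with the committee whether dormant or not.
            review["verify_with_committee"].append(user)
        elif user in roster:
            review["rostered"].append(user)     # rostered this period: account stays
        elif dormant:
            # No roster entry and no recent login: the classic silent departure.
            review["verify_with_roster"].append(user)
        else:
            # Logging in but not rostered: an ad hoc helper, or an ex-volunteer
            # still using the account. Either way the roster preparer is asked.
            review["active_not_rostered"].append(user)
    return review


def request_for_roster_preparer(review):
    """Plain-text request that goes to the roster preparer for verification."""
    lines = ["Accounts to confirm as still active volunteers:"]
    lines += [f"  {u}  (no login within the dormancy window)"
              for u in review["verify_with_roster"]]
    lines += [f"  {u}  (recent logins but not on the roster)"
              for u in review["active_not_rostered"]]
    return "\n".join(lines)


if __name__ == "__main__":
    result = review_accounts(parse_lastlog(LASTLOG_OUTPUT), ROSTER, PERMANENT_ROLES,
                             SYSTEM_ACCOUNTS, TODAY)
    print(request_for_roster_preparer(result))
```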
Differing Modus Operandi

We all know that people are different and, as such, tend to do things in different ways, in a different order and with different priorities. It is because of these differences in our personalities and motivations that organisations like the military insist that everything be done according to well laid down plans and procedures. Community organisations are not, and should not be, paramilitary organisations enforcing strict adherence to rigid rules for all actions and conduct. Discretion is required here: we need to choose which things really matter and have to be controlled, and which are of a nature that allows for greater leeway and individual expression. The directory structure of a Linux box, for instance, is not open to individual interpretation. The directory structure takes the form it does for a reason, so that applications will be found where they are expected to be found. On the other hand, the naming convention for personal files is less of a drama and the wise administrator would not enforce compliance with a rigid norm. The administrator could encourage the user to adopt a standard naming convention and explain why compliance would be beneficial, but beyond that there is little to be gained.
Other things that must be standardised include the frequency and class of backups, the allocation of access rights and, in fact, any matter that would have a detrimental effect on the security of the system if not adhered to.
Blame Shifting

Associated with the above is the matter of blame shifting, or "I thought he was going to do it". Without clear policy and operating procedures it is easy for things to be overlooked. It may be a backup, the deletion of a user account, the locking of the server room door or the updating of virus definitions. The end result is that everyone thinks the matter was attended to when it wasn't. Everyone in this situation is living in a state of false security. Only clearly defined responsibilities and pro forma checklists are going to have any great impact against this type of situation. A person may be irresponsible and sign off on a task as performed when it hasn't been, but the goal here is to reduce the risk to the informational assets. We cannot positively guarantee that an asset will not be compromised; we can only take precautions to reduce the risk exposure.
Defining Information Security

A casual observer may consider information security to be the safeguarding of data and information on a computer network and/or individual computers. Although this is a central function, the role comprises much more and covers such areas as physical security, who has access and their access areas, and much more. We may consider information security as the role of ensuring the confidentiality, integrity and accessibility of data and information within an organisation and its partners. These three factors, confidentiality, integrity and accessibility, are considered the foundational objectives of information security. Looking at these factors, frequently known as the CIA triangle, we discover that:

• Confidentiality is the aspect where only those who have a need or a right to access specific information are allowed access to that information. It is the old need-to-know basis.
• Integrity is ensuring that the data and information are protected against accidental or malicious change. Those using the information should be confident of its accuracy and timeliness.
• Accessibility relates to people being able to access the information within an acceptable time frame. No matter how accurate the data, it is of little use if people are not able to access it.

Information security is, when we consider the above, the set of methods employed to ensure the confidentiality, integrity and accessibility of the data under our control. The field of information security may be broken down into a number of discrete areas, each of which will be covered in this and subsequent articles.
Threat Vectors

One of the ways that information security specialists determine what precautions to take is by doing a threat analysis. The objective is to identify the various threats to which the organisation is exposed. These threats are generally termed threat vectors. Threat vectors may be classified in a number of ways. One method identifies them by the nature of the source of the threat: they may be, for instance, natural disaster, local equipment failure, infrastructure failure or malicious damage. This is the method we shall use in this paper. In considering threats, it is natural to think of a threat as an incoming event, that is, something someone or something does to the organisation, much like an attack. As we shall see later, a threat may also be an outgoing event, something that is done using the assets of the organisation. This distinction will become much clearer as we look at each specific threat.
Telecommunications

Telecommunications is a large field that covers things such as the telephone on the desk, PABX or PBX switchboards, modems, cable and broadband Internet access, and wireless and cellular phones, to name a few. This classification includes what many consider the greatest threat: the Internet. Accordingly, considerable effort will be devoted to this class of threat. We should, however, never forget that any threat may compromise the site, and we should not concentrate on one to the exclusion of the others.

Telephone

The telephone on the desk is also called POTS (plain old telephone service). Many today do not see the telephone service as any kind of threat to the organisation. The rationale is that there are much more appealing targets, but such a view of the telephone service and its potential for damage to the organisation may prove costly should the telephone system be targeted by an attacker. Let us first take a simple example: the use of the telephone system to make unauthorised or unapproved outgoing voice calls. There are a number of aspects to this. First, there is the financial cost of these calls. Most community organisations, and indeed commercial businesses, factor in the cost of local personal calls as a cost of doing business. It is simply a cost of having people there, and allowing personal local calls is deemed a good personal relations strategy. What about overseas calls or calls to premium services like "charge by the minute" services? At the very least the organisation will incur the financial charges associated with the calls, but there are other potential ramifications. The call may be to an inappropriate party, or the call could bring discredit to the organisation. The example of a church phone service incurring charges from the use of phone sex services springs to mind. Another example could be where the telephone service is used to harass an individual or minority group.
Actions such as the above have the potential to place the organisation in the media spotlight, with the task of constraining the tide of public opinion against them. Organisations that rely on public support and funding could face a period of reduced funding and possible governmental investigation for the use of the telephone system in this way. There are other ways that the telephone system may be used that pose a threat to the organisation. If there is a PABX (Private Automatic Branch Exchange) then the organisation has the ability to control its telephone lines and the way the extension phones use those lines. The way those lines and extensions are configured, and the security of the configuration passwords, determine whether outside parties are able to manipulate the PABX for their own ends. Under certain conditions, an outside caller is able to access an outgoing exchange line and originate calls from the PABX as if they were an extension off the switchboard. The implications of such actions may be far reaching and may give rise to legal liability for originating an illegal telephone call. Another way that a telephone line may pose a threat is where a computer user installs a modem on the telephone line for their own use. Such a modem would bypass the security provisions in place and could potentially compromise the entire local area network. An ill-configured modem may be left in auto-answer mode, enabling any outside caller to connect to the attached computer; from there the caller may have access to the rest of the network and potentially to a wider area network should one be accessible. Attackers may use auto-diallers, also known as war diallers, to search for modems attached to telephone lines. They accomplish this by selecting a bank of numbers, either from a ranged pool or, if they know the number range assigned to an organisation, by dialling that range looking for a modem that responds. Once a modem answers, they know they have potential access. The pool of telephone numbers allocated to the organisation may be obtained from the telco or from the billing details obtainable from the organisation's accounts department.
Using the same type of procedure used by attackers, it is possible to dial all telephone numbers that are owned by or billed to the organisation. If any number answers with a modem tone then effort should be expended to trace it back to the offending computer. This process used to be much easier before computers had modems built into the motherboard. Modems were a discrete device complete with lights and a cable attached to the computer. One could simply walk past the pool of computers and instantly see whether a modem was attached. Today the only real physical evidence is the presence of a telephone cable, usually a flat cable terminating in an RJ12-type plug, going into the computer case. Should you find a computer with this type of cabling, and the computer is not authorised for modem use, then there is a good chance that you have found the offender. We should be asking under what conditions a user would need to have a telephone line connected to their computer. One situation that may justify the connection is where a user needs to fax documents from their computer to a fax machine. Although fax use has declined over the years, there are still organisations that require documents to be faxed rather than sent as email attachments. If a modem is not set up to auto-answer, there is still the matter of it being used to access the Internet via a dial-up access account. Although the speed of dial-up Internet is painfully slow, it is still access and as such may pose a threat due to the nature of the content accessed.
A dial-up connection could be used to access a peer-to-peer network like the torrent network, and illegal content could be downloaded. In many cases the torrent network runs at speeds significantly slower than the dial-up modem line speed, so the reduction in access speed would not be an issue. Alternatively, a modem could be used to access a BBS. A BBS (Bulletin Board System) is a somewhat older style of computer community where people were able to access information and software by dialling into the BBS over conventional telephone lines. Although they have been almost universally replaced by Internet access, it is of interest to note that one authority claims that between the 1980s and the present there have been over 75,000 BBSs operated. There are still some around, but they are very rare. The greatest risk in the foreseeable future is the re-emergence of the dial-up BBS as Internet monitoring and filtering by ISPs become more prevalent. Those who desire to do illegal things will use new or even old technologies. If your organisation permits them access to those technologies, then the organisation may be called publicly to account for actions done in its name.

Network Access Points

Network access points can conveniently be divided into hard-wired nodes and wireless access points. Wireless access will be covered in the next section. Organisations that occupy older buildings or sites that are quite expansive face the potential issue of unused local area network nodes that are still connected to the network backbone. If an active node is located in an unused portion of the building, then an unauthorised person could connect to the node and gain access to the network infrastructure. Another way that this level of access could be achieved is for an attacker to access a wiring cabinet or equipment rack in an unsecured utility room.
Frequently routers, switches and hubs are located in out-of-the-way places with little or no physical security.

Wireless Access Points

The most significant issue with wireless network access points is also their most attractive feature. Wireless access allows users to move away from their desks and still have access to the network and wider area networks such as the Internet. Wireless allows a user to take their laptop into a meeting and access remote data for a presentation. Wireless being a radio transmission, there is no easy way to ensure that the transmissions remain within the confines of the organisation. The ability of a person located outside the organisation, or even an unauthorised user within it, to access the network from a portable device poses a significant threat. Wireless access points are frequently used by unauthorised persons parked outside the building as a means to obtain access to the Internet. Any traffic generated from this type of security breach may be attributed to the organisation, with attendant ramifications.
The solution to this matter is to enable encryption, which requires a user to provide a password to log on to the access point. At present there are two levels of encryption standard implemented for wireless access devices. The first, and by far the weaker, is what is termed WEP (Wired Equivalent Privacy), which may be compromised within a few minutes with automated tools. The other protocol is WPA (Wi-Fi Protected Access) and the newer WPA2. These protocols provide a higher level of security. WEP is a deprecated technology; however, there are still some devices in use that only support WEP, and as such an administrator should enable WEP regardless of the poor level of protection it provides. Any protection is better than having the access open for anyone to use. The other method that may be employed is to turn off the SSID beacon. The wireless access point normally broadcasts the Service Set Identifier (SSID), which is the access point's name. When the beacon is turned off, a device has to know the SSID before it can access the wireless access point. Although this is not a security measure as such, it does provide some additional protection from casual snooping for access points. The combination of WEP and non-transmission of the SSID may provide a minimal level of security until a WPA-supported solution can be implemented. Surprising as it may seem, many sites do not use any form of security at all and are open to anyone who decides to use them. A quick drive around the streets will reveal many sites with no security on them at all. Shopping centres will usually have at least one, sometimes many more, open access points. Persons wishing to gain access to the Internet through a wifi point will tend to go for the soft targets first; the harder you make it for them, the safer you will be.

Internet Access

When discussing Internet access threat vectors, it is important that we distinguish between copper and wireless type technologies.
Copper wire is the basis of both cable and ADSL systems. ADSL is currently available in both ADSL and ADSL/2 flavours, the main distinction being the increased speed of ADSL/2. In terms of ease of security and monitoring, any hard-wired service is simpler and more manageable. All traffic to the Internet must pass through the edge router, thus monitoring is centralised and no traffic may pass that is not open to being monitored. This does not ensure all traffic is readable, as it may be encrypted or may be in binary format; however, no traffic is able to bypass the edge router. Although traffic may not be readable, the destination IP address can always be read, and as such blacklist solutions may be implemented. The edge router or gateway may pose a problem in that the traffic may be illegally monitored or sniffed by anyone with access to the device. This access does not need to be physical, but may be obtained by anyone with root user rights to the router. This is a particularly large problem as many routers are configured with the default passwords still active. Default passwords for devices are readily available on the Internet. A simple Google search with the search term "cisco default passwords" turns up over 18 million hits, with links to sites such as http://www.phenoelit-us.org/dpl/dpl.html.
Physical Security

One common mistake made by System Administrators is to place almost all their attention on the technical solution and very little on the physical security aspects. Regardless of how good your firewalls and policies are, they will do little to protect the informational assets if someone can just come in and walk away with the server box.
Key Management

Key management in this context refers to the management of the physical keys that operate the door locks and padlocks protecting the perimeter of the building and access to certain areas within the site. The other type of key management, that relating to software keys, will be discussed in a later paper. When we consider the matter of keys, we very rapidly realise that the loss of a key poses a number of issues. First, if a key is stolen, lost or otherwise compromised, then the thing the key was safeguarding is either compromised or open to some form of theft. Immediately we come up against conflicting objectives. If we look at the situation where a sole person has access rights to a physical room or controlled space, then there should be only one copy of the key in existence. What then if that one key is lost or stolen? In the case of a physical lock, the services of a locksmith would resolve the problem. The key barrel would be changed and a new key issued. The situation could be resolved for a fee and a few hours. A similar solution would be adopted if the key holder left the organisation unexpectedly and did not return the key, or if the key holder was critically injured. From the above discussion it can be seen that there may be a justifiable need for a duplicate key, to reduce both the cost of a locksmith callout and the time during which the asset would be locked away from use. The problem is that the existence of another key poses two distinct threats. First, the duplicate may be lost or compromised. The chance of a key being compromised rises with the number of copies of that key in circulation: more keys mean more chance that a key will be lost or stolen, because there are more places where it may be compromised. Second, there is the issue of key responsibility and accountability. With more than one person in possession of the key, the responsibility and accountability are shared.
Remember that accountability is based on being able to identify the specific person who is performing an action. If more than one person may have unlocked a door, then accountability essentially ceases to be of much use. Clearly we have reduced the number of people who could have performed the action, but we have no degree of certainty as to which one. This reason alone is why account and password sharing is never acceptable: you just can't tell who did what.

Key Escrow

The answer to the issue above is key escrow. Key escrow is a procedure where a key, or more broadly an access right, is held by a party in a secure manner until it is required to fulfil its role. In this case a key would be locked away in a secure location with a responsible party. In addition, the key would be secured in such a manner that any tampering or illegal use of the key would be readily identifiable. A simple application of this principle would be for the key to be secured in a tamper-evident envelope or container, and for that container to be locked away in a safe to which a limited number of persons have access rights. Supporting this procedure would be an individual register acting as a chain-of-custody document: the entry of the key into escrow and every subsequent issue of the key to a person would be recorded, with both the removal and the return details. Such a system would provide a number of tangible benefits. The person entrusted with the key could be secure in the knowledge that they were the only person in possession of a circulating key to the asset. They would know, however, that should the key become misplaced or otherwise unavailable, there is a procedure to permit access to the asset. The principle of accountability and responsibility is not compromised by this procedure, because anyone being issued the duplicate key has to sign for it, and they are then held responsible for the asset during that period. A more likely situation is where a number of persons are entrusted with the responsibility for a secured asset. In this situation a number of persons will either have access to the key or have a physical copy of the key on their person. A common example of this is where a number of people have the task of opening the front door.

Alarm Codes

In these situations it is not the front door key that is the access-granting and identification point. Most organisations will have some form of security alarm system. Although it is common for the alarm code to be shared among many users, this is not a recommended practice. It may be simpler to assign a single deactivation code, but it has the potential to create a number of significant problems in the future.
If we take the situation where a person is no longer responsible for opening the building, then they would have their key recovered; however, unless the deactivation code is changed, they still have the ability to deactivate the alarm. Experience shows that few organisations will go to the effort of changing the deactivation code; they consider the recovery of the key sufficient. The main problem with a shared code is that it is a shared code, that is, there is no way of identifying the individual who deactivated the alarm from the code itself. There may be other mechanisms in place, but the alarm code itself provides no identifying information. If we issue every individual a specific entry code, then we are able to positively identify the person responsible for the entry. They may not be the actual person, as they may have given the key and code to another, but they are the responsible person. In the event that a person's role changes or they leave the organisation, their code is deactivated. Where security is concerned, there is no need for people to share keys or codes where there is provision for individually issued access codes.

Cypher Codes

Another commonly found physical access device is the cypher keypad. This device consists of a numerical keypad on which an authorised person enters a multi-digit code to gain access to the asset. These devices generally employ a code consisting of 4 digits which must be entered in the correct sequence. Some cheaper devices only require that the correct 4 digits be entered, regardless of the order of entry. Site managers should ensure that the cypher code is changed on a regular basis. The reasoning for this is that the code will, over a period of time, become common knowledge. The length of time between changes is somewhat determined by the size of the site and the number of people who have been provided with the code. In any case the code should be considered to have exceeded its use-by date within 90 days. Many sites should change the code every 30 days. Cypher codes should be looked at in the same light as passwords, and there is reason to enforce the same requirement to change them on a regular basis. Like password changes, an administrator will face user resistance.
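The key escrow register with its chain-of-custody record, and the individually issued alarm and cypher codes with their 30-day and 90-day change intervals, as one added example that is not part of the original paper. The class name, the envelope seal numbers and the sample people are constructed; the register is a plain in-memory model rather than any particular product.

```python
from datetime import date


class PhysicalAccessRegister:
    """Register for a site's physical access controls (constructed example).

    The escrowed duplicate key lives in a numbered tamper-evident envelope and
    every issue/return is logged, so custody is always traceable to one person.
    Alarm codes are one per person and revoked on exit; cypher-lock codes are
    flagged after the 30-day recommended interval and again past the 90-day limit.
    """
    ROTATE_RECOMMENDED_DAYS = 30
    ROTATE_LIMIT_DAYS = 90

    def __init__(self):
        self.escrow = {}        # asset -> {"seal": envelope number, "issued_to": person/None}
        self.custody_log = []   # chain of custody: (date, asset, action, person, seal)
        self.alarm_codes = {}   # code -> person
        self.cypher_codes = {}  # door -> (code, date last changed)

    def escrow_key(self, asset, seal, placed_by, when):
        self.escrow[asset] = {"seal": seal, "issued_to": None}
        self.custody_log.append((when, asset, "escrowed", placed_by, seal))

    def issue_escrowed_key(self, asset, person, seal_seen, when):
        entry = self.escrow[asset]
        if entry["issued_to"] is not None:
            raise ValueError(f"{asset}: duplicate already out with {entry['issued_to']}")
        if seal_seen != entry["seal"]:
            # Envelope number differs from the register: treat as tampering.
            raise ValueError(f"{asset}: seal {seal_seen} does not match {entry['seal']}")
        entry["issued_to"] = person  # this person now signs for the asset
        self.custody_log.append((when, asset, "issued", person, seal_seen))

    def return_escrowed_key(self, asset, person, new_seal, when):
        entry = self.escrow[asset]
        if entry["issued_to"] != person:
            raise ValueError(f"{asset}: not on issue to {person}")
        entry["issued_to"] = None
        entry["seal"] = new_seal  # resealed in a fresh numbered envelope
        self.custody_log.append((when, asset, "returned", person, new_seal))

    def outstanding_keys(self):
        """Assets whose escrowed duplicate is out, and the person accountable."""
        return {a: e["issued_to"] for a, e in self.escrow.items() if e["issued_to"]}

    def assign_alarm_code(self, person, code):
        if code in self.alarm_codes:
            raise ValueError("code already issued; alarm codes are never shared")
        if person in self.alarm_codes.values():
            raise ValueError(f"{person} already holds a code")
        self.alarm_codes[code] = person

    def revoke_person(self, person):
        """On exit or role change: drop the person's code; returns how many were removed."""
        revoked = [c for c, p in self.alarm_codes.items() if p == person]
        for code in revoked:
            del self.alarm_codes[code]
        return len(revoked)

    def who_disarmed(self, code):
        """Person accountable for a disarm event; None for an unknown or revoked code."""
        return self.alarm_codes.get(code)

    def set_cypher_code(self, door, code, changed_on):
        self.cypher_codes[door] = (code, changed_on)

    def cypher_rotation_status(self, today):
        """'ok', 'rotate' (older than 30 days) or 'overdue' (older than 90) per door."""
        status = {}
        for door, (_code, changed_on) in self.cypher_codes.items():
            age = (today - changed_on).days
            if age > self.ROTATE_LIMIT_DAYS:
                status[door] = "overdue"
            elif age > self.ROTATE_RECOMMENDED_DAYS:
                status[door] = "rotate"
            else:
                status[door] = "ok"
        return status


def build_sample_register():
    """Constructed walk-through: one escrowed key issued and returned, codes for two people."""
    reg = PhysicalAccessRegister()
    reg.escrow_key("server room", "ENV-0001", "secretary", date(2009, 3, 1))
    reg.issue_escrowed_key("server room", "alice", "ENV-0001", date(2009, 3, 5))
    reg.return_escrowed_key("server room", "alice", "ENV-0002", date(2009, 3, 6))
    reg.assign_alarm_code("alice", "4821")
    reg.assign_alarm_code("bob", "7735")
    reg.set_cypher_code("front door", "2468", date(2009, 2, 20))
    reg.set_cypher_code("store room", "1357", date(2009, 1, 1))
    reg.set_cypher_code("side gate", "9051", date(2008, 11, 15))
    return reg
```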
Conclusion

We shall continue to look at these matters in Part 2 of this series.