In-Depth

Develop a Security Plan Now

The best place to start the secure enterprise is with a comprehensive security plan that works as you do.

• By Danielle Ruest and Nelson Ruest
• 09/13/2005

Develop a Security Plan Now

If you're involved in any IT role today, you probably know that the hottest corporate topic is security. That's not unusual given the steady increase in threats and the shortened timeline to install patches, but what is unusual is the way people are going about managing and implementing security. It's easy to get confused. There are so many security-related products on the market and so many recommendations that it's hard to figure out where to start or, if you've already started, where to continue on.

Take, for example, Company A. After a series of continued attacks and increasing threats directed towards its network, Company A decides to go on a special security retreat to try to solve the problem. This retreat includes the chief information officer (CIO), the chief technology officer (CTO), and all the key members of the IT team. After days of intense discussions, they come out with a few key recommendations and new security policies. Now, the network is going to be secure once and for all! But, one of the most prominent recommendations that come out of this retreat is to implement two-factor authentication for all administrative users. Okay...

This approach might be useful in some ways, but let's look at how they propose to do this. One might think that the easiest way to implement two-factor authentication is to upgrade all of the servers to Windows Server 2003, which natively supports two-factor authentication for administrators. Then, once the upgrade is complete, proceed with the distribution of smart-card tokens to administrators. In fact, if you use low-cost USB tokens, this entire project could cost very little to Company A.

However, this is not the approach that Company A selects. Instead, all servers are going to stay the same, running Windows NT, 2000, and some spattering of Windows Server 2003. A third-party tool is going to be used to implement two-factor authentication on all of these operating systems. Several hundreds of thousands of dollars later, perhaps even going past the million-dollar mark, the

project is complete and Company A feels much more secure. Is this what you would do? Is this the approach you would use for securing your network? How does this fit into your overall security plan? Hopefully your answers are not the same as Company A. While there is a lot to be said about a third-party security solution implementation, a sound security plan starts from the ground up. There has been enough press about the significant vulnerabilities inherent in Windows NT, and even in Windows 2000, though to a much lesser degree. Any "solution" that does not do away with these older operating systems cannot be a truly secure solution. In addition, when you consider that these operating systems are still present in the enterprise, yet the most important recommendation Company A can come up with is to secure access from administrators—a group that is supposed to be trusted in the first place—you wonder just how secure its network is.

In fact, you don't have to "throw money" at security problems to resolve most of them. What you need is a proper security plan and a proper security strategy. Both start with the basics. Both deal with updated infrastructures and proper management and operational policies. Both deal with making sure high-privileged passwords are secure and modified on a regular basis. Both need to begin with the particular needs of your organization and grow from there.

Develop Your Security Plan
Each security plan has the same basic structure. There are four key elements of a sound security plan:

• Security policy design
• Defense planning
• Monitoring
• Testing

The first element involves the development of a corporate security policy. This policy should outline what needs to be protected and how it should be protected. One such policy is the Castle Defense System (CDS) (see the sidebar, "Using the Castle Defense System"). The CDS outlines a five-layer protection system that describes what needs to be protected. Like a medieval castle, the five layers of protection include the identification of critical information, the implementation of physical protection systems, the hardening of all operating systems, the control of information access, and the control of all external access to critical assets. Each of these five layers addresses a core component of your infrastructure and operations. In fact, the CDS provides a sort of checklist that can help you quickly evaluate where you stand with security.

The second component of the security plan is defense planning. Start by identifying potential vulnerabilities. The problem with security is that it needs to cover every single aspect of your infrastructure as well as prepare for potential malicious actions. For example, one of the major vulnerabilities is human error. Too many organizations still support the practice of asking for a user's password during a support call. This practice is completely unacceptable. What's worse, it is completely unnecessary if you're using the latest technologies.

Windows XP and Windows Server 2003 both include Remote Assistance, which allows any help desk employee to perform activities within the context of a user. In addition, there's no need for password exchange with tools such as Run As, which lets you call another security context from within an existing session. At worst, the help desk engineer should ask to reset the user's password for a temporary period and then hand it back to the user. Internal errors and accidental breaches are not the only type of attacks you need to defend against, but they are a symptom of what a defense plan needs to address. Security starts first and foremost at home.

The third aspect of a security plan is monitoring. You must develop a strategy that addresses the core elements of the two previous components of the plan: the policy and the defense plan. Monitoring is much more than just auditing; it means taking a practical and proactive approach to system vigilance. You need to know every component of your system and understand how it should behave in a normal setting. Any deviance to this normal behavior can help identify a potential problem or issue. One excellent tool for monitoring potential security issues with Microsoft technologies is Microsoft Operations Manager (MOM) 2005. MOM gives you an interactive and real-time window into the behavior of your systems (see Resources). This might not be the only tool you need, but it is a start.

In addition, you'll need to make sure your systems are up to date. Patch management is one of the most critical and important aspects of proactive security management. You need the right tool and the right strategy to manage patches, and you need to know when to put these in place and making sure that the increased security you gain from them does not break your business processes. One excellent free tool to use for patch management is Microsoft's new Windows Server Update Services (WSUS). It provides sound patch management, lets you know exactly which machines need a given patch, and lets you plan proper patch testing (see the sidebar, "Manage Patches With Windows Server Update Services").

The final aspect of your plan is testing. Testing serves several purposes. As mentioned above, testing patches will make sure your systems don't break once the patch is applied, but patch testing is not the only aspect of security testing. Security testing really focuses on response testing. What happens when a security breach occurs? How does your team respond? Do all the members of the team know what their responsibilities are and how to react? Security testing is also an excellent training tool because it helps your staff know what their position is in your defense strategy, and it lets them learn exactly what they need to do in case of a breach. You should schedule regular tests, and you should run through different scenarios in each test. Too many organizations don't do this and yet complain they are not secure enough.

Where to Go From Here
The complete security plan might have little to do with two-factor authentication for administrators, but it does give you a more solid approach to security. Of course, once the core elements of the plan are in place, you might determine that two-factor authentication is an important aspect for your organization, but you still need to start with the basics first. It's basic common sense: Get your house in order first, then move on to more sophisticated implementations. The four key components of the security plan surround the Castle Defense System and form a lifecycle that requires constant monitoring and update (see Figure 1).

Putting this plan in place might not be as much fun as working with new technologies, and it certainly won't cost as much. What it will do is make sure your network is secure and well-planned, well-documented, and well-protected at all times.