| |
 |
|
|
|
|
|
Main
|
Auditing SecurityThe auditor’s report was favorable. All except the last section. Internal LAN security had been tightened fairly well. As well as the library could afford, anyway. The web server was open to attack, however. The auditor had been able to access the Administrator account on the server. That was very bad. The director wondered if the $300 he had left in the grant would be enough to cover the re-configuration. Once your library embarks upon a program of network security, how do you know your resources are secured as well as they should be, or can be? Once your staff, or a contractor you’ve hired, has configured your network components for secure operation, how can you confirm that the job is done well? To what standard do you compare your security implementation? If any of these questions have occurred to you, then you get bonus points for thinking ahead. These are pertinent questions that every manager should ask at some point in the process of installing, configuring, or securing her network. Taking the word of staff or a contractor when you can’t verify the work yourself is risky. The best course is to hire an independent contractor, one who is knowledgeable in the basics of securing network resources, especially in networks providing public access. A security audit is the process of assessing the various components and the operating environment of a computer network for vulnerabilities. The audit may be either casual or formal, superficial or detailed, onsite or conducted entirely over the Internet. An in-house self-audit can be conducted when the library employs technically trained personnel, but this is unusual. These audits work well in a security project where the library is assessing what security measures may need to be implemented. As a final audit, however, a self-audit loses the benefit of an independent, objective view. In this chapter I present some of the issues surrounding security audits and contracting with an auditor to test the security implementation of your organization’s network. I also propose three levels of auditing for small public libraries, by which the security of your network can be assessed. If you are able to contract for an audit, then these are many of the items your auditor will be reviewing. If not, then these points should provide you or your network administrator with a guide to use in conducting a self-audit. Purpose of an AuditIn order to assure library staff and interested funding authorities that the library network’s implementation meets some definition of "best practice," it is necessary to perform an audit of the configuration. Best practice does not mean perfect. As mentioned in previous chapters, it is impossible to create a perfectly secure network. That ideal would provide access to no users at all. Any walls that are built technologically can, in theory, be "vaulted" technologically. In public libraries and other small community organizations where funding for technology is extremely limited, best practice is amended to provide a configuration that is reasonably secure given the organization’s determination of its acceptable level of risk. In small public libraries, acceptable risk may be much greater than it would be, say, in a small non-profit community organization, where the loss of proprietary information or of personal information associated with community businesses or organization members is critical. So the determination of what is an appropriate level of security may differ from one organization to another. The audit provides feedback to the library director indicating whether the library configured security meets its determination of appropriate security. Benefits of an AuditHaving created security goals for the library in response to developing its security policy, library staff and board members will have engaged in a reasonable discussion of the risks associated with offering public network services. The library will also have determined a base level of security it wishes to implement. After hiring someone to configure the network to meet this level of security, the security audit will determine how well the security implementation meets the library’s goals. The following list shows the potential results of a network security audit:
Is an Audit Essential?In short, no. At this time, there is no granting agency I am aware of that requires a network security audit as part of its technology grant. A few local funding authorities are just now beginning to implement security policies, and many have no security policy, so they are not yet concerned with audits. However, without an audit it is impossible for the library to know how open to attack its network is. Therefore, the library cannot know how likely it is to lose the service of a workstation, a server, or other network device. Where no audit is performed, a range of scenarios may be present, but be unknown. Here is a list of extreme scenarios and their consequences:
When the library has no knowledge of its network’s degree of insecurity, it is much more likely that one of the following consequences will be realized:
Hopefully, these illustrate that without an audit the library will not have a proper idea of its network security risk. Therefore, the library director will have no means to budget adequately for annual network support and maintenance. If the library significantly under-budgets its need for network maintenance, it may be unable to have network equipment repaired or reconfigured. In most libraries, this is an unacceptable risk. On the other hand, some libraries simply do not have the financial resources for an independent audit (grant resources are becoming available for audits, however). In this case, a self-audit is highly recommended. A self-audit requires someone on staff or a volunteer to be familiar with securing the network in the basic ways mentioned in the Network Security Checklist included in Part III of this guide. The implementation chapters in Part II will help you learn what each measure means, but staff will need additional training to implement/audit these measures. One portion of the online component of this training series will provide this basic instruction. There are other network security training resources as well. The Audit ProjectContentSecurity practitioners may each recommend different security measures to be implemented, depending on their background experience and knowledge of the library environment. Here are seven major areas I use to classify specific security measures:
All of these may be evaluated in a network security audit. Not all of them, and not all of the measures described within each area, are appropriate in every environment. In addition, as mentioned previously, the library must decide what its acceptable level of risk is. By doing so, the library can determine the scope of its own audit. One aspect of deciding which measures will be audited is whether the cost of securing a specific measure is greater than the cost of recovering from an attack resulting from leaving it unsecured. Where a specific security measure is not implemented, the library should provide written justification of its exclusion to the auditor. This informs the auditor of the parameters of the audit. While the auditor may suggest reasons for implementing such a measure, the library is the ultimate arbiter of what risks it is willing to accept. Standard Security MeasuresTo our knowledge, there is no standard list of network security measures that can or should be implemented or assessed to ensure maximum security of a library’s computer network. The only documents close to this ideal that I have discovered are the consensus documents from the SANS Institute (listed in the bibliography). To fill the gap and assist libraries with security implementations and audits, I have developed the Network Security Checklist. The measures listed in the Checklist are divided into three separate levels of network security in public libraries. These are presented in Elements of a Security Audit at the end of this chapter. As more practicing library network administrators and analysts review the Checklist, it should become more of a standard, reflecting the best practice in public libraries. A copy will be maintained online with the electronic version of this manual. (See the reverse of the title page for the Web address.) What an Auditor Might Examine and TestThere are a number of established methods for conducting security audits. Some assess the security of all aspects of the network. Some assess the security of particular components, such as just the security of the perimeter equipment (router/firewall, web server) connecting the network to the Internet. In the business world, managing staff accounts and Internet-based attacks draw the most attention, but these are usually not the primary concern of most libraries. There are three common types of audits. Each uses very different techniques.
A problem with this approach is that it may not provide an accurate evaluation of the organization’s actual perimeter security. It depends to a large degree on the auditor’s skill in breaking into private networks. If the auditor is unable to breach the perimeter security, it tells you only that his skill is not sufficient to break into the network, not that the network is secure. On the other hand, a breach of the perimeter—especially if the auditor is able to become Administrator, or "root" (gain the privileges of the all-powerful super-user on the system)—indicates a major vulnerability. Such a breach is usually demonstrated by planting an innocuous file or program on a server or adding a new user account with administrator privileges. Another problem with this approach in libraries is that it ignores a much more prevalent threat: the local user who accesses the network daily via a local workstation. Having great perimeter security may not preclude very bad things from happening from within the library.
The purpose of this audit is to learn as much as possible about the level of vulnerability in the network configuration. The report provided through a white box audit usually describes the auditor’s tests and findings in detail, and, therefore, it is the most helpful of the report generated through an audit. Expect the audit cost to include time to produce the report. Specific items that could be included in a manual audit are listed in Elements of a Security Audit in Public Libraries later in this chapter. Information an Auditor NeedsThe scope of the audit, as described above, will require the auditor to have access to differing levels of information. The information may be public or very sensitive information. I recommend asking the auditor what he or she requires soon after a contract is signed. The library may need some time locating and packaging the materials requested. The auditor may need some time to review the materials after receiving them prior to an onsite visit. Here is a list of the items most likely to be requested by the auditor for reference prior to or during the security audit:
ResponsibilitiesWhen the library hires a security consultant to perform an audit, especially an onsite, manual audit, there is some risk inherent in providing access to confidential and sensitive network information. The auditor will have access to an administrator account and passwords, as well as access to sensitive documents, such as personnel records or patron information. Therefore, it is a good idea to have a non-disclosure agreement (actually, a disclosure agreement, limiting what will and what will not be disclosed) indicating the responsibilities of the auditor and organization in detail. First, the library must agree to disclose all of the information required by the auditor to access system and network resources during the audit. This information will provide the auditor with a basis from which to perform a thorough inspection and audit of the network. Lacking information such as an administrator’s password may prevent the auditor from accessing portions of the network which need to be evaluated. On the other hand, the auditor must agree not to disclose to any other party any of the information she is provided for purposes of the audit, or any information she accesses/discovers during the course of the audit. Any such disclosure can be considered a breach of security. The auditor, however, may need to disclose some information in specific instances to another person in her organization, so her firm—and not just the specific auditor—should be bound under this area of non-disclosure. Sound security practice (some may call it paranoia) suggests that an agency undergoing an audit should change all significant passwords (for administrator accounts) immediately after the auditor concludes the final onsite visit. When changed, the new passwords should be created with strong password guidelines currently practiced or suggested for practice by the auditor. In addition to the disclosure agreement signed by the auditing firm, it is also a good idea for the library to have a similar written agreement with the firm it uses for installation and/or maintenance of the library’s network equipment. [Note: The vendor responsible for installation and configuration must agree to provide to the library the specific passwords used to configure or administer each piece of equipment (hub, switch, router, firewall, etc.). In several cases in the past, vendors have withheld these passwords from library staff, causing the library difficulty in trying to change vendors for maintenance and expense in trying to solve configuration problems.] The signed agreement should also include a statement that the vendor will not disclose such information to any third party. Likewise, the library has responsibilities in this regard as well. The library must agree not to disclose the nature of passwords and other configuration information used by a vendor, because the vendor may use similar devices in the creation of passwords for other agencies. This is not recommended from a security standpoint, but may indeed occur. By disclosing the library’s password to some other agency or library (third party), the library may inadvertently give someone a "head start" in breaking into another agency’s network. A final responsibility of the auditor will be to schedule the time at which an onsite visit will be made. In some cases, the audit may interrupt ordinary operation of the network, and the audited agency needs time in advance to prepare for the possibility of an outage. For example, especially in public libraries, public access workstations may need to be reserved for the auditor’s inspection, leading to "downtime" for the library’s public access service. Project DeliverablesThe primary product of a network security audit will be the auditor’s report. In businesses there may be a formal presentation of findings as well, providing business representatives an opportunity to ask the auditor questions. Such presentations require time to develop, time to travel back to the business, and time to make the presentation. All this increases the final cost of the audit. Most libraries would be better served to receive copies of the report and have an opportunity through e-mail or a phone call to resolve questions arising from the report. Be aware that some audit reports are mainly printouts from automated network scanning utilities. While these may be extensive, their content may be unhelpful. At the other extreme are complete custom documents detailing the state of security on each system, including areas of weakness in each system, with a list of recommendations for further implementation. Such documentation is very helpful, but is expensive to produce. Selecting an AuditorQualificationsNetwork security auditing in small organizations is still in its infancy. There are very few practitioners who are certified security professionals. Therefore, determining a vendor’s qualification to conduct the audit is based on several evaluative factors:
There may be other vendor qualifications or characteristics that are important to your library. For example, the hourly/daily fee a vendor charges is a primary consideration for most small public libraries. If you develop a Request for Proposals (RFP) or Request for Quotes (RFQ) for the project, be sure to ask responding vendors for references of other clients, particularly any public library clients. Ask the RFP/RFQ respondent to describe her experience with security in a public access environment. Also ask her for a generic copy (with all client references and any sensitive information removed) of a report or two from a similar audit she performed previously. Evaluate each vendor responding to the library RFP or RFQ based on these characteristics and documents. Formal ProcessThe security audit is really the last step in implementing a network security project. So a number of preliminary steps is assumed:
Given the security implementation, there is a separate process required to conduct a network security audit. Here are the major steps:
Elements of a Security AuditIn the following tables I present three levels of security a small public library may choose to implement and have audited. The lists are creatively labeled Basic, Intermediate, and Advanced. They are cumulative. To secure a network at Level Two, everything in Level One must be implemented as well. The items listed in each level are taken from the Network Security Checklist and categorized according to the top ten threats identified in Chapter One. They are listed in order of expected cost, from the least to secure to the most expensive. The lists may not completely represent your library’s needs, but are intended to be a starting point. Feel free to delete or add specific security measures from other levels as library administration deems appropriate.
SummaryIn this chapter we looked at various aspects of network security audits. These include:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 
|
|
|
|
|
|
|
SITE NAVIGATION TEXT LINKS