An Audit (and Commentary) Based On Risk Assessment - Best Practices
(as compiled by the President's Commission on Critical Infrastructure Protection)
Conduct a security training program for all employees according to their job responsibilities and access authorizations, integrating this program with existing physical security aspects.

[Do you have an integrated physical and non-physical security training program for all employees? Is the training program customized to the needs and level of expertise of the different employees you train?]

[In most cases, physical and other forms of security are so different that integrating the training programs does not make sense! Most organizations cannot afford to have fully customized training, and provide common training for all workers.]
Authenticate the identity of all users of the system, determine the uses of the system for which they are authorized, and restrict access to only the authorized functions and data.

[Are all users of all systems identified and authenticated before being granted access? Is the authentication properly suited to the risk associated with their access? Is the access granted to each person using each system limited to the functions they are supposed to use those systems for and the data they are permitted to use those functions on? How is the list of functions, data, persons, and authentication methods determined and associated so that access is properly restricted?]

[Almost no system allows this level of control, and the cost of implementation would be far out of line with the risks in many cases! This is a poor risk management strategy. Most PCs, which comprise more than 90% of all information systems in use today, don't allow strong authentication before use, don't allow functions to be easily limited, don't protect data stored in or passing through or by them, and have no means for allowing such controls to be specified.]
Isolate critical operational control systems from all public and most internal networks, or provide adequate firewalls.

[What are the critical operational control systems in your organization? How are they isolated from public and other internal systems and networks? If firewalls are used, how is their adequacy measured, determined, tested, and verified, and how is this related to the overall risk management process of the organization?]

[Separation is, in many cases, against federal regulations which mandate that many of these systems be accessible from the Internet; it is antithetical to modern best practices; and current firewall technology is not capable of providing a high level of assurance at a reasonable cost!]
Provide adequate procedural and technical controls to assure data integrity, to detect instances of unauthorized change or deletion, and to recover when necessary.

[What threat profile do you face as an organization? What procedural or technical controls would be adequate to assure data integrity, detection of unauthorized change or deletion, and recovery against attack mechanisms within the capabilities of that threat profile? Are these controls in place for every bit of data in every system within the organization?]

[Since no system of controls can fully mitigate all risks of disruption, a risk management process must be used in order to make sensible decisions about information assurance! Most organizations haven't properly defined a threat profile, and still fewer have related this to controls.]
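As an added illustration of what a minimal technical control for the "detect unauthorized change or deletion" item looks like in practice (example code written for this commentary, not anything from the PCCIP report or from all.net): a keyed integrity baseline over a directory of files. The sample files, their contents and the key are constructed for the demonstration; the point is that a plain hash baseline can be recomputed by whoever altered the file, whereas a keyed digest with the key held off the monitored host cannot.

```python
import hashlib
import hmac
import os
import shutil
import tempfile


def build_baseline(root, key):
    """Record a keyed SHA-256 digest (HMAC) of every file under root.

    HMAC rather than a bare hash: an intruder who can rewrite a file on
    the monitored host cannot produce a matching baseline entry without
    the key, so the key must live on the auditing system, not this one.
    """
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as f:
                baseline[rel] = hmac.new(key, f.read(), hashlib.sha256).hexdigest()
    return baseline


def check_integrity(root, key, baseline):
    """Compare the current tree against the baseline.

    Returns a dict with three sorted lists: files whose content changed,
    files that disappeared, and files that appeared without authorization.
    """
    current = build_baseline(root, key)
    modified = sorted(p for p in baseline
                      if p in current and not hmac.compare_digest(current[p], baseline[p]))
    deleted = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "deleted": deleted, "added": added}


def demo():
    """Constructed scenario: two control files, then one edit, one deletion, one drop-in."""
    key = b"constructed-demo-key-not-a-real-secret"
    root = tempfile.mkdtemp()
    try:
        sample = {"config.ini": b"mode=normal\n", "setpoints.csv": b"pump1,50\n"}
        for name, content in sample.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(root, key)

        # Simulated unauthorized activity after the baseline was taken.
        with open(os.path.join(root, "setpoints.csv"), "wb") as f:
            f.write(b"pump1,99\n")                      # changed
        os.remove(os.path.join(root, "config.ini"))     # deleted
        with open(os.path.join(root, "rogue.bin"), "wb") as f:
            f.write(b"\x00")                            # added

        return check_integrity(root, key, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Detection is only half of the item: recovery needs a trustworthy copy of the baseline content (the back-up item later in this list), and the check itself must be scheduled and reviewed through the organization's risk management process, which is exactly the gap the commentary above points at.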
Authenticate and log the origin of all commands to change the operating conditions of the controlled infrastructure.

[Does each infrastructure component have the capability to authenticate and log the origin of all commands that could change its operating condition? Are these capabilities enabled? How is the audit information secured? How is forgery detected?]

[Most infrastructure components today cannot authenticate or log the origin of commands! The cost of replacement would be astronomical, and current authentication technology is not designed to support this activity.]
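To make the audit questions concrete (how is the audit information secured, how is forgery detected), here is an added example, written for this commentary and not taken from the PCCIP report or from any infrastructure vendor, of a command channel where each command carries a keyed tag from its operator and each accepted command is appended to a hash-chained log. Operator names, keys and the commands themselves are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed per-operator keys shared with the logging component
# (placeholders, not real credentials) and a separate key held only by
# the log service for chaining records.
OPERATOR_KEYS = {"alice": b"k-alice-constructed", "bob": b"k-bob-constructed"}
LOG_KEY = b"log-chain-key-constructed"
GENESIS = "0" * 64


def _mac(key, data):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def sign_command(operator, command, params, key):
    """Operator side: serialize the command and attach a keyed tag."""
    body = json.dumps({"operator": operator, "command": command, "params": params},
                      sort_keys=True)
    return {"body": body, "tag": _mac(key, body)}


def append_command(log, msg):
    """Log service: verify the command's origin, then append a chained record.

    Returns True if the command was accepted. A bad tag means the message was
    forged or altered in transit; it is refused and, in practice, alerted on.
    """
    operator = json.loads(msg["body"]).get("operator")
    key = OPERATOR_KEYS.get(operator)
    if key is None or not hmac.compare_digest(_mac(key, msg["body"]), msg["tag"]):
        return False
    prev = log[-1]["chain"] if log else GENESIS
    # Each record's chain value covers the previous chain value, so altering
    # or inserting a record breaks every record after it.
    log.append({"seq": len(log), "body": msg["body"], "chain": _mac(LOG_KEY, prev + msg["body"])})
    return True


def verify_log(log):
    """Auditor side: recompute the chain. Returns -1 if intact, else the index
    of the first record whose sequence number or chain value does not check."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return i
        if not hmac.compare_digest(_mac(LOG_KEY, prev + rec["body"]), rec["chain"]):
            return i
        prev = rec["chain"]
    return -1


def demo():
    """Constructed run: one good command, one forgery, one more good command,
    then an after-the-fact edit of a stored record."""
    log = []
    ok1 = append_command(log, sign_command("alice", "set_breaker", {"id": 7, "state": "open"},
                                           OPERATOR_KEYS["alice"]))
    # Forgery: a message claiming to be from bob, tagged with the wrong key.
    ok2 = append_command(log, sign_command("bob", "set_breaker", {"id": 7, "state": "closed"},
                                           b"wrong-key"))
    ok3 = append_command(log, sign_command("bob", "set_setpoint", {"id": 3, "value": 42},
                                           OPERATOR_KEYS["bob"]))
    clean = verify_log(log)
    # Someone with write access to the stored log rewrites record 0.
    log[0]["body"] = log[0]["body"].replace('"open"', '"closed"')
    tampered = verify_log(log)
    return ok1, ok2, ok3, clean, tampered


if __name__ == "__main__":
    print(demo())
```

The chain detects alteration and insertion, but not silent removal of the newest records; for that the latest chain value has to be anchored somewhere the log host cannot reach (copied off-system at intervals, for instance). That anchoring, key distribution to every component, and the cost of retrofitting components that have no such capability are the points the commentary above raises.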
Create a CERT, or similar response capability, with the equipment and training needed to investigate suspected intrusions, isolate and recover damaged systems, and restore service to customers.

[Do you have personnel trained to the level of national-level incident response teams? Do you have equipment suited to investigate all suspected intrusions? Can you safely isolate and recover damaged systems without major impact on the rest of your systems?]

[There are too few people available today with this level of expertise to staff teams for the current critical infrastructures! The cost and impact of CERT teams on critical infrastructure protection has not been analyzed from a risk management perspective, and thus we do not really know whether this is a good idea or a waste of funds.]
Provide adequate back-up and recovery capability for the programs and data of any information system that is necessary for normal operations and customer service. To better assure the availability of key control systems, information systems and data, consider redundancy, geographic separation of primary and back-up systems, alternative methods, effective use of encryption, and other relevant security options.
Conduct regular assessments of the vulnerability of information systems using the technical expertise of the National Security Agency (NSA) and others as appropriate to assure that new techniques for attacking systems can be contained by the protective measures currently installed.

[Do you know what the technical expertise of the NSA is? How do you tell who is appropriate to perform assessments of vulnerabilities of your information systems? How regularly are what subsets of your information systems assessed for vulnerabilities, and how is this frequency determined?]

[The NSA is not competent to perform this function for all systems, the capabilities of the NSA are not known to the infrastructure providers, and the history of the government in relating effectively with industry is so poor that this proposal is unlikely to be widely accepted! This is not properly supported by a risk management process, so the frequency of assessment is not known. Furthermore, the NSA has historically been reluctant to share any such information.]
While I believe that the PCCIP is well-meaning in their attempt to identify best practices in risk assessment, they seem to have missed the mark in this particular analysis. I suspect that no government agency today could pass an independent audit based on the specified criteria.
Your comments are welcomed - email to fred at all.net