Helpful Concepts of the Business Security System Design

Alexander Liss

06/20/98

 

Catching the Criminals and Elimination of Temptation

Optimal Level of Security

Rising Security Requirements

Random and Dynamic System

Perpetual Upgrading of the Security System

Accounting

Security and Reliability

Convenience and Clear Justification of Procedures

New Challenges and Old Types of Weaknesses

Separate System

Distributed Security System

Distributed "Back Door"

Multiple Certificates

Parallel Systems

Umbrellas and Bridges

Clear Modular and Layered Structure

New Challenges

 

In the age of the Internet, many security tools are migrating from the world of the military and intelligence services into the business world. However, the business world is substantially different. We offer here a few simple concepts that can help the designer of a Business Security System.

 

Catching the Criminals and Elimination of Temptation

Business Security Systems play an important social role.

Implementing a Business Security System does not mean, and should not be interpreted as, mistrust of employees or customers. Its main role is a different one, and it has to be emphasized relentlessly: the Security System removes the temptation to break the law.

Criminals try to break into the business, and a properly designed Security System helps to catch them. In this instance the Security System plays an active role, and it has to play this role: there is a social need for the punishment of criminals.

Responsible individuals do not attempt to break into the business because of their high moral values, not because of the hurdles of breaking through. For this group of people the Security System should be as transparent as possible.

However, there is a large group of people, confused, stressed, and so on, who might try to break the system and on the way move themselves into the world of criminals. The Business Security System protects them from making this mistake by eliminating the temptation. This is an important social service, which managers have to keep in mind when they make decisions about deploying a Security System. Even a weak System, which can be broken by specialists with enough resources, is beneficial.

 

Optimal Level of Security

Security always comes at the expense of business effectiveness. At the same time, the business already carries the risk of failing for business reasons unrelated to Security, and improved Security might increase this risk. Hence there should be an Optimal Level of Security, at which a balance is achieved between Security-related risks and other business risks.

In general, the very complexity of the business is a good protection against attack in a civilized society. People with the skills needed to understand the workings of the business usually can earn money legally, while criminals operate in a world where sophisticated business activity is unknown.

The Business Security System relies on the civility of the society. Complex business structures can exist only in a civil society; if the level of civility is low, the business actually cannot exist, for many reasons unrelated to Security.

When we design the Security System for a business we can assume some level of civility of the society, and we should assume it. Usually the actual Optimal Level of Security is reached through experience and some experimentation.

Rising Security Requirements

The problem businesses are facing is that the Optimal Level of Security is rising because of the globalization of the economy and new communication abilities. Business still relies on the civility of the society; however, the society is changing, and the less civilized parts of it are gaining access to vital business structures.

A simple example is computer viruses. Programmers who can write this kind of sophisticated program usually can find a well-paying job, hence feel integrated into the society, and think twice before they dedicate their efforts to writing viruses. However, good computer specialists in, for example, Bulgaria or Pakistan often are not paid well, feel discontent, and some of them get involved in the production of these malicious programs, which spread fast through the global communication network.

Also, some criminals gain access to new skills and new technology, usually through intimidation or theft of information. A recent stock manipulation scheme in which the Mafia was involved is an example.

 

Random and Dynamic System

There is no perfect Security System; there is always a tug of war between those who protect the business and those who try to penetrate it, and there are always security holes. The main difference a Security System brings is that without a Security System the security holes are permanent, and with a Security System they are random and changing.

When security holes are random and changing, the attacker needs time and resources to find a hole and penetrate the system; hence both properties of the security system, the randomness and the dynamic nature of its security holes, are important. Therefore, any Security System has to keep its security weaknesses changing, closing some and inevitably opening others. The Security System has to evolve all the time.

This has an additional benefit: when security personnel update the security system all the time, the Security System can be adapted relatively easily to changes in the business. Also, the reaction of the personnel to a security event is more adequate, because testing changes in the system is similar to the rare security event, and personnel involved in frequent testing have the proper experience and can react adequately. This is similar to the fire department: fires happen infrequently, but they require an unusually high amount of coordinated effort; hence perpetual training is needed.

 

Perpetual Upgrading of the Security System

Business is always in the process of change. Some parts of it get separated off, and some external businesses get integrated. The Security System should work well in this environment. New security weaknesses are discovered in the process of monitoring the Security System, and new security tools become available. Usually this situation is managed with a chain of upgrades of the Security System. This approach works well with the need for a dynamic Security System described above.

The Security System has to be designed in a special way: ready for upgrading. Special procedures for preparing new versions of the Security System have to be set forth together with the design. This is an important concept: the perpetually changing Business Security System.

 

Accounting

Many subtle properties of a good Security System can be understood with reference to business accounting. Accounting is a very effective tool of theft prevention. It works by exposing theft, thus allowing other social structures (law enforcement) to take over. A security system in a civilized society has similar goals: to catch unwanted activity in time and pass this information to special social structures.

Any unaccounted assets or business activity are an invitation to theft. Similarly, any unaccounted external access to the business information system is an invitation to penetration of the business.

The similarity goes further. Accounting information, if it falls into the hands of an enemy, can be very damaging for the business. Security logs can be very valuable for the enemy as well. Use of accounting for taxation and for evaluation of the value of the company stock sometimes leads to forgery of the books. Use of security logs for management leads to forgery of logs.

Absence of vital accounting in Security Systems is much more widespread than one might think. An example is the ability to access one's own work computer from home through a modem attached to it. Usually, if one has access to the computer, one has access to the network. Rarely is this access logged somewhere in an independent storage area; if someone breaks the security through this gateway, no one knows.

 

Security and Reliability

The design of a Security System requires a peculiar approach to reliability issues.

There are two contradicting issues involved. First, failure of the Security System (or of the main system) can open up a security hole. Second, failure of the Security System can block access to the main system, producing a "denial of service". "Denial of service" can be so detrimental to the business that the business would rather accept the risk of penetration than allow the disruption of normal activity.

Hence the Security System has to be extremely reliable.

It has to be designed on the assumption that anything that can go wrong with the main system will go wrong eventually.

The Security System, like any other system, is always in the process of upgrading and correction. Hence it has to be designed in such a way that its modules are independent and have clear functions and interfaces, so that replacement of such a module can be done without any effect on the rest of the system.

The overall design of the Security System has to be clear and simple, without complexities that can cause unanticipated states of the system. The desire to make the Security System faster and to use fewer resources should not impede this requirement of system simplicity and clarity of design.

 

Convenience and Clear Justification of Procedures

All procedures of the Security System in which non-security personnel or customers are involved should be convenient and should have a clear interpretation. The military sets up security procedures, many of which are based on the experience of specialists and do not have a simple, straightforward interpretation. These procedures are drilled on a regular basis and followed to the letter. In a business setting people find out very fast how to circumvent security procedures that affect their productivity. They do not do it out of some kind of malicious nature; they do it because they do not see the reason behind these procedures.

Passwords are a good example. There are too many passwords and security codes that people have to memorize. They write them down in convenient places instead. Password management has to be thought through carefully at the design stage of the Security System. Replacement of passwords with sensible (long) pass-phrases can alleviate the problem.

 

New Challenges and Old Types of Weaknesses

Any Security System has its weaknesses; the question is where they are. Some types of weaknesses we understand better and have already learnt how to cope with. Other types of weaknesses are new, and even the comprehension of these threats requires special knowledge. Often we do not even know how we can use the tools of society to protect against these new types of weaknesses of the Security System. There is an additional problem with new types of weaknesses: managers do not understand them, and it is difficult to get funding for an appropriate upgrade of the Security System.

New technologies bring new Security threats. Hence the Business Security System should be designed in such a way that the potential holes introduced by new technology are covered completely with technological tools. The inevitable potential Security threats should be localized in clearly understandable areas, which are protected by the proper behavior of specialists (such as the management of the password file). In other words, the Security System has to be designed in such a way that all its potential weaknesses are of a familiar type, so that people can easily understand what they have to do to protect the business, and why.

In the case of cryptographic protection this means that weak cryptography should not be employed at all, even when there is a good justification that it is sufficient (for example, that an attack on it is really very expensive and improbable). At each moment and for each particular task there are algorithms and key lengths that make a cryptographic attack practically impossible. They have to be used. For example, DES for encryption and MD5 for hashing should not be used even when they deliver an adequate level of security in the particular situation. In the case of a security breach, the possibility that the cryptographic algorithms were broken should be excluded from the onset.

 

Separate System

The Security System has to be independent from the other systems of the business. From the productivity point of view there is always the desire to have the Security System built into, for example, network administration, and so on. However, to have it effective it is important to have it as a separate but integrated system. The Security System cannot be analyzed or upgraded in part; it always has to be viewed as a whole. It has to be managed as a whole. The idea seems obvious, but it is forgotten again and again in actual designs.

 

Distributed Security System

With all the need for a centralized approach to the design and maintenance of the Security System, its actual design benefits greatly if it is done in a distributed way.

 

Distributed "Back Door"

A Business Security System always needs a "back door": it should have the capability of recovery of the protected data by authorized personnel, since the business does not want to lose the data when an employee quits. The government imposes a similar requirement, but for national security reasons. The "back door" is a requirement that is difficult to implement consistently.

First, the "back door" is a potential security threat, and access to it has to be carefully designed. Fortunately, cryptography has tools that allow access to information only when a few members of an authorized team collude. This can be used as protection against a possible insider attack.

Second, it requires special storage of secrets. Centralized storage of secrets creates problems of its own. Wherever possible it is better to have decentralized storage of secrets. For example, the symmetric key used to encrypt a file can be stored with the file, but encrypted with a special public key cryptographic system whose secrets are available only to authorized personnel. The same applies to each encrypted message passed through the company's network.

Passing encrypted messages has an additional problem. The government is concerned that secure communication channels can be used for illegal activity, and wide availability of these channels makes a clear invitation to criminals. The method we recommend here, to pass along with the message the cryptographic key used to encrypt it, in a form that can be recovered only with knowledge of special ("escrow") secrets, has one flaw. If criminals control both ends of the communication channel, they can drop, fake, or transform this special additional message, rendering recovery of the original message impossible. Hence, to make it work, the system has to be designed in such a way that at least one end of the communication channel is under tight control and the message does not go through if this additional information is not appended in the proper form.

 

Multiple Certificates

Digital certificates are powerful tools of the security system; however, they are often misused. Absence of protection against stolen identity is one example. Authentication systems based on biometrics alone are rarely used: what will you do if someone can fake the thumb or the hand needed to get access? There is no way to replace them with a new authentication tool. We have a serious problem with the social security number as a means of authentication. Crooks use a false identity to get personal credit, which someone else has to repay.

Similar problems exist with digital certificates. Replacement of a certificate is a lengthy process, and productive time is lost. Replacement of a whole family of certificates because something in the certification process was compromised can be a disaster. Certificates also create a privacy problem: monitoring the certificates in the information system can give a lot of information to someone who is not a part of the security personnel.

These problems can be easily solved with multiple certificates: the same person can have multiple certificates acquired through different certification processes. This allows seamless renewal of certificates, upgrade of some of the certification systems while others support the business activity, revocation of compromised certificates without interruption of the business process, etc.

Digital certificates can be stored on cards (magnetic stripe, smart) or in the computer, protected (encrypted) with the help of a password or passwords.

 

Parallel Systems

The Security System has to have a few different security systems that work in parallel and the ability to turn any of them on and off in a short time; this allows seamless perpetual upgrade of the security system.


Umbrellas and Bridges

The Security System has to be a system of flexible "umbrellas", which can easily expand or retract the covered area. Areas covered with different "umbrellas" have to communicate information through security "bridges". Security "bridges" allow different "umbrellas" to utilize different security techniques.

 

Clear Modular and Layered Structure

The Security System has to have a clear structure, so that perpetual corrections and upgrades do not introduce new security holes by upsetting some intricate balance. The obvious way to achieve this is to make it modular and layered, where each module and each layer is independent. This means, for example, that the same secret key should not be used for both encryption and authentication, even when it can be done securely: some future correction can inadvertently open a security hole.
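An added example (not the essay's own code) of the key-separation rule just stated: one master secret, but separately derived encryption and authentication keys, using HKDF (RFC 5869) built on HMAC-SHA256 from the Python standard library. The context labels, the sample master secret and the sample ciphertext are assumed.

```python
"""Derive independent encryption and MAC keys from one master secret (HKDF).

Added example, not code from the original essay. Because the two subkeys are
bound to different labels, a future change to how one of them is used cannot
leak or weaken the other, which is the layering property the text asks for.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt, ikm):
    """PRK = HMAC(salt, IKM); an empty salt is replaced by a block of zeros (RFC 5869)."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """Expand PRK into 'length' bytes; the output depends on the 'info' label."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkeys(master_secret, context, key_len=32):
    """Return (enc_key, mac_key); distinct labels give unrelated keys (labels assumed)."""
    prk = hkdf_extract(b"", master_secret)
    enc_key = hkdf_expand(prk, context + b"|encryption", key_len)
    mac_key = hkdf_expand(prk, context + b"|authentication", key_len)
    return enc_key, mac_key


def authenticate(mac_key, ciphertext):
    """Tag over the ciphertext using only the MAC key, never the encryption key."""
    return hmac.new(mac_key, ciphertext, HASH).digest()


def verify(mac_key, ciphertext, tag):
    """Constant-time comparison of the expected and presented tags."""
    return hmac.compare_digest(authenticate(mac_key, ciphertext), tag)
```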

 

New Challenges

It took quite some time until businesses found the proper deployment of personal computers. The problem with personal computers is their inherently low level of reliability. That was a design feature: it allowed PCs to be so cheap. Reliable computers require many more resources, use more sophisticated software, and cost more. Eventually the PC in business took the place of the smart terminal, which uses data on reliable servers, plus a personal productivity tool. Hence a way was found to employ them without jeopardizing the reliability of the business.

Introduction of connectivity to the Internet produces a similar problem from the business point of view. A home computer that is connected to the Internet periodically, or the computers in learning organizations, do not present much interest for criminals. Hence orienting PCs toward easy connection to the Internet does not produce a serious security threat there.

The picture is quite different in the business world. With the tendency to communicate, gather information, and even conduct business transactions through the Internet, the PC as a productivity tool in the business setting has to have a connection to the Internet. However, this opens all kinds of possibilities for attacking the business through these numerous PCs connected to the Internet. Again, businesses are in the situation where they have to find a way to employ PCs without jeopardizing security.

The proper solution has to be based on the creation of a "secure computer" inside every PC and a "secure network" inside the existing business network, which the "secure computers" use to communicate. "Secure computers" and the "secure network" form the "secure area". When information (data or a program) has to be moved to or from the secure area, explicit permission has to be given and this event has to be logged.

This can be done with software, and the worker would be able to access business information through the "secure network" and outside information through the Internet using the same physical computer. Each time information is moved between the "secure area" and the "insecure area" in the same physical computer, a security event is triggered.