Despite your familiarity with security fundamentals, a quick review is essential, if for no other reason than to ensure we are speaking the same language. Take your time in this section and make sure you understand all the security principles before moving on.
Following are the 11 principles you will find relevant to any security process you participate in. Most of them apply to any security discussion, regardless of the technology, whether it’s wireless networking, Bluetooth, network security, or even physical and nontechnical security practices.
- Security versus convenience.
- It is impossible to eliminate all risks.
- Rules of risk calculation and mitigating controls.
- Not all risks must be mitigated.
- Security is not just keeping the bad guys out.
- ROI doesn’t work for security.
- Defense In Depth.
- Least Privilege.
- CIA triad.
- Deterrents, prevention, detection.
- Prevention fails.
Principle 1: Security vs. Convenience
Additional security is typically accompanied by additional inconvenience. There is much debate on this topic, but at a very basic level you can always add more security by making things more inconvenient. We won’t dive too deeply into this, but you should understand the basic concept. A simple example will help clarify.
Suppose you have some personal papers that you lock in a small safe. To make it more secure, you lock that safe in a larger safe. Now whenever you wish to access these papers, you have the added inconvenience of needing to open two safes in addition to having to remember two separate combinations.
However, a paradox manifests itself in the real world, as illustrated in Figure 1-1, which shows what I like to call the security convenience bell curve. Typically, as you increase the inconvenience factor, you also increase security, but there comes a point when this inconvenience has an adverse effect on security.
An example of the security convenience bell curve would be a company’s “password change frequency” policy. At first, the company’s policy requires users to change their passwords every six months. In an attempt to make the company even more secure, the policy is modified so that users must change their password every three months. However, after a few times of changing their passwords, users find it difficult to remember them and start writing them on sticky notes that are then stuck to their monitors or under their keyboards. This is obviously not a good place for confidential data and ultimately makes the business less secure.
Principle 2: It Is Impossible to Eliminate All Risks
First, let’s start with an accurate definition of risk. Per Dictionary.com, risk is the “exposure to the chance of injury or loss” or “a hazard or dangerous chance.”
That’s relatively straightforward, so what’s all the confusion about? The confusion comes from the fact that many people think that for a given security issue, there is a “fix” that completely eliminates any risk from that issue. You must understand that it is, without a doubt, 100 percent impossible to eliminate all risk from any technology, system, or even situation. For every mitigating control there is a level of risk that remains, no matter how minute. Risk is inherent in everything we do, in every choice we make, every single day. The idea of risk versus return on investment (ROI) has been intimately involved in the decision-making process of business owners for centuries; the same knowledge can be applied to our latest technologies in the security realm.
This is best understood by looking at an example. As kids we were told to look both ways before crossing the street, so let’s look at the risk associated with crossing the street.
Risk                 Getting hit by a car
Mitigating Control   Looking both ways before crossing the street

(It should be very easy to see that the mitigating control for crossing the street is a worthwhile one. But does that eliminate all risk when crossing the street?)

Remaining Risk       Slippery surface (fall and hurt yourself)
Now, if you start glancing up at the sky every time you leave your house to look out for falling airplanes, your friends might look at you a little funny, and rightly so. This is simply to prove the point that you cannot eliminate 100 percent of all risks from any given situation, no matter how unlikely it is that a particular threat might occur. Now you may be thinking that to eliminate all these risks, you could simply stay home and never cross any street. Well, in this case you run the risk of living an unfulfilling or unhealthy life, which exposes you to health risks. Again, this might seem like a strange and extreme example, but it is essential for you to understand that there are inherent risks in every choice we make.
It should also be noted that the purpose of analyzing risk is not always to choose the path with the least risk. Rather, it is to make an informed decision that best suits the person or organization. More on this later.
Principle 3: Rules of Risk Calculation and Mitigating Controls
To appropriately compare different risks, we need a consistent method for calculating risk. Although a multitude of different risk equations are available, the most basic equation is as follows:
Risk = Consequence x Probability
Let’s look at each component of this equation individually and then apply the equation to our previous examples of falling airplanes and distracted drivers.
The consequence (or impact) side of the equation has both a quantitative and a qualitative component. Quantitative costs are anything you can put a hard number to. For example, in quantitative terms, the cost to replace a $100 phone is—you guessed it—$100.
Qualitative costs are much more subjective and harder to define and may be drastically different between persons or organizations. The easiest way to understand qualitative costs is to think of the emotional costs of an incident. For example, if you have a special gift that was given to you, it may be worth only a few dollars if you were to try and sell it, but it might cause a lot of emotional pain if it were lost. Thus, the qualitative cost of replacing it might be very high. This is an extremely simplistic way to look at qualitative cost, but it should help you grasp the concept quickly.
Here are a few examples of quantitative impacts:
• The impact of getting struck by a car ranges from “getting injured” to “death.”
• The impact of your car getting a flat tire is the cost of the replacement tire.
• The impact of your phone being stolen is the cost of a replacement phone.
And here are a few examples of qualitative impacts:
• The impact of getting struck by a car would be physical and emotional pain as well as long-term recovery, involving strenuous physical and mental rehabilitation.
• The impact of your car getting a flat tire could include the headache of having to put the replacement tire on during rush hour, being late for an important interview, and ruining your favorite suit while replacing the tire.
• The impact of your phone being stolen might be the loss of several key contacts, the annoyance of having to wait for a replacement phone, and the fear of someone reading your personal text messages.
The preceding calculation will result in the associated risk level. The actual label for the risk level could be a number or a phrase from a corresponding risk matrix, like the one shown in Figure 1-2.
To use the risk matrix in Figure 1-2 you simply identify the likelihood and impact of a potential threat. For example, the likelihood of someone stealing a server might be low and the impact might be low (if you encrypt your hard drives). You would then plot this threat as existing in the lower left quadrant and have an overall threat of low. You could then compare this to other threats and deal with them as your business dictates.
The actual naming convention or the numbers used in the calculation of each component can be essentially arbitrary as long as the same system is used for each calculation. For example, it doesn’t matter if you calculate probability in months, years, or decades, as long as you use the same period for each calculation.
If you’re developing a security program for your own company, feel free to start from scratch and come up with a numeric or naming system that fits your business. The key here is consistency: As long as you’re identifying risk levels using a common system, you’ll be able to identify areas that you wish to mitigate first. You can find plenty of examples to choose from on the Internet, so look for one that fits your business. The Department of Homeland Security provides many good resources at www.dhs.gov. Now let’s use our previous examples to calculate the risk level associated with each. We’ll define an arbitrary system for each component first. Impact will be a number between 1 and 10, with 1 being the lowest impact and 10 being the highest. Probability will be a yearly probability based on statistical information.
Vulnerability   Falling Airplane
Impact          10 (Death)
Probability     0.000001 (one out of every 1,000,000 people dies from a falling airplane every year in America)
Risk Level      0.00001 (10 x 0.000001)

Vulnerability   Distracted Driver
Impact          10 (Death)
Probability     0.001 (one out of every 1,000 people dies from a distracted driver every year)
Risk Level      0.01 (10 x 0.001)
As you can see, the risk level from distracted drivers is much greater than that of falling airplanes. Therefore, you might want to protect yourself from distracted drivers before worrying about falling airplanes. The difficult part here is that different people might assign different probabilities or different impact levels to the same threat. For example, the probability of getting struck by a car while crossing the street is much higher for someone living in New York City than it is for someone living in a rural community in Kansas.
Note Various organizations and industries have slightly different risk formulas—whether just different naming conventions for each component or a different number of components. This should not be seen as a bad thing; certain industries and businesses can benefit from having more complex or more simplistic formulas. However, understanding the current example will give you a strong baseline from which you can approach other formulas.
Wondering how all this applies to wireless networking? Let’s take a look at a real world example.
Let’s assume you have 100 wireless access points deployed in your organization with 1,000 wireless users. A new exploit is released that affects the version of firmware currently running on all your access points. The exploit allows an authenticated user to reboot the wireless access point. We’ll calculate the risk level using the High/Medium/Low scheme from Figure 1-2. (Remember that the risk calculation is Risk = Consequence x Probability.)
● Consequence This would be Low because a reboot would only temporarily affect service to users.
● Probability This is Low as well because only authenticated users can successfully exploit this vulnerability.
Thus, the risk calculation would be Low x Low = Low Risk.
If it costs you four man-hours per access point to apply a patch for this vulnerability, then it might not be worth the cost to mitigate this risk. Instead, it might be more cost effective to live with this risk and use those 400-man hours elsewhere.
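The calculation above, the Figure 1-2 matrix, and the “is the patch worth 400 man-hours” question can all be put into a small risk register. The following is an added worked example, not code from the book: the 1-to-10 impact scale and the yearly probabilities for the two personal threats are the text’s; the Low/Medium/High cut-offs, the 3x3 matrix layout, the dollar figures for the business cases (an assumed $50 per man-hour, an assumed $500 of lost productivity per access-point reboot, an assumed laptop-theft case), and the names Threat, risk_score, matrix_rating, rank, annual_loss_expectancy and decision are all assumptions made here.

```python
"""Risk register for Risk = Consequence x Probability, plus the accept-or-mitigate
check. Added worked example, not the book's code. The 1..10 impact scale and the
yearly probabilities for the two personal threats come from the text; the band
cut-offs, the 3x3 matrix, and every dollar figure below are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    impact: int                   # 1 (lowest) .. 10 (highest), the text's scale
    probability: float            # probability of occurrence per year, 0..1
    loss: float = 0.0             # quantitative loss per occurrence, dollars (assumed)
    mitigation_cost: float = 0.0  # yearly cost of the control, dollars (assumed)


def risk_score(t: Threat) -> float:
    """Risk = Consequence x Probability on the numeric scale defined in the text."""
    if not 1 <= t.impact <= 10:
        raise ValueError(f"impact must be 1..10, got {t.impact}")
    if not 0.0 <= t.probability <= 1.0:
        raise ValueError(f"probability must be 0..1, got {t.probability}")
    return t.impact * t.probability


# Assumed cut-offs for the High/Medium/Low scheme; the text only requires that
# whatever scheme you pick is applied consistently to every threat.
IMPACT_BANDS = ((4, "Low"), (7, "Medium"))       # impact < 4 Low, < 7 Medium, else High
PROB_BANDS = ((0.01, "Low"), (0.1, "Medium"))    # p < 1%/yr Low, < 10%/yr Medium, else High
LEVELS = ("Low", "Medium", "High")


def band(value: float, bands: Tuple[Tuple[float, str], ...]) -> str:
    for limit, label in bands:
        if value < limit:
            return label
    return "High"


def matrix_rating(t: Threat) -> str:
    """Read the overall rating off an assumed 3x3 matrix in the style of Figure 1-2:
    Low x Low = Low, High x High = High, a High paired with a Low = Medium."""
    cell = LEVELS.index(band(t.impact, IMPACT_BANDS)) + LEVELS.index(band(t.probability, PROB_BANDS))
    return "Low" if cell <= 1 else "Medium" if cell == 2 else "High"


def rank(threats: List[Threat]) -> List[str]:
    """Names ordered by numeric risk, highest first: the order to mitigate in."""
    return [t.name for t in sorted(threats, key=risk_score, reverse=True)]


def annual_loss_expectancy(t: Threat) -> float:
    """Expected quantitative loss per year. Qualitative costs are not captured here."""
    return t.probability * t.loss


def decision(t: Threat) -> str:
    """Accept the risk when the control costs more than the yearly loss it prevents."""
    return "mitigate" if t.mitigation_cost < annual_loss_expectancy(t) else "accept"


# Constructed inputs. The first two are the text's personal threats; the rest are
# business cases with assumed dollar figures.
PERSONAL = [
    Threat("Falling Airplane", impact=10, probability=0.000001),
    Threat("Distracted Driver", impact=10, probability=0.001),
]
BUSINESS = [
    # 100 APs x 4 man-hours at an assumed $50/hour = $20,000 to patch; a reboot is
    # assumed to cost $500 of lost productivity, with a Low (0.5%/yr) probability.
    Threat("AP reboot exploit", impact=2, probability=0.005, loss=500, mitigation_cost=20_000),
    # The $5,000 yearly fine is certain; the $2,000,000 compliance project is
    # counted against a single year for simplicity.
    Threat("Regulation fine", impact=3, probability=1.0, loss=5_000, mitigation_cost=2_000_000),
    # A control cheaper than the loss it prevents, to show the other outcome.
    Threat("Laptop theft", impact=6, probability=0.05, loss=40_000, mitigation_cost=1_000),
]

if __name__ == "__main__":
    for t in PERSONAL:
        print(f"{t.name:18} risk={risk_score(t):.6f} matrix={matrix_rating(t)}")
    print("Mitigate first:", rank(PERSONAL))
    for t in BUSINESS:
        print(f"{t.name:18} ALE=${annual_loss_expectancy(t):,.2f} -> {decision(t)}")
```

Running it ranks the distracted driver 1,000 times above the falling airplane on the numeric scale even though both land in the same cell of the coarse matrix (High impact, Low probability), which is the reason to keep a numeric score alongside the labels. The access-point and regulation cases both come out as “accept” because the control costs more than the yearly loss it prevents; the laptop-theft row is there to show the opposite outcome. Two practitioner caveats: qualitative costs are deliberately absent from the formula and remain a judgment call, and the Low probability for the access-point exploit rests on “authenticated users only,” which with 1,000 such users, and an exploit that can be repeated, is an input worth revisiting.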
Principle 4: Not All Risks Must Be Mitigated
Not all security risks must be mitigated. Yes, I know, as a fellow security fanatic it sounds
counter to what we believe. If there’s a security hole, plug it! But in reality, there are
plenty of risks that we don’t mitigate already. It’s relevant to bring these calculations to a
conscious level. You’ve already read an obvious example—the risk of falling planes. Now
let’s look at the cost to mitigate the risk of falling airplanes.
You could construct a house for a few million dollars that could withstand the impact
from a falling plane, but when you consider the extremely remote possibility of a falling
plane striking your house, you’ll probably come to the conclusion that it’s not worth the cost.
Yes, this is just another extreme example, so let’s look at a very simple business example.
A new regulation has come out that affects your business. If you fail to comply with
the regulation, you will be fined $5,000 every year. You’ve hired an external firm to assess
the cost to make you compliant with the regulation and they think at a bare minimum it
will cost you $2,000,000. It’s not hard to see here that it makes more business sense to just
pay the fine and not try to make your business compliant.
Four main approaches can be taken to manage risk: You can accept the risk, avoid the
risk, transfer the risk, or mitigate the risk. In the two previous examples, we’ve chosen
to accept the risk associated with each scenario. Now let’s look at our other options for
dealing with the risk of the new regulation.
Avoid      Let’s imagine that the regulation only applies to companies doing business in Texas. If your company can prosper without doing business in Texas, then you’ve just avoided the risk.

Transfer   Maybe you can transfer the risk to a third party. If you could outsource the part of your business that’s covered by the regulation and let the third party worry about it, then you’d have transferred the risk.

Mitigate   Instead of avoiding, transferring, or accepting the risk, you might decide to implement controls to adhere to the regulation. Thus, you would have effectively mitigated the risk of a fine due to the regulation.
Principle 5: Security Is Not Just Keeping the Bad Guys Out
Security is not just about keeping the bad guys out. An extremely common misconception
is that the primary concern for security administrators is keeping malicious outsiders from
accessing critical systems. Of course, this is a vital component to a comprehensive security
plan; however, it is far from being the only concern. The problem with adopting a “keep
the bad guys out” mentality is the development of the so-called “candy” network, with a
hard outer shell and a delicious gooey center. We’ll address this topic in more detail later.
You may hear many reports stating that the majority of security breaches come from
internal personnel. Now, although I agree with this statement in theory, a little speculation
might help to clarify exactly what is meant by it. Here are the key points:
● How do you define a security compromise? For example, an internal IT administrator
misusing his administrative privileges and reading private e-mails seems like a pretty
obvious internal security compromise. However, what about the user who has too many
privileges on a file share and by an accidental click of a button deletes all the files on
that share? I would define the latter as a security compromise, but maybe the person
writing the incident reports does not.
● How do you define the actual root cause? As an example, what happens when an
end user accidentally infects her personal laptop while at home and then brings that
laptop into the office, infecting other business workstations. Would the root cause
of this compromise be attributed to the malicious user that wrote the virus or the
uneducated employee who unwittingly brought an infected machine into the corporate
environment? I’ll leave it up to you to decide for yourself.
● What are accidental versus intended compromises? Using the previous two examples,
does the surveyor discriminate between intentional compromises of security and purely
● Does this mean we shouldn’t worry about our perimeter? Finally, do all these reports
stating that the vast majority of security compromises originate from internal personnel
mean that we should not bother protecting our perimeter and instead focus all our
attention on keeping internal users from wreaking havoc on our networks? Hardly!
The fact remains that very costly compromises do occur from external parties, and if we
were all to stop maintaining our perimeter security we would quickly see the number of
external compromises skyrocket!
Principle 6: ROI Doesn’t Work for Security
The traditional calculation of return on investment (ROI) doesn’t work for expenditures for
security. At a very basic level, the calculation for return on investment determines how much
profit will be produced if you invest X amount of money (or resources) into something.
Using the ROI model, you can compare multiple investments and determine which is
appropriate. Therefore, spending money on security cannot be justified with ROI, because it’s
not a revenue-generating business process. Instead, you’re spending money (and resources)
to protect a greater amount of money (or resources) from being lost. Also keep in mind the
qualitative risks, such as reputation, image, and the long-term effects of damage to these.
Principle 7: Defense In Depth
You can improve security via Defense In Depth. True security does not come from one
risk-mitigating control; instead, it comes from the implementation of many synergistic
solutions. One of the most basic examples of this is one we’re all very familiar with: a
bank. Banks don’t just rely on a big vault to keep all their assets safe; instead, they also
employ armed security guards, cameras, door locks, fences, educated employees, alarm
systems, and so on. This is the essence of Defense In Depth and the foundation for a more
Principle 8: Least Privilege
You can improve security with Least Privilege. One of the most important and often
overlooked methods for configuring security devices and implementing policies is that of
Least Privilege. Least Privilege means giving users the bare minimum rights they need to
perform their duties and then giving them additional privileges as necessary. The opposite way
(the most common) is to give the most amount of privileges and then remove “dangerous”
privileges one by one. This can also be referred to as blacklisting versus whitelisting.
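What “bare minimum rights, then add as necessary” looks like as an authorization check, beside the blacklist approach the text calls the most common, as an added example that is not code from the book. The privilege names, the help-desk role, and the function names blacklist_authorize, whitelist_authorize and audit are constructed for illustration.

```python
"""Least Privilege as an authorization check: default-deny (whitelist) beside the
default-allow-then-remove-dangerous (blacklist) approach. Added example, not the
book's code; privilege names, the help-desk role and function names are constructed."""
from typing import Dict, FrozenSet, List

# Constructed inventory of privileges a wireless controller exposes today.
PRIVILEGES: FrozenSet[str] = frozenset({
    "view_clients", "view_logs", "reboot_ap", "change_ssid",
    "change_radius_secret", "factory_reset_ap",
})


def blacklist_authorize(action: str, denied: FrozenSet[str]) -> bool:
    """Default allow: the action is permitted unless someone remembered to deny it."""
    return action not in denied


def whitelist_authorize(action: str, allowed: FrozenSet[str]) -> bool:
    """Default deny (Least Privilege): the action is permitted only if it was granted."""
    return action in allowed


# A help-desk role whose duties need only two privileges.
HELPDESK_ALLOWED: FrozenSet[str] = frozenset({"view_clients", "view_logs"})
# The same role written the blacklist way, back when the controller had no
# factory-reset feature: the "dangerous" privileges were removed one by one.
HELPDESK_DENIED: FrozenSet[str] = frozenset({"reboot_ap", "change_ssid", "change_radius_secret"})


def audit(allowed: FrozenSet[str], denied: FrozenSet[str], inventory: FrozenSet[str]) -> Dict[str, List[str]]:
    """Evaluate both policies over every privilege that exists today and list what
    the blacklist grants that the whitelist would not."""
    black = sorted(p for p in inventory if blacklist_authorize(p, denied))
    white = sorted(p for p in inventory if whitelist_authorize(p, allowed))
    return {
        "blacklist_grants": black,
        "whitelist_grants": white,
        "leaked_by_blacklist": sorted(set(black) - set(white)),
    }


if __name__ == "__main__":
    for key, privs in audit(HELPDESK_ALLOWED, HELPDESK_DENIED, PRIVILEGES).items():
        print(f"{key}: {privs}")
    # A firmware update adds a privilege nobody has reviewed yet.
    new_priv = "push_firmware"
    print("blacklist grants", new_priv, "->", blacklist_authorize(new_priv, HELPDESK_DENIED))
    print("whitelist grants", new_priv, "->", whitelist_authorize(new_priv, HELPDESK_ALLOWED))
```

The audit shows the failure mode of the blacklist: factory_reset_ap was never on the deny list, so the help-desk role gets it, and any privilege a later firmware update introduces (push_firmware in the script) is granted by default until someone notices and updates the list. The whitelist fails closed: a new privilege is denied until it is deliberately added to the role, which is the property Least Privilege is after.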
Principle 9: CIA Triad
The CIA Triad is an industry-accepted model for securing systems (specifically, but not
exclusively, data). The acronym stands for Confidentiality, Integrity, Availability. Each of
these is vital to ensuring the security of data:
● Confidentiality Ensure that only those with the rights to view the data have access to
do so, and prevent unauthorized disclosure of sensitive information.
● Integrity Ensure that changes made to the data are made only by authorized individuals,
and prevent unauthorized modifications of systems and data.
● Availability Ensure that access to the data is available when needed, and prevent
disruption of service and productivity.
Principle 10: Prevention, Detection, Deterrents
Within the security realm, most mitigating security controls fall into at least one of the
following three major categories. Going along with the Defense In Depth strategy, it is
wise to implement multiple types of security controls whenever possible.
● Prevention Aims to stop a certain activity before it happens. Examples include locks
on doors, bars on windows, and a firewall.
● Detection Uncovers certain activities. Examples include motion-activated cameras
and an intrusion detection system (IDS).
● Deterrents Used to restrict people from doing things they shouldn’t. Deterrents can
be physical or logical in nature. For example, an electric fence would deter people from
climbing it because they risk getting electrocuted. Security cameras can act as a logical
deterrent because evidence of wrongdoing could be used in litigation against a perpetrator.
Many security controls fall into multiple categories. For example, cameras both detect
and potentially deter criminal activity. An electric fence could both prevent someone from
walking onto your property as well as deter anyone from trying to scale it.
Principle 11: Prevention Fails
Another common theme in the security realm is the fact that (essentially) every prevention
measure will eventually fail (or is capable of failing). This doesn’t mean that every single
implementation of a preventative security measure will be bypassed by someone with
malicious intent, but only that it is possible. Another way to look at this is that, in the security industry, the attackers and the defenders are always “one upping” each other.
Consider the following examples:
● I have a fence installed to keep intruders out of my house.
The intruders scale the fence and come into my house.
● I install razor wire at the top of my fence to prevent scaling of the fence.
The intruders toss a large mattress on top of the razor wire and scale over the fence.
● I purchase guard dogs.
The intruders use tranquilizers to knock my dogs out.
Again, these examples are a bit comical, but they should prove the point that you can’t
rely entirely on prevention to secure your environment. Instead, you need a strong Defense
In Depth strategy that uses deterrent techniques and methods of detection well.
Definition of Hacker
The proper definition of the word hacker has been the source of much heated debate. I
choose to use the word to portray both those with and without malicious intent. For me,
the quintessential characteristic of a hacker is a tenacious and creative problem-solving
ability. Whether the person is malicious or a saint is irrelevant.
Want to take your career to the next level? Start evaluating security expenditures with
the knowledge you’ve just obtained. C-level executives don’t think in terms of secure
versus insecure; they think in terms of risk mitigation and risk management (that is, is
this security technology going to prevent me from losing more money than it costs?). It’s
your job to be able to turn packet dumps and firewall configurations into terms of risk
So in a business context you have two calculations to consider for risk:
● Are the risks introduced by implementing a new technology worth the risk added to
● Is the cost of a mitigating control less than the potential losses from the associated
For end users, there’s another component to the calculation that is slightly harder to
define because emotion is involved. For example, some people live in very safe neighborhoods
but still purchase guns for their houses. They might not need a gun to actually be secure,
but because emotionally it makes them feel more secure they are more apt to make