Solving Cybersecurity Problems Through the Application of Standards
In November 1999, Bruce Schneier famously wrote that “complexity is the worst enemy of security” in his essay titled, A Plea for Simplicity – you can’t secure what you don’t understand.
As information technology has proliferated throughout society over the past 20 years, Schneier’s complexity principle is even more relevant today than it was in the relatively simpler times of 1999. Back then, mobile devices were not as ubiquitous as smart phones are today. The concept of the Internet of Things really didn’t exist. There were no IP-enabled cameras, doorbells, thermostats, refrigerators, etc. And while JCR Licklider, a pioneer of the Internet, proposed an Intergalactic Network as far back as 1962, cloud computing – Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) – didn’t exist in 1999 as they do today.
Schneier’s principle is an adaptation of the linear algebra concept of an undetermined system, which is defined as a system that has more variables than equations. In such cases, the number of solutions can be infinite. When this concept is applied to information systems, the same holds true. If there are more unknowns than knowns, you will never be able to secure the system.
Solving for X
If we accept that complexity is considered the worst enemy of security, then conversely, simplicity should be considered the best friend of security. Simplicity can be achieved by designing and securing systems using sets of standards that reduce the number of unknowns regardless of the sophistication of the system. Allowing for Rube Goldberg designs whereby the system accomplishes simple tasks in an overly complex or indirect manner should never be accepted from a security or IT management perspective. The more moving parts there are, the more things that can go wrong.
In cybersecurity, we can help introduce equations in the form of standards or best practices to help offset the number of unknowns. At a macro level those best practices can be found in the form of frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the International Standards Organizations/International Electrotechnical Commission (ISO/IEC) 27002 series, Information Technology – Security Techniques – Code of Practice for Information Security Controls, the Center for Internet Security’s (CIS) Critical Security Controls for Effective Cyber Defense, among others. Each of these approaches provide organizations with guidance for developing a comprehensive cybersecurity program that effectively manages risk. The NJCCIC derived its New Jersey Statewide Information Security Manual from the above frameworks.
Applicable statutory and regulatory requirements also help organizations in limiting the number of unknowns by dictating compliance with certain standards. But even with the application of cybersecurity frameworks, without standards for the management and governance of information technology, they will have limited effect on the security of an organization’s systems. IT governance and management frameworks such as the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) or the Information Technology Infrastructure Library (ITIL) when layered on top of cybersecurity frameworks help to further reduce the unknowns in the systems throughout an organization.
At a more granular level, configuration management policies and standards can help to further drive down the number of unknowns by establishing baseline configuration settings for all information assets owned, licensed, or managed by the organization. These information assets include routers, managed switches, firewalls, wireless access points, servers, workstations, embedded devices, mobile devices, etc., etc. Several very good resources for configuration baselines include the CIS Security Benchmarks, the Defense Information Security Agency’s (DISA) Security Technical Implementation Guides (STIGs), as well as vendor provided security configurations guides and tools, such as the Microsoft Security Configuration Wizard.
Regardless of the baselines you use, all information systems should be hardened to comply with applicable statutory, regulatory, contractual, and policy compliance obligations such that:
Each operating system is hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: anti-virus, file integrity monitoring, and logging as part of their baseline operating build standard or template;
Deviations from standard baseline configurations must be authorized following change management processes prior to deployment, provisioning, or use;
Unless a technical or business reason exists, standardized images should be used to represent hardened versions of the underlying operating system and the applications installed on the system. These images must be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors; and
Naming conventions for devices located on organizational networks should give no indication of the purpose or the owner of the device.
As technically feasible, organizations should employ automated mechanisms to verify standard device configurations and detect changes. This includes, but is not limited to:
Implementing and testing an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts asset custodians and security personnel when unauthorized changes occur;
Logging all alterations to such files and automatically reporting deviations to security personnel;
Detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system; and
Devising a list of authorized software and version that is required for each technology platform, including servers, workstations, and laptops of various kinds and uses.
To further limit the number of unknowns, organizations should adhere to the “principle of least functionality” when configuring systems to provide only essential capabilities and specifically prohibit or restrict the use of the following functions, ports, protocols, and/or services. Doing so includes, but is not limited to:
Identifying and removing insecure services, protocols, and ports;
Enabling only necessary and secure services, protocols, and daemons, as required for the function of the system;
Implementing security features for any required services, protocols or daemons that are considered to be insecure (e.g., NetBIOS, Telnet, FTP, etc.);
Verifying services, protocols, and ports are documented and properly implemented by examining firewall and router configuration settings; and
Removing all unnecessary functionality, such as:
File systems; and
Unnecessary web services.
Cybersecurity is a hard-enough problem to solve without unnecessarily introducing complexity. The application of best practices, standards, and benchmarks is effective in reducing complexity and helps to answer Schneier’s plea for simplicity.