Follow Established Best Practices
Use these proven strategies to prevent threats to your organization's systems from turning into attacks.
by Geir Olsen
May 2003 Issue
For This Solution: .NET Framework, IIS Lockdown Tool, Microsoft Baseline Security Analyzer
Securing your enterprise is about understanding all threats you face and taking the necessary steps to mitigate them. This work is never complete because new threats surface all the time and your systems are in constant flux. The work you must do falls into the categories of information gathering, analysis, design, education, planning, implementation, enforcement, reporting, and logistics. You can take advantage of substantial work that others have done already in all these categories. This column examines a set of established best practices you can follow to enhance the security of your enterprise information systems. Investing time and effort in prevention can keep you from becoming a victim.
A key component of information gathering is threat modeling. Threat modeling involves defining all the potential violators of your systems, be they insiders or outsiders. Understanding who these people are helps you understand how they can attack or violate your systems, which in turn helps you focus on closing the right doors. Threat modeling also involves developing and prioritizing a comprehensive list of threats. Threat-modeling a software system in development differs significantly in some ways from threat-modeling applications deployed in your production environment already, but it's similar in other ways. When you model a system already in deployment, having an asset map in place helps tremendously. An asset map, which I'll discuss in more detail later, is a list of all assets in need of protection—everything from your physical machines to specific pieces of information stored in a database.
Michael Howard and David LeBlanc's STRIDE model can help you find the threats and the vulnerabilities in your code and in your infrastructure (see Resources). STRIDE stands for the major categories of threats you face: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. Spoofing is pretending to be someone (or something) you're not; tampering means changing data or code you aren't authorized to change; repudiation means a user can deny having performed an action because you can't prove otherwise, which is exactly what an attacker achieves by altering log files to cover his tracks; information disclosure means gaining access to information you're not supposed to see; denial of service means doing something to a system that makes it unavailable to legitimate users; and elevation of privilege means gaining rights or access beyond those your account was granted, such as an ordinary user obtaining administrator privileges.
Using the STRIDE categories to identify threats and vulnerabilities has proven to work well, whether you're studying source code, activity diagrams, or deployment diagrams. Make sure you list all possible threats, even those you think initially aren't that important. The study of "insignificant" threats often leads to the discovery of more substantial ones. Once you have a list of your threats, use Howard and LeBlanc's DREAD categories to rank them: Damage potential (How much damage could the attack do?), Reproducibility (How reliably can the attack be repeated?), Exploitability (How little effort and skill does it take to carry out the attack?), Affected users (How many users would be affected?), and Discoverability (How easy is it for an attacker to find the vulnerability?). Rate each category from 1 (low risk) to 10 (high risk), so that a higher number always means a worse threat, and average the five ratings to arrive at a DREAD number for the threat. The DREAD number is a device for sorting your list, not a precise measure; two reviewers rarely score a threat identically, so score as a group and record why you chose each rating.
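As an added example of the ranking step (my code, not the author's, and not from the STRIDE/DREAD material it cites), the following Python script holds each threat with its STRIDE category and its five DREAD ratings, rejects ratings outside 1 to 10 before they can skew the result, computes the DREAD number as the average the column describes, and sorts the list so the highest-scoring threats come first. The three sample threats and their scores are constructed for illustration; the scores are not taken from the column.

```python
from dataclasses import dataclass
from typing import List

# STRIDE categories from the column, keyed by their letter
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# The five DREAD ratings, each scored 1 (low) to 10 (high)
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass
class Threat:
    title: str
    stride: str            # one STRIDE letter
    damage: int            # Damage potential
    reproducibility: int   # How reliably the attack can be repeated
    exploitability: int    # How little effort and skill the attack needs
    affected_users: int    # How many users are affected
    discoverability: int   # How easy the vulnerability is to find

    def __post_init__(self) -> None:
        # Reject entries that would silently skew the ranking
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for name in DREAD_FIELDS:
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1..10, got {value}")

    def dread(self) -> float:
        """DREAD number: the average of the five ratings, as the column defines it."""
        return sum(getattr(self, f) for f in DREAD_FIELDS) / len(DREAD_FIELDS)


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD number first; ties go to the larger damage potential."""
    return sorted(threats, key=lambda t: (-t.dread(), -t.damage, t.title))


def report(threats: List[Threat]) -> List[str]:
    """One line per threat, in ranked order, for the review meeting."""
    return [f"{t.dread():4.1f}  {STRIDE[t.stride]:<24} {t.title}"
            for t in rank_threats(threats)]


# Constructed sample threats (illustrative scores, not from the column)
SAMPLE = [
    Threat("Employee desktop modem running RRAS exposes the LAN", "E", 9, 8, 7, 10, 4),
    Threat("Audit log writable by the web application account", "R", 6, 9, 6, 5, 3),
    Threat("Error page leaks the database connection string", "I", 7, 10, 9, 8, 8),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it and the connection-string leak (8.4) sorts above the modem back door (7.6) and the writable audit log (5.8). The validation in `__post_init__` matters more than it looks: a single rating typed as 0 or 100 in a spreadsheet moves a threat several places, and nobody notices until the list is already being used to allocate fixing time.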
Maintain Deployment Diagrams
Make sure you keep accurate deployment diagrams on hand. They can help you understand your IT infrastructure from the perspective of potential threats. Ensure that all "doors" to the external world are documented, and don't allow the use of software and hardware that can create back doors to your networks. All a violator needs is a modem and Windows Routing and Remote Access Service (RAS) or a third-party remote-access application. This threat, which can be extremely difficult to discover, is often underestimated.
Say you have an employee with a modem on the PC he uses at work. The user discovers he can gain easy access from home or the road to his desktop PC by installing Routing and Remote Access, pcAnywhere, or another remote-access application. Some of these packages also allow access to the entire corporate LAN, so the modem becomes a dial-in door that bypasses your firewall entirely. The employee might simply be looking for a more convenient way to get work done, or he might be disgruntled. View each PC with a modem as a potential threat, and set up routines to probe these machines for software or services that can open up back doors to your network.
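The column recommends routines that probe modem-equipped PCs for back-door services but does not show one. As an added example (my code, not the author's), the following Python script parses the output of Windows' `sc query state= all` and flags installed services that answer remote connections. Only the `RemoteAccess` service name (Routing and Remote Access) is certain; the pcAnywhere, VNC and Terminal Services entries in the watch list are assumptions that you should check against your own software inventory. The sample `sc query` excerpt is constructed.

```python
import subprocess
from typing import Dict, List, Optional

# Service names (case-insensitive) that open a remote-access door.
# "RemoteAccess" is the service name of Windows Routing and Remote Access;
# the remaining entries are assumptions about third-party tools and
# Terminal Services and should be checked against your own inventory.
WATCH_LIST: Dict[str, str] = {
    "remoteaccess": "Routing and Remote Access (dial-in/VPN server)",
    "awhost32": "pcAnywhere host",
    "winvnc": "VNC server",
    "termservice": "Terminal Services / Remote Desktop",
}


def parse_sc_query(text: str) -> List[Dict[str, str]]:
    """Turn `sc query` output into records of name, display name and state."""
    services: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"name": line.split(":", 1)[1].strip(), "display": "", "state": ""}
            services.append(current)
        elif current is None:
            continue                      # header noise before the first record
        elif line.startswith("DISPLAY_NAME:"):
            current["display"] = line.split(":", 1)[1].strip()
        elif line.startswith("STATE"):
            # e.g. "STATE              : 4  RUNNING" -> "RUNNING"
            current["state"] = line.split(":", 1)[1].split()[-1]
    return services


def find_back_doors(text: str, watch: Dict[str, str] = WATCH_LIST) -> List[Dict[str, str]]:
    """Flag every installed watch-list service, running or not: a stopped
    pcAnywhere host is one `net start` away from answering the modem."""
    hits = []
    for svc in parse_sc_query(text):
        why = watch.get(svc["name"].lower())
        if why:
            hits.append({**svc, "why": why})
    return hits


def collect_sc_query(host: Optional[str] = None) -> str:
    """Run the real query, locally or against a remote machine (needs admin
    rights on the target and the Service Control Manager reachable over RPC)."""
    cmd = ["sc"] + ([f"\\\\{host}"] if host else []) + ["query", "state=", "all"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed `sc query state= all` excerpt: an RRAS server running and a
# pcAnywhere host installed but stopped, beside an ordinary service.
SAMPLE_OUTPUT = """\
SERVICE_NAME: RemoteAccess
DISPLAY_NAME: Routing and Remote Access
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: awhost32
DISPLAY_NAME: pcAnywhere Host Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
"""

if __name__ == "__main__":
    for hit in find_back_doors(SAMPLE_OUTPUT):
        print(f"{hit['name']:<14} {hit['state']:<8} {hit['why']}")
```

Note what a LAN port scan would miss here: a dial-in RRAS server answers on the telephone line, not on the network interface, so sweeping TCP ports from the LAN shows nothing. Inventory the host itself (the services above, and the installed modems through the WMI class `Win32_POTSModem`), and for the phone lines you pay for, periodically dial your own number ranges the way an attacker would.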