Chapter 3: Security

Overview

Security is a core aspect of Service Management in today's business world. It is a protective barrier that keeps the business operating in a safe, productive environment. Security insulates infrastructure and provides reliability and credibility to the business. Windows Vista technology offers an organization many new and enhanced security features.

Scenario...

Linda approaches Kevin Cook, Woodgrove's Security Manager, to provide support for the Windows Vista deployment. Kevin discusses this with his Security Advisory committee, stating that this Windows Vista desktop deployment should initially be viewed like any other IT project: as an ongoing process of analysis and adjustment with regard to people, process, and technology. Kevin outlines the scope of the project to his team: 1) Build security into the multiple user profiles; 2) Establish data migration procedures.

Kevin and his team identify several security challenges that Windows Vista security technologies will address:

  • A user is tricked into downloading malware from the Web.
  • Installation of non-standard software violates system integrity.
  • AutoPlay attempts to run malware automatically from a removable drive.
  • An offline attack method is used to view confidential data on a stolen laptop.

Kevin explains to his team that the solutions they come up with must incorporate administrative controls, technical controls, and physical controls while meeting functional requirements.

Classifying IT controls into general categories helps identify the nature of the control while establishing the likely approach to monitoring, testing, and assessing the design and operating effectiveness of the control:

  • Administrative controls. Standards, policies, and procedures, as well as ancillary controls such as communications and awareness training programs. Examples include:
    • Information Classification Policy. Ensures classification of information and rights of access at each level.
    • Business Continuance Policy. Ensures that all aspects of the business are considered in the event of a disruption or disaster.
    • Change management process. Ensures that changes to the IT environment are applied in the correct manner.
  • Technical controls. Access controls, encryption mechanisms, and other technologies used to protect logical information assets from unauthorized use. Examples include:
    • Microsoft BitLocker drive encryption
    • Encrypting File System (EFS)
    • User Account Control (UAC)
    • Access Control Lists (ACL)
    • Password-protected screen savers, which limit what someone with physical access to an unattended, logged-on computer can do.
  • Physical controls. Controls that protect the physical devices on which the information is stored or transmitted. Examples include:
    • Security cables on computers inhibit unauthorized removal of equipment.
    • Locks on doors and windows help control physical access to devices.
    • Uninterruptible Power Supply (UPS) units are available to sustain business activity on computers during a power outage.
    • Data and the OS are backed up and recoverable to a remote location for business continuance.

Scenario...

Kevin considers the duty cycle of the laptop computer, from OFF to ON to OFF, and evaluates the use and impact of different Windows Vista features and the business and security requirements at each phase of the cycle. First, he reads the Windows Vista Security Guide to understand and evaluate its recommendations for protecting Windows Vista computers. By using the Windows Vista BitLocker and EFS technologies, Kevin plans to achieve the level of security required for the Financial Analysts' laptops. He takes time to talk with other IT professionals as well as business users to understand the risks and costs involved in applying or not applying the technology. He determines how these issues can be addressed using BitLocker and EFS through the Information Classification Policy, as well as the other technical and physical controls required by his company's security policy. He organizes his understanding according to the duty cycle phases illustrated in Figure 3.1.

Figure 3.1. Windows Vista security throughout the laptop duty cycle

By focusing on Windows Vista data protection and security features, an IT professional will be able to define a controlled desktop environment. The following Windows Vista data protection features can aid in securing a mobile computer environment:

  • BitLocker drive encryption. Helps protect the operating system and the data on the system volume in two ways. First, BitLocker can validate that critical components of the operating system have not been tampered with prior to startup. This is done in conjunction with a Trusted Platform Module (TPM 1.2) that is installed on the system board of the computer. In addition, BitLocker can encrypt the system volume, protecting the data on that volume from being read by unauthorized individuals. The BitLocker encryption keys can be stored using the TPM, the TPM plus a PIN, a USB device alone, or a TPM combined with a USB device.

  • Encrypting File System (EFS). EFS is integrated into the NTFS file system and encrypts individual files and folders to help protect data. Encryption is transparent to authorized users, who open and work with encrypted files like any other file, while other users are denied access.

    Risk assessment. EFS can help mitigate data theft or compromise due to lost or stolen mobile computers or due to exposure by an insider. Its protection covers only the files and folders marked for encryption and is only as strong as the credentials that protect the user's EFS key, so on a laptop it complements BitLocker rather than replacing it.

  • Rights Management Services (RMS). RMS helps protect sensitive e-mail, documents, and Web content through a mix of security and usage policy enforcement.

    Risk assessment. RMS can help mitigate the risk of unauthorized personnel being able to view sensitive information.
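The following Windows PowerShell script is an added example, not code from the original page or from Woodgrove's build: it checks the state of the two data protection controls above, BitLocker and EFS, through the WMI classes Windows Vista exposes for them (Win32_Tpm, Win32_EncryptableVolume) and the NTFS Encrypted file attribute. It must run from an elevated prompt, because the BitLocker WMI provider requires administrator rights. The folder in $EfsCheckPath and the protector policy enforced for the OS volume (a TPM-based protector plus a recovery password) are assumptions chosen for the illustration.

```powershell
# Added example, not from the original page: verifies BitLocker and EFS state
# using the WMI classes Windows Vista ships for them. Run elevated.
# $EfsCheckPath is an assumed folder chosen for the illustration.

$EfsCheckPath = 'C:\Users\Public\Documents\Analyst'    # assumption

# ---- 1. TPM readiness: required for any TPM-based BitLocker protector ----
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    Write-Output 'TPM: none present; only the USB startup-key mode is possible.'
} else {
    $tpmState = 'TPM {0}: Enabled={1} Activated={2} Owned={3}' -f $tpm.SpecVersion, $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
    Write-Output $tpmState
}

# ---- 2. BitLocker: protection status and key protectors of every volume ----
# KeyProtectorType values returned by Win32_EncryptableVolume.GetKeyProtectorType()
$ProtectorName = @{ 1 = 'TPM'; 2 = 'USB startup key'; 3 = 'Recovery password'
                    4 = 'TPM + PIN'; 5 = 'TPM + USB startup key'; 7 = 'Public key'; 8 = 'Passphrase' }
$StatusName    = @{ 0 = 'UNPROTECTED'; 1 = 'Protected'; 2 = 'Unknown' }

$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume
foreach ($vol in $volumes) {
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus      # 0 off, 1 on, 2 unknown
    $ids    = $vol.GetKeyProtectors(0).VolumeKeyProtectorID         # 0 = every protector type
    $types  = @()
    if ($ids) { foreach ($id in $ids) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType } }
    $names  = @($types | ForEach-Object { if ($ProtectorName.ContainsKey($_)) { $ProtectorName[$_] } else { "type $_" } })
    Write-Output ('Volume {0}: {1}; protectors: {2}' -f $vol.DriveLetter, $StatusName[$status], [string]::Join(', ', [string[]]$names))

    # Assumed policy for the analysts' laptops: the OS volume needs a TPM-based
    # protector (startup integrity validation) and a recovery password (escrowed
    # in AD, so a TPM or firmware change does not lock the user out).
    if ($vol.DriveLetter -eq $env:SystemDrive) {
        $hasTpmProtector = ($types -contains 1) -or ($types -contains 4) -or ($types -contains 5)
        if ($status -ne 1)             { Write-Warning 'OS volume is not protected by BitLocker.' }
        if (-not $hasTpmProtector)     { Write-Warning 'OS volume has no TPM-based protector; startup integrity is not validated.' }
        if (-not ($types -contains 3)) { Write-Warning 'OS volume has no recovery password; a TPM or firmware change would lock it out.' }
    }
}

# ---- 3. EFS: the folder and every file in it should carry the Encrypted attribute ----
if (Test-Path $EfsCheckPath) {
    $enc = [System.IO.FileAttributes]::Encrypted
    $folderEncrypted = ([System.IO.File]::GetAttributes($EfsCheckPath) -band $enc) -eq $enc
    Write-Output ('EFS: folder {0} encrypted={1}' -f $EfsCheckPath, $folderEncrypted)
    $plain = @(Get-ChildItem -Path $EfsCheckPath -Recurse -Force |
               Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $enc) -ne $enc) })
    foreach ($f in $plain) { Write-Warning ('EFS: unencrypted file {0}' -f $f.FullName) }
} else {
    Write-Output ('EFS: {0} does not exist on this computer.' -f $EfsCheckPath)
}
```

The two checks answer different questions, which is why Table 3.1 lists both technologies for laptop data protection: BitLocker covers the whole operating system volume, including the paging and hibernation files, while EFS covers only files that carry the Encrypted attribute, so a folder that is marked for encryption but contains unencrypted files (copied in before the attribute was set, for example) is a gap this script reports.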

Table 3.1. Data Protection Technology Comparison in Windows Vista

Scenario                                       BitLocker  EFS  RMS  Physical Control
Laptop data protection                             X       X               X
Local single-user file and folder protection       X       X
Desktop data protection                            X       X               X
Shared computer file and folder protection                 X
Remote file and folder protection                          X
Untrusted network administrator protection                 X
Remote document policy enforcement                              X
Protect content in transit                                      X
Protect content during collaboration                            X
Protect against data theft                                                 X

Windows Vista security features that provide enhanced defense against malware:

User Account Control (UAC). The main goal of UAC is to reduce the exposure and attack surface of the operating system by having all users, including administrators, run with standard user privileges by default; only tasks that require administrator access prompt for elevation. UAC thus separates standard user privileges and tasks from those that require administrator access.

For more information, see "Windows Vista: User Account Control" at https://technet.microsoft.com/en-us/windowsvista/aa905108.aspx.

Windows Firewall. Now includes both inbound and outbound filtering to help protect users; outbound rules can restrict programs and services to the network behavior they are expected to have. The firewall starts automatically and is integrated with Windows Vista network awareness, so that different rules can be applied depending on the location of the client computer. For example, when a laptop is connected to the organization's network, the administrator of the domain environment can define firewall rules that match the security requirements of that network. When the user connects the same laptop to the Internet via a public network, such as a free wireless hotspot, a different and stricter set of firewall rules can be applied automatically to help protect the computer from attack.

For more information, see "Windows Firewall" at https://www.microsoft.com/technet/network/wf/default.mspx.
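As an added example, not taken from the original page or from Woodgrove's configuration, the following commands give one laptop two different rule sets through the network-location profiles just described. They use netsh advfirewall, the command-line interface to Windows Firewall with Advanced Security in Windows Vista, typed from an elevated Windows PowerShell prompt. The rule names, subnet, port and program path are assumptions made for the illustration.

```powershell
# Added example, not from the original page: per-profile Windows Firewall rules
# via netsh advfirewall. Run elevated. Rule names, subnet, port and program
# path below are assumptions for the illustration.

# 1. Baseline for every profile: firewall on, inbound blocked unless a rule allows it,
#    outbound allowed unless a rule blocks it (the Vista defaults, stated explicitly).
#    The policy value is quoted so PowerShell does not split it at the comma.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 2. Public profile (hotspot): block inbound traffic even where a local rule would allow it.
netsh advfirewall set publicprofile firewallpolicy "blockinboundalways,allowoutbound"

# 3. Domain profile only: let the help desk subnet reach Remote Desktop.
#    The rule carries profile=domain, so it is never evaluated on a public network.
netsh advfirewall firewall add rule name=Woodgrove-RDP-Domain dir=in action=allow protocol=TCP localport=3389 remoteip=10.1.50.0/24 profile=domain

# 4. Outbound filtering: keep an internal sync client (assumed path) off public networks.
netsh advfirewall firewall add rule name=Woodgrove-Block-Sync-Public dir=out action=block program=C:\Tools\wgsync.exe profile=public

# 5. Verify which profile is active right now and what each profile enforces.
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=Woodgrove-RDP-Domain
```

Step 5 is the check that matters after a change: the profile the firewall applies is chosen by network awareness, so a laptop that cannot reach a domain controller (for example, over a hotspot) lands in the public profile and the Remote Desktop rule is not in effect there. For a fleet, the same domain-profile rules are delivered through Group Policy (Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security) rather than typed per machine.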

Windows Vista Defender. Protects against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It performs real-time monitoring of important Windows Vista locations where malware may install itself, such as the Startup folder and the autorun registry entries.

To offer the best protection against malicious software, Microsoft strongly recommends that customers also deploy a full antivirus solution in conjunction with Windows Defender.

For more information, see "Windows Defender" at https://technet.microsoft.com/en-us/windowsvista/aa905112.aspx.

Windows Vista Security Center (WSC). WSC runs automatically in Windows Vista as a background process that checks and displays the status of the firewall, automatic updates, malware protection, and other security settings. It is the computer's central hub of security information and constantly checks and displays the status of four important security categories:

  • Firewall
  • Automatic updates
  • Malware protection
  • Other security settings. For client computers running Windows Vista, WSC provides direct links to vendors that can be used to remediate problems that may arise on the computer. For example, if a third-party antivirus or anti-spyware solution is turned off or is out of date, WSC provides a button that the user can click to launch a vendor solution on the computer to correct the problem.

For more information, see “Windows Vista Security Center” at https://www.microsoft.com/windows/products/windowsvista/features/details/securitycenter.mspx.
Note: WSC provides links to the vendor Web site that the user can use to activate or renew a subscription or obtain updates. Knowing when security software is turned off or out of date, and being able to download updates easily, is key to maintaining a virus-free environment.
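The script below is an added example, not part of the original page or of any Microsoft tool: a read-only posture check in Windows PowerShell that covers the three defenses described above. Part 1 reads the UAC policy values and shows which token the current session holds; part 2 lists the autorun locations Windows Defender monitors in real time (the Run and RunOnce keys and the Startup folders), so they can be compared against a known-good baseline; part 3 asks Windows Security Center, through its root\SecurityCenter2 WMI namespace, which antivirus, anti-spyware and firewall products are registered. The decoding of productState in part 3 follows an undocumented but widely used convention and is marked as an assumption. Nothing on the system is changed.

```powershell
# Added example, not from the original page: read-only check of UAC, the
# autorun locations Windows Defender watches, and the products registered
# with Windows Security Center. productState decoding is an assumption.

# ---- Part 1: UAC policy and the token of the current session ----
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# EnableLUA 1 = UAC on. ConsentPromptBehaviorAdmin on Vista: 0 = elevate without
# prompting, 1 = prompt for credentials, 2 = prompt for consent (the default).
Write-Output ('UAC: EnableLUA={0} ConsentPromptBehaviorAdmin={1} PromptOnSecureDesktop={2}' -f $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin, $uac.PromptOnSecureDesktop)
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
# With UAC on, a member of Administrators fails this test until elevated, because
# the session runs on the filtered token that carries only standard user rights.
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Output 'Token: full administrator token (elevated).'
} else {
    Write-Output 'Token: standard user rights (filtered token, or not an administrator).'
}

# ---- Part 2: autorun locations that Windows Defender monitors ----
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }          # Wow6432Node exists on 64-bit only
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -match '^PS') { continue }       # skip PowerShell's PSPath/PSDrive metadata
        Write-Output ('autorun {0}\{1} = {2}' -f $key, $v.Name, $v.Value)
    }
}
$startupFolders = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Write-Output ('startup {0}' -f $_.FullName) }
}

# ---- Part 3: products registered with Windows Security Center ----
foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue
    if (-not $products) { Write-Output ('WSC {0}: nothing registered' -f $class); continue }
    foreach ($p in $products) {
        $hex = '{0:X6}' -f [int]$p.productState
        # Assumed (undocumented) convention: middle byte 0x10 = enabled,
        # last byte 0x00 = signatures up to date.
        $enabled  = $hex.Substring(2, 2) -eq '10'
        $upToDate = $hex.Substring(4, 2) -eq '00'
        Write-Output ('WSC {0}: {1} enabled={2} upToDate={3} (productState=0x{4})' -f $class, $p.displayName, $enabled, $upToDate, $hex)
    }
}
```

Run once on a freshly built Secure Data Profile image to record the expected autorun entries and registered products; a later run that shows a new Run value, a file in a Startup folder, or an antivirus product reporting enabled=False is exactly the condition the text describes Defender and WSC surfacing to the user, now visible to an administrator without touching the desktop.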

Windows Vista Malicious Software Removal Tool. If malicious software does infect a client computer, the Windows Vista Malicious Software Removal Tool provides a way to help remove the malware from the computer. When the tool is run, it scans the computer in the background and produces a report if it detects any infections. It runs as a stand-alone scan rather than a resident scanner, and it has no Group Policy settings in Windows Vista.

For more information, see "Windows Vista Malicious Software Removal Tool" at https://www.microsoft.com/security/malwareremove/default.mspx.

Risk assessment. The Malicious Software Removal Tool provides an additional layer of security to help detect and remove common malicious software in the following instances:

  • If the installed real-time antivirus scanner does not detect a specific instance of malware.
  • If the malware manages to disable the installed real-time antivirus scanner.


Scenario...

The Security Advisory committee works through the following steps to come up with an IT security solution for the Windows Vista deployment project. By following the steps shown in Figure 3.2, the project team can ensure that the security solution supports the objectives and key success criteria of the desktop service.

Figure 3.2. Steps for security planning, implementation, validation, and maintenance

Security Management Process

Step 1: Review Project Functional Requirements

Objective:

  • Analyze and understand the business priorities of the end users' various functional requirements.

Success Criteria:

  • A prioritized list of business requirements that will be used to allocate resources.
  • Gain contextual information for possible security and functionality trade-offs.

Frequency:

  • Initial work to interview business customer stakeholders and identify points of alignment.
  • Initial observations of end users in their workplaces.

Step 2: Baseline Security Threat Agents, Threats, Risks, and Exposures

Objective:

  • Use the organization's internal knowledge, internal guidelines, and up-to-date information on IT security from vendors' support sites to proactively determine and document likely security concerns related to each user profile and the chosen products and technologies.

Success Criteria:

  • Proactive use of organization's IT security track record.
  • Potential security threat agents, threats, and exposures are documented.

Frequency:

  • Initial effort for each project.
  • Ongoing tracking of organizational successes and challenges.
  • Regular monitoring of industry status with regards to IT security.

A Visio diagram, such as the Woodgrove Sample Security Risk Assessment included below, is a good way to document a risk assessment.

Exhibit 3.1. Sample Security Risk Assessment

Access this content as part of the WVSLM download package.

Step 3: Analyze and Prioritize Security Exposures

Objectives:

  • Gain deeper insight into the probabilities and possible business impacts of various IT security risk conditions by defining and prioritizing IT security risks to the project according to their potential impact to the business.
  • Assign ownership of security risks to the proper subject matter expert (SME).

Success Criteria:

  • Detailed, prioritized IT security risk management document that calls out top risk factors with assigned ownership.

Frequency:

  • Initial creation of documents.
  • Ongoing (weekly to bi-weekly) tracking of risk ranking/reprioritization.
  • Ongoing tracking and management by individual risk owners.

Step 4: Develop Mitigation Plans for Top Risks

Objective:

  • Create specific mitigations for the top risks by evaluating, selecting, and planning for development, testing, and implementation of people, process, and technology countermeasures.

Success Criteria:

  • Specific designs, including products and technologies, to mitigate the most likely IT security exposures have been incorporated into the project's functional specification (or design documents).
  • The security plan sets a baseline and is submitted to project management (see below in Tools and Techniques) for incorporation into the master project plan.
  • Resources for IT security risk mitigation and contingency planning have been allocated in project schedules.

Frequency:

  • After initial creation of a prioritized risk management document.
  • Each time a risk enters the top risk list during periodic review.

The process of risk identification, analysis, and ultimate mitigation can be considered as a set of related steps. By following the risk management approach in MOF, organizations can deepen their understanding of risk and develop more effective and efficient risk mitigations. For more details, see the MOF Risk Management Discipline at https://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/mofrisk.mspx.

Figure 3.3. The 6-step MOF Risk Management Discipline

Step 5: Build the Security Solution

Objective:

  • To develop and integrate the IT security solution into the overall project solution build.

Success Criteria:

  • Team creates the IT security solution in tandem with required business functionality, including infrastructure, code, release documentation, and user experience.
  • IT security solution is unit-tested and accepted by the developing team.
  • A dedicated security testing team is formed.
  • The IT security solution passes review.

Frequency:

  • Ongoing during Build phase of project.
  • This activity should cease when all functionality in scope has been built into the solution.

Step 6: Stabilize the Security Solution

Objective:

The dedicated test team validates that the solution meets security requirements or works with the build team to fix issues or create acceptable workarounds. The test team performs the following tasks:

  • Distributes internal releases to the solution team.
  • Tracks and fixes security issues until the solution meets agreed-upon quality.
  • Validates effectiveness of contingency plans for security components.
  • Approves security components for release with the solution.

Success Criteria:

  • Contingency tests are completed and contingency triggers are established.
  • Pilot test is completed.
  • Security components of the solution are tested and audited by a dedicated team. (Depending on the solution and industry, this could be a third-party review of infrastructure and code, white hat testing that attempts to defeat the safeguards, or a combination of the two.)
  • Release Management has approved deployment of the solution.

Frequency:

  • Ongoing during the stabilizing phase of the project.

Step 7: Deploy the Security Solution

Objective:

  • Deploy the security solution to the organization as part of a larger IT project solution, targeting the relevant user groups with security safeguards and countermeasures.

Success Criteria:

  • Systems are secure with minimal negative impact on necessary business functionality.
  • Project's closure documentation includes all aspects of the security solution.

Frequency:

  • At deployment completion milestone or project closure.

Step 8: Optimize Secured Desktop Service

Objective:

  • Periodically review and adjust the security solution to:
    • Meet new security threats.
    • Respond to changing business requirements.
    • Take advantage of technological advancements.

Success Criteria:

  • Security requirements and solutions are reviewed and updated as needed.

Frequency:

  • Ongoing after completion of project.

Scenario...

During Kevin's evaluation of technical solutions, he and the Infrastructure team develop a desktop profile based on BitLocker and Encrypting File System (EFS). Kevin determines that the base Enterprise Client laptop profile as defined in the Windows Vista Security Guide can be used with few modifications. Kevin and his team have now worked through a Group Policy solution that ensures client computers within an Active Directory infrastructure meet the security standards of Woodgrove Bank. Kevin works with the Infrastructure team to include these settings in the Secure Data Profile build image.

Note: The Windows Vista Security Guide identifies the security policy settings for the Enterprise Client (EC) and Specialized Security Limited Functionality (SSLF) environments and provides the recommended settings, which are applied through the guide's automated process. For more information, see the "Windows Vista Security Guide Appendix A" at https://www.microsoft.com/technet/windowsvista/security/security_group_policy_settings.mspx.

Figure 3.4. Example OU structure for computers running Windows Vista

Because the Woodgrove Bank Financial Analysts Group's computers are laptops, the Group Policy discussion focuses on the laptop organizational unit (OU). See Appendix A of the Windows Vista Security Guide for laptop OU settings.

Note: The Windows Vista Security Guide also includes an extensive discussion on Group Policy object (GPO) testing and implementation with Active Directory OUs and the Group Policy Management Console (GPMC). It is available at https://www.microsoft.com/technet/windowsvista/security/guide.mspx.

Technical Guidance

Tools and Techniques

Table 3.2 IT Security Project Plan

Tool

IT Security Project Plan

Owner

Security Manager or Project Manager

Description

This document outlines Security Management's approach to any particular IT project. Note that this is not a Gantt chart or project schedule; it resembles a business plan with sufficient background information, justifications, constraints, assumptions, and risks to enable others to understand the IT security side of the project at hand.

Input

The IT Security Project Plan is populated with input from:

  • Business customers and end users of the proposed IT solution, through interviews and observations.
  • Infrastructure, Services, and Support teams through interviews and existing records (for example, knowledge management systems).
  • External sources from technology vendors and industry security subject matter experts.


Output

The IT Security Project Plan is used by:

  • IT project management.
  • Infrastructure, Services, and Support teams.
  • Individual members of the project team who own security risks, mitigation plans, and solutions.
  • Partners who might be involved in developing or testing the project solution.

See also

Microsoft provides both technical and business support through:

Suggested content

The security project plan should be a description of how the solution will be completed. Its language and format should be such that the pertinent information is easily communicated to other members of the project team (or sponsors) who are not necessarily knowledgeable in information technology security. The plan should include the following components:

  • Justification. Who are the threat agents, what are the vulnerabilities, and what are the most likely scenarios for abuse? What are the estimated costs and benefits for the proposed solution?
  • Approach. How will the solution address security risks to confidentiality, integrity, and availability? Will it employ technology, policies, procedures, physical security, and so on, or a combination of several?
  • Quality bar. What are the quality success criteria for the project? Relevant information here would include things like the data sensitivity and strength of encryption needed to maintain its confidentiality. Individual security attributes should be discussed so as to give direction for possible specific controls.
  • References. Include RFCs, standards, and guidelines documentation, such as the Orange Book, Red Book, and Common Criteria, as well as references to existing organizational security policy and project documentation.

Much of the information in this plan flows from the data in the Security Risk Management document (below). The plan will help define conceptual, logical, and physical design definitions in the functional specification.

Table 3.3. Security Risk Management Document

Tool

Security Risk Management Document

Owner

Security Manager or Project Manager

Description

This document details the major security risks identified for the project as a whole. It should include the following:

  • Risk statement. What is the potential problem?
  • Immediate consequence(s). What will happen as soon as the condition is experienced?
  • Downstream (or business) consequence(s). Who else will be affected? How?
  • Possible root cause(s). Why is this condition happening?
  • P = Probability of exposure (using threat agents and threats to model). Based on the organization's track record or industry benchmarks, how probable is it that the condition will be experienced?
  • I = Impact of experiencing the risk as an actual issue, that is, when P = 100 percent. What will the degree of damage or loss be? Impact can use any useful scale but should be measured consistently across all project risks. Possible approaches are impact to the project (cost overruns, schedules, and so on), monetary impact to the business (lost revenues, lower margins, loss of brand), and others. The key is to use one scale consistently for a particular project and to do some kind of normalization when retiring risks to an organizational knowledge base.
  • E = Exposure (E = P x I). Multiply these values to get a consistent scale for prioritizing the project's security risks.
  • Mitigation plans. What could one do to either lower the probability of occurrence or the degree of impact?
  • Mitigation trigger. At what point or after what event will it be worthwhile expending resources to mitigate this potential risk?
  • Contingency plans. If this security risk becomes an outright issue, what can be done to limit the resulting damage?
  • Contingency trigger. When should the contingency plan (potentially a serious effort to cut losses) be initiated?
  • Owner. Who is responsible for the ongoing monitoring of this risk, including the assessment of its probability and impact and the creation of mitigation and contingency plans, if required?

Input

The Security Risk Management document is populated with input from:

  • Infrastructure, Services, and Support teams through interviews and existing records (knowledge management systems, and so on).
  • External sources from technology vendors and industry security subject matter experts.

Output

The Security Risk Management document is used by:

  • IT project management.
  • Infrastructure, Services, and Support teams.
  • Release Management.
  • Individual members of the project team who own security risks, mitigation plans, and solutions.
  • Partners who might be involved in developing or testing the project solution.