Worksheet 4.27 Business Worksheet for Secure Software. Business Worksheet for Secure Software IMPACT ANALYSIS ID BEFORE PLAN PERCENT IMPROVEMENT NEW VALUE Quality Management worksheet completed for this element/template? (check box)  Employees Introduce security as a fundamental "mission" for software developers. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Cross-train developers, to the next level of detail, on security concerns raised in our worksheets. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Work with developers to make security a regular part of all documentation. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Schedule regular security review meetings. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Build time into schedules for security. Reward developers for thinking about security and for introducing well thought-out security features. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Customers Work with customers to understand their security requirements and document them. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ How are you designing and developing software to better address customer security requirements and expectations? ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ 292 Chapter 4 Worksheet 4.27 Business Worksheet for Secure Software. (continued) Owners Providers of chronically insecure software will increasingly be held responsible. Communicate this to owners. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Companies that are perceived as providing insecure software, products, or services will be hurt. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Introduce a top-down management philosophy reflecting the importance of public perception relating to product security. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Suppliers and Partners Develop policies and procedures to hold suppliers and partners responsible for providing insecure products and services. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ If you bundle software with a partner and its software is insecure, yours is too. Drive partners to security quality. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Information Write specific/focused security requirements for all high-impact information of any kind you manage with your software. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Infrastructure Develop a plan and customer configuration guidance for protecting likely high-impact infrastructure with your software. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ The Remaining Core and Wrap-up Elements 293 BUSINESSPEOPLE: OWNERS Assure them that security is addressed in the software development process. Despite the liability disclaimers, both written and implicit, that are delivered with software, distributors of chronically insecure software will increasingly be held accountable.We have already seen dramatic inroads made in various markets, fueled by the perception that one software product is more secure than another. In the past, owners were more concerned with features, price, and schedule (the same prior- ities as their customers); they are now concerned with security. From the perspective of the owner, if security is not introduced into the software development process, the damage to the business may have no bounds. If your organization sells software to others, introduce security quality and security-related features to the product sales pitch. BUSINESSPEOPLE: SUPPLIERS Refuse to accept poor security. Companies that supply you with chroni- cally insecure software need to be either replaced or driven, using the methods described in these guidelines, to produce quality security. (This topic is covered in the Quality Management worksheets.) BUSINESSPEOPLE: PARTNERS Introduce requirements for any software development/bundling efforts your organization engages in. If you partner with a company and bundle its software with yours, you become “one” with that company’s security strategy. This means that if its software is insecure, the customer will not differentiate between your partner’s software and yours. BUSINESS: INFORMATION Associate specific security requirements with information elements (a private key, username/password credential of some kind). Information touched by your application in any way (configuration, customer/user information, programming variables) should have a notion of security requirements associated with it. This is not to suggest that you take this to the point of absurdity, as in write a security specification for every variable used by a software developer. Instead, make sure the developers think about what information they place into a variable and how it is managed and made accessible to a hacker. Without the notion of security in the develop- ment process, it’s difficult to predict the shortcuts people will take. Another example is storing a username/password pair persistently in memory rather than retrieving it, doing whatever check is needed, then immediately wiping it from memory. In each of these examples, there are information elements (a private key, username/password credential of some kind), and there are specific security requirements that should be associated with them. 294 Chapter 4 Selling Security Use Worksheet 4.28 here. EXECUTIVES Simulate a vulnerability, based on risk assessment. Simulate a vulnera- bility and parameterize the costs to the organization in terms of public perception, effect on business (different groups reprioritizing, losing time), and, most important, impact on customers. If you supply software to others, simulate a widespread, highly publicized vulnerability; if you supply software to your own organization, show how impact is reduced as you phase in a secure software design and development process. Because secure software design and development may add time to development schedules and cost, your sell will be complicated, but as noted earlier, times are changing and some of the selling difficulties are being solved for you. MIDDLE MANAGEMENT Relate the business impact of vulnerabilities discovered in core opera- tional software. Work to convince them that your objective is to reduce this impact—reduce this risk and overhead. Be as specific as you can about business process workflow impact. Prepare them to accept poten- tially longer delays in getting the features they are after, assuring them that the reduced impact is well worth it. BUSINESS: INFRASTRUCTURE Prioritize vulnerabilities as accurately as possible. Insecure soft- ware is a threat to all infrastructure. While you can argue that a vul- nerability in a word processor may be less significant than one in a directory server, when thinking about the myriad deployment and attack scenarios, the conclusion is that it’s difficult to predict exactly what will happen. Vulnerabilities can spread like the plague. Never- theless, the reality is that you often need to prioritize your secure software review for existing deployments. The prioritization would follow the parameters of your impact analysis, as discussed in Chapter 2, and would attempt to estimate the cost of the security review, any rewrites, or new vendors required to meet secure soft- ware objectives. The Remaining Core and Wrap-up Elements 295 Worksheet 4.28 Selling Security Worksheet for Secure Software. Selling Security Worksheet for Secure Software IMPACT ANALYSIS ID BEFORE PLAN PERCENT IMPROVEMENT NEW VALUE Executive The risk of public perception relating to insecure software you develop or deploy is very high. Demonstrate this. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ The impact on customers affected by your security holes can be very high. Provide an example of customer costs. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Show how a streamlined secure software process may improve customer satisfaction and increase market share. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Show how your secure software plan reduces the potential impact on the organization. Show costs including schedule impact. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Middle Management Highlight how insecure software impacts the workflow process, be it product support, development, or operations. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Show the cumulative costs of responding to security problems, both internally and for the customer. Compare to your planned costs. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ 296 Chapter 4 Worksheet 4.28 Selling Security Worksheet for Secure Software. (continued) STAFF Use your impact analysis to sell them. Staff members involved in devel- opment have their own view on all of this. Staff impacted by insecure software will understand the risks and can be sold, using your impact analysis translated into day-to-day terms, on the increased costs associ- ated with developing or acquiring securely developed software—fewer features, more time in development. Secure Time Services Summary As discussed in Chapter 2 and throughout the preceding security elements, time has more to do with security than you might first think. It’s routinely leveraged up and down the security stack, and sophisticated hackers often attack it first as a means to undermine your security and to better cover their tracks. Intrusion-detection systems may rely on time as well to detect certain attack signatures. Work with middle management and executives to build a bridge of understanding around schedule impact and benefits. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Staff Sell staff on security by showing that management cares about it. Show how you add time and resources for security. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Build a security training, awareness, and reward process, as discussed earlier in the Business worksheet. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ The Remaining Core and Wrap-up Elements 297 Figure 4.8 Secure time services. Security Stack Use Worksheet 4.29 here. PHYSICAL Assess time security on systems used for building access control. These systems can make use of time as a means for logging movement from one room to the next, so you need to consider how time is secured on them, as well as how they are administered. Your incident response team may need to rely on these logs, and if the recorded time is not reliable, then their effort will be impeded. Introduce diversity. Time servers used throughout the security stack, where time is centralized and delivered electronically to core system components, should be physically secured, diverse, and redundant. NETWORK Institute a common, consistent, and secure time reference. Network components routinely rely on time for system logging, access control, and authentication. For example, VPNs based on IPSec can use a PKI for authentication. PKIs are very dependent on secure time because digital certificates are valid for certain time periods only. Therefore, validating a digital certificate requires a common, consistent, and secure time refer- ence. Also, authentication protocols, such as Kerberos, implementable at the network, application, and operating system levels, fail completely or can otherwise be compromised if your time services are hacked or brought down. Diversity, redundancy, and isolation Fundamentals Secure software Incident response See also: 298 Chapter 4 Worksheet 4.29 Security Stack Worksheet for Secure Time. (continues) Security Stack Worksheet for Secure Time IMPACT ANALYSIS ID BEFORE PLAN PERCENT IMPROVEMENT NEW VALUE Quality Management worksheet completed for this element/template? (check box)  Physical Determine how your building access control systems may make use of time. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Identify other physical security-sensitive systems that make use of time. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Assess the reliability and strength of physical time sources. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Develop administrator policies and procedures that place importance on reliability and securely maintaining time sources. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Network Identify network components that rely on time for security-related services such as logging (e.g., time stamps in logs), access, and authentication. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ For all authentication mechanisms used by network components, identify reliance on time. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Develop a plan to maintain time reliably and securely for all security-sensitive network components and related services. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ The Remaining Core and Wrap-up Elements 299 Worksheet 4.29 Security Stack Worksheet for Secure Time. (continued) Obtain secure versions of protocols. Time is distributed across the net- work using protocols such as the Network Time Protocol (NTP). NTP alone is not a sufficiently secure method of delivering sensitive time. Secure versions of NTP are available, as are other more secure time dis- tribution mechanisms. Application Perform a complete audit to assess how high-impact applications use time in your organization. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ For each application leveraging time, determine the security and reliability of the time source. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Develop a plan to maintain time reliably and securely for all high-impact applications. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Operating System Determine how time is managed in your operating system. Assess the reliability and security of time sources. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Identify specific operating system functions such as logging and authentication that make use of time. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Develop a plan to ensure the security and reliability of time mechanisms used within your operating system. ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ 300 Chapter 4 APPLICATION Identify any applications that may benefit from secure time-stamping technology. Financial applications, for example, make use of time, as in recording the time of a transaction. Nonrepudiation-based applica- tions use time to record the moment an event occurred and was autho- rized (similar to signing and dating a contract). Because some applications rely on time as an important part of their functionality (e.g., an application that manages stock market transactions), their source of time and associated time distribution protocol should be secured. OPERATING SYSTEM Monitor how time is set and maintained. It’s of paramount importance that time be set and maintained securely in operating systems because time typically starts there and is propagated outward. The operating system itself also makes use of time for logging, authentication, access control, and housekeeping, such as the last time a file was modified (a favorite item for a hacker to modify). See the preceding text on Network, relating to protocols such as NTP: Typically, protocols such as this one are used to set the time in your operating system. Life-Cycle Management Use Worksheet 4.30 here. TECHNOLOGY SELECTION Choose technology that derives time consistently. For example, choose an atomic clock or one that derives time from a satellite signal or uses some other time-derivation technology. Organizations that instead pre- fer to rely on clocks built into computers today (that is, clocks on the computer’s motherboard), must face the fact that such clocks are sur- prisingly inaccurate. Make your time source and distribution method diverse and redundant. Then, if it fails, you will be able to fall back to another reliable time source. Synchronize time across your stack. The manner in which time is shared and synchronized up and down the security stack is key. From an inci- dent response standpoint, if you must correlate multiple suspicious events occurring at multiple levels of your security stack (for example, an event recording room access with another showing access to a sensi- tive application), then you must synchronize time across your stack. Too few organizations think about such things—for example, how many synchronize the time reference on their building access systems with their corporate authentication servers? The Remaining Core and Wrap-up Elements 301 [...]... Staff management demands considerable cross-organizational training; consequently, in most organizations, access to systems and facilities is managed in an ad hoc fashion That is, when an employee joins the company, typically he or she must contact a large, disjointed set of individuals to get user accounts for different systems, badges, and so forth Similarly, when an employee leaves, often no clean,... your managed security service provider, allowing you to set individual and shared responsibilities and expectations N OT E The Quality Management worksheet provides particular value for managed security, especially as it relates to performance metrics such as incident response Managed security providers can be a big help It’s not possible, though, for them to handle every single aspect of your security, ... Address the reliability and security of any remote managed security provider access mechanism such as IPSec Worksheet 4.42 Managed (Outsourced) Security Worksheet The Remaining Core and Wrap-up Elements Performance Review your security plan and work to address any areas where your security implementation... for 24 hours based on default SSL/TLS parameters If the user revisits your Web site again within 24 hours, there is no need for another server authentication event After 24 hours, if the user visits again, another digital signing server authentication event must occur For performance on Web servers running SSL, this handshake incurs a far greater performance impact than the standard encryption performed... Worksheet 4. 38 Administration and Maintenance Worksheet The Remaining Core and Wrap-up Elements Laws and Regulations Laws and regulations can drive your security plan in many of the areas we’ve previously studied Examples include recordkeeping, such as providing proof of events and transactions, the requirement to conform to laws regarding encryption usage and export, certain open standards required... activity has taken place—say, because the employee was terminated for violating company policies The Remaining Core and Wrap-up Elements Life-Cycle Management Use Worksheet 4.34 here TECHNOLOGY SELECTION Investigate human resource information systems For larger organizations, human resource information systems (HRIS) are increasingly becoming a single point of management for certain elements of security. .. fair to say that they take it for granted and assume you will do so BUSINESSPEOPLE: SUPPLIERS As for customers, explain how your staff management policies and procedures relate to them Suppliers and partners should be concerned with staff changes only when they are directly affected, meaning when people they routinely interact with are no longer with your organization In such a case, notify them BUSINESSPEOPLE:... interoperability and standards are very important but that we should not allow ourselves to become overly driven by them Remember, in the end, that our mission is to move security and business forward With that in mind, review your entire security plan and ask yourself, again, where do you get the most benefit from interoperability and standards? Prioritize the importance of interoperability and standards based... encryption performed over an SSL session IPSec sessions using PKI for authentication will also be CPU-intensive when any authentication is carried out Performance Worksheet IMPACT ANALYSIS ID BEFORE PLAN PERCENT IMPROVEMENT NEW VALUE Quality Management worksheet completed for this element/template? (check box) Identify performance-sensitive components in your security stack (for example, a particular... administrators Make this information available to the team for the past 12 months 313 314 Chapter 4 Life-Cycle Management Worksheet for Staff Management ANALYSIS IMPACT ID BEFORE PLAN PERCENT IMPROVEMENT NEW VALUE Quality Management worksheet completed for this element/template? (check box) Technology Selection Assess how well your HRIS staff management software integrates with staff management security requirements . 4 Worksheet 4.33 Security Stack Worksheet for Staff Management. (continues) Security Stack Worksheet for Staff Management IMPACT ANALYSIS ID BEFORE PLAN PERCENT IMPROVEMENT NEW VALUE Quality Management. Remaining Core and Wrap-up Elements 295 Worksheet 4. 28 Selling Security Worksheet for Secure Software. Selling Security Worksheet for Secure Software IMPACT ANALYSIS ID BEFORE PLAN PERCENT IMPROVEMENT. cat-and-mouse game. 302 Chapter 4 Worksheet 4.30 Life-Cycle Management Worksheet for Secure Time. (continues) Life Cycle Management Worksheet for Secure Time IMPACT ANALYSIS ID BEFORE PLAN PERCENT IMPROVEMENT