Enhancing Security with an IT Network Awareness Center
Content
Copyright © 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Enhancing Security with an IT Network Awareness Center
By Scott Driml
I
n today’s business world, nothing is more critical to efficient operations than the organization’s IT networks. Because of this dependence, networks will continue to be a target for intruders outside and within an organization. To assess the operational availability of these networks, developing an awareness of overall network security is just as important as the operational status of the networks themselves. There can be several networks within one company and each must be monitored to establish a clear view of the IT status, to respond to any attack on the organization’s resources and to make the most efficient use of those resources. To view the overall health of the organization’s IT systems, a network awareness center that examines multiple networks is required.
mance monitors. Typically, they assign a security officer to monitor the data flowing into the networks, or that responsibility is outsourced to a company offering focused security services. Some organizations have separate internal functions for network operation and network security; others outsource either or both. Today, most security architectures are based on a combination of methods widely deployed and sporadically monitored. When a network security problem arises, coordinating a quick response may be difficult, particularly across the entire organization.
One Big Network? Think Again
As much as corporate executives like to think of their organization as one large network, it is not. The overall network is often composed of subnetworks that are isolated for business and security reasons and run by separate network operation centers. It also is common to have individual centers for finance, human resources, customer service, order entry, e-commerce, engineering, manufacturing and inventory functions. Collapsing these multiple networks into one central network probably will not happen for business reasons, and because the individual operation centers need to maintain control of their function. With this type of architecture, critical questions quickly arise when there is a network security issue. How should an organization respond? How quickly can the problem be solved? Only one network may have a problem—are others vulnerable? If a virus infected one network, it can spread to other networks because of connectivity.
IT Networks—Vital to Success but Vulnerable
For most companies, the daily routine revolves around computers and computer systems. E-mail, file sharing, teleconferencing, e-commerce, customer communication and centralized applications are just a few examples of networked business functions. The importance of these functions will continue to grow in the future, as organizations use voice communications over IP networks, expand e-commerce and implement web-based billing and other Internet-related services. Subsequently, the communications of an entire organization will be based on a network or multiple networks, as many organizations are operating that way today. In addition, the set of functions that operates on these networks is enticing to internal intruders and external hackers. The networks often become vulnerable to attack because they are increasingly valuable. Successful penetration of a network can result in access to confidential information, or even data subversion. If the intent is malicious, the organization could be disabled for a period of time resulting in loss of productivity, loss of revenue and/or damage to organization goodwill.
The Network Awareness Center
To generate a quick, dynamic response, the organization must have the ability to examine multiple networks, which may be operated by multiple entities. Even if there is no security problem, the company must have ongoing, across-theboard network visibility, i.e., the big picture. The answer is a network awareness center that combines the attributes of the security system with the attributes of the network operation centers. It would not have responsibility for day-to-day operation of the networks. Instead, its job would be to understand the health and status of all networks. For example, a multistate organization with network operation
The Old Security Model
The old security model is similar to the current model, which requires updating. All companies deploy mechanisms within their networks to reduce intrusion. These include firewalls, encryption software, intrusion detection sensors and perfor-
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2003
centers in cities A, B and C would want to know if the center is down. The US air traffic control system is based on the same concept. There is a national center (an awareness center) that can see all aircraft flying in the United States, but it does not control the aircraft. Regional air traffic control centers are responsible for the aircraft and the protocols for handing over aircraft from one center to another. In a crisis or emergency, the national center can communicate with all the regional centers and help to coordinate the necessary response. This architecture functioned at its highest level on 11 September 2001, during the terrorist attacks in the US. Is an organization’s network awareness center a super network operations center in disguise? No. Successful organizations follow internal procedures to optimize functional and operational performance, and placing them under the control of a central authority might not optimize the company’s operation. The network awareness center creates an overall awareness. Network operations are decentralized. However, the extent of the awareness center’s authority is a matter of internal policy. For instance, the awareness center might have access to all resources, but its level of control should be established clearly by a policy that states what it can and cannot do when there is a security issue. The focus for the organization is merging local control and responsibility with global vision and insight. Sounds good, so why not do it?
credibility. The organization must believe that its awareness center is a rock-solid, reliable source of information. In another scenario, separation and confidentiality of communication is important for external companies that operate IT networks for their own clients. A client certainly does not want its data crossing over into a competitor’s network. Often, the solution to a security problem at one client is applicable to another client as a preventive measure. This is a valuable service, but where the problem occurred should be kept confidential. Authenticated Control Network awareness centers operating under a policy of broad control (they have authority to respond autonomously to an attack) should have that control authenticated. A trail of authentication should trace back to the awareness center with a high standard of proof. Who took a particular action? When did it take place? How did the network operation centers know that action was authorized? Aggregation and Display of Data from Various Networks It is not unusual for individual network operation centers to use different hardware, software and protocols. The awareness center’s skill at creating a clear picture of network health depends on its ability to aggregate and display all of the information coming from the operation centers. The aggregation must be possible without changing procedures at the operation centers. Otherwise, the organization is dictating policy or driving solutions that could hamper the efficiency of the local operation, without a solid business reason. There are tools and protocols available that address the aggregation problem without forcing standardization. The ultimate goal is for the organization to benefit from aggregation and display with a faster response to a security emergency across all of the subnetworks.
The Issues
Everything in the business world has built-in issues, and a network awareness center is no exception. Policy To avoid violating the autonomy of the network operation centers, lines of control must be established. How they interrelate to the operation centers must be understood. This may involve adding tasks at the awareness center, or modifying tasks at the operation centers, but there should be a solid business reason for doing it. Poor implementation could shift risk from the operation centers to the awareness center, and that risk should remain with the operation centers because they are responsible for their networks. Assuming that the risk has been moved away from an operation center, when it has not, could result in confusion in the event of an emergency. Separation of the Networks Once a network awareness center is up and running, the organization potentially has created a central point of attack for hackers and internal intruders. The separation of individual networks is very important to security and operations and must be maintained. Confidentiality of Communication The network awareness center may not want all operation centers to be aware of a potential security breach. Broadcasting a false positive would seriously damage the awareness center’s
Summary
• IT networks are vital to efficient organization operations in today’s business world. • Many organizations have multiple networks and multiple network operation centers that manage information of increasing value. • IT networks are vulnerable and enticing to internal intruders and external hackers. • Organizations need to view multiple networks to create a clear understanding of their network health and status. • A network awareness center that combines security and operation center attributes can generate “the big picture” that organizations need to assess and coordinate their networks. • Implementation of a network awareness center involves issues such as policy, separation of the networks, confidentiality of communication, authenticated control, and aggregation and display of data.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2003
Scott Driml is the strategic solutions director for the secure systems operation business area at General Dynamics Decision Systems in Scottsdale, Arizona, USA. This business area is responsible for the integration of security technologies used to enhance customer operations. Driml has been a speaker at commercial and military conferences, addressing information assurance and its impact on system design and operation. He joined General Dynamics Decision Systems (formerly the Motorola Government Electronics Group) in 1983 as a design engineer. Since then, he has performed design, project management and program development tasks for INFOSEC-related products and systems. These products and systems range from space payloads, to integrated avionics, to large-scale integrated circuits to network monitoring and management tools. © 2003 General Dynamics. All rights reserved.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © Copyright 2003 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2003
Enhancing Security with an IT Network Awareness Center
By Scott Driml
I
n today’s business world, nothing is more critical to efficient operations than the organization’s IT networks. Because of this dependence, networks will continue to be a target for intruders outside and within an organization. To assess the operational availability of these networks, developing an awareness of overall network security is just as important as the operational status of the networks themselves. There can be several networks within one company and each must be monitored to establish a clear view of the IT status, to respond to any attack on the organization’s resources and to make the most efficient use of those resources. To view the overall health of the organization’s IT systems, a network awareness center that examines multiple networks is required.
mance monitors. Typically, they assign a security officer to monitor the data flowing into the networks, or that responsibility is outsourced to a company offering focused security services. Some organizations have separate internal functions for network operation and network security; others outsource either or both. Today, most security architectures are based on a combination of methods widely deployed and sporadically monitored. When a network security problem arises, coordinating a quick response may be difficult, particularly across the entire organization.
One Big Network? Think Again
As much as corporate executives like to think of their organization as one large network, it is not. The overall network is often composed of subnetworks that are isolated for business and security reasons and run by separate network operation centers. It also is common to have individual centers for finance, human resources, customer service, order entry, e-commerce, engineering, manufacturing and inventory functions. Collapsing these multiple networks into one central network probably will not happen for business reasons, and because the individual operation centers need to maintain control of their function. With this type of architecture, critical questions quickly arise when there is a network security issue. How should an organization respond? How quickly can the problem be solved? Only one network may have a problem—are others vulnerable? If a virus infected one network, it can spread to other networks because of connectivity.
IT Networks—Vital to Success but Vulnerable
For most companies, the daily routine revolves around computers and computer systems. E-mail, file sharing, teleconferencing, e-commerce, customer communication and centralized applications are just a few examples of networked business functions. The importance of these functions will continue to grow in the future, as organizations use voice communications over IP networks, expand e-commerce and implement web-based billing and other Internet-related services. Subsequently, the communications of an entire organization will be based on a network or multiple networks, as many organizations are operating that way today. In addition, the set of functions that operates on these networks is enticing to internal intruders and external hackers. The networks often become vulnerable to attack because they are increasingly valuable. Successful penetration of a network can result in access to confidential information, or even data subversion. If the intent is malicious, the organization could be disabled for a period of time resulting in loss of productivity, loss of revenue and/or damage to organization goodwill.
The Network Awareness Center
To generate a quick, dynamic response, the organization must have the ability to examine multiple networks, which may be operated by multiple entities. Even if there is no security problem, the company must have ongoing, across-theboard network visibility, i.e., the big picture. The answer is a network awareness center that combines the attributes of the security system with the attributes of the network operation centers. It would not have responsibility for day-to-day operation of the networks. Instead, its job would be to understand the health and status of all networks. For example, a multistate organization with network operation
The Old Security Model
The old security model is similar to the current model, which requires updating. All companies deploy mechanisms within their networks to reduce intrusion. These include firewalls, encryption software, intrusion detection sensors and perfor-
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2003
centers in cities A, B and C would want to know if the center is down. The US air traffic control system is based on the same concept. There is a national center (an awareness center) that can see all aircraft flying in the United States, but it does not control the aircraft. Regional air traffic control centers are responsible for the aircraft and the protocols for handing over aircraft from one center to another. In a crisis or emergency, the national center can communicate with all the regional centers and help to coordinate the necessary response. This architecture functioned at its highest level on 11 September 2001, during the terrorist attacks in the US. Is an organization’s network awareness center a super network operations center in disguise? No. Successful organizations follow internal procedures to optimize functional and operational performance, and placing them under the control of a central authority might not optimize the company’s operation. The network awareness center creates an overall awareness. Network operations are decentralized. However, the extent of the awareness center’s authority is a matter of internal policy. For instance, the awareness center might have access to all resources, but its level of control should be established clearly by a policy that states what it can and cannot do when there is a security issue. The focus for the organization is merging local control and responsibility with global vision and insight. Sounds good, so why not do it?
credibility. The organization must believe that its awareness center is a rock-solid, reliable source of information. In another scenario, separation and confidentiality of communication is important for external companies that operate IT networks for their own clients. A client certainly does not want its data crossing over into a competitor’s network. Often, the solution to a security problem at one client is applicable to another client as a preventive measure. This is a valuable service, but where the problem occurred should be kept confidential. Authenticated Control Network awareness centers operating under a policy of broad control (they have authority to respond autonomously to an attack) should have that control authenticated. A trail of authentication should trace back to the awareness center with a high standard of proof. Who took a particular action? When did it take place? How did the network operation centers know that action was authorized? Aggregation and Display of Data from Various Networks It is not unusual for individual network operation centers to use different hardware, software and protocols. The awareness center’s skill at creating a clear picture of network health depends on its ability to aggregate and display all of the information coming from the operation centers. The aggregation must be possible without changing procedures at the operation centers. Otherwise, the organization is dictating policy or driving solutions that could hamper the efficiency of the local operation, without a solid business reason. There are tools and protocols available that address the aggregation problem without forcing standardization. The ultimate goal is for the organization to benefit from aggregation and display with a faster response to a security emergency across all of the subnetworks.
The Issues
Everything in the business world has built-in issues, and a network awareness center is no exception. Policy To avoid violating the autonomy of the network operation centers, lines of control must be established. How they interrelate to the operation centers must be understood. This may involve adding tasks at the awareness center, or modifying tasks at the operation centers, but there should be a solid business reason for doing it. Poor implementation could shift risk from the operation centers to the awareness center, and that risk should remain with the operation centers because they are responsible for their networks. Assuming that the risk has been moved away from an operation center, when it has not, could result in confusion in the event of an emergency. Separation of the Networks Once a network awareness center is up and running, the organization potentially has created a central point of attack for hackers and internal intruders. The separation of individual networks is very important to security and operations and must be maintained. Confidentiality of Communication The network awareness center may not want all operation centers to be aware of a potential security breach. Broadcasting a false positive would seriously damage the awareness center’s
Summary
• IT networks are vital to efficient organization operations in today’s business world. • Many organizations have multiple networks and multiple network operation centers that manage information of increasing value. • IT networks are vulnerable and enticing to internal intruders and external hackers. • Organizations need to view multiple networks to create a clear understanding of their network health and status. • A network awareness center that combines security and operation center attributes can generate “the big picture” that organizations need to assess and coordinate their networks. • Implementation of a network awareness center involves issues such as policy, separation of the networks, confidentiality of communication, authenticated control, and aggregation and display of data.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2003
Scott Driml is the strategic solutions director for the secure systems operation business area at General Dynamics Decision Systems in Scottsdale, Arizona, USA. This business area is responsible for the integration of security technologies used to enhance customer operations. Driml has been a speaker at commercial and military conferences, addressing information assurance and its impact on system design and operation. He joined General Dynamics Decision Systems (formerly the Motorola Government Electronics Group) in 1983 as a design engineer. Since then, he has performed design, project management and program development tasks for INFOSEC-related products and systems. These products and systems range from space payloads, to integrated avionics, to large-scale integrated circuits to network monitoring and management tools. © 2003 General Dynamics. All rights reserved.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © Copyright 2003 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2003
