Security Policies Must Be Enforced!

Last week, I had a very interesting meeting with the Belgian FCCU (“Federal Computer Crime Unit“) about the security of “public” networks. The FCCU is the Federal Police division involved in  all kind of computer forensics investigations. By the way, they also have their own Linux live-CD called “Lnx6N4” which proposes a compilation of useful tools to perform forensics investigation. [Note: the same tools can help you to recover crashed hard drives – can be useful]

In short, the meeting focused on how to protect yourself (on a legal point of view) when you plan to offer a free Internet access to visitors during an event like a conference, a LAN party or any other organizations. The FCCU inspector was very open to organize a meeting to discuss this important topic and gave a lot of tips. Security awareness seems to be a recurrent task. That’s good!

Today, the only way to identify a user is via his assigned IP address (fixed or dynamic) There was a lot of debates and studies which prove that an IP address is not 100% reliable. Some  judgments also went in the same direction. But on most of the networks today, it remains the only way to track users.

I’d like to focus on a key principle given by the FCCU: The security policies. Organizations have to define security policies and make their users aware of them but it’s not enough. It’s so easy to let users agree on a policy by clicking on a button or signing a sheet of paper. Organizations must apply those policies and have the right tools in place to enforce them. This is called in the security jargon: “due care” and “due diligence”.

“Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees.” And, [Due diligence are the] “continual activities that make sure the protection mechanisms are continually maintained and operational.” (Source: Harris, Shon (2003). All-in-one CISSP Certification Exam Guide (2nd Ed. ed.))

Let me give a practical example. A small company with a team of ten people. They have a small LAN based on classic tools (a directory, collaboration and office tools) and they use a small ADSL connection to the Internet. A few weeks ago, one of the team members harassed an ex-girlfriend. She filed a complaint and the Police first investigations showed that the company public IP address was used to send offensive e-mails (the IP was provided by the Internet Service Provider). In a first scenario, there is no trace of the DHCP IP addresses assignments. The Police must assume that the ten-people are suspicious. This means a lot of time to investigate and, worse, a high pressure on the whole team! (this could even have a very bad impact on their productivity). Second scenario, the local system administrator has a log file and is able to find which internal IP address was used (via the firewall logs) and who received it (via the DHCP logs). The Police will focus on only one person.

This is a dump example but it proves that notifying your users that their activity could be monitored for investigation purpose is not enough! Investments (money & time) must be done to implement the controls associated to the security policy. And you don’t necessarily need the latest SIEM solution with full-correlation engine to do the job. If your amount of data is low, the open-source world is full of solution which will perfectly match your requirements. But DO it and in the RIGHT way!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.