Tag Archives: security

The Importance of Data Classification (Information Classification)

The importance of security varies by organization. The variations exist because of the differing values placed on information and networks within organizations. For example, organizations involved in banking and healthcare will likely place a greater priority on information security than organizations involved in selling greeting cards. However, in every organization there exists a need to classify data so that it can be protected appropriately. The greeting card company will likely place a greater value on its customer database than it will on the log files for the Internet firewall. Both of these data files have value, but one is more valuable than the other and should be classified accordingly so that it can be protected properly.

Data classification is the process used to identify the value of data and the cost of data loss or theft. Consider that the cost of data loss is different from the cost of data theft. When data is lost, it means that you no longer have access to the data; however, it does not follow automatically that someone else does have access to the data. For example, an attacker may simply delete your data. This action results in lost data. Data theft indicates that the attacker stole the data. With the data in the attacker’s possession, the attacker can sell it or otherwise use it in a way that can damage the organization’s value. The worst-case scenario is data theft with loss. In this case, the attacker steals the data and destroys the organization’s copies. Now the attacker can use the data, but the organization cannot.

When classifying data, then, you are attempting to answer the following questions:

  • How valuable is the data to the organization?
  • How valuable is the data to competitors or outside individuals?
  • Who should have access to the data?
  • Who should not have access to the data?

It might seem odd to ask both of the latter two questions, but it can be very important. For example, you may identify a group who should have access to the data with the exception of one individual in that group. In this case, the group should have access to the data, but the individual in that group should not, and the resulting permission set should be built accordingly. In a Microsoft environment, you would create a group for the individuals needing access and grant that group access to the resource. Next, you would explicitly deny access to the individual who should not have access. The denial overrides the grant and you accomplish the access required.
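The grant-plus-deny arrangement described above can be modeled in a few lines. This is an added example, not code from the original post: it is a simplified model of how Windows walks an access control list in canonical order, and the account names, group name and right bits are hypothetical. It also covers one edge case: a deny that is only inherited from a parent folder does not override a grant set directly on the child.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified right bits, not real Windows access masks

@dataclass(frozen=True)
class Ace:
    allow: bool              # True = allow ACE, False = deny ACE
    trustee: str             # user or group the ACE applies to
    mask: int                # rights covered by the ACE
    inherited: bool = False  # True when the ACE came from a parent folder

def canonical(dacl):
    """Explicit ACEs before inherited ones, deny before allow in each group."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))

def access_check(dacl, identities, desired):
    """Walk the ACEs in order. A deny ACE that covers a right still being
    sought ends the check; access is granted once every right is allowed."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in identities:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # rights that nobody granted are implicitly denied

# Hypothetical accounts: group "Horse Team" with members alice and jdoe.
ALICE = {"alice", "Horse Team"}
JDOE = {"jdoe", "Horse Team"}

# The article's setup: grant the group, explicitly deny one member.
FOLDER = [Ace(True, "Horse Team", READ | WRITE), Ace(False, "jdoe", READ | WRITE)]

# Edge case: the deny is inherited from the parent while the grant is set
# directly on the child, so the explicit allow is evaluated first and wins.
CHILD = [Ace(False, "jdoe", READ | WRITE, inherited=True),
         Ace(True, "Horse Team", READ | WRITE)]

if __name__ == "__main__":
    for name, dacl in (("FOLDER", FOLDER), ("CHILD", CHILD)):
        for user, ids in (("alice", ALICE), ("jdoe", JDOE)):
            print(name, user, access_check(dacl, ids, READ))
```

When an individual must be kept out of a whole directory tree, check that no folder lower down carries its own explicit grant for one of that person's groups.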

Many organizations will classify data so that they can easily implement and maintain permissions. For example, if data is classified as internal only, it’s a simple process to configure permissions for that data. Simply create a group named All Employees and add each internal employee to this group. Now, you can assign permissions to the All Employees group for any data classified as internal only. If data is classified as unclassified or public, you can provide access to the Everyone group in a Windows environment and achieve the needed permissions. The point is that data classification leads to simpler permission (authorization) management.

From what I’ve said so far, you can see that data classification can be defined as the process of labeling or organizing data in order to indicate the level of protection required for that data. You may define data classification levels of private, sensitive, and public. Private data would be data that should only be seen by the organization’s employees and may only be seen by a select group of the organization’s employees. Sensitive data would be data that should only be seen by the organization’s employees and approved external individuals. Public data would be data that can be viewed by anyone.

Consider the following applications of this data classification model:

  • The information on the organization’s Internet web site should fall in the classification of public data.
  • The contracts that exist between the organization and service providers or customers should fall in the classification of sensitive data.
  • Trade secrets or internal competitive processes should be classified as private data.

The private, sensitive, and public model is just one example of data classification, but it helps you to determine which data users should be allowed to store offline and which data should only be accessed while authenticated to the network. By keeping private data off of laptops, you help reduce the severity of a peer-to-peer attack that is launched solely to steal information.

This data classification process is at the core of information security, and it can be outlined as follows:

  1. Determine the value of the information in question.
  2. Apply an appropriate classification based on that value.
  3. Implement the proper security solutions for that classification of information.

From this very brief overview of information classification and security measures, you can see why different organizations have different security priorities and needs. It is also true, however, that every organization is at risk for certain threats. Threats such as denial of service (DoS), worms, and others are often promiscuous in nature. The attacker does not care what networks or systems are damaged or made less effective in a promiscuous attack. The intention of such an attack is often only to express the attacker’s ability or to serve some other motivation for the attacker, such as curiosity or need for recognition. Because many attacks are promiscuous in nature, it is very important that every organization place some level of priority on security regardless of the intrinsic value of the information or networks they employ.

Value of Certification

While reading through the most recent issue of Information Security Magazine (which is really just a Web site more than a magazine nowadays), I came across a well-written article titled Determining the Value of Infosec Certifications. I was enjoying the article until I came upon those wonderful cloaking phrases like "in my experience" and "it did surprise me." The first statement indicates that the author doesn't care what statistics say when they disagree with his or her opinion. The second statement is an admission of the fact that the survey data disagrees with his or her opinion. The point is that the author of the referenced article is insisting that his view (certifications are not that important) is more correct than the statistics. In fact, when 54 percent of the respondents of a survey said that they received a promotion directly related to having a security certification, the author said that this was just their "perception" and that he was surprised by this.

Maybe this author should look at government employees working in security who are absolutely required to have certain security certifications if they want to continue in their roles. There is no question, regardless of anyone's opinion, of whether these employees are benefited (in their job opportunities) by having certifications like the CISSP, CWSP, Security+ and CASP.

Now the author is right about one thing: very rarely do professionals gain employment exclusively on a certification. However, this does not diminish the value of the certification. Yes, experience is important; however, give me a technologist with ten years of experience with no certifications and another with the exact same experience and multiple certifications, I'm going with the certified candidate every time. Why? Because the possession of the certification tells me something about the individual. It tells me she or he is not an arrogant know-it-all who feels that her or his methods are always right. This makes me feel more comfortable as an employer. I can trust that they will not "do their own thing" regardless of the damage it may do to my organization or my client's organizations.

I'm very appreciative of the article's author for pointing out that experience is essential. He is right about that for sure, but certifications tell us the individual is willing to learn and prove his knowledge. When someone tells me that certifications don't prove anything, here is my simple response, "Not getting certified definitely proves nothing." Think about it. The truth can't be more simple: getting certified proves you have the knowledge to pass that exam; not getting certified proves that you are not certified. Certainly, gaining certifications relevant to the area in which you wish to work cannot do you any harm.

ICACLS Syntax for ACL Management


One of the great new tools in Windows Vista and Windows 7 is the ICACLS command line command. While I’m very annoyed with Microsoft for not supporting the old CACLS syntax and adding the features of ICACLS (all our old CACLS-based batch files break), I have to admit that a few capabilities are very welcome. One such capability is the function used to export and import ACLs from and into objects.

For example, imagine you are about to make several permission changes to a directory structure. You want to ensure you can revert to the current permission structure if you make mistakes. ICACLS allows you to quickly export the permissions for an entire directory structure with the /save switch.

The ICACLS syntax for ACL (or permission) export is as follows:

ICACLS folder_name\* /save filename.acl /T

The /T switch is used to indicate that directory recursion should be used. The /save switch is used to export the results. For example, to save the permissions in a directory named HORSES on the C: drive and all subdirectories and files, execute the following command:

ICACLS C:\HORSES\* /save horses.acl /T

The file, horses.acl, will contain the permissions in text format. Later, you can import the permissions with the /restore switch if required. To restore the permissions, execute the following ICACLS syntax:

ICACLS C:\HORSES /restore horses.acl

Of course, the ICACLS command provides syntax for permission management as well as backing up and restoring the permissions; however, this new feature is one of the most important to know about. Hopefully, you find this information useful.
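Before restoring a saved ACL file, it helps to see what it will put back. The following is an added example, not from the original post: it assumes the saved file holds alternating relative-path and SDDL lines encoded as UTF-16LE, and the sample content and SIDs are constructed. It lists deny entries and explicit grants to broad groups such as Everyone.

```python
import re

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users"}

def read_acl_backup(raw: bytes):
    """Return [(relative_path, sddl), ...] from the bytes of a saved ACL file."""
    text = raw.decode("utf-16-le").lstrip("\ufeff")  # tolerate a leading BOM
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected path/SDDL line pairs; file looks truncated")
    return list(zip(lines[0::2], lines[1::2]))

def review(entries):
    """Flag deny ACEs and explicit (non-inherited) grants to broad groups."""
    findings = []
    for path, sddl in entries:
        # Keep only the DACL part: after "D:" and before any "S:" (SACL).
        dacl = sddl.partition("D:")[2].partition("S:")[0]
        for ace_type, flags, _rights, sid in ACE_RE.findall(dacl):
            tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}
            if ace_type == "D":
                findings.append(("deny", path, sid))
            elif ace_type == "A" and sid in BROAD and "ID" not in tokens:
                findings.append(("broad-grant", path, BROAD[sid]))
    return findings

# Constructed sample, not taken from a real system. SIDs are placeholders.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1104"
TEAM = "S-1-5-21-1111111111-2222222222-3333333333-1201"
SAMPLE = (
    "public\r\n"
    "D:AI(A;OICI;0x1200a9;;;WD)(A;OICIID;FA;;;BA)\r\n"
    "contracts\r\n"
    f"D:PAI(D;OICI;FA;;;{USER})(A;OICI;0x1301bf;;;{TEAM})(A;OICI;FA;;;BA)\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for finding in review(read_acl_backup(SAMPLE)):
        print(*finding, sep="\t")
```

An odd number of lines is treated as a damaged backup and rejected, since restoring from a partial file would leave the directory tree in a mixed state.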

Random Screening and Security

So, I just passed through security at the Columbus, Ohio airport for the sixth or seventh time this year. Of my journeys through the TSA stalls in Columbus, I recall one time this year that I was not selected for a little extra patting, rubbing or travel bag exploration. In my opinion, this is where the problem with random screening rests.

If the TSA would only scan boarding passes as the passengers go through security, they could determine which passengers have been selected for "random" screening many times in the past and ensure that they are not wasting their time on the same person again and again. For example, I have a friend who flies frequently (3-4 times each month like me) and he said he has not been "randomly" selected once this year.

The biggest problem is that we're depending on extremely biased machines to randomize the passengers. These biased machines are also known as humans. Maybe one TSA agent always selects the person they feel will be most cooperative. Maybe they select every fifth person through to attempt pure randomization. Through observation tests, I can assure you that no such pattern is used even if they are told to use such a pattern. In one sixty minute period I observed 53 passengers going through security. No humanly trackable pattern appeared in the selection process.

However, one interesting pattern did appear. Of the 53 people passing through, 7 were selected for additional screening. Of the 53 passengers, 4 helped other people with an item that fell or some other needed assistance. Not one of these four people was selected.

This made me so curious that I had to do an experiment. While sitting at the Atlanta airport, where hundreds trudge through security each hour, I was able to observe a security lane where the "random selector" agent could clearly see everyone as they were preparing to come through. In just over two hours, I observed 27 people helping someone else through the line. Again, they were not selected for additional screening.

Now, clearly, further research is required to verify this bias, but the preliminary counts seem to indicate that you can greatly increase your odds of avoiding "random" selection by helping someone on the way through the line. And this is just one example of the bias within the human machine.

So, how do we fix this? Simple: an alternating pattern must be used to select the "random" passengers. Each TSA agent can be assigned a pattern (one could be 3, 5, 2, 1, 7, 3, 5, 2, etc. and another 4, 5, 2, 5, 3, 2, 1, 4, 5, 2, 5, etc.), and the "random selector" agent can be replaced with another agent after 3-4 iterations of the pattern, making it difficult for pattern watchers to discover the pattern.

Additionally, to add variety to the pattern, if a passenger has been screened more than 3 of the last 5 times they've flown within the last sixty days, the agent is notified through a vibration signal with a hip mounted device. The agent simply passes over this passenger and continues his pattern with the next passenger. Of course, this would require boarding pass scanning outside of security, but maybe this would provide some real value at the point of entry in opposition to what we have now.

Now, I know what you're thinking, "Tom, this sounds too confusing." I say that the TSA agents are paid very well and we should not hesitate to require this ability and skill from them. Those who can't cut it, simply find themselves in lower paid positions, such as the non-observing guard at the exit of security.

In the end, random just ain't random when humans are involved and it can actually make for weakened security. Just a thought.

You Cannot Prevent a Wireless DoS Attack (wireless denial of service attack)

I'm not sure why it's such a big deal to me, but I get very frustrated by articles and blogs with titles like the following:

How to prevent wireless DoS attacks

I think it's because, um, YOU CAN'T! You simply cannot prevent a wireless DoS attack against the RF layer of the network.

Don't let wireless intrusion prevention system (WIPS) vendors fool you. You can detect a wireless denial of service (DoS) attack, but you cannot prevent it if it is an RF-level attack. Sure, if it's a frame level attack, you can prevent it through algorithms and dynamic network configuration management procedures. But if you're dealing with a physical level (RF) DoS attack, you can only remove it once the source is located – you cannot prevent it.

All I need is a 2.4 GHz RF generator and I can blanket the entire 2.4 GHz license free ISM band that is used by 802.11 b/g/n. With a 5 GHz RF generator, I could potentially do the same for the U-NII bands used by 802.11a/n. The point is that an RF generator or set of such generators can completely saturate the available spectrum with energy levels that prevent functional communications on any allowed channel. Dynamic channel management and "self-healing" solutions cannot help with this.

A good old-fashioned human being with a spectrum analyzer is one of the best ways to locate a physical layer wireless DoS attack. WIPS solutions may also be able to triangulate the source of the attack if sensors or multi-purpose access points (access points that both provide wireless functionality and sensing abilities) are used; however, it's not like the WIPS system can somehow zap the attacking device and kill it (though that's a nice thought for the future). The end result is that a physical layer DoS simply CANNOT be prevented. It can only be mitigated (i.e., the severity is reduced by detecting it quickly, locating it and eradicating it).

Personally, I find no greater joy in my IT work than tracking down an attacker and letting him see me with my spectrum analyzer as he flees in fear (and I memorize his license plate number to report him to the police). Would I really even want a software program and hardware set to take away that joy?

Inventors of the world, if you can find a true solution that truly prevents wireless denial of service attacks, you can make billions. Get started.

UPDATE: About an hour after first writing this post I was extremely annoyed by the following press release:

http://www.airtightnetworks.com/home/news/press-releases/pr/article/123/airtight-wireless-dos-attack-prevention-named-top-security-innovation-for-2009.html

Notice the press release uses the phrase DoS attack prevention, but then the actual press release admits frankly that all it does is "counter wireless DoS attacks". My point is still the same: On a wired network, you can immediately shut off the port from which a DoS attack is originating. This can be accomplished in just a few seconds. You cannot accomplish this today when a wireless DoS attack is launched against the entire unlicensed spectrum in which your wireless LAN operates. Please, vendors, just be honest and quit using the word prevent in relation to wireless DoS attacks!