Introduction

What is security? The answer we provide you may be surprising. Frankly, most of security is mental. How do you perceive what you are securing? How do you perceive threats to your environment? Do you believe the situation is manageable, or do you believe the situation is overwhelming? Are you willing to implement security into your daily operations? Do you consider security a ubiquitous part of overall operations? The list can go on. How you answer these questions will determine the level of security you will achieve.

Likewise, if you want to believe that computer hackers are invincible, you will do nothing to protect yourself. After all, why waste your money trying to stop someone you can't stop? If you approach information and computer security like they are manageable, then they are. If you throw up your hands in defeat, you will be defeated. The way you think affects the way that you perceive and approach the problem. If you believe security is manageable, you will perform basic research, determine reasonable security measures, and implement those measures. It is only then that you can say that you are taking personal responsibility for your security.

Consider the exploits of such infamous hackers as Kevin Mitnick, Adrian Lamo and Kevin Poulsen. Mitnick is best known for his social engineering feats which allowed him to hack the networks of Motorola, NEC, Nokia, Sun Microsystems and Fujitsu Siemens. Mitnick was eventually caught, prosecuted and served time in prison for his illegal activities. His activities did raise public awareness of security issues involving computer networks and their security.

Defining Security

There are lots of books about security, but the fact of the matter is that security is unattainable. You can never be completely secure. According to the American Heritage Dictionary and the Random House Unabridged Dictionary, the primary definition of security is essentially:

Freedom from risk or danger.

Your information will never be free of risk or danger. Anyone who tells you that they can provide you with perfect security is either a fool or a liar. Likewise corporate security programs are bound to fail, unless they really define their mission to their organization. Security is not about achieving freedom from risk. It is about the management of risk. Anyone who expects to achieve a perfect security solution will drive themselves crazy.

So fundamentally, security is about the management of loss or risk. Information security is about the management of loss of information and the resulting cost of that loss, or risk. It is therefore important to define risk.

Defining Risk

There are many different definitions of what is considered risk. It is useful at this point to provide a practical definition of risk. You can use the formula in Figure 1.1 to express risk.

Risk itself is basically the potential loss resulting from the balance of threats, vulnerabilities, countermeasures, and value. Usually it is a monetary loss; however, sometimes risk can even be measured in lives. To quickly break down the components of risk:

* Threats are the people or entities that can do you harm.

* Vulnerabilities are the weaknesses that allow the threat to exploit you.

* Countermeasures are the precautions you take.

* Value is the potential loss you can experience.

Defining Value

Value is the most important component of risk. Without value, there is no risk. You technically have nothing to lose. Usually though, you have some value embedded in most things that you own or do.

Let's look at an example of value in something that might seem inconsequential. If you have a piece of paper containing the location where you ate lunch yesterday, that would appear to be generally worthless. However, let's say that you left your wallet at the restaurant. That piece of paper could then be worth a very large amount of money to you.

Instead of leaving your wallet at the restaurant, let's assume that you are an executive for a large company, and you were meeting with people from another company that you were thinking of acquiring, or potentially were going to do business with. In this case, the information about the restaurant and meeting could help divulge the attendees and their potential business relationship. If a competitor or even a person who buys and sells stock learned of a meeting, they could profit from the information.

On the other hand, nobody may care. As you see though, Value is a relative and fluid issue. There are three different types of value: monetary, nuisance, and competitor.

* Monetary Value is the actual financial worth of information or other assets. If you lose the asset, you lose money. This is a hard value. Sometimes it is difficult to put a hard value on something, but you can find a way to estimate it. If you don't, your insurance people will.

* Nuisance Value is the potential cost of dealing with a loss. For example, while you may not have a financial loss related to an identity theft, the aggravation is costly. For example, there is the time lost in dealing with cleaning up a credit report. While you might not be found liable for someone running up bills in your name, you have to take the time to prove that the bills are not yours. This process can take months of your time. Nuisance value must be considered in any calculation of risk.

* Competitor Value is the value of an asset in the eyes of an adversary. For example, credit card receipts are generally worthless to an individual after a transaction is completed. People usually take the receipt home and throw it out. However, if the credit card receipt contains the full credit card number, it can be very valuable to a criminal. In the business world, a draft business proposal, for example, can be modified and the draft is then worthless to the business itself. However, if a competitor gets their hands on the draft, they can know exactly what they are competing against. So while something might not have an immediate value to you, its competitor value means that it might cost you value in the future.

When assessing risk, you first have to start with how much you have to lose. If you have nothing to lose, you don't have to worry about anything else. The reality though is that there is always something to lose, so you can't live in a dream world. However, it is critical to know how much you have to lose to temper how much you spend on your security program.

Defining Threat

The threat is essentially the who or what that can do you harm if given the opportunity. They cannot do you harm on their own. They require that you leave yourself vulnerable. Also, while people generally assume that Threats are malicious in nature, most threats that you face do not intend to cause you any harm.

First, you should consider that threats can be either malicious or malignant (we will break this down even further, later in this chapter). Malicious threats intend to do you harm. They include terrorist actions, malicious insiders, hackers, competitors, generic criminals, spies, and foreign countries. The type of harm they can cause you can vary by the type of intent they have. Again though, they have intent.

Malignant threats are threats which are always present. They do not have intent; however, they have the possibility to cause you harm. Malignant threats are present in everyday life. Unfortunately, the more you combat malicious threats, the more you enable malignant threats. For example, the Department of Homeland Security wants to remove markings on train cars that indicate the type of poisonous materials inside the car. They believe that terrorists might specifically target rail cars with poisonous materials, like chlorine, as they enter large cities. However, local fire departments need to know what is inside a rail car to know the potential dangers they face if a train catches fire, derails, and so on. Clearly, terrorists are a malicious threat, while fires and derailments are malignant threats that actually happen quite frequently.

A who threat is a person or group of people. These are entities that can do you harm. They can be insiders with malicious intentions, or they just might be uneducated employees. Threats can be competitors, foreign intelligence agencies, or hackers. There are also many nonmalicious people and groups that don't intend to cause you harm, but do. These are malignancies. There are millions of people on the Internet who leave their computers vulnerable. Their vulnerable computers can be taken over by a third party, who uses the computers to attack you. There are a seemingly infinite number of entities that may do you harm.

A what threat is an occurrence such as a hurricane, earthquake, flood, or snowstorm. These threats are completely uncontrollable and agnostic in their intent. They do however cause more damage than any malignant threat could ever hope to. For example, Hurricane Katrina caused tens of billions of dollars in damage and the loss of thousands of lives. Power outages have a cumulative cost of billions of dollars as well, and are caused by a wide variety of natural disasters, or even something as simple as a tree limb falling down. Tornados may seem like movie occurrences to many, but likewise cause the loss of billions of dollars and hundreds of lives each year.

When determining your risk, you have to evaluate which threats are relevant to your circumstances. Even though you might believe that you potentially face every threat in the world, the reality is that some threats are much more likely than others. As we will discuss in the next section on vulnerabilities, the threats are actually less of a factor than the vulnerabilities that they compromise.

Defining Vulnerability

Vulnerabilities are basically the weaknesses that allow the threat to exploit you. Threats are entities. By themselves, they cause you no harm. When there is vulnerability to exploit, you have risk. For example, let's say there is a hacker on the Internet. If you don't have a computer, there is no way for the hacker to exploit you. Having a computer does present a low-level vulnerability in and of itself. However, it doesn't have to be a major vulnerability. There can be many vulnerabilities in various software packages. The software itself, assuming it is not updated, is a vulnerability that can lead to a computer being compromised simply by being connected to the Internet. Some sources believe that the Microsoft Windows Meta File vulnerability that led to at least 57 malware entities cost the industry $3.75 billion. There are four categories of vulnerabilities: technical, physical, operational, and personnel.

* Technical vulnerabilities are problems specifically built into technology. All software has bugs of one form or another. A bug that creates information leakage or elevated privileges is a security vulnerability. Any technology implemented improperly can create a vulnerability that can be exploited.

* Physical vulnerabilities are infamous. They range from unlocked doors to apathetic guards to computer passwords taped to monitors. These are vulnerabilities that provide for physical access to an asset of value.

* Operational vulnerabilities are vulnerabilities that result from how an organization or person does business or otherwise fails to protect their assets. For example, Web sites can give away too much information. Stories about teenagers providing too much information on MySpace.com, which led to sexual assaults, are commonplace. While people are quick to condemn teenagers, the U.S. military currently finds that military personnel are putting sensitive information in their personal blogs. Corporate public relations departments have released corporate secrets in their marketing efforts.

* Personnel vulnerabilities involve how an organization hires and fires people within organizations. It can also involve the contractors involved in the organization. For example, if a company does not check references, it is opening itself up to fraud. Likewise, if there are problem employees, a company needs to make sure that they identify the problems and treat them appropriately. For example, in an organization that does not remove access for people who have left the company, those people can create future damage. While that might sound silly, there have been countless cases where a fired employee was able to access company computers and steal information or sabotage their former employer.

(Continues...)

---

Excerpted from Securing Citrix XenApp Server in the Enterprise by Tariq Bin Azad Copyright © 2008 by Elsevier, Inc.. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---