InfoGram


March 8, 2001

NOTE: This InfoGram will be distributed weekly to provide members of the emergency services sector with news and information concerning the protection of their critical infrastructures. For further information please contact the U.S. Fire Administration's Critical Infrastructure Protection Information Center at (301) 447-1325 or email at usfacipc@dhs.gov.

"The Ten Immutable Laws of Security Administration"

The last issue of this InfoGram discussed "critical infrastructures." The computers and networks internal to each department must be counted among the critical infrastructures of fire and emergency services. Researchers at the Microsoft Security Response Center canvassed their network administrators and security specialists regarding "common sense computer security." Distilling the group's collective hard-earned experience, they produced the "Ten Immutable Laws of Security Administration," written by Scott Culp. The laws are reproduced below; each holds potential insights for fire and emergency service leaders.

  1. Nobody believes anything bad can happen to them, until it does. Too many people in the health and safety professions cannot conceive why someone might send them a malicious email or try to crack their password, but an attacker only needs to find one weak link in order to penetrate your network. Leaders must mandate security on the network. Develop a security policy that specifically identifies the value of the information on your network. Now decide what steps the department is willing to take to protect it. Then develop and implement security measures on the network that reflect this policy.
  2. Security only works if the secure way also happens to be the easy way. If security measures obstruct the operational processes of your department, your users may ignore them because they have jobs to do. The result could be an actual diminishment of security after you implemented more stringent policies. Therefore, make sure your department's policy is reasonable, and strikes a balance between security and productivity. Look for ways to make the security processes have value to the users. In cases where you must impose restrictive security measures, then deliberately explain the reasons why they are necessary.
  3. If you don't keep up with security fixes, your network won't be yours for long. All software has bugs, and some of those bugs are security vulnerabilities. It's a fact of life that disreputable people actively search for these bugs in the hope of using them against you. No matter how secure your network is today, it could all change overnight when a new vulnerability is discovered. The good news is that there are many resources to help you keep up. Security mailing lists are a great way to learn about the latest attacks, and several software vendors have developed security response processes to investigate and fix vulnerabilities and publish bulletins about them. Check for new bulletins frequently, and apply the fixes promptly.
  4. It does no good to install security fixes on a computer that was never secured to begin with. What good are security patches if you have a weak administrator password on your domain controller? Or if you have shared your web server's hard drive with the world? The time to lock down a machine is before it's ever connected to the network. Security checklists from software vendors make it easy to lock down department machines.
  5. Eternal vigilance is the price of security. Sometimes neither security patches nor machine configurations can totally prevent attacks, particularly those that use valid operations or valid credentials for malicious ends. Your weapon in these cases is the event logs, which let you gauge the health of your systems and determine the right course of action to keep them safe. Be careful when configuring auditing: it is easy to log so many events that the volume exceeds your ability to analyze the data. Carefully plan which events you need to log. Finally, keep in mind that the data won't do any good unless you use it. Establish procedures for regularly checking the logs.
  6. Someone is really out there trying to guess your passwords. Passwords are a classic example of the truism that your system is only as secure as the weakest part of your defenses. The first thing an attacker may test is the strength of your passwords. You will never secure your network unless you can enforce a strong password policy. Establish minimum password length, password complexity, and password expiration policies on your network.
  7. The most secure network is a well-administered one. Many successful attacks do not involve a flaw in the software. Instead, they exploit misconfigurations - for example, permissions that were lowered during troubleshooting but never reset, an account that was created for an employee who is now gone, or a direct Internet connection that someone set up without approval. If your procedures are sloppy, it can be difficult to keep track of these details. The result will be more holes for the attacker to exploit. Therefore, having specific, documented procedures is an absolute necessity.
  8. The difficulty of defending a network is directly proportional to its complexity. This is related to Law #7. More complex networks are more difficult to administer, but it goes beyond just administering it. The crucial point here is the architecture itself. Add to your department security policy the phrase "few and well-controlled" as your guidance for network administration. Trust relationships? "Few and well-controlled." Network access points? "Few and well-controlled." The point here is that you cannot defend a network you do not understand.
  9. Security is not about risk avoidance; it is about risk management. Inevitably, the security of any useful network will be less than perfect. Fire and emergency service leaders must factor that into their planning. The goal cannot be to avoid all risks to the network. Accept that there will be times when department operations conflict with network security, thus resulting in a compromise. The place to deal with this conflict is in the documented departmental security policy.
  10. Technology is not a panacea. Technology by itself is not enough to guarantee security. There will never be a product you can simply unpackage, install, and instantly gain perfect security. Instead, security is a result of both technology and policy. In other words, it is how the technology is used that ultimately determines whether the network is secure. Deliberately plan for security. Understand what you want to protect and what you are willing to do to protect it. Finally, develop contingency plans for emergencies before they happen.
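Laws #5 and #6 together describe a check a department can actually run: audit failed logons, then review the log for guessing. What follows is an added example, not text or code from the InfoGram or from Microsoft, that scans a constructed export of logon records for bursts of failures by source address and by account, and reports any successful logon that follows such a burst, the case that most needs a human to look at it. Keying on the source address as well as the account is what catches an attacker who tries one guess against many accounts. The flat line layout, the addresses and the account names are assumptions made for the example; event IDs 529 (logon failure) and 528 (successful logon) are the Windows NT/2000 security-log IDs of the period.

```python
"""Detect password-guessing bursts in an exported security log.

Added example for this InfoGram; the log layout and sample data are
constructed, not the output of any real tool.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, one event per line:
#   date time event_id account source_ip
# 529 = Windows NT/2000 "logon failure: bad user name or password",
# 528 = successful logon. The flat layout is an assumption for the example.
SAMPLE_LOG = """\
2001-03-07 02:10:01 529 Administrator 10.0.0.77
2001-03-07 02:10:14 529 Administrator 10.0.0.77
2001-03-07 02:10:30 529 Administrator 10.0.0.77
2001-03-07 02:10:47 529 Administrator 10.0.0.77
2001-03-07 02:11:02 529 Administrator 10.0.0.77
2001-03-07 02:11:20 529 Administrator 10.0.0.77
2001-03-07 02:11:41 528 Administrator 10.0.0.77
2001-03-07 07:58:10 529 jsmith 192.168.1.20
2001-03-07 07:58:25 529 jsmith 192.168.1.20
2001-03-07 07:58:40 528 jsmith 192.168.1.20
2001-03-07 23:30:00 529 chief 10.0.0.88
2001-03-07 23:30:05 529 dispatch 10.0.0.88
2001-03-07 23:30:10 529 engine1 10.0.0.88
2001-03-07 23:30:15 529 ladder2 10.0.0.88
2001-03-07 23:30:20 529 rescue 10.0.0.88
"""

FAILED_LOGON = 529
SUCCESSFUL_LOGON = 528


def parse_line(line):
    """Split one export line into a dict; account names compare case-insensitively."""
    date, time, event_id, account, src = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "event": int(event_id),
        "account": account.lower(),
        "src": src,
    }


def find_guessing_bursts(lines, window=timedelta(minutes=5), threshold=5):
    """Flag every source and every account with at least `threshold` failed
    logons inside any `window`, and list (account, source) pairs that logged
    on successfully after either was flagged."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ("src", ip) or ("account", name) -> timestamps
    flagged = set()
    after_burst = []

    for e in events:
        keys = (("src", e["src"]), ("account", e["account"]))
        if e["event"] == FAILED_LOGON:
            for key in keys:
                q = recent[key]
                q.append(e["ts"])
                while e["ts"] - q[0] > window:   # drop failures older than the window
                    q.popleft()
                if len(q) >= threshold:
                    flagged.add(key)
        elif e["event"] == SUCCESSFUL_LOGON and any(k in flagged for k in keys):
            pair = (e["account"], e["src"])
            if pair not in after_burst:
                after_burst.append(pair)

    return {
        "sources": sorted(v for k, v in flagged if k == "src"),
        "accounts": sorted(v for k, v in flagged if k == "account"),
        "successes_after_burst": after_burst,
    }


if __name__ == "__main__":
    report = find_guessing_bursts(SAMPLE_LOG.splitlines())
    for label, items in report.items():
        print(f"{label}: {items}")
```

On the sample data the two legitimate mistyped passwords from 192.168.1.20 stay below the threshold, the six failures against Administrator from 10.0.0.77 flag both the account and the source, the later successful logon from that source is reported for investigation, and 10.0.0.88 is flagged on source alone because it tried five different accounts once each. The window and threshold are the knobs that Law #5 says to plan deliberately: set them too tight and the report is empty, too loose and it drowns in ordinary typos.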

"Rolling Blackouts and Network Security"

The National Infrastructure Protection Center (NIPC) reported that nationwide rolling blackouts could have a devastating impact on network security. Experts fear the stress being placed on the nation's power grid could make it more susceptible to disruptions from hackers. Now Oregon, Utah, and Washington are preparing for possible rolling blackouts. A spokesperson for a network security consulting firm said "from a cybersecurity perspective, the electric power grids in the West are now more fragile, and margins for error are significantly less. With diminishing margins and power reserves, the probability for cascading catastrophic effects is higher."

"Naked Wife Virus"

A malicious new Internet virus has infected numerous U.S. corporations, promising luckless emailers a video of a "naked wife." Instead of such images, the virus seeks to delete vital system files on the users' computers. The NIPC issued an advisory indicating that it considers this virus a medium threat due to its destructive payload and mass mailing capabilities. Users are advised to delete any email messages with the "Naked Wife.exe" attachment and visit their anti-virus software vendor websites for an update. System administrators are advised to consider blocking emails with "Naked Wife.exe." Additional information regarding NIPC Advisory 01-002 can be found at http://www.nipc.gov/warnings/advisories/2001/01-002.htm.

Disclaimer of Endorsement

The U.S. Fire Administration/EMR-ISAC does not endorse the organizations sponsoring linked websites, and does not endorse the views they express or the products/services they offer.

Fair Use Notice

This INFOGRAM may contain copyrighted material that was not specifically authorized by the copyright owner. EMR-ISAC personnel believe this constitutes "fair use" of copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use copyrighted material contained within this document for your own purposes that go beyond "fair use," you must obtain permission from the copyright owner.

Reporting Notice

DHS and the FBI encourage recipients of this document to report information concerning suspicious or criminal activity to DHS and/or the FBI. The DHS National Operation Center (NOC) can be reached by telephone at 202-282-9685 or by email at NOC.Fusion@dhs.gov.

The FBI regional phone numbers can be found online at www.fbi.gov/contact/fo/fo.htm

For information affecting the private sector and critical infrastructure, contact the National Infrastructure Coordinating Center (NICC), a sub-element of the NOC. The NICC can be reached by telephone at 202-282-9201 or by email at NICC@dhs.gov.

When available, each report submitted should include the date, time, location, type of activity, number of people and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.
