Volume 2, Number 4 2007 - Journal of Digital Forensics, Security
Volume 2, Number 4 2007
Journal of Digital Forensics, Security and Law, Vol. 2(4)

Editors

Glenn S. Dardick, Editor-in-Chief, Longwood University, Virginia, USA
John W. Bagby, The Pennsylvania State University, Pennsylvania, USA
Linda K. Lau, Longwood University, Virginia, USA
Jill Slay, University of South Australia, South Australia, Australia
David P. Biros, Oklahoma State University, Oklahoma, USA
Jong In Lim, Korea University, Seoul, Korea
Il-Yeol Song, Drexel University, Pennsylvania, USA
Nick V. Flor, University of New Mexico, New Mexico, USA
Jigang Liu, Metropolitan State University, Minnesota, USA
Bernd Carsten Stahl, De Montfort University, Leicester, UK
Michael Gendron, Central Connecticut State University, Connecticut, USA
Marcus K. Rogers, Purdue University, Indiana, USA
Craig Valli, Edith Cowan University, Western Australia, Australia
Gary C. Kessler, Champlain College, Vermont, USA
Pedro Luís Próspero Sanchez, University of Sao Paulo, Sao Paulo, Brazil
Linda Berns Wright, Longwood University, Virginia, USA

Copyright © 2007 ADFSL, the Association of Digital Forensics, Security and Law. Permission to make digital or printed copies of all or any part of this journal is granted without fee for personal or classroom use only and provided that such copies are not made or distributed for profit or commercial use. All copies must be accompanied by this copyright notice and a full citation. Permission from the Editor is required to make digital or printed copies of all or any part of this journal for profit or commercial use. Permission requests should be sent to Dr. Glenn S. Dardick, Editor, Journal of Digital Forensics, Security and Law, Department of CIMS, College of Business and Economics, Longwood University, 1642 Horsepen Hills Road, Maidens, Virginia 23102 or emailed to [email protected].

ISSN 1558-7215

Special Issue Editor's Note

At a time when enrollment in Computer Science and Management Information Systems is low nationwide, the fields of Digital Forensics, Information Security, and Cyber Law are hot topics in our CS and MIS classrooms. Indeed, these fields are drawing students back. Therefore, it is imperative that we build relevant and interesting curricula for our digital forensics and information security classrooms.

In this special issue, the Association for Digital Forensics, Security, and Law teamed with the organizers of the 2007 Information Security Curriculum Development conference (InfoSecCD). The best papers in the various tracks of the conference were reviewed and the "best of the best" were selected for this special issue. In all, five papers were selected: four in the academic domain and one geared more toward our practitioner readers. All should be of worth to those who have an interest in the information security domain.

The issue begins with "SecurityCom: A Multi-player Game for Research and Teaching Information Security Teams." The article describes an innovative simulation program that pits network defenders against network attackers in a team-oriented approach. To add to the realism, players have limited resources to use toward their objectives.

Next, the paper titled "Education Organization Baseline Control Protection and Trusted Level Security" discusses the variability of information security standards across academic institutions. The article goes on to develop baseline criteria for those institutions that incorporate management control, operational control, logical control, and development and maintenance control factors.

Then we move to "Making Molehills out of Mountains: Bringing Security Research to the Classroom." In this paper the author describes how often research is not translated into a usable form for the classroom.
He goes on to discuss how researchers can benefit from this, as it provides a mechanism by which the research can then be incorporated into the business community.

In "The Design and Implementation of an Automated Security Compliance Toolkit: A Pedagogical Exercise," the authors describe how students can design and develop a security compliance toolkit from open source tools. Not only does the development of the toolkit serve as a valuable pedagogical exercise, but it demonstrates to students that regulatory compliance need not be an expensive task.

We close this issue with our practitioner-oriented paper, "Network and Database Security: Regulatory Compliance, Network and Database Security - A Unified Process and Goal." This paper discusses a defense-in-depth approach toward securing database information in transit and at rest. Students in the classroom as well as those in the database management field can benefit from this article.

I would like to take this opportunity to thank the co-chairs of the 2007 Information Security Curriculum Development conference, Dr. Michael Whitman and Mr. Herb Mattord, both from Kennesaw State University. They developed a rigorous review process for the articles submitted to this special issue. Also, I extend my thanks to the authors for their most informative papers. Because IT education articles and information security articles are often difficult to get published in MIS journals, many researchers shy away from preparing them. I am pleased to see that these authors understand the value of information security curriculum development. Finally, I would like to thank Dr. Glenn Dardick, Editor-in-Chief of the JDFSL, for graciously allowing this special issue.

Dr. David Biros
Guest Editor, JDFSL

Call for Papers

The Journal of Digital Forensics, Security and Law is now calling for papers in, or related to, the following areas:

1) Digital Forensics Curriculum
2) Cyber Law Curriculum
3) Information Assurance Curriculum
4) Digital Forensics Teaching Methods
5) Cyber Law Teaching Methods
6) Information Assurance Teaching Methods
7) Digital Forensics Case Studies
8) Cyber Law Case Studies
9) Information Assurance Case Studies
10) Digital Forensics and Information Technology
11) Law and Information Technology
12) Information Assurance and Information Technology

To be considered for inclusion in the 3rd issue of the 2008 volume of the Journal of Digital Forensics, Security and Law, manuscripts should be submitted prior to midnight July 1st, 2008.

Call for Papers: Special Issue on Online Communities

The purpose of the special issue is to contribute to the discussion and understanding of the current status and perspectives of digital forensics, security and law as they apply to security issues in online communities. Prospective authors are invited to submit regular technical papers or position papers. The latter should present novel ideas at an early stage of development or share a future vision. All submissions should describe original and unpublished work, not currently under review by any other journal or conference. All submitted papers will be blind reviewed with respect to their relevance, originality, adequacy, contribution, correctness, readability and presentation. To be considered for inclusion in this special issue of the journal, manuscripts should be received no later than midnight (EDT) of March 9th, 2008. Prospective authors should submit an electronic copy of their complete manuscripts through the journal's manuscript tracking system at http://www.jdfsl.org/submission.asp, or may submit by email to the special issue editor, Nick Flor, at [email protected].
Guide for Submission of Manuscripts

All manuscripts should be word-processed (letter or correspondence-quality font). If the paper has been presented previously at a conference or other professional meeting, this fact, the date, and the sponsoring organization should be given in a footnote on the first page. Funding sources should be acknowledged in the "Acknowledgements" section. Articles published in or under consideration for other journals should not be submitted. Enhanced versions of book chapters can be considered; authors need to seek permission from the book publishers for such publications. Papers awaiting presentation or already presented at conferences must be significantly revised (ideally, taking advantage of feedback received at the conference) in order to receive any consideration.

Manuscripts should be submitted through the JDFSL online system in Word format using the following link: http://www.jdfsl.org/submission.asp. Manuscripts may also be submitted to the editor in Word format. The editor of the JDFSL, Dr. Glenn S. Dardick, may be reached via email at [email protected].

The copyright of all material published in JDFSL is held by the Association of Digital Forensics, Security and Law (ADFSL). The author must complete and return the copyright agreement before publication. The copyright agreement may be found at http://www.jdfsl.org/copyrighttransfer.pdf. Additional information regarding the format of submissions may be found on the JDFSL website at http://www.jdfsl.org/authorinstructions.htm.

Contents

Special Issue Editor's Note, p. 2
Call for Papers, p. 4
Call for Papers: Special Issue on Security Issues in Online Communities, p. 5
Guide for Submission of Manuscripts, p. 6
SecurityCom: A Multi-Player Game for Researching and Teaching Information Security Teams (Douglas P. Twitchell), p. 9
Education Organization Baseline Control Protection and Trusted Level Security (Wasim A. Al-Hamdani), p. 19
Making Molehills Out of Mountains: Bringing Security Research to the Classroom (Richard G. Taylor), p. 43
The Design and Implementation of an Automated Security Compliance Toolkit: A Pedagogical Exercise (Guillermo Francia III, Brian Estes, Rahjima Francia, Vu Nguyen and Alex Scroggins), p. 59
Network and Database Security: Regulatory Compliance, Network, and Database Security - A Unified Process and Goal (Errol A. Blake), p. 77
Subscription Information, p. 107
Announcements and Upcoming Events, p. 108

SecurityCom: A Multi-Player Game for Researching and Teaching Information Security Teams

Douglas P. Twitchell
Illinois State University
Campus Box 5150
Normal, Illinois 61790
[email protected]

ABSTRACT

A major portion of government and business organizations' attempts to counteract information security threats is teams of security personnel.
These teams often consist of personnel of diverse backgrounds in specific specialties such as network administration, application development, and business administration, resulting in possible conflicts between security, functionality, and availability. This paper discusses the use of games to teach and research information security teams and outlines research to design and build a simple, team-oriented, configurable information security game. It will be used to study how information security teams work together to defend against attacks using a multi-player game, and to study the use of games in training security teams. Studying how information security teams work, especially considering the topic of shared situational awareness, could lead to better ways of forming, managing, and training teams. Studying the effectiveness of the game as a training tool could lead to better training for security teams.

Keywords: Experiential Learning, Security Education, Gaming

1. INTRODUCTION

With the rise of information technology and information availability has come the inevitable rise of information theft, as well as other threats to security that are specific to information technology. Some of the threats familiar today include viruses, spyware, phishing, identity theft, and corporate espionage. Information security, a field of study that originated in the military's need for secrecy, has now evolved into a multi-faceted research area with immediate implications in today's world. Research into information security has resulted in many valuable technologies such as firewalls and anti-virus software, yet has also called attention to the need for education and training for both general computer users and information security specialists. Games and other simulations are beginning to be a part of this education, training, and research.

The use of games for teaching or research is not new. Games and other simulations have been used for business training and research since the 1960s (Keys & Wolfe, 1990). The main reasoning for using games and simulations for training and education is that there is a body of evidence suggesting that experiential learning creates superior learning outcomes in the learner compared with lecture-style learning (Kolb, 1984). Experiential learning is learning that involves some degree of applying concepts by performing tasks that relate to the concepts. Often experiential learning is meant to give the learner an opportunity to make decisions in a low-risk environment while at the same time giving the learner an emotional appreciation for how the concepts work in the "real world." Experiential learning with games has also been extensively and successfully used in teaching and learning in teams (Kayes, Kayes, & Kolb, 2005).

The use of games in security education and training is also not new. Several games have been developed over the years to help end users understand the need for security and to help security professionals become better at making decisions concerning security (Saunders, 2002). Among them are CyberProtect from the Defense Information Systems Agency, and CyberCIEGE from the Naval Postgraduate School. However, in these and other information security games, the emphasis has not been on learning as teams, and although these games include monetary trade-offs, they don't include the political trade-offs and negotiations between security and availability, at least not those that involve negotiations between real people.

To evaluate these games and guide the development of a new information security game that involves teams, we can use the criteria listed by Dempsey, Haynes, Lucassen, and Casey (2002) for evaluating a game for learning:

1. The game must be relatively simple to play.
2. The game can be adapted and reprogrammed inexpensively.
3. The game must have some identifiable potential for educational use, if adapted.
4. The game must be different from the other games in its category.
5. The game must be designed so that it can be played by a single player.

For games created for information security education, Criterion 3 is a given, and since we are emphasizing team performance, Criterion 5 is less important. Therefore, we will evaluate CyberProtect, CyberCIEGE, StrikeCom, and the proposed game using Criteria 1, 2, and 4.

CyberProtect, created for the Defense Information Systems Agency in 1999, won several awards for gaming in general. In this game, the player represents a network administrator with a budget who must buy equipment and training to defend the network against attack. The game is played in rounds during which the player must buy and install assets with varying degrees of effectiveness in various locations on the network. When a round is complete, random attacks are attempted on the network, and their efficacy is reported. When finished, the game gives the player an overall report of preparedness. CyberProtect's user interface and game-play are relatively easy, with only two screens (the network, shown in Figure 1, and the budget) to navigate during play; therefore, CyberProtect meets Criterion 1. However, the game source code and configuration are hidden, so Criterion 2 is not met. Finally, CyberProtect was one of the first computer games produced for information security education and therefore meets Criterion 4.

Figure 1: A screenshot of CyberProtect showing the view of the network

Another game, CyberCIEGE (Irvine, Thompson & Allen, 2005), was recently created and was developed using the same kind of interface as the popular game The Sims. Players in this game are immersed in a three-dimensional office where they can be confronted with a number of different information security scenarios.
These scenarios are configurable through a language developed for the game itself, allowing a high level of configurability and handily meeting Criterion 2. However, the ability to adapt and configure the game to complex situations and scenarios seems to make the game more difficult to use. The player's interface includes seven panels: the main 3D interface and six other panels with various options for the user (see Figure 2). While such complexity may allow for more realistic scenarios and may be appropriate for longer courses where learning the interface can take place, it doesn't seem that the game meets Criterion 1, and it may not be appropriate for shorter training courses. Since, however, CyberCIEGE is highly configurable, it may be possible to design scenarios with simple, easy-to-learn interfaces. CyberCIEGE does, however, meet Criterion 4.

Figure 2: Screenshots from CyberCIEGE showing the 3D office view (upper left) and a detail panel (lower right)

Finally, StrikeCom (Twitchell et al., 2005) was originally created to support deception detection research, and was later used by the Department of Defense's Office of Force Transformation during short course seminars to teach some of the tenets of Network Centric Warfare (NCW), including shared situational awareness. The game requires teams to search a grid-based game board for enemy camps. In the most commonly used configuration, each player has two assets with which to search the board. During each of five turns, the players search the board and submit their search. At the end of each turn, the game returns one of three results: likely nothing found, uncertain, or likely something found. After the end of the five searching turns, the teams use the information acquired in the previous rounds to place bombs for destroying the enemy camps.
When StrikeCom was used in military officer training, the emphasis was placed on the communication among team members during the searching and striking rounds. These communications were the basis for teaching NCW. NCW (Cebrowski & Garstka, 1997) is one of the leading theories currently driving U.S. military operations. It contains five tenets: 1) knowledge of the adversary; 2) shared situational awareness; 3) commander's intent; 4) decentralized execution; and 5) self-synchronization. Of these, Shared Situational Awareness (SSA) is one of the most appropriate for implementation in information security, especially in teams. It has been shown to be a valuable tenet of network-centric warfare through the use of tools such as the Blue Force Tracker used in Iraq and Afghanistan. This tool allows individuals from all levels of the military to see where they are in relation to others on both sides of the battlefield. Furthermore, it gives them the information they need to make informed decisions that might affect others. Since information security (or information warfare, as it has been called) is often compared to warfare, SSA could be just as important to information security as it is for military operations and should be tested as a part of an information security system.

Figure 3: A screenshot from StrikeCom's Search phase. The game board is on the left, and the chat window is on the right

StrikeCom was used during NCW short courses offered by the Department of Defense to experientially illustrate the concept of SSA and other NCW tenets. To accomplish this, the game was tuned so that teams of three officers or civilians play using three communication media. In the first game, players sit next to each other and talk face-to-face; the next game is played using chat only, with players who are anonymous. These two game situations are common experiences in actual tactical and operational military interactions.
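The StrikeCom mechanics described above (a grid board, two search assets per player, five search turns, a three-valued result, then a strike phase) and the claim that shared situational awareness makes a team more effective and more efficient with its resources can both be made concrete in a small simulation. The following is an added example written for this edition; it is not code from the paper, from StrikeCom or from SecurityCom. The board size, the number of camps, the sensor noise model (probabilities P_TRUE and P_UNCERTAIN) and the +1/-1 evidence scoring are assumptions made here; the paper gives none of them. The team with SSA plans its bombs from the merged search notes of all players; the team without it has each player bomb their own best guess, unaware of what teammates saw or where they are bombing.

```python
"""Toy StrikeCom-style search-and-strike simulation.

Added illustration, not code from the paper or from StrikeCom/SecurityCom.
The sensor noise model, the evidence scoring and the board parameters are
assumptions made for this example.
"""
import random
from typing import Dict, Iterable, List, Tuple

Cell = Tuple[int, int]

# The three results StrikeCom returns after a search (from the paper).
NOTHING, UNCERTAIN, SOMETHING = "likely nothing", "uncertain", "likely something"

# Assumed noise model: the true state is reported with probability P_TRUE,
# "uncertain" with probability P_UNCERTAIN, and the wrong state otherwise.
P_TRUE, P_UNCERTAIN = 0.8, 0.15


def search_result(has_camp: bool, roll: float) -> str:
    """Map a uniform roll in [0, 1) to one of the three search results."""
    truth = SOMETHING if has_camp else NOTHING
    if roll < P_TRUE:
        return truth
    if roll < P_TRUE + P_UNCERTAIN:
        return UNCERTAIN
    return NOTHING if has_camp else SOMETHING


def evidence(result: str) -> int:
    """Score one observation: +1 for a likely camp, -1 for likely empty, 0 if unsure."""
    return {SOMETHING: 1, NOTHING: -1, UNCERTAIN: 0}[result]


def merge_beliefs(notes: Iterable[Dict[Cell, int]]) -> Dict[Cell, int]:
    """SSA: pool every player's evidence into one shared picture of the board."""
    merged: Dict[Cell, int] = {}
    for note in notes:
        for cell, score in note.items():
            merged[cell] = merged.get(cell, 0) + score
    return merged


def choose_strikes(beliefs: Dict[Cell, int], bombs: int) -> List[Cell]:
    """Bomb the cells with the strongest evidence of a camp (ties broken by position)."""
    ranked = sorted(beliefs.items(), key=lambda kv: (-kv[1], kv[0]))
    return [cell for cell, _ in ranked[:bombs]]


def run_game(shared: bool, seed: int, size: int = 5, camps: int = 3,
             players: int = 3, assets: int = 2, turns: int = 5) -> int:
    """Play one game and return how many camps the team's bombs destroyed."""
    rng = random.Random(seed)
    cells = [(r, c) for r in range(size) for c in range(size)]
    camp_cells = set(rng.sample(cells, camps))
    notes: List[Dict[Cell, int]] = [{} for _ in range(players)]

    # Search phase: each turn every player aims each asset at a cell of their
    # own choosing (random here) and writes down the three-valued result.
    for _ in range(turns):
        for note in notes:
            for cell in rng.sample(cells, assets):
                result = search_result(cell in camp_cells, rng.random())
                note[cell] = note.get(cell, 0) + evidence(result)

    # Strike phase: one bomb per player. With SSA the team plans its bombs
    # from the merged picture; without it each player bombs their own best
    # guess, so two bombs can land on the same cell and the rest of the
    # team's observations go unused.
    if shared:
        strikes = choose_strikes(merge_beliefs(notes), players)
    else:
        strikes = [choose_strikes(note, 1)[0] for note in notes]
    return len(camp_cells & set(strikes))


def mean_hits(shared: bool, games: int = 500) -> float:
    """Average camps destroyed over many seeded games."""
    return sum(run_game(shared, seed) for seed in range(games)) / games


if __name__ == "__main__":
    print(f"without SSA: {mean_hits(False):.2f} camps destroyed per game")
    print(f"with SSA:    {mean_hits(True):.2f} camps destroyed per game")
```

Running the module prints the average number of camps destroyed with and without the shared picture; the gap between the two lines is the effect the paper proposes to measure experimentally with SecurityCom. The merge step is deliberately the only difference between the two teams, so that nothing but the sharing of observations accounts for the difference in outcome.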
Hence, post-hoc analysis of game scores, communication channel, player behavior and interaction reveals a number of critical teaching points for intent, decentralized execution, self-synchronization and SSA. After these two games are played and debriefed, a third game is played with a shared visualization tool (augmented SSA) added. At the conclusion of the final game, NCW concepts are evaluated with the training group via a panel of experts. StrikeCom was, according to user feedback comments, successful at supporting these workshops for the training of NCW concepts with various military groups around the world.

Like CyberCIEGE, StrikeCom is highly configurable, but it is also simple to use, as is illustrated by its wide use in short training courses where students learned how to use the game and used it for learning within a two-hour session. Therefore, StrikeCom meets Criteria 1 and 2. However, it doesn't necessarily meet Criterion 4, since other grid/turn-based games have been used in the past.

Despite its team orientation, its ease of use, and its configurability, StrikeCom is not specifically built for information security education and research. Although deception detection and shared situational awareness are well simulated in the game, information, computer, and network security are not. Therefore, we propose modifying StrikeCom to have a simple information security interface while retaining its team orientation and configurability. The new game will be called SecurityCom.

2. OBJECTIVES OF PROPOSED RESEARCH

This research has three main objectives. First, build a research and teaching tool, SecurityCom, that can be used in this and other projects to test aspects of team interaction and education in information systems security. Second, determine how important SSA is to the effectiveness and efficiency of information systems security teams.
Third, determine how effective SecurityCom is at aiding the education of security personnel compared to other learning modes.

2.1 Build SecurityCom

SecurityCom will be built using the same concepts as StrikeCom: team interaction and simplicity. The user interface will allow for interaction between security personnel on the team and also allow the researcher to capture communications among team members. A chat window will be the main channel of communication, which will provide the means to communicate whether remote or co-located, and it will allow capture by the researcher. The user interface will be simple and intuitive so that the user will require a minimal amount of training to complete the exercise. CyberProtect was a good example, and aspects of its user interface design will be integrated into SecurityCom's user interface. The user interface itself will be built on a web-browser-based interface to allow for ease of administration and deployment. A mock-up of the user interface is shown in Figure 4.

Figure 4: A mock-up of the SecurityCom interface. Left: a palette of network components. Middle: the dynamic network diagram, or shared situational awareness. Right: a chat window for communication. Bottom: network component properties

2.2 Test Shared-Situational Awareness (SSA)

SSA is the ability of all team members to see the dynamic environment in real time as it changes. The information SSA gives allows team members to make informed decisions on future actions. In battle, the use of SSA results in greater effectiveness at hitting targets, greater efficiency in the use of resources, and fewer friendly-fire incidents. In information security, SSA should allow security teams to make quicker decisions concerning security controls and allow them to be more effective in mitigating risk.
The purpose of this objective is to test whether SSA does increase efficiency and effectiveness in mitigating information security risk.

2.3 Test SecurityCom against other games and methods

As indicated above, the use of games for information security education is not new, and several games such as CyberProtect and CyberCIEGE have already been developed. Therefore, SecurityCom should be compared against these other games to determine whether it is superior or inferior in its effectiveness at aiding the teaching of security concepts. Unfortunately, these and other information security games currently available are not multi-player, so the comparison will have to be done with individuals. Comparing the games not only provides evidence for which game is more effective, but it also helps inform researchers whether the theories upon which the games are built have validity. Furthermore, the purpose of this objective is to test SecurityCom's performance relative not only to other games, but also to other modes of learning such as classroom lecture.

3. METHODOLOGY

The philosophy underlying the methodology of this research project is the information systems field's Design Science (Hevner, March, Park, & Ram, 2004). This research methodology framework is based on the idea that information systems research should be centered on an "IT artifact": a formal method, instrumentation, computer program, or hardware that is designed, built, and tested. Theory informs the design and construction of the artifact, and the subsequent testing in the laboratory, the field, or another suitable arena. The design and testing then feed into improvement of the theory or creation of further theory. SecurityCom is the IT artifact to be designed, built, and tested.
The informing theories include experiential learning theory, the theory that education, training, and awareness are integral to information security, and the NCW tenet of SSA. Once built, SecurityCom will be used to perform two laboratory experiments. The first experiment will test the usefulness of SSA in security teams, and the second will test the SecurityCom game against other information security games.

To test the usefulness of SSA in information security, groups of three subjects will be randomly assigned to one of two treatments. In the first treatment, the groups will not have an SSA display during the first half of the game, but it will be given to them during the second half. In the second treatment, the opposite will be done: the groups will have the SSA display during the first half, but will not have it during the second. Effectiveness at mitigating risk to information security on the given network will be the dependent variable, measured halfway through the game and at the end of the game. Differences between the treatments will be compared using repeated-measures ANOVA.

In the second experiment, SecurityCom with full SSA will be compared to two (or one, depending on the availability of subjects) other information security experiential learning games. This time, because the other games are not yet capable of multi-player play, individuals will be randomly assigned to one of four (or three) treatments: SecurityCom with SSA, CyberProtect, CyberCIEGE, or classroom lecture. The dependent variable to measure is the individual's grasp of a specific information security concept. The learning will be measured by comparing a pre-test and a post-test. Again, repeated-measures ANOVA will be used to assess the differences among the treatments.

Together, these experiments using SecurityCom will provide evidence on the usefulness of SecurityCom specifically and gaming generally in information security education, and on the role of shared situational awareness in information security team effectiveness. The evidence can then be used to further update the informing theories.

4. CONCLUSION

It is encouraging to see the advances being made in using experiential learning in information security education. In addition to the games mentioned in this paper, the Collegiate Cyber Defense Competition (CCDC), run yearly around the U.S., provides an immersive, semi-real-world environment where students can apply what they have learned while under pressure. Since the CCDC requires numerous resources and is therefore only run once each year, the games mentioned and proposed in this paper provide a means for continuous experiential learning with little investment in resources. SecurityCom, based on CyberProtect and StrikeCom, will provide an experiential learning platform for teaching team concepts in information security, especially those involving the allocation of scarce resources and the tension between security and availability. Learners using SecurityCom will get a taste of how security is implemented in the context of organizational resources and politics, and they will gain some experience advocating for security. SecurityCom should also be valuable to information security researchers hoping to gain insight into the behavior of information security professionals that work in teams, especially regarding shared situational awareness.

ACKNOWLEDGEMENTS

This paper was originally presented at the 2007 Information Security Curriculum Development Conference, September 28-29, 2007, Kennesaw, Georgia, USA.

AUTHOR BIOGRAPHY

Douglas P. Twitchell, PhD is an assistant professor of information systems in the School of Information Technology at Illinois State University.
He is the author of several articles and conference proceedings on behavioral issues in information security. His other research interests include online conversations, text mining, and deception detection.

REFERENCES

Cebrowski, A. K., & Garstka, J. (1997). "Network centric warfare: Its origin and future." Naval Institute Proceedings, 124(1), 28-36.
Dempsey, J. V., Haynes, L. L., Lucassen, B. A., & Casey, M. S. (2002). "Forty simple computer games and what they could mean to educators." Simulation & Gaming, 33(2), 157-168.
Hevner, A. R., March, S. T., Park, J., & Ram, S. (2004). "Design science in information systems research." MIS Quarterly, 28(1), 75-105.
Irvine, C. E., Thompson, M. F., & Allen, K. (2005). "CyberCIEGE: Gaming for information assurance." Security & Privacy Magazine, 3(3), 61-64.
Kayes, A. B., Kayes, C. D., & Kolb, D. A. (2005). "Experiential learning in teams." Simulation & Gaming, 36(3), 303-329.
Keys, B., & Wolfe, J. (1990). "The role of management games and simulations in education and research." Journal of Management, 16(2), 307-337.
Kolb, D. A. (1984). Experiential learning: Experience as the source of learning and development. Englewood Cliffs, N.J.: Prentice-Hall.
Saunders, J. H. (2002). "Simulation approaches in information security education." Journal of Information Security, 1(2).
Twitchell, D. P., Wiers, K., Adkins, M., Burgoon, J. K., & Nunamaker, J. F., Jr. (2005). "StrikeCOM: A multi-player online strategy game for researching and teaching group dynamics." Paper presented at the Thirty-Eighth Hawaii International Conference on System Sciences (CD/ROM), Big Island, Hawaii.

Education Organization Baseline Control Protection and Trusted Level Security

Wasim A. Al-Hamdani, PhD
Information Security Lab
Division of Computer and Technical Sciences
Kentucky State University, Frankfort, KY 40601
Phone: (502) 597-6728, Fax: (502) 597-5763
[email protected]

ABSTRACT

Many education organizations have adopted enterprise security best practices for implementation on their campuses, while others focus on the ISO standards and/or those of the National Institute of Standards and Technology. All of these adoptions depend on IT personnel and their experience or knowledge of the standard. On top of this is the size of the education organization. The larger the population of an education organization, the clearer its information and security problems become; such organizations have therefore been obliged to address information security issues and adopt a national or international standard. The case is quite different when the population of the education organization is smaller. Such education organizations use social security numbers as student IDs, issue administrative rights to faculty and lab managers, or are not aware of the Family Educational Rights and Privacy Act (FERPA) and release some personal information. The problem of education organization security is wide open and depends on the IT staff and their information security knowledge; in addition, the education culture (education, scholarship and services) has very special characteristics that differ from those of an enterprise or comparable organization.

This paper is part of a research effort to develop an "Education Organization Baseline Control Protection and Trusted Level Security." The research has three parts: adopting (standards), testing, and modifying (if needed). The baseline control criteria cover the following topics: management control, operational control, logical control, physical control, and development and maintenance control. This paper is concerned with the first two controls.
Definition: for the purpose of this research, the following definition will be used:

Education organization: a university campus, technical college, or high school, comprising several education units (departments, colleges) and four different personnel groups: faculty, staff, students and administration.

EOBC stands for Education Organization Baseline Control.

Keywords: Information security, information security control, information security baseline, security trusted level, education organization, education environment, campus information security, information security education, information security infrastructure.

1. INTRODUCTION AND PROBLEM STATEMENT

The final version of the national strategy encourages colleges and universities “to secure their cyberspace by establishing some or all of the following approaches” (pp. 25, 41, The National strategy secure cyberspace 2003):

• One or more information sharing and analysis centers to deal with cyber attacks and vulnerabilities;
• An on-call point of contact for Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyberattacks;
• Model guidelines empowering chief information officers (CIOs) to address cybersecurity;
• One or more sets of best practices for IT security; and
• Model user awareness programs and materials.
The report specifies the following: “Top university presidents have adopted a five-point Framework for Action that commits them to giving IT security high priority and to adopting the policies and measures necessary to realize greater system security.” These are:

(1) Make IT security a priority in higher education;
(2) Revise institutional security policy and improve the use of existing security tools;
(3) Improve security for future research and education networks;
(4) Improve collaboration between higher education, industry, and government; and
(5) Integrate work in higher education with the national effort to strengthen critical infrastructure.

An education culture (education, scholarship and services) (Luker & Petersen 2003) has very special characteristics that differ from those of an enterprise or comparable organization. Education cultures normally have in common: a free organization; a focus on learning, scholarship and services; large turnover in numbers (per semester/year); one semester as a major period; the age of the participants in the organization; learning in group or individual settings; and the inclusion of non-academic and extracurricular services. With all these factors, a major question arises: “How to protect assets?” and, furthermore, “What are the assets?” In an education organization, information assets could be defined as: student grades, research reports, exam papers, student/staff/faculty personal information, the library (e-library), administration reports and processes, personnel evaluations, accountancy department assets, student records, student registration, network infrastructure, lab resources, and others.
Compliance issues related to the above assets are policies, procedures, guidelines, data backup and retention, data privacy, transferring and downloading data, communications, firewalls and external connectivity, intrusion detection systems, intrusive computer software, disaster controls, physical and logical access controls, device and media controls, and procedural controls. How to protect these assets? The answer depends on the size of the education organization. The other side of the problem is the level of IT department expertise and knowledge in the field of information security. A normal solution is to adopt security best practices and standards. There are many information security standards and guidelines that can be followed, such as:

• The free online publications of the National Institute of Standards and Technology (National Institution of Standard and Technology 2007);
• Requests for comments such as RFC 2196 (Site Security Handbook) or RFC 2504 (Users’ Security Handbook) (Request for comments 2004);
• International standards such as ISO 19977 (INCITS/ISO/IEC 17799-2005 2005);
• IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799 (Calder and Watkins 2005);
• American National Standards Institute publications (the Code of Practice for Information Security Management standard and the guidance document Contracting for Information Security in Commercial Transactions: An Introductory Guide) (ANSI American National Standard Instute 2008).

Some universities do understand the problem and have organized their assets under standard policies, procedures and guidelines, such as:

• University of California (University of California 2007);
• University of Iowa (University of Iowa 2004);
• University of Colorado at Boulder (University of Colorado at Boulder 2007);
• University of Utah (University of Utah 2006);
• Purdue University (University of Purdue 2006).

The problem is cited in small population education organizations, where enterprise best practice implementation is very costly and the boundary between secure and insecure organizations is not clear. In addition, there is a lack of security expertise in the IT departments of small institutions. The case is quite different in large education organizations, where information security is on the front burner as a critical factor to be attended to. Theoretically speaking, the size of the population should not affect information security practices; that is, disclosure of personal information is simply releasing personal information. The problem is that there are no baselines and no trusted or secure level at which one can say, “X or Y education organization or campus is in a state of compliance with the security level required.” More specifically, there is no existing standard, best practice, standard policy level or guideline for academic and education organizations that IT could follow. Total success is dependent upon the IT personnel: their expertise, knowledge and so on. Even with this knowledge, creating or adapting a standard or best practices is not an easy task, because IT has to select the most suitable for their campuses (quite possibly after some trial). Looking at a large population education organization, we can see their adaptation coming from the ISO or the NIST standards or from trial and error. Academic and education organizations have very special characteristics and features that distinguish them from any other enterprise or national agency. Such organizations have features such as a free organization, a focus on learning, large turnover in numbers (per semester/year), one semester as a major period, the age of the participants in the organization, learning in group or individual settings, and the inclusion of non-academic and extracurricular services.
The need for information security base standards and trusted levels, or even minimum levels of trust, for an education institution is essential, as some educational organizations are still using practices that are classified as security breaches for personnel and the organization; for example, using social security numbers as student ID numbers, no security policies, no network password policy, no security management, no information and data risk analysis, no backup policy, administrative rights for all faculty, no access control policy, no physical security, no configuration management, and no change control management. The problem becomes more critical if we look at the research level, where copyright (intellectual property) issues or grading systems are considered. The problem is very clear with cyber courses and e-classes, where student assessment is based on open resources (many instructors fall into cybercheating without being aware of it, such as Blackboard cheating (Al-Hamdani, 2008)). Hence, the need for standards to be developed and tested is very critical for small- and medium-sized education organizations (the case could be very critical for large campuses as well). Detailed standards and checklists, as well as a baseline security matrix, could be automated to deliver the best security practices needed. The matrix could also evaluate any education organization to decide its security level and then indicate where weaknesses lie and what measures are needed to improve the level of security. The need for standards in an education organization should take into account the education organization, its culture properties and culture behaviors, and focus on educational best practices for security control, legislation, architecture, and continuity of operations.

2. BASELINE SECURITY INFRASTRUCTURE

As the education campus population increases, security starts to be a problem for IT personnel, and many depend on IT expertise, skill and knowledge for information security. The authentic need for security normally drives IT personnel to find the best solutions for their security problem. Basically, there are four solutions that IT would approach. These are:

• NIST free publications as a guideline (National Institution of Standard and Technology 2007), using documents such as: SP 800-12 An Introduction to Computer Security; SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems; SP 800-16 Information Technology Security Training Requirements; SP 800-18 Guide for Developing Security Plans for Federal Information Systems; SP 800-26 Self-Assessment Guide for Information Technology Systems; SP 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security); SP 800-53 Recommended Security Controls for Federal Information Systems.
• ISO (IT Governance: A Manager’s Guide to Data Security and BS 7799/ISO 17799; INCITS/ISO/IEC 17799-2005 2005), such as: ISO 17799 Information Technology Code of Practice for Information Security Management.
• Federal Information Processing Standards Publications (FIPS publications) (Federal Information Processing Standards Publications 2007), using documents such as: FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems, February 2004; FIPS 200 Minimum Security Requirements for Federal Information and Information Systems.
• Industry best practices, which normally come with software and hardware purchases.
These guidelines (and others; see Appendix 1) can be classified as:

Information Security Management
• ISO/IEC 17799:2005 and ISO/IEC 27001:2005 (INCITS/ISO/IEC 17799-2005 2005; Calder and Watkins 2005);
• RFC 2196 (The Internet Engineering Task Force (IETF));
• IT Baseline Protection Manual (Germany) (Sicheres E-Government 2008);
• OECD Guidelines for the Security of Information Systems (OECD Guidelines for the Security of Information Systems 2005).

Evaluation
• ISO 15408 (“Common Criteria”) (ISO 15408. Common Criteria for Information Technology Security Evaluation, V3.1 2006);
• Perhaps the most important of these books, the Trusted Computer System Evaluation Criteria (TCSEC, or Orange Book) (Rainbow Series 2006);
• Information Technology Security Evaluation Criteria (“ITSEC”) (UK) (Information Technology Security Evaluation Criteria (ITSEC) 1991);
• Gateway Certification Guide and DSD EPL (Australia/New Zealand) (Defence Signals Directorate 2007).

Development
• Capability Maturity Model (CMM) (Chrissis et al 2003);
• Systems Security Engineering Capability Maturity Model (SSE-CMM) (System Security Engineering Capability Maturity Model (SSE-CMM) 2008).

Risk
• Acquisition Risk Management (US) (Risk Management Guide for DoD Acquisition 2003);
• AS/NZS 4360 (“Risk Management”) (Australia/New Zealand) (Standards Australia Online Catalogue 2008).

Authentication
• ISO 11131:1992 (“Banking and Related Financial Services; Sign-on Authentication”) (Standards Australia Online Catalogue 2008).

All these documents and their adaptations depend on:
• the level of security required;
• IT personnel;
• the management’s support;
• cost efficiency for the campus;
• real threats (real cases).

Normally, a large campus has more efficient security measures, and this is reflected in its policies, standards, procedures and best practices.
A campus with more than 33,000 students (not counting faculty and staff) must have reasonable information security practices and policies. Information security policies cover many issues, such as:

• Security Breach of Personal Information;
• Electronic Distribution of University Information via the Internet;
• Information Security;
• Protection of Confidential Electronic Information;
• Copyrighted Material.

Comparing the large campus security measures with a small campus or education organization of 3,000 to 5,000, we could find a single-page information security policy and other basic policies (such as a password policy or a firewall policy), which are normally software or hardware driven. Even when advanced security issues have been taken care of, things happen in open organizations such as universities (Hacker News, 2006), as when two students “have been accused of hacking into a professor's computer, giving grades to nearly 300 students and sending pizza, magazine subscriptions and CDs to the professor's home”. What about an education campus where the information security policy is one page, social security numbers are used as student/faculty/staff account numbers, and the first password (for system login) is a home phone number? This matters especially because the student level of knowledge in information technology has become higher in the last few years as a result of cheap hardware and open source software. The significant goals for this research are:

• Adopt national and international baseline security issues;
• Examine a number of large education campus security principles and baselines;
• Examine a number of small education campuses’ security issues;
• Find the security connection (statistically) between the two types of education organizations;
• Build a trusted level of baseline security (standard);
• Develop a checklist;
• Deliver an information security matrix.
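Sections 1 and 2 describe a checklist and security matrix that could be automated to decide an education organization’s security level, point out its weaknesses, and be re-measured after feedback. The following Python sketch is an added example, not the paper’s own tool, of that evaluation over a subset of the EOBC controls the paper defines; the control weights, the level thresholds, the disqualifying-practice list and the hypothetical small-campus answers are constructed assumptions.

```python
"""Added example (not the paper's own tool): an automated EOBC checklist evaluator.
It scores a campus against baseline controls, reports trusted level and gaps, and
re-measures after remediation (the feedback loop of Section 2).  Weights, thresholds
and sample answers are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    """How far a control is in place; the value is the points it earns."""
    ABSENT = 0       # nothing in place
    PARTIAL = 1      # exists but incomplete, e.g. a one-page policy never reviewed
    IMPLEMENTED = 2  # in place, reviewed and communicated

@dataclass(frozen=True)
class Control:
    cid: str       # EOBC identifier used in the paper, e.g. "1.1"
    cls: str       # "management" (Section 4) or "operation" (Section 5)
    title: str
    function: str  # Deter / Protect / Detect / Respond / Recover (Section 3.2)
    weight: int    # assumed relative weight, constructed for this example

# Subset of the EOBC controls defined in Sections 4 and 5 of the paper.
EOBC = [
    Control("1.1", "management", "Policy document", "Deter", 3),
    Control("1.3", "management", "Awareness and training", "Deter", 2),
    Control("1.4", "management", "Third party access control", "Protect", 2),
    Control("1.6", "management", "Asset classification and control", "Protect", 2),
    Control("1.9", "management", "Security incident handling", "Respond", 3),
    Control("1.10", "management", "Business continuity plan", "Recover", 3),
    Control("1.11", "management", "System audits", "Detect", 2),
    Control("2.2", "operation", "Configuration management", "Protect", 2),
    Control("2.6", "operation", "Data backup", "Recover", 3),
    Control("2.7", "operation", "Protection against malicious code", "Protect", 3),
    Control("2.8", "operation", "Logging", "Detect", 2),
]

# Practices Section 1 names as security breaches in themselves; any one of
# them pins the trusted level at the bottom regardless of the score.
DISQUALIFIERS = {
    "ssn_as_student_id": "social security numbers used as student ID numbers",
    "faculty_admin_rights": "all faculty hold administrative rights",
    "no_password_policy": "no network password policy",
}
# Assumed thresholds (constructed) mapping the score to a trusted level.
LEVELS = [(0.9, "trusted"), (0.5, "minimum"), (0.0, "untrusted")]

def _points(controls, answers):
    """(earned, possible) weighted points; an unanswered control counts as ABSENT."""
    possible = sum(c.weight * Status.IMPLEMENTED.value for c in controls)
    earned = sum(c.weight * answers.get(c.cid, Status.ABSENT).value for c in controls)
    return earned, possible

def score(answers):
    """Fraction of weighted control points achieved, 0.0 .. 1.0."""
    earned, possible = _points(EOBC, answers)
    return earned / possible

def trusted_level(answers, flags):
    """Map the score to a level; a disqualifying practice overrides the score."""
    if any(flag in DISQUALIFIERS for flag in flags):
        return "untrusted"
    s = score(answers)
    return next(name for threshold, name in LEVELS if s >= threshold)

def gaps(answers):
    """Controls not fully implemented, heaviest first: where the matrix points."""
    missing = [c for c in EOBC if answers.get(c.cid, Status.ABSENT) is not Status.IMPLEMENTED]
    # numeric order so that 1.9 sorts before 1.10
    missing.sort(key=lambda c: (-c.weight, tuple(int(p) for p in c.cid.split("."))))
    return [f"EOBC {c.cid} {c.title}" for c in missing]

def function_coverage(answers):
    """Coverage per function (Section 3.2), exposing a campus that protects but cannot detect or recover."""
    cov = {}
    for fn in ("Deter", "Protect", "Detect", "Respond", "Recover"):
        earned, possible = _points([c for c in EOBC if c.function == fn], answers)
        cov[fn] = earned / possible
    return cov

def remeasure(answers, flags, fixed_controls, cleared_flags):
    """Feedback step: apply the chosen measures, then measure the trusted level again."""
    new_answers = dict(answers)
    new_answers.update({cid: Status.IMPLEMENTED for cid in fixed_controls})
    new_flags = set(flags) - set(cleared_flags)
    return trusted_level(new_answers, new_flags), score(new_answers)

# Constructed answers for a hypothetical 4,000-student campus of the kind Section 2
# describes: a one-page policy, backups and antivirus in place, little else.
SMALL_CAMPUS = {"1.1": Status.PARTIAL, "2.6": Status.IMPLEMENTED, "2.7": Status.IMPLEMENTED}
SMALL_CAMPUS_FLAGS = {"ssn_as_student_id", "faculty_admin_rights"}

if __name__ == "__main__":
    print("level:", trusted_level(SMALL_CAMPUS, SMALL_CAMPUS_FLAGS), "score:", round(score(SMALL_CAMPUS), 3))
    print("coverage:", function_coverage(SMALL_CAMPUS))
    print("top gaps:", gaps(SMALL_CAMPUS)[:3])
    # Implement the three heaviest gaps, retire both breach practices, measure again.
    print("after remediation:", remeasure(SMALL_CAMPUS, SMALL_CAMPUS_FLAGS, ["1.1", "1.9", "1.10"], SMALL_CAMPUS_FLAGS))
```

Note that the hypothetical campus stays “untrusted” even if its flags are ignored, because its checklist score is well below the assumed minimum threshold; only after the heaviest gaps are closed does it reach the “minimum” level.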
One of the most important objectives is evolution, and this will be achieved by:

• Measuring the control trusted level on the two types of campuses (large and small);
• Using a feedback function to enhance the weaknesses in the developed baseline;
• Measuring again the changes in the trusted level;
• Developing an automated system to support the checklist and to deliver benchmarks.

3. THE SUGGESTED BASELINE

3.1 Basic Baseline Control

The level of baseline security is achieved by implementing a minimum set of controls to protect information against the most common threats. An early step in the baseline approach may be a gap analysis (Information Security Guideline for NSW Government 1997). The risk in the baseline approach is that there may be an unidentified ‘non-standard’ threat or vulnerability that is missed by the gap analysis and/or the baseline controls. For information assets assessed as high risk, it may be necessary for the IT department to conduct a detailed risk analysis. Although this type of analysis normally requires considerable time, effort and expertise, the selection of controls should always include a balance of non-technical and technical safeguards. Non-technical controls are of a general nature and include those that provide physical, personnel, and administrative security. Technical controls relate specifically to the information system considered.

3.2 Baseline Control Classifications

Controls could be classified (Information Security Guideline for NSW Government 1997) as:

• Management and overall organization baseline control;
• Operation baseline control;
• Technical baseline control;
• Physical baseline control;
• Development and maintenance baseline control.
These classifications are used to assist in identifying non-technical and technical controls. There are 10 classes of control in ISO/IEC 17799:2000 (International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management 2002):

• Security policy;
• Security organization;
• Asset classification and control;
• Personnel security;
• Physical and organizational security;
• Communications and operations management;
• Access control;
• System development and maintenance;
• Business continuity management;
• Compliance.

Other classifications cover administrative, technical and physical controls (Harris, S 2005). Controls may perform one of the following functions:

• Deter: avoid or prevent the occurrence of an undesirable event;
• Protect: safeguard the information assets from adverse events;
• Detect: identify the occurrence of an undesirable event;
• Respond: react to or counter the adverse event;
• Recover: restore the integrity, availability and confidentiality of information assets to their expected state.

3.3 Broad Baseline

The following questions should be considered when applying baseline security:

• Which parts of the education organization, or of its systems, can be protected by the same baseline?
• Should the same baseline be applied throughout the whole education organization?
• What security level should the education organization baseline aim at?
• How will the controls forming the baseline(s) be determined?

The use of one baseline level will reduce the cost of implementing controls considerably, and everyone within. In doing so, a security professional in an education organization is usually advised to aim at the highest security level of the information and information systems to be protected by the baseline controls, since such an implementation is normally not very expensive and provides adequate security for all information assets.
A careful consideration of all information assets is necessary to make the final decision on which information assets should be protected by the same baseline.

4. MANAGEMENT AND OVERALL ORGANIZATION BASELINE CONTROL

This control deals with the management of information security, planning, the assignment of responsibilities, and all other relevant activities. It covers the following activities:

4.1 Information Security Policy

Such as an e-mail policy, e-mail retention policy, acceptable use policies, application policies, ethics policy, password protection policy, personal communication device policy, remote access policy, mobile computing and storage devices policy, router security policy, third party network connection agreement, student network access policy, student wireless policy, and other policies as the education organization requires.

EOBC 1.1: A POLICY DOCUMENT should be approved by management, published, and communicated, as appropriate, to all faculty, staff and students.
o The policy should be reviewed regularly, and whenever influencing changes occur, to ensure it remains appropriate.
o The implementation of the information security policy should be reviewed independently.

4.2 Information Security Infrastructure

Information security should be managed within an education organization structure that is appropriate to its size (space/population/ratio of faculty-staff-student). The education organization unit should identify resource requirements and assign the appropriate roles and responsibilities to allow the effective management of the information security policy from within the unit. This may involve the utilization of specialist resources.

EOBC 1.2: A MANAGEMENT COMMITTEE to ensure that there is clear direction and visible management support for security.
o Where appropriate to the size of the education organization, a cross-functional committee of management representatives from relevant parts of the organization should be used to coordinate the implementation of information security controls.
o Responsibilities for the protection of individual assets and for carrying out specific security processes should be clearly defined.
o Contact with external information security specialists should be developed to ensure that the education organization keeps to best practices and identifies security vulnerabilities.
o Appropriate contacts with law enforcement authorities and regulatory bodies should be maintained.
o Advice on information security provided by in-house or specialist advisers should be sought and communicated throughout the organization.

4.3 Information Security Awareness and Training

Training of all personnel (faculty, staff, students and administrators) is critical to the effective implementation of information security baseline control. Security awareness and training activities should be ongoing to further demonstrate management’s commitment to information security. Personnel should be made aware of the importance of the information processes and the associated threats, vulnerabilities and risks, and understand why baseline controls are needed.

EOBC 1.3: AWARENESS AND TRAINING: all employees of the educational organization (and third parties, if they exist) should receive appropriate training and regular updates in policies and procedures.

4.4 Third Party Access Control

The education organization should control access to information processing facilities by third party organizations, and access should be assigned based on an assessment of the risk of granting such access.
Third parties include:

• Hardware and software staff of service providers located off-site;
• Trading partners or joint ventures;
• On-site contractors for hardware and software maintenance and support;
• Cleaning, catering, security guards and other outsourced support services;
• Student placements;
• Casual short-term appointments;
• Consultants.

EOBC 1.4: THIRD PARTY ACCESS CONTROL: any arrangements involving third-party access to education information processing facilities should be based on a formal contract containing all necessary security requirements, such as:
o The risks associated with access to education information processing facilities by third parties should be assessed and appropriate security controls implemented.
o If confidentiality of information is an issue (student information, student medical information, faculty personal information, and other assets), third parties should be required to sign a non-disclosure agreement.

4.5 Mobile Computing Control

Policies and procedures should be established for the use of mobile computing facilities (laptops, notebooks, palmtops and mobile phones).

EOBC 1.5: MOBILE COMPUTING CONTROL: A formal policy and appropriate baseline controls should be in place, with proper adaptation, to protect against the risks of working with mobile computing facilities. Mobile computing security includes (but is not limited to):
o Security management policies (for example, for handheld devices).
o Physical security.
o Labeling (GPS tracking system if needed).
o Access controls (identification card, biometrics, etc.) and remote access.
o Virus protection.
o Encryption of data and passwords.
o Backup procedures.
o Sanitization, declassification and destruction of equipment.

4.6 Asset Classification and Assets Control

In order to assess information security risks, the education organization needs to identify all major assets that require protection and assign an asset owner, who has primary responsibility for the protection of the asset and should be able to establish the relative importance and value of the asset to the education management.

EOBC 1.6: ASSET CLASSIFICATION AND ASSETS CONTROL: Any means of asset classification and asset control should be used.
o An inventory of all important assets should be identified and maintained.
o Classifications and associated protective controls for information should be suitable to day-to-day needs for sharing or restricting information and the impacts associated with such needs.
o A set of procedures should be defined for information labeling and handling in accordance with the classification scheme adopted by the education organization.

4.7 Personnel Control Practices

Personnel covers not only permanent and part-time employees of the education organization but extends to contractors, consultants and other individuals working on the education organization premises or using the education organization’s information and information processing assets. Personnel control practices cover all of the following (depending on the education organization’s own definitions): job descriptions, duties, recruitment, monitoring of personnel, termination and job changes.

EOBC 1.7: PERSONNEL CONTROL PRACTICES to support full-time, part-time, contractor and consultant employees:
o Security roles and responsibilities as laid down in the education information security policy should be documented in job definitions where appropriate.
o Duties and areas of responsibility should be segregated in order to reduce opportunities for unauthorized modification or misuse of information or services.
o Verification checks on permanent staff should be carried out at the time of job application.
o Employees should sign a confidentiality agreement as part of their initial terms and conditions of employment.
o The terms and conditions of employment should state the employee’s responsibility for information security.

4.8 Compliance with Legal and Regulatory Requirements

The information security officer should consider all relevant statutory, regulatory and contractual requirements to ensure compliance. Advice on specific legal requirements should be obtained from the education organization’s legal counsel.

EOBC 1.8: COMPLIANCE WITH LEGAL AND REGULATORY REQUIREMENTS: All relevant statutory, regulatory and contractual requirements should be explicitly defined and documented for each information system and process.
o Appropriate procedures should be implemented to ensure compliance with legal restrictions on the use of material in respect of intellectual property rights, and on the use of proprietary software products.
o Important records of the education organization must be protected from loss, destruction and falsification.
o Controls should be applied to protect personal information in accordance with relevant legislation.
o Education organization management authorizes the use of information processing facilities, and controls should be applied to prevent the misuse of such facilities.
o Where action against a person or organization involves the law, either civil or criminal, the evidence presented must conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This should include compliance with any published standard or code of practice for the production of admissible evidence.
o Education organization management should ensure that all security procedures within their area of responsibility are carried out correctly, and all areas within the education organization should be subject to regular review to ensure compliance with security policies and standards.
o Information systems should be regularly checked for compliance with security implementation standards.
4.9 Security Incident Handling

Incident handling is an important aspect of managing information security risk. A security incident may occur from failures of hardware, infrastructure or software; inadequate operational procedures; malicious code; hacking; and/or human errors.

EOBC 1.9: SECURITY INCIDENT HANDLING: the education organization must have a clear definition of “security incident” and of where to report an incident.
o Security incidents should be reported through appropriate channels as soon after the incident is discovered as possible.
o Users of information services are required to report any observed or suspected security weaknesses in, or threats to, systems or services.
o Procedures must be established and followed for reporting software malfunctions.
o Incident responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents.

4.10 Educational Business Continuity Plan

Business continuity plans may be developed in case of any disaster.

EOBC 1.10: EDUCATIONAL BUSINESS CONTINUITY PLAN
o There should be a managed process in place for developing and maintaining education business continuity throughout the education organization.
o Plans should be developed to maintain or restore education business operations in a timely manner following interruption to, or failure of, critical processes.
o Business continuity plans should be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
o A single framework of education business continuity plans should be maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance.
o Backup copies of essential education organization information and software should be taken regularly.
4.11 System Audits

To monitor user behavior and system activity, audits are a key element in managing vulnerabilities.

EOBC 1.11: SYSTEM AUDITS
o Audits of operational systems should be planned and agreed so as to minimize the risk of disruption to business.
o Access to system audit tools should be protected to prevent possible misuse or compromise.

5. OPERATION BASELINE CONTROL

These are the controls relating to the secure, correct and reliable functioning of the education organization; operational controls can be implemented by education organization procedures.

5.1 Documentation

Documented operating procedures should be maintained for all normal operations and kept under configuration control. The security policy – where all the security procedures are documented – and the business continuity plan should be maintained and kept up to date.

EOBC 2.1: DOCUMENTATION: The operating procedures identified in the security policy should be documented and maintained.

5.2 Configuration Management

Software, hardware and documentation changes to the information processing facilities must be controlled. Configuration management is the process of controlling and tracking changes to all items, whether software, hardware or documentation, to ensure that they are authorized and can be reversed if required. Configuration management requires the establishment of baselines against which all changes are tracked.

EOBC 2.2: CONFIGURATION MANAGEMENT
o Changes to information processing facilities and all education organization systems should be controlled.
o New application systems should be reviewed and tested before and while changes occur.

5.3 Incident Management

Procedures should be developed, documented, and updated to record any security breach, the action taken to correct the breach, and any recommendation to prevent such a breach. Whenever a security breach occurs, the incident should be logged, assigned for follow-up, and analyzed.
EOBC2.3: INCIDENT MANAGEMENT: Incident management responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents.

5.4 Software Development

Software development, testing and operational environments should exist separately.

EOBC 2.4: SOFTWARE DEVELOPMENT
o All required actions should be documented for separation of duties, to reduce unauthorized modification or misuse of information or services.
o Development and testing facilities (if they exist) should be separated from operational facilities.
o Strict control should be maintained over access to program source code libraries.
o The implementation of changes should be strictly controlled by the use of formal change control procedures.

5.5 External Facilities

External facilities can introduce potential security exposures, such as unauthorized access to, damage to, or loss of data at the outsourced facility. The same applies to leased facilities and equipment.

EOBC 2.5: EXTERNAL FACILITIES: External facilities management services will minimize security breaches.
o Security checks should be performed before and after using external facilities or equipment (computers), with appropriate policies and procedures.
o Data sanitization should be applied to leased computers and memory systems (to ensure that personal data and grades are not left in memory).

5.6 Data Backup

Backup and restore procedures should be documented and tested on a regular basis. Backup procedures are exercised every time a backup is made, but only by performing a successful restore can the validity of the backup/restore procedure and the reliability of the media be verified.

EOBC 2.6: DATA BACKUP
o Backup policies should be in place for all components of an education organization (centralized or decentralized, depending on the organization).
o Backup copies of essential education organization information, processes and software should be taken regularly.
o Original software copies should be backed up and safely stored.
o Backups should be performed on all network components.

5.7 Protection against Malicious Code

Viruses, Trojan horses, worms and logic bombs are all examples of malicious code. Controls need to be in place to prevent, detect and correct the effects of malicious code.

EOBC 2.7: PROTECTION AGAINST MALICIOUS CODE: Detection and prevention controls to protect against malicious software, together with appropriate user awareness procedures, should be implemented. Controls over malicious code include (but are not limited to):
o All systems should be protected by the latest version of antivirus software, and the education organization must keep its antivirus software up to date.
o Unauthorized software should not be installed (widely) on education organization computers (clear system policies should be in place).
o Software should not be downloaded from the Internet (widely) onto education organization computers.
o Clear firewall policies should exist for all components (and sub-components, for all networks and subnets) of the education organization.
o The education organization should have administration and management policies for its labs (faculty, staff and students).

5.8 Logging

Operator logs and network logs should be maintained that record all the activities performed by the different computers and all network activity. A complete log should be in place in teaching labs. These logs should detail who was active and what applications were running, and what actions were initiated by the operator.

EOBC 2.8: LOGGING: All logging activities should be clearly specified by the education organization's procedures.
o The education organization should make very clear in its policies and awareness program that activity is logged (this could be done through a network login banner).
o Staff, faculty and student policy violations should be reported.
o Operational staff should maintain a log of their operational activities.
o Faults should be reported and corrective action taken.

5.9 Information and Data Exchange

Exchanges of data should be subject to a written agreement between education organizations. The security implications associated with electronic data interchange, electronic commerce and electronic mail need to be considered. When reviewing such agreements, security conditions should be considered, such as management responsibilities; notification to the sender of retransmission, dispatch and receipt; identification of couriers; responsibility and liability for data loss; and technical standards for packaging, transmitting, recording and reading information and software.

EOBC 2.9: DATA EXCHANGE: Exchanges of data between education organizations should be controlled and should comply with relevant legislation.
o Agreements, some of which will be formal, should be established for the electronic or manual exchange of information and software between organizations.
o Data and information being transported should be protected from unauthorized access, misuse or corruption.
o Electronic commerce (for registration and transactions) should be protected against fraudulent activity, contract dispute, and disclosure or modification of information.
o Policies should be established for electronic commerce use and registration.

5.10 Electronic Office System

Electronic office systems include computers, laptops, PDAs, mail, voicemail, fax, multimedia and postal services. These systems provide for speedier distribution of information, so policies need to be implemented to control what is distributed. Use of mobile phones could lead to confidential information being overheard in public places.
EOBC 2.10: ELECTRONIC OFFICE AND E-CLASSES: Policies and guidelines should be prepared and implemented to control the organizational and security risks associated with electronic office systems, e-classes and virtual classes.
o Procedures and controls should be in place to protect the exchange of information through voice, facsimile and video communications facilities.
o Policies should be prepared for electronic classes and virtual classes.
o There should be a formal authorization process before information is made publicly available, and the integrity of such information should be protected to prevent unauthorized modification.
o Policy and procedural controls should be in place for intellectual property (copyright issues) when dealing with virtual classes.
o A control procedure should be in place for electronic cheating.

5.11 Operational Media

Accountability for media should be clearly defined, particularly in respect of easily removed media such as floppy disks, backup tapes and paper. Policies and procedures should be developed and published that specify the storage standards and environment for media storage, the process for logging movement of media, the access control standards, and the guidelines for the proper disposal of media by the education environment.

EOBC 2.11: OPERATION MEDIA: Policies and procedures should be developed and published that specify the storage standards and environment for media storage, the process for logging movement of media, the access control standards, and the guidelines for the proper disposal of media by the education environment.
o The management of removable computer media such as tapes, disks, cassettes and printed reports should be controlled.
o Media should be disposed of securely and safely when no longer required.
o Procedures for the handling and storage of information should be established in order to protect such information from unauthorized disclosure or misuse.
o Systems documentation should be protected from unauthorized people.

6. OTHER CONTROLS

The other controls are technical controls, physical controls and maintenance controls.

The TECHNICAL CONTROL will cover the following:
• Identification and Authentication
• Logical Access
• Access rights
• Network Management (user access path, network planning, network configuration, monitoring, Internet connection policies, virtual private network, etc.)
• Operating System Access Control (workstations, login procedures, system utilities, time access and restrictions)
• Application Access Control
• Audit Trails and Logs

The PHYSICAL CONTROL will cover:
• Secure areas
• Equipment security
• Clear desk and screen policy
• Removal of property

The DEVELOPMENT AND MAINTENANCE CONTROL will cover:
• Software modifications
• Cryptography
• Application security
• Maintains security

7. SUMMARY AND CONCLUSION

This paper is part of a research effort to adopt and develop an "education organization baseline security control." The research covers mainly three parts: adaptation and development, testing, and evaluation. The controls adopted are: management and overall organization baseline control; operation baseline control; technical baseline control; physical baseline control; and development and maintenance baseline control. This paper is concerned with the first two in particular.

8. REFERENCES

Al-Hamdani, W. (2008). "Blackboard Cheating Prevention." Unpublished article.
ANSI, American National Standards Institute (2008). Retrieved 2008, from http://webstore.ansi.org/packages/it_security.aspx
Calder, A. and Watkins, S. (2005). IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799. Kogan Page.
Chrissis, M. B., Konrad, M., & Shrum, S. (2003). CMMI: Guidelines for Process Integration and Product Improvement. Addison-Wesley Professional.
Defence Signals Directorate (DSD) (2007). Retrieved 2007, from http://www.dsd.gov.au/library/infosec/
Federal Information Processing Standards Publications (2007). Retrieved 2008, from http://csrc.nist.gov/publications/PubsFIPS.html
Hacker News (2006). Posted by Freaky on 27 Jul 2006. Retrieved from http://www.hackwire.com/comments.php?id=192&catid=3
Harris, S. (2005). CISSP All-in-One Exam Guide, Third Edition. McGraw-Hill Osborne Media.
INCITS/ISO/IEC 17799-2005 (2005). Information technology - Security techniques - Code of practice for information. Retrieved 2007, from http://webstore.ansi.org/default.aspx
Information Technology Security Evaluation Criteria (ITSEC) (1991). Retrieved 2007, from http://www.ssi.gouv.fr/site_documents/ITSEC/ITSECuk.pdf
Information Security Guideline for NSW Government, Parts 1, 2 and 3 (1997). Retrieved 2005, from http://oict.nsw.gov.au/docs/
International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management (2002). Frequently Asked Questions. Retrieved 2007, from http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
ISO 15408. Common Criteria for Information Technology Security Evaluation, V3.1 (2006). Retrieved 2007, from http://www.iso15408.net/
Luker, M., & Petersen, R. (eds.) (2003). Computer and Network Security in Higher Education. Jossey-Bass. ISBN 0-7879-6666-5.
National Institute of Standards and Technology (2007). Retrieved 2008, from http://csrc.nist.gov/publications
OECD Guidelines for the Security of Information Systems (2005). Retrieved 2007, from http://www.oecd.org/document/
Rainbow Series (1988). Retrieved 2008, from http://www.fas.org/irp/nsa/rainbow.htm
Request for Comments (2004). Retrieved 2008, from http://www.rfc-editor.org/rfc.html
Risk Management Guide for DoD Acquisition (2003). Fifth Edition, Version 2.0. Retrieved 2008, from http://www.dau.mil/pubs/gdbks/risk_management.asp
Sicheres E-Government. Retrieved 2008, from http://www.bsi.bund.de/gshb/english/etc/menue.html
Standards Australia Online Catalogue. Retrieved 2008, from http://www.saiglobal.com/shop/Script/search.asp
System Security Engineering Capability Maturity Model (SSE-CMM). Retrieved 2008, from http://www.sse-cmm.org/index.html
The Internet Engineering Task Force (IETF). Retrieved 2006, from http://www.ietf.org/rfc/rfc2196.txt
The National Strategy to Secure Cyberspace (2003). Retrieved from The White House: http://www.whitehouzse.gov/pcipb/
University of Iowa, Network Citizenship Policy (2004). Retrieved 2008, from http://cio.uiowa.edu/policy/NetworkCitizenshipV2.shtml
University of California, Business and Finance Bulletin, Electronic Information Security (2007). Retrieved 2008, from http://www.ucop.edu/ucophome/policies/bfb/is3.pdf
University of Utah (2006). Retrieved 2008, from http://www.it.utah.edu/leadership/policies
University of Colorado at Boulder, IT Policies and Guidelines (2007). Retrieved 2008, from http://www.colorado.edu/its/policies/index.html
University of Purdue, Department of Botany and Plant Pathology, Baseline Security Policy (2006). Retrieved 2008, from http://www.btny.purdue.edu/Pubs/DeptBaselineSecurityPolicy.pdf

APPENDIX 1

Information Security Management
• ISO/IEC 17799:2005
• ISO/IEC 27001:2005
A widely accepted standard, the British Standard BS 7799, has been updated and published as the international standard ISO/IEC 27001. It was developed by the British Standards Institute and is sometimes referred to as BS ISO/IEC 27001:2005.
• RFC 2196
The Internet Engineering Task Force (IETF) has produced RFC 2196, Site Security Handbook, which provides practical guidance to administrators trying to secure their information and services.
• IT Baseline Protection Manual (Germany)
The Federal Agency for Security in Information Technology in Germany has produced the IT Baseline Protection Manual. This document presents a set of recommended standard security measures, or "safeguards" as they are referred to in the manual, for typical IT systems. The most recent version is dated October 2000.
• OECD Guidelines for the Security of Information Systems are available at
• ACSI33 (Australia/New Zealand)
The Defence Signals Directorate has produced the Australian Communications Security Instruction Number 33 (ACSI33), Security Guidelines for Australian Government IT Systems.

Evaluation
• ISO 15408 ("Common Criteria")
The International Organization for Standardization (ISO) has produced ISO standard IS 15408. This standard, The Common Criteria for Information Technology Security Evaluation v2.1 (ISO IS 15408), is effectively an evolutionary blending of ITSEC (see below), the Canadian criteria, and the U.S. Federal Criteria. Available from.
• Rainbow Series ("Orange Book") (Rainbow Series, 1988)
An important series of documents is the Rainbow Series, which outlines a number of security standards developed in the United States. Perhaps the most important of these books is the Trusted Computer System Evaluation Criteria (TCSEC, or Orange Book). While this standard has effectively been superseded by the other standards outlined above (it is dated 1985), it is nevertheless a useful document. A further document, the U.S. Federal Criteria, was drafted but not adopted in the early 1990s.
• Information Technology Security Evaluation Criteria ("ITSEC") (UK)
The United Kingdom produced the Information Technology Security Evaluation Criteria (ITSEC) in 1991, and this is another important historical evaluation scheme/standard. It builds on the Orange Book scheme to some extent, with greater granularity.
• Gateway Certification Guide and DSD EPL (Australia/New Zealand)
The Defence Signals Directorate has also produced the Gateway Certification Guide, which provides guidelines for independent assessment of an agency gateway. The Defence Signals Directorate administers the Australian government's Evaluated Products List.

Development
• Capability Maturity Model (CMM)
The Software Engineering Institute pioneered the development of the Capability Maturity Model, which is a method for process maturity assurance.
• System Security Engineering Capability Maturity Model (SSE-CMM)

Risk
• Acquisition Risk Management (US)
• AS/NZS 4360 ("Risk Management") (Australia/New Zealand)

Authentication
• ISO 11131 ("Banking and Related Financial Services; Sign-on Authentication")
ISO 11131:1992 Banking and Related Financial Services; Sign-on Authentication is

Making Molehills Out of Mountains: Bringing Security Research to the Classroom [1]

Richard G. Taylor
University of Houston
[email protected]

ABSTRACT

Security research published in academic journals rarely finds its way to the business community or into the classroom. Even though the research is of high quality, it is written in a manner that is difficult to read and to understand. This paper argues that one way to get this academic research into the business community is to incorporate it into security classrooms. To do so, however, academic articles need to be adapted into a classroom-friendly format. This paper suggests ways to do this and provides an example of an academic article that was adapted for use in a security management class.

Keywords: information security, pedagogy, academic research, teaching cases, research relevance

[1] This article was presented on September 28, 2007 at the InfoSecCD conference in Kennesaw, GA.

1. INTRODUCTION

"Does not the scientist have an obligation to publish? The standard answer is Yes. But does he not also have an obligation to be read? The standard answer…ought to be Yes, although…I sometimes think it is No. A man writes something…that is so dull that it is hard work to get through it: has he not missed his responsibility to the science? The egoistic savant thinks not; he thinks it is the reader's job to work hard so as to understand him."
Edwin G. Boring, Letter in Contemporary Psychology

Is there a place for academic research in the security curriculum? How many security educators read the academic journals in search of material to incorporate into their curriculum? My guess would be not many. Why is this? Does academic research have no applicability to security classroom teaching? This paper will look at these questions and provide suggestions for bringing academic security research into security classrooms.

Let's face it. Articles published in top-tiered academic venues are difficult, and (very) often un-enjoyable, to read. There, I said it! I realize that at any time now the academic gods may strike me down. The quality of this research is of a very high standard, written by knowledgeable researchers, but the research is often underutilized because it never makes its way to a classroom (or directly to practitioners). This is too bad. Security education needs a balance of theory and practice; however, incorporating the two is not an easy task. Steven Alter (2001) explains that he has used many ideas taken from academic journal articles in his MIS textbooks (Table 1).

Mintzberg: how managers use information
Simon: steps in decision making
Tversky, Kahneman, Slovic, et al.: common flaws in decision making
Markus: different views of user resistance
Hammer and Champy: reengineering examples
Standish Group: failure rates of information systems
Ives and Olsen: different levels of user involvement
Neumann: information systems risks
Mason: PAPA (privacy, accuracy, property, access) framework for ethical issues
Sviokla: how the implementation process affects success

Table 1. Academic research incorporated in Steven Alter's MIS textbooks (Alter, 2001).

One of the primary reasons academic research is not included in classroom education is the belief that the research has little relevance to practice. A goal of classroom education is to teach material that will be useful to the students when they enter the business community. While reviewing many academic security articles, it seems that there are indeed some that would have little relevance to the classroom or to practice. However, many contain research that would benefit both students and practitioners. This relevant research needs to find its way into security classrooms.

2. RESEARCH RELEVANCE

A comment was posted on AISWorld that started a debate on the relevance of MIS research to the business community:

There are probably no academic findings of any importance in IT and few, if any, from business schools in general. The evidence is simply that few, if any, business people bother to waste their time with academic journals. Certainly, managers at Microsoft, Sun, Intel, etc. spend no time with academic findings. The important work is done by corporations, the government, or individuals in the pursuit of profit.

The research published in top-tiered journals and conferences is very "academic" in nature, founded upon strong theory and meticulous methodologies.
While the academic community views these publications as the type of research that advances knowledge in the MIS discipline, the articles are often not "reader friendly", and would be very difficult, if not painful, for undergraduate (or graduate) students to read. Articles published in the top academic journals are difficult to read because of "(1) lifeless writing styles, (2) pretentious language, (3) unnecessary use of unfamiliar jargon, (4) numerous references to articles and books readers are unfamiliar with and can't easily obtain, and (5) extensive reliance on statistical analysis that is uninteresting and unconvincing to most practitioners and many academics [2]" (Bennis & O'Toole, 2005, p.6). Not only are the articles difficult to read, but many argue that they are no longer relevant to the business community (Nevill & Wood-Harper, 2001). The target audience for these articles is no longer the practitioners. Academic research is intended to be read by other academics. Keen (1991) argues that this in itself defines the relevance of the research. Academic research is now more concerned with rigor than with relevance.

"The actual cause of today's crisis in management education is far broader in scope and can be traced to a dramatic shift in the culture of business schools. During the past several decades, many leading [business] schools have quietly adopted an inappropriate—and ultimately self-defeating—model of academic excellence. Instead of measuring themselves in terms of the competence of their graduates, or how well their faculties understand important drivers of business performance, they measure themselves almost solely by the rigor of their scientific research" (Bennis & O'Toole, 2005, p.98).

Research now conducted in business schools is produced to add respectability to the scientific and academic underpinnings of the university. The MIS community has struggled with the "rigor versus relevance" issue for some time.
The first major MIS publication was MIS Quarterly (MISQ). MISQ originated through a shared vision between the University of Minnesota's Management Information Systems Research Center (MISRC) and the Society for Management Information Systems (SIM), which is a practitioner-based organization. All SIM members received MISQ. In 1992, Blake Ives was editor of MISQ, and in his March editorial comments he notes that MIS research is straying and losing its relevance to the business community. Even though research universities claimed to seek closer relations with the business community, their research efforts do not reflect this. Universities are more concerned with rigor than with relevance. Ives states that "[f]aculty many times appear either unable or, as is more likely the case, unwilling to frame their findings in such a way as to highlight managerial applicability" (Ives, 1992, p. iii). Ives still championed the idea of bridging the gap between research and practice in MIS research.

Bob Zmud followed Blake Ives as the editor of MISQ. In his editorial comments in March 1995 (Zmud, 1995), he announced that SIM would no longer receive copies of MISQ so that MISQ "could redirect its direction toward the academic community and away from the practitioner community" (p. v). This marked the end of practitioner-directed research in MISQ. The "scientific research" now desired by MISQ definitely requires skill; however, that skill is no longer focused on time in the field investigating the actual problems that managers face. Instead, more emphasis is placed on statistics and experimental design, as well as meticulous analysis of data.

Another factor contributing to the lack of practitioner relevance of academic research is the reward structure for faculty members. The road to tenure does not go through practitioner-based research.

[2] My apology if this article contains any of these characteristics.
Young faculty members understand this explicitly. The pressure to publish in top-tiered academic journals to meet tenure requirements has resulted in a lack of attention to research that might benefit practitioners and students alike. This research-based promotion has resulted in business schools "filled with individuals whose main professional aspiration is a career devoted to science" (Bennis & O'Toole, 2005, p.100). For example, an IS scholar who continually publishes rigorous scientific research in MISQ or other "A" journals is considered a star, while another who publishes relevant articles in practitioner-based publications risks being denied tenure.

3. SECURITY RESEARCH

The top-tiered MIS journals are (arguably): MISQ, Information Systems Research (ISR), and the Journal of Management Information Systems (JMIS) (Lowry et al., 2004). Recently the Journal of the Association of Information Systems (JAIS), an electronically published journal, has been included among the "A" journals by many top MIS research departments (e.g. University of Georgia, Georgia State, University of Texas, University of Houston). These journals have an acceptance rate of less than 10%. Since 2000, twenty security-related articles have been published in the top-tiered journals mentioned above [3]. Only six were published before 2000 (see Appendix A for a list of all security-related articles published in the top-tiered MIS journals). Since 2000, security-related academic articles have also appeared in other quality MIS journals: 11 in Journal of Information Systems; 8 in European Journal of Information Systems; 6 in Journal of Strategic Information Systems; and 5 in Information Systems Journal. The top MIS academic conference (ICIS) has included a Security and Assurance track for the last few years. These articles are often considered top-tier publications since the acceptance rate is very low (e.g. the 2006 Security and Assurance track at ICIS accepted less than 10% of the articles submitted). There have been 26 security-related publications in the ICIS proceedings since 2000.

[3] To determine the articles that I included as security-related, I searched the journals using the keywords "security" and "privacy". I then reviewed the abstracts of those articles to arrive at my determination. Other security-related articles may have been published in those journals but were not detected using my method.

ACM ToISS: ACM Transactions of Information & Systems Security
CS: Computers & Security
IS: Information & Security
IMCS: Information Management & Computer Security
ISS: Information Systems Security
IT: Infosecurity Today
IJSN: International Journal of Security & Networks
IJICS: International Journal of Information & Computer Security
IJIS: International Journal of Information Security
IJISP: International Journal of Information Security & Privacy
JCS: Journal of Computing Security
JDFSL: Journal of Digital Forensics, Security & Law
JIPS: Journal of Information Privacy & Security
JISSec: Journal of Information Systems Security

Table 2. Academic journals dedicated to security research.

There are also journals solely dedicated to publishing security-related articles (Table 2). These journals serve as a venue for various types of researchers. While some, such as the Journal of Information Systems Security (JISSec), publish academic research, others, such as Computers and Security, offer articles by academics and practitioners alike. Many of the articles published in Computers and Security are already in a classroom-friendly format and would make excellent readings for students [4]. JISSec is one of the newer security-oriented journals dedicated to publishing high-level academic research. As they appear in the journal these articles are not classroom-friendly; however, many may contain research that could be useful in a security classroom.
(See Appendix B for a listing of all articles published in JISSec since its inception in 2005.)

Security research published in academic journals and conferences is high-quality research, often with significant findings; however, the articles are often lost in the black hole of academia. Many may consider this type of research not relevant to the practitioner community or the classroom; however, the research may indeed be relevant, and the delivery method may just be inappropriate, resulting in the articles being overlooked by security educators [5]. The goal here is to get the valuable research findings out of the academic community and into the business community, where they can have practical application. One of the best ways to do this is to incorporate the research into the classroom so that future security professionals can apply the knowledge when they enter the work environment (Figure 1). Research findings taught in a classroom will eventually find their way to the practitioner community; however, only 10% of academics felt that access to practice via students is important (Nevill & Wood-Harper, 2001).

Figure 1. Improving relevance of academic security research (Security Research -> Classroom -> Business Community).

Analyzing security-related research in top-tiered journals (Appendix A) produced some interesting articles with findings that could be useful in the classroom.

[4] Other journals such as Communications of the Association of Information Systems (CAIS), Communications of the ACM, and MISQe (MISQ Executive) publish classroom-friendly articles.
Some of those articles include (but are not limited to): The Economic Incentives for Sharing Security Information (Gal-or & Ghose, 2005); The Value of Intrusion Detection Systems in Information Technology Security Architecture (Cavusoglu et al., 2005); Six Design Theories for IS Security Policies and Guidelines (Siponen & Iivari, 2006); Including Technical and Security Risks in the Development of Information Systems: A Programmatic Risk Management Model (Dillon, 2003); and Coping With Systems Risk: Security Planning Models for Management (Straub & Welke, 1998) [6]. In their current format, students would find these articles difficult and un-enjoyable to read. The challenge for security educators is to translate this academic research into a format that can be used and enjoyed by students.

4. ADAPTING SECURITY RESEARCH FOR THE CLASSROOM

Typically, articles published in academic journals are between 10,000 and 15,000 words (though some can be much longer) [7]. Although academic articles vary in their exact format, they typically contain an array of required information (Table 3). This information is considered necessary for an article to be included in an academic journal (much at the insistence of reviewers and editors). The information in the different sections shows the progression of the research process the author used to reach his/her conclusions. Though necessary in academic publications, much of the information would not be needed for use in a classroom environment. For example, the literature review, methodology, and statistical analysis would not be needed. What is needed are the problems/research questions and the findings.

[5] As an academic researcher I choose to keep the faith that our research is indeed relevant to the business community.
[6] I have used an adapted version of the Straub and Welke article in a security class.
[7] These numbers were obtained by reviewing articles published in MISQ and ISR.
Table 3. The anatomy of an academic research article

Section            Description
Introduction       Defines and describes the problem and/or research questions to be researched and the need for such research
Literature review  Provides an illustrative account of the theory/theories that will be used to investigate the stated problem/research questions
Methodology        Describes the research method that the researcher will use to evaluate the problem/research questions and the reasons why that method is appropriate
Analysis           Provides the findings obtained from the methodology that was utilized
Discussion         Discusses the findings
Conclusion         Provides a brief review of the intent of the paper and summarizes the findings and contributions; also points out limitations to the research and suggests areas for future research
References         Lists the references used to write the article

Alter (2001) recommended that a short version and a long version be created for each academic article. The shorter version would be developed to demonstrate relevance for the classroom and for practitioners, while the longer version would demonstrate academic rigor and include more in-depth discussions of theories, methodologies, and statistical analyses. However, authors have little incentive to create an alternative version of their article for classroom use. The tenure process sees to that. The shorter, classroom-friendly versions of research articles could take the form of research reports, technology briefings, or case studies. Research weighted with heavy statistical analyses may be more difficult to translate to a classroom environment, while case studies may be more easily adapted. A great deal of security research is written using the case study method. Articles that do not use the case study method should not be rejected as classroom material. These articles still have the required components: a problem/research question and the findings.
With these components, a creative educator can develop useful material to be used as teaching aids for security students. One such teaching aid is the security case study.

5. SECURITY CASE STUDIES

Case studies allow students to simulate real-world situations. For this reason, they are widely used in management courses. Case studies typically involve working in a team environment, allowing students to use problem-solving skills to attack problems from different perspectives (Sirias, 2002). Case studies allow educators to "use narrative and stories to allow students to enter the culture, help them progress from the role of listener to active participant, and engage in problem solving in the stories that mimic real life settings" (Hsu & Backhouse, 2002, p. 212). This can improve students' desire to learn and can often be more effective than classroom lectures. Creating security case studies from academic articles will allow for the replacement of abstract concepts with stories that help the students see a problem and give them the opportunity to come up with their own solution. By incorporating the research findings into the case study, students will be able to discuss how these findings can be applied to real-world security situations. Security educators should encourage students to make recommendations and provide solutions to the issues or problems presented in the case, based on the knowledge that the students acquire in the class (Sirias, 2002). Security case studies can allow students to gain knowledge about information security and its impact on the business environment. Writing teaching case studies is significantly different from writing academic research articles. Case studies should tell a story to engage the reader. Good storytelling ability improves the effectiveness of a teaching case.
There are eight elements that should be included in a security teaching case (adapted from Cappel & Schwager, 2002):

1. Addresses security subject matter for a specific security problem or course. A case study that may be appropriate for a security management class may not be useful in a cryptography class, or vice versa.
2. Has a clear purpose. The case should contain a clear theme or message, and address the type of knowledge or mental process that the students should utilize.
3. Provides realism. The students should feel like the problems are from a real business situation. This adds to their feeling of accomplishment when they address potential solutions.
4. Is of appropriate length. A case should be long enough for the students to clearly understand the situation and give them the opportunity to address the issues presented.
5. Is objective in presentation and tone. The case should be as neutral as possible, without containing any of the writer's opinions. This allows the students to develop their own solutions without the pressure to agree with the writer.
6. Has a hook. There should be a statement or short paragraph at the beginning that grabs the readers' attention. This hook could be included in an abstract.
7. Addresses a timely topic. The case should involve recent security topics.
8. Has been pre-tested. Have other colleagues look over the case before use.

Discussion questions can be included at the end of the case for students to use, or can be included in teaching notes. Discussion questions should guide the students in "applying theories or concepts to situations, distinguishing relevant from irrelevant facts, evaluating actions, looking at problems from multiple vantage points, and developing alternatives and solutions" (Cappel & Schwager, 2002, p. 288). Below is an example of how an academic research article was reformatted into a teaching case study to be used in a classroom environment.

6. A TEACHING CASE EXAMPLE

As an example, I will discuss how an article published in the 2006 ICIS proceedings, Management Perception of Unintentional Information Security Risks (Taylor, 2006), was converted to a teaching case study. Because it was published in a top-tiered academic venue, it was highly unlikely that it would ever be read by practitioners or incorporated into a security class. However, the case study did result in some interesting findings that could be beneficial to practitioners and students alike. Therefore, the article could be included in a security class if it were rewritten and formatted in a way that would be "classroom friendly". The case deals with security management issues, focusing on the human aspect of information security [8]. The study deals with an area of information security that has received little attention: unintentional security risks. These risks include any action by an employee that unintentionally puts the organization's information at risk. These actions could include sharing system passwords, leaving sensitive information unsecured on desks or in unlocked file cabinets, and/or throwing sensitive information in the trash. The case study was conducted in a financial institution and includes comments from key personnel, including the CEO, CIO, other executives and managers, IT employees, and support staff [9]. The case study also includes observations made by the author regarding the level of security of the organization. Three findings came out of the original study:

1. Management perceives the level of information security within their organization to be high.
2. Management perceives that employees adhere to established information security policies.
3. Management is unaware of employees' actions that may unintentionally expose organizational information to security risks.

The original paper was 16 pages in length with approximately 11,000 words. This would be too long to use in a classroom. By eliminating the literature review and methodology sections, the paper was almost cut in half, resulting in a more manageable case. Further reduction improved readability, ultimately arriving at a classroom-friendly case study of approximately 6 pages. Note that even though over half the paper was eliminated, the key components still remain: the problem and the findings. Reducing the case study to a manageable size and improving the readability added to the classroom friendliness. However, more was needed before the case study was ready to be introduced to a security class. A section was added that enticed the students to think about the case and to discuss the specific situation. Discussion questions added to the end of the reformatted article helped facilitate this. While this case describes a specific situation, its focus was not to provide a solution to the problems identified. This leaves an opening for students to discuss how management can change their perception and raise their awareness of these unintentional security risks. The changes that were made to this academic paper made it appropriate, and even beneficial, for use in a security management class. Discussion questions were added to the case study (Table 4). The questions were added at the end of the case study to allow the students a chance to review the case and develop their own answers. The students were then put in teams to discuss the questions. Finally, the case was discussed in class with each team sharing their thoughts and opinions.

[8] The case study narrative in this article was already written in a reader-friendly manner, so it was easily converted to a teaching case.
[9] In the case study, I made up names to use in place of the organizational position. This contributed to the realism of the study.

Table 4. Case study discussion questions

Discussion Questions
1. Discuss the difference between intentional and unintentional information security threats.
2. Explain the significance of unintentional threats in organizational security. Are these threats a real problem for organizations?
3. Why do employees take these actions that unintentionally put the organization's information at risk?
4. How can employees be motivated to stop?
5. Does management take these threats seriously?
6. How can managers alter their perceptions of these types of threats?
7. If management's perceptions are not altered, what will be the effect on the organization?
8. Are there technology-based security solutions that can help reduce these threats?
9. Who in the organization is responsible for addressing these types of threats? Is this an IT problem?
10. What should managers do to eliminate or reduce these threats?
11. Can these threats be eliminated?

This is only one example of using academic research that is often considered irrelevant to business practice. The same could be accomplished by adapting other academic publications. Some articles may not lend themselves to an easy adaptation; however, many will provide enough information to at least create a mini-case study of one or two pages. These mini-cases are much more focused on a single concept and can be discussed in a short time (Sirias, 2002). When you find an article that you would like to adapt for classroom use, attempt to work with the original author if possible. If not, be sure to give credit to the author for his/her research efforts. Once case studies (or other work created for the classroom) are created, they can be posted in a venue where other security educators can access and use them. Here are some guidelines to follow.

1. Stay current with academic security research.
2. Identify research that is relevant for classroom use.
3. Reformat the research to be appropriate for the classroom (i.e., case study, technology briefing, or just an abbreviated version) [10].
4. Introduce the classroom-friendly research to your students.

Be aware that by reading journals you may come across articles that are classroom-friendly as published (with some needing only minor adaptations). Some examples are: Anything You Say Can Be Used Against You in a Court of Law: Data Mining in Search Archives (Ives & Krotov, 2006); Understanding Disaster Recovery Planning through a Theater Metaphor: Rehearsing for a show that might not open (Kendall et al., 2005); Future Security Approaches in Biometrics (Boukhonine et al., 2005); What is a Chief Privacy Officer? An Analysis Based on Mintzberg's Taxonomy of Managerial Roles (Kayworth et al., 2005); Computer Crime at CEFORMA: a case study (Dhillon et al., 2004); Computer Crime: theorizing about the enemy within (Dhillon & Moores, 2001); Violations of safeguards by trusted personnel and industry related information security concerns (Dhillon, 2001); and Recovering IT in a Disaster: Lessons from Hurricane Katrina (Junglas & Ives, 2007). Many security educators may have abandoned journals for useful classroom material. Though there are always the Harvard Business Review and the Sloan Management Review, which provide excellent teaching cases, don't give up on other journals. Be on the lookout for hidden gems that require little or no modification. These can add a valuable dimension to the learning process of your students.

7. CONCLUSION

This paper is not insinuating that security research in academic publications is unnecessary or irrelevant, just that the research as it is presented for publication is typically not classroom-friendly. There seems to be no relief on the horizon. Scientific research will continue in MIS, including research on information security. Therefore, if this research is to be incorporated into the classroom, it will take a proactive approach from those who are dedicated to teaching information security.
The inclusion of this research into the classroom will help establish a balance between theory and practice for students. Not all academic research papers will be adaptable for classroom use; however, for those that can be, there are benefits to bringing this research to the classroom. The bottom line is this: good security research is being published by knowledgeable authors, yet the research is not finding its way to practitioners or to the classroom. With a little effort, this research can be brought to the classroom and ultimately make its way to the business community. It is the security educators' task to make classroom molehills out of academic research mountains.

[10] Universities that have access to PhD (or other graduate) students can use that resource to create classroom-friendly material from academic research.

REFERENCES

Alter, S. (2001). "Recognizing the Relevance of IS Research and Broadening the Appeal and Applicability of Future Publications." Communications of the Association for Information Systems, 6(3): 1-9.
Bennis, W. G. and O'Toole, J. (2005). "How Business Schools Lost Their Way." Harvard Business Review, March: 96-104.
Boukhonine, S., Krotov, V., and Rupert, B. (2005). "Future Security Approaches to Biometrics." Communications of the Association for Information Systems, 16(48).
Cappel, J. J. and Schwager, P. H. (2002). "Writing IS Teaching Cases: Guidelines for JISE Submissions." Journal of Information Systems Education, 13(4): 287-293.
Cavusoglu, H., Mishra, B., and Raghunathan, S. (2005). "The Value of Intrusion Detection Systems in Information Technology Security Architecture." Information Systems Research, 16(1): 28-46.
Dhillon, G. (2001). "Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns." Computers & Security, 20(2): 165-172.
Dhillon, G. and Moores, S. (2001). "Computer crimes: theorizing about the enemy within." Computers & Security, 20(8): 715-723.
Dhillon, G., Silva, L., and Backhouse, J. (2004). "Computer Crime at CEFORMA: a case study." International Journal of Information Management, 24(6).
Dillon, R. L. (2003). "Including Technical and Security Risks in the Development of Information Systems: A Pragmatic Risk Management Model." Proceedings of the 24th International Conference on Information Systems, Seattle, WA.
Gal-Or, E. and Ghose, A. (2005). "The Economic Incentives for Sharing Security Information." Information Systems Research, 16(2): 186-208.
Hsu, C. and Backhouse, J. (2002). "Information Systems Security Education: Redressing the Balance of Theory and Practice." Journal of Information Systems Education, 13(3): 211-218.
Ives, B. and Krotov, V. (2006). "Anything You Say Can Be Used Against You in a Court of Law: Data Mining in Search Archives." Communications of the Association for Information Systems, 19(29).
Junglas, I. and Ives, B. (2007). "Recovering IT in a Disaster: Lessons from Hurricane Katrina." MISQ Executive, 6(1).
Kayworth, T., Brocato, L., and Whitten, D. (2005). "What is a Chief Privacy Officer? An analysis based on Mintzberg's Taxonomy of Managerial Roles." Communications of the Association for Information Systems, 16(6).
Keen, P. (1991). "Relevance and Rigor in IS Research: Improving Quality, Confidence, Cohesion and Impact", in Information Systems Research: Contemporary Approaches and Emergent Traditions, eds. H. E. Nissen, H. K. Klein and R. Hirshheim. Amsterdam, Elsevier Science, IFIP.
Kendall, K. E., Kendall, J. E., and Lee, K. (2005). "Understanding Disaster Recovery Planning through a Theater Metaphor: Rehearsing for a show that might not open." Communications of the Association for Information Systems, 16(51).
Nevill, N. and Wood-Harper, T. (2001). "Choice of Target Audience for IS Research: Reflections on Discussions with IS Academic Leaders in the UK." Communications of the Association for Information Systems, 54(4): 1-37.
Siponen, M. and Iivari, J. (2006). "Six Design Theories for IS Security Policies and Guidelines." Journal of the Association for Information Systems, 7(7): 445-472.
Sirias, D. (2002). "Writing MIS Mini-Cases To Enhance Cooperative Learning: A Theory of Constraints Approach." Journal of Information Systems Education, 13(4): 351-356.
Straub, D. and Welke, R. (1998). "Coping With Systems Risk: Security Planning Models for Management Decision Making." MIS Quarterly, 22(4): 441-469.
Taylor, R. G. (2006). "Management Perception of Unintentional Information Security Risks." Twenty-seventh International Conference on Information Systems, Milwaukee, WI.

Appendix A: Security Research in Top-Tiered Academic Journals

Journal  Year  Article
MISQ     2007  The Value of Privacy Assurance: An Exploratory Field Experiment
MISQ     2007  Understanding and Mitigating Uncertainty in Online Exchange Relationships: A Principal-Agent Perspective
MISQ     2006  Circuits of Power in Creating De Jure Standards: Shaping an International Information Systems Security Standard
MISQ     2006  The Personalization Privacy Paradox: An Empirical Evaluation of Information Transparency and the Willingness to Be Profiled Online for Personalization
MISQ     1998  Coping With Systems Risk: Security Planning Models for Management
ISR      2007  Releasing Individually Identifiable Microdata with Privacy Protection Against Stochastic Threat: An Application to Health Information
ISR      2006  Privacy Protection in Data Mining: A Perturbation Approach for Categorical Data
ISR      2006  An Extended Privacy Calculus Model for E-Commerce Transactions
ISR      2005  Maximizing Accuracy of Shared Databases with Concealing Sensitive Patterns
ISR      2005  The Economic Incentives for Sharing Security Information
ISR      2005  The Value of Intrusion Detection Systems in Information Technology Security Architecture
ISR      1999  Morality and Computers: Attitudes and Differences in Moral Judgments
ISR      1990  Effective IS Security: An Empirical Study
JMIS     2007  Interoperability of E-Government Information Systems: Issues of Identification and Data Sharing
JMIS     2006  An Information Systems Security Risk Assessment Model Under the Dempster-Shafer Theory of Belief Functions
JMIS     2006  Moderating Effects of Task Type on Wireless Technology Acceptance
JMIS     2000  Managing the Costs of Informational Privacy: Pure Bundling as a Strategy in Individual Health Insurance Market
JMIS     1999  Password Security: An Empirical Study
JMIS     1997  Preventive and Deterrent Controls for Software Piracy
JMIS     1989  Security of Statistical Databases with an Output Perturbation Technique
JMIS     1987  Improvements in Database Concurrency Control with Locking
JAIS     2006  A Design Theory for Securing Information Systems Design Methods
JAIS     2006  Six Design Theories for IS Security Policies and Guidelines
JAIS     2006  Concern for Information Privacy and Online Consumer Purchasing
JAIS     2006  Private Transactions in Public Places: An Exploration of the Impact of the Computer Environment on Public Transactional Web Site Use
JAIS     2005  Theoretical Explanations for Firms' Information Privacy Behaviors
JAIS     2000  Illegal, Inappropriate, and Unethical Behavior in an Information Technology Context: A Study to Explain Influences

Appendix B: Journal of Information Systems Security (JISSec)

Vol.  Year  Article
1(1)  2005  Systemic Risk Redefining Digital Security
1(1)  2005  Information Warfare: A Comparative Framework for Business Information Security
1(2)  2005  The Ephemerizer: Making Data Disappear
1(2)  2005  Methodology to Assess the Impact of Investment in Security Tools and Products
1(2)  2005  SoapSy – Unifying Security Data from Various Heterogeneous Distributed Systems Into a Single Database Architecture
1(3)  2005  Case Study: The Case of a Computer Hack
1(3)  2005  RFID: A Systematic Analysis of Privacy Threats & A 7-Point Plan to Address Them
1(3)  2005  WIDS – A Wireless Intrusion Detection System for Detecting Man-in-the-Middle Attacks
2(1)  2005  Botnets: The Anatomy of a Case
2(1)  2006  Security Consistency in Information Ecosystems: Structuring the Risk Environment on the Internet
2(1)  2006  Security Issues and Capabilities of Mobile Brokerage Services and Infrastructures
2(2)  2006  A Conceptual Model for Integrative Information Systems Security
2(2)  2006  Rating Certificate Authorities: A Market Approach to the Lemons Problem
2(2)  2006  Towards a Global Framework for Corporate and Enterprise Digital Policy Management
2(2)  2006  Managing Information Security: Demystifying the Audit Process for Security Officers
2(3)  2006  To Opt-In, or To Opt-Out: That is the Question: A Case Study
2(3)  2006  Anchoring Information Security Governance Research: Sociological Groundings and Future Directions
2(3)  2006  Building User Authentication in an Inter-Organizational Information System
2(3)  2006  How Secure is Your Password: An Analysis of E-Commerce Passwords and their Crack Times
3(1)  2007  Ethics and Morality – A Business Opportunity for the Amoral?
3(1)  2007  An Evaluation of Size-Based Traffic Feature for Intrusion Detection
3(1)  2007  The Effect of Spam and Privacy Concerns on E-mail Users' Behavior
The Design and Implementation of an Automated Security Compliance Toolkit: A Pedagogical Exercise

Guillermo Francia III ([email protected]), Computer Security and Forensics Laboratory, Jacksonville State University, Jacksonville, AL, USA
Brian Estes ([email protected])
Rahjima Francia ([email protected])
Vu Nguyen ([email protected])
Alex Scroggins ([email protected])

ABSTRACT

The demand, through government regulations, for the preservation of the security, integrity, and privacy of corporate and customer information is increasing at an unprecedented pace. Government and private entities struggle to comply with these regulations through various means: both automated and manual controls. This paper presents an automated security compliance toolkit that is designed and developed using mostly open source tools to demonstrate that 1) meeting regulatory compliance does not need to be a very expensive proposition and 2) an undertaking of this magnitude can serve as a pedagogical exercise for students in the areas of collaboration, project management, software engineering, information assurance, and regulatory compliance.

Keywords: Information Security, Compliance Toolkit, Forensics, Log Management, Intrusion Detection, Vulnerability Assessment, Sarbanes-Oxley, HIPAA, FISMA, GLBA.

1. INTRODUCTION

The proliferation of federal regulations involving cybersecurity ushered in the hottest buzzword in information technology: compliance. These federal regulations include the Computer Fraud and Abuse Act (last amended in 2001), Computer Security Act (1987), Health Insurance Portability and Accountability Act (1995), Financial Services Modernization Act (also known as the Gramm-Leach-Bliley Act (GLBA), 1999), USA Patriot Act (2001; renewed in 2006), Sarbanes-Oxley Act (SOX, 2002), and the Federal Information Security Management Act (FISMA, 2002).
The implications of these enactments clearly define the urgent need to meet their requirements. Attached to some of these regulations are fines and prison terms if regulated entities are found to be in non-compliance. Perhaps more importantly, other risks of non-compliance include the public disclosure of key assets, loss of customers, delisting from stock exchanges, damage to brand or company reputation, negative impact to stock price, shareholder lawsuits, and a loss of confidence in key company stakeholders. Adding to the trouble of compliance is the fact that the requirements of many regulations frequently overlap, leaving businesses with the challenge of sorting out which solutions satisfy which requirements of which regulations. Schwartz (2006) reported that Qumas, a vendor of life sciences compliance products, discovered that the processes and policies required by the Food and Drug Administration (FDA) have a lot in common with those required by SOX and the Patriot Act. As new mandates and legislation are imposed upon businesses, it is becoming increasingly important for companies to find ways to manage the mapping and identification of requirements into easily deployable policies and strategies. However, companies find these to be very expensive undertakings. In 2005, corporate spending on the Sarbanes-Oxley Act compliance effort was estimated to be $6.1 billion (Cognos, 2006). A survey conducted by the Security Compliance Council reveals that an average of 34% of an organization's IT resources is spent on compliance (Perry, 2006). Truly, the expense of compliance is extremely high, and businesses that are unintentionally deploying redundant and unnecessary solutions are only adding to the high cost and frustration of compliance (Kolodgy, 2006).
This paper presents an automated security compliance toolkit that is designed and developed using mostly open source tools to demonstrate that meeting regulatory compliance does not need to be very expensive. We developed a compliance matrix that helped us identify the overlapping requirements of four main regulations, one for each sector of the industry, and designed the toolkit based on these common needs.

2. THE REGULATIONS

2.1 The Health Insurance Portability and Accountability Act (HIPAA)

Congress passed HIPAA in 1996. HIPAA is the first federal law to address health privacy in a comprehensive way (Cole, 2006; Swartz, 2003). It requires companies to adopt administrative, physical, and technical measures to protect the confidentiality, integrity, and availability of certain health information. In addition, the Security section of HIPAA and the set of HIPAA regulations known as the Privacy Rule have, for some time, required companies to implement general security measures to protect health information. The Security Rule, under HIPAA, requires companies that create, receive, transmit or maintain health information in an electronic format to meet a much more detailed set of security standards than the HIPAA Privacy Rule (Langin, 2004). HIPAA applies to "covered entities" as defined in the law. This term includes healthcare providers, plans, and clearinghouses. Health plans provide or pay for the cost of healthcare. Clearinghouses are entities that process and facilitate information relating to an individual's health, health care, or health care payment. Healthcare providers are doctors, dentists, hospitals, clinics, nurses, medical groups or other providers of medical services that maintain or transmit health information in an electronic form (Langin, 2004).
According to HIPAA rules, if an organization provides one of a number of specified services for a covered entity and the service involves disclosing protected health information, it is a business associate, and business associates are directly affected by the HIPAA Privacy Rule. These business associates may include vendors, consultants, lawyers, auditors, clearinghouses, billing firms, and records storage organizations (Swartz, 2003).

2.2 The Federal Information Security Management Act (FISMA)

According to Nelson (2006), in the aftermath of September 11, 2001, Congress passed the E-Government Act, which formally recognized the importance of information security to the United States' economic and national security interests. FISMA, Title III of the act, requires federal agencies to develop, document, and implement agency-wide information security programs to protect the confidentiality, integrity, and availability of information and systems that support the operations and assets of the agency. Compliance with FISMA is the law, and government agencies are fully accountable for their success in meeting this goal. FISMA is codified in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, which was signed into law in December 2003. FIPS 199 defines the requirements to be used by Federal agencies in categorizing information and information systems in order to provide appropriate levels of information security. Implemented in March 2006, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, takes the next step. FIPS 200 categorizes systems as required by FIPS 199 and then selects the appropriate set of security controls from technical guidance documents developed by the National Institute of Standards and Technology (NIST) (Nelson, 2006). FISMA's provisions fall into three major categories: assessment, enforcement, and compliance.
The first pertains to determining the adequacy of the security of federal assets, the second requires that key information security provisions be implemented and managed, and the third establishes provisions for the management of each agency's information security program and the accountability of each agency for compliance and reporting. In addition, FISMA requires the reporting of significant deficiencies. Agencies must identify and track material weaknesses and report any progress. Using a Plan of Action and Milestones (POA&M), each agency must commit to a schedule of remediation (Qualys Guard Enterprise, 2006).

2.3 The Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley (SOX) Act of 2002 was enacted by the US Congress mainly to address the crisis brought about by the WorldCom and Enron debacles in the financial markets. The law was ratified to enforce accountability for the financial record-keeping and reporting of publicly traded corporations. The CEO and the Chief Financial Officer (CFO) are directly responsible for the completeness and accuracy of their institution's financial reporting and record-keeping systems (PCAOB, 2006; Whitman and Mattord, 2004).

2.4 The Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, was signed into law in November 1999. The law applies to companies that offer financial products and services to individuals, including banks, insurance companies, mortgage companies, securities brokers, loan brokers, some financial or investment advisors, tax preparers, providers of real estate settlement services, and debt collectors (Dhillon, 2006; Qualys Guard Enterprise, 2006).

2.5 Common Compliance Challenges

Regardless of the regulation, there appears to be a common set of challenges companies experience when faced with compliance.
The challenges, which are detailed in Scalable Software (2006), are as follows:

• Understanding regulatory mandates.
• Identifying specific requirements.
• Creating a system of control across multiple standards.
• Documenting the compliance auditing approach.
• Collecting and preserving compliance audit evidence.

3. THE COMPLIANCE MATRIX

Our objective in building the toolkit is to be as far-reaching as possible. To accomplish this objective, we decided to identify a representative regulation in each enterprise sector and to determine the control objectives they share. Thus, we arrived at the following mapping and compliance criterion matrix:

• Public company sector → SOX
• Banking and finance sector → GLBA
• Health care sector → HIPAA
• Federal government sector → FISMA

We found more than the twelve common control objectives that are depicted in Table 1. However, due to time and personnel constraints, we decided to concentrate our development efforts on satisfying the top twelve common control objectives.

CONTROL OBJECTIVES
Document Preservation
Document Disposition/Destruction
Device/Media Control
Media Reuse
Encryption/Decryption
Authentication (2-level)
Transmission Security
Log Management/Monitoring
Vulnerability Assessment
Intrusion Detection
Report & Benchmark
Message Security

Table 1. The Compliance Criterion Control Objectives

3.1. The Twelve Common Compliance Control Objectives

Group I: Document Control

1) Document Preservation – A system must be in place to gather the document hash digest and create a backup of the document on a secondary storage device. The hash digest is necessary for future verification and non-repudiation.

2) Device and Media Control – This control requires an accounting and access control system to be in place for all devices and storage media. A secure system must be provided for all media transport.
3) Document Encryption and Decryption – An encryption/decryption system should be utilized for all electronic documents.

Group II: Privacy and Intellectual Property Control

4) Media Reuse – Because the media is going to be reused in-house, the requirement of this control is not as stringent as that of the disposition control. This control requires complete document deletion and reformatting of the media involved.

5) Document Disposal and Destruction – This control assumes that the media will be disposed of and moved out of the company premises. Thus, a system that will, at the very least, completely obliterate the media or the documents stored on them is required. A simple deletion and formatting system would not be sufficient to meet this control objective.

6) Access Authentication – The minimum requirement of this control objective is the use of two-factor authentication for document access.

Group III: Vulnerability Assessment and Proactive Control

7) Transmission Security – This control objective requires that all electronic document transmissions be made through secure channels such as SSL or VPN. Covert transmission mechanisms such as steganography are not acceptable.

8) Log Management and Monitoring – A system that continuously monitors, manages, and rotates log files for the purposes of proactive security checking and record keeping is required by this control. The rotated log files must be properly labeled and stored for possible future audits or forensic investigations.

9) Vulnerability Assessment – This control objective requires that a system and physical vulnerability assessment (VA) be conducted on a regular basis. Every time a weakness is identified by the VA process, immediate corrective measures must be identified, documented, and implemented by the security team.

10) Intrusion Detection – An intrusion detection system (IDS) is required to be in place in strategic system locations.
Constant monitoring of critical system resources such as the firewall must be in place to deflect not only external threats but also security breaches that may originate from within the perimeter. The IDS provides a mechanism for early detection of security violations and for an appropriate reaction or countermeasure corresponding to each violation.

11) Report and Benchmark – A benchmarking and reporting mechanism is required to a) demonstrate to auditors the degree of compliance that was achieved, b) assist the system administrators in securing new installations and production systems, and c) inform upper management personnel about the status of the company’s compliance projects.

12) Message Preservation and Security – The preservation of electronic documents that facilitate communications is a major emphasis found in almost all regulations. The message transmitting tools may include, among others, emails, weblogs, and instant messages (IMs). It is imperative that companies provide tools that collect and preserve them for possible future forensic investigation and analysis.

4. COMPLIANCE FRAMEWORKS AND TOOLS

4.1 IT Governance Frameworks

Despite the complex nature of federal standards and regulations, there are similarities in their basic frameworks. The process of deploying and regularly testing the efficacy of those controls becomes much more efficient if businesses can identify a universal set of controls that satisfies the major frameworks (Kolodgy, 2006). These best-practice IT frameworks are excellent guidance tools for compliance and policy development. Examples of these frameworks include COBIT (Control Objectives for Information and Related Technology), ITIL (IT Infrastructure Library), and ISO (International Standards Organization) 17799 (Feldman, 2006).
The COBIT framework comprises four domains for measuring IT products: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring (ISACA, 2006). ITIL is a cohesive set of best practices drawn from public and private entities worldwide. It consists of a series of books giving guidance on the provision of quality IT services and on the environmental facilities needed to support IT (ITIL, 2006). ISO 17799 provides organizations with an international standard for information security. The standard is divided into 10 working sections, which include, among others, Security Policy, Access Control and Compliance, Asset Classification and Management, Configuration and Vulnerability Management, Business Continuity Management, and Operational Change Control (ISO, 2006).

4.2 Commercial Tools

There is a plethora of commercial compliance tools available on the market. Although some of these tools are built around open source software that is available over the Internet, they tend to be very complex and expensive. To familiarize the reader with the features of the commercial tools, we briefly describe a few of them in what follows.

Symantec Control Compliance Suite (Symantec 2006). This suite of tools provides regulatory content for SOX, FISMA, HIPAA, GLBA, and Basel II. It has 600 out-of-the-box reports which automatically identify potential security threats. Additional features include validation of Windows configurations, security audits of networks, monitoring of Windows event logs, and locating users with weak passwords and expired accounts.

Tripwire Enterprise (Tripwire 2006). This tool monitors changes to critical applications such as databases, network configurations, directory services, and file systems.
It also provides a facility for audit trails, assessing system damage after an attack, detecting undesirable system changes, and tracking of monitoring devices.

NetIQ Risk and Compliance Center (NetIQ 2006). NetIQ provides several solutions for each of the following regulations: SOX, HIPAA, GLBA, and FISMA. In addition, companies that need to get better control of their security practices may opt for solutions that cover the following standards: ITIL, ISO 17799, COBIT, and NIST 800-53.

Qualys Guard Enterprise (QualysGuard 2006). The Qualys Guard has the largest knowledge base of vulnerability signatures in the industry. It includes tools for network mapping, vulnerability scanning, risk analysis, report generation, end-to-end encryption, and security architecture audits.

4.3. Open Source Tools

The following open source security-related tools are mostly available for download from the Internet and can be utilized to meet control objectives that pertain to, but are not limited to, vulnerability assessment, encryption, intrusion detection, non-repudiation, log management, authentication, and secure file management and obliteration.

TrueCrypt (TrueCrypt 2006). This is a software system that performs on-the-fly encryption of a storage device volume. The encryption process is done automatically, i.e. without user intervention, before loading or saving the data. The entire file system mounted on that encrypted volume is itself also completely encrypted. Thus, the file property, metadata, link, and free space information are securely encoded. The availability of a wide selection of encryption algorithms makes this tool an excellent choice for meeting the control objectives that require encryption. Figure 1 depicts the Graphical User Interface (GUI) of TrueCrypt.

Figure 1. TrueCrypt Graphical User Interface

MS Log Parser Toolkit (Giuseppini and Burnett, 2004).
The Log Parser tool first appeared as a utility for testing the logging mechanism of Microsoft’s Internet Information Services (IIS). It provided users the ability to retrieve and display all the fields from a single log file in any of the three text-logging formats supported by IIS. As the tests became more complex, more specifically the filtering of log entries, Microsoft saw an immediate need for a log management tool. Version 2.0 was the first version that was made available outside of Microsoft. MS Log Parser Version 2.2 shipped in January 2005 and is designed and engineered with the vision of helping users achieve their data-processing goals in a simple, fast, and powerful way (Giuseppini and Burnett, 2004). Technically, the tool is not open source but a free tool that Microsoft shares with the IT community. A snippet of a Log Parser command is shown in Figure 2.

Figure 2. An MS Log Parser Session

Metasploit Framework. This framework provides a complete workbench for writing, testing, and using exploit code. It is, in fact, a solid platform for penetration testing, shellcode development, and vulnerability assessment. The framework is available for multiple operating systems such as Linux, Windows, BSD, and Mac OS X. A screenshot of the Metasploit Framework at work is shown in Figure 3.

Figure 3. A Metasploit Framework Screenshot

OSSEC Host-based Intrusion Detection System (HIDS). This is an open source host-based intrusion detection system which provides basic security and intrusion detection services such as log analysis, integrity checking, rootkit detection, and time-based alerting. A basic configuration of this system calls for the installation of a server, to which reports are forwarded and where they are analyzed. The reports originate from multiple clients or agents, which are the stations that need monitoring (OSSEC, 2006).
Center for Internet Security (CIS) Next Generation (NG) Scoring Tool. This scoring tool enables users to verify the security configuration of systems and network devices for conformance with established benchmarks. In addition, it can be used to demonstrate to auditors the system’s compliance with internationally accepted standards for security configuration. The CIS Scoring Tools are host based and produce reports that guide users and system administrators in securing both new installations and production systems (Center for Internet Security, 2006). Figure 4 depicts a snapshot of the questionnaire that is presented to the user for input. Essentially, the questionnaire acts like an interviewer that extracts pertinent system information from the user.

Figure 4. The NG Tool Questionnaire

Figure 5 displays the section of the benchmark report which shows the status of each security item. An item labeled with the status “Failed” is non-compliant with the benchmark recommendation; a “Passed” status indicates meeting or exceeding the benchmark; a “Not Tested” status indicates that the item either has no defined benchmark value or is too subjective to have a recommended value. Figure 6 is a portion of the Benchmark Summary Report. It shows the actual score garnered and the maximum score possible for each item.

Figure 5. Status of Security Items

Active@KillDisk. This freeware demo tool (a professional version is available at minimal cost) is used to completely delete information bits from a disk. The standard system commands found in most operating systems, such as delete, format, and fdisk, are simply inadequate for completely erasing the files on a disk. Furthermore, Active@KillDisk conforms to four international standards for clearing and sanitizing data. These standards are: US DoD 5220.22-M, German VSITR, Russian GOST P50739-95, and the Gutmann method.
The only drawback is that the software needs to be loaded on a bootable floppy disk to be operable.

Figure 6. Summary of the Benchmark Report

System iNtrusion Analysis & Reporting Environment (SNARE). This is an open source tool that allows the collection and forwarding of Windows event logs to a remote audit event collection facility, the SNARE microserver (InterSectAlliance, 2006). An enterprise version of the microserver is available as a commercial product which is fully supported by the IntersectAlliance company. SNARE, which is an Intrusion Detection System (IDS) for Windows, allows system and security administrators full access to and remote control of the application through a web browser. The application uses intelligent agents to automate the collection and reporting of log data. The SNARE agent tool is also available for the Solaris, AIX, IRIX, Unix, and Fedora Linux operating systems. A SNARE Event Window graphical user interface is shown in Figure 7.

Figure 7. A SNARE Event Window

5. THE AUTOMATED COMPLIANCE TOOLKIT

The philosophy behind the design and implementation of the automated compliance toolkit is simplicity and affordability. The three-tier design of the system provides the flexibility to adopt new technologies and to expand in the future. Figure 8 depicts the system architecture of the toolkit. The following is a brief description of each subsystem.

Subsystem 1: The Device and Media Control Subsystem. The function of this subsystem is to provide the services necessary to properly secure and document the transfer of storage media. Additional services afforded by this subsystem are media reuse, document and media disposal and destruction, and document preservation and non-repudiation.
The open source tools used in creating this subsystem are TrueCrypt for media encryption and non-repudiation, Eraser for media reuse and destruction, and the MySQL database for media cataloging and tracking.

Subsystem 2: The Encryption Subsystem. This subsystem is used for the encryption and decryption of files. The open source tool TrueCrypt is adopted for the intended purpose of this subsystem.

Subsystem 3: The Authentication Subsystem. This subsystem is designed and implemented using two-factor authentication. The first factor requires a strong password, while the second factor is a 512-bit soft token that is randomly generated and stored on a portable USB memory stick. The authentication subsystem is used to validate the users of the compliance toolkit.

Subsystem 4: The Vulnerability Assessment Subsystem. The Metasploit Framework and the Log Parser tool are the complementary instruments used to build this subsystem.

Subsystem 5: The Intrusion Detection Subsystem. This subsystem utilizes the open source IDS tools SNARE and OSSEC. In both the SNARE and OSSEC configuration schemes, a server is deployed on a Windows host and a number of system data collection agent tools are installed on client hosts running Fedora Linux, Solaris, and Windows.

Subsystem 6: The Message Preservation Subsystem. The primary objective of this subsystem is to facilitate the preservation of electronic documents that are used in business and personal transactions. The open source tools used in creating this subsystem are TrueCrypt for message encryption, decryption, and non-repudiation, MySQL for record cataloging and tracking, and WinZip for file compression.

Subsystem 7: The Log Management Subsystem. The MS Log Parser is our primary tool in this subsystem. We built an automated data management process of log rotation, preservation, and retrieval using the .Net Framework and the Log Parser.
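As an added example (not code from the paper's toolkit), the following Python routine shows the preservation step shared by Subsystem 1 (document preservation, control objective 1) and Subsystem 7 (log rotation and preservation, control objective 8): a file is hashed, copied to secondary storage under a timestamped label, cataloged, and later verified against the recorded digest. SQLite stands in for the paper's MySQL catalog, and all function names, the sample document and the sample log line are assumptions.

```python
"""Added example, not the paper's toolkit code: hash a document or rotated
log, copy it to secondary storage under a labelled name, catalog the digest,
and verify the archived copy later. SQLite stands in for the MySQL catalog."""
import hashlib
import shutil
import sqlite3
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 digest of a file, streamed in 64 KiB blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def open_catalog(db_path):
    """Open (creating on first use) the catalog table of preserved items."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS preserved (id INTEGER PRIMARY KEY,"
                 " label TEXT, original TEXT, archived TEXT, sha256 TEXT, preserved_at TEXT)")
    return conn


def preserve(src, archive_dir, db_path, label):
    """Archive src under a timestamped, labelled name; return the catalog row id."""
    src, archive_dir = Path(src), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    digest = sha256_file(src)  # the source digest is what the catalog will trust
    dest = archive_dir / f"{stamp}_{label}_{src.name}"
    if dest.exists():  # never overwrite an earlier preserved copy
        raise FileExistsError(str(dest))
    shutil.copy2(src, dest)
    if sha256_file(dest) != digest:  # refuse to catalog a bad copy
        dest.unlink()
        raise IOError("archived copy does not match the source digest")
    conn = open_catalog(db_path)
    with conn:  # commits on success
        cur = conn.execute(
            "INSERT INTO preserved (label, original, archived, sha256, preserved_at)"
            " VALUES (?, ?, ?, ?, ?)", (label, str(src), str(dest), digest, stamp))
    conn.close()
    return cur.lastrowid


def verify(record_id, db_path):
    """Recompute the archived copy's digest; return (ok, reason) for the audit log."""
    conn = open_catalog(db_path)
    row = conn.execute("SELECT archived, sha256 FROM preserved WHERE id = ?",
                       (record_id,)).fetchone()
    conn.close()
    if row is None:
        return False, "no catalog entry"
    archived, expected = row
    if not Path(archived).is_file():
        return False, "archived copy missing"
    actual = sha256_file(archived)
    if actual != expected:
        return False, f"digest mismatch: catalog {expected[:12]} file {actual[:12]}"
    return True, "ok"


def rotate_log(log_path, archive_dir, db_path):
    """Preserve the live log, then truncate it only once the copy is cataloged."""
    record_id = preserve(log_path, archive_dir, db_path, "log")
    with open(log_path, "w"):
        pass
    return record_id


def demo():
    """Constructed end-to-end run in a temporary directory; returns the checks."""
    work = Path(tempfile.mkdtemp(prefix="preserve_"))
    db, archive = str(work / "catalog.db"), work / "secondary_storage"
    doc, log = work / "policy.txt", work / "app.log"
    doc.write_text("constructed sample document\n")
    log.write_text("2007-10-01 12:00:00 login ok user=alice\n")  # constructed line
    doc_id = preserve(doc, archive, db, "doc")
    log_id = rotate_log(log, archive, db)
    results = {"doc_ok": verify(doc_id, db)[0], "log_ok": verify(log_id, db)[0],
               "live_log_size": log.stat().st_size}
    for copy in archive.glob("*_doc_*"):  # simulate tampering with the archive
        copy.write_text("altered after preservation\n")
    results["tampered_ok"], results["tampered_reason"] = verify(doc_id, db)
    shutil.rmtree(work)
    return results
```

Calling demo() runs the constructed scenario and returns the outcome of each check, including the failed verification of the tampered archive copy.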
In addition, the logs are maintained for traceability and accountability in order to comply with the auditing requirements of multiple regulations.

Subsystem 8: The Report and Benchmark Subsystem. This subsystem is built primarily with the Center for Internet Security (CIS) Next Generation (NG) Scoring Tool. The purpose of this subsystem is to verify the security configuration of systems and network devices for conformance with established benchmarks. Reports generated by this tool will be used as instruments to document partial or full compliance with federal and state regulations.

Figure 8. The Compliance Toolkit’s System Architecture (diagram: a client interface in front of the eight subsystems, connected to workstation and network file systems, storage devices and media, and the communication and messaging system)

A mapping of the control objectives identified earlier to the toolkit subsystems is shown in Table 2. The mapping illustrates which subsystems satisfy each control objective.

Table 2. Mapping of Objectives with Subsystems (rows are the twelve control objectives of Table 1, columns are toolkit subsystems 1 to 8; the check marks did not survive extraction)

6. ACKNOWLEDGEMENTS

This project is partially funded by a grant received from the Faculty Research Council at Jacksonville State University. The opinions expressed herein are those of the authors and are not necessarily those of the University.

7. CONCLUSION AND FUTURE PLANS

We have presented a compliance toolkit that was designed and built using open source software. As the toolkit evolved, we discovered that more features were immediately realizable using minor tweaks of the system parameters. In doing so, we covered more control objectives than we had anticipated during the design phase. Such features include, among others, security policy auditing, log data warehousing and mining, visual data analytics, and configuration change control. Although the toolkit was designed and implemented to be a proof-of-concept variety of a viable commercial instrument, it has the capability to partially meet the compliance requirements of most regulations. We are confident that we have achieved the goal we stated at the onset, i.e. to demonstrate that meeting regulatory compliance does not need to be a very expensive proposition. Most importantly, we have demonstrated that providing students with a meaningful pedagogical exercise in the areas of collaboration, project management, software engineering, information assurance, and regulatory compliance is feasible and worthwhile. The future plans for this toolkit are 1) to continuously enhance its features to cover more control objectives, 2) to add an intelligent agent component that will automate most of the data collection processes and alert functions, and 3) to study the feasibility of configuring the entire toolkit as a standalone embedded appliance system.

8. REFERENCES

Center for Internet Security (2006), “Next Generation Scoring Tool,” http://www.cisecurity.org. Access date: October 01, 2006.
Cognos (2006), “IT’s Critical Role in SOX and Regulatory Compliance,” http://www.cognos.com/pdfs/whitepapers/wp_its_critical_role_in_sox_and_regulatory_compliance.pdf?mc=-web_ns_cpp_it_0830, August 30, 2006.
Cole, K. (2006), “HIPAA Compliance: Role Based Access Control Model,” http://www.giac.org/practical/Kenneth_Cole_GSEC.doc, August 30, 2006.
Dhillon, G. (2006), Principles of Information Systems Security, Wiley Publishing Inc., New York.
Feldman, Johnathan (2006), “Don’t Get Burned,” Network Computing, September 28, 2006.
Giuseppini, G. and Burnett, M. (2004), Microsoft Log Parser Toolkit, Syngress, Rockland.
IntersectAlliance (2006), “Guide to SNARE for Windows 2.5,” http://www.intersectalliance.com/resources/Documentation/Guide_to_SNARE_for_Windows-2.5.pdf, October 11, 2006.
ISACA (2006), “COBIT Framework,” http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981, October 06, 2006.
ITIL (2006), “IT Infrastructure Library (ITIL),” http://www.itil.co.uk, October 06, 2006.
ISO (2006), http://www.iso.org/iso/en/commcentre/pressreleases/archives/2005/Ref985.html, October 06, 2006.
Kolodgy, C. (2006), “Optimizing Your IT Controls Environment for Compliance with Multiple Regulations,” http://eval.veritas.com/mktginfo/enterprise/white_papers/entwhitepaper_idc_bindview_policy_manager_2005.en-us.pdf, August 30, 2006.
Langin, D. (2004), “HIPAA Security Provisions: Is Your Network Ready for a Physical,” TripWire, pp. 1-12.
Nelson, M. (2006), “Complying with the Federal Information Security Management Act,” TripWire, pp. 1-6, 2006.
NetIQ (2006), “NetIQ Compliance Solutions,” http://www.netiq.com/solutions/regulatory/default.asp, October 10, 2006.
OSSEC (2006), “OSSEC Host-based Intrusion Detection System,” http://www.ossec.net/en/home.html, October 10, 2006.
Public Company Accounting Oversight Board (PCAOB) (2006), “Sarbanes-Oxley Act of 2002,” http://www.pcaobus.org/rules/Sarbanes_Oxley_Act_of_2002.pdf, October 15, 2006.
Perry, C. (2006), “Compliance Control,” Processor, Vol. 28, Issue 30.
Qualys Guard Enterprise (2006), http://qualys.com/products/qgent, October 10, 2006.
Qualys, Inc. (2004), “FISMA Compliance: Making the Grade,” http://www.qualys.com, October 01, 2006.
Qualys, Inc. (2006), “Making Gramm-Leach-Bliley Security Compliance Fast & Easy,” http://www.qualys.com/glba, October 10, 2006.
Scalable Software (2006), “Reducing the Cost of IT Compliance: Streamlining the IT Compliance Life Cycle,” http://www.scalable.com/media/whitepapers/wp_Reducing_Compliance_Costs.pdf, October 13, 2006.
Schwartz, E. (2006), “The Compliance Headache,” InfoWorld, 12.
Swartz, N. (2003), “What Every Business Needs to Know About HIPAA,” The Information Management Journal, 26-34.
Symantec (2006), “Control Compliance Suite,” http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1482, October 08, 2006.
Tripwire Enterprise (2006), http://www.tripwire.com/products/enterprise/index.cfm, October 08, 2006.
TrueCrypt (2006), “TrueCrypt 4.2a,” http://www.truecrypt.org/, October 10, 2006.
Whitman, M. and Mattord, H. (2004), Management of Information Security, Course Technology.

Network and Database Security: Regulatory Compliance, Network, and Database Security - A Unified Process and Goal

Errol A. Blake
4192 Medlock River Court
Snellville, GA 30039
(678) 367-7170
[email protected]

ABSTRACT

Database security has evolved; data security professionals have developed numerous techniques and approaches to assure data confidentiality, integrity, and availability. This paper will show that Traditional Database Security, which has focused primarily on creating user accounts and managing user privileges to database objects, is not enough to protect data confidentiality, integrity, and availability. This paper, a compilation of different journals, articles, and classroom discussions, will focus on unifying the process of securing data or information whether it is in use, in storage, or being transmitted.
Promoting a change in Database Curriculum Development trends may also play a role in helping secure databases. This paper will take the approach that if one makes a conscientious effort to unify the Database Security process, which includes the Database Management System (DBMS) selection process, following regulatory compliances, analyzing and learning from the mistakes of others, implementing Networking Security Technologies, and securing the Database, one may prevent a database breach.

Keywords: Information Technology (IT), Information Security (InfoSec), Database Management System (DBMS), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), California Security Breach Information Act (CSBIA), Gramm-Leach-Bliley Act (GLB), The Fair and Accurate Credit Transactions Act (FACT Act), The Enterprise Information Security Policy (EISP), System-Specific Policy (SSP), Electronic Communications Protection Act (ECPA), SQL Injection, PCI Data Security Standard (PCI DSS).

Categories and Subject Descriptors: H.2 [Database Management]: Security, integrity, and protection. K.4 [Information Security]: Management of Information. K.4.4 [Computers and Society]: Ecommerce and Security. K.6.5 [Management of Information Systems]: Organization Security, Policy and Protection.

General Terms: Management, Performance, Security, Legal Aspects

1. INTRODUCTION

Information Security is a constantly evolving field; threats are increasing daily and regulatory voices are tightening their compliance standards. It can easily be stated that top-level executives are sent to the guillotine after a security breach, especially when it is sensitive information that has been compromised.
Most data custodians face Information Security risks on a daily basis; thus, it is up to Information Security professionals to research these risks, threats, exploits, and vulnerabilities and take the necessary measures to secure private information from unauthorized access and mismanagement. Upper level management is placing more accountability in the hands of its Information Technology department to protect sensitive information. Thus, it is assumed that IT has the privilege to protect the company’s Information Systems.

It may be safe to say that some people are confused by the term Information Security (InfoSec). Many believe that the term is associated with securing data communication networks. The term is often used interchangeably with information assurance and computer security. Information Security and Assurance and Computer Security share the common goals of protecting the confidentiality, integrity, and availability (CIA) of information; however, there are some subtle differences between them. The difference is stated in the following quote: “these differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration” (wikipedia.com, 2007). Whitman (2004) states that “businesses have become more fluid; the concept of computer security has been replaced by the concept of information security”. Sometimes an individual uses the term Information Technology Security interchangeably with Information Security. Many Information Security professionals may find this misconception offensive, especially when InfoSec is used inappropriately.

To avoid any confusion, one may have to define Information Security and Database Security. According to Whitman (2004), “Information Security (InfoSec) is the protection of information and its critical elements including the systems and hardware that use, store, and transmit that information”. Wikipedia gave an excellent definition and analysis of database security.
Wikipedia’s definition and analysis is the following:

Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authorized misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database Security is also a specialty within the broader discipline of computer security [now information security] (Wikipedia, 2007).

The sources have given a clear, concise definition of InfoSec and Database Security. One will have to conclude that these two definitions are somewhat similar. They are similar because they arrive at the same conclusion; they are unified in gaining the same outcome. The definitions’ conclusions are to protect information from unauthorized access and misuse while the information is in use, in storage, and being transmitted. One cannot rely on Traditional Database Security alone to protect data confidentiality, integrity, and availability. An effort must be made to unify the process of securing data or information whether it is in use, in storage, or being transmitted. Unifying the Database Security process, which includes the DBMS selection process, following regulatory compliances, analyzing and learning from the mistakes of others, implementing Networking Security Technologies, and securing the Database, may prevent a database breach.

2. LITERATURE REVIEW

2.1 Database Management System Selection. A Curriculum Development Trend

The three major DBMSs are Oracle, SQL Server, and DB2. DBMS selection is subjective. DBMS selection is simple; it depends on what your or your organization’s needs are. DBMS solutions have advantages and disadvantages; it may be wise to compare these advantages and disadvantages with those of other solutions. However, Price (2007) states that there are pre-DBMS activities one should consider.
In a recent classroom discussion or forum posting dated Monday, 19 February 2007, 10:07 AM, Price (2007) listed the following activities:

Does the proposed DBMS align with corporate strategic goals? Warren McFarlan’s Strategic Grid and Henderson and Venkatraman’s Strategic Alignment Model have been used extensively to support executive decision making processes.
Has a business case been established for the proposed DBMS system? If so, who is the champion\sponsor and business analyst?
How much will the DBMS selection process cost the firm?
Has a minimum or maximum range been established for (1) time to implement the DBMS and (2) procurement of a DBMS?
What methodology will be used to manage the selection and implementation of the DBMS? Has a Project Manager been selected?
Are the processes\activities to be supported by the new DBMS well-defined? Could these processes\activities be outsourced?
Will the DBMS be a stand-alone, departmental, divisional or an enterprise solution?
Does the firm maintain Lesson Learned documentation from previous software project implementation?
When\who performed the last strategic review of the firm’s IS infrastructure? Is the strategic review documentation available?
Can the current infrastructure support the new DBMS?
When was the last time that the firm’s HR department performed a capability analysis of the firm’s IS personnel?

Price (2007) further states that “the answer to these pre-DBMS selection activities will provide valuable insight as to whether or not to use the resources of a consulting firm. Failure to understand the importance of such questions should serve as a red flag that management is not equipped to manage the design\implementation\maintenance of a DBMS system”. This is a subjective approach, but it makes sense. One will have to agree that pre-DBMS selection activities are needed when deciding on a DBMS.
After one has conducted the analysis or answered the questions in the pre-DBMS selection activities, one should then identify the model used to store, manage, and query databases. Ogbuji (2001) states that "probably the most fundamental choice to make in the DBMS hierarchy is the model used to store, manage, and query databases. Besides affecting what software you need to acquire, this affects the very way you will think about the data, and can be a surprisingly hard choice to undo later on". One will have to agree that the selection process depends on the model one uses, whether it is the Hierarchical Model, Network Model, Relational Model, Object/Relational Model, Object-Oriented Model, Semi-structured Model, Associative Model, Entity-Attribute-Value (EAV) data model, or Context Model.

Database application, design and implementation courses have taught that there is a difference between the database model selected and the DBMS that supports that particular model. For example, Oracle supports object-relational databases and relational databases. However, most databases on the market are simply relational. Therefore, it is important to keep in mind that DBMS selection depends on the database model chosen, because not all DBMSs support all database models. For the sake of this paper and its argument, this paper will refer only to relational databases in DBMS selection. In today's business environment relational databases are the most popular. Relational databases are, of course, the current king of the hill in database technologies. This does not mean that more data is kept in relational databases than in any other model. A brief reason why relational databases are popular is stated in the following quote: "Relational databases are wonderful for discouraging redundant data and for the speed of complex queries; they also have a huge number of tools and APIs to support them.
They are best used in situations where a lot of records are being combined and cross-referenced to synthesize result" (Ogbuji, 2001). Ogbuji states further that an example of where a lot of records are combined and cross-referenced to synthesize a result "might be the production data of a manufacturing firm, where information about inventory, part specifications, personnel availability, costs, sales and supplies need to be thoroughly analyzed in order to make production decisions" (Ogbuji, 2001).

After a database model is identified and selected, one should select a DBMS that supports that model. Before a DBMS is selected, one must consider the features the DBMS has to offer. Information security professionals who love their craft may say that the security-related features of a DBMS are among the most important features one should first consider and research. Ogbuji (2001) strengthens the point that one should first consider the security-related features of a DBMS: "Probably the most important general features to consider in your DBMS hunt are security-related. Consider how thoroughly the DBMS requires authentication from users and keeps an audit trail of the accesses" (Ogbuji, 2001). Again this paper stresses that the selection process is subjective. Other features depend on what the user or company needs and can afford. Mbuthia (2007) stated in a recent classroom discussion or forum posting dated Friday, 16 February 2007, 08:24 AM, that "the features to consider include:

Future of the supplier, and are they used significantly by others.
Cost - how much would it cost to buy, and how much would support, maintenance and upgrades cost.
Query language - what query language is provided, and can more complicated mathematical functions be defined.
Scalability - are the number of rows or columns limited, and so forth.
Data types - what data types are provided.
Interfaces and APIs - do they provide, for example, JDBC or ODBC interfaces? Also consider the APIs provided and in what languages.
System resources - how much of the system's resources does it require, such as size of installation and disk space.
Security."

Depending on the needs of the organization, DBMS selection is an important factor and the starting point for the unification of regulatory compliance, network and database security. Again this paper stresses that these features are not listed in order of importance; they are subjective. This paper agrees with Mbuthia's (2007) list of features; however, for the purpose of this paper security should come first.

3. APPROACH AND UNIQUENESS

This paper's approach and uniqueness stem from the fact that there are cases where well-known company databases were breached due to some form of hacking. Unifying the process of regulatory compliance, network and database security may prevent the increase of database breaches.

3.1 Corporate data breach

It is often said that experience is the greatest teacher and that one should learn from the mistakes of others. Recent corporate data breaches should raise a red flag to IS professionals. Knowledge of these data breaches provides professionals with information about the techniques used to access the database, which then enables us to find proper techniques to prevent such a case from happening again. The journal article A Case Study on How to Manage the Theft of Information, written by Robert M. Polstra III, provides an excellent overview of corporate data breaches. Thus, the information required for the overview in this section is provided by his article. The cases are as follows:

Case I: Citigroup

In May of 2005, Citigroup lost computer tapes that were being sent to the credit bureau via UPS and that included Social Security numbers and payment history information for 3.9 million customers.
After this event, this New York-based company decided that it will start sending its data to the credit bureau electronically using encryption.

Case II: ChoicePoint

ChoicePoint has made more than 50 acquisitions since 1997, making it one of the largest collections of personal data in the United States. ChoicePoint sells data 'to clients doing background checks on job and loan applicants and conducting criminal investigations'. On February 16, 2005, ChoicePoint went public to tell 145,000 people that identity thieves may have gained access to their personal information, including their Social Security numbers and credit reports. 'Authorities believe it was the work of a group of people who used IDs stolen from legitimate business people to set up phony businesses that contracted with ChoicePoint for ID checks, Bernknopf (ChoicePoint's spokesperson) said'.

Case III: Egghead.com

Egghead Software was a company that opened in 1984 to sell computer hardware and software and grew to have more than 205 stores worldwide. Then in 1998 the company moved its business to the internet as Egghead.com. In December of 2000, Egghead.com stated that 'a hacker has breached its computer system and may have gained access to its customer database'. Jerry Kaplan, Egghead.com's co-chairman, stated that there was 'no evidence' to support that the database with the credit card numbers of its customers was stolen, but he also could not confirm that they were not stolen. 'Egghead's inability to determine how many of its customers' credit cards had been compromised may mean that the company does not have a real-time auditing system in place, said Paul Robertson, senior developer for security service firm TruSecure Corp. "If you don't know how many credit-card numbers you lost, you are giving a quick, blanket, worst-case answer--and then finding out what happened afterwards," he said.'

Case IV: New Jersey Crime Ring
Bank employees for Wachovia Corporation, Bank of America Corporation, Commerce Bancorp Inc., and PNC Bank stole information on 676,000 customer accounts, all of New Jersey residents. It is considered the largest banking security breach in history by the U.S. Department of the Treasury. 'The suspects pulled up the account data while working inside their banks, then printed out screen captures of the information or wrote it out by hand, Lomia (a New Jersey Police Detective) said. The data was then provided to a company called DRL Associates Inc., which had been set up as a front for the operation. DRL advertised itself as a deadbeat-locator service and as a collection agency, but was not properly licensed for those activities by the state, police said'.

Case V: LexisNexis

LexisNexis is a provider of legal and business data. In March of 2005, LexisNexis announced that the information on 32,000 people was stolen. These breaches occurred at one of its subsidiary companies, Seisint Inc. Seisint Inc. was the company that provided data to the Multistate Anti-Terrorism Information Exchange (MATRIX) system. 'LexisNexis, which acquired Seisint of Boca Raton, Florida, in September for $775 million, expressed regret over the incident and said that it is notifying the individuals whose information may have been accessed and will provide them with credit-monitoring services'. In this incident, hackers stole usernames and passwords of legitimate users to access the confidential information. In a statement, 'Kurt Sanford, president and CEO of LexisNexis Corporate and Federal Markets, said that the company will improve the user ID and password administration procedures that its customers use and will devote more resources to protecting users' privacy and reinforcing the importance of privacy'. This security breach is very similar to the incident that happened at ChoicePoint, which is one of LexisNexis's competitors. Polstra's (2005) cases show a trend.
The cases show that the information that was stolen was stored in some form of database.

Supplemental Case: TJX

On March 29, 2007, Messmer (2007) wrote an article in Network World magazine entitled "UPDATE--TJX data theft called largest ever: 45.7M credit card numbers; Security breach detailed in financial filing". Details of the article are as follows:

TJX yesterday (March 28, 2007) disclosed in financial reports that at least 45.6 million credit and debit card numbers were stolen in 2005 and another 130,000 last year by hackers who have yet to be caught. According to Gartner security expert Avivah Litan, the volume of stolen data gives TJX the dubious distinction of being the biggest known victim of hacker-based card fraud in history. 'This is the biggest card heist we've heard of so far,' said Litan, an expert in e-commerce-related security. Earlier this year TJX publicly stated it had contacted law enforcement in December 2006 when it 'learned of suspicious software' within its computer systems. According to the Securities and Exchange Commission filing, since last December TJX has been working with the Department of Justice, the Secret Service, and the U.S. Attorney in the Boston office in a criminal investigation to nab the intruders. TJX also is supplying information to the California attorney general's office, the Canadian Provincial Privacy Commissioners, and the U.K. Information Commissioner, as well as to the London metropolitan police. The TJX data-theft case was a targeted attack by hackers, who broke in through unprotected wireless LANs, and made their way through the TJX network to the controllers to set up operations inside the TJX network to capture card data. 'They basically used a program to just capture the data.' TJX said it expects to incur $5 million in costs in connection with the computer intrusion. So far, customers don't seem to be scared off by the news.
Net sales for the 2007 fiscal year at TJX were $17.4 billion, up 9% over fiscal 2006.

Demographic and credit card information are normally stored in a database, and in most cases there is some form of DBMS application managing the database. The New Jersey crime ring case was different. In this case the data leak was internal: employees, or rather nefarious thieves, were unscrupulous in handling the accounts of others. They engaged in flagitious activities for their personal gain. Polstra's (2005) cases are prime examples of why management and information security professionals must make a conscientious effort to secure their databases, whether the threat is internal, social engineering or an external forced entry, to ensure the confidentiality, integrity and availability of data. The cases stated above are a handful of the many data breach cases that have raised eyebrows. The TJX breach is the largest ever and it is a wake-up call for the IS/IT industry to rethink corporate security.

4. PROPOSAL

Along with DBMS selection, there are other factors that play a role in unifying the process of securing a DBMS. This paper proposes that taking these factors into consideration and complying with them may prevent the increase of database breaches.

4.1 Regulatory Issues and Compliance

Regulatory compliance plays a role in database security as well as in the selection process. Some regulatory organizations have minimum security requirements for databases. Some DBMSs have more security features than others. The DBMS selection process may be affected by the passing of the California Security Breach Information Act (CSBIA) (SB-1386). It is a California state law requiring organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised.
The Act stipulates that if there is a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained information. A business's reputation is at stake if its database is compromised. The Act, which went into effect July 1, 2003, was created to help stem the increasing incidence of identity theft. According to the Federal Trade Commission's 2003 Consumer Fraud and ID Theft Report (2004), "The FTC received more than half a million consumer complaints (516,740) during calendar year 2003, up from 404,000 in 2002. These include 301,835 complaints about fraud and 214,905 identity theft reports! 42% of all complaints received by the FTC related to ID theft, up from 40% in 2002".

Bishop (2005) made an analysis in his article Identity Theft: The Next Corporate Liability Wave. His analysis is the following: "Each identity theft victim will on average spend $1,495, excluding attorneys' fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2000 per victim. Multiplying that by 10,000 customer victims equals $20 million. Adding as little as $15 per hour for the victims' time and you get $11,000 per case or $110 million in total even before fines and punitive damages are considered. And that's on top of the potential impact on your company's future sales. The FTC estimates that over 24 million people in the United States have had their identity stolen. The $11,000 damage figure per case developed above represents over $26 billion of potential liability if fault can be ascribed to the data holder" (Bishop, 2005). Bishop (2005) states further that "customer and employee databases are prime targets for identity thieves because a single vulnerability in a company's information security can yield access to personal data on thousands of persons". One can see why the CSBIA and other laws were implemented.
Other regulatory compliance includes the "privacy legislation, such as the early Federal Act of 1974 and the more recent Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Children's Online Privacy Protection Act (COPPA), [which] require organizations to put in place adequate privacy preserving techniques for the management of data concerning individuals" (Bertino, 2005). Other federal laws impose a duty to safeguard consumer information in certain areas. For example, "under Title V of the Gramm-Leach-Bliley Act (GLB), financial institutions are required to take steps to protect their customers' data, and face the possibility of fines or jail time for failure to comply" (Bishop, 2005). The Fair and Accurate Credit Transactions Act (FACT Act) was signed by President Bush on Dec. 4, 2003; it affects almost all companies in the U.S. Bishop (2005) states that "Among its provisions, this law mandates that businesses must take reasonable measures to destroy information derived from consumer credit reports before discarding them, with effect from June 1, 2005. Shredding papers and wiping or destroying hard drives and backup media will be standard. From December 2006, merchants accepting credit cards must leave all but the last five digits off printed receipts".

Since most customer data are stored in databases, and customer and employee databases are prime targets for unscrupulous individuals, the government is putting regulations in place to help protect the consumer from illegal activities or information terrorism. However, professionals must also do their part to protect their networks and databases from acts of terrorism. One must ensure that the DBMS has adequate security features that may help the organization meet the minimum regulatory compliance requirements.
4.2 SECURING THE DATABASE

4.2.1 Policies

It is imperative that information security managers or personnel, Database Administrators (DBAs) and upper-level management implement strict guidelines and procedures for protecting the corporate network as well as their database applications. The reason is that "IT security is focused primarily on protecting the perimeter, but with internal data leaks and security breaches topping the news, security executives today are seeking measures to protect customer data and corporate intellectual property across the organization" (Dubie, 2006). Bishop (2005) states that "in addition to the growing threat of class action lawsuits, new laws are coming into effect to hold organizations responsible for securing personal data. Companies should evaluate this risk and consider taking action to reduce their potential liability".

Database security starts with policies. Policy is defined as "a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions and other matters" (Whitman, 2004). Policies are comprised of a set of rules that dictate acceptable and unacceptable behavior within an organization. One can take a closer look at a policy as an agreement, on what is acceptable behavior, made between the organization and the individuals who work in the organization. It is a code of conduct for the performance of individual users. Policies protect information, people, property and reputation. The Enterprise Information Security Policy (EISP) is an example of how a policy guides the overall security program, including technology. A policy is a management tool that is used to control the actions or behaviors of its members with regard to the misuse of the firm's information technology infrastructure.
The EISP, also known as a program policy, is a general security policy that sets the strategic direction, scope and tone for all of an organization's security efforts. The EISP guides the development, implementation, and management requirements of the information security program. The EISP must directly support the organization's vision and mission statements. In light of legal challenges it must also be defensible. Thus, the EISP must meet two criteria: the existing policy must be known by members throughout the organization, and violations of the existing policy must be handled in a standard and consistent way.

To further understand how policy manages access control in an organization, one could take a closer look at the System-Specific Policy (SSP). The SSP often functions as standards or procedures to be used when configuring or maintaining systems. "Normally a management guidance SSP is created by management to guide the implementation and configuration of technology as well as to address the behavior of people in the organization in ways that support the security of information" (Whitman, 2004). Policy forms a foundation of trust in the organization, and it is also an important source of support for organizational goals. It should prohibit activities that detract from achieving organizational goals. SSPs are technically specific, which means that they focus on the implementation of technical controls such as access control lists (ACLs) and configuration rules. ACLs include the user access lists, matrices and capability tables that govern the rights and privileges of users. More specifically, ACLs disclose who can use the system, what the system can provide, when the system will provide it, where the system will provide it and how authorized users can access the system. Lastly, configuration rules are specific configuration codes entered into security systems to guide the execution of the system when information is passing through it.
Management may also consider a formal access control policy (ACP). The ACP "determines how access rights are granted to entities and groups. The ACP must include provisions for periodically reviewing all access rights, granting access rights to employees, changing access rights when job roles change and revoking access rights as appropriate" (Whitman, 2004). Many security managers fail to revoke access rights, especially when an employee has been terminated or has left the company. These sorts of errors have cost companies millions of dollars. The ACP may be a part of the SSP. However, practice has shown that it is better to keep specific policies separate even though they may be combined. The overall philosophy of the organization is also a key to managing access controls. Dr. Michael Whitman made it clear that "without an access control policy, systems administrators may implement access controls in a way that is inconsistent with the organization's overall philosophy" (Whitman, 2004). Policies and organizational goals must go hand in hand. The organization and its IT security department must be heading in the same direction, in one accord.

Policies protect information, people, property and reputation, but only to a certain degree; even though they are in place they are often disregarded by employees who commit flagitious crimes for personal gain. The top-level executives are then sent to the guillotine after a security breach, because the breach was engineered from the inside. In business it is often easy to forget the word "trust". Often, contributing to the "bottom line" has overshadowed a fundamental of managing a business effectively. Many organizations do not implement a micromanaging policy. They "trust" their employees to do the work. Trust and policies go hand in hand.
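The ACP provisions quoted above (periodic review of all rights, changing rights when a job role changes, revoking rights when someone leaves) can be carried out as a routine review of the capability table against the HR roster. The following is an added illustration, not code from the paper or from Whitman (2004); the role matrix, account names and grants are constructed, and the review only reports findings so that a DBA decides on the actual revocations.

```python
"""Periodic access-rights review: compare the privileges actually granted
in a database against what each person's current job role permits and
against HR status. All data here is constructed for the example."""
from dataclasses import dataclass
from collections import Counter

# Capability table (hypothetical): privileges each job role may hold.
ROLE_MATRIX = {
    "dba":     {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT", "BACKUP"},
    "analyst": {"SELECT"},
    "app_svc": {"SELECT", "INSERT", "UPDATE"},
}


@dataclass
class Employee:
    user: str
    role: str      # current role according to HR
    active: bool   # False once HR records the person as having left


@dataclass
class Grant:
    user: str      # database login the privilege was granted to
    privilege: str


@dataclass
class Finding:
    user: str
    kind: str      # "orphaned", "excess" or "unknown_user"
    privilege: str
    action: str


def review_access(employees, grants):
    """Return one Finding per grant that violates the access control policy.

    orphaned     - the employee has left but the grant still exists
    excess       - the grant is not permitted for the employee's current role
                   (typical after a role change that was never followed up)
    unknown_user - a login with no HR record at all
    """
    roster = {e.user: e for e in employees}
    findings = []
    for g in grants:
        emp = roster.get(g.user)
        if emp is None:
            findings.append(Finding(g.user, "unknown_user", g.privilege,
                                    "revoke: no HR record for this login"))
        elif not emp.active:
            findings.append(Finding(g.user, "orphaned", g.privilege,
                                    "revoke: employee has left the company"))
        elif g.privilege not in ROLE_MATRIX.get(emp.role, set()):
            findings.append(Finding(g.user, "excess", g.privilege,
                                    f"revoke: not permitted for role '{emp.role}'"))
    return findings


def summarize(findings):
    """Count findings by kind, for the review report."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: one DBA, one analyst who used to run an application
# service account, one departed employee whose login was never removed, and
# a login nobody in HR knows about.
EMPLOYEES = [
    Employee("alice", "dba", True),
    Employee("bob", "analyst", True),     # moved from app_svc to analyst
    Employee("carol", "app_svc", False),  # terminated, account still present
]
GRANTS = [
    Grant("alice", "GRANT"), Grant("alice", "BACKUP"),
    Grant("bob", "SELECT"), Grant("bob", "INSERT"), Grant("bob", "UPDATE"),
    Grant("carol", "SELECT"), Grant("carol", "UPDATE"),
    Grant("dave", "SELECT"),
]


def run_review():
    """Run the review over the constructed sample and return the findings."""
    return review_access(EMPLOYEES, GRANTS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user:6} {f.kind:12} {f.privilege:7} {f.action}")
    print(summarize(run_review()))
```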
"Trust implies that one party is willing to depend on the other party for certain resources or action, even though negative consequences are possible" (Woon, 2006). Unfortunately, upper-level management may not trust employees, because other literature states that employees are normally the main cause of security breaches. Dubie (2006) quoted Sean Franklyn, an IT security manager at a large financial services firm, who said that "people are our weakest links. Most of our wounds are still self-inflicted. Configuration changes that aren't well thought out and leave us open and exposed in certain areas are still the hardest thing to lick". However, creating a security-minded culture is a great start in securing databases. Dubie (2006) states that "creating a security-minded culture is making it clear why certain security policies are in place. It's important to make sure security measures don't impede business processes".

4.2.2 Current and Emerging Network Security Technologies

This section will look at the current and emerging technologies that one may want to implement. Database security starts with implementing policies first and then focuses on securing the network where the system lies. Policies are the foundation for implementing security procedures. However, it is important to note that policies and security cultures cannot depend on people and processes alone. "There are technologies available today that help automate policy enforcement, data collection and protection" (Dubie, 2006). After SSPs are implemented on the database system, management may want to implement hardware that protects not only the DBMS but the entire network infrastructure. The network infrastructure ranges from physical security (securing the building where the databases are stored or operate) to the applications that run on or use that DBMS.
Technologies such as Network Access Control (NAC) and outbound content monitors are just a few from a long list of products that may help harden your network and database security. The concept of NAC is simple. Snyder (2006) describes NAC's simplicity as "authenticate every user connecting to the network, then enforce an access-control policy based on who they are and other information, such as endpoint security checks and wired vs. wireless access method". Again the term policy arises. One of NAC's benefits is that it gives you the opportunity to set a policy for every user. It is important to note that NAC is fancy, complex and expensive, but it is just a component in the bigger picture of information security and network defense. One cannot put a price tag on keeping information safe. If one purchased a $100,000.00 piece of equipment and it fails to do its job, then obviously it wasn't worth it. Careful analysis, research and testing need to be conducted to see if it is the right fit for the organization before heavily investing in it. Some vendors offer trial periods for their products.

Outbound-content monitoring is an excellent way to detect whether sensitive information is leaving the network. Adding outbound-content monitoring, or information leakage prevention, to the corporate security architecture may help prevent the monumental ramifications a company may face if confidential information is leaked to the public "due to a disgruntled employee here, a careless one there" (Schultz, 2007). Schultz (2007) further states that: Today's information leakage prevention monitoring systems can scan just about any type of data stream, including Web traffic, e-mail, FTP, electronic faxes and instant messages. Some monitors also detect stored sensitive data squirreled away in Word documents, spreadsheets, PowerPoint - just about anywhere.
In addition, they're much more linguistically sophisticated than earlier products. Schultz continued by saying: Rather than just being able to search for simple keywords - like the name 'Trent' - or a particular Social Security number, they can do conceptual analysis. For example, outbound content monitors can understand when a mergers-and-acquisitions memo needs to be flagged because it still contains sensitive information even though it has been paraphrased or rewritten. "Using language analytics, they're able to detect things that in the past would have slipped by". Outbound-content monitoring hardware or software protection is helpful when there are attempts to compromise databases or the entire network.

Other technologies such as intrusion detection systems (IDS) are helpful in protecting or monitoring the entire network. IDS help determine (by conducting a trace to the source) whether an intrusion into unauthorized systems or folders is internal or external. It is important to note that if the trace is leading to an external source, it is up to the network administrator to ensure that the IDS is properly configured so that the trace ends at the perimeter of the network. If your IDS traces through the corporate perimeter, the organization is guilty of hacking. Once your device traces the path of communication outside the corporate perimeter, the corporation has violated the Electronic Communications Protection Act (ECPA), and by definition your organization is a hacker. One must remember that the ECPA prohibits unlawful access and certain disclosures of communication contents, meaning that an IDS should not be tapping into a wire that it does not have access to. If the trace leads to the outside, one should contact law enforcement so that they can conduct the trace on behalf of the company. One must remember that IDS software, when configured incorrectly, will trace beyond the perimeter.
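To make the outbound-content monitoring idea concrete, here is an added example (not code from the paper or from any vendor product Schultz describes) that works at the level of the "earlier products": it scans constructed outbound messages for Social Security number patterns, Luhn-valid card numbers and a watch-list keyword, and reports matches masked so the monitor's own log does not become a second leak. The conceptual analysis of paraphrased memos that the article mentions is beyond what pattern matching can do and is not attempted here; the sample SSN and card values are test values, not real ones.

```python
"""Pattern-level outbound content monitor (added illustration).
Flags SSNs, Luhn-valid payment card numbers and watch-list keywords in
outbound text and returns a block/allow decision per message."""
import re

# SSN shape with the SSA-invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed watch-list term, echoing the article's "simple keyword" example.
KEYWORDS = ("trent",)


def luhn_ok(digits: str) -> bool:
    """Luhn check; filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits when writing a finding to the report."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(channel: str, sender: str, body: str):
    """Return a list of findings for one outbound message."""
    findings = []
    for m in SSN_RE.finditer(body):
        findings.append({"channel": channel, "sender": sender,
                         "type": "ssn", "masked": mask(m.group())})
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):   # a digit run that fails Luhn is not a card number
            findings.append({"channel": channel, "sender": sender,
                             "type": "card", "masked": mask(m.group())})
    lowered = body.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append({"channel": channel, "sender": sender,
                             "type": "keyword", "masked": kw})
    return findings


def decide(findings) -> str:
    """Policy: any finding blocks the message; otherwise allow it."""
    return "block" if findings else "allow"


# Constructed outbound traffic (email, instant message, FTP upload).
SAMPLE_MESSAGES = [
    ("email", "alice", "Customer 219-09-9999 called about invoice 4411"),
    ("im",    "bob",   "card on file 4111 1111 1111 1111 exp 12/09"),
    ("ftp",   "carol", "quarterly totals: 1234567890123456"),   # not Luhn-valid
    ("email", "dave",  "Notes from the Trent memo, paraphrased"),
]


def run_monitor(messages=SAMPLE_MESSAGES):
    """Return {sender: decision} for each message."""
    return {sender: decide(scan_message(ch, sender, body))
            for ch, sender, body in messages}


if __name__ == "__main__":
    for ch, sender, body in SAMPLE_MESSAGES:
        for f in scan_message(ch, sender, body):
            print(f"{f['channel']:5} {f['sender']:6} {f['type']:7} {f['masked']}")
    print(run_monitor())
```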
The IDS software today is very intelligent: the software asks one to define the address pool and all subordinate address pools that the company owns, so that it knows its boundaries. Therefore, if administrators want to trace outside the defined address pool, the software may ask whether one has legal permission to do so. It is therefore very important to implement technologies that will help detect, monitor, track and trace suspicious activities. Perimeter security is important because it protects the gateways to where the database systems lie. Perimeter security is just as important as system security.

4.2.3 Other Suggestions and Technologies: Web Database Security Technologies

One has to keep in mind that some organizations that keep customer records or data allow their customers access to that data via the web. The recent attacks on web-based databases prove that the "Web is being used to provide users with direct access to established databases" (Bi, Vrbsky, and Jukic, 1999). Securing these web databases is a paradigm in itself. However, this paper will speak briefly as to how one might implement technologies to secure web databases. Bi et al. (1999) state that "Web database systems are typically built using commercial off-the-shelf components, such as Web servers and database management systems. Off-the-shelf components do address security, but unfortunately, a combination of these mechanisms does not necessarily provide the security and performance needed by an organization". Web-based databases are a concern; they are vulnerable, because any device connected to the web is at risk of attack. These databases are deployed on web servers. Bi et al. (1999) state that: A Web server represents the biggest potential security weakness in an organization. A Web server program with errors or a Web server that is misconfigured can allow unauthorized users to access confidential information that is stored in the server.
Similarly, a faulty Web server can allow unauthorized users to execute commands on the server host machine and modify the server system, or even gain information about the host machine of an organization.

To prevent such a catastrophe, this paper suggests using proxy server technology. One must remember that a proxy server is a server that "acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion" (Netproject, 2007). The proxy database server intercepts all requests to the real database server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. The real server then sends the requested information back to the proxy server. With the proper configuration of firewall rules, routing tables and the proxy server, proxy server technology may help secure the DBMS or database. If the proxy server is compromised, the threat will not disrupt the network. One reason is that the proxy server is most likely located in a Demilitarized Zone (DMZ). A DMZ is a part of the network that is neither part of the internal network nor directly part of the Internet. It is a no-man's land between the Internet and the internal network. This zone is NOT in the internal network, but is NOT widely open on the Internet. A firewall or a router with network traffic filtering capabilities (possibly stateful packet filtering) usually protects the DMZ. Therefore, if the proxy server is compromised, it does not pose a threat to the network because of where the proxy server is located: in the DMZ.
4.2.4 DBMS Programs and Application Security

One must not overlook the simplest DBMS security methods, such as installing patches on the DBMS. Patches help prevent the exploitation of vulnerabilities, especially in a SQL Server environment; vulnerabilities that include worms, Denial of Service (DoS) attacks and buffer overflows. Guimaraes (2006) states that “these vulnerabilities can be exploited by a remote hacker without ever having to authenticate to the server. The only thing that needed to be done to avoid losses was to download patches for the respective SQL Server bugs” and for other enterprise DBMS applications. Administrators should take the initiative to change the default passwords that ship with the system before deploying the DBMS on the corporate network. Passwords are supposed to be strong. Usernames and passwords such as “system” and “system”, “sa” and “sa”, or administrator with a blank password field are not strong passwords. MSDN Library (2007) states that:

Passwords can be the weakest link in a server security deployment. You should always take great care when you select a password. A strong password has the following characteristics:
Is at least 8 characters long.
Combines letters, numbers, and symbol characters within the password.
Is not found in a dictionary.
Is not the name of a command.
Is not the name of a person.
Is not the name of a user.
Is not the name of a computer.
Is changed regularly.
Is significantly different from previous passwords.
Microsoft SQL Server passwords can contain up to 128 characters, including letters, symbols, and digits. Because logins, user names, roles, and passwords are frequently used in Transact-SQL statements, certain symbols must be enclosed by double quotation marks (") or square brackets ([ ]).

Sometimes we tend to overlook the simplest things; the simple mistakes can cost the company millions.
One can harden the DBMS with data encryption tools. Tools that do data encryption are an excellent place to start when trying to secure one's database application, and Solix Technologies is an excellent place to start looking. Solix Technologies is a leading provider of enterprise data management solutions. They have proven success in helping organizations worldwide meet compliance requirements and achieve Information Lifecycle Management (ILM) goals and strategies; Solix initially focused on securing and archiving Oracle databases. “Solix Technologies provides best-of-breed solutions and has partnered with leading platform and application vendors like Oracle, SAP, Google, HP, EMC and Sun Microsystems to effectively cater to our customers unique environments and evolving needs” (Solix, 2006). Silverthorn (2007) gave a brief analysis of Solix encryption software:

“Solix has broadened the scope of its archiving software and has rechristened it as the Solix Enterprise Data Management Suite. The suite addresses both compliance and information lifecycle management (ILM) with four components: Secure Test and Development, Data Auditor, Enterprise Archiving, and Application Sunsetting and Migration. The compliance-related component, Data Auditor, monitors and reports on archived data that has been accessed, updated, or deleted. It's a policy-driven security tool that provides event notification and reporting of database activity, and can be searched during an audit or e-discovery inquiry”.

Again the term policy arises. Policies are the foundation for securing anything. Sometimes professionals focus on the external threats that affect databases and forget about the internal threats. Polstra's (2006) New Jersey Crime Ring analysis sheds light on internal thieves.
Connor's (2006) article, Solix adds security features: Archiving software guards data via masking or encryption, quotes Brian Babineau, senior analyst for the Enterprise Strategy Group, saying “Most people worry about the external threat of accessing that information, but with database information it is different, because developers and internal parties have access to that information. With this software, you can mask sensitive rows and columns in the database, so your developer resources do not see them” (Connor, 2006). This software is not cheap. “Prices range from $100,000 to $400,000 for the components of Solix Enterprise Data Management Suite, which can be purchased separately. For the mid-market, the entry level can be as low as $60,000” (Silverthorn, 2007). This paper suggests that careful analysis, research and testing need to be conducted to see if it is the right fit for the organization before heavily investing in it.

Before deployment, or placing the DBMS into production, one can place the DBMS into a testing environment, populate the database, and run a series of tests. One test to consider is SQL injection. The administrator needs to secure the DBMS from SQL injection. E-government (2007) states that “SQL injection is the name for a general class of attacks that can allow nefarious users to retrieve data, alter server settings, or even take over your server if you're not careful. SQL injection is not a SQL Server problem (as many may think), but a problem with improperly written applications” on all DBMSs. Guimaraes (2006) gives a brief description of SQL injection:

An SQL injection is an attack on the database as a result of insecure code. You create a web page, for example, that will allow a user to input text into a textbox and that text will be used to build a query that will be executed against a database.
A malicious user enters malformed data into the textbox which changes the nature of the query and allows the user to gain access to information that he/she doesn't have privilege to access, or to delete or alter data in the back-end database.

Guimaraes explains further that the attacker can shut down databases by using SQL injection. His explanation is stated below:

For example, consider a web page that has two input text fields, one to enter a user name and another to enter a password. The user enters a user name and password that matches a user name and password in the database. A dynamically created SQL statement is used to search the database for matching records. The user is then authenticated and allowed access to the system. Users who enter an invalid user name and password should not be authenticated. However, a hacker can enter malformed text into the user name textbox to gain access to the system without having to know a valid user name and password. By filling the username field on the form with the string ‘; shutdown; --‘ and leaving the password blank, the following SQL statement is executed:

SELECT user FROM all_users where username =’’;shutdown; ---‘ and pass=’’

Note that after the shutdown with the semi-colon, there are two hyphens. In SQL two hyphens is a comment, so anything after that is not executed. For Microsoft's SQL Server database with the default system administrator account (sa) as the application login, the code above will shut down the database server. Another malicious user input could be ' Or 1=1 -- for the user name, and the SQL query becomes:

SELECT * FROM all_Users WHERE UserName='' Or 1=1 --' AND Password=''

The expression 1 = 1 is always true for every row in the table, and OR will always return true if one of the expressions is true. This query will return rows that were not intended to be returned.
Guimaraes (2006) states further that “there are five measures that you can take to prevent SQL injection attacks. The author suggests that you implement as many of these measures as possible to have multiple layers of security in your application. That way if one of the measures is circumvented because of some vulnerability, you are still protected”. The five measures are the following. First, you should never trust user input. You should never use input in a database query that has not been validated. According to the author, the best approach to validate user input is to ‘identify the allowable characters and allow only those characters’. Second, you should never use dynamic SQL. SQL injection attacks are dependent on dynamic SQL queries. The author suggests using stored procedures or SQL queries that accept parameters. Third, you should never connect to a database using an admin-level account. Fourth, don't store passwords in plain text. The author suggests that you encrypt or hash passwords, and encrypt connection strings and other sensitive data. Fifth and finally, error messages that the users see should display minimal information (Guimaraes, 2006).

If one is paranoid about their DBMS being breached, one can implement Multilevel Security (MLS). Guimaraes (2006) gave an explanation of MLS and how it works:

Traditional databases allow you to consider data in two categories: sensitive or nonsensitive. Multilevel Security (MLS) is a feature that allows information with different classifications to be available in an information system, where users have different security clearances and authorizations, and are prevented from accessing information for which they have not been cleared or authorized. It was developed for the U.S. military and intelligence communities. The purpose of this policy is to separate data based upon its security classification.
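The login query from Guimaraes's example above, built first by string concatenation and then with the first, second, fourth and fifth of the five measures applied, as an added example that is not part of the paper or of any product. It uses Python's sqlite3 with a constructed in-memory table; the table name all_users, the column names and the two sample accounts are assumptions made for the demonstration.

```python
"""Dynamic SQL versus parameterized SQL for the login query discussed above.

Added example (not from the paper). The all_users table, its columns and the
sample accounts are constructed for this demonstration.
"""
import hashlib
import hmac
import os
import re
import sqlite3

# Measure 1: allow-list the characters a user name may contain; quote marks,
# semicolons and "--" never pass, so the injection strings above are rejected.
ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(username):
    return bool(ALLOWED_USERNAME.fullmatch(username))


def hash_password(password, salt=None):
    """Measure 4: store a salted PBKDF2 hash, never the plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split(":")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    # constant-time comparison so timing does not leak how much matched
    return hmac.compare_digest(candidate, stored)


def make_db():
    """Constructed sample data: a plaintext column for the vulnerable login and
    a hashed column for the hardened one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE all_users (username TEXT, password TEXT, pw_hash TEXT)")
    for name, pw in (("alice", "s3cret"), ("bob", "hunter2")):
        conn.execute("INSERT INTO all_users VALUES (?, ?, ?)", (name, pw, hash_password(pw)))
    return conn


def login_dynamic_sql(conn, username, password):
    """Vulnerable: the query text is assembled from user input, as in the
    paper's example, so ' Or 1=1 -- turns the WHERE clause into a tautology."""
    query = ("SELECT username FROM all_users WHERE username='" + username
             + "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened: measure 1 (validate), measure 2 (parameter placeholder, so the
    input is data and never SQL), measure 4 (hash check). Returns the user name
    on success and None otherwise; measure 5 is the caller's job, which shows a
    generic failure message rather than any database error text."""
    if not valid_username(username):
        return None
    row = conn.execute("SELECT pw_hash FROM all_users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not verify_password(password, row[0]):
        return None
    return username


if __name__ == "__main__":
    db = make_db()
    print(login_dynamic_sql(db, "' Or 1=1 --", ""))    # every account comes back
    print(login_parameterized(db, "' Or 1=1 --", ""))  # None
    print(login_parameterized(db, "alice", "s3cret"))  # alice
```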
Classified data is stored on dedicated systems and access is prevented to users outside the immediate community of interest. The main drawbacks of this scheme are redundant databases, redundant workstations, high IT infrastructure cost and inefficiency. In MLS terminology, objects such as data tables, records and fields are referred to as passive entities. A subject is an active process that can request access to objects. Every object is assigned a classification and every subject a clearance. Classifications and clearances are collectively referred to as labels. A label consists of two components: hierarchical and unordered compartments, with the hierarchical component specifying the sensitivity of the data. Other key aspects are Mandatory Access Control (MAC) and polyinstantiation. Multilevel Security uses MAC access control to prevent the unauthorized disclosure of high-level data to low-level users. In MAC, security is enforced by the system as dictated in the security policy and not by the owner of the object. Polyinstantiation allows a relation to contain multiple rows with the same primary key where the multiple instances are distinguished by their security levels. Most DBMSs were not designed with multilevel security in mind and there is little support for MLS, which poses significant challenges to the database research communities. Another approach is to take advantage of new security features contained in new releases of the standard products. With the release of Oracle 9i, for example, Oracle implemented Oracle Label Security that allows us to simulate a multilevel database (at least to a certain degree). It is a built-in row level access control for high security applications, adding a new field for each row to store the row's sensitivity labels. Row access can be granted or denied by comparing the user's identity and security clearance label with the row's sensitivity labels (Guimaraes, 2006).
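The label comparison and polyinstantiation described above, as an added example that is not from the paper or from Oracle Label Security. A label is a hierarchical level plus an unordered set of compartments; a clearance dominates a classification when its level is at least as high and its compartments include the object's. The level names, compartment names and sample rows are constructed for the demonstration, and the write rule follows the Bell-LaPadula "no write down" property, which is an assumption beyond the page's text.

```python
"""Label dominance, MAC read/write checks and polyinstantiated rows.

Added example (not from the paper). Levels, compartments and ROWS are
constructed sample data.
"""
from dataclasses import dataclass

# Hierarchical component: totally ordered sensitivity levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # unordered component

    def dominates(self, other):
        """self >= other: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance, classification):
    """MAC read rule: the subject's clearance must dominate the object's label."""
    return clearance.dominates(classification)


def can_write(clearance, classification):
    """MAC write rule (Bell-LaPadula star property, assumed here): a subject may
    only write to objects whose label dominates its clearance, so high-level
    data can never be copied down to a low-level object."""
    return classification.dominates(clearance)


# Constructed polyinstantiated relation: (primary key, data, classification).
# Key 101 exists twice; the SECRET/NAVY instance is the true value, while the
# UNCLASSIFIED instance is the cover story low-level users are allowed to see.
ROWS = [
    (101, "ship A in port X", Label("UNCLASSIFIED")),
    (101, "ship A in port Y (actual)", Label("SECRET", frozenset({"NAVY"}))),
    (102, "cargo manifest", Label("CONFIDENTIAL")),
    (103, "agent roster", Label("TOP SECRET", frozenset({"HUMINT"}))),
]


def visible_rows(clearance, rows=ROWS):
    """Row-level filtering as a label-security column would do it: keep only
    rows the clearance dominates, and for a polyinstantiated key return the
    instance at the highest dominated level. Higher instances stay invisible,
    so their existence is not disclosed."""
    best = {}
    for key, data, label in rows:
        if not can_read(clearance, label):
            continue
        if key not in best or LEVELS[label.level] > LEVELS[best[key][1].level]:
            best[key] = (data, label)
    return {key: data for key, (data, _) in best.items()}


if __name__ == "__main__":
    for clearance in (Label("UNCLASSIFIED"),
                      Label("SECRET", frozenset({"NAVY"})),
                      Label("TOP SECRET")):
        print(clearance, "->", visible_rows(clearance))
```

Note that the uncompartmented TOP SECRET clearance sees neither the NAVY nor the HUMINT row: a higher level alone does not dominate a label that carries a compartment the subject lacks.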
There is another form of DBMS security that may be implemented to add another level of security to a DBMS. This type of security is often implemented by the Database Administrator (DBA). These are also the traditional DBMS security measures. They include granting and revoking privileges on data objects and implementing row- and column-level security. “Traditional Database Security has focused primarily on creating user accounts and managing user privileges to database objects” (Guimaraes, 2006). These commands are simple and easy to execute. Granting roles and privileges allows the DBA to keep a leash on who gets to view or manipulate data. Application security focuses on protecting data from unauthorized access while it is in use, in storage or in transmission. Other security issues include stored procedure security, more specifically invoker's and definer's rights. Invoker's and definer's rights pose security issues for the database. There are internal personnel who may need access to certain data, but there are some who engage in criminal activities. Invoker's and definer's rights create an internal database vulnerability. Oracle gives a brief description of definer's rights as follows:

A definer's rights stored routine is a procedure or function that runs with the privileges and access rights of its definer, and not those of the executing user. This allows database programmers to call procedures or functions that can read and update the database on behalf of unprivileged users, i.e. perform tasks that the current invoker of the procedure is unable to perform themselves (Technical Corner, 2007).

Invoker's and definer's rights pose a security issue. It is up to the DBA and security officials to implement proper stored procedure security. Another security technique includes locking.
Locks can be either:
Implicit locks, which are placed by the DBMS
Explicit locks, which are issued by the application program
Lock granularity refers to the size of a locked resource:
Row, page, table, and database level
Large granularity is easy to manage but frequently causes conflicts
An exclusive lock prohibits other users from reading the locked resource
A shared lock allows other users to read the locked resource, but they cannot update it

DBAs and application programmers should decide whether locking the database is appropriate or not. It is important to note that these methods of database security are only a few from an evolving list; securing DBMSs is based on the organization's policies and other issues such as regulatory compliance.

4.3 Management Tools and Technologies

This section of the paper is not in any way trying to tell anyone what they need to protect their database; that decision is left up to management. This section proposes a guide, or something to consider for future implementation. There are management tools that have been tested and approved as meeting regulatory compliance. Andress (2006) states that “NetIQ Vulnerability Manager is one of the most well-rounded products tested. While it did not stand out in any individual area, it performed solidly across the board in policy management, reporting, compliance checks, configuration and remediation”. Organizations are growing, and it is unlikely that they will have only one database or DBMS in their IT infrastructure. Thus, it would be more efficient to be able to manage all databases from a centralized area. This approach not only increases efficiency and productivity but also improves security, because everything is monitored from one location.
Dubie (2006) states that there are management tools that can perform the centralized database management approach; an analysis of these tools follows:

Computer Associates CA is making available a free distributed database management product that could help administrators manage multiple, heterogeneous databases across their networks. Unicenter Database Command Center (DCC) is a Web-based database management console customers can download to any workstation or laptop with access to a browser, and the software does not require any client software be installed on databases. DCC provides database administrators with a common look and feel when working across various systems. This tool allows you to manage and execute commands on various databases such as Oracle and DB2. While each database vendor provides management tools for its own offerings, CA says DCC lets customers perform administration tasks on DB2 UDB for z/OS, Oracle, DB2 UDB for Linux, Unix, Windows and Ingres databases.

Lastly, this paper will take a look at the VeriSign security service as a management tool. Many individuals at some point in time have entered credit card information over the web. Most of these websites are “secured”. Most of these websites use VeriSign as their “intelligent infrastructure services that enable people and businesses to find, connect, secure, and transact, by providing encrypted communications when viewing web pages, logging into your account and downloading reports” (Wikipedia, 2007). VeriSign is probably the most dominant certificate authority on the Internet at the present time. “VeriSign operates digital infrastructure that enables and protects billions of interactions every day across the world's voice and data networks” (VeriSign, 2007). It is only fitting to use their product in this paper, because of their product reliability and goodwill.
Messmer (2006) states that “VeriSign expanded its log-management service beyond firewalls, operating systems and intrusion-detection systems to collecting log data related to applications and databases”. Messmer further states that “VeriSign's service is based on its Security Defense Appliance, which is placed inside a corporate network to collect, analyze and store logs. Expanding the log-management service allows the service to collect raw data or just the security-related events pertaining to applications and databases of corporate customers” (Messmer, 2006). Messmer christened her article by quoting Kelly Kavanagh, Gartner analyst in information security and privacy, who states that ‘centralized logging and monitoring of application-level events is being driven by regulatory compliance, highly publicized data theft incidents and targeted application-level attacks’. Again, this paper shows that regulatory compliance plays an important role in network and database security.

5. RESULT AND CONTRIBUTION - UNIFYING THE PROCESS OF DATABASE SECURITY

There are misconceptions that database security is merely securing the database. Guimaraes (2006) states that “Traditional Database Security has focused primarily on securing the Database, with minor emphasis on securing the Operating System and the Database Management System (DBMS)”. Database security should be a unified process, which starts from the corporate network infrastructure, to pre-DBMS activities (education and research), to DBMS programs and application security. Wikipedia states that “Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms; a set of best practices that cross over the platforms; and linkages of the standards to higher level policies and governmental regulations” (Wikipedia, 2007).
Selecting the proper DBMS may be influenced by government regulations. One must ensure that the DBMS meets the regulator's minimum requirements, but it is up to us as professionals to implement technologies, procedures and best practices so that we operate at a higher standard than what is required. Policies are the foundation for securing information. Policies comprise a set of rules that dictate acceptable and unacceptable behavior within an organization. One can take a closer look at a policy as an agreement, on what is acceptable behavior, made between the organization and the individuals who work in the organization. It is a code of conduct for the performance of individual users. Policies protect information, people, property and reputation. Establishing an EISP and SSPs and ensuring that personnel follow those policies may prevent upper level management from going to the guillotine. After policies are in place, it is up to management to secure the perimeter of the corporate network. Management must ensure that their network is tightly secured and their systems comply with regulatory standards.

This paper is highly concerned by the Supplemental Case: TJX. The case shows a lack of urgency and leadership. This paper initially stressed that IS professionals should keep abreast of current happenings in the industry and learn from the mistakes of others so that one does not make similar mistakes. This paper proves that TJX and others are not implementing measures to safeguard their Information Systems. The Citigroup case shows why it is important to encrypt data. It also shows that TJX did not learn from Citigroup's mistakes.
Brodkin (2007) states that the fact that “hackers were able to access such a huge amount of data indicates TJX either failed to encrypt or truncate card numbers or did not secure encryption keys that can translate scrambled card information.” Brodkin states further that “TJX says that they encrypted some card data, but they believe hackers had access to the decryption tool”. Hopefully, the hackers had to perform an extensive search to obtain the decryption tool in order to perform their criminal acts. Hopefully, the decryption tool was not stored in the same databases that were hacked. This incident shows that if there had been some form of intrusion detection system (that works) on their network, network administrators would have been able to detect that intrusion. This paper believes that TJX did not comply with the PCI Data Security Standard (PCI DSS). “The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.” (PCIsecuritystandards.org, 2007). Brodkin (2007) strengthens this paper by stating in his article that “to comply with the PCI DSS, companies must be audited annually and be scanned for external vulnerabilities by third party auditors at least once a quarter.” This paper firmly believes that TJX failed to comply with the PCI DSS. TJX may now face fines, sanctions, a retrogression in goodwill and possibly lawsuits of gargantuan proportion. The Boston Globe (2007) reported that the cost of the TJX breach had soared to $256 million, which includes lawsuits and computer fixes. If TJX IS professionals had been keeping abreast of current happenings in the industry and learning from the mistakes of others, they would not have found themselves in this situation.
Obviously, TJX did not implement measures to safeguard their Information Systems; they did not comply with PCI DSS. Further analysis of the PCI DSS states that:

The PCI DSS January 2005 version has been enhanced in the PCI DSS Version 1.1. The PCI DSS January 2005 version may no longer be used for PCI DSS compliance validation after December 31, 2006. The PCI DSS version 1.1, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.

One must notice that the standards that govern securing information, such as the PCI DSS and other standards, are a combination of Information Security, Network Security and Database Security best practices. Failure to comply with industry standards and best practices will place companies in a position similar to that of TJX and the others named in Polstra's (2005) journal article. As professionals it is imperative to comply with standards; this further shows that database security is a unifying process. NAC and outbound-content monitoring are an excellent way to detect whether unauthorized and authorized users are trying to access sensitive information, or to detect whether sensitive information is leaving the database or the network. Adding NAC and outbound-content monitoring, or information-leakage prevention, to the corporate security architecture may help prevent the monetary ramifications a company may face if confidential information is leaked to the public. As a professional, one cannot overlook securing the DBMS programs and applications. Data encrypting software is an excellent place to start when trying to secure one's database application. When transmitting data via any medium the data should be encrypted, especially when the data is sensitive material. If Citibank had encrypted its data in the first place, their whole incident would have “never happened”, and possibly Polstra (2006) would have applauded them for taking proper security measures when transmitting sensitive data.
There are vendors (Solix) that offer software that encrypts data while it is in use, in storage and in transmission. Applying patches to systems so that worms and hackers cannot exploit vulnerabilities is vital. Patches help prevent the exploitation of vulnerabilities, especially in a SQL Server environment. Vulnerabilities that include worms, Denial of Service (DoS) attacks and buffer overflows can be prevented by applying the vendor's patch. This paper explained and gave a detailed example of SQL injection. Guimaraes (2006) gave five measures that one can take to prevent SQL injection attacks. Guimaraes stated further that one should implement as many of these measures as possible to have multiple layers of security in the application; that way, if one of the measures is circumvented because of some vulnerability, one is still protected. It is good practice to follow best practices. Thus, it is good practice to change default passwords to strong passwords. This paper stated Microsoft's characteristics of a strong password. This paper reiterates that it is good practice to follow best practices. Locking techniques and issues regarding definer's and invoker's rights are dependent on the DBA. Lastly, this paper states that the centralized management approach to database security is most appropriate because it provides the DBA with a unified solution to manage multiple distributed databases. Therefore, database management is equally important. Its importance is illustrated in the following quote, where Dubie (2006) states that “with an ever-increasing number of databases being supported by enterprises, the need for unified administration is growing”.
Dubie (2006) further quotes Noel Yuhanna, senior analyst at Forrester Research, who wrote in the "Trends 2006: Database Management Systems" report that “enterprises want a unified solution to simplify administration, reduce cost and improve operational efficiency" and security. NetIQ Vulnerability Manager, the VeriSign security service, and Unicenter Database Command Center (DCC) by Computer Associates may be used as management and security tools when securing the database. These products and vendors offer comprehensive management solutions that can help you reduce the total cost of database ownership, manage day-to-day operations and increase overall service management responsiveness.

6. CONCLUSION

One may assume that cyber terrorists, as well as terrorists to one's identity, will not stop plaguing networks and DBMSs. Thus, it is important when selecting a DBMS that it has security and other features that would help protect, and improve the performance, production and efficiency of, the database. This paper believes that database security starts with promoting a change in Database Curriculum Development trends. Classroom discussion plays a role in helping secure databases. Classroom discussions open up real world strategies that have been proven effective in securing databases. Students who are a part of a masters program are required to have some form of industry experience. The student's industry experience is an asset within a masters program because it helps others learn and understand different technologies, strategies, and approaches when involved in classroom discussions. Some of these strategies start with DBMS selection and weighing the advantages and disadvantages of the DBMS. It is important to keep in mind that DBMS selection depends on the database model chosen, because not all DBMSs support all database models.
This paper firmly believes that promoting a change in database curriculum development trends to facilitate discussions on proven strategies used in the real world can be helpful in securing databases. Instead of relying on the traditional Database Design and Implementation curriculum format, facilitate discussions and conduct meaningful research as a part of the class. Employers are always open to hearing other strategies that were developed by other companies, especially when those strategies were a part of a meaningful discussion—a classroom setting; rather than a discussion that may be considered nefarious. It is equally important to adhere to standards set forth by regulatory compliance, the voices of these agencies and law officials. It is important to implement and meet the minimum standards of security that these regulations require, but it is equally important to implement and operate standards at a higher level. Thus, it is imperative that upper level management, network administrators, DBAs, and other personnel adhere to corporate policies. “Building a more security aware culture is finding the right mix of processes and technology that suit the business, and then educating the IT staff and user community on how to maintain secure practices” (Dubie, 2006). Dubie (2006) further states that “A first step in creating a security-minded culture is making it clear why certain policies are in place. It is important to make sure security measures don't impede business process, but are aligned with the organization IS policies and strategies along with the alignment of the organization strategies”. Experience is the best teacher. One should keep abreast of the latest trends and happenings in database and network security. As security professionals it is our duty. We must also learn from the mistakes of others and take preventative measures so that those mistakes do not happen again.
This paper has shown cases where hackers are using social engineering techniques (2.2 Case II: ChoicePoint) to hack or gain sensitive information. Database security is a unified process. Securing the network and securing the database go hand in hand. Hackers must penetrate the perimeter before getting to the database; thus, it is important for network administrators and DBAs to implement technologies, whether hardware or software, that can detect, monitor, and prevent abnormal behaviors on the network perimeter and within the DBMS. The careful management of databases is important because it provides DBAs a unified solution to simplify administration, reduce cost and improve operational efficiency and security. Hackers have no regard for privacy and identity; their nefarious acts are crimes against freedom. They have the mindset of the terrorists that plague homeland security and life itself. Hackers are on top of their game, and so should we be. Therefore, this paper has discovered that Regulatory Compliance, Network and Database Security is a unifying process that may help mitigate the increasing threats and database breaches, and one that we as professionals should work to achieve.

ACKNOWLEDGEMENTS

First of all I would like to thank God for the strength, wisdom and patience in writing this paper. Without Him neither this paper nor any of my accomplishments would have been possible. I would like to thank my past Database Professors, the late Dr. William Burg and Dr. Mario Guimaraes, for pouring their knowledge of Database Management Systems, Database Design and Implementation, and Database Security on me. Special thanks to Dr. Mario Guimaraes for advising me to submit this paper to the 2007 InfoSec CD Conference. Special thanks to Dr. Michael Whitman and Herb Mattord for pouring their knowledge of Information Security into their books, classroom, and lab sessions. Thanks to the InfoSec CD for accepting this paper for the 2007 conference.
Thanks to the KSU Writing Center for correcting grammatical errors. Special thanks to ACM SIGCHI for allowing me to modify templates they had developed.

REFERENCES AND CITATIONS

Andress, M. (2006). NetIQ suite tops test of security compliance wares. Network World. Retrieved March 30, 2007 from http://findarticles.com/p/articles/mi_qa3649/is_200606/ai_n17171660
Bertino, E., & Sandhu, R. (2005). Database security: Concepts, approaches, and challenges. IEEE Transactions on Dependable and Secure Computing, 2(1), 2-19. Retrieved March 28, 2007 from ProQuest Smart Search, http://proxy.kennesaw.edu:2057/pqdweb
Bi, C., Vrbsky, S.V., & Jukic, N. (1999). A security paradigm for Web databases. Proceedings of the 37th Annual ACM Southeast Regional Conference (CD-ROM), Article No. 46. ACM Digital Library.
Bishop, J.F.T., & Warren, J. (2005). Identity theft: The next corporate liability wave? The Corporate Counselor, March 30, 2005. Retrieved March 29, 2007 from Corporate Counsel Magazine, http://www.law.com/jsp/cc/pubarticleCC.jsp?id=1112090711870
Brodkin, J. (2007). TJX breach: Rethinking corp. security. Network World, April 2, 2007, 24(13). Retrieved April 5, 2007 from www.networkworld.com
Connor, D. (2006). Solix adds security features: Archiving software guards data via masking or encryption. Network World, August 14, 2006. Retrieved March 29, 2007 from http://www.networkworld.com/news/2006/081406-solix-archiving.html
Dubie, D. (2006). CA offers free database mgmt. tool. Network World, April 24, 2006, 23(16). Retrieved March 28, 2007 from http://www.networkworld.com/news/2006/042406-ca databasemanagement.html
Dubie, D. (2006). Managing risk: New reality for IT security executives. Network World, September 11, 2006, 23(16). Retrieved March 28, 2007 from ww.networkwold.com
E-government in New Zealand. (2007). Appendix E, Glossary of Terms: SQL injection. Retrieved April 4, 2007 from http://www.e.govt.nz/services/authentication/library/docs/authenticationbpf/chapter15.html/view?searchterm=SQL%20injection
Federal Trade Commission (FTC). (2004). National and State Trends in Fraud & Identity Theft, January-December 2003. Retrieved March 28, 2007 from http://www.consumer.gov/idtheft/pdf/clearinghouse_2003.pdf
Guimaraes, M. (2006). New challenges in teaching database security. ACM Digital Library. Retrieved March 30, 2007 from http://proxy.kennesaw.edu:2230/10.1145/1240000/1231060/p64Guimaraes.pdf?key1=1231060&key2=4419225711&coll=ACM&dl=ACM&CFID=18658173&CFTOKEN=67659094
Kerber, R. (2007, August 15). Cost of data breach at TJX soars to $256m: Suits, computer fix add to expenses. The Boston Globe. http://www.boston.com/business/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/
Mbuthia, S. (2007). Selecting a DBMS. Retrieved March 28, 2007 from http://csmoodle.kennesaw.edu/mod/forum/discuss.php?=1639
Messmer, E. (2006). VeriSign security service expanded for apps, databases. Network World, September 11, 2006, 23(35). Retrieved March 28, 2007 from http://www.networkworld.com/news/2006/090706-verisign securityservice.html
Messmer, E. (2007). UPDATE: TJX data theft called largest ever: 45.7M credit card numbers; security breach detailed in financial filing. Network World, March 29, 2007. Retrieved March 30, 2007 from http://www.networkworld.com/news/2007/032907-tjx-data-theftlargest.html?page=1
MSDN Library. (2007). SQL Server 2005 Books Online: Strong passwords. Retrieved March 30, 2007 from http://msdn2.microsoft.com/enus/library/ms161962.aspx
Netproject. (2007). Glossary: Proxy server. Retrieved April 5, 2007 from http://www.netproject.com/docs/migoss/v1.0/glossary.html
Ogbuji, U. (2001). Choosing a database management system. IBM developerWorks. Retrieved March 28, 2007 from http://www128.ibm.com/developerworks/webservices/library/ws-dbpick.html
PCI Security Standards Council. (2007). About the PCI Data Security Standard (PCI DSS). Retrieved from https://www.pcisecuritystandards.org/tech/
Polstra, R.M., III. (2005). A case study on how to manage the theft of information. Proceedings of the 2nd Annual Conference on Information Security Curriculum Development (InfoSec CD '05), 139-141. ACM Press. Retrieved March 29, 2007 from http://proxy.kennesaw.edu:2230/10.1145/1110000/1107653/p135polstra.pdf?key1=1107653&key2=9181415711&coll=ACM&dl=ACM&CFID=18548384&CFTOKEN=44816403
Price, J. (2007). DBMS selection. Retrieved March 28, 2007 from http://csmoodle.kennesaw.edu/mod/forum/discuss.php?d=1678
Schultz, B. (2007). New ways to protect data from insider attacks: The toughest security problem is the insider attack; these emerging tools promise to eliminate the threat. Network World, March 19, 2007. Retrieved March 25, 2007 from http://www.networkworld.com/supp/2007/ndc2/031907data-leakage-protection.html
Silverthorn, A. (2007). Solix extends archiving software. InfoStor, March 19, 2007. Retrieved March 29, 2007 from http://www.infostor.com/display_article/287507/23/ARTCL/Display/none/Solix-extends-archiving-software/
Snyder, J. (2006). The pros and cons of NAC: Bottom line. Network World, June 12, 2006. Retrieved March 29, 2007 from http://www.networkworld.com/columnists/2006/061206snyder.html
Solix. (2007). About us. Retrieved March 30, 2007 from http://www.solix.com/company_overview.htm
Technical Corner. (2007). Stored procedure security. Retrieved April 4, 2007 from http://www.oracle.com/technology/products/rdb/pdf/stored_procedure_security.pdf
VeriSign. (2007). About VeriSign. Retrieved March 30, 2007 from http://www.verisign.com/verisign-inc/index.html
Whitman, M.E., & Mattord, H.J. (2004). Management of Information Security.
Whitman, M.E., & Mattord, H.J. (2004). Readings and Cases in the Management of Information Security.
Wikipedia. (2007). Database security. Retrieved from Wikipedia, the free encyclopedia, http://en.wikipedia.org/wiki/Database_security
Woon, I., & Kankanhalli, A. (2006). Trust, controls, and information security. In M.E. Whitman & H.J. Mattord (Eds.), Readings and Cases in the Management of Information Security. Course Technology, Thomson Learning.

Subscription Information

The Journal of Digital Forensics, Security and Law (JDFSL) is a publication of the Association of Digital Forensics, Security and Law (ADFSL). The Journal is published on a non-profit basis. In the spirit of the JDFSL mission, individual subscriptions are discounted. However, we do encourage you to recommend the journal to your library for wider dissemination.

The journal is published in both print and electronic form under the following ISSNs:
ISSN: 1558-7215 (print)
ISSN: 1558-7223 (online)

Subscription rates for the journal are as follows:
Institutional - Print & Online: $395 (4 issues)
Institutional - Online only: $295 (4 issues)
Individual - Print & Online: $80 (4 issues)
Individual - Online only: $25 (4 issues)

Subscription requests may be made to the ADFSL. The offices of the Association of Digital Forensics, Security and Law (ADFSL) are at the following address:
Association of Digital Forensics, Security and Law
1642 Horsepen Hills Road
Maidens, Virginia 23102
Tel: 804-402-9239
Fax: 804-680-3038
E-mail: [email protected]
Website: http://www.adfsl.org
Announcements and Upcoming Events

2008 Conference on Digital Forensics, Security and Law, Oklahoma, USA, April 23-25, 2008. The ADFSL 2008 Conference on Digital Forensics, Security and Law will be held in Oklahoma in April 2008. http://www.digitalforensics-conference.org

MFW08 – Mobile Forensics World 2008, O'Hare Marriott, Chicago, Illinois, USA, May 8-10, 2008. www.MobileForensicsWorld.com. Contact: Prof. Rick Mislan, Cyber Forensics Lab, Purdue University

Journal of Digital Forensics, Security and Law, Volume 2, Number 4, 2007: Contents
Special Issue Editor's Note, p. 2
Call for Papers, p. 4
Call for Papers: Special Issue on Security Issues in Online Communities, p. 5
Guide for Submission of Manuscripts, p. 6
SecurityCom: A Multi-Player Game for Researching and Teaching Information Security Teams (Douglas P. Twitchell), p. 9
Education Organization Baseline Control Protection and Trusted Level Security (Wasim A. Al-Hamdani), p. 19
Making Molehills Out of Mountains: Bringing Security Research to the Classroom (Richard G. Taylor), p. 43
The Design and Implementation of an Automated Security Compliance Toolkit: A Pedagogical Exercise (Guillermo Francia III, Brian Estes, Rahjima Francia, Vu Nguyen and Alex Scroggins), p. 59
Network and Database Security: Regulatory Compliance, Network, and Database Security - A Unified Process and Goal (Errol A. Blake), p. 77
Subscription Information, p. 107
Announcements and Upcoming Events, p. 108