IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection of Generic Components
_________________________________________________________________________________________
perpetrators. The estimates only needs to be a little on the low side to produce a risk which appears to
be acceptable so that no additional measures are taken even though these are in fact necessary.
A description of how to perform a risk analysis is provided in the IT Security Manual (see
References).
Penetration testing
Penetration testing is used to estimate in advance the prospects of a deliberate attack on a set of IT
assets succeeding and to deduce from this what additional measures are necessary. It entails simulating
the aggressive behaviour of a wilful insider or external aggressor and ascertaining what existing
security weaknesses could be used and what potential damage could be caused. The following are
some of the approaches commonly used:
- attacks involving the guessing of passwords or dictionary attacks,
- attacks involving recording of and tampering with network traffic,
- attacks involving the import of false data packets,
- attacks involving exploitation of known software weaknesses (macro languages, operating system
errors, remote access services etc.).
A distinction should be made here between two different forms of penetration testing:
- Black box approach: the aggressor does not have any information about the IT assets in advance.
This approach is used to simulate an external aggressor.
- White box approach: the aggressor is in possession of information about the internal structure,
applications and services used. Typically this would be information available to an insider.
A further distinction is whether penetration testing is only co-ordinated with Management or whether
the staff concerned are given advance warning. Penetration testing requires in-depth knowledge and
experience to perform effectively, as otherwise the possibility that the "attacks" implemented during
testing may cause unintended damage cannot be excluded.
Differential security analysis
One approach to identifying the more stringent IT security measures that are necessary for those IT
assets which are particularly sensitive is to perform a differential security analysis. The first step here
is to investigate which IT security safeguards go beyond baseline protection or which IT baseline
protection safeguards that have been implemented are classified as optional. A comparison is then
performed as to whether the more stringent safeguards taken correspond to the standard solutions
which have been established in practice for highly sensitive IT areas. It should be noted here that the
relevant basic parameters (confidentiality, integrity and availability) are critical in determining
whether the more stringent safeguards are appropriate. Thus, for example, cryptographic measures will
assist in raising confidentiality and integrity aspects of security but generally they will have little
effect on availability or they may even have a negative impact on achieving this objective of
protection. It is also important to ensure that any products needed are suitable and that the more
stringent safeguards are correctly implemented so that they can achieve their full effect.
Typical more stringent measures in the area of IT systems include the use of certified operating
systems or special security versions of operating systems, the use of authentication tokens or even
isolation of IT systems. Examples of more stringent measures which might be used in the area of
communications links are: capping of external connections, line encryption or end-to-end encryption,
armoured cable runs or pressure-monitored cables, redundant communications lines or redundant cable
routing and the use of multi-level firewalls combined with intrusion detection tools. In the area of
_________________________________________________________________________________________
IT-Baseline Protection Manual: Otober 2000