Protecting the All of the Layers

Edwin Covert, published in System Weakness, Jan 7, 2022


When protecting information, organizations must consider the totality of the information system the information lives in. Applying a single control or a control to only one layer of the information system is insufficient. For an information system, organizations should employ a layered approach to its protection scheme. This article will examine how to protect the various layers of a generic Enterprise Resource Planning (ERP) system by reviewing its basic layers, defining defense-in-depth as a concept, reviewing existing standards and guidelines, and examining a selected set of controls that apply to each layer of the ERP system.

Information Systems Layers in ERP Servers

An ERP system is a collection of software that integrates information and data from across a company; this allows multiple processes to be streamlined so that the organization or business can derive greater value (Monk & Wagner, 2013 and Al-Mashari, 2002). In this scenario, the ERP system uses both the Microsoft Windows Server 2019 and Ubuntu 20.14 Long Term Support (LTS) operating systems. Windows is a commercially available server operating system, while Ubuntu is a popular open-source Linux operating system.

At a fundamental level, each ERP server in the scenario (regardless of operating system) possesses the same layers: physical hardware, operating system kernel, and user applications or utilities (Stallings & Brown, 2020). The hardware includes the actual physical components of the ERP system, such as “data processing, data storage, and data communications devices” (p. 29). The operating system kernel is the primary interface between the physical hardware and the layer above it, the user applications and other utilities. It manages the resources the rest of the ERP system relies on, such as allocation of memory, disk storage, and low-level networking (Santana, 2014). The last layer of the model Stallings and Brown (2020) describe is the user applications and utilities. This layer is how a user interacts with the operating system and hardware layers to perform a specific task or function (Goodwill Community Foundation, n.d.). Figure 1 shows the three layers in their order.

Figure 1

Model information system showing hierarchy of layers

Note. Adapted from “Computer Security: Principles and Practice, 4th Ed.” by W. Stallings & L. Brown, 2020. Copyright 2020 by Pearson India Education Services Pvt Ltd.

Defense-in-Depth

Just as there are layers in the ERP example above, cybersecurity controls require layers. Cybersecurity professionals call this approach defense-in-depth. The National Institute of Standards and Technology (NIST) (2019) defines defense-in-depth as an “[i]nformation security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization” (para. 1). Barbu and Petrica (2015) describe defense-in-depth as multiple barriers within an information system to protect it. The US Government mandates defense-in-depth for information systems that process or store federal data or information (National Institute of Standards and Technology, 2020).

Figure 2 shows this concept as a series of concentric rings of controls (including management, operational, and technical controls) surrounding the data, which requires protection. In this version, the controls would integrate with each other to provide greater security than they could on their own.

Figure 2

Concentric rings of controls protecting data in a defense-in-depth model

Note. Adapted from “Defense in depth for web applications” by B. Aydin, 2017. https://medium.com/insa-tc/defense-in-depth-for-web-applications-38178696f833. Copyright 2017 by B. Aydin.

Control Frameworks and Guidance

Cybersecurity as a practice does not suffer from a lack of available control frameworks and guidance. From the NIST (2020) controls in Security and Privacy Controls for Information Systems and Organizations to those listed in the ISO/IEC (2020) Information Security Management series, there is a plethora of controls to apply to all layers of the ERP example system above. Other organizations have created guidance documents outlining best practices for their particular specialty. For example, the US Department of Defense (DoD) publishes a set of Security Technical Implementation Guides (STIGs) that outline required configurations for both applications and operating systems used within the DoD, while the Payment Card Industry (PCI) has its Payment Application Data Security Standard (PA-DSS), whose requirements apply to “software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data” (PCI Security Standards Council, 2013, p. 7).

Other commercially oriented examples include OWASP and SANS. Each year, OWASP (2021b) provides its Top Ten Web Application Security Risks list for web developers to follow, while the SANS Institute publishes its critical information security controls (Kim, 2021). Many other frameworks and best practices are available for more niche information systems. Together, these controls provide a valuable menu of options for developers and system administrators to secure their applications and systems.

Applying Select Controls to Specific Information System Layers

Physical Hardware Layer

Many controls apply to physical hardware. NIST (2020) describes one entitled Physical Access Authorization (PE-2) in their Security and Privacy Controls for Information Systems and Organizations. This control ensures that an organization has in place a list of persons (both regular employees and visitors) who may access the location where hardware is located, e.g. a data center or server room. It also requires an organization to have a means of verifying the identity of those individuals through “ID badges, identification cards, and smart cards” (p. 180) and that the organization reviews the access list periodically. This control will prevent tampering with or the removal of system hardware, preventing data loss.

Operating System Kernel Layer

Windows Server 2019

The DoD STIG for Windows Server 2019 has several controls for military environments. DisableRunAs (V-205810) is one of these controls. Left at its default, this setting allows the Windows Remote Management (WinRM) service to store credentials, potentially allowing threat actors to make use of those credentials to access and exfiltrate data. Administrators should configure the system to disallow this function. To change the setting, server administrators open the registry path \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ in the HKEY_LOCAL_MACHINE hive and set the value DisableRunAs to 0x00000001 with a type of REG_DWORD (US Department of Defense, 2021b).

Ubuntu 20.14 LTS

The DoD also has a STIG for Ubuntu’s 20.14 LTS operating system. One control listed in it mandates the restriction of functions, ports, protocols, and/or services to only those necessary (V-238328). The goal of this control is to prevent the “unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling” (US Department of Defense, 2021a, para. 1). To change this via Ubuntu’s Universal Firewall (UFW), in a terminal window, type:

$ sudo ufw allow

followed by the port or protocol and the direction (either “in” or “out”) corresponding to the protocol or service the organization requires.
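A single ufw allow rule only matters once everything else is denied. The script below is an added example (not from the STIG or this article) that expresses V-238328’s “only those necessary” as a default-deny policy plus a reviewed allowlist; the service list is constructed for illustration, and the script prints the ufw commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the STIG or the article: realize V-238328 as a
# default-deny UFW policy with an explicit allowlist. Assumes ufw is installed;
# nothing is executed unless APPLY=1 is set in the environment.
set -eu

# Constructed allowlist for the ERP host: "port/proto direction", one per line.
# Anything not listed here is denied in both directions.
ALLOWED_SERVICES="22/tcp in
443/tcp in
5432/tcp out"

# Print (do not run) the ufw commands for the policy so the change can be
# reviewed before it is applied. Fails on a malformed direction.
ufw_plan() {
    printf 'ufw default deny incoming\n'
    printf 'ufw default deny outgoing\n'
    while IFS=' ' read -r portproto direction; do
        if [ -z "$portproto" ]; then continue; fi
        case "$direction" in
            in|out) ;;
            *) echo "ufw_plan: bad direction '$direction' for $portproto" >&2; return 1 ;;
        esac
        printf 'ufw allow %s %s\n' "$direction" "$portproto"
    done <<EOF
$1
EOF
    # --force skips the interactive "may disrupt existing ssh connections" prompt
    printf 'ufw --force enable\n'
}

main() {
    if [ "${APPLY:-0}" = "1" ]; then
        # Word splitting of $cmd is intended: each line is one ufw invocation.
        ufw_plan "$ALLOWED_SERVICES" | while read -r cmd; do sudo $cmd; done
    else
        echo "# dry run; set APPLY=1 to execute the following:"
        ufw_plan "$ALLOWED_SERVICES"
    fi
}
main
```

Review the dry-run output against the ERP application’s documented dependencies before applying it; an SSH rule should normally stay in the allowlist so the remote session is not cut off when the default policy flips to deny.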

User Applications and Utilities Layer

Regardless of the application and operating system it runs on, logging is a vital control. OWASP (2021a) provides a document on logging best practices including input and output validation failures, authentication successes and failures, authorization failures, as well as application “errors and system events e.g. syntax and runtime errors, connectivity problems, performance issues, third party service error messages, file system errors, file upload virus detection, configuration changes” (para. 21).
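Logs are only useful if every event carries the same fields and an attacker cannot forge entries by embedding line breaks in a field such as a username. The helper below is an added example (not from OWASP or this article) for shell-driven utilities on the ERP hosts: it restricts events to the categories the paragraph lists, neutralizes log injection in attacker-influenced fields, and emits one JSON record per line. Field names and the default log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the OWASP cheat sheet or the article: a structured
# security-event logger for shell utilities. Field names and SECLOG are assumed.
set -eu

SECLOG="${SECLOG:-/var/log/erp-security.log}"   # assumed path; override via env

# Neutralize log injection: a field an attacker can influence (username, file
# name, error text) must not be able to start a new line or break the JSON.
# CR/LF are dropped, other non-printable bytes become '?', then JSON-escape.
sanitize() {
    printf '%s' "$1" | tr -d '\r\n' | tr -c '[:print:]' '?' \
        | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# event_json CATEGORY OUTCOME ACTOR MESSAGE  -> prints one JSON record
# CATEGORY must be one of the OWASP event classes from the paragraph above.
event_json() {
    category=$1; outcome=$2
    actor=$(sanitize "$3"); msg=$(sanitize "$4")
    case "$category" in
        input_validation|output_validation|authn|authz|app_error|system_event|config_change) ;;
        *) echo "event_json: unknown category '$category'" >&2; return 1 ;;
    esac
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '{"ts":"%s","host":"%s","category":"%s","outcome":"%s","actor":"%s","msg":"%s"}\n' \
        "$ts" "$(uname -n)" "$category" "$outcome" "$actor" "$msg"
}

# log_event: same arguments, appended to SECLOG (append-only is the point:
# the utility should never be able to truncate or rewrite earlier records).
log_event() {
    event_json "$@" >>"$SECLOG"
}

# Demonstration: a forged username that tries to inject a second "record".
event_json authn failure 'bob" }
{"category":"authn","outcome":"success","actor":"admin' 'password mismatch'
```

Ship SECLOG to a collector the application host cannot modify; the local file is evidence only for as long as the host is not compromised.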

Conclusion

An organization must consider all layers of its information systems when trying to protect its data. Applying a single control or a control to only one layer of the information system is insufficient. Building and integrating the controls available at each of the three layers in an information system (physical, operating system, and application) is defense-in-depth. Controls range across the cybersecurity spectrum of management, operational, and technical concepts. By leveraging the vast array of control frameworks and guidance documents available, system administrators can secure their servers to mitigate many risks, including data leakage.

References

Al-Mashari, M. A. (2002). Implementing ERP through SAP R/3: A Process Change Management (PCM) Perspective. Journal of King Saud University — Computer and Information Sciences, 14, 25–38. https://doi.org/10.1016/s1319-1578(02)80002-7

Aydin, B. (2017, November 20). Defense in depth for web applications. Medium. Retrieved December 30, 2021, from https://medium.com/insa-tc/defense-in-depth-for-web-applications-38178696f833

Barbu, I.-D., & Petrica, G. (2015). Defense in depth principle to ensure information security. International Journal of Information Security and Cybercrime, 4(1), 41–46. https://doi.org/10.19107/ijisc.2015.01.06

Goodwill Community Foundation. (n.d.). Computer basics: understanding applications. GCFGlobal.org. Retrieved December 30, 2021, from https://edu.gcfglobal.org/en/computerbasics/understanding-applications/1/

ISO. (2020, April 3). ISO/IEC 27001 — information security management. ISO. Retrieved September 24, 2021, from https://www.iso.org/isoiec-27001-information-security.html

Kim, F. (2021, December 15). CIS controls v8. SANS Institute. Retrieved December 30, 2021, from https://www.sans.org/blog/cis-controls-v8/

Monk, E. F., & Wagner, B. J. (2013). Concepts in enterprise resource planning. Cengage Learning.

National Institute of Standards and Technology. (2019, July). Glossary. Computer Security Resource Center. Retrieved December 30, 2021, from https://csrc.nist.gov/glossary/

National Institute of Standards and Technology. (2020). Security and privacy controls for information systems and organizations (NIST SP 800-53 Rev. 5). Retrieved November 16, 2021, from https://doi.org/10.6028/NIST.SP.800-53r5

OWASP. (2021a). Logging cheat sheet. Logging — OWASP Cheat Sheet Series. Retrieved December 30, 2021, from https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

OWASP. (2021b). OWASP top ten. OWASP. Retrieved December 30, 2021, from https://owasp.org/www-project-top-ten/

PCI Security Standards Council. (2013, November). Requirements and security assessment procedures. PCI Payment Application Data Security Standards. Retrieved December 31, 2021, from https://www.pcisecuritystandards.org/minisite/en/docs/PA-DSS_v3.pdf

Santana, M. (2014). Eliminating the security weakness of Linux and Unix operating systems. In J. R. Vacca (Ed.), Network and System Security (pp. 155–178). Elsevier.

Stallings, W., & Brown, L. (2020). Computer security: principles and practice (4th ed.). Pearson India Education Services Pvt Ltd.

US Department of Defense. (2021a). V-238328. STIG Viewer | Unified Compliance Framework. Retrieved December 30, 2021, from https://www.stigviewer.com/stig/canonical_ubuntu_20.04_lts/2021-03-23/finding/V-238328

US Department of Defense. (2021b). V-205810. STIG Viewer | Unified Compliance Framework. Retrieved December 30, 2021, from https://www.stigviewer.com/stig/microsoft_windows_server_2019/2021-03-05/finding/V-205810
