Security controls that do not support audit mode should be deployed gradually, while security controls that support audit mode need to be deployed by using a three-step methodology of audit, review and enforce. Microsoft suggests four stages of gradual deployment of security controls: deployment on systems in a lab, deployment on 2% to 5% of the organization’s systems, deployment on the next 25% of the organization’s systems and deployment on the remainder of the organization’s systems. The SECCON framework mimics the defense readiness condition (DEFCON) framework used by the United States Armed Forces. The DEFCON framework contains five levels of readiness of the U.S. army. The highest level of readiness (DEFCON 1) is used for situations where a nuclear war is imminent, while the lowest level (DEFCON 5) is the default state of readiness of the U.S. army. The SECCON framework also includes five levels. Level 1 indicates the need to implement the strictest security measures, while Level 5 requires the implementation of regular security measures. In this article, we will examine the five levels in detail.
The five levels of the SECCON framework
Level 1 (Administrator workstation)
The strictest security measures need to be used by system administrators (mainly of security and identity systems) to protect administrator workstations. If those administrator workstations are subject to successful cyberattacks, it can have serious information security consequences. Microsoft has not yet announced the measures that will fall within the scope of Level 1. The lack of information about Level 1 measures makes the security configuration framework incomplete which, in turn, may negatively impact the reputation of the framework. Therefore, we can expect that Microsoft will soon add the missing pieces to the puzzle.
Level 2 (DevOps workstation)
Developers and testers are often targets of credential theft attacks and supply chain attacks. Credential theft attacks allow criminals to gain administrative access to computing devices and retrieve credentials stored on those devices. The stolen credentials are usually used to access other computing devices without authorization. Most major corporate attacks involve credential theft attacks. Supply chain attacks rely on commercial services and products purchased by the targeted organizations. For example, such attacks may include modifying the software or hardware acquired by an organization in such a way as to allow attackers to penetrate the organization’s computer systems without authorization. Developers and testers must take two things into account: that credential theft attacks and supply chain attacks can lead to interruptions of the critical business functions of an organization and/or information security breaches threatening the reputation and trade secrets of the organization. Knowing this, developers and testers are advised to use high-information security measures, which are classified as Level 2 measures. Similar to Level 1 measures, Level 2 measures have not been disclosed by Microsoft yet.
Level 3 (Enterprise VIP security)
Level 3 measures are appropriate for: 1) organizations that are at a high risk of sophisticated cyberattacks; 2) organizations who would like to protect data that, if released without an authorization, may have a profound impact on their business operations (e.g., impact on the stock prices of the targeted organizations).
Level 4 (Enterprise high security)
Organizations that wish to protect sensitive or confidential information are advised to use Level 4 measures. However, those measures may affect app compatibility and, therefore, may need to go through an audit-configure-enforce workflow. The deployment of Level 4 measures is relatively easy and usually takes less than 90 days.
Level 5 (Enterprise security)
Microsoft recommends Level 5 measures as the minimum measures which organizations need to take. Those measures can be deployed within 30 days.
Conclusion
The SECCON framework provides organizations with guidance that helps them to decide on what type of information security measures they need to implement. Without this kind of guidance, organizations may be confused and adopt stricter- or weaker-than-necessary information security measures. Regarding weaker-than-necessary measures, it should be pointed out that the 2013 PWC Global State of Information Security survey found that 50% of all examined organizations missed important security policy elements (e.g., physical security or user administration). Another survey conducted by Insight Express indicated that 23% of the examined organizations had no security policies and 75% of the examined organizations had outdated or ineffective security policies. Pertaining to stricter-than-necessary measures, it is worth mentioning that such measures are not a cure-all that will solve the organization’s information security problems once and for all. On the contrary: too-strict security measures may hamper user experience and productivity. In the light of the observations above, the main goal of information security architects needs to be the identification and implementation of balanced measures that protect their organizations to the maximum possible extent without negatively affecting their business operations. The SECCON framework is a perfect tool for organizations who are ready to move towards a more balanced information security strategy.
Sources
Introducing the security configuration framework: A prioritized guide to hardening Windows 10, Microsoft Introducing the security configuration framework, Microsoft Grimes, R., “Hacking the Hacker: Learn From the Experts Who Take Down Hackers,” John Wiley & Sons, April 2017 Landoll, D., “Information Security Policies, Procedures, and Standards: A Practitioner’s Reference,” CRC Press, 2017 Mooney, T., “Information Security A Practical Guide: Bridging the gap between IT and management,” IT Governance Ltd, 2015 Sigler, K., Shoemaker, D., Kohnke, A., “Supply Chain Risk Management: Applying Secure Acquisition Principles to Ensure a Trusted Technology Product,” CRC Press, 2017
Co-Author
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She holds an advanced Master’s degree in IP & ICT Law. Her particular interests include data protection, cybercrime law, and legal aspects of e-commerce business.
