Post on 22-Oct-2015
Information Security Maintenance
Module 12 – Chapter 12
Based on the Fourth Edition of: M. E. Whitman, H. J. Mattord, Principles of Information Security
School of Business, Department of Information Technology
Introduction Security Management Models The Security Maintenance Model Digital Forensics
The only thing we can predict with certainty is change.
Jayne Spain, Department of Children and Family Learning, State of Minnesota
Module 12 – Chapter 12 Information Security Maintenance 2
Learning Objectives
Discuss the need for ongoing maintenance of the information security program
List the recommended security management models, and define a model for a full maintenance program
Identify the key factors involved in monitoring the external and internal environment, and describe how planning ties into information security maintenance
Define digital forensics, and describe the management of the digital forensics function
Describe the process of acquiring, analyzing, and maintaining potential evidentiary material
Outline
1 Introduction
2 Security Management Models
3 The Security Maintenance Model
4 Digital Forensics
Introduction
Organizations should avoid overconfidence after improving their information security profile
Organizational changes that may occur include:
acquisition of new assets; emergence of new vulnerabilities; shifts in business priorities; partnerships forming or dissolving; organizational divestiture and acquisition; employee hiring and turnover
If the program does not adjust to such changes, it may be necessary to begin the cycle again
It is more expensive to re-engineer the information security profile again and again
Security Management Models
Management model must be adopted to manage and operate the ongoing security program
Models are frameworks that structure the tasks of managing a particular set of activities or business functions
NIST SP 800-100 IS Handbook: A Guide for Managers
Provides managerial guidance for establishing and implementing an information security program
Thirteen areas of information security management
Provide for specific monitoring activities for each task
Tasks should be done on an ongoing basis
Not all issues are negative
NIST SP 800-100 IS Handbook: A Guide for Managers
1. Information security governance
Agencies should monitor the status of their programs to ensure that:
Ongoing information security activities provide support to the agency mission
Current policies and procedures are technology-aligned
Controls are accomplishing the intended purpose
2. System development life cycle:
The overall process of developing, implementing, and retiring information systems through a multi-step process
NIST SP 800-100 IS Handbook: A Guide for Managers
3. Awareness and training
Tracking system should capture key information on program activities
Tracking compliance involves assessing the status of the program
The program must continue to evolve
4. Capital planning and investment control
Designed to facilitate and control the expenditure of agency funds
Select-control-evaluate investment life cycle
NIST SP 800-100 IS Handbook: A Guide for Managers
Figure 12-1 Select-Control-Evaluate Investment Life Cycle
NIST SP 800-100 IS Handbook: A Guide for Managers
5. Interconnecting systems
The direct connection of two or more information systems for sharing data and other information resources
Can expose the participating organizations to risk
When properly managed, the added benefits include greater efficiency, centralized access to data, and greater functionality
6. Performance measures
Metrics: tools that support decision making
Six-phase iterative process
NIST SP 800-100 IS Handbook: A Guide for Managers
Figure 12-3 Information Security Metrics Development Process
NIST SP 800-100 IS Handbook: A Guide for Managers
7. Security planning:
One of the most crucial ongoing responsibilities in security management
8. Information technology contingency planning:
Consists of a process for recovery and documentation of procedures
9. Risk management
Ongoing effort
Tasks include performing risk identification, analysis, and management
NIST SP 800-100 IS Handbook: A Guide for Managers
Figure 12-4 Information Security Metrics Program Implementation Process
NIST SP 800-100 IS Handbook: A Guide for Managers
Figure 12-5 The NIST Seven-Step Contingency Planning Process
NIST SP 800-100 IS Handbook: A Guide for Managers
Figure 12-6 Risk Management in the System Security Life Cycle
NIST SP 800-100 IS Handbook: A Guide for Managers
10. Certification, accreditation, and security assessments
An essential component in any security program
The status of security controls is checked regularly
Auditing: the process of reviewing the use of a system for misuse or malfeasance
11. Security services and products acquisition
12. Incident response: incident response life cycle
13. Configuration (or change) management: manages the effects of changes in configurations
NIST SP 800-100 IS Handbook: A Guide for Managers
Figure 12-7 The Information Security Services Life Cycle
NIST SP 800-100 IS Handbook: A Guide for Managers
Figure 12-8 The Incident Response Life Cycle
Quick Quiz
1 True or False: If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program can continue to work well.
Answer: True
2 An effective information security governance program requires ______ review.
Answer: constant
3 A(n) ______ is defined as the direct connection of two or more information systems for sharing data and other information resources.
Answer: system interconnection
Quick Quiz
4 ______ planning consists of a process for recovery and documentation of procedures for conducting recovery.
Answer: Contingency
5 True or False: Information security technical controls are not affected by the same factors as most computer-based technologies.
Answer: False
6 True or False: The first clue that an attack is underway often comes from reports by observant users.
Answer: True
7 Repairing known vulnerabilities in any of the network or system environments is known as ______.
Answer: patching
The Maintenance Model
Designed to focus organizational effort on maintaining systems.
Recommended maintenance model based on five subject areas:
1 External monitoring
2 Internal monitoring
3 Planning and risk assessment
4 Vulnerability assessment and remediation
5 Readiness and review
The Security Maintenance Model (cont.)
Figure 12-10 The Maintenance Model
Monitoring the External Environment
Objective is to provide the early awareness of new threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective defense
Entails collecting intelligence from data sources and giving that intelligence context and meaning for use by organizational decision makers
Monitoring the External Environment (cont.)
Figure 12-11 External Monitoring
Monitoring the External Environment (cont.)
Data Sources
Acquiring threat and vulnerability data is not difficult
Turning data into information decision makers can use is the challenge
External intelligence comes from three classes of sources:
1 vendors
2 computer emergency response teams (CERTs)
3 public network sources
Regardless of where or how external monitoring data is collected, it must be analyzed in the context of the organization’s security environment to be useful
Monitoring the External Environment (cont.)
Monitoring, Escalation, and Incident Response
Function of the external monitoring process is to monitor activity, report results, and escalate warnings
Monitoring process has three primary deliverables:
1 Specific warning bulletins issued when developing threats and specific attacks pose measurable risk to the organization
2 Periodic summaries of external information.
3 Detailed intelligence on highest risk warnings.
Monitoring the External Environment (cont.)
Data Collection and Management
Over time, external monitoring processes should capture knowledge about the external environment in appropriate formats
External monitoring collects raw intelligence, filters for relevance, assigns a relative risk impact, and communicates to decision makers in time to make a difference
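The collect, filter, rate and communicate sequence above, as an added Python illustration that is not from the slides or the Whitman/Mattord text: constructed advisories are filtered against a constructed asset inventory, scored by advisory severity times asset criticality, and routed to a warning bulletin or to the periodic summary; the bulletin threshold is an assumed policy value.

```python
"""Added example (not from the slides or the textbook): a small external
monitoring triage step that turns raw advisories into the deliverables the
slide describes. Every advisory, product, host and threshold is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Advisory:
    source: str                        # vendor, CERT, or public network source
    product: str
    affected_versions: FrozenSet[str]
    severity: int                      # 1 (low) .. 5 (critical), as published


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    criticality: int                   # 1 (test box) .. 5 (mission-critical), set by the organization


@dataclass(frozen=True)
class RiskWarning:
    advisory: Advisory
    hosts: Tuple[str, ...]             # affected hosts taken from the inventory
    impact: int                        # relative risk impact: severity x highest asset criticality


# Assumed policy: an impact at or above this is "measurable risk" and earns a warning bulletin
BULLETIN_THRESHOLD = 12


def relevant_assets(adv: Advisory, inventory: List[Asset]) -> List[Asset]:
    """Relevance filter: keep only inventory entries running an affected version."""
    return [a for a in inventory
            if a.product == adv.product and a.version in adv.affected_versions]


def triage(advisories: List[Advisory], inventory: List[Asset]):
    """Return (bulletins, summary, filtered_out).

    bulletins    - warnings with measurable risk, highest impact first
                   (the first entry is the candidate for detailed intelligence)
    summary      - relevant but lower-impact items for the periodic summary
    filtered_out - advisories that match nothing in the inventory
    """
    bulletins, summary, filtered_out = [], [], []
    for adv in advisories:
        hosts = relevant_assets(adv, inventory)
        if not hosts:
            filtered_out.append(adv)
            continue
        # Context: the same advisory matters more on a critical host than on a test box
        impact = adv.severity * max(a.criticality for a in hosts)
        warning = RiskWarning(adv, tuple(h.hostname for h in hosts), impact)
        (bulletins if impact >= BULLETIN_THRESHOLD else summary).append(warning)
    bulletins.sort(key=lambda w: w.impact, reverse=True)
    return bulletins, summary, filtered_out


# Constructed sample inventory and advisory feed
INVENTORY = [
    Asset("web01", "nginx", "1.18", 5),
    Asset("web02", "nginx", "1.20", 3),
    Asset("db01", "postgresql", "12", 5),
    Asset("dev01", "openssh", "8.2", 1),
]
ADVISORIES = [
    Advisory("vendor", "openssh", frozenset({"8.2"}), 5),
    Advisory("CERT", "nginx", frozenset({"1.18", "1.19"}), 4),
    Advisory("public list", "httpd", frozenset({"2.4"}), 5),
    Advisory("vendor", "postgresql", frozenset({"12"}), 3),
]

if __name__ == "__main__":
    bulletins, summary, dropped = triage(ADVISORIES, INVENTORY)
    for w in bulletins:
        print(f"BULLETIN impact={w.impact:2d} {w.advisory.product} hosts={','.join(w.hosts)}")
    for w in summary:
        print(f"SUMMARY  impact={w.impact:2d} {w.advisory.product} hosts={','.join(w.hosts)}")
    for adv in dropped:
        print(f"FILTERED {adv.product} (not in inventory)")
```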
Monitoring the External Environment (cont.)
Figure 12-12 Data Flow Diagrams for External Data Collection
Monitoring the Internal Environment
Maintain informed awareness of the state of the organization’s networks, systems, and security defenses
Internal monitoring accomplished by:
Doing inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements
Leading the IT governance process
Real-time monitoring of IT activity
Monitoring the internal state of the organization’s networks and systems
Monitoring the Internal Environment (cont.)
Figure 12-13 Internal Monitoring
Monitoring the Internal Environment (cont.)
Network Characterization and Inventory
Organizations should have a carefully planned and fully populated inventory of network devices, communication channels, and computing devices
Once characteristics are identified, they must be carefully organized and stored using a mechanism (manual or automated) that allows timely retrieval and rapid integration of disparate facts
Monitoring the Internal Environment (cont.)
Making Intrusion Detection and Prevention Systems Work
The most important value of raw intelligence provided by intrusion detection systems (IDS) is providing indicators of current or imminent vulnerabilities
Log files from IDS engines can be mined for information
Another IDS monitoring element is traffic analysis
Analyzing attack signatures for unsuccessful system attacks can identify weaknesses in various security efforts
Monitoring the Internal Environment (cont.)
Detecting Differences
Difference analysis: procedure that compares the current state of a network segment against the known previous state of the same segment
Differences between the current state and the baseline state that are unexpected could be a sign of trouble and need investigation
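The difference analysis just described, as an added Python example that is not from the slides or the textbook; it also shows the earlier point about keeping the network inventory in a stored form that can be retrieved and compared quickly. Snapshots map each host on a segment to its set of open ports, and an approved-change list (assumed to come from change control) separates expected differences from the unexpected ones that need investigation; all hosts, ports and tickets are constructed.

```python
"""Added example (not from the slides or the textbook): difference analysis of
one network segment against its baseline. Hosts, ports and approved changes
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Snapshot = Dict[str, Set[int]]                 # host -> set of open TCP ports
ChangeKey = Tuple[str, str, Optional[int]]     # (host, kind, port) as recorded by change control


@dataclass(frozen=True)
class Diff:
    host: str
    kind: str            # "new_host", "missing_host", "port_opened", "port_closed"
    port: Optional[int]  # None for host-level differences


def parse_snapshot(text: str) -> Snapshot:
    """Parse the constructed stored format: one line per host, 'host port,port,...'."""
    snap: Snapshot = {}
    for line in text.strip().splitlines():
        host, _, ports = line.partition(" ")
        snap[host] = {int(p) for p in ports.split(",") if p}
    return snap


def difference_analysis(baseline: Snapshot, current: Snapshot) -> List[Diff]:
    """Return every difference between the baseline and the current state, ordered by host."""
    diffs: List[Diff] = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            diffs.append(Diff(host, "new_host", None))
        elif host not in current:
            diffs.append(Diff(host, "missing_host", None))
        else:
            for port in sorted(current[host] - baseline[host]):
                diffs.append(Diff(host, "port_opened", port))
            for port in sorted(baseline[host] - current[host]):
                diffs.append(Diff(host, "port_closed", port))
    return diffs


def classify(diffs: List[Diff], approved: Set[ChangeKey]) -> Tuple[List[Diff], List[Diff]]:
    """Split diffs into (expected, unexpected).

    A difference is expected only when change control recorded it; everything
    else is the unexpected kind the slide says needs investigation.
    """
    expected = [d for d in diffs if (d.host, d.kind, d.port) in approved]
    unexpected = [d for d in diffs if (d.host, d.kind, d.port) not in approved]
    return expected, unexpected


# Constructed baseline (last known-good state) and current snapshot of one segment
BASELINE_TEXT = """
10.0.1.10 22,80,443
10.0.1.11 22,3306
10.0.1.12 22
"""
CURRENT_TEXT = """
10.0.1.10 22,443
10.0.1.11 22,3306,4444
10.0.1.13 22,8080
"""
# Constructed change-control records: port 80 retired on .10, host .12 decommissioned
APPROVED_CHANGES: Set[ChangeKey] = {
    ("10.0.1.10", "port_closed", 80),
    ("10.0.1.12", "missing_host", None),
}

if __name__ == "__main__":
    diffs = difference_analysis(parse_snapshot(BASELINE_TEXT), parse_snapshot(CURRENT_TEXT))
    expected, unexpected = classify(diffs, APPROVED_CHANGES)
    for d in expected:
        print(f"expected    {d.host:10} {d.kind:13} {d.port or ''}")
    for d in unexpected:
        print(f"INVESTIGATE {d.host:10} {d.kind:13} {d.port or ''}")
```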
Planning and Risk Assessment
Primary objective is to keep a lookout over the entire IS program
Accomplished by identifying and planning ongoing information security activities that further reduce risk
Primary objectives:
Establishing a formal information security program review
Instituting formal project identification, selection, planning, and management processes
Coordinating with IT project teams to introduce risk assessment and review for all IT projects.
Integrating a mindset of risk assessment across organization
Planning and Risk Assessment (cont.)
Figure 12-14 Planning and Risk Assessment
Planning and Risk Assessment (cont.)
Information Security Program Planning and Review
Periodic review of the ongoing IS program coupled with planning for enhancements and extensions is recommended
Should examine the IT needs of the future organization and the impact those needs have on information security
The recommended approach takes advantage of the fact that most organizations have annual capital budget planning cycles, and manages security projects as part of that process
Planning and Risk Assessment (cont.)
Large projects should be broken into smaller projects for several reasons:
Smaller projects tend to have more manageable impacts on networks and users
Larger projects tend to complicate the change control process in the implementation phase
Shorter planning, development, and implementation schedules reduce uncertainty
Most large projects can easily be broken down into smaller projects, giving more opportunities to change direction and gain flexibility.
Planning and Risk Assessment (cont.)
Security Risk Assessments
A key component for driving security program change is the information security operational risk assessment (RA)
RA identifies and documents the risk that a project, process, or action introduces to the organization and offers suggestions for controls
Information security group coordinates preparation of many types of RA documents
Quick Quiz
1 The objective of the ______ is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense.
Answer: external monitoring domain
2 The primary goal of the ______ is to maintain an informed awareness of the state of all of the organization’s networks, information systems, and information security defenses.
Answer: internal monitoring domain
3 The primary objective of the ______ is to keep a lookout over the entire information security program.
Answer: planning and risk assessment domain
Vulnerability Assessment and Remediation
Primary goal: identification of specific, documented vulnerabilities and their timely remediation
Accomplished by:
Using vulnerability assessment procedures
Documenting background information and providing tested remediation procedures for vulnerabilities
Tracking vulnerabilities from when they are identified
Communicating vulnerability information to owners of vulnerable systems
Reporting on the status of vulnerabilities
Ensuring the proper level of management is involved
Vulnerability Assessment and Remediation (cont.)
Figure 12-15 Vulnerability Assessment and Remediation
Vulnerability Assessment and Remediation (cont.)
Process of identifying and documenting specific and provable flaws in the organization’s information asset environment
Five vulnerability assessment processes that follow can serve many organizations as they attempt to balance the intrusiveness of vulnerability assessment with the need for a stable and productive production environment
Vulnerability Assessment and Remediation (cont.)
Penetration Testing:
A level beyond vulnerability testing
Is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker)
Penetration test (pen test): usually performed periodically as part of a full security audit
Can be conducted one of two ways: black box or white box
Vulnerability Assessment and Remediation (cont.)
Internet Vulnerability Assessment
Designed to find and document vulnerabilities present in the organization’s public-facing network
Steps in the process include:
Planning, scheduling, and notification
Target selection
Test selection
Scanning
Analysis
Record keeping
Vulnerability Assessment and Remediation (cont.)
Intranet Vulnerability Assessment
Designed to find and document selected vulnerabilities present on the internal network
Attackers are often internal members of the organization, affiliates of business partners, or automated attack vectors (such as viruses and worms)
This assessment is usually performed against selected critical internal devices with a known, high value by using selective penetration testing
Steps in the process are almost identical to the steps in the Internet vulnerability assessment
Vulnerability Assessment and Remediation (cont.)
Platform Security Validation (PSV)
Designed to find and document vulnerabilities that may be present because of mis-configured systems in use within the organization
These mis-configured systems fail to comply with company policy or standards
Fortunately, automated measurement systems are available to help with the intensive process of validating compliance of platform configuration with policy
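An added example, not from the textbook or its authors, of the kind of automated compliance measurement this slide refers to: a constructed sshd_config-style file is parsed and each setting is compared with an assumed policy standard, and every deviation becomes a documented finding for remediation. The policy values, the sample file and all function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy standard, assumed for this example: setting -> required value.
POLICY: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample of a host configuration that has drifted from policy.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample, not taken from a real host)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Finding:
    setting: str
    required: str
    actual: Optional[str]  # None: setting absent or commented out


def parse_config(text: str) -> Dict[str, str]:
    """Return the active keyword/value pairs; comments and blank lines are
    skipped. The first occurrence of a keyword wins, as sshd itself does."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+?)$", line)
        if m:
            settings.setdefault(m.group(1), m.group(2))
    return settings


def validate(text: str, policy: Dict[str, str] = POLICY) -> List[Finding]:
    """Compare the parsed configuration with policy and return one Finding
    per setting that is missing or differs from the required value."""
    actual = parse_config(text)
    findings: List[Finding] = []
    for setting, required in policy.items():
        value = actual.get(setting)
        if value is None or value.lower() != required.lower():
            findings.append(Finding(setting, required, value))
    return findings


if __name__ == "__main__":
    for f in validate(SAMPLE_CONFIG):
        print(f"NONCOMPLIANT {f.setting}: required {f.required!r}, actual {f.actual!r}")
```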
Vulnerability Assessment and Remediation (cont.)
Wireless Vulnerability Assessment
Designed to find and document vulnerabilities that may be present in the organization’s wireless local area networks
Since attackers from this direction are likely to take advantage of any loophole or flaw, the assessment is usually performed against all publicly accessible areas using every possible wireless penetration testing approach
Vulnerability Assessment and Remediation (cont.)
Modem Vulnerability Assessment
Designed to find and document any vulnerability present on dial-up modems connected to the organization’s networks
Since attackers from this direction take advantage of any loophole or flaw, the assessment is usually performed against all telephone numbers owned by the organization
One element of this process, often called war dialing, uses scripted dialing attacks against the pool of phone numbers
Vulnerability Assessment and Remediation (cont.)
Documenting Vulnerability
The vulnerability tracking database should provide details of each vulnerability as well as a link to the affected information assets
Low cost and ease of use make relational databases a realistic choice
The vulnerability database is an essential part of effective remediation
Vulnerability Assessment and Remediation (cont.)
Remediating Vulnerability
The objective is to repair the flaw causing a vulnerability instance or to remove the risk associated with the vulnerability
As a last resort, informed decision makers with proper authority can accept the risk
It is important to recognize that building relationships with those who control the information assets is key to success
Success depends on the organization adopting a team approach to remediation, in place of cross-organizational push and pull
Vulnerability Assessment and Remediation (cont.)
Acceptance or Transference of Risk
In some instances, risk must simply be acknowledged as part of the organization’s business process
Management must be assured that decisions to assume risk on behalf of the organization are made by properly informed decision makers
Information security must make sure the right people make risk assumption decisions with complete knowledge of the impact of the decision
Vulnerability Assessment and Remediation (cont.)
Threat Removal
In some circumstances, threats can be removed without repairing the vulnerability
The vulnerability can then no longer be exploited, and the risk has been removed
Other vulnerabilities may be amenable to other controls that avoid an expensive repair and still remove the risk from the situation
Vulnerability Assessment and Remediation (cont.)
Vulnerability Repair
The optimum solution in most cases is to repair the vulnerability
Applying a software patch or implementing a workaround often accomplishes this
In some cases, simply disabling the service removes the vulnerability; in other cases, other simple remedies are possible
The most common repair is the application of a software patch
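An added example, not from the textbook, that ties the Documenting Vulnerability and Remediating Vulnerability slides together: a small relational tracking database (SQLite) in which every vulnerability instance links to the information asset it affects, open items can be listed per asset owner, and each closed item records which option was taken, repair, threat removal or documented risk acceptance, and by whom. The schema, table names and all sample rows are constructed for illustration.

```python
import sqlite3
from typing import List, Tuple

# Constructed schema: a vulnerability instance links to the information
# asset it affects; a closed item records which remediation option was taken.
SCHEMA = """
CREATE TABLE asset (
    asset_id INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    owner    TEXT NOT NULL);
CREATE TABLE vulnerability (
    vuln_id  INTEGER PRIMARY KEY,
    asset_id INTEGER NOT NULL REFERENCES asset(asset_id),
    source   TEXT NOT NULL,   -- which assessment found it
    detail   TEXT NOT NULL,
    severity TEXT NOT NULL CHECK (severity IN ('low', 'medium', 'high')),
    found_on TEXT NOT NULL);
CREATE TABLE remediation (
    vuln_id    INTEGER PRIMARY KEY REFERENCES vulnerability(vuln_id),
    action     TEXT NOT NULL CHECK (action IN ('repair', 'threat_removal', 'accept_risk')),
    decided_by TEXT NOT NULL, -- for accept_risk: the authorized decision maker
    decided_on TEXT NOT NULL);
"""

def open_db() -> sqlite3.Connection:
    """Create an in-memory tracking database using the schema above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def load_sample(conn: sqlite3.Connection) -> None:
    """Constructed sample data: three assets, four findings, two decisions."""
    conn.executemany("INSERT INTO asset VALUES (?, ?, ?)", [
        (1, "web-dmz-01", "web team"),
        (2, "fileserver-02", "infrastructure"),
        (3, "wlan-ap-lobby", "facilities")])
    conn.executemany("INSERT INTO vulnerability VALUES (?, ?, ?, ?, ?, ?)", [
        (10, 1, "internet", "outdated TLS library", "high", "2015-10-01"),
        (11, 2, "psv", "SMBv1 enabled contrary to standard", "medium", "2015-10-03"),
        (12, 3, "wireless", "WEP still permitted on guest SSID", "high", "2015-10-05"),
        (13, 2, "intranet", "unused telnet service listening", "low", "2015-10-06")])
    conn.executemany("INSERT INTO remediation VALUES (?, ?, ?, ?)", [
        (10, "repair", "web team", "2015-10-04"),                 # patch applied
        (13, "threat_removal", "infrastructure", "2015-10-07")])  # service disabled
    conn.commit()

def open_items(conn: sqlite3.Connection) -> List[Tuple]:
    """Unremediated vulnerabilities with their asset and owner, highest
    severity first: the remediation work list the chapter describes."""
    return conn.execute("""
        SELECT v.vuln_id, a.name, a.owner, v.severity, v.detail
        FROM vulnerability v
        JOIN asset a ON a.asset_id = v.asset_id
        LEFT JOIN remediation r ON r.vuln_id = v.vuln_id
        WHERE r.vuln_id IS NULL
        ORDER BY CASE v.severity WHEN 'high' THEN 0 WHEN 'medium' THEN 1 ELSE 2 END,
                 v.vuln_id""").fetchall()

def accept_risk(conn: sqlite3.Connection, vuln_id: int, decided_by: str, decided_on: str) -> None:
    """Close an item by documented risk acceptance (the chapter's last resort)."""
    conn.execute("INSERT INTO remediation VALUES (?, 'accept_risk', ?, ?)",
                 (vuln_id, decided_by, decided_on))
    conn.commit()
```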
Readiness and Review
The primary goal is to keep the information security program functioning as designed and continuously improving
Accomplished by:
Policy review
Program review
Rehearsals
Readiness and Review
Figure 12-16 Readiness and Review
Quick Quiz
1 True or False: The objective of the internal monitoring domain is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense.
Answer: False
2 The primary goal of the ______ is to maintain an informed awareness of the state of all of the organization’s networks, information systems, and information security defenses.
(a) awareness monitoring domain
(b) information monitoring domain
(c) internal monitoring domain
(d) external monitoring domain
Answer: (c)
Quick Quiz
3 The primary goal of the ______ is to identify specific, documented vulnerabilities and their timely remediation.
Answer: vulnerability assessment and remediation domain
4 The primary goal of the ______ is to keep the information security program functioning as designed and to keep it continuously improving over time.
Answer: readiness and review domain
5 The ______ process is designed to find and document the vulnerabilities that may be present because of mis-configured systems in use within the organization.
Answer: platform security validation (PSV)
Digital Forensics
Digital forensics is used to investigate what happened during an attack on assets and how the attack occurred
It is based on the field of traditional forensics
It involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
Evidentiary material (EM) is any information that could potentially support the organization’s legal or policy-based case against a suspect
Digital Forensics (cont.)
Used for two key purposes:
1 To investigate allegations of digital malfeasance
2 To perform root cause analysis
The organization chooses one of two approaches:
1 Protect and forget (patch and proceed): defense of the data and of the systems that house, use, and transmit it
2 Apprehend and prosecute (pursue and prosecute): identification and apprehension of the responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution
Digital Forensics Team
Most organizations:
Cannot sustain a permanent digital forensics team
Collect data and outsource analysis
Information security group personnel should be trained to understand and manage the forensics process to avoid contamination of potential EM
Expertise can be obtained by training
Affidavits and Search Warrants
Affidavit
Sworn testimony that certain facts are in the possession of the investigating officer that they feel warrant the examination of specific items located at a specific place
The facts, the items, and the place must be specified
When an approving authority signs the affidavit, it becomes a search warrant, giving permission to:
Search for the EM at the specified location
Seize items and return them to the investigator for examination
Digital Forensics Methodology
All investigations follow the same basic methodology:
1 Identify relevant items of evidentiary value (EM)
2 Acquire (seize) the evidence without alteration or damage
3 Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
4 Analyze the data without risking modification or unauthorized access
5 Report the findings to the proper authority
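An added example, not from the textbook, that carries steps 2 and 3 of this methodology through on a constructed "drive" file: a sector-by-sector bit-stream copy is taken with the source opened read-only, source and image are hashed, every hash is entered in a chain-of-custody log, and the image is re-verified against the logged hash, once right after acquisition and once after a simulated accidental write during analysis, which the check must catch. The sector size, file names, handler name and evidence bytes are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple

SECTOR = 512  # assumed sector size for the bit-stream copy


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src: str, dst: str) -> str:
    """Step 2: bit-stream copy, sector by sector, with the source opened
    read-only so acquisition itself cannot alter it. Returns the image hash."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        for sector in iter(lambda: s.read(SECTOR), b""):
            d.write(sector)
    return sha256_file(dst)


def log_custody(log: List[Dict[str, str]], event: str, path: str,
                digest: str, handler: str) -> None:
    """Append one chain-of-custody entry: who handled what, when, and its hash."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "event": event,
                "path": path, "sha256": digest, "handler": handler})


def verify(path: str, log: List[Dict[str, str]]) -> bool:
    """Step 3: the image is authentic only if its current hash still equals
    the hash recorded in the log at the moment it was acquired."""
    recorded = next(e["sha256"] for e in log
                    if e["event"] == "acquired" and e["path"] == path)
    return sha256_file(path) == recorded


def demo() -> Tuple[bool, bool]:
    """Acquire a constructed drive; returns (verified right after
    acquisition, verified after a simulated accidental write)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect_drive.bin")   # constructed source
    img = os.path.join(workdir, "evidence_001.dd")     # working image
    with open(src, "wb") as f:
        f.write(b"constructed evidence bytes " * 100)  # deliberately not sector aligned
    log: List[Dict[str, str]] = []
    log_custody(log, "identified", src, sha256_file(src), "investigator A")
    log_custody(log, "acquired", img, acquire(src, img), "investigator A")
    ok_after_acquire = log[0]["sha256"] == log[1]["sha256"] and verify(img, log)
    with open(img, "r+b") as f:  # analysis mistake: writing to the image
        f.write(b"X")
    return ok_after_acquire, verify(img, log)


if __name__ == "__main__":
    print(demo())
```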
Digital Forensics Methodology
Figure 12-17 The Digital Forensics Process
Evidentiary Procedures
Strong procedures for the handling of potential EM can minimize the probability of an organization’s losing a legal challenge
Organizations should develop specific procedures with guidance on, for example:
Who may conduct an investigation and who is authorized in an investigation
What affidavit and search warrant-related issues are required
The methodology to be followed
The final report format
Quick Quiz
1 ______ is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting.
Answer: Forensics
2 The ______ model of data acquisition is where the investigator removes the power source and then uses a utility or special device to make a bit-stream sector-by-sector copy of the hard drives contained in the system.
Answer: offline
3 In information security, most operations focus on ______.
Answer: policies
Additional resources
1 Computer Forensics Investigator: http://www.jobprofiles.org/govcpolicie1.htm
2 SANS Reading Room – Penetration Testing: http://www.sans.org/reading room/whitepapers/testing/
3 High Tech Crime Institute: http://www.hightechcrimeinstitute.com/
4 High Tech Crime Network: http://www.htcn.org/