Administrating Security


  • 8/9/2019 Administrating Security

    1/27

    Administering Security

    Security Planning
    - comparison of security planning / strategy
    - focus on procedure, ex: how much we spend for the project
    - targeting achievement
    - who is involved
    - only the IT dept implements strategy planning

    Risk Analysis

    Security Policies - how to allocate resources (time (testing, configuration), money/budget, human resources)
    - must make sure there is training on policies, to make sure everyone knows them

    Physical Security

  • 2/27

    Security Planning - Policy

    Current state - risk analysis
    - What are the assets?
    - What are the risks linked with each asset?
    - Who are going to
    Requirements
    Recommended controls
    Accountability
    Timetable

  • 3/27

    Security Planning - Policy

    Who should be allowed access?
    To what system and organizational resources should access be allowed?
    What types of access should each user be allowed for each resource?

  • 4/27

    Security Planning - Policy

    What are the organization's goals on security?
    Where does the responsibility for security lie?
    What is the organization's commitment to security?

  • 5/27

    OCTAVE Methodology
    (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
    http://www.cert.org/octave/

    Identify enterprise knowledge.
    Identify operational area knowledge.
    Identify staff knowledge.
    Establish security requirements.
    Map high-priority information assets to information infrastructure.
    Perform an infrastructure vulnerability evaluation.
    Conduct a multidimensional risk analysis.
    Develop a protection strategy.

  • 6/27

    Security Planning - Requirements of the TCSEC
    (Trusted Computer System Evaluation Criteria; note: not coming for the final)

    Security Policy - there must be an explicit and well-defined security policy enforced by the system.
    Every subject must be uniquely and convincingly identified.
    Every object must be associated with a label that indicates its security level.
    The system must maintain complete, secure records of actions that affect security.
    The computing system must contain mechanisms that enforce security.
    The mechanisms that implement security must be protected against unauthorized change.

  • 7/27

    BS7799

    BS7799 - the information security standard
    Has 137 controls, ex: installation, uninstallation,
    Initially created as a British standard for government and university use
    Can be simply implemented for any type of organization

  • 8/27

    Security Planning Team Members

    Computer hardware group
    System administrators
    Systems programmers
    Application programmers
    Data entry personnel
    Physical security personnel
    Representative users

  • 9/27

    Security Planning

    Assuring Commitment to a Security Plan

    Business Continuity Plans
    - Assess Business Impact
    - Develop Strategy
    - Develop Plan

    Incident Response Plans
    - Advance Planning
    - Response Team
    - After the Incident is Resolved

  • 10/27

    Risk Analysis

    Risk impact - loss associated with an event
    Risk probability - likelihood that the event will occur
    Risk control - degree to which we can change the outcome
    Risk exposure = risk impact * risk probability

  • 11/27

    Risk Analysis - risk reduction

    Avoid the risk
    Transfer the risk
    Assume the risk

    Risk leverage = [(risk exposure before reduction) - (risk exposure after reduction)] / cost of risk reduction

    Cannot guarantee systems are risk free
    Security plans must address the action needed should an unexpected risk become a problem

  • 12/27

    Steps of a Risk Analysis

    Identify assets
    Determine vulnerabilities
    Estimate likelihood of exploitation
    Compute expected annual loss
    Survey applicable controls and their costs
    Project annual savings of control
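    The formulas on slides 10 and 11 (risk exposure = impact * probability; risk leverage = (exposure before - exposure after) / cost of reduction) drive the last three steps on slide 12. The following is an added worked example, not part of the slides: it computes the expected annual loss for one constructed risk, projects the annual savings of three constructed controls, and ranks them by leverage. The asset, dollar figures, probabilities and control names are all made up for illustration; a leverage below 1.0 is the case slide 17 asks about, where the cost of the control outweighs the benefit.

```python
"""Risk exposure, expected annual loss and risk leverage (added example).

Uses the deck's definitions: exposure = impact * probability, and
leverage = (exposure before - exposure after) / cost of reduction.
All figures below are constructed sample data, not from the slides.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    """One risk to one asset.

    impact:      loss associated with the event (dollars)
    probability: likelihood the event occurs in one year (0.0 .. 1.0)
    """
    name: str
    impact: float
    probability: float

    def exposure(self) -> float:
        """Risk exposure = risk impact * risk probability.

        With a per-year probability this is the expected annual loss
        asked for in step 4 of the risk analysis.
        """
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        return self.impact * self.probability


@dataclass(frozen=True)
class Control:
    """A candidate control: its yearly cost and the risk values after it is applied.

    A control may lower the probability (prevention), the impact (recovery), or both.
    """
    name: str
    annual_cost: float
    probability_after: float
    impact_after: float


def risk_leverage(exposure_before: float, exposure_after: float, cost: float) -> float:
    """Risk leverage = (exposure before - exposure after) / cost of reduction.

    Above 1.0 the control saves more per year than it costs; below 1.0 the
    cost of the control outweighs the benefit.
    """
    if cost <= 0:
        raise ValueError("cost of risk reduction must be positive")
    return (exposure_before - exposure_after) / cost


def evaluate_controls(risk: Risk, controls: List[Control]) -> List[dict]:
    """Steps 4-6 for one risk: expected annual loss, projected annual savings
    of each control, and a ranking by risk leverage (best first)."""
    before = risk.exposure()
    rows = []
    for c in controls:
        after = Risk(risk.name, c.impact_after, c.probability_after).exposure()
        savings = before - after  # projected annual savings of the control
        rows.append({
            "control": c.name,
            "exposure_before": before,
            "exposure_after": after,
            "annual_savings": savings,
            "net_benefit": savings - c.annual_cost,
            "leverage": risk_leverage(before, after, c.annual_cost),
        })
    rows.sort(key=lambda r: r["leverage"], reverse=True)
    return rows


# Constructed sample: a database server whose disk failure loses customer data.
SAMPLE_RISK = Risk("database disk failure loses customer data",
                   impact=200_000.0, probability=0.10)

SAMPLE_CONTROLS = [
    # Mirrored disks: far fewer failures, same impact when one does happen.
    Control("RAID mirroring", annual_cost=2_000.0,
            probability_after=0.02, impact_after=200_000.0),
    # Nightly offsite backup: failures still happen, but little data is lost.
    Control("nightly offsite backup", annual_cost=6_000.0,
            probability_after=0.10, impact_after=10_000.0),
    # Hot site: almost no loss, but too expensive for a single risk of this size.
    Control("hot site", annual_cost=50_000.0,
            probability_after=0.10, impact_after=2_000.0),
]


def rank_sample_controls() -> List[str]:
    """Control names for the sample risk, best leverage first."""
    return [row["control"] for row in evaluate_controls(SAMPLE_RISK, SAMPLE_CONTROLS)]


if __name__ == "__main__":
    print(f"expected annual loss: ${SAMPLE_RISK.exposure():,.0f}")
    for row in evaluate_controls(SAMPLE_RISK, SAMPLE_CONTROLS):
        print(f"{row['control']:<24} savings ${row['annual_savings']:>9,.0f}  "
              f"net ${row['net_benefit']:>9,.0f}  leverage {row['leverage']:.2f}")
```

    The ranking shows why leverage, not raw savings, is the selection criterion: the hot site saves the most per year but has leverage well below 1.0, so for this one risk its cost outweighs the benefit, while the cheap RAID control ranks first.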

  • 13/27

    Identify Assets

    Hardware
    Software
    Data
    People
    Procedures (policies, training)
    Documentation
    Supplies
    Infrastructure (building, power, water)

  • 14/27

    Determine Vulnerabilities

    Asset       | Confidentiality | Integrity | Availability
    ------------+-----------------+-----------+-------------
    Hardware    |                 |           |
    Software    |                 |           |
    Data        |                 |           |
    People      |                 |           |
    Procedures  |                 |           |

  • 15/27

    Determine Vulnerabilities

    What are the effects of unintentional errors?
    What are the effects of willfully malicious insiders?
    What are the effects of outsiders?
    What are the effects of natural and physical disasters?

  • 16/27

    Risk Analysis

    Estimate Likelihood of Exploitation
    - Classical probability
    - Frequency probability (simulation)
    - Subjective probability (Delphi approach)

    Compute Expected Loss (look for hidden costs)
    - Legal obligations
    - Side effects
    - Psychological effects

  • 17/27

    Risk Analysis

    Survey and Select New Controls
    - What Criteria Are Used for Selecting Controls?
    - Vulnerability Assessment and Mitigation (VAM) Methodology
    - How Do Controls Affect What They Control?
    - Which Controls Are Best?

    Project Savings
    - Do costs outweigh the benefits of preventing / mitigating risks?

  • 18/27

    Arguments for Risk Analysis

    Improve awareness
    Relate security mission to management objectives
    Identify assets, vulnerabilities, and controls
    Improve basis for decisions
    Justify expenditures for security

  • 19/27

    Arguments against Risk Analysis

    False sense of precision and confidence
    Hard to perform
    Immutability (filed and forgotten)
    Lack of accuracy

    "Today's complex Internet networks cannot be made watertight. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create."
    - Robert Graham, lead architect of Internet Security Systems

  • 20/27

    Organizational Security Policies

    Who can access which resources in what manner?

    Security policy - high-level management document that informs all users of the goals and constraints on using a system.

  • 21/27

    Security Policies Purpose

    Recognize sensitive information assets
    Clarify security responsibilities
    Promote awareness for existing employees
    Guide new employees

  • 22/27

    Security Policies Audience

    Users
    Owners
    Beneficiaries
    Balance Among All Parties

  • 23/27

    Contents

    Purpose
    Protected Resources (what - asset list)
    Nature of the Protection (who and how)

  • 24/27

    Characteristics of a Good Security Policy

    Coverage (comprehensive)
    Durability
    Realism
    Usefulness
    Examples

  • 25/27

    Physical Security

    Natural Disasters
    - Flood
    - Fire
    - Other

    Power Loss
    - UPS; surge suppressors (line conditioners)

    Human Vandals
    - Unauthorized Access and Use
    - Theft

  • 26/27

    Physical Security

    Interception of Sensitive Information
    - Dumpster Diving - Shredding
    - Remanence (slack bits) - Overwriting Magnetic Data
      - DiskWipe
      - Degaussing
    - Emanation - Tempest

  • 27/27

    Contingency Planning

    BACKUP!!!!!
    - Complete backup
    - Revolving backup
    - Selective backup

    OFFSITE BACKUP!!!!!
    - Networked Storage (SAN)
    - Cold site (shell)
    - Hot site