Administrating Security
8/9/2019 Administrating Security

Administering Security

Security Planning
  comparison of security planning / strategies
  focus on procedure
  ex: how much we spend for the project
  targeting achievement
  who is involved
  only the IT dept implements the strategy planning
Risk Analysis
Security Policies - how to allocate resources (time (testing, configuration), money/budget, human resources)
  - must make sure there is training on the policies so that everyone knows them
Physical Security

Security Planning - Policy
Current state: risk analysis
  What are the assets?
  What are the risks linked with the assets?
  Who are going to
Requirements
Recommended controls
Accountability
Timetable

Security Planning - Policy
Who should be allowed access?
To what system and organizational resources should access be allowed?
What types of access should each user be allowed for each resource?

Security Planning - Policy
What are the organization's goals on security?
Where does the responsibility for security lie?
What is the organization's commitment to security?

OCTAVE Methodology
(operationally control, threats, asset, vulnerabilities)
http://www.cert.org/octave/
Identify enterprise knowledge.
Identify operational area knowledge.
Identify staff knowledge.
Establish security requirements.
Map high-priority information assets to information infrastructure.
Perform an infrastructure vulnerability evaluation.
Conduct a multidimensional risk analysis.
Develop a protection strategy.

Security Planning - Requirements of the TCSEC
Testing (computer, system, evaluation, criteria) - not coming for the final
Security policy: there must be an explicit and well-defined security policy enforced by the system.
Every subject must be uniquely and convincingly identified.
Every object must be associated with a label that indicates its security level.
The system must maintain complete, secure records of actions that affect security.
The computing system must contain mechanisms that enforce security.
The mechanisms that implement security must be protected against unauthorized change.

BS7799
BS7799 - the information security standard
Has 137 controls, ex: installation, uninstallation, ...
Initially created as a British standard for government and universities
Can be simply implemented for any type of organization

Security Planning Team Members
Computer hardware group
System administrators
Systems programmers
Application programmers
Data entry personnel
Physical security personnel
Representative users

Security Planning
Assuring Commitment to a Security Plan
Business Continuity Plans
  Assess Business Impact
  Develop Strategy
  Develop Plan
Incident Response Plans
  Advance Planning
  Response Team
  After the Incident is Resolved

Risk Analysis
Risk impact - loss associated with an event
Risk probability - likelihood that the event will occur
Risk control - degree to which we can change the outcome
Risk exposure = risk impact * risk probability

Risk Analysis - risk reduction
Avoid the risk
Transfer the risk
Assume the risk
Risk leverage = [(risk exposure before reduction) - (risk exposure after reduction)] / cost of risk reduction
Cannot guarantee systems are risk free
Security plans must address the action needed should an unexpected risk become a problem

Steps of a Risk Analysis
Identify assets
Determine vulnerabilities
Estimate likelihood of exploitation
Compute expected annual loss
Survey applicable controls and their costs
Project annual savings of control
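The exposure, leverage and annual-savings steps above, carried through for one asset and several candidate controls. This is an added example, not part of the slides; the asset, event, probabilities, impacts and control costs are constructed sample figures.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Risk:
    asset: str
    event: str
    impact: float       # loss if the event occurs (money units)
    probability: float  # likelihood the event occurs in a year, 0..1

    def exposure(self) -> float:
        # Risk exposure = risk impact * risk probability (expected annual loss)
        return self.impact * self.probability

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_probability: float              # probability once the control is in place
    new_impact: Optional[float] = None  # impact after the control; None = unchanged

def exposure_after(risk: Risk, ctl: Control) -> float:
    impact = risk.impact if ctl.new_impact is None else ctl.new_impact
    return impact * ctl.new_probability

def risk_leverage(risk: Risk, ctl: Control) -> float:
    # Risk leverage = (exposure before reduction - exposure after reduction) / cost
    return (risk.exposure() - exposure_after(risk, ctl)) / ctl.annual_cost

def annual_savings(risk: Risk, ctl: Control) -> float:
    # Projected annual saving: expected loss avoided minus what the control costs
    return risk.exposure() - exposure_after(risk, ctl) - ctl.annual_cost

def best_control(risk: Risk, controls: Sequence[Control]) -> Optional[Control]:
    # Highest leverage wins; leverage <= 1 means the control costs more than it
    # saves, so None is returned and the plan must assume or transfer the risk.
    ranked = sorted(controls, key=lambda c: risk_leverage(risk, c), reverse=True)
    return ranked[0] if ranked and risk_leverage(risk, ranked[0]) > 1 else None

# Constructed sample: one asset/event pair and three candidate controls.
DB_LOSS = Risk("customer database", "disk failure", impact=200_000, probability=0.05)
CANDIDATES = [
    Control("nightly offsite backup", annual_cost=3_000, new_probability=0.05, new_impact=20_000),
    Control("RAID mirroring", annual_cost=1_500, new_probability=0.01),
    Control("hot site", annual_cost=15_000, new_probability=0.05, new_impact=5_000),
]

if __name__ == "__main__":
    print(f"exposure before: {DB_LOSS.exposure():.0f}")
    for c in CANDIDATES:
        print(f"{c.name:24s} leverage {risk_leverage(DB_LOSS, c):5.2f} "
              f"savings {annual_savings(DB_LOSS, c):8.0f}")
    chosen = best_control(DB_LOSS, CANDIDATES)
    print("choose:", chosen.name if chosen else "none (assume or transfer the risk)")
```

With these figures the hot site reduces exposure the most but its leverage is below 1, so it costs more per year than it saves; RAID mirroring has the highest leverage and is selected.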

Identify Assets
Hardware
Software
Data
People
Procedures (policies, training)
Documentation
Supplies
Infrastructure (building, power, water, ...)

Determine Vulnerabilities
Asset        Confidentiality   Integrity   Availability
Hardware
Software
Data
People
Procedures
(matrix to be filled in: for each asset, the vulnerabilities affecting each property)

Determine Vulnerabilities
What are the effects of unintentional errors?
What are the effects of willfully malicious insiders?
What are the effects of outsiders?
What are the effects of natural and physical disasters?

Risk Analysis
Estimate Likelihood of Exploitation
  Classical probability
  Frequency probability (simulation)
  Subjective probability (Delphi approach)
Compute Expected Loss (look for hidden costs)
  Legal obligations
  Side effects
  Psychological effects

Risk Analysis
Survey and Select New Controls
  What criteria are used for selecting controls?
  Vulnerability Assessment and Mitigation (VAM) Methodology
  How do controls affect what they control?
  Which controls are best?
Project Savings
  Do costs outweigh benefits of preventing / mitigating risks?

Arguments for Risk Analysis
Improve awareness
Relate security mission to management objectives
Identify assets, vulnerabilities, and controls
Improve basis for decisions
Justify expenditures for security

Arguments against Risk Analysis
False sense of precision and confidence
Hard to perform
Immutability (filed and forgotten)
Lack of accuracy
"Today's complex Internet networks cannot be made watertight. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create."
- Robert Graham, lead architect of Internet Security Systems

Organizational Security Policies
Who can access which resources in what manner?
Security policy - high-level management document that informs all users of the goals and constraints on using a system.

Security Policies - Purpose
Recognize sensitive information assets
Clarify security responsibilities
Promote awareness for existing employees
Guide new employees

Security Policies - Audience
Users
Owners
Beneficiaries
Balance among all parties

Contents
Purpose
Protected Resources (what - asset list)
Nature of the Protection (who and how)

Characteristics of a Good Security Policy
Coverage (comprehensive)
Durability
Realism
Usefulness
Examples

Physical Security
Natural Disasters
  Flood
  Fire
  Other
Power Loss
  UPS; surge suppressors (line conditioners)
Human Vandals
  Unauthorized Access and Use
  Theft

Physical Security
Interception of Sensitive Information
  Dumpster Diving - Shredding
  Remanence (slack bits) - Overwriting Magnetic Data, DiskWipe, Degaussing
  Emanation - Tempest

Contingency Planning
BACKUP!!!!!
  Complete backup
  Revolving backup
  Selective backup
OFFSITE BACKUP!!!!!
  Networked Storage (SAN)
  Cold site (shell)
  Hot site