Research in: Security Planning and Auditing

Research in: Security Planning and Auditing Bel G Raggad Seidenberg School of CS & IS


Transcript of Research in: Security Planning and Auditing

Page 1: Research in: Security Planning and Auditing

Research in: Security Planning and Auditing

Bel G Raggad

Seidenberg School of CS & IS

Page 2: Research in: Security Planning and Auditing

1. Security Planning
2. Security Risk Assessment
3. Security Taxonomy
4. Security Auditing
5. Risk-Driven Security Program
6. Security Standards
7. Biometrics

Outline

Page 3: Research in: Security Planning and Auditing

Security Planning

Page 4: Research in: Security Planning and Auditing

Purpose of Security Plan:

· Provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements; and

· Delineate responsibilities and expected behavior of all individuals who access the system.

Page 5: Research in: Security Planning and Auditing

Security Planning

Diagram: Raggad SP Methodology. Input: a Major Application or a General Support System. Process (the tools): Strategic Security Definition, Strategic Security Analysis, Strategic Security Design, Strategic Security Choice, Strategic Security Review. Output: the Security Plan, a book.

Page 6: Research in: Security Planning and Auditing

Chapter 1: Introduction for MA or GSS

1.1 Background
1.2 Purpose of Security Plan
1.3 System Boundaries
1.4 Multiple Similar Systems
1.5 System Category
1.6 Major Applications
1.7 General Support System

Chapter 2: System Definition for MA or GSS

2.1 Plan Control
2.2 System Identification
2.2.1 System Name/Title
2.2.2 Responsible Organization
2.2.3 Information Contact(s)
2.2.4 Assignment of Security Responsibility
2.3 System Operational Status
2.4 General Description/Purpose
2.5 System Environment
2.6 System Interconnection/Information Sharing
2.7 Sensitivity of Information Handled
2.7.1 Laws, Regulations, and Policies Affecting the System
2.7.2 General Description of Sensitivity

Page 7: Research in: Security Planning and Auditing

Chapter 3: Management Controls for MA or GSS

3.1 Risk Assessment and Management
3.2 Review of Security Controls
3.3 Rules of Behavior
3.4 Planning for Security in the Life Cycle
3.4.1 Initiation Phase
3.4.2 Development/Acquisition Phase
3.4.3 Implementation Phase
3.4.4 Operation/Maintenance Phase
3.4.5 Disposal Phase
3.5 Authorize Processing

Page 8: Research in: Security Planning and Auditing

Chapter 4

Operational Controls for MA

4.MA.1 Personnel Security
4.MA.2 Physical and Environmental Protection
4.MA.3 Production, Input/Output Controls
4.MA.4 Contingency Planning
4.MA.5 Application Software Maintenance Controls
4.MA.6 Data Integrity/Validation Controls
4.MA.7 Documentation
4.MA.8 Security Awareness and Training

Operational Controls for GSS

4.GSS.1 Personnel Security
4.GSS.2 Physical and Environmental Protection
4.GSS.3 Production, Input/Output Controls
4.GSS.4 Contingency Planning
4.GSS.5 Hardware and System Software Maintenance Controls
4.GSS.6 Integrity Controls
4.GSS.7 Documentation
4.GSS.8 Security Awareness and Training
4.GSS.9 Incident Response Capability

Page 9: Research in: Security Planning and Auditing

Chapter 5

Technical Controls for MA

5.MA.1 Identification and Authentication
5.MA.1.1 Identification
5.MA.1.2 Authentication
5.MA.2 Logical Access Controls
5.MA.3 Public Access Controls
5.MA.4 Audit Trails

Technical Controls for GSS

5.GSS.1 Identification and Authentication
5.GSS.1.1 Identification
5.GSS.1.2 Authentication
5.GSS.2 Logical Access Controls
5.GSS.3 Audit Trails

Page 10: Research in: Security Planning and Auditing

Chapter 6 for MA or GSS

6.1 Periodic Reviews

6.2 Monitoring the SP Progress

Page 11: Research in: Security Planning and Auditing

SP Methodology

1. Strategic Security Definition
2. Strategic Security Analysis
3. Strategic Security Design
4. Strategic Security Choice
5. Strategic Security Review

Page 12: Research in: Security Planning and Auditing

SP is a book of 6 Chapters:

Chapter 1: Introduction/Executive Summary (1 section)
Chapter 2: System Definition (10 sections)
Chapter 3: Managerial Controls (3 sections)
Chapter 4: Operational Controls (8 sections)
Chapter 5: Technical Controls (3 sections for a GSS, 4 for an MA)
Chapter 6: Conclusions (1 section)

The phases that produce it:

1. Strategic Definition Phase
2. Strategic Analysis Phase
3. Strategic Design Phase
4. Strategic Choice Phase
5. Strategic Review Phase

Page 13: Research in: Security Planning and Auditing

Strategic Security Definition

- Security plan certification and acceptance page;
- Security plan document handling/control;
- Date of study;
- Responsible organization;
- Information contacts;
- System name/title;
- System category;
- General description and purpose;
- System environment and special considerations; and
- Systems interconnections and information sharing.

Page 14: Research in: Security Planning and Auditing

Strategic Security Design

- Restructuring
- Reorganization
- Process reengineering

Security control measures:
- Management controls
- Operational controls
- Technical controls

Page 15: Research in: Security Planning and Auditing

Management Controls

- Administration controls:
  - Assignment of Security Responsibility
  - Personnel security
- Development/Implementation controls:
  - Authorization of Processing
  - Security Specifications
  - Acquisition Specifications
  - Design Review and Testing

Page 16: Research in: Security Planning and Auditing

Operational Controls

- Physical and Environmental Protection
- Production
- Hardware and System Software Maintenance Controls
- Security Awareness and Training
- Documentation
- Contingency Plan
- Audit and Variance Detection

Page 17: Research in: Security Planning and Auditing

Technical Controls

- User Identification and Authentication
  - Identification
  - Authentication
- Authorization/Access Controls
  - Logical access controls
  - Dial-In Access
  - Wide Area Networks
  - Screen Warning Banners (SWB)
- Public Access Controls
- Data Integrity/Validation Controls
  - Malicious Programs
  - Virus Protection
  - Message Authentication
  - Integrity Verification
  - Reconciliation
  - Digital Signature
- Audit Trail Mechanisms
- Confidentiality Controls
- Incident Response Capability

Page 18: Research in: Security Planning and Auditing

Strategic Security Choice

- The security plan phases performed so far may produce different versions of a security plan.
- The SPW meets with the system owners and the security administrator to review new organizational changes, new security policy additions, and new security change requests before presenting the prevailing version of the completed security plan.
- The purpose of the strategic security choice is to make sure that all recommendations included in the final version of the security plan are the most appropriate possible.
- System owners have to approve all security controls adopted in the security plan.

Page 19: Research in: Security Planning and Auditing

Security Strategic Review

The purpose of the strategic review is to ensure that the system or application behaves according to the Design Manual containing the security solutions included in the security plan.

Page 20: Research in: Security Planning and Auditing

Strategic Security Review

- Life cycle: set arbitrarily to 3 years.
- System owners have to periodically evaluate risks.
- System owners have to periodically evaluate the validity of the security controls included in the security plan.
- Whenever the security risks or the security controls change, corrective actions should be applied.
- Security controls become invalid or lose efficiency or effectiveness when an organizational change takes place, when a new technology emerges, when security policies change, etc.
- The methodology proposes a security deficiency indicator, the security corrective score, that should be periodically computed. If the security corrective score falls below a prescribed threshold, for example 0.4, the security plan should be revised.

Page 21: Research in: Security Planning and Auditing

Research in Risk Methodology

Page 22: Research in: Security Planning and Auditing

Security Risk Model

Page 23: Research in: Security Planning and Auditing

Figure (Relative Security, RS4: unsecured asset): a Threat in Layer T passes through the security layer (Layer S) to the affected asset (Layer A); the asset's Vulnerabilities (Layer V) let the threat produce Damage.

Page 24: Research in: Security Planning and Auditing

Figure (Relative Security, RS4: secure asset): the same four layers, but the affected asset has No Vulnerabilities left exposed, so the Threat produces No Damage.

Page 25: Research in: Security Planning and Auditing

Equation in (T, S, V, B)? Threat T, Security S, Vulnerability V, Business value B.

Basic Risk (S = 0)?
Residual Risk (S > 0)?

Page 26: Research in: Security Planning and Auditing

Figure: layers T, S, A, V for one asset. Business value B = $20,000; threat probability t = .5; vulnerability V = .2; Relative Security S = .8.

Risk to lose $400? ARisk = B × t × V × (1 − S) = 20,000 × .5 × .2 × (1 − .8) = $400.

Page 27: Research in: Security Planning and Auditing

Figure: the same asset with weaker security. B = $20,000; t = .8; V = .9; Relative Security S = .2.

Risk to lose $11,520: ARisk = 20,000 × .8 × .9 × (1 − .2) = $11,520.

Page 28: Research in: Security Planning and Auditing

Figure: the same four layers with no security in place (Relative Security S = 0), B = $20,000. Per-layer vulnerabilities V1 = .2, V2 = .6, V3 = .3, V4 = .5, V5 = .4, so V = (v1 + v2 + v3 + v4 + v5)/5 = .4.

t = .5 is the probability that threat T takes place; V is the probability that threat T has an effect on asset A given that T has taken place.

Risk to lose $4,000: expected loss of asset A due to threat T = B × t × V = 20,000 × .5 × .4 = $4,000.

Page 29: Research in: Security Planning and Auditing

Figure: the same asset with controls in place, Relative Security S = (.8, .6, .0, 1.0, .6) per layer (S1 = .8, S2 = .6, S3 = .0, S4 = 1, S5 = .6), B = $20,000, t = .5 the probability that threat T takes place, and the per-layer vulnerabilities of the previous slide the probability that T has an effect on asset A given that T has taken place.

Each layer's vulnerability is reduced by its security: v_i (1 − s_i) = (.04, .24, .30, 0, .16), averaging .148.

Risk in $: $1,480. Expected loss of asset A due to threat T = 20,000 × .5 × .148 = $1,480.

Page 30: Research in: Security Planning and Auditing

Mathematical Model

Page 31: Research in: Security Planning and Auditing

Figure: enterprise risk R[Ω] laid out as an asset-by-threat matrix.

- Rows: assets A1 … Aj … Am, with asset economic weights w1 … wj … wm.
- Columns: exclusive threats T1 … Tn, with probabilities ζ1 … ζn.
- Cell (j, i): L_ij, the business loss due to threat T_i acting on asset A_j through its vulnerabilities, computed as v_ij'(1 − s_ij), where v_ij' is the transpose vector of asset A_j's vulnerabilities associated with threat T_i and s_ij the vector of relative security provided by the security controls covering those vulnerabilities.

Read over all assets and any exclusive threat T, the diagram gives:

R[Ω] = Σ_{j=1..m} w_j · Σ_{i=1..n} ζ_i · L_ij,   with L_ij = v_ij'(1 − s_ij)

In the single-asset examples on pages 26-29, w_j is the business value B, ζ_i is t, and the product v'(1 − s) is averaged over the layers.
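The layered model behind the four worked cases on pages 26-29 and the enterprise matrix on page 31, written out as an added example (not the presentation's own code). It assumes the reading Risk(A, T) = B × t × (1/n) Σ_k v_k (1 − s_k), which reproduces the $400, $11,520, $4,000 and $1,480 figures, and assumes that in the enterprise figure w_j plays the role of B and ζ_i the role of t. The range checks, the exclusive-threat check, the per-layer risk-avoided breakdown, the Asset class and the two-asset sample are assumptions of this example, not the slides'.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence


def _check_unit(values, what: str) -> None:
    """Probabilities and relative-security scores must lie in [0, 1]."""
    for x in values:
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{what} out of range [0, 1]: {x}")


def exposure(v: Sequence[float], s: Sequence[float]) -> float:
    """Vulnerability that survives the controls, averaged over layers:
    (1/n) * sum_k v_k * (1 - s_k). With every s_k = 0 this is the plain V."""
    if not v or len(v) != len(s):
        raise ValueError("v and s must be non-empty and of equal length")
    _check_unit(v, "vulnerability v")
    _check_unit(s, "relative security s")
    return sum(vk * (1.0 - sk) for vk, sk in zip(v, s)) / len(v)


def asset_risk(B: float, t: float, v: Sequence[float], s: Sequence[float]) -> float:
    """Expected loss of one asset to one threat: B * t * exposure(v, s)."""
    _check_unit([t], "threat probability t")
    return B * t * exposure(v, s)


def basic_risk(B: float, t: float, v: Sequence[float]) -> float:
    """Risk with no security in place (S = 0), page 25's 'basic risk'."""
    return asset_risk(B, t, v, [0.0] * len(v))


def risk_avoided_by_layer(B: float, t: float, v: Sequence[float],
                          s: Sequence[float]) -> List[float]:
    """Dollar risk each layer's control removes: B * t * v_k * s_k / n.
    Summed, this equals basic_risk - asset_risk (an audit check), and it
    ranks the layers by how much their controls actually buy."""
    n = len(v)
    return [B * t * vk * sk / n for vk, sk in zip(v, s)]


@dataclass
class Asset:
    name: str
    w: float                          # economic weight, the B of the examples
    v: Dict[str, Sequence[float]]     # threat name -> per-layer vulnerabilities
    s: Dict[str, Sequence[float]]     # threat name -> per-layer relative security


def enterprise_risk(assets: Sequence[Asset], zeta: Dict[str, float]) -> float:
    """R[Omega] = sum_j w_j * sum_i zeta_i * L_ij with L_ij = exposure(v_ij, s_ij).
    The slide calls the threats exclusive, so their probabilities cannot
    add up to more than 1; anything else means the threat list overlaps."""
    _check_unit(zeta.values(), "threat probability zeta")
    if sum(zeta.values()) > 1.0 + 1e-9:
        raise ValueError("exclusive threat probabilities sum above 1")
    total = 0.0
    for a in assets:
        for threat, p in zeta.items():
            total += a.w * p * exposure(a.v[threat], a.s[threat])
    return total


def slide_examples() -> Dict[str, float]:
    """The four worked cases from pages 26-29 (B = $20,000 throughout)."""
    layers_v = [0.2, 0.6, 0.3, 0.5, 0.4]
    return {
        "page26": asset_risk(20_000, 0.5, [0.2], [0.8]),                         # 400
        "page27": asset_risk(20_000, 0.8, [0.9], [0.2]),                         # 11,520
        "page28": basic_risk(20_000, 0.5, layers_v),                             # 4,000
        "page29": asset_risk(20_000, 0.5, layers_v, [0.8, 0.6, 0.0, 1.0, 0.6]),  # 1,480
    }


if __name__ == "__main__":
    for label, risk in slide_examples().items():
        print(f"{label}: ${risk:,.0f}")
    # Constructed two-asset enterprise: asset A is the page-29 asset, asset B a
    # smaller one; T1 and T2 are exclusive threats with probabilities .5 and .3.
    a = Asset("A", 20_000, {"T1": [0.2, 0.6, 0.3, 0.5, 0.4], "T2": [0.9]},
              {"T1": [0.8, 0.6, 0.0, 1.0, 0.6], "T2": [0.2]})
    b = Asset("B", 5_000, {"T1": [0.5, 0.5], "T2": [0.1, 0.1]},
              {"T1": [0.5, 0.5], "T2": [0.0, 0.0]})
    print(f"R[Omega]: ${enterprise_risk([a, b], {'T1': 0.5, 'T2': 0.3}):,.0f}")
```

Per-layer breakdown is the part a planner actually uses: for the page-29 asset, layer 4 (v = .5, s = 1.0) removes $1,000 of the $2,520 avoided, while layer 3 (s = 0) removes nothing, which is where the next control belongs.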

Page 32: Research in: Security Planning and Auditing

Security Taxonomy

&

Policy Flow Diagram

Page 33: Research in: Security Planning and Auditing

The Vital Defense Strategy:

Raggad’s Taxonomy

Page 34: Research in: Security Planning and Auditing

 3 Discrimination

Parameters:

- SECURITY DISRUPTION
- ACTING ENTITY
- ATTACK MODEL

Page 35: Research in: Security Planning and Auditing

3 SECURITY DISRUPTIONS (F. COHEN, 1995):

- INFORMATION LEAKAGE
- INFORMATION CORRUPTION
- INFORMATION/SERVICE DENIAL

Page 36: Research in: Security Planning and Auditing

5 ACTING ENTITIES (Whitten, Bentley, and Barlow, 1996):

- PEOPLE
- ACTIVITY
- NETWORK
- TECHNOLOGY
- DATA

Page 37: Research in: Security Planning and Auditing

4 ATTACK MODELS:

- PROBE MODEL
- AUTHORIZED ACCESS MODEL
- FACTORY MODEL
- INFRASTRUCTURE MODEL

Page 38: Research in: Security Planning and Auditing

DISRUPTION × ENTITY × MODEL = 3 × 5 × 4

60 TYPES of SECURITY INFORMATION SYSTEMS

Page 39: Research in: Security Planning and Auditing

Figure: the taxonomy as a cube. Acting-entity axis: A (Activity), D (Data), N (Network), P (People), T (Technology). Disruption axis: C (Corruption), L (Leakage), D (Denial). Attack-model axis: AA (Authorized Access), FA (Factory), IN (Infrastructure), PR (Probe).

Example cell (IN, P, D): how can People evoke an Infrastructure attack and produce a DoS?

Page 40: Research in: Security Planning and Auditing

Linking Security Taxonomy to IDS?

Page 41: Research in: Security Planning and Auditing

IDS Engine:

1. IDS processing
2. IDS monitoring
3. IDS timing
4. IDS analysis
5. IDS distribution
6. IDS embedding

IDS Response:

Page 42: Research in: Security Planning and Auditing

Linking Security Taxonomy to Policy?

Page 43: Research in: Security Planning and Auditing

First-order policy flow context diagram

Figure: Activity at the centre, with policy flows to and from the other four acting entities: People, Technology, Data, and Network.

Page 44: Research in: Security Planning and Auditing

Linking Security Taxonomy to Security Strategy?

Page 45: Research in: Security Planning and Auditing

Phases for a security strategy

Phase 1: Define a security strategy

Phase 2: Develop security policy and controls

Page 46: Research in: Security Planning and Auditing

Modified Benson’s methodology for defining a security strategy (MBSS)

Objective: help security professionals develop a strategy to protect the availability, integrity, and confidentiality of data in an organization's information technology (IT) system.

Players: information resource managers, computer security officials, administrators, and policy staff.

Risks reduced: a systematic approach to:

- Establish contingency plans in case of a disaster.
- Eliminate user errors and malicious and non-malicious attacks.
- Detect and stop attackers who could gain access to the system and disrupt services, render systems useless, or alter, delete, or steal information.

Page 47: Research in: Security Planning and Auditing

The process of MBSS

Security administrators and management: decide how much time, money, and effort needs to be spent in order to develop the appropriate security policies and controls. Analyze the company's specific needs and determine its resource and scheduling requirements and constraints.

Not a one-time activity: a security strategy can save the organization valuable time and provide important reminders of what needs to be done, but it is not a one-time activity.

An integral part of the system lifecycle: periodic updating or appropriate revision is needed, and also when changes in configurations and other conditions and circumstances take place.

An iterative process: it is never finished and should be revised and tested periodically.

Page 48: Research in: Security Planning and Auditing

MBSS: steps for a security strategy

Steps in defining a security strategy:

Reviewing current security policies

Identifying Assets and Vulnerabilities to Known Threats

Identifying Likely Attack Methods, Tools, and Techniques

Establishing Proactive and Reactive Strategies

Testing

Page 49: Research in: Security Planning and Auditing

Review of current policies

Need for a strategy: to determine the vulnerabilities, and the current security policies and controls that guard against them.

Current status of security policy: need to identify areas of deficiency in the policies and examine all existing documents, such as:

Physical computer security policies such as physical access controls.

Network security policies (for example, e-mail and Internet policies).

Data security policies (access control and integrity controls).

Contingency and disaster recovery plans and tests.

Computer security awareness and training.

Computer security management and coordination policies.

Any other document that contains sensitive information, e.g., computer BIOS passwords, router configuration passwords, access control documents, and other device management passwords.

Page 50: Research in: Security Planning and Auditing

Identifying Assets and Vulnerabilities to Known Threats

Assessing an organization's security needs:

determining its vulnerabilities to known threats.

recognizing the types of assets that an organization has, which will suggest the types of threats it needs to protect itself against.

Examples of some typical asset/threat situations:

The security admin of a bank knows that the integrity of the bank's information is a critical asset and that fraud, accomplished by compromising this integrity, is a major threat. Fraud can be attempted by inside or outside attackers.

The security admin of a Web site knows that supplying information reliably (data availability) is the site's principal asset. The threat to this information service is a denial of service attack, which is likely to come from an outside attacker.

Page 51: Research in: Security Planning and Auditing

Other examples of some typical asset/threat situations

A law firm security admin knows that the confidentiality of its information is an important asset. The threat to confidentiality is intrusion attacks, which might be launched by inside or outside attackers.

A security admin in any organization knows that the integrity of information on the system could be threatened by a virus attack. A virus could be introduced by an employee copying games to his work computer or by an outsider in a deliberate attempt to disrupt business functions.

etc.

Page 52: Research in: Security Planning and Auditing

Identifying likely attack methods, tools, and techniques

Listing the threats helps the security administrator to identify the various methods, tools, and techniques that can be used in an attack.

Methods can range from viruses and worms to password and e-mail cracking.

It is important that administrators update their knowledge of this area on a continual basis, because new methods, tools, and techniques for circumventing security measures are constantly being devised.

Page 53: Research in: Security Planning and Auditing

Establishing proactive and reactive strategies

For each method, the security plan should include a proactive strategy as well as a reactive strategy. The proactive or pre-attack strategy is a set of steps that helps to minimize existing security policy vulnerabilities and develop contingency plans. Determining the damage that an attack will cause on a system and the weaknesses and vulnerabilities exploited during this attack helps in developing the proactive strategy. The reactive strategy or post-attack strategy helps security personnel to assess the damage caused by the attack, repair the damage or implement the contingency plan developed in the proactive strategy, document and learn from the experience, and get business functions running as soon as possible.

Page 54: Research in: Security Planning and Auditing

Testing

Can only be carried out after the reactive and proactive strategies have been put into place. Need to perform simulated attacks in order to assess where the various vulnerabilities exist and adjust security policies and controls accordingly. These tests should not be performed on a live production system because the outcome could be disastrous. Need to have labs and test computers.

In order to secure the necessary funds for testing, it is important to make management aware of the risks and consequences of an attack as well as the security measures that can be taken to protect the system, including testing procedures.

If possible, all attack scenarios should be physically tested and documented to determine the best possible security policies and controls to be implemented.

Page 55: Research in: Security Planning and Auditing

Incident response team

The incident response team should be involved in the proactive efforts of the security professional. These include:

Developing incident handling guidelines.

Identifying software tools for responding to incidents/events.

Researching and developing other computer security tools.

Conducting training and awareness activities.

Performing research on viruses.

Conducting system attack studies.

Page 56: Research in: Security Planning and Auditing

Incident response team

These efforts will provide knowledge that the organization can use, and information to issue before and during incidents.

After the security administrator and incident response team have completed these proactive functions, the administrator should hand over the responsibility for handling incidents to the incident response team.

This does not mean that the security administrator should not continue to be involved or be part of the team, but the administrator may not always be available and the team should be able to handle incidents on its own.

The team will be responsible for responding to incidents such as viruses, worms, or other malicious code; intrusions; hoaxes; natural disasters; and insider attacks. The team should also be involved in analyzing any unusual event that may involve computer or network security.

Page 57: Research in: Security Planning and Auditing

Modified Benson’s methodology for developing security policy and controls: MBSPC

I. PA: Assess risks and predict attacks:

For each type of threat, do:
Begin
    For each type of method of attack, do:
    Begin
        PS: Proactive strategy
            PS1: Predict possible harm
            PS2: Identify vulnerabilities
            PS3: Minimize vulnerabilities
            PS4: Plan contingencies
        RS: Reactive strategy
            RS1: Assess damage
            RS2: Determine cause of damage
            RS3: Recover from damage
            RS4: Document and learn
            RS5: Implement contingency plan
    End
End

II. RO: Review outcome
III. RP: Review policy effectiveness
IV. AP: Adjust policy accordingly

Page 58: Research in: Security Planning and Auditing

MBSPC

Methodology for developing security policy and controls that can be used to implement security policies and controls to minimize possible attacks and threats.

The methods can be used for all types of attacks on computer systems, whether they are malicious, non-malicious or natural disasters;

Can be re-used repeatedly for different attack scenarios.

The methodology is based on the various types of threats, methods of attack, and vulnerabilities.


Page 60: Research in: Security Planning and Auditing

PA step: Predict Possible Attacks / Analyze Risks

Predict Possible Attacks / Analyze Risks

Determine the attacks that can be expected and ways of defending against these attacks.

It is impossible to prepare against all attacks; therefore, prepare for the most likely attacks that the organization can expect.

It is always better to prevent or minimize attacks than to repair the damage after an attack has already occurred.

How to minimize attacks: it is necessary to understand the various threats that cause risks to systems, the corresponding techniques that can be used to compromise security controls, and the vulnerabilities that exist in the security policies.

Page 61: Research in: Security Planning and Auditing

Predicting possible attacks

Understanding threats, techniques, and vulnerabilities can help to predict the occurrence of attacks, maybe even their timing or location.

Predicting an attack is a matter of predicting its likelihood, which depends upon understanding its various aspects.

Remember the equation: Threats + Motives + Tools and Techniques + Vulnerabilities = Attack

Page 62: Research in: Security Planning and Auditing

For each threat do:

For Each Type of Threat

Consider all of the possible threats that cause attacks on systems. -malicious attackers, -non-malicious threats, and -natural disasters.

Threats such as ignorant or careless employees and natural disasters do not involve motives or goals; hence, no predetermined methods, tools, or techniques are used to launch an attack.

Most of these attacks are internally generated.

For these types of threats, security personnel need to implement separate proactive and reactive strategies.

Page 63: Research in: Security Planning and Auditing

For Each Type of Method of Attack:

Attack: needs a method, tool or technique to exploit various vulnerabilities in systems, security policies, and controls.

A malicious attacker can use different methods to launch the same attack.

Defense strategy must be customized for each type of method used in each type of threat.

Critical: keep current on the various methods, tools, and techniques used by attackers.

- Denial of service attacks
- Worms
- Intrusion attacks
- Trojan horses
- Social engineering
- E-mail cracking
- Viruses
- Packet modification
- Packet replay
- Password cracking
- etc.

Page 64: Research in: Security Planning and Auditing

Proactive strategy = a set of predefined steps that should be taken to prevent attacks before they occur.

Find out how an attack could possibly affect or damage the computer system and the vulnerabilities it exploits.

Knowledge gained in assessments helps in implementing security policies that will control/minimize the attacks.

Steps for proactive strategy:

1. Determine the damage that the attack will cause.
2. Determine the vulnerabilities and weaknesses that the attack will exploit.
3. Minimize the vulnerabilities and weaknesses that are determined to be weak points in the system for that specific type of attack.

Important: security policies and controls won't always be completely effective in eliminating attacks. Thus, contingency and recovery plans need to be developed in the event that security controls are penetrated.

PS step: Proactive strategy

Page 65: Research in: Security Planning and Auditing

PS1 step: Determine possible damage resulting from an attack

Possible damages can range from minor computer glitches to catastrophic data loss. The damage caused to the system will depend on the type of attack.

Use a test or lab environment to clarify the damages resulting from different types of attacks, if possible. This will enable security personnel to see the physical damage caused by an experimental attack. Not all attacks cause the same damage.

Examples of tests to run:

Simulate an e-mail virus attack on the lab system, and see what damage was caused and how to recover from the situation.

Use social engineering to acquire a username and password from an unsuspecting employee and observe whether he or she complies.

Page 66: Research in: Security Planning and Auditing

More examples of tests to run

Simulate what would happen if the server room burned down. Measure the production time lost and the time taken to recover.

Simulate a malicious virus attack. Note the time required to recover one computer and multiply that by the number of computers infected in the system to ascertain the amount of downtime or loss of productivity.

Important: always involve the incident response team, because a team is more likely than an individual to spot all of the different types of damage that have occurred.

Page 67: Research in: Security Planning and Auditing

PS2 step: Determine vulnerabilities/ weaknesses that attacks can exploit

Determine the Vulnerabilities or Weaknesses that an attack can exploit .

If the vulnerabilities that a specific attack exploits can be discovered, current security policies and controls can be altered or new ones implemented to minimize these vulnerabilities.

Determining the type of attack, threat, and method makes it easier to discover existing vulnerabilities. This can be proved by an actual test.

List of possible vulnerabilities in the areas of: --physical, --data, and --network security.

Page 68: Research in: Security Planning and Auditing

Physical security

Are there locks and entry procedures to gain access to servers?

Is there sufficient air conditioning and are air filters being cleaned out regularly?

Are air conditioning ducts safeguarded against break-ins?

Are there uninterruptible power supplies and generators and are they being checked through maintenance procedures?

Is there fire suppression and pumping equipment, and proper maintenance procedures for the equipment?

Is there protection against hardware and software theft? Are software packages and licenses and backups kept in safes?

Are there procedures for storing data, backups, and licensed software off-site and onsite?

Page 69: Research in: Security Planning and Auditing

Data security

What access controls, integrity controls, and backup procedures are in place to limit attacks?

Are there privacy policies and procedures that users must comply to?

What data access controls (authorization, authentication, and implementation) are there?

What user responsibilities exist for management of data and applications?

Have direct access storage device management techniques been defined? What is their impact on user file integrity?

Are there procedures for handling sensitive data?

Page 70: Research in: Security Planning and Auditing

Network security

What kinds of access controls (Internet, wide area network connections, etc.) are in place?

Are there authentication procedures? What authentication protocols are used for local area networks, wide area networks and dialup servers? Who has the responsibility for security administration?

What type of network media, for example, cables, switches, and routers, are used? What type of security do they have?

Is security implemented on file and print servers?

Does your organization make use of encryption and cryptography for use over the Internet, Virtual Private Networks (VPNs), e-mail systems, and remote access?

Does the organization conform to networking standards?

Page 71: Research in: Security Planning and Auditing

PS3 step: Minimize Vulnerabilities and Weaknesses exploited by a possible attack

Minimizing the security system's vulnerabilities and weaknesses that were determined in the previous assessment is the first step in developing effective security policies and controls.

This is the payoff of the proactive strategy.

By minimizing vulnerabilities, security personnel can minimize both the likelihood of an attack, and its effectiveness, if one does occur.

Be careful not to implement controls that are too stringent, because the availability of information could then become a problem.

There must be a careful balance between security controls and access to information. Information should be as freely available as possible to authorized users.

Page 72: Research in: Security Planning and Auditing

PS4 step: Make contingency plans

A contingency plan is an alternative plan that should be developed in case an attack penetrates the system and damages data or any other assets with the result of halting normal business operations and hurting productivity.

The plan is followed if the system cannot be restored in a timely manner. Its ultimate goal is to maintain the availability, integrity and confidentiality of data.

It is simply "Plan B."

There should be a plan per type of attack and/or per type of threat. Each plan consists of a set of steps to be taken in the event that an attack breaks through the security policies.

Page 73: Research in: Security Planning and Auditing

MBSPC Methodology Template

Page 74: Research in: Security Planning and Auditing

Example of Benson’s template: Human non-malicious threat with DoS

Page 75: Research in: Security Planning and Auditing

Example of Benson’s template: Human malicious threat with virus

Page 76: Research in: Security Planning and Auditing

Example of Benson’s template: Human malicious threat with Social Engineering

Page 77: Research in: Security Planning and Auditing

Example of Benson’s template: Human malicious threat with Social Engineering

Page 78: Research in: Security Planning and Auditing

Security Standards?

Page 79: Research in: Security Planning and Auditing

Main Three Standards?

ISO 15408

ISO 17799

ISO 27001

Page 80: Research in: Security Planning and Auditing

Linking Security Standards to Security Audit?

Page 81: Research in: Security Planning and Auditing

Figure: Nominal Audit (producing ISO 17799 claims and testing prescriptions) → Technical Audit → Risk-Driven Security Program (ISMS: ISO 27001).

Page 82: Research in: Security Planning and Auditing

Minimal Phases

1. Security planning
- Purpose of the audit
- Grade of the audit
- Auditor selection or confirmation

2. Security policy comprehension
- Understanding security policy
- Validity audit of security policy

3. Nominal Audit

Nominal inputs:
- ISO 17799 A-data
- Auditor's judgments
- Owners' judgments

Nominal processes:
- Show and tell
- Documentation inspections
- Interviewing

Nominal outputs:
- A scores
- B scores
- C scores
- Corporate security posture
- Claims
- Testing prescriptions
- Grade-audit compliance

Page 83: Research in: Security Planning and Auditing

4. Technical Audit

TA inputs:
- NA claims
- Auditor's judgments
- BS7799.2 requirements

TA processes:
- Scope of technical audit
- Risk IAMS
- Vulnerability assessment
- Testing as needed

TA outputs:
- Security program
- Statement of applicability
- Post-review schedule

5. Report generation
- Grade of audit sought
- ISO 17799 compliance report
- ISO 27001 compliance report
- Recommended security program
- Statement of applicability
- Post-review schedule

Page 84: Research in: Security Planning and Auditing

Research: Make the Standards alive?

Page 85: Research in: Security Planning and Auditing

ISO 17799 Conformity

And then …

Expert System?:

-What can we do to improve conformity?

Page 86: Research in: Security Planning and Auditing

Research: Risk-Driven Security Program?

How to develop such a program?

Page 87: Research in: Security Planning and Auditing

How to develop a Statement of Applicability?

ISO 27001: Annex A

- If a security control is adopted: justify it.
- If a security control is not adopted: justify that too.
- If a new security control is added beyond Annex A: say why.

Research: we still don't have a sound model for doing this.
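The three rules above reduce to checks an auditor can run over a Statement of Applicability before the interviews start. What follows is an added example, not the presentation's or ISO's material: the ANNEX_A catalogue is a constructed stand-in with placeholder identifiers, not the real Annex A control list, and the sample SoA rows (with three deliberate defects) are likewise constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed placeholder catalogue standing in for ISO 27001 Annex A.
# Identifiers and titles are illustrative only, not the real control list.
ANNEX_A: Dict[str, str] = {
    "A.1.1": "Information security policy document",
    "A.2.1": "User registration and de-registration",
    "A.3.1": "Controls against malicious code",
    "A.4.1": "Audit logging",
}


@dataclass(frozen=True)
class SoaEntry:
    control_id: str
    adopted: bool
    justification: str          # why adopted, or why not (required either way)
    added_rationale: str = ""   # required only for controls not taken from Annex A


def check_soa(entries: Sequence[SoaEntry], annex: Dict[str, str] = ANNEX_A) -> List[str]:
    """Return one finding per rule violation. An empty list means every Annex A
    control is listed exactly once with a justification, and every control
    added beyond Annex A says why it was added."""
    findings: List[str] = []
    seen = set()
    for e in entries:
        if e.control_id in seen:
            findings.append(f"{e.control_id}: listed more than once")
        seen.add(e.control_id)
        if not e.justification.strip():
            state = "adopted" if e.adopted else "not adopted"
            findings.append(f"{e.control_id}: {state} without justification")
        if e.control_id not in annex and not e.added_rationale.strip():
            findings.append(f"{e.control_id}: not an Annex A control and no reason given for adding it")
    for cid, title in annex.items():
        if cid not in seen:
            findings.append(f"{cid} ({title}): Annex A control missing from the SoA")
    return findings


def sample_soa() -> List[SoaEntry]:
    """Constructed SoA with three deliberate defects: A.2.1 adopted with no
    justification, X.9.9 added without a rationale, A.4.1 left out entirely."""
    return [
        SoaEntry("A.1.1", True, "Required by corporate policy; published on the intranet."),
        SoaEntry("A.2.1", True, ""),
        SoaEntry("A.3.1", False, "No user workstations in scope; servers are network-isolated."),
        SoaEntry("X.9.9", True, "Contractual requirement from a customer."),
    ]


if __name__ == "__main__":
    for finding in check_soa(sample_soa()):
        print(finding)
```

A silent omission (a control simply absent from the SoA) is the defect interviews miss most easily, which is why the check iterates over the catalogue rather than only over the rows the owner supplied.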

Page 88: Research in: Security Planning and Auditing

Research on Biometrics

Modeling:

- Multi-mode
- Multi-agents
- Bayesian Networks
- Dempster-Shafer Theory
- Fuzzy Set Theory
- Possibility Theory
- Genetic Computing
- Data Mining
- etc.

Page 89: Research in: Security Planning and Auditing

Research on IDS

Modeling:

- Multi-mode
- Multi-agents
- Bayesian Networks
- Dempster-Shafer Theory
- Fuzzy Set Theory
- Possibility Theory
- Genetic Computing
- Data Mining
- etc.

Page 90: Research in: Security Planning and Auditing

Conclusion

- Opportunities for research in security: too many
- What do you need?
  - Doability of what you start
  - The right bibliography
  - Statistics background
  - Quantitative background
  - Computing background