Security Management Practices

1
Security Management Practices

• 2004 Summer Workshop
• Data Collection and Data Sharing
• July 13, 2004

Presented byRaza Hasan DBA DHMHs Center for
Cancer Surveillance Control
2
Security Management

• Ensuring Confidentiality, Integrity and
  Availability of information assets

3
How?

• Develop and implement a Security Program
• Conduct Risk Management

4
Security Policies

• Organization policy
• Is used to create an organization's central
  computer security program
• Issue specific polices
• Addresses issues such as Internet usage, e-mail
  privacy, etc.
• System specific policies
• Addresses security for a specific system

5
Examples of Security Policies

• Network/Web Policy
• Employment Policy
• Database Policy

6
Network/Web Security Policy

• Attempts to minimize risks associated with
  services offered through Networks/Web

7
Network/Web Security Policy

• Security policy depends on accurate
  identification of your
• Assets (what you try to protect)
• Threats (what you try to protect your assets
  from)
• Services (what you allow your users to do)

8
Examples of Assets

• Data
• Computer/Network resources
• Reputation

9
Examples of Threats

• Sophisticated hackers
• Script Kiddies
• Spies
• Hostile insiders (consultants, employees)
• Accidents by valid users

10
Examples of Network/Web Services

• Public
• Web site
• Email
• E-Commerce
• Private
• Internal web site
• Internal email
• Web surfing
• Virtual Private Network (VPN)

11
Elements of Network/Web Policy

• A good network/Web security policy dictates what
  traffic you allow in and out of your network, and
  what you allow between network segments
• Architecture
• Firewall

12
Architecture

• A network architectures security can be improved
  with physical components such as firewalls and
  network configuration, for example, network
  address translation, virtual private networks,
  and establishing Demilitarized Zones (DMZs).
• A networks security can be weakened by adding
  poorly configured dial-up services and improperly
  implemented DMZs.

13
Firewalls

• Device that restricts traffic between two
  networks based upon a defined set of rules
• Usually a dedicated device it should perform no
  other role.

14
Firewall Diagram
Untrusted Network
Firewall
Protected Network
15
Typical Network Configuration

• Demilitarized Zone (DMZ)
• Separates external network, public servers, and
  private systems.
• If hackers manage to take over a server, they do
  not automatically get access to the private
  systems.
• Must be careful not to grant special access
  between the public servers and the private
  network.

16
Example Policy
17
Example Policy (contd)

• Protocols permitted between networks (all others
  denied)

18
Employment Policies and Practices

• Job Position Description
• Separation of duties
• Least privilege
• Determine position sensitivity
• Filling the position
• Background checks
• Personal interview
• Employee training and awareness

19
Employment Policies and Practices User
Administration

• User Account Management
• Process of requesting/establishing/issuing/closing
  user accounts
• Tracking users and access authorizations
• Managing the above functions
• Audit and management reviews
• Detecting unauthorized or illegal activities
• Temporary assignments, transfers and termination
• Contractor access considerations
• Public access considerations

20
Database Security Policy

• Aggregation Problem
• When several access rights allow access to a
  piece of information that should not be known
• Can be solved by
• Separating information into containers
• Provide context dependant classification
• Elevate containers security to a higher level

21
Database Security (contd)

• Inference Problem
• Occurs when a user can deduce information from
  the information they have access to
• Can be solved by
• Fuzzy queries
• Database design
• Specify content and context dependant rules

22
Risk Management

• Risk is the possibility of something adverse
  happening to the organization
• Risk management is the process of assessing risk
  and taking steps to reduce it
• Four ways to manage risk
• Risk assignment and transfer (insurance)
• Risk rejection (ignore risk)
• Risk reduction (install safeguards)
• Risk acceptance (e.g., costs exceed the benefits)

23
Risk Management Framework

• Risk Assessment
• Determine assessment scope and methodology
• Collect and analyze data
• Interpret risk and analyze results
• Risk Mitigation
• Select safeguards
• Accept residual risk
• Implement controls and monitor effectiveness

24
Risk Assessment Quantitative Techniques

• Annual Loss Expectancy (ALE)
• ALEI x F
• I estimated impact in dollars
• F estimated frequency of occurrence per year
• Net Present Value (NPV)
• NPV PV (Benefits) PV (Costs)

25
Risk Assessment Qualitative Techniques

• Judgment and intuition of experts (a.k.a. gut
  feeling)
• Delphi technique
• Polling

26
Risk Management Involves

• Identification
• Assets (Classification)
• Threats
• Vulnerabilities
• Safeguards

27
Data Classification Schemes
Government Top Secret Secret Confidential Sensi
tive Unclassified

• Corporate
• Sensitive
• Confidential
• Private
• Public

Highest Level Lowest Level
In order to develop effective information
security policy, information produced or
processed by an organization must be classified
according to its sensitivity to loss or
disclosure.
28
Distinction Between a Threat and Vulnerability

• A threat is an activity, deliberate or
  intentional, with the potential for causing harm
  to a computer system or activity
• A vulnerability is a flaw or weakness that may
  allow harm to occur to a computer system or
  activity

29
(No Transcript)
30
(No Transcript)
31
Common Threats and Vulnerabilities

• Causes of economic losses in public and private
  sectors
• 65 due to errors and omissions
• 13 due to dishonest employees
• 6 due to disgruntled employees
• 8 due to loss of supporting infrastructure
• 5 due to water not related to fires and floods
• Less than 3 due to outsiders

32
Common Threats and Vulnerabilities

• Fraud and theft
• Employee sabotage
• Loss of physical or infrastructure support
• Malicious hackers or crackers
• Industrial espionage
• Malicious code

33
Recommendations

• Develop a Policy
• Implement Security controls in all System
  Development Phases
• Raise Awareness

34
System Development Controls

• Security needs to be integrated in the full
  system development cycle (process)

• Phase 1 Initiation
• Phase 2 Development/Acquisition
• Phase 3 Implementation
• Phase 4 Operation/Maintenance
• Phase 5 Disposal

35
Security Awareness/Training Implementation

• To implement an effective security awareness
  training program you need to
• Identify program scope, goals and objectives
• Identify training staff
• Identify target audiences
• Motivate management and employees
• Administer the program
• Maintain the program
• Evaluate the program (very difficult)

36
References

• NIST Computer Security Resource Center
  http//csrc.ncsl.nist.gov/
• SANS Institute www.sans.org
• DHMH Policies accessible through its Intranet
  http//indhmh/irma/itpolicies/
• Presenters Contact
• Raza Hasan
• Phone 410-767-6932
• Email rhasan_at_dhmh.state.md.us