Administering Security

1
Administering Security

• Vulnerabilities, Risk Analysis, and Security
  Policy

2
Vulnerabilities
3
Vulnerabilities

• Security objectives
• Prevent attacks
• Detect attacks
• Recover from attacks
• Attacks against weaknesses in the information
  systems
• Need find weaknesses

4
Identifying and Eliminating Weaknesses

• Vulnerability monitoring
• Secure system development
• User training and awareness
• Avoiding single point of failure

5
I. Vulnerability Monitoring

• Identify potential weaknesses in existing
  information systems
• Reveal wide-range of vulnerabilities

6
I. Security Flaws

• Secure software installation
• Correct installation of software
• Change default settings
• Validate upgrades/changes
• Patch new security flaws

7
I. Vulnerability Detection Tools

• Computer Oracle and Password System (COPS) FREE
• Checks vulnerabilities of UNIX systems
• Secure Analysis Tool for Auditing Networks
  (SATAN) FREE
• SAFEsuite (Internet Security Systems, Inc.)
• Family of network security assessment tools (web
  security scanner, firewall scanner, intranet
  scanner, system security scanner)
• Keyed to the IP address of the customer

8
I. Keeping up with Security Publications

• Legal publications how to remove vulnerabilities
• CERT advisories
• SANS Security Digest
• Hacker publications how to exploit known
  vulnerabilities
• Security mailing lists

9
II. Building Secure Systems

• 1960s US Department of Defense (DoD) risk of
  unsecured information systems
• 1981 National Computer Security Center (NCSC) at
  the NSA
• DoD Trusted Computer System Evaluation Criteria
  (TCSEC) Orange Book

10
II. National Information Assurance Partnership
(NIAP)

• 1997 National Institute of Standards and
  Technology (NIST), National Security Agency
  (NSA), and Industry
• Aims to improve the efficiency of evaluation
• Transfer methodologies and techniques to private
  sector laboratories
• Functions developing tests, test methods, tools
  for evaluating and improving security products,
  developing protection profiles and associated
  tests, establish formal and international schema
  for CC.

11
III. Security Awareness and Training

• Major weakness users unawareness
• Organizational effort
• Educational effort
• Customer training
• Federal Trade Commission program to educate
  customers about web scams

12
IV. Avoid Single Point of Failure

• Critical information resources
• Identification
• Backup
• Hiding
• Separation of duties
• Multi-person requirements
• Limit temptations

13
Risk Analysis
14
Overview

• Definition and Purpose Of Risk Analysis
• Elements of Risk Analysis
• Quantitative vs Qualitative Analysis
• Quantitative Example
• Qualitative Example

15
Risk Management Cycle
From GAO/AIMD-99-139
16
What is Risk Analysis?

• The process of identifying, assessing, and
  reducing risks to an acceptable level
• Defines and controls threats and vulnerabilities
• Implements risk reduction measures
• An analytic discipline with three parts
• Risk assessment determine what the risks are
• Risk management evaluating alternatives for
  mitigating the risk
• Risk communication presenting this material in
  an understandable way to decision makers and/or
  the public

17
Benefits of Risk Analysis

• Assurance that greatest risks have been
  identified and addressed
• Increased understanding of risks
• Mechanism for reaching consensus
• Support for needed controls
• Means for communicating results

18
Basic Risk Analysis Structure

• Evaluate
• Value of computing and information assets
• Vulnerabilities of the system
• Threats from inside and outside
• Examine
• Availability of security countermeasures
• Effectiveness of countermeasures
• Costs (installation, operation, etc.) of
  countermeasures

19
Who should be Involved?

• Security Experts
• Internal domain experts
• Knows best how things really work
• Managers responsible for implementing controls

20
Critical Assets

• People and skills
• Goodwill
• Hardware/Software
• Data
• Documentation
• Supplies
• Physical plant
• Money

21
Threats

• Attacks against key security services
• Confidentiality, integrity, availability
• One threat classification
• Disclosure
• Deception
• Disruption
• Usurpation

22
Example Threat List

• T35 Operating System Penetration/Alteration
• T36 Operator Error
• T37 Power Fluctuation (Brown/Transients)
• T38 Power Loss
• T39 Programming Error/Bug
• T40 Sabotage
• T41 Static Electricity
• T42 Storms (Snow/Ice/Wind)
• T43 System Software Alteration
• T44 Terrorist Actions
• T45 Theft (Data/Hardware/Software)
• T46 Tornado
• T47 Tsunami (Pacific area only)
• T48 Vandalism
• T49 Virus/Worm (Computer)
• T50 Volcanic Eruption

• T17 Errors (All Types)
• T18 Electro-Magnetic Interference
• T19 Emanations Detection
• T20 Explosion (Internal)
• T21 Fire, Catastrophic
• T22 Fire, Major
• T23 Fire, Minor
• T24 Floods/Water Damage
• T25 Fraud/Embezzlement
• T26 Hardware Failure/Malfunction
• T27 Hurricanes
• T28 Injury/Illness (Personal)
• T29 Lightning Storm
• T30 Liquid Leaking (Any)
• T31 Loss of Data/Software
• T32 Marking of Data/Media Improperly
• T33 Misuse of Computer/Resource
• T34 Nuclear Mishap

• T01 Access (Unauthorized to System - logical)
• T02 Access (Unauthorized to Area - physical)
• T03 Airborne Particles (Dust)
• T04 Air Conditioning Failure
• T05 Application Program Change
• (Unauthorized)
• T06 Bomb Threat
• T07 Chemical Spill
• T08 Civil Disturbance
• T09 Communications Failure
• T10 Data Alteration (Error)
• T11 Data Alteration (Deliberate)
• T12 Data Destruction (Error)
• T13 Data Destruction (Deliberate)
• T14 Data Disclosure (Unauthorized)
• T15 Disgruntled Employee
• T16 Earthquakes

23
Vulnerabilities

• Flaw or weakness in system
• Security Procedures
• Design
• Implementation
• Threats trigger vulnerabilities
• Accidental
• Malicious

24
Example Vulnerabilities

• Physical
• V01 Susceptible to unauthorized building access
• V02 Computer Room susceptible to unauthorized
• access
• V03 Media Library susceptible to unauthorized
• access
• V04 Inadequate visitor control procedures
• (and 36 more)
• Administrative
• V41 Lack of management support for security
• V42 No separation of duties policy
• V43 Inadequate/no computer security plan policy

V47 Inadequate/no emergency action plan (and 7
more) Personnel V56 Inadequate personnel
screening V57 Personnel not adequately trained
in job ... Software V62 Inadequate/missing
audit trail capability V63 Audit trail log not
reviewed weekly V64 Inadequate control over
application/program changes
Communications V87 Inadequate communications
system V88 Lack of encryption V89 Potential for
disruptions ... Hardware V92 Lack of hardware
inventory V93 Inadequate monitoring of
maintenance personnel V94 No preventive
maintenance program V100 Susceptible to
electronic emanations
25
Controls

• Mechanisms or procedures for mitigating
  vulnerabilities
• Prevent
• Detect
• Recover
• Understand cost and coverage of control
• Controls follow vulnerability and threat analysis

26
Example Controls

• C01 Access control devices - physical
• C02 Access control lists - physical
• C03 Access control - software
• C04 Assign ADP security and assistant in writing
• C05 Install-/review audit trails
• C06 Conduct risk analysis
• C07Develop backup plan
• C08 Develop emergency action plan
• C09 Develop disaster recovery plan
• ...
• C21 Install walls from true floor to true
  ceiling
• C22 Develop visitor sip-in/escort procedures
• C23 Investigate backgrounds of new employees
• C24 Restrict numbers of privileged users
• C25 Develop separation of duties policy
• C26 Require use of unique passwords for logon

C27 Make password changes mandatory C28 Encrypt
password file C29 Encrypt data/files C30
Hardware/software training for personnel C31Prohi
bit outside software on system ... C47 Develop
software life cycle development program C48
Conduct hardware/software inventory C49
Designate critical programs/files C50 Lock
PCs/terminals to desks C51 Update communications
system/hardware C52 Monitor maintenance
personnel C53 Shield equipment from
electromagnetic interference/emanations C54Identi
fy terminals
27
Risk Control Trade Offs

• Only Safe Asset is a Dead Asset
• Asset that is completely locked away is safe, but
  useless
• Trade-off between safety and availability
• Do not waste effort on efforts with low loss
  value
• Dont spend resources to protect garbage
• Control only has to be good enough, not absolute
• Make it tough enough to discourage enemy

28
Types of Risk Analysis

• Quantitative
• Assigns real numbers to costs of safeguards and
  damage
• Annual loss expectance (ALE)
• Probability of event occurring
• Can be unreliable/inaccurate
• Qualitative
• Judges an organizations risk to threats
• Based on judgment, intuition, and experience
• Ranks the seriousness of the threats for the
  sensitivity of the asserts
• Subjective, lacks hard numbers to justify return
  on investment

29
Qualitative Risk Analysis

• Generally used in Information Security
• Hard to make meaningful valuations and meaningful
  probabilities
• Relative ordering is faster and more important
• Many approaches to performing qualitative risk
  analysis
• Same basic steps as quantitative analysis
• Still identifying asserts, threats,
  vulnerabilities, and controls
• Just evaluating importance differently

30
Key Points

• Key Elements of Risk Analysis
• Assets, Threats, Vulnerabilities, and Controls
• Most security risk analysis uses qualitative
  analysis
• Not a scientific process
• Companies will develop their own procedure
• Still a good framework for better understanding
  of system security

31
Security Policy
32
Overview

• Understanding why policy is important.
• Defining various policies.
• Creating an appropriate policy.
• Deploying policies.
• Using policy effectively.

33
Understanding Why Policy is Important

• The two primary functions of a policy are
• It defines the scope of security within an
  organization.
• It clearly states the expectations from everyone
  in the organization.

34
Understanding Why Policy is Important

• Policy defines how security should be
  implemented.
• It includes the system configurations, network
  configurations, and physical security measures.
• It defines the mechanisms used to protect
  information and systems.
• It defines how organizations should react when
  security incidents occur.
• Policy provides the framework for employees to
  work together.
• It defines the common goals and objectives of the
  organizations security program.
• Proper security awareness training helps
  implement policy initiatives effectively.

35
Defining Various Policies

• Information policy.
• Security policy.
• Computer use policy.
• Internet use policy.
• E-mail policy.
• User management procedures.
• System administration procedures.
• Backup policy.
• Incident response policy.
• Configuration management procedures.
• Design methodology.
• Disaster recovery plans.

36
Information Policy

• Identification of sensitive information.
• Classifications.
• Marking and storing sensitive information.
• Transmission of sensitive information.
• Destruction of sensitive information.

37
Identification of Sensitive Information

• Sensitive information differs depending on the
  business of the organization.
• It may include business records, product designs,
  patent information, and company phone books.
• It may also include payroll, medical insurance,
  and any other financial information.

38
Classifications

• Only the lowest level of information should be
  made public.
• All proprietary, company sensitive, or company
  confidential information is releasable to
  employees.
• All restricted or protected information must be
  made available to authorized employees only.

39
Marking and Storing Sensitive Information

• The policy must mark all sensitive information.
• It should address the storage mechanism for
  information on paper or on computer systems.
• Incase of information stored on computer systems,
  the policy should specify appropriate levels of
  protection.
• Use encryption wherever required.

40
Transmission of Sensitive Information

• The policy addresses how sensitive information
  needs to be transmitted.
• It specifies the encryption method to be used
  while transmitting information through electronic
  mail.
• Incase of hardcopies of information, request a
  signed receipt.

41
Destruction of Sensitive Information

• To destroy sensitive information
• Shred the information on paper.
• Use cross-cut shredders that provide an added
  level of protection.
• PGP desktop and BCWipe can be used to delete
  documents placed on a desktop.

42
Security Policy

• Identification and authentication.
• Access control.
• Audit.
• Network connectivity.
• Malicious code.
• Encryption.
• Waivers.
• Appendices.

43
Identification and Authentication

• The security policy defines how users will be
  identified.
• It defines the primary authentication mechanism
  for users and administrators.
• It defines stronger mechanism for remote access
  such as VPN or dial-in access.

44
Access Control

• The security policy defines the standard
  requirement for access control of electronic
  files.
• The requirement includes the required mechanism
  and the default requirements for new files.
• The mechanism should work with authentication
  mechanism to allow only authorized users to
  access the information.

45
Audit

• Security policies must frequently audit the
  following events
• Logins (successful and failed).
• Logouts.
• Failed access to files or system objects.
• Remote access (successful and failed).
• Privileged actions.
• System events (such as shutdowns and reboots).

46
Audit

• Each event should also capture the following
  information
• User ID (if there is one)
• Date and time
• Process ID (if there is one)
• Action performed
• Success or failure of the event

47
Network Connectivity

• The security policy specifies the rules for
  network connectivity and the protection
  mechanisms. It includes
• Dial-in connections.
• Permanent connections.
• Remote access of internal systems.
• Wireless networks.

48
Malicious Code

• The security policy specifies where security
  programs that look for malicious code need to be
  placed.
• Some appropriate locations are file servers,
  desktop systems, and electronic mail servers.
• It should specify the requirements for security
  programs.
• It should require updates of signatures for such
  security programs on a periodic basis.

49
Encryption

• The security policy should define the acceptable
  encryption algorithms for use.
• It can refer to the information policy to choose
  the appropriate algorithms to protect sensitive
  information.
• It should also specify the procedures required
  for key management.

50
Waivers

• The security policy should provide a mechanism
  for risk assessment and formulating a contingency
  plan.
• For each situation, the system designer or
  project manager should fill a waiver form.
• The security department reviews the waiver
  request and provides risk assessment results and
  recommendations to minimize the risk.
• The waiver should be approved by the
  organizations officer in charge of the project.

51
Appendices

• The security policy appendices should have
  details of
• Security configurations for various operating
  systems.
• Network devices.
• Telecommunication equipments.

52
Computer Use Policy

• Ownership of computers - States that all
  computers are owned by the organization.
• Ownership of information - States that all
  information stored on or used by the
  organizations computers is proprietary to the
  organization.
• Acceptable use of computers - States all
  acceptable and unacceptable use of the
  organizations computers.
• No expectation of privacy - States that the
  employee have no expectation of privacy for any
  information stored, sent, or received on the
  organizations computers.

53
Internet Use Policy

• The Internet use policy is a part of the general
  computer use policy.
• It can be a separate policy due to the specific
  nature of the Internet use.
• The Internet use policy defines the appropriate
  uses of the Internet within an organization.
• It may also define inappropriate uses such as
  visiting non-business-related web sites.

54
E-mail Policy

• Internal mail issues - The electronic mail policy
  should not be in conflict with other human
  resource policies.
• External mail issues - Electronic mail leaving an
  organization may contain sensitive information.
  Therefore, it may be monitored.

55
User Management Procedures

• New employment procedure - Provides new employees
  with the proper access to computer resources.
• Transferred employee procedure - Reviews
  employees computer access when they are
  transferred within the organization.
• Employee termination procedure - Ensures removal
  of users who no longer work for the organization.

56
System Administration Procedure

• Software upgrades - Defines how often a system
  administrator will check for new patches or
  updates.
• Vulnerability scans - Defines how often and when
  the scans will be conducted by security.
• Policy reviews - Specifies the security
  requirements for each system.
• Log reviews - Specifies configuration of
  automated tools that create log entries and how
  exceptions must be handled.
• Regular monitoring - Documents when network
  traffic monitoring will occur.

57
Backup Policy

• Frequency of backups - Identifies how often
  backups actually occur.
• Storage of backups - Defines how to store backups
  in a secure location. It also states the
  mechanism for requesting and restoring backups.
• Information to be backed up - Identifies which
  data needs to be backed up more frequently.

58
Incident Response Procedure

• Incident handling objectives - Specifies the
  objectives of the organization when handling an
  incident.
• Event identification - States corrective actions
  for an intrusion or user mistake.
• Escalation - Specifies an escalation procedure
  such as activating an incident response team.
• Information control - Specifies what information
  is classified and what can be made public.
• Response - Defines the type of response when an
  incident occurs.
• Authority - Defines which individual within the
  organization or the incident response team has
  the authority to take action.
• Documentation - Defines how the incident response
  team should document its actions.
• Testing of the procedure - Tests the IRP once it
  is written. It also identifies the loop holes in
  the procedure and suggests corrective actions.

59
Configuration Management Procedures

• Initial system state - Documents the state of a
  new system when it goes into production. It
  should include details of the operating system,
  version, patch level, application details, and
  configuration details.
• Change control procedure - Executes a change
  control procedure when a change is to be made to
  an existing system.

60
Design Methodology

• Requirements definition - Specifies the security
  requirements that need to be included during the
  requirement definition phase.
• Design - Specifies that security should be
  represented to ensure that the project is secured
  during the design phase.
• Test - Specifies that when the project reaches
  the testing phase, the security requirement
  should also be tested.
• Implementation - Specifies that the
  implementation team should use proper
  configuration management procedures.

61
Disaster Recovery Plans

• Single system or device failures - Includes a
  network device, disk, motherboard, network
  interface card, or component failure.
• Data center events - Provides procedures for a
  major event within a data center.
• Site events - Identifies the critical
  capabilities that need to be restored.
• Testing the DRP - Identifies key employees and
  performs walkthroughs of the plan periodically.

62
Creating an Appropriate Policy

• To create an appropriate policy
• Identify which policies are most relevant and
  important to an organization.
• Conduct a risk assessment to identify risk areas.
  
• Define all acceptable and unacceptable employee
  behavior. State all restrictions clearly.
• Identify individuals and other stakeholders who
  will be affected by the policy. State
  expectations clearly.
• Define a set of possible outlines.
• Draft the policy based on the outline.
• Include stakeholders during discussions and
  invite suggestions.
• Brainstorm before developing the final policy.

63
Deploying the Policy

• Every department of the organization that is
  affected by the policy must accept the underlying
  concept.
• Conduct security awareness training where
  employees are informed of the intended change.
• Make well-planned transitions rather than radical
  changes while implementing the policy.

64
Using Policy Effectively

• Identify security requirements early in the
  process. Security should be a part of the design
  phase of the project.
• Examine existing systems to ensure it is in
  compliance to new policies.
• Conduct periodic audits to ensure compliance with
  the policy.
• Review policies regularly to ensure they are
  still relevant for the organization.

65
Summary

• Policies define how security is implemented
  within an organization.
• Each policy must have a purpose, scope, and
  responsibility.
• An organization must establish information
  policy, security policy, computer use policy,
  Internet and e-mail policy, and a backup policy.
• An organization must also define user management,
  system administration, incident response, and
  configuration management procedures.
• The disaster recovery plan details recovery
  action for various levels of failures.
• While creating a policy ensure that it will be
  relevant and important to an organization.
• Involve stakeholders in policy discussions.
  Conduct security awareness trainings regularly.
• Include security issues at each development phase
  of a project.