Title: TEL2813IS2820 Security Management
1TEL2813/IS2820 Security Management
2Contact
- James Joshi
- 706A, IS Building
- Phone 412-624-9982
- E-mail jjoshi_at_mail.sis.pitt.edu
- Web /jjoshi/TELCOM2813/Spring2005/
- Office Hours Wednesdays 1.00 3.00 p.m. or By
appointments - GSA will be announced later
3Course objective
- The course is aimed at imparting knowledge and
skill sets required to assume the overall
responsibilities of administration and management
of security of an enterprise information system.
4Course objective
- After the course, ability to to carry out
- detailed analysis of enterprise security by
performing various types of analysis - vulnerability analysis, penetration testing,
- audit trail analysis,
- system and network monitoring, and
- Configuration management, etc.
- Carry out the task of security risk management
using various practical and theoretical tools.
5Course objective
- After the course, ability to carry out
- Design detailed enterprise wide security plans
and policies, and deploy appropriate safeguards
(models, mechanisms and tools) at all the levels
due consideration to - the life-cycle of the enterprise information
systems and networks, - legal and social environment
- Be able to certify products according to IA
standards (Common Criteria Evaluations)
6Course content
- Introduction to Security Management
- Security policies/models/mechanisms
- Security Management Principles, Models and
Practices - Security Planning/ Asset Protection
- Security Programs and Disaster Recovery Plans
- Standards and Security Certification Issues
- Rainbow Series, Common Criteria
- Security Certification Process
- National/International Security Laws and Ethical
Issues
- Security Analysis and Safeguards
- Vulnerability analysis (Tools Tech.)
- Penetration testing
- Risk Management
- Protection Mechanisms and Incident handling
- Access Control and Authentication architecture
- Configuration Management
- Auditing systems audit trail analysis
- Network defense and countermeasures
- Intrusion Detection Systems (SNORT)
- Architectural configurations and survivability
- Firewall configurations
- Virtual private networks
- Computer and network forensic
- Privacy Protection
- Case studies on OS and application software
(e.g., SELinux, Unix and Windows Security)
7Course Material
- Recommended course material
- Management of Information Security, M. E.
Whitman, H. J. Mattord - Guide to Disaster Recovery, M. Erbschilde
- Guide to Network Defense and Countermeasures, G.
Holden - Real Digital Forensics Computer Security and
Incident Response, 1/e Keith J. Jones, Richard
Bejtlich, Curtis W. Rose - Computer Security Art and Science, Matt Bishop
(ISBN 0-201-44099-7), Addison-Wesley 2003 - Security in Computing, 2nd Edition, Charles P.
Pfleeger, Prentice Hall - A list of papers will be provided
8Tentative Grading
- Assignments (50)
- Homework/Quiz/Paper review/Class
Participation/Seminar attendance 40 - One/two presentation 10
- Exams 20
- Project 30
9Course Policies
- Your work MUST be your own
- Zero tolerance for cheating/plagiarism
- You get an F for the course if you cheat in
anything however small NO DISCUSSION - Discussing the problem is encouraged
- Homework
- Penalty for late assignments (15 each day)
- Ensure clarity in your answers no credit will
be given for vague answers - Homework is primarily the GSAs responsibility
- Check webpage for everything!
- You are responsible for checking the webpage for
updates
10Introduction
11Introduction
- Information technology is critical to business
and society - Computer security is evolving into information
security - Information security is the responsibility of
every member of an organization, but managers
play a critical role
12Introduction
- Information security involves three distinct
communities of interest - Information security managers and professionals
- Information technology managers and professionals
- Non-technical business managers and professionals
13Communities of Interest
- InfoSec community
- protect information assets from threats
- IT community
- support business objectives by supplying
appropriate information technology - Business community
- policy and resources
14What Is Security?
- The quality or state of being secureto be free
from danger - Security is achieved using several strategies
simultaneously
15Security and Control
- Controls
- Physical Controls
- Technical Controls
- Administrative
- Prevention Detection Recovery
- Deterrence, Corrective
- Examples
- Physical security
- Personal security
- Operations security
- Communications security
- Network security
16InfoSec Components
17CIA Triangle
- The C.I.A. triangle is made up of
- Confidentiality
- Integrity
- Availability
- Over time the list of characteristics has
expanded, but these three remain central - CNSS model is based on CIA
18NSTISSC Security Model (4011)
19Key Concepts Confidentiality
- Some threats
- Hackers
- Masqueraders
- Unauthorized users
- Unprotected download of files
- LANS
- Trojan horses
- Confidentiality
- only those with sufficient privileges may access
certain information - Confidentiality model
- Bell-LaPadula
- No write down No read up
- TCSEC/TNI (Orange, Red Book)
20Key Concepts Integrity
- Other issues
- Origin integrity
- Data integrity
- Integrity
- Integrity is the quality or state of being whole,
complete, and uncorrupted - Integrity model
- Biba/low water mark
- No write up No read down
- Clark-Wilson
- Separation of duty
- Lipner
21Key Concepts Availability
- Availability
- making information accessible to user access
without interference or obstruction - Survivability
- Ensuring availability in presence of attacks
22Key Concepts privacy
- Privacy
- Information is to be used only for purposes known
to the data owner - This does not focus on freedom from observation,
but rather that information will be used only in
ways known to the owner
23Key Concepts Identification
- Identification
- Information systems possess the characteristic of
identification when they are able to recognize
individual users - Identification and authentication are essential
to establishing the level of access or
authorization that an individual is granted
24Key Concepts Authentication Authorization
- Authentication
- Authentication occurs when a control provides
proof that a user possesses the identity that he
or she claims - Authorization
- authorization provides assurance that the user
has been specifically and explicitly authorized
by the proper authority to access the contents of
an information asset
25Key Concepts Accountability Assurance
- Accountability
- The characteristic of accountability exists when
a control provides assurance that every activity
undertaken can be attributed to a named person or
automated process - Assurance
- Assurance that all security objectives are met
26What Is Management?
- A process of achieving objectives using a given
set of resources - To manage the information security process, first
understand core principles of management - A manager is
- someone who works with and through other people
by coordinating their work activities in order to
accomplish organizational goals
27Managerial Roles
- Informational role Collecting, processing, and
using information to achieve the objective - Interpersonal role Interacting with superiors,
subordinates, outside stakeholders, and other - Decisional role Selecting from alternative
approaches and resolving conflicts, dilemmas, or
challenges
28Differences Between Leadership and Management
- The leader influences employees so that they are
willing to accomplish objectives - He or she is expected to lead by example and
demonstrate personal traits that instill a desire
in others to follow - Leadership provides purpose, direction, and
motivation to those that follow - A manager administers the resources of the
organization, budgets, authorizes expenditure
29Characteristics of a Leader
- Bearing
- Courage
- Decisiveness
- Dependability
- Endurance
- Enthusiasm
- Initiative
- Integrity
- Judgment
- Justice
- Knowledge
- Loyalty
- Tact
- Unselfishness
Used by US military
30What Makes a Good Leader?Action plan
- Know yourself and seek self-improvement
- Be technically and tactically proficient
- Seek responsibility and take responsibility for
your actions - Make sound and timely decisions
- Set the example
- Know your subordinates and look out for their
well-being
- Keep your subordinates informed
- Develop a sense of responsibility in your
subordinates - Ensure the task is understood, supervised, and
accomplished - Build the team
- Employ your team in accordance with its
capabilities
31Leadership quality and types
- A leader must
- BE a person of strong and honorable character
- KNOW you, the details of your situation, the
standards to which you work, human nature, and
your team - DO by providing purpose, direction, and
motivation to your team - Three basic behavioral types of leaders
- Autocratic
- Democratic
- Laissez-faire
32Characteristics of Management
- Two well-known approaches to management
- Traditional management theory using principles of
planning, organizing, staffing, directing, and
controlling (POSDC) - Popular management theory using principles of
management into planning, organizing, leading,
and controlling (POLC)
33The PlanningControlling Link
34Planning Organization
- Planning process that develops, creates, and
implements strategies for the accomplishment of
objectives - Three levels of planning
- Strategic
- Tactical
- Operational
- Organization structuring of resources to support
the accomplishment of objectives
35Leadership
- Encourages the implementation of
- the planning and organizing functions,
- Includes supervising employee behavior,
performance, attendance, and attitude - Leadership generally addresses the direction and
motivation of the human resource
36Control
- Control
- Monitoring progress toward completion
- Making necessary adjustments to achieve the
desired objectives - Controlling function determines what must be
monitored as well as using specific control tools
to gather and evaluate information
37Control Tools
- Four categories
- Information
- Information flows/ communications
- Financial
- Guide use of monetary resources (ROI,CBA,..)
- Operational
- PERT, Gantt, process flow
- Behavioral
- Human resources
38The Control Process
39Solving Problems
- Step 1 Recognize and Define the Problem
- Step 2 Gather Facts and Make Assumptions
- Step 3 Develop Possible Solutions
(Brainstorming) - Step 4 Analyze and Compare the Possible
Solutions (Feasibility analysis) - Step 5 Select, Implement, and Evaluate a Solution
40Feasibility Analyses
- Economic feasibility assesses costs and benefits
of a solution - Technological feasibility assesses an
organizations ability to acquire and manage a
solution - Behavioral feasibility assesses whether members
of the organization will support a solution - Operational feasibility assesses if an
organization can integrate a solution
41Principles Of Information Security Management
- The extended characteristics of information
security are known as the six Ps - Planning
- Policy
- Programs
- Protection
- People
- Project Management
42InfoSec Planning
- Planning as part of InfoSec management
- is an extension of the basic planning model
discussed earlier - Included in the InfoSec planning model are
- activities necessary to support the design,
creation, and implementation of information
security strategies as they exist within the IT
planning environment
43InfoSec Planning Types
- Several types of InfoSec plans exist
- Incident response
- Business continuity
- Disaster recovery
- Policy
- Personnel
- Technology rollout
- Risk management and
- Security program including education, training
and awareness
44Policy
- Policy set of organizational guidelines that
dictates certain behavior within the organization - In InfoSec, there are three general categories of
policy - General program policy (Enterprise Security
Policy) - An issue-specific security policy (ISSP)
- E.g., email, Intenert use
- System-specific policies (SSSPs)
- E.g., Access control list (ACLs) for a device
45Programs
- Programs are operations managed as
- specific entities in the information security
domain - Example
- A security education training and awareness
(SETA) program is one such entity - Other programs that may emerge include
- a physical security program, complete with fire,
physical access, gates, guards, and so on
46Protection
- Risk management activities, including
- risk assessment and control,
- Protection mechanisms, technologies tools
- Each of these mechanisms represents some aspect
of the management of specific controls in the
overall security plan
47People
- People are the most critical link in the
information security program - Human firewall
- It is imperative that managers continuously
recognize the crucial role that people play
includes - information security personnel and the security
of personnel, as well as aspects of the SETA
program
48Project Management
- Project management discipline should be present
throughout all elements of the information
security program - Involves
- Identifying and controlling the resources applied
to the project - Measuring progress and adjusting the process as
progress is made toward the goal
49(No Transcript)
50 Security Planning
51Introduction
- Successful organizations utilize planning
- Planning involves
- Employees
- Management
- Stockholders
- Other outside stakeholders
- Physical environment
- Political and legal environment
- Competitive environment
- Technological environment
52Introduction
- Strategic planning includes
- Vision statement
- Mission statement
- Strategy
- Coordinated plans for sub units
- Knowing how the general organizational planning
process works helps in the information security
planning process
53Introduction
- Planning
- Is creating action steps toward goals, and then
controlling them - Provides direction for the organizations future
- Top-down method
- Organizations leaders choose the direction
- Planning begins with the general and ends with
the specific
54Information Security Planning
55Components Of PlanningMission Statement
- Mission statement
- Declares the business of the organization and its
intended areas of operations - Explains what the organization does and for whom
- Example
- Random Widget Works, Inc. designs and
manufactures quality widgets, associated
equipment and supplies for use in modern business
environments
CSSD http//technology.pitt.edu/security.html
56Components Of PlanningVision Statement
- Vision statement
- Expresses what the organization wants to become
- Should be ambitious
- Example
- Random Widget Works will be the preferred
manufacturer of choice for every businesss
widget equipment needs, with an RWW widget in
every machine they use
57Components Of PlanningValues
- By establishing organizational principles in a
values statement, an organization makes its
conduct standards clear - Example
- RWW values commitment, honesty, integrity and
social responsibility among its employees, and is
committed to providing its services in harmony
with its corporate, social, legal and natural
environments. - The mission, vision, and values statements
together provide the foundation for planning
58Components Of PlanningStrategy
- Strategy is the basis for long-term direction
- Strategic planning
- Guides organizational efforts
- Focuses resources on clearly defined goals
- strategic planning is a disciplined effort to
produce fundamental decisions and actions that
shape and guide what an organization is, what it
does, and why it does it, with a focus on the
future.
59Strategic Planning
60Strategic Planning
- Organization
- Develops a general strategy
- Creates specific strategic plans for major
divisions - Each level of division
- translates those objectives into more specific
objectives for the level below - In order to execute this broad strategy,
- executives must define individual managerial
responsibilities
61Planning for the Organization
62Strategic Planning
- Strategic goals are then translated
- into tasks with specific, measurable, achievable,
reasonably high and time-bound objectives (SMART) - Strategic planning
- then begins a transformation from general to
specific objectives
63Planning Levels
64Planning levels
- Tactical Planning
- Shorter focus than strategic planning
- Usually one to three years
- Breaks applicable strategic goals into a series
of incremental objectives
65Planning levels
- Operational Planning
- Used by managers and employees to organize the
ongoing, day-to-day performance of tasks - Includes clearly identified coordination
activities across department boundaries such as - Communications requirements
- Weekly meetings
- Summaries
- Progress reports
66Typical Strategic Plan Elements
- Introduction by senior executive (President/CEO)
- Executive Summary
- Mission Statement and Vision Statement
- Organizational Profile and History
- Strategic Issues and Core Values
- Program Goals and Objectives
- Management/Operations Goals and Objectives
- Appendices (optional)
- Strengths, weaknesses, opportunities and threats
(SWOT) analyses, surveys, budgets etc
67Tips For Planning
- Create a compelling vision statement that frames
the evolving plan, and acts as a magnet for
people who want to make a difference - Embrace the use of balanced scorecard approach
- Deploy a draft high level plan early, and ask for
input from stakeholders in the organization - Make the evolving plan visible
68Tips For Planning
- Make the process invigorating for everyone
- Be persistent
- Make the process continuous
- Provide meaning
- Be yourself
- Lighten up and have some fun
69Planning For Information Security Implementation
- The CIO and CISO play important roles
- in translating overall strategic planning into
tactical and operational information security
plans - CISO plays a more active role
- in the development of the planning details than
does the CIO
70CISO Job Description
- Creates strategic information security plan with
a vision for the future of information security
at Company X - Understands fundamental business activities
performed by Company X - Based on this understanding, suggests appropriate
information security solutions that uniquely
protect these activities - Develops action plans, schedules, budgets, status
reports and other top management communications
intended to improve the status of information
security at Company X
71Planning for InfoSec
- Once plan has been translated into IT and
information security objectives and tactical and
operational plans for information security,
implementation can begin - Implementation of information security can be
accomplished in two ways - Bottom-up
- OR
- Top-down
72Approaches to Security Implementation
73The Systems Development Life Cycle (SDLC)
- SDLC methodology for the design and
implementation of an information system - SDLC-based projects may be initiated by events or
planned - At the end of each phase, a review occurs when
reviewers determine if the project should be
continued, discontinued, outsourced, or postponed
74Phases of An SDLC
75Investigation
- Identifies problem to be solved
- Begins with the objectives, constraints, and
scope of the project - A preliminary cost/benefit analysis is developed
to evaluate the perceived benefits and the
appropriate costs for those benefits
76Analysis
- Begins with information from the Investigation
phase - Assesses the organizations readiness, its
current systems status, and its capability to
implement and then support the proposed system(s) - Analysts determine what the new system is
expected to do, and how it will interact with
existing systems
77Logical Design
- Information obtained from analysis phase is used
to create a proposed solution for the problem - A system and/or application is selected based on
the business need - The logical design is the implementation
independent blueprint for the desired solution
78Physical Design
- During the physical design phase, the team
selects specific technologies - The selected components are evaluated further as
a make-or-buy decision - A final design is chosen that optimally
integrates required components
79Implementation
- Develop any software that is not purchased, and
create integration capability - Customized elements are tested and documented
- Users are trained and supporting documentation is
created - Once all components have been tested
individually, they are installed and tested as a
whole
80Maintenance
- Tasks necessary to support and modify the system
for the remainder of its useful life - System is tested periodically for compliance with
specifications - Feasibility of continuance versus discontinuance
is evaluated - Upgrades, updates, and patches are managed
- When current system can no longer support the
mission of the organization, it is terminated and
a new systems development project is undertaken
81The Security SDLC
- May differ in several specifics, but overall
methodology is similar to the SDLC - SecSDLC process involves
- Identification of specific threats and the risks
that they represent - Subsequent design and implementation of specific
controls to counter those threats and assist in
the management of the risk those threats pose to
the organization
82Investigation in the SecSDLC
- Often begins as directive from management
specifying the process, outcomes, and goals of
the project and its budget - Frequently begins with the affirmation or
creation of security policies - Teams assembled to analyze problems, define
scope, specify goals and identify constraints - Feasibility analysis determines whether the
organization has resources and commitment to
conduct a successful security analysis and design
83Analysis in the SecSDLC
- A preliminary analysis of existing security
policies or programs is prepared along with known
threats and current controls - Includes an analysis of relevant legal issues
that could affect the design of the security
solution - Risk management begins in this stage
84Risk Management
- Risk Management process of identifying,
assessing, and evaluating the levels of risk
facing the organization - Specifically the threats to the information
stored and processed by the organization - To better understand the analysis phase of the
SecSDLC, you should know something about the
kinds of threats facing organizations - In this context, a threat is an object, person,
or other entity that represents a constant danger
to an asset
85Key Terms
- Attack deliberate act that exploits a
vulnerability to achieve the compromise of a
controlled system - Accomplished by a threat agent that damages or
steals an organizations information or physical
asset - Exploit technique or mechanism used to
compromise a system - Vulnerability identified weakness of a
controlled system in which necessary controls are
not present or are no longer effective
86Threats to Information Security
87Some Common Attacks
- Malicious code
- Hoaxes
- Back doors
- Password crack
- Brute force
- Dictionary
- Denial-of-service (DoS) and distributed
denial-of-service (DDoS)
- Spoofing
- Man-in-the-middle
- Spam
- Mail bombing
- Sniffer
- Social engineering
- Buffer overflow
- Timing
88Risk Management
- Use some method of prioritizing risk posed by
each category of threat and its related methods
of attack - To manage risk, you must identify and assess the
value of your information assets - Risk assessment assigns comparative risk rating
or score to each specific information asset - Risk management identifies vulnerabilities in an
organizations information systems and takes
carefully reasoned steps to assure the
confidentiality, integrity, and availability of
all the components in organizations information
system
89Design in the SecSDLC
- Design phase actually consists of two distinct
phases - Logical design phase team members create and
develop a blueprint for security, and examine and
implement key policies - Physical design phase team members evaluate the
technology needed to support the security
blueprint, generate alternative solutions, and
agree upon a final design
90Security Models
- Security managers often use established security
models to guide the design process - Security models provide frameworks for ensuring
that all areas of security are addressed - Organizations can adapt or adopt a framework to
meet their own information security needs
91Policy
- A critical design element of the information
security program is the information security
policy - Management must define three types of security
policy - General or security program policy
- Issue-specific security policies
- Systems-specific security policies
92SETA
- An integral part of the InfoSec program is
- Security education and training (SETA) program
- SETA program consists of three elements
- security education, security training, and
security awareness - Purpose of SETA is to enhance security by
- Improving awareness
- Developing skills and knowledge
- Building in-depth knowledge
93Design
- Attention turns to the design of the controls and
safeguards used to protect information from
attacks by threats - Three categories of controls
- Managerial
- Operational
- Technical
94Managerial Controls
- Address design/implementation of the
- security planning process and
- security program management
- Management controls also address
- Risk management
- Security control reviews
95Operational Controls
- Cover management functions and lower level
planning including - Disaster recovery
- Incident response planning
- Operational controls also address
- Personnel security
- Physical security
- Protection of production inputs and outputs
96Technical Controls
- Address those tactical and technical issues
related to - designing and implementing security in the
organization - Technologies necessary to protect information are
examined and selected
97Contingency Planning
- Essential preparedness documents provide
contingency planning (CP) to prepare, react and
recover from circumstances that threaten the
organization - Incident response planning (IRP)
- Disaster recovery planning (DRP)
- Business continuity planning (BCP)
98Physical Security
- Physical Securityaddresses
- the design, implementation, and maintenance of
countermeasures that protect the physical
resources of an organization - Physical resources include
- People
- Hardware
- Supporting information system elements
99Implementation in the SecSDLC
- Security solutions are acquired, tested,
implemented, and tested again - Personnel issues are evaluated and specific
training and education programs conducted - Perhaps most important element of implementation
phase is management of project plan - Planning the project
- Supervising tasks and action steps within the
project - Wrapping up the project
100InfoSec Project Team
- Should consist of individuals experienced in one
or multiple technical and non-technical areas
including - Champion
- Team leader
- Security policy developers
- Risk assessment specialists
- Security professionals
- Systems administrators
- End users
101Staffing the InfoSec Function
- Each organization should examine the options for
staffing of the information security function - Decide how to position and name the security
function - Plan for proper staffing of information security
function - Understand impact of information security across
every role in IT - Integrate solid information security concepts
into personnel management practices of the
organization
102InfoSec Professionals
- It takes a wide range of professionals to support
a diverse information security program - Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
- Security Managers
- Security Technicians
- Data Owners
- Data Custodians
- Data Users
103Certifications
- Many organizations seek professional
certification so that they can more easily
identify the proficiency of job applicants - CISSP
- SSCP
- GIAC
- SCP
- ICSA
- Security
- CISM
104Maintenance and Change in the SecSDLC
- Once information security program is implemented,
- it must be properly operated, managed, and kept
up to date by means of established procedures - If the program is not adjusting adequately to the
changes in the internal or external environment,
it may be necessary to begin the cycle again
105Maintenance Model
- While a systems management model is designed to
manage and operate systems, a maintenance model
is intended to focus organizational effort on
system maintenance - External monitoring
- Internal monitoring
- Planning and risk assessment
- Vulnerability assessment and remediation
- Readiness and review
- Vulnerability assessment
106(No Transcript)
107ISO Management Model
- One issue planned in the SecSDLC is the systems
management model - ISO network management model - five areas
- Fault management
- Configuration and name management
- Accounting management
- Performance management
- Security management
108Security Management Model
- Fault Management involves identifying and
addressing faults - Configuration and Change Management involve
administration of components involved in the
security program and administration of changes - Accounting and Auditing Management involves
chargeback accounting and systems monitoring - Performance Management determines if security
systems are effectively doing the job for which
they were implemented
109Security Program Management
- Once an information security program is
functional, it must be operated and managed - In order to assist in the actual management of
information security programs, a formal
management standard can provide some insight into
the processes and procedures needed - This could be based on the BS7799/ISO17799 model
or the NIST models described earlier