Chapter 8 - PowerPoint PPT Presentation

Slides: 27
Provided by: CSU155

Transcript and Presenter's Notes

1
Chapter 8 Administering Security
  • Security Planning
  • Risk Analysis
  • Security Policies
  • Physical Security

2
Security Planning
  • Policy
  • Current state risk analysis
  • Requirements
  • Recommended controls
  • Accountability
  • Timetable
  • Continuing attention

3
Security Planning - Policy
  • Who should be allowed access?
  • To what system and organizational resources
    should access be allowed?
  • What types of access should each user be allowed
    for each resource?

4
Security Planning - Policy
  • What are the organization's goals on security?
  • Where does the responsibility for security lie?
  • What is the organization's commitment to security?

5
OCTAVE Methodology (http://www.cert.org/octave/)
  • Identify enterprise knowledge.
  • Identify operational area knowledge.
  • Identify staff knowledge.
  • Establish security requirements.
  • Map high-priority information assets to
    information infrastructure.
  • Perform an infrastructure vulnerability
    evaluation.
  • Conduct a multidimensional risk analysis.
  • Develop a protection strategy.

6
Security Planning - Requirements of the TCSEC
  • Security policy - there must be an explicit and
    well-defined security policy enforced by the
    system.
  • Every subject must be uniquely and convincingly
    identified.
  • Every object must be associated with a label that
    indicates its security level.
  • The system must maintain complete, secure records
    of actions that affect security.
  • The computing system must contain mechanisms that
    enforce security.
  • The mechanisms that implement security must be
    protected against unauthorized change.

7
Security Planning - Team Members
  • Computer hardware group
  • System administrators
  • Systems programmers
  • Application programmers
  • Data entry personnel
  • Physical security personnel
  • Representative users

8
Security Planning
  • Assuring Commitment to a Security Plan
  • Business Continuity Plans
      • Assess Business Impact
      • Develop Strategy
      • Develop Plan
  • Incident Response Plans
      • Advance Planning
      • Response Team
      • After the Incident is Resolved

9
Risk Analysis
  • Risk impact - loss associated with an event
  • Risk probability - likelihood that the event will
    occur
  • Risk control - degree to which we can change the
    outcome
  • Risk exposure = risk impact × risk probability

10
Risk Analysis - Risk Reduction
  • Avoid the risk
  • Transfer the risk
  • Assume the risk
  • Risk leverage = [(risk exposure before reduction) -
    (risk exposure after reduction)] / (cost of risk
    reduction)
  • Cannot guarantee systems are risk free
  • Security plans must address action needed should
    an unexpected risk become a problem

11
Steps of a Risk Analysis
  • Identify assets
  • Determine vulnerabilities
  • Estimate likelihood of exploitation
  • Compute expected annual loss
  • Survey applicable controls and their costs
  • Project annual savings of control

12
Identify Assets
  • Hardware
  • Software
  • Data
  • People
  • Procedures (policies, training)
  • Documentation
  • Supplies
  • Infrastructure (building, power, water, ...)

13
Determine Vulnerabilities
Asset      | Confidentiality | Integrity | Availability
Hardware   |                 |           |
Software   |                 |           |
Data       |                 |           |
People     |                 |           |
Procedures |                 |           |

14
Determine Vulnerabilities
  • What are the effects of unintentional errors?
  • What are the effects of willfully malicious
    insiders?
  • What are the effects of outsiders?
  • What are the effects of natural and physical
    disasters?

15
Risk Analysis
  • Estimate Likelihood of Exploitation
      • Classical probability
      • Frequency probability (simulation)
      • Subjective probability (Delphi approach)
  • Compute Expected Loss (look for hidden costs)
      • Legal obligations
      • Side effects
      • Psychological effects

16
Risk Analysis
  • Survey and Select New Controls
      • What Criteria Are Used for Selecting Controls?
      • Vulnerability Assessment and Mitigation (VAM)
        Methodology
      • How Do Controls Affect What They Control?
      • Which Controls Are Best?
  • Project Savings
      • Do costs outweigh benefits of preventing /
        mitigating risks?
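
Added worked example (not part of the original slides): a small risk register run through the steps above, using risk exposure = impact × probability as the expected annual loss and risk leverage = (exposure before - exposure after) / cost of the control. All risks, dollar figures and control effects are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    impact: float        # loss per event, in dollars (constructed)
    probability: float   # expected events per year (constructed)

    @property
    def exposure(self) -> float:
        # Risk exposure = risk impact x risk probability (expected annual loss)
        return self.impact * self.probability

@dataclass
class Control:
    name: str
    annual_cost: float
    # risk name -> (impact multiplier, probability multiplier) with the control in place
    effect: dict

def exposure_after(risks, control):
    """Total expected annual loss once the control is applied."""
    total = 0.0
    for r in risks:
        impact_mult, prob_mult = control.effect.get(r.name, (1.0, 1.0))
        total += (r.impact * impact_mult) * (r.probability * prob_mult)
    return total

def evaluate(risks, controls):
    """Return (name, after, leverage, net_savings) per control, best leverage first."""
    before = sum(r.exposure for r in risks)
    rows = []
    for c in controls:
        after = exposure_after(risks, c)
        leverage = (before - after) / c.annual_cost    # risk leverage
        net_savings = (before - after) - c.annual_cost  # projected annual savings
        rows.append((c.name, after, leverage, net_savings))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample data, not taken from the slides
RISKS = [
    Risk("laptop theft", 8_000, 0.5),
    Risk("ransomware outage", 200_000, 0.05),
    Risk("accidental deletion", 2_000, 4.0),
]
CONTROLS = [
    Control("offsite backup", 6_000,
            {"ransomware outage": (0.2, 1.0), "accidental deletion": (0.1, 1.0)}),
    Control("disk encryption", 1_500, {"laptop theft": (0.25, 1.0)}),
    Control("hot site", 40_000, {"ransomware outage": (0.05, 1.0)}),
]

if __name__ == "__main__":
    for name, after, leverage, net in evaluate(RISKS, CONTROLS):
        print(f"{name:16s} after={after:9.0f} leverage={leverage:5.2f} net={net:9.0f}")
```

A control with leverage below 1 (here the hot site) costs more per year than the exposure it removes, which is the "do costs outweigh benefits" question on the slide.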

17
Arguments for Risk Analysis
  • Improve awareness
  • Relate security mission to management objectives
  • Identify assets, vulnerabilities, and controls
  • Improve basis for decisions
  • Justify expenditures for security

18
Arguments against Risk Analysis
  • False sense of precision and confidence
  • Hard to perform
  • Immutability (filed and forgotten)
  • Lack of accuracy
  • "Today's complex Internet networks cannot be made
    watertight. A system administrator has to get
    everything right all the time; a hacker only has
    to find one small hole. A sysadmin has to be
    lucky all of the time; a hacker only has to get
    lucky once. It is easier to destroy than to
    create."
  • Robert Graham, lead architect of Internet
    Security Systems

19
Organizational Security Policies
  • Who can access which resources in what manner?
  • Security policy - high-level management document
    that informs all users of the goals and
    constraints on using a system.

20
Security Policies - Purpose
  • Recognize sensitive information assets
  • Clarify security responsibilities
  • Promote awareness for existing employees
  • Guide new employees

21
Security Policies - Audience
  • Users
  • Owners
  • Beneficiaries
  • Balance Among All Parties

22
Contents
  • Purpose
  • Protected Resources (what - asset list)
  • Nature of the Protection (who and how)

23
Characteristics of a Good Security Policy
  • Coverage (comprehensive)
  • Durability
  • Realism
  • Usefulness
  • Examples

24
Physical Security
  • Natural Disasters
      • Flood
      • Fire
      • Other
  • Power Loss
      • UPS, surge suppressors (line conditioners)
  • Human Vandals
      • Unauthorized Access and Use
      • Theft

25
Physical Security
  • Interception of Sensitive Information
  • Dumpster Diving - Shredding
  • Remanence (slack bits)
  • Overwriting Magnetic Data
  • DiskWipe
  • Degaussing
  • Emanation - Tempest

26
Contingency Planning
  • BACKUP!!!!!
  • Complete backup
  • Revolving backup
  • Selective backup
  • OFFSITE BACKUP!!!!!
  • Networked Storage (SAN)
  • Cold site (shell)
  • Hot site