Security Management - PowerPoint PPT Presentation

Slides: 21
Provided by: rp3
Transcript and Presenter's Notes


1
Security Management
  • Security is Primarily a Management Issue
  • Top-to-Bottom Commitment
  • Top-management commitment
  • Operational execution
  • Enforcement

2
Security Management
  • General Security Goals
  • Confidentiality
  • Attackers cannot read messages if they intercept
    them
  • Integrity
  • If attackers change messages, this will be
    detected
  • Availability
  • System is able to serve users

3
Security Management
  • Comprehensive Security
  • Closing all avenues of attack
  • Asymmetrical warfare
  • Attacker only has to find one opening
  • Defense in depth
  • Attacker must get past several defenses to
    succeed
  • Security audits
  • Run attacks against your own network

4
Security Management
  • Security Planning
  • Risk Analysis
  • Security Policies
  • Physical Security

5
Security Planning
  • Policy
  • Current state risk analysis
  • Requirements
  • Recommended controls
  • Accountability
  • Timetable
  • Continuing attention

6
Security Planning
  • Assuring Commitment to a Security Plan
  • Business Continuity Plans
  • Assess Business Impact
  • Develop Strategy
  • Develop Plan
  • Incident Response Plans
  • Advance Planning
  • Response Team
  • After the Incident is Resolved

7
Security Planning Team Members
  • Computer hardware group
  • System administrators
  • Systems programmers
  • Application programmers
  • Data entry personnel
  • Physical security personnel
  • Representative users

8
The Plan-Protect-Respond Cycle
  • Planning
  • Need for comprehensive security (no gaps)
  • Risk analysis
  • Enumerating threats
  • Threat severity = estimated cost of attack X
    probability of attack
  • Value of protection = threat severity - cost of
    countermeasure
  • Prioritize countermeasures by value of
    prioritization
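
The risk-analysis arithmetic from this slide, as an added Python example that is not part of the original presentation: it scores a constructed threat register and ranks the countermeasures by value of protection. The `Threat` class, the function names and every figure are illustrative assumptions.

```python
from typing import NamedTuple

class Threat(NamedTuple):
    name: str
    attack_cost: float          # estimated cost of one successful attack
    probability: float          # probability of attack in the planning period, 0..1
    countermeasure: str
    countermeasure_cost: float  # cost of the countermeasure over the same period

    @property
    def severity(self) -> float:
        # threat severity = estimated cost of attack x probability of attack
        return self.attack_cost * self.probability

    @property
    def value_of_protection(self) -> float:
        # value of protection = threat severity - cost of countermeasure
        return self.severity - self.countermeasure_cost

def prioritize(threats):
    """Reject malformed estimates, then rank by value of protection, highest first."""
    for t in threats:
        if not 0.0 <= t.probability <= 1.0:
            raise ValueError(f"{t.name}: probability must be between 0 and 1")
        if t.attack_cost < 0 or t.countermeasure_cost < 0:
            raise ValueError(f"{t.name}: costs cannot be negative")
    return sorted(threats, key=lambda t: t.value_of_protection, reverse=True)

def worth_funding(threats):
    """Countermeasures that cost less than the threat severity they address."""
    return [t for t in prioritize(threats) if t.value_of_protection > 0]

# Constructed register: threats and controls echo items named in the slides,
# all monetary figures and probabilities are made up for illustration.
REGISTER = [
    Threat("Power loss", 8_000, 0.50, "UPS", 5_000),
    Threat("Flood in server room", 400_000, 0.01, "Offsite backup", 3_000),
    Threat("Web server break-in", 50_000, 0.40, "Host hardening", 6_000),
    Threat("Laptop theft", 20_000, 0.25, "Disk encryption", 2_000),
]

if __name__ == "__main__":
    for t in prioritize(REGISTER):
        flag = "" if t.value_of_protection > 0 else "  <- costs more than it protects"
        print(f"{t.countermeasure:16} severity={t.severity:>9,.0f} "
              f"value={t.value_of_protection:>9,.0f}{flag}")
```

With these figures the UPS comes out with a negative value of protection, which is the case the ranking is meant to expose: the countermeasure costs more than the severity of the threat it addresses.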

9
Threat Severity Analysis - Example
10
The Plan-Protect-Respond Cycle
  • Planning
  • Security policies drive subsequent specific
    actions
  • Selecting technology
  • Procedures to make technology effective
  • The testing of technology and procedures

11
Policy-Driven Technology, Procedures, and Testing
  • Policy: Only allow authorized personnel to use
    accounting webserver
  • Technology (Firewall, Hardened Webserver)
  • Procedures (Configuration, Passwords, Etc.)
  • Protection
  • Testing (Test Security): Attempt to Connect to
    Unauthorized Webserver

12
The Plan-Protect-Respond Cycle
  • Protecting
  • Installing protections: firewalls, IDSs, host
    hardening, etc.
  • Updating protections as the threat environment
    changes
  • Testing protections: security audits

13
The Plan-Protect-Respond Cycle
  • Responding
  • Planning for response (Computer Emergency
    Response Team)
  • Incident detection and determination
  • Procedures for reporting suspicious situations
  • Determination that an attack really is occurring
  • Description of the attack to guide subsequent
    actions

14
The Plan-Protect-Respond Cycle
  • Responding
  • Containment and Recovery
  • Containment: stop the attack
  • Repair the damage
  • Punishment
  • Forensics
  • Prosecution
  • Employee Punishment
  • Fixing the vulnerability that allowed the attack

15
Security Policy
  • What are the Organisation's goals on security?
  • Where does the responsibility for security lie?
  • What is the Organisation's commitment to security?

16
Security Policy
  • Who should be allowed access?
  • To what system and Organisational resources
    should access be allowed?
  • What types of access should each user be allowed
    for each resource?

17
Security Policies: User Types
  • Users
  • Owners
  • Data subjects
  • Balance Among All Parties

18
Characteristics of a Good Security Policy
  • Coverage (comprehensive)
  • Durability
  • Realism
  • Usefulness
  • Examples

19
Physical Security
  • Natural Disasters
  • Flood
  • Fire
  • Other
  • Power Loss
  • UPS, surge suppressors (line conditioners)
  • Human Vandals
  • Unauthorized Access and Use
  • Theft

20
Contingency Planning - Disaster Recovery
  • BACKUP!!!!!
  • Complete backup
  • Revolving backup
  • Selective backup
  • OFFSITE BACKUP!!!!!
