Chapter 8: Administering Security

Planning: prepare and study what will verify our implementation meets security needs of today and tomorrow.
Risk Analysis: cost/benefit analysis of controls.
Policy: establish a framework to verify security needs are met.
Physical Control: what aspects of the computing environment have an impact on security?
Security Planning

“The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable” (SANS).
Contents of Security Plan

Policy: the goal of the computer security.
Current State: describe current status.
Requirements: how to meet goals (legal, etc.).
Recommended Controls: map controls to vulnerabilities identified.
Accountability: who is responsible.
Timetable: due dates for tasks.
Continuous Attention: keep it up to date.
Table 8-1 The Six “Requirements” of the TCSEC

Security Policy: There must be an explicit and well-defined security policy enforced by the system.
Identification: Every subject must be uniquely and convincingly identified. Identification is necessary so that subject/object access can be checked.
Marking: Every object must be associated with a label that indicates its security level. The association must be done so that the label is available for comparison each time an access to the object is required.
Accountability: The system must maintain complete, secure records of actions that affect security. Such actions include introducing new users to the system, assigning or changing the security level of a subject or an object, and denying access attempts.
Assurance: The computing system must contain mechanisms that enforce security, and it must be possible to evaluate the effectiveness of these mechanisms.
Continuous Protection: The mechanisms that implement security must be protected against unauthorized change.
Figure 8-1 Inputs to the Security Plan.
Do we protect everything?

Risk Assessment
Risk Categorization and Prioritization
Risk Mitigation
Resources Available
Planning
Implementation
Testing
Updates to plan

04/19/23 Live Chat 5
Risk Analysis
Risk Assessment worksheet

Organization: ____________    Date: ____________

Threat Description    Probability (High / Medium / Low)    Impact (High / Medium / Low)

What are the risks?
What is the probability of occurring?
What is the impact if it happens?
Risk Analysis

Assets: what are we trying to protect?
Threats and Vulnerabilities: potential harmful occurrences (power loss, hackers, virus, earthquake).
◦ Vulnerability: a weakness that allows a threat to cause harm.
Risk = Threat * Vulnerability.
Risk = Threat * Vulnerability * Impact ($).
Risk Analysis Matrix (rows: Likelihood; columns: Consequences of the event)

Likelihood        Insignificant  Minor  Moderate  Major  Catastrophic
Almost Certain    H              H      E         E      E
Likely            M              H      H         E      E
Possible          L              M      H         E      E
Unlikely          L              L      M         H      E
Rare              L              L      M         H      H

E = Extreme, H = High, M = Medium, L = Low
Risk Analysis Terms

Asset Value (AV): value of the asset you are protecting.
Exposure Factor (EF): percentage of an asset's value lost due to an incident.
Single Loss Expectancy (SLE): cost of a single loss.
◦ SLE = AV x EF
Annual Rate of Occurrence (ARO): number of losses per year.
Annualized Loss Expectancy (ALE): yearly cost of a loss due to a risk; helps decide how to mitigate the risk.
◦ ALE = SLE x ARO
Total Cost of Ownership (TCO): total cost of a mitigating safeguard.
Return On Investment (ROI): amount of $$$ saved by implementing a safeguard.
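Worked example of the terms above, added here (not from the slides): SLE = AV x EF and ALE = SLE x ARO, then two candidate safeguards compared by annual savings against their TCO. The asset value, exposure factors, rates and costs are constructed, and treating ROI as ALE reduction minus annualized TCO is an assumption of this example.

```python
"""ALE / ROI worked example (added; scenario values are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset being protected ($)
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    rate_per_year: float    # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: cost of one incident (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: yearly cost of the risk (SLE x ARO)."""
        return self.sle() * self.rate_per_year


def safeguard_roi(before: Risk, after: Risk, annual_tco: float) -> float:
    """Net annual $ saved by a safeguard: ALE reduction minus the safeguard's
    annualized TCO (assumed definition). Positive means it pays for itself."""
    return before.ale() - after.ale() - annual_tco


# Constructed scenario: ransomware against a $200,000 file server. Without
# controls, one incident destroys half the asset value, about twice a year.
unprotected = Risk("file server / ransomware", 200_000, 0.5, 2.0)

# Safeguard 1, tested offline backups: incidents still occur, but only 10% of
# the value is lost per incident. Annual TCO $30,000.
backups = Risk("file server / ransomware", 200_000, 0.1, 2.0)
# Safeguard 2, hardening and patching: same loss per incident, but the
# expected rate drops to one incident every four years. Annual TCO $60,000.
hardening = Risk("file server / ransomware", 200_000, 0.5, 0.25)

SAFEGUARDS = {"offline backups": (backups, 30_000),
              "hardening + patching": (hardening, 60_000)}


def rank_safeguards() -> list[tuple[str, float]]:
    """Return (name, net annual savings) for each safeguard, best first."""
    scored = [(name, safeguard_roi(unprotected, risk, tco))
              for name, (risk, tco) in SAFEGUARDS.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"ALE without safeguards: ${unprotected.ale():,.0f}")
    for name, savings in rank_safeguards():
        print(f"{name:22s} net annual savings ${savings:,.0f}")
```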
Risk Choices

Accept: if low likelihood and low impact.
Mitigate: lower risk to an acceptable level.
Transfer: buy insurance.
Avoid it: drop the project.
Figure 8-2 Vulnerabilities Suggested by Attributes and Objects.
Figure 8-3 Vulnerabilities Enabling a Trojan Horse Attack.
Six attributes might enable a Trojan horse attack
Figure 8-4 Mapping Control Techniques to Vulnerabilities. Example: Vulnerability E is primarily controlled by Technique 2.
Figure 8-5 Matrix of Vulnerabilities and Controls. Attributes leading to vulnerabilities on the left, controls on top.
Figure 8-6 Valuation of Security Techniques.
Figure 8-7 Relevance of Certain Security Techniques to Roles and Attack Components.
Figure 8-8 Risk Calculation for Regression Testing.
Arguments For Risk Analysis

Improve Awareness
◦ Increase level of interest.
Relate Security Mission to Management Objectives
◦ Security costs money.
◦ Need people to understand that security balances harm and the costs of controls.
Identify Assets, Vulnerabilities & Controls.
Arguments For Risk Analysis (continued)

Improve Basis for Decisions
◦ Risk analysis augments the manager’s judgment as a basis for the decision.
Justify Expenditures for Security
◦ Balance costs versus risks to identify the business case for a control.
Arguments Against Risk Analysis

False Sense of Precision and Confidence
◦ Uses empirical data to generate estimates of risk impact, risk probability and risk exposure.
Hard to Perform
◦ Assessment is subjective and time consuming.
Arguments Against Risk Analysis (continued)

Immutability
◦ Risk analysis is often quickly forgotten.
◦ Analysis must be a living document and not a one-time event.
Lack of Accuracy
◦ Hard to estimate risks.
◦ May be gaps due to our limited knowledge of the system.
Physical Security

Natural Disasters
◦ Earthquake, hurricane, flood, fire, storms, etc.
Environmental
◦ Electrical: brown/black outs, spikes, surges, sag, fault.
◦ HVAC, air conditioning, humidity controls.
◦ Electromagnetic Interference (EMI).
Theft
◦ Internal, external.
Physical Security (continued)

Shredding: shred documents.
Overwrite magnetic media or shred it.
Degaussing: use a magnetic field to destroy.
TEMPEST: protect against electromagnetic signal emission.
◦ Certify emission free.
◦ Enclose device or modify emanations.
Business Continuity Plan (BCP)

Long-term, strategic, business-oriented plan for continued operation.
BCP Goal
◦ Ensure that the business continues to operate before, during and after a disaster.
◦ Ensure critical services can be delivered in the wake of a disruption and after it is over.
Disaster Recovery Plan

Short-term plan for dealing with specific IT-oriented disruptions.
Tactical.
Mitigate the impact of a disaster.
◦ Recover critical IT systems.
Part of the Business Continuity Plan.
Contingency Planning

Redundant Site: exact production duplicate.
Hot Site:
◦ Fully configured site with all necessary hardware and critical applications.
Warm Site:
◦ Some aspects of a hot site; relies on backup data to reconstitute systems after a disruption.
Cold Site (shell): alternative location.
Contingency Planning (continued)

Mobile Site: datacenter in a box.
Reciprocal Agreement
◦ Bi-directional agreement between two organizations to share space if a disaster occurs.
Backups
◦ Geographically distributed.
◦ Environmentally controlled.