Security Management Practices
General overview of good security management processes. Introduces topics used in several other sections

Upload: horatio-mccarthy, posted 12-Jan-2016

Page 1 (title slide): Security Management Practices

Page 2

Overview

- Basic Security Concepts
- Policies, Standards, Guidelines, & Procedures
- Roles played in security management
- Security Awareness
- Risk Management
- Data & Information Classification

Page 3

Concepts

- C.I.A.: Confidentiality, Integrity, & Availability
- Identification, Authentication, Accountability, Authorization, Privacy
- Objective of security controls: reduce the likelihood & impact of threats

Page 4

Systems Security Lifecycle

1. Initiation
2. Development/Acquisition
3. Implementation
4. Operation/Maintenance
5. Disposal

Page 5

3 Primary Tenets of InfoSec

- Confidentiality
- Integrity
- Availability

Page 6

Personnel Concepts

- Identification
- Authentication
- Accountability
- Authorization
- Privacy

Page 7

System Concepts

- Assume external systems are insecure
- Examine the trade-offs (nothing is free)
- Use layered security (greater work factor)
- Minimize the system elements that are “trusted”
- Isolate publicly accessed systems
- Authenticate both users & processes
- Use unique identities to ensure accountability
- Implement least privilege

Page 8

TOA: Trade-off Analysis

- Define the objective (in writing)
- Identify alternatives (courses of action)
- Compare alternatives
- Realize that there are no perfectly secure systems in operation

Page 9

Security Controls

Objective: reduce vulnerabilities & minimize the effect of an attack
- Attack likelihood
- Attack cost
- Attack countermeasures

- Deterrent controls
- Corrective controls
- Detective controls

Page 10

Simple Threat Matrix

[Figure: a matrix plotting likelihood of an attack against impact, starting from the origin (0,0), with regions labelled A, B, and C]

Page 11

Information Classification

- Why classify data & information
- Concepts
- Classification terms: Governmental, Private Sector
- Criteria
- Roles used in the classification process

Page 12

Roles…

- Owner: who gets the blame; level of classification, review of protection, delegation to custodian
- Custodian: actual day-to-day work, backups, verify backups, restoration, policy maintenance
- User: operating procedures, user account management, detecting unauthorized/illicit activity, termination

Page 13

Implementation

1. Policy
   1. Senior management (demonstration of commitment)
   2. General organizational
   3. Functional policy
2. Implementation
   1. Standards -- Baselines
   2. Guidelines
   3. Procedures

Page 14

Risk Management

Risk can never be totally eliminated

Primary purpose
1. Identification of risks
2. Cost / benefit analysis

Benefits
1. Creates clear cost-to-value
2. Helps the analysis process
3. Helps design and creation

Page 15

Terms

- Asset
- Threat
- Vulnerability
- Safeguard
- Exposure Factor (EF)
- Single Loss Expectancy (SLE)
- Annualized Rate of Occurrence (ARO)
- Annualized Loss Expectancy (ALE)
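As an added worked example (not from the slides), the quantitative risk formulas behind these terms in Python: SLE = AV * EF and ALE = SLE * ARO, plus the usual cost/benefit test for a safeguard, (ALE before) minus (ALE after) minus (annual cost of the safeguard). The asset, threat and safeguard figures are constructed for illustration and are not on the slides.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                 # asset value (AV), in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float       # EF: fraction of AV lost in a single incident (0.0 .. 1.0)
    aro: float                   # ARO: expected number of incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                           # yearly cost of running the control
    new_exposure_factor: Optional[float] = None  # EF after the control (None = unchanged)
    new_aro: Optional[float] = None              # ARO after the control (None = unchanged)


def single_loss_expectancy(asset: Asset, exposure_factor: float) -> float:
    """SLE = AV * EF: the dollar loss expected from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset.value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: the expected yearly loss from the threat."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def ale_for(asset: Asset, threat: Threat, safeguard: Optional[Safeguard] = None) -> float:
    """ALE for an asset/threat pair, optionally with a safeguard applied."""
    ef, aro = threat.exposure_factor, threat.aro
    if safeguard is not None:
        if safeguard.new_exposure_factor is not None:
            ef = safeguard.new_exposure_factor
        if safeguard.new_aro is not None:
            aro = safeguard.new_aro
    return annualized_loss_expectancy(single_loss_expectancy(asset, ef), aro)


def safeguard_value(asset: Asset, threat: Threat, safeguard: Safeguard) -> float:
    """Cost/benefit of a safeguard: (ALE before) - (ALE after) - (annual cost).
    A negative result means the control costs more per year than it is expected to save."""
    return ale_for(asset, threat) - ale_for(asset, threat, safeguard) - safeguard.annual_cost


def rank_safeguards(asset: Asset, threat: Threat,
                    safeguards: List[Safeguard]) -> List[Tuple[str, float]]:
    """Safeguards ordered from best to worst net annual value."""
    scored = [(s.name, safeguard_value(asset, threat, s)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario (illustrative numbers only).
CUSTOMER_DB = Asset("customer database", value=200_000.0)
# One breach expected every two years, destroying 25% of the asset's value.
DB_BREACH = Threat("database breach", exposure_factor=0.25, aro=0.5)
SAFEGUARDS = [
    Safeguard("network segmentation", annual_cost=8_000.0, new_aro=0.1),
    Safeguard("full outsourcing of hosting", annual_cost=30_000.0, new_aro=0.0),
    Safeguard("field-level encryption", annual_cost=4_000.0, new_exposure_factor=0.10),
]

if __name__ == "__main__":
    print(f"SLE = ${single_loss_expectancy(CUSTOMER_DB, DB_BREACH.exposure_factor):,.0f}")
    print(f"ALE = ${ale_for(CUSTOMER_DB, DB_BREACH):,.0f}")
    for name, value in rank_safeguards(CUSTOMER_DB, DB_BREACH, SAFEGUARDS):
        print(f"{name:<30} net annual value ${value:,.0f}")
```

The ranking is the cost/benefit analysis the Risk Management slide names: the control that removes the risk entirely ("full outsourcing") ranks last because its annual cost exceeds the whole ALE, which is the point of computing ALE before choosing a safeguard.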

Page 16

Attacks

- Criminal: Fraud (prolific on the Internet), Destructive, Intellectual Property, Identity Theft, Brand Theft
- Privacy: less and less available; people do not own their own data; Surveillance, Databases, Traffic Analysis; Echelon, Carnivore
- Publicity & Denial of Service
- Legal

Page 17

Brief Risk Analysis Overview

Quantitative vs Qualitative

Steps
- Potential losses
- Potential threats
- Asset valuation
- Safeguard selection
- Remedies

Page 18

Risk Analysis

“The identification and evaluation of the most likely permutation of assets, known and anticipated vulnerabilities, and known and anticipated types of attackers.”

Page 19

Assets

- What are you trying to protect?
- Why is it being protected?
- Risk for other systems on the network
- Data: tampering vs. stealing
- Liability

Page 20

Attackers

- Categorize by Objective, Access, Resources, Expertise, and Risk
- Hackers: Galileo, Marie Curie
- Lone Criminals, Insiders, Espionage, Press, Organized Crime, Terrorists

Page 21

Motives

- Business competitors
- Same motives as “real-life” criminals
- Financial motives: credit cards, The Cuckoo’s Egg
- Political motives
- Personal / psychological motives

Page 22

Motives

- Honeypot: “to learn tools tactics and motives of blackhat community”
- Script Kiddies: canned exploits of Perl or shell scripts; still a major threat
- Knowing motives helps predict attack
- Degrees of motivation
- Automated tools: hardened systems vs easy kills

Page 23

Steps in an Attack

1. Identify target & collect information
2. Find vulnerability in target
3. Gain appropriate access to target
4. Perform the attack
5. Complete attack, remove evidence, ensure future access

Page 24

After you get root

1. Remove traces of root compromise
2. Gather information about system
3. Make sure you can get back in
4. Disable or patch vulnerability

Page 25

Vulnerability Landscape

- Physical world: laptops
- Virtual world
- Trust model
- System life cycle

Page 26

Vulnerabilities

Only potential until someone figures out how to exploit them

Need to identify and address those that:
- Apply & must be mitigated now
- Are likely to apply & must be planned against
- Seem unlikely and/or are easy to mitigate

Page 27

Attack Trees (Bruce Schneier)

- Visual representation of attacks against any given target
- The attack goal is the root; attack subgoals are the leaf nodes
- For each leaf, determine the subgoals necessary to achieve it
- And the cost to achieve penetration using different types of attackers

Page 28

Attack Tree Example

Root goal: Steal Customer Data

Subgoals: Obtain Backup Media / Intercept eMail / Hack into Server

Leaf attacks and estimated costs:
- Burglarize Office ($10,000)
- Bribe Admin at ISP ($5,000)
- Hack remote user’s home system ($1,000)
- Hack SMTP Gateway ($2,000)
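As an added example (not the slide deck's own code), the two slides above worked through in Python: an attack tree with OR and AND nodes, the cheapest-path calculation a defender uses to see where the tree is weakest, and a re-run after a countermeasure raises one leaf's cost. The leaf costs are the slide's; grouping the four leaves under the three subgoals, the empty "Hack into Server" subgoal (no leaf or cost given on the slide), and the $20,000 post-mitigation figure are assumptions made for this example.

```python
from __future__ import annotations

import math
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "OR"               # "OR": any child suffices; "AND": all children required; "LEAF": a concrete step
    cost: Optional[float] = None   # estimated attacker cost for a LEAF; None = not estimated
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, cost: Optional[float] = None) -> Node:
    return Node(name, "LEAF", cost)


def any_of(name: str, *children: Node) -> Node:
    return Node(name, "OR", children=list(children))


def all_of(name: str, *children: Node) -> Node:
    return Node(name, "AND", children=list(children))


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """(cost, leaf steps) of the least expensive way to reach this node's goal.
    OR nodes take the minimum over children, AND nodes sum their children. A leaf
    with no estimate, or a subgoal with no children, counts as infinitely expensive
    so it never hides a costed path but is still visible as a gap in the analysis."""
    if node.kind == "LEAF":
        return (math.inf if node.cost is None else node.cost), [node.name]
    if not node.children:
        return math.inf, []
    if node.kind == "OR":
        return min((cheapest_attack(c) for c in node.children), key=lambda r: r[0])
    if node.kind == "AND":
        total, steps = 0.0, []
        for c in node.children:
            cost, sub = cheapest_attack(c)
            total += cost
            steps.extend(sub)
        return total, steps
    raise ValueError(f"unknown node kind {node.kind!r}")


def attacks_within_budget(node: Node, budget: float) -> List[str]:
    """Costed leaves an attacker with `budget` could afford individually (the
    'different types of attackers' view: vary the budget, see which steps open up)."""
    if node.kind == "LEAF":
        return [node.name] if node.cost is not None and node.cost <= budget else []
    return [n for c in node.children for n in attacks_within_budget(c, budget)]


def with_mitigation(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree in which a countermeasure has raised one leaf's attacker cost."""
    if node.kind == "LEAF":
        return replace(node, cost=new_cost) if node.name == leaf_name else node
    return replace(node, children=[with_mitigation(c, leaf_name, new_cost) for c in node.children])


# The slide's tree. Leaf costs are the slide's; the grouping of leaves under
# subgoals is an assumption, and "Hack into Server" has no leaf or cost on the slide.
STEAL_CUSTOMER_DATA = any_of(
    "Steal Customer Data",
    any_of("Obtain Backup Media", leaf("Burglarize Office", 10_000)),
    any_of("Intercept eMail",
           leaf("Bribe Admin at ISP", 5_000),
           leaf("Hack remote user's home system", 1_000),
           leaf("Hack SMTP Gateway", 2_000)),
    any_of("Hack into Server"),
)

if __name__ == "__main__":
    cost, steps = cheapest_attack(STEAL_CUSTOMER_DATA)
    print(f"cheapest path: ${cost:,.0f} via {steps}")
    print("affordable at $5,000:", attacks_within_budget(STEAL_CUSTOMER_DATA, 5_000))
    # Assumed countermeasure: hardening remote users' systems raises that step to $20,000.
    hardened = with_mitigation(STEAL_CUSTOMER_DATA, "Hack remote user's home system", 20_000)
    cost, steps = cheapest_attack(hardened)
    print(f"after mitigation: ${cost:,.0f} via {steps}")
```

The defender's reading is that the tree's overall cost is the cost of its cheapest leaf, so raising the $1,000 step only moves the weakest point to the $2,000 step; the uncosted "Hack into Server" subgoal shows up as an infinite estimate, which flags it as analysis still to be done rather than as a safe branch.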

Page 29

Defenses

Three general means of mitigating attack risk:
- Reducing asset value to attacker
- Mitigating specific vulnerabilities: software patches, defensive coding
- Neutralizing or preventing attacks: access control mechanisms; distinguish between trusted & untrusted users

Page 30

Security

- Security is a process, not a product
- Weakest link in the process
- Examples of threat modeling in Secrets & Lies, chapter 19

Page 31

Security Awareness

People are often the weakest link

Benefits:
- Awareness of the need to protect the system
- Skill & knowledge improvement
- More in-depth knowledge

Be careful of over-training:
- Constant barrage == ignored
- Too much knowledge of how the system works

Page 32

References

Cohen, Fred. “A Preliminary Classification Scheme for Information Security Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on that Model.” Sandia National Laboratories, Sept 1998 (www.all.net/journal/ntb/cause-and-effect.html)

Bauer, Michael E. “Building Secure Servers with Linux.” O’Reilly, 2003