Topics to be covered
- Change control
- Data classification
- Employment policies & practices
- InfoSec policies
- Risk management
- Roles and responsibilities
- Security awareness training
- Security management planning
Change control & management
Why is change control & change management a security issue?
- Many businesses live or die on data integrity
- Changes can break a security model
- Modifying a system breaks its warranty
- A Gartner Group analyst recently stated that a rogue Y2K programmer can cause $1B in potential losses
- Needed since the change requester does not understand the security implications of their request
- The security administrator must carefully analyze and assess the impact to the system

Change control & management
Tools:
- Checksums
- Digital signatures
- Tripwire
Effective change control can uncover:
- Cases of policy violation by staff, where programs are installed or changed without following the proper notification procedures
- Possible hardware failure leading to data corruption
- Viruses, worms, malicious code

Change control & management
For change control & management to work, you must have:
- Golden copies of the software, for comparison use or database generation
- A secure infrastructure. Software must be securely stored on physically protected media. If an intruder can get root and change the golden copies, then the change control tools will be ineffective.
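The checksum comparison that tools such as Tripwire perform against a golden copy, as an added example (not from the slides): a manifest of SHA-256 digests is taken when the software is approved, and a later pass reports modified, added and removed files. The directory tree and file contents are constructed in a temporary directory so the example runs offline.

```python
# Added example (not from the slides): compare the current state of a
# software tree against a "golden copy" manifest of SHA-256 checksums, the
# way a change-control tool such as Tripwire flags unapproved changes.
# The files below are constructed in a temp directory so the example runs offline.
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Golden-copy manifest: relative POSIX path -> digest for every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest

def compare_to_golden(golden, current):
    """Report files that changed, appeared or vanished since the golden copy."""
    modified = sorted(p for p in golden if p in current and golden[p] != current[p])
    added = sorted(set(current) - set(golden))
    removed = sorted(set(golden) - set(current))
    return {"modified": modified, "added": added, "removed": removed}

def demo():
    """Constructed scenario: baseline, then a changed binary, a new file and a deleted file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"approved login binary")
        with open(os.path.join(root, "fw.rules"), "wb") as f:
            f.write(b"allow 443\n")
        golden = build_manifest(root)            # taken when the software was approved
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"binary changed without approval")
        with open(os.path.join(root, "extra.so"), "wb") as f:
            f.write(b"library installed without notification")
        os.remove(os.path.join(root, "fw.rules"))  # rulebase file deleted
        return compare_to_golden(golden, build_manifest(root))
```

The manifest itself must live on protected media, as the slide says: an intruder with root who can rewrite the golden digests defeats the comparison.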
Change control & management
- Hardware: disks, peripherals
- Device drivers
- BIOS
- Application and operating system software
- Upgrades
- Service packs, patches, fixes
- Changes to the firewall rulebase/proxies
- NLMs
- Router software

Change control & management
Policies, procedures and processes:
- Develop policies that will stabilize the production processing environment by controlling all changes made to it
- Formal change control processes will help to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner
- Promptly implement security patches, command scripts & similar from vendors, CERT, CIAC, etc.
- Have procedures for roll-back to prior versions in case of problems; AKA, don't burn your software bridges
Data classification
- Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured
- The DoD multi-level security policy has 4 classifications: Top Secret, Secret, Confidential, Unclassified
- Other levels in use are: Eyes only, Officers only, Company confidential, Public

Data classification benefits
- Data confidentiality, integrity & availability are improved since appropriate controls are used throughout the enterprise
- Protection mechanisms are maximized
- A process exists to review the values of company business data
- Decision quality is increased since the quality of the data upon which the decision is being made has been improved

Data classification
- Top Secret - applies to the most sensitive business information, which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners and/or its customers
- Secret - applies to less sensitive business information, which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners and/or its customers
- Confidential - applies to personal information, which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees
- Unclassified - applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn't expected to seriously or adversely impact the company

MAC data classification
- In MAC systems, every subject and object in a system has a sensitivity label and a set of categories: classification [category]
  - Top Secret [CEO, CFO, Board Members]
  - Confidential [Internal employees, auditors]
- The function of categories is that even someone with the highest classification isn't automatically cleared to see all information at that level. This supports the concept of need to know
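The label comparison behind the slide above, as an added example (not from the slides): a subject's label must dominate the object's, meaning its classification is at least as high and it holds every category on the object, so a Top Secret clearance without the right categories still fails the need-to-know test. It goes slightly beyond the slide by also showing the standard Bell-LaPadula "no write down" rule; the labels use the slide's categories and are constructed.

```python
# Added example (not from the slides): the dominance rule behind MAC labels.
# A subject may read an object only if the subject's classification is at
# least the object's AND the subject holds every category on the object,
# so the highest clearance alone does not grant access (need to know).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

class Label:
    def __init__(self, classification, categories=()):
        if classification not in LEVELS:
            raise ValueError(f"unknown classification: {classification}")
        self.classification = classification
        self.categories = frozenset(categories)

    def dominates(self, other):
        """True if this label is at least as high and covers all of other's categories."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and other.categories <= self.categories)

def can_read(subject, obj):
    """Simple security property (no read up): subject's label must dominate the object's."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """Star property (no write down): object's label must dominate the subject's."""
    return obj.dominates(subject)

# Constructed labels using the slide's categories
board_report = Label("Top Secret", ["CEO", "CFO", "Board Members"])
audit_memo = Label("Confidential", ["Internal employees", "auditors"])
cfo = Label("Top Secret", ["CFO", "Internal employees", "auditors"])
auditor = Label("Confidential", ["Internal employees", "auditors"])
```

The CFO holds Top Secret yet cannot read the board report, because the CEO and Board Members categories are missing from the clearance; that is the need-to-know effect the slide describes.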
Misc. data classification issues
- In a commercial setting, responsibility for assigning data classification labels lies with the person who created or updated the information
- With the exception of general business correspondence, all externally-provided information which is not public in nature must have a data classification label
- All tape reels, floppy disks and other computer storage media containing secret, confidential or private information must be externally labeled with the appropriate sensitivity classification
- Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons

Data classification roles & responsibilities
- Information owner
- Information custodian
- Application owner
- User manager
- Security administrator
- Security analyst
- Change control analyst
- Data analyst
- Solution provider
- End user
Employment policies & practices
Background checks/security clearances
- Checking public records provides critical information needed to make the best hiring decision
- Conducting these often simple checks verifies that the information provided on the application is current and true, and gives the employer an immediate measurement of an applicant's integrity

Background checks
What a background check can potentially prevent:
- Lawsuits from terminated employees
- Lawsuits from 3rd parties or customers for negligent hiring
- Unqualified employees
- Lost business and profits
- Time wasted recruiting, hiring and training
- Theft, embezzlement or property damage
- Money lost (to recruiters' fees, signing bonuses)
- Negligent hiring lawsuits
- Decrease in employee morale
- Workplace violence or sexual harassment suits

Background checks
Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:
- Firewall administration
- E-commerce management
- Kerberos administration
- SecurID & password usage
- PKI and certificate management
- Router administration

Background checks
What can be checked for an applicant:
- Credit report
- SSN searches
- Workers' compensation reports
- Criminal records
- Motor vehicle report
- Education verification & credential confirmation
- Reference checks
- Prior employer verification

Military security clearance
- Among the most meticulous background checks are those requiring a DoD security clearance. After reviewing the 30-page Defense Industrial Personnel Security Clearance Review, one will get a new understanding of painstaking review.
- A defense security clearance is generally only requested for individuals in the following categories whose employment involves access to sensitive government assets:
  - Members of the military
  - Civilian employees working for the Department of Defense or other government agencies
  - Employees of government contractors

Military security clearance
A DoD review, more correctly known as a personnel security investigation, comprises the following:
- A search of investigative files and other records held by federal agencies, including the FBI and, if appropriate, overseas countries
- A financial check
- Field interviews of references (in writing, by telephone or in person), including coworkers, employers, personal friends, educators, neighbors and other individuals, as appropriate
- A personal interview with the applicant conducted by an investigator

Employment agreement
- Non-compete
- Non-disclosure
- Restrictions on dissemination of corporate information, i.e., to the press, analysts, law enforcement

Hiring & termination
Policies and procedures should come down from HR. They should address:
- How to handle an employee's departure
- Shutting down accounts
- Forwarding and voicemail
- Lock and combination changes
- System password changes
Separation of duties
- The principle of separation of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of making such inappropriate use
- No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work

Separation of duties
Separate:
- Development/production
- Security/audit
- Accounts payable/accounts receivable
- Encryption key management/changing of keys
Split knowledge:
- Encryption keys are separated into two components, each of which does not reveal the other
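Split knowledge for an encryption key, as an added example (not from the slides): the key is XORed with random material so that each custodian's component is statistically independent of the key and all components must be presented together to recover it. It generalizes the slide's two-component case to any number of custodians; the key bytes are constructed.

```python
# Added example (not from the slides): "split knowledge" for an encryption key.
# The key is split with one-time-pad style XOR: all but the last component are
# random, and the last is the key XORed with all of them. Any subset that is
# missing even one component is uniformly random, so no single custodian
# (and no colluding minority) learns anything about the key.
import secrets

def xor_bytes(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def split_key(key, parts=2):
    """Return `parts` components of len(key) bytes; all are needed to rebuild the key."""
    if parts < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = bytes(key)
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components

def combine_components(components):
    """Reassemble the key; every custodian's component must be present (dual control)."""
    if not components or any(len(c) != len(components[0]) for c in components):
        raise ValueError("components must be non-empty and the same length")
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key

def demo_roundtrip():
    """Constructed 256-bit key split between two custodians and recombined."""
    key = secrets.token_bytes(32)
    a, b = split_key(key)
    return (combine_components([a, b]) == key,   # both present: key recovered
            a != key and b != key)               # neither component is the key
```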
Information security policies
- Policy is perhaps the most crucial element in a corporate information security infrastructure
- Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do"
- Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults

Information security policies
Benefits:
- Ensure systems are used in the manner intended
- Ensure users understand their roles & responsibilities
- Control legal liability

Information security policies
Components of an effective policy:
- Title
- Purpose
- Authorizing individual
- Author/sponsor
- Reference to other policies
- Scope
- Measurement expectations
- Exception process
- Accountability
- Effective/expiration dates
- Definitions

Information security policies
How to ensure that policies are understood:
- Jargon-free/non-technical language. Rather than "when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes", use "passwords that are guessable should not be used".
- Focused
- Job position independent
- No procedures, techniques or methods. Policy is the approach; the specific details & implementations should be in another document
- Responsibility for adherence. Users must understand the magnitude & significance of the policy. "I thought this policy didn't apply to me" should never be heard.

Information security policies
How should policies be disseminated?
- New hires should get hard copies at orientation
- Rehires should go through orientation
- Hard copies
- Web/corporate intranet
- Brochures
- Videos
- Posters/voicemail
Risk management
- Security risks start the moment the power is turned on. The only way to deal with those security risks is via risk management
- Risks can be identified & reduced, but never eliminated
- No matter how secure you make a system, it can always be broken into given sufficient resources, time, motivation and money
- People are usually cheaper & easier to compromise than advanced technological safeguards

Qualitative and quantitative
- There are two different risk management metrics: qualitative and quantitative
- Quantitative (or quasi-subjective) risk management attempts to establish and maintain an independent set of risk metrics & statistics
- Qualitative

Qualitative vs. quantitative
Qualitative - Pros
- Calculations are simple and readily understood and executed
- Not necessary to determine quantitative threat frequency & impact data
- Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit
- A general indication of significant areas of risk that should be addressed is provided
Qualitative - Cons
- Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed.
- No effort is made to develop an objective monetary basis for the value of targeted information assets
- No basis is provided for cost/benefit analysis of risk mitigation measures; only a subjective indication of a problem
- It is not possible to track risk management performance objectively when all measures are subjective

Qualitative vs. quantitative
Quantitative - Pros
- Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported
- The value of information (availability, confidentiality & integrity), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood.
- A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported
Quantitative - Cons
- Calculations are complex. If they are not understood or effectively explained, management may mistrust the results of black-box testing
- A substantial amount of information about the target information & its IT environment must be gathered
- There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools or perform the research.

Risk management nomenclature
- Annualized loss expectancy (ALE): single loss expectancy x annualized rate of occurrence = ALE
- Annualized rate of occurrence (ARO): on an annualized basis, the frequency with which a threat is expected to occur
- Exposure factor: a measure of the magnitude of loss or impact on the value of an asset
- Probability: chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur
- Threat: an event, the occurrence of which could have an undesired impact
- Safeguard: a risk-reducing measure that acts to detect, prevent or minimize loss associated with the occurrence of a specified threat or category of threats
- Vulnerability: the absence or weakness of a risk-reducing safeguard

Risk assessment
- Since you can't protect yourself if you do not know what you are protecting against, a risk assessment must be performed
- A risk assessment answers 3 fundamental questions:
  - Identify assets - What am I trying to protect?
  - Identify threats - What do I need to protect against?
  - Calculate risks - How much time, effort & money am I willing to expend to obtain adequate protection?
- After risks are determined, you can then develop the policies & procedures needed to reduce the risks
Identifying threats
- Earthquake, flood, hurricane, lightning
- Structural failure, asbestos
- Utility loss, i.e., water, power, telecommunications
- Theft of hardware, software, data
- Terrorists, both political and information
- Software bugs, viruses, malicious code, SPAM, mail bombs
- Strikes, labor & union problems
- Hackers, internal/external
- Inflammatory usenet, Internet & web postings
- Employee illness, death
- Outbreak, epidemic, pandemic

Calculating (quantifying) risks
- This is the hard part. Insurance & historical records may help, but your actuary is your best friend.
- How much damage did Kevin Mitnick do? Estimates range from $500,000 to $120,000,000
- Review the risks
  - Lists should be regularly updated
  - Small changes in operations or corporate structure can have significant risk implications
  - Changes such as location, vendor, M&A, etc., must be included in the risk factor

Cost/benefit analysis
- Cost of a loss: often hard to determine accurately
- Cost of prevention: long term/short term
- Adding up the numbers: the output is an Excel spreadsheet listing assets, risks & possible losses. For each loss, know its probability, predicted loss & the amount of money needed to defend against the loss
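The ALE arithmetic from the nomenclature slide carried through to the cost/benefit decision on a safeguard, and the asset/risk/loss ranking the spreadsheet slide describes, as one added example (not from the slides). Asset values, exposure factors, frequencies and the control's annual cost are constructed figures.

```python
# Added example (not from the slides): ALE and safeguard cost/benefit.
#   SLE = asset value x exposure factor
#   ALE = SLE x ARO
#   safeguard value = ALE(before) - ALE(after) - annual safeguard cost
# All monetary and frequency figures below are constructed for illustration.

def single_loss_expectancy(asset_value, exposure_factor):
    """Loss from one occurrence; the exposure factor is the fraction of value lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle, aro):
    """Expected loss per year: single loss x annualized rate of occurrence."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

def safeguard_value(ale_before, ale_after, annual_cost):
    """Positive means the safeguard pays for itself on expected-loss grounds."""
    return ale_before - ale_after - annual_cost

def evaluate(asset_value, exposure_factor, aro, residual_aro, annual_cost):
    """Full worked chain for one asset and one candidate safeguard."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    before = annualized_loss_expectancy(sle, aro)
    after = annualized_loss_expectancy(sle, residual_aro)
    return {"sle": sle, "ale_before": before, "ale_after": after,
            "value": safeguard_value(before, after, annual_cost)}

def rank_by_ale(rows):
    """rows of (asset, value, exposure factor, ARO) -> (asset, ALE) sorted highest first,
    the ordering a risk spreadsheet would use to decide what to defend first."""
    scored = [(asset, annualized_loss_expectancy(single_loss_expectancy(v, ef), aro))
              for asset, v, ef, aro in rows]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed scenario: a customer database worth $2,000,000; a breach destroys
# 25% of its value; one incident expected every 4 years (ARO 0.25). A control
# costing $60,000/yr cuts the frequency to once in 20 years (ARO 0.05).
SCENARIO = evaluate(2_000_000, 0.25, 0.25, 0.05, 60_000)
```

In the constructed scenario the control reduces ALE from $125,000 to $25,000 for $60,000 a year, a net $40,000 in its favour; a negative value would argue for accepting or transferring the risk instead.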
Security awareness
- Must be driven from the top down
- Must be comprehensive, all the way down to the floppy & hard copies
- Education: hard copies, web-based, training & education

Security management planning
- But most importantly, to be successful in selling security you must know your company's or client's business
- Know what is important
- Each industry has differing priorities

Security management planning
Identify costs:
- Initial investment
- Ongoing costs
Identify benefits:
- Help desk reduction
- Common data locations
- Reduced remote access costs
- Improved business partner access
- Enhanced public perception
- Ernst & Young Cyberprocess Certification

Security management planning
Identify potential losses if security is not properly implemented:
- Trade secrets
- Confidential information
- Personal
- Adverse publicity
- Viruses, worms, malicious Java and ActiveX applications
- Denial of service
- Hard drive reformats, router reconfigurations
- M&A
- Financials
- Hacked web pages
- Breach of Human Resources information

Security management planning
Management procrastination
Four primary reasons why the decision maker typically procrastinates in deciding whether to allocate funds or commence the initiative:
- Unable to understand or quantify security threats and technical vulnerabilities. This results in buying-decision paralysis.
- Unable to measure (through quantitative or qualitative analysis) the severity and probability of risk.
- Begins the analysis with a preconceived notion that the cost of controls will be excessive or that the security technology does not exist.
- Believes that the security solution will interfere with the performance or appearance of the business product.