
1 Chapter 8 – Administering Security
- Security Planning
- Risk Analysis
- Security Policies
- Physical Security

2 Security Planning
- Policy
- Current state – risk analysis
- Requirements
- Recommended controls
- Accountability
- Timetable
- Continuing attention

3 Security Planning - Policy
- Who should be allowed access?
- To what system and organizational resources should access be allowed?
- What types of access should each user be allowed for each resource?

4 Security Planning - Policy
- What are the organization’s goals on security?
- Where does the responsibility for security lie?
- What is the organization’s commitment to security?

5 OCTAVE Methodology http://www.cert.org/octave/
- Identify enterprise knowledge.
- Identify operational area knowledge.
- Identify staff knowledge.
- Establish security requirements.
- Map high-priority information assets to information infrastructure.
- Perform an infrastructure vulnerability evaluation.
- Conduct a multidimensional risk analysis.
- Develop a protection strategy.

6 Security Planning – Requirements of the TCSEC
- Security Policy – there must be an explicit and well-defined security policy enforced by the system.
- Every subject must be uniquely and convincingly identified.
- Every object must be associated with a label that indicates its security level.
- The system must maintain complete, secure records of actions that affect security.
- The computing system must contain mechanisms that enforce security.
- The mechanisms that implement security must be protected against unauthorized change.

7 Security Planning Team Members
- Computer hardware group
- System administrators
- Systems programmers
- Application programmers
- Data entry personnel
- Physical security personnel
- Representative users

8 Security Planning
- Assuring Commitment to a Security Plan
- Business Continuity Plans
  - Assess Business Impact
  - Develop Strategy
  - Develop Plan
- Incident Response Plans
  - Advance Planning
  - Response Team
  - After the Incident is Resolved

9 Risk Analysis
- Risk impact – loss associated with an event
- Risk probability – likelihood that the event will occur
- Risk control – degree to which we can change the outcome
- Risk exposure – risk impact * risk probability

10 Risk Analysis – risk reduction
- Avoid the risk
- Transfer the risk
- Assume the risk
- Risk leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / cost of risk reduction
- Cannot guarantee systems are risk free
- Security plans must address the action needed should an unexpected risk become a problem

11 Steps of a Risk Analysis
- Identify assets
- Determine vulnerabilities
- Estimate likelihood of exploitation
- Compute expected annual loss
- Survey applicable controls and their costs
- Project annual savings of control

12 Identify Assets
- Hardware
- Software
- Data
- People
- Procedures (policies, training)
- Documentation
- Supplies
- Infrastructure (building, power, water, …)

13 Determine Vulnerabilities (worksheet: one cell per asset and security property)

Asset      | Confidentiality | Integrity | Availability
-----------|-----------------|-----------|-------------
Hardware   |                 |           |
Software   |                 |           |
Data       |                 |           |
People     |                 |           |
Procedures |                 |           |

14
- What are the effects of unintentional errors?
- What are the effects of willfully malicious insiders?
- What are the effects of outsiders?
- What are the effects of natural and physical disasters?

15 Risk Analysis
- Estimate Likelihood of Exploitation
  - Classical probability
  - Frequency probability (simulation)
  - Subjective probability (Delphi approach)
- Compute Expected Loss (look for hidden costs)
  - Legal obligations
  - Side effects
  - Psychological effects

16 Risk Analysis
- Survey and Select New Controls
  - What Criteria Are Used for Selecting Controls?
  - Vulnerability Assessment and Mitigation (VAM) Methodology
  - How Do Controls Affect What They Control?
  - Which Controls Are Best?
- Project Savings
  - Do costs outweigh benefits of preventing / mitigating risks?
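Slides 9, 10, 11 and 16 give the formulas (risk exposure, expected annual loss, risk leverage, project savings) without worked figures. The following is an added example, not part of the lecture or its textbook: it applies those formulas to constructed numbers for a hypothetical file server, so that risk leverage becomes the rule for deciding which controls pay for themselves.

```python
# Added example (not from the slides): the risk-analysis arithmetic of
# slides 9-11 and 16 on constructed figures, showing how risk leverage
# turns "project savings" into a rule for selecting controls.
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    impact: float       # risk impact: loss if the event occurs (dollars)
    probability: float  # risk probability: expected occurrences per year

    def exposure(self) -> float:
        """Risk exposure = risk impact * risk probability (slide 9)."""
        return self.impact * self.probability

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reduction: dict     # threat name -> fraction of its exposure removed

def expected_annual_loss(threats, control=None) -> float:
    """Expected annual loss (slide 11), optionally with one control applied."""
    cuts = control.reduction if control else {}
    return sum(t.exposure() * (1.0 - cuts.get(t.name, 0.0)) for t in threats)

def risk_leverage(threats, control) -> float:
    """Risk leverage (slide 10) = (exposure before - exposure after) / cost."""
    saved = expected_annual_loss(threats) - expected_annual_loss(threats, control)
    return saved / control.annual_cost

def select_controls(threats, controls):
    """Project savings (slide 16): a control is worth buying only when its
    annual savings exceed its annual cost, i.e. leverage > 1; best first."""
    scored = [(c.name, risk_leverage(threats, c)) for c in controls]
    return sorted([p for p in scored if p[1] > 1.0], key=lambda p: -p[1])

# Constructed sample figures for one hypothetical file server (not real data).
THREATS = [
    Threat("ransomware", impact=200_000, probability=0.10),   # 20,000/yr
    Threat("disk failure", impact=50_000, probability=0.20),  # 10,000/yr
    Threat("flood", impact=500_000, probability=0.01),        #  5,000/yr
]
CONTROLS = [
    Control("offsite nightly backups", 6_000,
            {"ransomware": 0.75, "disk failure": 0.9, "flood": 0.8}),
    Control("server-room flood barrier", 12_000, {"flood": 0.9}),  # leverage < 1
    Control("UPS and surge suppressors", 2_500, {"disk failure": 0.3}),
]
```

With these figures the expected annual loss is 35,000 before any control; the flood barrier saves 4,500 a year against a 12,000 cost (leverage 0.375) and is dropped, while backups (leverage about 4.67) and the UPS (leverage 1.2) are kept.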

17 Arguments for Risk Analysis
- Improve awareness
- Relate security mission to management objectives
- Identify assets, vulnerabilities, and controls
- Improve basis for decisions
- Justify expenditures for security

18 Arguments against Risk Analysis
- False sense of precision and confidence
- Hard to perform
- Immutability (filed and forgotten)
- Lack of accuracy
- “Today’s complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.”
  Robert Graham, lead architect of Internet Security Systems

19 Organizational Security Policies
- Who can access which resources in what manner?
- Security policy – high-level management document that informs all users of the goals and constraints on using a system.

20 Security Policies – Purpose
- Recognize sensitive information assets
- Clarify security responsibilities
- Promote awareness for existing employees
- Guide new employees

21 Security Policies – Audience
- Users
- Owners
- Beneficiaries
- Balance Among All Parties

22 Contents
- Purpose
- Protected Resources (what – asset list)
- Nature of the Protection (who and how)

23 Characteristics of a Good Security Policy
- Coverage (comprehensive)
- Durability
- Realism
- Usefulness
- Examples

24 Physical Security
- Natural Disasters
  - Flood
  - Fire
  - Other
- Power Loss
  - UPS; surge suppressors (line conditioners)
- Human Vandals
  - Unauthorized Access and Use
  - Theft

25 Physical Security
- Interception of Sensitive Information
  - Dumpster Diving – Shredding
  - Remanence (slack bits)
    - Overwriting Magnetic Data – DiskWipe
    - Degaussing
  - Emanation – Tempest

26 Contingency Planning
- BACKUP!!!!!
  - Complete backup
  - Revolving backup
  - Selective backup
- OFFSITE BACKUP!!!!!
- Networked Storage (SAN)
- Cold site (shell)
- Hot site

