Slide 2: Security Planning
- Policy
- Current state (risk analysis)
- Requirements
- Recommended controls
- Accountability
- Timetable
- Continuing attention
Slide 3: Security Planning - Policy
- Who should be allowed access?
- To what system and organizational resources should access be allowed?
- What types of access should each user be allowed for each resource?
Slide 4: Security Planning - Policy
- What are the organization's goals on security?
- Where does the responsibility for security lie?
- What is the organization's commitment to security?
Slide 5: OCTAVE Methodology (http://www.cert.org/octave/)
- Identify enterprise knowledge.
- Identify operational area knowledge.
- Identify staff knowledge.
- Establish security requirements.
- Map high-priority information assets to the information infrastructure.
- Perform an infrastructure vulnerability evaluation.
- Conduct a multidimensional risk analysis.
- Develop a protection strategy.
Slide 6: Security Planning – Requirements of the TCSEC
- Security policy: there must be an explicit and well-defined security policy enforced by the system.
- Every subject must be uniquely and convincingly identified.
- Every object must be associated with a label that indicates its security level.
- The system must maintain complete, secure records of actions that affect security.
- The computing system must contain mechanisms that enforce security.
- The mechanisms that implement security must be protected against unauthorized change.
Slide 7: Security Planning Team Members
- Computer hardware group
- System administrators
- Systems programmers
- Application programmers
- Data entry personnel
- Physical security personnel
- Representative users
Slide 8: Security Planning – Assuring Commitment to a Security Plan
- Business continuity plans
  - Assess business impact
  - Develop strategy
  - Develop plan
- Incident response plans
  - Advance planning
  - Response team
  - After the incident is resolved
Slide 9: Risk Analysis
- Risk impact: the loss associated with an event
- Risk probability: the likelihood that the event will occur
- Risk control: the degree to which we can change the outcome
- Risk exposure = risk impact * risk probability
Slide 10: Risk Analysis – Risk Reduction
- Avoid the risk
- Transfer the risk
- Assume the risk
- Risk leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / (cost of risk reduction)
- Cannot guarantee that systems are risk free
- Security plans must address the action needed should an unexpected risk become a problem
Slide 11: Steps of a Risk Analysis
1. Identify assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
4. Compute expected annual loss
5. Survey applicable controls and their costs
6. Project annual savings of each control
Slide 12: Identify Assets
- Hardware
- Software
- Data
- People
- Procedures (policies, training)
- Documentation
- Supplies
- Infrastructure (building, power, water, …)
Slide 14: Determine Vulnerabilities
- What are the effects of unintentional errors?
- What are the effects of willfully malicious insiders?
- What are the effects of outsiders?
- What are the effects of natural and physical disasters?
Slide 15: Risk Analysis – Estimate Likelihood of Exploitation
- Classical probability
- Frequency probability (simulation)
- Subjective probability (Delphi approach)
Compute expected loss (look for hidden costs):
- Legal obligations
- Side effects
- Psychological effects
Slide 16: Risk Analysis – Survey and Select New Controls; Project Savings
- What criteria are used for selecting controls?
- Vulnerability Assessment and Mitigation (VAM) methodology
- How do controls affect what they control?
- Which controls are best?
Project savings:
- Do the costs outweigh the benefits of preventing or mitigating the risks?
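The risk-analysis steps on slides 9 through 16 reduce to a few formulas (risk exposure, risk leverage, projected savings) applied across an asset inventory. The following worked example is added here and is not from the original slides or from any named methodology; every asset, threat, loss figure, probability, control cost and residual-probability factor is a constructed sample value. It computes the expected annual loss of an inventory, scores each candidate control by leverage, and keeps only the controls whose projected annual savings are positive.

```python
"""Quantitative risk analysis: a worked example of the slide formulas.

Added example, not from the original slides. Every asset, threat, loss figure,
probability and control cost below is a constructed sample value.
  risk exposure  = risk impact * risk probability        (expected annual loss)
  risk leverage  = (exposure before - exposure after) / cost of the control
  annual savings = (exposure before - exposure after) - annual cost of the control
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: float        # loss per event, in currency units
    probability: float   # expected number of events per year

    def exposure(self) -> float:
        """Risk exposure = impact * probability."""
        return self.impact * self.probability


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # (asset, threat) -> fraction of the event probability that remains once the
    # control is in place (1.0 = no effect, 0.0 = threat fully eliminated)
    residual: dict


def exposure_after(risk: Risk, control: Control) -> float:
    """Exposure of one risk once the control has reduced its probability."""
    factor = control.residual.get((risk.asset, risk.threat), 1.0)
    return risk.impact * risk.probability * factor


def total_exposure(risks, control=None) -> float:
    """Expected annual loss over all risks, with or without one control."""
    if control is None:
        return sum(r.exposure() for r in risks)
    return sum(exposure_after(r, control) for r in risks)


def risk_leverage(risks, control: Control) -> float:
    """Risk leverage from slide 10; higher means more reduction per unit cost."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    reduction = total_exposure(risks) - total_exposure(risks, control)
    return reduction / control.annual_cost


def projected_annual_savings(risks, control: Control) -> float:
    """Reduction in expected annual loss minus what the control costs each year."""
    reduction = total_exposure(risks) - total_exposure(risks, control)
    return reduction - control.annual_cost


def select_controls(risks, controls):
    """Keep only controls that save more than they cost, best leverage first.

    Simplification (an assumption of this example): each control is evaluated
    on its own against the baseline, not in combination with the others.
    """
    worthwhile = [c for c in controls if projected_annual_savings(risks, c) > 0]
    return sorted(worthwhile, key=lambda c: risk_leverage(risks, c), reverse=True)


# Constructed sample inventory: asset/threat pairs from the "identify assets" and
# "determine vulnerabilities" steps, with estimated loss and annual likelihood.
RISKS = [
    Risk("customer database", "disk failure", impact=50_000, probability=0.10),
    Risk("customer database", "insider theft", impact=200_000, probability=0.02),
    Risk("web server", "power loss", impact=10_000, probability=0.50),
]

# Constructed candidate controls with their yearly cost and estimated effect.
CONTROLS = [
    Control("UPS and line conditioner", 1_200, {("web server", "power loss"): 0.1}),
    Control("offsite backup service", 3_000, {("customer database", "disk failure"): 0.2}),
    Control("biometric door locks", 6_000, {("customer database", "insider theft"): 0.5}),
]


if __name__ == "__main__":
    print(f"expected annual loss without controls: {total_exposure(RISKS):,.0f}")
    for c in CONTROLS:
        print(f"{c.name:26} leverage={risk_leverage(RISKS, c):5.2f} "
              f"savings={projected_annual_savings(RISKS, c):8,.0f}")
    print("selected:", [c.name for c in select_controls(RISKS, CONTROLS)])
```

With these sample figures the baseline expected annual loss is 14,000; the UPS has the highest leverage (3.75) and the offsite backup is also worth its cost, while the door locks cost more per year than the loss they avert and are not selected. The false-precision objection on slide 18 applies directly: the output is only as good as the estimated probabilities and residual factors, which is why the inputs are kept visible and easy to vary.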
Slide 17: Arguments for Risk Analysis
- Improve awareness
- Relate the security mission to management objectives
- Identify assets, vulnerabilities, and controls
- Improve the basis for decisions
- Justify expenditures for security
Slide 18: Arguments against Risk Analysis
- False sense of precision and confidence
- Hard to perform
- Immutability (filed and forgotten)
- Lack of accuracy

"Today's complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create."
– Robert Graham, lead architect of Internet Security Systems
Slide 19: Organizational Security Policies
- Who can access which resources in what manner?
- Security policy: a high-level management document that informs all users of the goals of, and the constraints on, using a system.
Slide 20: Security Policies – Purpose
- Recognize sensitive information assets
- Clarify security responsibilities
- Promote awareness among existing employees
- Guide new employees
Slide 21: Security Policies – Audience
- Users
- Owners
- Beneficiaries
- Balance among all parties
Slide 22: Contents
- Purpose
- Protected resources (what: the asset list)
- Nature of the protection (who and how)
Slide 23: Characteristics of a Good Security Policy
- Coverage (comprehensive)
- Durability
- Realism
- Usefulness
- Examples
Slide 24: Physical Security
- Natural disasters: flood, fire, other
- Power loss: UPS; surge suppressors (line conditioners)
- Human vandals: unauthorized access and use; theft
Slide 25: Physical Security – Interception of Sensitive Information
- Dumpster diving: shredding
- Remanence (slack bits): overwriting magnetic data, DiskWipe, degaussing
- Emanation: Tempest
Slide 26: Contingency Planning
- BACKUP!!!!! OFFSITE BACKUP!!!!!
- Complete backup
- Revolving backup
- Selective backup
- OFFSITE BACKUP!!!!!
- Networked storage (SAN)
- Cold site (shell)
- Hot site
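The slide names three backup styles without saying how they relate. The example below is added here and is not from the original slides or any backup product; it models all three on constructed sample files in a temporary directory: a complete backup copies everything, a selective backup copies only files whose SHA-256 digest changed since the last run (tracked in a manifest this example keeps beside the generations), and a revolving scheme discards old generations. The generation naming, the `.complete` marker file and the manifest file name are assumptions of this example. The rotation handles the failure mode that matters in practice: a selective generation is useless without the complete generation it was taken against, so the cut is moved back rather than orphaning generations that are meant to be kept.

```python
"""Contingency planning: complete, selective and revolving backups.

Added example, not from the original slides. Runs on constructed sample files
in a temporary directory:
  complete   - every file is copied into a new backup generation
  selective  - only files whose SHA-256 digest changed since the last backup
  revolving  - only the newest N generations are kept, except that a selective
               generation is never separated from the complete one it depends on
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MARKER = ".complete"   # assumed marker file: present in a complete-backup generation


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path) -> dict:
    """Relative path -> digest for every file below source."""
    return {p.relative_to(source).as_posix(): file_digest(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def generations(dest_root: Path) -> list:
    """Existing backup generations, oldest first (zero-padded names sort in order)."""
    return sorted(p for p in dest_root.glob("gen-*") if p.is_dir())


def backup(source: Path, dest_root: Path, selective: bool = False) -> list:
    """Write one new generation under dest_root and return the files copied."""
    dest_root.mkdir(parents=True, exist_ok=True)
    manifest = dest_root / "last_manifest.json"   # assumed file name for this example
    previous = json.loads(manifest.read_text()) if selective and manifest.exists() else {}
    gens = generations(dest_root)
    next_index = int(gens[-1].name.split("-")[1]) + 1 if gens else 1
    gen_dir = dest_root / f"gen-{next_index:04d}"
    gen_dir.mkdir()
    if not selective:
        (gen_dir / MARKER).touch()
    current = snapshot(source)
    copied = []
    for rel, digest in current.items():
        if selective and previous.get(rel) == digest:
            continue                                   # unchanged since last backup
        target = gen_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
        copied.append(rel)
    # Record what the newest generation reflects, so the next selective run
    # can tell changed files from unchanged ones.
    manifest.write_text(json.dumps(current, indent=2))
    return copied


def rotate(dest_root: Path, keep: int) -> list:
    """Revolving backup: drop old generations, keeping at least `keep` of them.

    A selective generation can only be restored together with the most recent
    complete generation before it, so the cut moves back to that generation
    instead of orphaning the selective ones we meant to keep.
    """
    if keep < 1:
        raise ValueError("keep at least one generation")
    gens = generations(dest_root)
    cut = max(0, len(gens) - keep)
    while cut > 0 and not (gens[cut] / MARKER).exists():
        cut -= 1
    removed = []
    for old in gens[:cut]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Run the three styles on constructed sample data and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "data", Path(tmp) / "backups"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "policy.txt").write_text("security policy, version 1\n")
        (src / "hosts.txt").write_text("server-a\nserver-b\n")
        result = {"complete": backup(src, dst)}                   # gen-0001
        (src / "hosts.txt").write_text("server-a\nserver-b\nserver-c\n")
        result["selective"] = backup(src, dst, selective=True)    # gen-0002: one file
        result["unchanged"] = backup(src, dst, selective=True)    # gen-0003: nothing
        # keep=2 would separate gen-0002/0003 from gen-0001, so nothing is removed
        result["blocked"] = rotate(dst, keep=2)
        backup(src, dst)                                          # gen-0004: complete
        result["removed"] = rotate(dst, keep=1)                   # gen-0001..0003 go
        result["remaining"] = [g.name for g in generations(dst)]
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
```

Run as a script, it shows the complete backup copying both files, the selective run copying only the changed `hosts.txt`, the first rotation refusing to remove anything, and the rotation after a fresh complete backup discarding all three older generations. The offsite and hot/cold-site items on the slide are about where `dest_root` lives, which this example leaves to the reader.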