Information Systems Security Computer System Life Cycle Security
Integrating security to computer system Security should not be an afterthought Security can be applied more systematically Security needs to be incorporated into all phases of the computer life cycle to ensure that security can keep up with change in the system’s environment, technology, procedures and personnel.
Computer System Life Cycle Initiation Development/Acquisition Implementation Operation/Maintenance Disposal Note: the SDLC is included in the Development/Acquisition phase
Initiation The discovery of the need for a new system or an enhancement to an existing system The system characteristics and functionality proposed within the given constraints The basic security aspects of the system are developed through a Sensitivity Assessment
Sensitivity Assessment What information is handled What potential damage could occur through error, unauthorized disclosure or modification, or unavailability of data or system What laws or regulations affect security To what threats is the system or information particularly vulnerable
Sensitivity Assessment Are there significant environmental considerations What are the security relevant characteristics of the user community What internal security standards, regulations, or guidelines apply to the system
Development/Acquisition Determine security features, assurances, and operational practices Incorporate the security requirements into the design specification Actually acquire them
Determining security requirements Technical (access controls) Assurances (background check for developers) Operating practices (awareness and training) Balance between function and usability Based on cost-benefit analysis
Taking security requirements into specifications The information on security requirements needs to be validated, updated and organized into detailed security protection requirements and specifications used by system developers and purchasers
Acquiring the system If the system is being built Monitor the development process for security problems Incorrect code Poor development tools Manipulation of code Malicious insiders Trojan horses
Acquiring the system If the system is bought Ensure security is part of contract documents Security analysis of proposed systems
Implementation Proper configuration of the system Security testing Security certification and accreditation
Some hints on installation Obtain software from a reputable vendor Verify the software Test on a test system before moving to the production system Read the installation documentation and see what happens Do a complete installation before customization Cleanse the test system before moving to the production system
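As an added illustration of the "Verify the software" step (example code, not part of the original slides), the following checks downloaded packages against a vendor-published sha256sum-style manifest before anything is installed on the test system; the file names, manifest and package contents are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip().lstrip("*")] = digest.lower()  # '*' = binary-mode marker
    return expected

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        ok = hmac.compare_digest(sha256_file(path), digest)  # any MISMATCH: do not install
        results[name] = "OK" if ok else "MISMATCH"
    return results

def demo():
    """Constructed data: one intact package, one tampered, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "app-1.0.tar.gz").write_bytes(b"release tarball contents")
        (Path(d) / "plugin-1.0.zip").write_bytes(b"tampered plugin contents")
        manifest = "\n".join([
            hashlib.sha256(b"release tarball contents").hexdigest() + "  app-1.0.tar.gz",
            hashlib.sha256(b"original plugin contents").hexdigest() + "  plugin-1.0.zip",
            "0" * 64 + "  docs-1.0.pdf",  # listed by the vendor, never downloaded
        ])
        return verify_download(manifest, d)
```

A hash manifest only proves the download matches what the vendor published; obtaining the manifest itself over a trusted channel (or checking its signature) is what ties it to the vendor.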
Operation and Maintenance Security operation and administration Operational assurance Periodic re-analysis of the system and re-accreditation Manage change
Security operation and administration Holding training classes Backup Manage cryptographic keys Administer user accounts and access privileges Apply upgrades and patches
Operational Assurance Monitoring Perform system audit
Periodic re-analysis Is there a major change in the system Environmental change System change New vulnerability found Time lapse
Disposal Information archived Media sanitized Overwriting Degaussing Destruction Can the software license be transferred
Configuration Management The control of changes that are made to the hardware, software, firmware, and the documentation of the information system throughout its life cycle, and the auditing and reporting of the changes. This can be looked upon as a quality assurance process.
Configuration Management To configuration items Identify and document the functional and physical characteristics of the configuration item Control changes to configuration items and their related documentation
Configuration Management Record and report information needed to manage configuration items effectively, including the status of proposed changes and the implementation status of approved changes Audit configuration items to verify conformance to specifications, drawings, interface control documents and other contract requirements.
Configuration Management To digital data files Uniquely identify the digital data files, including versions of the files and their status (e.g. working, released, submitted, approved) Record and report information needed to manage the data files effectively, including the status of updated versions of files
Configuration Management Things to consider How to initiate the change Who are the concerned parties What is the approval process How to phase in the changes What to do with the older versions What if a problem happens
Configuration Management Work required Revision control Installation and testing Fault tracing System integration Maintenance of development environment Periodic auditing
Penetration Testing To test a system by breaking in To identify methods of gaining access to a system by using common tools and techniques used by attackers The objective is to determine the feasibility of an attack and the business impact of a successful exploit, should one be found.
Penetration Testing The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures
Penetration Testing Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.
Penetration Testing To be used with careful consideration, notification and planning It might slow the organization’s network response time and in some extreme cases cause damage to the system Formal permission must be obtained from the organization and the rules of engagement established
Type of Test Blue teaming Test with the knowledge and consent of the organization’s IT staff Red teaming Test without the knowledge of the organization’s IT staff but full knowledge and permission of the upper management
Type of Test External test Testers are not provided with any real information about the target environment but have to collect it covertly Internal Test Testers are granted some level of access to the network, usually as a user