Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Systems Security Computer System Life Cycle Security.

Similar presentations

Presentation on theme: "Information Systems Security Computer System Life Cycle Security."— Presentation transcript:

1 Information Systems Security Computer System Life Cycle Security

2 Integrating security to computer system Security should not be an afterthought Security can be applied more systematically Security needs to be incorporated into all phases of the computer life cycle to ensure that security can keep up with change in the system’s environment, technology, procedures and personnel.

3 Computer System Life Cycle Initiation Development/Acquisition Implementation Operation/Maintenance Disposal Note: the SDLC is included in the Development/Acquisition phase


5 Initiation The discovery of the need for a new system or enhancement to an existing system The system characteristics and functionality proposed within the given constraints Basic security aspect of the system developed through Sensitivity Assessment

6 Sensitivity Assessment What information is handled What potential damage could occur through error, unauthorized disclosure or modification, or unavailability of data or system What laws or regulations affect security To what threats is the system or information particularly vulnerable

7 Sensitivity Assessment Are there significant environmental considerations What are the security relevant characteristics of the user community What internal security standards, regulations, or guidelines apply to the system

8 Development/Acquisition Determine security features, assurances, and operational practices Incorporating the security requirement into design specification Actually acquiring them

9 Determining security requirements Technical (access controls) Assurances (background check for developers) Operating practices (awareness and training) Balance between function and usability Based on cost-benefit analysis

10 Taking security requirements into specifications The information on security requirements needs to be validated, updated and organized into detailed security protection requirements and specifications used by system developers and purchasers

11 Acquiring the system If the system is being built Monitor the development process for security problems Incorrect code Poor development tools Manipulation of code Malicious insiders Trojan horses

12 Acquiring the system If the system is bought Ensure security is part of contract documents Security analysis of proposed systems

13 Implementation Proper configuration of the system Security testing Security certification and accreditation

14 Some hints on installation Obtain software from refutable vendor Verify the software Test on test system before moving to production system Read the installation and see what happens Do a complete installation before customization Cleanse the test system before moving to production system

15 Operation and Maintenance Security operation and administration Operational assurance Periodic re-analysis of the system and re- accreditation Manage change

16 Security operation and administration Holding training classes Backup Manage cryptographic keys Administer user accounts and access privileges Apply upgrade and patch

17 Operational Assurance Monitoring Perform system audit

18 Periodic re-analysis Is there a major change in the system Environmental change System change New vulnerability found Time lapse

19 Disposal Information archived Media sanitized Overwriting Degaussing Destruction Can license of software be transferred

20 Configuration Management The control of changes that are made to the hardware, software, firmware, and the documentation of the information system throughout its life cycle, and the auditing and reporting of the changes. This can be looked upon as a quality assurance process.

21 Configuration Management To configuration items Identify and document the functional and physical characteristics of the configuration item Control changes to configuration items and their related documentation

22 Configuration Management Record and report information needed to manage configuration items effectively, including the status of proposed changes and the implementation status of approved changes Audit configuration items to verify conformance to specifications, drawing, interface control documents and other contract requirements.

23 Configuration Management To digital data files Uniquely identify the digital data files, including versions of the files and their status (e.g. working, released, submitted, approved) Record and report information needed to manage the data files effectively, included the status of updated versions of files

24 Configuration Management Things to consider How to initiate the change Who are the concerned parties What is the approval process How to phase in the changes What to do with the older versions What if problem happens

25 Configuration Management Work required Revision control Installation and testing Fault tracing System integration Maintenance of development environment Periodic auditing

26 Penetration Testing To test a system by breaking in To identify methods of gaining access to a system by using common tools and techniques used by the attackers The objective is to determine feasibility of an attack, the amount of business impact of a successful exploit, if discovered.

27 Penetration Testing The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures

28 Penetration Testing Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

29 Penetration Testing To be used with careful consideration, notification and planning It might slow the organization’s network response time and in some extreme case cause damage to the system Formal permission must be obtained from the organization and the rule of engagement established

30 Type of Test Blue teaming Test with the knowledge and consent of the organization’s IT staff Red teaming Test without the knowledge of the organization’s IT staff but full knowledge and permission of the upper management

31 Type of Test External test Tester are not provided with any real information about the target environment but has to collect it covertly Internal Test Tester are granted some level of access to the network usually as a user

32 Testing methodology

33 The attack phases

34 Reference An Introduction to Computer Security: The NIST Handbook – Chapter 8 Mil-STD 973: Configuration Management Guideline on Network Security Testing – NIST publication 800-42

Download ppt "Information Systems Security Computer System Life Cycle Security."

Similar presentations

Ads by Google