Security Management Practices

General overview of good security management processes. Introduces topics used in several other sections

Overview

Basic Security Concepts Policies, Standards, Guidelines, &

Procedures Roles played in security management Security Awareness Risk Management Data & Information Classification

Concepts

C.I.A. - Confidentiality, Integrity, & Availability

Identification, Authentication, Accountability, Authorization, Privacy

Objective of Security Controls: reduce likelihood & impact of threats

Systems Security Lifecycle

1. Initiation2. Development/Acquisition3. Implementation4. Operation/maintenance5. Disposal

3 Primary Tenants of InfoSec

Confidentiality

Integrity Availability

Personnel Concepts Identification

Authentication

Accountability

Authorization

Privacy

System Concepts Assume external systems are insecure Examine the trade-offs (nothing is free) Use Layered Security (greater work factor) Minimize the system elements that are

“trusted” Isolate public accessed systems Authenticate both users & processes Use Unique Identities to ensure

accountability Implement least privilege

TOA: Trade-off Analysis Define the objective (in writing)

Identify alternatives (courses of action)

Compare alternatives

Realize that there are no perfectly secure systems in opperation

Security Controls

Objective: reduce vulnerabilities & minimize the effect of an attack Attack likelihood Attack cost Attack countermeasures

Deterrent controls Corrective Controls Detective Controls

Simple Threat Matrix

likelihood of an attack

impa

ct

0,0

A

B

C

Information Classification

Why classify data & information Concepts Classification Terms

Governmental Private Sector

Criteria Roles used in the classification

process

Roles… Owner

Who gets the blame level of classification, review of protection,

delegation to custodian, Custodian

Actual day-to-day, backups, verify backups, restoration, policy maintenance

User Operating procedures, user account

management, detecting unauthorized/Illicit activity

Termination

Implementation

1. Policy: 1. senior management (demonstration of

commitment 2. general organizational3. Policy: Functional

2. Implementation1. Standards -- Baselines2. Guidelines3. Procedures

Risk management

Risk can never be totally eliminated Primary purpose

1. Identification of risks2. Cost / benefit analysis

Benefits1. Creates clear cost-to-value2. Helps analysis process3. Helps design and creation

Terms

Asset Threat Vulnerability Safeguard Exposure

Factor (EF)

Single Loss Expectancy (SLE)

Annualized Rate of Occurrence (ARO)

Annualized Loss Expectancy (ALE)

Attacks Criminal

Fraud-prolific on the Internet Destructive, Intellectual Property Identity Theft, Brand Theft

Privacy: less and less available people do not own their own data Surveillance, Databases, Traffic Analysis Echelon, Carnivore

Publicity & Denial of Service Legal

Brief Risk Analysis Overview

Quantitative vs Qualitative Steps

Potential losses Potential threats

Asset valuation Safeguard selection Remedies

Risk Analysis

“The identification and evaluation of the most likely permutation of assets, known and anticipated vulnerabilities, and known and anticipated types of attackers.”

Assets

What are you trying to Protect Why is it being protected Risk for other systems on network Data

Tampering vs. Stealing Liability

Attackers

Categorize by Objective, Access, Resources, Expertise,

and Risk Hackers:

Galileo, Marie Curie Lone Criminals, Insiders, Espionage,

Press, Organized Crime, Terrorists

Motives

Business competitors Same motives as “real-life” criminals Financial motives

Credit cards The Cuckcoo’s Egg

Political motives Personal / psychological motives

Motives Honeypot “to learn tools tactics and motives of blackhat

community”

Script Kiddies Canned Exploits of Perl or Shell scripts Still major threat

Knowing motives helps predict attack Degrees of motivation

Automated tools Hardened systems vs Easy Kills

Steps in an Attack

1. Identify Target & collect Information2. Find vulnerability in target3. Gain appropriate access to target4. Perform the attack5. Complete attack, remove evidence,

ensure future access

After you get root

1. Remove traces of root compromise2. Gather information about system3. Make sure you can get back in4. Disable or patch vulnerability

Vulnerability Landscape

Physical World Laptops

Virtual World

Trust Model

System Life cycled

Vulnerabilities Only potential until someone figures out

how to exploit

Need to identify and address Those applicable & which must mitigated now Are likely to apply & must be planned against Seem unlikely and/or are easy to mitagate

Attack Trees (Bruce Schneier)

Visual Representation of attacks against any given target

Attack goal is root Attack subgoals are leaf nodes

For each leaf determine subgoals necessary to achieve

And cost to achieve penetration using different types of attackers

Attack Tree Example

Steal Customer Data

Obtain Backup Media Intercept eMail Hack into Server

Burfglarize Office(Cost $10,000)

Bribe Admin at ISP($5,000) Hack remote users home system

($1,000)

Hack SMTP Gateway($2000)

Defenses Three general means of mitigating

attack risk Reducing asset value to attacker Mitigating specific vulnerabilities

Software patches Defensive Coding

Neutralizing or preventing attacks Access control mechanisms Distinguish between trusted & untrusted

users

Security

Security is a process not a Product

Weakest link in the process

Examples of Threat Modeling in Secrets & Lies chapter 19

Security Awareness People are often the weakest link Benefits:

Awareness of need to protect the system Skill & knowledge improvement More in-depth knowledge

Be careful of over training Constant barrage == ignored Too much knowledge of how the system works

References Cohen, Fred “A Preliminary Classification

Scheme for Information Security Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on that Model.” Sandia National Laboratories, Sept 1998 (www.all.net/journal/ntb/cause-and-effect.html)

Bauer, Michael E. “Building Secure Servers with Linux.” O’Reilly, 2003