chapter 22 management issues. managing security project what to protect and how risk versus reward...
Post on 19-Dec-2015
Chapter 22
Management issues
Managing security project
What to protect and how
Risk versus reward
  Profit is the reward for risk
Risk management
  IT risks, fires, flood, legal, exchange rate, political ...
Organizational issues
You need to understand the ability, motivation and discipline of your guards, auditors, checkout staff ... any employees involved in your system
Interaction with reliability
  Quality versus security
Displacement activity
  Given an issue that cannot be solved easily, people attack and solve an easier one.
Risk dumping
Digital signatures
  Dump risk onto consumer
ATMs cannot be defrauded
  Dump risk onto consumer
Moral issues
  If you dump risk you really have no incentive to help correct fraud
  In fact you are disincentivized, in that you cannot admit that fraud can occur.
Methodology
Software Engineering
  Waterfall model (sequential)
  Iterative design
  2D life cycle models
  Automated regression testing
    Not as useful for the security engineer
    Tend to pop up in new features
Safety critical systems
It still worries me who wrote the code for ABS systems
Tend to follow waterfall model
  Identify hazards/risks
  Strategy to cope
  Trace risk to affected hardware/software
  Look at operating procedures
  Test systems
Fault tree analysis (page 501)
Failure modes and effects analysis (FMEA)
Other issues
You will never stop bears getting to campers' food if the brighter bears are smarter than the dumber campers
Fault masking
Requirements Evolution
Bug fixing
  Patch management
Control tuning
  Tune system in light of experience
Evolving environments
  Attacks that were not practical suddenly are
Organizational change
  Employee turnover
  Business process re-engineering
Building large system from scratch
Software engineering study
  Most often not understanding requirements
Why was Y2K not a crisis?
  Requirements were very clear
Must define requirements of security
Realize it will be iterative
Many eyes will help see problems (parallelizing the process)
Economic issues
Reality can be painful
  You must be creative
Security reflects who is paying for it
  Often driven more by capitalistic issues than rational ones
  Also often driven by legal risk
  And perceived risk
Articles
Download music lawsuits, have they continued? What was the real purpose?
Security requirements evolution article
Displacement activity article
List of resources
Threat tree analysis
http://www.microsoft.com/whdc/driver/security/threatmodel.mspx
http://www.isograph-software.com/atpover.htm
http://www.microsoft.com/downloads/details.aspx?FamilyID=62830F95-0E61-4F87-88A6-E7C663444AC1&displaylang=en
http://www.code-magazine.com/Article.aspx?quickid=0211091
List of resources
FMEA analysis
http://www.fmeainfocentre.com/
http://www.reliasoft.com/newsletter/3q2002/fmea.htm
http://main.isixsigma.com/forum/showmessage.asp?messageID=30127