Chapter 22 Management issues

Post on 19-Dec-2015


Page 1: Chapter 22 Management issues. Managing security project What to protect and how Risk versus reward Profit is the reward for risk Risk management IT risks,

Chapter 22

Management issues

Page 2:

Managing security project

What to protect and how

Risk versus reward
  Profit is the reward for risk

Risk management
  IT risks, fires, flood, legal, exchange rate, political...

Page 3:

Organizational issues

You need to understand the ability, motivation and discipline of your guards, auditors, checkout staff... any employees involved in your system

Interaction with reliability
  Quality versus security

Displacement activity
  Given an issue that cannot be solved easily, people attack and solve an easier one instead.

Page 4:

Risk dumping

Digital signatures: dump risk onto the consumer

"ATMs cannot be defrauded": dump risk onto the consumer

Moral issues: if you dump risk you really have no incentive to help correct fraud. In fact you have a disincentive, because you cannot admit that fraud can occur.

Page 5:

Methodology

Software engineering
  Waterfall model (sequential)
  Iterative design
  2D life cycle models
  Automated regression testing
    Not as useful for the security engineer; problems tend to pop up in new features

Page 6:

Safety critical systems

It still worries me who wrote the code for ABS systems

Tend to follow the waterfall model:
  Identify hazards/risks
  Strategy to cope
  Trace risk to affected hardware/software
  Look at operating procedures
  Test systems

Fault tree analysis (page 501)

Failure modes and effects analysis (FMEA)

Page 7:

Other issues

You will never stop bears getting to campers' food if the brightest bears are smarter than the dumbest campers

Fault masking

Page 8:

Requirements evolution

Bug fixing
  Patch management

Control tuning: tune the system in light of experience

Evolving environments: attacks that were not practical suddenly are

Organizational change
  Employee turnover
  Business process re-engineering

Page 9:

Building a large system from scratch

Software engineering study: the most common failure is not understanding requirements

Why was Y2K not a crisis? The requirements were very clear

Must define the security requirements

Realize it will be iterative

Many eyes will help see problems (parallelizing the process)

Page 10:

Economic issues

Reality can be painful; you must be creative

Security reflects who is paying for it
  Often driven more by capitalistic issues than rational ones
  Also often driven by legal risk and perceived risk

Page 11:

Articles

Download music lawsuits: have they continued? What was the real purpose?

Security requirements evolution article

Displacement activity article

Page 12:

List of resources

Threat tree analysis
  http://www.microsoft.com/whdc/driver/security/threatmodel.mspx
  http://www.isograph-software.com/atpover.htm
  http://www.microsoft.com/downloads/details.aspx?FamilyID=62830F95-0E61-4F87-88A6-E7C663444AC1&displaylang=en
  http://www.code-magazine.com/Article.aspx?quickid=0211091

Page 13:

List of resources

FMEA analysis
  http://www.fmeainfocentre.com/
  http://www.reliasoft.com/newsletter/3q2002/fmea.htm
  http://main.isixsigma.com/forum/showmessage.asp?messageID=30127