chapter 8 administering security. planning: prepare and study what will verify our implementation...


Upload: juniper-willis

Post on 27-Dec-2015


Page 1: Chapter 8 Administering Security. Planning: prepare and study what will verify our implementation meets security needs of today and tomorrow. Risk Analysis:

Chapter 8 Administering Security


Administering Security

Planning: prepare and study what will verify our implementation meets security needs of today and tomorrow.
Risk Analysis: cost/benefit analysis of controls.
Policy: establish a framework to verify security needs are met.
Physical Control: what aspects of the computing environment have an impact on security?


Security Planning

“The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable” (SANS).


Contents of Security Plan

Policy: the goal of computer security.
Current State: describe current status.
Requirements: how to meet goals; legal, etc.
Recommended Controls: map controls to vulnerabilities identified.
Accountability: who is responsible.
Timetable: due dates for tasks.
Continuous Attention: keep it up to date.


Table 8-1 The Six “Requirements” of the TCSEC

Security Policy: There must be an explicit and well-defined security policy enforced by the system.

Identification: Every subject must be uniquely and convincingly identified. Identification is necessary so that subject/object access can be checked.

Marking: Every object must be associated with a label that indicates its security level. The association must be done so that the label is available for comparison each time an access to the object is required.

Accountability: The system must maintain complete, secure records of actions that affect security. Such actions include introducing new users to the system, assigning or changing the security level of a subject or an object, and denying access attempts.

Assurance: The computing system must contain mechanisms that enforce security, and it must be possible to evaluate the effectiveness of these mechanisms.

Continuous protection: The mechanisms that implement security must be protected against unauthorized change.


Figure 8-1  Inputs to the Security Plan.


Do we protect everything?

Risk Assessment
Risk Categorization and Prioritization
Risk Mitigation
Resources Available
Planning
Implementation
Testing
Updates to plan



Risk Analysis


Risk Assessment

Organization: Date:

Threat Description | Probability (High / Medium / Low) | Impact (High / Medium / Low)

What are the risks?

What is the probability of occurring?

What is the impact if it happens?



Risk Analysis

Assets: what are we trying to protect?
Threats and Vulnerabilities: potential harmful occurrences (power loss, hackers, virus, earthquake).
  ◦ Vulnerability: a weakness that allows a threat to cause harm.
Risk = Threat * Vulnerability.
Risk = Threat * Vulnerability * Impact ($).


Risk Analysis Matrix

EVENT             Consequences
Likelihood        Insignificant   Minor   Moderate   Major   Catastrophic
Almost Certain    H               H       E          E       E
Likely            M               H       H          E       E
Possible          L               M       H          E       E
Unlikely          L               L       M          H       E
Rare              L               L       M          H       H

E - Extreme, H - High, M - Medium, L - Low


Risk Analysis Terms

Annualized Loss Expectancy (ALE):
  ◦ annual cost of a loss due to a risk. Help to mitigate risk.
Asset Value (AV): value of asset you are protecting.
Exposure Factor (EF): percentage of an asset's value lost due to an incident.
Single Loss Expectancy (SLE): cost of a single loss (AV x EF).
Annual Rate of Occurrence (ARO): number of losses per year.
Annualized Loss Expectancy: yearly cost due to a risk.
  ◦ SLE x ARO
Total Cost of Ownership (TCO): total cost of a mitigating safeguard.
Return On Investment (ROI): amount of $$$ saved by implementing a safeguard.
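
A worked version of the terms above, as an added example that is not part of the original slides: it computes SLE and ALE for one risk and picks the safeguard with the largest yearly savings, returning none when no safeguard pays for itself. The dollar figures and safeguard names are constructed; treating TCO as a yearly cost and a safeguard's effect as a lower EF or ARO are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    av: float   # Asset Value in dollars
    ef: float   # Exposure Factor: fraction of AV lost per incident (0..1)
    aro: float  # Annual Rate of Occurrence: expected incidents per year

    def __post_init__(self):
        if not 0.0 <= self.ef <= 1.0 or self.av < 0 or self.aro < 0:
            raise ValueError("need 0 <= EF <= 1, AV >= 0, ARO >= 0")

    @property
    def sle(self) -> float:   # Single Loss Expectancy = AV x EF
        return self.av * self.ef

    @property
    def ale(self) -> float:   # Annualized Loss Expectancy = SLE x ARO
        return self.sle * self.aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_tco: float  # assumption: TCO expressed per year
    ef_after: float    # assumption: the safeguard lowers EF and/or ARO
    aro_after: float

def annual_savings(risk: Risk, sg: Safeguard) -> float:
    """ALE before - ALE after - yearly cost of the safeguard."""
    residual = Risk(risk.name, risk.av, sg.ef_after, sg.aro_after)
    return risk.ale - residual.ale - sg.annual_tco

def best_safeguard(risk, candidates):
    """Return (safeguard, savings); (None, 0.0) if none pays for itself."""
    best, best_savings = None, 0.0
    for sg in candidates:
        savings = annual_savings(risk, sg)
        if savings > best_savings:
            best, best_savings = sg, savings
    return best, best_savings

# Constructed sample figures, for illustration only.
LAPTOP_THEFT = Risk("laptop theft", av=200_000, ef=0.25, aro=2)
CANDIDATES = [
    Safeguard("full-disk encryption", annual_tco=15_000, ef_after=0.05, aro_after=2),
    Safeguard("cable locks", annual_tco=2_000, ef_after=0.25, aro_after=1.5),
    Safeguard("guarded storage room", annual_tco=150_000, ef_after=0.25, aro_after=0.1),
]
```

With these figures the ALE is $100,000 per year; encryption leaves a residual ALE of $20,000 and costs $15,000, while the guarded room costs more than the loss it prevents.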


Risk Choices

Accept: if low likelihood and low impact.
Mitigate: lower risk to acceptable level.
Transfer: buy insurance.
Avoid it: drop the project.


Figure 8-2  Vulnerabilities Suggested by Attributes and Objects.


Figure 8-3  Vulnerabilities Enabling a Trojan Horse Attack.

Six attributes might enable a Trojan horse attack


Figure 8-4  Mapping Control Techniques to Vulnerabilities.
Example: Vulnerability E primarily controlled by Technique 2.


Figure 8-5  Matrix of Vulnerabilities and Controls.
Attributes leading to vulnerabilities on left, controls on top.


Figure 8-6  Valuation of Security Techniques.


Figure 8-7  Relevance of Certain Security Techniques to Roles and Attack Components.


Figure 8-8  Risk Calculation for Regression Testing.


Arguments For Risk Analysis

Improve Awareness
  ◦ Increase level of interest.
Relate Security Mission to Management Objectives
  ◦ Security costs money.
  ◦ Need people to understand security balances harm and the costs of controls.
Identify Assets, Vulnerabilities & Controls.


Arguments For Risk Analysis

Improve basis for decisions
  ◦ Risk analysis augments the manager’s judgment as a basis for the decision.
Justify Expenditures for Security
  ◦ Balance costs versus risks to identify the business case for a control.


Arguments Against Risk Analysis

False Sense of Precision and Confidence
  ◦ Uses empirical data to generate estimates of risk impact, risk probability and risk exposure.
Hard to Perform
  ◦ Assessment is subjective and time consuming.


Arguments Against Risk Analysis

Immutability
  ◦ Risk analysis is often quickly forgotten.
  ◦ Analysis must be a living document and not a one time event.
Lack of accuracy
  ◦ Hard to estimate risks.
  ◦ May be gaps due to our limited knowledge of the system.


Physical Security

Natural Disasters
  ◦ Earthquake, hurricane, flood, fire, storms, etc.
Environmental
  ◦ Electrical: brown/black outs, spikes, surges, sag, fault.
  ◦ HVAC, air conditioning, humidity controls.
  ◦ Electromagnetic Interference (EMI)
Theft
  ◦ Internal, external


Physical Security

Shredding: shred documents.
Overwrite magnetic media or shred it.
Degaussing: use magnetic field to destroy.
TEMPEST: protect against electromagnetic signal emission.
  ◦ Certify emission free
  ◦ Enclose device or modify emanations.


Business Continuity Plan (BCP)

Long Term Strategic Business Oriented Plan for Continued Operation.
BCP Goal
  ◦ Ensure that business continues to operate before, during and after a disaster
  ◦ Ensure critical services can be delivered in the wake of a disruption and after it is over.


Disaster Recovery Plan

Short term plan for dealing with specific IT oriented disruptions.
Tactical.
Mitigate the impact of a disaster.
  ◦ Recover critical IT systems.
Part of the Business Continuity Plan.


Contingency Planning

Redundant Site: exact production duplicate.
Hot Site:
  ◦ Fully configured site with all necessary hardware and critical applications.
Warm Site:
  ◦ Some aspects of hot site, rely on backup data to reconstitute systems after a disruption.
Cold Site (shell): alternative location.


Contingency Planning

Mobile Site: Datacenter in a box
Reciprocal Agreement
  ◦ Bi-directional agreement between two organizations to share space if a disaster occurs.
Backups
  ◦ Geographically distributed.
  ◦ Environmentally controlled.