Information Security Maintenance (Principles of Information Security, Chapter 12)
TRANSCRIPT
Information Security Maintenance
Principles of Information Security, Chapter 12
Topic Objectives
Discuss:
◦ The need for ongoing system maintenance
◦ Security management/maintenance models
◦ Monitoring the external and internal environment
◦ Planning and risk assessment
◦ Vulnerability assessment and remediation
◦ Readiness and review procedures
◦ Digital forensics
◦ Managing potential evidentiary material
Need for Ongoing Maintenance
Things change!
◦ business priorities
◦ business partnerships and organizational structure
◦ employee turnover
◦ assets
◦ threats
◦ vulnerabilities
Ongoing change within the organization and the technology environment must be addressed and integrated into the overall security plan.
System Management and Maintenance Models
ISO Network Management Model
◦ Focuses on methods to manage and operate systems
◦ Modified to support the requirements of information security programs
Security Maintenance Model
◦ Focuses on methods to maintain systems
Modified ISO Network Management Model
Structured approach to the administration and management of networks and systems
◦ Modified to support tasks in information security programs
1. Fault Management
2. Configuration and Change Management
3. Accounting and Auditing Management
4. Performance Management
5. Security Program Management
ISO Model - Fault Management
Traditional model
◦ technology focus
◦ process of identifying, tracking, diagnosing, and resolving faults in systems
Info Sec model
◦ includes people as well as technology, so it also covers nontechnical issues
◦ identifying faults and remediating them
  fault detection: vulnerability assessments, penetration testing
  fault correction: taking appropriate action to eliminate or mitigate faults
◦ monitoring and resolution of user complaints, which are possible indicators of faults, weaknesses, or intrusions
  Help Desk trouble tickets provide a mechanism for documenting, monitoring, and tracking problem resolution
  a knowledge base of common problems and solutions shortens the time to resolve repeat issues
ISO Model - Configuration and Change Management
Addresses both technical and nontechnical changes
◦ Nontechnical change management - maintenance of policies and procedures
Configuration Management
◦ Administration of the configuration of the components of the security program
Change Management
◦ Administration of changes in the strategy, operation, or components of the information security program
ISO Model - Technical Configuration and Change Management
Monitor and administer changes to the technical components of information systems
4 steps for configuration management
◦ Configuration identification: identify and document configuration items
◦ Configuration control: administer changes and revisions (by the developing organization)
◦ Configuration status accounting: track and record change implementations
◦ Configuration audit: audit the configuration management program
ISO Model - Accounting and Auditing Management
Chargeback accounting
◦ provides a mechanism for tracking the use of resources and charging internal departments for system use
  examples: CPU cycle time (rarely used), computing system resources, network architect and software engineer development time
  allows recovery of IT expenses from non-IT units
Accounting management
◦ involves monitoring the use of a particular component of a system
Auditing
◦ review system usage to determine whether misuse or malfeasance has occurred
  use computer-generated activity logs; log analyzers detect unusual behavior, hacking attempts, etc.
  configure duplicate logs and offline storage, so that an intruder who compromises a host cannot silently erase the record of what was done
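The slide says log analyzers "detect unusual behavior, hacking attempts, etc." without showing what such an analyzer looks for. The following is an added example, not code from the textbook or slides: it parses constructed OpenSSH-style authentication log lines and flags three classic audit findings, a burst of failed logins from one source, a successful login right after such a burst (a guessed credential), and logins outside business hours. The log format, the five-failures-in-five-minutes threshold, and the 07:00-19:59 business window are assumptions for illustration.

```python
"""Audit-log analyzer: flag unusual behaviour in activity logs.

Added example for this page. The log lines are constructed to resemble OpenSSH
syslog entries; the thresholds and business hours are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> sshd: <message>").
SAMPLE_LOG = """\
2024-03-04T02:10:01 sshd: Failed password for invalid user admin from 203.0.113.7 port 4410 ssh2
2024-03-04T02:10:03 sshd: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
2024-03-04T02:10:05 sshd: Failed password for root from 203.0.113.7 port 4412 ssh2
2024-03-04T02:10:07 sshd: Failed password for root from 203.0.113.7 port 4413 ssh2
2024-03-04T02:10:09 sshd: Failed password for root from 203.0.113.7 port 4414 ssh2
2024-03-04T02:10:12 sshd: Accepted password for root from 203.0.113.7 port 4415 ssh2
2024-03-04T09:15:30 sshd: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
2024-03-04T14:02:11 sshd: Failed password for bob from 192.0.2.11 port 51100 ssh2
2024-03-04T14:02:40 sshd: Accepted password for bob from 192.0.2.11 port 51101 ssh2
2024-03-04T23:45:00 sshd: Accepted publickey for carol from 198.51.100.5 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5             # assumed: failures per source inside WINDOW
WINDOW = timedelta(minutes=5)  # assumed sliding window
BUSINESS_HOURS = range(7, 20)  # assumed: 07:00-19:59 local time


def parse(log_text):
    """Return (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def analyze(log_text):
    """Return a sorted list of (finding_kind, source_ip, user) tuples."""
    events = parse(log_text)
    findings = set()
    failures = defaultdict(list)  # source ip -> timestamps of failed attempts
    for ts, result, user, ip in events:
        recent = [t for t in failures[ip] if ts - t <= WINDOW]
        if result == "Failed":
            failures[ip].append(ts)
            if len(recent) + 1 >= FAIL_THRESHOLD:
                findings.add(("brute_force", ip, user))
        else:
            # A success shortly after a burst of failures from the same source is
            # the classic signature of a guessed credential.
            if len(recent) >= FAIL_THRESHOLD:
                findings.add(("success_after_failures", ip, user))
            if ts.hour not in BUSINESS_HOURS:
                findings.add(("off_hours_login", ip, user))
    return sorted(findings)


if __name__ == "__main__":
    for kind, ip, user in analyze(SAMPLE_LOG):
        print(f"{kind:24} {ip:15} {user}")
```

Run this against a copy of the log that was forwarded to a separate log host, not against the file on the monitored system: that is the point of the slide's "duplicate logs and offline storage" advice, since a successful intruder can edit local logs but not the copy already shipped elsewhere.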
ISO Model - Performance Management
Monitor information security system performance
◦ network devices, firewalls, proxy servers, content filters
◦ performance factors to evaluate: memory usage, CPU usage, network traffic, data storage
Use established performance baselines to:
◦ detect abnormal levels of activity
◦ identify performance shortfalls that should be addressed by upgrades
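Both uses of a baseline named on the slide, spotting abnormal activity and spotting capacity shortfalls, can be implemented with the same few lines once historical samples exist. This added example (not from the textbook or slides) builds a mean/standard-deviation baseline per device and metric from constructed samples, then flags a current reading as abnormal when it lies more than three standard deviations from the mean and as a shortfall when a percentage metric crosses 80% utilisation. The device names, sample values, and both thresholds are assumptions for illustration.

```python
"""Baseline-based detection of abnormal activity and capacity shortfalls.

Added example for this page. All samples, device names and thresholds are
constructed assumptions; real baselines come from a monitoring system.
"""
import statistics

# Constructed hourly samples per (device, metric), e.g. from a week of monitoring.
BASELINE_SAMPLES = {
    ("fw1", "cpu_pct"):     [22, 25, 24, 27, 23, 26, 25, 24, 28, 23, 26, 25],
    ("fw1", "mbps_out"):    [110, 120, 115, 130, 125, 118, 122, 128, 119, 121, 124, 117],
    ("proxy1", "mem_pct"):  [60, 62, 61, 63, 64, 62, 61, 63, 62, 60, 64, 63],
    ("proxy1", "disk_pct"): [68, 70, 72, 74, 71, 76, 73, 78, 69, 75, 77, 79],
}

# Constructed current readings: a CPU spike on the firewall (possible DoS or scan),
# a proxy disk that is filling up, and a device nobody has baselined yet.
CURRENT_READINGS = {
    ("fw1", "cpu_pct"): 95,
    ("fw1", "mbps_out"): 121,
    ("proxy1", "mem_pct"): 63,
    ("proxy1", "disk_pct"): 82,
    ("vpn1", "sessions"): 40,
}

Z_THRESHOLD = 3.0       # assumed: more than 3 standard deviations from the mean is abnormal
CAPACITY_WARN_PCT = 80  # assumed: utilisation at or above this is a shortfall to plan an upgrade for


def build_baseline(samples):
    """Return {(device, metric): (mean, stdev)} from historical samples."""
    return {k: (statistics.mean(v), statistics.stdev(v)) for k, v in samples.items()}


def evaluate(baseline, current):
    """Compare readings to the baseline; return (device, metric, finding_kind, z_score) tuples."""
    findings = []
    for key, value in current.items():
        if key not in baseline:
            # Unknown device/metric: cannot judge it, but it must not be silently ignored.
            findings.append((*key, "no_baseline", None))
            continue
        mean, sd = baseline[key]
        if sd == 0:
            z = 0.0 if value == mean else float("inf")
        else:
            z = (value - mean) / sd
        if abs(z) > Z_THRESHOLD:
            findings.append((*key, "abnormal_activity", round(z, 1)))
        if key[1].endswith("_pct") and value >= CAPACITY_WARN_PCT:
            findings.append((*key, "capacity_shortfall", round(z, 1)))
    return findings


if __name__ == "__main__":
    for device, metric, kind, z in evaluate(build_baseline(BASELINE_SAMPLES), CURRENT_READINGS):
        print(f"{device:8} {metric:10} {kind:20} z={z}")
```

The disk reading illustrates why the two checks are separate: 82% is within the normal spread of a disk that has been slowly filling (no abnormal-activity finding), yet it is still a shortfall that needs an upgrade or cleanup. Baselines also need refreshing after legitimate changes, otherwise a planned traffic increase shows up as an attack forever.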
ISO Model - Security Program Management
Formal management standards relevant to information security programs (there is a fee to obtain these standards)
◦ ISO 27002 (previously ISO 17799): Code of Practice for Information Security Management
◦ ISO 27001 (previously BS 7799 Part 2): provides the process model described below
Plan-Do-Check-Act process
◦ Plan: perform risk analysis of vulnerabilities
◦ Do: apply internal controls to manage risk
◦ Check: perform periodic/frequent reviews to verify effectiveness
◦ Act: take corrective action based on what the reviews found, including developing incident response plans as necessary
Information Security Maintenance Model
Focus on maintaining systems
5 areas/domains
1. External Monitoring
2. Internal Monitoring
3. Planning and Risk Assessment
4. Vulnerability Assessment and Remediation
5. Readiness and Review
Maintenance Model (figure)
Maintenance Model - Monitoring the External Environment
Goal: maintain awareness of changing external threats
◦ Provide early detection of new and emerging threats, threat agents, vulnerabilities, and attacks
Collect external intelligence from available data sources
◦ CERT web site
◦ vendors
◦ public internet sites
Provide intelligence context and meaning for use by decision makers within the organization
Characteristics of an effective external monitoring program:
◦ Creates documented and repeatable procedures
◦ Provides proper training
◦ Equips staff with proper access and tools
◦ Designs criteria and cultivates expertise
◦ Develops suitable communications methods
◦ Integrates the Incident Response Plan with the results of the external monitoring process
◦ Escalates warnings to the internal organization about new threats
External Monitoring (figure)
ISM Model - Monitoring the Internal Environment
Goal: maintain informed awareness of the state of the organization's networks, systems, and defenses by maintaining an inventory of IT infrastructure and applications
Accomplished by
◦ Maintaining a complete inventory of the network and IT infrastructure, referred to as characterization of the network
◦ Leading the IT governance process to integrate changes
◦ Performing real-time monitoring of IT activity using intrusion detection systems
  identify security weaknesses
  reduce the risk of attacks in the future
◦ Detecting variances introduced to network or system hardware and software, e.g., by automated difference-detection methods that compare the current state against the documented inventory
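"Automated difference-detection" only works if the characterization of the network is recorded in a form that can be compared mechanically. This added example (not from the textbook or slides) keeps a baseline inventory of hosts, operating systems, listening ports, and package versions, then diffs a fresh snapshot against it and reports every variance: hosts that vanished, hosts nobody documented, newly opened ports, and package versions that changed (including a downgrade). The host names, ports, and versions are constructed; a real run would feed the current snapshot from a scanner or CMDB export.

```python
"""Difference detection against a documented inventory (network characterization).

Added example for this page. Both snapshots are constructed; hosts, ports and
package versions are illustrative only.
"""

# Constructed baseline: what was recorded when the network was characterized.
BASELINE = {
    "web01": {"os": "Ubuntu 22.04", "ports": {22, 80, 443},
              "packages": {"nginx": "1.18.0", "openssl": "3.0.2"}},
    "db01": {"os": "Ubuntu 22.04", "ports": {22, 5432},
             "packages": {"postgresql": "14.10", "openssl": "3.0.2"}},
    "jump01": {"os": "Debian 12", "ports": {22},
               "packages": {"openssh-server": "9.2p1"}},
}

# Constructed current snapshot: a new listener on web01, a downgraded library on
# db01, jump01 missing, and a host that appeared without going through change control.
CURRENT = {
    "web01": {"os": "Ubuntu 22.04", "ports": {22, 80, 443, 8080},
              "packages": {"nginx": "1.18.0", "openssl": "3.0.2"}},
    "db01": {"os": "Ubuntu 22.04", "ports": {22, 5432},
             "packages": {"postgresql": "14.10", "openssl": "1.1.1"}},
    "unknown-7f": {"os": "unknown", "ports": {23, 80}, "packages": {}},
}


def diff_inventory(baseline, current):
    """Return (host, change_kind, detail) tuples for every variance between the snapshots."""
    changes = []
    for host in sorted(set(baseline) - set(current)):
        changes.append((host, "host_missing", None))
    for host in sorted(set(current) - set(baseline)):
        # An undocumented host is reported with its listeners so triage can start at once.
        changes.append((host, "host_unknown", sorted(current[host]["ports"])))
    for host in sorted(set(baseline) & set(current)):
        before, after = baseline[host], current[host]
        if before["os"] != after["os"]:
            changes.append((host, "os_changed", (before["os"], after["os"])))
        for port in sorted(after["ports"] - before["ports"]):
            changes.append((host, "port_opened", port))
        for port in sorted(before["ports"] - after["ports"]):
            changes.append((host, "port_closed", port))
        for pkg in sorted(set(before["packages"]) | set(after["packages"])):
            old, new = before["packages"].get(pkg), after["packages"].get(pkg)
            if old != new:
                # Covers installs, removals, upgrades and downgrades alike.
                changes.append((host, "package_changed", (pkg, old, new)))
    return changes


if __name__ == "__main__":
    for host, kind, detail in diff_inventory(BASELINE, CURRENT):
        print(f"{host:12} {kind:16} {detail}")
```

Each reported variance should be matched against approved change tickets; anything left over is either undocumented change (a governance failure) or an intrusion indicator, and both deserve a trouble ticket.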
Internal Monitoring (figure)
ISM Model - IT Governance
Goal: increased awareness of the impact of change
◦ translated into a description of the risk
◦ obtained through operational risk assessment
Method: active engagement in an organization-wide IT governance process
Awareness of change comes from two components of the IT governance process:
◦ Architecture review boards: provide an orderly introduction of change in information technology
◦ IT change control process: frequently supervised by a change control committee that ensures awareness of change and integration of information security aspects
ISM Model - Planning and Risk Assessment
Monitor the entire information security program
◦ Plan ongoing information security activities to further reduce risk
◦ Perform risk assessment to identify and document risks introduced by projects and latent risks in the environment; document risks introduced by new projects or processes and identify possible controls for these risks
◦ Uses periodic reviews
◦ Part of the organization's strategic planning process and annual capital budget planning cycle
Primary goals are:
◦ Establish a formal information security program review process
◦ Institute formal project identification, selection, planning, and management processes
◦ Introduce risk assessment and review for all IT projects
◦ Create a mindset of risk assessment across the organization
Planning and Risk Assessment (figure)
ISM Model - Vulnerability Assessment and Remediation
Goal: identify specific, documented vulnerabilities and perform timely remediation
◦ Use effective vulnerability assessment procedures to collect intelligence about the network, platforms, dial-in modems, and wireless network systems
◦ Document background information and provide tested remediation procedures for reported vulnerabilities
◦ Track and report the status of vulnerabilities from the time of discovery until they are remediated or the risk is formally accepted
◦ Communicate information about vulnerabilities, including risk estimates and remediation plans
◦ Escalate unremediated vulnerabilities to management to obtain management involvement in the ultimate decision to accept the risk of loss
Vulnerability Assessment Process (figure)
ISM Model - Remediating Vulnerabilities
Goal:
◦ Repair the flaw causing a vulnerability instance, or remove (mitigate) the risk arising from the vulnerability
◦ As a last resort, informed decision makers with the proper authority can accept the risk
A team approach to remediation is the key to success
Remediation options
◦ Acceptance of risk: must be a conscious decision based on full information and cost-benefit analysis
◦ Threat removal (prevention): remove the risk by making the threat impossible to accomplish (e.g., use a standalone computer instead of a networked one)
◦ Vulnerability repair: the preferred option when possible; patches and updates; repair the problem causing the vulnerability
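The two preceding slides describe one lifecycle: track each vulnerability from discovery until it is remediated or the risk is formally accepted, escalate what stays unremediated, and allow acceptance only as a conscious decision by someone with the proper authority. This added example (not from the textbook or slides) implements that lifecycle as a small tracker: every status change is appended to the finding's history, a severity-based SLA decides what is overdue and must be escalated, and an attempt to mark a risk "accepted" without an authorised approver and a written justification is refused so the finding stays open. The SLA days, the rule that approvers are identified by a "ciso" prefix, and the sample findings are assumptions for illustration.

```python
"""Vulnerability tracking: discovery -> remediation or formal risk acceptance.

Added example for this page. SLA targets, approver rule and the findings
themselves are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed targets
VALID_STATUS = {"open", "in_progress", "remediated", "accepted"}


def is_authorised_approver(who):
    """Assumed rule: only accounts prefixed 'ciso' may accept risk on the organisation's behalf."""
    return who.startswith("ciso")


@dataclass
class Finding:
    fid: str
    host: str
    title: str
    severity: str
    discovered: date
    status: str = "open"
    history: list = field(default_factory=list)  # (date, old_status, new_status, who, note)

    def transition(self, new_status, on, who, note=""):
        """Record a status change; acceptance needs authority plus a written rationale."""
        if new_status not in VALID_STATUS:
            raise ValueError(f"unknown status {new_status!r}")
        if new_status == "accepted" and not (is_authorised_approver(who) and note.strip()):
            raise PermissionError("risk acceptance requires an authorised approver and a justification")
        self.history.append((on, self.status, new_status, who, note))
        self.status = new_status

    def due(self):
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def is_overdue(self, today):
        return self.status in ("open", "in_progress") and today > self.due()


def report(findings, today):
    """Summarise what is open, what is overdue (to escalate), and what is closed and how."""
    summary = {"open": [], "overdue": [], "remediated": [], "accepted": []}
    for f in findings:
        if f.status in ("open", "in_progress"):
            summary["open"].append(f.fid)
            if f.is_overdue(today):
                summary["overdue"].append(f.fid)
        else:
            summary[f.status].append(f.fid)
    return summary


def sample_findings():
    """Constructed findings: one patched, one past its SLA, one formally accepted."""
    f1 = Finding("V-1", "web01", "outdated TLS library", "critical", date(2024, 3, 1))
    f2 = Finding("V-2", "db01", "weak database password policy", "high", date(2024, 2, 1))
    f3 = Finding("V-3", "jump01", "SSH banner disclosure", "low", date(2024, 1, 10))
    f1.transition("remediated", date(2024, 3, 5), "ops.alice", "patched openssl")
    f3.transition("accepted", date(2024, 2, 1), "ciso.bob",
                  "low impact; cost of change exceeds benefit")
    return [f1, f2, f3]


def example_report():
    return report(sample_findings(), date(2024, 3, 10))


def acceptance_requires_authority():
    """True if an unauthorised acceptance attempt is refused and the finding stays open."""
    f = Finding("V-9", "web02", "directory listing enabled", "medium", date(2024, 3, 1))
    try:
        f.transition("accepted", date(2024, 3, 2), "ops.alice", "")
    except PermissionError:
        return f.status == "open" and f.history == []
    return False


if __name__ == "__main__":
    print(example_report())
    print("unauthorised acceptance refused:", acceptance_requires_authority())
```

The overdue list is what gets escalated to management; the history kept on each finding is what lets an auditor later see who accepted which risk, when, and on what grounds.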
ISM Model - Readiness and Review
Goal: keep the program functioning as designed and continuously improving
Accomplished by:
◦ Policy review: periodic review and update to provide a current foundation for the information security program
◦ Readiness review: major planning components should be reviewed on a periodic basis to ensure they are current, accurate, and appropriate
◦ Rehearsals and war games: rehearse major plan elements to make sure all participants are capable of responding as needed; war games are realistic simulations
Readiness and Review (figure)
Principles of Information Security, 3rd Edition 27
Digital Forensics
Digital forensics
◦ investigates what happened during an attack on assets and how the attack occurred
◦ based on the field of traditional forensics
◦ involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
Evidentiary material (EM)
◦ any information that could potentially support the organization's legal or policy-based case against a suspect
Digital Forensics (continued)
Used for two key purposes:
◦ To investigate allegations of digital malfeasance
◦ To perform root cause analysis
Organization chooses one of two approaches when using digital forensics:
◦ Protect and forget (patch and proceed): focuses on the defense of data and the systems that house, use, and transmit it
◦ Apprehend and prosecute (pursue and prosecute): focuses on the identification and apprehension of responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution
Tools: http://www.forensicswiki.org/wiki/Main_Page
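The "apprehend and prosecute" approach stands or falls on preservation: EM is only useful if it can be shown that what is analysed is exactly what was collected, and who held it in between. This added example (not from the textbook, the slides, or the linked wiki) shows the minimum mechanics: hash the acquired image at collection time, keep an append-only chain-of-custody log, and refuse to proceed when the bytes no longer match the acquisition hash. The "disk image" is a constructed byte string and the case and people are invented; a real acquisition is done through a write blocker with a forensic imager, and this script only models the record-keeping around it.

```python
"""Preserving evidentiary material: hash on acquisition, log custody, verify before use.

Added example for this page. The image bytes, case id and names are constructed;
the record layout is an assumption, not a standard.
"""
import hashlib
import json
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat()


def acquire(image_bytes, case_id, examiner, source):
    """Create the evidence record; the SHA-256 fixes the content at acquisition time."""
    return {
        "case_id": case_id,
        "source": source,
        "size": len(image_bytes),
        "sha256": hashlib.sha256(image_bytes).hexdigest(),
        "custody": [{"action": "acquired", "by": examiner, "at": _now()}],
    }


def transfer(record, from_person, to_person, reason):
    """Append a custody entry. Entries are never edited or removed, only appended."""
    record["custody"].append({
        "action": "transferred", "from": from_person, "to": to_person,
        "reason": reason, "at": _now(),
    })
    return record


def verify(record, image_bytes):
    """True only if the bytes still match the acquisition hash; analysis must stop otherwise."""
    return (len(image_bytes) == record["size"]
            and hashlib.sha256(image_bytes).hexdigest() == record["sha256"])


def evidence_log(record):
    """Serialise the record for the case file (deterministic key order for diffing)."""
    return json.dumps(record, indent=2, sort_keys=True)


# Constructed stand-in for an acquired image, and a copy with one byte altered.
ORIGINAL = b"MBR\x00" + b"\x00" * 60 + b"example filesystem data " * 8
TAMPERED = ORIGINAL[:-1] + b"X"


if __name__ == "__main__":
    rec = acquire(ORIGINAL, "CASE-2024-017", "examiner.alice", "laptop SSD (constructed)")
    transfer(rec, "examiner.alice", "evidence.locker", "storage pending analysis")
    print(evidence_log(rec))
    print("original verifies:", verify(rec, ORIGINAL))
    print("tampered verifies:", verify(rec, TAMPERED))
```

Work on a verified copy and leave the original sealed; if the hash ever fails to match, the item's value as EM is gone even though it may still serve root cause analysis, which is exactly the trade-off between the two approaches on the slide.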
Summary
Maintenance of the information security program is essential
Security management models assist in planning for ongoing operations
It is necessary to monitor the external and internal environment
Planning and risk assessment are essential parts of information security maintenance
Need to understand how vulnerability assessment and remediation tie into information security maintenance
Need to understand how to build readiness and review procedures into information security maintenance
Digital forensics and management of the digital forensics function