Information Security Maintenance - Principles of Information Security, Chapter 12

Upload: reynard-miller

Post on 19-Dec-2015


Page 1: Information Security Maintenance Principles of Information Security Chapter 12


Page 2: Topic Objectives

Discuss:

◦ The need for ongoing system maintenance
◦ Security management/maintenance models
◦ Monitoring the external and internal environments
◦ Planning and risk assessment
◦ Vulnerability assessment and remediation
◦ Readiness and review procedures
◦ Digital forensics
◦ Managing potential evidentiary material

Page 3: (figure only, no transcript text)

Page 4: Need for Ongoing Maintenance

Things change!

◦ business priorities
◦ business partnerships and organizational structure
◦ employee turnover
◦ assets
◦ threats
◦ vulnerabilities

Ongoing change within the organization and the technology environment must be addressed and integrated into the overall security plan.

Page 5: System Management and Maintenance Models

ISO Network Management Model
◦ Focuses on methods to manage and operate systems
◦ Modified to support the requirements of information security programs

Security Maintenance Model
◦ Focuses on methods to maintain systems

Page 6: Modified ISO Network Management Model

Structured approach to the administration and management of networks and systems
◦ Modified to support the tasks of information security programs

1. Fault Management
2. Configuration and Change Management
3. Accounting and Auditing Management
4. Performance Management
5. Security Program Management

Page 7: ISO Model - Fault Management

Traditional model
◦ technology focus
◦ process of identifying, tracking, diagnosing, and resolving faults in a system

Info Sec model
◦ includes people as well as technology, so it also covers nontechnical issues
◦ identifying faults and remediating them
   - fault detection: vulnerability assessments, penetration testing
   - fault correction: taking appropriate action to eliminate or mitigate faults
◦ monitoring and resolution of user complaints
   - user complaints are possible indicators of faults, weaknesses, or intrusions
   - Help Desk trouble tickets provide a mechanism for documenting, monitoring, and tracking problem resolution
   - knowledge base of common problems and solutions

Page 8: ISO Model - Configuration and Change Management

Addresses both technical and nontechnical changes
◦ Nontechnical change management: maintenance of policies and procedures

Configuration Management
◦ Administration of the configuration of the components of the security program

Change Management
◦ Administration of changes in the strategy, operation, or components of the information security program

Page 9: ISO Model - Technical Configuration and Change Management

Monitor and administer changes to the technical components of information systems

Four steps of configuration management
◦ Configuration identification: identify and document configuration items
◦ Configuration control: administer changes and revisions (by the developing organization)
◦ Configuration status accounting: track and record change implementations
◦ Configuration audit: audit the configuration management program itself

Page 10: ISO Model - Accounting and Auditing Management

Chargeback accounting
◦ provides a mechanism for tracking the use of resources and charging internal departments for system use
   - examples: CPU cycle time (rarely used), computing system resources, network architect and software engineer development time
◦ allows recovery of IT expenses from non-IT units

Accounting management
◦ involves monitoring the use of a particular component of a system

Auditing
◦ Review system usage to determine whether misuse or malfeasance has occurred
   - use computer-generated activity logs; log analyzers detect unusual behavior, hacking attempts, etc.
   - configure duplicate logs and offline storage, so that an intruder who gains control of a host cannot quietly erase the record of what was done
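The auditing bullet above says log analyzers detect "unusual behavior, hacking attempts, etc." without showing what that looks like. The following is an added example, not code from the textbook or the slides: a small analyzer that parses sshd-style authentication lines, counts failures per source address inside a sliding time window, and reports whether a successful login followed the burst (the pattern that separates a noisy scanner from a probable compromise). The log lines, host names and addresses are constructed for the example; the threshold and window are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication log (sample data made up for this example;
# the addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Jan 10 08:01:02 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Jan 10 08:01:04 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Jan 10 08:01:05 host1 sshd[411]: Failed password for root from 203.0.113.7 port 50214 ssh2
Jan 10 08:01:07 host1 sshd[411]: Failed password for root from 203.0.113.7 port 50215 ssh2
Jan 10 08:01:09 host1 sshd[411]: Failed password for root from 203.0.113.7 port 50216 ssh2
Jan 10 08:01:12 host1 sshd[411]: Accepted password for root from 203.0.113.7 port 50217 ssh2
Jan 10 08:30:00 host1 sshd[412]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jan 10 08:30:03 host1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 09:15:00 host1 sshd[413]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_events(log_text, year=2024):
    """Return (timestamp, result, user, source_ip) for each sshd auth line.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an authentication event (e.g. the cron line)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag each source IP with at least `threshold` failures inside `window`,
    and note whether a successful login followed the burst."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        failures = [ts for ts, result, _, _ in evs if result == "Failed"]
        # slide a window of `threshold` consecutive failures along the timeline
        for i in range(len(failures) - threshold + 1):
            burst_end = failures[i + threshold - 1]
            if burst_end - failures[i] <= window:
                success_after = any(result == "Accepted" and ts >= burst_end
                                    for ts, result, _, _ in evs)
                findings[ip] = {"failures": len(failures),
                                "success_after_burst": success_after}
                break
    return findings


def audit(log_text, year=2024):
    return find_bruteforce(parse_auth_events(log_text, year))


if __name__ == "__main__":
    for ip, f in audit(SAMPLE_LOG).items():
        print(f"{ip}: {f['failures']} failures, login succeeded after burst: {f['success_after_burst']}")
```

The analysis runs over a copy of the log, which is the practical reason for the "duplicate logs and offline storage" bullet: the analyzer must read a record the attacker could not edit after the fact.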

Page 11: ISO Model - Performance Management

Monitor information security system performance
◦ network devices, firewalls, proxy servers, content filters
◦ performance factors to evaluate: memory usage, CPU usage, network traffic, data storage

Use established performance baselines to:
◦ detect abnormal levels of activity
◦ identify performance shortfalls that should be addressed by upgrades
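The slide names two different uses of a baseline: spotting a sudden abnormal level of activity and spotting a slow capacity shortfall. They need two different comparisons, which the following added example shows (it is illustrative code written for this page, not from the textbook). A baseline is built from readings taken during a known-normal period; a single current reading is then judged by its distance from that baseline in standard deviations, while the upgrade case is found by comparing the recent average with the earlier average of a longer history. The readings, the 3-sigma cutoff and the 20% growth cutoff are constructed assumptions.

```python
import statistics

# Constructed baseline: twelve hourly readings from a hypothetical firewall during a
# period known to be normal. Values are made up for this example.
BASELINE_SAMPLES = {
    "cpu_pct":     [22, 25, 19, 27, 24, 21, 26, 23, 20, 25, 24, 22],
    "mem_pct":     [61, 63, 60, 64, 62, 61, 63, 62, 60, 64, 63, 62],
    "conns_per_s": [410, 450, 390, 470, 430, 420, 460, 440, 400, 455, 445, 425],
}


def build_baseline(samples):
    """The established baseline: mean and population standard deviation per metric."""
    return {name: (statistics.mean(v), statistics.pstdev(v)) for name, v in samples.items()}


def zscore(value, mean, sd):
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def abnormal_metrics(current, baseline, sigma=3.0):
    """Metrics whose current reading lies more than `sigma` standard deviations
    from the baseline mean: the 'abnormal level of activity' case (flood, worm,
    runaway process) that calls for investigation, not an upgrade."""
    return {name for name, value in current.items()
            if abs(zscore(value, *baseline[name])) > sigma}


def capacity_shortfall(history, recent=4, growth=0.20):
    """Metrics whose recent average exceeds the earlier average by more than
    `growth`: the sustained climb a single-reading comparison misses, and which
    an upgrade rather than an investigation addresses. Returns the growth ratio."""
    flagged = {}
    for name, series in history.items():
        if len(series) <= recent:
            continue
        earlier = statistics.mean(series[:-recent])
        latest = statistics.mean(series[-recent:])
        if earlier > 0 and latest / earlier - 1 > growth:
            flagged[name] = round(latest / earlier - 1, 2)
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    now = {"cpu_pct": 95, "mem_pct": 62, "conns_per_s": 5200}
    print("abnormal now:", abnormal_metrics(now, base))
    # constructed weekly memory averages showing steady growth
    weekly_mem = {"mem_pct": [60, 61, 63, 66, 70, 74, 78, 83]}
    print("upgrade candidates:", capacity_shortfall(weekly_mem))
```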

Page 12: ISO Model - Security Program Management

Formal management standards relevant to information security programs (there is a fee to obtain these standards)
◦ ISO 27002 (previously ISO 17799): Code of Practice for Information Security Management
◦ ISO 27001 (previously BS 7799 Part 2): provides the process model described below

Plan-Do-Check-Act process
◦ Plan: perform risk analysis of vulnerabilities
◦ Do: apply internal controls to manage risk
◦ Check: perform periodic/frequent reviews to verify effectiveness
◦ Act: take corrective action on what the reviews found, including developing incident response plans as necessary

Page 13: Information Security Maintenance Model

Focus on maintaining systems. Five areas/domains:

1. External Monitoring
2. Internal Monitoring
3. Planning and Risk Assessment
4. Vulnerability Assessment and Remediation
5. Readiness and Review

Page 14: Maintenance Model (figure only, no transcript text)

Page 15: Maintenance Model - Monitoring the External Environment

Goal: maintain awareness of changing external threats
◦ Provide early detection of new and emerging threats, threat agents, vulnerabilities, and attacks

Collect external intelligence from available data sources
◦ CERT web site
◦ vendors
◦ public internet sites

Provide intelligence context and meaning for use by decision makers within the organization

Characteristics of an effective external monitoring program:
◦ Creates documented and repeatable procedures
◦ Provides proper training
◦ Equips staff with proper access and tools
◦ Designs criteria and cultivates expertise
◦ Develops suitable communications methods
◦ Integrates the Incident Response Plan with the results of the external monitoring process
◦ Escalates warnings to the internal organization about new threats

Page 16: External Monitoring (figure only, no transcript text)

Page 17: ISM Model - Monitoring the Internal Environment

Goal: maintain informed awareness of the state of the organization's networks, systems, and defenses by maintaining an inventory of IT infrastructure and applications

Accomplished by
◦ Maintaining a complete inventory of network and IT infrastructure, referred to as characterization of the network
◦ Leading the IT governance process to integrate changes
◦ Performing real-time monitoring of IT activity using intrusion detection systems
   - identify security weaknesses
   - reduce the risk of future attacks
◦ Detecting variances introduced to the network or system hardware and software, e.g., by automated difference-detection methods that compare the current state against the recorded inventory
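Both the configuration audit step on Page 9 and the "automated difference-detection" bullet above come down to the same operation: compare what the inventory says against what a scan of the environment reports, and treat every difference as a change that either has a change record or needs one. The following is an added example written for this page, not code from the textbook. The hosts, versions, listening ports and configuration snippets are constructed; the fingerprint is a truncated SHA-256 of the configuration text so a changed configuration is detectable without storing the whole file.

```python
import hashlib


def config_fingerprint(config_text):
    """Short SHA-256 of a device configuration, stored in the inventory so a scan
    can tell that the configuration changed without keeping the full text."""
    return hashlib.sha256(config_text.encode()).hexdigest()[:16]


# Constructed inventories (hypothetical hosts and values). RECORDED is the approved
# baseline from configuration identification; OBSERVED is what a fresh scan found.
RECORDED = {
    "fw-edge-1": {"os": "FortiOS 7.2.5", "listen": "22/tcp,443/tcp",
                  "config": config_fingerprint("set admin-sport 443\n")},
    "web-1": {"os": "Ubuntu 22.04", "listen": "22/tcp,80/tcp,443/tcp",
              "config": config_fingerprint("ServerTokens Prod\nServerSignature Off\n")},
    "db-1": {"os": "Ubuntu 22.04", "listen": "22/tcp,5432/tcp",
             "config": config_fingerprint("ssl = on\n")},
}
OBSERVED = {
    "fw-edge-1": {"os": "FortiOS 7.2.5", "listen": "22/tcp,443/tcp",
                  "config": config_fingerprint("set admin-sport 443\n")},
    "web-1": {"os": "Ubuntu 22.04", "listen": "22/tcp,80/tcp,443/tcp,8080/tcp",
              "config": config_fingerprint("ServerTokens Full\nServerSignature On\n")},
    "jump-9": {"os": "Debian 12", "listen": "22/tcp",
               "config": config_fingerprint("PermitRootLogin yes\n")},
}


def diff_inventory(recorded, observed):
    """Variances between the recorded baseline and the observed state: hosts the
    inventory never heard of, hosts the scan no longer sees, and per-item changes."""
    result = {"new_hosts": sorted(set(observed) - set(recorded)),
              "missing_hosts": sorted(set(recorded) - set(observed)),
              "changed": {}}
    for host in sorted(set(recorded) & set(observed)):
        changes = {}
        for item in set(recorded[host]) | set(observed[host]):
            old, new = recorded[host].get(item), observed[host].get(item)
            if old != new:
                changes[item] = (old, new)
        if changes:
            result["changed"][host] = changes
    return result


def new_services(diff):
    """Listening services that appeared since the baseline: the variance that most
    urgently needs a change record or an incident ticket."""
    opened = {}
    for host, changes in diff["changed"].items():
        if "listen" in changes:
            old, new = changes["listen"]
            extra = set((new or "").split(",")) - set((old or "").split(","))
            if extra:
                opened[host] = sorted(extra)
    return opened


if __name__ == "__main__":
    d = diff_inventory(RECORDED, OBSERVED)
    print("unrecorded hosts:", d["new_hosts"])
    print("hosts not seen by scan:", d["missing_hosts"])
    for host, changes in d["changed"].items():
        for item, (old, new) in changes.items():
            print(f"{host}: {item} changed from {old!r} to {new!r}")
    print("new services:", new_services(d))
```

A missing host is reported rather than silently dropped: it may have been decommissioned without a change record, or the scan may have been blocked, and either case is a finding for the change control process.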

Page 18: Internal Monitoring (figure only, no transcript text)

Page 19: ISM Model - IT Governance

Goal: increased awareness of the impact of change
◦ translated into a description of the risk
◦ obtained through operational risk assessment

Method: active engagement in an organization-wide IT governance process

Awareness of change comes from two components of the IT governance process:
◦ Architecture review boards: provide an orderly introduction of change in information technology
◦ IT change control process: frequently supervised by a change control committee that ensures awareness of change and integration of information security aspects

Page 20: ISM Model - Planning and Risk Assessment

Monitor the entire information security program
◦ Plan ongoing information security activities to further reduce risk
◦ Perform risk assessment to identify and document risks introduced by projects and latent risks in the environment
   - document risks introduced by new projects or processes and identify possible controls for these risks
◦ Uses periodic reviews
◦ Part of the organization's strategic planning process and annual capital budget planning cycle

Primary goals are:
◦ Establish a formal information security program review process
◦ Institute formal project identification, selection, planning, and management processes
◦ Introduce risk assessment and review for all IT projects
◦ Create a mindset of risk assessment across the organization

Page 21: Planning and Risk Assessment (figure only, no transcript text)

Page 22: ISM Model - Vulnerability Assessment and Remediation

Goal: identify specific, documented vulnerabilities and perform timely remediation
◦ Use effective vulnerability assessment procedures
   - collect intelligence about the network, platforms, dial-in modems, and wireless network systems
◦ Document background information
   - provide tested remediation procedures for reported vulnerabilities
◦ Track and report the status of vulnerabilities from the time of discovery until remediation or formal acceptance of the risk
◦ Communicate information about vulnerabilities
   - include risk estimates and remediation plans
◦ Escalate unremediated vulnerabilities to management
   - obtain management involvement in the ultimate decision to accept the risk of loss

Page 23: Vulnerability Assessment Process (figure only, no transcript text)

Page 24: ISM Model - Remediating Vulnerabilities

Goal:
◦ Repair the flaw causing a vulnerability instance, or remove (mitigate) the risk arising from the vulnerability
◦ As a last resort, informed decision makers with the proper authority can accept the risk

A team approach to remediation is the key to success

Remediation options
◦ Acceptance of risk: must be a conscious decision based on full information and a cost-benefit analysis
◦ Threat removal (prevention): remove the risk by making the threat impossible to accomplish (e.g., use a standalone computer instead of a networked one)
◦ Vulnerability repair: the preferred option when possible; patches and updates; repair the problem causing the vulnerability
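Pages 22 and 24 together describe a tracking process: every vulnerability is followed from discovery to one of three closing outcomes (repair, threat removal, or a conscious acceptance by someone with authority), and anything still open past its deadline is escalated. The following added example, written for this page rather than taken from the textbook, is a minimal tracker that produces that status report. The severity-to-deadline table, the asset names, dates and records are constructed assumptions; a real program takes the deadlines from its own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation deadlines (days after discovery) by severity. The page sets no
# numbers; these are an assumption for the example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Vulnerability:
    vid: str
    asset: str
    severity: str
    discovered: date
    status: str = "open"                  # open | repaired | threat_removed | accepted
    accepted_by: Optional[str] = None     # role with the authority to accept the risk
    rationale: Optional[str] = None       # the cost-benefit case behind acceptance


def due_date(v):
    return v.discovered + timedelta(days=SLA_DAYS[v.severity])


def report(vulns, today):
    """Sort every tracked vulnerability into: closed (repaired, threat removed, or
    properly accepted), on track, overdue and needing escalation, or 'accepted'
    without the authority and rationale that make acceptance an informed decision."""
    out = {"closed": [], "on_track": [], "escalate": [], "invalid_acceptance": []}
    for v in vulns:
        if v.status in ("repaired", "threat_removed"):
            out["closed"].append(v.vid)
        elif v.status == "accepted":
            if v.accepted_by and v.rationale:
                out["closed"].append(v.vid)
            else:
                out["invalid_acceptance"].append(v.vid)
        elif today > due_date(v):
            out["escalate"].append((v.vid, v.severity, (today - due_date(v)).days))
        else:
            out["on_track"].append(v.vid)
    out["escalate"].sort(key=lambda e: -e[2])  # most overdue first
    return out


# Constructed tracking data (hypothetical assets and dates).
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_VULNS = [
    Vulnerability("V-1", "web-1", "critical", date(2024, 2, 10)),
    Vulnerability("V-2", "db-1", "high", date(2024, 2, 20)),
    Vulnerability("V-3", "hr-app", "medium", date(2023, 12, 1), "accepted",
                  accepted_by="CISO", rationale="legacy app retired in Q3; network-isolated"),
    Vulnerability("V-4", "printer-7", "low", date(2024, 1, 5), "accepted"),
    Vulnerability("V-5", "web-1", "critical", date(2024, 2, 25), "repaired"),
    Vulnerability("V-6", "modem-bank", "high", date(2024, 1, 10), "threat_removed"),
]

if __name__ == "__main__":
    r = report(SAMPLE_VULNS, SAMPLE_TODAY)
    for vid, sev, days in r["escalate"]:
        print(f"ESCALATE {vid} ({sev}) is {days} days past its remediation deadline")
    print("accepted without authority/rationale:", r["invalid_acceptance"])
    print("closed:", r["closed"], "on track:", r["on_track"])
```

The `invalid_acceptance` bucket is the check a practitioner wants: an "accepted" status with no named approver and no rationale is not a risk decision, it is an open vulnerability that has stopped being tracked.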

Page 25: ISM Model - Readiness and Review

Goal: keep the program functioning as designed and continuously improving

Accomplished by:
◦ Policy review: periodic review and update to provide a current foundation for the information security program
◦ Readiness review: major planning components should be reviewed on a periodic basis to ensure they are current, accurate, and appropriate
◦ Rehearsals and war games: rehearse major plan elements to make sure all participants are capable of responding as needed; war games are realistic simulations

Page 26: Readiness and Review (figure only, no transcript text)

Page 27: Digital Forensics

Principles of Information Security, 3rd Edition

Digital forensics
◦ investigate what happened during an attack on assets and how the attack occurred
◦ Based on the field of traditional forensics
◦ Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis

Evidentiary material (EM)
◦ any information that could potentially support the organization's legal or policy-based case against a suspect
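The preservation and documentation steps above are what make evidentiary material usable later: the copy must be shown to be faithful to the original, and every hand-off must be recorded so the chain of custody has no gap. The following is an added example written for this page, not code from the textbook or from any forensic tool. It hashes the source before and after copying, refuses to continue on a mismatch, keeps a custody log that rejects a transfer from someone who is not the current holder, and verifies the image against the recorded hash. The "disk image" is a constructed byte string standing in for a real acquisition; item identifiers and names are hypothetical.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(source, item_id, collector, description, when=None):
    """Preservation: hash the original, take the copy, and refuse to proceed unless
    the copy hashes identically. Returns the image and its custody record."""
    original_hash = sha256_hex(source)
    image = bytes(source)  # stands in for the bit-for-bit copy an acquisition tool makes
    if sha256_hex(image) != original_hash:
        raise RuntimeError("copy does not match original; acquisition is not faithful")
    record = {
        "item_id": item_id,
        "description": description,
        "sha256": original_hash,
        "custody": [{"action": "acquired", "holder": collector,
                     "when": (when or datetime.now(timezone.utc)).isoformat()}],
    }
    return image, record


def transfer(record, from_person, to_person, when=None):
    """Documentation: every hand-off is logged; a transfer from someone who does
    not currently hold the item would leave a gap in the chain and is rejected."""
    if record["custody"][-1]["holder"] != from_person:
        raise ValueError(f"{from_person} is not the current holder")
    record["custody"].append({"action": "transferred", "from": from_person,
                              "holder": to_person,
                              "when": (when or datetime.now(timezone.utc)).isoformat()})


def custody_intact(record):
    """True if every transfer names the previous holder as its source."""
    entries = record["custody"]
    return all(entries[i]["from"] == entries[i - 1]["holder"]
               for i in range(1, len(entries)))


def verify(image, record):
    """True only if the image still hashes to the value recorded at acquisition."""
    return sha256_hex(image) == record["sha256"]


# Constructed evidence: a fake 'disk image' made of bytes, not a real acquisition.
EVIDENCE = b"MBR\x00" + bytes(range(256)) * 4 + b"/var/log/auth.log: Accepted password for root"

if __name__ == "__main__":
    img, rec = acquire(EVIDENCE, "EM-2024-001", "j.doe", "laptop SSD, web-1 incident")
    transfer(rec, "j.doe", "evidence-locker")
    tampered = bytearray(img)
    tampered[10] ^= 0xFF
    print("intact:", verify(img, rec), "tampered:", verify(bytes(tampered), rec),
          "chain ok:", custody_intact(rec))
```

The hash recorded at acquisition is the value that gets written on the evidence form and quoted in the report; analysis is done on a working copy, and the original image is re-verified against that hash before it is presented.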

Page 28: Digital Forensics (continued)

Used for two key purposes:
◦ To investigate allegations of digital malfeasance
◦ To perform root cause analysis

The organization chooses one of two approaches when using digital forensics:
◦ Protect and forget (patch and proceed): focuses on the defense of data and the systems that house, use, and transmit it
◦ Apprehend and prosecute (pursue and prosecute): focuses on the identification and apprehension of responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution

Tools: http://www.forensicswiki.org/wiki/Main_Page

Page 29: Summary

◦ Maintenance of the information security program is essential
◦ Security management models assist in planning for ongoing operations
◦ It is necessary to monitor the external and internal environments
◦ Planning and risk assessment are essential parts of information security maintenance
◦ Understand how vulnerability assessment and remediation tie into information security maintenance
◦ Understand how to build readiness and review procedures into information security maintenance
◦ Digital forensics and management of the digital forensics function