Security Management Practices
General overview of good security management processes. Introduces topics used in several other sections
Overview
Basic Security Concepts
Policies, Standards, Guidelines, & Procedures
Roles played in security management
Security Awareness
Risk Management
Data & Information Classification
Concepts
C.I.A. - Confidentiality, Integrity, & Availability
Identification, Authentication, Accountability, Authorization, Privacy
Objective of Security Controls: reduce likelihood & impact of threats
Systems Security Lifecycle
1. Initiation
2. Development/Acquisition
3. Implementation
4. Operation/Maintenance
5. Disposal
3 Primary Tenets of InfoSec
Confidentiality
Integrity
Availability
Personnel Concepts
Identification
Authentication
Accountability
Authorization
Privacy
System Concepts
Assume external systems are insecure
Examine the trade-offs (nothing is free)
Use layered security (greater work factor)
Minimize the system elements that are "trusted"
Isolate publicly accessed systems
Authenticate both users & processes
Use unique identities to ensure accountability
Implement least privilege
TOA: Trade-off Analysis
Define the objective (in writing)
Identify alternatives (courses of action)
Compare alternatives
Realize that there are no perfectly secure systems in operation
Security Controls
Objective: reduce vulnerabilities & minimize the effect of an attack
Attack likelihood
Attack cost
Attack countermeasures
Deterrent controls
Corrective controls
Detective controls
Simple Threat Matrix
[Figure: impact (vertical axis) plotted against likelihood of an attack (horizontal axis), origin at 0,0, with three example threats plotted as points A, B and C]
Information Classification
Why classify data & information
Concepts
Classification terms: Governmental, Private Sector
Criteria
Roles used in the classification process
Roles…
Owner: who gets the blame; level of classification, review of protection, delegation to custodian
Custodian: actual day-to-day work, backups, verify backups, restoration, policy maintenance
User: operating procedures, user account management, detecting unauthorized/illicit activity
Termination
Implementation
1. Policy:
   1. Senior management (demonstration of commitment)
   2. General organizational
   3. Functional
2. Implementation:
   1. Standards -- Baselines
   2. Guidelines
   3. Procedures
Risk management
Risk can never be totally eliminated
Primary purpose:
1. Identification of risks
2. Cost / benefit analysis
Benefits:
1. Creates clear cost-to-value
2. Helps analysis process
3. Helps design and creation
Terms
Asset
Threat
Vulnerability
Safeguard
Exposure Factor (EF)
Single Loss Expectancy (SLE)
Annualized Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE)
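The terms above and the cost/benefit analysis from the Risk Management slide are tied together by the standard quantitative formulas SLE = asset value × EF and ALE = SLE × ARO (the formulas themselves are not printed on the slides). The following is an added example, not part of the original deck, that uses them to rank candidate safeguards by net annual value; the asset, threat and safeguard figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float                 # asset value (AV) in dollars
@dataclass
class Threat:
    name: str
    exposure_factor: float       # EF: fraction of AV lost in one occurrence, 0..1
    aro: float                   # ARO: expected occurrences per year
@dataclass
class Safeguard:
    name: str
    annual_cost: float           # what the countermeasure costs per year
    residual_ef: float           # EF once the safeguard is in place
    residual_aro: float          # ARO once the safeguard is in place

def sle(asset, ef):
    """Single Loss Expectancy = asset value x exposure factor."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset.value * ef

def ale(asset, ef, aro):
    """Annualized Loss Expectancy = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset, ef) * aro

def safeguard_value(asset, threat, safeguard):
    """Cost/benefit of one safeguard: (ALE before - ALE after) - annual cost.
    Positive means the safeguard removes more expected loss than it costs."""
    before = ale(asset, threat.exposure_factor, threat.aro)
    after = ale(asset, safeguard.residual_ef, safeguard.residual_aro)
    return before - after - safeguard.annual_cost

def select_safeguards(asset, threat, candidates):
    """Candidates worth buying (positive net value), best first."""
    ranked = sorted(candidates, key=lambda s: safeguard_value(asset, threat, s), reverse=True)
    return [s for s in ranked if safeguard_value(asset, threat, s) > 0]

# Constructed sample figures; nothing below comes from the slides.
CUSTOMER_DB = Asset("customer database", 500_000.0)
THEFT = Threat("backup media stolen", exposure_factor=0.4, aro=0.5)
CANDIDATES = [
    Safeguard("encrypt backup media", 15_000.0, residual_ef=0.05, residual_aro=0.5),
    Safeguard("armed courier for media", 120_000.0, residual_ef=0.4, residual_aro=0.1),
]
```

With these figures the ALE before any safeguard is $100,000 a year; encryption nets about $72,500 a year, while the courier costs more than the risk it removes and is rejected.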
Attacks
Criminal:
Fraud: prolific on the Internet
Destructive, Intellectual Property
Identity Theft, Brand Theft
Privacy: less and less available; people do not own their own data
Surveillance, Databases, Traffic Analysis
Echelon, Carnivore
Publicity & Denial of Service
Legal
Brief Risk Analysis Overview
Quantitative vs. Qualitative
Steps:
Potential losses
Potential threats
Asset valuation
Safeguard selection
Remedies
Risk Analysis
“The identification and evaluation of the most likely permutation of assets, known and anticipated vulnerabilities, and known and anticipated types of attackers.”
Assets
What are you trying to protect?
Why is it being protected?
Risk for other systems on the network
Data: tampering vs. stealing
Liability
Attackers
Categorize by objective, access, resources, expertise, and risk
Hackers: Galileo, Marie Curie
Lone criminals, insiders, espionage, press, organized crime, terrorists
Motives
Business competitors
Same motives as "real-life" criminals
Financial motives: credit cards, The Cuckoo's Egg
Political motives
Personal / psychological motives
Motives
Honeypot: "to learn tools, tactics and motives of blackhat community"
Script kiddies: canned exploits in Perl or shell scripts; still a major threat
Knowing motives helps predict attacks
Degrees of motivation
Automated tools: hardened systems vs. easy kills
Steps in an Attack
1. Identify target & collect information
2. Find vulnerability in target
3. Gain appropriate access to target
4. Perform the attack
5. Complete attack, remove evidence, ensure future access
After you get root
1. Remove traces of root compromise
2. Gather information about system
3. Make sure you can get back in
4. Disable or patch vulnerability
Vulnerability Landscape
Physical World: laptops
Virtual World
Trust Model
System Life Cycle
Vulnerabilities
Only potential until someone figures out how to exploit them
Need to identify and address:
Those that apply & must be mitigated now
Those likely to apply & that must be planned against
Those that seem unlikely and/or are easy to mitigate
Attack Trees (Bruce Schneier)
Visual representation of attacks against any given target
Attack goal is the root; attack subgoals are leaf nodes
For each leaf, determine the subgoals necessary to achieve it
And the cost to achieve penetration using different types of attackers
Attack Tree Example
Goal: Steal Customer Data
Obtain Backup Media: Burglarize Office ($10,000)
Intercept eMail: Bribe Admin at ISP ($5,000); Hack remote user's home system ($1,000); Hack SMTP Gateway ($2,000)
Hack into Server
Defenses
Three general means of mitigating attack risk:
Reducing asset value to the attacker
Mitigating specific vulnerabilities: software patches, defensive coding
Neutralizing or preventing attacks: access control mechanisms; distinguish between trusted & untrusted users
Security
Security is a process, not a product
Weakest link in the process
Examples of Threat Modeling in Secrets & Lies chapter 19
Security Awareness
People are often the weakest link
Benefits:
Awareness of need to protect the system
Skill & knowledge improvement
More in-depth knowledge
Be careful of over-training:
Constant barrage == ignored
Too much knowledge of how the system works
References
Cohen, Fred. "A Preliminary Classification Scheme for Information Security Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on that Model." Sandia National Laboratories, Sept 1998 (www.all.net/journal/ntb/cause-and-effect.html)
Bauer, Michael D. "Building Secure Servers with Linux." O'Reilly, 2003