Administering Security

▪ Security Planning
• comparison of security planning / strategies
• focus on procedure
• e.g. how much we spend on the project
• targeted achievement
• who is involved
• only the IT dept implements strategy planning
▪ Risk Analysis
▪ Security Policies
• how to allocate resources (time (testing, configuration), money/budget, human resources)
• must provide training on policies to make sure everyone knows them
▪ Physical Security
Security Planning
▪ Policy
▪ Current state – risk analysis
• What are the assets
• What are the risks linked with the asset
• Who are going to
▪ Requirements
▪ Recommended controls
▪ Accountability
▪ Timetable
▪ Continuing attention
Security Planning - Policy
▪ Who should be allowed access?
▪ To what system and organizational resources should access be allowed?
▪ What types of access should each user be allowed for each resource?
Security Planning - Policy
▪ What are the organization’s goals on security?
▪ Where does the responsibility for security lie?
▪ What is the organization’s commitment to security?
OCTAVE Methodology
(operationally control, threats, asset, vulnerabilities)
http://www.cert.org/octave/

▪ Identify enterprise knowledge.
▪ Identify operational area knowledge.
▪ Identify staff knowledge.
▪ Establish security requirements.
▪ Map high-priority information assets to information infrastructure.
▪ Perform an infrastructure vulnerability evaluation.
▪ Conduct a multidimensional risk analysis.
▪ Develop a protection strategy.
Security Planning – Requirements of the TCSEC
Testing (computer, system, evaluation, criteria), not coming for final
▪ Security Policy – there must be an explicit and well-defined security policy enforced by the system.
▪ Every subject must be uniquely and convincingly identified.
▪ Every object must be associated with a label that indicates its security level.
▪ The system must maintain complete, secure records of actions that affect security.
▪ The computing system must contain mechanisms that enforce security.
▪ The mechanisms that implement security must be protected against unauthorized change.
BS7799
▪ BS7799 - It is the information security standard
▪ Has 137 controls, e.g. installation, uninstallation
▪ Initially created as a British standard for government and universities
▪ Can be simply implemented for any type of organization
Security Planning Team Members
▪ Computer hardware group
▪ System administrators
▪ Systems programmers
▪ Application programmers
▪ Data entry personnel
▪ Physical security personnel
▪ Representative users
Security Planning
▪ Assuring Commitment to a Security Plan
▪ Business Continuity Plans
• Assess Business Impact
• Develop Strategy
• Develop Plan
▪ Incident Response Plans
• Advance Planning
• Response Team
• After the Incident is Resolved
Risk Analysis
▪ Risk impact - loss associated with an event
▪ Risk probability – likelihood that the event will occur
▪ Risk control – degree to which we can change the outcome
▪ Risk exposure – risk impact * risk probability
Risk Analysis – risk reduction
▪ Avoid the risk
▪ Transfer the risk
▪ Assume the risk
▪ Risk leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / cost of risk reduction
▪ Cannot guarantee systems are risk free
▪ Security plans must address action needed should an unexpected risk become a problem
Steps of a Risk Analysis
▪ Identify assets
▪ Determine vulnerabilities
▪ Estimate likelihood of exploitation
▪ Compute expected annual loss
▪ Survey applicable controls and their costs
▪ Project annual savings of control
Identify Assets
▪ Hardware
▪ Software
▪ Data
▪ People
▪ Procedures (policies, training)
▪ Documentation
▪ Supplies
▪ Infrastructure (building, power, water,…)
Determine Vulnerabilities
Asset | Confidentiality | Integrity | Availability
Hardware | | |
Software | | |
Data | | |
People | | |
Procedures | | |
Determine Vulnerabilities
▪ What are the effects of unintentional errors?
▪ What are the effects of willfully malicious insiders?
▪ What are the effects of outsiders?
▪ What are the effects of natural and physical disasters?
Risk Analysis
▪ Estimate Likelihood of Exploitation
• Classical probability
• Frequency probability (simulation)
• Subjective probability (Delphi approach)
▪ Compute Expected Loss (look for hidden costs)
• Legal obligations
• Side effects
• Psychological effects
Risk Analysis
▪ Survey and Select New Controls
• What Criteria Are Used for Selecting Controls?
▪ Vulnerability Assessment and Mitigation (VAM) Methodology
• How Do Controls Affect What They Control?
• Which Controls Are Best?
▪ Project Savings
• Do costs outweigh benefits of preventing / mitigating risks
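An added worked example (not part of the original slides) that applies the risk exposure and risk leverage formulas to the "survey controls" and "project savings" steps. The asset, the three candidate controls and every figure are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # loss per event, in currency units
    probability: float  # expected events per year

    @property
    def exposure(self) -> float:
        # Risk exposure = risk impact * risk probability (expected annual loss)
        return self.impact * self.probability

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    impact_after: float       # residual loss per event with the control in place
    probability_after: float  # residual events per year with the control in place

def evaluate(risk: Risk, control: Control) -> dict:
    """Risk leverage and projected annual savings for one control."""
    if control.annual_cost <= 0:
        raise ValueError("risk leverage is undefined for a non-positive cost")
    after = control.impact_after * control.probability_after
    reduction = risk.exposure - after
    return {
        "control": control.name,
        "exposure_after": after,
        "leverage": reduction / control.annual_cost,
        "net_savings": reduction - control.annual_cost,
    }

def rank_controls(risk: Risk, controls: list) -> list:
    """Evaluate every control, highest leverage first."""
    return sorted((evaluate(risk, c) for c in controls),
                  key=lambda r: r["leverage"], reverse=True)

# Constructed sample figures, not taken from the slides.
LAPTOP_LOSS = Risk("laptop lost with customer data", impact=80_000, probability=0.25)
CANDIDATES = [
    Control("full-disk encryption", 4_000, impact_after=8_000, probability_after=0.25),
    Control("cable locks", 2_000, impact_after=80_000, probability_after=0.125),
    Control("insurance (transfer)", 25_000, impact_after=0, probability_after=0.25),
]

if __name__ == "__main__":
    print(f"exposure before: {LAPTOP_LOSS.exposure:,.0f}")
    for r in rank_controls(LAPTOP_LOSS, CANDIDATES):
        print(f"{r['control']:<22} leverage={r['leverage']:.2f} "
              f"net savings={r['net_savings']:,.0f}")
```

Leverage puts the cheap cable locks first, while net savings favours encryption, so the two measures should be read together. A leverage below 1, as for the insurance entry, means the control costs more per year than the exposure it removes.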
Arguments for Risk Analysis
▪ Improve awareness
▪ Relate security mission to management objectives
▪ Identify assets, vulnerabilities, and controls
▪ Improve basis for decisions
▪ Justify expenditures for security
Arguments against Risk Analysis
▪ False sense of precision and confidence
▪ Hard to perform
▪ Immutability (filed and forgotten)
▪ Lack of accuracy
▪ “Today’s complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.”
• Robert Graham, lead architect of Internet Security Systems
Organizational Security Policies
▪ Who can access which resources in what manner?
▪ Security policy - high-level management document that informs all users of the goals and constraints on using a system.
Security Policies Purpose
▪ Recognize sensitive information assets
▪ Clarify security responsibilities
▪ Promote awareness for existing employees
▪ Guide new employees
Security Policies Audience
▪ Users
▪ Owners
▪ Beneficiaries
▪ Balance Among All Parties
Contents
▪ Purpose
▪ Protected Resources (what - asset list)
▪ Nature of the Protection (who and how)
Characteristics of a Good Security Policy
▪ Coverage (comprehensive)
▪ Durability
▪ Realism
▪ Usefulness
▪ Examples
Physical Security
▪ Natural Disasters
• Flood
• Fire
• Other
▪ Power Loss
• UPS; surge suppressors (line conditioners)
▪ Human Vandals
• Unauthorized Access and Use
• Theft
Physical Security
▪ Interception of Sensitive Information
• Dumpster Diving - Shredding
• Remanence (slack bits)
▪ Overwriting Magnetic Data
▪ DiskWipe
▪ Degaussing
• Emanation - Tempest
Contingency Planning
▪ BACKUP!!!!!
• Complete backup
• Revolving backup
• Selective backup
▪ OFFSITE BACKUP!!!!!
▪ Networked Storage (SAN)
▪ Cold site (shell)
▪ Hot site
