
Chapter 7-8:

Administering Security

- By Getaneh T.
Security Plan
• A security plan is a document that describes how an organization will address its security
needs. The plan is subject to periodic review and revision as the organization’s security
needs change.
• Contents of a security plan
1. policy, indicating the goals of a computer security effort and the willingness
of the people involved to work to achieve those goals
2. current state, describing the status of security at the time of the plan
3. requirements, recommending ways to meet the security goals
4. recommended controls, mapping controls to the vulnerabilities identified in the
policy and requirements
5. accountability, describing who is responsible for each security activity
6. timetable, identifying when different security functions are to be done
7. continuing attention, specifying a structure for periodically updating the
security plan
1) Policy
• A security plan must state the organization’s policy on security.
• A security policy is a high-level statement of purpose and intent.

The policy statement should specify the following:


• The organization's goals on security. For example, should the system protect
data from leakage to outsiders, protect against loss of data due to physical
disaster, protect the data's integrity, or protect against loss of business when
computing resources fail? What is the higher priority: serving customers or
securing data?
• Where the responsibility for security lies. For example, should the
responsibility rest with a small computer security group, with each employee,
or with relevant managers?
• The organization's commitment to security. For example, who provides
security support for staff, and where does security fit into the organization's
structure?
2) Current Security Status
• The status can be expressed as a listing of organizational assets, the
security threats to the assets, and the controls in place to protect the
assets.
• Also defines the limits of responsibility for security.

3) Requirements
• Requirements are usually derived from organizational needs.
• Requirements explain what should be accomplished, not how.
• Requirements must have these characteristics: correctness, consistency,
completeness, realism, need, verifiability, traceability.
• They may be constrained by budget, schedule, performance, policies,
government regulations and more.
4) Recommended Controls
• The security plan must also recommend what controls should be
incorporated into the system to meet the requirements.

5) Responsibility for Implementation
• A section of the security plan should identify which people are
responsible for implementing the security requirements.
• At the same time, the plan makes explicit who is accountable should
some requirement not be met or some vulnerability not be addressed.
6) Timetable - shows how and when the elements of the plan will be
performed. These dates also give milestones so that management can track
the progress of implementation.
Security Planning Team Members
• Computer hardware group
• System administrators
• Systems programmers
• Applications programmers
• Data entry personnel
• Physical security personnel
• Representative users
Business Continuity Plans
• Documents how a business will continue to function during a computer
security incident.
• An ordinary security plan covers computer security during normal times
and deals with protecting against a wide range of vulnerabilities from the
usual sources.
• A business continuity plan deals with situations having two
characteristics:
1) catastrophic situations, in which all or a major part of a computing
capability is suddenly unavailable
2) long duration, in which the outage is expected to last for so long
that business will suffer
The steps in business continuity planning are these:
• Assess the business impact of a crisis.
• Develop a strategy to control impact.
• Develop and implement a plan for the strategy.
Incident Response Plans
• Tells the staff how to deal with a security incident.
• The goal of incident response is handling the current security
incident, without regard for the business issues that the business
continuity plan addresses.
• An incident response plan should
1) define what constitutes an incident
2) identify who is responsible for taking charge of the situation
3) describe the plan of action
Phases of Incident Response Plans
• Advance Planning
• Triage
• Running the incident
Response Team
• Response team is the set of people charged with responding to the
incident.
• To develop policy and identify a response team, you need to consider
certain matters.
1) Legal Issues
2) Preserving Evidence
3) Records
4) Public Relations
Risk Analysis
• A risk is a potential problem that the system or its users may experience.
• Characteristics of an event to be considered as a risk :
1. A loss associated with an event.
2. The likelihood that the event will occur.
3. The degree to which we can change the outcome.
• Strategies used :
1. Avoiding the risk
2. Transferring the risk
3. Assuming the risk
• Risk leverage is the difference in risk exposure divided by the cost of
reducing the risk. In other words, risk leverage is
(risk exposure before reduction - risk exposure after reduction) / (cost of risk reduction)
• A leverage value below 1 means the control costs more than the exposure it
removes.
• If the leverage value of a proposed action is not high enough, then we
look for alternative but less costly actions or more effective reduction
techniques.
Steps of Risk Analysis
1. Identify assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
4. Compute expected annual loss
5. Survey applicable controls and their costs
6. Project annual savings of control
1. Identify Assets
The assets can be considered in categories, as listed below.
• Hardware: processors, boards, keyboards, monitors, terminals,
microcomputers, workstations, tape drives, printers, disks, disk drives,
cables, connections, communications controllers, and communications
media
• Software: source programs, object programs, purchased programs, in-
house programs, utility programs, operating systems, systems programs
(such as compilers), and maintenance diagnostic programs
• Data: data used during execution, stored data on various media, printed
data, archival data, update logs, and audit records
• People: skills needed to run the computing system or specific programs
• Documentation: on programs, hardware, systems,
administrative procedures, and the entire system
• Supplies: paper, forms, laser cartridges, magnetic media, and printer fluid
2. Determine Vulnerabilities
Asset          Secrecy                    Integrity                     Availability
Hardware       -                          Overloaded, destroyed,        Failed, stolen, destroyed,
                                          tampered with                 unavailable
Software       Stolen, copied, pirated    Impaired by Trojan horse,     Deleted, misplaced,
                                          modified, tampered with       usage expired
Data           Disclosed, accessed by     Damaged by software error,    Deleted, misplaced,
               outsider, inferred         hardware error, user error    destroyed
People         -                          -                             Quit, retired, terminated,
                                                                        on vacation
Documentation  -                          -                             Lost, stolen, destroyed
Supplies       -                          -                             Lost, stolen, damaged
Attributes Contributing to Vulnerabilities
Design/Architecture:
• Singularity - uniqueness, centrality, homogeneity
• Separability
• Logic/implementation errors, fallibility
• Design sensitivity, fragility, limits, finiteness
• Unrecoverability
Behavioral:
• Behavioral sensitivity/fragility
• Malevolence
• Rigidity
• Malleability
• Gullibility, deceivability, naivete
• Complacency
• Corruptibility, controllability
General:
• Accessible, detectable, identifiable, transparent, interceptable
• Hard to manage or control
• Self-unawareness and unpredictability
• Predictability
3. Estimate Likelihood of Exploitation
• Estimate how often each exposure is likely to be exploited; the table
below gives the rating scale used.

Ratings of Likelihood
Frequency Rating
More than once a day 10
Once a day 9
Once every three days 8
Once a week 7
Once in two weeks 6
Once a month 5
Once every four months 4
Once a year 3
Once every three years 2
Less than once in three years 1
4. Compute Expected Loss
• Determine the likely loss if the exploitation does indeed occur. The
expected annual loss for an exposure is its estimated likelihood of
exploitation per year multiplied by the loss per occurrence.
5. Survey and Select New Controls
• Analysis of the controls to see which ones address the risks we have
identified.
• Match each vulnerability with at least one appropriate security
technique.
6. Project Annual Savings of Control
• For each candidate control, the annual savings is the reduction in
expected annual loss it brings, less the annual cost of the control.
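The six risk-analysis steps above and the risk leverage definition, carried through end to end as an added Python example (this is not code from the slides). The assets, exposures, frequencies, losses and control costs are constructed illustrative figures; the frequency-to-rating mapping follows the ratings table above. Two modelling assumptions of this example: each control is evaluated on its own (no interaction between controls), and a control is modelled as leaving a residual fraction of an exposure's event frequency and/or loss per event.

```python
"""Quantitative risk analysis: expected annual loss per exposure, then
cost/benefit and risk leverage of candidate controls (added example)."""
from __future__ import annotations

from dataclasses import dataclass


def likelihood_rating(events_per_year: float) -> int:
    """Map an estimated exploitation frequency to the 1..10 scale of the
    ratings table (step 3). Thresholds are the table's own frequencies."""
    if events_per_year > 365:
        return 10          # more than once a day
    if events_per_year >= 365:
        return 9           # once a day
    if events_per_year >= 365 / 3:
        return 8           # once every three days
    if events_per_year >= 52:
        return 7           # once a week
    if events_per_year >= 26:
        return 6           # once in two weeks
    if events_per_year >= 12:
        return 5           # once a month
    if events_per_year >= 3:
        return 4           # once every four months
    if events_per_year >= 1:
        return 3           # once a year
    if events_per_year >= 1 / 3:
        return 2           # once every three years
    return 1               # less than once in three years


@dataclass(frozen=True)
class Exposure:
    """One asset/vulnerability pair from steps 1 and 2."""
    key: str
    asset: str
    vulnerability: str
    events_per_year: float   # step 3: estimated likelihood of exploitation
    loss_per_event: float    # step 4: loss if the exploitation occurs

    def annual_loss(self) -> float:
        # Expected annual loss = likelihood per year x loss per occurrence.
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class Control:
    """A candidate control from step 5. Assumption of this example: it
    covers some exposures and leaves a residual fraction of their event
    frequency and/or loss per event."""
    name: str
    annual_cost: float
    covers: tuple[str, ...]
    frequency_factor: float = 1.0
    loss_factor: float = 1.0


def total_exposure(exposures: list[Exposure], control: Control | None = None) -> float:
    """Sum of expected annual loss, optionally with one control applied."""
    total = 0.0
    for e in exposures:
        loss = e.annual_loss()
        if control is not None and e.key in control.covers:
            loss *= control.frequency_factor * control.loss_factor
        total += loss
    return total


def risk_leverage(exposures: list[Exposure], control: Control) -> float:
    """(exposure before reduction - exposure after reduction) / cost of reduction."""
    before = total_exposure(exposures)
    after = total_exposure(exposures, control)
    return (before - after) / control.annual_cost


def annual_savings(exposures: list[Exposure], control: Control) -> float:
    """Step 6: reduction in expected annual loss minus the control's annual cost."""
    return total_exposure(exposures) - total_exposure(exposures, control) - control.annual_cost


def select_controls(exposures: list[Exposure], controls: list[Control],
                    min_leverage: float = 1.0) -> list[str]:
    """Keep controls whose leverage clears the threshold, best first.
    Leverage below 1 means the control costs more per year than it removes."""
    scored = sorted(((risk_leverage(exposures, c), c) for c in controls),
                    key=lambda pair: pair[0], reverse=True)
    return [c.name for lev, c in scored if lev >= min_leverage]


# Constructed figures for illustration only.
EXPOSURES = [
    Exposure("db-disclosure", "Customer database", "Disclosed to outsider via SQL injection", 0.5, 200_000.0),
    Exposure("web-dos", "Public web server", "Unavailable - denial of service", 12.0, 2_000.0),
    Exposure("tape-loss", "Backup tapes", "Lost in transit", 1.0, 5_000.0),
]
CONTROLS = [
    Control("Parameterized queries and code review", 30_000.0, ("db-disclosure",), frequency_factor=0.1),
    Control("DDoS scrubbing service", 40_000.0, ("web-dos",), frequency_factor=0.2),
    Control("Encrypt backup tapes", 1_000.0, ("tape-loss",), loss_factor=0.1),
]

if __name__ == "__main__":
    for e in EXPOSURES:
        print(f"{e.asset:18} rating={likelihood_rating(e.events_per_year):2d} "
              f"expected annual loss={e.annual_loss():>10,.0f}")
    for c in CONTROLS:
        print(f"{c.name:40} leverage={risk_leverage(EXPOSURES, c):5.2f} "
              f"net annual savings={annual_savings(EXPOSURES, c):>10,.0f}")
    print("Selected:", select_controls(EXPOSURES, CONTROLS))
```

With these figures the scrubbing service has leverage 0.48 (it costs 40,000 a year to remove 19,200 of exposure) and is rejected, which is the "look for a less costly action" case described above; the other two controls clear the threshold and are listed best first.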
Advantages of Risk Analysis
• Improve awareness
• Relate security mission to management objectives
• Identify assets, vulnerabilities and controls
• Improve basis for decisions
• Justify expenditures for security
Disadvantages of Risk Analysis
• False sense of precision and confidence
• Hard to perform
• Immutability
• Lack of Accuracy
Organizational Security Policies
• Purpose
❑ recognizing sensitive information assets
❑ clarifying security responsibilities
❑ promoting awareness for existing employees
❑ Guiding new employees

• Audience – Users, owners, beneficiaries
• Contents
✓ A security policy must identify its audiences: the beneficiaries,
users, and owners.
✓ The policy should describe the nature of each audience and their
security goals.
✓ Several other sections are required, including the purpose of the
computing system, the resources needing protection, and the
nature of the protection to be supplied. We discuss each one in
turn.
• Goals
1. Promote efficient business operation.
2. Facilitate sharing of information throughout the organization.
3. Safeguard business and personal information.
4. Ensure that accurate information is available to support business
processes.
5. Ensure a safe and productive place to work.
6. Comply with applicable laws and regulations.
• Protected resources - protected assets should be listed in the policy.
• Nature of Protection - indicate who should have access to the protected
items. It may also indicate how that access will be ensured and how
unauthorized people will be denied access.
Characteristics of Good Security Policy
• Coverage - It must either apply to or explicitly exclude all possible
situations.
• Durability - grow and adapt well. If written in a flexible way, the
existing policy will be applicable to new situations.
• Realism - must be realistic. It must be possible to implement the
stated security requirements with existing technology.
• Usefulness - The policy must be written in language that can be
read, understood, and followed by anyone who must implement it
or is affected by it.
Physical Security
• Natural Disasters
❑ Flood
❑ Fire
• Power Loss
Solutions – UPS, surge suppressors
• Human Vandals
• Unauthorized access and use – theft
• Interception of Sensitive Information – shredding of paper output
• Sanitizing Magnetic Data – overwriting, degaussing
• Protecting Against Emanation – TEMPEST

Contingency Planning
❑ Backup
• Offsite Backup
• Networked Storage
• Cold Site or shell - facility with power and cooling available, in which
a computing system can be installed to begin immediate operation.
• Hot site - computer facility with an installed and ready-to-run
computing system.
Legal And Ethical Issues
Protecting Programs and Data
1) Copyrights – designed to protect the expression of ideas.
✓ Applies to a creative work, such as a story, photograph, song, or
pencil sketch.
✓ Intention is to allow regular and free exchange of ideas.
✓ Gives the author exclusive right to make copies of the expression
and sell them in public.
▪ Intellectual Property
▪ Originality of work
▪ Fair use of Material – a copyrighted object is subject to fair use.
A purchaser has the right to use the product in the manner for
which it was intended and in a way that does not interfere with
the author's rights.
▪ Requirements for registering a copyright.
• Notice - Any potential user must be made aware that the work is copyrighted.
• Officially filed.
Copyright Infringement
• The holder of the copyright must go to court to prove that someone
has infringed on the copyright.
• The infringement must be substantial, and it must be copying, not
independent work.

Copyrights for Digital Objects


2) Patents
• Protect inventions, tangible objects, or ways to make them, not
works of the mind.
• Designed to protect the device or process for carrying out an idea,
not the idea itself.
• The distinction between patents and copyrights is that patents were intended to
apply to the results of science, technology, and engineering, whereas copyrights were
meant to cover works in the arts, literature, and written scholarship. A patent can
protect a "new and useful process, machine, manufacture, or composition of matter."
• Requirement of Novelty
₋ A patent can be valid only for something that is truly novel or unique, so
there can be only one patent for a given invention.
₋ An object patented must also be nonobvious.

• Registering a Patent
• Patent Infringement
A patent holder must oppose all infringement. Failing to sue over an
infringement, even a small one or one the patent holder does not know
about, can mean losing the patent rights entirely.
• Applicability of Patents to Computer Objects
3)Trade Secrets
• The information has value only as a secret, and an infringer is one who divulges the
secret. Once divulged, the information usually cannot be made secret again.

Characteristics of Trade Secrets


1. Must always be kept secret.
2. If someone else happens to discover the secret
independently, there is no infringement and trade secret
rights are gone.
Reverse Engineering - one studies a finished object to determine how it is
manufactured or how it works.
• Trade secret protection works best when the secret is not apparent in the product.
Applicability to computer objects
❑ Trade secret protection allows distribution of the result of a secret
(the executable program) while still keeping the program design
hidden.
❑ Trade secret protection does not cover copying a product (specifically
a computer program), so it cannot protect against a pirate who sells
copies of someone else's program without permission.
❑ The difficulty with computer programs is that reverse engineering works.
Difficulty of Enforcement - Trade secret protection is of no help when someone infers
a program's design by studying its output or, worse yet, decoding the object
code. Both of these are legitimate (that is, legal) activities, and both cause trade
secret protection to disappear.
Comparing Copyright, Patent, and Trade Secret Protection
                   Copyright                    Patent                        Trade Secret
Protects           Expression of idea, not      Invention: the way            A secret, competitive
                   idea itself                  something works               advantage
Protected object   Yes; intention is to         Design filed at Patent        No
made public        promote publication          Office
Requirement to     Yes                          No                            No
distribute
Ease of filing     Very easy, do-it-yourself    Very complicated;             No filing
                                                specialist lawyer suggested
Duration           Life of human originator     20 years from filing          Indefinite
                   plus 70 years, or total of
                   95 years for a company
Legal protection   Sue if unauthorized copy     Sue if invention copied       Sue if secret improperly
                   sold                                                       obtained
Protecting Hardware – Hardware can be patented.
Protecting Firmware - Trade secret protection is appropriate for the code
embedded in a chip.
Protecting Object Code Software - copyright protection is appropriate.
Protecting source code software – copyright or trade secret protection.
Protecting Documentation - A program and its documentation must be
copyrighted separately.
Protecting Web Content - most appropriate protection is copyright
Protecting Domain Names and URLs - Domain names, URLs, company names,
product names, and commercial symbols are protected by a trademark, which
gives exclusive rights of use to the owner of such identifying marks.
Characteristics of Information
• Information as an object
• Information is not depletable
• Information can be Replicated
• Information has a Minimal Marginal Cost
• The Value of Information is often Time Dependent
• Information is often transferred Intangibly
These characteristics of information affect its legal treatment.
Legal Issues Relating To Information
Example 1- Information Commerce
• Information is unlike most other goods traded, even though it
has value and is the basis of some forms of commerce.
Example 2- Electronic Publishing
• Many newspapers and magazines post a version of their content
on the Internet, as do wire services and television news
organizations.
Example 3- Protecting Data in a Database
• Databases are a particular form of software that has posed significant
problems for legal interpretation.
• How does one determine that a set of data came from a particular
database (so that the database owner can claim some compensation)?
• Who even owns the data in a database if it is public data, such as names
and addresses?

Example 4- Electronic Commerce
• Suppose the information you order is not suitable for use or never arrives
or arrives damaged or arrives too late to use. How do you prove
conditions of the delivery?
• For catalog sales, you often have receipts or some paper form of
acknowledgment of time, date, and location.
• But for digital sales, such verification may not exist or can be easily modified.
Protecting Information
• Criminal and Civil Law
✓ Criminal Law - Goal is to punish a criminal
✓ Civil Law – Goal is restitution: to make the victim “whole”
again by repairing the harm.
• Tort Law - A tort is harm not occurring from violation of a statute or from
breach of a contract but instead from being counter to the accumulated
body of precedents.
• Contract Law
Differences between Law and Ethics
Law                                          Ethics
Described by formal, written documents       Described by unwritten principles
Interpreted by courts                        Interpreted by each individual
Established by legislatures representing     Presented by philosophers, religions,
all people                                   professional groups
Applicable to everyone                       Personal choice
Priority determined by courts if two laws    Priority determined by an individual if
conflict                                     two principles conflict
Court is final arbiter of "right"            No external arbiter
Enforceable by police and courts             Limited enforcement
Characteristics of Ethics
• Ethics and Religion
✓ Two people with different religious backgrounds may develop the
same ethical philosophy, while two exponents of the same religion
might reach opposite ethical conclusions in a particular situation.
✓ We can analyze a situation from an ethical perspective and reach
ethical conclusions without appealing to any particular religion or
religious framework.
• Ethical Principles are not universal
• Ethics does not provide answers
Ethical Reasoning Principles
• Consequence-Based - judges an action by its consequences.
• Rule-Based - judges an action by whether it follows accepted rules or
duties, regardless of its consequences.
