Figure 1-17: Security Management
Security is Primarily a Management Issue, not a Technology Issue
Top-to-Bottom Commitment
    Top-management commitment
    Operational execution
    Enforcement
Figure 1-17: Security Management
Comprehensive Security
    Closing all avenues of attack
    Asymmetrical warfare: the attacker only has to find one opening
Defense in Depth
    Attacker must get past several defenses to succeed
Security Audits
    Run attacks against your own network
Figure 1-17: Security Management
General Security Goals (CIA)
    Confidentiality: attackers cannot read messages if they intercept them
    Integrity: if attackers change messages, this will be detected
    Availability: the system is able to serve users
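The integrity goal above ("if attackers change messages, this will be detected") is the one of the three that a short program can demonstrate directly. The following is an added example, not part of the slides: each message is sent with a keyed hash (HMAC-SHA256 from Python's standard library) under a shared key; the receiver recomputes the tag and rejects any packet whose tag does not match. The key, the message and the modified copy are constructed for the demo.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 digest length in bytes


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed over the message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, packet: bytes):
    """Receiver side: return the message if its tag checks out, else None.

    A packet too short to hold a tag, a modified message, or a packet tagged
    under a different key all fail verification. compare_digest is used so
    the comparison does not leak how many tag bytes matched through timing.
    """
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def demo():
    """Constructed scenario: an intercepted packet has one field altered."""
    key = b"constructed-shared-key-for-demo"  # hypothetical shared secret
    packet = protect(key, b"transfer $100 to account 42")
    # The attacker edits the amount in transit but cannot recompute the tag.
    tampered = packet.replace(b"$100", b"$900")
    return verify(key, packet), verify(key, tampered)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("untouched packet ->", accepted)
    print("tampered packet  ->", rejected)
```

Note that the tag only gives integrity: anyone who intercepts the packet can still read the message, so confidentiality needs encryption in addition to (not instead of) the tag.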
Figure 1-18: The Plan-Protect-Respond Cycle
Planning
    Need for comprehensive security (no gaps)
    Risk analysis (see Figure 1-19)
        Enumerating threats
        Threat severity = estimated cost of attack X probability of attack
        Value of protection = threat severity - cost of countermeasure
        Prioritize countermeasures by value of protection
Figure 1-19: Threat Severity Analysis

Threat | Cost if attack succeeds | Probability of occurrence | Threat severity | Countermeasure cost | Value of protection | Apply countermeasure? | Priority
A      | $500,000                | 80%                       | $400,000        | $100,000            | $300,000            | Yes                   | 1
B      | $10,000                 | 20%                       | $2,000          | $3,000              | ($1,000)            | No                    | NA
C      | $100,000                | 5%                        | $5,000          | $2,000              | $3,000              | Yes                   | 2
D      | $10,000                 | 70%                       | $7,000          | $20,000             | ($13,000)           | No                    | NA
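The two formulas from the planning slide (threat severity = cost X probability; value of protection = severity - countermeasure cost) and the prioritization rule are carried through below for the four threats of Figure 1-19. This is an added example, not the textbook's code: the dollar amounts and percentages are the figure's own, while the Threat type, the field names and the rule that a countermeasure is applied only when its value is positive (ranked by value) are my assumptions about how the table was filled in.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    cost_if_success: int        # estimated cost of a successful attack, in dollars
    probability_percent: int    # probability of occurrence, 0..100
    countermeasure_cost: int    # cost of the countermeasure, in dollars

    def __post_init__(self):
        if not 0 <= self.probability_percent <= 100:
            raise ValueError(f"{self.name}: probability must be 0..100 percent")
        if self.cost_if_success < 0 or self.countermeasure_cost < 0:
            raise ValueError(f"{self.name}: costs must be non-negative")


def threat_severity(t: Threat) -> float:
    """Threat severity = estimated cost of attack X probability of attack."""
    return t.cost_if_success * t.probability_percent / 100


def value_of_protection(t: Threat) -> float:
    """Value of protection = threat severity - cost of countermeasure."""
    return threat_severity(t) - t.countermeasure_cost


def prioritize(threats):
    """Fill in the remaining columns of the table for each threat.

    Assumed rule: apply a countermeasure only when its value of protection is
    positive; rank applied countermeasures by that value, highest first.
    Threats whose countermeasure is not applied get priority None (NA).
    """
    rows = []
    for t in threats:
        value = value_of_protection(t)
        rows.append({
            "threat": t.name,
            "severity": threat_severity(t),
            "value": value,
            "apply": value > 0,
            "priority": None,
        })
    applied = sorted((r for r in rows if r["apply"]),
                     key=lambda r: r["value"], reverse=True)
    for rank, row in enumerate(applied, start=1):
        row["priority"] = rank
    return rows


# The four threats of Figure 1-19.
FIGURE_1_19 = [
    Threat("A", 500_000, 80, 100_000),
    Threat("B", 10_000, 20, 3_000),
    Threat("C", 100_000, 5, 2_000),
    Threat("D", 10_000, 70, 20_000),
]


def figure_1_19():
    """Return the completed table keyed by threat name."""
    return {row["threat"]: row for row in prioritize(FIGURE_1_19)}


if __name__ == "__main__":
    for row in prioritize(FIGURE_1_19):
        print(f"{row['threat']}: severity ${row['severity']:,.0f}, "
              f"value ${row['value']:,.0f}, apply={row['apply']}, "
              f"priority={row['priority'] or 'NA'}")
```

Probabilities are kept as whole percentages so the arithmetic stays exact for the figure's values; a threat whose countermeasure costs more than the loss it prevents (B and D) comes out with a negative value and is left unprotected, which is exactly what the table's parenthesized amounts express.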
Figure 1-18: The Plan-Protect-Respond Cycle
Planning
    Security policies drive subsequent specific actions (see Figure 1-20)
        Selecting technology
        Procedures to make the technology effective
        Testing of the technology and procedures
Figure 1-20: Policy-Driven Technology, Procedures, and Testing
Policy: Only allow authorized personnel to use the accounting webserver
    Technology (firewall, hardened webserver)
    Procedures (configuration, passwords, etc.)
    Protection
    Testing (test security): attempt to connect to the webserver as an unauthorized user
Figure 1-18: The Plan-Protect-Respond Cycle
Protecting
    Installing protections: firewalls, IDSs, host hardening, etc.
    Updating protections as the threat environment changes
    Testing protections: security audits
Figure 1-18: The Plan-Protect-Respond Cycle
Responding
    Planning for response (Computer Emergency Response Team)
    Incident detection and determination
        Procedures for reporting suspicious situations
        Determination that an attack really is occurring
        Description of the attack to guide subsequent actions
Figure 1-18: The Plan-Protect-Respond Cycle
Responding
    Containment: stop the attack
    Recovery: repair the damage
    Punishment
        Forensics
        Prosecution
        Employee punishment
    Fixing the vulnerability that allowed the attack