Engineering Essential Characteristics Security Engineering Process Overview

Model Architecture Security Engineering Base Practices – Represent best practices – Iterative, and not ordered by lifecycle phase Project and Organizational Base Practices – Adapted from Systems Engineering CMM – Reference materials for interpreting generic practices Capability Levels (Generic Practices) – Management, measurement and institutionalization aspects – Assess and improve organization’s process capability – Rank ordered according to maturity

Capability Levels Represent the maturity of the security engineering organization

An alternative view of risk: – Security Engineering Process organic to system – Define Security Policy based upon system architecture and environment Security Engineering Base Practice Implementations (2) Assurance Configuration Management Security Documentation Feedback Requirements Definition Security Policy Rationalization of System & Security Requirements Development Implementation Security Test & Evaluation Assess Residual Risk Operations & Maintenance Support Elements of System Development Lifecycle

An alternative view of risk (2): – Security requirements integral to Requirements Definition – Security requirements designed to address three principal types of vulnerabilities:  Inherent (e.g., remote login service—no authentication)  Strength-of-mechanism (e.g., password construction)  Defective engineering (e.g., buffer overflow condition) – Security requirements documents primarily address inherent and strength-of-mechanism vulnerabilities Security Engineering Base Practice Implementations (3) Inherent Strength-of- Mechanism Defective Engineering

Internet ??? A Problem of Trust.. Who Are You Doing Business With? Identity of transacting parties Integrity of messages Non-repudiation Global system interoperability Predictable and transparent trust environment Parties are reluctant to do business electronically unless they can be assured of:

Security Policy Review Organizational Security Review Asset Classification Control Review Personnel Security Review Physical and Environmental Security Review -Information security policy review -Information Security Infrastructure review -Security of third party access review -Outsourcing review -Accountability for assets review -Information classification review -Security in job definition and resourcing review -Responding to security incidents and -User training review malfunctions review malfunctions review-Secure areas review -General controls review Systems Development and Maintenance Review -Security Requirements of systems review -Security in application systems review -Cryptographic controls review -Security of systems files review -Security in development and support process review Annual Review Communications and Operation Management Review Access Control Review -Operational procedures and responsibilities review System planning and acceptance review -Protection against malicious software review -Housekeeping review -Network management review -Media handling and security review -Exchanges of information and software review -Business requirements for access control review -User access management review -User responsibilities review Network access control review -Operating system access control review -Application access control review -Monitoring system access control review -Mobil computing and telecommuting access review Business Continuity Management Review -Aspects of business continuity management review Compliance Review -Compliance with legal requirement review -Reviews of security policy and technical compliance review -System audit considerations review

Profile Scan Enumerate Exploit Report -Open Source -Edgar Search -Network Numeration -Organizational Query -Domain Query -Network Query -POC Query -DNS Interrogation -Network Mapping -Network Reconnaissance -Live System Identification -Port Scanning -System identification -Services identification -War dialing -System Enumeration -Identity Network Resources -Identity Network Share -Identity Banners -Identity Applications -Identify System Vulnerabilities -Exploit System Vulnerabilities -Validate system Vulnerabilities -Zero day exploiting -Document system Vulnerabilities -Document Executive summaries -Document Technical Summaries -Document Business Concerns -Document Recommendations -Provide Industry Standard -Security Practices -Document Data Retrieved Present -Executive Level -Technical Level Quarterly Testing