
Computer Security: Chapter 9


1 Computer Security: Chapter 9
Administering Security

2 Not all of security is addressed by technology
Not all of security is addressed by technology. Four other concerns belong to administering it:
Planning: does the plan fit our security needs today, and will it still fit tomorrow?
Risk analysis: benefits versus cost; what do we stand to lose?
Policy: a guide that ensures continuous security and protection
Physical control: the environment's impact on security

3 Security Planning
As technology advances, security planning must adapt with it: from computing centres → personal computers → mobile devices.
A security plan is a document that describes how an organization will address its security needs.
The plan is subject to periodic review and revision as needs change.
What is in the plan?

4 Security planning must address 7 issues
Policy
Current state
Requirements
Recommended controls
Accountability
Timetable
Continuing attention

5 Policy
The policy indicates:
the goals of the computer security effort
the willingness of the people involved to work to achieve those goals
It is hard to write: too strict? slightly loose?
It must address/cover:
Who should be allowed access?
To what system and organizational resources should access be allowed?
What types of access should each user be allowed for each resource?

6 Policy Statement and Current Security Status
The policy statement should specify:
The organization's goal on security.
Where the responsibility for security lies.
The organization's commitment to security.
Current security status: understanding the current state of security, i.e. the vulnerabilities, threats, assets, controls in place, etc.
Risk analysis provides the basis for describing this current status, and also gives a good look at the future trend.

7 Requirements
A functional or performance demand placed on a system to ensure a desired level of security.
Requirements stem from:
our own need for security
the security needs of the people we serve
governmental guidelines and laws regarding security
Keep requirement, constraint and control apart:
"Ensure that my credit card number is never displayed" → requirement
"Credit card info must be kept hidden, but still be visible to authorized personnel and the card company" → constraint
"Encrypt it with strong encryption" → control

8 Recommended controls and responsibility for implementation
Recommended controls: address implementation issues, i.e. how the system will be designed and developed to meet the stated security requirements.
Responsibility for implementation: identify who is responsible for implementing each security requirement; they will be held accountable if the requirement is not met.
Many roles, many aspects: PC users, project leaders, managers, database administrators, information officers, staff members, etc.

9 Timetable and continuing attention
Timetable: shows how and when the elements of the plan will be performed. It is used to
help track progress
ensure that additions, upgrades and phasing-out are done without disrupting normal activities too much, with the staff understanding the reason (so they will be more willing)
make sure the most serious/critical elements are given priority
Continuing attention: periodic reviews and updates.

10 Security Planning Team
For? To perform the security analysis, to recommend a security program, to write the security plan.
Who? Representatives of the following groups: the computer hardware group, system programmers, applications programmers, data entry personnel, physical security personnel, representative users.
How many? Depends on organizational size; usually 5-9 members.

11 Commit to the plan; two specific problems it must cover
Now that you have a plan, commit to it; otherwise there was no point in writing it.
The team should understand the people when developing the plan.
The people must understand the team and follow the plan.
Management must use and enforce the plan.
Two very specific security problems that need to be in the plan:
Business continuity plans: no computers → no customers → no sales → no profits
Incident response plans: how to handle the current security incident

12 Business Continuity Plans (BCP)
A BCP documents how a business will continue to function during a computer security incident. It is a plan B, to keep the business going.
A BCP deals with situations having two characteristics:
catastrophic situations, in which all or a major part of a computing capability is suddenly unavailable
long duration, in which the outage is expected to last so long that the business will suffer
The steps in business continuity planning are:
Assess the business impact of a crisis.
Develop a strategy to control the impact.
Develop and implement a plan for the strategy.

13 Incident Response Plans (IRP)
An IRP tells the staff how to deal with a security incident. The goal of the IRP is handling the current security incident, without regard for the business issues.
An incident
could be a serious breach of security and yet not interrupt business severely
could be a single event, a series of events, or an ongoing problem
An IRP should
define what constitutes an incident
identify who is responsible for taking charge of the situation
describe the plan of action

14 An IRP usually has 4 phases
Advance planning: look ahead, have the plan in hand, run training and drills; less to lose.
Triage: alarms are raised, the people in charge are called and at the ready.
Running the incident: follow the leader (who follows the plan); everyone does their designated job.
Review: when all is done, did we do well? Is there room for improvement?

15 Risk Analysis
Security planning begins with risk analysis.
Risk jargon:
Risk analysis: the process of examining a system and its operational context to determine possible exposures and potential harm.
Risk impact: the loss associated with an event.
Risk probability: the likelihood of the event occurring, measured from 0 (impossible) to 1 (certain).
Risk control: the degree to which we can change the outcome; what can be done to eliminate or reduce the risk.

16 Risk exposure = risk impact × risk probability
Example: likelihood of a virus attack (0.3) × cost of cleanup (RM10000) → risk exposure = RM3000. Is it worth buying an antivirus for RM100 to avoid this exposure?
Risk reduction, reducing the risk by means of
avoiding it: change requirements, policy, etc.
transferring it: allocate it elsewhere or to someone else, e.g. buy insurance to cover the loss
assuming it: accept it, control it with the resources available, and deal with any loss incurred
Risk leverage = (risk exposure before reduction - risk exposure after reduction) / (cost of the risk reduction)

17 Risk is not an exact science
Process:
Identify and list the exposures of the computing system
Identify possible controls and their cost
Cost-benefit analysis (CBA)
The nature of risk is that it is not an exact science:
Technology changes, as do people, administration and government.
Threats change, at times every day.
When a problem cannot be prevented, it must be dealt with by good control measures. Training and awareness are key.

18 Steps of a risk analysis
Identify assets
Identify vulnerabilities of assets
Predict likelihood of occurrence
Compute uncovered cost per year
Survey new controls
Project annual savings

19 Identify assets; identify vulnerabilities of assets
Identify assets: what are our assets? People, data, hardware, software, buildings, supplies, blueprints, etc.
Identify vulnerabilities of assets: what damage might occur, from whom and from where? A threat-asset matrix can help. It can be used together with a matrix of attributes contributing to vulnerabilities (table 8-4, Pfleeger, p. 513).

20 Threat-asset matrix: assets and the security attribute each threat affects
Hardware: integrity: overloaded, destroyed; availability: failed, stolen, destroyed, unavailable
Software: confidentiality: stolen, copied, pirated; integrity: impaired by Trojan horse, modified, tampered with; availability: deleted, misplaced, usage expired
Data: confidentiality: disclosed, accessed by outsider, inferred; integrity: damaged by hardware error, software error, user error; availability: deleted, misplaced, destroyed
People: availability: quit, retired, terminated, on vacation
Documentation: availability: lost, stolen, destroyed
Supplies: availability: lost, stolen, damaged

21 Predict Likelihood of Occurrence
Will it happen? What is the probability of it happening? We can predict/estimate by way of:
Classical probability: look at how the world works. A bit hard for future plans/happenings.
Frequency probability: observe a real system and look at the results. May take time, and what if the system is not built yet?
Subjective probability: ask the experts and analyze their results. Opinions may differ; the Delphi method may be used to reconcile differences.

22 Compute uncovered cost per year; survey new controls
Compute uncovered cost per year: what is the loss if the vulnerability is exploited? Cost to replace, repair, rebuild, legal costs, fines, etc.
Survey new controls: which controls best address the vulnerabilities (and within cost)? Does a certain control perform well against two (or more) vulnerabilities? Controls may include training and awareness, to reduce the chance of being exploited.
Three questions should be asked:
i. What criteria are used for selecting a control?
ii. How do controls affect what they control?
iii. Which controls are best?

23 Project Savings
Determine whether the cost of a control outweighs the benefit of the risk it prevents.
Some factors to consider: purchase price, maintenance, its advantage to the organization, the loss if it is not in place, etc.
Effective cost: the actual cost of the control once all of these are counted.
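The arithmetic behind the "Risk exposure" slide (exposure = impact × probability, leverage = exposure removed / cost) and the last three risk-analysis steps (uncovered cost per year, survey of controls, projected annual savings), carried through in code. This is an added example, not material from the slides; the virus figures (0.3, RM10000, RM100) are the slide's, but the other assets, the residual probabilities and impacts after each control, and the control prices are invented for illustration.

```python
# Added worked example (not from the slides): the risk-analysis arithmetic from
# the "Risk exposure", "Compute Uncovered Cost per Year" and "Project Savings"
# slides, run over a small constructed asset list. The residual probabilities
# and impacts after each control are assumptions, not numbers the slides give.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    probability: float   # likelihood per year: 0 (impossible) .. 1 (certain)
    impact: float        # loss if the event occurs, in RM

    def annual_exposure(self) -> float:
        # risk exposure = risk impact * risk probability
        return self.probability * self.impact


@dataclass(frozen=True)
class Effect:
    """What a control does to one (asset, threat) pair; None leaves the field as is."""
    probability: Optional[float] = None
    impact: Optional[float] = None


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # effective cost: purchase plus maintenance, per year
    effects: dict        # {(asset, threat): Effect}


def uncovered_cost_per_year(exposures) -> float:
    """Step 4 of the slides: total annual exposure with no new controls in place."""
    return sum(e.annual_exposure() for e in exposures)


def exposures_after(exposures, control):
    """Apply a control: a new probability and/or impact wherever the control acts."""
    out = []
    for e in exposures:
        eff = control.effects.get((e.asset, e.threat))
        if eff is None:
            out.append(e)
            continue
        out.append(replace(
            e,
            probability=e.probability if eff.probability is None else eff.probability,
            impact=e.impact if eff.impact is None else eff.impact,
        ))
    return out


def risk_leverage(exposures, control) -> float:
    """(exposure before reduction - exposure after reduction) / cost of the reduction."""
    before = uncovered_cost_per_year(exposures)
    after = uncovered_cost_per_year(exposures_after(exposures, control))
    return (before - after) / control.annual_cost


def projected_annual_savings(exposures, control) -> float:
    """Step 6 of the slides: exposure removed by the control minus what it costs."""
    before = uncovered_cost_per_year(exposures)
    after = uncovered_cost_per_year(exposures_after(exposures, control))
    return (before - after) - control.annual_cost


def rank_controls(exposures, controls):
    """Controls ordered by leverage, best first: (name, leverage, annual savings)."""
    rows = [(c.name, risk_leverage(exposures, c), projected_annual_savings(exposures, c))
            for c in controls]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def sample_exposures():
    """Constructed sample: three exposures of a fictional small office."""
    return [
        Exposure("workstations", "virus infection", probability=0.3, impact=10_000),
        Exposure("server room", "fire", probability=0.01, impact=200_000),
        Exposure("customer database", "disclosure", probability=0.05, impact=50_000),
    ]


def sample_controls():
    """Constructed sample controls; the residual figures are assumptions."""
    return [
        Control("antivirus (RM100/yr)", 100,
                {("workstations", "virus infection"): Effect(probability=0.05)}),
        Control("offsite backup (RM1500/yr)", 1_500,
                {("server room", "fire"): Effect(impact=20_000)}),
        Control("database encryption (RM4000/yr)", 4_000,
                {("customer database", "disclosure"): Effect(impact=5_000)}),
    ]


if __name__ == "__main__":
    ex, ctl = sample_exposures(), sample_controls()
    print(f"uncovered cost per year: RM{uncovered_cost_per_year(ex):,.0f}")
    for name, lev, sav in rank_controls(ex, ctl):
        print(f"{name:34s} leverage {lev:6.2f}  annual savings RM{sav:,.0f}")
```

With these figures the antivirus has the highest leverage (25) and the encryption control a negative projected saving, which is the point of the exercise: a control that does not pay for itself on exposure alone may still be mandatory because of a constraint (law, card-brand rules), the distinction slide 7 draws between requirement, constraint and control.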

24 Risk analysis can be viewed as positive and negative
Positive:
Improves awareness
Relates the security mission to management objectives
Identifies assets, vulnerabilities and controls
Improves the basis for decisions
Justifies expenditure on security
Negative:
False sense of precision and confidence
Hard to perform
Immutability (the finished document tends to be filed away and not revisited)
Lack of accuracy
Risk analysis is a useful planning tool, even if it is not perfect.

25 Organizational security policy

26 Organizational security policy
Policy: who can access what resources, and in what manner?
A security policy is used for:
recognizing sensitive information assets
clarifying security responsibilities
promoting awareness among existing employees
guiding new employees
It must address everyone associated with the organization: managers, employees, cleaners, visitors, vendors, etc.

27 A good policy is comprehensive, durable and realistic
Comprehensive: coverage is good (likely and unlikely events); general, yet strict enough (and vice versa).
Durable: can grow and adapt with organizational growth and reorganization.
Realistic: doable and beneficial in terms of time, cost and convenience; easily understood and followed by everyone involved.

28 Physical security

29 What is physical security?
Physical measures, policies and procedures to protect an entity, including the protection of site, building, equipment, transport, systems, data and people, from natural and environmental hazards and also from malicious actions.
The most obvious layer, but often overlooked.
Goal: to provide a safe environment for all assets and interests of the organization, including its information system activities.


32 Physical security is the first line of defense
It concerns:
people's safety
how people can safely enter an environment
how the environment affects the whole working system


35 Control mechanisms can be…
Administrative: policy and procedure knowledge, implementation and monitoring. What steps to follow? Is it clear?
Physical: keys, locks, fencing, guards, mantraps, etc.
Technical: intrusion detection and monitoring systems, fire detection, sprinkler systems, etc.

36 Protecting sensitive information

37 Sensitive information
Sensitive information must be dealt with carefully in storage, destruction and transmission.
Digital information may exist as copies upon copies upon copies (in backups, mobile drives, floppy discs, etc.), and each copy needs disposing of.
Ways of disposing include:
Shredding
Overwriting magnetic data
Degaussing
Protection against emanation: Tempest

38 Shredding; overwriting magnetic data
Shredding: paper, printer ribbon, discs. Shredded one way, the material may still be readable → use a two-way (cross-cut) shredder, or shred and burn.
Overwriting magnetic data: deleting a file from a magnetic disk only removes the pointer to it; the data stays until it is written over. Even then the medium may retain some residue, so overwrite it over and over again with different patterns of data. This takes time, and someone diligent enough may still recover some of the data.

39 Degaussing
A technique of exposing storage media to extremely powerful magnetic fields in order to scramble the contents of the media into an unrecognizable mess.
For low-density media such as floppy disks and tapes, a degaussing tool of adequate power can be a quick and effective way of clearing data.
For high-density storage, however, it is more time consuming, less effective, and generally has other detrimental effects (the drive is usually unusable afterwards).

40 Tempest
Computer components (printers, disk drives, processors) emit signals that can be detected at a distance.
Tempest is a US government program under which computer equipment is certified as emission-free (no detectable emission).
Two approaches:
Enclosing the device in a conductive case (of copper)
Modifying the emanations

41 Contingency planning

42 A plan for what to do in the face of a crisis
It is about restarting from the point of failure, hence data up to the point of failure must be ready, and correct.
So what to do after a crisis? Three main categories of disruption:
Non-disaster (emergency): device malfunction or failure
Disaster: the facility is unavailable for a day or longer
Catastrophe: a major disruption that destroys the facility

43 Backup
Some data needs frequent backup, some does not; some is frequently changed, some is not.
Types:
Complete backup: everything on the system is copied.
Revolving backup: each time a backup is made, it replaces the oldest backup copy.
Selective backup: only files that have changed are saved.
Keeping the backup in the same building risks losing it in the same fire → opt for offsite backup.

44 Offsite backup; networked storage
Offsite backup: the backup copy is stored at a site far enough away that a crisis is not likely to affect the offsite location at the same time. The backup is completed, then transported to the backup site. This reduces the risk of loss.
Networked storage: the same as offsite backup, but the files are backed up over the network instead; other people host your backup, out of harm's way. Protection is important: is the provider trustworthy?

45 Backup facility options
Hot site: fully configured and ready to operate within hours.
Warm site: partially configured, without computers; most often subscription based.
Cold site: basic environment only; may take weeks to activate.
Redundant site: used to guarantee zero downtime; also good as a long-term solution with minimal downtime.

46 Hot site: advantages and disadvantages
Advantages:
Ready within hours for operations
Highly available
Usually used for short-term solutions, but available for longer stays
Annual testing available
Disadvantages:
Very expensive
Limited hardware and software choices

47 Warm/cold site: advantages and disadvantages
Advantages:
Less expensive
Available for longer timeframes because of the reduced cost
Practical for proprietary hardware or software
Disadvantages:
Not immediately available
Operational testing not usually available
Resources for operations not immediately available

48 Transaction redundancy
Electronic vaulting: a copy of each modified file is sent to a remote location where an original backup of the file is stored. Transfers bulk backup information; a batch process for moving data.
Remote journaling: moves the journal or transaction log to the remote location, not the actual files. Transactions are processed in parallel at an alternate site; a communication line transmits the data as it is generated.

