1. Chapter 8 – Administering Security
Security Planning
Risk Analysis
Security Policies
Physical Security

2. Security Planning Policy Current state – risk analysis Requirements
Recommended controls
Accountability
Timetable
Continuing attention

3. Security Planning - Policy
Who should be allowed access?
To what system and organizational resources should access be allowed?
What types of access should each user be allowed for each resource?

4. Security Planning - Policy
What are the organization’s goals on security?
Where does the responsibility for security lie?
What is the organization’s commitment to security?

5. OCTAVE Methodology http://www.cert.org/octave/
Identify enterprise knowledge.
Identify operational area knowledge.
Identify staff knowledge.
Establish security requirements.
Map high-priority information assests to information infrastructure.
Perform an infrastructure vulnerability evaluation.
Conduct a multidimensional risk analysis.
Develop a protection strategy.

6. Security Planning – Requirements of the TCSEC
Security Policy – must be an explicit and well-defined security policy enforced by the system.
Every subject must be uniquely and convincingly identified.
Every object must be associated with a label that indicates its security level.
The system must maintain complete, secure records of actions that affect security.
The computing system must contain mechanisms that enforce security.
The mechanisms that implement security must be protected against unauthorized change.

7. Security Planning Team Members
Computer hardware group
System administrators
Systems programmers
Application programmers
Data entry personnel
Physical security personnel
Representative users

8. Security Planning Assuring Commitment to a Security Plan
Business Continuity Plans
Assess Business Impact
Develop Strategy
Develop Plan
Incident Response Plans
Advance Planning
Response Team
After the Incident is Resolved

9. Risk Analysis Risk impact - loss associated with an event
risk probability – likelihood that the event will occur
Risk control – degree to which we can change the outcome
Risk exposure – risk impact * risk probability

10. Risk Analysis – risk reduction
Avoid the risk
Transfer the risk
Assume the risk
Risk leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / cost of risk reduction
Cannot guarantee systems are risk free
Security plans must address action needed should an unexpected risk becomes a problem

11. Steps of a Risk Analysis
Identify assets
Determine vulnerabilities
Estimate likelihood of exploitation
Compute expected annual loss
Survey applicable controls and their costs
Project annual savings of control

12. Identify Assets Hardware Software Data People
Procedures (policies, training)
Documentation
Supplies
Infrastructure (building, power, water,…)

13. Determine Vulnerabilities
Asset
Confidentiality
Integrity
Availability
Hardware
Software
Data
People
procedures

14. Determine Vulnerabilities
What are the effects of unintentional errors?
What are the effects of willfully malicious insiders?
What are the effects of outsiders?
What are the effects of natural and physical disasters?

15. Risk Analysis Estimate Likelihood of Exploitation
Classical probability
Frequency probability (simulation)
Subjective probability (Delphi approach)
Computer Expected Lost (look for hidden costs)
Legal obligations
Side effects
Psychological effects

16. Risk Analysis Survey and Select New Controls Project Savings
What Criteria Are Used for Selecting Controls?
Vulnerability Assessment and Mitigation (VAM) Methodology
How Do Controls Affect What They Control?
Which Controls Are Best?
Project Savings
Do costs outweigh benefits of preventing / mitigating risks

17. Arguments for Risk Analysis
Improve awareness
Relate security mission to management objectives
Identify assets, vulnerabilities, and controls
Improve basis for decisions
Justify expenditures for security

18. Arguments against Risk Analysis
False sense of precision and confidence
Hard to perform
Immutability (filed and forgotten)
Lack of accuracy
“Today’s complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.”
Robert Graham, lead architect of Internet Security Systems

19. Organizational Security Policies
Who can access which resources in what manner?
Security policy - high-level management document that informs all users of the goals and constraints on using a system.

20. Security Policies Purpose
Recognize sensitive information assets
Clarify security responsibilities
Promote awareness for existing employees
Guide new employees

21. Security Policies Audience
Users
Owners
Beneficiaries
Balance Among All Parties

22. Contents Purpose Protected Resources (what - asset list)
Nature of the Protection (who and how)

23. Characteristics of a Good Security Policy
Coverage (comprehensive)
Durability
Realism
Usefulness

24. Physical Security Natural Disasters Power Loss Human Vandals Flood
Fire
Other
Power Loss
UPS; surge suppressors (line conditioners)
Human Vandals
Unauthorized Access and Use
Theft

25. Physical Security Interception of Sensitive Information
Dumpster Diving - Shredding
Remanence (slack bits)
Overwriting Magnetic Data
DiskWipe
Degaussing
Emanation - Tempest

26. Contingency Planning BACKUP!!!!! OFFSITE BACKUP!!!!!
Complete backup
Revolving backup
Selective backup
OFFSITE BACKUP!!!!!
Networked Storage (SAN)
Cold site (shell)
Hot site

27. A cold site is a facility with power and cooling available, in which a computing system can be installed to begin immediate operation.
A hot Site is a computer facility with an installed and ready-to run computing system.