Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Published byRemington Chafe Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Systems Research Group - FAU Process Standards (and Process Improvement)"— Presentation transcript:

1 Secure Systems Research Group - FAU Process Standards (and Process Improvement)

2 Secure Systems Research Group - FAU Wireless Security Survey Update Standard Format for all Protocols Identity Authentication Session key Message/data encryption DoS, Location detection Discussion of strengths & vulnerabilities Discussion of planned enhancements

3 Secure Systems Research Group - FAU Example for GSM Identity: –Fixed identity (IMSI) used when first turned on –Temporary identity (TMSI) given when turned on and other times –128bit authentication key (Ki) – {IMSI, Ki} in removable SIM card and known to provider Authentication: –128bit challenge/32bit response, A3 algorithm using Ki A3 unspecified, providers typically use Comp-128 for A3 Session key: –64bit cypher key (Kc) Kc computed in client with A8 algorithm using challenge and Ki Kc given to base station by provider A8 unspecified, common for last 10 or more bits to be zero Message/Data Encryption: –A5 114bit stream cypher using Kc and 22bit frame number A5/1 for use in Europe A5/2 for export A5/3 based on Kasumi now available Decryption at level ?? of protocol stack in base station Location detection –Possible by triangulation, but identity changes

4 Secure Systems Research Group - FAU Additions New Protocols –WiMax and Mobile WiMax –EV-DO –New military wireless protocols New domains –Vehicle system wireless (as a variant of shopfloor) Map of spectrum usage Updates (i.e., wrt. advances in cryptography)

5 Secure Systems Research Group - FAU ISO/IEC 17799:2005(E) Information technology — Security techniques — Code of practice for information security management Second edition 2005-06-15

6 Secure Systems Research Group - FAU Intent of the Standard “This International Standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.” “The control objectives and controls of this International Standard are intended to be implemented to meet the requirements identified by a risk assessment. This International Standard may serve as a practical guideline for developing organizational security standards and effective security management practices and to help build confidence in inter-organizational activities.”

7 Secure Systems Research Group - FAU 39 Categories in 11 Clauses 5.Security Policy (1) 6.Organizing Information Security (2) 7.Asset Management (2) 8.Human Resources Security (3) 9.Physical and Environmental Security (2) 10.Communications and Operations Management (10) 11.Access Control (7) 12.Information Systems Acquisition, Development and Maintenance (6) 13.Information Security Incident Management (2) 14.Business Continuity Management (1) 15.Compliance (3)

8 Secure Systems Research Group - FAU Structure of a Category a control objective stating what is to be achieved; one or more controls that can be applied to achieve the control objective. Control descriptions are structured as follows: a.Control: Defines the specific control statement to satisfy the control objective. b.Implementation guidance: Provides more detailed information to support the implementation of the control and meeting the control objective. c.Other information: Provides further information that may need to be considered, for example legal considerations and references to other standards.

9 Secure Systems Research Group - FAU Applicable to development? (Section #: topic covered) 5: Security policy 8: Human resources security 10: Communications and operations management 11: Access control (i.e., to source code) 13.2: Management of information security incidents and improvements

10 Secure Systems Research Group - FAU 12. Information systems acquisition, development and maintenance 12.1 Security requirements of information systems 12.2 Correct processing in applications 12.3 Cryptographic controls 12.4 Security of system files 12.5 Security in development and support processes 12.6 Technical Vulnerability Management

11 Secure Systems Research Group - FAU 12.2 Correct processing in applications Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications. Controls should include the validation of input data, internal processing and output data The design and implementation of applications should ensure that the risks of processing failures leading to a loss of integrity are minimized. Specific areas to consider include:

12 Secure Systems Research Group - FAU 12.5 Security in development and support processes Objective: To maintain the security of application system software and information. 12.5.1 Change control procedures 12.5.2 Technical review of applications after operating system changes 12.5.3 Restrictions on changes to software packages 12.5.4 Information leakage 12.5.5 Outsourced software development

13 Secure Systems Research Group - FAU 12.5.1 Change control procedures The implementation of changes should be controlled by the use of formal change control procedures. Introduction of new systems and major changes to existing systems should follow a formal process of documentation, specification, testing, quality control, and managed implementation.

14 Secure Systems Research Group - FAU 12.5.1 Change control procedures c) reviewing controls and integrity procedures to ensure that they will not be compromised by the changes; d) identifying all software, information, database entities, and hardware that require amendment; e) obtaining formal approval for detailed proposals before work commences;

15 Secure Systems Research Group - FAU 12.5.2 Technical review of applications after operating system changes When operating systems are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

16 Secure Systems Research Group - FAU 12.5.3 Restrictions on changes to software packages Modifications to software packages should be discouraged, limited to necessary changes, and all changes should be strictly controlled. As far as possible, and practicable, vendor- supplied software packages should be used without modification.

17 Secure Systems Research Group - FAU 12.5.4 Information leakage Opportunities for information leakage should be prevented. (includes preventing trojan code) a) scanning of outbound media and communications for hidden information; b) masking and modulating system and communications behaviour to reduce the likelihood of a third party being able to deduce information from such behaviour; c) making use of systems and software that are considered to be of high integrity, e.g. using evaluated products (see ISO/IEC 15408);

18 Secure Systems Research Group - FAU 12.5.5 Outsourced software development Outsourced software development should be supervised and monitored by the organization. a) licensing arrangements, code ownership, and intellectual property rights (see 15.1.2); b) certification of the quality and accuracy of the work carried out; c) escrow arrangements in the event of failure of the third party; d) rights of access for audit of the quality and accuracy of work done; e) contractual requirements for quality and security functionality of code; f) testing before installation to detect malicious and Trojan code.

19 Secure Systems Research Group - FAU 12.6 Technical Vulnerability Management Objective: To reduce risks resulting from exploitation of published technical vulnerabilities. These considerations should include operating systems, and any other applications in use. Timely information about technical vulnerabilities of information systems being used should be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. A current and complete inventory of assets … Appropriate, timely action should be taken …

20 Secure Systems Research Group - FAU Observations and Analysis Some wireless stuff Focus is on in-house IS/IT support group Does not address development activities (some items can apply to development team) Has category for OS evolution. Less attention to impact of emerging networking options Addresses only 2 nd of Leveson’s 4 levels

21 Secure Systems Research Group - FAU Leveson’s Types of Causes Technical Human Organizational Regulatory

Download ppt "Secure Systems Research Group - FAU Process Standards (and Process Improvement)"

Similar presentations

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….
Cloud computing security related works in ITU-T SG17

Cloud computing security related works in ITU-T SG17
ISMS standards and control processes ISO27001 & ISO27002

ISMS standards and control processes ISO27001 & ISO27002
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Overview of IS Controls, Auditing, and Security Fall 2005.

Overview of IS Controls, Auditing, and Security Fall 2005.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
ISO Information Security Management

ISO Information Security Management
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Spreadsheet Management. Field Interviews with Senior Managers by Caulkins et. al. (2007) report that Spreadsheet errors are common and have been observed.

Spreadsheet Management. Field Interviews with Senior Managers by Caulkins et. al. (2007) report that Spreadsheet errors are common and have been observed.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Similar presentations

Ads by Google