1. Planning for Security
Chapter 5

2. Information Security
Quality security programs begin & end with policy.
Primarily management problem, not technical one.

3. Information Security Policies
Form basis for all IS security planning
Direct how issues should be addressed
Don’t specify proper operation of equipment or software
Should never contradict law
Obligates personnel to function in manner that adds to security of info
Least expensive control to execute
Most difficult to implement properly
Standup in court if challenged
Be properly administered through dissemination and documented acceptance

4. Policy Plan or course of action Convey instructions
Organizational laws
Dictate acceptable and unacceptable behavior
Define
What is right
What is wrong
The appeal process
What are the penalties for violating policy
Written to support the mission, vision and strategic plan of org

5. Standards Detail statements of what must be done to comply with policy
Types
Informal – de facto standards
Formal – de jure standards

6. Policies, Standards, and Practices
Policies are sanctioned by senior management
Standards are built on should policy and carry the weight of policy
Practices, procedures, and guidelines include detailed steps required
Policies
Standards
Practices
Procedures
Guidelines
Drive

7. Mission/Vision/Strategic Plan
Mission – written statement of organization purpose
Vision – written statement of organization goals
Strategic Plan - written statement of moving the organization toward its mission

8. Policies Security Policy Information security policy Three types
Set of rules that protects & organization's assets
Information security policy
Set of rules protects organization’s information assets
Three types
General or Enterprise
Issue-specific
System-specific

9. EISP Enterprise Information Security Policy Executive level document
General Information Security Document
2-10 pages in length
Shapes the philosophy of security in IT
Contains requirements to be met
Assigns responsibilities
Addresses legal compliance

10. ISSP Issue-Specific Security Policy
Addresses specific areas of technology
Requires frequent updates
Contains statement on organization’s position on specific issue

11. 3 Approaches to ISSP Independent document tailored to a specific issue
Scattered approach
Departmentalized
Single comprehensive document covering all issues
Centralized management and control
Tend to over generalize the issue
Skip vulnerabilities

12. 3 Approaches to ISSP Modular plan
Unified policy creation and administration
Maintain each specific issue’s requirements
Provide balance

13. Elements of Issue-Specific Security Policy Statement
Statement of Policy
Appropriate Use
Systems management
Violations of policy
Policy review and modification
Limitations of Liability

14. Statement of Policy Clear statement of policy
Fair and responsible use of the Internet
What is the scope of the policy?
Responsible person
What technologies and issues are addressed?

15. Appropriate Use Who can use the technology What it can be used for
Defines “fair and reasonable use”
What can it cannot be used for

16. Systems Management Focus on user’s relationship to systems management
Regulating
Use of
Storage of materials
Authorized monitoring of employees
Scrutiny of and electronic documents

17. Violations of Policy
Give guidance on penalties and repercussions of violating policy
Specifics on penalties
How to report violations

18. Policy Review and Modification
Procedures and a timetable for periodic review
Specific methodology for review
Specific methodology for modification

19. Limitations of Liability
Set of disclaimers
If employee violates policy or law, the company will not protect them
Company is not liable for actions of employees

20. SysSP System-Specific Policy
Frequently codified as standards & procedures
Used when configuring or maintaining system
Example
Access Control Lists (ACLs)
Configuration rules

21. Continuity Strategies
Continuous availability of info systems
Probability high for attack
Managers must be ready to act
Contingency Plan (CP)
Prepared by organization
Anticipate, react to, & recover from attacks
Restore organization to normal operations

22. Components of Contingency Plan
Planning
Incident
Response
(Focus on immediate
response)
Disaster
Recovery
(Focus on restoring
system)
Business
Continuity
(Focus
establish business
functions at
alternate site)

23. Figure 5-22 – Contingency Planning Timeline

24. Figure 5-23 – Major Steps in Contingency Planning
Business Impact Analysis
The first phase in the development of the CP process is the Business Impact Analysis or BIA.
A BIA is an investigation and assessment of the impact that various attacks can have on the organization, and takes up where the Risk Assessment process leaves off.
The BIA assumes that these controls have been bypassed, have failed, or are otherwise ineffective in stopping the attack, and that the attack was successful.
The question asked at this point is, if the attack succeeds, what do we do then?
The CP team conducts the BIA in the following stages:
Threat Attack identification
Business unit analysis
Attack success scenarios
Potential damage assessment
Subordinate plan classification
Threat Attack Identification and Prioritization
Most organizations have already performed the tasks of identifying and prioritizing threats.
All that is required now is to update the threat list with the latest developments and add one additional piece of information, the attack profile.
An attack profile is a detailed description of the activities that occur during an attack, must be developed for every serious threat the organization faces and are used to determine the extent of damage that could result to a business unit if the attack were successful.
Business Unit Analysis
The second major task within the BIA is the analysis and prioritization of business functions within the organization.
The intent of this task is to identify the functional areas of the organization and prioritize them to determine which are most vital to the continued operations of the organization.
Efforts in function analysis focus on the result of a prioritized list of the various functions the organization performs.
Attack Success Scenario Development
Next the BIA team must create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area with details on the method of attack, the indicators of attack, and the broad consequences.
Then attack success scenarios with more detail are added to the attack profile, including alternate outcomes, describing a best, worst, and most likely case that could result from each type of attack on this particular business functional area.
Potential Damage Assessment
From the attack success scenarios developed above, the BIA planning team must estimate the cost of the best, worst, and most likely cases.
These costs include the actions of the response team(s) described in subsequent sections as they act to quickly and effectively recover from any incident or disaster, and can also management representatives from all of the organization’s communities of interest of the importance of the planning and recovery efforts.
This final result is referred to as an attack scenario end case.
Subordinate Plan Classification
Once the potential damage has been assessed, and each end case has been evaluated, a subordinate plan must be developed or identified from among existing plans already in place.
These subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario.
An attack scenario end case is categorized as disastrous or not.
The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack.

25. Incident Response Planning
Activities to be performed when an incident has been identified
What is an incident?
If action threatens information & completed
Characteristics
Directed against information assets
Realistic change of success
Threaten the confidentiality, integrity, or availability of info

26. Incident Response
Set of activities taken to plan for, detect, and correct the impact
Incident planning
Requires understanding BIA scenarios
Develop series of predefined responses
Enables org to react quickly

27. Incident Response Incident detection
Mechanisms – intrusion detection systems, virus detection, system administrators, end users

28. Incident Detection Possible indicators Presence of unfamiliar files
Execution of unknown programs or processes
Unusual consumption of computing resources
Unusual system crashes

29. Incident Detection Probable indicators Activities at unexpected times
Presence of new accounts
Reported attacks
Notification form IDS

30. Incident Detection Definite indicators Use of dormant accounts
Changes to logs
Presence of hacker tools
Notification by partner or peer
Notification by hackers

31. Incident Detection Predefined Situation Loss of availability
Loss of integrity
Loss of confidentiality
Violation of policy
Violation of law

32. Incident Reaction Actions outlined in the IRP Guide the organization
Stop the incident
Mitigate the impact
Provide information recovery
Notify key personnel
Document incident

33. Incident Containment Strategies
Sever affected communication circuits
Disable accounts
Reconfigure firewall
Disable process or service
Take down
Stop all computers and network devices
Isolate affected channels, processes, services, or computers

34. Incident Recovery Get everyone moving and focused Assess Damage
Identify and resolve vulnerabilities
Address safeguards
Evaluate monitoring capabilities
Restore data from backups
Restore process and services
Continuously monitor system
Restore confidence

35. Disaster Recovery Plan
Provide guidance in the event of a disaster
Clear establishment of priorities
Clear delegation of roles & responsibilities
Alert key personnel
Document disaster
Mitigate impact
Evacuation of physical assets

36. Crisis Management
Disaster recovery personnel must know their responses without any supporting documentation
Focus first & foremost -people involved
Team responsibilities
Support personnel and loved ones
Determine impact on normal operations
Keep public informed
Communicate with major players

37. Business Continuity Planning
Prepares an organization to reestablish critical operations
Temporary facilities
Continuity strategy
Integration of off-side data storage & recovery functions
Off-site backup
Identification of critical business functions
Identification of critical resources

38. Alternative Site Configurations
Hot sites
Fully configured computer facilities
All services & communication links
Physical plant operations
Warm sites
Does not include actual applications
Application may not be installed and configured
Required hours to days to become operational

39. Alternative Site Configurations
Cold sites
Rudimentary services and facilities
No hardware or peripherals
empty room

40. Alternative Site Configurations
Time-shares
Hot, warm, or cold
Leased with other orgs
Service bureau
Provides service for a fee
Mutual agreements
Rolling mobile site

41. Off-Site Disaster Data Storage
“off-site” – how far?
Electronic vaulting
Transfer of large batches of data
Receiving server archives data
Fee
Journaling
Transfer of live transactions to off-site
Only transactions are transferred
Transfer is real time

42. Off-Site Disaster Data Storage
Shadowing
Duplicated databases
Multiple servers
Processes duplicated
3 or more copies simultaneously

43. ACL Policies Restrict access from anyone & anywhere
Can regulate specific user, computer, time, duration, file

44. ACL Policies What regulated Who can use the system
What authorization users can access
When authorization users can access
Where authorization users can access

45. ACL Policies Authorization determined by persons identity
Can regulated specific computer equipment
Regulate access to data
Read
Write
Modify
Copy
Compare

46. Rule Policies More specific operation of a system than ACL
May or may not deal with user directly
Define configuration of firewalls, IDS, and proxy servers

47. Policy Management Living documents Must be managed
Constantly changed and grow
Must be properly disseminated
Must be properly managed
Responsible individual
Policy administrator
Champion & manager
Not necessarily a technically oriented person

48. Reviews Schedule Procedures and practices
Retain effectiveness in changing environment
Periodically reviewed
Should be defined and published
Should be reviewed at least annually
Procedures and practices
Recommendations for change
Reality one person drafts

49. Document Configuration Management
Include date of original
Includes date of revision
Include expiration date

50. Information Classification
Control for the protection of information
Important facet of policy
Least
“for internal use only”
Clean desk policy

51. Information Security Blueprint
Risk Assessment
Quantitative and qualitative analysis
Feasibility studies
Cost benefit analysis
Good idea of systems vulnerabilities
Specify tasks to be accomplished
Specify order of performing tasks
Serve as plan for IS security needs for years not just today

52. Information Security Blueprint
Basis for design, selection & implementation
All security policies
Education
Training program
Technology controls

53. Security Models ISO (International Organization for Standards)
IEC (International Electrotechnical Commission)

54. Security Models ISO/IEC 17799
Purpose – “give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization.
Provides a common basis
Must pay for these

55. Security Modes
NIST
Available from Computer Security Resource Center of National Institute for Standards & Technology
Publically available at no charge
Several publications dealing with various aspects

56. Security Models IETF VISA Internal Base lining and Best Practices
Internet Engineering Task Force
VISA Internal
Focus on system that can and do integrate with VISA
Base lining and Best Practices
Comparison of your organization security with another

57. Hybrid Framework People must become a layer of security Human firewall
Information security implementation
Policies
People
Education, training, and awareness
Technology

58. Figure 5-15 – Spheres of Security
Figure 6-16, showing the sphere of security, is the foundation of the security framework.
Generally speaking, the sphere of security represents the fact that information is
under attack from a variety of sources. The sphere of use, at the left of the figure, illustrates
the ways in which people can directly access information: for example, people read
hard copies of documents; they also access information through systems, such as the
electronic storage of information. Information, as the most important asset to security,
is illustrated at the core of the sphere. Information is always at risk from attacks through
the people and computer systems that have direct access to the information. Networks
and the Internet represent indirect threats, as exemplified by the fact that a person
attempting to access information from the Internet must first go through the local
networks and then access systems that contain the information. The sphere of protection,
at the right of the figure, illustrates that between each layer of the sphere of use
there must exist a layer of protection to prevent access to the inner layer from the
outer layer. Each shaded band is a layer of protection and control. For example, the
layer labeled “policy education and training” is located between people and the information.
Controls are also implemented between systems and the information,
between networks and the computer systems, and between the Internet and internal
networks. This reinforces the concept of defense in depth.
As illustrated in the sphere of protection portion of Figure 6-16, a variety of controls can be used to protect the
information. The list in the figure is not intended to be comprehensive but illustrates
individual safeguards that protect the various systems that are located closer to the
center of the sphere. However, as people can directly access each ring as well as the
information at the core of the model, people require unique approaches to security.
In fact, the resource of people must become a layer of security, a human firewall that
protects the information from unauthorized access and use. The members of the
organization must become a safeguard, which is effectively trained, implemented,
and maintained, or else they, too, become a threat to the information.
Principles of Information Security, 2nd Edition

59. Hybrid Framework Managerial Controls Cover security process
Implemented by security administrator
Set directions and scope
Addresses the design and implementation
Addresses risk management & security control reviews
Necessity and scope of legal compliance

60. Hybrid Framework Operational Controls
Operational functionality of security
Disaster recovery
Incident response planning
Personnel and physical security
Protection of production inputs and outputs

61. Hybrid Framework Operational Controls
Development of education, training & awareness
Addresses hardware and software system maintenance
Integrity of data

62. Hybrid Framework Technical Controls
Addresses the tactical & technical issues
Addresses specifics of technology selection & acquisition
Addresses identification
Addresses authentication
Addresses authorization
Addresses accountability

63. Hybrid Framework Technical Controls
Addresses development & implementation of audits
Covers cryptography
Classification of assets and users

64. Hybrid Framework Security Architecture Components Defenses in Depth
One of basic tenants
Implementation of security in layers
Policy
Training
Technology
Security Perimeter
Defines the edge between the outer limit of an organization’s security and the beginning of the outside world

65. Hybrid Framework Security Architecture Components
First level of security – protects all internal systems from outside threats
Multiple technologies segregate the protected information
Security domains or areas of trust

66. Key Technology Components
SETA
Security education, training and awareness
Employee errors among top threats
Purpose
Improve awareness of need to protect
Develop skills and knowledge
Build in-depth knowledge to design, implement, or operate security programs

67. Comparative Framework of SETA
Education
Training
Awareness
Attribute
Why
How
What
Level
Insight
Knowledge
Information
Objective
Understanding
Skill
Exposure
Teaching method
Theoretical instruction
Discussion seminar
Background reading
Hands-on practice
Practical instruction
Lecture
Case study
Posters
Media
Videos
Newsletters
Test measure
Essay
(interpret learning)
Problem solving
(apply learning)
True or false
Multiple choice
(identify learning)
Impact timeframe
Long-term
Intermediate
Short-term

68. Business Impact Analysis (BIA)
Investigate & assess impact of various attack
First risk assessment – then BIA
Prioritized list of threats & critical info
Detailed scenarios of potential impact of each attack
Answers question
“if the attack succeeds, what do you do then?”

69. BIA Sections Threat attack identification & prioritization
Attack profile – detailed description of activities that occur during an attack
Determine the extent of resulting damage
Business Unit analysis
Analysis & prioritization-business functions
Identify & prioritize functions w/in orgs units

70. BIA Sections Attack success scenario development
Series of scenarios showing impact
Each treat on prioritized list
Alternate outcomes
Best, worst, probable cases
Potential damage assessment
Estimate cost of best, worst, probable
What must be done under each
Not how much to spend
Subordinate Plan Classification
Basis for classification as disastrous not disastrous