1
Chapter 8 Administering Security
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
2
Administering Security
Planning: prepare and study what will verify that our implementation meets the security needs of today and tomorrow.
Risk Analysis: cost/benefit analysis of controls.
Policy: establish a framework for verifying that security needs are met.
Physical Control: which aspects of the computing environment have an impact on security?
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
3
Security Planning “The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable” (SANS).
4
Contents of Security Plan
Policy: the goals of computer security for the organization.
Current State: describe the current status.
Requirements: how to meet the goals, including legal and other obligations.
Recommended Controls: map controls to the vulnerabilities identified.
Accountability: who is responsible for each control.
Timetable: due dates for tasks.
Continuous Attention: keep the plan up to date.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition pg. 510
5
The Six Requirements of the TCSEC Security Policy
Table 8-1 The Six Requirements of the TCSEC Security Policy
Security policy: There must be an explicit and well-defined security policy enforced by the system.
Identification: Every subject must be uniquely and convincingly identified. Identification is necessary so that subject/object access can be checked.
Marking: Every object must be associated with a label that indicates its security level. The association must be done so that the label is available for comparison each time an access to the object is required.
Accountability: The system must maintain complete, secure records of actions that affect security. Such actions include introducing new users to the system, assigning or changing the security level of a subject or an object, and denying access attempts.
Assurance: The computing system must contain mechanisms that enforce security, and it must be possible to evaluate the effectiveness of these mechanisms.
Continuous protection: The mechanisms that implement security must be protected against unauthorized change.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
6
Figure 8-1 Inputs to the Security Plan.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
7
Do we protect everything?
Risk Assessment
Risk Categorization and Prioritization
Risk Mitigation
Resources Available
Planning
Implementation
Testing
Updates to plan
4/22/2017 Live Chat 5
8
Risk Analysis
What are the risks?
What is the probability of each occurring?
What is the impact if it happens?
9
Risk Analysis
Assets: what are we trying to protect?
Threats: potentially harmful occurrences (power loss, hackers, viruses, earthquakes).
Vulnerability: a weakness that allows a threat to cause harm.
Risk = Threat x Vulnerability. With consequences priced in, Risk = Threat x Vulnerability x Impact ($).
Impact = consequences, usually expressed in dollars.
Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
10
Risk Analysis Matrix
Rows (Likelihood of the event): Almost Certain, Likely, Possible, Unlikely, Rare.
Columns (Consequences): Insignificant, Minor, Moderate, Major, Catastrophic.
Each cell rates the event: E-Extreme, H-High, M-Medium, L-Low. Cell ratings legible on the slide: H and E in the Almost Certain row, M in the Likely row, L in the Possible row.
Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
11
Risk Analysis Terms
Asset Value (AV): value of the asset you are protecting.
Exposure Factor (EF): percentage of an asset's value lost in a single incident. EF for a stolen laptop = 100%.
Single Loss Expectancy (SLE): cost of a single loss. SLE = AV x EF.
Annual Rate of Occurrence (ARO): number of losses expected per year (may be a fraction, e.g. 0.1 for one loss every ten years).
Annualized Loss Expectancy (ALE): yearly cost due to a risk. ALE = SLE x ARO. ALE is what tells you how much a risk is worth spending to mitigate.
Total Cost of Ownership (TCO): total cost of a mitigating safeguard: upfront costs, annual maintenance, staff hours, vendor fees, licenses etc.
Return On Investment (ROI): money saved by implementing a safeguard, i.e. the reduction in ALE minus the safeguard's TCO. A control is worth buying only if its ROI is positive.
Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
12
Risk Choices
Accept: if likelihood and impact are both low, knowingly carry the risk.
Mitigate: lower the risk to an acceptable level with controls.
Transfer: buy insurance, or move the risk to a third party.
Avoid: drop the project or activity that carries the risk.
Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
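The quantitative terms (SLE = AV x EF, ALE = SLE x ARO, TCO, ROI) and the accept/mitigate choice they drive, worked through in code. This is an added example written for this page, not code from the slides or from Conrad's study guide; the laptop-theft figures, the three candidate safeguards and the 40% hardware share of the asset value are constructed for illustration. It shows one thing the formulas alone do not make obvious: a safeguard can pay off by lowering EF (encryption makes the stolen data worthless) rather than ARO (fewer thefts), and a control that removes the risk entirely can still have negative ROI.

```python
"""Quantitative risk analysis in Conrad's terms: SLE = AV x EF, ALE = SLE x ARO,
ROI = ALE saved - TCO, and the accept/mitigate choice that follows from it.
All dollar figures below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One risk, described by the three inputs the slides define."""
    name: str
    asset_value: float       # AV: dollar value of the asset being protected
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0 to 1.0)
    annual_rate: float       # ARO: incidents per year; may be fractional

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a fraction of the asset value, 0.0 to 1.0")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A control, its cost of ownership, and the residual risk once it is in place."""
    name: str
    upfront_cost: float      # purchase and rollout
    annual_cost: float       # maintenance, staff hours, vendor fees, licences
    lifetime_years: int      # service life over which the upfront cost is spread
    residual: Risk           # the same risk after the safeguard is deployed

    def annual_tco(self) -> float:
        """TCO expressed per year so it is comparable with an ALE."""
        return self.upfront_cost / self.lifetime_years + self.annual_cost


def annual_roi(before: Risk, safeguard: Safeguard) -> float:
    """ROI = (ALE before - ALE after) - annualized TCO. Positive means it pays for itself."""
    return before.ale() - safeguard.residual.ale() - safeguard.annual_tco()


def choose(before: Risk, options: List[Safeguard]) -> Tuple[str, Optional[str]]:
    """Pick the safeguard with the highest ROI; accept the risk if none has a positive ROI.
    (Transfer and avoid are the other two choices; they are out of scope here.)"""
    if not options:
        return ("accept", None)
    best = max(options, key=lambda s: annual_roi(before, s))
    if annual_roi(before, best) <= 0:
        return ("accept", None)   # every control costs more than the loss it prevents
    return ("mitigate", best.name)


# Constructed scenario: a fleet of laptops, each worth $2,500 including the data on it.
# A stolen laptop is a total loss (EF = 100%), and 25 go missing per year.
LAPTOP_THEFT = Risk("Laptop theft", asset_value=2_500, exposure_factor=1.0, annual_rate=25)

# Option 1 lowers the ARO (fewer thefts) but leaves EF at 100%.
CABLE_LOCKS = Safeguard(
    "Cable locks and awareness training", upfront_cost=5_000, annual_cost=1_000,
    lifetime_years=5,
    residual=Risk("Laptop theft", 2_500, exposure_factor=1.0, annual_rate=15),
)
# Option 2 does not stop thefts, but encrypted data has no value to the thief,
# so only the hardware share of AV (assumed 40%) is lost: the EF drops, not the ARO.
DISK_ENCRYPTION = Safeguard(
    "Full-disk encryption", upfront_cost=10_000, annual_cost=2_000, lifetime_years=5,
    residual=Risk("Laptop theft", 2_500, exposure_factor=0.4, annual_rate=25),
)
# Option 3 eliminates the risk entirely but costs more than the ALE it removes.
GUARDS = Safeguard(
    "Round-the-clock guards", upfront_cost=0, annual_cost=100_000, lifetime_years=1,
    residual=Risk("Laptop theft", 2_500, exposure_factor=1.0, annual_rate=0),
)
OPTIONS = [CABLE_LOCKS, DISK_ENCRYPTION, GUARDS]

if __name__ == "__main__":
    print(f"SLE ${LAPTOP_THEFT.sle():,.0f}  ALE ${LAPTOP_THEFT.ale():,.0f}")
    for s in OPTIONS:
        print(f"{s.name:36} TCO/yr ${s.annual_tco():>9,.0f}  "
              f"ROI/yr ${annual_roi(LAPTOP_THEFT, s):>9,.0f}")
    print(choose(LAPTOP_THEFT, OPTIONS))    # ('mitigate', 'Full-disk encryption')
    print(choose(LAPTOP_THEFT, [GUARDS]))   # ('accept', None)
```

With these inputs the baseline ALE is $62,500; cable locks return $23,000 a year, encryption $33,500, and guards lose $37,500, so the analysis recommends mitigating with encryption and, if guards were the only option, accepting the risk instead. The TCO is annualized over the safeguard's service life so that it is compared against a yearly loss figure; comparing a one-time purchase price directly with an ALE is a common mistake that makes capital controls look worse than they are.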
13
Figure 8-2 Vulnerabilities Suggested by Attributes and Objects.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
14
Figure 8-3 Vulnerabilities Enabling a Trojan Horse Attack.
Six attributes might enable a Trojan horse attack.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
15
Figure 8-4 Mapping Control Techniques to Vulnerabilities.
Example: Vulnerability E is primarily controlled by Technique 2.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
16
Figure 8-5 Matrix of Vulnerabilities and Controls.
Attributes leading to vulnerabilities are listed on the left, controls across the top.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
17
Figure 8-6 Valuation of Security Techniques.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
18
Figure 8-7 Relevance of Certain Security Techniques to Roles and Attack Components.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
19
Figure 8-8 Risk Calculation for Regression Testing.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
20
Arguments For Risk Analysis
Improve Awareness: discussing risk raises the interest of staff at all levels in protecting assets.
Relate Security Mission to Management Objectives: security costs money, and people need to understand that it balances potential harm against the cost of controls.
Identify Assets, Vulnerabilities and Controls: the analysis produces an inventory of what must be protected, how it can be harmed, and what protects it.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
21
Arguments For Risk Analysis
Improve Basis for Decisions: risk analysis augments the manager's judgment as a basis for the decision.
Justify Expenditures for Security: balance costs against risks to build the business case for a control.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
22
Arguments Against Risk Analysis
False Sense of Precision and Confidence: the estimates of risk impact, probability and exposure rest on sparse empirical data, yet the resulting numbers look exact and invite more confidence than they deserve.
Hard to Perform: the assessment is subjective and time consuming.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
23
Arguments Against Risk Analysis
Immutability: a risk analysis is often filed and quickly forgotten; it must be a living document, not a one-time event.
Lack of Accuracy: risks are hard to estimate, and there may be gaps due to our limited knowledge of the system.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
24
Physical Security
Natural Disasters: earthquake, hurricane, flood, fire, storms, etc.
Environmental: electrical problems (brownouts, blackouts, spikes, surges, sags, faults); HVAC, air conditioning and humidity controls; electromagnetic interference (EMI).
Theft: internal and external.
Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
25
Physical Security
Shredding: shred paper documents.
Overwriting: overwrite magnetic media, or shred it.
Degaussing: use a strong magnetic field to destroy the data. This works only on magnetic media; flash storage (SSDs, USB sticks) holds no magnetic domains and must be overwritten, cryptographically erased or physically destroyed instead.
TEMPEST: protect against electromagnetic signal emission. Either certify the device as emission-free, or enclose the device or modify its emanations.
Pfleeger, C., Pfleeger, S. (2007) Security in Computing 4th Edition
26
Business Continuity Plan (BCP)
Long-term, strategic, business-oriented plan for continued operation.
BCP Goal: ensure that the business continues to operate before, during and after a disaster, and that critical services can be delivered in the wake of a disruption and after it is over.
Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
27
Disaster Recovery Plan
Short-term, tactical plan for dealing with specific IT-oriented disruptions.
Mitigate the impact of a disaster.
Recover critical IT systems.
Part of the Business Continuity Plan.
Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
28
Contingency Planning
Redundant Site: exact duplicate of production.
Hot Site: fully configured site with all necessary hardware and critical applications.
Warm Site: some aspects of a hot site, but relies on backup data to reconstitute systems after a disruption.
Cold Site (shell): an alternative location with basic facilities but no preconfigured systems.
Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
29
Contingency Planning
Mobile Site: datacenter in a box.
Reciprocal Agreement: bi-directional agreement between two organizations to share space if a disaster occurs.
Backups: geographically distributed and environmentally controlled.
Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide