Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Management Practices General overview of good security management processes. Introduces topics used in several other sections.

Published byHoratio McCarthy Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Management Practices General overview of good security management processes. Introduces topics used in several other sections."— Presentation transcript:

1 Security Management Practices General overview of good security management processes. Introduces topics used in several other sections

2 Overview  Basic Security Concepts  Policies, Standards, Guidelines, & Procedures  Roles played in security management  Security Awareness  Risk Management  Data & Information Classification

3 Concepts  C.I.A. - Confidentiality, Integrity, & Availability  Identification, Authentication, Accountability, Authorization, Privacy  Objective of Security Controls: reduce likelihood & impact of threats

4 Systems Security Lifecycle 1.Initiation 2.Development/Acquisition 3.Implementation 4.Operation/maintenance 5.Disposal

5 3 Primary Tenants of InfoSec Confidentiality Integrity Availability

6 Personnel Concepts  Identification  Authentication  Accountability  Authorization  Privacy

7 System Concepts  Assume external systems are insecure  Examine the trade-offs (nothing is free)  Use Layered Security (greater work factor)  Minimize the system elements that are “trusted”  Isolate public accessed systems  Authenticate both users & processes  Use Unique Identities to ensure accountability  Implement least privilege

8 TOA: Trade-off Analysis  Define the objective (in writing)  Identify alternatives (courses of action)  Compare alternatives  Realize that there are no perfectly secure systems in opperation

9 Security Controls  Objective: reduce vulnerabilities & minimize the effect of an attack Attack likelihood Attack cost Attack countermeasures  Deterrent controls  Corrective Controls  Detective Controls

10 Simple Threat Matrix likelihood of an attack impact 0,0 A B C

11 Information Classification  Why classify data & information  Concepts  Classification Terms Governmental Private Sector  Criteria  Roles used in the classification process

12 Roles…  Owner Who gets the blame level of classification, review of protection, delegation to custodian,  Custodian Actual day-to-day, backups, verify backups, restoration, policy maintenance  User Operating procedures, user account management, detecting unauthorized/Illicit activity Termination

13 Implementation 1.Policy: 1.senior management (demonstration of commitment 2.general organizational 3.Policy: Functional 2.Implementation 1.Standards -- Baselines 2.Guidelines 3.Procedures

14 Risk management  Risk can never be totally eliminated  Primary purpose 1.Identification of risks 2.Cost / benefit analysis  Benefits 1.Creates clear cost-to-value 2.Helps analysis process 3.Helps design and creation

15 Terms  Asset  Threat  Vulnerability  Safeguard  Exposure Factor (EF)  Single Loss Expectancy (SLE)  Annualized Rate of Occurrence (ARO)  Annualized Loss Expectancy (ALE)

16 Attacks  Criminal Fraud-prolific on the Internet Destructive, Intellectual Property Identity Theft, Brand Theft  Privacy: less and less available people do not own their own data Surveillance, Databases, Traffic Analysis Echelon, Carnivore  Publicity & Denial of Service  Legal

17 Brief Risk Analysis Overview  Quantitative vs Qualitative  Steps Potential losses Potential threats  Asset valuation  Safeguard selection  Remedies

18 Risk Analysis “The identification and evaluation of the most likely permutation of assets, known and anticipated vulnerabilities, and known and anticipated types of attackers.”

19 Assets  What are you trying to Protect  Why is it being protected  Risk for other systems on network  Data Tampering vs. Stealing Liability

20 Attackers  Categorize by Objective, Access, Resources, Expertise, and Risk  Hackers: Galileo, Marie Curie  Lone Criminals, Insiders, Espionage, Press, Organized Crime, Terrorists

21 Motives Business competitors  Same motives as “real-life” criminals  Financial motives Credit cards The Cuckcoo’s Egg  Political motives  Personal / psychological motives

22 Motives  Honeypot “to learn tools tactics and motives of blackhat community” Honeypot  Script Kiddies Canned Exploits of Perl or Shell scripts Still major threat  Knowing motives helps predict attack  Degrees of motivation Automated tools Hardened systems vs Easy Kills

23 Steps in an Attack 1.Identify Target & collect Information 2.Find vulnerability in target 3.Gain appropriate access to target 4.Perform the attack 5.Complete attack, remove evidence, ensure future access

24 After you get root 1.Remove traces of root compromise 2.Gather information about system 3.Make sure you can get back in 4.Disable or patch vulnerability

25 Vulnerability Landscape  Physical World Laptops  Virtual World  Trust Model  System Life cycled

26 Vulnerabilities  Only potential until someone figures out how to exploit  Need to identify and address Those applicable & which must mitigated now Are likely to apply & must be planned against Seem unlikely and/or are easy to mitagate

27 Attack Trees (Bruce Schneier)  Visual Representation of attacks against any given target  Attack goal is root  Attack subgoals are leaf nodes For each leaf determine subgoals necessary to achieve And cost to achieve penetration using different types of attackers

28 Attack Tree Example Steal Customer Data Obtain Backup Media Burfglarize Office (Cost $10,000) Intercept eMail Bribe Admin at ISP ($5,000) Hack remote users home system ($1,000) Hack SMTP Gateway ($2000) Hack into Server

29 Defenses  Three general means of mitigating attack risk Reducing asset value to attacker Mitigating specific vulnerabilities  Software patches  Defensive Coding Neutralizing or preventing attacks  Access control mechanisms  Distinguish between trusted & untrusted users

30 Security  Security is a process not a Product  Weakest link in the process  Examples of Threat Modeling in Secrets & Lies chapter 19

31 Security Awareness  People are often the weakest link  Benefits: Awareness of need to protect the system Skill & knowledge improvement More in-depth knowledge  Be careful of over training Constant barrage == ignored Too much knowledge of how the system works

32 References  Cohen, Fred “A Preliminary Classification Scheme for Information Security Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on that Model.” Sandia National Laboratories, Sept 1998 (www.all.net/journal/ntb/cause-and- effect.html)www.all.net/journal/ntb/cause-and- effect.html  Bauer, Michael E. “Building Secure Servers with Linux.” O’Reilly, 2003

Download ppt "Security Management Practices General overview of good security management processes. Introduces topics used in several other sections."

Similar presentations

Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
Security Controls – What Works

Security Controls – What Works
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Introducing Computer and Network Security

Introducing Computer and Network Security
Reliability and Security. Security How big a problem is security? Perfect security is unattainable Security in the context of a socio- technical system.

Reliability and Security. Security How big a problem is security? Perfect security is unattainable Security in the context of a socio- technical system.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Lecture 8: Risk Management Controlling Risk

Lecture 8: Risk Management Controlling Risk
Risk Management.

Risk Management.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
CPSC 6126 Computer Security Information Assurance.

CPSC 6126 Computer Security Information Assurance.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Introduction to Network Defense

Introduction to Network Defense
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework

Similar presentations

Ads by Google