Security Management n Security is Primarily a Management

Security Management n General Security Goals ¡ Confidentiality n Attackers cannot read messages if

Security Management n Comprehensive Security ¡ Closing all avenues of attack ¡ Asymmetrical warfare

Security Management n Security Planning n Risk Analysis n Security Policies n Physical Security

Security Planning n Policy n Current state – risk analysis n Requirements n Recommended

Security Planning n Assuring Commitment to a Security Plan n Business Continuity Plans n

Security Planning Team Members n Computer hardware group n System administrators n Systems programmers

The Plan—Protect—Respond Cycle n Planning ¡ Need for comprehensive security (no gaps) ¡ Risk

Threat Severity Analysis-example Step Threat A B C D 1 Cost if attack succeeds

The Plan—Protect—Respond Cycle n Planning ¡ Security policies drive subsequent specific actions n Selecting

Policy-Driven Technology, Procedures, and Testing Policy Technology (Firewall, Hardened Webserver) Protection Only allow authorized

The Plan—Protect—Respond Cycle n Protecting ¡ Installing protections: firewalls, IDSs, host hardening, etc. ¡

The Plan—Protect—Respond Cycle n Responding ¡ Planning for response (Computer Emergency Response Team) ¡

The Plan—Protect—Respond Cycle n Responding ¡ Containment Recovery n Containment: stop the attack n

Security Policy n What are the Organisation’s goals on security? n Where does the

Security Policy n Who should be allowed access? n To what system and Organisational

Security Policies User types n Users n Owners n Data subjects n Balance Among

Characteristics of a Good Security Policy n Coverage (comprehensive) n Durability n Realism n

Physical Security n n Natural Disasters ¡ Flood ¡ Fire ¡ Other Power Loss

Contingency Planning. Disaster Recovery n n BACKUP!!!!! ¡ Complete backup ¡ Revolving backup ¡

Slides: 20

Download presentation

Security Management n Security is Primarily a Management Issue n Top-to-Bottom Commitment ¡ Top-management commitment ¡ Operational execution ¡ Enforcement 1

Security Management n General Security Goals ¡ Confidentiality n Attackers cannot read messages if they intercept them ¡ Integrity n If attackers change messages, this will be detected ¡ Availability n System is able to serve users 2

Security Management n Comprehensive Security ¡ Closing all avenues of attack ¡ Asymmetrical warfare n Attacker only has to find one opening ¡ Defense in depth n Attacker must get past several defenses to succeed ¡ Security audits n Run attacks against your own network 3

Security Management n Security Planning n Risk Analysis n Security Policies n Physical Security 4

Security Planning n Policy n Current state – risk analysis n Requirements n Recommended controls n Accountability n Timetable n Continuing attention 5

Security Planning n Assuring Commitment to a Security Plan n Business Continuity Plans n ¡ Assess Business Impact ¡ Develop Strategy ¡ Develop Plan Incident Response Plans ¡ Advance Planning ¡ Response Team ¡ After the Incident is Resolved 6

Security Planning Team Members n Computer hardware group n System administrators n Systems programmers n Application programmers n Data entry personnel n Physical security personnel n Representative users 7

The Plan—Protect—Respond Cycle n Planning ¡ Need for comprehensive security (no gaps) ¡ Risk analysis n Enumerating threats n Threat severity = estimated cost of attack X probability of attack n Value of protection = threat severity – cost of countermeasure n Prioritize countermeasures by value of prioritization 8

Threat Severity Analysis-example Step Threat A B C D 1 Cost if attack succeeds 500, 000 100, 000 10, 000 2 Probability of occurrence 80% 20% 5% 70% 3 Threat severity 400, 000 2, 000 5, 000 7, 000 4 Countermeasure cost 100, 000 3, 000 20, 000 5 Value of protection 300, 000 (1, 000) 3, 000 (13, 000) 6 Apply countermeasure? Yes No 7 Priority 1 NA 2 NA 9

The Plan—Protect—Respond Cycle n Planning ¡ Security policies drive subsequent specific actions n Selecting technology n Procedures to make technology effective n The testing of technology and procedures 10

Policy-Driven Technology, Procedures, and Testing Policy Technology (Firewall, Hardened Webserver) Protection Only allow authorized personnel to use accounting webserver Procedures (Configuration, Passwords, Etc. ) Attempt to Connect to Unauthorized Webserver Testing (Test Security) 11

The Plan—Protect—Respond Cycle n Protecting ¡ Installing protections: firewalls, IDSs, host hardening, etc. ¡ Updating protections as the threat environment changes ¡ Testing protections: security audits 12

The Plan—Protect—Respond Cycle n Responding ¡ Planning for response (Computer Emergency Response Team) ¡ Incident detection and determination n Procedures for reporting suspicious situations n Determination that an attack really is occurring n Description of the attack to guide subsequent actions 13

The Plan—Protect—Respond Cycle n Responding ¡ Containment Recovery n Containment: stop the attack n Repair the damage ¡ Punishment n Forensics n Prosecution n Employee Punishment ¡ Fixing the vulnerability that allowed the attack 14

Security Policy n What are the Organisation’s goals on security? n Where does the responsibility for security lie? n What is the Organisation’s commitment to security? 15

Security Policy n Who should be allowed access? n To what system and Organisational resources should access be allowed? n What types of access should each user be allowed for each resource? 16

Security Policies User types n Users n Owners n Data subjects n Balance Among All Parties 17

Characteristics of a Good Security Policy n Coverage (comprehensive) n Durability n Realism n Usefulness n Examples 18

Physical Security n n Natural Disasters ¡ Flood ¡ Fire ¡ Other Power Loss ¡ n UPS; surge suppressors (line conditioners) Human Vandals ¡ Unauthorized Access and Use ¡ Theft 19

Contingency Planning. Disaster Recovery n n BACKUP!!!!! ¡ Complete backup ¡ Revolving backup ¡ Selective backup OFFSITE BACKUP!!!!! 20