Technical Controls for Risk Management Bob Trimble COSC

Technical Controls for Risk Management Bob Trimble COSC 481 4 -20 -2006

Risk Management n Risk management • Identify threats • Determine the risk to the organization • Reducing those risks to an acceptable level n It allows IT managers to balance economic costs of protective measures to achieve a gain in profit

Risk Management Process n Step 1 - Gather system-related information • Hardware • Software • Data and information n Step 2 - Threat identification stage • Potential for a threat-source to exploit weaknesses n n Accidentally Intentionally • Three types of threats n n n Natural threats Environmental threats Human threats

n Step 3 - Determine Exploitable Vulnerabilities • Several main areas Organization policies n Network and system configurations n Security features and controls n • Previous lists • Earlier risk assessment • Security audit reports • Vendor reports • Security advisories • Vulnerability lists http: //icat. nist. gov n www. sans. org n

n Step 4 - Control analysis stage • Analyze implemented or planned controls • Security controls cover the use of technical and non-technical methods • Technical controls are safeguards that are incorporated into computer hardware, software, or firmware • Non-technical controls are management and operational controls, such as security policies; operational procedures; and personnel, physical, and environmental security

n Step 5 - Calculating likelihood rating • The probability that a threat will occur • Three catagories High n Medium n Low n n Step 6 - Determine threat impact • Three things calculated Estimation of the frequency n Approximate cost for each occurrence n Weighted factor based on an analysis n

n n Step 7 - Total risk of a threat source Ratings X Threat impact value = n Step 8 - Control recommendation stage List is sorted Methods of reduction discussed n Design and implementation < recovering from the threat n n

Access Control n Subjects • User’s processes n Objects • Files • Directories n Two options for control • What a subject is allowed to do • What may be done with an object

Access Control n n n Subjects are permitted to access any object Security levels • Hierarchical groups denoting degrees of sensitivity. • Clearance Security categories • Non-hierarchical groups which show different sensitivity • Classification

Access Control Matrix n Access operations • • • n Access rights permit or deny an action to be function on a file. Read Write Execute Two main types of access control • Discretionary access control • Mandatory access control. n Access control matrix • Theoretical • Elements of the matrix are access rights Info. doc Passwd file Prog_counting Alice r, w r x Bob r, w r -

ACL and Capabilities n Access control list • • n Structure Objects have a list of all accessible subjects Permissions Column of the access control matrix Capabilities list • • Structure Subjects have a list of all accessible objects Permissions Row from the access control matrix

Security Models n Foundation of all secure systems is a mathematical model • • n Behavior desired of the system Enforce the security policy Confidentiality Integrity Bell and La. Padula model • Simple Security Property (ss-property) • *-property (star property) n Biba model • Simple Integrity Property (si-property) • Integrity *-property

Firewalls n n n Block unauthorized traffic Host Based Network Based Three characteristics • • • All communication passes through the firewall The firewall permits only authorized traffic The firewall can withstand an attack upon itself • • • Packet-filtering routers Circuit-level gateways Application-level gateway Three types of firewalls

Firewalls n Strengths: • • • Firewalls can help enforce the security policy. Firewalls can restrict specific services. Firewalls have only one purpose – security. There is no compromise with usability. • Firewalls are good at notifying the appropriate people when an attack occurs. n Weaknesses: • Firewalls will not protect against authorized traffic. If an attack originates from a service or port that is authorized, the firewall will not stop it. • Firewalls are only as effective as their configuration. • Firewalls will not stop social engineering. • Firewalls cannot fix a poorly designed or administered security policy. • Firewall cannot stop attacks from traffic which does not pass through it.

Intrusion Detection System n n Monitors activity on the network Types • Host based IDS • Network based IDS n n Protects an entire network or subnetwork Signature Database