Security Management and
Administration of Deployed Systems
Chandwani, Narainder
Jean-François, Nathanaël
Oberoi, Paramjot
3/2/05
Overview
Acquisition and Configuration Management
Ongoing Security Monitoring
Monitoring New Threats
User/Employee Awareness and Compliance
Security Patch Management
System Modification
Incident Response
Business Continuity Planning
Security Auditing
System Decommission
Operational Security
Overview
Information Security Management
Acquisition Management
Ongoing Security Management
Configuration Management
Security Review and Testing
Security Awareness and Education
Information Security Management
ISACA (Information Systems Audit and Control Association): oversee and direct information security activities to execute the information security program
Not cut and dried; sometimes even abstract
Acquisition Management
Responsibilities with respect to outside services
Request
Evaluate
Acquire
Manage
Not standalone
Coordinate with IT operations to ensure comprehensive,
effective information security
Formal Methods
National Security Agency/Central Security Service
(NSA/CSS) Circular No. 500R – 1/9/2001
The Software Acquisition Capability Maturity Model® (SACMM®)
The U.S. Office of the Secretary of Defense (OSD)
Acquisition Reform
Evolutionary Acquisition
500R – Acquisition Management of SE
projects
Apply best practices and processes
Systems architectures supporting open system concepts
Make use of commercial off-the-shelf (COTS) software
Software reuse
Systems engineering and interoperability requirements
Software metrics
Assess and mitigate IA risks
500R – Information Assurance
Requirements developed and applied throughout acquisition
cycle
IA management – employ best practices known to reduce
risks.
Employ practices to ensure confidentiality, integrity and availability (CIA), authentication, and nonrepudiation of project information during design activities
Apply intrusion protection, detection, and reaction
capabilities
SA-CMM
Carnegie Mellon Software Engineering Institute, federal
agencies, U.S. DoD, other acquisition experts
Key Process Areas (KPAs) associated with each maturity
level indicate an acquisition process capability in the model
SA-CMM maturity levels (Level; Focus; Key Process Areas)
Level 1 - Initial. Focus: competent people and heroics. Key Process Areas: N/A
Level 2 - Repeatable. Focus: basic project management. Key Process Areas: transition to support; evaluation; contract tracking and oversight; requirements development and management; solicitation; software acquisition planning
Level 3 - Defined. Focus: process standardization. Key Process Areas: training program; acquisition risk management; contract performance management; project performance management; user requirements; process definition and maintenance
Level 4 - Quantitative. Focus: quantitative management. Key Process Areas: quantitative acquisition management; quantitative process management
Level 5 - Optimizing. Focus: continuous process improvement. Key Process Areas: acquisition innovation management; continuous process improvement
OSD Acquisition Reform
Published 2/9/1994 to clarify and define acquisition
management in the DoD
10 Principles of Acquisition
Empower People to Manage – not Avoid Risk
Operate in Integrated Product Teams
Reduce Cycle Time by 50 Percent
Expand Use of Commercial Products and Processes
Use Performance Specifications and Nongovernment
Standards
OSD Acquisition Reform
Issue Solicitations That Reflect the Quality of a World
Class Buyer
Procure Goods and Services with “Best Value”
Techniques
Test and Inspect in the Least Obtrusive Manner to Add
Value to the Process or Products
Manage Contracts for End Results
Evolutionary Acquisition
10/30/2002 – Interim Defense Acquisition Guidebook issued
by OSD
The required final functionality of the target deliverable is
defined at the start of the program, and each increment
takes advantage of developments in technology
The required functionality is not definable up front, but
evolves in each increment with the changing needs of
the user and maturing technology
Contracts – Service Level Agreements (SLAs)
Service Level Agreements
Contract between a customer and provider specifying the
minimum level of service to be supplied by supplier
Mutually agreed-upon quality of service
Need metrics to define levels of service
Average CPU usage
Minimum required system up time
Average response times
Baseline performance levels against which actual
performance levels are compared
Dial-in access capabilities
Transaction volumes
Usage rate
Number of users
Service Level Agreements
Need not involve outside providers only
Telecommunications example
Help desks
Bandwidth to be provided
On-site customer support that will be provided
Penalties that will have to be paid by the provider if
agreed-upon service levels are not met
Service Level Agreements
Third party service provider – ISP
Vicarious Liability – legal responsibility for causing injury
to someone or something when in reality the entity had
no involvement
Respondeat superior – a superior is legally
accountable for the acts of a subordinate
Contributory infringer : “one who was in a position to
control the use of copyrighted works by others and had
authorized the use without permission from the copyright
owner.”
Clients are not vicariously liable for activities of the
provider – independent contractor
Contracts
Contracts
Agreement to do or not do something specific
Implied or express (explicitly defined)
Written or oral
Mutual assent and understanding of the same terms
Contracts
Entering into a contract
Capacity and ability to do so
Minors – mentally infirm
Extreme duress – legality
Different understanding of terms and conditions may
render it null
Biased
Contracts
Damages
Ensure that injured party receives what was expected
from the agreement
Compensation for any damage caused by the breach –
or would result from the breach
Limitations
Foreseeable
Mental or emotional distress
Punitive damages
Contracts
Contract Performance
Payment for services actually rendered
Defaulting party who has not substantially performed
Conditional contract obligation
An event has or has not occurred
Dependent on other party’s performance
Cannot be obstructed by other party
Actual breach – unwarranted failure to perform in due
time
Anticipatory breach – repudiation before the time when
performance is due
Ongoing Security Monitoring
Monitoring and Auditing
Both used to maintain operational assurance.
Audit : one-time periodic event to evaluate security
Monitoring: ongoing activity that examines either the
system or the users.
The more real-time an activity is, the more it falls into the
category of monitoring
Two levels
Application level
System-wide basis
In house or external
Monitoring
Entails mechanisms, tools, and techniques to identify
security events capable of affecting the operation
Illegal software installation
Hardware faults and error states
Anomalies
Intrusion Detection
Detective analysis of intrusion attempts
Create a sampling of traffic patterns
Monitoring
Violation Analysis
Establish clipping levels
Baseline of user activity considered routine level of
user errors
Allow system to ignore normal user errors
Violation record produced – level exceeded
Need to be tracked, processed, and analyzed
Repetitive mistakes
Authorization exceeded
Unrestricted access to too many users
Patterns indicating serious intrusion attempts
Profile-based anomaly detection – profile metrics
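As an added example (not from the slides), the two violation-analysis mechanisms above, clipping levels and profile-based anomaly detection, applied to constructed audit records; the event types, thresholds and user profiles are assumptions made for the illustration:

```python
"""Violation analysis over constructed audit records (added example).

Two detectors from the slide:
  * clipping level: a fixed threshold of routine user errors that the
    system ignores; exceeding it produces a violation record.
  * profile-based anomaly detection: each user's historical activity
    profile (mean and standard deviation of a metric) defines what is
    normal; a large deviation from the learned profile is flagged.
All records below are constructed for the example, not real log data.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed audit events: (user, event_type). "login_fail" and
# "access_denied" are the routine user errors a clipping level tolerates.
AUDIT_EVENTS = [
    ("alice", "login_fail"), ("alice", "login_ok"),
    ("bob", "login_fail"), ("bob", "login_fail"), ("bob", "login_fail"),
    ("bob", "login_fail"), ("bob", "login_fail"), ("bob", "login_fail"),
    ("carol", "login_ok"), ("carol", "access_denied"),
    ("carol", "access_denied"), ("carol", "access_denied"),
    ("carol", "access_denied"),
]

# Clipping levels per error type (assumed values): counts at or below
# the level are treated as normal user error and ignored.
CLIPPING_LEVELS = {"login_fail": 3, "access_denied": 3}


def violation_records(events, clipping_levels):
    """Return violation records for users whose error counts exceed
    the clipping level for that error type."""
    counts = Counter((user, etype) for user, etype in events
                     if etype in clipping_levels)
    records = []
    for (user, etype), n in sorted(counts.items()):
        level = clipping_levels[etype]
        if n > level:
            records.append({"user": user, "error": etype,
                            "count": n, "clipping_level": level})
    return records


# Constructed per-user profile history: files accessed per day over the
# baseline period, followed by today's observation.
PROFILE_HISTORY = {
    "alice": [20, 22, 19, 21, 23, 20, 18],
    "dave": [5, 6, 5, 4, 6, 5, 5],
}
TODAY = {"alice": 24, "dave": 60}


def profile_anomalies(history, today, z_threshold=3.0):
    """Flag users whose metric deviates from their learned profile by
    more than z_threshold standard deviations (z-score)."""
    anomalies = []
    for user, samples in history.items():
        mu, sigma = mean(samples), pstdev(samples)
        sigma = sigma or 1.0  # avoid division by zero for a flat profile
        z = (today[user] - mu) / sigma
        if abs(z) > z_threshold:
            anomalies.append({"user": user, "observed": today[user],
                              "baseline_mean": round(mu, 2),
                              "z_score": round(z, 2)})
    return anomalies


if __name__ == "__main__":
    for rec in violation_records(AUDIT_EVENTS, CLIPPING_LEVELS):
        print("VIOLATION", rec)
    for rec in profile_anomalies(PROFILE_HISTORY, TODAY):
        print("ANOMALY", rec)
```

Alice's single failed login stays below the clipping level and her small rise in file accesses stays within her profile, so only Bob (6 failed logins) and Carol (4 denied accesses) produce violation records and only Dave's jump is flagged as an anomaly.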
Auditing
Provide management with information to keep them
informed about the operation of target systems
Ability to determine if system is operating in accordance with
accepted industry practices
Mitigation, not elimination
Risk the organization is willing to tolerate
Types of risks
Control risk : controls in place will not prevent, correct, or
detect errors on timely basis
Detection risk: procedures conducted will overlook
problem
Inherent risk: susceptibility of business or process to
commit relevant errors
Auditing
Security Auditing
Internal and external
IT auditors
Backup controls
System and transaction controls
Data library procedures
Systems development standards
Data center security
Contingency plans
Auditing
Audit trails
Audit logs
Transaction’s date and time
Person responsible for transaction
Terminal of transaction processing
Amendments to production jobs
Problem Management and Auditing
Reduce failures to manageable level
Prevent occurrence or reoccurrence of a problem
Mitigate negative effects of problems on computing
services and resources
Configuration Management
Process of tracking and approving changes to a system
Identifying, controlling, and auditing all changes made to
the system
Hardware, software, networking
Ensure that changes do not unintentionally diminish
security
Ensure change is implemented in an orderly manner
through formalized testing
User base is informed of impending change
Analyze effect of the change on the system after
implementation
Reduce negative impact change might have on
resources and services
Configuration Management
Five generally accepted procedures
Applying to introduce a change
Cataloging the intended change
Scheduling the change
Implementing the change
Reporting the change to appropriate parties
Four major aspects
Configuration identification
Configuration control
Configuration status accounting
Configuration auditing
Configuration Management
Configuration Identification
Decompose into identifiable, understandable,
manageable, trackable units – Configuration Items
CI represents smallest portion to be subject to
independent configuration control procedures
Vary in size, type and complexity
Granularity
Relatively large CIs for elements unlikely to
change
Small CIs for elements likely to change more often
Configuration Management
Configuration control
Ensure system changes are approved before
implementation
Procedures for proposing, monitoring, approving, and
implementing changes
Configuration status accounting
Document status of configuration control activities
Trace changes and establish history of problems and
fixes
Configuration auditing
Quality assurance component
Periodic checks to determine consistency and
completeness of accounting information
Configuration Management
Documentation change control
Update relevant documents in response to changes
Changes to system infrastructure
Changes to security policies or procedures
Changes to disaster recovery or business continuity
plans
Facility environment changes – office moves
Security Review and Testing
Incident, threat, and vulnerability data collection and review
Testing of infrastructure, externally and internally
Baseline establishments for future review
Security Review and Testing
Common steps
Review policies
Develop security matrix
Review security documentation
Review audit capability and use
Review security patches and updates
Run analysis tools
Correlate all information
Develop report
Make recommendation to correct problems
Security Review and Testing
Collect information about device or network to facilitate
attack on the system
System scanning
Network reconnaissance
Domain names and ip blocks – firewalls and
perimeter devices – running services – IDS –
platforms and protocols – general network
infrastructure
Gaining system access
Session hijacking – password cracking – sniffing –
default accounts exploitation – social engineering
Removing evidence of the attack
Editing and clearing security logs – compromising log
server – replacing system files – leaving back-door
Trojans
Security Review and Testing
Identify weaknesses in a system
Vulnerability scanning – unused ports – uncontrolled,
unauthorized software
Discovery scanning – inventory and classification –
information on OS and available ports – identify running
applications to determine device function
Workstation scanning – standard software configuration
is current with latest security patches, locate uncontrolled
or unauthorized software
Server scanning
Security Review and Testing
Port scanning
Scan types (TCP/UDP)
Stealth scans – spoofed scans
Scanning tools
Computer Oracle and Password System (COPS)
HPing – Legion – Nessus – NMap – Remote Access
Perimeter Scanner (RAPS) – System Administrator’s
Integrated Network Tool (SAINT) – System Administrator
Tool for Analyzing Networks (SATAN) - Tcpview
Security Review and Testing
Issues with vulnerability testing
False positives – legitimate software using ports
registered to other software
Heavy traffic – adverse effect on WAN links, can even disable
slow links
False negatives – exhaust resources on scanning
machine, not properly identifying vulnerabilities
System crash
Unregistered port numbers – port numbers in use are not
registered – unable to identify software in use
Security Awareness and Education
Users must understand how their actions can greatly affect the overall
security posture of the organization
Computer security awareness and education – enhance
security through the following
Make users aware of their security responsibilities and
teach them correct practices – help change behavior
Develop skills and knowledge
Build in-depth knowledge to design, implement, or
operate security programs
Security Awareness and Education
Often overlooked in the proactive or reactive administration of
security practices
Effective program requires proper planning, implementation,
maintenance, and periodic evaluation – NIST (800-14)
recommendations
Identify program scope, goals, and objectives
Identify training staff
Identify target audience
Motivate management and employees
Administer the program
Maintain the program
Evaluate the program
Security Awareness and Education
Awareness methods and techniques
Management commitment necessary
Integrating awareness
Periodic awareness sessions to orient new
employees and refresh senior employees – direct,
simple and clear
Live/interactive presentations – lectures, videos
Publishing/distribution – posters, company
newsletters
Incentives – awards and recognition for security-related achievement
Reminders
Security Awareness and Education
Integrating Awareness (continued)
Training – different from awareness – specific classroom
or one-on-one training
InfoSec example
Security-related job training for operators and specific
users
Awareness training for specific departments or
personnel groups with security-sensitive positions
Technical security training for IT support personnel
and system administrators
Advanced InfoSec training for security practitioners
and IS auditors
Security training for senior managers, functional
managers
Objective
To create a consistently configured environment that is secure
against known vulnerabilities in operating system and
application software
Patch Management
Security and Patch Information Sources
Patch Prioritization and Scheduling
Patch Testing
Change Management
Patch Installment and Deployment
Audit and Assessment
Security & Patch Information Sources
Intake and Vetting
Responsible Personnel
Comprehensive and Accurate Asset Management
Relationship with key OS, network device, and application vendors
Public Websites
Windows XP SP2
AOL Toolbar
Photoshop CS
Freedom Force
NBA Live 2000
Word Perfect
Virtual PC
Zone Alarm
No notification for some email programs
Patch Prioritization Scheduling
Patch Cycle
Critical security and functionality patches
Patch Testing
Verification of Patch Source and Integrity
Test Environment
Installing and rebooting
Initial Phases of Roll Out
Testing In Virtual Environment
Change Management
Process of controlling changes to the infrastructure or any
aspect of service, in a controlled manner, enabling approved
changes with minimum disruption
Contingency and Backout plans
Monitoring and Acceptance Plans
Milestone and Acceptance Criteria
Patch Installation & Deployment
Actual Work
Visible
Overall Success
Tools
Restricted User Rights
Audit & Assessment
Success & Extent
Accurate and Effective Asset
System Discovery & Auditing
Definition
The process of correcting flaws and enhancing the capability
of an Information System.
Changing a process to keep a compromised system from
being able to use vulnerable areas of itself to cause further
damage. This change can be something that is temporarily in
place until the "hole" in the system's security is fixed, or it can
be a permanent change to keep this type of attack from
happening again.
Stages of System Modification
Evaluate Systems
Assess Changes or Enhancement Request
Nature of Change
Impact of Change
Execute the Change
Types of Intrusion Detection (ID)
Host Based
Network Based
Host Based ID System
Monitor Accesses
Changes in user privileges
Critical System Files
Dial-in attempts to non-communication ports
Network Based IDS
String Signatures
Port Signatures
Header Condition Signatures
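The three network-based signature types above, as an added example that is not from the slides: a small knowledge-based matcher run over constructed packet summaries; the rule names, addresses and payloads are invented for the illustration. The limitation the later slide describes is visible in the rule table: traffic with no matching entry is never reported until a signature for it is added.

```python
"""Network-based IDS signature types (added example, not from the slides).

A knowledge-based NIDS compares traffic against a database of known
signatures. The slide lists three kinds, each shown here as one rule:
  * string signature    - a byte pattern in the payload
  * port signature      - a connection attempt to a port that should
                          not see traffic on this network (telnet here)
  * header condition    - an illegal combination of header fields
                          (SYN and FIN set together)
All packets and rules are constructed for the example.
"""

# Constructed packet summaries (what a sniffer would hand the engine).
PACKETS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": "tcp", "dport": 80,
     "flags": {"ACK", "PSH"}, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"src": "192.0.2.11", "dst": "198.51.100.5", "proto": "tcp", "dport": 23,
     "flags": {"SYN"}, "payload": b""},
    {"src": "192.0.2.12", "dst": "198.51.100.5", "proto": "tcp", "dport": 80,
     "flags": {"SYN", "FIN"}, "payload": b""},
    {"src": "192.0.2.13", "dst": "198.51.100.5", "proto": "tcp", "dport": 80,
     "flags": {"ACK", "PSH"},
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"},
]

# Signature database: (name, kind, predicate over a packet summary).
SIGNATURES = [
    ("web-etc-passwd", "string",
     lambda p: b"/etc/passwd" in p["payload"]),
    ("telnet-attempt", "port",
     lambda p: p["proto"] == "tcp" and p["dport"] == 23
     and "SYN" in p["flags"]),
    ("tcp-syn-fin", "header",
     lambda p: p["proto"] == "tcp" and {"SYN", "FIN"} <= p["flags"]),
]


def match_packet(packet, signatures=SIGNATURES):
    """Return the names of every signature the packet triggers."""
    return [name for name, _kind, pred in signatures if pred(packet)]


def scan(packets, signatures=SIGNATURES):
    """Run the signature database over a packet stream; return alerts as
    (packet_index, signature_name, kind) tuples."""
    alerts = []
    for i, p in enumerate(packets):
        for name, kind, pred in signatures:
            if pred(p):
                alerts.append((i, name, kind))
    return alerts


if __name__ == "__main__":
    for idx, name, kind in scan(PACKETS):
        p = PACKETS[idx]
        print(f"ALERT packet={idx} {kind:6} {name:16} "
              f"{p['src']} -> {p['dst']}:{p['dport']}")
```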
IDS Approaches
Knowledge Based
-- Use a database of known patterns
-- Mostly used
Behavior Based
-- Deviations from learned pattern
Knowledge vs. Behavior
Knowledge based: low false alarm rates; OS based; new, unique and original vulnerabilities have to be configured into the knowledge base
Behavior based: high false alarm rates; not OS based; adapts to new, unique and original vulnerabilities
Honey Pots
System intentionally configured to lure intruders
Simulates network services
HTTP, SMTP, DNS servers
Records details of intruders
Physically isolated
Evidence of Intrusion in Honey Pots
Firewall Logs
System Logs
IDS or other Monitoring Tools
Incident Response
An IRT is a well-trained group of people
Purpose is to promptly and correctly handle an incident so that
it can be quickly contained, investigated, and recovered from.
Members from within the company.
They must be people that can drop what they’re doing and
have the authority to make decisions and take actions
Incident Response Team
Management
Information Security
Auditor
Attorney
Human Resources
Public Relations Officer
Steps In IR
Planning and writing of procedures
Defining what constitutes an incident
Review of plan with the management
All team members should carry out their assigned duties
Business Continuity Planning
What is it?
Why do we need it?
When do we need it?
Who participates?
Where to carry out?
How to prepare?
What is BCP
SANS defines BCP
Business Continuity refers to the activities required to
keep your organization running during a period of
displacement or interruption of normal operation
Business Continuity Institute defines BCP
A collection of procedures and information which is
developed, compiled and maintained in readiness for use in
the event of an emergency or disaster
Need for BCP
Need
-- Disasters can occur at any time.
-- 24x7 business
Reason for BCP
Equipment Failure
Disruption of power supply
Application Failure
Human Error, Sabotage or strike
Malicious Software
Hacking or Internet Threats
Social unrest or terrorist attacks
Fire
Natural Disaster
Responsible for BCP
Who participates
-- Everyone.
Responsibility
--Business Continuity Coordinator
--Disaster Recovery Coordinator
Backup options for BCP
Cold Site
Hot Site
Mutual Backup
Remote Journaling
Mirrored Site
Phases of BCP
Project Initiation
Business Analysis
Designing the Plan
Implementation
Testing
Maintenance
Definition
A security audit is an audit of how the confidentiality, integrity
and availability of an organization’s information is assured.
It is a systematic, measurable technical assessment of how
the organization’s security policy is employed
Personal Interviews, Vulnerability scans, examination of
operating system settings
Work of Security Auditor
Audit Log
Cryptographic tools
Access control lists
Code and configuration changes
Custom Built Application
Key Management
The distribution of public keys
The use of public-key encryption to distribute secret keys
Distribution of Public Keys
Public Announcement of Public keys
Publicly Available Directory
Public key Authority
Public Key Certificates
Distribution of Secret Key
Simple Secret Key Distribution
Secret Key Distribution with Confidentiality and Authentication
System Decommission
What is system decommission?
(Disposition in NIST's System Development Life-Cycle)
All IT systems eventually go through an end of life phase
Newer, faster, cheaper, more efficient technology
Proprietary technology maker goes out of business (ex.
Sun)
Security concerns (risk)
Ex. NTLM vs Kerberos authentication
Vendor no longer releases security patches
System Decommission
Information preservation
Legal requirements? Security breach?
Ex. Your organization decommissions an old email
system. Do industry regulations require you to keep
all emails?
Ex. Your organization decommissions an old web
server. Do you store the access logs? Who has
access to the logs?
Will the technology be there to read the data in the
future?
Ex. Your organization backs up all data on 100 MB
Iomega Zip disks.
System Decommission
Media sanitization
Residual magnetic or electrical traces of data must be purged
by deleting, over-writing, degaussing, or destroying.
If done improperly, data can be reconstructed, giving
unauthorized individuals access to sensitive
information.
In highly sensitive/classified areas destruction is
required.
Smelting, disintegration, pulverization,
incineration, etc.
Ex. Digital forensics on NASA computers.
System Decommission
Hardware and software disposal
Can be sold, given away, or discarded as provided by
applicable law or regulation.
Must comply with license or other
agreements/contracts.
Rarely need to destroy hardware (exception: storage
devices that cannot be sanitized properly).
System Decommission - POSA
What should we take into account?
[Diagram: point-of-sale application (POSA) transaction flow between the USER, the POSA, the Register and CFAC. Numbered steps: 1 Sale information; 2 Display sale info; 3 User CC information; 4 Sale & user information; 5 Y/N; 6 Y/N; 7 Complete trans.; 8 Complete transaction]
Operational Security
Threat: an event that could cause harm by violating security
Operating environment
Internal or external intruders
Authorized users who abuse their power
Vulnerability: a weakness in a system that enables security to be
violated.
Asset: anything that is a computing resource or ability.
Operational Security
What is Operational Security (OPSEC)?
“The controls over the hardware in a computing facility, the
data used in a facility, and the operators using these
resources in a facility.” CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, Krutz, Vines.
“The whole point of operations security is to have a set of
operational (daily, habit ingrained) practices that make it
harder for another group to compile critical information.”
“The wolf is at your door.”
Operational Security
Identify critical information
What is the information or resource that you have that other
people may consider important?
What is the value?
What are the capabilities of an adversary?
How likely is it that someone can get this information?
Operational Security
Put restrictions on the flow of information
If information is classified, don't leave “breadcrumbs”
Ex. Dates, times, places, budget, contingency plans, etc.
Categories of Controls
Preventative Controls
Designed to lower the amount and impact of unintentional
errors.
Prevent unauthorized intruders from accessing the system.
Ex. ACLs, firewalls.
Detective Controls
Used after the fact.
Used to detect unauthorized actions.
Can be used for legal recourse.
Ex. User auditing.
Categories of Control
Corrective (or Recovery) Controls
Designed to mitigate the impact of a loss event through data
recovery procedures.
Ex. backups.
Application Controls
Designed to minimize and detect operational irregularities.
Categories of Control
Application Controls
Input/Output Controls
Ensure that only proper transactions are put into the system,
and that they are correct. Output controls verify the
integrity of the data and add confidentiality if needed.
Ex. Comparing input values to a list.
Processing Controls
Guarantee that transactions are valid and accurate and
errors are reprocessed.
Ex. Rejecting transactions for invalid amounts.
Categories of Controls
Change Controls
Implemented to preserve data integrity in a system.
Ex. Tripwire/MD5 hashing, baselining your system.
Test Controls
Put into place during the testing of a system to
prevent violations of confidentiality and to ensure transaction
integrity.
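An added example (not the slides' own code) of the change control listed above, a Tripwire-style file-integrity baseline: hash every file, keep the digests, re-hash later and report additions, removals and modifications. The directory tree and file contents are constructed for the demonstration, and SHA-256 stands in for the slide's MD5.

```python
"""File-integrity baselining in the style of Tripwire (added example).

The change control on the slide is: record a cryptographic hash of every
file in a baseline, then periodically re-hash and report anything added,
removed or modified. SHA-256 is used here instead of the slide's MD5,
since MD5 collisions are practical and it no longer protects integrity
against a deliberate attacker. The baseline should be kept off the
monitored host (or on read-only media) so an intruder cannot rewrite it.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to digest and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"sha256": sha256_file(full),
                             "size": os.path.getsize(full)}
    return baseline


def compare_baselines(old, new):
    """Return the integrity report: files added, removed and modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new)
                      if old[p]["sha256"] != new[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Construct a small tree, baseline it, alter it, and re-check.
    The directory contents are constructed for the example."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: one file edited, one added,
        # one removed.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("extra:x:1001:1001::/home/extra:/bin/sh\n")
        with open(os.path.join(root, "etc", "cron.d"), "w") as f:
            f.write("* * * * * root /tmp/x\n")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

Because the comparison is by digest, a file rewritten with the same size but different content is still reported as modified, which a size-only or timestamp-only check would miss.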
Operational Security
Configuration/Change Management
Ensure that the change is implemented in an orderly manner
through formalized testing.
Ensure that user base is informed in advance.
Analyze the effect of the change after implementation.
Reduce the negative impact the change may have had on the
computing services and resources.
Orange Book Controls
Trusted Computer Security Evaluation Criteria (TCSEC) also
define requirements for operational security:
System architecture
System integrity
Covert channel analysis
Trusted facility management
Trusted Recovery
Orange Book Controls
Covert Channel
An information path that is not normally used for
communication within a system.
Ex. repeatedly changing the amount of free space on your hard
disk.
Deter with noise and traffic generation.
Orange Book Controls
Trusted Facility Management
Assignment of a specific individual to administer the security-related functions of a system. Requires separate operator and
administrator roles.
Separation of Duties
Impossible for a single person to compromise entire system.
Single admin cannot have total control.
Orange Book Controls
Rotation of Duties
Variation of separation of duties. Limit the amount of time an
operator is to perform a security-related task before being
moved.
Failure Preparation/System Recovery
System must not be vulnerable when down, i.e. fails safe.
Backup files should not be vulnerable.
Encrypt? Store in a locked location?
Orange Book Controls
Administrative Controls
Personnel Security
Employment Screening/Background Checks
Mandatory Vacations
Job Action Warnings or Termination
Separation of Duties and Responsibilities
Least Privilege
Need to Know
Change/Configuration Management Controls
Questions/Comments