Security Management and
Administration of Deployed Systems
Chandwani, Narainder
Jean-François, Nathanaël
Oberoi, Paramjot
3/2/05
Overview
Acquisition and Configuration Management
Ongoing Security Monitoring
Monitoring New Threats
User/Employee Awareness and Compliance
Security Patch Management
System Modification
Incident Response
Business Continuity Planning
Security Auditing
System Decommission
Operational Security
Overview
Information Security Management
Acquisition Management
Ongoing Security Management
Configuration Management
Security Review and Testing
Security Awareness and Education
Information Security Management
- ISACA (Information Systems Audit and Control Association): oversee and direct information security activities to execute the information security program
- Not cut and dried; sometimes even abstract
Acquisition Management
- Responsibilities with respect to outside services
  - Request
  - Evaluate
  - Acquire
  - Manage
- Not standalone
  - Coordinate with IT operations to ensure comprehensive, effective information security
Formal Methods
- National Security Agency/Central Security Service (NSA/CSS) Circular No. 500R – 1/9/2001
- The Software Acquisition Capability Maturity Model® (SA-CMM®)
- The U.S. Office of the Secretary of Defense (OSD) Acquisition Reform
- Evolutionary Acquisition
500R – Acquisition Management of SE projects
- Apply best practices and processes
- Systems architectures supporting open system concepts
- Make use of commercial off-the-shelf (COTS)
- Software reuse
- Systems engineering and interoperability requirements
- Software metrics
- Assess and mitigate IA risks
500R – Information Assurance
- Requirements developed and applied throughout the acquisition cycle
- IA management – employ best practices known to reduce risks
- Employ practices to ensure CIA, authentication, and non-repudiation of project information during design activities
- Apply intrusion protection, detection, and reaction capabilities
SA-CMM
- Carnegie Mellon Software Engineering Institute, federal agencies, U.S. DoD, other acquisition experts
- Key Process Areas (KPAs) associated with each maturity level indicate an acquisition process capability in the model
SA-CMM
Level            | Focus                          | Key Process Areas
1 - Initial      | Competent people and heroics   | N/A
2 - Repeatable   | Basic project management       | Transition to support; Evaluation; Contract tracking and oversight; Requirements development and management; Solicitation; Software acquisition planning
3 - Defined      | Process standardization        | Training program; Acquisition risk management; Contract performance management; Project performance management; User requirements; Process definition and maintenance
4 - Quantitative | Quantitative management        | Quantitative acquisition management; Quantitative process management
5 - Optimizing   | Continuous process improvement | Acquisition innovation management; Continuous process improvement
OSD Acquisition Reform
- Published 2/9/1994 to clarify and define acquisition management in the DoD
- 10 Principles of Acquisition
  - Empower People to Manage – not Avoid Risk
  - Operate in Integrated Product Teams
  - Reduce Cycle Time by 50 Percent
  - Expand Use of Commercial Products and Processes
  - Use Performance Specifications and Nongovernment Standards
OSD Acquisition Reform
  - Issue Solicitations That Reflect the Quality of a World Class Buyer
  - Procure Goods and Services with “Best Value” Techniques
  - Test and Inspect in the Least Obtrusive Manner to Add Value to the Process or Products
  - Manage Contracts for End Results
Evolutionary Acquisition
- 10/30/2002 – Interim Defense Acquisition Guidebook issued by OSD
- The required final functionality of the target deliverable is defined at the start of the program, and each increment takes advantage of developments in technology
- The required functionality is not definable up front, but evolves in each increment with the changing needs of the user and maturing technology
- Contracts – Service Level Agreements (SLAs)
Service Level Agreements
- Contract between a customer and provider specifying the minimum level of service to be supplied by the supplier
- Mutually agreed-upon quality of service
- Need metrics to define levels of service
  - Average CPU usage
  - Minimum required system uptime
  - Average response times
  - Baseline performance levels to compare actual performance levels against
  - Dial-in access capabilities
  - Transaction volumes
  - Usage rate
  - Number of users
Service Level Agreements
- Need not be with outsiders only
- Telecommunications example
  - Help desks
  - Bandwidth to be provided
  - On-site customer support that will be provided
  - Penalties that will have to be paid by the provider if agreed-upon service levels are not met
Service Level Agreements
- Third-party service provider – ISP
  - Vicarious liability – legal responsibility for causing injury to someone or something when in reality the entity had no involvement
    - Respondeat superior – a superior is legally accountable for the acts of a subordinate
    - Contributory infringer: “one who was in a position to control the use of copyrighted works by others and had authorized the use without permission from the copyright owner.”
  - Clients are not vicariously liable for activities of the provider – independent contractor
Contracts
- Contracts
  - Agreement to do or not do something specific
  - Implied or express (defined – in writing)
  - Written or oral
  - Mutual assent and understanding of the same terms
Contracts
- Entering into a contract
  - Capacity and ability to do so
    - Minors – mentally infirm
    - Extreme duress – legality
  - Different understanding of terms and conditions may render it null
  - Biased
Contracts
- Damages
  - Ensure that the injured party receives what was expected from the agreement
  - Compensation for any damage caused by the breach – or that would result from the breach
  - Limitations
    - Foreseeable
    - Mental or emotional distress
    - Punitive damages
Contracts
- Contract performance
  - Payment for services actually rendered
  - Defaulting party who has not substantially performed
  - Conditional contract obligation
    - An event has or has not occurred
    - Dependent on the other party’s performance
    - Cannot be obstructed by the other party
  - Actual breach – unwarranted failure to perform in due time
  - Anticipatory breach – repudiation before the time when performance is due
Ongoing Security Monitoring
- Monitoring and Auditing
  - Both used to maintain operational assurance
  - Audit: one-time periodic event to evaluate security
  - Monitoring: ongoing activity that examines either the system or the users
    - The more real-time an activity is, the more it falls into the category of monitoring
  - Two levels
    - Application level
    - System-wide basis
  - In house or external
Monitoring
- Entails mechanisms, tools, and techniques to identify security events capable of affecting the operation
  - Illegal software installation
  - Hardware faults and error states
  - Anomalies
- Intrusion Detection
  - Detective analysis of intrusion attempts
  - Create a sampling of traffic patterns
Monitoring
- Violation Analysis
  - Establish clipping levels
    - Baseline of user activity considered the routine level of user errors
    - Allow the system to ignore normal user errors
  - Violation record produced – level exceeded
    - Need to be tracked, processed, and analyzed
      - Repetitive mistakes
      - Authorization exceeded
      - Unrestricted access to too many users
      - Patterns indicating serious intrusion attempts
  - Profile-based anomaly detection – profile metrics
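The clipping-level idea above, as an added Python example that is not part of the original slides: a violation analyzer run over a constructed audit log carrying the fields the deck lists (date/time, person, terminal, event). The line format, user names and the LOGIN_FAIL/PRIV_DENIED event names are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log (not real data): timestamp, user, terminal, event.
SAMPLE_LOG = """\
2005-03-02T09:14:02 user=alice term=tty3 event=LOGIN_FAIL
2005-03-02T09:14:20 user=alice term=tty3 event=LOGIN_FAIL
2005-03-02T09:14:41 user=alice term=tty3 event=LOGIN_OK
2005-03-02T10:02:11 user=bob term=tty7 event=LOGIN_FAIL
2005-03-02T10:02:30 user=bob term=tty7 event=LOGIN_OK
2005-03-02T23:40:05 user=carol term=pts/2 event=LOGIN_FAIL
2005-03-02T23:40:09 user=carol term=pts/2 event=LOGIN_FAIL
2005-03-02T23:40:12 user=carol term=pts/2 event=LOGIN_FAIL
2005-03-02T23:40:15 user=carol term=pts/2 event=LOGIN_FAIL
2005-03-02T23:40:19 user=carol term=pts/2 event=LOGIN_FAIL
2005-03-02T23:41:00 user=carol term=pts/2 event=PRIV_DENIED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) term=(?P<term>\S+) event=(?P<event>\S+)$"
)

# Clipping levels: how many of each error a user may produce per day before a
# violation record is written. Routine login typos are ignored up to the level;
# "authorization exceeded" gets a level of 0, so every occurrence is recorded.
CLIPPING_LEVELS = {"LOGIN_FAIL": 3, "PRIV_DENIED": 0}


@dataclass(frozen=True)
class Violation:
    user: str
    day: str
    event: str
    count: int
    clipping_level: int
    terminals: tuple


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def violation_analysis(records, clipping_levels=CLIPPING_LEVELS):
    """Count tracked events per (user, day, event) and emit a violation record
    wherever the count exceeds that event's clipping level."""
    counts = defaultdict(int)
    terminals = defaultdict(set)
    for r in records:
        if r["event"] not in clipping_levels:
            continue                      # not a tracked error type
        key = (r["user"], r["ts"][:10], r["event"])
        counts[key] += 1
        terminals[key].add(r["term"])
    violations = []
    for key in sorted(counts):
        user, day, event = key
        level = clipping_levels[event]
        if counts[key] > level:
            violations.append(Violation(user, day, event, counts[key], level,
                                        tuple(sorted(terminals[key]))))
    return violations


def baseline_error_rate(records, event="LOGIN_FAIL"):
    """Average count of one error type per active user per day. Use a quiet
    period to set the clipping level, rather than guessing; an offender in the
    sample inflates the baseline, as carol does here."""
    per_user_day = defaultdict(int)
    for r in records:
        if r["event"] == event:
            per_user_day[(r["user"], r["ts"][:10])] += 1
    if not per_user_day:
        return 0.0
    return sum(per_user_day.values()) / len(per_user_day)
```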
Auditing
- Provide management with information to keep them informed about the operation of target systems
- Ability to determine if the system is operating in accordance with accepted industry practices
  - Mitigation, not elimination
  - Risk willing to tolerate
- Types of risks
  - Control risk: controls in place will not prevent, correct, or detect errors on a timely basis
  - Detection risk: procedures conducted will overlook the problem
  - Inherent risk: susceptibility of a business or process to commit relevant errors
Auditing
Security Auditing
Internal and external
IT auditors
Backup controls
System and transaction controls
Data library procedures
Systems development standards
Data center security
Contingency plans
Auditing
- Audit trails
  - Audit logs
    - Transaction’s date and time
    - Person responsible for transaction
    - Terminal of transaction processing
    - Amendments to production jobs
- Problem Management and Auditing
  - Reduce failures to a manageable level
  - Prevent occurrence or recurrence of a problem
  - Mitigate negative effects of problems on computing services and resources
Configuration Management
- Process of tracking and approving changes to a system
  - Identifying, controlling, and auditing all changes made to the system
    - Hardware, software, networking
  - Ensure that changes do not unintentionally diminish security
  - Ensure change is implemented in an orderly manner through formalized testing
  - User base is informed of impending change
  - Analyze effect of the change on the system after implementation
  - Reduce negative impact change might have on resources and services
Configuration Management
- Five generally accepted procedures
  - Applying to introduce a change
  - Cataloging the intended change
  - Scheduling the change
  - Implementing the change
  - Reporting the change to appropriate parties
- Four major aspects
  - Configuration identification
  - Configuration control
  - Configuration status accounting
  - Configuration auditing
Configuration Management
- Configuration identification
  - Decompose into identifiable, understandable, manageable, trackable units – configuration items (CIs)
  - A CI represents the smallest portion to be subject to independent configuration control procedures
  - Vary in size, type and complexity
  - Granularity
    - Relatively large CIs for elements unlikely to change
    - Small CIs for elements likely to change more often
Configuration Management
- Configuration control
  - Ensure system changes are approved before implementation
  - Procedures for proposing, monitoring, approving, and implementing changes
- Configuration status accounting
  - Document status of configuration control activities
  - Trace changes and establish history of problems and fixes
- Configuration auditing
  - Quality assurance component
  - Periodic checks to determine consistency and completeness of accounting information
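The five procedures (apply, catalog, schedule, implement, report) together with configuration control and status accounting, worked through as an added example that is not from the slides or any real change-management tool: a hypothetical ChangeRequest class that enforces step order, requires approval by someone other than the requester and implementation by someone other than the approver, demands test evidence before scheduling, and logs every step for status accounting. CI names, people and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical change-control record (not a real tool) for the five steps on the slide.
STEPS = ("applied", "cataloged", "scheduled", "implemented", "reported")

class ChangeControlError(Exception):
    """A step attempted out of order, or by a person who must not perform it."""

@dataclass
class ChangeRequest:
    ci: str                              # configuration item (CI) being changed
    description: str
    requester: str
    approver: Optional[str] = None
    implementer: Optional[str] = None
    history: list = field(default_factory=list)  # configuration status accounting

    @property
    def state(self):
        return self.history[-1]["step"] if self.history else None

    def _record(self, step, actor, **detail):
        # Status accounting entry: who did what to which CI, and when
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.history.append({"step": step, "actor": actor, "ci": self.ci, "at": stamp, **detail})

    def _require(self, prev):
        if self.state != prev:
            raise ChangeControlError(f"{self.ci}: in state {self.state!r}, expected {prev!r}")

    def apply(self):                     # 1. applying to introduce a change
        if self.history:
            raise ChangeControlError("change has already been applied for")
        self._record("applied", self.requester)

    def catalog(self, approver):         # 2. cataloging = approval before implementation
        self._require("applied")
        if approver == self.requester:
            raise ChangeControlError("requester cannot approve their own change")
        self.approver = approver
        self._record("cataloged", approver)

    def schedule(self, when, implementer, test_passed):   # 3. scheduling
        # Needs formalized test evidence; approver and implementer must differ
        # so that no single person controls the change (separation of duties)
        self._require("cataloged")
        if not test_passed:
            raise ChangeControlError("formalized testing has not passed")
        if implementer == self.approver:
            raise ChangeControlError("approver cannot also implement the change")
        self.implementer = implementer
        self._record("scheduled", self.approver, when=when)

    def implement(self, actor):          # 4. implementing, by the scheduled person only
        self._require("scheduled")
        if actor != self.implementer:
            raise ChangeControlError(f"{actor} is not the scheduled implementer")
        self._record("implemented", actor)

    def report(self, actor, parties):    # 5. reporting to the user base and other parties
        self._require("implemented")
        self._record("reported", actor, notified=list(parties))

def run_example():
    """Constructed walk-through: one change done properly, two shortcuts refused."""
    ok = ChangeRequest("fw-edge-01/ruleset", "allow tcp/443 to new web tier", "alice")
    ok.apply()
    ok.catalog("bob")
    ok.schedule("2005-03-05T02:00Z", "carol", test_passed=True)
    ok.implement("carol")
    ok.report("carol", ["noc", "security", "web-team"])

    rejected = []
    bad = ChangeRequest("db-01/config", "raise max connections", "alice")
    bad.apply()
    for attempt in (lambda: bad.catalog("alice"),      # self-approval
                    lambda: bad.implement("alice")):   # no approval, schedule or test
        try:
            attempt()
        except ChangeControlError as err:
            rejected.append(str(err))
    return ok, rejected
```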
Configuration Management
- Documentation change control
  - Update relevant documents in response to changes
    - Changes to system infrastructure
    - Changes to security policies or procedures
    - Changes to disaster recovery or business continuity plans
    - Facility environment changes – office moves
Security Review and Testing
- Incident, threat, and vulnerability data collection and review
- Testing of infrastructure, externally and internally
- Baseline establishment for future review
Security Review and Testing
- Common steps
  - Review policies
  - Develop security matrix
  - Review security documentation
  - Review audit capability and use
  - Review security patches and updates
  - Run analysis tools
  - Correlate all information
  - Develop report
  - Make recommendations to correct problems
Security Review and Testing
- Collect information about a device or network to facilitate attack on the system
  - System scanning
  - Network reconnaissance
    - Domain names and IP blocks – firewalls and perimeter devices – running services – IDS – platforms and protocols – general network infrastructure
  - Gaining system access
    - Session hijacking – password cracking – sniffing – default accounts exploitation – social engineering
  - Removing evidence of the attack
    - Editing and clearing security logs – compromising log server – replacing system files – leaving back-door Trojans
Security Review and Testing
- Identify weaknesses in a system
  - Vulnerability scanning – unused ports – uncontrolled, unauthorized software
  - Discovery scanning – inventory and classification – information on OS and available ports – identify running applications to determine device function
  - Workstation scanning – standard software configuration is current with latest security patches, locate uncontrolled or unauthorized software
  - Server scanning
Security Review and Testing
- Port scanning
  - Scan types (TCP/UDP)
  - Stealth scans – spoofed scans
- Scanning tools
  - Computer Oracle and Password System (COPS)
  - HPing – Legion – Nessus – Nmap – Remote Access Perimeter Scanner (RAPS) – System Administrator’s Integrated Network Tool (SAINT) – System Administrator Tool for Analyzing Networks (SATAN) – Tcpview
Security Review and Testing
- Issues with vulnerability testing
  - False positives – legitimate software using ports registered to other software
  - Heavy traffic – adverse effect on WAN links, can even disable slow links
  - False negatives – exhausting resources on the scanning machine, not properly identifying vulnerabilities
  - System crash
  - Unregistered port numbers – port numbers in use are not registered – unable to identify software in use
Security Awareness and Education
- Understand how actions can greatly affect the overall security position of the organization
- Computer security awareness and education – enhance security through the following
  - Make users aware of their security responsibilities and teach them correct practices – help change behavior
  - Develop skills and knowledge
  - Build in-depth knowledge to design, implement, or operate security programs
Security Awareness and Education
- Often overlooked in proactive or reactive administration of security practices
- Effective program requires proper planning, implementation, maintenance, and periodic evaluation – NIST (800-14) recommendations
  - Identify program scope, goals, and objectives
  - Identify training staff
  - Identify target audience
  - Motivate management and employees
  - Administer the program
  - Maintain the program
  - Evaluate the program
Security Awareness and Education
- Awareness methods and techniques
  - Management commitment necessary
  - Integrating awareness
    - Periodic awareness sessions to orient new employees and refresh senior employees – direct, simple and clear
    - Live/interactive presentations – lectures, videos
    - Publishing/distribution – posters, company newsletters
    - Incentives – awards and recognition for security-related achievement
    - Reminders
Security Awareness and Education
- Integrating awareness (continued)
  - Training – different from awareness – specific classroom or one-on-one training
    - InfoSec example
      - Security-related job training for operators and specific users
      - Awareness training for specific departments or personnel groups with security-sensitive positions
      - Technical security training for IT support personnel and system administrators
      - Advanced InfoSec training for security practitioners and IS auditors
      - Security training for senior managers, functional managers
Security Patch Management
Objective
To create a consistently configured environment that is secure against known vulnerabilities in operating system and application software
Patch Management
Security and Patch Information Sources
Patch Prioritization and Scheduling
Patch Testing
Change Management
Patch Installment and Deployment
Audit and Assessment
Security & Patch Information Sources
Intake and Vetting
Responsible Personnel
Comprehensive and Accurate Asset Management
Relationship with key OS, network device, and application vendors
Public Websites
Windows XP SP2
AOL Toolbar
Photoshop CS
Freedom Force
NBA Live 2000
Word Perfect
Virtual PC
Zone Alarm
No notification for some email programs
Patch Prioritization and Scheduling
Patch Cycle
Critical security and functionality
Patch Testing
Verification of Patch Source and Integrity
Test Environment
Installing and rebooting
Initial Phases of Roll Out
Testing In Virtual Environment
Change Management
Process of controlling changes to the infrastructure or any
aspect of service, in a controlled manner, enabling approved
changes with minimum disruption
Contingency and Backout plans
Monitoring and Acceptance Plans
Milestone and Acceptance Criteria
Patch Installation & Deployment
Actual Work
Visible
Overall Success
Tools
Restricted User Rights
Audit & Assessment
Success & Extent
Accurate and Effective Asset
System Discovery & Auditing
System Modification
Definition
The process of correcting flaws and enhancing the capability
of an Information System.
Changing a process to keep a compromised system from
being able to use vulnerable areas of itself to cause further
damage. This change can be something that is temporarily in
place until the "hole" in the system's security is fixed, or it can
be a permanent change to keep this type of attack from
happening again.
Stages of System Modification
Evaluate Systems
Assess Changes or Enhancement Request
Nature of Change
Impact of Change
Execute the Change
Monitoring New Threats and Incident Response
Types of Intrusion Detection (ID)
Host Based
Network Based
Host Based ID System
Monitors accesses
Changes in user privileges
Critical system files
Dial-in attempts to non-communication ports
Network Based IDS
String Signatures
Port Signatures
Header Condition Signatures
IDS Approaches
Knowledge Based
-- Uses a database
-- Most commonly used
Behavior Based
-- Deviations from learned pattern
Knowledge vs. Behavior
Knowledge based                                                                           | Behavior based
Low false alarm rates                                                                     | High false alarm rates
OS based                                                                                  | Not OS based
New, unique and original vulnerabilities have to be configured into the knowledge base    | Adapts to new, unique and original vulnerabilities
Honey Pots
System configured intentionally to lure intruders
Simulate network services
HTTP, SMTP, DNS servers
Details of hackers
Physically isolated
Evidence of Intrusion in Honey Pots
Firewall logs
System logs
IDS or other monitoring tools
Incident Response
An IRT is a well-trained group of people
Purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from.
Members from within the company.
They must be people who can drop what they’re doing and have the authority to make decisions and take actions
Incident Response Team
Management
Information Security
Auditor
Attorney
Human Resources
Public Relation Officer
Steps In IR
Planning and writing of procedures
Defining what the incidents are going to be
Review of plan with the management
All the members in the team should respond to their duties
Business Continuity Planning
Business Continuity Planning
What is it?
Why do we need it?
When do we need it?
Who participates?
Where to carry it out?
How to prepare?
What is BCP
SANS defines BCP
Business Continuity refers to the activities required to
keep your organization running during a period of
displacement or interruption of normal operation
Business Continuity Institute defines BCP
A collection of procedures and information which is
developed, compiled and maintained in readiness for use in
the event of an emergency or disaster
Need for BCP
Need
-- Disaster can occur anytime.
-- 24x7 business
Reason for BCP
Equipment Failure
Disruption of power supply
Application Failure
Human Error, Sabotage or strike
Malicious Software
Hacking or Internet Threats
Social unrest or terrorist attacks
Fire
Natural Disaster
Responsible for BCP
Who participates
-- Everyone.
Responsibility
--Business Continuity Coordinator
--Disaster Recovery Coordinator
Backup options for BCP
Cold Site
Hot Site
Mutual Backup
Remote Journaling
Mirrored Site
Phases of BCP
Project Initiation
Business Analysis
Designing the Plan
Implementation
Testing
Maintenance
Security Auditing
Definition
A security audit is an audit of how the confidentiality, integrity and availability of an organization’s information is assured.
It is a systematic, measurable technical assessment of how the organization’s security policy is employed.
Methods: personal interviews, vulnerability scans, examination of operating system settings
Work of Security Auditor
Audit Log
Cryptographic tools
Access control lists
Code and configuration changes
Custom Built Application
Key Management
The distribution of public keys
The use of public-key encryption to distribute secret keys
Distribution of Public Keys
Public Announcement of Public keys
Publicly Available Directory
Public key Authority
Public Key Certificates
Distribution of Secret Key
Simple Secret Key Distribution
Secret Key Distribution with Confidentiality and Authentication
System Decommission
System Decommission
What is system decommission?
(Disposition in NIST's System Development Life-Cycle)
All IT systems eventually go through an end-of-life phase
Newer, faster, cheaper, more efficient technology
Proprietary technology maker goes out of business (ex. Sun)
Security concerns (risk)
Ex. NTLM vs Kerberos authentication
Vendor no longer releases security patches
System Decommission
Information preservation
Legal requirements? Security breach?
Ex. Your organization decommissions an old email system. Do industry regulations require you to keep all emails?
Ex. Your organization decommissions an old web server. Do you store the access logs? Who has access to the logs?
Will the technology be there to read the data in the future?
Ex. Your organization backs up all data on 100 MB Iomega Zip disks.
System Decommission
Media sanitation
Residual magnetic or electrical traces of data must be purged by deleting, over-writing, degaussing, or destroying.
Improperly done, data can be reconstructed, providing access to sensitive information to unauthorized individuals.
In highly sensitive/classified areas destruction is required.
Smelting, disintegration, pulverization, incineration, etc.
Ex. Digital forensics on NASA computers.
System Decommission
Hardware and software disposal
Can be sold, given away, or discarded as provided by applicable law or regulation.
Must comply with license or other agreements/contracts.
Rarely need to destroy hardware (exception: storage devices that cannot be sanitized properly).
System Decommission - POSA
What should we take into account?
[Diagram: point-of-sale application (POSA) transaction flow between USER, POSA, Register and CFAC. Numbered steps: 1 Sale information; 2 Display sale info; 3 User CC information; 4 Sale & user information; 5 Y/N; 6 Y/N; 7 Complete trans.; 8 Complete transaction]
Operational Security
Operational Security
Threat: an event that could cause harm by violating security
Operating environment
Internal or external intruders
Authorized users who abuse their power
Vulnerability: a weakness in a system that enables security to be violated.
Asset: anything that is a computing resource or ability.
Operational Security
What is Operational Security (OPSEC)?
“The controls over the hardware in a computing facility, the
data used in a facility, and the operators using these
resources in a facility.” CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, Krutz, Vines.
“The whole point of operations security is to have a set of
operational (daily, habit ingrained) practices that make it
harder for another group to compile critical information.”
“The wolf is at your door.”
Operational Security
Identify critical information
What is the information or resource that you have that other
people may consider important?
What is the value?
What are the potentials of an adversary?
How likely is that someone can get this information?
Operational Security
Put restrictions on the flow of information
If information is classified, don't leave “breadcrumbs”
Ex. Dates, times, places, budget, contingency plans, etc.
Categories of Controls
Preventative Controls
Designed to lower the amount and impact of unintentional
errors.
Prevent unauthorized intruders from accessing the system.
Ex. ACLs, firewalls.
Detective Controls
Used after the fact.
Used to detect unauthorized actions.
Can be used for legal recourse.
Ex. User auditing.
Categories of Control
Corrective (or Recovery) Controls
Designed to mitigate the impact of a loss event through data
recovery procedures.
Ex. backups.
Application Controls
Designed to minimize and detect operational irregularities.
Categories of Control
Application Controls
Input/Output Controls
Ensure that only proper transactions are put into the system,
and that they are correct. Output controls verify the
integrity of the data and add confidentiality if needed.
Ex. Comparing input values to a list.
Processing Controls
Guarantee that transactions are valid and accurate and
errors are reprocessed.
Ex. Rejecting transactions for invalid amounts.
Categories of Controls
Change Controls
Implemented to preserve data integrity in a system.
Ex. Tripwire/MD5 hashing, baselining your system.
Test Controls
Put into place during the testing of a system to prevent violations of confidentiality and to ensure transaction integrity.
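The change control just described (Tripwire-style baselining), as an added Python example that is not from the slides or from Tripwire itself: build a digest baseline of a file tree, re-scan later, and report what was added, removed or modified. It uses SHA-256 rather than the MD5 named on the slide, because MD5 collisions are practical and a substituted file could keep the same MD5; the sample tree and its tampering are constructed inside the block.

```python
import hashlib
import os
import tempfile

# SHA-256 instead of the slide's MD5: MD5 collisions are practical, so an
# attacker could substitute a file that keeps the same MD5 digest.
HASH_ALGO = "sha256"


def file_digest(path, algo=HASH_ALGO, chunk=65536):
    """Hex digest of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, '/' separated)
    to (size, permission bits, digest). Keep the result off the monitored host
    or on read-only media: a baseline the intruder can rewrite proves nothing."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                          # skip links, devices, sockets
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (st.st_size, st.st_mode & 0o7777, file_digest(full))
    return baseline


def compare_baseline(old, new):
    """Report paths added, removed, or changed (size, mode or content) since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root, rel, data, mode="w"):
    # Helper for the constructed scenario only
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small tree, change it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/motd", "welcome\n")
        _write(root, "bin/ls", b"\x7fELF original ls\n", "wb")
        before = build_baseline(root)

        # Same size, different bytes: a size-only check would miss this
        _write(root, "bin/ls", b"\x7fELF replaced ls\n", "wb")
        # An extra account line appended to an existing file
        _write(root, "etc/passwd", "svc:x:1001:1001::/home/svc:/bin/sh\n", "a")
        os.remove(os.path.join(root, "etc", "motd"))
        _write(root, "etc/new.conf", "option=1\n")
        after = build_baseline(root)
        return compare_baseline(before, after)
```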
Operational Security
Configuration/Change Management
Ensure that the change is implemented in an orderly manner
through formalized testing.
Ensure that user base is informed in advance.
Analyze the effect of the change after implementation.
Reduce the negative impact the change may have had on the
computing services and resources.
Orange Book Controls
Trusted Computer System Evaluation Criteria (TCSEC) also defines requirements for operational security:
System architecture
System integrity
Covert channel analysis
Trusted facility management
Trusted Recovery
Orange Book Controls
Covert Channel
An information path that is not normally used for
communication within a system.
Ex. repeatedly changing the amount of free space on your hard
disk.
Deter with noise and traffic generation.
Orange Book Controls
Trusted Facility Management
Assignment of a specific individual to administer the security-related functions of a system. Requires separate operator and administrator roles.
Separation of Duties
Impossible for a single person to compromise entire system.
Single admin cannot have total control.
Orange Book Controls
Rotation of Duties
Variation of separation of duties. Limit the amount of time an
operator is to perform a security-related task before being
moved.
Failure Preparation/System Recovery
System must not be vulnerable when down, i.e. fails safe.
Backup files should not be vulnerable.
Encrypt? Store in a locked location?
Orange Book Controls
Administrative Controls
Personnel Security
Employment Screening/Background Checks
Mandatory Vacations
Job Action Warnings or Termination
Separation of Duties and Responsibilities
Least Privilege
Need to Know
Change/Configuration Management Controls
Questions/Comments